Merge pull request #83 from ITfoxtec/NemLogin3

NemLog-in 3

Author: Revsgaard

ITfoxtec.Identity.Saml2.sln

@@ -31,6 +31,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "TestWebAppCoreAzureKeyVault
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "TestWebAppCoreAngularApi", "test\TestWebAppCoreAngularApi\TestWebAppCoreAngularApi.csproj", "{66FA6C5B-164C-44F3-9A96-60F0239ABDCE}"
 EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "TestWebAppCoreNemLogin3Sp", "test\TestWebAppCoreNemLogin3Sp\TestWebAppCoreNemLogin3Sp.csproj", "{072134FF-11D2-4EF5-A5C5-0A601DFECE80}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -73,6 +75,10 @@ Global
 		{66FA6C5B-164C-44F3-9A96-60F0239ABDCE}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{66FA6C5B-164C-44F3-9A96-60F0239ABDCE}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{66FA6C5B-164C-44F3-9A96-60F0239ABDCE}.Release|Any CPU.Build.0 = Release|Any CPU
+		{072134FF-11D2-4EF5-A5C5-0A601DFECE80}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{072134FF-11D2-4EF5-A5C5-0A601DFECE80}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{072134FF-11D2-4EF5-A5C5-0A601DFECE80}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{072134FF-11D2-4EF5-A5C5-0A601DFECE80}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -87,6 +93,7 @@ Global
 		{1966436F-5CEC-4290-A547-152357C0BD24} = {A05F26DE-17C2-497F-B244-EE6790789066}
 		{03A37D91-A36B-48C0-90A1-1FCF43621E60} = {DE5976C5-83CD-4518-A05E-0DEC2EA5D17C}
 		{66FA6C5B-164C-44F3-9A96-60F0239ABDCE} = {DE5976C5-83CD-4518-A05E-0DEC2EA5D17C}
+		{072134FF-11D2-4EF5-A5C5-0A601DFECE80} = {DE5976C5-83CD-4518-A05E-0DEC2EA5D17C}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {64BB7D39-E92F-466D-B601-276E16FF6EB4}

src/ITfoxtec.Identity.Saml2/Schemas/Metadata/EncryptionMethodType.cs

@@ -0,0 +1,37 @@
+using System.Collections.Generic;
+using System.Xml.Linq;
+
+namespace ITfoxtec.Identity.Saml2.Schemas.Metadata
+{
+    /// <summary>
+    /// EncryptionMethod is an optional element that describes the encryption algorithm applied to the cipher data. 
+    /// If the element is absent, the encryption algorithm must be known to the recipient or the decryption will fail.
+    /// </summary>
+    public class EncryptionMethodType
+    {
+        const string elementName = Saml2MetadataConstants.Message.EncryptionMethod;
+
+        /// <summary>
+        /// [Required]
+        /// the Algorithm attribute URI.
+        /// </summary>
+        public string Algorithm { get; set; }
+
+        public XElement ToXElement()
+        {
+            var envelope = new XElement(Saml2MetadataConstants.MetadataNamespaceX + elementName);
+
+            envelope.Add(GetXContent());
+
+            return envelope;
+        }
+
+        protected IEnumerable<XObject> GetXContent()
+        {
+            if (Algorithm != null)
+            {
+                yield return new XElement(Saml2MetadataConstants.MetadataNamespaceX + Saml2MetadataConstants.Message.Algorithm, Algorithm);
+            }
+        }
+    }
+}

src/ITfoxtec.Identity.Saml2/Schemas/Metadata/EntityDescriptor.cs

@@ -92,15 +92,18 @@ public string IdAsString
         public EntityDescriptor()
         { }
 
-        public EntityDescriptor(Saml2Configuration config)
+        public EntityDescriptor(Saml2Configuration config, bool signMetadata = true)
         {
             if (config == null) throw new ArgumentNullException(nameof(config));
 
             Config = config;
             EntityId = config.Issuer;
             Id = new Saml2Id();
-            MetadataSigningCertificate = config.SigningCertificate;
-            CertificateIncludeOption = X509IncludeOption.EndCertOnly;
+            if (signMetadata)
+            {
+                MetadataSigningCertificate = config.SigningCertificate;
+                CertificateIncludeOption = X509IncludeOption.EndCertOnly;
+            }
         }
 
         public XmlDocument ToXmlDocument()

src/ITfoxtec.Identity.Saml2/Schemas/Metadata/IdPSsoDescriptor.cs

@@ -50,7 +50,7 @@ protected IEnumerable<XObject> GetXContent()
             {
                 foreach (var encryptionCertificate in EncryptionCertificates)
                 {
-                    yield return KeyDescriptor(encryptionCertificate, Saml2MetadataConstants.KeyTypes.Encryption);
+                    yield return KeyDescriptor(encryptionCertificate, Saml2MetadataConstants.KeyTypes.Encryption, EncryptionMethods);
                 }
             }
 

src/ITfoxtec.Identity.Saml2/Schemas/Metadata/SPSsoDescriptor.cs

@@ -71,7 +71,7 @@ protected IEnumerable<XObject> GetXContent()
             {
                 foreach(var encryptionCertificate in EncryptionCertificates)
                 {
-                    yield return KeyDescriptor(encryptionCertificate, Saml2MetadataConstants.KeyTypes.Encryption);
+                    yield return KeyDescriptor(encryptionCertificate, Saml2MetadataConstants.KeyTypes.Encryption, EncryptionMethods);
                 }                
             }
 

src/ITfoxtec.Identity.Saml2/Schemas/Metadata/Saml2MetadataConstants.cs

@@ -3,7 +3,7 @@
 
 namespace ITfoxtec.Identity.Saml2.Schemas.Metadata
 {
-    internal class Saml2MetadataConstants
+    public class Saml2MetadataConstants
     {
         /// <summary>
         /// The XML namespace of the Metadata.
@@ -20,6 +20,7 @@ internal class Saml2MetadataConstants
         public static readonly XName MetadataNamespaceNameX = XNamespace.Xmlns + "m";     
 
         public const string AttributeNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic";
+        public const string AttributeNameFormatUri = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri";
 
         public class Message
         {
@@ -51,6 +52,10 @@ public class Message
 
             public const string KeyDescriptor = "KeyDescriptor";
 
+            public const string EncryptionMethod = "EncryptionMethod";
+
+            public const string Algorithm = "Algorithm";
+
             public const string Use = "use";
 
             public const string KeyInfo = "KeyInfo";

src/ITfoxtec.Identity.Saml2/Schemas/Metadata/SsoDescriptorType.cs

@@ -1,5 +1,6 @@
 using System;
 using System.Collections.Generic;
+using System.Linq;
 using System.Security.Cryptography.X509Certificates;
 using System.Security.Cryptography.Xml;
 using System.Xml;
@@ -40,6 +41,12 @@ public abstract class SsoDescriptorType
         /// </summary>
         public IEnumerable<X509Certificate2> EncryptionCertificates { get; set; }
 
+        /// <summary>
+        /// [Optional]
+        /// Specifying algorithms and algorithm-specific settings supported by the entity.
+        /// </summary>
+        public IEnumerable<EncryptionMethodType> EncryptionMethods { get; set; }        
+
         /// <summary>
         /// [Optional]
         /// Zero or one element of type EndpointType that describe endpoints that support the Single
@@ -55,14 +62,33 @@ public abstract class SsoDescriptorType
         /// </summary>
         public IEnumerable<Uri> NameIDFormats { get; set; }
 
-        protected XObject KeyDescriptor(X509Certificate2 certificate, string keyType)
+        /// <summary>
+        /// Configure default encryption methods used by .NET.
+        /// </summary>
+        public void SetDefaultEncryptionMethods()
+        {
+            EncryptionMethods = new[] { new EncryptionMethodType { Algorithm = EncryptedXml.XmlEncAES256Url }, new EncryptionMethodType { Algorithm = EncryptedXml.XmlEncRSAOAEPUrl } };
+        }
+
+        protected XObject KeyDescriptor(X509Certificate2 certificate, string keyType, IEnumerable<EncryptionMethodType> encryptionMethods = null)
         {
             var keyinfo = new KeyInfo();
             keyinfo.AddClause(new KeyInfoX509Data(certificate, CertificateIncludeOption));
 
-            return new XElement(Saml2MetadataConstants.MetadataNamespaceX + Saml2MetadataConstants.Message.KeyDescriptor,
+            var keyDescriptorElement = new XElement(Saml2MetadataConstants.MetadataNamespaceX + Saml2MetadataConstants.Message.KeyDescriptor,
                 new XAttribute(Saml2MetadataConstants.Message.Use, keyType),
                 XElement.Parse(keyinfo.GetXml().OuterXml));
+
+            if (keyType == Saml2MetadataConstants.KeyTypes.Encryption && encryptionMethods?.Count() > 0)
+            {
+                foreach(var encryptionMethod in encryptionMethods)
+                {
+                    keyDescriptorElement.Add(new XElement(Saml2MetadataConstants.MetadataNamespaceX + Saml2MetadataConstants.Message.EncryptionMethod,
+                        new XAttribute(Saml2MetadataConstants.Message.Algorithm, encryptionMethod.Algorithm)));
+                }
+            }
+
+            return keyDescriptorElement;
         }
 
         protected void ReadKeyDescriptors(XmlElement xmlElement)

test/TestWebAppCoreNemLogin3Sp/Controllers/AuthController.cs

@@ -0,0 +1,145 @@
+using ITfoxtec.Identity.Saml2;
+using ITfoxtec.Identity.Saml2.Schemas;
+using ITfoxtec.Identity.Saml2.MvcCore;
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using TestWebAppCoreNemLogin3Sp.Identity;
+using Microsoft.Extensions.Options;
+using System.Security.Authentication;
+using System.Security.Claims;
+using System.Linq;
+
+namespace TestWebAppCoreNemLogin3Sp.Controllers
+{
+    [AllowAnonymous]
+    [Route("Auth")]
+    public class AuthController : Controller
+    {
+        const string relayStateReturnUrl = "ReturnUrl";
+        private readonly Saml2Configuration config;
+
+        public AuthController(IOptions<Saml2Configuration> configAccessor)
+        {
+            config = configAccessor.Value;
+        }
+
+        [Route("Login")]
+        public IActionResult Login(string returnUrl = null)
+        {
+            var binding = new Saml2RedirectBinding();
+            binding.SetRelayStateQuery(new Dictionary<string, string> { { relayStateReturnUrl, returnUrl ?? Url.Content("~/") } });
+
+            return binding.Bind(new Saml2AuthnRequest(config)
+            {
+                //ForceAuthn = true,
+                RequestedAuthnContext = new RequestedAuthnContext
+                {
+                    Comparison = AuthnContextComparisonTypes.Minimum,
+                    AuthnContextClassRef = new string[] 
+                    {
+                        //"https://data.gov.dk/concept/core/nsis/loa/Low"
+                        "https://data.gov.dk/concept/core/nsis/loa/Substantial",
+                        //"https://data.gov.dk/concept/core/nsis/loa/High"
+
+                        //"https://nemlogin.dk/internal/credential/type/nemidkeycard"
+                        //"https://nemlogin.dk/internal/credential/type/nemidkeyfile"
+                        //"https://nemlogin.dk/internal/credential/type/mitid"
+                        //"https://nemlogin.dk/internal/credential/type/local"
+                        //"https://nemlogin.dk/internal/credential/type/test"
+
+                        //"https://data.gov.dk/eid/Professional"
+                        //"https://data.gov.dk/eid/Person"
+                    },
+                },
+            }).ToActionResult();
+        }
+
+        [Route("AssertionConsumerService")]
+        public async Task<IActionResult> AssertionConsumerService()
+        {       
+            var binding = new Saml2PostBinding();
+            var saml2AuthnResponse = new Saml2AuthnResponse(config);
+
+            binding.ReadSamlResponse(Request.ToGenericHttpRequest(), saml2AuthnResponse);
+            if (saml2AuthnResponse.Status != Saml2StatusCodes.Success)
+            {
+                throw new AuthenticationException($"SAML Response status: {saml2AuthnResponse.Status}");
+            }
+            binding.Unbind(Request.ToGenericHttpRequest(), saml2AuthnResponse);
+            await saml2AuthnResponse.CreateSession(HttpContext, claimsTransform: (claimsPrincipal) => ClaimsTransform.Transform(CheckAssurance(claimsPrincipal)));
+
+            var relayStateQuery = binding.GetRelayStateQuery();
+            var returnUrl = relayStateQuery.ContainsKey(relayStateReturnUrl) ? relayStateQuery[relayStateReturnUrl] : Url.Content("~/");
+            return Redirect(returnUrl);
+        }
+
+        private ClaimsPrincipal CheckAssurance(ClaimsPrincipal claimsPrincipal)
+        {
+            var nsisLevelAccepted = claimsPrincipal.Claims.Where(c => c.Type == OioSaml3ClaimTypes.NsisLoa && (c.Value == NsisLevels.Substantial || c.Value == NsisLevels.High)).Any();
+            var oldAssuranceLevelAccepted = claimsPrincipal.Claims.Where(c => c.Type == OioSaml2ClaimTypes.AssuranceLevel && Convert.ToInt32(c.Value) >= 3).Any();
+            
+            if (!nsisLevelAccepted && !oldAssuranceLevelAccepted)
+            {
+                throw new Exception("Assurance level not accepted.");
+            }
+
+            return claimsPrincipal;
+        }
+
+        [HttpPost("Logout")]
+        [ValidateAntiForgeryToken]
+        public async Task<IActionResult> Logout()
+        {
+            if (!User.Identity.IsAuthenticated)
+            {
+                return Redirect(Url.Content("~/"));
+            }
+
+            var binding = new Saml2PostBinding();
+            var saml2LogoutRequest = await new Saml2LogoutRequest(config, User).DeleteSession(HttpContext);
+            return binding.Bind(saml2LogoutRequest).ToActionResult();
+        }
+
+        [Route("LoggedOut")]
+        public IActionResult LoggedOut()
+        {
+            var binding = new Saml2PostBinding();
+            binding.Unbind(Request.ToGenericHttpRequest(), new Saml2LogoutResponse(config));
+
+            return Redirect(Url.Content("~/"));
+        }
+
+        [Route("SingleLogout")]
+        public async Task<IActionResult> SingleLogout()
+        {
+            Saml2StatusCodes status;
+            var requestBinding = new Saml2PostBinding();
+            var logoutRequest = new Saml2LogoutRequest(config, User);
+            try
+            {
+                requestBinding.Unbind(Request.ToGenericHttpRequest(), logoutRequest);
+                status = Saml2StatusCodes.Success;
+                await logoutRequest.DeleteSession(HttpContext);
+            }
+            catch (Exception exc)
+            {
+                // log exception
+                Debug.WriteLine("SingleLogout error: " + exc.ToString());
+                status = Saml2StatusCodes.RequestDenied;
+            }
+
+            var responsebinding = new Saml2PostBinding();
+            responsebinding.RelayState = requestBinding.RelayState;
+            var saml2LogoutResponse = new Saml2LogoutResponse(config)
+            {
+                InResponseToAsString = logoutRequest.IdAsString,
+                Status = status,
+            };
+            return responsebinding.Bind(saml2LogoutResponse).ToActionResult();
+        }
+    }
+}

test/TestWebAppCoreNemLogin3Sp/Controllers/HomeController.cs

@@ -0,0 +1,29 @@
+using System.Linq;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Authorization;
+using System.Security.Claims;
+
+namespace TestWebAppCoreNemLogin3Sp.Controllers
+{
+    public class HomeController : Controller
+    {
+        public IActionResult Index()
+        {
+            return View();
+        }
+
+        [Authorize]
+        public IActionResult Secure()
+        {
+            // The NameIdentifier
+            var nameIdentifier = User.Claims.Where(c => c.Type == ClaimTypes.NameIdentifier).Select(c => c.Value).Single();
+
+            return View();
+        }
+
+        public IActionResult Error()
+        {
+            return View();
+        }
+    }
+}