Adds documentation and fleshes out examples

Author: gislikonrad

README.md

@@ -1,2 +1,194 @@
 # Solid.Identity.Protocols.Saml2p
- 
+![badge](https://action-badges.now.sh/SOLIDSoftworks/Solid.Identity.Protocols.Saml2p)
+
+A simple SAML2p protocol library for aspnetcore.
+
+## Features
+- SSO
+- Multiple partner IDPs
+- Multiple parnter SPs
+- Global event handlers
+- Per partner event handlers
+- In-memory partner store
+- Optional custom partner store
+- Microsoft.AspNetCore.Authentication integration
+
+### Upcoming features
+- SLO
+- Encrypted tokens
+- Signed requests
+- Signed responses
+- Federation metadata endpoint
+- Federation metadata import
+- Validate incoming authentication context
+- Allow accept and initiate events to manually provide a status
+
+## Usage
+
+### Service provider (SP)
+Using this package as an SP is pretty easy with the *Microsoft.AspNetCore.Authentication* integration.
+```csharp
+
+public void ConfigureServices(IServiceCollection services)
+{
+    services
+        .AddSaml2p(options =>
+        {
+            // this will be the issuer of the AuthnRequest 
+            // unless overridden in the parnter IDP configuration.
+            options.DefaultIssuer = "https://myhost/saml";
+
+            // The following values should come from your partner IDP.
+            // If these values differ between environments, you can implement 
+            // IConfigureOptions<Saml2pOptions> and add as a singleton to the
+            // service collection.
+            options.AddIdentityProvider("https://identityproviderhost/saml", idp =>
+            {
+                idp.Name = "My partner identity provider";
+                idp.BaseUrl = new Uri("https://identityproviderhost");
+                idp.AcceptSsoEndpoint = "/saml/sso";
+                idp.CanInitiateSso = true;
+                // Multiple signing keys can be added for secondary 
+                // and tertiary key purposes.
+                idp.AssertionSigningKeys.Add(new X509SecurityKey(new X509Certificate2(Convert.FromBase64String(SigningCertificateBase64))));
+            });
+        })
+    ;
+
+    services
+        .AddAuthentication(options =>
+        {
+            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+            options.DefaultChallengeScheme = Saml2pAuthenticationDefaults.AuthenticationScheme;
+        })
+        .AddCookie()
+        .AddSaml2p("https://identityproviderhost/saml")
+    ;
+}
+
+```
+
+#### Razor or MVC
+If you are using Razor or MVC, you can simply put an ```[Authorize]``` attribute on your PageModel/Controller/Method and this will just work.
+
+#### Manual use
+If you're not using Razor og MVC, you can call the extension methods for *HttpContext* included in aspnetcore.
+
+```csharp
+var result = await context.AuthenticateAsync();
+if(!result.Succeeded)
+    await context.ChallengeAsync();
+```
+
+### Identity provider (IDP)
+Using this package as an IDP is also pretty easy with the *Microsoft.AspNetCore.Authentication* integration.
+```csharp
+public class Startup
+{
+    public void ConfigureServices(IServiceCollection services)
+    {
+        services
+            .AddSaml2p(options =>
+            {
+                // this will be the issuer of the Response 
+                // unless overridden in the parnter SP configuration.
+                options.DefaultIssuer = "https://myhost/saml";
+    
+                // The following values should come from your partner SP.
+                // If these values differ between environments, you can implement 
+                // IConfigureOptions<Saml2pOptions> and add as a singleton to the
+                // service collection.
+                options.AddServiceProvider("https://serviceproviderhost/saml", sp =>
+                {
+                    sp.BaseUrl = new Uri("https://serviceproviderhost");
+                    sp.MaxClockSkew = TimeSpan.FromMinutes(2);
+                    sp.AssertionConsumerServiceEndpoint = "/finish";
+                    sp.AssertionSigningKey = new X509SecurityKey(new X509Certificate2(Convert.FromBase64String(SigningCertificateBase64)));
+    
+                    sp.SupportedBindings.Clear();
+                    sp.SupportedBindings.Add(BindingType.Post);
+                });
+            })
+        ;
+    
+        // You can implement your authentication any way you like.
+        // You can even integrate with IdentityServer4 or Duende IdentityServer.
+        services
+            .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
+            .AddCookie(o =>
+            {
+                o.LoginPath = "/login";
+            })
+        ;
+    }
+
+    public void Configure(IApplicationBuilder app)
+    {
+        // other middleware/endpoints added at your discretion.
+        app.UseRouting();
+        app.UseAuthentication();
+        app.UseAuthorization();
+
+        app.UseEndpoints(endpoints =>
+        {
+            endpoints.MapSaml2pIdentityProvider("/saml/sso");
+        });
+    }
+}
+```
+#### Responding to RequestedAuthnContext
+According to the spec, if a specific authentication context is requested, it's at the chosen at the discretion of the responder. This can be done with more authentication handlers on the IDP side and 
+
+```csharp
+public void ConfigureServices(IServiceCollection services)
+{
+    services.Configure<CookiePolicyOptions>(options =>
+    {
+        // This lambda determines whether user consent for non-essential cookies is needed for a given request.
+        options.CheckConsentNeeded = context => true;
+        options.MinimumSameSitePolicy = SameSiteMode.None;
+    });
+
+    services
+        .AddSaml2p(options =>
+        {
+            options.DefaultIssuer = "https://myhost/saml";
+
+            options.IdentityProviderEvents.OnAcceptSso = (services, context) =>
+            {
+                if (context.Request.RequestedAuthnContext?.AuthnContextClassRef == Saml2pConstants.Classes.Kerberos)
+                {
+                    // The SAML2p AcceptSsoEndpointMiddleware will challenge using this scheme.
+                    context.AuthenticationScheme = "FauxKerberos";
+                }
+                return new ValueTask();
+            };
+            options.AddServiceProvider("https://serviceproviderhost/saml", sp =>
+            {
+                sp.BaseUrl = new Uri("https://serviceproviderhost");
+                sp.MaxClockSkew = TimeSpan.FromMinutes(2);
+                sp.AssertionConsumerServiceEndpoint = "/finish";
+                sp.AssertionSigningKey = new X509SecurityKey(new X509Certificate2(Convert.FromBase64String(SigningCertificateBase64)));
+
+                sp.SupportedBindings.Clear();
+                sp.SupportedBindings.Add(BindingType.Post);
+            });
+        })
+    ;
+
+    services
+        .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
+        .AddCookie(o =>
+        {
+            o.LoginPath = "/login";
+            o.Cookie.Name = "Cookie.Idp";
+        })
+        .AddCookie("FauxKerberos", o =>
+        {
+            o.LoginPath = "/fauxkerberos";
+        })
+    ;
+
+    //...
+}
+```

src/AspNetCore.IdpSample/AspNetCore.IdpSample.csproj

@@ -5,6 +5,10 @@
     <AspNetCoreHostingModel>InProcess</AspNetCoreHostingModel>
   </PropertyGroup>
 
+  <ItemGroup>
+    <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="3.1.4" />
+  </ItemGroup>
+
   <ItemGroup>
     <ProjectReference Include="..\Solid.Identity.Protocols.Saml2p\Solid.Identity.Protocols.Saml2p.csproj" />
   </ItemGroup>

src/AspNetCore.IdpSample/Pages/FauxKerberos.cshtml

@@ -0,0 +1,9 @@
+@page
+@model AspNetCore.IdpSample.Pages.FauxKerberosModel
+@{
+    ViewData["Title"] = "FauxKerberos";
+    Layout = "~/Pages/Shared/_Layout.cshtml";
+}
+
+<h1>FauxKerberos</h1>
+

src/AspNetCore.IdpSample/Pages/FauxKerberos.cshtml.cs

@@ -0,0 +1,31 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Claims;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+using Microsoft.IdentityModel.Tokens.Saml;
+using Solid.Identity.Protocols.Saml2p;
+
+namespace AspNetCore.IdpSample.Pages
+{
+    public class FauxKerberosModel : PageModel
+    {
+        public async Task OnGet(string returnUrl)
+        {
+            var userName = "KerberosUser";
+            var claims = new List<Claim>();
+            claims.Add(new Claim(ClaimTypes.NameIdentifier, userName));
+            claims.Add(new Claim(ClaimTypes.AuthenticationInstant, DateTime.UtcNow.ToString("yyyy-MM-ddTHH:mm:ss.fffZ")));
+            claims.Add(new Claim(ClaimTypes.AuthenticationMethod, Saml2pConstants.Classes.KerberosString));
+            claims.Add(new Claim(ClaimTypes.Name, userName));
+
+            var identity = new ClaimsIdentity(claims, "Kerberos", ClaimTypes.NameIdentifier, ClaimTypes.Role);
+            var subject = new ClaimsPrincipal(identity);
+            await HttpContext.SignInAsync(subject);
+            HttpContext.Response.Redirect(returnUrl);
+        }
+    }
+}

src/AspNetCore.IdpSample/Pages/Login.cshtml.cs

@@ -28,7 +28,7 @@ public async Task OnPost(string returnUrl)
 
             var identity = new ClaimsIdentity(claims, "Password", ClaimTypes.NameIdentifier, ClaimTypes.Role);
             var subject = new ClaimsPrincipal(identity);
-            await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, subject);
+            await HttpContext.SignInAsync(subject);
             HttpContext.Response.Redirect(returnUrl);
         }
     }

src/AspNetCore.IdpSample/Startup.cs

@@ -2,6 +2,7 @@
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
+using System.Security.Claims;
 using System.Security.Cryptography.X509Certificates;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authentication.Cookies;
@@ -14,6 +15,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using Microsoft.IdentityModel.Tokens;
+using Solid.Identity.Protocols.Saml2p;
 using Solid.Identity.Protocols.Saml2p.Models;
 using Solid.Identity.Protocols.Saml2p.Options;
 
@@ -44,6 +46,15 @@ public void ConfigureServices(IServiceCollection services)
                 .AddSaml2p(options =>
                 {
                     options.DefaultIssuer = "https://localhost:5001/saml";
+                    options.IdentityProviderEvents.OnAcceptSso = (services, context) =>
+                    {
+                        if (context.Request.RequestedAuthnContext?.AuthnContextClassRef == Saml2pConstants.Classes.Kerberos)
+                        {
+                            context.AuthenticationScheme = "FauxKerberos";
+                            context.AuthenticationPropertyItems.Add(ClaimTypes.AuthenticationMethod, Saml2pConstants.Classes.KerberosString);
+                        }
+                        return new ValueTask();
+                    };
                     options.AddServiceProvider("https://localhost:5003/saml", sp =>
                     {
                         sp.BaseUrl = new Uri("https://localhost:5003");
@@ -53,8 +64,6 @@ public void ConfigureServices(IServiceCollection services)
 
                         sp.SupportedBindings.Clear();
                         sp.SupportedBindings.Add(BindingType.Post);
-
-                        sp.Enabled = false;
                     });
                 })
             ;
@@ -66,6 +75,10 @@ public void ConfigureServices(IServiceCollection services)
                     o.LoginPath = "/login";
                     o.Cookie.Name = "Cookie.Idp";
                 })
+                .AddCookie("FauxKerberos", o =>
+                {
+                    o.LoginPath = "/fauxkerberos";
+                })
             ;
 
             services.AddMvc();

src/AspNetCore.SpSample/Startup.cs

@@ -4,8 +4,10 @@
 using System.Linq;
 using System.Security.Cryptography.X509Certificates;
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.HttpsPolicy;
@@ -14,6 +16,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using Microsoft.IdentityModel.Tokens;
+using Solid.Identity.Protocols.Saml2p;
 using Solid.Identity.Protocols.Saml2p.Authentication;
 using Solid.Identity.Protocols.Saml2p.Models.Context;
 using Solid.Identity.Protocols.Saml2p.Options;
@@ -47,12 +50,12 @@ public void ConfigureServices(IServiceCollection services)
                     options.DefaultIssuer = "https://localhost:5003/saml";
                     options.AddIdentityProvider("https://localhost:5001/saml", idp =>
                     {
-                        idp.BaseUrl = new Uri("https://localhost:5001");                        
+                        idp.BaseUrl = new Uri("https://localhost:5001");
                         idp.AcceptSsoEndpoint = "/saml/sso";
                         idp.CanInitiateSso = true;
+                        idp.RequestedAuthnContextClassRef = Saml2pConstants.Classes.Kerberos;
                         idp.AssertionSigningKeys.Add(new X509SecurityKey(new X509Certificate2(Convert.FromBase64String(SigningCertificateBase64))));
                         //idp.Events.OnGeneratingRelayState = (provider, context) => new ValueTask();
-                        //idp.Events.OnStartSso += (provider, context) => new ValueTask();
                         //idp.Events.OnValidatingToken = ValidatingToken;
                         //idp.Events.OnValidatingToken += (provider, context) => new ValueTask();
                     });
@@ -62,9 +65,7 @@ public void ConfigureServices(IServiceCollection services)
             services
                 .AddAuthentication(options =>
                 {
-                    options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
-                    options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
-
+                    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                     options.DefaultChallengeScheme = Saml2pAuthenticationDefaults.AuthenticationScheme;
                 })
                 .AddCookie(o =>

src/Solid.Identity.Protocols.Saml2p/Abstractions/ISaml2pIdentityProvider.cs

@@ -1,6 +1,7 @@
 using Microsoft.AspNetCore.Http;
 using Microsoft.IdentityModel.Tokens;
 using Solid.Identity.Protocols.Saml2p.Models.Context;
+using Solid.Identity.Protocols.Saml2p.Models.Protocol;
 using Solid.Identity.Protocols.Saml2p.Options;
 using System;
 using System.Collections.Generic;
@@ -23,6 +24,11 @@ public interface ISaml2pIdentityProvider : ISaml2pPartner<Saml2pServiceProviderE
         /// The requested authentication type from the IDP partner.
         /// </summary>
         Uri RequestedAuthnContextClassRef { get; }
+        
+        /// <summary>
+        /// The comparison the IDP partner should use when choosing an authentication type.
+        /// </summary>
+        Comparison RequestedAuthnContextClassRefComparison { get; }
 
         /// <summary>
         /// The endpoint on the IDP partner service that is used when starting SSO.

src/Solid.Identity.Protocols.Saml2p/Factories/AuthnRequestFactory.cs

@@ -55,7 +55,8 @@ public async Task<AuthnRequest> CreateAuthnRequestAsync(HttpContext context, ISa
                 },
                 RequestedAuthnContext = new RequestedAuthnContext
                 {
-                    AuthnContextClassRef = idp.RequestedAuthnContextClassRef
+                    AuthnContextClassRef = idp.RequestedAuthnContextClassRef,
+                    Comparison = idp.RequestedAuthnContextClassRefComparison
                 }
             };
             var generateContext = new GenerateRelayStateContext

src/Solid.Identity.Protocols.Saml2p/Middleware/Idp/AcceptSsoEndpointMiddleware.cs

@@ -72,9 +72,9 @@ public override async Task InvokeAsync(HttpContext context)
                 context.Response.Redirect(ssoContext.ReturnUrl);
             }
             else if (ssoContext.AuthenticationScheme != null)
-                await ChallengeAsync(context, request, ssoContext.ReturnUrl, ssoContext.AuthenticationScheme);
+                await ChallengeAsync(context, request, ssoContext.ReturnUrl, ssoContext.AuthenticationPropertyItems, ssoContext.AuthenticationScheme);
             else
-                await ChallengeAsync(context, request, ssoContext.ReturnUrl);
+                await ChallengeAsync(context, request, ssoContext.ReturnUrl, ssoContext.AuthenticationPropertyItems);
         }
 
         // TODO: extract this to a validator class and test it