/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
using System;
using System.Net;
using Amazon.Util;
namespace Amazon.SecurityToken.SAML
{
/// <summary>
/// Interface implemented by plugins supplied to the SAMLAuthenticationController
/// to perform the call to the authentication endpoint. The implementor returns the
/// final response from the authentication process for subsequent parsing.
/// </summary>
public interface IAuthenticationController
{
    /// <summary>
    /// Calls the specified endpoint, optionally providing custom credentials.
    /// </summary>
    /// <remarks>
    /// The implementation receives the caller's credentials together with the endpoint
    /// and returns the response unparsed; parsing is left to an
    /// IAuthenticationResponseParser instance.
    /// </remarks>
    /// <param name="identityProvider">The endpoint providing authentication.</param>
    /// <param name="credentials">
    /// Optional, if not supplied the token for the currently logged-in user is supplied to the authentication endpoint.
    /// </param>
    /// <param name="authenticationType">
    /// The authentication type expected by the endpoint. Valid values are 'NTLM',
    /// 'Digest', 'Kerberos' and 'Negotiate'.
    /// </param>
    /// <param name="proxySettings">Null or configured proxy settings for the HTTPS call.</param>
    /// <returns>The raw response data from the authentication request.</returns>
    string Authenticate(Uri identityProvider, ICredentials credentials, string authenticationType,
#if NETSTANDARD
        IWebProxy proxySettings);
#else
        WebProxy proxySettings);
#endif
}
/// <summary>
/// Interface implemented by plugins supplied to the SAMLAuthenticationController
/// to parse an authentication response returned by an IAuthenticator instance and
/// yield a SAMLAssertion instance.
/// </summary>
public interface IAuthenticationResponseParser
{
    /// <summary>
    /// Parses the supplied response data to instantiate a SAMLAssertion instance
    /// containing IAM role and token data that can be used to generate temporary
    /// AWS credentials.
    /// </summary>
    /// <param name="authenticationResponse">
    /// The response that was returned from user authentication.
    /// </param>
    /// <returns>SAMLAssertion instance corresponding to the response data.</returns>
    SAMLAssertion Parse(string authenticationResponse);
}
/// <summary>
/// Helper class to perform SAML authentication negotiation for an identity
/// provider and relying party combination. Yields a SAMLAssertion instance
/// that can be used to retrieve temporary, auto-refreshing AWS credentials.
/// </summary>
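public class SAMLAuthenticationController
{
    /// <summary>
    /// Handler that will be called to perform the authentication process to a
    /// defined endpoint.
    /// </summary>
    public IAuthenticationController AuthenticationController { get; private set; }

    /// <summary>
    /// Handler that will be called to parse the response from a successful
    /// authentication request.
    /// </summary>
    public IAuthenticationResponseParser ResponseParser { get; private set; }

    /// <summary>
    /// Proxy details if required for communication with the authentication endpoint.
    /// </summary>
#if NETSTANDARD
    public IWebProxy ProxySettings { get; private set; }
#else
    public WebProxy ProxySettings { get; private set; }
#endif

    /// <summary>
    /// Instantiates a controller instance configured to use the built-in AD FS
    /// classes to authenticate and parse the responses.
    /// </summary>
    public SAMLAuthenticationController()
        : this(new AdfsAuthenticationController(), new AdfsAuthenticationResponseParser(), null)
    {
    }

    /// <summary>
    /// Instantiates a controller instance configured to use the built-in AD FS
    /// classes to authenticate and parse the responses. The supplied proxy settings will
    /// be used in the HTTPS calls to the authentication endpoint.
    /// </summary>
    /// <param name="proxySettings">
    /// Null or proxy settings that should be used when communicating with the authentication endpoint.
    /// </param>
#if NETSTANDARD
    public SAMLAuthenticationController(IWebProxy proxySettings)
#else
    public SAMLAuthenticationController(WebProxy proxySettings)
#endif
        : this(new AdfsAuthenticationController(), new AdfsAuthenticationResponseParser(), proxySettings)
    {
    }

    /// <summary>
    /// Instantiates the controller to use the specified instances to perform authentication
    /// and response parsing.
    /// </summary>
    /// <param name="authenticationController">
    /// Handler that will be called to perform authentication.
    /// </param>
    /// <param name="responseParser">
    /// Handler that will be called to parse successful authentication responses.
    /// </param>
    /// <param name="proxySettings">
    /// Null or proxy settings that should be used when communicating with the authentication endpoint.
    /// </param>
    /// <exception cref="ArgumentNullException">
    /// Thrown when <paramref name="authenticationController"/> or <paramref name="responseParser"/> is null.
    /// </exception>
    public SAMLAuthenticationController(IAuthenticationController authenticationController,
                                        IAuthenticationResponseParser responseParser,
#if NETSTANDARD
                                        IWebProxy proxySettings)
#else
                                        WebProxy proxySettings)
#endif
    {
        if (authenticationController == null)
            throw new ArgumentNullException("authenticationController");
        if (responseParser == null)
            throw new ArgumentNullException("responseParser");

        AuthenticationController = authenticationController;
        ResponseParser = responseParser;
        // Proxy settings are optional; null simply means no proxy is handed to the controller.
        ProxySettings = proxySettings;
    }

    /// <summary>
    /// Authenticates the specified network credentials with a provider endpoint and
    /// returns the SAML assertion data from which temporary AWS credentials can be obtained.
    /// </summary>
    /// <param name="identityProviderUrl">The authentication endpoint to be called.</param>
    /// <param name="credentials">
    /// Credentials for the call. If null, the user's default network credentials will be used
    /// in a temporary impersonation context.
    /// </param>
    /// <param name="authenticationType">
    /// The authentication type expected by the endpoint. The default value if not specified
    /// is 'Kerberos'. Valid values are 'NTLM', 'Digest', 'Kerberos' and 'Negotiate'.
    /// </param>
    /// <returns>SAMLAssertion instance wrapping the returned document on successful authentication.</returns>
    /// <exception cref="ArgumentNullException">Thrown when <paramref name="identityProviderUrl"/> is null.</exception>
    /// <exception cref="UriFormatException">Thrown when <paramref name="identityProviderUrl"/> is not a valid absolute URI.</exception>
    public SAMLAssertion GetSAMLAssertion(string identityProviderUrl,
                                          ICredentials credentials,
                                          string authenticationType)
    {
        // Check before constructing the Uri so the exception names this method's parameter
        // rather than the Uri constructor's.
        if (identityProviderUrl == null)
            throw new ArgumentNullException("identityProviderUrl");

        return GetSAMLAssertion(new Uri(identityProviderUrl), credentials, authenticationType);
    }

    /// <summary>
    /// Authenticates the specified network credentials with a provider endpoint and
    /// returns the SAML assertion data from which temporary AWS credentials can be obtained.
    /// </summary>
    /// <remarks>
    /// The supplied credentials are handed to the configured AuthenticationController
    /// together with this endpoint. The endpoint is expected to be an HTTPS URL; the
    /// scheme is not validated here, so callers should only pass endpoints they trust.
    /// </remarks>
    /// <param name="identityProviderUrl">The authentication endpoint to be called.</param>
    /// <param name="credentials">
    /// Credentials for the call. If null, the user's default network credentials will be used
    /// in a temporary impersonation context.
    /// </param>
    /// <param name="authenticationType">
    /// The authentication type expected by the endpoint. The default value if not specified
    /// is 'Kerberos'. Valid values are 'NTLM', 'Digest', 'Kerberos' and 'Negotiate'.
    /// </param>
    /// <returns>SAMLAssertion instance wrapping the returned document on successful authentication.</returns>
    /// <exception cref="ArgumentNullException">Thrown when <paramref name="identityProviderUrl"/> is null.</exception>
    public SAMLAssertion GetSAMLAssertion(Uri identityProviderUrl,
                                          ICredentials credentials,
                                          string authenticationType)
    {
        // Fail fast with a clear parameter name instead of letting a null endpoint reach the plugin.
        if (identityProviderUrl == null)
            throw new ArgumentNullException("identityProviderUrl");

        // A null or empty type falls back to the SDK default so the controller always
        // receives an explicit authentication type.
        var effectiveAuthenticationType = string.IsNullOrEmpty(authenticationType)
            ? SAMLEndpointSettings.DefaultAuthenticationType
            : authenticationType;

        var response = AuthenticationController.Authenticate(identityProviderUrl,
                                                             credentials,
                                                             effectiveAuthenticationType,
                                                             ProxySettings);
        return ResponseParser.Parse(response);
    }
}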
}