In .net Web API, how can I configure Thinktechture Saml2SecurityTokenHandler to use a X509 Certificate to handle an encrypted SAML2 security token (decrypt it before validating).
The token was encrypted by Identity Server by configuring the RP to use the certificate for encrypting.
Below is the working configuration (without handling an encrypted token) taken from Thinktechture samples:
#region IdentityServer SAML
authentication.AddSaml2(
issuerThumbprint: Constants.IdSrv.SigningCertThumbprint,
issuerName: Constants.IdSrv.IssuerUri,
audienceUri: Constants.Realm,
certificateValidator: X509CertificateValidator.None,
options: AuthenticationOptions.ForAuthorizationHeader(Constants.IdSrv.SamlScheme),
scheme: AuthenticationScheme.SchemeOnly(Constants.IdSrv.SamlScheme));
#endregion
To enable encrypted tokens with Web API, I found this helpful: http://www.alexthissen.nl/blogs/main/archive/2011/07/18/using-active-profile-for.aspx
Towards the end you'll see code setting the ServiceTokenResolver property on the Configuration property of a SecurityTokenHandlerCollection using a X509 certificate from the LocalMachine store. The Configuration property is a SecurityTokenHandlerConfiguration, which is one of the parameters to an overload of the AddSaml2 extension method in AuthenticationConfigurationExtensionsCore.cs from the ThinkTecture.IdentityModel source. The below is what I ended up with.
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(Constants.IdSrv.SigningCertThumbprint, Constants.IdSrv.IssuerUri);
var handlerConfig = new SecurityTokenHandlerConfiguration();
handlerConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
handlerConfig.IssuerNameRegistry = registry;
handlerConfig.CertificateValidator = GetX509CertificateValidatorSetting();
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certificates = store.Certificates;
X509Certificate2Collection matchingCertificates = certificates.Find(
X509FindType.FindBySubjectDistinguishedName,
"CN=RPTokenCertificate", false);
X509Certificate2 certificate = certificates[0];
List<SecurityToken> serviceTokens = new List<SecurityToken>();
serviceTokens.Add(new X509SecurityToken(certificate));
SecurityTokenResolver serviceResolver =
SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
serviceTokens.AsReadOnly(), false);
handlerConfig.ServiceTokenResolver = serviceResolver;
authentication.AddSaml2(handlerConfig,
AuthenticationOptions.ForAuthorizationHeader(SamlScheme),
AuthenticationScheme.SchemeOnly(SamlScheme));
Hope it helps.