Start to support fastfed SAML

Author: habarthierry-hue

src/FastFed/SimpleIdServer.FastFed.ApplicationProvider.Authentication.Saml/FastFedServicesBuilderExtensions.cs

@@ -0,0 +1,24 @@
+// Copyright (c) SimpleIdServer. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.Extensions.DependencyInjection;
+using SimpleIdServer.FastFed.Apis.FastFedMetadata;
+using SimpleIdServer.FastFed.ApplicationProvider.Authentication.Saml.Infrastructures;
+using System;
+
+namespace SimpleIdServer.FastFed.ApplicationProvider.Authentication.Saml;
+
+public static class FastFedServicesBuilderExtensions
+{
+    public static FastFedServicesBuilder AddSamlAppProviderAuthenticationProfile(this FastFedServicesBuilder builder, Action<SamlAuthenticationOptions> cb)
+    {
+        builder.Services.Configure(cb);
+        builder.Services.AddTransient<IProviderMetadataEnricher, SamlAuthenticationProviderMetadataEnricher>();
+        builder.Services.AddTransient<IAppProviderProvisioningService, SamlAuthenticationProvisioningService>();
+        builder.Services.AddScoped<IAuthenticationHandlerProvider, DynamicSamlAuthenticationHandlerProvider>();
+        builder.Services.AddSingleton<IAuthenticationSchemeProvider, DynamicSamlAuthenticationSchemeProvider>();
+        builder.Services.AddSingleton<ISamlAuthenticationSchemeProvider>(x => x.GetService<IAuthenticationSchemeProvider>() as ISamlAuthenticationSchemeProvider);
+        return builder;
+    }
+}

src/FastFed/SimpleIdServer.FastFed.ApplicationProvider.Authentication.Saml/Infrastructures/AuthSchemeProvider.cs

@@ -0,0 +1,10 @@
+// Copyright (c) SimpleIdServer. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+namespace SimpleIdServer.FastFed.ApplicationProvider.Authentication.Saml.Infrastructures;
+
+public class AuthSchemeProvider
+{
+    public string Name { get; set; }
+    public string DisplayName { get; set; }
+    public string SamlMetadataUri { get; set; }
+}

src/FastFed/SimpleIdServer.FastFed.ApplicationProvider.Authentication.Saml/Infrastructures/DynamicSamlAuthenticationHandlerProvider.cs

@@ -0,0 +1,55 @@
+// Copyright (c) SimpleIdServer. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Options;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+
+namespace SimpleIdServer.FastFed.ApplicationProvider.Authentication.Saml.Infrastructures;
+
+public class DynamicSamlAuthenticationHandlerProvider : IAuthenticationHandlerProvider
+{
+    private readonly Dictionary<string, IAuthenticationHandler> _handlerMap = new Dictionary<string, IAuthenticationHandler>(StringComparer.Ordinal);
+    private readonly ISamlAuthenticationSchemeProvider _authenticationSchemeProvider;
+
+    public DynamicSamlAuthenticationHandlerProvider(ISamlAuthenticationSchemeProvider authenticationSchemeProvider)
+    {
+        _authenticationSchemeProvider = authenticationSchemeProvider;
+    }
+
+    public async Task<IAuthenticationHandler> GetHandlerAsync(HttpContext context, string authenticationScheme)
+    {
+        if (_handlerMap.TryGetValue(authenticationScheme, out var value))
+            return value;
+
+        var scheme = await _authenticationSchemeProvider.GetSamlSchemeAsync(authenticationScheme);
+        if (scheme == null) return null;
+        var handlerType = scheme.AuthScheme.HandlerType;
+        var handler = context.RequestServices.GetService(handlerType) as IAuthenticationHandler;
+        if (handler == null)
+        {
+            var ctr = handlerType.GetConstructors().First();
+            var args = new List<object>();
+            foreach (var par in ctr.GetParameters())
+            {
+                if (par.ParameterType.IsGenericType && par.ParameterType.GetGenericTypeDefinition() == typeof(IOptionsMonitor<>).GetGenericTypeDefinition())
+                    args.Add(scheme.SamlSpOptions);
+                else
+                    args.Add(context.RequestServices.GetService(par.ParameterType));
+            }
+
+            handler = Activator.CreateInstance(handlerType, args.ToArray()) as IAuthenticationHandler;
+        }
+
+        if (handler != null)
+        {
+            await handler.InitializeAsync(scheme.AuthScheme, context);
+            _handlerMap[authenticationScheme] = handler;
+        }
+
+        return handler;
+    }
+}

src/FastFed/SimpleIdServer.FastFed.ApplicationProvider.Authentication.Saml/Infrastructures/DynamicSamlAuthenticationSchemeProvider.cs

@@ -0,0 +1,134 @@
+// Copyright (c) SimpleIdServer. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+using MassTransit;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+using SimpleIdServer.FastFed.Stores;
+using SimpleIdServer.IdServer.Saml.Sp;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Net.Http;
+using System.Text.Json.Nodes;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace SimpleIdServer.FastFed.ApplicationProvider.Authentication.Saml.Infrastructures;
+
+public interface ISamlAuthenticationSchemeProvider
+{
+    Task<SamlAuthenticationScheme> GetSamlSchemeAsync(string name);
+}
+
+public class DynamicSamlAuthenticationSchemeProvider : AuthenticationSchemeProvider, ISamlAuthenticationSchemeProvider
+{
+    private readonly IBusControl _busControl;
+    private readonly IServiceProvider _serviceProvider;
+    private readonly SamlAuthenticationOptions _samlAuthOptions;
+    private readonly SamlSpOptions _samlSpOptions;
+    private DateTime? _nextExpirationTime;
+    private IEnumerable<AuthSchemeProvider> _cachedAuthSchemeProviders;
+    private object _lck = new object();
+
+    public DynamicSamlAuthenticationSchemeProvider(
+        IBusControl busControl,
+        IServiceProvider serviceProvider,
+        IOptions<SamlAuthenticationOptions> samlAuthOptions,
+        IOptions<SamlSpOptions> samlSpOptions,
+        IOptions<AuthenticationOptions> options) : base(options)
+    {
+        _busControl = busControl;
+        _serviceProvider = serviceProvider;
+        _samlAuthOptions = samlAuthOptions.Value;
+        _samlSpOptions = samlSpOptions.Value;
+    }
+
+    public async override Task<IEnumerable<AuthenticationScheme>> GetAllSchemesAsync()
+    {
+        var rules = (await base.GetAllSchemesAsync()).ToList();
+        var authenticationSchemeProviders = await GetAuthenticationSchemeProviders();
+        foreach (var scheme in authenticationSchemeProviders)
+        {
+            var newRule = Convert(scheme);
+            if (newRule == null)
+                continue;
+
+            rules.Add(newRule.AuthScheme);
+        }
+
+        return rules;
+    }
+
+    public override async Task<AuthenticationScheme> GetSchemeAsync(string name) => (await GetSamlSchemeAsync(name)).AuthScheme;
+
+    public async Task<SamlAuthenticationScheme> GetSamlSchemeAsync(string name)
+    {
+        var result = await base.GetSchemeAsync(name);
+        if (result != null)
+            return new SamlAuthenticationScheme(result);
+
+        var providers = await GetAuthenticationSchemeProviders();
+        var provider = providers.FirstOrDefault(p => p.Name == name);
+        return provider == null ? null : Convert(provider);
+    }
+
+    private SamlAuthenticationScheme Convert(AuthSchemeProvider provider)
+    {
+        lock (_lck)
+        {
+            var handlerType = typeof(SamlSpHandler);
+            var options = new SamlSpOptions
+            {
+                SPId = _samlSpOptions.SPId,
+                IdpMetadataUrl = provider.SamlMetadataUri,
+                SigningCertificate = _samlSpOptions.SigningCertificate
+            };
+            if (options.Backchannel == null)
+                options.Backchannel = new HttpClient(_samlSpOptions.BackchannelHttpHandler ?? new HttpClientHandler());
+            return new SamlAuthenticationScheme(new AuthenticationScheme(provider.Name, provider.DisplayName, handlerType), options);
+        }
+    }
+
+    private async Task<IEnumerable<AuthSchemeProvider>> GetAuthenticationSchemeProviders()
+    {
+        using (var scope = _serviceProvider.CreateScope())
+        {
+            var providerFederationStore = scope.ServiceProvider.GetRequiredService<IProviderFederationStore>();
+            var currentDateTime = DateTime.UtcNow;
+            var authenticationSchemeProviders = _cachedAuthSchemeProviders;
+            if (_nextExpirationTime == null ||
+                _nextExpirationTime.Value <= currentDateTime ||
+                _samlAuthOptions.CacheSamlAuthProvidersInSeconds == null)
+            {
+                var result = new List<AuthSchemeProvider>();
+                var providerFederations = await providerFederationStore.GetAll(CancellationToken.None);
+                foreach (var providerFederation in providerFederations.Where(f => f.LastCapabilities != null && f.LastCapabilities.Status == Models.IdentityProviderStatus.CONFIRMED))
+                {
+                    var configuration = providerFederation.LastCapabilities.Configurations.SingleOrDefault(c => c.ProfileName == SimpleIdServer.FastFed.Authentication.Saml.Constants.ProvisioningProfileName);
+                    if (configuration == null || string.IsNullOrWhiteSpace(configuration.IdProviderConfiguration)) continue;
+                    var jObj = JsonObject.Parse(configuration.IdProviderConfiguration).AsObject();
+                    if (jObj == null) continue;
+                    if (jObj.ContainsKey(FastFed.Authentication.Saml.Constants.SamlMetadataUri))
+                    {
+                        result.Add(new AuthSchemeProvider
+                        {
+                            Name = providerFederation.EntityId,
+                            DisplayName = providerFederation.DisplayName,
+                            SamlMetadataUri = jObj[FastFed.Authentication.Saml.Constants.SamlMetadataUri].ToString()
+                        });
+                    }
+                }
+
+                authenticationSchemeProviders = result;
+                if (_samlAuthOptions.CacheSamlAuthProvidersInSeconds != null)
+                {
+                    _nextExpirationTime = currentDateTime.AddSeconds(_samlAuthOptions.CacheSamlAuthProvidersInSeconds.Value);
+                    _cachedAuthSchemeProviders = authenticationSchemeProviders;
+                }
+            }
+
+            return authenticationSchemeProviders;
+        }
+    }
+}

src/FastFed/SimpleIdServer.FastFed.ApplicationProvider.Authentication.Saml/Infrastructures/SamlAuthenticationScheme.cs

@@ -0,0 +1,23 @@
+// Copyright (c) SimpleIdServer. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+using Microsoft.AspNetCore.Authentication;
+using SimpleIdServer.IdServer.Saml.Sp;
+
+namespace SimpleIdServer.FastFed.ApplicationProvider.Authentication.Saml.Infrastructures;
+
+public class SamlAuthenticationScheme
+{
+    public SamlAuthenticationScheme(AuthenticationScheme authScheme)
+    {
+        AuthScheme = authScheme;
+    }
+
+    public SamlAuthenticationScheme(AuthenticationScheme authScheme, SamlSpOptions samlSpOptions) : this(authScheme)
+    {
+        SamlSpOptions = samlSpOptions;
+    }
+
+
+    public AuthenticationScheme AuthScheme { get; set; }
+    public SamlSpOptions SamlSpOptions { get; set; }
+}

src/FastFed/SimpleIdServer.FastFed.ApplicationProvider.Authentication.Saml/SamlAuthenticationOptions.cs

@@ -0,0 +1,14 @@
+// Copyright (c) SimpleIdServer. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+
+using SimpleIdServer.FastFed.Authentication.Saml;
+
+namespace SimpleIdServer.FastFed.ApplicationProvider.Authentication.Saml;
+
+public class SamlAuthenticationOptions
+{
+    public string SpId { get; set; } = "samlApplicationProvider";
+    public string SamlMetadataUri { get; set; }
+    public SamlEntrepriseMappingsResult Mappings { get; set; }
+    public int? CacheSamlAuthProvidersInSeconds { get; set; }
+}

src/FastFed/SimpleIdServer.FastFed.ApplicationProvider.Authentication.Saml/SamlAuthenticationProviderMetadataEnricher.cs

@@ -0,0 +1,25 @@
+// Copyright (c) SimpleIdServer. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+
+using Microsoft.Extensions.Options;
+using SimpleIdServer.FastFed.Apis.FastFedMetadata;
+using System.Text.Json;
+using System.Text.Json.Nodes;
+
+namespace SimpleIdServer.FastFed.ApplicationProvider.Authentication.Saml;
+
+public class SamlAuthenticationProviderMetadataEnricher : IProviderMetadataEnricher
+{
+    private readonly SamlAuthenticationOptions _options;
+
+    public SamlAuthenticationProviderMetadataEnricher(IOptions<SamlAuthenticationOptions> options)
+    {
+        _options = options.Value;
+    }
+
+    public void EnrichApplicationProvider(JsonObject otherParameters)
+    {
+        if (_options.Mappings != null)
+            otherParameters.Add(SimpleIdServer.FastFed.Authentication.Saml.Constants.ProvisioningProfileName, JsonObject.Parse(JsonSerializer.Serialize(_options.Mappings)).AsObject());
+    }
+}

src/FastFed/SimpleIdServer.FastFed.ApplicationProvider.Authentication.Saml/SamlAuthenticationProvisioningService.cs

@@ -0,0 +1,34 @@
+// Copyright (c) SimpleIdServer. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+
+using Microsoft.Extensions.Options;
+using Microsoft.IdentityModel.JsonWebTokens;
+using SimpleIdServer.FastFed.Models;
+using System.Text.Json.Nodes;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace SimpleIdServer.FastFed.ApplicationProvider.Authentication.Saml;
+
+public class SamlAuthenticationProvisioningService : IAppProviderProvisioningService
+{
+    private readonly SamlAuthenticationOptions _options;
+
+    public SamlAuthenticationProvisioningService(IOptions<SamlAuthenticationOptions> options)
+    {
+        _options = options.Value;
+    }
+
+    public string Name => FastFed.Authentication.Saml.Constants.ProvisioningProfileName;
+
+    public string RegisterConfigurationName => FastFed.Authentication.Saml.Constants.SamlAuthentication;
+
+    public Task<JsonObject> EnableCapability(IdentityProviderFederation identityProviderFederation, JsonWebToken jwt, CancellationToken cancellationToken)
+    {
+        var result = new JsonObject
+        {
+            { FastFed.Authentication.Saml.Constants.SamlMetadataUri, _options.SamlMetadataUri }
+        };
+        return Task.FromResult(result);
+    }
+}

src/FastFed/SimpleIdServer.FastFed.ApplicationProvider.Authentication.Saml/SimpleIdServer.FastFed.ApplicationProvider.Authentication.Saml.csproj

@@ -0,0 +1,11 @@
+<Project Sdk="Microsoft.NET.Sdk">
+	<PropertyGroup>
+		<TargetFramework>net8.0</TargetFramework>
+		<Description>Add SAML authentication support to the application provider.</Description>
+	</PropertyGroup>
+	<ItemGroup>
+	  <ProjectReference Include="..\..\IdServer\SimpleIdServer.IdServer.Saml.Sp\SimpleIdServer.IdServer.Saml.Sp.csproj" />
+	  <ProjectReference Include="..\SimpleIdServer.FastFed.Authentication.Saml\SimpleIdServer.FastFed.Authentication.Saml.csproj" />
+	  <ProjectReference Include="..\SimpleIdServer.FastFed\SimpleIdServer.FastFed.csproj" />
+	</ItemGroup>
+</Project>

src/FastFed/SimpleIdServer.FastFed.ApplicationProvider.Provisioning.Scim/FastFedServicesBuilderExtensions.cs

@@ -13,9 +13,8 @@ public static class FastFedServicesBuilderExtensions
     public static FastFedServicesBuilder AddAppProviderScimProvisioning(this FastFedServicesBuilder builder, Action<ScimProvisioningOptions> cb)
     {
         builder.Services.Configure(cb);
-        builder.Services.RemoveAll<IGetProviderMetadataQuery>();
         builder.Services.AddTransient<IAppProviderProvisioningService, ScimProvisioningService>();
-        builder.Services.AddTransient<IGetProviderMetadataQuery, ScimGetProviderMetadataQuery>();
+        builder.Services.AddTransient<IProviderMetadataEnricher, ScimProviderMetadataEnricher>();
         return builder;
     }
 }