Saml2SecurityTokenHandler Class

Definition

Represents a security token handler that creates security tokens from SAML 2.0 Assertions.

public ref class Saml2SecurityTokenHandler : System::IdentityModel::Tokens::SecurityTokenHandler
public class Saml2SecurityTokenHandler : System.IdentityModel.Tokens.SecurityTokenHandler
type Saml2SecurityTokenHandler = class
    inherit SecurityTokenHandler
Public Class Saml2SecurityTokenHandler
Inherits SecurityTokenHandler
Inheritance

Object
SecurityTokenHandler
Saml2SecurityTokenHandler

Remarks

The Saml2SecurityTokenHandler class serializes and deserializes security tokens backed by SAML 2.0 Assertions into Saml2SecurityToken objects. Security token handlers are responsible for creating, reading, writing, and validating tokens.

You can configure a security token service (STS) or relying party (RP) application to process SAML 2.0 Assertion-backed security tokens by adding an instance of the Saml2SecurityTokenHandler class to the SecurityTokenHandlerCollection object configured for the service (or application). This can be done either programmatically or in the configuration file. When the handler is added to the collection, it takes its configuration from the collection's Configuration property. It is also possible to configure the handler individually by setting its own Configuration property, but this is not normally necessary; if it is done, set the property after the handler has been added to the collection.

For many scenarios, the Saml2SecurityTokenHandler class can be used as-is; however, the class provides many extension points through the methods it exposes. By deriving from the Saml2SecurityTokenHandler and overriding specific methods, you can modify the functionality of the token processing provided in the default implementation, or you can add processing for extensions to the SAML Assertion specification that may be needed in some custom scenarios.
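
The round trip the two paragraphs above describe, as an added example (not code from the original page or from the .NET Framework): an STS-side handler issues a signed bearer assertion with CreateToken and WriteToken, and an RP-side SecurityTokenHandlerCollection, whose Configuration pins the audience, the trusted issuer and the signing certificate, reads and validates it. The issuer name, audience URI, subject name and the PFX file are assumptions for this example.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Xml;

// Round trip through Saml2SecurityTokenHandler: an STS-side handler issues a signed
// assertion, an RP-side handler collection validates it. Names, URIs and the PFX path
// are assumptions for this example, not values from the library documentation.
public static class Saml2RoundTrip
{
    const string IssuerName = "https://sts.example.test";   // assumed STS entity name
    const string Audience   = "https://rp.example.test/";   // assumed RP audience URI

    // STS side: build the assertion from a ClaimsIdentity and sign it.
    public static string Issue(X509Certificate2 stsCert, string subjectUpn)
    {
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, subjectUpn),   // becomes <saml:NameID>
            new Claim(ClaimTypes.Name, subjectUpn),             // attributes in the AttributeStatement
            new Claim(ClaimTypes.Role, "reader"),
        });

        var descriptor = new SecurityTokenDescriptor
        {
            TokenIssuerName    = IssuerName,
            AppliesToAddress   = Audience,                      // becomes the <saml:AudienceRestriction>
            Subject            = identity,
            Lifetime           = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(5)),
            SigningCredentials = new X509SigningCredentials(stsCert),
        };

        var handler = new Saml2SecurityTokenHandler();
        SecurityToken token = handler.CreateToken(descriptor);   // no Proof key => bearer confirmation

        var sb = new StringBuilder();
        using (var writer = XmlWriter.Create(sb, new XmlWriterSettings { OmitXmlDeclaration = true }))
            handler.WriteToken(writer, token);                   // writes the enveloped signature
        return sb.ToString();
    }

    // RP side: the collection's configuration decides what the handler will accept.
    public static SecurityTokenHandlerCollection BuildRelyingPartyHandlers(X509Certificate2 trustedStsCert)
    {
        var config = new SecurityTokenHandlerConfiguration();

        // Only assertions addressed to this RP; an assertion without an audience is rejected.
        config.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Audience));

        // Issuer trust is pinned to the STS certificate thumbprint.
        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(trustedStsCert.Thumbprint, IssuerName);
        config.IssuerNameRegistry = registry;

        // The signing key referenced in <ds:KeyInfo> must resolve to that same certificate.
        config.IssuerTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
            new ReadOnlyCollection<SecurityToken>(new SecurityToken[] { new X509SecurityToken(trustedStsCert) }),
            false);

        // Trust comes from the thumbprint pin above, so no chain building for a self-signed STS cert.
        config.CertificateValidator = X509CertificateValidator.None;

        config.MaxClockSkew = TimeSpan.FromMinutes(2);
        config.DetectReplayedTokens = true;                      // uses Configuration.Caches.TokenReplayCache

        var handlers = new SecurityTokenHandlerCollection(config);
        handlers.Add(new Saml2SecurityTokenHandler());           // handler takes 'config' from the collection
        return handlers;
    }

    public static ClaimsIdentity Validate(SecurityTokenHandlerCollection handlers, string assertionXml)
    {
        using (var reader = XmlReader.Create(new StringReader(assertionXml)))
        {
            if (!handlers.CanReadToken(reader))
                throw new SecurityTokenException("Input is not a SAML 2.0 assertion.");
            SecurityToken token = handlers.ReadToken(reader);     // parses assertion and signature
            return handlers.ValidateToken(token)[0];              // signature, issuer, conditions, replay
        }
    }

    public static void Main()
    {
        // Assumption: the STS signing certificate with its private key is in sts-signing.pfx.
        var stsCert = new X509Certificate2("sts-signing.pfx", "pfx-password");

        string xml = Issue(stsCert, "alice@example.test");
        var handlers = BuildRelyingPartyHandlers(stsCert);

        ClaimsIdentity id = Validate(handlers, xml);
        Console.WriteLine("authenticated {0}, role: {1}", id.Name, id.FindFirst(ClaimTypes.Role).Value);

        try { Validate(handlers, xml); }                          // same assertion presented twice
        catch (SecurityTokenReplayDetectedException) { Console.WriteLine("replay rejected"); }
    }
}
```

Two points worth noting. The RP never trusts the assertion's own <saml:Issuer> value: the issuer name is derived from the signing certificate through the IssuerNameRegistry, and the signing certificate itself must be one the IssuerTokenResolver can produce, so an assertion signed with any other key fails in ReadToken or ValidateToken regardless of what it claims. The replay cache that DetectReplayedTokens uses is the default in-process cache; in a web farm, assign a shared implementation to Configuration.Caches.TokenReplayCache, or the second presentation shown in Main is only caught on the node that saw the first.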

Constructors

Saml2SecurityTokenHandler()

Initializes a new instance of the Saml2SecurityTokenHandler class with default security token requirements.

Saml2SecurityTokenHandler(SamlSecurityTokenRequirement)

Initializes a new instance of the Saml2SecurityTokenHandler class with the specified security token requirements.

Fields

TokenProfile11ValueType

The key identifier value type for SAML 2.0 assertion IDs, as defined by the OASIS Web Services Security SAML Token Profile 1.1. This is a URI.

Properties

CanValidateToken

Gets a value that indicates if this handler can validate tokens of type Saml2SecurityToken.

CanWriteToken

Gets a value that indicates whether this handler can serialize tokens of type Saml2SecurityToken.

CertificateValidator

Gets or sets the X.509 certificate validator that is used by the current instance to validate X.509 certificates.

Configuration

Gets or sets the SecurityTokenHandlerConfiguration object that provides configuration for the current instance.

(Inherited from SecurityTokenHandler)

ContainingCollection

Gets the token handler collection that contains the current instance.

(Inherited from SecurityTokenHandler)

KeyInfoSerializer

Gets or sets the security token serializer that is used to serialize and deserialize key identifiers.

SamlSecurityTokenRequirement

Gets or sets the security token requirements for this instance.

TokenType

Gets the token type supported by this handler.

Methods

AddDelegateToAttributes(ClaimsIdentity, ICollection<Saml2Attribute>, SecurityTokenDescriptor)

Adds all of the delegates associated with the subject into the attribute collection.

CanReadKeyIdentifierClause(XmlReader)

Indicates if the current XML element is pointing to a key identifier clause that can be serialized by this instance.

CanReadToken(String)

Returns a value that indicates whether the specified string can be deserialized as a token of the type processed by this instance.

(Inherited from SecurityTokenHandler)

CanReadToken(XmlReader)

Indicates whether the current XML element can be read as a token of the type handled by this instance.

CanWriteKeyIdentifierClause(SecurityKeyIdentifierClause)

Indicates if the specified key identifier clause can be serialized by this instance.

CollectAttributeValues(ICollection<Saml2Attribute>)

Collects attributes with a common claim type, claim value type, and original issuer into a single attribute with multiple values.

CreateAdvice(SecurityTokenDescriptor)

Creates a Saml2Advice object for the assertion.

CreateAttribute(Claim, SecurityTokenDescriptor)

Creates a Saml2Attribute object from a claim.

CreateAttributeStatement(ClaimsIdentity, SecurityTokenDescriptor)

Creates a Saml2AttributeStatement object from a token descriptor.

CreateAuthenticationStatement(AuthenticationInformation, SecurityTokenDescriptor)

Creates a SAML 2.0 authentication statement from the specified authentication information.

CreateClaims(Saml2SecurityToken)

Creates claims from a SAML 2.0 token.

CreateConditions(Lifetime, String, SecurityTokenDescriptor)

Creates the conditions for the assertion.

CreateIssuerNameIdentifier(SecurityTokenDescriptor)

Creates a name identifier that identifies the assertion issuer.

CreateSamlSubject(SecurityTokenDescriptor)

Creates a SAML 2.0 subject for the assertion.

CreateSecurityTokenReference(SecurityToken, Boolean)

Creates the security token reference when the token is not attached to the message.

CreateStatements(SecurityTokenDescriptor)

Creates SAML 2.0 statements to be included in the assertion.

CreateToken(SecurityTokenDescriptor)

Creates a security token based on a token descriptor.

CreateWindowsIdentity(String)

Creates a WindowsIdentity object using the specified User Principal Name (UPN).

CreateXmlStringFromAttributes(IEnumerable<Saml2Attribute>)

Builds an XML formatted string from a collection of SAML 2.0 attributes that represent the Actor.

DenormalizeAuthenticationType(String)

Returns the Saml2 AuthenticationContext matching a normalized value.

DetectReplayedToken(SecurityToken)

Throws an exception if the specified token already exists in the token replay cache; otherwise the token is added to the cache.

Equals(Object)

Determines whether the specified object is equal to the current object.

(Inherited from Object)

FindUpn(ClaimsIdentity)

Finds the UPN claim value in the specified ClaimsIdentity object for the purpose of mapping the identity to a WindowsIdentity object.

GetEncryptingCredentials(SecurityTokenDescriptor)

Gets the token encrypting credentials. Override this method to change the token encrypting credentials.

GetHashCode()

Serves as the default hash function.

(Inherited from Object)

GetSigningCredentials(SecurityTokenDescriptor)

Gets the credentials for signing the assertion.

GetTokenReplayCacheEntryExpirationTime(Saml2SecurityToken)

Returns the time until which the token should be held in the token replay cache.

GetTokenTypeIdentifiers()

Gets the token type identifier(s) supported by this handler.

GetType()

Gets the Type of the current instance.

(Inherited from Object)

LoadCustomConfiguration(XmlNodeList)

Loads custom configuration from XML.

MemberwiseClone()

Creates a shallow copy of the current Object.

(Inherited from Object)

NormalizeAuthenticationContextClassReference(String)

Returns the normalized value matching a SAML authentication context class reference.

ProcessAttributeStatement(Saml2AttributeStatement, ClaimsIdentity, String)

Creates claims from a SAML 2.0 attribute statement and adds them to the specified subject.

ProcessAuthenticationStatement(Saml2AuthenticationStatement, ClaimsIdentity, String)

Creates claims from a SAML 2.0 authentication statement and adds them to the specified subject.

ProcessAuthorizationDecisionStatement(Saml2AuthorizationDecisionStatement, ClaimsIdentity, String)

Creates claims from a SAML 2.0 authorization decision statement and adds them to the specified subject.

ProcessSamlSubject(Saml2Subject, ClaimsIdentity, String)

Creates claims from the SAML 2.0 subject and adds them to the specified subject.

ProcessStatement(Collection<Saml2Statement>, ClaimsIdentity, String)

Creates claims from a collection of SAML 2.0 statements and adds them to the specified subject.

ReadAction(XmlReader)

Reads the <saml:Action> element.

ReadAdvice(XmlReader)

Reads the <saml:Advice> element.

ReadAssertion(XmlReader)

Reads the <saml:Assertion> element.

ReadAttribute(XmlReader)

Reads the <saml:Attribute> element.

ReadAttributeStatement(XmlReader)

Reads the <saml:AttributeStatement> element, or a <saml:Statement> element that specifies an xsi:type of saml:AttributeStatementType.

ReadAttributeValue(XmlReader, Saml2Attribute)

Reads an attribute value.

ReadAudienceRestriction(XmlReader)

Reads the <saml:AudienceRestriction> element or a <saml:Condition> element that specifies an xsi:type of saml:AudienceRestrictionType.

ReadAuthenticationContext(XmlReader)

Reads the <saml:AuthnContext> element.

ReadAuthenticationStatement(XmlReader)

Reads the <saml:AuthnStatement> element or a <saml:Statement> element that specifies an xsi:type of saml:AuthnStatementType.

ReadAuthorizationDecisionStatement(XmlReader)

Reads the <saml:AuthzDecisionStatement> element or a <saml:Statement> element that specifies an xsi:type of saml:AuthzDecisionStatementType.

ReadConditions(XmlReader)

Reads the <saml:Conditions> element.

ReadEncryptedId(XmlReader)

Reads the <saml:EncryptedId> element.

ReadEvidence(XmlReader)

Reads the <saml:Evidence> element.

ReadIssuer(XmlReader)

Reads the <saml:Issuer> element.

ReadKeyIdentifierClause(XmlReader)

Reads a SecurityKeyIdentifierClause.

ReadNameId(XmlReader)

Reads the <saml:NameID> element.

ReadNameIdType(XmlReader)

Both <Issuer> and <NameID> are of NameIDType. This method reads the content of either one of those elements.

ReadProxyRestriction(XmlReader)

Reads the <saml:ProxyRestriction> element, or a <saml:Condition> element that specifies an xsi:type of saml:ProxyRestrictionType.

ReadSigningKeyInfo(XmlReader, Saml2Assertion)

Deserializes the SAML Signing KeyInfo.

ReadStatement(XmlReader)

Reads the <saml:Statement> element.

ReadSubject(XmlReader)

Reads the <saml:Subject> element.

ReadSubjectConfirmation(XmlReader)

Reads the <SubjectConfirmation> element.

ReadSubjectConfirmationData(XmlReader)

Reads the <saml:SubjectConfirmationData> element.

ReadSubjectId(XmlReader, String)

Reads the subject identifier construct (NameID or EncryptedID) that the <Subject> and <SubjectConfirmation> elements share.

ReadSubjectKeyInfo(XmlReader)

Deserializes the SAML Subject <ds:KeyInfo> element.

ReadSubjectLocality(XmlReader)

Reads the <saml:SubjectLocality> element.

ReadToken(String)

When overridden in a derived class, deserializes the specified string to a token of the type processed by the derived class.

(Inherited from SecurityTokenHandler)

ReadToken(XmlReader)

Reads a SAML 2.0 token from the specified XML reader.

ReadToken(XmlReader, SecurityTokenResolver)

When overridden in a derived class, deserializes the XML referenced by the specified XML reader to a token of the type processed by the derived class by using the specified token resolver.

(Inherited from SecurityTokenHandler)

ResolveIssuerToken(Saml2Assertion, SecurityTokenResolver)

Resolves the Signing Key Identifier to a SecurityToken.

ResolveSecurityKeys(Saml2Assertion, SecurityTokenResolver)

Resolves the collection of SecurityKey referenced in a Saml2Assertion.

SetDelegateFromAttribute(Saml2Attribute, ClaimsIdentity, String)

Called when a delegate (Actor) attribute is detected. The Saml2Attribute passed in wraps an attribute whose Values collection holds the delegate's attributes; each value is mapped to a claim, and all of the resulting claims are collected in a ClaimsIdentity with the specified issuer.

ToString()

Returns a string that represents the current object.

(Inherited from Object)

TraceTokenValidationFailure(SecurityToken, String)

Traces the failure event during the validation of security tokens when tracing is enabled.

(Inherited from SecurityTokenHandler)

TraceTokenValidationSuccess(SecurityToken)

Traces the successful validation of security tokens event when tracing is enabled.

(Inherited from SecurityTokenHandler)

TryResolveIssuerToken(Saml2Assertion, SecurityTokenResolver, SecurityToken)

Attempts to resolve the Signing Key Identifier to a SecurityToken, returned through the output parameter; the return value indicates whether resolution succeeded.

ValidateConditions(Saml2Conditions, Boolean)

Validates the specified Saml2Conditions object.

ValidateConfirmationData(Saml2SubjectConfirmationData)

Validates the specified Saml2SubjectConfirmationData object.

ValidateToken(SecurityToken)

Validates the token data and returns its claims.

WriteAction(XmlWriter, Saml2Action)

Writes the <saml:Action> element.

WriteAdvice(XmlWriter, Saml2Advice)

Writes the <saml:Advice> element.

WriteAssertion(XmlWriter, Saml2Assertion)

Serializes the specified SAML assertion to the specified XML writer.

WriteAttribute(XmlWriter, Saml2Attribute)

Writes the <saml:Attribute> element.

WriteAttributeStatement(XmlWriter, Saml2AttributeStatement)

Writes the <saml:AttributeStatement> element.

WriteAttributeValue(XmlWriter, String, Saml2Attribute)

Writes the saml:Attribute value.

WriteAudienceRestriction(XmlWriter, Saml2AudienceRestriction)

Writes the <saml:AudienceRestriction> element.

WriteAuthenticationContext(XmlWriter, Saml2AuthenticationContext)

Writes the <saml:AuthnContext> element.

WriteAuthenticationStatement(XmlWriter, Saml2AuthenticationStatement)

Writes the <saml:AuthnStatement> element.

WriteAuthorizationDecisionStatement(XmlWriter, Saml2AuthorizationDecisionStatement)

Writes the <saml:AuthzDecisionStatement> element.

WriteConditions(XmlWriter, Saml2Conditions)

Writes the <saml:Conditions> element.

WriteEvidence(XmlWriter, Saml2Evidence)

Writes the <saml:Evidence> element.

WriteIssuer(XmlWriter, Saml2NameIdentifier)

Writes the <saml:Issuer> element.

WriteKeyIdentifierClause(XmlWriter, SecurityKeyIdentifierClause)

Serializes a Saml2AssertionKeyIdentifierClause to the specified XML writer.

WriteNameId(XmlWriter, Saml2NameIdentifier)

Writes the <saml:NameID> element.

WriteNameIdType(XmlWriter, Saml2NameIdentifier)

Both <Issuer> and <NameID> are of NameIDType. This method writes the content of either one of those elements.

WriteProxyRestriction(XmlWriter, Saml2ProxyRestriction)

Writes the <saml:ProxyRestriction> element.

WriteSigningKeyInfo(XmlWriter, SecurityKeyIdentifier)

Writes the Signing <ds:KeyInfo> element using the specified XML writer.

WriteStatement(XmlWriter, Saml2Statement)

Writes a Saml2Statement.

WriteSubject(XmlWriter, Saml2Subject)

Writes the <saml:Subject> element.

WriteSubjectConfirmation(XmlWriter, Saml2SubjectConfirmation)

Writes the <saml:SubjectConfirmation> element.

WriteSubjectConfirmationData(XmlWriter, Saml2SubjectConfirmationData)

Writes the <saml:SubjectConfirmationData> element.

WriteSubjectKeyInfo(XmlWriter, SecurityKeyIdentifier)

Serializes the Subject <ds:KeyInfo> element using the specified XML writer.

WriteSubjectLocality(XmlWriter, Saml2SubjectLocality)

Writes the <saml:SubjectLocality> element.

WriteToken(SecurityToken)

When overridden in a derived class, serializes the specified security token to a string. The token must be of the type processed by the derived class.

(Inherited from SecurityTokenHandler)

WriteToken(XmlWriter, SecurityToken)

Writes a Saml2 Token to the specified XML writer.

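The Remarks section notes that the handler is extended by deriving from it and overriding specific methods. The following added example (not code from the original page or from the .NET Framework) does that for two of the validation extension points listed above, ValidateConditions and ValidateConfirmationData: it keeps the base condition checks but refuses open-ended or over-long assertions, and it binds bearer SubjectConfirmationData to this relying party's endpoint and to an AuthnRequest the relying party actually sent, as the SAML 2.0 Web Browser SSO profile requires when the identity provider includes Recipient, NotOnOrAfter and InResponseTo. The class name, the policy values and the constructor parameters are assumptions for this example.

```csharp
using System;
using System.IdentityModel.Tokens;

// Derived handler that tightens two of the validation extension points listed above.
// Registered in place of the stock handler: handlers.Add(new HardenedSaml2TokenHandler(...)).
public class HardenedSaml2TokenHandler : Saml2SecurityTokenHandler
{
    // Policy values and the endpoint URI are assumptions for this example.
    static readonly TimeSpan MaxAssertionLifetime = TimeSpan.FromMinutes(10);
    readonly Uri _assertionConsumerUrl;                 // this RP's assertion consumer endpoint
    readonly Func<string, bool> _isOutstandingRequestId; // lookup of AuthnRequest IDs this RP issued

    public HardenedSaml2TokenHandler(Uri assertionConsumerUrl, Func<string, bool> isOutstandingRequestId)
    {
        if (assertionConsumerUrl == null) throw new ArgumentNullException("assertionConsumerUrl");
        if (isOutstandingRequestId == null) throw new ArgumentNullException("isOutstandingRequestId");
        _assertionConsumerUrl = assertionConsumerUrl;
        _isOutstandingRequestId = isOutstandingRequestId;
    }

    // Clock skew comes from the collection configuration the handler was added to.
    TimeSpan Skew
    {
        get { return Configuration != null ? Configuration.MaxClockSkew : TimeSpan.Zero; }
    }

    // Conditions: keep the base checks (validity window, audience) and additionally refuse
    // assertions that have no expiry or whose validity window is longer than policy allows.
    protected override void ValidateConditions(Saml2Conditions conditions, bool enforceAudienceRestriction)
    {
        base.ValidateConditions(conditions, enforceAudienceRestriction);

        if (conditions == null || !conditions.NotOnOrAfter.HasValue)
            throw new SecurityTokenValidationException(
                "Assertion has no NotOnOrAfter; open-ended assertions are rejected.");

        DateTime start = conditions.NotBefore ?? DateTime.UtcNow;
        if (conditions.NotOnOrAfter.Value - start > MaxAssertionLifetime)
            throw new SecurityTokenValidationException(
                "Assertion validity window exceeds the policy maximum.");
    }

    // Bearer SubjectConfirmationData: bind the assertion to this endpoint, to a request this RP
    // sent, and to a time window. The base implementation is deliberately not called; this
    // override is the complete check for these fields.
    protected override void ValidateConfirmationData(Saml2SubjectConfirmationData confirmationData)
    {
        if (confirmationData == null) throw new ArgumentNullException("confirmationData");

        if (confirmationData.Recipient == null || !confirmationData.Recipient.Equals(_assertionConsumerUrl))
            throw new SecurityTokenValidationException(
                "SubjectConfirmationData/@Recipient is not this endpoint.");

        // Absent InResponseTo is allowed here (IdP-initiated SSO); reject null too to forbid it.
        if (confirmationData.InResponseTo != null && !_isOutstandingRequestId(confirmationData.InResponseTo.Value))
            throw new SecurityTokenValidationException(
                "SubjectConfirmationData/@InResponseTo matches no outstanding AuthnRequest.");

        DateTime now = DateTime.UtcNow;
        if (confirmationData.NotBefore.HasValue && confirmationData.NotBefore.Value > now + Skew)
            throw new SecurityTokenValidationException("SubjectConfirmationData is not yet valid.");
        if (!confirmationData.NotOnOrAfter.HasValue || confirmationData.NotOnOrAfter.Value <= now - Skew)
            throw new SecurityTokenValidationException(
                "SubjectConfirmationData has no NotOnOrAfter or has expired.");
    }
}
```

ValidateConfirmationData is only reached for a subject confirmation that carries a SubjectConfirmationData element, so an assertion whose bearer confirmation omits the element is not bound to the endpoint by this override; if the deployment requires that binding, that policy belongs in an override of ValidateToken that inspects the Saml2Subject directly. The InResponseTo lookup should also consume the request ID on success, so that the same AuthnRequest cannot satisfy two responses even before the replay cache sees the second assertion.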