-
Notifications
You must be signed in to change notification settings - Fork 605
/
Copy pathCompatibility.cs
92 lines (82 loc) · 3.96 KB
/
Compatibility.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace Sustainsys.Saml2.Configuration
{
/// <summary>
/// Compatibility settings. Can be used to make Saml2 accept
/// certain non-standard behaviour.
/// </summary>
public class Compatibility
{
/// <summary>
/// Ctor
/// </summary>
public Compatibility()
{ }
/// <summary>
/// Ctor
/// </summary>
/// <param name="configElement">Config element to load</param>
public Compatibility(CompatibilityElement configElement)
{
if(configElement == null)
{
throw new ArgumentNullException(nameof(configElement));
}
UnpackEntitiesDescriptorInIdentityProviderMetadata =
configElement.UnpackEntitiesDescriptorInIdentityProviderMetadata;
DisableLogoutStateCookie = configElement.DisableLogoutStateCookie;
IgnoreMissingInResponseTo = configElement.IgnoreMissingInResponseTo;
}
/// <summary>
/// If an EntitiesDescriptor element is found when loading metadata
/// for an IdentityProvider, automatically check inside it if there
/// is a single EntityDescriptor and in that case use it.
/// </summary>
public bool UnpackEntitiesDescriptorInIdentityProviderMetadata { get; set; }
/// <summary>
/// Do not send logout state cookie, e.g. if you are not using ReturnUrl
/// or if you know the cookie will be lost due to cross-domain redirects
/// </summary>
[System.Diagnostics.CodeAnalysis.SuppressMessage( "Microsoft.Naming", "CA1726:UsePreferredTerms", MessageId = "Logout" )]
public bool DisableLogoutStateCookie { get; set; }
/// <summary>
/// Honor the owin authentication mode even on logout. Normally the logout
/// handling is always done as if the middleware was active, to allow for
/// simple sign out without specifying an auth type.
/// </summary>
public bool StrictOwinAuthenticationMode { get; set; }
/// <summary>
/// Do not read the AuthnContext element in Saml2Response.
/// If you do not need these values to be present as claims in the generated
/// identity, using this option can prevent XML format errors (IDX13102)
/// e.g. when value cannot parse as absolute URI
/// </summary>
public bool IgnoreAuthenticationContextInResponse { get; set; }
/// <summary>
/// Ignore the check for the missing InResponseTo attribute in the Saml response.
/// This is different to setting the allowUnsolicitedAuthnResponse as it will only
/// ignore the InResponseTo attribute if there is no relayState. Setting
/// IgnoreMissingInResponseTo to true will always skip the check.
/// </summary>
public bool IgnoreMissingInResponseTo { get; set; }
/// <summary>
/// Handling logout requires access to the authenticated user session. If logout
/// is done over the POST binding, the session cookie must have SameSite=None
/// set (which is probably a bad idea). To avoid problems, disable logout
/// over POST in metadata by default.
/// </summary>
[System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Naming", "CA1726:UsePreferredTerms", MessageId = "Logout")]
public bool EnableLogoutOverPost { get; set; }
/// <summary>
/// SAML2 Specs says in section 4.4.4.2:
/// "... The responder MUST authenticate itself to the requester and ensure message integrity, either by signing the message or using a binding-specific mechanism."
///
/// Unfortunately not all IDP seem to follow the specification. Disables requirement for a signed LogoutResponse.
/// </summary>
public bool AcceptUnsignedLogoutResponses { get; set; }
}
}