Merge pull request #41 from RockSolidKnowledge/feature/SLO

Add OIDC and SAML SLO Sample

Author: JoStevensRSK

DuendeIdentityServer/SLO/SamlOidcSLO/Common/Common.csproj

@@ -0,0 +1,9 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <TargetFramework>net7.0</TargetFramework>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <Nullable>enable</Nullable>
+    </PropertyGroup>
+
+</Project>

DuendeIdentityServer/SLO/SamlOidcSLO/Common/TestConstants.cs

@@ -0,0 +1,7 @@
+namespace Common;
+
+public static class TestConstants
+{
+    public static string LicenseKey = "eyJTb2xkRm9yIjowLjAsIktleVByZXNldCI6NiwiU2F2ZUtleSI6ZmFsc2UsIkxlZ2FjeUtleSI6ZmFsc2UsIlJlbmV3YWxTZW50VGltZSI6IjAwMDEtMDEtMDFUMDA6MDA6MDAiLCJhdXRoIjoiREVNTyIsImV4cCI6IjIwMjMtMDUtMTlUMDE6MDA6MDAuNzA3NTI2NiswMDowMCIsImlhdCI6IjIwMjMtMDQtMTlUMDE6MDA6MDAiLCJvcmciOiJERU1PIiwiYXVkIjoyfQ==.TOLSabk8Uf3jNF908d6r3jj9NzRPNExgZ1qqZMyBWkJ0Fpi+RESseOs7Dj8xtSdxt9SoCn4VnomVZnWA4alV3gDnAKIIatMgT8YzCr5Y/IrgEmJmRTb7jNDd5azBrgjCDNmjI8clx5UzGwLfuL1+K72KjsAq1R6DvAZdFiJ0Ggtw4sCocGfhjKrPbDo6izyc3A6EOtgOL0TDLuqxsPm0vPkHB/NRxUsVAGaiLwhu65Wz9iLMGx9BJIIpTr5frGAfrpmv4brjCe92jZcBuCMWgQPVxJKbGzZqNhK8m1uqiLvSdvdoymsvccLaKeVa8APeaq0KROJu9KqPKNg0R/anSYfwBz88L9CgqszLNYRynK4pcSm52POd3g4ulhtZ5vcvRDDI3W3rgw6LO4Et8iQ6SXU/JEhSIjbmqAbKCnQErUDYT8/k2qpIy5W9Sy14F4OkueW1i19R6UcLQVcRztbGUFz7rGRUwbStWS+Eb1sFjDjFzoEGxQhgy/GW/MNUGFF39KVUfZaYTWuz9MvgsXc7exrmT/zKsTjC6GB0wSFcRK5I34T7aIymC95rPHwAqFzfOr2FNt6DvJXogS7VWS+tJkVAHxVYB/stXT3+eBLU9Qa3Su2nZ36YdrYAMIBJmFwiQMq52QAi2/1/2a2e0nrKFTQJh3tdnQGtG2ZjXRtvdWo=";
+    public static string Licensee = "DEMO";
+}

DuendeIdentityServer/SLO/SamlOidcSLO/IdentityServer/Config.cs

@@ -0,0 +1,172 @@
+using System.Security.Cryptography.X509Certificates;
+using Duende.IdentityServer;
+using Duende.IdentityServer.Models;
+using IdentityModel;
+using Rsk.Saml;
+using Rsk.Saml.Models;
+using ServiceProvider = Rsk.Saml.Models.ServiceProvider;
+
+namespace IdentityServer;
+
+public static class Config
+{
+    public static IEnumerable<IdentityResource> IdentityResources =>
+        new List<IdentityResource>
+        { 
+            new IdentityResources.OpenId(),
+            new IdentityResources.Profile(),
+            new IdentityResource()
+            {
+                Name = "verification",
+                UserClaims = new List<string> 
+                { 
+                    JwtClaimTypes.Email,
+                    JwtClaimTypes.EmailVerified
+                }
+            }
+        };
+
+    public static IEnumerable<ApiScope> ApiScopes =>
+        new List<ApiScope>
+        { 
+            new ApiScope("api1", "MyAPI") 
+        };
+
+    public static IEnumerable<ApiResource> ApiResources =>
+        new List<ApiResource>
+        { 
+        };
+
+    public static IEnumerable<Client> Clients =>
+        new List<Client> 
+        {
+            // machine-to-machine client (from quickstart 1)
+            new Client
+            {
+                ClientId = "client",
+                ClientSecrets = { new Secret("secret".Sha256()) },
+                
+                AllowedGrantTypes = GrantTypes.ClientCredentials,
+                // scopes that client has access to
+                AllowedScopes = { "api1" },
+            },
+            // interactive ASP.NET Core Web App
+            new Client
+            {
+                ClientId = "web",
+                ClientSecrets = { new Secret("secret".Sha256()) },
+
+                AllowedGrantTypes = GrantTypes.Code,
+
+                // where to redirect after login
+                RedirectUris = { "https://localhost:5002/signin-oidc" },
+
+                // where to redirect after logout
+                PostLogoutRedirectUris = { "https://localhost:5002/signout-callback-oidc" },
+
+                AllowedScopes = new List<string>
+                {
+                    IdentityServerConstants.StandardScopes.OpenId,
+                    IdentityServerConstants.StandardScopes.Profile,
+                    "verification"
+                }
+            },
+            new Client()
+            {
+                ClientId = "https://localhost:5002",
+                ProtocolType = IdentityServerConstants.ProtocolTypes.Saml2p,
+                RedirectUris = new List<string>()
+                {
+                    "https://localhost:5002/signin-saml"
+                },
+                
+                AllowedScopes = new List<string>
+                {
+                    IdentityServerConstants.StandardScopes.OpenId,
+                    IdentityServerConstants.StandardScopes.Profile,
+                }            
+            },
+            new Client()
+            {
+                ClientId = "https://localhost:5003",
+                ProtocolType = IdentityServerConstants.ProtocolTypes.Saml2p,
+                RedirectUris = new List<string>()
+                {
+                    "https://localhost:5003/signin-saml"
+                },
+                
+                AllowedScopes = new List<string>
+                {
+                    IdentityServerConstants.StandardScopes.OpenId,
+                    IdentityServerConstants.StandardScopes.Profile,
+                }            
+            },
+            new Client()
+            {
+                ClientId = "https://localhost:5004",
+                ProtocolType = IdentityServerConstants.ProtocolTypes.Saml2p,
+                RedirectUris = new List<string>()
+                {
+                    "https://localhost:5004/signin-saml"
+                },
+                
+                AllowedScopes = new List<string>
+                {
+                    IdentityServerConstants.StandardScopes.OpenId,
+                    IdentityServerConstants.StandardScopes.Profile,
+                }            
+            }
+        };
+
+    public static IEnumerable<ServiceProvider> ServiceProvider => new List<ServiceProvider>()
+    {
+        new ServiceProvider()
+        {
+            EntityId = "https://localhost:5002",
+            AssertionConsumerServices = new List<Service>()
+            {
+                new Service(SamlConstants.BindingTypes.HttpPost, "https://localhost:5002/signin-saml")
+            },
+            SingleLogoutServices = new List<Service>()
+            {
+              new Service(SamlConstants.BindingTypes.HttpPost, "https://localhost:5002/signout-saml")  
+            },
+            SigningCertificates = new List<X509Certificate2>()
+            {
+                new X509Certificate2("Resources/testclient.cer")
+            }
+        },
+        new ServiceProvider()
+        {
+          EntityId = "https://localhost:5003",
+          AssertionConsumerServices = new List<Service>()
+          {
+              new Service(SamlConstants.BindingTypes.HttpPost, "https://localhost:5003/signin-saml")
+          },
+          SingleLogoutServices = new List<Service>()
+          {
+            new Service(SamlConstants.BindingTypes.HttpPost, "https://localhost:5003/signout-saml")  
+          },
+          SigningCertificates = new List<X509Certificate2>()
+          {
+              new X509Certificate2("Resources/testclient.cer")
+          }
+        },
+        new ServiceProvider()
+        {
+            EntityId = "https://localhost:5004",
+            AssertionConsumerServices = new List<Service>()
+            {
+                new Service(SamlConstants.BindingTypes.HttpPost, "https://localhost:5004/signin-saml")
+            },
+            SingleLogoutServices = new List<Service>()
+            {
+                new Service(SamlConstants.BindingTypes.HttpPost, "https://localhost:5004/signout-saml")  
+            },
+            SigningCertificates = new List<X509Certificate2>()
+            {
+                new X509Certificate2("Resources/testclient.cer")
+            }
+        }
+    };
+}

DuendeIdentityServer/SLO/SamlOidcSLO/IdentityServer/HostingExtensions.cs

@@ -0,0 +1,68 @@
+using Common;
+using Duende.IdentityServer;
+using Duende.IdentityServer.Configuration;
+using IdentityServerHost;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.IdentityModel.Tokens;
+using Rsk.Saml.Configuration;
+using Serilog;
+
+namespace IdentityServer;
+
+internal static class HostingExtensions
+{
+    public static WebApplication ConfigureServices(this WebApplicationBuilder builder)
+    {
+        builder.Services.AddRazorPages();
+
+        builder.Services.AddIdentityServer(options =>
+            {
+                options.KeyManagement.Enabled = true;
+
+                //Required to use the SAML plugin with Key Management
+                options.KeyManagement.SigningAlgorithms = new[]
+                {
+                    new SigningAlgorithmOptions("RS256")
+                    {
+                        UseX509Certificate = true
+                    }
+                };
+            })
+            .AddInMemoryIdentityResources(Config.IdentityResources)
+            .AddInMemoryApiScopes(Config.ApiScopes)
+            .AddInMemoryClients(Config.Clients)
+            .AddTestUsers(TestUsers.Users)
+            .AddSamlPlugin(options =>
+            {
+                options.Licensee = TestConstants.Licensee;
+                options.LicenseKey = TestConstants.LicenseKey;
+
+                //Use Iterative SLO
+                options.UseIFramesForSlo = false;
+            })
+            .AddInMemoryServiceProviders(Config.ServiceProvider)
+            .AddInMemoryPersistedGrants();
+
+        return builder.Build();
+    }
+    
+    public static WebApplication ConfigurePipeline(this WebApplication app)
+    { 
+        app.UseSerilogRequestLogging();
+        if (app.Environment.IsDevelopment())
+        {
+            app.UseDeveloperExceptionPage();
+        }
+
+        app.UseStaticFiles();
+        app.UseRouting();
+            
+        app.UseIdentityServer()
+            .UseIdentityServerSamlPlugin();
+        
+        app.UseAuthorization();
+        app.MapRazorPages().RequireAuthorization();
+
+        return app;
+    }
+}

DuendeIdentityServer/SLO/SamlOidcSLO/IdentityServer/IdentityServer.csproj

@@ -0,0 +1,48 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+  <PropertyGroup>
+    <TargetFramework>net7.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <UserSecretsId>38ced442-cf32-4289-bb08-57d4a78831b3</UserSecretsId>
+  </PropertyGroup>
+  <ItemGroup>
+    <PackageReference Include="AspNetCore.ReCaptcha" Version="1.7.0" />
+    <PackageReference Include="Duende.IdentityServer.EntityFramework" Version="6.2.3" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.WsFederation" Version="7.0.4" />
+    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="7.0.4" />
+    <PackageReference Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="7.0.4" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="7.0.4" />
+    <PackageReference Include="Microsoft.Extensions.Caching.SqlServer" Version="7.0.4" />
+    <PackageReference Include="Microsoft.Extensions.Caching.StackExchangeRedis" Version="7.0.4" />
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
+    <PackageReference Include="Oracle.ManagedDataAccess.Core" Version="3.21.90" />
+    <PackageReference Include="Rsk.Saml.DuendeIdentityServer" Version="7.0.3" />
+    <PackageReference Include="Rsk.Saml.DuendeIdentityServer.EntityFramework" Version="7.0.1" />
+    <PackageReference Include="Serilog.AspNetCore" Version="6.1.0" />
+    <PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="7.0.4" />
+    <PackageReference Include="Serilog.Settings.Configuration" Version="3.4.0" />
+    <PackageReference Include="Serilog.Sinks.MSSqlServer" Version="6.3.0" />
+    <PackageReference Include="System.ServiceModel.Http" Version="4.10.2" />
+    <PackageReference Include="System.ServiceModel.Primitives" Version="4.10.2" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Update="Resources\testclient.cer">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="..\Common\Common.csproj" />
+  </ItemGroup>
+  <ItemGroup>
+    <_ContentIncludedByDefault Remove="Pages\Ciba\All.cshtml" />
+    <_ContentIncludedByDefault Remove="Pages\Ciba\Consent.cshtml" />
+    <_ContentIncludedByDefault Remove="Pages\Ciba\Index.cshtml" />
+    <_ContentIncludedByDefault Remove="Pages\Ciba\_ScopeListItem.cshtml" />
+    <_ContentIncludedByDefault Remove="Pages\Device\Index.cshtml" />
+    <_ContentIncludedByDefault Remove="Pages\Device\Success.cshtml" />
+    <_ContentIncludedByDefault Remove="Pages\Device\_ScopeListItem.cshtml" />
+    <_ContentIncludedByDefault Remove="Pages\Diagnostics\Index.cshtml" />
+    <_ContentIncludedByDefault Remove="Pages\Grants\Index.cshtml" />
+    <_ContentIncludedByDefault Remove="Pages\ExternalLogin\Callback.cshtml" />
+    <_ContentIncludedByDefault Remove="Pages\ExternalLogin\Challenge.cshtml" />
+  </ItemGroup>
+</Project>

DuendeIdentityServer/SLO/SamlOidcSLO/IdentityServer/Pages/Account/AccessDenied.cshtml

@@ -0,0 +1,10 @@
+@page
+@model IdentityServerHost.Pages.Account.AccessDeniedModel
+@{
+}
+<div class="row">
+    <div class="col">
+        <h1>Access Denied</h1>
+        <p>You do not have permission to access that resource.</p>
+    </div>
+</div>

DuendeIdentityServer/SLO/SamlOidcSLO/IdentityServer/Pages/Account/AccessDenied.cshtml.cs

@@ -0,0 +1,11 @@
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+
+namespace IdentityServerHost.Pages.Account;
+
+public class AccessDeniedModel : PageModel
+{
+    public void OnGet()
+    {
+    }
+}