akunzai · akunzai · Feb 17, 2024 · Feb 16, 2024
diff --git a/.devcontainer/keycloak/import/demo-realm.json b/.devcontainer/keycloak/import/demo-realm.json
@@ -2247,7 +2247,7 @@
     "cibaInterval" : "5",
     "realmReusableOtpCode" : "false"
   },
-  "keycloakVersion" : "23.0.3",
+  "keycloakVersion" : "23.0.6",
   "userManagedAccessAllowed" : false,
   "clientProfiles" : {
     "profiles" : [ ]

diff --git a/samples/AspNetCoreSample/AspNetCoreSample.csproj b/samples/AspNetCoreSample/AspNetCoreSample.csproj
@@ -28,7 +28,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <None Update="saml2.p12">
+    <None Update="*.p12">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>
   </ItemGroup>

diff --git a/samples/AspNetCoreSample/Program.cs b/samples/AspNetCoreSample/Program.cs
@@ -165,7 +165,21 @@ await context.Options.Events.RedirectToLogout(new RedirectContext<CookieAuthenti
         options.SPOptions.EntityId = new EntityId(builder.Configuration["SAML2:SP:EntityId"]);
         options.SPOptions.ServiceCertificates.Add(new X509Certificate2(
             builder.Configuration["SAML2:SP:Certificate:Path"]!,
-            builder.Configuration["SAML2:SP:Certificate:Pass"]!));
+            builder.Configuration["SAML2:SP:Certificate:Pass"],
+            X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet));
+
+        var decryptionCertificatePath = builder.Configuration["SAML2:SP:Decryption:Certificate:Path"];
+        if (!string.IsNullOrWhiteSpace(decryptionCertificatePath) && File.Exists(decryptionCertificatePath))
+        {
+            options.SPOptions.ServiceCertificates.Add(new ServiceCertificate
+            {
+                Certificate = new X509Certificate2(decryptionCertificatePath,
+                    builder.Configuration["SAML2:SP:Decryption:Certificate:Pass"],
+                    X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet),
+                Use = CertificateUse.Encryption
+            });
+        }
+
         options.SPOptions.TokenValidationParametersTemplate.NameClaimType = ClaimTypes.NameIdentifier;
         options.IdentityProviders.Add(
             new IdentityProvider(new EntityId(builder.Configuration["SAML2:IdP:EntityId"]), options.SPOptions)

diff --git a/samples/AspNetCoreSample/appsettings.Development.json b/samples/AspNetCoreSample/appsettings.Development.json
@@ -18,14 +18,5 @@
     "ClientId": "oidc",
     "ClientSecret": "AGtQZ3m2rHK63lQpoZ35vFXG6MgjkN5w",
     "SaveTokens": true
-  },
-  "SAML2": {
-    "SP": {
-      "Certificate": {
-        "Path": "saml2.p12",
-        "Pass": "changeit"
-      },
-      "EntityId": "saml"
-    }
   }
 }
diff --git a/samples/AspNetCoreSample/appsettings.json b/samples/AspNetCoreSample/appsettings.json
@@ -21,7 +21,11 @@
       "MetadataLocation": "https://auth.dev.local/realms/demo/protocol/saml/descriptor"
     },
     "SP": {
-      "EntityId": "CHANGE_ME"
+      "EntityId": "saml",
+      "Certificate": {
+        "Path": "saml.p12",
+        "Pass": "changeit"
+      }
     }
   }
 }
diff --git a/samples/AspNetCoreSample/saml.p12 b/samples/AspNetCoreSample/saml.p12
diff --git a/samples/AspNetCoreSample/saml2.p12 b/samples/AspNetCoreSample/saml2.p12
diff --git a/samples/OwinSample/App_Data/saml.p12 b/samples/OwinSample/App_Data/saml.p12
diff --git a/samples/OwinSample/App_Data/saml2.p12 b/samples/OwinSample/App_Data/saml2.p12
diff --git a/samples/OwinSample/OwinSample.csproj b/samples/OwinSample/OwinSample.csproj
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="15.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
   <PropertyGroup>
@@ -83,7 +83,9 @@
       <DependentUpon>appsettings.json</DependentUpon>
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>
-    <Content Include="App_Data\saml2.p12" />
+    <None Include="App_Data\*.p12">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
   </ItemGroup>
   <ItemGroup>
     <PackageReference Include="Microsoft.AspNet.Mvc" />

diff --git a/samples/OwinSample/Startup.cs b/samples/OwinSample/Startup.cs
@@ -1,4 +1,5 @@
 using System;
+using System.IO;
 using System.Security.Claims;
 using System.Security.Cryptography.X509Certificates;
 using System.Threading.Tasks;
@@ -224,15 +225,24 @@ public void Configuration(IAppBuilder app)
 
         private static Saml2AuthenticationOptions CreateSaml2Options(IConfiguration configuration)
         {
-            var spOptions = new SPOptions() { EntityId = new EntityId(configuration["SAML2:SP:EntityId"]) };
-            var certPath = configuration["SAML2:SP:Certificate:Path"];
-            if (certPath != null && certPath.StartsWith("~"))
+            var spOptions = new SPOptions { EntityId = new EntityId(configuration["SAML2:SP:EntityId"]) };
+            spOptions.ServiceCertificates.Add(new X509Certificate2(
+                HttpContext.Current.Server.MapPath(configuration["SAML2:SP:Certificate:Path"]),
+                configuration["SAML2:SP:Certificate:Pass"],
+                X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet));
+            var decryptionCertificatePath =
+                HttpContext.Current.Server.MapPath(configuration["SAML2:SP:Decryption:Certificate:Path"]);
+            if (!string.IsNullOrWhiteSpace(decryptionCertificatePath) && File.Exists(decryptionCertificatePath))
             {
-                certPath = HttpContext.Current.Server.MapPath(certPath);
+                spOptions.ServiceCertificates.Add(new ServiceCertificate
+                {
+                    Certificate = new X509Certificate2(decryptionCertificatePath,
+                        configuration["SAML2:SP:Decryption:Certificate:Pass"]!,
+                        X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet),
+                    Use = CertificateUse.Encryption
+                });
             }
 
-            spOptions.ServiceCertificates.Add(
-                new X509Certificate2(certPath, configuration["SAML2:SP:Certificate:Pass"]));
             spOptions.TokenValidationParametersTemplate.NameClaimType = ClaimTypes.NameIdentifier;
             var options = new Saml2AuthenticationOptions(false) { SPOptions = spOptions };
             var idp = new IdentityProvider(new EntityId(configuration["SAML2:IdP:EntityId"]), spOptions)

diff --git a/samples/OwinSample/appsettings.Development.json b/samples/OwinSample/appsettings.Development.json
@@ -2,14 +2,5 @@
   "OIDC": {
     "ClientId": "oidc",
     "ClientSecret": "AGtQZ3m2rHK63lQpoZ35vFXG6MgjkN5w"
-  },
-  "SAML2": {
-    "SP": {
-      "Certificate": {
-        "Path": "~/App_Data/saml2.p12",
-        "Pass": "changeit"
-      },
-      "EntityId": "saml"
-    }
   }
 }
diff --git a/samples/OwinSample/appsettings.json b/samples/OwinSample/appsettings.json
@@ -14,7 +14,11 @@
       "MetadataLocation": "https://auth.dev.local/realms/demo/protocol/saml/descriptor"
     },
     "SP": {
-      "EntityId": "CHANGE_ME"
+      "EntityId": "saml",
+      "Certificate": {
+        "Path": "~/App_Data/saml.p12",
+        "Pass": "changeit"
+      }
     }
   }
 }