Sustainsys.Saml2
Is this certificate for current or future use?
The certificate is used for current requests
The certificate is used for current and/or future requests
How is the certificate used?
The certificate is used for either signing or encryption, or both.
Equivalent to Signing | Encryption.
The certificate is used for signing outbound requests
The certificate is used for decrypting inbound assertions
The certificate is used as a TLS client certificate for outbound
TLS requests.
Extension methods for claims.
Create a Saml2NameIdentifier from a claim.
Name identifier or Saml2 logout info claim.
Saml2NameIdentifier
The field order is: NameQualifier, SPNameQualifier, Format, SPProvidedID, Value
Extension methods for Claims Identities
Creates a Saml2Assertion from a ClaimsIdentity.
Claims to include in Assertion.
Issuer to include in assertion.
Saml2Assertion
Creates a Saml2Assertion from a ClaimsIdentity.
Claims to include in Assertion.
Issuer to include in assertion.
Audience to set as audience restriction.
Saml2Assertion
Creates a Saml2Assertion from a ClaimsIdentity.
Claims to include in Assertion.
Issuer to include in assertion.
Audience to set as audience restriction.
In response to id
The destination Uri for the message
Saml2Assertion
Create a Saml2NameIdentifier from the identity.
Identity to get NameIdentifier claim from.
Saml2NameIdentifier
Config collection of ArtifactResolutionElements.
Factory for element type.
Get an identifying key of the element.
Element
Index of endpoint
Generic enumerator.
Generic enumerator
Configuration of an artifact resolution service endpoint on an idp.
Index of the artifact resolution service endpoint.
Location of the endpoint.
Collection of certificate elements.
Create a new element of the right type.
A new certificate element
Get the key of an element.
Element to get key of.
A guid. There is no support for removing items and we
want this to be unique.
Get enumerator for the elements.
Config element for the signing certificate.
Allows local modification of the configuration for testing purposes
File name of cert stored in file.
Store name to search.
Store location to search.
The search term used for searching the certificate store.
Find type, what field to search.
Load the certificate pointed to by this configuration.
Certificate
Compatibility settings. Can be used to make Saml2 accept
certain non-standard behaviour.
Ctor
Ctor
Config element to load
If an EntitiesDescriptor element is found when loading metadata
for an IdentityProvider, automatically check inside it if there
is a single EntityDescriptor and in that case use it.
Do not send logout state cookie, e.g. if you are not using ReturnUrl
or if you know the cookie will be lost due to cross-domain redirects
Honor the owin authentication mode even on logout. Normally the logout
handling is always done as if the middleware was active, to allow for
simple sign out without specifying an auth type.
Do not read the AuthnContext element in Saml2Response.
If you do not need these values to be present as claims in the generated
identity, using this option can prevent XML format errors (IDX13102),
e.g. when a value cannot be parsed as an absolute URI.
Ignore the check for the missing InResponseTo attribute in the Saml response.
This is different to setting the allowUnsolicitedAuthnResponse as it will only
ignore the InResponseTo attribute if there is no relayState. Setting
IgnoreMissingInResponseTo to true will always skip the check.
Handling logout requires access to the authenticated user session. If logout
is done over the POST binding, the session cookie must have SameSite=None
set (which is probably a bad idea). To avoid problems, disable logout
over POST in metadata by default.
The SAML2 spec says in section 4.4.4.2:
"... The responder MUST authenticate itself to the requester and ensure message integrity, either by signing the message or using a binding-specific mechanism."
Unfortunately not all IDPs seem to follow the specification. Disables the requirement for a signed LogoutResponse.
Compatibility settings. Can be used to make Saml2 accept
certain non-standard behaviour.
Used for testing, always returns true in production.
Returns true (unless during tests)
If an EntitiesDescriptor element is found when loading metadata
for an IdentityProvider, automatically check inside it if there
is a single EntityDescriptor and in that case use it.
Do not send logout state cookie, e.g. if you are not using ReturnUrl
or if you know the cookie will be lost due to cross-domain redirects
Ignore the check for the missing InResponseTo attribute in the Saml response.
This is different to setting the allowUnsolicitedAuthnResponse as it will only
ignore the InResponseTo attribute if there is no relayState. Setting
IgnoreMissingInResponseTo to true will always skip the check.
Collection of items with two sources: configured and dynamically loaded, e.g. from
metadata. The dynamically loaded items can be reset while the configured ones are kept.
Add a configured key.
Key to add.
Add a configured certificate.
Certificate to add.
Set the complete set of loaded items keys. Previously loaded items
are cleared, configured items remain.
Items to set
The loaded items.
Gets an enumerator to the combined set of keys.
Enumerator
Contact person for a SAML2 entity.
The type of this contact. A value from the
System.IdentityModel.Metadata.ContactType enumeration.
Name of the company of the contact.
Given name of the contact.
Surname of the contact.
Phone number of the contact.
E-mail of the contact.
Config collection of contacts.
Create a new element of the right type.
A new ContactPersonElement.
Get the key of an element.
Element to get key of.
A guid. There is no support for removing items and we
want this to be unique.
Get enumerator for the elements.
Converts between string and EntityId, used by the configuration system to
allow configuration properties of type EntityId.
Converts a string to an EntityId
Ignored
Ignored
String to convert
EntityID
Config collection of federations.
Create new element of the right type.
FederationElement
Get the key of an element, which is the metadata url.
FederationElement
Generic IEnumerable implementation.
Enumerator
Registers the identity providers from the configured federations in the identity provider dictionary.
Current options.
Configuration of a federation.
Location (url, local path or app relative path such as ~/App_Data)
where metadata is located.
Are unsolicited responses from the idps in the federation allowed?
Signing certificates for the federation
Config collection of IdentityProviderElements.
Create new element of right type.
IdentityProviderElement
Get the name of an element.
IdentityProviderElement
element.Name
Get a strongly typed enumerator.
Strongly typed enumerator.
Register the configured identity providers in the dictionary of active idps.
Current options.
A thread safe wrapper around a dictionary for the identity providers.
First I thought about using a ConcurrentDictionary, but that does not maintain
any order of the added objects. Since the first idp added becomes the default idp,
the order must be preserved. And there have to be queuing semantics if the first idp
is dynamically loaded from a federation and later removed. Locks are simple and
this part of the code shouldn't be that performance-sensitive.
Gets an idp from the entity id.
entity Id to look up.
IdentityProvider
Add an identity provider to the collection.
Identity provider to add.
The default identity provider; i.e. the first registered of the currently known.
Gets all currently known identity providers. Note that the returned
enumeration is a copy to avoid race conditions.
Try to get the value of an idp with a given entity id.
Entity id to search for.
The idp, if found.
True if an idp with the given entity id was found.
Checks if there are no known identity providers.
Removes the idp with the given entity id, if present. If no such
entity is found, nothing is done.
EntityId of idp to remove.
Config element for the identity provider element.
Allows local modification of the configuration for testing purposes
EntityId as presented by the idp. Used as key to configuration.
Destination url to send sign in requests to.
Single logout url endpoint of Idp.
The binding to use when sending requests to the Idp.
Certificate location for the certificate the Idp uses to sign its messages.
Signing algorithm for outbound messages to this Idp. Overrides the
main signature algorithm configured in .
Allow unsolicited responses, that is, responses where the InResponseTo attribute is missing (no preceding AuthnRequest).
If true, InResponseTo is not required.
If false, InResponseTo is required.
Even though AllowUnsolicitedAuthnResponse is true, the InResponseTo must be valid if present.
Enable automatic downloading of metadata from the well-known URI (i.e. interpret
the EntityID as a URI and download metadata from it).
Metadata location url to be used for automatic downloading of metadata.
Artifact Resolution endpoints for the identity provider.
Does this Idp want the AuthnRequests to be signed?
Disable outbound logout requests to this idp, even though
Saml2 is configured for single logout and the idp supports
it. This setting might be usable when adding SLO to an existing
setup, to ensure that everyone is ready for SLO before activating.
Indicates that the IDP sends the return url as part of the RelayState.
This is used when is enabled.
Root interface for the options objects, handling all configuration of
Saml2.
Options for the service provider's behaviour; i.e. everything except
the idp list and the notifications.
Information about known identity providers.
Set of callbacks that can be used as extension points for various
events.
Metadata configuration.
Used by tests to write-enable config.
Are the element contents read-only? Always true in production, but
can be changed during tests.
Are the element contents read-only?
Information about organization.
Optional attribute that describes for how long anyone may cache the metadata
presented by the service provider. Defaults to 1 hour.
How long after generation should the metadata be valid?
Collection of contacts.
Requested attributes of the service provider.
Metadata flag that we want assertions to be signed.
NamedId policy configuration element.
Allow create.
The NameId format.
Options implementation for handling in memory options.
Set of callbacks that can be used as extension points for various
events.
Reads the options from the current config file.
Options object.
Creates an options object with the specified SPOptions.
Options for the service provider's behaviour; i.e. everything except
the idp and federation list.
Available identity providers.
Information about the organization responsible for the entity.
Is this section readonly?
Is this section readonly?
Name of the organization.
Display name of the organization.
Url of the organization.
The language that should be used for the organization strings.
Config for a requested element in the SPs metadata.
Name of the attribute. Usually of the form urn:oid:....
Friendly, human readable name of the attribute.
Format of the Name property, one of the standard Uris in the saml specification.
Is this attribute required by the SP for it to work correctly?
Collection of requested attributes that an SP wants in incoming assertions.
Create a new element of the right type.
A new RequestedAttributeElement
Get the key of an element.
Element to get key of.
The name of the requested attribute.
Get a generic enumerator to the collection.
Generic enumerator
Configuration of RequestedAuthnContext in generated AuthnRequests.
Used for testing, always returns true in production.
Returns true (unless during tests)
AuthnContextClassRef. Either a full URL or the last word of a
standard URL.
Comparison mode of AuthnContextClassRef
Set of callbacks that can be used as extension points for various
events.
Notification called when a
has been created. The authenticationrequest can be amended and
modified.
Notification called when the SignIn command has produced a
, but before anything has been applied
to the outgoing response. Set the
flag to suppress the library's built in apply functionality to the
outgoing response.
Notification called when the SignIn command is about to select
what Idp to use for the request. The EntityId is the one supplied
(e.g. through query string). To select a specific IdentityProvider
simply return it. Return null to fall back to built-in selection.
Notification called to decide if a SameSite=None attribute should
be set for a cookie. The default implementation is based on the pseudo
code in https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/
More covering code can be found at
https://www.chromium.org/updates/same-site/incompatible-clients but that cannot
be shipped with the library due to the license.
Notification called when the logout command is about to use the
StoredRequestState
derived from the request's RelayState data.
Return a different StoredRequestState if you would like to customize the
RelayState lookup.
Notification called when a command is about to construct a fully-qualified url
Return a non-null Uri if you need to override this per request. Otherwise
it will fall back to the normal logic that checks the request Uri
and the SPOptions.PublicOrigin setting
Notification called when single logout status is returned from IDP.
Return true to indicate that your notification has handled this status. Otherwise
it will fall back to the normal status processing logic.
Get a binding that can unbind data from the supplied request. The
default is to use
Notification called when the command has extracted data from
request (by using )
Notification called when the ACS command has produced a
, but before anything has been applied
to the outgoing response. Set the
flag to suppress the library's built in apply functionality to the
outgoing response.
Notification called when the Logout command has produced a
, but before anything has been applied
to the outgoing response. Set the
flag to suppress the library's built in apply functionality to the
outgoing response.
Notification called when a logout request is created to initiate single log
out with an identity provider.
Notification called when a logout request has been transformed to an XML node tree.
Notification called when a logout request has been received and processed and a Logout Response has been created.
Notification called when metadata has been created, but before
signing. At this point the contents of the metadata can be
altered before presented.
Notification called when the Metadata command has produced a
, but before anything has been applied
to the outgoing response. Set the
flag to suppress the library's built in apply functionality to the
outgoing response.
Notification called by the SignIn and Logout commands to validate a ReturnUrl that is not relative.
Return true to indicate that you accept the ReturnUrl, false otherwise.
The default validation does not accept any absolute URL.
When false is returned, the SignIn and Logout commands will throw an .
Notification called when getting an identity provider. Default version is to return
the given idp from Options.IdentityProviders.
Callbacks that allow modifying the validation behavior in potentially unsafe/insecure ways
Callbacks that allow modification of validation behavior in potentially unsafe/insecure ways
Notification called when the token handler has populated the
. Modify its properties to customize
the generated validation parameters.
Notification called when an incoming Saml Response contains an unexpected
InResponseTo value. Return true to accept the message despite this.
This notification has been added to aid in troubleshooting a
hard-to-track-down issue. It will be removed in a future release if a
better solution is identified thanks to the added production analysis
that this enables.
Certificates used by the service provider for signing, decryption and
TLS client certificates for artifact resolve.
Add a certificate to the collection with default status use and
metadata behaviour.
Certificate to add.
Add to the collection at the specified position.
Position index.
Service certificate to add.
Config element for the service certificate element.
Is this certificate for current or future use?
Intended use of the certificate
How should we override the metadata publishing rules?
Config collection of ServiceCertificateElements.
Create new element of right type.
ServiceCertificateElement
Get the name of an element.
ServiceCertificateElement
element.Name
Get a strongly typed enumerator.
Strongly typed enumerator.
Register the configured service certificates.
Current options.
Signing behavior for requests.
Sign AuthnRequests if the idp is configured for it. This is the
default behavior.
Always sign AuthnRequests. AuthnRequestsSigned is set to true
in metadata.
Never sign AuthnRequests.
Options for the service provider's behaviour; i.e. everything except
the idp and federation list.
Ctor
Construct the options from the given configuration section
Return Uri to redirect the client to, if no return uri was specified
when initiating the signin sequence.
Recommended cache refresh interval for those who read our
metadata.
Maximum validity duration after fetch for those who read our
metadata. Exposed as an absolute validUntil time in the metadata.
If set to null, no validUntil is exposed in metadata.
The security token handler used to process incoming assertions for this SP.
The default value is to lazy create one using the current EntityId.
Url to discovery service to use if no idp is specified in the sign in call.
EntityId - The identity of the ServiceProvider to use when sending requests to Idp
and presenting the SP in metadata.
Application root relative path for Saml2 endpoints. The
default is "/Saml2".
By default, the service provider uses the host, protocol, port and
application root path from the HTTP request when creating links.
This might not be accurate in reverse proxy or load-balancing
situations. You can override the origin used for link generation
for the entire application using this property. To override per request,
implement a GetPublicOrigin
Notification function.
Metadata describing the organization responsible for the entity.
NameId Policy.
RequestedAuthnContext
Collection of contacts for the SAML2 entity.
Collection of attribute consuming services for the service provider.
Certificates used by the service provider for signing or decryption.
Certificates valid for use in decryption
Certificate for use in signing outbound requests
Certificates to be published in metadata
Signing behaviour for AuthnRequests.
Signing algorithm for metadata and outbound messages. Can be
overridden for each .
Metadata flag that we want assertions to be signed.
Validate certificates when validating signatures? Normally not a
good idea, as SAML2 deployments typically exchange certificates
directly instead of relying on the public certificate
infrastructure.
Compatibility settings. Can be used to make Saml2 accept
certain non-standard behaviour.
Minimum accepted signature algorithm for any incoming messages.
Adapter to logging framework of hosting application.
Template for token validation parameters. Some security critical validation
parameters are set for each use. The Unsafe.TokenValidationParametersCreated notification
is called after those are set, in case they need to be overridden.
Config section for the module.
Used for testing, always returns true in production.
Returns true (unless during tests)
Current config as read from app/web.config.
EntityId - The identity of the ServiceProvider to use when sending requests to Idp
and presenting the SP in metadata.
The Url to redirect back to after successful authentication.
By default, the service provider uses the host, protocol, and port
from the HTTP request when creating links. This might not be
accurate in reverse proxy or load-balancing situations. You can
override the origin used for link generation using this property.
Set of identity providers known to the service provider.
Set of federations. The service provider will trust all the idps in these federations.
Url to discovery service to use if no idp is specified in the sign in call.
Application root relative path for Saml2 endpoints. The
default is "Saml2".
NamedId policy element.
RequestedAuthnContext config.
Metadata describing the organization responsible for the entity.
Metadata of the service provider.
Contacts for the SAML2 entity.
Attribute consuming services.
Certificates used by the service provider for signing and/or decryption.
Signing behavior for created AuthnRequests.
Signing algorithm for metadata and outbound messages. Can be
overridden for each .
Weakest accepted signing algorithm for inbound messages.
Validate certificates when validating signatures? Normally not a
good idea, as SAML2 deployments typically exchange certificates
directly instead of relying on the public certificate
infrastructure.
Compatibility settings. Can be used to make Saml2 accept
certain non-standard behaviour.
Helper methods for DateTime formatting.
Format a datetime for inclusion in SAML messages.
Datetime to format.
Formatted value.
A SAML response was found, but could not be parsed due to formatting issues.
Ctor
Ctor
Message of the exception.
Ctor
Message of the exception.
Inner exception.
Serialization Ctor
Serialization info
Serialization context
Exception thrown when a signature is not valid according to the
SAML standard.
Default ctor
Ctor
Message of exception
Ctor
Message
Inner exception
Serialization Ctor
Serialization info
Serialization context
No saml response was found in the http request.
Default Ctor, setting message to a default.
Ctor
Message of the exception.
Ctor
Message of the exception.
Inner exception.
Serialization Ctor
Serialization info
Serialization context
Base class for authentication services specific exceptions, that might
require special handling for error reporting to the user.
Default Ctor
Ctor
Message of the exception.
Ctor
Message of the exception.
Inner exception.
Serialization Ctor
Serialization info
Serialization context
A SAML2 Response failed validation.
Ctor
Ctor
Message of the exception.
Ctor
Message of the exception.
Inner exception.
Serialization Ctor
Serialization info
Serialization context
A SAML2 Response failed InResponseTo validation because RelayState is lost, or an unsolicited response contains an InResponseTo
Ctor
Ctor
Message of the exception.
Ctor
Message of the exception.
Inner exception.
Serialization Ctor
Serialization info
Serialization context
Extended exception containing information about the status and status message SAML response.
Status of the SAML2Response
Status message of SAML2Response
Second level status of SAML2Response
Ctor, bundling the Saml2 status codes and message into the exception message.
Exception message.
Status of the SAML2Response
Status message of SAML2Response
Second level status of SAML2Response
Represents a federation known to this service provider.
Ctor
Config to use to initialize the federation.
Options to pass on to created IdentityProvider
instances and register identity providers in.
Ctor
Location (url, local path or app
relative path such as ~/App_Data) where metadata is located.
Should unsolicited responses
from idps in this federation be accepted?
Options to pass on to created IdentityProvider
instances and register identity providers in.
Ctor
Location (url, local path or app
relative path such as ~/App_Data) where metadata is located.
Should unsolicited responses
from idps in this federation be accepted?
Options to pass on to created IdentityProvider
instances and register identity providers in.
List of signing keys to use to validate metadata.
Ctor
Location (url, local path or app
relative path such as ~/App_Data) where metadata is located.
Should unsolicited responses
from idps in this federation be accepted?
Options to pass on to created IdentityProvider
instances and register identity providers in.
List of signing keys to use to validate metadata.
For how long is the metadata that the federation has loaded valid?
Null if there is no limit.
Signing keys to use to verify the metadata before using it.
Permitted cache duration for the metadata.
Valid until
Represents a known identity provider that this service provider can communicate with.
Ctor
Entity id of the identity provider.
Service provider options to use when
creating AuthnRequests for this Idp.
Should this idp load metadata? The metadata is loaded immediately
when the property is set to true, so the
must be correct before setting LoadMetadata to true.
The binding used when sending AuthnRequests to the identity provider.
The Url of the single sign on service. This is where the browser is redirected or
where the post data is sent to when sending an AuthnRequest to the idp.
Artifact resolution endpoints on the idp.
The Url of the single sign out service. This is where the browser
is redirected or where the post data is sent to when sending a
LogoutRequest to the idp.
The Url to send single logout responses to. Defaults to
SingleLogoutServiceUrl.
Binding for the Single logout service. If not set, returns the
same as the main binding (used for AuthnRequests)
The Entity Id of the identity provider.
Is this idp allowed to send unsolicited responses, i.e. idp initiated sign in?
Does the RelayState contain the return url?
This setting is used only when the AllowUnsolicitedAuthnResponse setting is enabled.
Location of metadata for the Identity Provider. Automatically enables
. The location can be a URL, an absolute
path to a local file or an app relative path
(e.g. ~/App_Data/IdpMetadata.xml). By default the entity id is
interpreted as the metadata location (which is a convention).
Create an authenticate request aimed for this idp.
Urls for Saml2, used to populate fields
in the created AuthnRequest
Signing algorithm to be used when signing outbound messages.
Bind a Saml2 message using the active binding of the idp,
producing a CommandResult with the result of the binding.
This overload does not support the usage of Xml Created notifications.
The Saml2 message to bind.
CommandResult with the bound request.
Bind a Saml2 message using the active binding of the idp,
producing a CommandResult with the result of the binding.
Type of the message.
The Saml2 message to bind.
Notification to call with Xml structure
CommandResult with the bound message.
The public key of the idp that is used to verify signatures of responses/assertions.
Reads the supplied metadata and sets all properties of the
IdentityProvider based on the metadata.
Metadata to read.
Validity time of the metadata this idp was configured from. Null if
idp was not configured from metadata.
Does this Idp want the AuthnRequests signed?
Create a logout request to the idp, for the current identity.
Disable outbound logout requests to this idp, even though
Saml2 is configured for single logout and the idp supports
it. This setting might be usable when adding SLO to an existing
setup, to ensure that everyone is ready for SLO before activating.
Interface for an adapter around the logging framework used on each
platform.
Write informational message.
Message to write.
Write an error message
Message
Exception to include in error message.
Write an informational message on the verbose level.
Message to write
SymmetricAlgorithm decrypting implementation for http://www.w3.org/2009/xmlenc11#aes128-gcm.
This class is not a general implementation and can only do decryption.
A WebClient implementation that will add a list of client
certificates to the requests it makes.
Register the certificates to be used for this request.
Certificates to offer to server
Override the base class to add the certificates
to the request before returning it.
Helpers for delimited string, with support for escaping the delimiter
character.
Join strings with a delimiter and escape any occurrence of the
delimiter and the escape character in the strings.
Strings to join
Joined string
Split a delimited string into its parts, respecting escaped
delimiter characters.
Joined string from
Unescaped, split strings
Class to help with mapping virtual paths relative to the server.
Returns the base path of the website or application running.
Maps a virtual path to the BasePath of the running application.
The virtual path that needs to be mapped relative to the server.
A file path.
Determines if a virtual path is relative or not.
The path that is to be tested.
True if the path is relative otherwise false.
Determines if a url is relative to current host, excluding protocol-relative addresses
The path that is to be tested.
True if the url is relative otherwise false.
Class implements static methods to help parse a query string.
Splits a query string into its key/value pairs.
A query string, with or without the leading '?' character.
A collection with the parsed keys and values.
AES-GCM Nonce size defined in https://www.w3.org/TR/xmlenc-core1/#sec-AES-GCM
Crypto description for a Managed implementation of SHA256 signatures.
Ctor
Create a deformatter
Key
Deformatter
Create a formatter
Key
Formatter
How should we override the metadata publishing rules
No override. Published according to the normal rules.
Publish as Unspecified
Publish as Encryption
Publish as Signing
Do not publish
Metadata for an attribute consuming service.
Index of the endpoint
Is this the default endpoint?
Is the service required?
The name of the attribute consuming service.
Description of the attribute consuming service
Requested attributes.
Use this instance for reading metadata. It uses custom extensions
to increase feature support when reading metadata.
An indexed entry with an optional default
Index of the endpoint
Is this the default endpoint?
A collection of indexed entries with support for getting the
configured default entry
The type stored in the collection
Index of the endpoint
Is this the default endpoint?
Extensions for Metadatabase.
Use a MetadataSerializer to create an XML string out of metadata.
Metadata to serialize.
Certificate to sign the metadata
with. Supply null to not sign.
Algorithm to use when signing.
Helper for loading SAML2 metadata
Load and parse metadata.
Path to metadata. A Url, absolute
path or an app relative path (e.g. ~/App_Data/metadata.xml)
EntityDescriptor containing metadata
Load and parse metadata.
Path to metadata. A Url, absolute
path or an app relative path (e.g. ~/App_Data/metadata.xml)
If the metadata contains
an EntitiesDescriptor, try to unpack it and return a single
EntityDescriptor inside if there is one.
EntityDescriptor containing metadata
Load and parse metadata for a federation.
Url to metadata
Extended EntitiesDescriptor
Load and parse metadata for a federation.
Url to metadata
Validate the certificate when doing
signature validation. Normally a bad idea with SAML2, as certificates
are not required to be valid but are only used as convenient carriers
for keys.
Minimum strength accepted
for signing algorithm.
Extended EntitiesDescriptor
Specifies an attribute requested by the service provider.
Ctor
Name of the attribute.
Ctor
Name of the attribute.
Value of the attribute.
Is this attribute required by the service provider?
Uri used for NameFormat to specify that the Name is a Uri.
Uri used for NameFormat to specify that the format of the Name
is unspecified.
Uri used for NameFormat to specify that the format of the Name
fulfills the standard's basic requirements.
Extensions for NameIdFormat enum.
Get the full Uri for a NameIdFormat.
NameIdFormat to get Uri for
Uri
Logger adapter that does nothing.
Write an error message
Message
Exception to include in error message.
Write informational message.
Message to write.
Write an informational message on the verbose level.
Message to write
Generator of secure random keys.
Create a unique random string with a cryptographically secure
random function.
A random 56-character string.
Create a unique random array with a cryptographically secure
random function.
20 random bytes.
Simple default implementation of detection of browsers/devices not compatible with
the SameSite=None cookie attribute.
Based on https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1
Should a SameSite=None cookie attribute be emitted?
User Agent string
True if SameSite=None should be emitted.
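The check described above, as an added example (not the library's own implementation): a user-agent sniff in the spirit of the Microsoft guidance the summary links to. The substrings are taken from that guidance and are an assumption about what the library matches on; the point is that a SameSite=None cookie must not be emitted to clients that either reject it or misread it as Strict, because the state cookie must survive the cross-site POST back from the identity provider.

```csharp
using System;

// Added example, not Sustainsys.Saml2's own code. The user-agent substrings
// below are an assumption taken from the Microsoft SameSite guidance.
public static class SameSiteNoneExample
{
    // Returns true when the SameSite=None attribute should be emitted for
    // the given client, false when the client is known to mishandle it.
    public static bool ShouldEmitSameSiteNone(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent))
        {
            return true; // no evidence of a broken client, use the standard value
        }

        // iOS 12 and Safari on macOS 10.14 treat an unknown SameSite value as
        // Strict, which would drop the cookie on the cross-site POST from the IdP.
        if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12"))
        {
            return false;
        }
        if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14")
            && userAgent.Contains("Version/") && userAgent.Contains("Safari"))
        {
            return false;
        }

        // Chrome 50 through 69 reject cookies that carry SameSite=None.
        if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
        {
            return false;
        }

        return true;
    }

    public static void Main()
    {
        // Constructed sample user agents, not captured from real traffic.
        var samples = new[]
        {
            "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15",
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/63.0.3239.132 Safari/537.36",
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/80.0.3987.149 Safari/537.36",
        };
        foreach (var ua in samples)
        {
            Console.WriteLine($"{ShouldEmitSameSiteNone(ua)}  {ua}");
        }
        // Expected: False, False, True
    }
}
```

When the check returns false the cookie is written without any SameSite attribute at all; emitting SameSite=Lax instead would still block the POST-bound response.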
Extension methods for Saml2Assertion
Writes out the assertion as an XElement.
The assertion to create xml for.
XElement
Claim type constants.
Session index is set by the idp and is used to correlate sessions
during single logout.
Original subject name identifier from the SAML2 idp, that should
be logged out as part of a single logout scenario.
Extension methods for Saml2Condition
Writes out the conditions as an XElement.
Conditions to create xml for.
XElement
Extension methods for Saml2NameId
Create XElement for the Saml2NameIdentifier.
SAML2 namespace constants.
Namespace of the SAML2 protocol.
Namespace of the SAML2 protocol.
Namespace Uri of Saml2 protocol.
Namespace of SAML2 assertions.
Namespace of SAML2 assertions.
Namespace Uri of SAML2 assertions.
Namespace of SAML2 Metadata.
Namespace of SAML2 Metadata.
Namespace for idp discovery protocol extension.
Namespace for idp discovery protocol extension.
Namespace for Xml schema instance.
Namespace for Soap envelope.
Namespace for Soap envelope.
Comparison setting for RequestedAuthnContext, see SAML2 Core spec 3.3.2.2.1.
Exact match is required. This is the default.
The resulting AuthnContext must be at least as strong as the
specified classRef.
The resulting AuthnContext must be at most as strong as the
specified classRef.
The resulting AuthnContext must be better than the specified
classRef. The classRef specified is thus not permitted.
Wraps a and generates a signature automatically when the envelope
is written completely. By default the generated signature is inserted as
the last element in the envelope. This can be modified by explicitly
calling WriteSignature to indicate the location inside the envelope where
the signature should be inserted.
Initializes an instance of . The returned writer can be directly used
to write the envelope. The signature will be automatically generated when
the envelope is completed.
Writer to wrap.
SigningCredentials to be used to generate the signature.
The reference Id of the envelope.
if is null.
if is null.
if is null or Empty.
Initializes an instance of . The returned writer can be directly used
to write the envelope. The signature will be automatically generated when
the envelope is completed.
Writer to wrap.
SigningCredentials to be used to generate the signature.
The reference Id of the envelope.
inclusive prefix list to use for exclusive canonicalization.
if is null.
if is null.
if is null or Empty.
Gets or sets the to use.
if value is null.
Calculates and inserts the Signature.
Sets the position of the signature within the envelope. Call this
method while writing the envelope to indicate at which point the
signature should be inserted.
Overrides the base class implementation. When the last element of the envelope is written
the signature is automatically computed over the envelope and the signature is inserted at
the appropriate position, if WriteSignature was explicitly called or is inserted at the
end of the envelope.
Overrides the base class implementation. When the last element of the envelope is written
the signature is automatically computed over the envelope and the signature is inserted at
the appropriate position, if WriteSignature was explicitly called or is inserted at the
end of the envelope.
Overrides the base class. Writes the specified start tag and associates
it with the given namespace.
The namespace prefix of the element.
The local name of the element.
The namespace URI to associate with the element.
Releases the unmanaged resources used by the System.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureWriter and optionally
releases the managed resources.
True to release both managed and unmanaged resources; false to release only unmanaged resources.
Common properties of all Saml2 message implementations (both requests
and responses). There is no corresponding definition in the SAML2
standard, so this is made up of the common fields of 3.2.2 Complex Type
StatusResponseType (the base type for all responses) and of 3.2.1 Complex
Type RequestAbstractType.
The destination of the message.
Serializes the message into wellformed Xml.
string containing the Xml data.
Transforms the message to an XElement object tree.
XElement with Xml representation of the message
The name of the message to use in a query string or form input
field. Typically "SAMLRequest" or "SAMLResponse".
RelayState attached to the message.
Strictly speaking, this is not part of the message,
but it is delivered together with the message so we need to keep
track of it together with a message.
Certificate used to sign the message with during binding, according
to the signature processing rules of each binding.
The signing algorithm to use when signing the message during binding,
according to the signature processing rules of each binding.
The signing algorithm.
Issuer of the message.
Serializes the message into wellformed XML.
Saml2 message to transform to XML
Notification allowing modification of XML tree before serialization.
string containing the Xml data.
The NameId Format.
No NameId format has been configured. No format will be included
in AuthnRequests and metadata.
8.3.1 Unspecified
8.3.2 Email Address
8.3.3 X.509 Subject Name
8.3.4 Windows Domain Qualified Name
8.3.5 Kerberos Principal Name
8.3.6 Entity Identifier
8.3.7 Persistent Identifier
8.3.8 Transient Identifier
Artifact resolution request, corresponds to section 3.5.1 in SAML
core specification.
Artifact to resolve.
The SAML2 request name
Serializes the message into wellformed Xml.
string containing the Xml data.
A Saml2 ArtifactResponse message as specified in SAML2 Core 3.5.2.
Ctor
Parsed XML with message.
Contained message.
Status code of the Artifact response.
An authentication request corresponding to section 3.4.1 in SAML Core specification.
Default constructor
The SAML2 request name
Serializes the request to a Xml message.
XElement
Serializes the message into wellformed Xml
string containing the Xml data.
Read the supplied Xml and parse it into an authentication request.
xml data.
Relay State attached to the message or null if not present.
Saml2Request
On xml errors or unexpected xml structure.
Ctor
Xml data
RelayState associated with the message.
The assertion consumer url that the idp should send its response back to.
Index to the SP metadata where the list of requested attributes is found.
Scoping for request
NameId policy.
RequestedAuthnContext.
Binding type to request the Idp to use when responding.
Sets whether request should force the idp to authenticate the presenter directly,
rather than rely on a previous security context.
If false, the ForceAuthn parameter is omitted from the request.
If true, the request is sent with ForceAuthn="true".
Sets whether the request should ask for SAML passive login if possible.
If false, the IsPassive parameter is omitted from the request.
If true, the request is sent with IsPassive="true".
The Saml2IdPEntry specifies a single identity provider trusted by the
requester to authenticate the presenter
Initializes a new instance of the class.
The provider identifier.
A URI reference representing the location of a profile-specific
endpoint supporting the authentication request protocol. The
binding to be used must be understood from the profile of use.
A human-readable name for the identity provider.
The Entity Id of the Identity Provider. Cannot be null.
Create XElement for the Saml2IdPEntry.
A Saml2 LogoutRequest message (SAML core spec 3.7.1)
Ctor
Ctor
Id of message.
Create Saml2LogoutRequest from data in Xml.
Xml data to initialize the Saml2LogoutRequest from.
The SAML2 request name
Name id to logout.
Session index to logout.
Serializes the message into wellformed Xml.
string containing the Xml data.
A Saml2 Logout Response.
Ctor
Status of the response.
Serializes the message into wellformed Xml.
string containing the Xml data.
Appends xml for the Saml2LogoutResponse to the given parent node.
Xml for the Saml2LogoutResponse is appended
to the children of this node.
Load values into Saml2LogoutResponse from passed xml element
XmlElement containing a LogoutResponse
Saml2LogoutResponse
The NameId policy.
The class is used in created AuthnRequests, so it is
immutable to avoid unintended changes.
Ctor
Value of AllowCreate attribute. Set to null to omit.
The NameId format.
Somewhat ugly subclassing to be able to access some methods that are protected
on Saml2SecurityTokenHandler. The public interface of Saml2SecurityTokenHandler
expects the actual assertion to be signed, which is not always the case when
using Saml2-P. The assertion can be embedded in a signed response. Or the signing
could be handled at transport level.
Process authentication statement from SAML assertion. WIF chokes if the authentication statement
contains a DeclarationReference, so we clear this out before calling the base method
http://referencesource.microsoft.com/#System.IdentityModel/System/IdentityModel/Tokens/Saml2SecurityTokenHandler.cs,1970
Authentication statement
Claim subject
Assertion Issuer
Reads a <saml:Assertion> element.
A positioned at a element.
if is null.
if assertion is encrypted.
If is not positioned at a Saml2Assertion.
If Version is not '2.0'.
If 'Id' is missing.
If 'IssueInstant' is missing.
If no statements are found.
A instance.
Base class for saml requests, corresponds to section 3.2.1 in SAML Core specification.
The id of the request.
Version of the SAML request. Always returns "2.0"
The instant that the request was issued (well actually, created).
SAML message name for requests - hard coded to SAMLRequest.
The destination of the request.
The issuer of the request.
The additional content to append within an Extensions element.
The SAML2 request name
Transforms the message to an XElement object tree.
XElement with Xml representation of the message
Creates XNodes for the fields of the Saml2RequestBase class. These
nodes should be added when creating XML out of derived classes.
Reads the request properties present in Saml2RequestBase
Also validates basic properties of the request
The xml document to parse
Serializes the message into wellformed Xml.
string containing the Xml data.
RelayState attached to the message.
Certificate used to sign the message with during binding, according
to the signature processing rules of each binding.
The signing algorithm to use when signing the message during binding,
according to the signature processing rules of each binding.
The signing algorithm.
Configuration of RequestedAuthnContext
Ctor
Config element to load.
Ctor
AuthnContextClassRef
Comparison
Authentication context class reference.
Comparison method.
Represents a SAML2 response according to 3.3.3. The class is immutable (to an
external observer; internal state is lazily initialized).
Holds all assertion element nodes
Read the supplied Xml and parse it into a response.
xml data.
Saml2Response
On xml errors or unexpected xml structure.
Read the supplied Xml and parse it into a response.
xml data.
The expected value of the
InReplyTo parameter in the message.
Saml2Response
On xml errors or unexpected xml structure.
Read the supplied Xml and parse it into a response.
xml data.
The expected value of the
InReplyTo parameter in the message.
Service provider settings used when validating Saml response
Saml2Response
On xml errors or unexpected xml structure.
Ctor
Root xml element.
The expected value of the
InReplyTo parameter in the message.
Service provider settings used when validating Saml response
Ctor
Root xml element.
The expected value of the
InReplyTo parameter in the message.
Create a response with the supplied data.
Issuer of the response.
The certificate to use when signing
this response in XML form.
The destination Uri for the message
In response to id
Claims identities to be included in the
response. Each identity is translated into a separate assertion.
Create a response with the supplied data.
Issuer of the response.
The certificate to use when signing
this response in XML form.
The destination Uri for the message
In response to id
RelayState associated with the message.
Claims identities to be included in the
response. Each identity is translated into a separate assertion.
Create a response with the supplied data.
Issuer of the response.
The certificate to use when signing
this response in XML form.
The destination Uri for the message
In response to id
RelayState associated with the message.
Audience of the response, set as AudienceRestriction
Claims identities to be included in the
response. Each identity is translated into a separate assertion.
Certificate used to sign the message with during binding, according
to the signature processing rules of each binding.
The signing algorithm to use when signing the message during binding,
according to the signature processing rules of each binding.
The signing algorithm.
The response as an xml element. Either the original xml, or xml that is
generated from supplied data.
Transforms the message to an XElement object tree.
This operation is inefficient, but it is only used by
the StubIdp so it's acceptable.
XElement with Xml representation of the message
SAML Message name for responses, hard coded to SAMLResponse.
string representation of the Saml2Response serialized to xml.
string containing xml.
Id of the response message.
Expected InResponseTo as extracted from
InResponseTo id.
Issue instant of the response message.
Status code of the message according to the SAML2 spec section 3.2.2.2
StatusMessage of the message according to the SAML2 spec section 3.2.2.1
Optional status which MAY give additional information about the cause of the problem (according to the SAML2 spec section 3.2.2.2).
Because it may change in future specifications let's not make enum out of it yet.
Issuer (= sender) of the response.
The destination of the response message.
Gets all assertion element nodes from this response message.
All assertion element nodes.
Extract claims from the assertions contained in the response.
Service provider settings used when processing the response into claims.
ClaimsIdentities
Extract claims from the assertions contained in the response.
Service provider settings used when processing the response into claims.
Relay data stored when creating AuthnRequest, to be passed on to
GetIdentityProvider notification.
ClaimsIdentities
RelayState attached to the message.
Session termination time for a session generated from this
response.
Saml2Scoping specifies a set of identity providers trusted by the
requester to authenticate the presenter, as well as limitations and
context related to proxying of the authentication request message to
subsequent identity providers by the responder.
Gets advisory list of identity providers and associated information
that the requester deems acceptable to respond to the request.
Fluent config helper that adds a to the
Idp entry to add
this
Specifies the number of proxying indirections permissible between
the identity provider that receives the authentication request and
the identity provider who ultimately authenticates the principal.
A count of zero permits no proxying, while omitting (null) this
attribute expresses no such restriction.
Gets or sets the set of requesting entities on whose behalf the
requester is acting. Used to communicate the chain of requesters
when proxying occurs.
Fluent config helper that adds a requester id to the
Requester Id to add
this
Create XElement for the Saml2Scoping.
Saml2 Soap binding implementation.
This class does not follow the pattern of the other three bindings
(Redirect, POST and Artifact) because it does not use the front channel
with messages being passed over the user's browser.
Create a SOAP body around a specified payload.
Payload of the message.
Extract the body of a SOAP message.
xml data
Parsed data.
Send a SOAP request to the specified endpoint and return the result.
Message payload
Destination endpoint
Response.
Send a SOAP request to the specified endpoint and return the result.
Message payload
Destination endpoint
Client certificates to offer to the server.
Response.
Status codes, mapped against states in section 3.2.2.2 in the SAML2 spec.
Success.
Error because of the requester.
Error because of the responder.
Versions don't match.
The responding provider was unable to successfully authenticate the principal
Unexpected or invalid content was encountered within a saml:Attribute or saml:AttributeValue element.
The responding provider cannot or will not support the requested name identifier policy.
The specified authentication context requirements cannot be met by the responder.
Used by an intermediary to indicate that none of the supported identity provider Loc elements in
an IDPList can be resolved or that none of the supported identity providers are available.
Indicates the responding provider cannot authenticate the principal passively, as has been requested.
Used by an intermediary to indicate that none of the identity providers in an IDPList are supported by the intermediary.
Used by a session authority to indicate to a session participant that it was not able to propagate logout to all other session participants.
Indicates that a responding provider cannot authenticate the principal directly and is not permitted to proxy the request further.
The SAML responder or SAML authority is able to process the request but has chosen not to
respond. This status code MAY be used when there is concern about the security context of the
request message or the sequence of request messages received from a particular requester.
The SAML responder or SAML authority does not support the request.
The SAML responder cannot process any requests with the protocol version specified in the request.
The SAML responder cannot process the request because the protocol version specified in the
request message is a major upgrade from the highest protocol version supported by the responder.
The SAML responder cannot process the request because the protocol version specified in the
request message is too low.
The resource value provided in the request message is invalid or unrecognized.
The response message would contain more elements than the SAML responder is able to return.
An entity that has no knowledge of a particular attribute profile has been presented with an attribute
drawn from that profile.
The responding provider does not recognize the principal specified or implied by the request.
The SAML responder cannot properly fulfill the request using the protocol binding specified in the
request.
Abstract Saml2 StatusResponseType class.
Ctor
Status of the response
The destination of the message.
Issuer of the message.
Id of request message, if this message is a response to a previous
request.
The name of the message to use in a query string or form input
field. Typically "SAMLRequest" or "SAMLResponse".
RelayState attached to the message.
Strictly speaking, this is not part of the message,
but it is delivered together with the message so we need to keep
track of it together with a message.
Certificate used to sign the message with during binding, according
to the signature processing rules of each binding.
The signing algorithm to use when signing the message during binding,
according to the signature processing rules of each binding.
The signing algorithm.
Status code of the message.
Id of the message.
Issue instant.
Serializes the message into wellformed Xml.
string containing the Xml data.
Transforms the message to an XElement object tree.
XElement with Xml representation of the message
Extension methods for Saml2Statement
Writes out the statement as an XElement.
Statement to create xml for.
XElement
Extension methods for Saml2Subject
Writes out the subject as an XElement.
The subject to create xml for.
XElement
Writes out the subject confirmation as an XElement.
Writes out the subject confirmation data as an XElement.
Service Certificate definition
Ctor
Ctor for loading from configuration
X509 Certificate
Is this certificate for current or future use?
What is the intended use of this certificate.
How should we override the metadata publishing rules?
Stored data for pending requests.
Start of the cookie name for state preservation.
Ctor
The EntityId of the IDP the request was sent to
The Url to redirect back to after a successful login
ID of the SAML message, used to match InResponseTo
Aux data that can be stored across the authentication request.
The IDP the request was sent to
The Url to redirect back to after a successful login
Message id of the originating Saml message. Should match InResponseTo
in the response.
Aux data that need to be preserved across the authentication call.
Get a serialized representation of the data.
Serialized data
Ctor that restores a StoredRequestState object from serialized
representation.
data buffer
The level of trust that a certain piece of data comes with.
The data cannot be trusted at all.
The data was retrieved through a request that was initiated from
our end, but there was no transport protection.
The data was retrieved through a TLS protected request that was
initiated from our end, to a host that had a valid TLS certificate.
The data was signed and has been verified by a signing key.
Data is from a local configuration source. E.g. metadata or a
certificate loaded from disk.
Represents the assertion consumer service command behaviour.
Instances of this class can be created directly or by using the factory method
CommandFactory.GetCommand(CommandFactory.AcsCommandName).
Run the command, initiating or handling the assertion consumer sequence.
Request data.
Options
CommandResult
Reimplementation of System.Web.HttpCacheability.
Value is not initialized and probably a mistake.
Sets the Cache-Control: no-cache header.
The default value. Sets the cache control to "private".
Specifies that the response is cached only at the origin server.
Will disallow anyone but the server from caching the result.
Sets the Cache-Control to public.
The response is cached in the client and the server but nowhere else.
Factory to create the command objects that handle the incoming http requests.
The name of the Assertion Consumer Service Command.
The name of the Sign In Command.
The name of the Log Out Command.
The metadata command has no name - it is triggered at base url for
Saml2.
Gets a command for a command name.
Name of a command. Probably a path. A
leading slash in the command name is ignored.
A command implementation or notFoundCommand if invalid.
The results of a command.
Status code that should be returned.
Cacheability of the command result.
Location, if the status code is a redirect.
The extracted principal if the command has parsed an incoming assertion.
Session termination time. Priority order: 1. SessionNotOnOrAfter in
assertion. 2. WIF configured lifetime with SessionSecurityTokenHandler
3. SessionSecurityTokenHandler default.
The response body that is the result of the command.
The Mime-type
Data relayed from a previous request, such as the dictionary storing
the Owin Authentication Properties.
Indicates that the local session should be terminated. Used by
logout functionality.
Name of cookie to set.
Value of the "Secure" flag for the cookie (relevant if != null).
SAML RelayState value
Request state to store so that it is available on next http request.
Serialized request state.
Name of cookie to be cleared.
Ctor
Can be set by a notification callback to indicate that the
has been handled and should not
be applied by the Saml2 library to the response.
Other headers that should be set on the response.
The data of a http request that Saml2 needs to handle. A separate DTO is used
to make the core library totally independent of the hosting environment.
Ctor
Http method of the request
Full url requested
Form data, if present (only for POST requests)
Path to the application root
Cookies of request
Function that decrypts cookie
contents to clear text.
Ctor
Http method of the request
Full url requested
Form data, if present (only for POST requests)
Path to the application root
Cookies of request
Function that decrypts cookie
contents to clear text.
Claims Principal associated with the request
Ctor
Http method of the request
Full url requested
Form data, if present (only for POST requests)
Path to the application root
Function that reads cookie if it exists
Function that decrypts cookie
contents to clear text.
Claims Principal associated with the request
Escape a Base 64 encoded cookie value, matching the unescaping
that is done in the ctor.
Data to escape
Escaped data
The http method of the request.
The complete Url of the request.
The form data associated with the request (if any).
The query string parameters of the request.
The root Url of the application. This includes the virtual directory
that the application is installed in, e.g. http://hosting.example.com/myapp/
RelayState from SAML message
Request state from a previous call, carried over through cookie.
User (if any) associated with the request
A command - corresponds to an action in Mvc.
Run the command and return a result.
The http request that the input
data can be read from.
The options to use when performing the command.
The results of the command, as a DTO.
Represents the logout command behaviour.
Instances of this class can be created directly or by using the factory method
CommandFactory.GetCommand(CommandFactory.LogoutCommandName).
Run the command, initiating or handling the logout sequence.
Request data.
Options
CommandResult
Run the command, initiating or handling the logout sequence.
Request data.
Path to return to, only used if this
is the start of an SP-initiated logout.
Options
CommandResult
Initiate a federated logout.
Request data
Return url to redirect to after logout
Options
Terminate local session as part of signout?
Represents the service provider metadata command behaviour.
Instances of this class can be created directly or by using the factory method
CommandFactory.GetCommand(CommandFactory.MetadataCommandName).
Run the command, creating and returning the service provider metadata.
Request data.
Options
CommandResult
Represents a missing command.
Instances of this class are returned by CommandFactory.GetCommand(...)
when the specified command name is not recognised.
Run the command, returning a CommandResult specifying an HTTP 404 Not Found status code.
Request data.
Options
CommandResult
Saml2 Artifact binding.
Checks if the binding can extract a message out of the current
http request.
HttpRequest to check for message.
Options used to look up details of issuing
idp when needed (artifact binding).
True if the binding supports the current request.
Create a SAML artifact value.
Entity id of the artifact issuer.
Index of the artifact resolution endpoint
that the requester should use to resolve the artifact.
Binds a message to a http response with HTTP Redirect.
Message to bind.
Logger to use.
CommandResult.
Pending messages where the artifact has been sent.
The result of a Saml2Binding.UnBind.
Ctor
The data payload
The associated relay state.
Level of trust that can be put in data.
Does not care about any signature included in the data.
The data payload.
The associated relay state, if any. Otherwise null.
Trust level indicating how much the message contents can be
trusted.
Abstract base for all Saml2Bindings that binds a message to a specific
kind of transport.
Uri identifier of the HTTP-POST binding.
Uri identifier of the HTTP-Redirect binding.
Uri identifier of the HTTP-Artifact binding.
Uri identifier of the Discovery Response SAML extension.
Uri identifier of the SOAP binding.
Binds a message to a http response.
Message to bind.
Logger to log use, can be null.
CommandResult.
Binds a message to an http response.
Type of the message.
Message to bind
Logger to log use, can be null.
Notification to call for modification of XDocument, can be null.
CommandResult.
Binds a message to a http response.
Message to bind.
CommandResult.
Extracts a message out of the current HttpRequest.
Current HttpRequest.
Options, used to look up certificate information
in bindings that validate signatures. If set to null, the returned
result will have TrustLevel.None.
Extracted message.
Checks if the binding can extract a message out of the current
http request.
HttpRequest to check for message.
True if the binding supports the current request.
Get a cached binding instance that supports the requested type.
Type of binding to get
A derived class instance that supports the requested binding.
Get a cached binding instance that can handle the current request.
Current HttpRequest
A derived class instance that supports the requested binding,
or null if no binding supports the current request.
Gets the Saml2BindingType enum value for a Saml2Binding type uri, where the
uri should be one specified in the standard.
Uri for the binding.
Binding type enum value.
If the uri doesn't correspond to a known binding.
Gets the Uri for a Saml2BindingType.
Saml2BindingType
Uri constant for the specified Binding Type
If the type is not mapped.
Saml2 binding types.
The http redirect binding according to saml bindings section 3.4
The http post binding according to saml bindings section 3.5
The artifact resolution binding according to bindings section 3.6
The urls of Saml2 that are used in various messages.
Resolve the urls for Saml2 from an http request and options.
Request to get application root url from.
Options to get module path and (optional) notification hooks from.
Creates the urls for Saml2 based on the complete base Url
the application and the Saml2 base module path.
The full Url to the root of the application.
Path of module, starting with / and ending without.
Creates the urls for Saml2 based on the given full urls
for assertion consumer service and sign-in
The full Url for the Assertion Consumer Service.
The full Url for sign-in.
The full Url for the application root.
The full url of the assertion consumer service.
The full url of the signin command, which is also the response
location for idp discovery.
The full url of the application root. Used as default redirect
location after logout.
The full url of the logout command.
Represents the sign in command behaviour.
Instances of this class can be created directly or by using the factory method
CommandFactory.GetCommand(CommandFactory.SignInCommandName).
Run the command, initiating the sign in sequence.
Request data.
Options
CommandResult
Initiate the sign in sequence.
Entity id of idp to sign in to, or
null to use default (discovery service if configured)
Path to redirect to when the sign in
is complete.
The incoming http request.
Options.
Data to store and make available when the
ACS command has processed the response.
Command Result
Extension methods and helpers for XmlDocument/XmlElement etc.
Sign an xml document with the supplied cert.
XmlDocument to be signed. The signature is
added as a node in the document, right after the Issuer node.
Certificate to use when signing.
Creates an Xml document with secure settings and initializes it from
a string.
Source string to load
Xml document
Create an Xml Document with secure settings, specifically
disabling xml external entities. Also set PreserveWhiteSpace = true
Xml Document
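The two helpers summarized above, shown as an added example rather than the library's own code: an XmlDocument is created with DTD processing prohibited (so external entities can never be expanded) and with PreserveWhitespace set, then loaded from a string. The second constructed sample carries a DOCTYPE and is rejected before any entity is touched; the hostname in its entity URI is a placeholder. The helper names are assumptions.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example, not Sustainsys.Saml2's own code. Helper names are assumptions.
public static class SecureXmlExample
{
    // Empty document with the secure defaults the summary describes.
    public static XmlDocument CreateSafeXmlDocument()
    {
        return new XmlDocument
        {
            // Signed XML must round-trip unchanged inside the signed element;
            // collapsing whitespace on load would break signature verification.
            PreserveWhitespace = true,
            // No resolver: nothing is ever fetched for DTDs or external entities.
            XmlResolver = null,
        };
    }

    // Same document, populated from a string through a reader that
    // refuses any DOCTYPE instead of merely ignoring it.
    public static XmlDocument CreateSafeXmlDocument(string source)
    {
        var doc = CreateSafeXmlDocument();
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // throws XmlException on <!DOCTYPE>
            XmlResolver = null,
        };
        using (var reader = XmlReader.Create(new StringReader(source), settings))
        {
            doc.Load(reader);
        }
        return doc;
    }

    public static void Main()
    {
        // Constructed sample: a harmless fragment whose inner whitespace must survive.
        const string plain = "<a xmlns=\"urn:example\"><b>  x  </b></a>";
        var doc = CreateSafeXmlDocument(plain);
        Console.WriteLine("[" + doc.DocumentElement.FirstChild.InnerText + "]"); // prints "[  x  ]"

        // Constructed sample: a document declaring an external entity.
        // The reader rejects the DOCTYPE itself, so the URI is never resolved.
        const string withDtd =
            "<!DOCTYPE a [<!ENTITY e SYSTEM \"http://placeholder.invalid/x\">]><a>&e;</a>";
        try
        {
            CreateSafeXmlDocument(withDtd);
            Console.WriteLine("unexpected: document accepted");
        }
        catch (XmlException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

Prohibit rather than Ignore is the setting to prefer for SAML input: a message that carries a DOCTYPE at all is outside what the protocol allows, so failing loudly is safer than silently dropping the declaration.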
Remove the attribute with the given name from the collection.
Attribute collection.
Name of attribute to remove.
Remove the child xml element with the specified name.
Parent
Name of child
Namespace of child
Sign an xml document with the supplied cert.
XmlDocument to be signed. The signature is
added as a node in the document, right after the Issuer node.
Certificate to use when signing.
Include public key in signed output.
Sign an xml document with the supplied cert.
XmlDocument to be signed. The signature is
added as a node in the document, right after the Issuer node.
Certificate to use when signing.
Include public key in signed output.
Uri of signing algorithm to use.
Sign an xml element with the supplied cert.
xmlElement to be signed. The signature is
added as a node in the document, right after the Issuer node.
Certificate to use when signing.
Include public key in signed output.
Sign an xml element with the supplied cert.
xmlElement to be signed. The signature is
added as a node in the document, right after the Issuer node.
Certificate to use when signing.
Include public key in signed output.
The signing algorithm to use.
Checks if an xml element is signed by the given certificate, through
a contained enveloped signature.
Xml Element that should be signed
Signing keys to test, one should validate.
Should the certificate be validated too?
The minimum signing algorithm
strength allowed.
True on correct signature, false on missing signature
If the data has
been tampered with or is not valid according to the SAML spec.
Workaround for a bug in Reference.LoadXml incorrectly counting index
of signature from the start of the document, not from the start of
the element. Reported to Microsoft at
https://connect.microsoft.com/VisualStudio/feedback/details/2288620
SignedXml
Signature element.
Check if the signature method is at least as strong as the minimum one.
If the signature method is too weak.
Pretty print an xml element.
Xml to pretty print.
Nicely indented and readable data.
Store a list of signing algorithms that are available in SignedXml.
This needs to be done through reflection, to keep the library
targeting the lowest supported .NET version, while still getting
access to new algorithms if the hosting application targets a
later version.