
Example 51 with Assertion

use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.

the class SAML2Utils method checkAudience.

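/**
 * Verifies that {@code hostEntityId} is named as an audience by at least one
 * {@code AudienceRestriction} of the assertion's {@code Conditions}.
 *
 * <p>Three failures are each logged via {@code LogUtil} and rejected with a
 * {@link SAML2Exception}: the Conditions element is missing, it carries no
 * AudienceRestriction list, or no restriction names this host. A restriction
 * whose own audience list is null cannot name this host and is skipped rather
 * than dereferenced.
 *
 * @param conds        the assertion's Conditions element; may be null
 * @param hostEntityId entity ID of this host, i.e. the expected audience
 * @param assertionID  ID of the assertion, used only in the log records
 * @throws SAML2Exception if the audience check fails for any of the reasons above
 */
private static void checkAudience(final Conditions conds, final String hostEntityId, final String assertionID) throws SAML2Exception {
    final String method = "SAML2Utils.checkAudience:";
    if (conds == null) {
        if (debug.messageEnabled()) {
            debug.message(method + "Conditions is missing from Assertion.");
        }
        String[] data = { assertionID };
        LogUtil.error(Level.INFO, LogUtil.MISSING_CONDITIONS, data, null);
        throw new SAML2Exception(bundle.getString("missingConditions"));
    }
    List restrictions = conds.getAudienceRestrictions();
    if (restrictions == null) {
        if (debug.messageEnabled()) {
            debug.message(method + "missing AudienceRestriction.");
        }
        String[] data = { assertionID };
        LogUtil.error(Level.INFO, LogUtil.MISSING_AUDIENCE_RESTRICTION, data, null);
        throw new SAML2Exception(bundle.getString("missingAudienceRestriction"));
    }
    boolean found = false;
    // Stop at the first restriction that names this host.
    for (Iterator restIter = restrictions.iterator(); restIter.hasNext() && !found; ) {
        List audienceList = ((AudienceRestriction) restIter.next()).getAudience();
        // A restriction without an audience list cannot match; skip it instead of NPE-ing.
        found = audienceList != null && audienceList.contains(hostEntityId);
    }
    if (!found) {
        if (debug.messageEnabled()) {
            debug.message(method + "This SP is not the intended audience.");
        }
        String[] data = { assertionID };
        LogUtil.error(Level.INFO, LogUtil.WRONG_AUDIENCE, data, null);
        throw new SAML2Exception(bundle.getString("audienceNotMatch"));
    }
}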

Example 52 with Assertion

use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.

the class SAML2Utils method isBearerSubjectConfirmation.

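/**
 * Locates the first bearer {@code SubjectConfirmation} in {@code subjectConfirms} and validates
 * its {@code SubjectConfirmationData} against this SP.
 *
 * <p>For that bearer confirmation each of the following must hold, otherwise the failure is
 * logged via {@code LogUtil} and a {@link SAML2Exception} is thrown: SubjectConfirmationData is
 * present; Recipient is present and equals the Location of one of this SP's
 * AssertionConsumerService endpoints; NotOnOrAfter is present and, allowing for the configured
 * skew, still in the future; NotBefore, if present, is not in the future (see the note at that
 * check); InResponseTo, if present, equals the Response's InResponseTo, and if absent the
 * Response must not carry one either.
 *
 * <p>Only the first bearer confirmation is examined; non-bearer confirmations and null entries
 * are ignored. If no bearer confirmation exists the returned map only carries
 * {@code IS_BEARER=false}.
 *
 * @param subjectConfirms  the assertion's SubjectConfirmation elements
 * @param inRespToResponse the InResponseTo value of the enclosing Response; may be null or empty
 * @param spDesc           this SP's SSO descriptor (source of the AssertionConsumerService list)
 * @param spConfig         this SP's extended config (source of the assertion time skew)
 * @param assertionID      ID of the assertion, used in the log records
 * @return a map with {@code SAML2Constants.IS_BEARER} (Boolean) and, when a bearer confirmation
 *         was validated, {@code SAML2Constants.NOTONORAFTER} (Date) and
 *         {@code SAML2Constants.NOTBEFORE} (Date, possibly null)
 * @throws SAML2Exception if the bearer confirmation fails any check above
 */
private static Map isBearerSubjectConfirmation(final List subjectConfirms, final String inRespToResponse, final SPSSODescriptorElement spDesc, final SPSSOConfigElement spConfig, final String assertionID) throws SAML2Exception {
    String method = "SAML2Utils.isBearerSubjectConfirmation:";
    Map retMap = new HashMap();
    boolean hasBearer = false;
    for (Iterator it = subjectConfirms.iterator(); it.hasNext(); ) {
        SubjectConfirmation subjectConfirm = (SubjectConfirmation) it.next();
        if (subjectConfirm == null || subjectConfirm.getMethod() == null || !subjectConfirm.getMethod().equals(SAML2Constants.SUBJECT_CONFIRMATION_METHOD_BEARER)) {
            continue;
        }
        // since this is bearer SC, all below must be true
        SubjectConfirmationData subjectConfData = subjectConfirm.getSubjectConfirmationData();
        if (subjectConfData == null) {
            if (debug.messageEnabled()) {
                debug.message(method + "missing SubjectConfirmationData.");
            }
            String[] data = { assertionID };
            LogUtil.error(Level.INFO, LogUtil.MISSING_SUBJECT_COMFIRMATION_DATA, data, null);
            throw new SAML2Exception(bundle.getString("missingSubjectConfirmationData"));
        }
        String recipient = subjectConfData.getRecipient();
        if (recipient == null || recipient.length() == 0) {
            if (debug.messageEnabled()) {
                debug.message(method + "missing Recipient in Assertion.");
            }
            String[] data = { assertionID };
            LogUtil.error(Level.INFO, LogUtil.MISSING_RECIPIENT, data, null);
            throw new SAML2Exception(bundle.getString("missingRecipient"));
        }
        // The Recipient must be one of our own ACS endpoints, otherwise the assertion was
        // issued for a different consumer.
        if (!isAssertionConsumerServiceLocation(recipient, spDesc)) {
            if (debug.messageEnabled()) {
                debug.message(method + "this sp is not the intended recipient.");
            }
            String[] data = { assertionID, recipient };
            LogUtil.error(Level.INFO, LogUtil.WRONG_RECIPIENT, data, null);
            throw new SAML2Exception(bundle.getString("wrongRecipient"));
        }
        // in seconds
        int timeskew = resolveAssertionTimeSkew(spConfig, method);
        if (debug.messageEnabled()) {
            debug.message(method + "timeskew = " + timeskew);
        }
        // Multiply as long: an int product overflows for skews above roughly 24 days.
        final long skewMillis = timeskew * 1000L;
        final long now = System.currentTimeMillis();
        Date notOnOrAfter = subjectConfData.getNotOnOrAfter();
        if (notOnOrAfter == null || (notOnOrAfter.getTime() + skewMillis) < now) {
            if (debug.messageEnabled()) {
                debug.message(method + "Time in SubjectConfirmationData of Assertion:" + assertionID + " is invalid.");
            }
            String[] data = { assertionID };
            LogUtil.error(Level.INFO, LogUtil.INVALID_TIME_SUBJECT_CONFIRMATION_DATA, data, null);
            throw new SAML2Exception(bundle.getString("invalidTimeOnSubjectConfirmationData"));
        }
        retMap.put(SAML2Constants.NOTONORAFTER, notOnOrAfter);
        Date notBefore = subjectConfData.getNotBefore();
        // NOTE(review): the skew is added to NotBefore, so a NotBefore less than timeskew
        // seconds in the past is rejected; confirm this is the intended direction (tolerating
        // a slightly-future NotBefore would subtract the skew instead).
        if (notBefore != null && (notBefore.getTime() + skewMillis) > now) {
            if (debug.messageEnabled()) {
                debug.message(method + "SubjectConfirmationData included NotBefore.");
            }
            String[] data = { assertionID };
            LogUtil.error(Level.INFO, LogUtil.CONTAINED_NOT_BEFORE, data, null);
            throw new SAML2Exception(bundle.getString("containedNotBefore"));
        }
        retMap.put(SAML2Constants.NOTBEFORE, notBefore);
        String inRespTo = subjectConfData.getInResponseTo();
        if (inRespTo != null && inRespTo.length() != 0) {
            if (!inRespTo.equals(inRespToResponse)) {
                if (debug.messageEnabled()) {
                    debug.message(method + "InResponseTo in Assertion is different from the one in Response.");
                }
                String[] data = { assertionID };
                LogUtil.error(Level.INFO, LogUtil.WRONG_INRESPONSETO_ASSERTION, data, null);
                throw new SAML2Exception(bundle.getString("wrongInResponseToInAssertion"));
            }
        } else if (inRespToResponse != null && inRespToResponse.length() != 0) {
            if (debug.messageEnabled()) {
                debug.message(method + "Assertion doesn't contain InResponseTo, but Response does.");
            }
            String[] data = { assertionID };
            LogUtil.error(Level.INFO, LogUtil.WRONG_INRESPONSETO_ASSERTION, data, null);
            throw new SAML2Exception(bundle.getString("wrongInResponseToInAssertion"));
        }
        hasBearer = true;
        break;
    }
    retMap.put(SAML2Constants.IS_BEARER, Boolean.valueOf(hasBearer));
    return retMap;
}

/**
 * Returns true if {@code recipient} equals the Location of one of the SP's
 * AssertionConsumerService endpoints. A missing endpoint list yields false.
 *
 * @param recipient the Recipient attribute from SubjectConfirmationData; non-null
 * @param spDesc    this SP's SSO descriptor
 * @return whether the recipient is one of this SP's ACS locations
 */
private static boolean isAssertionConsumerServiceLocation(final String recipient, final SPSSODescriptorElement spDesc) {
    List acsList = spDesc.getAssertionConsumerService();
    if (acsList == null) {
        return false;
    }
    for (Iterator acsIter = acsList.iterator(); acsIter.hasNext(); ) {
        AssertionConsumerServiceElement acs = (AssertionConsumerServiceElement) acsIter.next();
        if (recipient.equals(acs.getLocation())) {
            return true;
        }
    }
    return false;
}

/**
 * Resolves the assertion time skew (seconds) from the SP's extended config.
 *
 * <p>Falls back to {@code SAML2Constants.ASSERTION_TIME_SKEW_DEFAULT} when the value is
 * unset, blank, negative, or not an integer; the last case is reported at debug level
 * instead of propagating a {@link NumberFormatException} out of assertion validation.
 *
 * @param spConfig this SP's extended config
 * @param method   log prefix of the calling method
 * @return the skew to apply, in seconds, never negative
 */
private static int resolveAssertionTimeSkew(final SPSSOConfigElement spConfig, final String method) {
    int timeskew = SAML2Constants.ASSERTION_TIME_SKEW_DEFAULT;
    String timeskewStr = getAttributeValueFromSPSSOConfig(spConfig, SAML2Constants.ASSERTION_TIME_SKEW);
    if (timeskewStr == null || timeskewStr.trim().length() == 0) {
        return timeskew;
    }
    try {
        int configured = Integer.parseInt(timeskewStr.trim());
        if (configured >= 0) {
            timeskew = configured;
        }
    } catch (NumberFormatException nfe) {
        if (debug.messageEnabled()) {
            debug.message(method + "invalid " + SAML2Constants.ASSERTION_TIME_SKEW + " value '" + timeskewStr + "', using default.");
        }
    }
    return timeskew;
}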

Example 53 with Assertion

use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.

the class AttributeQueryUtil method getAssertion.

/**
 * Builds the assertion returned in response to an attribute query.
 *
 * <p>The assertion gets a freshly generated ID, SAML version 2.0, the current time as
 * issue instant, the attribute authority as issuer, a subject whose EncryptedID, NameID,
 * BaseID and SubjectConfirmation are copied from the query's subject, a single
 * AttributeStatement when {@code attributes} is non-empty, and conditions derived from the
 * authority's configured effective time and not-before skew for {@code requesterEntityID}.
 *
 * @param attrQuery              the incoming AttributeQuery; its subject is copied
 * @param attrAuthorityEntityID  entity ID of the attribute authority (the issuer)
 * @param requesterEntityID      entity ID of the requester (used for the conditions)
 * @param realm                  realm used to look up the authority's timing config
 * @param attrQueryProfileAlias  profile alias; not consulted by this method
 * @param attributes             attributes to place in the statement; may be null or empty
 * @return the populated assertion
 * @throws SAML2Exception if the assertion cannot be assembled
 */
private static Assertion getAssertion(AttributeQuery attrQuery, String attrAuthorityEntityID, String requesterEntityID, String realm, String attrQueryProfileAlias, List attributes) throws SAML2Exception {
    AssertionFactory factory = AssertionFactory.getInstance();

    Assertion result = factory.createAssertion();
    result.setID(SAML2Utils.generateID());
    result.setVersion(SAML2Constants.VERSION_2_0);
    result.setIssueInstant(new Date());

    Issuer authorityIssuer = factory.createIssuer();
    authorityIssuer.setValue(attrAuthorityEntityID);
    result.setIssuer(authorityIssuer);

    // The subject is rebuilt from the query rather than reused as-is.
    Subject querySubject = attrQuery.getSubject();
    Subject copiedSubject = factory.createSubject();
    copiedSubject.setEncryptedID(querySubject.getEncryptedID());
    copiedSubject.setNameID(querySubject.getNameID());
    copiedSubject.setBaseID(querySubject.getBaseID());
    copiedSubject.setSubjectConfirmation(querySubject.getSubjectConfirmation());
    result.setSubject(copiedSubject);

    boolean hasAttributes = attributes != null && !attributes.isEmpty();
    if (hasAttributes) {
        AttributeStatement statement = factory.createAttributeStatement();
        statement.setAttribute(attributes);
        List statements = new ArrayList(1);
        statements.add(statement);
        result.setAttributeStatements(statements);
    }

    int effectiveTime = IDPSSOUtil.getEffectiveTime(realm, attrAuthorityEntityID);
    int notBeforeSkewTime = IDPSSOUtil.getNotBeforeSkewTime(realm, attrAuthorityEntityID);
    result.setConditions(IDPSSOUtil.getConditions(requesterEntityID, notBeforeSkewTime, effectiveTime));
    return result;
}

Example 54 with Assertion

use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.

the class AttributeQueryUtil method validateSAMLResponseForFedlet.

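/**
     * Performs structural validation of the SAML response obtained from an Attribute Authority.
     *
     * <p>The response is accepted only if it is non-null and signed, carries an assertion list
     * (encrypted or plain, per {@code wantNameIDEncrypted}), and every non-null assertion has at
     * most one AudienceRestriction and at most one AttributeStatement. A null restriction or
     * statement list is treated as empty rather than dereferenced. An empty assertion list is
     * accepted. This method does not check audience values, validity windows or the assertion
     * signatures themselves; only the response signature flag and element counts.
     *
     * @param samlResp saml response; may be null
     * @param spEntityID entity ID of the fedlet, used to decrypt encrypted assertions
     * @param wantNameIDEncrypted whether the assertions are expected in encrypted form
     *
     * @return true if the response passes the checks above, false otherwise
     * @exception SAML2Exception if the operation is not successful
     *
     * @supported.api
     */
private static boolean validateSAMLResponseForFedlet(Response samlResp, String spEntityID, boolean wantNameIDEncrypted) throws SAML2Exception {
    if (samlResp == null || !samlResp.isSigned()) {
        return false;
    }
    List assertions;
    if (wantNameIDEncrypted) {
        assertions = samlResp.getEncryptedAssertion();
    } else {
        assertions = samlResp.getAssertion();
    }
    if (assertions == null) {
        return false;
    }
    for (Iterator asserIter = assertions.iterator(); asserIter.hasNext(); ) {
        Object element = asserIter.next();
        Assertion assertion;
        if (wantNameIDEncrypted) {
            assertion = getDecryptedAssertion((EncryptedAssertion) element, spEntityID);
        } else {
            assertion = (Assertion) element;
        }
        if (assertion == null) {
            // A null (e.g. undecryptable) assertion is skipped, not counted as a failure.
            continue;
        }
        Conditions conditions = assertion.getConditions();
        if (conditions != null && sizeOrZero(conditions.getAudienceRestrictions()) > 1) {
            return false;
        }
        if (sizeOrZero(assertion.getAttributeStatements()) > 1) {
            return false;
        }
    }
    return true;
}

/**
 * Returns the size of {@code list}, or 0 when it is null.
 *
 * @param list a possibly-null list
 * @return its size, or 0 for null
 */
private static int sizeOrZero(List list) {
    return list == null ? 0 : list.size();
}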

Example 55 with Assertion

use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.

the class AttributeQueryUtil method getAttributesForFedlet.

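/**
     * Sends the AttributeQuery to the specified attribute authority,
     * validates the response and returns the attribute map
     * <code>Map&lt;String, Set&lt;String&gt;&gt;</code> to the Fedlet.
     *
     * <p>The query is built from the fedlet's AttributeQuery config under realm "/" and sent
     * over SOAP with the basic attribute profile. The response is accepted only if
     * {@code validateSAMLResponseForFedlet} passes; otherwise an empty map is returned.
     * Attributes from every AttributeStatement of every decrypted assertion are merged into
     * the result via {@code mapAttributes}; later statements overwrite earlier keys.
     *
     * @param spEntityID SP entity ID
     * @param idpEntityID IDP entity ID
     * @param nameIDValue  NameID value 
     * @param attrsList The list of attributes whose values need to be
     *                  fetched from IDP
     * @param attrQueryProfileAlias  Attribute Query Profile Alias; an alias other than the
     *                  default or X.509-subject alias yields a null profile
     * @param subjectDN  Attribute name which contains X.509 subject DN
     *
     * @return the <code>Map</code> object; empty when the response is invalid, and
     *         <code>null</code> when the fedlet has no AttributeQuery config or meta alias
     * @exception SAML2Exception if the operation is not successful
     *
     * @supported.api
     */
public static Map<String, Set<String>> getAttributesForFedlet(String spEntityID, String idpEntityID, String nameIDValue, List<String> attrsList, String attrQueryProfileAlias, String subjectDN) throws SAML2Exception {
    final String classMethod = "AttributeQueryUtil.getAttributesForFedlet: ";
    AttributeQueryConfigElement attrQueryConfig = metaManager.getAttributeQueryConfig("/", spEntityID);
    if (attrQueryConfig == null) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "Attribute Query Config is null");
        }
        return null;
    }
    String attrqMetaAlias = attrQueryConfig.getMetaAlias();
    if (attrqMetaAlias == null) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "Attribute Query MetaAlias is null");
        }
        return null;
    }
    boolean wantNameIDEncrypted = SAML2Utils.getWantNameIDEncrypted("/", spEntityID, SAML2Constants.ATTR_QUERY_ROLE);
    AttributeQuery attrQuery = constructAttrQueryForFedlet(spEntityID, idpEntityID, nameIDValue, attrsList, attrqMetaAlias, attrQueryProfileAlias, subjectDN, wantNameIDEncrypted);
    String attrQueryProfile = resolveAttrQueryProfile(attrQueryProfileAlias);
    Response samlResp = sendAttributeQuery(attrQuery, idpEntityID, "/", attrQueryProfile, SAML2Constants.BASIC_ATTRIBUTE_PROFILE, SAML2Constants.SOAP);
    Map<String, Set<String>> attrMap = new HashMap<String, Set<String>>();
    // Validate the response before trusting anything in it.
    if (!validateSAMLResponseForFedlet(samlResp, spEntityID, wantNameIDEncrypted)) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "Invalid response obtained from Attribute Authority");
        }
        return attrMap;
    }
    // validateSAMLResponseForFedlet rejects a null response, so this is purely defensive.
    if (samlResp != null) {
        collectFedletAttributes(samlResp, spEntityID, idpEntityID, nameIDValue, wantNameIDEncrypted, attrMap, classMethod);
        // NOTE(review): this logs every received attribute value at debug level; consider
        // whether the queried attributes are sensitive in the deployment before enabling it.
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "attributes received from Attribute Query: " + attrMap);
        }
    }
    // Return the attribute map and to the fedlet
    return attrMap;
}

/**
 * Maps an attribute query profile alias to its profile URI.
 *
 * @param attrQueryProfileAlias the alias; may be null
 * @return the default or X.509-subject profile, or null for any other alias
 */
private static String resolveAttrQueryProfile(String attrQueryProfileAlias) {
    // Constant-first equals tolerates a null alias instead of throwing NPE.
    if (SAML2Constants.DEFAULT_ATTR_QUERY_PROFILE_ALIAS.equals(attrQueryProfileAlias)) {
        return SAML2Constants.DEFAULT_ATTR_QUERY_PROFILE;
    }
    if (SAML2Constants.X509_SUBJECT_ATTR_QUERY_PROFILE_ALIAS.equals(attrQueryProfileAlias)) {
        return SAML2Constants.X509_SUBJECT_ATTR_QUERY_PROFILE;
    }
    return null;
}

/**
 * Merges the attributes of every AttributeStatement of every assertion in {@code samlResp}
 * into {@code attrMap}. Null assertions and assertions without statements are reported at
 * debug level and skipped.
 *
 * @param samlResp            the already-validated response; non-null
 * @param spEntityID          SP entity ID, used to decrypt assertions
 * @param idpEntityID         IDP entity ID, forwarded to {@code mapAttributes}
 * @param nameIDValue         NameID value, forwarded to {@code mapAttributes}
 * @param wantNameIDEncrypted whether assertions arrive encrypted
 * @param attrMap             destination map, modified in place
 * @param classMethod         log prefix of the caller
 * @throws SAML2Exception if decryption or attribute mapping fails
 */
private static void collectFedletAttributes(Response samlResp, String spEntityID, String idpEntityID, String nameIDValue, boolean wantNameIDEncrypted, Map<String, Set<String>> attrMap, String classMethod) throws SAML2Exception {
    List<Object> assertions;
    if (wantNameIDEncrypted) {
        assertions = samlResp.getEncryptedAssertion();
    } else {
        assertions = samlResp.getAssertion();
    }
    if (assertions == null) {
        return;
    }
    for (Object currentAssertion : assertions) {
        Assertion assertion;
        if (wantNameIDEncrypted) {
            assertion = getDecryptedAssertion((EncryptedAssertion) currentAssertion, spEntityID);
        } else {
            assertion = (Assertion) currentAssertion;
        }
        if (assertion == null) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "Empty Assertion present in SAML response");
            }
            continue;
        }
        List<AttributeStatement> statements = assertion.getAttributeStatements();
        if (statements == null || statements.isEmpty()) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "Empty Statement present in SAML response");
            }
            continue;
        }
        for (AttributeStatement statement : statements) {
            List<Attribute> attributes = statement.getAttribute();
            attrMap.putAll(mapAttributes("/", spEntityID, idpEntityID, nameIDValue, attributes));
        }
    }
}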
