Search in sources :

Example 81 with Assertion

use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.

the class IDPSSOUtil method extractAuthenticatingAuthorities.

private static List<String> extractAuthenticatingAuthorities(Assertion assertion) {
    final List<String> authenticatingAuthorities = new ArrayList<String>();
    final List<AuthnStatement> authnStatements = assertion.getAuthnStatements();
    if (authnStatements != null) {
        for (AuthnStatement authnStatement : authnStatements) {
            final List<String> authorities = authnStatement.getAuthnContext().getAuthenticatingAuthority();
            if (authorities != null) {
                authenticatingAuthorities.addAll(authorities);
            }
        }
    }
    return authenticatingAuthorities;
}
Also used : ArrayList(java.util.ArrayList) AuthnStatement(com.sun.identity.saml2.assertion.AuthnStatement)

Example 82 with Assertion

use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.

the class IDPSSOUtil method signAssertion.

/**
     * Signs an <code>Assertion</code>
     *
     * @param realm       the realm name of the identity provider
     * @param idpEntityID the entity id of the identity provider
     * @param assertion   The <code>Assertion</code> to be signed
     */
static void signAssertion(String realm, String idpEntityID, Assertion assertion) throws SAML2Exception {
    String classMethod = "IDPSSOUtil.signAssertion: ";
    KeyProvider kp = KeyUtil.getKeyProviderInstance();
    if (kp == null) {
        SAML2Utils.debug.error(classMethod + "Unable to get a key provider instance.");
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullKeyProvider"));
    }
    String idpSignCertAlias = SAML2Utils.getSigningCertAlias(realm, idpEntityID, SAML2Constants.IDP_ROLE);
    if (idpSignCertAlias == null) {
        SAML2Utils.debug.error(classMethod + "Unable to get the hosted IDP signing certificate alias.");
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
    }
    String encryptedKeyPass = SAML2Utils.getSigningCertEncryptedKeyPass(realm, idpEntityID, SAML2Constants.IDP_ROLE);
    PrivateKey key;
    if (encryptedKeyPass == null || encryptedKeyPass.isEmpty()) {
        key = kp.getPrivateKey(idpSignCertAlias);
    } else {
        key = kp.getPrivateKey(idpSignCertAlias, encryptedKeyPass);
    }
    assertion.sign(key, kp.getX509Certificate(idpSignCertAlias));
}
Also used : KeyProvider(com.sun.identity.saml.xmlsig.KeyProvider) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) PrivateKey(java.security.PrivateKey)

Example 83 with Assertion

use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.

the class IDPSSOUtil method getValidTimeofResponse.

public static long getValidTimeofResponse(String realm, String idpEntityID, Response response) throws SAML2Exception {
    // in seconds
    int timeskew = SAML2Constants.ASSERTION_TIME_SKEW_DEFAULT;
    String timeskewStr = getAttributeValueFromIDPSSOConfig(realm, idpEntityID, SAML2Constants.ASSERTION_TIME_SKEW);
    if (timeskewStr != null && timeskewStr.trim().length() > 0) {
        timeskew = Integer.parseInt(timeskewStr);
        if (timeskew < 0) {
            timeskew = SAML2Constants.ASSERTION_TIME_SKEW_DEFAULT;
        }
    }
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("timeskew = " + timeskew);
    }
    List assertions = response.getAssertion();
    if ((assertions == null) || (assertions.size() == 0)) {
        // failed case
        return (System.currentTimeMillis() + getEffectiveTime(realm, idpEntityID) + timeskew * 1000);
    }
    Assertion assertion = (Assertion) assertions.get(0);
    Conditions cond = assertion.getConditions();
    if (cond == null) {
        throw new SAML2Exception("nullConditions");
    }
    Date notOnOrAfter = cond.getNotOnOrAfter();
    long ret = notOnOrAfter.getTime() + timeskew * 1000;
    if (notOnOrAfter == null || (ret < System.currentTimeMillis())) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("Time in Assertion " + " is invalid.");
        }
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidTimeOnResponse"));
    }
    return ret;
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) Assertion(com.sun.identity.saml2.assertion.Assertion) List(java.util.List) ArrayList(java.util.ArrayList) Conditions(com.sun.identity.saml2.assertion.Conditions) Date(java.util.Date)

Example 84 with Assertion

use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.

the class QueryClient method processXACMLQuery.

/**
     * Returns SAMLv2 <code>Response</code>.
     * SAMLv2 request is sent enclosed in the body of a  SOAP Message
     * to a SOAP endpoint.
     * Prior to sending the request query, attributes required for completeness
     * of the SAMLv2 Request will be set (eg. Issuer) if not already set.
     * Message will be signed if signing is enabled.
     * SAMLv2 Query Request will be enclosed in the SOAP Body to create a SOAP
     * message to send to the server.
     *
     * @param request the SAMLv2 <code>RequestAbstract</code> object.
     * @param pepEntityID entity identifier of the hosted query requester.
     * @param pdpEntityID entity identifier of the remote server.
     * @return SAMLv2 <code>Response</code> received from the
     *         Query Responder.
     * @throws SAML2Exception if there is an error processing the query.
     */
public static Response processXACMLQuery(RequestAbstract request, String pepEntityID, String pdpEntityID) throws SAML2Exception {
    String classMethod = "QueryClient:processXACMLQuery";
    String realm = "/";
    Response samlResponse = null;
    Response response = null;
    // retreive pepEntityID metadata
    if (pepEntityID == null || pepEntityID.length() == 0) {
        debug.error(classMethod + "PEP Identifier is null");
        String[] data = { pepEntityID };
        LogUtil.error(Level.INFO, LogUtil.INVALID_PEP_ID, data);
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullPEP"));
    }
    // retreive pdpEntityID metadata
    if (pdpEntityID == null || pdpEntityID.length() == 0) {
        debug.error(classMethod + "PDP Identifier is null");
        String[] data = { pdpEntityID };
        LogUtil.error(Level.INFO, LogUtil.INVALID_PDP_ID, data);
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullPDP"));
    }
    if (request != null) {
        // set properties in the request.
        XACMLAuthzDecisionQuery xacmlQuery = (XACMLAuthzDecisionQuery) request;
        if (xacmlQuery != null) {
            // set Issuer
            Issuer issuer = createIssuer(pepEntityID);
            xacmlQuery.setIssuer(issuer);
            //generate ID
            String requestID = SAML2SDKUtils.generateID();
            xacmlQuery.setID(requestID);
            xacmlQuery.setVersion(SAML2Constants.VERSION_2_0);
            xacmlQuery.setIssueInstant(new Date());
            XACMLPDPConfigElement pdpConfig = getPDPConfig(realm, pdpEntityID);
            if (pdpConfig != null) {
                String wantQuerySigned = getAttributeValueFromPDPConfig(pdpConfig, "wantXACMLAuthzDecisionQuerySigned");
                if (wantQuerySigned != null && wantQuerySigned.equals("true")) {
                    signAttributeQuery(xacmlQuery, realm, pepEntityID, false);
                }
            }
            String xmlString = xacmlQuery.toXMLString(true, true);
            if (debug.messageEnabled()) {
                debug.message(classMethod + "XACML Query XML String :" + xmlString);
            }
            // retrieve endpoint from meta data
            String endPoint = null;
            XACMLAuthzDecisionQueryConfigElement pepConfig = getPEPConfig(realm, pepEntityID);
            endPoint = getPDPEndPoint(pdpEntityID);
            if (debug.messageEnabled()) {
                debug.message(classMethod + " ResponseLocation is :" + endPoint);
            }
            // create SOAP message
            try {
                String soapMessage = SAML2SDKUtils.createSOAPMessageString(xmlString);
                endPoint = SAML2SDKUtils.fillInBasicAuthInfo(pepConfig, endPoint);
                String[] urls = { endPoint };
                SOAPClient soapClient = new SOAPClient(urls);
                if (debug.messageEnabled()) {
                    debug.message(classMethod + "soapMessage :" + soapMessage);
                }
                InputStream soapIn = soapClient.call(soapMessage, null, null);
                StringBuffer reply = new StringBuffer();
                String line;
                BufferedReader reader = new BufferedReader(new InputStreamReader(soapIn, "UTF-8"));
                while ((line = reader.readLine()) != null) {
                    reply.append(line).append("\n");
                }
                // check the SOAP message for any SOAP related errors
                // before passing control to SAML processor
                xmlString = reply.toString();
                if (debug.messageEnabled()) {
                    debug.message("Response Message:\n" + xmlString);
                }
                samlResponse = getSAMLResponse(xmlString);
                issuer = samlResponse.getIssuer();
                String issuerID = null;
                if (issuer != null) {
                    issuerID = issuer.getValue().trim();
                }
                boolean isTrusted = verifyResponseIssuer(realm, pepEntityID, issuerID);
                if (!isTrusted) {
                    if (debug.messageEnabled()) {
                        debug.message(classMethod + "Issuer in Request is not valid.");
                    }
                    String[] args = { realm, pepEntityID, pdpEntityID };
                    LogUtil.error(Level.INFO, LogUtil.INVALID_ISSUER_IN_PEP_REQUEST, args);
                    throw new SAML2Exception("invalidIssuerInRequest");
                }
                if (samlResponse != null) {
                    xmlString = samlResponse.toXMLString(true, true);
                    if (debug.messageEnabled()) {
                        debug.message(classMethod + "Response: " + xmlString);
                    }
                    response = verifyResponse(realm, pepEntityID, samlResponse);
                    if (debug.messageEnabled()) {
                        debug.message(classMethod + "Response with decrypted Assertion: " + response.toXMLString(true, true));
                    }
                }
            } catch (SOAPException soae) {
                if (debug.messageEnabled()) {
                    debug.message(classMethod + "SOAPException :", soae);
                }
                throw new SAML2Exception(soae.getMessage());
            } catch (Exception e) {
                if (debug.messageEnabled()) {
                    debug.message(classMethod + "Exception ", e);
                }
                throw new SAML2Exception(e.getMessage());
            }
        }
    }
    return response;
}
Also used : InputStreamReader(java.io.InputStreamReader) Issuer(com.sun.identity.saml2.assertion.Issuer) InputStream(java.io.InputStream) XACMLPDPConfigElement(com.sun.identity.saml2.jaxb.entityconfig.XACMLPDPConfigElement) Date(java.util.Date) SOAPException(javax.xml.soap.SOAPException) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) IOException(java.io.IOException) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) Response(com.sun.identity.saml2.protocol.Response) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) SOAPClient(com.sun.identity.shared.jaxrpc.SOAPClient) SOAPException(javax.xml.soap.SOAPException) BufferedReader(java.io.BufferedReader) XACMLAuthzDecisionQuery(com.sun.identity.xacml.saml2.XACMLAuthzDecisionQuery) XACMLAuthzDecisionQueryConfigElement(com.sun.identity.saml2.jaxb.entityconfig.XACMLAuthzDecisionQueryConfigElement)

Example 85 with Assertion

use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.

the class QueryClient method verifyResponse.

/**
     * Returns SAMLv2 <code>Response</code> after validation of the
     * response. A new <code>Response</code> object is created which
     * contains decrypted assertion if the assertions were encrypted.
     *
     * @param realm the realm of the entity.
     * @param pepEntityID entity identifier of the PEP.
     * @param samlResponse the <code>Response</code>.
     * @exception <code>SAML2Exception</code> if there is an error.
     */
private static Response verifyResponse(String realm, String pepEntityID, Response samlResponse) throws SAML2Exception {
    Response response = samlResponse;
    String classMethod = "QueryClient:verifyResponse";
    if (samlResponse != null) {
        //validate issuer trust.
        Issuer issuer = samlResponse.getIssuer();
        String issuerID = null;
        if (issuer != null) {
            issuerID = issuer.getValue().trim();
        }
        String pdpEntityID = issuerID;
        boolean isTrusted = verifyResponseIssuer(realm, pepEntityID, issuerID);
        if (!isTrusted) {
            if (debug.messageEnabled()) {
                debug.message(classMethod + "Issuer in Request is not valid.");
            }
            String[] args = { realm, pepEntityID, issuerID };
            LogUtil.error(Level.INFO, LogUtil.INVALID_ISSUER_IN_PEP_REQUEST, args);
            throw new SAML2Exception(SAML2SDKUtils.BUNDLE_NAME, "invalidIssuer", args);
        }
        // verify signed response
        verifySignedResponse(pepEntityID, pdpEntityID, samlResponse);
        try {
            // check if assertion needs to be encrypted,signed.
            XACMLAuthzDecisionQueryConfigElement pepConfig = saml2MetaManager.getPolicyEnforcementPointConfig(realm, pepEntityID);
            String assertionEncrypted = getAttributeValueFromPEPConfig(pepConfig, SAML2Constants.WANT_ASSERTION_ENCRYPTED);
            boolean wantAssertionEncrypted = (assertionEncrypted != null && assertionEncrypted.equalsIgnoreCase("true")) ? true : false;
            boolean wantAssertionSigned = wantAssertionSigned(realm, pepEntityID);
            String respID = samlResponse.getID();
            List assertions = samlResponse.getAssertion();
            if (wantAssertionEncrypted && (assertions != null && (assertions.size() != 0))) {
                String[] data = { issuerID, respID };
                LogUtil.error(Level.INFO, LogUtil.ASSERTION_FROM_PDP_NOT_ENCRYPTED, data);
                throw new SAML2Exception(SAML2SDKUtils.bundle.getString("assertionNotEncrypted"));
            }
            Set<PrivateKey> decryptionKeys;
            List<EncryptedAssertion> encAssertions = samlResponse.getEncryptedAssertion();
            if (encAssertions != null) {
                decryptionKeys = KeyUtil.getDecryptionKeys(pepConfig);
                for (EncryptedAssertion encAssertion : encAssertions) {
                    Assertion assertion = encAssertion.decrypt(decryptionKeys);
                    if (assertions == null) {
                        assertions = new ArrayList<>();
                    }
                    assertions.add(assertion);
                }
            }
            if (assertions == null || assertions.size() == 0) {
                if (debug.messageEnabled()) {
                    debug.message(classMethod + "no assertion in the Response.");
                }
                String[] data = { issuerID, respID };
                LogUtil.error(Level.INFO, LogUtil.MISSING_ASSERTION_IN_PDP_RESPONSE, data);
                throw new SAML2Exception(SAML2SDKUtils.bundle.getString("missingAssertion"));
            }
            // validate Issuer  in Assertion
            Iterator assertionIter = assertions.iterator();
            Set<X509Certificate> verificationCerts = null;
            XACMLPDPDescriptorElement pdpDesc = null;
            if (wantAssertionSigned) {
                pdpDesc = saml2MetaManager.getPolicyDecisionPointDescriptor(realm, pdpEntityID);
                verificationCerts = KeyUtil.getPDPVerificationCerts(pdpDesc, pdpEntityID);
            }
            while (assertionIter.hasNext()) {
                Assertion assertion = (Assertion) assertionIter.next();
                String assertionID = assertion.getID();
                String assertionIssuer = assertion.getIssuer().getValue().trim();
                isTrusted = verifyResponseIssuer(realm, pepEntityID, assertionIssuer);
                if (!isTrusted) {
                    debug.error(classMethod + "Assertion's source site is not valid.");
                    String[] data = { assertionIssuer, assertionID };
                    LogUtil.error(Level.INFO, LogUtil.INVALID_ISSUER_IN_ASSERTION_FROM_PDP, data);
                    throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidIssuerInAssertion"));
                }
                String respIssuer = samlResponse.getIssuer().getValue().trim();
                if (!respIssuer.equals(assertionIssuer)) {
                    if (debug.messageEnabled()) {
                        debug.message(classMethod + "Issuer in Assertion " + assertionIssuer + "doesn't match the Issuer in Response." + respIssuer);
                    }
                    String[] data = { pdpEntityID, assertionIssuer };
                    LogUtil.error(Level.INFO, LogUtil.MISMATCH_ISSUER_IN_ASSERTION_FROM_PDP, data);
                    throw new SAML2Exception(SAML2SDKUtils.bundle.getString("mismatchIssuer"));
                }
                if (wantAssertionSigned) {
                    if (debug.messageEnabled()) {
                        debug.message(classMethod + "wantAssertionSigned " + wantAssertionSigned);
                    }
                    if (!assertion.isSigned() || !assertion.isSignatureValid(verificationCerts)) {
                        debug.error(classMethod + "Assertion is not signed or signature " + "is not valid.");
                        String[] data = { assertionIssuer, assertionID };
                        LogUtil.error(Level.INFO, LogUtil.INVALID_SIGNATURE_ASSERTION_FROM_PDP, data);
                        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidSignatureOnAssertion"));
                    }
                }
            }
            //end while
            if (wantAssertionEncrypted) {
                response = createResponse(samlResponse, assertions);
            }
            if (debug.messageEnabled()) {
                debug.message(classMethod + " Response : " + response.toXMLString(true, true));
            }
        } catch (SAML2MetaException sme) {
            if (debug.messageEnabled()) {
                debug.message(classMethod + "Error retreiving meta", sme);
            }
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("metaDataError"));
        }
    }
    return response;
}
Also used : PrivateKey(java.security.PrivateKey) Issuer(com.sun.identity.saml2.assertion.Issuer) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) Assertion(com.sun.identity.saml2.assertion.Assertion) XACMLPDPDescriptorElement(com.sun.identity.saml2.jaxb.metadata.XACMLPDPDescriptorElement) X509Certificate(java.security.cert.X509Certificate) Response(com.sun.identity.saml2.protocol.Response) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) Iterator(java.util.Iterator) XACMLAuthzDecisionQueryConfigElement(com.sun.identity.saml2.jaxb.entityconfig.XACMLAuthzDecisionQueryConfigElement) ArrayList(java.util.ArrayList) NodeList(org.w3c.dom.NodeList) List(java.util.List) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)

Aggregations

SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)53 ArrayList (java.util.ArrayList)42 List (java.util.List)42 Assertion (com.sun.identity.saml2.assertion.Assertion)30 SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)24 Date (java.util.Date)24 EncryptedAssertion (com.sun.identity.saml2.assertion.EncryptedAssertion)20 Issuer (com.sun.identity.saml2.assertion.Issuer)16 SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)16 Response (com.sun.identity.saml2.protocol.Response)16 Iterator (java.util.Iterator)15 HttpServletResponse (javax.servlet.http.HttpServletResponse)13 SessionException (com.sun.identity.plugin.session.SessionException)12 IOException (java.io.IOException)12 SAML2TokenRepositoryException (org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)11 NameID (com.sun.identity.saml2.assertion.NameID)10 PrivateKey (java.security.PrivateKey)10 AttributeStatement (com.sun.identity.saml2.assertion.AttributeStatement)8 Subject (com.sun.identity.saml2.assertion.Subject)8 SAML2MetaManager (com.sun.identity.saml2.meta.SAML2MetaManager)8