
Example 36 with Assertion

Use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.

The class SAML2TokenGenerationImpl, method setIssuer.

private void setIssuer(Assertion assertion, SAML2Config config) throws TokenCreationException {
    final Issuer issuer = AssertionFactory.getInstance().createIssuer();
    try {
        issuer.setValue(config.getIdpId());
        assertion.setIssuer(issuer);
    } catch (SAML2Exception e) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception caught setting issuer in SAML2TokenGenerationImpl: " + e, e);
    }
}
Also used: SAML2Exception (com.sun.identity.saml2.common.SAML2Exception), Issuer (com.sun.identity.saml2.assertion.Issuer), TokenCreationException (org.forgerock.openam.sts.TokenCreationException)

Example 37 with Assertion

Use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.

The class SAML2TokenGenerationImpl, method generate.

public String generate(SSOToken subjectToken, STSInstanceState stsInstanceState, TokenGenerationServiceInvocationState invocationState) throws TokenCreationException {
    final SAML2Config saml2Config = stsInstanceState.getConfig().getSaml2Config();
    if (saml2Config == null) {
        throw new TokenCreationException(ResourceException.BAD_REQUEST, "Invocation targets a SAML2 token, but no SAML2Config was specified in the published sts!");
    }
    final String subjectId = ssoTokenIdentity.validateAndGetTokenPrincipal(subjectToken);
    final Assertion assertion = AssertionFactory.getInstance().createAssertion();
    setVersionAndId(assertion);
    setIssuer(assertion, saml2Config);
    final Date issueInstant = new Date();
    setIssueInstant(assertion, issueInstant);
    final SAML2TokenGenerationState tokenGenerationState = invocationState.getSaml2TokenGenerationState();
    setConditions(assertion, saml2Config, issueInstant, tokenGenerationState.getSaml2SubjectConfirmation());
    setSubject(assertion, subjectId, saml2Config.getSpAcsUrl(), saml2Config, invocationState.getSaml2TokenGenerationState().getSaml2SubjectConfirmation(), issueInstant, tokenGenerationState.getProofTokenState());
    setAuthenticationStatements(assertion, saml2Config, tokenGenerationState.getAuthnContextClassRef());
    setAttributeStatements(assertion, subjectToken, saml2Config);
    setAuthzDecisionStatements(assertion, subjectToken, saml2Config);
    /*
     * Entering this branch handles both encryption and signing, as encryption of the entire assertion must be
     * preceded by signing (sign first, then encrypt the signed assertion).
     */
    String assertionString;
    if (saml2Config.encryptAssertion()) {
        EncryptedAssertion encryptedAssertion = handleSingingAndEncryptionOfEntireAssertion(assertion, saml2Config, stsInstanceState);
        try {
            assertionString = encryptedAssertion.toXMLString(ASSERTION_TO_STRING_INCLUDE_NAMESPACE_PREFIX, ASSERTION_TO_STRING_DECLARE_NAMESPACE_PREFIX);
        } catch (SAML2Exception e) {
            throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception caught calling Assertion.toXMLString: " + e, e);
        }
    } else {
        if (saml2Config.encryptAttributes()) {
            encryptAttributeStatement(assertion, saml2Config, stsInstanceState);
        }
        if (saml2Config.encryptNameID()) {
            encryptNameID(assertion, saml2Config, stsInstanceState);
        }
        if (saml2Config.signAssertion()) {
            signAssertion(assertion, stsInstanceState);
        }
        try {
            assertionString = assertion.toXMLString(ASSERTION_TO_STRING_INCLUDE_NAMESPACE_PREFIX, ASSERTION_TO_STRING_DECLARE_NAMESPACE_PREFIX);
        } catch (SAML2Exception e) {
            throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception caught calling Assertion.toXMLString: " + e, e);
        }
    }
    if (stsInstanceState.getConfig().persistIssuedTokensInCTS()) {
        try {
            ctsTokenPersistence.persistToken(invocationState.getStsInstanceId(), TokenType.SAML2, assertionString, subjectId, issueInstant.getTime(), saml2Config.getTokenLifetimeInSeconds());
        } catch (CTSTokenPersistenceException e) {
            throw new TokenCreationException(e.getCode(), e.getMessage(), e);
        }
    }
    return assertionString;
}
Also used: SAML2Exception (com.sun.identity.saml2.common.SAML2Exception), SAML2Config (org.forgerock.openam.sts.config.user.SAML2Config), EncryptedAssertion (com.sun.identity.saml2.assertion.EncryptedAssertion), Assertion (com.sun.identity.saml2.assertion.Assertion), TokenCreationException (org.forgerock.openam.sts.TokenCreationException), CTSTokenPersistenceException (org.forgerock.openam.sts.CTSTokenPersistenceException), Date (java.util.Date), SAML2TokenGenerationState (org.forgerock.openam.sts.service.invocation.SAML2TokenGenerationState)

Example 38 with Assertion

Use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.

The class SAML2TokenGenerationImpl, method encryptNameID.

private void encryptNameID(Assertion assertion, SAML2Config saml2Config, STSInstanceState stsInstanceState) throws TokenCreationException {
    /*
     * The null checks below model IDPSSOUtil#signAndEncryptResponseComponents. The Subject and NameID will
     * never be null when generated by the DefaultSubjectProvider, but when generated by a custom provider, this
     * invariant is not assured.
     */
    Subject subject = assertion.getSubject();
    if (subject == null) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "In SAML2TokenGenerationImpl, saml2Config specifies encryption of NameID, but " + "encapsulating subject is null.");
    }
    NameID nameID = subject.getNameID();
    if (nameID == null) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "In SAML2TokenGenerationImpl, saml2Config specifies encryption of NameID, but " + "NameID in subject is null.");
    }
    try {
        EncryptedID encryptedNameID = nameID.encrypt(stsInstanceState.getSAML2CryptoProvider().getSPX509Certificate(saml2Config.getEncryptionKeyAlias()).getPublicKey(), saml2Config.getEncryptionAlgorithm(), saml2Config.getEncryptionAlgorithmStrength(), saml2Config.getSpEntityId());
        if (encryptedNameID == null) {
            throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "In SAML2TokenGenerationImpl, the EncryptedID returned from NameID#encrypt is null.");
        }
        subject.setEncryptedID(encryptedNameID);
        // Clear the plaintext NameID so that only the EncryptedID remains in the Subject
        subject.setNameID(null);
        assertion.setSubject(subject);
    } catch (SAML2Exception e) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception thrown encrypting NameID in SAML2TokenGenerationImpl: " + e, e);
    }
}
Also used: SAML2Exception (com.sun.identity.saml2.common.SAML2Exception), NameID (com.sun.identity.saml2.assertion.NameID), TokenCreationException (org.forgerock.openam.sts.TokenCreationException), EncryptedID (com.sun.identity.saml2.assertion.EncryptedID), Subject (com.sun.identity.saml2.assertion.Subject)

Example 39 with Assertion

Use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.

The class SAML2TokenGenerationImpl, method setVersionAndId.

private void setVersionAndId(Assertion assertion) throws TokenCreationException {
    try {
        assertion.setVersion("2.0");
        assertion.setID(SAML2SDKUtils.generateID());
    } catch (SAML2Exception e) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception caught setting version and/or id in SAML2TokenGenerationImpl: " + e, e);
    }
}
Also used: SAML2Exception (com.sun.identity.saml2.common.SAML2Exception), TokenCreationException (org.forgerock.openam.sts.TokenCreationException)

Example 40 with Assertion

Use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.

The class SPACSUtils, method getSAMLAttributes.

/**
 * Gets the attributes from an assertion's AttributeStatements.
 *
 * @param assertion The assertion from which to pull the AttributeStatements.
 * @param needAttributeEncrypted Whether attributes must be encrypted (plaintext attributes are rejected and null is returned).
 * @param privateKeys Private keys used to decrypt those encrypted attributes.
 * @return a list of attributes pulled from the provided assertion, or null if the assertion has none or a check fails.
 */
public static List<Attribute> getSAMLAttributes(Assertion assertion, boolean needAttributeEncrypted, Set<PrivateKey> privateKeys) {
    List<Attribute> attrList = null;
    if (assertion != null) {
        List<AttributeStatement> statements = assertion.getAttributeStatements();
        if (CollectionUtils.isNotEmpty(statements)) {
            for (AttributeStatement statement : statements) {
                List<Attribute> attributes = statement.getAttribute();
                if (needAttributeEncrypted && attributes != null && !attributes.isEmpty()) {
                    SAML2Utils.debug.error("Attribute not encrypted.");
                    return null;
                }
                if (attributes != null) {
                    if (attrList == null) {
                        attrList = new ArrayList<>();
                    }
                    attrList.addAll(attributes);
                }
                List<EncryptedAttribute> encAttrs = statement.getEncryptedAttribute();
                if (encAttrs != null) {
                    for (EncryptedAttribute encAttr : encAttrs) {
                        if (attrList == null) {
                            attrList = new ArrayList<>();
                        }
                        try {
                            attrList.add(encAttr.decrypt(privateKeys));
                        } catch (SAML2Exception se) {
                            SAML2Utils.debug.error("Decryption error:", se);
                            return null;
                        }
                    }
                }
            }
        }
    }
    return attrList;
}
Also used: EncryptedAttribute (com.sun.identity.saml2.assertion.EncryptedAttribute), SAML2Exception (com.sun.identity.saml2.common.SAML2Exception), Attribute (com.sun.identity.saml2.assertion.Attribute), AttributeStatement (com.sun.identity.saml2.assertion.AttributeStatement)
