Example 36 with Assertion
use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.
the class SAML2TokenGenerationImpl method setIssuer.
private void setIssuer(Assertion assertion, SAML2Config config) throws TokenCreationException {
final Issuer issuer = AssertionFactory.getInstance().createIssuer();
try {
issuer.setValue(config.getIdpId());
assertion.setIssuer(issuer);
} catch (SAML2Exception e) {
throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception caught setting issuer in SAML2TokenGenerationImpl: " + e, e);
}
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
Issuer(com.sun.identity.saml2.assertion.Issuer)
TokenCreationException(org.forgerock.openam.sts.TokenCreationException)
Example 37 with Assertion
use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.
the class SAML2TokenGenerationImpl method generate.
public String generate(SSOToken subjectToken, STSInstanceState stsInstanceState, TokenGenerationServiceInvocationState invocationState) throws TokenCreationException {
final SAML2Config saml2Config = stsInstanceState.getConfig().getSaml2Config();
if (saml2Config == null) {
throw new TokenCreationException(ResourceException.BAD_REQUEST, "Invocation targets a SAML2 token, but no SAML2Config was specified in the published sts!");
}
final String subjectId = ssoTokenIdentity.validateAndGetTokenPrincipal(subjectToken);
final Assertion assertion = AssertionFactory.getInstance().createAssertion();
setVersionAndId(assertion);
setIssuer(assertion, saml2Config);
final Date issueInstant = new Date();
setIssueInstant(assertion, issueInstant);
final SAML2TokenGenerationState tokenGenerationState = invocationState.getSaml2TokenGenerationState();
setConditions(assertion, saml2Config, issueInstant, tokenGenerationState.getSaml2SubjectConfirmation());
setSubject(assertion, subjectId, saml2Config.getSpAcsUrl(), saml2Config, invocationState.getSaml2TokenGenerationState().getSaml2SubjectConfirmation(), issueInstant, tokenGenerationState.getProofTokenState());
setAuthenticationStatements(assertion, saml2Config, tokenGenerationState.getAuthnContextClassRef());
setAttributeStatements(assertion, subjectToken, saml2Config);
setAuthzDecisionStatements(assertion, subjectToken, saml2Config);
/*
entering this branch handles both encryption and signing, as the encryption of the entire assertion must be
proceeded by signing.
*/
String assertionString;
if (saml2Config.encryptAssertion()) {
EncryptedAssertion encryptedAssertion = handleSingingAndEncryptionOfEntireAssertion(assertion, saml2Config, stsInstanceState);
try {
assertionString = encryptedAssertion.toXMLString(ASSERTION_TO_STRING_INCLUDE_NAMESPACE_PREFIX, ASSERTION_TO_STRING_DECLARE_NAMESPACE_PREFIX);
} catch (SAML2Exception e) {
throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception caught calling Assertion.toXMLString: " + e, e);
}
} else {
if (saml2Config.encryptAttributes()) {
encryptAttributeStatement(assertion, saml2Config, stsInstanceState);
}
if (saml2Config.encryptNameID()) {
encryptNameID(assertion, saml2Config, stsInstanceState);
}
if (saml2Config.signAssertion()) {
signAssertion(assertion, stsInstanceState);
}
try {
assertionString = assertion.toXMLString(ASSERTION_TO_STRING_INCLUDE_NAMESPACE_PREFIX, ASSERTION_TO_STRING_DECLARE_NAMESPACE_PREFIX);
} catch (SAML2Exception e) {
throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception caught calling Assertion.toXMLString: " + e, e);
}
}
if (stsInstanceState.getConfig().persistIssuedTokensInCTS()) {
try {
ctsTokenPersistence.persistToken(invocationState.getStsInstanceId(), TokenType.SAML2, assertionString, subjectId, issueInstant.getTime(), saml2Config.getTokenLifetimeInSeconds());
} catch (CTSTokenPersistenceException e) {
throw new TokenCreationException(e.getCode(), e.getMessage(), e);
}
}
return assertionString;
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
SAML2Config(org.forgerock.openam.sts.config.user.SAML2Config)
EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion)
EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion)
Assertion(com.sun.identity.saml2.assertion.Assertion)
TokenCreationException(org.forgerock.openam.sts.TokenCreationException)
CTSTokenPersistenceException(org.forgerock.openam.sts.CTSTokenPersistenceException)
Date(java.util.Date)
SAML2TokenGenerationState(org.forgerock.openam.sts.service.invocation.SAML2TokenGenerationState)
Example 38 with Assertion
use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.
the class SAML2TokenGenerationImpl method encryptNameID.
private void encryptNameID(Assertion assertion, SAML2Config saml2Config, STSInstanceState stsInstanceState) throws TokenCreationException {
/*
The null checks below model IDPSSOUtil#signAndEncryptResponseComponents. The Subject and NameID will
never be null when generated by the DefaultSubjectProvider, but when generated by a custom provider, this
invariant is not assured.
*/
Subject subject = assertion.getSubject();
if (subject == null) {
throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "In SAML2TokenGenerationImpl, saml2Config specifies encryption of NameID, but " + "encapsulating subject is null.");
}
NameID nameID = subject.getNameID();
if (nameID == null) {
throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "In SAML2TokenGenerationImpl, saml2Config specifies encryption of NameID, but " + "NameID in subject is null.");
}
try {
EncryptedID encryptedNameID = nameID.encrypt(stsInstanceState.getSAML2CryptoProvider().getSPX509Certificate(saml2Config.getEncryptionKeyAlias()).getPublicKey(), saml2Config.getEncryptionAlgorithm(), saml2Config.getEncryptionAlgorithmStrength(), saml2Config.getSpEntityId());
if (encryptedNameID == null) {
throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "In SAML2TokenGenerationImpl, the EncryptedID returned from NameID#encrypt is null.");
}
subject.setEncryptedID(encryptedNameID);
// reset NameID
subject.setNameID(null);
assertion.setSubject(subject);
} catch (SAML2Exception e) {
throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception thrown encrypting NameID in SAML2TokenGenerationImpl: " + e, e);
}
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
NameID(com.sun.identity.saml2.assertion.NameID)
TokenCreationException(org.forgerock.openam.sts.TokenCreationException)
EncryptedID(com.sun.identity.saml2.assertion.EncryptedID)
Subject(com.sun.identity.saml2.assertion.Subject)
Example 39 with Assertion
use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.
the class SAML2TokenGenerationImpl method setVersionAndId.
private void setVersionAndId(Assertion assertion) throws TokenCreationException {
try {
assertion.setVersion("2.0");
assertion.setID(SAML2SDKUtils.generateID());
} catch (SAML2Exception e) {
throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception caught setting version and/or id in SAML2TokenGenerationImpl: " + e, e);
}
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
TokenCreationException(org.forgerock.openam.sts.TokenCreationException)
Example 40 with Assertion
use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.
the class SPACSUtils method getSAMLAttributes.
/**
* Gets the attributes from an assert's AttributeStates.
*
* @param assertion The assertion from which to pull the AttributeStates.
* @param needAttributeEncrypted Whether attributes must be encrypted (or else rejected).
* @param privateKeys Private keys used to decrypt those encrypted attributes.
* @return a list of attributes pulled from the provided assertion.
*/
public static List<Attribute> getSAMLAttributes(Assertion assertion, boolean needAttributeEncrypted, Set<PrivateKey> privateKeys) {
List<Attribute> attrList = null;
if (assertion != null) {
List<AttributeStatement> statements = assertion.getAttributeStatements();
if (CollectionUtils.isNotEmpty(statements)) {
for (AttributeStatement statement : statements) {
List<Attribute> attributes = statement.getAttribute();
if (needAttributeEncrypted && attributes != null && !attributes.isEmpty()) {
SAML2Utils.debug.error("Attribute not encrypted.");
return null;
}
if (attributes != null) {
if (attrList == null) {
attrList = new ArrayList<>();
}
attrList.addAll(attributes);
}
List<EncryptedAttribute> encAttrs = statement.getEncryptedAttribute();
if (encAttrs != null) {
for (EncryptedAttribute encAttr : encAttrs) {
if (attrList == null) {
attrList = new ArrayList<>();
}
try {
attrList.add((encAttr).decrypt(privateKeys));
} catch (SAML2Exception se) {
SAML2Utils.debug.error("Decryption error:", se);
return null;
}
}
}
}
}
}
return attrList;
}
Also used :
EncryptedAttribute(com.sun.identity.saml2.assertion.EncryptedAttribute)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
Attribute(com.sun.identity.saml2.assertion.Attribute)
EncryptedAttribute(com.sun.identity.saml2.assertion.EncryptedAttribute)
AttributeStatement(com.sun.identity.saml2.assertion.AttributeStatement)
Aggregations
SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)53
ArrayList (java.util.ArrayList)42
List (java.util.List)42
Assertion (com.sun.identity.saml2.assertion.Assertion)30
SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)24
Date (java.util.Date)24
EncryptedAssertion (com.sun.identity.saml2.assertion.EncryptedAssertion)20
Issuer (com.sun.identity.saml2.assertion.Issuer)16
SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)16
Response (com.sun.identity.saml2.protocol.Response)16
Iterator (java.util.Iterator)15
HttpServletResponse (javax.servlet.http.HttpServletResponse)13
SessionException (com.sun.identity.plugin.session.SessionException)12
IOException (java.io.IOException)12
SAML2TokenRepositoryException (org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)11
NameID (com.sun.identity.saml2.assertion.NameID)10
PrivateKey (java.security.PrivateKey)10
AttributeStatement (com.sun.identity.saml2.assertion.AttributeStatement)8
Subject (com.sun.identity.saml2.assertion.Subject)8
SAML2MetaManager (com.sun.identity.saml2.meta.SAML2MetaManager)8
