use of com.sun.identity.saml2.assertion.Attribute in project OpenAM by OpenRock.
the class Saml2GrantTypeHandler method validAssertion.
private boolean validAssertion(Assertion assertion, String deploymentURL) throws SAML2Exception {
//must contain issuer
final Issuer issuer = assertion.getIssuer();
if (issuer == null) {
logger.error("Issuer does not exist");
return false;
}
/**
* The Assertion MUST contain <Conditions> element with an
* <AudienceRestriction> element with an <Audience> element
* containing a URI reference that identifies the authorization
* server, or the service provider SAML entity of its controlling
* domain, as an intended audience. The token endpoint URL of the
* authorization server MAY be used as an acceptable value for an
* <Audience> element. The authorization server MUST verify that it
* is an intended audience for the Assertion.
*
*/
final Conditions conditions = assertion.getConditions();
if (conditions == null) {
logger.error("Saml2BearerServerResource.validAssertion(): Conditions does not exist");
return false;
}
final List<AudienceRestriction> audienceRestriction = conditions.getAudienceRestrictions();
if (audienceRestriction == null || audienceRestriction.isEmpty()) {
logger.error("Saml2BearerServerResource.validAssertion(): Audience Restriction does not exist");
return false;
}
boolean found = false;
logger.trace("Saml2BearerServerResource.validAssertion(): URL of authorization server: " + deploymentURL);
for (final AudienceRestriction restriction : audienceRestriction) {
final List<String> audiences = restriction.getAudience();
if (audiences == null || audiences.isEmpty()) {
continue;
}
for (final String audience : audiences) {
String deployURL = deploymentURL;
String aud = audience;
//check for the url with and without trailing /
if (deployURL.endsWith("/")) {
deployURL = deploymentURL.substring(0, deployURL.length() - 1);
}
if (aud.endsWith("/")) {
aud = aud.substring(0, aud.length() - 1);
}
if (aud.equalsIgnoreCase(deployURL)) {
found = true;
}
}
}
if (found == false) {
logger.error("Didn't find the oauth2 provider in audience restrictions");
return false;
}
/**
* The Assertion MUST contain a <Subject> element. The subject MAY
* identify the resource owner for whom the access token is being
* requested. For client authentication, the Subject MUST be the
* "client_id" of the OAuth client. When using an Assertion as an
* authorization grant, the Subject SHOULD identify an authorized
* accessor for whom the access token is being requested (typically
* the resource owner, or an authorized delegate). Additional
* information identifying the subject/principal of the transaction
* MAY be included in an <AttributeStatement>.
*/
final Subject subject = assertion.getSubject();
if (subject == null) {
logger.error("Subject does not exist");
return false;
}
final String resourceOwner = subject.getNameID().getValue();
/**
* The Assertion MUST have an expiry that limits the time window
* during which it can be used. The expiry can be expressed either
* as the NotOnOrAfter attribute of the <Conditions> element or as
* the NotOnOrAfter attribute of a suitable <SubjectConfirmationData>
* element.
*/
/**
* The <Subject> element MUST contain at least one
* <SubjectConfirmation> element that allows the authorization server
* to confirm it as a Bearer Assertion. Such a <SubjectConfirmation>
* element MUST have a Method attribute with a value of
* "urn:oasis:names:tc:SAML:2.0:cm:bearer". The
* <SubjectConfirmation> element MUST contain a
* <SubjectConfirmationData> element, unless the Assertion has a
* suitable NotOnOrAfter attribute on the <Conditions> element, in
* which case the <SubjectConfirmationData> element MAY be omitted.
* When present, the <SubjectConfirmationData> element MUST have a
* Recipient attribute with a value indicating the token endpoint URL
* of the authorization server (or an acceptable alias). The
* authorization server MUST verify that the value of the Recipient
* attribute matches the token endpoint URL (or an acceptable alias)
* to which the Assertion was delivered. The
* <SubjectConfirmationData> element MUST have a NotOnOrAfter
* attribute that limits the window during which the Assertion can be
* confirmed. The <SubjectConfirmationData> element MAY also contain
* an Address attribute limiting the client address from which the
* Assertion can be delivered. Verification of the Address is at the
* discretion of the authorization server.
*/
final List<SubjectConfirmation> subjectConfirmations = subject.getSubjectConfirmation();
found = false;
if (subjectConfirmations == null || subjectConfirmations.isEmpty()) {
logger.error("Subject Confirmations does not exist");
return false;
}
//if conditions is expired assertion is expired
if (!assertion.isTimeValid()) {
logger.error("Assertion expired");
return false;
} else {
found = true;
}
for (final SubjectConfirmation subjectConfirmation : subjectConfirmations) {
if (subjectConfirmation.getMethod() == null) {
continue;
}
if (subjectConfirmation.getMethod().equalsIgnoreCase(OAuth2Constants.SAML20.SUBJECT_CONFIRMATION_METHOD)) {
final SubjectConfirmationData subjectConfirmationData = subjectConfirmation.getSubjectConfirmationData();
if (subjectConfirmationData == null) {
continue;
} else if (subjectConfirmationData.getNotOnOrAfter().before(new Date()) && subjectConfirmationData.getRecipient().equalsIgnoreCase(deploymentURL)) {
found = true;
}
//TODO check Client Address
}
}
if (!found) {
logger.error("Assertion expired or subject expired");
return false;
}
if (!assertion.isSigned()) {
logger.error("Assertion must be signed");
return false;
}
if (!SAMLUtils.checkSignatureValid(assertion.toXMLString(), "ID", issuer.getValue())) {
logger.error("Assertion signature verification failed");
return false;
}
return true;
}
use of com.sun.identity.saml2.assertion.Attribute in project OpenAM by OpenRock.
the class SAMLv2ModelImpl method setIDPStdAttributeValues.
/**
* Saves the standard attribute values for the Identiy Provider.
*
* @param realm to which the entity belongs.
* @param entityName is the entity id.
* @param idpStdValues Map which contains the standard attribute values.
* @throws AMConsoleException if saving of attribute value fails.
*/
public void setIDPStdAttributeValues(String realm, String entityName, Map idpStdValues) throws AMConsoleException {
String[] params = { realm, entityName, "SAMLv2", "IDP-Standard" };
logEvent("ATTEMPT_MODIFY_ENTITY_DESCRIPTOR", params);
IDPSSODescriptorElement idpssoDescriptor = null;
com.sun.identity.saml2.jaxb.metadata.ObjectFactory objFact = new com.sun.identity.saml2.jaxb.metadata.ObjectFactory();
try {
SAML2MetaManager samlManager = getSAML2MetaManager();
EntityDescriptorElement entityDescriptor = samlManager.getEntityDescriptor(realm, entityName);
idpssoDescriptor = samlManager.getIDPSSODescriptor(realm, entityName);
if (idpssoDescriptor != null) {
// save for WantAuthnRequestsSigned
if (idpStdValues.keySet().contains(WANT_AUTHN_REQ_SIGNED)) {
boolean value = setToBoolean(idpStdValues, WANT_AUTHN_REQ_SIGNED);
idpssoDescriptor.setWantAuthnRequestsSigned(value);
}
// save for Artifact Resolution Service
if (idpStdValues.keySet().contains(ART_RES_LOCATION)) {
String artLocation = getResult(idpStdValues, ART_RES_LOCATION);
String indexValue = getResult(idpStdValues, ART_RES_INDEX);
if (StringUtils.isEmpty(indexValue)) {
indexValue = "0";
}
boolean isDefault = setToBoolean(idpStdValues, ART_RES_ISDEFAULT);
ArtifactResolutionServiceElement elem = null;
List artList = idpssoDescriptor.getArtifactResolutionService();
if (artList.isEmpty()) {
elem = objFact.createArtifactResolutionServiceElement();
elem.setBinding(soapBinding);
elem.setLocation("");
elem.setIndex(0);
elem.setIsDefault(false);
idpssoDescriptor.getArtifactResolutionService().add(elem);
artList = idpssoDescriptor.getArtifactResolutionService();
}
elem = (ArtifactResolutionServiceElement) artList.get(0);
elem.setLocation(artLocation);
elem.setIndex(Integer.parseInt(indexValue));
elem.setIsDefault(isDefault);
idpssoDescriptor.getArtifactResolutionService().clear();
idpssoDescriptor.getArtifactResolutionService().add(elem);
}
// save for Single Logout Service - Http-Redirect
if (idpStdValues.keySet().contains(SINGLE_LOGOUT_HTTP_LOCATION)) {
String lohttpLocation = getResult(idpStdValues, SINGLE_LOGOUT_HTTP_LOCATION);
String lohttpRespLocation = getResult(idpStdValues, SINGLE_LOGOUT_HTTP_RESP_LOCATION);
String postLocation = getResult(idpStdValues, SLO_POST_LOC);
String postRespLocation = getResult(idpStdValues, SLO_POST_RESPLOC);
String losoapLocation = getResult(idpStdValues, SINGLE_LOGOUT_SOAP_LOCATION);
String priority = getResult(idpStdValues, SINGLE_LOGOUT_DEFAULT);
if (priority.contains("none")) {
if (lohttpLocation != null) {
priority = httpRedirectBinding;
} else if (postLocation != null) {
priority = httpPostBinding;
} else if (losoapLocation != null) {
priority = soapBinding;
}
}
List logList = idpssoDescriptor.getSingleLogoutService();
if (!logList.isEmpty()) {
logList.clear();
}
if (priority != null && priority.contains("HTTP-Redirect")) {
savehttpRedLogout(lohttpLocation, lohttpRespLocation, logList, objFact);
savepostLogout(postLocation, postRespLocation, logList, objFact);
savesoapLogout(losoapLocation, logList, objFact);
} else if (priority != null && priority.contains("HTTP-POST")) {
savepostLogout(postLocation, postRespLocation, logList, objFact);
savehttpRedLogout(lohttpLocation, lohttpRespLocation, logList, objFact);
savesoapLogout(losoapLocation, logList, objFact);
} else if (priority != null && priority.contains("SOAP")) {
savesoapLogout(losoapLocation, logList, objFact);
savehttpRedLogout(lohttpLocation, lohttpRespLocation, logList, objFact);
savepostLogout(postLocation, postRespLocation, logList, objFact);
}
}
// save for Manage Name ID Service
if (idpStdValues.keySet().contains(MANAGE_NAMEID_HTTP_LOCATION)) {
String mnihttpLocation = getResult(idpStdValues, MANAGE_NAMEID_HTTP_LOCATION);
String mnihttpRespLocation = getResult(idpStdValues, MANAGE_NAMEID_HTTP_RESP_LOCATION);
String mnipostLocation = getResult(idpStdValues, MNI_POST_LOC);
String mnipostRespLocation = getResult(idpStdValues, MNI_POST_RESPLOC);
String mnisoapLocation = getResult(idpStdValues, MANAGE_NAMEID_SOAP_LOCATION);
String priority = getResult(idpStdValues, SINGLE_MANAGE_NAMEID_DEFAULT);
if (priority.contains("none")) {
if (mnihttpLocation != null) {
priority = httpRedirectBinding;
} else if (mnipostLocation != null) {
priority = httpPostBinding;
} else if (mnisoapLocation != null) {
priority = soapBinding;
}
}
List manageNameIdList = idpssoDescriptor.getManageNameIDService();
if (!manageNameIdList.isEmpty()) {
manageNameIdList.clear();
}
if (priority != null && priority.contains("HTTP-Redirect")) {
savehttpRedMni(mnihttpLocation, mnihttpRespLocation, manageNameIdList, objFact);
savepostMni(mnipostLocation, mnipostRespLocation, manageNameIdList, objFact);
savesoapMni(mnisoapLocation, manageNameIdList, objFact);
} else if (priority != null && priority.contains("HTTP-POST")) {
savepostMni(mnipostLocation, mnipostRespLocation, manageNameIdList, objFact);
savehttpRedMni(mnihttpLocation, mnihttpRespLocation, manageNameIdList, objFact);
savesoapMni(mnisoapLocation, manageNameIdList, objFact);
} else if (priority != null && priority.contains("SOAP")) {
savesoapMni(mnisoapLocation, manageNameIdList, objFact);
savehttpRedMni(mnihttpLocation, mnihttpRespLocation, manageNameIdList, objFact);
savepostMni(mnipostLocation, mnipostRespLocation, manageNameIdList, objFact);
}
}
//save nameid mapping
if (idpStdValues.keySet().contains(NAME_ID_MAPPPING)) {
String nameIDmappingloc = getResult(idpStdValues, NAME_ID_MAPPPING);
NameIDMappingServiceElement namidElem1 = null;
List nameIDmappingList = idpssoDescriptor.getNameIDMappingService();
if (nameIDmappingList.isEmpty()) {
namidElem1 = objFact.createNameIDMappingServiceElement();
namidElem1.setBinding(soapBinding);
idpssoDescriptor.getNameIDMappingService().add(namidElem1);
nameIDmappingList = idpssoDescriptor.getNameIDMappingService();
}
namidElem1 = (NameIDMappingServiceElement) nameIDmappingList.get(0);
namidElem1.setLocation(nameIDmappingloc);
idpssoDescriptor.getNameIDMappingService().clear();
idpssoDescriptor.getNameIDMappingService().add(namidElem1);
}
//save nameid format
if (idpStdValues.keySet().contains(NAMEID_FORMAT)) {
saveNameIdFormat(idpssoDescriptor, idpStdValues);
}
//save for SingleSignOnService
if (idpStdValues.keySet().contains(SINGLE_SIGNON_HTTP_LOCATION)) {
String ssohttpLocation = getResult(idpStdValues, SINGLE_SIGNON_HTTP_LOCATION);
String ssopostLocation = getResult(idpStdValues, SINGLE_SIGNON_SOAP_LOCATION);
String ssoSoapLocation = getResult(idpStdValues, SSO_SOAPS_LOC);
List signonList = idpssoDescriptor.getSingleSignOnService();
if (!signonList.isEmpty()) {
signonList.clear();
}
if (ssohttpLocation != null && ssohttpLocation.length() > 0) {
SingleSignOnServiceElement slsElemRed = objFact.createSingleSignOnServiceElement();
slsElemRed.setBinding(httpRedirectBinding);
slsElemRed.setLocation(ssohttpLocation);
signonList.add(slsElemRed);
}
if (ssopostLocation != null && ssopostLocation.length() > 0) {
SingleSignOnServiceElement slsElemPost = objFact.createSingleSignOnServiceElement();
slsElemPost.setBinding(httpPostBinding);
slsElemPost.setLocation(ssopostLocation);
signonList.add(slsElemPost);
}
if (ssoSoapLocation != null && ssoSoapLocation.length() > 0) {
SingleSignOnServiceElement slsElemSoap = objFact.createSingleSignOnServiceElement();
slsElemSoap.setBinding(soapBinding);
slsElemSoap.setLocation(ssoSoapLocation);
signonList.add(slsElemSoap);
}
}
samlManager.setEntityDescriptor(realm, entityDescriptor);
}
logEvent("SUCCEED_MODIFY_ENTITY_DESCRIPTOR", params);
} catch (SAML2MetaException e) {
debug.warning("SAMLv2ModelImpl.setIDPStdAttributeValues:", e);
String strError = getErrorString(e);
String[] paramsEx = { realm, entityName, "SAMLv2", "IDP-Standard", strError };
logEvent("FEDERATION_EXCEPTION_MODIFY_ENTITY_DESCRIPTOR", paramsEx);
throw new AMConsoleException(strError);
} catch (JAXBException e) {
debug.warning("SAMLv2ModelImpl.setIDPStdAttributeValues:", e);
String strError = getErrorString(e);
String[] paramsEx = { realm, entityName, "SAMLv2", "IDP-Standard", strError };
logEvent("FEDERATION_EXCEPTION_MODIFY_ENTITY_DESCRIPTOR", paramsEx);
}
}
use of com.sun.identity.saml2.assertion.Attribute in project OpenAM by OpenRock.
the class SAMLv2ModelImpl method setStdAuthnAuthorityValues.
/**
* Saves the standard attribute values for Authn Authority.
*
* @param realm to which the entity belongs.
* @param entityName is the entity id.
* @param authnAuthValues Map which contains standard authn authority values.
* @throws AMConsoleException if saving of attribute value fails.
*/
public void setStdAuthnAuthorityValues(String realm, String entityName, Map authnAuthValues) throws AMConsoleException {
String[] params = { realm, entityName, "SAMLv2", "AuthnAuthority-Std" };
logEvent("ATTEMPT_MODIFY_AUTHN_AUTH_ATTR_VALUES", params);
com.sun.identity.saml2.jaxb.metadata.ObjectFactory objFact = new com.sun.identity.saml2.jaxb.metadata.ObjectFactory();
AuthnAuthorityDescriptorElement authnauthDescriptor = null;
try {
SAML2MetaManager samlManager = getSAML2MetaManager();
EntityDescriptorElement entityDescriptor = samlManager.getEntityDescriptor(realm, entityName);
authnauthDescriptor = samlManager.getAuthnAuthorityDescriptor(realm, entityName);
if (authnauthDescriptor != null) {
String queryService = getResult(authnAuthValues, AUTHN_QUERY_SERVICE);
//save query service
List authQueryServiceList = authnauthDescriptor.getAuthnQueryService();
if (!authQueryServiceList.isEmpty()) {
authnauthDescriptor.getAuthnQueryService().clear();
}
AuthnQueryServiceElement key = objFact.createAuthnQueryServiceElement();
key.setBinding(soapBinding);
key.setLocation(queryService);
authnauthDescriptor.getAuthnQueryService().add(key);
//save assertion ID request
String soapLocation = getResult(authnAuthValues, ASSERTION_ID_SAOP_LOC);
String uriLocation = getResult(authnAuthValues, ASSERTION_ID_URI_LOC);
List assertionIDReqList = authnauthDescriptor.getAssertionIDRequestService();
if (!assertionIDReqList.isEmpty()) {
assertionIDReqList.clear();
}
AssertionIDRequestServiceElement elem1 = objFact.createAssertionIDRequestServiceElement();
elem1.setBinding(soapBinding);
AssertionIDRequestServiceElement elem2 = objFact.createAssertionIDRequestServiceElement();
elem2.setBinding(uriBinding);
if (soapLocation != null) {
elem1.setLocation(soapLocation);
}
if (uriLocation != null) {
elem2.setLocation(uriLocation);
}
authnauthDescriptor.getAssertionIDRequestService().add(elem1);
authnauthDescriptor.getAssertionIDRequestService().add(elem2);
samlManager.setEntityDescriptor(realm, entityDescriptor);
}
logEvent("SUCCEED_MODIFY_AUTHN_AUTH_ATTR_VALUES", params);
} catch (SAML2MetaException e) {
debug.warning("SAMLv2ModelImpl.setStdAuthnAuthorityValues:", e);
String strError = getErrorString(e);
String[] paramsEx = { realm, entityName, "SAMLv2", "AuthnAuthority-Std", strError };
logEvent("FEDERATION_EXCEPTION_MODIFY_AUTHN_AUTH_ATTR_VALUES", paramsEx);
throw new AMConsoleException(strError);
} catch (JAXBException e) {
debug.warning("SAMLv2ModelImpl.setStdAttributeAuthorityValues:", e);
String strError = getErrorString(e);
String[] paramsEx = { realm, entityName, "SAMLv2", "AttribAuthority-Std", strError };
logEvent("FEDERATION_EXCEPTION_MODIFY_AUTHN_AUTH_ATTR_VALUES", paramsEx);
}
}
use of com.sun.identity.saml2.assertion.Attribute in project OpenAM by OpenRock.
the class SAMLv2ModelImpl method setSPExtAttributeValues.
/**
* Saves the extended attribute values for the Service Provider.
*
* @param realm to which the entity belongs.
* @param entityName is the entity id.
* @param spExtValues Map which contains the standard attribute values.
* @param location has the information whether remote or hosted.
* @throws AMConsoleException if saving of attribute value fails.
*/
public void setSPExtAttributeValues(String realm, String entityName, Map spExtValues, String location) throws AMConsoleException {
String[] params = { realm, entityName, "SAMLv2", "SP-Extended" };
logEvent("ATTEMPT_MODIFY_ENTITY_DESCRIPTOR", params);
String role = EntityModel.SERVICE_PROVIDER;
try {
SAML2MetaManager samlManager = getSAML2MetaManager();
//entityConfig is the extended entity configuration object
EntityConfigElement entityConfig = samlManager.getEntityConfig(realm, entityName);
//for remote cases
if (entityConfig == null) {
createExtendedObject(realm, entityName, location, role);
entityConfig = samlManager.getEntityConfig(realm, entityName);
}
SPSSOConfigElement spssoConfig = samlManager.getSPSSOConfig(realm, entityName);
if (spssoConfig != null) {
updateBaseConfig(spssoConfig, spExtValues, role);
}
//saves the attributes by passing the new entityConfig object
samlManager.setEntityConfig(realm, entityConfig);
logEvent("SUCCEED_MODIFY_ENTITY_DESCRIPTOR", params);
} catch (SAML2MetaException e) {
debug.error("SAMLv2ModelImpl.setSPExtAttributeValues:", e);
String strError = getErrorString(e);
String[] paramsEx = { realm, entityName, "SAMLv2", "SP Ext", strError };
logEvent("FEDERATION_EXCEPTION_MODIFY_ENTITY_DESCRIPTOR", paramsEx);
} catch (JAXBException e) {
debug.error("SAMLv2ModelImpl.setSPExtAttributeValues:", e);
String strError = getErrorString(e);
String[] paramsEx = { realm, entityName, "SAMLv2", "SP Ext", strError };
logEvent("FEDERATION_EXCEPTION_MODIFY_ENTITY_DESCRIPTOR", paramsEx);
} catch (AMConsoleException e) {
debug.error("SAMLv2ModelImpl.setSPExtAttributeValues:", e);
String strError = getErrorString(e);
String[] paramsEx = { realm, entityName, "SAMLv2", "SP Ext", strError };
logEvent("FEDERATION_EXCEPTION_MODIFY_ENTITY_DESCRIPTOR", paramsEx);
}
}
use of com.sun.identity.saml2.assertion.Attribute in project OpenAM by OpenRock.
the class SAMLv2ModelImpl method updateKeyinfo.
/**
* Saves the signing and encryption values for the entity.
*
* @param realm to which the entity belongs.
* @param entityName is the entity id.
* @param extValues Map which contains the extended attribute values.
* @param stdValues Map which contains the standard attribute values.
* @param isIDP has information whether entity is an idp or sp.
* @throws AMConsoleException if saving of attribute value fails.
*/
public void updateKeyinfo(String realm, String entityName, Map<String, Set<String>> extValues, Map<String, Set<String>> stdValues, boolean isIDP) throws AMConsoleException {
String keysize = getResult(stdValues, TF_KEY_NAME);
String algorithm = getResult(stdValues, TF_ALGORITHM);
Set<String> signingCertAliases;
Set<String> encryptionCertAliases;
if (isIDP) {
encryptionCertAliases = extValues.get(IDP_ENCRYPT_CERT_ALIAS);
signingCertAliases = extValues.get(IDP_SIGN_CERT_ALIAS);
} else {
encryptionCertAliases = extValues.get(SP_ENCRYPT_CERT_ALIAS);
signingCertAliases = extValues.get(SP_SIGN_CERT_ALIAS);
}
int keysi = !StringUtils.isEmpty(keysize) ? Integer.parseInt(keysize) : 128;
String alg = StringUtils.isEmpty(algorithm) ? XMLCipher.AES_128 : algorithm;
try {
SAML2MetaSecurityUtils.updateProviderKeyInfo(realm, entityName, signingCertAliases, true, isIDP, alg, keysi);
SAML2MetaSecurityUtils.updateProviderKeyInfo(realm, entityName, encryptionCertAliases, false, isIDP, alg, keysi);
} catch (SAML2MetaException e) {
debug.warning("SAMLv2ModelImpl.updateKeyinfo:", e);
throw new AMConsoleException(getErrorString(e));
}
}
Aggregations