Example 11 with AttributeStatement
use of com.sun.identity.saml2.assertion.AttributeStatement in project OpenAM by OpenRock.
the class AttributeQueryUtil method getAssertion.
private static Assertion getAssertion(AttributeQuery attrQuery, String attrAuthorityEntityID, String requesterEntityID, String realm, String attrQueryProfileAlias, List attributes) throws SAML2Exception {
AssertionFactory assertionFactory = AssertionFactory.getInstance();
Assertion assertion = assertionFactory.createAssertion();
assertion.setID(SAML2Utils.generateID());
assertion.setVersion(SAML2Constants.VERSION_2_0);
assertion.setIssueInstant(new Date());
Issuer issuer = assertionFactory.createIssuer();
issuer.setValue(attrAuthorityEntityID);
assertion.setIssuer(issuer);
Subject subjectQ = attrQuery.getSubject();
Subject subject = assertionFactory.createSubject();
subject.setEncryptedID(subjectQ.getEncryptedID());
subject.setNameID(subjectQ.getNameID());
subject.setBaseID(subjectQ.getBaseID());
subject.setSubjectConfirmation(subjectQ.getSubjectConfirmation());
assertion.setSubject(subject);
if ((attributes != null) && (!attributes.isEmpty())) {
AttributeStatement attrStatement = assertionFactory.createAttributeStatement();
attrStatement.setAttribute(attributes);
List attrStatementList = new ArrayList();
attrStatementList.add(attrStatement);
assertion.setAttributeStatements(attrStatementList);
}
int effectiveTime = IDPSSOUtil.getEffectiveTime(realm, attrAuthorityEntityID);
int notBeforeSkewTime = IDPSSOUtil.getNotBeforeSkewTime(realm, attrAuthorityEntityID);
Conditions conditions = IDPSSOUtil.getConditions(requesterEntityID, notBeforeSkewTime, effectiveTime);
assertion.setConditions(conditions);
return assertion;
}
Also used :
AssertionFactory(com.sun.identity.saml2.assertion.AssertionFactory)
Issuer(com.sun.identity.saml2.assertion.Issuer)
AttributeStatement(com.sun.identity.saml2.assertion.AttributeStatement)
EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion)
Assertion(com.sun.identity.saml2.assertion.Assertion)
ArrayList(java.util.ArrayList)
List(java.util.List)
ArrayList(java.util.ArrayList)
Date(java.util.Date)
Subject(com.sun.identity.saml2.assertion.Subject)
Conditions(com.sun.identity.saml2.assertion.Conditions)
Example 12 with AttributeStatement
use of com.sun.identity.saml2.assertion.AttributeStatement in project OpenAM by OpenRock.
the class AttributeQueryUtil method getAttributesForFedlet.
/**
* Sends the AttributeQuery to specified attribute authority,
* validates the response and returns the attribute map
* <code>Map<String, Set<String>></code> to the Fedlet
*
* @param spEntityID SP entity ID
* @param idpEntityID IDP entity ID
* @param nameIDValue NameID value
* @param attrsList The list of attributes whose values need to be
* fetched from IDP
* @param attrQueryProfileAlias Attribute Query Profile Alias
* @param subjectDN Attribute name which contains X.509 subject DN
*
* @return the <code>Map</code> object
* @exception SAML2Exception if the operation is not successful
*
* @supported.api
*/
public static Map<String, Set<String>> getAttributesForFedlet(String spEntityID, String idpEntityID, String nameIDValue, List<String> attrsList, String attrQueryProfileAlias, String subjectDN) throws SAML2Exception {
final String classMethod = "AttributeQueryUtil.getAttributesForFedlet: ";
AttributeQueryConfigElement attrQueryConfig = metaManager.getAttributeQueryConfig("/", spEntityID);
if (attrQueryConfig == null) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "Attribute Query Config is null");
}
return null;
}
String attrqMetaAlias = attrQueryConfig.getMetaAlias();
if (attrqMetaAlias == null) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "Attribute Query MetaAlias is null");
}
return null;
}
boolean wantNameIDEncrypted = SAML2Utils.getWantNameIDEncrypted("/", spEntityID, SAML2Constants.ATTR_QUERY_ROLE);
AttributeQuery attrQuery = constructAttrQueryForFedlet(spEntityID, idpEntityID, nameIDValue, attrsList, attrqMetaAlias, attrQueryProfileAlias, subjectDN, wantNameIDEncrypted);
String attrQueryProfile = null;
if (attrQueryProfileAlias.equals(SAML2Constants.DEFAULT_ATTR_QUERY_PROFILE_ALIAS)) {
attrQueryProfile = SAML2Constants.DEFAULT_ATTR_QUERY_PROFILE;
} else if (attrQueryProfileAlias.equals(SAML2Constants.X509_SUBJECT_ATTR_QUERY_PROFILE_ALIAS)) {
attrQueryProfile = SAML2Constants.X509_SUBJECT_ATTR_QUERY_PROFILE;
}
Response samlResp = sendAttributeQuery(attrQuery, idpEntityID, "/", attrQueryProfile, SAML2Constants.BASIC_ATTRIBUTE_PROFILE, SAML2Constants.SOAP);
// Validate the response
boolean validResp = validateSAMLResponseForFedlet(samlResp, spEntityID, wantNameIDEncrypted);
Map<String, Set<String>> attrMap = new HashMap<String, Set<String>>();
if (validResp) {
// Return back the AttributeMap
if (samlResp != null) {
List<Object> assertions;
if (wantNameIDEncrypted) {
assertions = samlResp.getEncryptedAssertion();
} else {
assertions = samlResp.getAssertion();
}
for (Object currentAssertion : assertions) {
Assertion assertion;
if (wantNameIDEncrypted) {
assertion = getDecryptedAssertion((EncryptedAssertion) currentAssertion, spEntityID);
} else {
assertion = (Assertion) currentAssertion;
}
if (assertion != null) {
List<AttributeStatement> statements = assertion.getAttributeStatements();
if (statements != null && statements.size() > 0) {
for (AttributeStatement statement : statements) {
List<Attribute> attributes = statement.getAttribute();
attrMap.putAll(mapAttributes("/", spEntityID, idpEntityID, nameIDValue, attributes));
}
} else {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "Empty Statement present in SAML response");
}
}
} else {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "Empty Assertion present in SAML response");
}
}
}
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "attributes received from Attribute Query: " + attrMap);
}
}
} else {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "Invalid response obtained from Attribute Authority");
}
}
// Return the attribute map and to the fedlet
return attrMap;
}
Also used :
Set(java.util.Set)
HashSet(java.util.HashSet)
HashMap(java.util.HashMap)
Attribute(com.sun.identity.saml2.assertion.Attribute)
EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion)
Assertion(com.sun.identity.saml2.assertion.Assertion)
AttributeQueryConfigElement(com.sun.identity.saml2.jaxb.entityconfig.AttributeQueryConfigElement)
Response(com.sun.identity.saml2.protocol.Response)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
AttributeQuery(com.sun.identity.saml2.protocol.AttributeQuery)
EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion)
AttributeStatement(com.sun.identity.saml2.assertion.AttributeStatement)
Example 13 with AttributeStatement
use of com.sun.identity.saml2.assertion.AttributeStatement in project OpenAM by OpenRock.
the class Saml2GrantTypeHandler method validAssertion.
private boolean validAssertion(Assertion assertion, String deploymentURL) throws SAML2Exception {
//must contain issuer
final Issuer issuer = assertion.getIssuer();
if (issuer == null) {
logger.error("Issuer does not exist");
return false;
}
/**
* The Assertion MUST contain <Conditions> element with an
* <AudienceRestriction> element with an <Audience> element
* containing a URI reference that identifies the authorization
* server, or the service provider SAML entity of its controlling
* domain, as an intended audience. The token endpoint URL of the
* authorization server MAY be used as an acceptable value for an
* <Audience> element. The authorization server MUST verify that it
* is an intended audience for the Assertion.
*
*/
final Conditions conditions = assertion.getConditions();
if (conditions == null) {
logger.error("Saml2BearerServerResource.validAssertion(): Conditions does not exist");
return false;
}
final List<AudienceRestriction> audienceRestriction = conditions.getAudienceRestrictions();
if (audienceRestriction == null || audienceRestriction.isEmpty()) {
logger.error("Saml2BearerServerResource.validAssertion(): Audience Restriction does not exist");
return false;
}
boolean found = false;
logger.trace("Saml2BearerServerResource.validAssertion(): URL of authorization server: " + deploymentURL);
for (final AudienceRestriction restriction : audienceRestriction) {
final List<String> audiences = restriction.getAudience();
if (audiences == null || audiences.isEmpty()) {
continue;
}
for (final String audience : audiences) {
String deployURL = deploymentURL;
String aud = audience;
//check for the url with and without trailing /
if (deployURL.endsWith("/")) {
deployURL = deploymentURL.substring(0, deployURL.length() - 1);
}
if (aud.endsWith("/")) {
aud = aud.substring(0, aud.length() - 1);
}
if (aud.equalsIgnoreCase(deployURL)) {
found = true;
}
}
}
if (found == false) {
logger.error("Didn't find the oauth2 provider in audience restrictions");
return false;
}
/**
* The Assertion MUST contain a <Subject> element. The subject MAY
* identify the resource owner for whom the access token is being
* requested. For client authentication, the Subject MUST be the
* "client_id" of the OAuth client. When using an Assertion as an
* authorization grant, the Subject SHOULD identify an authorized
* accessor for whom the access token is being requested (typically
* the resource owner, or an authorized delegate). Additional
* information identifying the subject/principal of the transaction
* MAY be included in an <AttributeStatement>.
*/
final Subject subject = assertion.getSubject();
if (subject == null) {
logger.error("Subject does not exist");
return false;
}
final String resourceOwner = subject.getNameID().getValue();
/**
* The Assertion MUST have an expiry that limits the time window
* during which it can be used. The expiry can be expressed either
* as the NotOnOrAfter attribute of the <Conditions> element or as
* the NotOnOrAfter attribute of a suitable <SubjectConfirmationData>
* element.
*/
/**
* The <Subject> element MUST contain at least one
* <SubjectConfirmation> element that allows the authorization server
* to confirm it as a Bearer Assertion. Such a <SubjectConfirmation>
* element MUST have a Method attribute with a value of
* "urn:oasis:names:tc:SAML:2.0:cm:bearer". The
* <SubjectConfirmation> element MUST contain a
* <SubjectConfirmationData> element, unless the Assertion has a
* suitable NotOnOrAfter attribute on the <Conditions> element, in
* which case the <SubjectConfirmationData> element MAY be omitted.
* When present, the <SubjectConfirmationData> element MUST have a
* Recipient attribute with a value indicating the token endpoint URL
* of the authorization server (or an acceptable alias). The
* authorization server MUST verify that the value of the Recipient
* attribute matches the token endpoint URL (or an acceptable alias)
* to which the Assertion was delivered. The
* <SubjectConfirmationData> element MUST have a NotOnOrAfter
* attribute that limits the window during which the Assertion can be
* confirmed. The <SubjectConfirmationData> element MAY also contain
* an Address attribute limiting the client address from which the
* Assertion can be delivered. Verification of the Address is at the
* discretion of the authorization server.
*/
final List<SubjectConfirmation> subjectConfirmations = subject.getSubjectConfirmation();
found = false;
if (subjectConfirmations == null || subjectConfirmations.isEmpty()) {
logger.error("Subject Confirmations does not exist");
return false;
}
//if conditions is expired assertion is expired
if (!assertion.isTimeValid()) {
logger.error("Assertion expired");
return false;
} else {
found = true;
}
for (final SubjectConfirmation subjectConfirmation : subjectConfirmations) {
if (subjectConfirmation.getMethod() == null) {
continue;
}
if (subjectConfirmation.getMethod().equalsIgnoreCase(OAuth2Constants.SAML20.SUBJECT_CONFIRMATION_METHOD)) {
final SubjectConfirmationData subjectConfirmationData = subjectConfirmation.getSubjectConfirmationData();
if (subjectConfirmationData == null) {
continue;
} else if (subjectConfirmationData.getNotOnOrAfter().before(new Date()) && subjectConfirmationData.getRecipient().equalsIgnoreCase(deploymentURL)) {
found = true;
}
//TODO check Client Address
}
}
if (!found) {
logger.error("Assertion expired or subject expired");
return false;
}
if (!assertion.isSigned()) {
logger.error("Assertion must be signed");
return false;
}
if (!SAMLUtils.checkSignatureValid(assertion.toXMLString(), "ID", issuer.getValue())) {
logger.error("Assertion signature verification failed");
return false;
}
return true;
}
Also used :
AudienceRestriction(com.sun.identity.saml2.assertion.AudienceRestriction)
SubjectConfirmation(com.sun.identity.saml2.assertion.SubjectConfirmation)
Issuer(com.sun.identity.saml2.assertion.Issuer)
SubjectConfirmationData(com.sun.identity.saml2.assertion.SubjectConfirmationData)
Conditions(com.sun.identity.saml2.assertion.Conditions)
Subject(com.sun.identity.saml2.assertion.Subject)
Date(java.util.Date)
Example 14 with AttributeStatement
use of com.sun.identity.saml2.assertion.AttributeStatement in project OpenAM by OpenRock.
the class AssertionImpl method toXMLString.
/**
* Returns a String representation
* @param includeNSPrefix Determines whether or not the namespace
* qualifier is prepended to the Element when converted
* @param declareNS Determines whether or not the namespace is declared
* within the Element.
* @return A String representation
* @exception SAML2Exception if something is wrong during conversion
*/
@Override
public String toXMLString(boolean includeNSPrefix, boolean declareNS) throws SAML2Exception {
if ((signature != null) && (signedXMLString != null)) {
return signedXMLString;
}
StringBuffer sb = new StringBuffer(2000);
String NS = "";
String appendNS = "";
if (declareNS) {
NS = SAML2Constants.ASSERTION_DECLARE_STR;
}
if (includeNSPrefix) {
appendNS = SAML2Constants.ASSERTION_PREFIX;
}
sb.append("<").append(appendNS).append(ASSERTION_ELEMENT).append(NS);
if ((version == null) || (version.length() == 0)) {
SAML2SDKUtils.debug.error("AssertionImpl.toXMLString(): version missing");
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("missing_assertion_version"));
}
sb.append(" ").append(ASSERTION_VERSION_ATTR).append("=\"").append(version).append("\"");
if ((id == null) || (id.length() == 0)) {
SAML2SDKUtils.debug.error("AssertionImpl.toXMLString(): assertion id missing");
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("missing_assertion_id"));
}
sb.append(" ").append(ASSERTION_ID_ATTR).append("=\"").append(id).append("\"");
if (issueInstant == null) {
SAML2SDKUtils.debug.error("AssertionImpl.toXMLString(): issue instant missing");
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("missing_issue_instant"));
}
String instantStr = DateUtils.toUTCDateFormat(issueInstant);
sb.append(" ").append(ASSERTION_ISSUEINSTANT_ATTR).append("=\"").append(instantStr).append("\"").append(">\n");
if (issuer == null) {
SAML2SDKUtils.debug.error("AssertionImpl.toXMLString(): issuer missing");
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("missing_subelement_issuer"));
}
sb.append(issuer.toXMLString(includeNSPrefix, false));
if (signature != null) {
sb.append(signature);
}
if (subject != null) {
sb.append(subject.toXMLString(includeNSPrefix, false));
}
if (conditions != null) {
sb.append(conditions.toXMLString(includeNSPrefix, false));
}
if (advice != null) {
sb.append(advice.toXMLString(includeNSPrefix, false));
}
int length = 0;
if (statements != null) {
length = statements.size();
for (int i = 0; i < length; i++) {
String str = (String) statements.get(i);
sb.append(str);
}
}
if (authnStatements != null) {
length = authnStatements.size();
for (int i = 0; i < length; i++) {
AuthnStatement st = (AuthnStatement) authnStatements.get(i);
sb.append(st.toXMLString(includeNSPrefix, false));
}
}
if (authzDecisionStatements != null) {
length = authzDecisionStatements.size();
for (int i = 0; i < length; i++) {
AuthzDecisionStatement st = (AuthzDecisionStatement) authzDecisionStatements.get(i);
sb.append(st.toXMLString(includeNSPrefix, false));
}
}
if (attributeStatements != null) {
length = attributeStatements.size();
for (int i = 0; i < length; i++) {
AttributeStatement st = (AttributeStatement) attributeStatements.get(i);
sb.append(st.toXMLString(includeNSPrefix, false));
}
}
sb.append("</").append(appendNS).append(ASSERTION_ELEMENT).append(">\n");
//return SAML2Utils.removeNewLineChars(sb.toString());
return sb.toString();
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
AttributeStatement(com.sun.identity.saml2.assertion.AttributeStatement)
AuthzDecisionStatement(com.sun.identity.saml2.assertion.AuthzDecisionStatement)
AuthnStatement(com.sun.identity.saml2.assertion.AuthnStatement)
Example 15 with AttributeStatement
use of com.sun.identity.saml2.assertion.AttributeStatement in project OpenAM by OpenRock.
the class IDPSSOUtil method getAttributeStatement.
/**
* Returns a <code>SAML AttributeStatement</code> object
*
* @param session the user's session
* @param idpEntityID the entity id of the identity provider
* @param recipientEntityID the entity id of the response recipient
* @param realm the realm name
* @return the <code>SAML AttributeStatement</code> object
* @throws SAML2Exception if the operation is not successful
*/
private static AttributeStatement getAttributeStatement(Object session, String idpEntityID, String recipientEntityID, String realm) throws SAML2Exception {
IDPAttributeMapper idpAttrMapper = getIDPAttributeMapper(realm, idpEntityID);
List attributes = idpAttrMapper.getAttributes(session, idpEntityID, recipientEntityID, realm);
if ((attributes == null) || (attributes.isEmpty())) {
return null;
}
AttributeStatement attrStatement = AssertionFactory.getInstance().createAttributeStatement();
attrStatement.setAttribute(attributes);
return attrStatement;
}
Also used :
IDPAttributeMapper(com.sun.identity.saml2.plugins.IDPAttributeMapper)
AttributeStatement(com.sun.identity.saml2.assertion.AttributeStatement)
List(java.util.List)
ArrayList(java.util.ArrayList)
Aggregations
AttributeStatement (com.sun.identity.saml2.assertion.AttributeStatement)12
Attribute (com.sun.identity.saml2.assertion.Attribute)8
SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)8
ArrayList (java.util.ArrayList)8
EncryptedAttribute (com.sun.identity.saml2.assertion.EncryptedAttribute)5
Assertion (com.sun.identity.saml2.assertion.Assertion)4
EncryptedAssertion (com.sun.identity.saml2.assertion.EncryptedAssertion)4
Subject (com.sun.identity.saml2.assertion.Subject)4
List (java.util.List)4
AuthnStatement (com.sun.identity.saml2.assertion.AuthnStatement)3
Conditions (com.sun.identity.saml2.assertion.Conditions)3
Issuer (com.sun.identity.saml2.assertion.Issuer)3
Date (java.util.Date)3
HashSet (java.util.HashSet)3
AuthzDecisionStatement (com.sun.identity.saml2.assertion.AuthzDecisionStatement)2
HashMap (java.util.HashMap)2
Set (java.util.Set)2
TokenCreationException (org.forgerock.openam.sts.TokenCreationException)2
DataStoreProviderException (com.sun.identity.plugin.datastore.DataStoreProviderException)1
SessionException (com.sun.identity.plugin.session.SessionException)1
