Example 11 with Conditions
use of com.sun.identity.saml2.assertion.Conditions in project OpenAM by OpenRock.
the class SAML2Utils method checkAudience.
private static void checkAudience(final Conditions conds, final String hostEntityId, final String assertionID) throws SAML2Exception {
final String method = "SAML2Utils.checkAudience:";
if (conds == null) {
if (debug.messageEnabled()) {
debug.message(method + "Conditions is missing from Assertion.");
}
String[] data = { assertionID };
LogUtil.error(Level.INFO, LogUtil.MISSING_CONDITIONS, data, null);
throw new SAML2Exception(bundle.getString("missingConditions"));
}
List restrictions = conds.getAudienceRestrictions();
if (restrictions == null) {
if (debug.messageEnabled()) {
debug.message(method + "missing AudienceRestriction.");
}
String[] data = { assertionID };
LogUtil.error(Level.INFO, LogUtil.MISSING_AUDIENCE_RESTRICTION, data, null);
throw new SAML2Exception(bundle.getString("missingAudienceRestriction"));
}
Iterator restIter = restrictions.iterator();
boolean found = false;
while (restIter.hasNext()) {
List audienceList = ((AudienceRestriction) restIter.next()).getAudience();
if (audienceList.contains(hostEntityId)) {
found = true;
break;
}
}
if (!found) {
if (debug.messageEnabled()) {
debug.message(method + "This SP is not the intended audience.");
}
String[] data = { assertionID };
LogUtil.error(Level.INFO, LogUtil.WRONG_AUDIENCE, data, null);
throw new SAML2Exception(bundle.getString("audienceNotMatch"));
}
}
Also used :
AudienceRestriction(com.sun.identity.saml2.assertion.AudienceRestriction)
Iterator(java.util.Iterator)
ArrayList(java.util.ArrayList)
List(java.util.List)
Example 12 with Conditions
use of com.sun.identity.saml2.assertion.Conditions in project OpenAM by OpenRock.
the class AttributeQueryUtil method getAssertion.
private static Assertion getAssertion(AttributeQuery attrQuery, String attrAuthorityEntityID, String requesterEntityID, String realm, String attrQueryProfileAlias, List attributes) throws SAML2Exception {
AssertionFactory assertionFactory = AssertionFactory.getInstance();
Assertion assertion = assertionFactory.createAssertion();
assertion.setID(SAML2Utils.generateID());
assertion.setVersion(SAML2Constants.VERSION_2_0);
assertion.setIssueInstant(new Date());
Issuer issuer = assertionFactory.createIssuer();
issuer.setValue(attrAuthorityEntityID);
assertion.setIssuer(issuer);
Subject subjectQ = attrQuery.getSubject();
Subject subject = assertionFactory.createSubject();
subject.setEncryptedID(subjectQ.getEncryptedID());
subject.setNameID(subjectQ.getNameID());
subject.setBaseID(subjectQ.getBaseID());
subject.setSubjectConfirmation(subjectQ.getSubjectConfirmation());
assertion.setSubject(subject);
if ((attributes != null) && (!attributes.isEmpty())) {
AttributeStatement attrStatement = assertionFactory.createAttributeStatement();
attrStatement.setAttribute(attributes);
List attrStatementList = new ArrayList();
attrStatementList.add(attrStatement);
assertion.setAttributeStatements(attrStatementList);
}
int effectiveTime = IDPSSOUtil.getEffectiveTime(realm, attrAuthorityEntityID);
int notBeforeSkewTime = IDPSSOUtil.getNotBeforeSkewTime(realm, attrAuthorityEntityID);
Conditions conditions = IDPSSOUtil.getConditions(requesterEntityID, notBeforeSkewTime, effectiveTime);
assertion.setConditions(conditions);
return assertion;
}
Also used :
AssertionFactory(com.sun.identity.saml2.assertion.AssertionFactory)
Issuer(com.sun.identity.saml2.assertion.Issuer)
AttributeStatement(com.sun.identity.saml2.assertion.AttributeStatement)
EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion)
Assertion(com.sun.identity.saml2.assertion.Assertion)
ArrayList(java.util.ArrayList)
List(java.util.List)
ArrayList(java.util.ArrayList)
Date(java.util.Date)
Subject(com.sun.identity.saml2.assertion.Subject)
Conditions(com.sun.identity.saml2.assertion.Conditions)
Example 13 with Conditions
use of com.sun.identity.saml2.assertion.Conditions in project OpenAM by OpenRock.
the class AttributeQueryUtil method validateSAMLResponseForFedlet.
/**
* Validates the SAML response obtained from Attribute Authortity
*
* @param samlResp saml response
*
* @exception SAML2Exception if the operation is not successful
*
* @supported.api
*/
private static boolean validateSAMLResponseForFedlet(Response samlResp, String spEntityID, boolean wantNameIDEncrypted) throws SAML2Exception {
boolean resp = true;
if (samlResp != null && samlResp.isSigned()) {
List assertions = null;
if (wantNameIDEncrypted) {
assertions = samlResp.getEncryptedAssertion();
} else {
assertions = samlResp.getAssertion();
}
if (assertions == null) {
return false;
}
for (Iterator asserIter = assertions.iterator(); asserIter.hasNext(); ) {
Assertion assertion = null;
if (wantNameIDEncrypted) {
assertion = getDecryptedAssertion((EncryptedAssertion) asserIter.next(), spEntityID);
} else {
assertion = (Assertion) asserIter.next();
}
if (assertion != null) {
Conditions conditions = assertion.getConditions();
if (conditions != null) {
List audienceRes = conditions.getAudienceRestrictions();
if (audienceRes.size() > 1) {
resp = false;
break;
}
}
List statements = assertion.getAttributeStatements();
if (statements.size() > 1) {
resp = false;
break;
}
}
}
} else {
resp = false;
}
return resp;
}
Also used :
EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion)
Iterator(java.util.Iterator)
EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion)
Assertion(com.sun.identity.saml2.assertion.Assertion)
List(java.util.List)
ArrayList(java.util.ArrayList)
Conditions(com.sun.identity.saml2.assertion.Conditions)
Example 14 with Conditions
use of com.sun.identity.saml2.assertion.Conditions in project OpenAM by OpenRock.
the class AuthnRequestImpl method parseDOMElement.
/**
* Parses the Docuemnt Element for this object.
*
* @param element the Document Element of this object.
* @throws SAML2Exception if error parsing the Document Element.
*/
protected void parseDOMElement(Element element) throws SAML2Exception {
AssertionFactory assertionFactory = AssertionFactory.getInstance();
ProtocolFactory protoFactory = ProtocolFactory.getInstance();
requestId = element.getAttribute(SAML2Constants.ID);
validateID(requestId);
version = element.getAttribute(SAML2Constants.VERSION);
validateVersion(version);
String issueInstantStr = element.getAttribute(SAML2Constants.ISSUE_INSTANT);
validateIssueInstant(issueInstantStr);
destinationURI = element.getAttribute(SAML2Constants.DESTINATION);
consent = element.getAttribute(SAML2Constants.CONSENT);
NodeList nList = element.getChildNodes();
if ((nList != null) && (nList.getLength() > 0)) {
for (int i = 0; i < nList.getLength(); i++) {
Node childNode = nList.item(i);
String cName = childNode.getLocalName();
if (cName != null) {
if (cName.equals(SAML2Constants.ISSUER)) {
validateIssuer();
nameID = assertionFactory.createIssuer((Element) childNode);
} else if (cName.equals(SAML2Constants.SIGNATURE)) {
validateSignature();
signatureString = XMLUtils.print((Element) childNode);
isSigned = true;
} else if (cName.equals(SAML2Constants.EXTENSIONS)) {
validateExtensions();
extensions = protoFactory.createExtensions((Element) childNode);
} else if (cName.equals(SAML2Constants.SUBJECT)) {
validateSubject();
subject = assertionFactory.createSubject((Element) childNode);
} else if (cName.equals(SAML2Constants.NAMEIDPOLICY)) {
validateNameIDPolicy();
nameIDPolicy = protoFactory.createNameIDPolicy((Element) childNode);
} else if (cName.equals(SAML2Constants.CONDITIONS)) {
validateConditions();
conditions = assertionFactory.createConditions((Element) childNode);
} else if (cName.equals(SAML2Constants.REQ_AUTHN_CONTEXT)) {
validateReqAuthnContext();
reqAuthnContext = protoFactory.createRequestedAuthnContext((Element) childNode);
} else if (cName.equals(SAML2Constants.SCOPING)) {
validateScoping();
scoping = protoFactory.createScoping((Element) childNode);
}
}
}
}
// Get ForceAuthn Attribute
String forceAuthnAttr = element.getAttribute(SAML2Constants.FORCEAUTHN);
if ((forceAuthnAttr != null) && (forceAuthnAttr.length() > 0)) {
forceAuthn = SAML2SDKUtils.booleanValueOf(forceAuthnAttr);
}
String isPassiveAttr = element.getAttribute(SAML2Constants.ISPASSIVE);
if ((isPassiveAttr != null) && (isPassiveAttr.length() > 0)) {
isPassive = SAML2SDKUtils.booleanValueOf(isPassiveAttr);
}
protocolBinding = element.getAttribute(SAML2Constants.PROTOBINDING);
String index = element.getAttribute(SAML2Constants.ASSERTION_CONSUMER_SVC_INDEX);
if ((index != null) && (index.length() > 0)) {
assertionConsumerSvcIndex = new Integer(index);
validateAssertionConsumerServiceIndex(assertionConsumerSvcIndex);
}
assertionConsumerServiceURL = XMLUtils.unescapeSpecialCharacters(element.getAttribute(SAML2Constants.ASSERTION_CONSUMER_SVC_URL));
index = element.getAttribute(SAML2Constants.ATTR_CONSUMING_SVC_INDEX);
if ((index != null) && (index.length() > 0)) {
attrConsumingSvcIndex = new Integer(index);
validateAttributeConsumingServiceIndex(attrConsumingSvcIndex);
}
providerName = element.getAttribute(SAML2Constants.PROVIDER_NAME);
}
Also used :
ProtocolFactory(com.sun.identity.saml2.protocol.ProtocolFactory)
AssertionFactory(com.sun.identity.saml2.assertion.AssertionFactory)
NodeList(org.w3c.dom.NodeList)
Node(org.w3c.dom.Node)
Element(org.w3c.dom.Element)
Example 15 with Conditions
use of com.sun.identity.saml2.assertion.Conditions in project OpenAM by OpenRock.
the class Saml2GrantTypeHandler method validAssertion.
private boolean validAssertion(Assertion assertion, String deploymentURL) throws SAML2Exception {
//must contain issuer
final Issuer issuer = assertion.getIssuer();
if (issuer == null) {
logger.error("Issuer does not exist");
return false;
}
/**
* The Assertion MUST contain <Conditions> element with an
* <AudienceRestriction> element with an <Audience> element
* containing a URI reference that identifies the authorization
* server, or the service provider SAML entity of its controlling
* domain, as an intended audience. The token endpoint URL of the
* authorization server MAY be used as an acceptable value for an
* <Audience> element. The authorization server MUST verify that it
* is an intended audience for the Assertion.
*
*/
final Conditions conditions = assertion.getConditions();
if (conditions == null) {
logger.error("Saml2BearerServerResource.validAssertion(): Conditions does not exist");
return false;
}
final List<AudienceRestriction> audienceRestriction = conditions.getAudienceRestrictions();
if (audienceRestriction == null || audienceRestriction.isEmpty()) {
logger.error("Saml2BearerServerResource.validAssertion(): Audience Restriction does not exist");
return false;
}
boolean found = false;
logger.trace("Saml2BearerServerResource.validAssertion(): URL of authorization server: " + deploymentURL);
for (final AudienceRestriction restriction : audienceRestriction) {
final List<String> audiences = restriction.getAudience();
if (audiences == null || audiences.isEmpty()) {
continue;
}
for (final String audience : audiences) {
String deployURL = deploymentURL;
String aud = audience;
//check for the url with and without trailing /
if (deployURL.endsWith("/")) {
deployURL = deploymentURL.substring(0, deployURL.length() - 1);
}
if (aud.endsWith("/")) {
aud = aud.substring(0, aud.length() - 1);
}
if (aud.equalsIgnoreCase(deployURL)) {
found = true;
}
}
}
if (found == false) {
logger.error("Didn't find the oauth2 provider in audience restrictions");
return false;
}
/**
* The Assertion MUST contain a <Subject> element. The subject MAY
* identify the resource owner for whom the access token is being
* requested. For client authentication, the Subject MUST be the
* "client_id" of the OAuth client. When using an Assertion as an
* authorization grant, the Subject SHOULD identify an authorized
* accessor for whom the access token is being requested (typically
* the resource owner, or an authorized delegate). Additional
* information identifying the subject/principal of the transaction
* MAY be included in an <AttributeStatement>.
*/
final Subject subject = assertion.getSubject();
if (subject == null) {
logger.error("Subject does not exist");
return false;
}
final String resourceOwner = subject.getNameID().getValue();
/**
* The Assertion MUST have an expiry that limits the time window
* during which it can be used. The expiry can be expressed either
* as the NotOnOrAfter attribute of the <Conditions> element or as
* the NotOnOrAfter attribute of a suitable <SubjectConfirmationData>
* element.
*/
/**
* The <Subject> element MUST contain at least one
* <SubjectConfirmation> element that allows the authorization server
* to confirm it as a Bearer Assertion. Such a <SubjectConfirmation>
* element MUST have a Method attribute with a value of
* "urn:oasis:names:tc:SAML:2.0:cm:bearer". The
* <SubjectConfirmation> element MUST contain a
* <SubjectConfirmationData> element, unless the Assertion has a
* suitable NotOnOrAfter attribute on the <Conditions> element, in
* which case the <SubjectConfirmationData> element MAY be omitted.
* When present, the <SubjectConfirmationData> element MUST have a
* Recipient attribute with a value indicating the token endpoint URL
* of the authorization server (or an acceptable alias). The
* authorization server MUST verify that the value of the Recipient
* attribute matches the token endpoint URL (or an acceptable alias)
* to which the Assertion was delivered. The
* <SubjectConfirmationData> element MUST have a NotOnOrAfter
* attribute that limits the window during which the Assertion can be
* confirmed. The <SubjectConfirmationData> element MAY also contain
* an Address attribute limiting the client address from which the
* Assertion can be delivered. Verification of the Address is at the
* discretion of the authorization server.
*/
final List<SubjectConfirmation> subjectConfirmations = subject.getSubjectConfirmation();
found = false;
if (subjectConfirmations == null || subjectConfirmations.isEmpty()) {
logger.error("Subject Confirmations does not exist");
return false;
}
//if conditions is expired assertion is expired
if (!assertion.isTimeValid()) {
logger.error("Assertion expired");
return false;
} else {
found = true;
}
for (final SubjectConfirmation subjectConfirmation : subjectConfirmations) {
if (subjectConfirmation.getMethod() == null) {
continue;
}
if (subjectConfirmation.getMethod().equalsIgnoreCase(OAuth2Constants.SAML20.SUBJECT_CONFIRMATION_METHOD)) {
final SubjectConfirmationData subjectConfirmationData = subjectConfirmation.getSubjectConfirmationData();
if (subjectConfirmationData == null) {
continue;
} else if (subjectConfirmationData.getNotOnOrAfter().before(new Date()) && subjectConfirmationData.getRecipient().equalsIgnoreCase(deploymentURL)) {
found = true;
}
//TODO check Client Address
}
}
if (!found) {
logger.error("Assertion expired or subject expired");
return false;
}
if (!assertion.isSigned()) {
logger.error("Assertion must be signed");
return false;
}
if (!SAMLUtils.checkSignatureValid(assertion.toXMLString(), "ID", issuer.getValue())) {
logger.error("Assertion signature verification failed");
return false;
}
return true;
}
Also used :
AudienceRestriction(com.sun.identity.saml2.assertion.AudienceRestriction)
SubjectConfirmation(com.sun.identity.saml2.assertion.SubjectConfirmation)
Issuer(com.sun.identity.saml2.assertion.Issuer)
SubjectConfirmationData(com.sun.identity.saml2.assertion.SubjectConfirmationData)
Conditions(com.sun.identity.saml2.assertion.Conditions)
Subject(com.sun.identity.saml2.assertion.Subject)
Date(java.util.Date)
Aggregations
Conditions (com.sun.identity.saml2.assertion.Conditions)9
Date (java.util.Date)9
ArrayList (java.util.ArrayList)8
AudienceRestriction (com.sun.identity.saml2.assertion.AudienceRestriction)7
SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)7
List (java.util.List)7
Assertion (com.sun.identity.saml2.assertion.Assertion)4
AttributeStatement (com.sun.identity.saml2.assertion.AttributeStatement)4
EncryptedAssertion (com.sun.identity.saml2.assertion.EncryptedAssertion)4
AssertionFactory (com.sun.identity.saml2.assertion.AssertionFactory)3
AuthnStatement (com.sun.identity.saml2.assertion.AuthnStatement)3
Issuer (com.sun.identity.saml2.assertion.Issuer)3
Subject (com.sun.identity.saml2.assertion.Subject)3
AuthzDecisionStatement (com.sun.identity.saml2.assertion.AuthzDecisionStatement)2
Condition (com.sun.identity.saml2.assertion.Condition)2
OneTimeUse (com.sun.identity.saml2.assertion.OneTimeUse)2
ProxyRestriction (com.sun.identity.saml2.assertion.ProxyRestriction)2
Iterator (java.util.Iterator)2
Test (org.testng.annotations.Test)2
Element (org.w3c.dom.Element)2
