Search in sources :

Example 21 with Subject

use of com.sun.identity.saml2.assertion.Subject in project OpenAM by OpenRock.

the class AttributeQueryUtil method getAttributesForFedlet.

/**
     * Sends the AttributeQuery to specified attribute authority,
     * validates the response and returns the attribute map
     * <code>Map&lt;String, Set&lt;String&gt;&gt;</code> to the Fedlet
     *
     * @param spEntityID SP entity ID
     * @param idpEntityID IDP entity ID
     * @param nameIDValue  NameID value 
     * @param attrsList The list of attributes whose values need to be
     *                  fetched from IDP
     * @param attrQueryProfileAlias  Attribute Query Profile Alias
     * @param subjectDN  Attribute name which contains X.509 subject DN
     *
     * @return the <code>Map</code> object
     * @exception SAML2Exception if the operation is not successful
     *
     * @supported.api
     */
public static Map<String, Set<String>> getAttributesForFedlet(String spEntityID, String idpEntityID, String nameIDValue, List<String> attrsList, String attrQueryProfileAlias, String subjectDN) throws SAML2Exception {
    final String classMethod = "AttributeQueryUtil.getAttributesForFedlet: ";
    AttributeQueryConfigElement attrQueryConfig = metaManager.getAttributeQueryConfig("/", spEntityID);
    if (attrQueryConfig == null) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "Attribute Query Config is null");
        }
        return null;
    }
    String attrqMetaAlias = attrQueryConfig.getMetaAlias();
    if (attrqMetaAlias == null) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "Attribute Query MetaAlias is null");
        }
        return null;
    }
    boolean wantNameIDEncrypted = SAML2Utils.getWantNameIDEncrypted("/", spEntityID, SAML2Constants.ATTR_QUERY_ROLE);
    AttributeQuery attrQuery = constructAttrQueryForFedlet(spEntityID, idpEntityID, nameIDValue, attrsList, attrqMetaAlias, attrQueryProfileAlias, subjectDN, wantNameIDEncrypted);
    String attrQueryProfile = null;
    if (attrQueryProfileAlias.equals(SAML2Constants.DEFAULT_ATTR_QUERY_PROFILE_ALIAS)) {
        attrQueryProfile = SAML2Constants.DEFAULT_ATTR_QUERY_PROFILE;
    } else if (attrQueryProfileAlias.equals(SAML2Constants.X509_SUBJECT_ATTR_QUERY_PROFILE_ALIAS)) {
        attrQueryProfile = SAML2Constants.X509_SUBJECT_ATTR_QUERY_PROFILE;
    }
    Response samlResp = sendAttributeQuery(attrQuery, idpEntityID, "/", attrQueryProfile, SAML2Constants.BASIC_ATTRIBUTE_PROFILE, SAML2Constants.SOAP);
    // Validate the response
    boolean validResp = validateSAMLResponseForFedlet(samlResp, spEntityID, wantNameIDEncrypted);
    Map<String, Set<String>> attrMap = new HashMap<String, Set<String>>();
    if (validResp) {
        // Return back the AttributeMap
        if (samlResp != null) {
            List<Object> assertions;
            if (wantNameIDEncrypted) {
                assertions = samlResp.getEncryptedAssertion();
            } else {
                assertions = samlResp.getAssertion();
            }
            for (Object currentAssertion : assertions) {
                Assertion assertion;
                if (wantNameIDEncrypted) {
                    assertion = getDecryptedAssertion((EncryptedAssertion) currentAssertion, spEntityID);
                } else {
                    assertion = (Assertion) currentAssertion;
                }
                if (assertion != null) {
                    List<AttributeStatement> statements = assertion.getAttributeStatements();
                    if (statements != null && statements.size() > 0) {
                        for (AttributeStatement statement : statements) {
                            List<Attribute> attributes = statement.getAttribute();
                            attrMap.putAll(mapAttributes("/", spEntityID, idpEntityID, nameIDValue, attributes));
                        }
                    } else {
                        if (SAML2Utils.debug.messageEnabled()) {
                            SAML2Utils.debug.message(classMethod + "Empty Statement present in SAML response");
                        }
                    }
                } else {
                    if (SAML2Utils.debug.messageEnabled()) {
                        SAML2Utils.debug.message(classMethod + "Empty Assertion present in SAML response");
                    }
                }
            }
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "attributes received from Attribute Query: " + attrMap);
            }
        }
    } else {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "Invalid response obtained from Attribute Authority");
        }
    }
    // Return the attribute map and to the fedlet
    return attrMap;
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) HashMap(java.util.HashMap) Attribute(com.sun.identity.saml2.assertion.Attribute) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) Assertion(com.sun.identity.saml2.assertion.Assertion) AttributeQueryConfigElement(com.sun.identity.saml2.jaxb.entityconfig.AttributeQueryConfigElement) Response(com.sun.identity.saml2.protocol.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) AttributeQuery(com.sun.identity.saml2.protocol.AttributeQuery) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) AttributeStatement(com.sun.identity.saml2.assertion.AttributeStatement)

Example 22 with Subject

use of com.sun.identity.saml2.assertion.Subject in project OpenAM by OpenRock.

the class DiscoveryBootstrap method getResourceOffering.

/**
     * Gets the discovery bootstrap resource offering for the user.
     * @return Discovery Resource Offering String
     * @exception  SAML2Exception if there's any failure.
     */
private String getResourceOffering(String authnContextClassRef, Subject subject, String wscID, String realm) throws SAML2Exception {
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("DiscoveryBootstrap.getResourceOffering:Init");
    }
    DiscoEntryElement discoEntry = DiscoServiceManager.getBootstrappingDiscoEntry();
    if (discoEntry == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingUnivID"));
    }
    String[] values = null;
    try {
        values = SessionManager.getProvider().getProperty(session, Constants.UNIVERSAL_IDENTIFIER);
    } catch (SessionException se) {
        throw new SAML2Exception(se);
    }
    if ((values == null) || (values.length == 0)) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingDiscoOffering"));
    }
    String univID = values[0];
    try {
        ResourceOfferingType offering = discoEntry.getResourceOffering();
        ServiceInstanceType serviceInstance = offering.getServiceInstance();
        String providerID = serviceInstance.getProviderID();
        if (!DiscoServiceManager.useImpliedResource()) {
            ResourceIDMapper idMapper = DiscoServiceManager.getResourceIDMapper(providerID);
            if (idMapper == null) {
                idMapper = DiscoServiceManager.getDefaultResourceIDMapper();
            }
            ObjectFactory fac = new ObjectFactory();
            ResourceIDType resourceID = fac.createResourceIDType();
            String resourceIDValue = idMapper.getResourceID(providerID, univID);
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("DiscoveryBootstrap.getResourceOffering: " + "ResourceID Value:" + resourceIDValue);
            }
            resourceID.setValue(resourceIDValue);
            offering.setResourceID(resourceID);
        } else {
            ObjectFactory fac = new com.sun.identity.liberty.ws.disco.jaxb.ObjectFactory();
            ResourceIDType resourceID = fac.createResourceIDType();
            resourceID.setValue(DiscoConstants.IMPLIED_RESOURCE);
            offering.setResourceID(resourceID);
        }
        List discoEntryList = new ArrayList();
        discoEntryList.add(discoEntry);
        SessionSubject sessionSubject = null;
        if (DiscoServiceManager.encryptNIinSessionContext()) {
            IDPSSODescriptorElement idpSSODesc = SAML2Utils.getSAML2MetaManager().getIDPSSODescriptor(realm, providerID);
            EncInfo encInfo = KeyUtil.getEncInfo(idpSSODesc, wscID, SAML2Constants.IDP_ROLE);
            NameIdentifier ni = EncryptedNameIdentifier.getEncryptedNameIdentifier(convertSPNameID(subject.getNameID()), providerID, encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength());
            sessionSubject = new SessionSubject(ni, convertSC(subject.getSubjectConfirmation()), convertIDPNameID(subject.getNameID()));
        } else {
            sessionSubject = new SessionSubject(convertSPNameID(subject.getNameID()), convertSC(subject.getSubjectConfirmation()), convertIDPNameID(subject.getNameID()));
        }
        AuthnContext authnContext = new AuthnContext(authnContextClassRef, null);
        authnContext.setMinorVersion(IFSConstants.FF_12_PROTOCOL_MINOR_VERSION);
        SessionContext invocatorSession = new SessionContext(sessionSubject, authnContext, providerID);
        Map map = DiscoUtils.checkPolicyAndHandleDirectives(univID, null, discoEntryList, null, invocatorSession, wscID, session);
        List offerings = (List) map.get(DiscoUtils.OFFERINGS);
        if (offerings.isEmpty()) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("DiscoveryBootstrap.getResourceOffering:" + "no ResourceOffering");
            }
            throw new SAML2Exception(SAML2Utils.bundle.getString("missingDiscoOffering"));
        }
        ResourceOffering resourceOffering = (ResourceOffering) offerings.get(0);
        assertions = (List) map.get(DiscoUtils.CREDENTIALS);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("DiscoveryBootstrap.getResourceOffering: " + "Resource Offering:" + resourceOffering);
        }
        return resourceOffering.toString();
    } catch (Exception ex) {
        SAML2Utils.debug.error("DiscoveryBootstrap.getResourceOffering:" + "Exception while creating resource offering.", ex);
        throw new SAML2Exception(ex);
    }
}
Also used : ResourceOffering(com.sun.identity.liberty.ws.disco.ResourceOffering) SessionSubject(com.sun.identity.liberty.ws.security.SessionSubject) NameIdentifier(com.sun.identity.saml.assertion.NameIdentifier) IDPProvidedNameIdentifier(com.sun.identity.federation.message.common.IDPProvidedNameIdentifier) EncryptedNameIdentifier(com.sun.identity.federation.message.common.EncryptedNameIdentifier) ResourceOfferingType(com.sun.identity.liberty.ws.disco.jaxb.ResourceOfferingType) ArrayList(java.util.ArrayList) SessionException(com.sun.identity.plugin.session.SessionException) DiscoEntryElement(com.sun.identity.liberty.ws.disco.plugins.jaxb.DiscoEntryElement) SessionException(com.sun.identity.plugin.session.SessionException) SAMLException(com.sun.identity.saml.common.SAMLException) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) AuthnContext(com.sun.identity.federation.message.common.AuthnContext) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) EncInfo(com.sun.identity.saml2.key.EncInfo) ServiceInstanceType(com.sun.identity.liberty.ws.disco.jaxb.ServiceInstanceType) ResourceIDMapper(com.sun.identity.liberty.ws.interfaces.ResourceIDMapper) ObjectFactory(com.sun.identity.liberty.ws.disco.jaxb.ObjectFactory) SessionContext(com.sun.identity.liberty.ws.security.SessionContext) ArrayList(java.util.ArrayList) List(java.util.List) ResourceIDType(com.sun.identity.liberty.ws.disco.jaxb.ResourceIDType) Map(java.util.Map) IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)

Example 23 with Subject

use of com.sun.identity.saml2.assertion.Subject in project OpenAM by OpenRock.

the class SPACSUtils method getPrincipalWithoutLogin.

/**
     * Returns the username if there was one from the Assertion we were able to map into a local user account. Returns
     * null if not. Should only be used from the SP side. Should only be called in conjuncture with the Auth Module.
     * In addition, it performs what attribute federation it can.
     *
     * This method is a picked apart version of the "processResponse" function.
     */
public static String getPrincipalWithoutLogin(Subject assertionSubject, Assertion authnAssertion, String realm, String spEntityId, SAML2MetaManager metaManager, String idpEntityId, String storageKey) throws SAML2Exception {
    final EncryptedID encId = assertionSubject.getEncryptedID();
    final SPSSOConfigElement spssoconfig = metaManager.getSPSSOConfig(realm, spEntityId);
    final Set<PrivateKey> decryptionKeys = KeyUtil.getDecryptionKeys(spssoconfig);
    final SPAccountMapper acctMapper = SAML2Utils.getSPAccountMapper(realm, spEntityId);
    boolean needNameIDEncrypted = false;
    NameID nameId = assertionSubject.getNameID();
    String assertionEncryptedAttr = SAML2Utils.getAttributeValueFromSPSSOConfig(spssoconfig, SAML2Constants.WANT_ASSERTION_ENCRYPTED);
    if (assertionEncryptedAttr == null || !Boolean.parseBoolean(assertionEncryptedAttr)) {
        String idEncryptedStr = SAML2Utils.getAttributeValueFromSPSSOConfig(spssoconfig, SAML2Constants.WANT_NAMEID_ENCRYPTED);
        if (idEncryptedStr != null && Boolean.parseBoolean(idEncryptedStr)) {
            needNameIDEncrypted = true;
        }
    }
    if (needNameIDEncrypted && encId == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("nameIDNotEncrypted"));
    }
    if (encId != null) {
        nameId = encId.decrypt(decryptionKeys);
    }
    SPSSODescriptorElement spDesc = null;
    try {
        spDesc = metaManager.getSPSSODescriptor(realm, spEntityId);
    } catch (SAML2MetaException ex) {
        SAML2Utils.debug.error("Unable to read SPSSODescription", ex);
    }
    if (spDesc == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    final String nameIDFormat = nameId.getFormat();
    if (nameIDFormat != null) {
        List spNameIDFormatList = spDesc.getNameIDFormat();
        if (CollectionUtils.isNotEmpty(spNameIDFormatList) && !spNameIDFormatList.contains(nameIDFormat)) {
            Object[] args = { nameIDFormat };
            throw new SAML2Exception(SAML2Utils.BUNDLE_NAME, "unsupportedNameIDFormatSP", args);
        }
    }
    final boolean isTransient = SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(nameIDFormat);
    final boolean isPersistent = SAML2Constants.PERSISTENT.equals(nameIDFormat);
    final boolean ignoreProfile = SAML2PluginsUtils.isIgnoredProfile(realm);
    final boolean shouldPersistNameID = isPersistent || (!isTransient && !ignoreProfile && acctMapper.shouldPersistNameIDFormat(realm, spEntityId, idpEntityId, nameIDFormat));
    String userName = null;
    boolean isNewAccountLink = false;
    try {
        if (shouldPersistNameID) {
            try {
                userName = SAML2Utils.getDataStoreProvider().getUserID(realm, SAML2Utils.getNameIDKeyMap(nameId, spEntityId, idpEntityId, realm, SAML2Constants.SP_ROLE));
            } catch (DataStoreProviderException dse) {
                throw new SAML2Exception(dse.getMessage());
            }
        }
        //if we can't get an already linked account, see if we'll be generating a new one based on federated data
        if (userName == null) {
            userName = acctMapper.getIdentity(authnAssertion, spEntityId, realm);
            //we'll use this later to inform us
            isNewAccountLink = true;
        }
    } catch (SAML2Exception se) {
        return null;
    }
    //if we're new and we're persistent, store the federation data in the user pref
    if (isNewAccountLink && isPersistent) {
        try {
            writeFedData(nameId, spEntityId, realm, metaManager, idpEntityId, userName, storageKey);
        } catch (SAML2Exception se) {
            return userName;
        }
    }
    return userName;
}
Also used : DataStoreProviderException(com.sun.identity.plugin.datastore.DataStoreProviderException) PrivateKey(java.security.PrivateKey) NameID(com.sun.identity.saml2.assertion.NameID) SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) SPSSOConfigElement(com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement) EncryptedID(com.sun.identity.saml2.assertion.EncryptedID) SPAccountMapper(com.sun.identity.saml2.plugins.SPAccountMapper) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) List(java.util.List) ArrayList(java.util.ArrayList) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)

Example 24 with Subject

use of com.sun.identity.saml2.assertion.Subject in project OpenAM by OpenRock.

the class AuthnRequestImpl method parseDOMElement.

/** 
     * Parses the Docuemnt Element for this object.
     * 
     * @param element the Document Element of this object.
     * @throws SAML2Exception if error parsing the Document Element.
     */
protected void parseDOMElement(Element element) throws SAML2Exception {
    AssertionFactory assertionFactory = AssertionFactory.getInstance();
    ProtocolFactory protoFactory = ProtocolFactory.getInstance();
    requestId = element.getAttribute(SAML2Constants.ID);
    validateID(requestId);
    version = element.getAttribute(SAML2Constants.VERSION);
    validateVersion(version);
    String issueInstantStr = element.getAttribute(SAML2Constants.ISSUE_INSTANT);
    validateIssueInstant(issueInstantStr);
    destinationURI = element.getAttribute(SAML2Constants.DESTINATION);
    consent = element.getAttribute(SAML2Constants.CONSENT);
    NodeList nList = element.getChildNodes();
    if ((nList != null) && (nList.getLength() > 0)) {
        for (int i = 0; i < nList.getLength(); i++) {
            Node childNode = nList.item(i);
            String cName = childNode.getLocalName();
            if (cName != null) {
                if (cName.equals(SAML2Constants.ISSUER)) {
                    validateIssuer();
                    nameID = assertionFactory.createIssuer((Element) childNode);
                } else if (cName.equals(SAML2Constants.SIGNATURE)) {
                    validateSignature();
                    signatureString = XMLUtils.print((Element) childNode);
                    isSigned = true;
                } else if (cName.equals(SAML2Constants.EXTENSIONS)) {
                    validateExtensions();
                    extensions = protoFactory.createExtensions((Element) childNode);
                } else if (cName.equals(SAML2Constants.SUBJECT)) {
                    validateSubject();
                    subject = assertionFactory.createSubject((Element) childNode);
                } else if (cName.equals(SAML2Constants.NAMEIDPOLICY)) {
                    validateNameIDPolicy();
                    nameIDPolicy = protoFactory.createNameIDPolicy((Element) childNode);
                } else if (cName.equals(SAML2Constants.CONDITIONS)) {
                    validateConditions();
                    conditions = assertionFactory.createConditions((Element) childNode);
                } else if (cName.equals(SAML2Constants.REQ_AUTHN_CONTEXT)) {
                    validateReqAuthnContext();
                    reqAuthnContext = protoFactory.createRequestedAuthnContext((Element) childNode);
                } else if (cName.equals(SAML2Constants.SCOPING)) {
                    validateScoping();
                    scoping = protoFactory.createScoping((Element) childNode);
                }
            }
        }
    }
    // Get ForceAuthn Attribute
    String forceAuthnAttr = element.getAttribute(SAML2Constants.FORCEAUTHN);
    if ((forceAuthnAttr != null) && (forceAuthnAttr.length() > 0)) {
        forceAuthn = SAML2SDKUtils.booleanValueOf(forceAuthnAttr);
    }
    String isPassiveAttr = element.getAttribute(SAML2Constants.ISPASSIVE);
    if ((isPassiveAttr != null) && (isPassiveAttr.length() > 0)) {
        isPassive = SAML2SDKUtils.booleanValueOf(isPassiveAttr);
    }
    protocolBinding = element.getAttribute(SAML2Constants.PROTOBINDING);
    String index = element.getAttribute(SAML2Constants.ASSERTION_CONSUMER_SVC_INDEX);
    if ((index != null) && (index.length() > 0)) {
        assertionConsumerSvcIndex = new Integer(index);
        validateAssertionConsumerServiceIndex(assertionConsumerSvcIndex);
    }
    assertionConsumerServiceURL = XMLUtils.unescapeSpecialCharacters(element.getAttribute(SAML2Constants.ASSERTION_CONSUMER_SVC_URL));
    index = element.getAttribute(SAML2Constants.ATTR_CONSUMING_SVC_INDEX);
    if ((index != null) && (index.length() > 0)) {
        attrConsumingSvcIndex = new Integer(index);
        validateAttributeConsumingServiceIndex(attrConsumingSvcIndex);
    }
    providerName = element.getAttribute(SAML2Constants.PROVIDER_NAME);
}
Also used : ProtocolFactory(com.sun.identity.saml2.protocol.ProtocolFactory) AssertionFactory(com.sun.identity.saml2.assertion.AssertionFactory) NodeList(org.w3c.dom.NodeList) Node(org.w3c.dom.Node) Element(org.w3c.dom.Element)

Example 25 with Subject

use of com.sun.identity.saml2.assertion.Subject in project OpenAM by OpenRock.

the class Saml2GrantTypeHandler method validAssertion.

private boolean validAssertion(Assertion assertion, String deploymentURL) throws SAML2Exception {
    //must contain issuer
    final Issuer issuer = assertion.getIssuer();
    if (issuer == null) {
        logger.error("Issuer does not exist");
        return false;
    }
    /**
         * The Assertion MUST contain <Conditions> element with an
         * <AudienceRestriction> element with an <Audience> element
         * containing a URI reference that identifies the authorization
         * server, or the service provider SAML entity of its controlling
         * domain, as an intended audience.  The token endpoint URL of the
         * authorization server MAY be used as an acceptable value for an
         *       <Audience> element.  The authorization server MUST verify that it
         * is an intended audience for the Assertion.
         *
         */
    final Conditions conditions = assertion.getConditions();
    if (conditions == null) {
        logger.error("Saml2BearerServerResource.validAssertion(): Conditions does not exist");
        return false;
    }
    final List<AudienceRestriction> audienceRestriction = conditions.getAudienceRestrictions();
    if (audienceRestriction == null || audienceRestriction.isEmpty()) {
        logger.error("Saml2BearerServerResource.validAssertion(): Audience Restriction does not exist");
        return false;
    }
    boolean found = false;
    logger.trace("Saml2BearerServerResource.validAssertion(): URL of authorization server: " + deploymentURL);
    for (final AudienceRestriction restriction : audienceRestriction) {
        final List<String> audiences = restriction.getAudience();
        if (audiences == null || audiences.isEmpty()) {
            continue;
        }
        for (final String audience : audiences) {
            String deployURL = deploymentURL;
            String aud = audience;
            //check for the url with and without trailing /
            if (deployURL.endsWith("/")) {
                deployURL = deploymentURL.substring(0, deployURL.length() - 1);
            }
            if (aud.endsWith("/")) {
                aud = aud.substring(0, aud.length() - 1);
            }
            if (aud.equalsIgnoreCase(deployURL)) {
                found = true;
            }
        }
    }
    if (found == false) {
        logger.error("Didn't find the oauth2 provider in audience restrictions");
        return false;
    }
    /**
         * The Assertion MUST contain a <Subject> element.  The subject MAY
         * identify the resource owner for whom the access token is being
         * requested.  For client authentication, the Subject MUST be the
         * "client_id" of the OAuth client.  When using an Assertion as an
         * authorization grant, the Subject SHOULD identify an authorized
         * accessor for whom the access token is being requested (typically
         * the resource owner, or an authorized delegate).  Additional
         * information identifying the subject/principal of the transaction
         * MAY be included in an <AttributeStatement>.
         */
    final Subject subject = assertion.getSubject();
    if (subject == null) {
        logger.error("Subject does not exist");
        return false;
    }
    final String resourceOwner = subject.getNameID().getValue();
    /**
         * The Assertion MUST have an expiry that limits the time window
         * during which it can be used.  The expiry can be expressed either
         * as the NotOnOrAfter attribute of the <Conditions> element or as
         * the NotOnOrAfter attribute of a suitable <SubjectConfirmationData>
         * element.
         */
    /**
         * The <Subject> element MUST contain at least one
         * <SubjectConfirmation> element that allows the authorization server
         * to confirm it as a Bearer Assertion.  Such a <SubjectConfirmation>
         * element MUST have a Method attribute with a value of
         * "urn:oasis:names:tc:SAML:2.0:cm:bearer".  The
         * <SubjectConfirmation> element MUST contain a
         * <SubjectConfirmationData> element, unless the Assertion has a
         * suitable NotOnOrAfter attribute on the <Conditions> element, in
         * which case the <SubjectConfirmationData> element MAY be omitted.
         * When present, the <SubjectConfirmationData> element MUST have a
         * Recipient attribute with a value indicating the token endpoint URL
         * of the authorization server (or an acceptable alias).  The
         * authorization server MUST verify that the value of the Recipient
         * attribute matches the token endpoint URL (or an acceptable alias)
         * to which the Assertion was delivered.  The
         * <SubjectConfirmationData> element MUST have a NotOnOrAfter
         * attribute that limits the window during which the Assertion can be
         * confirmed.  The <SubjectConfirmationData> element MAY also contain
         * an Address attribute limiting the client address from which the
         * Assertion can be delivered.  Verification of the Address is at the
         * discretion of the authorization server.
         */
    final List<SubjectConfirmation> subjectConfirmations = subject.getSubjectConfirmation();
    found = false;
    if (subjectConfirmations == null || subjectConfirmations.isEmpty()) {
        logger.error("Subject Confirmations does not exist");
        return false;
    }
    //if conditions is expired assertion is expired
    if (!assertion.isTimeValid()) {
        logger.error("Assertion expired");
        return false;
    } else {
        found = true;
    }
    for (final SubjectConfirmation subjectConfirmation : subjectConfirmations) {
        if (subjectConfirmation.getMethod() == null) {
            continue;
        }
        if (subjectConfirmation.getMethod().equalsIgnoreCase(OAuth2Constants.SAML20.SUBJECT_CONFIRMATION_METHOD)) {
            final SubjectConfirmationData subjectConfirmationData = subjectConfirmation.getSubjectConfirmationData();
            if (subjectConfirmationData == null) {
                continue;
            } else if (subjectConfirmationData.getNotOnOrAfter().before(new Date()) && subjectConfirmationData.getRecipient().equalsIgnoreCase(deploymentURL)) {
                found = true;
            }
        //TODO check Client Address
        }
    }
    if (!found) {
        logger.error("Assertion expired or subject expired");
        return false;
    }
    if (!assertion.isSigned()) {
        logger.error("Assertion must be signed");
        return false;
    }
    if (!SAMLUtils.checkSignatureValid(assertion.toXMLString(), "ID", issuer.getValue())) {
        logger.error("Assertion signature verification failed");
        return false;
    }
    return true;
}
Also used : AudienceRestriction(com.sun.identity.saml2.assertion.AudienceRestriction) SubjectConfirmation(com.sun.identity.saml2.assertion.SubjectConfirmation) Issuer(com.sun.identity.saml2.assertion.Issuer) SubjectConfirmationData(com.sun.identity.saml2.assertion.SubjectConfirmationData) Conditions(com.sun.identity.saml2.assertion.Conditions) Subject(com.sun.identity.saml2.assertion.Subject) Date(java.util.Date)

Aggregations

SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)19 Subject (com.sun.identity.saml2.assertion.Subject)15 ArrayList (java.util.ArrayList)15 List (java.util.List)14 Date (java.util.Date)10 NameID (com.sun.identity.saml2.assertion.NameID)9 Assertion (com.sun.identity.saml2.assertion.Assertion)8 AttributeStatement (com.sun.identity.saml2.assertion.AttributeStatement)6 EncryptedAssertion (com.sun.identity.saml2.assertion.EncryptedAssertion)6 EncryptedID (com.sun.identity.saml2.assertion.EncryptedID)6 SubjectConfirmation (com.sun.identity.saml2.assertion.SubjectConfirmation)6 Map (java.util.Map)6 Issuer (com.sun.identity.saml2.assertion.Issuer)5 HashMap (java.util.HashMap)5 Element (org.w3c.dom.Element)5 AssertionFactory (com.sun.identity.saml2.assertion.AssertionFactory)4 AuthnStatement (com.sun.identity.saml2.assertion.AuthnStatement)4 SubjectConfirmationData (com.sun.identity.saml2.assertion.SubjectConfirmationData)4 Node (org.w3c.dom.Node)4 NodeList (org.w3c.dom.NodeList)4