use of com.sun.identity.saml2.assertion.SubjectConfirmation in project OpenAM by OpenRock.
the class DefaultSubjectProvider method get.
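/**
 * Builds the SAML2 {@code Subject} for an assertion: a NameID for {@code subjectId} plus exactly one
 * {@code SubjectConfirmation} whose method and confirmation data are chosen by {@code subjectConfirmation}.
 *
 * @param subjectId identifier placed in the NameID
 * @param spAcsUrl the Service Provider's Assertion Consumer Service URL; for BEARER it becomes the Recipient
 *        of the confirmation data (section 4.1.4.2 of saml-profiles-2.0-os), so it is mandatory in that case
 * @param saml2Config supplies the NameID format and the token lifetime in seconds
 * @param subjectConfirmation the confirmation method to emit; must not be null
 * @param assertionIssueInstant issue instant of the enclosing assertion; bearer NotOnOrAfter is derived from it
 * @param proofTokenState carries the X509 certificate bound to the subject for HOLDER_OF_KEY; ignored (and may
 *        be null) for the other methods
 * @return the populated Subject
 * @throws TokenCreationException with BAD_REQUEST when a required input for the requested method is missing,
 *         and with INTERNAL_ERROR for an unknown method or a failure in the underlying SAML2 assertion API
 */
public Subject get(String subjectId, String spAcsUrl, SAML2Config saml2Config, SAML2SubjectConfirmation subjectConfirmation, Date assertionIssueInstant, ProofTokenState proofTokenState) throws TokenCreationException {
    // A null enum would otherwise surface as a NullPointerException from the switch below.
    if (subjectConfirmation == null) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR,
                "Unexpected SubjectConfirmation value in DefaultSubjectProvider: null");
    }
    try {
        Subject subject = AssertionFactory.getInstance().createSubject();
        setNameIdentifier(subject, subjectId, saml2Config.getNameIdFormat());
        SubjectConfirmation subConfirmation = AssertionFactory.getInstance().createSubjectConfirmation();
        switch (subjectConfirmation) {
            case BEARER:
                subConfirmation.setMethod(SAML2Constants.SUBJECT_CONFIRMATION_METHOD_BEARER);
                subConfirmation.setSubjectConfirmationData(
                        getBearerSubjectConfirmationData(spAcsUrl, saml2Config, assertionIssueInstant));
                break;
            case SENDER_VOUCHES:
                // Sender-vouches carries no SubjectConfirmationData here; only the method is recorded.
                subConfirmation.setMethod(SAML2Constants.SUBJECT_CONFIRMATION_METHOD_SENDER_VOUCHES);
                break;
            case HOLDER_OF_KEY:
                // The certificate is required to build the KeyInfo; fail explicitly rather than with an NPE.
                if (proofTokenState == null) {
                    throw new TokenCreationException(ResourceException.BAD_REQUEST,
                            "HOLDER_OF_KEY SubjectConfirmation requested but no ProofTokenState was supplied to DefaultSubjectProvider.");
                }
                subConfirmation.setMethod(SAML2Constants.SUBJECT_CONFIRMATION_METHOD_HOLDER_OF_KEY);
                subConfirmation.setSubjectConfirmationData(
                        getHoKSubjectConfirmationData(proofTokenState.getX509Certificate()));
                break;
            default:
                throw new TokenCreationException(ResourceException.INTERNAL_ERROR,
                        "Unexpected SubjectConfirmation value in DefaultSubjectProvider: " + subjectConfirmation);
        }
        List<SubjectConfirmation> subjectConfirmationList = new ArrayList<>();
        subjectConfirmationList.add(subConfirmation);
        subject.setSubjectConfirmation(subjectConfirmationList);
        return subject;
    } catch (SAML2Exception e) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR,
                "Exception caught setting subject confirmation state in DefaultSubjectProvider: " + e, e);
    }
}

/**
 * Builds the confirmation data for a bearer SubjectConfirmation as section 4.1.4.2 of
 * saml-profiles-2.0-os requires: Recipient set to the SP ACS URL, NotOnOrAfter set, NotBefore left unset.
 *
 * @param spAcsUrl the SP ACS URL used as Recipient; must be non-empty
 * @param saml2Config supplies the token lifetime in seconds
 * @param assertionIssueInstant base instant for NotOnOrAfter
 * @return the populated confirmation data
 * @throws TokenCreationException with BAD_REQUEST when {@code spAcsUrl} is missing
 * @throws SAML2Exception propagated from the assertion API
 */
private SubjectConfirmationData getBearerSubjectConfirmationData(String spAcsUrl, SAML2Config saml2Config,
        Date assertionIssueInstant) throws TokenCreationException, SAML2Exception {
    if ((spAcsUrl == null) || spAcsUrl.isEmpty()) {
        throw new TokenCreationException(ResourceException.BAD_REQUEST,
                "BEARER SubjectConfirmation requires the SP ACS url as Recipient, but none was supplied to DefaultSubjectProvider.");
    }
    SubjectConfirmationData bearerConfirmationData = AssertionFactory.getInstance().createSubjectConfirmationData();
    bearerConfirmationData.setRecipient(spAcsUrl);
    // Multiply in long so a large lifetime cannot overflow int arithmetic before being added to the instant.
    long notOnOrAfterMillis = assertionIssueInstant.getTime() + (saml2Config.getTokenLifetimeInSeconds() * 1000L);
    bearerConfirmationData.setNotOnOrAfter(new Date(notOnOrAfterMillis));
    return bearerConfirmationData;
}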
use of com.sun.identity.saml2.assertion.SubjectConfirmation in project OpenAM by OpenRock.
the class DefaultConditionsProvider method get.
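/**
 * Builds the {@code Conditions} element for an assertion: a validity window of
 * [issueInstant, issueInstant + token lifetime) and, when the SAML2Config names an SP entity id, an
 * AudienceRestriction for it. Section 4.1.4.2 of saml-profiles-2.0-os makes the AudienceRestriction
 * mandatory for bearer assertions, so a missing SP entity id is rejected for BEARER.
 *
 * @param saml2Config supplies the token lifetime in seconds and the SP entity id
 * @param issueInstant the assertion issue instant; becomes NotBefore
 * @param saml2SubjectConfirmation the confirmation method of the assertion being built
 * @return the populated Conditions
 * @throws TokenCreationException with BAD_REQUEST when BEARER is requested without an SP entity id, and with
 *         INTERNAL_ERROR when the underlying SAML2 assertion API fails
 * @see org.forgerock.openam.sts.tokengeneration.saml2.statements.ConditionsProvider#get(
 * org.forgerock.openam.sts.config.user.SAML2Config, java.util.Date,
 * org.forgerock.openam.sts.token.SAML2SubjectConfirmation)
 */
public Conditions get(SAML2Config saml2Config, Date issueInstant, SAML2SubjectConfirmation saml2SubjectConfirmation) throws TokenCreationException {
    Conditions conditions = AssertionFactory.getInstance().createConditions();
    try {
        conditions.setNotBefore(issueInstant);
        // Multiply in long so a large lifetime cannot overflow int arithmetic before being added to the instant.
        long notOnOrAfterMillis = issueInstant.getTime() + (saml2Config.getTokenLifetimeInSeconds() * 1000L);
        conditions.setNotOnOrAfter(new Date(notOnOrAfterMillis));
    } catch (SAML2Exception e) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR,
                "Exception caught setting token lifetime state in DefaultConditionsProvider: " + e, e);
    }
    String audience = saml2Config.getSpEntityId();
    boolean audiencePresent = (audience != null) && !audience.isEmpty();
    if (!audiencePresent && SAML2SubjectConfirmation.BEARER.equals(saml2SubjectConfirmation)) {
        throw new TokenCreationException(ResourceException.BAD_REQUEST,
                "The audiences field in the SAML2Config is empty, "
                + "but the BEARER SubjectConfirmation is required. BEARER tokens must include Conditions with "
                + "AudienceRestrictions specifying the SP entity ids.");
    }
    if (audiencePresent) {
        try {
            AudienceRestriction audienceRestriction = AssertionFactory.getInstance().createAudienceRestriction();
            List<String> audienceList = new ArrayList<>(1);
            audienceList.add(audience);
            audienceRestriction.setAudience(audienceList);
            List<AudienceRestriction> audienceRestrictionList = new ArrayList<>(1);
            audienceRestrictionList.add(audienceRestriction);
            conditions.setAudienceRestrictions(audienceRestrictionList);
        } catch (SAML2Exception e) {
            throw new TokenCreationException(ResourceException.INTERNAL_ERROR,
                    "Exception caught setting audience restriction state in DefaultConditionsProvider: " + e, e);
        }
    }
    return conditions;
}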
use of com.sun.identity.saml2.assertion.SubjectConfirmation in project OpenAM by OpenRock.
the class DefaultSubjectProvider method getHoKSubjectConfirmationData.
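/**
 * Builds the SubjectConfirmationData for a holder-of-key confirmation: a single KeyInfo element, generated
 * from the supplied certificate's public key, with the content type set to {@code KEY_INFO_CONFIRMATION_DATA_TYPE}.
 *
 * @param certificate the certificate whose public key the subject must prove possession of; must not be null
 * @return the populated confirmation data
 * @throws TokenCreationException with BAD_REQUEST when {@code certificate} is null, and with INTERNAL_ERROR when
 *         KeyInfo generation or the SAML2 assertion API fails
 */
private SubjectConfirmationData getHoKSubjectConfirmationData(X509Certificate certificate) throws TokenCreationException {
    if (certificate == null) {
        throw new TokenCreationException(ResourceException.BAD_REQUEST,
                "HOLDER_OF_KEY SubjectConfirmation requires an X509Certificate, but none was supplied to DefaultSubjectProvider.");
    }
    Element keyInfoElement;
    try {
        keyInfoElement = keyInfoFactory.generatePublicKeyInfo(certificate);
    } catch (ParserConfigurationException | XMLSecurityException e) {
        // Both failure modes are reported identically: the KeyInfo could not be produced.
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR,
                "Exception caught generating KeyInfo for HoK SubjectConfirmation DefaultSubjectProvider: " + e, e);
    }
    try {
        final List<Element> elementList = new ArrayList<>(1);
        elementList.add(keyInfoElement);
        final SubjectConfirmationData subjectConfirmationData = AssertionFactory.getInstance().createSubjectConfirmationData();
        subjectConfirmationData.setContentType(KEY_INFO_CONFIRMATION_DATA_TYPE);
        subjectConfirmationData.setContent(elementList);
        return subjectConfirmationData;
    } catch (SAML2Exception e) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR,
                "Exception caught generating SubjectConfirmationData with HoK KeyInfo element in DefaultSubjectProvider: " + e, e);
    }
}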
use of com.sun.identity.saml2.assertion.SubjectConfirmation in project OpenAM by OpenRock.
the class DefaultSubjectProviderTest method testBearerStateSettings.
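/**
 * Bearer confirmation: the NameID carries the subject id and configured format, the method is BEARER, the
 * Recipient is the SP ACS url passed in, and NotOnOrAfter is the issue instant plus the configured lifetime.
 */
@Test
public void testBearerStateSettings() throws TokenCreationException {
    SubjectProvider subjectProvider = new DefaultSubjectProvider(Guice.createInjector(new MyModule()).getInstance(KeyInfoFactory.class));
    Date issueInstant = new Date();
    // ProofTokenState is only consulted for HOLDER_OF_KEY, so a bearer request passes none.
    ProofTokenState proof = null;
    Subject subject = subjectProvider.get(SUBJECT_ID, AUDIENCE_ID, createSAML2Config(), SAML2SubjectConfirmation.BEARER, issueInstant, proof);
    // assertEquals reports both values on failure, where assertTrue(a.equals(b)) reports nothing useful.
    assertEquals(SUBJECT_ID, subject.getNameID().getValue());
    assertEquals(NAME_ID_FORMAT, subject.getNameID().getFormat());
    SubjectConfirmation subjectConfirmation = (SubjectConfirmation) subject.getSubjectConfirmation().get(0);
    assertEquals(SAML2Constants.SUBJECT_CONFIRMATION_METHOD_BEARER, subjectConfirmation.getMethod());
    SubjectConfirmationData subjectConfirmationData = subjectConfirmation.getSubjectConfirmationData();
    assertTrue(subjectConfirmationData != null);
    // The Recipient binds the bearer assertion to the SP ACS url it was issued for.
    assertEquals(AUDIENCE_ID, subjectConfirmationData.getRecipient());
    long expectedNotOnOrAfter = issueInstant.getTime() + (TOKEN_LIFETIME_SECONDS * 1000L);
    assertEquals(expectedNotOnOrAfter, subjectConfirmationData.getNotOnOrAfter().getTime());
}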
use of com.sun.identity.saml2.assertion.SubjectConfirmation in project OpenAM by OpenRock.
the class DefaultSubjectProviderTest method testHoKSubjectConfirmation.
/**
 * Holder-of-key confirmation: the NameID carries the subject id and configured format, the method is
 * HOLDER_OF_KEY, the confirmation data is present with the KeyInfo content type, and its XML form can be
 * parsed back into a SubjectConfirmationData.
 */
@Test
public void testHoKSubjectConfirmation() throws Exception {
    KeyInfoFactory keyInfoFactory = Guice.createInjector(new MyModule()).getInstance(KeyInfoFactory.class);
    SubjectProvider provider = new DefaultSubjectProvider(keyInfoFactory);
    Date now = new Date();
    Subject subject = provider.get(SUBJECT_ID, AUDIENCE_ID, createSAML2Config(),
            SAML2SubjectConfirmation.HOLDER_OF_KEY, now, getProofState());

    NameID nameId = subject.getNameID();
    assertEquals(SUBJECT_ID, nameId.getValue());
    assertEquals(NAME_ID_FORMAT, nameId.getFormat());

    SubjectConfirmation confirmation = (SubjectConfirmation) subject.getSubjectConfirmation().get(0);
    assertEquals(SAML2Constants.SUBJECT_CONFIRMATION_METHOD_HOLDER_OF_KEY, confirmation.getMethod());

    SubjectConfirmationData confirmationData = confirmation.getSubjectConfirmationData();
    assertTrue(confirmationData != null);
    assertEquals(confirmationData.getContentType(), KEY_INFO_CONFIRMATION_DATA_TYPE);

    // Round-trip: the serialized element must be re-parsable by the assertion factory.
    String xml = confirmationData.toXMLString(true, true);
    AssertionFactory.getInstance().createSubjectConfirmationData(xml);
}