
Example 31 with SPSSODescriptorElement

use of com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement in project OpenAM by OpenRock.

Class SAMLv2ModelImpl, method getAssertionConsumerServices.

/**
 * Returns a List with Assertion Consumer Service attributes and values.
 *
 * @param realm to which the entity belongs.
 * @param entityName is the entity id.
 * @return List with Assertion Consumer values of Service Provider.
 * @throws AMConsoleException if unable to retrieve the Service Provider
 *     Assertion Consumer values based on the realm and entityName passed.
 */
public List getAssertionConsumerServices(String realm, String entityName) throws AMConsoleException {
    List asconsServiceList = null;
    SPSSODescriptorElement spssoDescriptor = null;
    try {
        SAML2MetaManager samlManager = getSAML2MetaManager();
        spssoDescriptor = samlManager.getSPSSODescriptor(realm, entityName);
        if (spssoDescriptor != null) {
            asconsServiceList = spssoDescriptor.getAssertionConsumerService();
        }
    } catch (SAML2MetaException e) {
        if (debug.warningEnabled()) {
            debug.warning("SAMLv2ModelImpl.getAssertionConsumerService", e);
        }
        throw new AMConsoleException(getErrorString(e));
    }
    return asconsServiceList;
}
Also used: com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement, java.util.List, java.util.ArrayList, com.sun.identity.saml2.meta.SAML2MetaManager, com.sun.identity.console.base.model.AMConsoleException, com.sun.identity.saml2.meta.SAML2MetaException

Example 32 with SPSSODescriptorElement

use of com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement in project OpenAM by OpenRock.

Class SAML2Test, method importEntity.

@Test(groups = { "samlv2", "samlv2op" }, dependsOnMethods = { "createMetaTemplate" })
public void importEntity() throws CLIException, SAML2MetaException {
    entering("importEntity", null);
    String[] args = {
        "import-entity",
        CLIConstants.PREFIX_ARGUMENT_LONG + FedCLIConstants.ARGUMENT_METADATA, "meta",
        CLIConstants.PREFIX_ARGUMENT_LONG + FedCLIConstants.ARGUMENT_EXTENDED_DATA, "extended",
        CLIConstants.PREFIX_ARGUMENT_LONG + FedCLIConstants.ARGUMENT_COT, NAME_COT,
        CLIConstants.PREFIX_ARGUMENT_LONG + FedCLIConstants.SPECIFICATION_VERSION, FedCLIConstants.SAML2_SPECIFICATION
    };
    CLIRequest req = new CLIRequest(null, args, getAdminSSOToken());
    cmdManager.addToRequestQueue(req);
    cmdManager.serviceRequestQueue();
    SAML2MetaManager mgr = new SAML2MetaManager();
    EntityDescriptorElement entity = mgr.getEntityDescriptor("/", NAME_IDP);
    assert (entity != null);
    SPSSODescriptorElement spElt = mgr.getSPSSODescriptor("/", NAME_IDP);
    assert (spElt != null);
    IDPSSODescriptorElement idpElt = mgr.getIDPSSODescriptor("/", NAME_IDP);
    assert (idpElt != null);
    XACMLPDPDescriptorElement pdpElt = mgr.getPolicyDecisionPointDescriptor("/", NAME_IDP);
    assert (pdpElt != null);
    XACMLAuthzDecisionQueryDescriptorElement pepElt = mgr.getPolicyEnforcementPointDescriptor("/", NAME_IDP);
    assert (pepElt != null);
    IDPSSOConfigElement idpConfig = mgr.getIDPSSOConfig("/", NAME_IDP);
    assert (idpConfig != null);
    SPSSOConfigElement spConfig = mgr.getSPSSOConfig("/", NAME_IDP);
    assert (spConfig != null);
    XACMLPDPConfigElement pdpConfig = mgr.getPolicyDecisionPointConfig("/", NAME_IDP);
    assert (pdpConfig != null);
    XACMLAuthzDecisionQueryConfigElement pepConfig = mgr.getPolicyEnforcementPointConfig("/", NAME_IDP);
    assert (pepConfig != null);
    exiting("importEntity");
}
Also used: com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement, com.sun.identity.saml2.jaxb.metadata.XACMLPDPDescriptorElement, com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement, com.sun.identity.cli.CLIRequest, com.sun.identity.saml2.jaxb.entityconfig.XACMLPDPConfigElement, com.sun.identity.saml2.jaxb.entityconfig.IDPSSOConfigElement, com.sun.identity.saml2.meta.SAML2MetaManager, com.sun.identity.saml2.jaxb.metadata.EntityDescriptorElement, com.sun.identity.saml2.jaxb.entityconfig.XACMLAuthzDecisionQueryConfigElement, com.sun.identity.saml2.jaxb.metadata.XACMLAuthzDecisionQueryDescriptorElement, com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement, org.testng.annotations.Test, org.testng.annotations.BeforeTest

Example 33 with SPSSODescriptorElement

use of com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement in project OpenAM by OpenRock.

Class ValidateSAML2, method validateSP.

private void validateSP() throws WorkflowException {
    try {
        SAML2MetaManager mm = SAML2Utils.getSAML2MetaManager();
        SPSSODescriptorElement elt = mm.getSPSSODescriptor(realm, spEntityId);
        if (elt == null) {
            Object[] param = { spEntityId };
            throw new WorkflowException("cannot.locate.sp", param);
        }
        if (spMetaAlias != null) {
            SPSSOConfigElement spConfig = mm.getSPSSOConfig(realm, spEntityId);
            if (spConfig == null) {
                Object[] param = { spEntityId };
                throw new WorkflowException("cannot.locate.sp", param);
            } else {
                if (!spConfig.getMetaAlias().equals(spMetaAlias)) {
                    Object[] param = { spEntityId };
                    throw new WorkflowException("cannot.locate.sp", param);
                }
            }
        }
        List sloServiceList = elt.getSingleLogoutService();
        spBaseURL = getSPBaseURL(sloServiceList);
        if (spBaseURL == null) {
            bFedlet = true;
        } else {
            validateURL(spBaseURL);
        }
    } catch (SAML2MetaException ex) {
        debug.error("ValidateSAML2: Error while validating SP", ex);
        Object[] param = { spEntityId };
        throw new WorkflowException("cannot.locate.sp", param);
    }
}
Also used: com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement, com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement, java.util.List, com.sun.identity.saml2.meta.SAML2MetaManager, com.sun.identity.saml2.meta.SAML2MetaException

Example 34 with SPSSODescriptorElement

use of com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement in project OpenAM by OpenRock.

Class SAML2Utils, method verifyQueryString.

/**
 * Verify Signed Query string.
 *
 * @param queryString    URL query string that will be verified.
 * @param realm          realm of host entity.
 * @param hostEntityRole entity role of host entity.
 * @param remoteEntity   entityID of peer entity.
 * @return returns true if sign is valid.
 * @throws SAML2Exception if error in verifying the signature.
 */
public static boolean verifyQueryString(String queryString, String realm, String hostEntityRole,
        String remoteEntity) throws SAML2Exception {
    String method = "verifyQueryString : ";
    if (debug.messageEnabled()) {
        debug.message(method + "queryString :" + queryString);
    }
    Set<X509Certificate> signingCerts;
    if (hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
        SPSSODescriptorElement spSSODesc = saml2MetaManager.getSPSSODescriptor(realm, remoteEntity);
        signingCerts = KeyUtil.getVerificationCerts(spSSODesc, remoteEntity, SAML2Constants.SP_ROLE);
    } else {
        IDPSSODescriptorElement idpSSODesc = saml2MetaManager.getIDPSSODescriptor(realm, remoteEntity);
        signingCerts = KeyUtil.getVerificationCerts(idpSSODesc, remoteEntity, SAML2Constants.IDP_ROLE);
    }
    if (debug.messageEnabled()) {
        debug.message(method + "realm is : " + realm);
        debug.message(method + "Host Entity role is : " + hostEntityRole);
        debug.message(method + "remoteEntity is : " + remoteEntity);
    }
    if (signingCerts.isEmpty()) {
        debug.error("Incorrect configuration for Signing Certificate.");
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    return QuerySignatureUtil.verify(queryString, signingCerts);
}
Also used: com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement, java.security.cert.X509Certificate, com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement

Example 35 with SPSSODescriptorElement

use of com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement in project OpenAM by OpenRock.

Class SAML2Utils, method isBearerSubjectConfirmation.

/*
 * Validates the bearer SubjectConfirmation of an assertion: the Recipient must be one of
 * this SP's AssertionConsumerService locations, NotOnOrAfter/NotBefore must hold within the
 * configured time skew, and InResponseTo must match the one carried by the enclosing Response.
 */
private static Map isBearerSubjectConfirmation(final List subjectConfirms, final String inRespToResponse,
        final SPSSODescriptorElement spDesc, final SPSSOConfigElement spConfig, final String assertionID)
        throws SAML2Exception {
    String method = "SAML2Utils.isBearerSubjectConfirmation:";
    Map retMap = new HashMap();
    boolean hasBearer = false;
    for (Iterator it = subjectConfirms.iterator(); it.hasNext(); ) {
        SubjectConfirmation subjectConfirm = (SubjectConfirmation) it.next();
        if (subjectConfirm == null || subjectConfirm.getMethod() == null
                || !subjectConfirm.getMethod().equals(SAML2Constants.SUBJECT_CONFIRMATION_METHOD_BEARER)) {
            continue;
        }
        // since this is bearer SC, all below must be true
        SubjectConfirmationData subjectConfData = subjectConfirm.getSubjectConfirmationData();
        if (subjectConfData == null) {
            if (debug.messageEnabled()) {
                debug.message(method + "missing SubjectConfirmationData.");
            }
            String[] data = { assertionID };
            LogUtil.error(Level.INFO, LogUtil.MISSING_SUBJECT_COMFIRMATION_DATA, data, null);
            throw new SAML2Exception(bundle.getString("missingSubjectConfirmationData"));
        }
        String recipient = subjectConfData.getRecipient();
        if (recipient == null || recipient.length() == 0) {
            if (debug.messageEnabled()) {
                debug.message(method + "missing Recipient in Assertion.");
            }
            String[] data = { assertionID };
            LogUtil.error(Level.INFO, LogUtil.MISSING_RECIPIENT, data, null);
            throw new SAML2Exception(bundle.getString("missingRecipient"));
        }
        boolean foundMatch = false;
        Iterator acsIter = spDesc.getAssertionConsumerService().iterator();
        while (acsIter.hasNext()) {
            AssertionConsumerServiceElement acs = (AssertionConsumerServiceElement) acsIter.next();
            if (recipient.equals(acs.getLocation())) {
                foundMatch = true;
                break;
            }
        }
        if (!foundMatch) {
            if (debug.messageEnabled()) {
                debug.message(method + "this sp is not the intended " + "recipient.");
            }
            String[] data = { assertionID, recipient };
            LogUtil.error(Level.INFO, LogUtil.WRONG_RECIPIENT, data, null);
            throw new SAML2Exception(bundle.getString("wrongRecipient"));
        }
        // in seconds
        int timeskew = SAML2Constants.ASSERTION_TIME_SKEW_DEFAULT;
        String timeskewStr = getAttributeValueFromSPSSOConfig(spConfig, SAML2Constants.ASSERTION_TIME_SKEW);
        if (timeskewStr != null && timeskewStr.trim().length() > 0) {
            timeskew = Integer.parseInt(timeskewStr);
            if (timeskew < 0) {
                timeskew = SAML2Constants.ASSERTION_TIME_SKEW_DEFAULT;
            }
        }
        if (debug.messageEnabled()) {
            debug.message(method + "timeskew = " + timeskew);
        }
        Date notOnOrAfter = subjectConfData.getNotOnOrAfter();
        if (notOnOrAfter == null || ((notOnOrAfter.getTime() + timeskew * 1000) < System.currentTimeMillis())) {
            if (debug.messageEnabled()) {
                debug.message(method + "Time in SubjectConfirmationData of " + "Assertion:" + assertionID + " is invalid.");
            }
            String[] data = { assertionID };
            LogUtil.error(Level.INFO, LogUtil.INVALID_TIME_SUBJECT_CONFIRMATION_DATA, data, null);
            throw new SAML2Exception(bundle.getString("invalidTimeOnSubjectConfirmationData"));
        }
        retMap.put(SAML2Constants.NOTONORAFTER, notOnOrAfter);
        Date notBefore = subjectConfData.getNotBefore();
        if (notBefore != null) {
            if ((notBefore.getTime() + timeskew * 1000) > System.currentTimeMillis()) {
                if (debug.messageEnabled()) {
                    debug.message(method + "SubjectConfirmationData included " + "NotBefore.");
                }
                String[] data = { assertionID };
                LogUtil.error(Level.INFO, LogUtil.CONTAINED_NOT_BEFORE, data, null);
                throw new SAML2Exception(bundle.getString("containedNotBefore"));
            }
        }
        retMap.put(SAML2Constants.NOTBEFORE, notBefore);
        String inRespTo = subjectConfData.getInResponseTo();
        if (inRespTo != null && inRespTo.length() != 0) {
            if (!inRespTo.equals(inRespToResponse)) {
                if (debug.messageEnabled()) {
                    debug.message(method + "InResponseTo in Assertion is " + "different from the one in Response.");
                }
                String[] data = { assertionID };
                LogUtil.error(Level.INFO, LogUtil.WRONG_INRESPONSETO_ASSERTION, data, null);
                throw new SAML2Exception(bundle.getString("wrongInResponseToInAssertion"));
            }
        } else {
            if (inRespToResponse != null && inRespToResponse.length() != 0) {
                if (debug.messageEnabled()) {
                    debug.message(method + "Assertion doesn't contain " + "InResponseTo, but Response does.");
                }
                String[] data = { assertionID };
                LogUtil.error(Level.INFO, LogUtil.WRONG_INRESPONSETO_ASSERTION, data, null);
                throw new SAML2Exception(bundle.getString("wrongInResponseToInAssertion"));
            }
        }
        hasBearer = true;
        break;
    }
    retMap.put(SAML2Constants.IS_BEARER, Boolean.valueOf(hasBearer));
    return retMap;
}
Also used: com.sun.identity.saml2.assertion.SubjectConfirmation, java.util.HashMap, java.util.Iterator, com.sun.identity.saml2.jaxb.metadata.AssertionConsumerServiceElement, com.sun.identity.saml2.assertion.SubjectConfirmationData, java.util.Map, java.util.Date
