
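/**
 * Returns the Policy Decision Point (PDP) endpoint URL.
 *
 * <p>The location of the first <code>XACMLAuthzService</code> entry in the
 * PDP's metadata descriptor is returned. <code>null</code> is returned when
 * the metadata manager is not initialised, the descriptor is missing, or the
 * descriptor declares no authorization service.
 *
 * @param pdpEntityID entity identifier of the PDP.
 * @return the PDP endpoint URL, or <code>null</code> if none is configured.
 * @throws SAML2Exception if there is an error retrieving the descriptor from
 *         the metadata configuration.
 */
private static String getPDPEndPoint(String pdpEntityID) throws SAML2Exception {
    String endPoint = null;
    String classMethod = "QueryClient:getPDPEndPoint";
    if (saml2MetaManager == null) {
        return endPoint;
    }
    try {
        XACMLPDPDescriptorElement pdpDescriptor =
                saml2MetaManager.getPolicyDecisionPointDescriptor(null, pdpEntityID);
        if (pdpDescriptor != null) {
            List<?> xacmlPDP = pdpDescriptor.getXACMLAuthzService();
            if (xacmlPDP != null) {
                for (Object o : xacmlPDP) {
                    // Use the first XACMLAuthzService entry. The loop stops at the
                    // first matching element rather than after the first element
                    // of any type, so a leading non-service entry cannot hide a
                    // configured endpoint.
                    if (o instanceof XACMLAuthzServiceElement) {
                        endPoint = ((XACMLAuthzServiceElement) o).getLocation();
                        if (debug.messageEnabled()) {
                            debug.message(classMethod + "EndPoint :" + endPoint);
                        }
                        break;
                    }
                }
            }
        }
    } catch (SAML2MetaException sme) {
        if (debug.messageEnabled()) {
            debug.message(classMethod + "Error retreiving PDP Meta", sme);
        }
        // Audit-log the failure with the entity id, then surface it to the
        // caller as a SAML2Exception carrying the original cause's context.
        String[] args = { pdpEntityID };
        LogUtil.error(Level.INFO, LogUtil.PDP_METADATA_ERROR, args);
        throw new SAML2Exception(SAML2SDKUtils.BUNDLE_NAME, "pdpMetaRetreivalError", args);
    }
    return endPoint;
}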

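/**
 * Returns the SAMLv2 <code>Response</code> after validation of the
 * response. When the PEP requires encrypted assertions, a new
 * <code>Response</code> object is created which contains the decrypted
 * assertions; otherwise the validated input response is returned.
 *
 * <p>Checks are applied in this order, each failure being logged and then
 * raised as a <code>SAML2Exception</code>:
 * <ol>
 * <li>the Response issuer must be a PDP trusted by the PEP;</li>
 * <li>the Response signature is verified;</li>
 * <li>if the PEP wants assertions encrypted, any plaintext assertion is
 *     rejected;</li>
 * <li>encrypted assertions are decrypted with the PEP's decryption keys and
 *     the response must then carry at least one assertion;</li>
 * <li>every assertion's issuer must be trusted and equal to the Response
 *     issuer, and, if the PEP wants assertions signed, the assertion must be
 *     signed with a signature that verifies against the PDP's certificates.</li>
 * </ol>
 *
 * @param realm the realm of the entity.
 * @param pepEntityID entity identifier of the PEP.
 * @param samlResponse the <code>Response</code>; <code>null</code> is
 *        returned unchanged.
 * @return the validated <code>Response</code>.
 * @throws SAML2Exception if any validation step fails or the metadata
 *         configuration cannot be read.
 */
private static Response verifyResponse(String realm, String pepEntityID, Response samlResponse)
        throws SAML2Exception {
    Response response = samlResponse;
    String classMethod = "QueryClient:verifyResponse";
    if (samlResponse == null) {
        return response;
    }
    // validate issuer trust. The issuer value is read null-safely so a Response
    // without an Issuer (or with an empty one) fails the trust check instead of
    // escaping as a NullPointerException.
    String issuerID = trimmedIssuerValue(samlResponse.getIssuer());
    String pdpEntityID = issuerID;
    boolean isTrusted = verifyResponseIssuer(realm, pepEntityID, issuerID);
    if (!isTrusted) {
        if (debug.messageEnabled()) {
            debug.message(classMethod + "Issuer in Request is not valid.");
        }
        String[] args = { realm, pepEntityID, issuerID };
        LogUtil.error(Level.INFO, LogUtil.INVALID_ISSUER_IN_PEP_REQUEST, args);
        throw new SAML2Exception(SAML2SDKUtils.BUNDLE_NAME, "invalidIssuer", args);
    }
    // verify signed response
    verifySignedResponse(pepEntityID, pdpEntityID, samlResponse);
    try {
        // check if assertion needs to be encrypted,signed.
        XACMLAuthzDecisionQueryConfigElement pepConfig =
                saml2MetaManager.getPolicyEnforcementPointConfig(realm, pepEntityID);
        String assertionEncrypted =
                getAttributeValueFromPEPConfig(pepConfig, SAML2Constants.WANT_ASSERTION_ENCRYPTED);
        // a missing attribute means "not required", same as any value other than "true"
        boolean wantAssertionEncrypted = "true".equalsIgnoreCase(assertionEncrypted);
        boolean wantAssertionSigned = wantAssertionSigned(realm, pepEntityID);
        String respID = samlResponse.getID();
        List<Assertion> assertions = samlResponse.getAssertion();
        if (wantAssertionEncrypted && assertions != null && !assertions.isEmpty()) {
            // A plaintext assertion is not acceptable when encryption is required.
            String[] data = { issuerID, respID };
            LogUtil.error(Level.INFO, LogUtil.ASSERTION_FROM_PDP_NOT_ENCRYPTED, data);
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("assertionNotEncrypted"));
        }
        // Encrypted assertions are decrypted whenever present, regardless of
        // wantAssertionEncrypted, and appended to the response's assertion list.
        List<EncryptedAssertion> encAssertions = samlResponse.getEncryptedAssertion();
        if (encAssertions != null) {
            Set<PrivateKey> decryptionKeys = KeyUtil.getDecryptionKeys(pepConfig);
            for (EncryptedAssertion encAssertion : encAssertions) {
                Assertion assertion = encAssertion.decrypt(decryptionKeys);
                if (assertions == null) {
                    assertions = new ArrayList<>();
                }
                assertions.add(assertion);
            }
        }
        if (assertions == null || assertions.isEmpty()) {
            if (debug.messageEnabled()) {
                debug.message(classMethod + "no assertion in the Response.");
            }
            String[] data = { issuerID, respID };
            LogUtil.error(Level.INFO, LogUtil.MISSING_ASSERTION_IN_PDP_RESPONSE, data);
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("missingAssertion"));
        }
        // validate Issuer in Assertion. Verification certificates are resolved
        // once, before the loop, and only when assertion signatures are required.
        Set<X509Certificate> verificationCerts = null;
        if (wantAssertionSigned) {
            XACMLPDPDescriptorElement pdpDesc =
                    saml2MetaManager.getPolicyDecisionPointDescriptor(realm, pdpEntityID);
            verificationCerts = KeyUtil.getPDPVerificationCerts(pdpDesc, pdpEntityID);
        }
        for (Assertion assertion : assertions) {
            String assertionID = assertion.getID();
            String assertionIssuer = trimmedIssuerValue(assertion.getIssuer());
            isTrusted = verifyResponseIssuer(realm, pepEntityID, assertionIssuer);
            if (!isTrusted) {
                debug.error(classMethod + "Assertion's source site is not valid.");
                String[] data = { assertionIssuer, assertionID };
                LogUtil.error(Level.INFO, LogUtil.INVALID_ISSUER_IN_ASSERTION_FROM_PDP, data);
                throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidIssuerInAssertion"));
            }
            // The assertion must come from the same entity that issued the
            // Response; issuerID is the trimmed Response issuer computed above.
            // A missing Response issuer is treated as a mismatch.
            if (issuerID == null || !issuerID.equals(assertionIssuer)) {
                if (debug.messageEnabled()) {
                    debug.message(classMethod + "Issuer in Assertion " + assertionIssuer + "doesn't match the Issuer in Response." + issuerID);
                }
                String[] data = { pdpEntityID, assertionIssuer };
                LogUtil.error(Level.INFO, LogUtil.MISMATCH_ISSUER_IN_ASSERTION_FROM_PDP, data);
                throw new SAML2Exception(SAML2SDKUtils.bundle.getString("mismatchIssuer"));
            }
            if (wantAssertionSigned) {
                if (debug.messageEnabled()) {
                    debug.message(classMethod + "wantAssertionSigned " + wantAssertionSigned);
                }
                // Both an absent signature and an invalid one are rejected.
                if (!assertion.isSigned() || !assertion.isSignatureValid(verificationCerts)) {
                    debug.error(classMethod + "Assertion is not signed or signature " + "is not valid.");
                    String[] data = { assertionIssuer, assertionID };
                    LogUtil.error(Level.INFO, LogUtil.INVALID_SIGNATURE_ASSERTION_FROM_PDP, data);
                    throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidSignatureOnAssertion"));
                }
            }
        }
        // end for
        if (wantAssertionEncrypted) {
            response = createResponse(samlResponse, assertions);
        }
        if (debug.messageEnabled()) {
            // NOTE: this writes the complete response, including any decrypted
            // assertion content, to the debug log; it is gated on message level.
            debug.message(classMethod + " Response : " + response.toXMLString(true, true));
        }
    } catch (SAML2MetaException sme) {
        if (debug.messageEnabled()) {
            debug.message(classMethod + "Error retreiving meta", sme);
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("metaDataError"));
    }
    return response;
}

/**
 * Returns the trimmed value of an <code>Issuer</code>, or <code>null</code>
 * when the issuer or its value is absent.
 *
 * @param issuer the issuer element, possibly <code>null</code>.
 * @return the trimmed issuer value, or <code>null</code>.
 */
private static String trimmedIssuerValue(Issuer issuer) {
    if (issuer == null) {
        return null;
    }
    String value = issuer.getValue();
    return value == null ? null : value.trim();
}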

/**
 * Runs the <code>import-entity</code> CLI command with the standard and
 * extended SAML2 metadata, then checks that every descriptor and
 * configuration element for the imported entity can be read back from a
 * fresh <code>SAML2MetaManager</code>.
 *
 * @throws CLIException if the CLI request fails.
 * @throws SAML2MetaException if the imported metadata cannot be read.
 */
@Test(groups = { "samlv2", "samlv2op" }, dependsOnMethods = { "createMetaTemplate" })
public void importEntity() throws CLIException, SAML2MetaException {
    entering("importEntity", null);
    String[] cliArgs = {
        "import-entity",
        CLIConstants.PREFIX_ARGUMENT_LONG + FedCLIConstants.ARGUMENT_METADATA, "meta",
        CLIConstants.PREFIX_ARGUMENT_LONG + FedCLIConstants.ARGUMENT_EXTENDED_DATA, "extended",
        CLIConstants.PREFIX_ARGUMENT_LONG + FedCLIConstants.ARGUMENT_COT, NAME_COT,
        CLIConstants.PREFIX_ARGUMENT_LONG + FedCLIConstants.SPECIFICATION_VERSION,
        FedCLIConstants.SAML2_SPECIFICATION
    };
    CLIRequest importRequest = new CLIRequest(null, cliArgs, getAdminSSOToken());
    cmdManager.addToRequestQueue(importRequest);
    cmdManager.serviceRequestQueue();

    // Read every role back through a new manager instance under the root realm.
    SAML2MetaManager metaManager = new SAML2MetaManager();
    EntityDescriptorElement entityDescriptor = metaManager.getEntityDescriptor("/", NAME_IDP);
    assert entityDescriptor != null;

    SPSSODescriptorElement spDescriptor = metaManager.getSPSSODescriptor("/", NAME_IDP);
    assert spDescriptor != null;
    IDPSSODescriptorElement idpDescriptor = metaManager.getIDPSSODescriptor("/", NAME_IDP);
    assert idpDescriptor != null;
    XACMLPDPDescriptorElement pdpDescriptor = metaManager.getPolicyDecisionPointDescriptor("/", NAME_IDP);
    assert pdpDescriptor != null;
    XACMLAuthzDecisionQueryDescriptorElement pepDescriptor =
            metaManager.getPolicyEnforcementPointDescriptor("/", NAME_IDP);
    assert pepDescriptor != null;

    // Extended (configuration) metadata for the same roles.
    IDPSSOConfigElement idpConfiguration = metaManager.getIDPSSOConfig("/", NAME_IDP);
    assert idpConfiguration != null;
    SPSSOConfigElement spConfiguration = metaManager.getSPSSOConfig("/", NAME_IDP);
    assert spConfiguration != null;
    XACMLPDPConfigElement pdpConfiguration = metaManager.getPolicyDecisionPointConfig("/", NAME_IDP);
    assert pdpConfiguration != null;
    XACMLAuthzDecisionQueryConfigElement pepConfiguration =
            metaManager.getPolicyEnforcementPointConfig("/", NAME_IDP);
    assert pepConfiguration != null;
    exiting("importEntity");
}