
Example 1 with AttributeQuery

use of com.sun.identity.saml2.protocol.AttributeQuery in project OpenAM by OpenRock.

the class AttributeQueryUtil method signAttributeQuery.

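/**
 * Signs the outgoing {@code AttributeQuery} with the hosted requester's signing key.
 *
 * <p>The signing alias is resolved from metadata for the query's issuer in the
 * attribute-query role of the given realm; the key itself comes from {@code keyProvider}.
 *
 * @param attrQuery the query to sign; its issuer value selects the signing alias
 * @param realm the realm of the hosted requester entity
 * @param includeCert whether to embed the signing certificate alongside the signature
 * @throws SAML2Exception if no private key is available for the resolved alias
 */
private static void signAttributeQuery(AttributeQuery attrQuery, String realm, boolean includeCert) throws SAML2Exception {
    String requesterEntityID = attrQuery.getIssuer().getValue();
    String alias = SAML2Utils.getSigningCertAlias(realm, requesterEntityID, SAML2Constants.ATTR_QUERY_ROLE);
    PrivateKey signingKey = keyProvider.getPrivateKey(alias);
    if (signingKey == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
    }
    // signingKey is non-null past this point, so no second null check is needed before signing.
    // When includeCert is false the certificate is deliberately passed as null (as before).
    X509Certificate signingCert = includeCert ? keyProvider.getX509Certificate(alias) : null;
    attrQuery.sign(signingKey, signingCert);
}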

Example 2 with AttributeQuery

use of com.sun.identity.saml2.protocol.AttributeQuery in project OpenAM by OpenRock.

the class AttributeQueryUtil method constructAttrQueryForFedlet.

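/**
 * Constructs the {@code AttributeQuery} used by the Fedlet to retrieve attribute
 * values from the IDP.
 *
 * <p>The query's issuer is the hosted attribute-query entity behind {@code attrqMetaAlias}.
 * The subject's {@code NameID} is filled according to {@code attrProfileNameAlias}: the
 * default profile uses a transient NameID carrying {@code nameIDValue}, the X.509 subject
 * profile uses {@code subjectDN}. For any other alias the NameID is left without format
 * and value (unchanged from the original behaviour).
 *
 * @param spEntityID entity ID of the service provider, used as SP name qualifier
 * @param idpEntityID entity ID of the IDP, used as name qualifier and encryption target
 * @param nameIDValue the NameID value for the default (transient) profile
 * @param attrsList names of the attributes to request
 * @param attrqMetaAlias meta alias of the hosted attribute-query entity
 * @param attrProfileNameAlias alias selecting the attribute query profile
 * @param subjectDN the subject DN for the X.509 subject profile
 * @param wantNameIDEncrypted whether to encrypt the NameID for the IDP
 *
 * @return the populated, unsigned attribute query
 * @exception SAML2Exception if the operation is not successful
 *
 * @supported.api
 */
private static AttributeQuery constructAttrQueryForFedlet(String spEntityID, String idpEntityID, String nameIDValue, List<String> attrsList, String attrqMetaAlias, String attrProfileNameAlias, String subjectDN, boolean wantNameIDEncrypted) throws SAML2Exception {
    String attrqEntityID = SAML2Utils.getSAML2MetaManager().getEntityByMetaAlias(attrqMetaAlias);
    ProtocolFactory protocolFactory = ProtocolFactory.getInstance();
    AssertionFactory assertionFactory = AssertionFactory.getInstance();
    AttributeQuery attrQuery = protocolFactory.createAttributeQuery();
    Issuer issuer = assertionFactory.createIssuer();
    issuer.setValue(attrqEntityID);
    attrQuery.setIssuer(issuer);
    attrQuery.setID(SAML2Utils.generateID());
    attrQuery.setVersion(SAML2Constants.VERSION_2_0);
    attrQuery.setIssueInstant(new Date());
    // Typed list instead of the raw List/ArrayList the original used.
    List<Attribute> attrs = new ArrayList<Attribute>(attrsList.size());
    for (String attributeName : attrsList) {
        Attribute attr = assertionFactory.createAttribute();
        attr.setName(attributeName);
        attr.setNameFormat(SAML2Constants.BASIC_NAME_FORMAT);
        attrs.add(attr);
    }
    attrQuery.setAttributes(attrs);
    Subject subject = assertionFactory.createSubject();
    NameID nameID = assertionFactory.createNameID();
    nameID.setNameQualifier(idpEntityID);
    nameID.setSPNameQualifier(spEntityID);
    // The two profile aliases are distinct constants, so at most one branch applies.
    if (attrProfileNameAlias.equals(SAML2Constants.DEFAULT_ATTR_QUERY_PROFILE_ALIAS)) {
        nameID.setFormat(SAML2Constants.NAMEID_TRANSIENT_FORMAT);
        nameID.setValue(nameIDValue);
    } else if (attrProfileNameAlias.equals(SAML2Constants.X509_SUBJECT_ATTR_QUERY_PROFILE_ALIAS)) {
        nameID.setFormat(SAML2Constants.X509_SUBJECT_NAME);
        nameID.setValue(subjectDN);
    }
    if (!wantNameIDEncrypted) {
        subject.setNameID(nameID);
    } else {
        // NOTE(review): the attribute authority descriptor is looked up in the root realm ("/"),
        // not in the realm of the hosted entity — confirm this is intended for the Fedlet case.
        AttributeAuthorityDescriptorElement aad = metaManager.getAttributeAuthorityDescriptor("/", idpEntityID);
        // Encryption parameters (wrapping key, algorithm, strength) come from the IDP's metadata,
        // so the NameID can only be read by the intended attribute authority.
        EncInfo encInfo = KeyUtil.getEncInfo(aad, idpEntityID, SAML2Constants.ATTR_AUTH_ROLE);
        EncryptedID encryptedID = nameID.encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), idpEntityID);
        subject.setEncryptedID(encryptedID);
    }
    attrQuery.setSubject(subject);
    return attrQuery;
}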

Example 3 with AttributeQuery

use of com.sun.identity.saml2.protocol.AttributeQuery in project OpenAM by OpenRock.

the class AttributeQueryUtil method sendAttributeQuery.

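/**
 * Sends the {@code AttributeQuery} to the specified attribute authority using the
 * HTTP-POST binding. Unlike the SOAP overload this method does not return a
 * {@code Response}: the query is signed and auto-posted through the HTTP response,
 * and any reply arrives in a later request.
 *
 * @param attrQuery the {@code AttributeQuery} object
 * @param request the HTTP Request
 * @param response the HTTP Response through which the POST form is sent
 * @param attrAuthorityEntityID entity ID of attribute authority
 * @param realm the realm of hosted entity
 * @param attrQueryProfile the attribute query profile or null to ignore
 * @param attrProfile the attribute profile
 * @param binding the binding; only {@code SAML2Constants.HTTP_POST} is supported here
 *
 * @exception SAML2Exception if the metadata cannot be read, the attribute authority or
 *            its endpoint is not found, or the binding is unsupported
 *
 * @supported.api
 */
public static void sendAttributeQuery(AttributeQuery attrQuery, HttpServletRequest request, HttpServletResponse response, String attrAuthorityEntityID, String realm, String attrQueryProfile, String attrProfile, String binding) throws SAML2Exception {
    final AttributeAuthorityDescriptorElement aad;
    try {
        aad = metaManager.getAttributeAuthorityDescriptor(realm, attrAuthorityEntityID);
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error("AttributeQueryUtil.sendAttributeQuery:", sme);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    if (aad == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("attrAuthorityNotFound"));
    }
    if (binding == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    // The destination is taken from the authority's metadata, never from the caller.
    String location = findLocation(aad, binding, attrQueryProfile, attrProfile);
    if (location == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("attrAuthorityNotFound"));
    }
    if (!binding.equalsIgnoreCase(SAML2Constants.HTTP_POST)) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    // Sign before serialising so the signature covers the final XML; the certificate is not embedded.
    signAttributeQuery(attrQuery, realm, false);
    String encodedReqMsg = SAML2Utils.encodeForPOST(attrQuery.toXMLString(true, true));
    SAML2Utils.postToTarget(request, response, "SAMLRequest", encodedReqMsg, null, null, location);
}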

Example 4 with AttributeQuery

use of com.sun.identity.saml2.protocol.AttributeQuery in project OpenAM by OpenRock.

the class AttributeQueryUtil method sendAttributeQuery.

/**
 * Sends the {@code AttributeQuery} to the specified attribute authority over the
 * SOAP binding and returns the {@code Response} the authority sends back.
 *
 * @param attrQuery the {@code AttributeQuery} object
 * @param attrAuthorityEntityID entity ID of attribute authority
 * @param realm the realm of hosted entity
 * @param attrQueryProfile the attribute query profile or null to ignore
 * @param attrProfile the attribute profile
 * @param binding the binding; only {@code SAML2Constants.SOAP} is accepted
 *
 * @return the {@code Response} object
 * @exception SAML2Exception if the metadata cannot be read, the attribute authority or
 *            its endpoint is not found, or the binding is unsupported
 *
 * @supported.api
 */
public static Response sendAttributeQuery(AttributeQuery attrQuery, String attrAuthorityEntityID, String realm, String attrQueryProfile, String attrProfile, String binding) throws SAML2Exception {
    final AttributeAuthorityDescriptorElement authorityDesc;
    try {
        authorityDesc = metaManager.getAttributeAuthorityDescriptor(realm, attrAuthorityEntityID);
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error("AttributeQueryUtil.sendAttributeQuery:", sme);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    if (authorityDesc == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("attrAuthorityNotFound"));
    }
    if (binding == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    // Endpoint resolved from the authority's metadata for the requested binding/profile.
    String endpoint = findLocation(authorityDesc, binding, attrQueryProfile, attrProfile);
    if (endpoint == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("attrAuthorityNotFound"));
    }
    if (!binding.equalsIgnoreCase(SAML2Constants.SOAP)) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    // Sign without embedding the certificate, then dispatch over SOAP.
    signAttributeQuery(attrQuery, realm, false);
    return sendAttributeQuerySOAP(attrQuery, endpoint, attrAuthorityEntityID, authorityDesc);
}

Example 5 with AttributeQuery

use of com.sun.identity.saml2.protocol.AttributeQuery in project OpenAM by OpenRock.

the class AttributeQueryUtil method verifyAttrQuerySignature.

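/**
 * Checks that the attribute query is signed and that the signature verifies against
 * the issuer's certificates from metadata.
 *
 * <p>The issuer named in the (not yet verified) message only selects which metadata
 * entry to consult; the trust anchors themselves come from that entry's attribute-query
 * descriptor, so a message cannot supply its own verification certificate.
 *
 * @param attrQuery attribute query
 * @param attrAuthorityEntityID entity ID of attribute authority (not used by the checks below)
 * @param realm the realm of hosted entity
 *
 * @exception SAML2Exception if the query is unsigned, has no issuer, the issuer is not
 *            known in metadata, no verification certificates are configured, or the
 *            signature is not valid.
 */
public static void verifyAttrQuerySignature(AttributeQuery attrQuery, String attrAuthorityEntityID, String realm) throws SAML2Exception {
    if (!attrQuery.isSigned()) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("attrQueryNotSigned"));
    }
    // Original dereferenced the issuer unconditionally; a query without an issuer is
    // rejected explicitly instead of surfacing as a NullPointerException.
    Issuer issuer = attrQuery.getIssuer();
    if (issuer == null || issuer.getValue() == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("attrQueryIssuerNotFound"));
    }
    String requestedEntityID = issuer.getValue();
    AttributeQueryDescriptorElement attrqDesc = metaManager.getAttributeQueryDescriptor(realm, requestedEntityID);
    if (attrqDesc == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("attrQueryIssuerNotFound"));
    }
    Set<X509Certificate> signingCerts = KeyUtil.getVerificationCerts(attrqDesc, requestedEntityID, SAML2Constants.ATTR_QUERY_ROLE);
    if (signingCerts.isEmpty()) {
        // No configured certificate means the signature cannot be trusted, so fail closed.
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
    }
    boolean valid = attrQuery.isSignatureValid(signingCerts);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("AttributeQueryUtil.verifyAttributeQuery: " + "Signature validity is : " + valid);
    }
    if (!valid) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignatureAttrQuery"));
    }
}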
