Example 1 with AttributeQuery
use of com.sun.identity.saml2.protocol.AttributeQuery in project OpenAM by OpenRock.
the class AttributeQueryUtil method signAttributeQuery.
private static void signAttributeQuery(AttributeQuery attrQuery, String realm, boolean includeCert) throws SAML2Exception {
String requesterEntityID = attrQuery.getIssuer().getValue();
String alias = SAML2Utils.getSigningCertAlias(realm, requesterEntityID, SAML2Constants.ATTR_QUERY_ROLE);
PrivateKey signingKey = keyProvider.getPrivateKey(alias);
if (signingKey == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
}
X509Certificate signingCert = null;
if (includeCert) {
signingCert = keyProvider.getX509Certificate(alias);
}
if (signingKey != null) {
attrQuery.sign(signingKey, signingCert);
}
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
PrivateKey(java.security.PrivateKey)
X509Certificate(java.security.cert.X509Certificate)
Example 2 with AttributeQuery
use of com.sun.identity.saml2.protocol.AttributeQuery in project OpenAM by OpenRock.
the class AttributeQueryUtil method constructAttrQueryForFedlet.
/**
* Constructs the Attribute Query used by the Fedlet to retrieve the
* values from IDP
*
* @param samlResp saml response
*
* @exception SAML2Exception if the operation is not successful
*
* @supported.api
*/
private static AttributeQuery constructAttrQueryForFedlet(String spEntityID, String idpEntityID, String nameIDValue, List<String> attrsList, String attrqMetaAlias, String attrProfileNameAlias, String subjectDN, boolean wantNameIDEncrypted) throws SAML2Exception {
String attrqEntityID = SAML2Utils.getSAML2MetaManager().getEntityByMetaAlias(attrqMetaAlias);
ProtocolFactory protocolFactory = ProtocolFactory.getInstance();
AssertionFactory assertionFactory = AssertionFactory.getInstance();
AttributeQuery attrQuery = protocolFactory.createAttributeQuery();
Issuer issuer = assertionFactory.createIssuer();
issuer.setValue(attrqEntityID);
attrQuery.setIssuer(issuer);
attrQuery.setID(SAML2Utils.generateID());
attrQuery.setVersion(SAML2Constants.VERSION_2_0);
attrQuery.setIssueInstant(new Date());
List attrs = new ArrayList();
for (String attributeName : attrsList) {
Attribute attr = assertionFactory.createAttribute();
attr.setName(attributeName);
attr.setNameFormat(SAML2Constants.BASIC_NAME_FORMAT);
attrs.add(attr);
}
attrQuery.setAttributes(attrs);
Subject subject = assertionFactory.createSubject();
NameID nameID = assertionFactory.createNameID();
nameID.setNameQualifier(idpEntityID);
nameID.setSPNameQualifier(spEntityID);
if (attrProfileNameAlias.equals(SAML2Constants.DEFAULT_ATTR_QUERY_PROFILE_ALIAS)) {
nameID.setFormat(SAML2Constants.NAMEID_TRANSIENT_FORMAT);
nameID.setValue(nameIDValue);
}
if (attrProfileNameAlias.equals(SAML2Constants.X509_SUBJECT_ATTR_QUERY_PROFILE_ALIAS)) {
nameID.setFormat(SAML2Constants.X509_SUBJECT_NAME);
nameID.setValue(subjectDN);
}
if (!wantNameIDEncrypted) {
subject.setNameID(nameID);
} else {
AttributeAuthorityDescriptorElement aad = metaManager.getAttributeAuthorityDescriptor("/", idpEntityID);
EncInfo encInfo = KeyUtil.getEncInfo(aad, idpEntityID, SAML2Constants.ATTR_AUTH_ROLE);
EncryptedID encryptedID = nameID.encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), idpEntityID);
subject.setEncryptedID(encryptedID);
}
attrQuery.setSubject(subject);
return attrQuery;
}
Also used :
Issuer(com.sun.identity.saml2.assertion.Issuer)
Attribute(com.sun.identity.saml2.assertion.Attribute)
NameID(com.sun.identity.saml2.assertion.NameID)
ArrayList(java.util.ArrayList)
AttributeAuthorityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.AttributeAuthorityDescriptorElement)
EncryptedID(com.sun.identity.saml2.assertion.EncryptedID)
Date(java.util.Date)
Subject(com.sun.identity.saml2.assertion.Subject)
ProtocolFactory(com.sun.identity.saml2.protocol.ProtocolFactory)
EncInfo(com.sun.identity.saml2.key.EncInfo)
AssertionFactory(com.sun.identity.saml2.assertion.AssertionFactory)
AttributeQuery(com.sun.identity.saml2.protocol.AttributeQuery)
List(java.util.List)
ArrayList(java.util.ArrayList)
Example 3 with AttributeQuery
use of com.sun.identity.saml2.protocol.AttributeQuery in project OpenAM by OpenRock.
the class AttributeQueryUtil method sendAttributeQuery.
/**
* Sends the <code>AttributeQuery</code> to specified
* attribute authority and returns <code>Response</code> coming
* from the attribute authority.
*
* @param attrQuery the <code>AttributeQuery</code> object
* @param request the HTTP Request
* @param response the HTTP Response
* @param attrAuthorityEntityID entity ID of attribute authority
* @param realm the realm of hosted entity
* @param attrQueryProfile the attribute query profile or null to ignore
* @param attrProfile the attribute profile
* @param binding the binding
*
* @exception SAML2Exception if the operation is not successful
*
* @supported.api
*/
public static void sendAttributeQuery(AttributeQuery attrQuery, HttpServletRequest request, HttpServletResponse response, String attrAuthorityEntityID, String realm, String attrQueryProfile, String attrProfile, String binding) throws SAML2Exception {
AttributeAuthorityDescriptorElement aad = null;
try {
aad = metaManager.getAttributeAuthorityDescriptor(realm, attrAuthorityEntityID);
} catch (SAML2MetaException sme) {
SAML2Utils.debug.error("AttributeQueryUtil.sendAttributeQuery:", sme);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
if (aad == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("attrAuthorityNotFound"));
}
if (binding == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
}
String location = findLocation(aad, binding, attrQueryProfile, attrProfile);
if (location == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("attrAuthorityNotFound"));
}
if (binding.equalsIgnoreCase(SAML2Constants.HTTP_POST)) {
signAttributeQuery(attrQuery, realm, false);
String encodedReqMsg = SAML2Utils.encodeForPOST(attrQuery.toXMLString(true, true));
SAML2Utils.postToTarget(request, response, "SAMLRequest", encodedReqMsg, null, null, location);
} else {
throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
}
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
AttributeAuthorityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.AttributeAuthorityDescriptorElement)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
Example 4 with AttributeQuery
use of com.sun.identity.saml2.protocol.AttributeQuery in project OpenAM by OpenRock.
the class AttributeQueryUtil method sendAttributeQuery.
/**
* Sends the <code>AttributeQuery</code> to specified
* attribute authority and returns <code>Response</code> coming
* from the attribute authority.
*
* @param attrQuery the <code>AttributeQuery</code> object
* @param attrAuthorityEntityID entity ID of attribute authority
* @param realm the realm of hosted entity
* @param attrQueryProfile the attribute query profile or null to ignore
* @param attrProfile the attribute profile
* @param binding the binding
*
* @return the <code>Response</code> object
* @exception SAML2Exception if the operation is not successful
*
* @supported.api
*/
public static Response sendAttributeQuery(AttributeQuery attrQuery, String attrAuthorityEntityID, String realm, String attrQueryProfile, String attrProfile, String binding) throws SAML2Exception {
AttributeAuthorityDescriptorElement aad = null;
try {
aad = metaManager.getAttributeAuthorityDescriptor(realm, attrAuthorityEntityID);
} catch (SAML2MetaException sme) {
SAML2Utils.debug.error("AttributeQueryUtil.sendAttributeQuery:", sme);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
if (aad == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("attrAuthorityNotFound"));
}
if (binding == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
}
String location = findLocation(aad, binding, attrQueryProfile, attrProfile);
if (location == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("attrAuthorityNotFound"));
}
if (binding.equalsIgnoreCase(SAML2Constants.SOAP)) {
signAttributeQuery(attrQuery, realm, false);
return sendAttributeQuerySOAP(attrQuery, location, attrAuthorityEntityID, aad);
} else {
throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
}
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
AttributeAuthorityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.AttributeAuthorityDescriptorElement)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
Example 5 with AttributeQuery
use of com.sun.identity.saml2.protocol.AttributeQuery in project OpenAM by OpenRock.
the class AttributeQueryUtil method verifyAttrQuerySignature.
/**
* Checks if the attribute query signature is valid.
*
* @param attrQuery attribute query
* @param attrAuthorityEntityID entity ID of attribute authority
* @param realm the realm of hosted entity
*
* @exception SAML2Exception if the attribute query signature is not valid.
*/
public static void verifyAttrQuerySignature(AttributeQuery attrQuery, String attrAuthorityEntityID, String realm) throws SAML2Exception {
if (!attrQuery.isSigned()) {
throw new SAML2Exception(SAML2Utils.bundle.getString("attrQueryNotSigned"));
}
String requestedEntityID = attrQuery.getIssuer().getValue();
AttributeQueryDescriptorElement attrqDesc = metaManager.getAttributeQueryDescriptor(realm, requestedEntityID);
if (attrqDesc == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("attrQueryIssuerNotFound"));
}
Set<X509Certificate> signingCerts = KeyUtil.getVerificationCerts(attrqDesc, requestedEntityID, SAML2Constants.ATTR_QUERY_ROLE);
if (!signingCerts.isEmpty()) {
boolean valid = attrQuery.isSignatureValid(signingCerts);
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("AttributeQueryUtil.verifyAttributeQuery: " + "Signature validity is : " + valid);
}
if (!valid) {
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignatureAttrQuery"));
}
} else {
throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
}
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
AttributeQueryDescriptorElement(com.sun.identity.saml2.jaxb.metadataextquery.AttributeQueryDescriptorElement)
X509Certificate(java.security.cert.X509Certificate)
Aggregations
SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)12
Issuer (com.sun.identity.saml2.assertion.Issuer)5
AttributeAuthorityDescriptorElement (com.sun.identity.saml2.jaxb.metadata.AttributeAuthorityDescriptorElement)5
ArrayList (java.util.ArrayList)5
List (java.util.List)5
Attribute (com.sun.identity.saml2.assertion.Attribute)4
EncryptedID (com.sun.identity.saml2.assertion.EncryptedID)4
Subject (com.sun.identity.saml2.assertion.Subject)4
Response (com.sun.identity.saml2.protocol.Response)4
HashMap (java.util.HashMap)4
HashSet (java.util.HashSet)4
Set (java.util.Set)4
HttpServletResponse (javax.servlet.http.HttpServletResponse)4
DataStoreProviderException (com.sun.identity.plugin.datastore.DataStoreProviderException)3
Assertion (com.sun.identity.saml2.assertion.Assertion)3
EncryptedAssertion (com.sun.identity.saml2.assertion.EncryptedAssertion)3
NameID (com.sun.identity.saml2.assertion.NameID)3
SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)3
AttributeQuery (com.sun.identity.saml2.protocol.AttributeQuery)3
X509Certificate (java.security.cert.X509Certificate)3
