use of net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringNameIDEncoder in project cas by apereo.
the class SamlProfileSamlNameIdBuilder method buildNameId.
/**
* Build name id.
* If there are no explicitly defined NameIDFormats, include the default format.
* see: http://saml2int.org/profile/current/#section92
*
* @param authnRequest the authn request
* @param assertion the assertion
* @param service the service
* @param adaptor the adaptor
* @return the name id
* @throws SamlException the saml exception
*/
private NameID buildNameId(final AuthnRequest authnRequest, final Assertion assertion, final SamlRegisteredService service, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor) throws SamlException {
final List<String> supportedNameFormats = adaptor.getSupportedNameIdFormats();
LOGGER.debug("Metadata for [{}] declares support for the following NameIDs [{}]", adaptor.getEntityId(), supportedNameFormats);
if (supportedNameFormats.isEmpty()) {
supportedNameFormats.add(NameIDType.TRANSIENT);
LOGGER.debug("No supported nameId formats could be determined from metadata. Added default [{}]", NameIDType.TRANSIENT);
}
if (StringUtils.isNotBlank(service.getRequiredNameIdFormat())) {
final String fmt = parseAndBuildRequiredNameIdFormat(service);
supportedNameFormats.add(0, fmt);
LOGGER.debug("Added required nameId format [{}] based on saml service configuration for [{}]", fmt, service.getServiceId());
}
String requiredNameFormat = null;
if (authnRequest.getNameIDPolicy() != null) {
requiredNameFormat = authnRequest.getNameIDPolicy().getFormat();
LOGGER.debug("AuthN request indicates [{}] is the required NameID format", requiredNameFormat);
if (NameID.ENCRYPTED.equals(requiredNameFormat)) {
LOGGER.warn("Encrypted NameID formats are not supported");
requiredNameFormat = null;
}
}
if (StringUtils.isNotBlank(requiredNameFormat) && !supportedNameFormats.contains(requiredNameFormat)) {
LOGGER.warn("Required NameID format [{}] in the AuthN request issued by [{}] is not supported based on the metadata for [{}]", requiredNameFormat, SamlIdPUtils.getIssuerFromSamlRequest(authnRequest), adaptor.getEntityId());
throw new SamlException("Required NameID format cannot be provided because it is not supported");
}
for (final String nameFormat : supportedNameFormats) {
try {
LOGGER.debug("Evaluating NameID format [{}]", nameFormat);
final SAML2StringNameIDEncoder encoder = new SAML2StringNameIDEncoder();
encoder.setNameFormat(nameFormat);
if (authnRequest.getNameIDPolicy() != null) {
final String qualifier = authnRequest.getNameIDPolicy().getSPNameQualifier();
LOGGER.debug("NameID qualifier is set to [{}]", qualifier);
encoder.setNameQualifier(qualifier);
}
final IdPAttribute attribute = new IdPAttribute(AttributePrincipal.class.getName());
final IdPAttributeValue<String> value = new StringAttributeValue(assertion.getPrincipal().getName());
LOGGER.debug("NameID attribute value is set to [{}]", assertion.getPrincipal().getName());
attribute.setValues(Collections.singletonList(value));
LOGGER.debug("Encoding NameID based on [{}]", nameFormat);
final NameID nameid = encoder.encode(attribute);
LOGGER.debug("Final NameID encoded is [{}] with value [{}]", nameid.getFormat(), nameid.getValue());
return nameid;
} catch (final Exception e) {
LOGGER.error(e.getMessage(), e);
}
}
return null;
}
Aggregations