Example 61 with CriteriaSet
use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project cas by apereo.
the class SamlRegisteredServiceDefaultCachingMetadataResolverTests method getCriteriaFor.
private static CriteriaSet getCriteriaFor(final String entityId) {
val criteriaSet1 = new CriteriaSet();
criteriaSet1.add(new EntityIdCriterion(entityId));
criteriaSet1.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
return criteriaSet1;
}
Also used :
lombok.val(lombok.val)
CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet)
EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion)
EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion)
Example 62 with CriteriaSet
use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project cas by apereo.
the class SamlIdPUtils method determineNameIdNameQualifier.
/**
* Determine name id name qualifier string.
*
* @param samlRegisteredService the saml registered service
* @param samlIdPMetadataResolver the saml id p metadata resolver
* @return the string
*/
public static String determineNameIdNameQualifier(final SamlRegisteredService samlRegisteredService, final MetadataResolver samlIdPMetadataResolver) {
if (StringUtils.isNotBlank(samlRegisteredService.getNameIdQualifier())) {
return samlRegisteredService.getNameIdQualifier();
}
val nameQualifier = FunctionUtils.doIf(StringUtils.isNotBlank(samlRegisteredService.getIssuerEntityId()), samlRegisteredService::getIssuerEntityId, Unchecked.supplier(() -> {
val criteriaSet = new CriteriaSet(new EvaluableEntityRoleEntityDescriptorCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME), new SamlIdPSamlRegisteredServiceCriterion(samlRegisteredService));
LOGGER.trace("Resolving entity id from SAML2 IdP metadata to determine issuer for [{}]", samlRegisteredService.getName());
val entityDescriptor = Objects.requireNonNull(samlIdPMetadataResolver.resolveSingle(criteriaSet));
return entityDescriptor.getEntityID();
})).get();
LOGGER.debug("Using name qualifier [{}] for the Name ID", nameQualifier);
return nameQualifier;
}
Also used :
lombok.val(lombok.val)
EvaluableEntityRoleEntityDescriptorCriterion(org.opensaml.saml.metadata.criteria.entity.impl.EvaluableEntityRoleEntityDescriptorCriterion)
SamlIdPSamlRegisteredServiceCriterion(org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPSamlRegisteredServiceCriterion)
CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet)
Example 63 with CriteriaSet
use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project verify-hub by alphagov.
the class IdpSingleSignOnServiceHelper method getSingleSignOn.
public URI getSingleSignOn(String entityId) {
EntityDescriptor idpEntityDescriptor;
try {
CriteriaSet criteria = new CriteriaSet(new EntityIdCriterion(entityId));
idpEntityDescriptor = metadataProvider.resolveSingle(criteria);
} catch (ResolverException e) {
LOG.log(Level.SEVERE, format("Exception when accessing metadata: {0}", e));
throw new RuntimeException(e);
}
if (idpEntityDescriptor != null) {
final IDPSSODescriptor idpssoDescriptor = idpEntityDescriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS);
final List<SingleSignOnService> singleSignOnServices = idpssoDescriptor.getSingleSignOnServices();
if (singleSignOnServices.isEmpty()) {
LOG.log(Level.SEVERE, format("No singleSignOnServices present for IDP entityId: {0}", entityId));
} else {
if (singleSignOnServices.size() > 1) {
LOG.log(Level.WARNING, format("More than one singleSignOnService present: {0} for {1}", singleSignOnServices.size(), entityId));
}
return URI.create(singleSignOnServices.get(0).getLocation());
}
}
throw ApplicationException.createUnauditedException(ExceptionType.NOT_FOUND, UUID.randomUUID(), new RuntimeException(format("no entity descriptor for IDP: {0}", entityId)));
}
Also used :
EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor)
ResolverException(net.shibboleth.utilities.java.support.resolver.ResolverException)
IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor)
CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet)
EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion)
SingleSignOnService(org.opensaml.saml.saml2.metadata.SingleSignOnService)
Example 64 with CriteriaSet
use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project verify-hub by alphagov.
the class HubAsIdpMetadataHandler method getMetadataAsAnIdentityProvider.
public HubIdentityProviderMetadataDto getMetadataAsAnIdentityProvider() {
URI hubFrontend = samlProxyConfiguration.getFrontendExternalUri();
SamlEndpointDto binding = new SamlEndpointDto(SamlEndpointDto.Binding.POST, URI.create(hubFrontend + SAML2_SSO_REQUEST_ENDPOINT));
Iterable<EntityDescriptor> entityDescriptors;
try {
CriteriaSet criteria = new CriteriaSet(new EntitiesDescriptorNameCriterion(hubFederationId));
entityDescriptors = metadataResolver.resolve(criteria);
LOG.info("Retrieved metadata from " + samlProxyConfiguration.getMetadataConfiguration().getUri());
} catch (ResolverException e) {
throw ApplicationException.createUnauditedException(ExceptionType.METADATA_PROVIDER_EXCEPTION, e.getMessage(), e);
}
final Iterable<EntityDescriptor> idpEntityDescriptors = StreamSupport.stream(entityDescriptors.spliterator(), false).filter(input -> input.getIDPSSODescriptor(SAMLConstants.SAML20P_NS) != null).collect(Collectors.toList());
final Iterable<EntityDescriptor> hubEntityDescriptors = StreamSupport.stream(entityDescriptors.spliterator(), false).filter(input -> input.getEntityID().equals(hubEntityId)).collect(Collectors.toList());
final Iterable<List<Certificate>> idpSigningCertificates = StreamSupport.stream(idpEntityDescriptors.spliterator(), false).map(this::getIDPSigningCertificates).collect(Collectors.toList());
final Iterable<Certificate> hubEncryptionCertificate = StreamSupport.stream(hubEntityDescriptors.spliterator(), false).map(this::getHubEncryptionCertificate).collect(Collectors.toList());
final Iterable<List<Certificate>> hubSigningCertificates = StreamSupport.stream(hubEntityDescriptors.spliterator(), false).map(this::getHubSigningCertificates).collect(Collectors.toList());
return new HubIdentityProviderMetadataDto(singletonList(binding), hubEntityId, organisationDto, Collections.emptySet(), ImmutableList.copyOf(Iterables.concat(idpSigningCertificates)), DateTime.now().plus(samlProxyConfiguration.getMetadataValidDuration().toMilliseconds()), ImmutableList.copyOf(Iterables.concat(hubSigningCertificates)), hubEncryptionCertificate.iterator().next());
}
Also used :
Iterables(com.google.common.collect.Iterables)
ExceptionType(uk.gov.ida.common.ExceptionType)
KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor)
Collections.singletonList(java.util.Collections.singletonList)
Inject(javax.inject.Inject)
HubIdentityProviderMetadataDto(uk.gov.ida.saml.metadata.domain.HubIdentityProviderMetadataDto)
ImmutableList(com.google.common.collect.ImmutableList)
StreamSupport(java.util.stream.StreamSupport)
Named(javax.inject.Named)
URI(java.net.URI)
SamlEndpointDto(uk.gov.ida.saml.metadata.domain.SamlEndpointDto)
SAMLConstants(org.opensaml.saml.common.xml.SAMLConstants)
ApplicationException(uk.gov.ida.exceptions.ApplicationException)
ResolverException(net.shibboleth.utilities.java.support.resolver.ResolverException)
UsageType(org.opensaml.security.credential.UsageType)
DateTime(org.joda.time.DateTime)
MetadataResolver(org.opensaml.saml.metadata.resolver.MetadataResolver)
OrganisationDto(uk.gov.ida.saml.metadata.domain.OrganisationDto)
Logger(java.util.logging.Logger)
Collectors(java.util.stream.Collectors)
List(java.util.List)
X509Certificate(org.opensaml.xmlsec.signature.X509Certificate)
X509Data(org.opensaml.xmlsec.signature.X509Data)
CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet)
EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor)
Collections(java.util.Collections)
Certificate(uk.gov.ida.common.shared.security.Certificate)
SamlProxyConfiguration(uk.gov.ida.hub.samlproxy.SamlProxyConfiguration)
EntitiesDescriptorNameCriterion(uk.gov.ida.saml.metadata.EntitiesDescriptorNameCriterion)
SAML2_SSO_REQUEST_ENDPOINT(uk.gov.ida.hub.samlproxy.Urls.FrontendUrls.SAML2_SSO_REQUEST_ENDPOINT)
SamlEndpointDto(uk.gov.ida.saml.metadata.domain.SamlEndpointDto)
ResolverException(net.shibboleth.utilities.java.support.resolver.ResolverException)
EntitiesDescriptorNameCriterion(uk.gov.ida.saml.metadata.EntitiesDescriptorNameCriterion)
URI(java.net.URI)
EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor)
HubIdentityProviderMetadataDto(uk.gov.ida.saml.metadata.domain.HubIdentityProviderMetadataDto)
CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet)
Collections.singletonList(java.util.Collections.singletonList)
ImmutableList(com.google.common.collect.ImmutableList)
List(java.util.List)
X509Certificate(org.opensaml.xmlsec.signature.X509Certificate)
Certificate(uk.gov.ida.common.shared.security.Certificate)
Example 65 with CriteriaSet
use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project spring-security by spring-projects.
the class OpenSamlSigningUtils method resolveSigningParameters.
private static SignatureSigningParameters resolveSigningParameters(RelyingPartyRegistration relyingPartyRegistration) {
List<Credential> credentials = resolveSigningCredentials(relyingPartyRegistration);
List<String> algorithms = relyingPartyRegistration.getAssertingPartyDetails().getSigningAlgorithms();
List<String> digests = Collections.singletonList(SignatureConstants.ALGO_ID_DIGEST_SHA256);
String canonicalization = SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS;
SignatureSigningParametersResolver resolver = new SAMLMetadataSignatureSigningParametersResolver();
CriteriaSet criteria = new CriteriaSet();
BasicSignatureSigningConfiguration signingConfiguration = new BasicSignatureSigningConfiguration();
signingConfiguration.setSigningCredentials(credentials);
signingConfiguration.setSignatureAlgorithms(algorithms);
signingConfiguration.setSignatureReferenceDigestMethods(digests);
signingConfiguration.setSignatureCanonicalizationAlgorithm(canonicalization);
signingConfiguration.setKeyInfoGeneratorManager(buildSignatureKeyInfoGeneratorManager());
criteria.add(new SignatureSigningConfigurationCriterion(signingConfiguration));
try {
SignatureSigningParameters parameters = resolver.resolveSingle(criteria);
Assert.notNull(parameters, "Failed to resolve any signing credential");
return parameters;
} catch (Exception ex) {
throw new Saml2Exception(ex);
}
}
Also used :
BasicCredential(org.opensaml.security.credential.BasicCredential)
Credential(org.opensaml.security.credential.Credential)
Saml2X509Credential(org.springframework.security.saml2.core.Saml2X509Credential)
SAMLMetadataSignatureSigningParametersResolver(org.opensaml.saml.security.impl.SAMLMetadataSignatureSigningParametersResolver)
SignatureSigningParametersResolver(org.opensaml.xmlsec.SignatureSigningParametersResolver)
SignatureSigningParameters(org.opensaml.xmlsec.SignatureSigningParameters)
SAMLMetadataSignatureSigningParametersResolver(org.opensaml.saml.security.impl.SAMLMetadataSignatureSigningParametersResolver)
CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet)
SignatureSigningConfigurationCriterion(org.opensaml.xmlsec.criterion.SignatureSigningConfigurationCriterion)
Saml2Exception(org.springframework.security.saml2.Saml2Exception)
BasicSignatureSigningConfiguration(org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration)
MarshallingException(org.opensaml.core.xml.io.MarshallingException)
SecurityException(org.opensaml.security.SecurityException)
Saml2Exception(org.springframework.security.saml2.Saml2Exception)
Aggregations
CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet)68
lombok.val (lombok.val)44
EntityIdCriterion (org.opensaml.core.criterion.EntityIdCriterion)40
EntityRoleCriterion (org.opensaml.saml.criterion.EntityRoleCriterion)28
SamlRegisteredService (org.apereo.cas.support.saml.services.SamlRegisteredService)18
Test (org.junit.jupiter.api.Test)16
UsageCriterion (org.opensaml.security.criteria.UsageCriterion)11
SamlIdPProperties (org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties)10
EntityDescriptor (org.opensaml.saml.saml2.metadata.EntityDescriptor)10
ArrayList (java.util.ArrayList)9
SignatureSigningConfigurationCriterion (org.opensaml.xmlsec.criterion.SignatureSigningConfigurationCriterion)9
MetadataResolver (org.opensaml.saml.metadata.resolver.MetadataResolver)8
SAMLMetadataSignatureSigningParametersResolver (org.opensaml.saml.security.impl.SAMLMetadataSignatureSigningParametersResolver)8
SneakyThrows (lombok.SneakyThrows)7
StringUtils (org.apache.commons.lang3.StringUtils)7
SignatureSigningParameters (org.opensaml.xmlsec.SignatureSigningParameters)7
FileSystemResource (org.springframework.core.io.FileSystemResource)7
SamlException (org.apereo.cas.support.saml.SamlException)6
EvaluableEntityRoleEntityDescriptorCriterion (org.opensaml.saml.metadata.criteria.entity.impl.EvaluableEntityRoleEntityDescriptorCriterion)6
Credential (org.opensaml.security.credential.Credential)6
