Search in sources :

Example 1 with SAMLProviderMetadata

use of org.apache.cloudstack.saml.SAMLProviderMetadata in project cloudstack by apache.

the class SAML2LoginAPIAuthenticatorCmd method authenticate.

@Override
public String authenticate(final String command, final Map<String, Object[]> params, final HttpSession session, final InetAddress remoteAddress, final String responseType, final StringBuilder auditTrailSb, final HttpServletRequest req, final HttpServletResponse resp) throws ServerApiException {
    try {
        if (!params.containsKey(SAMLPluginConstants.SAML_RESPONSE) && !params.containsKey("SAMLart")) {
            String idpId = null;
            String domainPath = null;
            if (params.containsKey(ApiConstants.IDP_ID)) {
                idpId = ((String[]) params.get(ApiConstants.IDP_ID))[0];
            }
            if (params.containsKey(ApiConstants.DOMAIN)) {
                domainPath = ((String[]) params.get(ApiConstants.DOMAIN))[0];
            }
            if (domainPath != null && !domainPath.isEmpty()) {
                if (!domainPath.startsWith("/")) {
                    domainPath = "/" + domainPath;
                }
                if (!domainPath.endsWith("/")) {
                    domainPath = domainPath + "/";
                }
            }
            SAMLProviderMetadata spMetadata = _samlAuthManager.getSPMetadata();
            SAMLProviderMetadata idpMetadata = _samlAuthManager.getIdPMetadata(idpId);
            if (idpMetadata == null) {
                throw new ServerApiException(ApiErrorCode.PARAM_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.PARAM_ERROR.getHttpCode(), "IdP ID (" + idpId + ") is not found in our list of supported IdPs, cannot proceed.", params, responseType));
            }
            if (idpMetadata.getSsoUrl() == null || idpMetadata.getSsoUrl().isEmpty()) {
                throw new ServerApiException(ApiErrorCode.PARAM_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.PARAM_ERROR.getHttpCode(), "IdP ID (" + idpId + ") has no Single Sign On URL defined please contact " + idpMetadata.getContactPersonName() + " <" + idpMetadata.getContactPersonEmail() + ">, cannot proceed.", params, responseType));
            }
            String authnId = SAMLUtils.generateSecureRandomId();
            _samlAuthManager.saveToken(authnId, domainPath, idpMetadata.getEntityId());
            s_logger.debug("Sending SAMLRequest id=" + authnId);
            String redirectUrl = SAMLUtils.buildAuthnRequestUrl(authnId, spMetadata, idpMetadata, SAML2AuthManager.SAMLSignatureAlgorithm.value());
            resp.sendRedirect(redirectUrl);
            return "";
        }
        if (params.containsKey("SAMLart")) {
            throw new ServerApiException(ApiErrorCode.UNSUPPORTED_ACTION_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.UNSUPPORTED_ACTION_ERROR.getHttpCode(), "SAML2 HTTP Artifact Binding is not supported", params, responseType));
        } else {
            final String samlResponse = ((String[]) params.get(SAMLPluginConstants.SAML_RESPONSE))[0];
            Response processedSAMLResponse = this.processSAMLResponse(samlResponse);
            String statusCode = processedSAMLResponse.getStatus().getStatusCode().getValue();
            if (!statusCode.equals(StatusCode.SUCCESS_URI)) {
                throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "Identity Provider send a non-successful authentication status code", params, responseType));
            }
            String username = null;
            Issuer issuer = processedSAMLResponse.getIssuer();
            SAMLProviderMetadata spMetadata = _samlAuthManager.getSPMetadata();
            SAMLProviderMetadata idpMetadata = _samlAuthManager.getIdPMetadata(issuer.getValue());
            String responseToId = processedSAMLResponse.getInResponseTo();
            s_logger.debug("Received SAMLResponse in response to id=" + responseToId);
            SAMLTokenVO token = _samlAuthManager.getToken(responseToId);
            if (token != null) {
                if (!(token.getEntity().equalsIgnoreCase(issuer.getValue()))) {
                    throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "The SAML response contains Issuer Entity ID that is different from the original SAML request", params, responseType));
                }
            } else {
                throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "Received SAML response for a SSO request that we may not have made or has expired, please try logging in again", params, responseType));
            }
            // Set IdpId for this session
            session.setAttribute(SAMLPluginConstants.SAML_IDPID, issuer.getValue());
            Signature sig = processedSAMLResponse.getSignature();
            if (idpMetadata.getSigningCertificate() != null && sig != null) {
                BasicX509Credential credential = new BasicX509Credential();
                credential.setEntityCertificate(idpMetadata.getSigningCertificate());
                SignatureValidator validator = new SignatureValidator(credential);
                try {
                    validator.validate(sig);
                } catch (ValidationException e) {
                    s_logger.error("SAML Response's signature failed to be validated by IDP signing key:" + e.getMessage());
                    throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "SAML Response's signature failed to be validated by IDP signing key", params, responseType));
                }
            }
            if (username == null) {
                username = SAMLUtils.getValueFromAssertions(processedSAMLResponse.getAssertions(), SAML2AuthManager.SAMLUserAttributeName.value());
            }
            for (Assertion assertion : processedSAMLResponse.getAssertions()) {
                if (assertion != null && assertion.getSubject() != null && assertion.getSubject().getNameID() != null) {
                    session.setAttribute(SAMLPluginConstants.SAML_NAMEID, assertion.getSubject().getNameID().getValue());
                    break;
                }
            }
            if (idpMetadata.getEncryptionCertificate() != null && spMetadata != null && spMetadata.getKeyPair() != null && spMetadata.getKeyPair().getPrivate() != null) {
                Credential credential = SecurityHelper.getSimpleCredential(idpMetadata.getEncryptionCertificate().getPublicKey(), spMetadata.getKeyPair().getPrivate());
                StaticKeyInfoCredentialResolver keyInfoResolver = new StaticKeyInfoCredentialResolver(credential);
                EncryptedKeyResolver keyResolver = new InlineEncryptedKeyResolver();
                Decrypter decrypter = new Decrypter(null, keyInfoResolver, keyResolver);
                decrypter.setRootInNewDocument(true);
                List<EncryptedAssertion> encryptedAssertions = processedSAMLResponse.getEncryptedAssertions();
                if (encryptedAssertions != null) {
                    for (EncryptedAssertion encryptedAssertion : encryptedAssertions) {
                        Assertion assertion = null;
                        try {
                            assertion = decrypter.decrypt(encryptedAssertion);
                        } catch (DecryptionException e) {
                            s_logger.warn("SAML EncryptedAssertion error: " + e.toString());
                        }
                        if (assertion == null) {
                            continue;
                        }
                        Signature encSig = assertion.getSignature();
                        if (idpMetadata.getSigningCertificate() != null && encSig != null) {
                            BasicX509Credential sigCredential = new BasicX509Credential();
                            sigCredential.setEntityCertificate(idpMetadata.getSigningCertificate());
                            SignatureValidator validator = new SignatureValidator(sigCredential);
                            try {
                                validator.validate(encSig);
                            } catch (ValidationException e) {
                                s_logger.error("SAML Response's signature failed to be validated by IDP signing key:" + e.getMessage());
                                throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "SAML Response's signature failed to be validated by IDP signing key", params, responseType));
                            }
                        }
                        if (assertion.getSubject() != null && assertion.getSubject().getNameID() != null) {
                            session.setAttribute(SAMLPluginConstants.SAML_NAMEID, assertion.getSubject().getNameID().getValue());
                        }
                        if (username == null) {
                            username = SAMLUtils.getValueFromAttributeStatements(assertion.getAttributeStatements(), SAML2AuthManager.SAMLUserAttributeName.value());
                        }
                    }
                }
            }
            if (username == null) {
                throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "Failed to find admin configured username attribute in the SAML Response. Please ask your administrator to check SAML user attribute name.", params, responseType));
            }
            UserAccount userAccount = null;
            List<UserAccountVO> possibleUserAccounts = _userAccountDao.getAllUsersByNameAndEntity(username, issuer.getValue());
            if (possibleUserAccounts != null && possibleUserAccounts.size() > 0) {
                // Users can switch to other allowed accounts later
                for (UserAccountVO possibleUserAccount : possibleUserAccounts) {
                    if (possibleUserAccount.getAccountState().equals(Account.State.enabled.toString())) {
                        userAccount = possibleUserAccount;
                        break;
                    }
                }
            }
            if (userAccount == null || userAccount.getExternalEntity() == null || !_samlAuthManager.isUserAuthorized(userAccount.getId(), issuer.getValue())) {
                throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "Your authenticated user is not authorized for SAML Single Sign-On, please contact your administrator", params, responseType));
            }
            try {
                if (_apiServer.verifyUser(userAccount.getId())) {
                    LoginCmdResponse loginResponse = (LoginCmdResponse) _apiServer.loginUser(session, userAccount.getUsername(), userAccount.getUsername() + userAccount.getSource().toString(), userAccount.getDomainId(), null, remoteAddress, params);
                    SAMLUtils.setupSamlUserCookies(loginResponse, resp);
                    resp.sendRedirect(SAML2AuthManager.SAMLCloudStackRedirectionUrl.value());
                    return ApiResponseSerializer.toSerializedString(loginResponse, responseType);
                }
            } catch (CloudAuthenticationException | IOException exception) {
                s_logger.debug("SAML Login failed to log in the user due to: " + exception.getMessage());
            }
        }
    } catch (IOException e) {
        auditTrailSb.append("SP initiated SAML authentication using HTTP redirection failed:");
        auditTrailSb.append(e.getMessage());
    }
    throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "Unable to authenticate user while performing SAML based SSO. Please make sure your user/account has been added, enable and authorized by the admin before you can authenticate. Please contact your administrator.", params, responseType));
}
Also used : ValidationException(org.opensaml.xml.validation.ValidationException) Issuer(org.opensaml.saml2.core.Issuer) SAMLTokenVO(org.apache.cloudstack.saml.SAMLTokenVO) CloudAuthenticationException(com.cloud.exception.CloudAuthenticationException) StaticKeyInfoCredentialResolver(org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver) ServerApiException(org.apache.cloudstack.api.ServerApiException) SAMLProviderMetadata(org.apache.cloudstack.saml.SAMLProviderMetadata) BasicX509Credential(org.opensaml.xml.security.x509.BasicX509Credential) Credential(org.opensaml.xml.security.credential.Credential) Assertion(org.opensaml.saml2.core.Assertion) EncryptedAssertion(org.opensaml.saml2.core.EncryptedAssertion) Decrypter(org.opensaml.saml2.encryption.Decrypter) IOException(java.io.IOException) LoginCmdResponse(org.apache.cloudstack.api.response.LoginCmdResponse) Response(org.opensaml.saml2.core.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) UserAccountVO(com.cloud.user.UserAccountVO) BasicX509Credential(org.opensaml.xml.security.x509.BasicX509Credential) EncryptedAssertion(org.opensaml.saml2.core.EncryptedAssertion) Signature(org.opensaml.xml.signature.Signature) SignatureValidator(org.opensaml.xml.signature.SignatureValidator) InlineEncryptedKeyResolver(org.opensaml.xml.encryption.InlineEncryptedKeyResolver) DecryptionException(org.opensaml.xml.encryption.DecryptionException) UserAccount(com.cloud.user.UserAccount) LoginCmdResponse(org.apache.cloudstack.api.response.LoginCmdResponse) InlineEncryptedKeyResolver(org.opensaml.xml.encryption.InlineEncryptedKeyResolver) EncryptedKeyResolver(org.opensaml.xml.encryption.EncryptedKeyResolver)

Example 2 with SAMLProviderMetadata

use of org.apache.cloudstack.saml.SAMLProviderMetadata in project cloudstack by apache.

the class GetServiceProviderMetaDataCmdTest method testAuthenticate.

@Test
public void testAuthenticate() throws NoSuchFieldException, SecurityException, IllegalArgumentException, IllegalAccessException, CertificateParsingException, CertificateEncodingException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException, UnknownHostException {
    GetServiceProviderMetaDataCmd cmd = new GetServiceProviderMetaDataCmd();
    Field apiServerField = GetServiceProviderMetaDataCmd.class.getDeclaredField("_apiServer");
    apiServerField.setAccessible(true);
    apiServerField.set(cmd, apiServer);
    Field managerField = GetServiceProviderMetaDataCmd.class.getDeclaredField("_samlAuthManager");
    managerField.setAccessible(true);
    managerField.set(cmd, samlAuthManager);
    String spId = "someSPID";
    String url = "someUrl";
    KeyPair kp = SAMLUtils.generateRandomKeyPair();
    X509Certificate cert = SAMLUtils.generateRandomX509Certificate(kp);
    SAMLProviderMetadata providerMetadata = new SAMLProviderMetadata();
    providerMetadata.setEntityId("random");
    providerMetadata.setSigningCertificate(cert);
    providerMetadata.setEncryptionCertificate(cert);
    providerMetadata.setKeyPair(kp);
    providerMetadata.setSsoUrl("http://test.local");
    providerMetadata.setSloUrl("http://test.local");
    Mockito.when(samlAuthManager.getSPMetadata()).thenReturn(providerMetadata);
    String result = cmd.authenticate("command", null, session, InetAddress.getByName("127.0.0.1"), HttpUtils.RESPONSE_TYPE_JSON, new StringBuilder(), req, resp);
    Assert.assertTrue(result.contains("md:EntityDescriptor"));
}
Also used : Field(java.lang.reflect.Field) KeyPair(java.security.KeyPair) SAMLProviderMetadata(org.apache.cloudstack.saml.SAMLProviderMetadata) GetServiceProviderMetaDataCmd(org.apache.cloudstack.api.command.GetServiceProviderMetaDataCmd) X509Certificate(java.security.cert.X509Certificate) Test(org.junit.Test)

Example 3 with SAMLProviderMetadata

use of org.apache.cloudstack.saml.SAMLProviderMetadata in project cloudstack by apache.

the class SAML2LoginAPIAuthenticatorCmdTest method testAuthenticate.

@Test
public void testAuthenticate() throws Exception {
    SAML2LoginAPIAuthenticatorCmd cmd = Mockito.spy(new SAML2LoginAPIAuthenticatorCmd());
    Field apiServerField = SAML2LoginAPIAuthenticatorCmd.class.getDeclaredField("_apiServer");
    apiServerField.setAccessible(true);
    apiServerField.set(cmd, apiServer);
    Field managerField = SAML2LoginAPIAuthenticatorCmd.class.getDeclaredField("_samlAuthManager");
    managerField.setAccessible(true);
    managerField.set(cmd, samlAuthManager);
    Field accountServiceField = BaseCmd.class.getDeclaredField("_accountService");
    accountServiceField.setAccessible(true);
    accountServiceField.set(cmd, accountService);
    Field domainMgrField = SAML2LoginAPIAuthenticatorCmd.class.getDeclaredField("_domainMgr");
    domainMgrField.setAccessible(true);
    domainMgrField.set(cmd, domainMgr);
    Field userAccountDaoField = SAML2LoginAPIAuthenticatorCmd.class.getDeclaredField("_userAccountDao");
    userAccountDaoField.setAccessible(true);
    userAccountDaoField.set(cmd, userAccountDao);
    KeyPair kp = SAMLUtils.generateRandomKeyPair();
    X509Certificate cert = SAMLUtils.generateRandomX509Certificate(kp);
    SAMLProviderMetadata providerMetadata = new SAMLProviderMetadata();
    providerMetadata.setEntityId("random");
    providerMetadata.setSigningCertificate(cert);
    providerMetadata.setEncryptionCertificate(cert);
    providerMetadata.setKeyPair(kp);
    providerMetadata.setSsoUrl("http://test.local");
    providerMetadata.setSloUrl("http://test.local");
    Mockito.when(session.getAttribute(Mockito.anyString())).thenReturn(null);
    Mockito.when(domain.getId()).thenReturn(1L);
    Mockito.when(domainMgr.getDomain(Mockito.anyString())).thenReturn(domain);
    UserAccountVO user = new UserAccountVO();
    user.setId(1000L);
    Mockito.when(userAccountDao.getUserAccount(Mockito.anyString(), Mockito.anyLong())).thenReturn(user);
    Mockito.when(apiServer.verifyUser(Mockito.anyLong())).thenReturn(false);
    Mockito.when(samlAuthManager.getSPMetadata()).thenReturn(providerMetadata);
    Mockito.when(samlAuthManager.getIdPMetadata(Mockito.anyString())).thenReturn(providerMetadata);
    Map<String, Object[]> params = new HashMap<String, Object[]>();
    // SSO redirection test
    cmd.authenticate("command", params, session, InetAddress.getByName("127.0.0.1"), HttpUtils.RESPONSE_TYPE_JSON, new StringBuilder(), req, resp);
    Mockito.verify(resp, Mockito.times(1)).sendRedirect(Mockito.anyString());
    // SSO SAMLResponse verification test, this should throw ServerApiException for auth failure
    params.put(SAMLPluginConstants.SAML_RESPONSE, new String[] { "Some String" });
    Mockito.stub(cmd.processSAMLResponse(Mockito.anyString())).toReturn(buildMockResponse());
    boolean failing = true;
    try {
        cmd.authenticate("command", params, session, InetAddress.getByName("127.0.0.1"), HttpUtils.RESPONSE_TYPE_JSON, new StringBuilder(), req, resp);
    } catch (ServerApiException ignored) {
        failing = false;
    }
    assertFalse("authentication should not have succeeded", failing);
    Mockito.verify(userAccountDao, Mockito.times(0)).getUserAccount(Mockito.anyString(), Mockito.anyLong());
    Mockito.verify(apiServer, Mockito.times(0)).verifyUser(Mockito.anyLong());
}
Also used : KeyPair(java.security.KeyPair) HashMap(java.util.HashMap) X509Certificate(java.security.cert.X509Certificate) Field(java.lang.reflect.Field) UserAccountVO(com.cloud.user.UserAccountVO) ServerApiException(org.apache.cloudstack.api.ServerApiException) SAMLProviderMetadata(org.apache.cloudstack.saml.SAMLProviderMetadata) Test(org.junit.Test)

Example 4 with SAMLProviderMetadata

use of org.apache.cloudstack.saml.SAMLProviderMetadata in project cloudstack by apache.

the class GetServiceProviderMetaDataCmd method authenticate.

@Override
public String authenticate(String command, Map<String, Object[]> params, HttpSession session, InetAddress remoteAddress, String responseType, StringBuilder auditTrailSb, final HttpServletRequest req, final HttpServletResponse resp) throws ServerApiException {
    SAMLMetaDataResponse response = new SAMLMetaDataResponse();
    response.setResponseName(getCommandName());
    try {
        DefaultBootstrap.bootstrap();
    } catch (ConfigurationException | FactoryConfigurationError e) {
        s_logger.error("OpenSAML Bootstrapping error: " + e.getMessage());
        throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "OpenSAML Bootstrapping error while creating SP MetaData", params, responseType));
    }
    final SAMLProviderMetadata spMetadata = _samlAuthManager.getSPMetadata();
    EntityDescriptor spEntityDescriptor = new EntityDescriptorBuilder().buildObject();
    spEntityDescriptor.setEntityID(spMetadata.getEntityId());
    SPSSODescriptor spSSODescriptor = new SPSSODescriptorBuilder().buildObject();
    spSSODescriptor.setWantAssertionsSigned(true);
    spSSODescriptor.setAuthnRequestsSigned(true);
    X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
    keyInfoGeneratorFactory.setEmitEntityCertificate(true);
    KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
    KeyDescriptor signKeyDescriptor = new KeyDescriptorBuilder().buildObject();
    signKeyDescriptor.setUse(UsageType.SIGNING);
    KeyDescriptor encKeyDescriptor = new KeyDescriptorBuilder().buildObject();
    encKeyDescriptor.setUse(UsageType.ENCRYPTION);
    BasicX509Credential signingCredential = new BasicX509Credential();
    signingCredential.setEntityCertificate(spMetadata.getSigningCertificate());
    BasicX509Credential encryptionCredential = new BasicX509Credential();
    encryptionCredential.setEntityCertificate(spMetadata.getEncryptionCertificate());
    try {
        signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(signingCredential));
        encKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(encryptionCredential));
        spSSODescriptor.getKeyDescriptors().add(signKeyDescriptor);
        spSSODescriptor.getKeyDescriptors().add(encKeyDescriptor);
    } catch (SecurityException e) {
        s_logger.warn("Unable to add SP X509 descriptors:" + e.getMessage());
    }
    NameIDFormat nameIDFormat = new NameIDFormatBuilder().buildObject();
    nameIDFormat.setFormat(NameIDType.PERSISTENT);
    spSSODescriptor.getNameIDFormats().add(nameIDFormat);
    NameIDFormat emailNameIDFormat = new NameIDFormatBuilder().buildObject();
    emailNameIDFormat.setFormat(NameIDType.EMAIL);
    spSSODescriptor.getNameIDFormats().add(emailNameIDFormat);
    NameIDFormat transientNameIDFormat = new NameIDFormatBuilder().buildObject();
    transientNameIDFormat.setFormat(NameIDType.TRANSIENT);
    spSSODescriptor.getNameIDFormats().add(transientNameIDFormat);
    AssertionConsumerService assertionConsumerService = new AssertionConsumerServiceBuilder().buildObject();
    assertionConsumerService.setIndex(1);
    assertionConsumerService.setIsDefault(true);
    assertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
    assertionConsumerService.setLocation(spMetadata.getSsoUrl());
    spSSODescriptor.getAssertionConsumerServices().add(assertionConsumerService);
    AssertionConsumerService assertionConsumerService2 = new AssertionConsumerServiceBuilder().buildObject();
    assertionConsumerService2.setIndex(2);
    assertionConsumerService2.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
    assertionConsumerService2.setLocation(spMetadata.getSsoUrl());
    spSSODescriptor.getAssertionConsumerServices().add(assertionConsumerService2);
    SingleLogoutService ssoService = new SingleLogoutServiceBuilder().buildObject();
    ssoService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
    ssoService.setLocation(spMetadata.getSloUrl());
    spSSODescriptor.getSingleLogoutServices().add(ssoService);
    SingleLogoutService ssoService2 = new SingleLogoutServiceBuilder().buildObject();
    ssoService2.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
    ssoService2.setLocation(spMetadata.getSloUrl());
    spSSODescriptor.getSingleLogoutServices().add(ssoService2);
    spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
    spEntityDescriptor.getRoleDescriptors().add(spSSODescriptor);
    // Add technical contact
    GivenName givenName = new GivenNameBuilder().buildObject();
    givenName.setName(spMetadata.getContactPersonName());
    EmailAddress emailAddress = new EmailAddressBuilder().buildObject();
    emailAddress.setAddress(spMetadata.getContactPersonEmail());
    ContactPerson contactPerson = new ContactPersonBuilder().buildObject();
    contactPerson.setType(ContactPersonTypeEnumeration.TECHNICAL);
    contactPerson.setGivenName(givenName);
    contactPerson.getEmailAddresses().add(emailAddress);
    spEntityDescriptor.getContactPersons().add(contactPerson);
    // Add administrative/support contact
    GivenName givenNameAdmin = new GivenNameBuilder().buildObject();
    givenNameAdmin.setName(spMetadata.getContactPersonName());
    EmailAddress emailAddressAdmin = new EmailAddressBuilder().buildObject();
    emailAddressAdmin.setAddress(spMetadata.getContactPersonEmail());
    ContactPerson contactPersonAdmin = new ContactPersonBuilder().buildObject();
    contactPersonAdmin.setType(ContactPersonTypeEnumeration.ADMINISTRATIVE);
    contactPersonAdmin.setGivenName(givenNameAdmin);
    contactPersonAdmin.getEmailAddresses().add(emailAddressAdmin);
    spEntityDescriptor.getContactPersons().add(contactPersonAdmin);
    Organization organization = new OrganizationBuilder().buildObject();
    OrganizationName organizationName = new OrganizationNameBuilder().buildObject();
    organizationName.setName(new LocalizedString(spMetadata.getOrganizationName(), Locale.getDefault().getLanguage()));
    OrganizationURL organizationURL = new OrganizationURLBuilder().buildObject();
    organizationURL.setURL(new LocalizedString(spMetadata.getOrganizationUrl(), Locale.getDefault().getLanguage()));
    organization.getOrganizationNames().add(organizationName);
    organization.getURLs().add(organizationURL);
    spEntityDescriptor.setOrganization(organization);
    StringWriter stringWriter = new StringWriter();
    try {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document document = builder.newDocument();
        Marshaller out = Configuration.getMarshallerFactory().getMarshaller(spEntityDescriptor);
        out.marshall(spEntityDescriptor, document);
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        StreamResult streamResult = new StreamResult(stringWriter);
        DOMSource source = new DOMSource(document);
        transformer.transform(source, streamResult);
        stringWriter.close();
        response.setMetadata(stringWriter.toString());
    } catch (ParserConfigurationException | IOException | MarshallingException | TransformerException e) {
        if (responseType.equals(HttpUtils.JSON_CONTENT_TYPE)) {
            response.setMetadata("Error creating Service Provider MetaData XML: " + e.getMessage());
        } else {
            return "Error creating Service Provider MetaData XML: " + e.getMessage();
        }
    }
    // For JSON type return serialized response object
    if (responseType.equals(HttpUtils.RESPONSE_TYPE_JSON)) {
        return ApiResponseSerializer.toSerializedString(response, responseType);
    }
    // For other response types return XML
    return stringWriter.toString();
}
Also used : OrganizationName(org.opensaml.saml2.metadata.OrganizationName) EmailAddressBuilder(org.opensaml.saml2.metadata.impl.EmailAddressBuilder) DOMSource(javax.xml.transform.dom.DOMSource) SAMLMetaDataResponse(org.apache.cloudstack.api.response.SAMLMetaDataResponse) Organization(org.opensaml.saml2.metadata.Organization) OrganizationNameBuilder(org.opensaml.saml2.metadata.impl.OrganizationNameBuilder) DocumentBuilderFactory(javax.xml.parsers.DocumentBuilderFactory) Transformer(javax.xml.transform.Transformer) SPSSODescriptorBuilder(org.opensaml.saml2.metadata.impl.SPSSODescriptorBuilder) KeyDescriptor(org.opensaml.saml2.metadata.KeyDescriptor) GivenName(org.opensaml.saml2.metadata.GivenName) NameIDFormatBuilder(org.opensaml.saml2.metadata.impl.NameIDFormatBuilder) LocalizedString(org.opensaml.saml2.metadata.LocalizedString) Document(org.w3c.dom.Document) EntityDescriptorBuilder(org.opensaml.saml2.metadata.impl.EntityDescriptorBuilder) ContactPerson(org.opensaml.saml2.metadata.ContactPerson) SPSSODescriptor(org.opensaml.saml2.metadata.SPSSODescriptor) KeyInfoGenerator(org.opensaml.xml.security.keyinfo.KeyInfoGenerator) ServerApiException(org.apache.cloudstack.api.ServerApiException) StringWriter(java.io.StringWriter) MarshallingException(org.opensaml.xml.io.MarshallingException) ParserConfigurationException(javax.xml.parsers.ParserConfigurationException) ConfigurationException(org.opensaml.xml.ConfigurationException) SingleLogoutServiceBuilder(org.opensaml.saml2.metadata.impl.SingleLogoutServiceBuilder) AssertionConsumerService(org.opensaml.saml2.metadata.AssertionConsumerService) OrganizationBuilder(org.opensaml.saml2.metadata.impl.OrganizationBuilder) ParserConfigurationException(javax.xml.parsers.ParserConfigurationException) SAMLProviderMetadata(org.apache.cloudstack.saml.SAMLProviderMetadata) FactoryConfigurationError(javax.xml.stream.FactoryConfigurationError) GivenNameBuilder(org.opensaml.saml2.metadata.impl.GivenNameBuilder) TransformerException(javax.xml.transform.TransformerException) X509KeyInfoGeneratorFactory(org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory) Marshaller(org.opensaml.xml.io.Marshaller) OrganizationURLBuilder(org.opensaml.saml2.metadata.impl.OrganizationURLBuilder) StreamResult(javax.xml.transform.stream.StreamResult) SingleLogoutService(org.opensaml.saml2.metadata.SingleLogoutService) AssertionConsumerServiceBuilder(org.opensaml.saml2.metadata.impl.AssertionConsumerServiceBuilder) SecurityException(org.opensaml.xml.security.SecurityException) IOException(java.io.IOException) EmailAddress(org.opensaml.saml2.metadata.EmailAddress) ContactPersonBuilder(org.opensaml.saml2.metadata.impl.ContactPersonBuilder) EntityDescriptor(org.opensaml.saml2.metadata.EntityDescriptor) NameIDFormat(org.opensaml.saml2.metadata.NameIDFormat) BasicX509Credential(org.opensaml.xml.security.x509.BasicX509Credential) DocumentBuilder(javax.xml.parsers.DocumentBuilder) KeyDescriptorBuilder(org.opensaml.saml2.metadata.impl.KeyDescriptorBuilder) OrganizationURL(org.opensaml.saml2.metadata.OrganizationURL)

Example 5 with SAMLProviderMetadata

use of org.apache.cloudstack.saml.SAMLProviderMetadata in project cloudstack by apache.

the class ListIdpsCmd method authenticate.

@Override
public String authenticate(String command, Map<String, Object[]> params, HttpSession session, InetAddress remoteAddress, String responseType, StringBuilder auditTrailSb, HttpServletRequest req, HttpServletResponse resp) throws ServerApiException {
    ListResponse<IdpResponse> response = new ListResponse<IdpResponse>();
    List<IdpResponse> idpResponseList = new ArrayList<IdpResponse>();
    for (SAMLProviderMetadata metadata : _samlAuthManager.getAllIdPMetadata()) {
        if (metadata == null) {
            continue;
        }
        IdpResponse idpResponse = new IdpResponse();
        idpResponse.setId(metadata.getEntityId());
        if (metadata.getOrganizationName() == null || metadata.getOrganizationName().isEmpty()) {
            idpResponse.setOrgName(metadata.getEntityId());
        } else {
            idpResponse.setOrgName(metadata.getOrganizationName());
        }
        idpResponse.setOrgUrl(metadata.getOrganizationUrl());
        idpResponse.setObjectName("idp");
        idpResponseList.add(idpResponse);
    }
    response.setResponses(idpResponseList, idpResponseList.size());
    response.setResponseName(getCommandName());
    return ApiResponseSerializer.toSerializedString(response, responseType);
}
Also used : ListResponse(org.apache.cloudstack.api.response.ListResponse) ArrayList(java.util.ArrayList) SAMLProviderMetadata(org.apache.cloudstack.saml.SAMLProviderMetadata) IdpResponse(org.apache.cloudstack.api.response.IdpResponse)

Aggregations

SAMLProviderMetadata (org.apache.cloudstack.saml.SAMLProviderMetadata)6 ServerApiException (org.apache.cloudstack.api.ServerApiException)4 IOException (java.io.IOException)3 UserAccountVO (com.cloud.user.UserAccountVO)2 Field (java.lang.reflect.Field)2 KeyPair (java.security.KeyPair)2 X509Certificate (java.security.cert.X509Certificate)2 HttpServletResponse (javax.servlet.http.HttpServletResponse)2 ParserConfigurationException (javax.xml.parsers.ParserConfigurationException)2 FactoryConfigurationError (javax.xml.stream.FactoryConfigurationError)2 Test (org.junit.Test)2 Response (org.opensaml.saml2.core.Response)2 ConfigurationException (org.opensaml.xml.ConfigurationException)2 MarshallingException (org.opensaml.xml.io.MarshallingException)2 CloudAuthenticationException (com.cloud.exception.CloudAuthenticationException)1 UserAccount (com.cloud.user.UserAccount)1 StringWriter (java.io.StringWriter)1 ArrayList (java.util.ArrayList)1 HashMap (java.util.HashMap)1 DocumentBuilder (javax.xml.parsers.DocumentBuilder)1