Examples with SAML2ReceivedResponseTO org.apache.syncope.common.lib.to.SAML2ReceivedResponseTO used on opensource projects

Example 6 with SAML2ReceivedResponseTO

use of org.apache.syncope.common.lib.to.SAML2ReceivedResponseTO in project syncope by apache.

the class Logout method doPost.

@Override
protected void doPost(final HttpServletRequest request, final HttpServletResponse response) throws ServletException, IOException {
    // process POST binding logout response
    SAML2ReceivedResponseTO receivedResponse = extract(StringUtils.substringBefore(request.getRequestURL().toString(), "/saml2sp"), "saml2sp", request.getRemoteAddr(), request.getInputStream());
    doLogout(receivedResponse, request, response);
}

Example 7 with SAML2ReceivedResponseTO

use of org.apache.syncope.common.lib.to.SAML2ReceivedResponseTO in project syncope by apache.

the class SAML2ITCase method unsignedAssertionInLoginResponse.

@Test
public void unsignedAssertionInLoginResponse() throws Exception {
    assumeTrue(SAML2SPDetector.isSAML2SPAvailable());
    // Get a valid login request for the Fediz realm
    SAML2SPService saml2Service = anonymous.getService(SAML2SPService.class);
    SAML2RequestTO loginRequest = saml2Service.createLoginRequest(ADDRESS, "urn:org:apache:cxf:fediz:idp:realm-A");
    assertNotNull(loginRequest);
    SAML2ReceivedResponseTO response = new SAML2ReceivedResponseTO();
    response.setSpEntityID("http://recipient.apache.org/");
    response.setUrlContext("saml2sp");
    response.setRelayState(loginRequest.getRelayState());
    // Create a SAML Response using WSS4J
    JwsJwtCompactConsumer relayState = new JwsJwtCompactConsumer(response.getRelayState());
    String inResponseTo = relayState.getJwtClaims().getSubject();
    org.opensaml.saml.saml2.core.Response samlResponse = createResponse(inResponseTo, false, SAML2Constants.CONF_SENDER_VOUCHES, "urn:org:apache:cxf:fediz:idp:realm-A");
    Document doc = DOMUtils.newDocument();
    Element responseElement = OpenSAMLUtil.toDom(samlResponse, doc);
    String responseStr = DOM2Writer.nodeToString(responseElement);
    // Validate the SAML Response
    response.setSamlResponse(Base64.getEncoder().encodeToString(responseStr.getBytes()));
    try {
        saml2Service.validateLoginResponse(response);
        fail("Failure expected on an unsigned Assertion");
    } catch (SyncopeClientException e) {
        assertNotNull(e);
    }
}

Example 8 with SAML2ReceivedResponseTO

use of org.apache.syncope.common.lib.to.SAML2ReceivedResponseTO in project syncope by apache.

the class SAML2ITCase method loginResponseWrappingAttack.

@Test
public void loginResponseWrappingAttack() throws Exception {
    assumeTrue(SAML2SPDetector.isSAML2SPAvailable());
    // Get a valid login request for the Fediz realm
    SAML2SPService saml2Service = anonymous.getService(SAML2SPService.class);
    SAML2RequestTO loginRequest = saml2Service.createLoginRequest(ADDRESS, "urn:org:apache:cxf:fediz:idp:realm-A");
    assertNotNull(loginRequest);
    SAML2ReceivedResponseTO response = new SAML2ReceivedResponseTO();
    response.setSpEntityID("http://recipient.apache.org/");
    response.setUrlContext("saml2sp");
    response.setRelayState(loginRequest.getRelayState());
    // Create a SAML Response using WSS4J
    JwsJwtCompactConsumer relayState = new JwsJwtCompactConsumer(response.getRelayState());
    String inResponseTo = relayState.getJwtClaims().getSubject();
    org.opensaml.saml.saml2.core.Response samlResponse = createResponse(inResponseTo);
    Document doc = DOMUtils.newDocument();
    Element responseElement = OpenSAMLUtil.toDom(samlResponse, doc);
    assertNotNull(responseElement);
    doc.appendChild(responseElement);
    // Get Assertion Element
    Element assertionElement = (Element) responseElement.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "Assertion").item(0);
    assertNotNull(assertionElement);
    // Clone it, strip the Signature, modify the Subject, change Subj Conf
    Element clonedAssertion = (Element) assertionElement.cloneNode(true);
    clonedAssertion.setAttributeNS(null, "ID", "_12345623562");
    Element sigElement = (Element) clonedAssertion.getElementsByTagNameNS(WSConstants.SIG_NS, "Signature").item(0);
    clonedAssertion.removeChild(sigElement);
    Element subjElement = (Element) clonedAssertion.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "Subject").item(0);
    Element subjNameIdElement = (Element) subjElement.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "NameID").item(0);
    subjNameIdElement.setTextContent("verdi");
    Element subjConfElement = (Element) subjElement.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "SubjectConfirmation").item(0);
    subjConfElement.setAttributeNS(null, "Method", SAML2Constants.CONF_SENDER_VOUCHES);
    // Now insert the modified cloned Assertion into the Response after the other assertion
    responseElement.insertBefore(clonedAssertion, null);
    String responseStr = DOM2Writer.nodeToString(responseElement);
    // Validate the SAML Response
    response.setSamlResponse(Base64.getEncoder().encodeToString(responseStr.getBytes()));
    try {
        saml2Service.validateLoginResponse(response);
        fail("Failure expected on an unsigned Assertion");
    } catch (SyncopeClientException e) {
        assertNotNull(e);
    }
}

Example 9 with SAML2ReceivedResponseTO

use of org.apache.syncope.common.lib.to.SAML2ReceivedResponseTO in project syncope by apache.

the class SAML2ITCase method validateLoginResponse.

@Test
public void validateLoginResponse() throws Exception {
    assumeTrue(SAML2SPDetector.isSAML2SPAvailable());
    // Get a valid login request for the Fediz realm
    SAML2SPService saml2Service = anonymous.getService(SAML2SPService.class);
    SAML2RequestTO loginRequest = saml2Service.createLoginRequest(ADDRESS, "urn:org:apache:cxf:fediz:idp:realm-A");
    assertNotNull(loginRequest);
    assertEquals("https://localhost:8443/fediz-idp/saml/up", loginRequest.getIdpServiceAddress());
    assertNotNull(loginRequest.getContent());
    assertTrue(BASE64.matcher(loginRequest.getContent()).matches());
    assertNotNull(loginRequest.getRelayState());
    // Check a null relaystate
    SAML2ReceivedResponseTO response = new SAML2ReceivedResponseTO();
    response.setSpEntityID("http://recipient.apache.org/");
    response.setUrlContext("saml2sp");
    try {
        saml2Service.validateLoginResponse(response);
        fail("Failure expected on no Relay State");
    } catch (SyncopeClientException e) {
        assertTrue(e.getMessage().contains("No Relay State was provided"));
    }
    // Check a null Response
    response.setRelayState(loginRequest.getRelayState());
    try {
        saml2Service.validateLoginResponse(response);
        fail("Failure expected on no SAML Response");
    } catch (SyncopeClientException e) {
        assertTrue(e.getMessage().contains("No SAML Response was provided"));
    }
    // Create a SAML Response using WSS4J
    JwsJwtCompactConsumer relayState = new JwsJwtCompactConsumer(response.getRelayState());
    String inResponseTo = relayState.getJwtClaims().getSubject();
    org.opensaml.saml.saml2.core.Response samlResponse = createResponse(inResponseTo);
    Document doc = DOMUtils.newDocument();
    Element responseElement = OpenSAMLUtil.toDom(samlResponse, doc);
    String responseStr = DOM2Writer.nodeToString(responseElement);
    // Validate the SAML Response
    response.setSamlResponse(Base64.getEncoder().encodeToString(responseStr.getBytes()));
    SAML2LoginResponseTO loginResponse = saml2Service.validateLoginResponse(response);
    assertNotNull(loginResponse.getAccessToken());
    assertEquals("puccini", loginResponse.getNameID());
}