
Example 6 with SAML2ReceivedResponseTO

Use of org.apache.syncope.common.lib.to.SAML2ReceivedResponseTO in the apache/syncope project.

Source: class Logout, method doPost (servlet handler for the SAML 2.0 HTTP-POST logout binding).

@Override
protected void doPost(final HttpServletRequest request, final HttpServletResponse response) throws ServletException, IOException {
    // HTTP-POST binding: the IdP posts its LogoutResponse to this servlet.
    //
    // The SP entity ID passed to extract() is the request URL truncated at the first
    // "/saml2sp" (with Commons Lang semantics, substringBefore yields the whole URL
    // when the separator is absent — worth confirming the servlet mapping guarantees it).
    // NOTE(review): getRequestURL() is normally rebuilt from the Host header, so this
    // value is client-influenced unless the container or a reverse proxy pins the
    // canonical host — confirm before relying on it for audience/Destination checks.
    final String requestUrl = request.getRequestURL().toString();
    final String spEntityID = StringUtils.substringBefore(requestUrl, "/saml2sp");

    // NOTE(review): getRemoteAddr() is the immediate TCP peer, i.e. the proxy's address
    // when one fronts this servlet — verify what extract() uses it for (logging vs. policy).
    final SAML2ReceivedResponseTO receivedResponse =
            extract(spEntityID, "saml2sp", request.getRemoteAddr(), request.getInputStream());

    doLogout(receivedResponse, request, response);
}

Example 7 with SAML2ReceivedResponseTO

Use of org.apache.syncope.common.lib.to.SAML2ReceivedResponseTO in the apache/syncope project.

Source: class SAML2ITCase, method unsignedAssertionInLoginResponse (integration test: a Response whose Assertion carries no signature must be rejected).

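/**
 * Negative test: a Response that is otherwise acceptable (correct InResponseTo, a
 * RelayState the SP itself issued) but whose Assertion is presumably left unsigned by the
 * {@code false} argument to {@code createResponse} must be rejected by the SP.
 *
 * <p>Skipped when {@code SAML2SPDetector} reports the SAML 2.0 SP extension unavailable.
 *
 * @throws Exception on unexpected test setup failure
 */
@Test
public void unsignedAssertionInLoginResponse() throws Exception {
    assumeTrue(SAML2SPDetector.isSAML2SPAvailable());

    // Obtain a genuine login request so the RelayState is one the SP actually issued.
    SAML2SPService saml2Service = anonymous.getService(SAML2SPService.class);
    SAML2RequestTO loginRequest = saml2Service.createLoginRequest(ADDRESS, "urn:org:apache:cxf:fediz:idp:realm-A");
    assertNotNull(loginRequest);

    SAML2ReceivedResponseTO response = new SAML2ReceivedResponseTO();
    response.setSpEntityID("http://recipient.apache.org/");
    response.setUrlContext("saml2sp");
    response.setRelayState(loginRequest.getRelayState());

    // The RelayState is a JWT; its subject is echoed back as InResponseTo so that request
    // correlation succeeds and the missing signature is the only defect in the Response.
    JwsJwtCompactConsumer relayState = new JwsJwtCompactConsumer(response.getRelayState());
    String inResponseTo = relayState.getJwtClaims().getSubject();

    // Build the Response with WSS4J (the boolean presumably disables Assertion signing;
    // the one-argument overload used by the other tests yields a signed Assertion).
    org.opensaml.saml.saml2.core.Response samlResponse =
            createResponse(inResponseTo, false, SAML2Constants.CONF_SENDER_VOUCHES, "urn:org:apache:cxf:fediz:idp:realm-A");
    Document doc = DOMUtils.newDocument();
    Element responseElement = OpenSAMLUtil.toDom(samlResponse, doc);
    String responseStr = DOM2Writer.nodeToString(responseElement);

    // Encode explicitly as UTF-8: the no-arg getBytes() uses the platform default charset,
    // which makes the wire bytes depend on the machine running the test.
    response.setSamlResponse(Base64.getEncoder().encodeToString(
            responseStr.getBytes(java.nio.charset.StandardCharsets.UTF_8)));

    try {
        saml2Service.validateLoginResponse(response);
        fail("Failure expected on an unsigned Assertion");
    } catch (SyncopeClientException e) {
        // NOTE(review): any SyncopeClientException satisfies this test, so a rejection for an
        // unrelated reason (e.g. RelayState handling) would also pass; pin the signature-related
        // message once its wording is known.
        assertNotNull(e);
    }
}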

Example 8 with SAML2ReceivedResponseTO

Use of org.apache.syncope.common.lib.to.SAML2ReceivedResponseTO in the apache/syncope project.

Source: class SAML2ITCase, method loginResponseWrappingAttack (integration test: a Response carrying an extra, unsigned copy of the Assertion — an XML Signature Wrapping attempt — must be rejected).

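/**
 * Negative test for an XML Signature Wrapping (XSW) style attack: a second Assertion, cloned
 * from the signed one but with its Signature removed, a different ID, a different NameID and a
 * sender-vouches confirmation, is appended to an otherwise valid Response. The SP must reject
 * the Response rather than trust the subject of the unsigned copy.
 *
 * <p>Skipped when {@code SAML2SPDetector} reports the SAML 2.0 SP extension unavailable.
 *
 * @throws Exception on unexpected test setup failure
 */
@Test
public void loginResponseWrappingAttack() throws Exception {
    assumeTrue(SAML2SPDetector.isSAML2SPAvailable());

    // Obtain a genuine login request so the RelayState is one the SP actually issued.
    SAML2SPService saml2Service = anonymous.getService(SAML2SPService.class);
    SAML2RequestTO loginRequest = saml2Service.createLoginRequest(ADDRESS, "urn:org:apache:cxf:fediz:idp:realm-A");
    assertNotNull(loginRequest);

    SAML2ReceivedResponseTO response = new SAML2ReceivedResponseTO();
    response.setSpEntityID("http://recipient.apache.org/");
    response.setUrlContext("saml2sp");
    response.setRelayState(loginRequest.getRelayState());

    // The RelayState is a JWT; its subject is echoed back as InResponseTo so that request
    // correlation succeeds and the forged Assertion is the only defect in the Response.
    JwsJwtCompactConsumer relayState = new JwsJwtCompactConsumer(response.getRelayState());
    String inResponseTo = relayState.getJwtClaims().getSubject();

    // Build a legitimate Response with WSS4J and materialise it as DOM. The Assertion it
    // contains is signed: forgeUnsignedAssertion() below expects a Signature child to strip.
    org.opensaml.saml.saml2.core.Response samlResponse = createResponse(inResponseTo);
    Document doc = DOMUtils.newDocument();
    Element responseElement = OpenSAMLUtil.toDom(samlResponse, doc);
    assertNotNull(responseElement);
    doc.appendChild(responseElement);

    Element assertionElement = (Element) responseElement.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "Assertion").item(0);
    assertNotNull(assertionElement);

    // Append the forged copy after the genuine one (insertBefore with a null reference node
    // appends). NOTE(review): only the "append" placement is exercised; an implementation that
    // uses the *first* Assertion for both the signature check and the subject would pass here
    // yet might still accept the copy placed before the original or nested inside it —
    // consider adding those variants.
    Element forgedAssertion = forgeUnsignedAssertion(assertionElement);
    responseElement.insertBefore(forgedAssertion, null);
    String responseStr = DOM2Writer.nodeToString(responseElement);

    // Encode explicitly as UTF-8 rather than with the platform default charset.
    response.setSamlResponse(Base64.getEncoder().encodeToString(
            responseStr.getBytes(java.nio.charset.StandardCharsets.UTF_8)));

    try {
        saml2Service.validateLoginResponse(response);
        // The original message spoke of "an unsigned Assertion", which describes the sibling
        // test; here the Response still contains the signed one plus a forged copy.
        fail("Failure expected on a Response carrying an additional unsigned Assertion");
    } catch (SyncopeClientException e) {
        // NOTE(review): any SyncopeClientException passes; pin the message once its wording is known.
        assertNotNull(e);
    }
}

/**
 * Builds the attacker's Assertion: a deep copy of {@code signedAssertion} with a new ID, the
 * Signature element removed, the Subject NameID changed to {@code verdi} and the
 * SubjectConfirmation method switched to sender-vouches (no key-based confirmation).
 *
 * @param signedAssertion the genuine, signed Assertion to clone (left unmodified)
 * @return the detached, unsigned forged Assertion
 */
private static Element forgeUnsignedAssertion(final Element signedAssertion) {
    Element clonedAssertion = (Element) signedAssertion.cloneNode(true);

    // Fresh ID — presumably to keep IDs unique in the document so the genuine Signature's
    // Reference still resolves to the original Assertion rather than this copy.
    clonedAssertion.setAttributeNS(null, "ID", "_12345623562");

    Element sigElement = (Element) clonedAssertion.getElementsByTagNameNS(WSConstants.SIG_NS, "Signature").item(0);
    // Fail with a clear message instead of an NPE from removeChild(null) if createResponse()
    // ever stops signing the Assertion.
    assertNotNull(sigElement, "createResponse() is expected to produce a signed Assertion");
    clonedAssertion.removeChild(sigElement);

    Element subjElement = (Element) clonedAssertion.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "Subject").item(0);
    Element subjNameIdElement = (Element) subjElement.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "NameID").item(0);
    subjNameIdElement.setTextContent("verdi");

    Element subjConfElement = (Element) subjElement.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "SubjectConfirmation").item(0);
    subjConfElement.setAttributeNS(null, "Method", SAML2Constants.CONF_SENDER_VOUCHES);

    return clonedAssertion;
}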

Example 9 with SAML2ReceivedResponseTO

Use of org.apache.syncope.common.lib.to.SAML2ReceivedResponseTO in the apache/syncope project.

Source: class SAML2ITCase, method validateLoginResponse (integration test: argument checks for a missing RelayState and a missing SAML Response, then the accepted happy path).

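/**
 * Positive path plus two argument checks for {@code validateLoginResponse}:
 * <ol>
 *   <li>a login request for the Fediz realm is created and its shape checked,</li>
 *   <li>a received response without RelayState is refused with a dedicated message,</li>
 *   <li>a received response with RelayState but no SAML Response is refused likewise,</li>
 *   <li>a well-formed, correlated Response is accepted and yields an access token
 *       for the NameID {@code puccini}.</li>
 * </ol>
 *
 * <p>Skipped when {@code SAML2SPDetector} reports the SAML 2.0 SP extension unavailable.
 *
 * @throws Exception on unexpected test setup failure
 */
@Test
public void validateLoginResponse() throws Exception {
    assumeTrue(SAML2SPDetector.isSAML2SPAvailable());

    SAML2SPService saml2Service = anonymous.getService(SAML2SPService.class);
    SAML2RequestTO loginRequest = saml2Service.createLoginRequest(ADDRESS, "urn:org:apache:cxf:fediz:idp:realm-A");
    assertNotNull(loginRequest);
    assertEquals("https://localhost:8443/fediz-idp/saml/up", loginRequest.getIdpServiceAddress());
    assertNotNull(loginRequest.getContent());
    assertTrue(BASE64.matcher(loginRequest.getContent()).matches());
    assertNotNull(loginRequest.getRelayState());

    SAML2ReceivedResponseTO response = new SAML2ReceivedResponseTO();
    response.setSpEntityID("http://recipient.apache.org/");
    response.setUrlContext("saml2sp");

    // 1. No RelayState (and no SAML Response yet): the RelayState check is reported.
    try {
        saml2Service.validateLoginResponse(response);
        fail("Failure expected on no Relay State");
    } catch (SyncopeClientException e) {
        assertTrue(e.getMessage().contains("No Relay State was provided"));
    }

    // 2. RelayState present but no SAML Response.
    response.setRelayState(loginRequest.getRelayState());
    try {
        saml2Service.validateLoginResponse(response);
        fail("Failure expected on no SAML Response");
    } catch (SyncopeClientException e) {
        assertTrue(e.getMessage().contains("No SAML Response was provided"));
    }

    // 3. Happy path: build a Response with WSS4J whose InResponseTo is the subject of the
    // RelayState JWT, so that it correlates with the login request issued above.
    JwsJwtCompactConsumer relayState = new JwsJwtCompactConsumer(response.getRelayState());
    String inResponseTo = relayState.getJwtClaims().getSubject();
    org.opensaml.saml.saml2.core.Response samlResponse = createResponse(inResponseTo);
    Document doc = DOMUtils.newDocument();
    Element responseElement = OpenSAMLUtil.toDom(samlResponse, doc);
    String responseStr = DOM2Writer.nodeToString(responseElement);

    // Encode explicitly as UTF-8: the no-arg getBytes() uses the platform default charset,
    // which makes the wire bytes depend on the machine running the test.
    response.setSamlResponse(Base64.getEncoder().encodeToString(
            responseStr.getBytes(java.nio.charset.StandardCharsets.UTF_8)));

    SAML2LoginResponseTO loginResponse = saml2Service.validateLoginResponse(response);
    assertNotNull(loginResponse.getAccessToken());
    assertEquals("puccini", loginResponse.getNameID());
}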
