Example 6 with SAML2RequestTO
use of org.apache.syncope.common.lib.to.SAML2RequestTO in project syncope by apache.
the class SAML2ITCase method createLoginRequest.
@Test
public void createLoginRequest() {
assumeTrue(SAML2SPDetector.isSAML2SPAvailable());
SAML2RequestTO loginRequest = anonymous.getService(SAML2SPService.class).createLoginRequest(ADDRESS, "https://idp.testshib.org/idp/shibboleth");
assertNotNull(loginRequest);
assertEquals("https://idp.testshib.org/idp/profile/SAML2/POST/SSO", loginRequest.getIdpServiceAddress());
assertNotNull(loginRequest.getContent());
assertTrue(BASE64.matcher(loginRequest.getContent()).matches());
assertNotNull(loginRequest.getRelayState());
}
Also used :
SAML2SPService(org.apache.syncope.common.rest.api.service.SAML2SPService)
SAML2RequestTO(org.apache.syncope.common.lib.to.SAML2RequestTO)
Test(org.junit.jupiter.api.Test)
Example 7 with SAML2RequestTO
use of org.apache.syncope.common.lib.to.SAML2RequestTO in project syncope by apache.
the class SAML2ITCase method loginResponseWrappingAttack.
@Test
public void loginResponseWrappingAttack() throws Exception {
assumeTrue(SAML2SPDetector.isSAML2SPAvailable());
// Get a valid login request for the Fediz realm
SAML2SPService saml2Service = anonymous.getService(SAML2SPService.class);
SAML2RequestTO loginRequest = saml2Service.createLoginRequest(ADDRESS, "urn:org:apache:cxf:fediz:idp:realm-A");
assertNotNull(loginRequest);
SAML2ReceivedResponseTO response = new SAML2ReceivedResponseTO();
response.setSpEntityID("http://recipient.apache.org/");
response.setUrlContext("saml2sp");
response.setRelayState(loginRequest.getRelayState());
// Create a SAML Response using WSS4J
JwsJwtCompactConsumer relayState = new JwsJwtCompactConsumer(response.getRelayState());
String inResponseTo = relayState.getJwtClaims().getSubject();
org.opensaml.saml.saml2.core.Response samlResponse = createResponse(inResponseTo);
Document doc = DOMUtils.newDocument();
Element responseElement = OpenSAMLUtil.toDom(samlResponse, doc);
assertNotNull(responseElement);
doc.appendChild(responseElement);
// Get Assertion Element
Element assertionElement = (Element) responseElement.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "Assertion").item(0);
assertNotNull(assertionElement);
// Clone it, strip the Signature, modify the Subject, change Subj Conf
Element clonedAssertion = (Element) assertionElement.cloneNode(true);
clonedAssertion.setAttributeNS(null, "ID", "_12345623562");
Element sigElement = (Element) clonedAssertion.getElementsByTagNameNS(WSConstants.SIG_NS, "Signature").item(0);
clonedAssertion.removeChild(sigElement);
Element subjElement = (Element) clonedAssertion.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "Subject").item(0);
Element subjNameIdElement = (Element) subjElement.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "NameID").item(0);
subjNameIdElement.setTextContent("verdi");
Element subjConfElement = (Element) subjElement.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "SubjectConfirmation").item(0);
subjConfElement.setAttributeNS(null, "Method", SAML2Constants.CONF_SENDER_VOUCHES);
// Now insert the modified cloned Assertion into the Response after the other assertion
responseElement.insertBefore(clonedAssertion, null);
String responseStr = DOM2Writer.nodeToString(responseElement);
// Validate the SAML Response
response.setSamlResponse(Base64.getEncoder().encodeToString(responseStr.getBytes()));
try {
saml2Service.validateLoginResponse(response);
fail("Failure expected on an unsigned Assertion");
} catch (SyncopeClientException e) {
assertNotNull(e);
}
}
Also used :
SAML2SPService(org.apache.syncope.common.rest.api.service.SAML2SPService)
SAML2RequestTO(org.apache.syncope.common.lib.to.SAML2RequestTO)
SAML2ReceivedResponseTO(org.apache.syncope.common.lib.to.SAML2ReceivedResponseTO)
Element(org.w3c.dom.Element)
SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException)
JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer)
Document(org.w3c.dom.Document)
Test(org.junit.jupiter.api.Test)
Example 8 with SAML2RequestTO
use of org.apache.syncope.common.lib.to.SAML2RequestTO in project syncope by apache.
the class SAML2ITCase method validateLoginResponse.
@Test
public void validateLoginResponse() throws Exception {
assumeTrue(SAML2SPDetector.isSAML2SPAvailable());
// Get a valid login request for the Fediz realm
SAML2SPService saml2Service = anonymous.getService(SAML2SPService.class);
SAML2RequestTO loginRequest = saml2Service.createLoginRequest(ADDRESS, "urn:org:apache:cxf:fediz:idp:realm-A");
assertNotNull(loginRequest);
assertEquals("https://localhost:8443/fediz-idp/saml/up", loginRequest.getIdpServiceAddress());
assertNotNull(loginRequest.getContent());
assertTrue(BASE64.matcher(loginRequest.getContent()).matches());
assertNotNull(loginRequest.getRelayState());
// Check a null relaystate
SAML2ReceivedResponseTO response = new SAML2ReceivedResponseTO();
response.setSpEntityID("http://recipient.apache.org/");
response.setUrlContext("saml2sp");
try {
saml2Service.validateLoginResponse(response);
fail("Failure expected on no Relay State");
} catch (SyncopeClientException e) {
assertTrue(e.getMessage().contains("No Relay State was provided"));
}
// Check a null Response
response.setRelayState(loginRequest.getRelayState());
try {
saml2Service.validateLoginResponse(response);
fail("Failure expected on no SAML Response");
} catch (SyncopeClientException e) {
assertTrue(e.getMessage().contains("No SAML Response was provided"));
}
// Create a SAML Response using WSS4J
JwsJwtCompactConsumer relayState = new JwsJwtCompactConsumer(response.getRelayState());
String inResponseTo = relayState.getJwtClaims().getSubject();
org.opensaml.saml.saml2.core.Response samlResponse = createResponse(inResponseTo);
Document doc = DOMUtils.newDocument();
Element responseElement = OpenSAMLUtil.toDom(samlResponse, doc);
String responseStr = DOM2Writer.nodeToString(responseElement);
// Validate the SAML Response
response.setSamlResponse(Base64.getEncoder().encodeToString(responseStr.getBytes()));
SAML2LoginResponseTO loginResponse = saml2Service.validateLoginResponse(response);
assertNotNull(loginResponse.getAccessToken());
assertEquals("puccini", loginResponse.getNameID());
}
Also used :
SAML2RequestTO(org.apache.syncope.common.lib.to.SAML2RequestTO)
SAML2LoginResponseTO(org.apache.syncope.common.lib.to.SAML2LoginResponseTO)
Element(org.w3c.dom.Element)
SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException)
Document(org.w3c.dom.Document)
SAML2SPService(org.apache.syncope.common.rest.api.service.SAML2SPService)
SAML2ReceivedResponseTO(org.apache.syncope.common.lib.to.SAML2ReceivedResponseTO)
JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer)
Test(org.junit.jupiter.api.Test)
Aggregations
SAML2RequestTO (org.apache.syncope.common.lib.to.SAML2RequestTO)8
SAML2SPService (org.apache.syncope.common.rest.api.service.SAML2SPService)6
SyncopeClientException (org.apache.syncope.common.lib.SyncopeClientException)5
JwsJwtCompactConsumer (org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer)4
SAML2ReceivedResponseTO (org.apache.syncope.common.lib.to.SAML2ReceivedResponseTO)4
Test (org.junit.jupiter.api.Test)4
Document (org.w3c.dom.Document)3
Element (org.w3c.dom.Element)3
IOException (java.io.IOException)2
Date (java.util.Date)2
HashMap (java.util.HashMap)2
ServletException (javax.servlet.ServletException)2
SyncopeClient (org.apache.syncope.client.lib.SyncopeClient)2
SAML2IdPEntity (org.apache.syncope.core.logic.saml2.SAML2IdPEntity)2
NotFoundException (org.apache.syncope.core.persistence.api.dao.NotFoundException)2
DateTime (org.joda.time.DateTime)2
XMLObject (org.opensaml.core.xml.XMLObject)2
XSString (org.opensaml.core.xml.schema.XSString)2
Issuer (org.opensaml.saml.saml2.core.Issuer)2
IssuerBuilder (org.opensaml.saml.saml2.core.impl.IssuerBuilder)2
