
Example 6 with SAML2RequestTO

use of org.apache.syncope.common.lib.to.SAML2RequestTO in project syncope by apache.

the class SAML2ITCase method createLoginRequest.

@Test
public void createLoginRequest() {
    // Skip the whole test when the core under test has no SAML 2.0 SP support deployed.
    assumeTrue(SAML2SPDetector.isSAML2SPAvailable());

    // The SP endpoint is used through the anonymous client: building an
    // authentication request must not require an existing Syncope session.
    SAML2SPService spService = anonymous.getService(SAML2SPService.class);
    SAML2RequestTO authnRequest =
            spService.createLoginRequest(ADDRESS, "https://idp.testshib.org/idp/shibboleth");
    assertNotNull(authnRequest);

    // The IdP entityID passed above must be resolved to that IdP's HTTP-POST SSO endpoint.
    assertEquals("https://idp.testshib.org/idp/profile/SAML2/POST/SSO", authnRequest.getIdpServiceAddress());

    // The request content is expected as Base64 text, and a RelayState must be
    // issued so the SP can later correlate the IdP response (other tests in this
    // class parse it as a JWS via JwsJwtCompactConsumer).
    String requestContent = authnRequest.getContent();
    assertNotNull(requestContent);
    assertTrue(BASE64.matcher(requestContent).matches());
    assertNotNull(authnRequest.getRelayState());
}

Example 7 with SAML2RequestTO

use of org.apache.syncope.common.lib.to.SAML2RequestTO in project syncope by apache.

the class SAML2ITCase method loginResponseWrappingAttack.

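/**
 * Negative test modelled on an XML Signature Wrapping style attack against the
 * SP's response validation: the signed Assertion produced by createResponse()
 * is cloned, the clone's Signature is stripped, its Subject NameID and
 * SubjectConfirmation Method are altered, and the unsigned copy is appended to
 * the Response next to the original. The SP must reject the whole Response
 * rather than accept the tampered Assertion on the strength of the signed one.
 *
 * @throws Exception on any unexpected DOM/OpenSAML failure while forging the Response
 */
@Test
public void loginResponseWrappingAttack() throws Exception {
    assumeTrue(SAML2SPDetector.isSAML2SPAvailable());

    // Obtain a valid login request, and with it a valid RelayState, for the Fediz realm.
    SAML2SPService saml2Service = anonymous.getService(SAML2SPService.class);
    SAML2RequestTO loginRequest = saml2Service.createLoginRequest(ADDRESS, "urn:org:apache:cxf:fediz:idp:realm-A");
    assertNotNull(loginRequest);

    SAML2ReceivedResponseTO response = new SAML2ReceivedResponseTO();
    response.setSpEntityID("http://recipient.apache.org/");
    response.setUrlContext("saml2sp");
    response.setRelayState(loginRequest.getRelayState());

    // The RelayState is a JWS whose subject claim carries the request ID; the
    // forged Response must echo it in InResponseTo so that it gets past
    // request/response correlation and reaches the signature checks.
    JwsJwtCompactConsumer relayState = new JwsJwtCompactConsumer(response.getRelayState());
    String inResponseTo = relayState.getJwtClaims().getSubject();
    org.opensaml.saml.saml2.core.Response samlResponse = createResponse(inResponseTo);
    Document doc = DOMUtils.newDocument();
    Element responseElement = OpenSAMLUtil.toDom(samlResponse, doc);
    assertNotNull(responseElement);
    doc.appendChild(responseElement);

    // Locate the Assertion built (and signed) by createResponse().
    Element assertionElement = (Element) responseElement.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "Assertion").item(0);
    assertNotNull(assertionElement);

    // Build the malicious twin: fresh ID, no Signature, a different NameID and a
    // sender-vouches SubjectConfirmation (which carries no bearer proof).
    Element clonedAssertion = (Element) assertionElement.cloneNode(true);
    clonedAssertion.setAttributeNS(null, "ID", "_12345623562");
    Element sigElement = (Element) clonedAssertion.getElementsByTagNameNS(WSConstants.SIG_NS, "Signature").item(0);
    // The attack only makes sense against a signed Assertion: fail loudly if the
    // fixture stops signing instead of dying on removeChild(null).
    assertNotNull(sigElement);
    clonedAssertion.removeChild(sigElement);
    Element subjElement = (Element) clonedAssertion.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "Subject").item(0);
    Element subjNameIdElement = (Element) subjElement.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "NameID").item(0);
    subjNameIdElement.setTextContent("verdi");
    Element subjConfElement = (Element) subjElement.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "SubjectConfirmation").item(0);
    subjConfElement.setAttributeNS(null, "Method", SAML2Constants.CONF_SENDER_VOUCHES);

    // Append the tampered copy after the original, signed Assertion.
    responseElement.insertBefore(clonedAssertion, null);
    String responseStr = DOM2Writer.nodeToString(responseElement);

    // Encode explicitly as UTF-8: getBytes() without a charset uses the platform
    // default, which is only guaranteed to be UTF-8 from JDK 18 onwards.
    response.setSamlResponse(Base64.getEncoder().encodeToString(
            responseStr.getBytes(java.nio.charset.StandardCharsets.UTF_8)));

    // The SP must refuse the Response because of the unsigned Assertion.
    try {
        saml2Service.validateLoginResponse(response);
        fail("Failure expected on an unsigned Assertion");
    } catch (SyncopeClientException e) {
        assertNotNull(e);
    }
}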

Example 8 with SAML2RequestTO

use of org.apache.syncope.common.lib.to.SAML2RequestTO in project syncope by apache.

the class SAML2ITCase method validateLoginResponse.

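/**
 * Happy-path and fail-closed checks for the SP's response validation against
 * the Fediz realm: the login request must carry the expected IdP endpoint,
 * Base64 content and a RelayState; validation must be refused when either the
 * RelayState or the SAML Response is missing; and a well-formed Response
 * correlated to the request must yield an access token for the asserted NameID.
 *
 * @throws Exception on any unexpected DOM/OpenSAML failure while building the Response
 */
@Test
public void validateLoginResponse() throws Exception {
    assumeTrue(SAML2SPDetector.isSAML2SPAvailable());

    // Obtain a valid login request for the Fediz realm and check its shape.
    SAML2SPService saml2Service = anonymous.getService(SAML2SPService.class);
    SAML2RequestTO loginRequest = saml2Service.createLoginRequest(ADDRESS, "urn:org:apache:cxf:fediz:idp:realm-A");
    assertNotNull(loginRequest);
    assertEquals("https://localhost:8443/fediz-idp/saml/up", loginRequest.getIdpServiceAddress());
    assertNotNull(loginRequest.getContent());
    assertTrue(BASE64.matcher(loginRequest.getContent()).matches());
    assertNotNull(loginRequest.getRelayState());

    // Missing RelayState: the SP has nothing to correlate the response with and must refuse.
    SAML2ReceivedResponseTO response = new SAML2ReceivedResponseTO();
    response.setSpEntityID("http://recipient.apache.org/");
    response.setUrlContext("saml2sp");
    try {
        saml2Service.validateLoginResponse(response);
        fail("Failure expected on no Relay State");
    } catch (SyncopeClientException e) {
        assertTrue(e.getMessage().contains("No Relay State was provided"));
    }

    // Valid RelayState but no SAML Response: must refuse as well.
    response.setRelayState(loginRequest.getRelayState());
    try {
        saml2Service.validateLoginResponse(response);
        fail("Failure expected on no SAML Response");
    } catch (SyncopeClientException e) {
        assertTrue(e.getMessage().contains("No SAML Response was provided"));
    }

    // The RelayState is a JWS whose subject claim is the request ID; the Response
    // built by createResponse() echoes it in InResponseTo so that correlation succeeds.
    JwsJwtCompactConsumer relayState = new JwsJwtCompactConsumer(response.getRelayState());
    String inResponseTo = relayState.getJwtClaims().getSubject();
    org.opensaml.saml.saml2.core.Response samlResponse = createResponse(inResponseTo);
    Document doc = DOMUtils.newDocument();
    Element responseElement = OpenSAMLUtil.toDom(samlResponse, doc);
    String responseStr = DOM2Writer.nodeToString(responseElement);

    // Encode explicitly as UTF-8: getBytes() without a charset uses the platform
    // default, which is only guaranteed to be UTF-8 from JDK 18 onwards.
    response.setSamlResponse(Base64.getEncoder().encodeToString(
            responseStr.getBytes(java.nio.charset.StandardCharsets.UTF_8)));

    // A correlated, well-formed Response logs the asserted subject in.
    SAML2LoginResponseTO loginResponse = saml2Service.validateLoginResponse(response);
    assertNotNull(loginResponse.getAccessToken());
    assertEquals("puccini", loginResponse.getNameID());
}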
