use of org.apache.syncope.common.rest.api.service.SAML2SPService in project syncope by apache.
the class SAML2ITCase method spMetadata.
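@Test
public void spMetadata() {
    assumeTrue(SAML2SPDetector.isSAML2SPAvailable());
    try {
        SAML2SPService service = anonymous.getService(SAML2SPService.class);
        WebClient.client(service).accept(MediaType.APPLICATION_XML_TYPE);
        Response response = service.getMetadata(ADDRESS, "saml2sp");
        assertNotNull(response);

        // Parse the metadata entity exactly once; the reader is closed even if parsing fails
        Document responseDoc;
        try (InputStreamReader reader = new InputStreamReader(
                (InputStream) response.getEntity(), StandardCharsets.UTF_8)) {
            responseDoc = StaxUtils.read(reader);
        }
        Element root = responseDoc.getDocumentElement();
        assertEquals("EntityDescriptor", root.getLocalName());
        assertEquals("urn:oasis:names:tc:SAML:2.0:metadata", root.getNamespaceURI());

        // The metadata must carry an enveloped XML Signature as a direct child of EntityDescriptor
        QName signatureQName = new QName(SignatureConstants.XMLSIG_NS, "Signature");
        Element signatureElement = DOMUtils.getFirstChildWithName(root, signatureQName);
        assertNotNull(signatureElement);

        // Verify the signature value against the SP certificate from the test keystore.
        // The keystore stream is closed on every path (the original left it open).
        XMLSignature signature = new XMLSignature(signatureElement, null);
        KeyStore keystore = KeyStore.getInstance("JKS");
        try (InputStream keystoreStream = Loader.getResourceAsStream("keystore")) {
            keystore.load(keystoreStream, "changeit".toCharArray());
        }
        // Fail with a clear message if the alias is missing instead of passing null to the verifier
        X509Certificate spCert = (X509Certificate) keystore.getCertificate("sp");
        assertNotNull(spCert);
        // checkSignatureValue verifies the signature and its references against this key only;
        // trust in the certificate itself comes from it being the known test keystore entry
        assertTrue(signature.checkSignatureValue(spCert));
    } catch (Exception e) {
        LOG.error("During SAML 2.0 SP metadata parsing", e);
        fail(e.getMessage());
    }
}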
use of org.apache.syncope.common.rest.api.service.SAML2SPService in project syncope by apache.
the class SAML2ITCase method validateIdpInitiatedLoginResponseFailure.
// Make sure that the IdP initiated case is only supported when "supportUnsolicited" is true for that IdP
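@Test
public void validateIdpInitiatedLoginResponseFailure() throws Exception {
    assumeTrue(SAML2SPDetector.isSAML2SPAvailable());
    SAML2SPService saml2Service = anonymous.getService(SAML2SPService.class);

    // Build an unsolicited (IdP-initiated) SAML Response for realm-A using WSS4J/OpenSAML.
    // No InResponseTo is set, so there is no matching login request on the SP side.
    SAML2ReceivedResponseTO response = new SAML2ReceivedResponseTO();
    response.setSpEntityID("http://recipient.apache.org/");
    response.setUrlContext("saml2sp");
    org.opensaml.saml.saml2.core.Response samlResponse =
            createResponse(null, true, SAML2Constants.CONF_BEARER, "urn:org:apache:cxf:fediz:idp:realm-A");
    Document doc = DOMUtils.newDocument();
    Element responseElement = OpenSAMLUtil.toDom(samlResponse, doc);
    String responseStr = DOM2Writer.nodeToString(responseElement);

    // Encode explicitly as UTF-8: the bare getBytes() depends on the platform charset
    response.setSamlResponse(Base64.getEncoder().encodeToString(responseStr.getBytes(StandardCharsets.UTF_8)));
    response.setRelayState("idpInitiated");

    // The SP must reject the unsolicited response for this IdP
    try {
        saml2Service.validateLoginResponse(response);
        fail("Failure expected on an unsolicited login");
    } catch (SyncopeClientException e) {
        assertNotNull(e);
    }
}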
use of org.apache.syncope.common.rest.api.service.SAML2SPService in project syncope by apache.
the class SAML2ITCase method validateIdpInitiatedLoginResponse.
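@Test
public void validateIdpInitiatedLoginResponse() throws Exception {
    assumeTrue(SAML2SPDetector.isSAML2SPAvailable());
    SAML2SPService saml2Service = anonymous.getService(SAML2SPService.class);

    // Build an unsolicited (IdP-initiated) SAML Response for realm-B using WSS4J/OpenSAML
    SAML2ReceivedResponseTO response = new SAML2ReceivedResponseTO();
    response.setSpEntityID("http://recipient.apache.org/");
    response.setUrlContext("saml2sp");
    org.opensaml.saml.saml2.core.Response samlResponse =
            createResponse(null, true, SAML2Constants.CONF_BEARER, "urn:org:apache:cxf:fediz:idp:realm-B");
    Document doc = DOMUtils.newDocument();
    Element responseElement = OpenSAMLUtil.toDom(samlResponse, doc);
    String responseStr = DOM2Writer.nodeToString(responseElement);

    // Encode explicitly as UTF-8: the bare getBytes() depends on the platform charset
    response.setSamlResponse(Base64.getEncoder().encodeToString(responseStr.getBytes(StandardCharsets.UTF_8)));
    response.setRelayState("idpInitiated");

    // The SP accepts the unsolicited response for this IdP and issues an access token
    SAML2LoginResponseTO loginResponse = saml2Service.validateLoginResponse(response);
    assertNotNull(loginResponse);
    assertNotNull(loginResponse.getAccessToken());
    assertEquals("puccini", loginResponse.getNameID());
}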
use of org.apache.syncope.common.rest.api.service.SAML2SPService in project syncope by apache.
the class Metadata method doGet.
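@Override
protected void doGet(final HttpServletRequest request, final HttpServletResponse response)
        throws ServletException, IOException {

    SyncopeClient anonymous =
            (SyncopeClient) request.getServletContext().getAttribute(Constants.SYNCOPE_ANONYMOUS_CLIENT);
    SAML2SPService service = anonymous.getService(SAML2SPService.class);
    WebClient.client(service).accept(MediaType.APPLICATION_XML_TYPE).type(MediaType.APPLICATION_XML_TYPE);

    // The SP base address is taken from the request URL, i.e. from the Host header as the container
    // sees it; behind a reverse proxy the canonical external host should be configured so the
    // entityID / endpoint URLs in the generated metadata reflect it rather than the client-supplied value
    String spAddress = StringUtils.substringBefore(request.getRequestURL().toString(), "/saml2sp");

    try {
        Response metadataResponse = service.getMetadata(spAddress, "saml2sp");
        response.setContentType(metadataResponse.getMediaType().toString());
        // Read the entity once and close it on every path, including when copy() throws
        // (the original only closed it after a successful copy)
        try (InputStream metadata = (InputStream) metadataResponse.getEntity()) {
            IOUtils.copy(metadata, response.getOutputStream());
        }
    } catch (Exception e) {
        // keep the cause so the container's error log shows the actual failure, not just its message
        throw new ServletException(e.getMessage(), e);
    }
}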
use of org.apache.syncope.common.rest.api.service.SAML2SPService in project syncope by apache.
the class SAML2ITCase method unsignedAssertionInLoginResponse.
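@Test
public void unsignedAssertionInLoginResponse() throws Exception {
    assumeTrue(SAML2SPDetector.isSAML2SPAvailable());

    // Obtain a genuine login request (and RelayState) for the Fediz realm so the response can be correlated
    SAML2SPService saml2Service = anonymous.getService(SAML2SPService.class);
    SAML2RequestTO loginRequest = saml2Service.createLoginRequest(ADDRESS, "urn:org:apache:cxf:fediz:idp:realm-A");
    assertNotNull(loginRequest);

    SAML2ReceivedResponseTO response = new SAML2ReceivedResponseTO();
    response.setSpEntityID("http://recipient.apache.org/");
    response.setUrlContext("saml2sp");
    response.setRelayState(loginRequest.getRelayState());

    // The RelayState is a JWT whose subject carries the request ID to echo back as InResponseTo
    JwsJwtCompactConsumer relayState = new JwsJwtCompactConsumer(response.getRelayState());
    String inResponseTo = relayState.getJwtClaims().getSubject();

    // Build a SAML Response whose Assertion is NOT signed (second argument false) using WSS4J/OpenSAML
    org.opensaml.saml.saml2.core.Response samlResponse =
            createResponse(inResponseTo, false, SAML2Constants.CONF_SENDER_VOUCHES, "urn:org:apache:cxf:fediz:idp:realm-A");
    Document doc = DOMUtils.newDocument();
    Element responseElement = OpenSAMLUtil.toDom(samlResponse, doc);
    String responseStr = DOM2Writer.nodeToString(responseElement);

    // Encode explicitly as UTF-8: the bare getBytes() depends on the platform charset
    response.setSamlResponse(Base64.getEncoder().encodeToString(responseStr.getBytes(StandardCharsets.UTF_8)));

    // The SP must reject an unsigned Assertion
    try {
        saml2Service.validateLoginResponse(response);
        fail("Failure expected on an unsigned Assertion");
    } catch (SyncopeClientException e) {
        assertNotNull(e);
    }
}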