Example 1 with SAML2SPService

Use of org.apache.syncope.common.rest.api.service.SAML2SPService in project syncope by apache.

From class SAML2ITCase, method spMetadata (fetches the SP metadata anonymously and checks that its enveloped XML signature verifies against the "sp" certificate in the test keystore):

@Test
public void spMetadata() {
    assumeTrue(SAML2SPDetector.isSAML2SPAvailable());
    try {
        SAML2SPService service = anonymous.getService(SAML2SPService.class);
        WebClient.client(service).accept(MediaType.APPLICATION_XML_TYPE);
        Response response = service.getMetadata(ADDRESS, "saml2sp");
        assertNotNull(response);
        Document responseDoc = StaxUtils.read(new InputStreamReader((InputStream) response.getEntity(), StandardCharsets.UTF_8));
        assertEquals("EntityDescriptor", responseDoc.getDocumentElement().getLocalName());
        assertEquals("urn:oasis:names:tc:SAML:2.0:metadata", responseDoc.getDocumentElement().getNamespaceURI());
        // Get the signature
        QName signatureQName = new QName(SignatureConstants.XMLSIG_NS, "Signature");
        Element signatureElement = DOMUtils.getFirstChildWithName(responseDoc.getDocumentElement(), signatureQName);
        assertNotNull(signatureElement);
        // Validate the signature
        XMLSignature signature = new XMLSignature(signatureElement, null);
        KeyStore keystore = KeyStore.getInstance("JKS");
        keystore.load(Loader.getResourceAsStream("keystore"), "changeit".toCharArray());
        assertTrue(signature.checkSignatureValue((X509Certificate) keystore.getCertificate("sp")));
    } catch (Exception e) {
        LOG.error("During SAML 2.0 SP metadata parsing", e);
        fail(e.getMessage());
    }
}
Also used : SAML2SPService(org.apache.syncope.common.rest.api.service.SAML2SPService) Response(javax.ws.rs.core.Response) InputStreamReader(java.io.InputStreamReader) InputStream(java.io.InputStream) QName(javax.xml.namespace.QName) XMLSignature(org.apache.xml.security.signature.XMLSignature) Element(org.w3c.dom.Element) Document(org.w3c.dom.Document) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException) Test(org.junit.jupiter.api.Test)

Example 2 with SAML2SPService

Use of org.apache.syncope.common.rest.api.service.SAML2SPService in project syncope by apache.

From class SAML2ITCase, method validateIdpInitiatedLoginResponseFailure:

// Make sure that the IdP initiated case is only supported when "supportUnsolicited" is true for that IdP
@Test
public void validateIdpInitiatedLoginResponseFailure() throws Exception {
    assumeTrue(SAML2SPDetector.isSAML2SPAvailable());
    SAML2SPService saml2Service = anonymous.getService(SAML2SPService.class);
    // Create a SAML Response using WSS4J
    SAML2ReceivedResponseTO response = new SAML2ReceivedResponseTO();
    response.setSpEntityID("http://recipient.apache.org/");
    response.setUrlContext("saml2sp");
    org.opensaml.saml.saml2.core.Response samlResponse = createResponse(null, true, SAML2Constants.CONF_BEARER, "urn:org:apache:cxf:fediz:idp:realm-A");
    Document doc = DOMUtils.newDocument();
    Element responseElement = OpenSAMLUtil.toDom(samlResponse, doc);
    String responseStr = DOM2Writer.nodeToString(responseElement);
    // Validate the SAML Response
    response.setSamlResponse(Base64.getEncoder().encodeToString(responseStr.getBytes()));
    response.setRelayState("idpInitiated");
    try {
        saml2Service.validateLoginResponse(response);
        fail("Failure expected on an unsolicited login");
    } catch (SyncopeClientException e) {
        assertNotNull(e);
    }
}
Also used : SAML2SPService(org.apache.syncope.common.rest.api.service.SAML2SPService) SAML2ReceivedResponseTO(org.apache.syncope.common.lib.to.SAML2ReceivedResponseTO) Element(org.w3c.dom.Element) SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException) Document(org.w3c.dom.Document) Test(org.junit.jupiter.api.Test)

Example 3 with SAML2SPService

Use of org.apache.syncope.common.rest.api.service.SAML2SPService in project syncope by apache.

From class SAML2ITCase, method validateIdpInitiatedLoginResponse (the IdP for realm-B is configured with "supportUnsolicited", so the same IdP-initiated flow that fails for realm-A succeeds here):

@Test
public void validateIdpInitiatedLoginResponse() throws Exception {
    assumeTrue(SAML2SPDetector.isSAML2SPAvailable());
    SAML2SPService saml2Service = anonymous.getService(SAML2SPService.class);
    // Create a SAML Response using WSS4J
    SAML2ReceivedResponseTO response = new SAML2ReceivedResponseTO();
    response.setSpEntityID("http://recipient.apache.org/");
    response.setUrlContext("saml2sp");
    org.opensaml.saml.saml2.core.Response samlResponse = createResponse(null, true, SAML2Constants.CONF_BEARER, "urn:org:apache:cxf:fediz:idp:realm-B");
    Document doc = DOMUtils.newDocument();
    Element responseElement = OpenSAMLUtil.toDom(samlResponse, doc);
    String responseStr = DOM2Writer.nodeToString(responseElement);
    // Validate the SAML Response
    response.setSamlResponse(Base64.getEncoder().encodeToString(responseStr.getBytes()));
    response.setRelayState("idpInitiated");
    SAML2LoginResponseTO loginResponse = saml2Service.validateLoginResponse(response);
    assertNotNull(loginResponse.getAccessToken());
    assertEquals("puccini", loginResponse.getNameID());
}
Also used : SAML2SPService(org.apache.syncope.common.rest.api.service.SAML2SPService) SAML2LoginResponseTO(org.apache.syncope.common.lib.to.SAML2LoginResponseTO) SAML2ReceivedResponseTO(org.apache.syncope.common.lib.to.SAML2ReceivedResponseTO) Element(org.w3c.dom.Element) Document(org.w3c.dom.Document) Test(org.junit.jupiter.api.Test)

Example 4 with SAML2SPService

Use of org.apache.syncope.common.rest.api.service.SAML2SPService in project syncope by apache.

From class Metadata, method doGet (a servlet that proxies the signed SP metadata from the Core's REST API to whoever requests it):

@Override
protected void doGet(final HttpServletRequest request, final HttpServletResponse response) throws ServletException, IOException {
    SyncopeClient anonymous = (SyncopeClient) request.getServletContext().getAttribute(Constants.SYNCOPE_ANONYMOUS_CLIENT);
    SAML2SPService service = anonymous.getService(SAML2SPService.class);
    WebClient.client(service).accept(MediaType.APPLICATION_XML_TYPE).type(MediaType.APPLICATION_XML_TYPE);
    try {
        Response metadataResponse = service.getMetadata(StringUtils.substringBefore(request.getRequestURL().toString(), "/saml2sp"), "saml2sp");
        response.setContentType(metadataResponse.getMediaType().toString());
        // Stream the signed metadata through unchanged; close the entity stream even if the copy fails
        try (InputStream metadata = (InputStream) metadataResponse.getEntity()) {
            IOUtils.copy(metadata, response.getOutputStream());
        }
    } catch (Exception e) {
        throw new ServletException(e.getMessage(), e);
    }
}
Also used : SAML2SPService(org.apache.syncope.common.rest.api.service.SAML2SPService) HttpServletResponse(javax.servlet.http.HttpServletResponse) Response(javax.ws.rs.core.Response) ServletException(javax.servlet.ServletException) InputStream(java.io.InputStream) SyncopeClient(org.apache.syncope.client.lib.SyncopeClient) ServletException(javax.servlet.ServletException) IOException(java.io.IOException)

Example 5 with SAML2SPService

Use of org.apache.syncope.common.rest.api.service.SAML2SPService in project syncope by apache.

From class SAML2ITCase, method unsignedAssertionInLoginResponse:

@Test
public void unsignedAssertionInLoginResponse() throws Exception {
    assumeTrue(SAML2SPDetector.isSAML2SPAvailable());
    // Get a valid login request for the Fediz realm
    SAML2SPService saml2Service = anonymous.getService(SAML2SPService.class);
    SAML2RequestTO loginRequest = saml2Service.createLoginRequest(ADDRESS, "urn:org:apache:cxf:fediz:idp:realm-A");
    assertNotNull(loginRequest);
    SAML2ReceivedResponseTO response = new SAML2ReceivedResponseTO();
    response.setSpEntityID("http://recipient.apache.org/");
    response.setUrlContext("saml2sp");
    response.setRelayState(loginRequest.getRelayState());
    // Recover the AuthnRequest ID from the signed RelayState JWT so that InResponseTo matches
    JwsJwtCompactConsumer relayState = new JwsJwtCompactConsumer(response.getRelayState());
    String inResponseTo = relayState.getJwtClaims().getSubject();
    // Create a SAML Response using WSS4J, with an unsigned sender-vouches Assertion
    org.opensaml.saml.saml2.core.Response samlResponse = createResponse(inResponseTo, false, SAML2Constants.CONF_SENDER_VOUCHES, "urn:org:apache:cxf:fediz:idp:realm-A");
    Document doc = DOMUtils.newDocument();
    Element responseElement = OpenSAMLUtil.toDom(samlResponse, doc);
    String responseStr = DOM2Writer.nodeToString(responseElement);
    // Validate the SAML Response
    response.setSamlResponse(Base64.getEncoder().encodeToString(responseStr.getBytes()));
    try {
        saml2Service.validateLoginResponse(response);
        fail("Failure expected on an unsigned Assertion");
    } catch (SyncopeClientException e) {
        assertNotNull(e);
    }
}
Also used : SAML2SPService(org.apache.syncope.common.rest.api.service.SAML2SPService) SAML2RequestTO(org.apache.syncope.common.lib.to.SAML2RequestTO) SAML2ReceivedResponseTO(org.apache.syncope.common.lib.to.SAML2ReceivedResponseTO) Element(org.w3c.dom.Element) SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException) JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer) Document(org.w3c.dom.Document) Test(org.junit.jupiter.api.Test)
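The three login-response tests above (Examples 2, 3 and 5) pin down one SP-side policy: an assertion must be signed and bearer-confirmed; an unsolicited (IdP-initiated) Response is accepted only from an IdP explicitly configured with supportUnsolicited; otherwise InResponseTo must match the AuthnRequest ID that the SP bound into its own signed RelayState. The following is an added example, written for this page in Python and not Syncope's code, that implements those checks over constructed Responses. It assumes a hypothetical two-realm IdP registry, an HS256 JWS RelayState whose "sub" claim is the request ID (mirroring the JwsJwtCompactConsumer usage in Example 5), and a caller-supplied XML-DSig verifier; the Signature element in the fixture is a placeholder, and only the standard library is used.

```python
import base64, hashlib, hmac, json, secrets, time
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree on untrusted input

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SP_ENTITY_ID = "http://recipient.apache.org/"
# Hypothetical registry mirroring the two Fediz realms used by the tests above
IDP_REGISTRY = {"urn:org:apache:cxf:fediz:idp:realm-A": {"supportUnsolicited": False},
                "urn:org:apache:cxf:fediz:idp:realm-B": {"supportUnsolicited": True}}
RELAY_STATE_KEY = secrets.token_bytes(32)  # hypothetical SP secret; persist and rotate it in practice

class SAML2ValidationError(Exception):
    pass

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_login_request(idp_entity_id: str):
    """Issue an AuthnRequest ID and bind it into an HS256 JWS that travels as RelayState."""
    request_id = "_" + secrets.token_hex(16)
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"sub": request_id, "aud": idp_entity_id,
                               "exp": int(time.time()) + 300}).encode())
    mac = hmac.new(RELAY_STATE_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return request_id, f"{head}.{body}.{_b64url(mac)}"

def _verify_relay_state(relay_state: str):
    """Return the JWS claims if the MAC verifies and the token is unexpired, else None."""
    parts = relay_state.split(".")
    if len(parts) != 3:
        return None
    mac = hmac.new(RELAY_STATE_KEY, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64url(parts[2])):
        return None
    claims = json.loads(_unb64url(parts[1]))
    return claims if claims.get("exp", 0) > time.time() else None

def validate_login_response(saml_response_b64: str, relay_state: str, verify_xmldsig) -> str:
    """Apply the SP-side checks and return the NameID. verify_xmldsig(assertion, issuer) must
    verify the enveloped signature against the certificate registered for that issuer; this
    example delegates that step (e.g. to signxml) instead of re-implementing XML-DSig."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SAML2ValidationError("not a samlp:Response")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    idp = IDP_REGISTRY.get(issuer)
    if idp is None:
        raise SAML2ValidationError(f"unknown issuer {issuer!r}")
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # IdP-initiated login: allowed only for IdPs explicitly marked supportUnsolicited
        if not idp["supportUnsolicited"]:
            raise SAML2ValidationError("unsolicited response from an IdP that does not support it")
    else:
        # SP-initiated: InResponseTo must equal the request ID bound into our own RelayState
        claims = _verify_relay_state(relay_state)
        if claims is None or claims["sub"] != in_response_to or claims["aud"] != issuer:
            raise SAML2ValidationError("InResponseTo does not match an outstanding request")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SAML2ValidationError("no assertion in response")
    if assertion.find("ds:Signature", NS) is None or not verify_xmldsig(assertion, issuer):
        raise SAML2ValidationError("assertion is unsigned or its signature does not verify")
    confirmation = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    if confirmation is None or confirmation.get("Method") != BEARER:
        raise SAML2ValidationError("subject confirmation method is not bearer")
    audiences = {a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)}
    if SP_ENTITY_ID not in audiences:
        raise SAML2ValidationError("assertion is not addressed to this SP")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

def build_response(issuer, in_response_to, signed, method, name_id="puccini") -> str:
    """Constructed fixture, not a real IdP message: minimal Response with a placeholder Signature."""
    resp = ET.Element(f"{{{NS['samlp']}}}Response")
    if in_response_to:
        resp.set("InResponseTo", in_response_to)
    ET.SubElement(resp, f"{{{NS['saml']}}}Issuer").text = issuer
    asrt = ET.SubElement(resp, f"{{{NS['saml']}}}Assertion")
    if signed:
        ET.SubElement(asrt, f"{{{NS['ds']}}}Signature")  # stands in for a real enveloped signature
    subject = ET.SubElement(asrt, f"{{{NS['saml']}}}Subject")
    ET.SubElement(subject, f"{{{NS['saml']}}}NameID").text = name_id
    ET.SubElement(subject, f"{{{NS['saml']}}}SubjectConfirmation").set("Method", method)
    restriction = ET.SubElement(ET.SubElement(asrt, f"{{{NS['saml']}}}Conditions"),
                                f"{{{NS['saml']}}}AudienceRestriction")
    ET.SubElement(restriction, f"{{{NS['saml']}}}Audience").text = SP_ENTITY_ID
    return base64.b64encode(ET.tostring(resp)).decode()
```

The ordering matters: the issuer is resolved first so that the unsolicited/InResponseTo decision and the signature check both use the registered configuration for that IdP, and the presence of a ds:Signature element is never treated as proof on its own; the verifier hook is what ties the assertion to the IdP's trusted certificate, just as Example 1 ties the metadata to the "sp" certificate in the keystore. Checking "aud" in the RelayState also stops a RelayState minted for one IdP from being replayed against another IdP's Response.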

Aggregations

SAML2SPService (org.apache.syncope.common.rest.api.service.SAML2SPService)7 Test (org.junit.jupiter.api.Test)6 Document (org.w3c.dom.Document)6 Element (org.w3c.dom.Element)6 SyncopeClientException (org.apache.syncope.common.lib.SyncopeClientException)5 SAML2ReceivedResponseTO (org.apache.syncope.common.lib.to.SAML2ReceivedResponseTO)5 JwsJwtCompactConsumer (org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer)3 SAML2RequestTO (org.apache.syncope.common.lib.to.SAML2RequestTO)3 InputStream (java.io.InputStream)2 Response (javax.ws.rs.core.Response)2 SAML2LoginResponseTO (org.apache.syncope.common.lib.to.SAML2LoginResponseTO)2 IOException (java.io.IOException)1 InputStreamReader (java.io.InputStreamReader)1 KeyStore (java.security.KeyStore)1 X509Certificate (java.security.cert.X509Certificate)1 ServletException (javax.servlet.ServletException)1 HttpServletResponse (javax.servlet.http.HttpServletResponse)1 QName (javax.xml.namespace.QName)1 SyncopeClient (org.apache.syncope.client.lib.SyncopeClient)1 XMLSignature (org.apache.xml.security.signature.XMLSignature)1