Example 1 with SamlIdPProperties
use of org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties in project cas by apereo.
the class SamlIdPConfiguration method casSamlIdPMetadataResolver.
@Bean
public MetadataResolver casSamlIdPMetadataResolver() {
try {
final SamlIdPProperties idp = casProperties.getAuthn().getSamlIdp();
final ResourceBackedMetadataResolver resolver = new ResourceBackedMetadataResolver(ResourceHelper.of(new FileSystemResource(idp.getMetadata().getMetadataFile())));
resolver.setParserPool(this.openSamlConfigBean.getParserPool());
resolver.setFailFastInitialization(idp.getMetadata().isFailFast());
resolver.setRequireValidMetadata(idp.getMetadata().isRequireValidMetadata());
resolver.setId(idp.getEntityId());
resolver.initialize();
return resolver;
} catch (final Exception e) {
throw new BeanCreationException(e.getMessage(), e);
}
}
Also used :
BeanCreationException(org.springframework.beans.factory.BeanCreationException)
SamlIdPProperties(org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties)
ResourceBackedMetadataResolver(org.opensaml.saml.metadata.resolver.impl.ResourceBackedMetadataResolver)
FileSystemResource(org.springframework.core.io.FileSystemResource)
BeanCreationException(org.springframework.beans.factory.BeanCreationException)
ConditionalOnMissingBean(org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean)
OpenSamlConfigBean(org.apereo.cas.support.saml.OpenSamlConfigBean)
Bean(org.springframework.context.annotation.Bean)
Example 2 with SamlIdPProperties
use of org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties in project cas by apereo.
the class BaseSamlObjectSigner method getSignatureSigningConfiguration.
/**
* Gets signature signing configuration.
*
* @return the signature signing configuration
* @throws Exception the exception
*/
protected SignatureSigningConfiguration getSignatureSigningConfiguration() throws Exception {
final BasicSignatureSigningConfiguration config = DefaultSecurityConfigurationBootstrap.buildDefaultSignatureSigningConfiguration();
final SamlIdPProperties samlIdp = casProperties.getAuthn().getSamlIdp();
if (this.overrideBlackListedSignatureAlgorithms != null && !samlIdp.getAlgs().getOverrideBlackListedSignatureSigningAlgorithms().isEmpty()) {
config.setBlacklistedAlgorithms(this.overrideBlackListedSignatureAlgorithms);
}
if (this.overrideSignatureAlgorithms != null && !this.overrideSignatureAlgorithms.isEmpty()) {
config.setSignatureAlgorithms(this.overrideSignatureAlgorithms);
}
if (this.overrideSignatureReferenceDigestMethods != null && !this.overrideSignatureReferenceDigestMethods.isEmpty()) {
config.setSignatureReferenceDigestMethods(this.overrideSignatureReferenceDigestMethods);
}
if (this.overrideWhiteListedAlgorithms != null && !this.overrideWhiteListedAlgorithms.isEmpty()) {
config.setWhitelistedAlgorithms(this.overrideWhiteListedAlgorithms);
}
if (StringUtils.isNotBlank(samlIdp.getAlgs().getOverrideSignatureCanonicalizationAlgorithm())) {
config.setSignatureCanonicalizationAlgorithm(samlIdp.getAlgs().getOverrideSignatureCanonicalizationAlgorithm());
}
LOGGER.debug("Signature signing blacklisted algorithms: [{}]", config.getBlacklistedAlgorithms());
LOGGER.debug("Signature signing signature algorithms: [{}]", config.getSignatureAlgorithms());
LOGGER.debug("Signature signing signature canonicalization algorithm: [{}]", config.getSignatureCanonicalizationAlgorithm());
LOGGER.debug("Signature signing whitelisted algorithms: [{}]", config.getWhitelistedAlgorithms());
LOGGER.debug("Signature signing reference digest methods: [{}]", config.getSignatureReferenceDigestMethods());
final PrivateKey privateKey = getSigningPrivateKey();
final X509Certificate certificate = getSigningCertificate();
final List<Credential> creds = new ArrayList<>();
creds.add(new BasicX509Credential(certificate, privateKey));
config.setSigningCredentials(creds);
LOGGER.debug("Signature signing credentials configured");
return config;
}
Also used :
Credential(org.opensaml.security.credential.Credential)
BasicX509Credential(org.opensaml.security.x509.BasicX509Credential)
PrivateKey(java.security.PrivateKey)
SamlIdPProperties(org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties)
BasicX509Credential(org.opensaml.security.x509.BasicX509Credential)
ArrayList(java.util.ArrayList)
BasicSignatureSigningConfiguration(org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration)
X509Certificate(java.security.cert.X509Certificate)
Example 3 with SamlIdPProperties
use of org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties in project cas by apereo.
the class SamlObjectEncrypter method getKeyEncryptionCredential.
/**
* Gets key encryption credential.
*
* @param peerEntityId the peer entity id
* @param adaptor the adaptor
* @param service the service
* @return the key encryption credential
* @throws Exception the exception
*/
protected Credential getKeyEncryptionCredential(final String peerEntityId, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final SamlRegisteredService service) throws Exception {
final SamlIdPProperties idp = casProperties.getAuthn().getSamlIdp();
final BasicEncryptionConfiguration config = DefaultSecurityConfigurationBootstrap.buildDefaultEncryptionConfiguration();
if (this.overrideBlackListedEncryptionAlgorithms != null && !this.overrideBlackListedEncryptionAlgorithms.isEmpty()) {
config.setBlacklistedAlgorithms(this.overrideBlackListedEncryptionAlgorithms);
}
if (this.overrideWhiteListedAlgorithms != null && !this.overrideWhiteListedAlgorithms.isEmpty()) {
config.setWhitelistedAlgorithms(this.overrideWhiteListedAlgorithms);
}
if (this.overrideDataEncryptionAlgorithms != null && !this.overrideDataEncryptionAlgorithms.isEmpty()) {
config.setDataEncryptionAlgorithms(this.overrideDataEncryptionAlgorithms);
}
if (this.overrideKeyEncryptionAlgorithms != null && !this.overrideKeyEncryptionAlgorithms.isEmpty()) {
config.setKeyTransportEncryptionAlgorithms(this.overrideKeyEncryptionAlgorithms);
}
LOGGER.debug("Encryption blacklisted algorithms: [{}]", config.getBlacklistedAlgorithms());
LOGGER.debug("Encryption key algorithms: [{}]", config.getKeyTransportEncryptionAlgorithms());
LOGGER.debug("Signature data algorithms: [{}]", config.getDataEncryptionAlgorithms());
LOGGER.debug("Encryption whitelisted algorithms: [{}]", config.getWhitelistedAlgorithms());
final MetadataCredentialResolver kekCredentialResolver = new MetadataCredentialResolver();
final List<KeyInfoProvider> providers = new ArrayList<>();
providers.add(new RSAKeyValueProvider());
providers.add(new DSAKeyValueProvider());
providers.add(new InlineX509DataProvider());
providers.add(new DEREncodedKeyValueProvider());
providers.add(new KeyInfoReferenceProvider());
final BasicProviderKeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(providers);
kekCredentialResolver.setKeyInfoCredentialResolver(keyInfoResolver);
final PredicateRoleDescriptorResolver roleDescriptorResolver = new PredicateRoleDescriptorResolver(adaptor.getMetadataResolver());
roleDescriptorResolver.setSatisfyAnyPredicates(true);
roleDescriptorResolver.setUseDefaultPredicateRegistry(true);
roleDescriptorResolver.setRequireValidMetadata(idp.getMetadata().isRequireValidMetadata());
roleDescriptorResolver.initialize();
kekCredentialResolver.setRoleDescriptorResolver(roleDescriptorResolver);
kekCredentialResolver.initialize();
final CriteriaSet criteriaSet = new CriteriaSet();
criteriaSet.add(new EncryptionConfigurationCriterion(config));
criteriaSet.add(new EntityIdCriterion(peerEntityId));
criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
LOGGER.debug("Attempting to resolve the encryption key for entity id [{}]", peerEntityId);
return kekCredentialResolver.resolveSingle(criteriaSet);
}
Also used :
UsageCriterion(org.opensaml.security.criteria.UsageCriterion)
RSAKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider)
EncryptionConfigurationCriterion(org.opensaml.xmlsec.criterion.EncryptionConfigurationCriterion)
ArrayList(java.util.ArrayList)
EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion)
MetadataCredentialResolver(org.opensaml.saml.security.impl.MetadataCredentialResolver)
PredicateRoleDescriptorResolver(org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver)
InlineX509DataProvider(org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider)
KeyInfoReferenceProvider(org.opensaml.xmlsec.keyinfo.impl.provider.KeyInfoReferenceProvider)
BasicProviderKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver)
KeyInfoProvider(org.opensaml.xmlsec.keyinfo.impl.KeyInfoProvider)
SamlIdPProperties(org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties)
CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet)
EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion)
BasicEncryptionConfiguration(org.opensaml.xmlsec.impl.BasicEncryptionConfiguration)
DSAKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider)
DEREncodedKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider)
Example 4 with SamlIdPProperties
use of org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties in project cas by apereo.
the class BaseSamlObjectSigner method getSigningCertificate.
/**
* Gets signing certificate.
*
* @return the signing certificate
* @throws Exception the exception
*/
protected X509Certificate getSigningCertificate() throws Exception {
final SamlIdPProperties samlIdp = casProperties.getAuthn().getSamlIdp();
LOGGER.debug("Locating signature signing certificate file from [{}]", samlIdp.getMetadata().getSigningCertFile());
return SamlUtils.readCertificate(new FileSystemResource(samlIdp.getMetadata().getSigningCertFile().getFile()));
}
Also used :
SamlIdPProperties(org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties)
FileSystemResource(org.springframework.core.io.FileSystemResource)
Example 5 with SamlIdPProperties
use of org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties in project cas by apereo.
the class TemplatedMetadataAndCertificatesGenerationService method initialize.
/**
* Initializes a new Generate saml metadata.
*/
@PostConstruct
public void initialize() {
try {
final SamlIdPProperties idp = casProperties.getAuthn().getSamlIdp();
final Resource metadataLocation = idp.getMetadata().getLocation();
if (!metadataLocation.exists()) {
if (!metadataLocation.getFile().mkdir()) {
throw new IllegalArgumentException("Metadata directory location " + metadataLocation + " cannot be located/created");
}
}
LOGGER.info("Metadata directory location is at [{}] with entityID [{}]", metadataLocation, idp.getEntityId());
} catch (final Exception e) {
throw Throwables.propagate(e);
}
}
Also used :
SamlIdPProperties(org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties)
Resource(org.springframework.core.io.Resource)
PostConstruct(javax.annotation.PostConstruct)
Aggregations
SamlIdPProperties (org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties)11
FileSystemResource (org.springframework.core.io.FileSystemResource)3
ArrayList (java.util.ArrayList)2
SelfSignedCertificateGenerator (net.shibboleth.utilities.java.support.security.SelfSignedCertificateGenerator)2
Resource (org.springframework.core.io.Resource)2
StringWriter (java.io.StringWriter)1
PrivateKey (java.security.PrivateKey)1
X509Certificate (java.security.cert.X509Certificate)1
PostConstruct (javax.annotation.PostConstruct)1
CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet)1
OpenSamlConfigBean (org.apereo.cas.support.saml.OpenSamlConfigBean)1
PrivateKeyFactoryBean (org.apereo.cas.util.crypto.PrivateKeyFactoryBean)1
EntityIdCriterion (org.opensaml.core.criterion.EntityIdCriterion)1
EntityRoleCriterion (org.opensaml.saml.criterion.EntityRoleCriterion)1
PredicateRoleDescriptorResolver (org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver)1
ResourceBackedMetadataResolver (org.opensaml.saml.metadata.resolver.impl.ResourceBackedMetadataResolver)1
MetadataCredentialResolver (org.opensaml.saml.security.impl.MetadataCredentialResolver)1
Credential (org.opensaml.security.credential.Credential)1
UsageCriterion (org.opensaml.security.criteria.UsageCriterion)1
BasicX509Credential (org.opensaml.security.x509.BasicX509Credential)1
