
Example 1 with SamlRegisteredServiceServiceProviderMetadataFacade

use of org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade in project cas by apereo.

From the class AbstractSamlProfileHandlerController, method buildSamlResponse.

/**
 * Build the SAML response for the service provider that issued the inbound request.
 *
 * <p>The issuer is read from the inbound {@link AuthnRequest}. It is only acted upon once
 * {@code verifySamlRegisteredService} has mapped it to a registered SAML service (presumably
 * rejecting unknown issuers there) and the service's SP metadata has been resolved; response
 * construction itself is delegated to {@code responseBuilder}.
 *
 * @param response              the http response the SAML response is written to
 * @param request               the http request
 * @param authenticationContext the authn request paired with its opensaml message context
 * @param casAssertion          the cas assertion to encode into the SAML response
 * @throws UnauthorizedServiceException if no SP metadata can be located for the issuer
 */
protected void buildSamlResponse(final HttpServletResponse response, final HttpServletRequest request, final Pair<AuthnRequest, MessageContext> authenticationContext, final Assertion casAssertion) {
    final AuthnRequest authnRequest = authenticationContext.getKey();
    final String issuer = SamlIdPUtils.getIssuerFromSamlRequest(authnRequest);
    LOGGER.debug("Located issuer [{}] from authentication context", issuer);

    final SamlRegisteredService registeredService = verifySamlRegisteredService(issuer);
    final SamlRegisteredServiceServiceProviderMetadataFacade facade = getSamlMetadataFacadeFor(registeredService, authnRequest)
        .orElseThrow(() -> new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "Cannot find metadata linked to " + issuer));

    final String entityId = facade.getEntityId();
    LOGGER.debug("Preparing SAML response for [{}]", entityId);
    this.responseBuilder.build(authnRequest, request, response, casAssertion, registeredService, facade);
    LOGGER.info("Built the SAML response for [{}]", entityId);
}

Example 2 with SamlRegisteredServiceServiceProviderMetadataFacade

use of org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade in project cas by apereo.

From the class ECPProfileHandlerController, method handleEcpRequest.

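/**
 * Handle a SAML ECP (Enhanced Client or Proxy) request carried in a SOAP envelope.
 *
 * <p>The SOAP body is expected to carry an {@link AuthnRequest}. The request is verified against
 * the registered SAML service and its metadata <em>before</em> the supplied credential is
 * authenticated, so credentials are never validated on behalf of an unknown service provider.
 * Any failure is reported back to the ECP client as a SOAP fault.
 *
 * <p>Security note: the fault returned for unexpected exceptions now carries a fixed message
 * instead of the raw exception text, which may contain internal details (class names, paths,
 * backend error strings) that should not reach an unauthenticated client. The full exception
 * is still logged server-side.
 *
 * @param response    the http response
 * @param request     the http request
 * @param soapContext the decoded soap message context; its message must be an {@link AuthnRequest}
 * @param credential  the credential extracted from the ECP client
 */
protected void handleEcpRequest(final HttpServletResponse response, final HttpServletRequest request, final MessageContext soapContext, final Credential credential) {
    final Envelope envelope = soapContext.getSubcontext(SOAP11Context.class).getEnvelope();
    SamlUtils.logSamlObject(configBean, envelope);

    // NOTE(review): this cast is unchecked and sits outside the try block, so a SOAP body that is
    // not an AuthnRequest surfaces as a ClassCastException to the caller rather than as a SOAP
    // fault. Confirm the decoder upstream already enforces the message type.
    final AuthnRequest authnRequest = (AuthnRequest) soapContext.getMessage();
    final Pair<AuthnRequest, MessageContext> authenticationContext = Pair.of(authnRequest, soapContext);
    try {
        // Verify the SP first; authentication only proceeds for a known, authorized service.
        final Pair<SamlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade> serviceRequest = verifySamlAuthenticationRequest(authenticationContext, request);
        final Authentication authentication = authenticateEcpRequest(credential, authenticationContext);
        buildSamlResponse(response, request, authenticationContext, buildEcpCasAssertion(authentication, serviceRequest.getKey()));
    } catch (final AuthenticationException e) {
        LOGGER.error(e.getMessage(), e);
        // Report which handlers rejected the credential, by simple class name only.
        final String error = e.getHandlerErrors().values().stream().map(Class::getSimpleName).collect(Collectors.joining(","));
        buildEcpFaultResponse(response, request, Pair.of(authnRequest, error));
    } catch (final Exception e) {
        // Keep the details in the log; send the client a generic fault so internal state is not disclosed.
        LOGGER.error(e.getMessage(), e);
        buildEcpFaultResponse(response, request, Pair.of(authnRequest, "Unable to process the ECP request"));
    }
}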

Example 3 with SamlRegisteredServiceServiceProviderMetadataFacade

use of org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade in project cas by apereo.

From the class IdPInitiatedProfileHandlerController, method handleIdPInitiatedSsoRequest.

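/**
 * Handle an IdP-initiated (unsolicited) SSO request.
 *
 * <p>This endpoint takes the Shibboleth-style unsolicited SSO parameters
 * ({@code providerId}, {@code shire}, {@code target}, {@code time}), builds a synthetic
 * {@link AuthnRequest} on behalf of the service provider and hands it to the normal
 * authentication flow via {@code initiateAuthenticationRequest}.
 *
 * <p>Trust boundary: every parameter is caller-supplied. {@code providerId} is only used after
 * {@code verifySamlRegisteredService} has matched it to a registered service with resolvable
 * metadata. {@code shire} and {@code target} are copied into the synthetic request as given.
 *
 * @param response the http response
 * @param request  the http request
 * @throws MessageDecodingException    if {@code providerId} is missing or no ACS URL can be resolved
 * @throws UnauthorizedServiceException if no metadata is linked to {@code providerId}
 * @throws Exception                   propagated from signing or from the authentication flow
 */
@GetMapping(path = SamlIdPConstants.ENDPOINT_SAML2_IDP_INIT_PROFILE_SSO)
protected void handleIdPInitiatedSsoRequest(final HttpServletResponse response, final HttpServletRequest request) throws Exception {
    // The name (i.e., the entity ID) of the service provider.
    final String providerId = CommonUtils.safeGetParameter(request, SamlIdPConstants.PROVIDER_ID);
    if (StringUtils.isBlank(providerId)) {
        LOGGER.warn("No providerId parameter given in unsolicited SSO authentication request.");
        throw new MessageDecodingException("No providerId parameter given in unsolicited SSO authentication request.");
    }
    final SamlRegisteredService registeredService = verifySamlRegisteredService(providerId);
    final SamlRegisteredServiceServiceProviderMetadataFacade facade = getSamlMetadataFacadeFor(registeredService, providerId)
        .orElseThrow(() -> new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "Cannot find metadata linked to " + providerId));

    // The URL of the response location at the SP (called the "Assertion Consumer Service"),
    // which may be omitted in favor of the IdP picking the default endpoint location from metadata.
    // NOTE(review): a caller-supplied shire is accepted verbatim here; nothing in this method
    // checks it against the ACS endpoints published in the SP metadata. Confirm the response
    // builder validates the destination before the assertion is posted to it.
    String shire = CommonUtils.safeGetParameter(request, SamlIdPConstants.SHIRE);
    if (StringUtils.isBlank(shire)) {
        shire = facade.getAssertionConsumerService().getLocation();
    }
    if (StringUtils.isBlank(shire)) {
        LOGGER.warn("Unable to resolve SP ACS URL for AuthnRequest construction for entityID: [{}]", providerId);
        throw new MessageDecodingException("Unable to resolve SP ACS URL for AuthnRequest construction");
    }
    // The target resource at the SP, or a state token generated by an SP to represent the resource.
    final String target = CommonUtils.safeGetParameter(request, SamlIdPConstants.TARGET);
    // A timestamp to help with stale request detection.
    final String time = CommonUtils.safeGetParameter(request, SamlIdPConstants.TIME);

    final SAMLObjectBuilder builder = (SAMLObjectBuilder) configBean.getBuilderFactory().getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME);
    final AuthnRequest authnRequest = (AuthnRequest) builder.buildObject();
    authnRequest.setAssertionConsumerServiceURL(shire);

    final SAMLObjectBuilder isBuilder = (SAMLObjectBuilder) configBean.getBuilderFactory().getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
    final Issuer issuer = (Issuer) isBuilder.buildObject();
    issuer.setValue(providerId);
    authnRequest.setIssuer(issuer);
    authnRequest.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI);

    final SAMLObjectBuilder pBuilder = (SAMLObjectBuilder) configBean.getBuilderFactory().getBuilder(NameIDPolicy.DEFAULT_ELEMENT_NAME);
    final NameIDPolicy nameIDPolicy = (NameIDPolicy) pBuilder.buildObject();
    nameIDPolicy.setAllowCreate(Boolean.TRUE);
    authnRequest.setNameIDPolicy(nameIDPolicy);

    authnRequest.setIssueInstant(resolveIssueInstant(time));
    authnRequest.setForceAuthn(Boolean.FALSE);

    if (StringUtils.isNotBlank(target)) {
        request.setAttribute(SamlProtocolConstants.PARAMETER_SAML_RELAY_STATE, target);
    }

    final MessageContext ctx = new MessageContext();
    ctx.setAutoCreateSubcontexts(true);
    // If the SP metadata demands signed requests, sign the request the IdP just authored so
    // downstream processing sees the expected shape.
    if (facade.isAuthnRequestsSigned()) {
        samlObjectSigner.encode(authnRequest, registeredService, facade, response, request);
    }
    ctx.setMessage(authnRequest);
    // A synthetic request carries no binding-level signature; say so explicitly.
    ctx.getSubcontext(SAMLBindingContext.class, true).setHasBindingSignature(false);
    final Pair<SignableSAMLObject, MessageContext> pair = Pair.of(authnRequest, ctx);
    initiateAuthenticationRequest(pair, response, request);
}

/**
 * Resolve the issue instant of the synthetic request from the unsolicited {@code time} parameter.
 *
 * <p>{@code time} is taken to be a Unix epoch timestamp in seconds (the Shibboleth unsolicited-SSO
 * convention; TODO confirm against the SPs in use) and converted to the milliseconds that
 * {@link DateTime} expects. The previous code called {@code TimeUnit.SECONDS.convert(time, MILLISECONDS)},
 * which divides the value by 1000 and then feeds that to a millisecond constructor, yielding an
 * instant far in the past. Missing or unparseable values fall back to "now" in UTC.
 *
 * @param time the raw {@code time} request parameter, possibly {@code null}
 * @return the issue instant in UTC
 */
private DateTime resolveIssueInstant(final String time) {
    if (NumberUtils.isCreatable(time)) {
        try {
            // isCreatable also admits hex and decimal forms that parseLong rejects, hence the guard.
            final long epochSeconds = Long.parseLong(time);
            return new DateTime(TimeUnit.SECONDS.toMillis(epochSeconds), ISOChronology.getInstanceUTC());
        } catch (final NumberFormatException e) {
            LOGGER.warn("Ignoring unparseable time parameter [{}]; using the current time instead", time);
        }
    }
    return DateTime.now(ISOChronology.getInstanceUTC());
}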

Example 4 with SamlRegisteredServiceServiceProviderMetadataFacade

use of org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade in project cas by apereo.

From the class BaseSamlRegisteredServiceAttributeReleasePolicy, method getAttributesInternal.

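/**
 * Release attributes for a SAML registered service, driven by the SP's metadata.
 *
 * <p>For non-SAML services, or whenever the request, application context, metadata facade or
 * entity descriptor cannot be located, this falls back to the parent policy unchanged. The SP
 * entity id is taken from the {@code entityId} request parameter or, failing that, from the
 * {@code entityId} query parameter embedded in the {@code service} parameter.
 *
 * <p>NOTE(review): both sources of the entity id are caller-controlled. The metadata lookup is
 * scoped to the already-resolved {@code SamlRegisteredService}, but confirm the facade rejects
 * an entity id that does not belong to that service rather than resolving it blindly.
 *
 * @param attrs   the principal attributes available for release
 * @param service the registered service being accessed
 * @return the attributes to release
 */
@Override
protected Map<String, Object> getAttributesInternal(final Map<String, Object> attrs, final RegisteredService service) {
    if (!(service instanceof SamlRegisteredService)) {
        return super.getAttributesInternal(attrs, service);
    }
    final SamlRegisteredService saml = (SamlRegisteredService) service;

    final HttpServletRequest request = WebUtils.getHttpServletRequestFromRequestAttributes();
    if (request == null) {
        LOGGER.warn("Could not locate the request context to process attributes");
        return super.getAttributesInternal(attrs, service);
    }
    final String entityId = resolveEntityId(request);

    final ApplicationContext ctx = ApplicationContextProvider.getApplicationContext();
    if (ctx == null) {
        LOGGER.warn("Could not locate the application context to process attributes");
        return super.getAttributesInternal(attrs, service);
    }
    final SamlRegisteredServiceCachingMetadataResolver resolver = ctx.getBean("defaultSamlRegisteredServiceCachingMetadataResolver", SamlRegisteredServiceCachingMetadataResolver.class);
    final Optional<SamlRegisteredServiceServiceProviderMetadataFacade> facade = SamlRegisteredServiceServiceProviderMetadataFacade.get(resolver, saml, entityId);
    // The null guard is kept deliberately: nothing visible here guarantees the lookup never returns null.
    if (facade == null || !facade.isPresent()) {
        LOGGER.warn("Could not locate metadata for [{}] to process attributes", entityId);
        return super.getAttributesInternal(attrs, service);
    }
    final EntityDescriptor input = facade.get().getEntityDescriptor();
    if (input == null) {
        LOGGER.warn("Could not locate entity descriptor for [{}] to process attributes", entityId);
        return super.getAttributesInternal(attrs, service);
    }
    return getAttributesForSamlRegisteredService(attrs, saml, ctx, resolver, facade.get(), input);
}

/**
 * Determine the SP entity id for the current request.
 *
 * <p>Prefers the {@code entityId} request parameter; otherwise parses the {@code service}
 * parameter as a URI and reads its first {@code entityId} query parameter. A malformed
 * {@code service} value is logged with its cause and leaves the entity id as it was.
 *
 * @param request the current http request
 * @return the entity id; {@code null} or blank when neither source provides one, and the empty
 *         string when the {@code service} URI parses but carries no {@code entityId}
 */
private String resolveEntityId(final HttpServletRequest request) {
    String entityId = request.getParameter(SamlProtocolConstants.PARAMETER_ENTITY_ID);
    if (StringUtils.isNotBlank(entityId)) {
        return entityId;
    }
    final String svcParam = request.getParameter(CasProtocolConstants.PARAMETER_SERVICE);
    if (StringUtils.isBlank(svcParam)) {
        return entityId;
    }
    try {
        final URIBuilder builder = new URIBuilder(svcParam);
        entityId = builder.getQueryParams().stream()
            .filter(p -> p.getName().equals(SamlProtocolConstants.PARAMETER_ENTITY_ID))
            .map(NameValuePair::getValue)
            .findFirst()
            .orElse(StringUtils.EMPTY);
    } catch (final Exception e) {
        // Keep the stack trace; logging only the message loses where the parse failed.
        LOGGER.error(e.getMessage(), e);
    }
    return entityId;
}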

Example 5 with SamlRegisteredServiceServiceProviderMetadataFacade

use of org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade in project cas by apereo.

From the class SamlIdPMetadataUIAction, method doExecute.

/**
 * Locate and expose SAML metadata UI information (MDUI) for the requested service.
 *
 * <p>The service is resolved through the selection strategy, matched to a registered service and
 * passed through the access-strategy check (which presumably rejects disallowed services) before
 * any metadata is touched. Only SAML registered services carry MDUI; for any other service type
 * the action simply succeeds without publishing anything.
 *
 * @param requestContext the webflow request context
 * @return the {@code success} event
 * @throws UnauthorizedServiceException if no SP metadata is linked to the service
 * @throws Exception propagated from service resolution or the access check
 */
@Override
protected Event doExecute(final RequestContext requestContext) throws Exception {
    final Service service = this.serviceSelectionStrategy.resolveService(WebUtils.getService(requestContext));
    final RegisteredService registeredService = this.servicesManager.findServiceBy(service);
    // Access policy is enforced before any metadata is resolved or exposed.
    RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(service, registeredService);

    if (!(registeredService instanceof SamlRegisteredService)) {
        return success();
    }
    final String entityId = service.getId();
    final SamlRegisteredService samlService = (SamlRegisteredService) registeredService;
    final SamlRegisteredServiceServiceProviderMetadataFacade facade = SamlRegisteredServiceServiceProviderMetadataFacade.get(resolver, samlService, entityId)
        .orElseThrow(() -> new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "Cannot find metadata linked to " + entityId));
    final SamlMetadataUIInfo mdui = MetadataUIUtils.locateMetadataUserInterfaceForEntityId(facade.getEntityDescriptor(), entityId, registeredService);
    WebUtils.putServiceUserInterfaceMetadata(requestContext, mdui);
    return success();
}
