
Example 1 with SAML2Config

use of org.forgerock.openam.sts.config.user.SAML2Config in project OpenAM by OpenRock.

the class TokenDelegationHandlersProviderTest method createInstanceConfig.

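private SoapSTSInstanceConfig createInstanceConfig(boolean delegationValidatorsSpecified, boolean customDelegationHandler) throws UnsupportedEncodingException {
    /*
     * Builds a soap-sts instance config fixture that validates OPENAM security-policy tokens and issues
     * SAML2 tokens. delegationValidatorsSpecified adds validated delegation token types (USERNAME, OPENAM);
     * customDelegationHandler registers the default delegation handler class; either one marks delegation
     * relationships as supported. Throws UnsupportedEncodingException if the charset id used to encode the
     * fixture passwords is unknown.
     */
    AuthTargetMapping mapping = AuthTargetMapping.builder()
            .addMapping(TokenType.USERNAME, "service", "ldap")
            .build();
    SoapDeploymentConfig deploymentConfig = SoapDeploymentConfig.builder()
            .portQName(AMSTSConstants.STANDARD_STS_PORT_QNAME)
            .serviceQName(AMSTSConstants.STANDARD_STS_SERVICE_NAME)
            .wsdlLocation("wsdl_loc")
            .realm("realm")
            .amDeploymentUrl("http://host.com/am:443")
            .uriElement("inst1222")
            .authTargetMapping(mapping)
            .build();
    // All fixture passwords are encoded with an explicit charset so the byte values do not depend on
    // the platform default; the bare getBytes() previously used for the SAML2 key passwords was not.
    SoapSTSKeystoreConfig keystoreConfig = SoapSTSKeystoreConfig.builder()
            .keystoreFileName("stsstore.jks")
            .keystorePassword("stsspass".getBytes(AMSTSConstants.UTF_8_CHARSET_ID))
            .encryptionKeyAlias("mystskey")
            .signatureKeyAlias("mystskey")
            .encryptionKeyPassword("stskpass".getBytes(AMSTSConstants.UTF_8_CHARSET_ID))
            .signatureKeyPassword("stskpass".getBytes(AMSTSConstants.UTF_8_CHARSET_ID))
            .build();
    SoapSTSInstanceConfig.SoapSTSInstanceConfigBuilderBase<?> builder = SoapSTSInstanceConfig.builder();
    builder.addSecurityPolicyTokenValidationConfiguration(TokenType.OPENAM, false);
    builder.addIssueTokenType(TokenType.SAML2);
    Map<String, String> attributeMap = new HashMap<>();
    attributeMap.put("mail", "email");
    attributeMap.put("uid", "id");
    SAML2Config saml2Config = SAML2Config.builder()
            .nameIdFormat("transient")
            .tokenLifetimeInSeconds(500000)
            .spEntityId("http://host.com/saml2/sp/entity/id")
            .encryptAssertion(true)
            .signAssertion(true)
            .encryptionAlgorithm("http://www.w3.org/2001/04/xmlenc#aes128-cbc")
            .encryptionKeyAlias("test")
            .signatureKeyAlias("test")
            .signatureKeyPassword("super.secret".getBytes(AMSTSConstants.UTF_8_CHARSET_ID))
            .encryptionAlgorithmStrength(128)
            .keystoreFile("da/directory/file")
            .keystorePassword("super.secret".getBytes(AMSTSConstants.UTF_8_CHARSET_ID))
            .attributeMap(attributeMap)
            .idpId("da_idp")
            .build();
    // Delegation is supported whenever either flavour of delegation configuration is requested.
    boolean delegationRelationshipsSupported = customDelegationHandler || delegationValidatorsSpecified;
    if (delegationRelationshipsSupported) {
        SoapDelegationConfig.SoapDelegationConfigBuilder delegationConfigBuilder = SoapDelegationConfig.builder();
        if (delegationValidatorsSpecified) {
            delegationConfigBuilder
                    .addValidatedDelegationTokenType(TokenType.USERNAME, true)
                    .addValidatedDelegationTokenType(TokenType.OPENAM, false);
        }
        if (customDelegationHandler) {
            delegationConfigBuilder.addCustomDelegationTokenHandler("org.forgerock.openam.sts.soap.token.delegation.DefaultTokenDelegationHandler");
        }
        builder.soapDelegationConfig(delegationConfigBuilder.build());
    }
    return builder
            .deploymentConfig(deploymentConfig)
            .soapSTSKeystoreConfig(keystoreConfig)
            .saml2Config(saml2Config)
            .delegationRelationshipsSupported(delegationRelationshipsSupported)
            .build();
}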

Example 2 with SAML2Config

use of org.forgerock.openam.sts.config.user.SAML2Config in project OpenAM by OpenRock.

the class SoapSTSInstanceStateProviderTest method createInstanceConfig.

private SoapSTSInstanceConfig createInstanceConfig() throws UnsupportedEncodingException {
    /*
     * Builds a soap-sts instance config fixture that validates OPENAM security-policy tokens and issues
     * SAML2 tokens with a persistent NameID. Deployment URL and URI element come from the test's constants.
     * Throws UnsupportedEncodingException if the charset id used to encode the keystore passwords is unknown.
     */
    Map<String, String> samlAttributes = new HashMap<>();
    samlAttributes.put("email", "mail");
    SAML2Config saml2Config = SAML2Config.builder()
            .attributeMap(samlAttributes)
            .nameIdFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent")
            .spEntityId("http://host.com/sp/entity/id")
            .idpId("da_idp")
            .build();
    AuthTargetMapping authTargetMapping = AuthTargetMapping.builder()
            .addMapping(TokenType.USERNAME, "service", "ldap")
            .build();
    SoapDeploymentConfig soapDeploymentConfig = SoapDeploymentConfig.builder()
            .portQName(AMSTSConstants.STANDARD_STS_PORT_QNAME)
            .serviceQName(AMSTSConstants.STANDARD_STS_SERVICE_NAME)
            .wsdlLocation("wsdl_loc")
            .realm("realm")
            .amDeploymentUrl(AM_DEPLOYMENT_URL)
            .uriElement(DEPLOYMENT_URL_ELEMENT)
            .authTargetMapping(authTargetMapping)
            .build();
    // Keystore and key passwords are encoded with the explicit UTF-8 charset id rather than the platform default.
    SoapSTSKeystoreConfig stsKeystoreConfig = SoapSTSKeystoreConfig.builder()
            .keystoreFileName("stsstore.jks")
            .keystorePassword("stsspass".getBytes(AMSTSConstants.UTF_8_CHARSET_ID))
            .encryptionKeyAlias("mystskey")
            .signatureKeyAlias("mystskey")
            .encryptionKeyPassword("stskpass".getBytes(AMSTSConstants.UTF_8_CHARSET_ID))
            .signatureKeyPassword("stskpass".getBytes(AMSTSConstants.UTF_8_CHARSET_ID))
            .build();
    return SoapSTSInstanceConfig.builder()
            .addIssueTokenType(TokenType.SAML2)
            .addSecurityPolicyTokenValidationConfiguration(TokenType.OPENAM, false)
            .deploymentConfig(soapDeploymentConfig)
            .soapSTSKeystoreConfig(stsKeystoreConfig)
            .saml2Config(saml2Config)
            .build();
}

Example 3 with SAML2Config

use of org.forgerock.openam.sts.config.user.SAML2Config in project OpenAM by OpenRock.

the class SAML2TokenGenerationImpl method generate.

public String generate(SSOToken subjectToken, STSInstanceState stsInstanceState, TokenGenerationServiceInvocationState invocationState) throws TokenCreationException {
    /*
     * Builds a SAML2 assertion for the principal behind subjectToken, applies the encryption and signing
     * demanded by the instance's SAML2Config, optionally persists the serialized token in the CTS, and
     * returns the assertion as an XML string.
     *
     * Throws TokenCreationException with BAD_REQUEST when the published instance carries no SAML2Config,
     * with INTERNAL_ERROR when XML serialization fails, and with the persistence layer's own code when
     * CTS persistence fails.
     */
    final SAML2Config saml2Config = stsInstanceState.getConfig().getSaml2Config();
    if (saml2Config == null) {
        throw new TokenCreationException(ResourceException.BAD_REQUEST, "Invocation targets a SAML2 token, but no SAML2Config was specified in the published sts!");
    }
    // The subject token is validated before anything is built; an invalid token never reaches assertion creation.
    final String principalId = ssoTokenIdentity.validateAndGetTokenPrincipal(subjectToken);
    final Assertion samlAssertion = AssertionFactory.getInstance().createAssertion();
    setVersionAndId(samlAssertion);
    setIssuer(samlAssertion, saml2Config);
    // One timestamp is shared by IssueInstant, Conditions, Subject and the CTS record so they agree exactly.
    final Date issuedAt = new Date();
    setIssueInstant(samlAssertion, issuedAt);
    final SAML2TokenGenerationState generationState = invocationState.getSaml2TokenGenerationState();
    setConditions(samlAssertion, saml2Config, issuedAt, generationState.getSaml2SubjectConfirmation());
    setSubject(samlAssertion, principalId, saml2Config.getSpAcsUrl(), saml2Config, invocationState.getSaml2TokenGenerationState().getSaml2SubjectConfirmation(), issuedAt, generationState.getProofTokenState());
    setAuthenticationStatements(samlAssertion, saml2Config, generationState.getAuthnContextClassRef());
    setAttributeStatements(samlAssertion, subjectToken, saml2Config);
    setAuthzDecisionStatements(samlAssertion, subjectToken, saml2Config);
    final String serializedAssertion;
    if (!saml2Config.encryptAssertion()) {
        // Element-level protection: encrypt the attribute statement and/or NameID as configured, then sign
        // the assertion so the signature covers the encrypted elements.
        if (saml2Config.encryptAttributes()) {
            encryptAttributeStatement(samlAssertion, saml2Config, stsInstanceState);
        }
        if (saml2Config.encryptNameID()) {
            encryptNameID(samlAssertion, saml2Config, stsInstanceState);
        }
        if (saml2Config.signAssertion()) {
            signAssertion(samlAssertion, stsInstanceState);
        }
        try {
            serializedAssertion = samlAssertion.toXMLString(ASSERTION_TO_STRING_INCLUDE_NAMESPACE_PREFIX, ASSERTION_TO_STRING_DECLARE_NAMESPACE_PREFIX);
        } catch (SAML2Exception e) {
            throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception caught calling Assertion.toXMLString: " + e, e);
        }
    } else {
        // Whole-assertion encryption: the helper handles both signing and encryption, because encrypting the
        // entire assertion must be preceded by signing it.
        EncryptedAssertion encryptedAssertion = handleSingingAndEncryptionOfEntireAssertion(samlAssertion, saml2Config, stsInstanceState);
        try {
            serializedAssertion = encryptedAssertion.toXMLString(ASSERTION_TO_STRING_INCLUDE_NAMESPACE_PREFIX, ASSERTION_TO_STRING_DECLARE_NAMESPACE_PREFIX);
        } catch (SAML2Exception e) {
            throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception caught calling Assertion.toXMLString: " + e, e);
        }
    }
    if (stsInstanceState.getConfig().persistIssuedTokensInCTS()) {
        // Persistence failures keep the CTS layer's own error code rather than being rewrapped as INTERNAL_ERROR.
        try {
            ctsTokenPersistence.persistToken(invocationState.getStsInstanceId(), TokenType.SAML2, serializedAssertion, principalId, issuedAt.getTime(), saml2Config.getTokenLifetimeInSeconds());
        } catch (CTSTokenPersistenceException e) {
            throw new TokenCreationException(e.getCode(), e.getMessage(), e);
        }
    }
    return serializedAssertion;
}

Example 4 with SAML2Config

use of org.forgerock.openam.sts.config.user.SAML2Config in project OpenAM by OpenRock.

the class SoapSTSInstancePublisherImplTest method createInstanceConfig.

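private SoapSTSInstanceConfig createInstanceConfig(String uriElement, String amDeploymentUrl) throws UnsupportedEncodingException {
    /*
     * Builds a soap-sts instance config fixture published at uriElement against amDeploymentUrl. It validates
     * OPENAM and USERNAME security-policy tokens and issues SAML2 tokens using a sign-and-encrypt SAML2Config.
     * Throws UnsupportedEncodingException if the charset id used to encode the fixture passwords is unknown.
     */
    AuthTargetMapping mapping = AuthTargetMapping.builder()
            .addMapping(TokenType.USERNAME, "service", "ldap")
            .build();
    SoapDeploymentConfig deploymentConfig = SoapDeploymentConfig.builder()
            .portQName(AMSTSConstants.STANDARD_STS_PORT_QNAME)
            .serviceQName(AMSTSConstants.STANDARD_STS_SERVICE_NAME)
            .wsdlLocation("wsdl_loc")
            .realm("realm")
            .amDeploymentUrl(amDeploymentUrl)
            .uriElement(uriElement)
            .authTargetMapping(mapping)
            .build();
    // All fixture passwords are encoded with an explicit charset so the byte values do not depend on
    // the platform default; the bare getBytes() previously used for the SAML2 key passwords was not.
    SoapSTSKeystoreConfig keystoreConfig = SoapSTSKeystoreConfig.builder()
            .keystoreFileName("stsstore.jks")
            .keystorePassword("frstssrvkspw".getBytes(AMSTSConstants.UTF_8_CHARSET_ID))
            .encryptionKeyAlias("frstssrval")
            .encryptionKeyPassword("frstssrvpw".getBytes(AMSTSConstants.UTF_8_CHARSET_ID))
            .signatureKeyAlias("frstssrval")
            .signatureKeyPassword("frstssrvpw".getBytes(AMSTSConstants.UTF_8_CHARSET_ID))
            .build();
    SoapSTSInstanceConfig.SoapSTSInstanceConfigBuilderBase<?> builder = SoapSTSInstanceConfig.builder();
    builder.addSecurityPolicyTokenValidationConfiguration(TokenType.OPENAM, false);
    builder.addSecurityPolicyTokenValidationConfiguration(TokenType.USERNAME, true);
    builder.addIssueTokenType(TokenType.SAML2);
    Map<String, String> attributeMap = new HashMap<>();
    attributeMap.put("mail", "email");
    attributeMap.put("uid", "id");
    SAML2Config saml2Config = SAML2Config.builder()
            .nameIdFormat("transient")
            .tokenLifetimeInSeconds(500000)
            .spEntityId("http://host.com/saml2/sp/entity/id")
            .encryptAssertion(true)
            .signAssertion(true)
            .encryptionAlgorithm("http://www.w3.org/2001/04/xmlenc#aes128-cbc")
            .encryptionKeyAlias("test")
            .signatureKeyAlias("test")
            .signatureKeyPassword("super.secret".getBytes(AMSTSConstants.UTF_8_CHARSET_ID))
            .encryptionAlgorithmStrength(128)
            .keystoreFile("da/directory/file")
            .keystorePassword("super.secret".getBytes(AMSTSConstants.UTF_8_CHARSET_ID))
            .attributeMap(attributeMap)
            .idpId("da_idp")
            .build();
    return builder
            .deploymentConfig(deploymentConfig)
            .soapSTSKeystoreConfig(keystoreConfig)
            .saml2Config(saml2Config)
            .build();
}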

Example 5 with SAML2Config

use of org.forgerock.openam.sts.config.user.SAML2Config in project OpenAM by OpenRock.

the class RestSTSInstanceStateProviderTest method createSAMLRestInstanceConfig.

private RestSTSInstanceConfig createSAMLRestInstanceConfig() {
    /*
     * Builds a rest-sts instance config fixture that transforms X509, USERNAME, OPENAM and OPENIDCONNECT
     * tokens into SAML2 tokens. The interim OpenAM session is invalidated only for the USERNAME and
     * OPENIDCONNECT transforms. The URI element comes from the test's DEPLOYMENT_URL_ELEMENT constant.
     */
    Map<String, String> samlAttributes = new HashMap<>();
    samlAttributes.put("email", "mail");
    SAML2Config saml2Config = SAML2Config.builder()
            .attributeMap(samlAttributes)
            .nameIdFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent")
            .spEntityId("http://host.com/sp/entity/id")
            .idpId("da_idp")
            .build();
    // The OIDC mapping carries the header name under which the id_token is presented to the auth module.
    Map<String, String> oidcContext = new HashMap<>();
    oidcContext.put(AMSTSConstants.OPEN_ID_CONNECT_ID_TOKEN_AUTH_TARGET_HEADER_KEY, "oidc_id_token");
    AuthTargetMapping authTargetMapping = AuthTargetMapping.builder()
            .addMapping(TokenType.USERNAME, "service", "ldapService")
            .addMapping(TokenType.OPENIDCONNECT, "module", "oidc", oidcContext)
            .build();
    DeploymentConfig restDeploymentConfig = DeploymentConfig.builder()
            .uriElement(DEPLOYMENT_URL_ELEMENT)
            .authTargetMapping(authTargetMapping)
            .build();
    final boolean invalidateSession = AMSTSConstants.INVALIDATE_INTERIM_OPENAM_SESSION;
    return RestSTSInstanceConfig.builder()
            .deploymentConfig(restDeploymentConfig)
            .saml2Config(saml2Config)
            .addSupportedTokenTransform(TokenType.X509, TokenType.SAML2, !invalidateSession)
            .addSupportedTokenTransform(TokenType.USERNAME, TokenType.SAML2, invalidateSession)
            .addSupportedTokenTransform(TokenType.OPENAM, TokenType.SAML2, !invalidateSession)
            .addSupportedTokenTransform(TokenType.OPENIDCONNECT, TokenType.SAML2, invalidateSession)
            .build();
}
