use of org.forgerock.openam.sts.config.user.SAML2Config in project OpenAM by OpenRock.
the class TokenDelegationHandlersProviderTest method createInstanceConfig.
private SoapSTSInstanceConfig createInstanceConfig(boolean delegationValidatorsSpecified, boolean customDelegationHandler) throws UnsupportedEncodingException {
AuthTargetMapping mapping = AuthTargetMapping.builder().addMapping(TokenType.USERNAME, "service", "ldap").build();
SoapDeploymentConfig deploymentConfig = SoapDeploymentConfig.builder().portQName(AMSTSConstants.STANDARD_STS_PORT_QNAME).serviceQName(AMSTSConstants.STANDARD_STS_SERVICE_NAME).wsdlLocation("wsdl_loc").realm("realm").amDeploymentUrl("http://host.com/am:443").uriElement("inst1222").authTargetMapping(mapping).build();
SoapSTSKeystoreConfig keystoreConfig;
keystoreConfig = SoapSTSKeystoreConfig.builder().keystoreFileName("stsstore.jks").keystorePassword("stsspass".getBytes(AMSTSConstants.UTF_8_CHARSET_ID)).encryptionKeyAlias("mystskey").signatureKeyAlias("mystskey").encryptionKeyPassword("stskpass".getBytes(AMSTSConstants.UTF_8_CHARSET_ID)).signatureKeyPassword("stskpass".getBytes(AMSTSConstants.UTF_8_CHARSET_ID)).build();
SoapSTSInstanceConfig.SoapSTSInstanceConfigBuilderBase<?> builder = SoapSTSInstanceConfig.builder();
builder.addSecurityPolicyTokenValidationConfiguration(TokenType.OPENAM, false);
builder.addIssueTokenType(TokenType.SAML2);
Map<String, String> attributeMap = new HashMap<>();
attributeMap.put("mail", "email");
attributeMap.put("uid", "id");
SAML2Config saml2Config = SAML2Config.builder().nameIdFormat("transient").tokenLifetimeInSeconds(500000).spEntityId("http://host.com/saml2/sp/entity/id").encryptAssertion(true).signAssertion(true).encryptionAlgorithm("http://www.w3.org/2001/04/xmlenc#aes128-cbc").encryptionKeyAlias("test").signatureKeyAlias("test").signatureKeyPassword("super.secret".getBytes()).encryptionAlgorithmStrength(128).keystoreFile("da/directory/file").keystorePassword("super.secret".getBytes()).attributeMap(attributeMap).idpId("da_idp").build();
boolean delegationRelationshipsSupported = customDelegationHandler || delegationValidatorsSpecified;
if (delegationRelationshipsSupported) {
SoapDelegationConfig.SoapDelegationConfigBuilder delegationConfigBuilder = SoapDelegationConfig.builder();
if (delegationValidatorsSpecified) {
delegationConfigBuilder.addValidatedDelegationTokenType(TokenType.USERNAME, true).addValidatedDelegationTokenType(TokenType.OPENAM, false);
}
if (customDelegationHandler) {
delegationConfigBuilder.addCustomDelegationTokenHandler("org.forgerock.openam.sts.soap.token.delegation.DefaultTokenDelegationHandler");
}
builder.soapDelegationConfig(delegationConfigBuilder.build());
}
return builder.deploymentConfig(deploymentConfig).soapSTSKeystoreConfig(keystoreConfig).saml2Config(saml2Config).delegationRelationshipsSupported(delegationRelationshipsSupported).build();
}
use of org.forgerock.openam.sts.config.user.SAML2Config in project OpenAM by OpenRock.
the class SoapSTSInstanceStateProviderTest method createInstanceConfig.
private SoapSTSInstanceConfig createInstanceConfig() throws UnsupportedEncodingException {
AuthTargetMapping mapping = AuthTargetMapping.builder().addMapping(TokenType.USERNAME, "service", "ldap").build();
SoapDeploymentConfig deploymentConfig = SoapDeploymentConfig.builder().portQName(AMSTSConstants.STANDARD_STS_PORT_QNAME).serviceQName(AMSTSConstants.STANDARD_STS_SERVICE_NAME).wsdlLocation("wsdl_loc").realm("realm").amDeploymentUrl(AM_DEPLOYMENT_URL).uriElement(DEPLOYMENT_URL_ELEMENT).authTargetMapping(mapping).build();
SoapSTSKeystoreConfig keystoreConfig = SoapSTSKeystoreConfig.builder().keystoreFileName("stsstore.jks").keystorePassword("stsspass".getBytes(AMSTSConstants.UTF_8_CHARSET_ID)).encryptionKeyAlias("mystskey").signatureKeyAlias("mystskey").encryptionKeyPassword("stskpass".getBytes(AMSTSConstants.UTF_8_CHARSET_ID)).signatureKeyPassword("stskpass".getBytes(AMSTSConstants.UTF_8_CHARSET_ID)).build();
Map<String, String> attributes = new HashMap<>();
attributes.put("email", "mail");
SAML2Config saml2Config = SAML2Config.builder().attributeMap(attributes).nameIdFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent").spEntityId("http://host.com/sp/entity/id").idpId("da_idp").build();
return SoapSTSInstanceConfig.builder().addIssueTokenType(TokenType.SAML2).addSecurityPolicyTokenValidationConfiguration(TokenType.OPENAM, false).deploymentConfig(deploymentConfig).soapSTSKeystoreConfig(keystoreConfig).saml2Config(saml2Config).build();
}
use of org.forgerock.openam.sts.config.user.SAML2Config in project OpenAM by OpenRock.
the class SAML2TokenGenerationImpl method generate.
public String generate(SSOToken subjectToken, STSInstanceState stsInstanceState, TokenGenerationServiceInvocationState invocationState) throws TokenCreationException {
final SAML2Config saml2Config = stsInstanceState.getConfig().getSaml2Config();
if (saml2Config == null) {
throw new TokenCreationException(ResourceException.BAD_REQUEST, "Invocation targets a SAML2 token, but no SAML2Config was specified in the published sts!");
}
final String subjectId = ssoTokenIdentity.validateAndGetTokenPrincipal(subjectToken);
final Assertion assertion = AssertionFactory.getInstance().createAssertion();
setVersionAndId(assertion);
setIssuer(assertion, saml2Config);
final Date issueInstant = new Date();
setIssueInstant(assertion, issueInstant);
final SAML2TokenGenerationState tokenGenerationState = invocationState.getSaml2TokenGenerationState();
setConditions(assertion, saml2Config, issueInstant, tokenGenerationState.getSaml2SubjectConfirmation());
setSubject(assertion, subjectId, saml2Config.getSpAcsUrl(), saml2Config, invocationState.getSaml2TokenGenerationState().getSaml2SubjectConfirmation(), issueInstant, tokenGenerationState.getProofTokenState());
setAuthenticationStatements(assertion, saml2Config, tokenGenerationState.getAuthnContextClassRef());
setAttributeStatements(assertion, subjectToken, saml2Config);
setAuthzDecisionStatements(assertion, subjectToken, saml2Config);
/*
entering this branch handles both encryption and signing, as the encryption of the entire assertion must be
proceeded by signing.
*/
String assertionString;
if (saml2Config.encryptAssertion()) {
EncryptedAssertion encryptedAssertion = handleSingingAndEncryptionOfEntireAssertion(assertion, saml2Config, stsInstanceState);
try {
assertionString = encryptedAssertion.toXMLString(ASSERTION_TO_STRING_INCLUDE_NAMESPACE_PREFIX, ASSERTION_TO_STRING_DECLARE_NAMESPACE_PREFIX);
} catch (SAML2Exception e) {
throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception caught calling Assertion.toXMLString: " + e, e);
}
} else {
if (saml2Config.encryptAttributes()) {
encryptAttributeStatement(assertion, saml2Config, stsInstanceState);
}
if (saml2Config.encryptNameID()) {
encryptNameID(assertion, saml2Config, stsInstanceState);
}
if (saml2Config.signAssertion()) {
signAssertion(assertion, stsInstanceState);
}
try {
assertionString = assertion.toXMLString(ASSERTION_TO_STRING_INCLUDE_NAMESPACE_PREFIX, ASSERTION_TO_STRING_DECLARE_NAMESPACE_PREFIX);
} catch (SAML2Exception e) {
throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception caught calling Assertion.toXMLString: " + e, e);
}
}
if (stsInstanceState.getConfig().persistIssuedTokensInCTS()) {
try {
ctsTokenPersistence.persistToken(invocationState.getStsInstanceId(), TokenType.SAML2, assertionString, subjectId, issueInstant.getTime(), saml2Config.getTokenLifetimeInSeconds());
} catch (CTSTokenPersistenceException e) {
throw new TokenCreationException(e.getCode(), e.getMessage(), e);
}
}
return assertionString;
}
use of org.forgerock.openam.sts.config.user.SAML2Config in project OpenAM by OpenRock.
the class SoapSTSInstancePublisherImplTest method createInstanceConfig.
private SoapSTSInstanceConfig createInstanceConfig(String uriElement, String amDeploymentUrl) throws UnsupportedEncodingException {
AuthTargetMapping mapping = AuthTargetMapping.builder().addMapping(TokenType.USERNAME, "service", "ldap").build();
SoapDeploymentConfig deploymentConfig = SoapDeploymentConfig.builder().portQName(AMSTSConstants.STANDARD_STS_PORT_QNAME).serviceQName(AMSTSConstants.STANDARD_STS_SERVICE_NAME).wsdlLocation("wsdl_loc").realm("realm").amDeploymentUrl(amDeploymentUrl).uriElement(uriElement).authTargetMapping(mapping).build();
SoapSTSKeystoreConfig keystoreConfig = SoapSTSKeystoreConfig.builder().keystoreFileName("stsstore.jks").keystorePassword("frstssrvkspw".getBytes(AMSTSConstants.UTF_8_CHARSET_ID)).encryptionKeyAlias("frstssrval").encryptionKeyPassword("frstssrvpw".getBytes(AMSTSConstants.UTF_8_CHARSET_ID)).signatureKeyAlias("frstssrval").signatureKeyPassword("frstssrvpw".getBytes(AMSTSConstants.UTF_8_CHARSET_ID)).build();
SoapSTSInstanceConfig.SoapSTSInstanceConfigBuilderBase<?> builder = SoapSTSInstanceConfig.builder();
builder.addSecurityPolicyTokenValidationConfiguration(TokenType.OPENAM, false);
builder.addSecurityPolicyTokenValidationConfiguration(TokenType.USERNAME, true);
builder.addIssueTokenType(TokenType.SAML2);
Map<String, String> attributeMap = new HashMap<>();
attributeMap.put("mail", "email");
attributeMap.put("uid", "id");
SAML2Config saml2Config = SAML2Config.builder().nameIdFormat("transient").tokenLifetimeInSeconds(500000).spEntityId("http://host.com/saml2/sp/entity/id").encryptAssertion(true).signAssertion(true).encryptionAlgorithm("http://www.w3.org/2001/04/xmlenc#aes128-cbc").encryptionKeyAlias("test").signatureKeyAlias("test").signatureKeyPassword("super.secret".getBytes()).encryptionAlgorithmStrength(128).keystoreFile("da/directory/file").keystorePassword("super.secret".getBytes()).attributeMap(attributeMap).idpId("da_idp").build();
return builder.deploymentConfig(deploymentConfig).soapSTSKeystoreConfig(keystoreConfig).saml2Config(saml2Config).build();
}
use of org.forgerock.openam.sts.config.user.SAML2Config in project OpenAM by OpenRock.
the class RestSTSInstanceStateProviderTest method createSAMLRestInstanceConfig.
private RestSTSInstanceConfig createSAMLRestInstanceConfig() {
Map<String, String> context = new HashMap<>();
context.put(AMSTSConstants.OPEN_ID_CONNECT_ID_TOKEN_AUTH_TARGET_HEADER_KEY, "oidc_id_token");
AuthTargetMapping mapping = AuthTargetMapping.builder().addMapping(TokenType.USERNAME, "service", "ldapService").addMapping(TokenType.OPENIDCONNECT, "module", "oidc", context).build();
DeploymentConfig deploymentConfig = DeploymentConfig.builder().uriElement(DEPLOYMENT_URL_ELEMENT).authTargetMapping(mapping).build();
Map<String, String> attributes = new HashMap<>();
attributes.put("email", "mail");
SAML2Config saml2Config = SAML2Config.builder().attributeMap(attributes).nameIdFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent").spEntityId("http://host.com/sp/entity/id").idpId("da_idp").build();
return RestSTSInstanceConfig.builder().deploymentConfig(deploymentConfig).saml2Config(saml2Config).addSupportedTokenTransform(TokenType.X509, TokenType.SAML2, !AMSTSConstants.INVALIDATE_INTERIM_OPENAM_SESSION).addSupportedTokenTransform(TokenType.USERNAME, TokenType.SAML2, AMSTSConstants.INVALIDATE_INTERIM_OPENAM_SESSION).addSupportedTokenTransform(TokenType.OPENAM, TokenType.SAML2, !AMSTSConstants.INVALIDATE_INTERIM_OPENAM_SESSION).addSupportedTokenTransform(TokenType.OPENIDCONNECT, TokenType.SAML2, AMSTSConstants.INVALIDATE_INTERIM_OPENAM_SESSION).build();
}
Aggregations