
Example 11 with SAML2Config

use of org.forgerock.openam.sts.config.user.SAML2Config in project OpenAM by OpenRock.

Class SoapSTSInstanceConfigTest, method createIncompleteInstanceConfig.

/**
 * Builds a SoapSTSInstanceConfig that always lists OPENIDCONNECT and SAML2 as issued token types, while the
 * incompleteSaml and incompleteOidc flags withhold the corresponding SAML2Config / OpenIdConnectTokenConfig.
 * The result is therefore deliberately inconsistent when either flag is true: a token type is declared without
 * the configuration needed to issue it.
 *
 * @param withDeploymentConfig when true a minimal SoapDeploymentConfig is attached, otherwise null is passed.
 * @param incompleteSaml when true no SAML2Config is set even though SAML2 is an issued token type.
 * @param incompleteOidc when true no OpenIdConnectTokenConfig is set even though OPENIDCONNECT is an issued token type.
 * @return the assembled, possibly incomplete, SoapSTSInstanceConfig.
 * @throws UnsupportedEncodingException declared because the config helpers used here may throw it.
 */
private SoapSTSInstanceConfig createIncompleteInstanceConfig(boolean withDeploymentConfig, boolean incompleteSaml, boolean incompleteOidc) throws UnsupportedEncodingException {
    SoapDeploymentConfig deployment = null;
    if (withDeploymentConfig) {
        final AuthTargetMapping targetMapping = AuthTargetMapping.builder()
                .addMapping(TokenType.USERNAME, "module", "foo")
                .build();
        // NOTE(review): the port QName namespace is "namspace" (sic) while the service QName uses "namespace";
        // kept verbatim since this is a test fixture.
        deployment = SoapDeploymentConfig.builder()
                .uriElement("whatever")
                .amDeploymentUrl("whatever")
                .authTargetMapping(targetMapping)
                .serviceQName(new QName("namespace", "localpart"))
                .portQName(new QName("namspace", "localpart"))
                .wsdlLocation("webservice.wsdl")
                .build();
    }
    // A null token config is exactly the "incomplete" state the flags request.
    final SAML2Config saml2 = incompleteSaml ? null : buildSAML2Config(Collections.<String, String>emptyMap());
    final OpenIdConnectTokenConfig oidc = incompleteOidc ? null : buildOIDCConfig(Collections.<String, String>emptyMap());
    return SoapSTSInstanceConfig.builder()
            .addIssueTokenType(TokenType.OPENIDCONNECT)
            .addIssueTokenType(TokenType.SAML2)
            .deploymentConfig(deployment)
            .oidcIdTokenConfig(oidc)
            .saml2Config(saml2)
            .build();
}

Example 12 with SAML2Config

use of org.forgerock.openam.sts.config.user.SAML2Config in project OpenAM by OpenRock.

Class SoapSTSInstanceConfigTest, method createInstanceConfig.

/**
 * Builds a SoapSTSInstanceConfig test fixture whose optional parts are switched on by the boolean flags.
 * The deployment config is always present: standard STS port/service QNames, the given uriElement and
 * amDeploymentUrl, realm "realm", wsdl location "wsdl_loc" and a single USERNAME -> "service"/"ldap" auth-target mapping.
 *
 * @param uriElement the uri element of the soap-sts deployment.
 * @param amDeploymentUrl the OpenAM deployment url.
 * @param withKeystoreConfig when true a SoapSTSKeystoreConfig referencing stsstore.jks is attached, else null.
 * @param withValidationConfig when true security-policy validation configs for OPENAM, USERNAME and X509 are added
 *        (with second argument false, true and true respectively).
 * @param delegationValidatorsSpecified when true USERNAME and OPENAM are configured as validated delegation token types.
 * @param customDelegationHandler when true a custom delegation token handler class name is configured.
 * @param withSAML2Config when true SAML2 is added as an issued token type with a SAML2Config mapping mail->email, uid->id.
 * @param withOIDCConfig when true OPENIDCONNECT is added as an issued token type with the same attribute map.
 * @param withCTSTokenPersistence passed through to persistIssuedTokensInCTS.
 * @return the assembled config; delegationRelationshipsSupported is true iff either delegation flag is true.
 * @throws UnsupportedEncodingException if AMSTSConstants.UTF_8_CHARSET_ID is not a supported charset name.
 */
private SoapSTSInstanceConfig createInstanceConfig(String uriElement, String amDeploymentUrl, boolean withKeystoreConfig, boolean withValidationConfig, boolean delegationValidatorsSpecified, boolean customDelegationHandler, boolean withSAML2Config, boolean withOIDCConfig, boolean withCTSTokenPersistence) throws UnsupportedEncodingException {
    final AuthTargetMapping targetMapping = AuthTargetMapping.builder()
            .addMapping(TokenType.USERNAME, "service", "ldap")
            .build();
    final SoapDeploymentConfig soapDeployment = SoapDeploymentConfig.builder()
            .portQName(AMSTSConstants.STANDARD_STS_PORT_QNAME)
            .serviceQName(AMSTSConstants.STANDARD_STS_SERVICE_NAME)
            .wsdlLocation("wsdl_loc")
            .realm("realm")
            .amDeploymentUrl(amDeploymentUrl)
            .uriElement(uriElement)
            .authTargetMapping(targetMapping)
            .build();

    SoapSTSKeystoreConfig keystore = null;
    if (withKeystoreConfig) {
        // Fixture-only credentials; signing and encryption share the alias "mystskey".
        keystore = SoapSTSKeystoreConfig.builder()
                .keystoreFileName("stsstore.jks")
                .keystorePassword("stsspass".getBytes(AMSTSConstants.UTF_8_CHARSET_ID))
                .encryptionKeyAlias("mystskey")
                .signatureKeyAlias("mystskey")
                .encryptionKeyPassword("stskpass".getBytes(AMSTSConstants.UTF_8_CHARSET_ID))
                .signatureKeyPassword("stskpass".getBytes(AMSTSConstants.UTF_8_CHARSET_ID))
                .build();
    }

    final SoapSTSInstanceConfig.SoapSTSInstanceConfigBuilderBase<?> instanceBuilder = SoapSTSInstanceConfig.builder();
    if (withValidationConfig) {
        instanceBuilder.addSecurityPolicyTokenValidationConfiguration(TokenType.OPENAM, false);
        instanceBuilder.addSecurityPolicyTokenValidationConfiguration(TokenType.USERNAME, true);
        instanceBuilder.addSecurityPolicyTokenValidationConfiguration(TokenType.X509, true);
    }

    final Map<String, String> claimAttributes = new HashMap<>();
    claimAttributes.put("mail", "email");
    claimAttributes.put("uid", "id");

    SAML2Config saml2 = null;
    if (withSAML2Config) {
        instanceBuilder.addIssueTokenType(TokenType.SAML2);
        saml2 = buildSAML2Config(claimAttributes);
    }
    OpenIdConnectTokenConfig oidc = null;
    if (withOIDCConfig) {
        instanceBuilder.addIssueTokenType(TokenType.OPENIDCONNECT);
        oidc = buildOIDCConfig(claimAttributes);
    }

    final boolean delegationSupported = delegationValidatorsSpecified || customDelegationHandler;
    if (delegationSupported) {
        final SoapDelegationConfig.SoapDelegationConfigBuilder delegationBuilder = SoapDelegationConfig.builder();
        if (delegationValidatorsSpecified) {
            delegationBuilder.addValidatedDelegationTokenType(TokenType.USERNAME, true);
            delegationBuilder.addValidatedDelegationTokenType(TokenType.OPENAM, false);
        }
        if (customDelegationHandler) {
            delegationBuilder.addCustomDelegationTokenHandler("com.org.TokenDelegationHandlerImpl");
        }
        instanceBuilder.soapDelegationConfig(delegationBuilder.build());
    }

    return instanceBuilder
            .deploymentConfig(soapDeployment)
            .soapSTSKeystoreConfig(keystore)
            .saml2Config(saml2)
            .oidcIdTokenConfig(oidc)
            .delegationRelationshipsSupported(delegationSupported)
            .persistIssuedTokensInCTS(withCTSTokenPersistence)
            .build();
}

Example 13 with SAML2Config

use of org.forgerock.openam.sts.config.user.SAML2Config in project OpenAM by OpenRock.

Class SoapSTSInstanceConfig, method marshalFromAttributeMap.

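/**
 * Reconstitutes a SoapSTSInstanceConfig from the flattened Map<String, Set<String>> representation produced by
 * marshalToAttributeMap. The flattened map carries the state of every encapsulated complex object; each of those
 * objects is re-constituted from the same map, converted back to json and placed under its top-level key before
 * the whole structure is handed to fromJson.
 *
 * @param attributeMap The attributeMap corresponding to the STS-persisted format of a soap-sts instance. Cannot be null.
 * @return the SoapSTSInstanceConfig instance corresponding to attributeMap state.
 * @throws IllegalStateException if marshaling cannot be successfully performed, including when the deployment
 *         config cannot be re-constituted or the SECURITY_POLICY_VALIDATED_TOKEN_CONFIG / ISSUE_TOKEN_TYPES
 *         entries are absent from attributeMap.
 */
public static SoapSTSInstanceConfig marshalFromAttributeMap(Map<String, Set<String>> attributeMap) {
    /*
        When we are marshaling back from a Map<String, Set<String>>, this Map contains all of the values, also those
        contributed by encapsulated complex objects. So the structure must be 'un-flattened', where the top-level map
        is passed to encapsulated complex-objects, so that they may re-constitute themselves, and then the top-level json entry
        key is set to point at these re-constituted complex objects.

        Note that marshalToAttributeMap first calls toJson to obtain the map representation, albeit with hierarchical
        elements, which must be subsequently flattened. The 'flattening' performed by marshalToAttributeMap must then
        be 'inverted' by this method, where all complex objects are re-constituted, using the state in the flattened map.

        Map.put replaces any existing value for a key, so the flattened placeholder under each key is overwritten
        directly rather than removed first.
     */
    final Map<String, Object> jsonAttributes = MapMarshallUtils.toJsonValueMap(attributeMap);

    final DeploymentConfig deploymentConfig = SoapDeploymentConfig.marshalFromAttributeMap(attributeMap);
    if (deploymentConfig == null) {
        throw new IllegalStateException("Could not marshal the soap-sts deployment config (" + DEPLOYMENT_CONFIG
                + ") from the attribute map.");
    }
    jsonAttributes.put(DEPLOYMENT_CONFIG, deploymentConfig.toJson());

    // The SAML2, OIDC, keystore and delegation configs are optional: when absent the flattened entry is left untouched.
    final SAML2Config saml2Config = SAML2Config.marshalFromAttributeMap(attributeMap);
    if (saml2Config != null) {
        jsonAttributes.put(SAML2_CONFIG, saml2Config.toJson());
    }
    final OpenIdConnectTokenConfig openIdConnectTokenConfig = OpenIdConnectTokenConfig.marshalFromAttributeMap(attributeMap);
    if (openIdConnectTokenConfig != null) {
        jsonAttributes.put(OIDC_ID_TOKEN_CONFIG, openIdConnectTokenConfig.toJson());
    }
    final SoapSTSKeystoreConfig keystoreConfig = SoapSTSKeystoreConfig.marshalFromAttributeMap(attributeMap);
    if (keystoreConfig != null) {
        jsonAttributes.put(SOAP_KEYSTORE_CONFIG, keystoreConfig.toJson());
    }

    /*
         The SECURITY_POLICY_VALIDATED_TOKEN_CONFIG entries are each in a String representation in the Set<String> map
         entry corresponding to the SECURITY_POLICY_VALIDATED_TOKEN_CONFIG key. Each is marshaled back into a
         TokenValidationConfig instance, converted with toJson, and collected in a JsonValue wrapping a list.
         A missing entry is reported as IllegalStateException rather than surfacing as a NullPointerException.
     */
    final Set<String> stringTokenTranslations = requiredAttributeSet(attributeMap, SECURITY_POLICY_VALIDATED_TOKEN_CONFIG);
    final ArrayList<JsonValue> jsonValidationConfigList = new ArrayList<>(stringTokenTranslations.size());
    for (String translation : stringTokenTranslations) {
        jsonValidationConfigList.add(TokenValidationConfig.fromSMSString(translation).toJson());
    }
    jsonAttributes.put(SECURITY_POLICY_VALIDATED_TOKEN_CONFIG, new JsonValue(jsonValidationConfigList));

    /*
        Ultimately, the ISSUE_TOKEN_TYPES is a set, but its set type gets stripped by the MapMarshallUtils.toJsonValueMap
        method. Thus it is a 'complex' object, which must be reconstituted in this method.
     */
    final Set<String> issueTypes = requiredAttributeSet(attributeMap, ISSUE_TOKEN_TYPES);
    jsonAttributes.put(ISSUE_TOKEN_TYPES, new JsonValue(new HashSet<String>(issueTypes)));

    final SoapDelegationConfig delegationConfig = SoapDelegationConfig.marshalFromAttributeMap(attributeMap);
    if (delegationConfig != null) {
        jsonAttributes.put(SOAP_DELEGATION_CONFIG, delegationConfig.toJson());
    }
    return fromJson(new JsonValue(jsonAttributes));
}

/**
 * Returns the Set<String> stored under key in attributeMap.
 *
 * @param attributeMap the flattened soap-sts instance state.
 * @param key the attribute key that must be present.
 * @return the non-null value set for key.
 * @throws IllegalStateException if the entry is absent, so that incomplete persisted state surfaces as the
 *         exception documented by marshalFromAttributeMap rather than as a NullPointerException.
 */
private static Set<String> requiredAttributeSet(Map<String, Set<String>> attributeMap, String key) {
    final Set<String> values = attributeMap.get(key);
    if (values == null) {
        throw new IllegalStateException("Attribute map is missing the required " + key
                + " entry; cannot marshal SoapSTSInstanceConfig.");
    }
    return values;
}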

Example 14 with SAML2Config

use of org.forgerock.openam.sts.config.user.SAML2Config in project OpenAM by OpenRock.

Class RestSTSInstanceConfigTest, method createInstanceConfig.

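/**
 * Builds a RestSTSInstanceConfig test fixture whose optional parts are switched on by the boolean flags.
 * The deployment config always carries the given uriElement and an auth-target mapping for USERNAME
 * ("service"/"ldapService") and OPENIDCONNECT ("module"/"oidc" with one context entry).
 *
 * @param uriElement the uri element of the rest-sts deployment.
 * @param withTlsOffloadConfig when true TLS_OFFLOAD_HOST_IP and TLS_CLIENT_CERT_HEADER are set on the deployment config.
 * @param withSAML2Config when true the SAML2 output translation suite is added and a SAML2Config is built.
 * @param withOIDCConfig when true the OPENIDCONNECT output translation suite is added and an OpenIdConnectTokenConfig is built.
 * @param withCustomValidator when true CUSTOM_TOKEN_NAME/CUSTOM_TOKEN_VALIDATOR is registered with a CUSTOM_TOKEN_NAME -> "SAML2" transform.
 * @param withCustomProvider when true CUSTOM_TOKEN_NAME/CUSTOM_TOKEN_PROVIDER is registered with an "OPENAM" -> CUSTOM_TOKEN_NAME transform.
 * @param withCTSTokenPersistence passed through to persistIssuedTokensInCTS.
 * @return the assembled config.
 * @throws UnsupportedEncodingException if AMSTSConstants.UTF_8_CHARSET_ID is not a supported charset name.
 */
private RestSTSInstanceConfig createInstanceConfig(String uriElement, boolean withTlsOffloadConfig, boolean withSAML2Config, boolean withOIDCConfig, boolean withCustomValidator, boolean withCustomProvider, boolean withCTSTokenPersistence) throws UnsupportedEncodingException {
    Map<String, String> oidcContext = new HashMap<>();
    oidcContext.put("context_key_1", "context_value_1");
    AuthTargetMapping mapping = AuthTargetMapping.builder()
            .addMapping(TokenType.USERNAME, "service", "ldapService")
            .addMapping(TokenType.OPENIDCONNECT, "module", "oidc", oidcContext)
            .build();
    Set<String> offloadHosts = new HashSet<>(1);
    offloadHosts.add(TLS_OFFLOAD_HOST_IP);
    DeploymentConfig deploymentConfig;
    if (withTlsOffloadConfig) {
        deploymentConfig = DeploymentConfig.builder()
                .uriElement(uriElement)
                .authTargetMapping(mapping)
                .tlsOffloadEngineHostIpAddrs(offloadHosts)
                .offloadedTwoWayTLSHeaderKey(TLS_CLIENT_CERT_HEADER)
                .build();
    } else {
        deploymentConfig = DeploymentConfig.builder()
                .uriElement(uriElement)
                .authTargetMapping(mapping)
                .build();
    }
    RestSTSInstanceConfig.RestSTSInstanceConfigBuilder restSTSInstanceConfigBuilder = RestSTSInstanceConfig.builder();
    Map<String, String> attributeMap = new HashMap<>();
    attributeMap.put("mail", "email");
    attributeMap.put("uid", "id");
    SAML2Config saml2Config = null;
    if (withSAML2Config) {
        addOutputTokenTypeTranslationSuite(TokenType.SAML2, restSTSInstanceConfigBuilder);
        // Fixture-only credentials. Encode them with the same explicit charset the OIDC config below uses,
        // rather than relying on the platform default charset.
        saml2Config = SAML2Config.builder()
                .nameIdFormat("transient")
                .tokenLifetimeInSeconds(500000)
                .spEntityId("http://host.com/saml2/sp/entity/id")
                .encryptAssertion(true)
                .signAssertion(true)
                .encryptionAlgorithm("http://www.w3.org/2001/04/xmlenc#aes128-cbc")
                .encryptionKeyAlias("test")
                .signatureKeyAlias("test")
                .signatureKeyPassword("super.secret".getBytes(AMSTSConstants.UTF_8_CHARSET_ID))
                .encryptionAlgorithmStrength(128)
                .keystoreFile("da/directory/file")
                .keystorePassword("super.secret".getBytes(AMSTSConstants.UTF_8_CHARSET_ID))
                .attributeMap(attributeMap)
                .idpId("da_idp")
                .build();
    }
    OpenIdConnectTokenConfig openIdConnectTokenConfig = null;
    if (withOIDCConfig) {
        addOutputTokenTypeTranslationSuite(TokenType.OPENIDCONNECT, restSTSInstanceConfigBuilder);
        openIdConnectTokenConfig = OpenIdConnectTokenConfig.builder()
                .keystoreLocation("keystore.jks")
                .keystorePassword("bobo".getBytes(AMSTSConstants.UTF_8_CHARSET_ID))
                .signatureKeyAlias("test")
                .signatureKeyPassword("bobo".getBytes(AMSTSConstants.UTF_8_CHARSET_ID))
                .signatureAlgorithm("RS256")
                .addAudience("oidcTokenAudience")
                .tokenLifetimeInSeconds(900)
                .issuer("oidcTokenIssuer")
                .build();
    }
    if (withCustomValidator) {
        restSTSInstanceConfigBuilder.addCustomTokenValidator(CUSTOM_TOKEN_NAME, CUSTOM_TOKEN_VALIDATOR);
        restSTSInstanceConfigBuilder.addCustomTokenTransform(CUSTOM_TOKEN_NAME, "SAML2", true);
    }
    if (withCustomProvider) {
        restSTSInstanceConfigBuilder.addCustomTokenProvider(CUSTOM_TOKEN_NAME, CUSTOM_TOKEN_PROVIDER);
        restSTSInstanceConfigBuilder.addCustomTokenTransform("OPENAM", CUSTOM_TOKEN_NAME, true);
    }
    return restSTSInstanceConfigBuilder
            .deploymentConfig(deploymentConfig)
            .saml2Config(saml2Config)
            .oidcIdTokenConfig(openIdConnectTokenConfig)
            .persistIssuedTokensInCTS(withCTSTokenPersistence)
            .build();
}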

Example 15 with SAML2Config

use of org.forgerock.openam.sts.config.user.SAML2Config in project OpenAM by OpenRock.

Class SAML2TokenGenerationImpl, method signAssertion.

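/**
 * Signs the assertion in place with the IdP private key identified by the SAML2Config signature key alias,
 * obtained from the SAML2CryptoProvider held in instanceState.
 *
 * @param assertion the assertion to sign.
 * @param instanceState state of the STS instance, providing the SAML2Config and the crypto provider.
 * @throws TokenCreationException with ResourceException.INTERNAL_ERROR if the signature key password cannot be
 *         decoded or signing fails; the underlying exception is attached as the cause. The password itself is
 *         never included in the exception message.
 */
private void signAssertion(Assertion assertion, STSInstanceState instanceState) throws TokenCreationException {
    final SAML2CryptoProvider saml2CryptoProvider = instanceState.getSAML2CryptoProvider();
    final SAML2Config saml2Config = instanceState.getConfig().getSaml2Config();
    final String signatureKeyAlias = saml2Config.getSignatureKeyAlias();
    // The crypto provider takes the key password as a String, so the configured byte[] must be decoded here.
    final String signatureKeyPassword;
    try {
        signatureKeyPassword = new String(saml2Config.getSignatureKeyPassword(), AMSTSConstants.UTF_8_CHARSET_ID);
    } catch (UnsupportedEncodingException e) {
        // Preserve the cause so the failure is diagnosable; the message names the charset problem, not the password.
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR,
                "Could not obtain string representation of signature key password in SAML2TokenGenerationImpl: " + e, e);
    }
    /*
        Note: the cert alias and private-key alias are the same. If there is a key entry in the keystore, it seems like
        they are represented by the same alias.
     */
    final PrivateKey privateKey = saml2CryptoProvider.getIDPPrivateKey(signatureKeyAlias, signatureKeyPassword);
    try {
        assertion.sign(privateKey, saml2CryptoProvider.getIDPX509Certificate(signatureKeyAlias));
    } catch (SAML2Exception e) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR,
                "Exception caught signing assertion in SAML2TokenGenerationImpl: " + e, e);
    }
}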
