Search in sources :

Example 6 with SubjectConfirmationType

use of org.keycloak.dom.saml.v2.assertion.SubjectConfirmationType in project keycloak by keycloak.

the class SAMLEndpoint method validateInResponseToAttribute.

private boolean validateInResponseToAttribute(ResponseType responseType, String expectedRequestId) {
    // If we are not expecting a request ID, don't bother
    if (expectedRequestId == null || expectedRequestId.isEmpty())
        return true;
    // We are expecting a request ID so we are in SP-initiated login, attribute InResponseTo must be present
    if (responseType.getInResponseTo() == null) {
        logger.error("Response Validation Error: InResponseTo attribute was expected but not present in received response");
        return false;
    }
    // Attribute is present, proceed with validation
    // 1) Attribute Response > InResponseTo must not be empty
    String responseInResponseToValue = responseType.getInResponseTo();
    if (responseInResponseToValue.isEmpty()) {
        logger.error("Response Validation Error: InResponseTo attribute was expected but it is empty in received response");
        return false;
    }
    // 2) Attribute Response > InResponseTo must match request ID
    if (!responseInResponseToValue.equals(expectedRequestId)) {
        logger.error("Response Validation Error: received InResponseTo attribute does not match the expected request ID");
        return false;
    }
    // If present, Assertion > Subject > Confirmation > SubjectConfirmationData > InResponseTo must also be validated
    if (responseType.getAssertions().isEmpty())
        return true;
    SubjectType subjectElement = responseType.getAssertions().get(0).getAssertion().getSubject();
    if (subjectElement != null) {
        if (subjectElement.getConfirmation() != null && !subjectElement.getConfirmation().isEmpty()) {
            SubjectConfirmationType subjectConfirmationElement = subjectElement.getConfirmation().get(0);
            if (subjectConfirmationElement != null) {
                SubjectConfirmationDataType subjectConfirmationDataElement = subjectConfirmationElement.getSubjectConfirmationData();
                if (subjectConfirmationDataElement != null) {
                    if (subjectConfirmationDataElement.getInResponseTo() != null) {
                        // 3) Assertion > Subject > Confirmation > SubjectConfirmationData > InResponseTo is empty
                        String subjectConfirmationDataInResponseToValue = subjectConfirmationDataElement.getInResponseTo();
                        if (subjectConfirmationDataInResponseToValue.isEmpty()) {
                            logger.error("Response Validation Error: SubjectConfirmationData InResponseTo attribute was expected but it is empty in received response");
                            return false;
                        }
                        // 4) Assertion > Subject > Confirmation > SubjectConfirmationData > InResponseTo does not match request ID
                        if (!subjectConfirmationDataInResponseToValue.equals(expectedRequestId)) {
                            logger.error("Response Validation Error: received SubjectConfirmationData InResponseTo attribute does not match the expected request ID");
                            return false;
                        }
                    }
                }
            }
        }
    }
    return true;
}
Also used : SubjectType(org.keycloak.dom.saml.v2.assertion.SubjectType) SubjectConfirmationDataType(org.keycloak.dom.saml.v2.assertion.SubjectConfirmationDataType) SubjectConfirmationType(org.keycloak.dom.saml.v2.assertion.SubjectConfirmationType)

Example 7 with SubjectConfirmationType

use of org.keycloak.dom.saml.v2.assertion.SubjectConfirmationType in project keycloak by keycloak.

the class SAML2Response method createResponseType.

/**
 * Create a ResponseType
 *
 * <b>NOTE:</b>: The PicketLink STS is used to issue/update the assertion
 *
 * If you want to control over the assertion being issued, then use
 * {@link #createResponseType(String, SPInfoHolder, IDPInfoHolder, IssuerInfoHolder, AssertionType)}
 *
 * @param ID id of the response
 * @param sp holder with the information about the Service Provider
 * @param idp holder with the information on the Identity Provider
 * @param issuerInfo holder with information on the issuer
 *
 * @return
 *
 * @throws ConfigurationException
 * @throws ProcessingException
 */
public ResponseType createResponseType(String ID, SPInfoHolder sp, IDPInfoHolder idp, IssuerInfoHolder issuerInfo) throws ProcessingException {
    String responseDestinationURI = sp.getResponseDestinationURI();
    XMLGregorianCalendar issueInstant = XMLTimeUtil.getIssueInstant();
    // Create assertion -> subject
    SubjectType subjectType = new SubjectType();
    // subject -> nameid
    NameIDType nameIDType = new NameIDType();
    nameIDType.setFormat(idp.getNameIDFormat() == null ? null : URI.create(idp.getNameIDFormat()));
    nameIDType.setValue(idp.getNameIDFormatValue());
    SubjectType.STSubType subType = new SubjectType.STSubType();
    subType.addBaseID(nameIDType);
    subjectType.setSubType(subType);
    SubjectConfirmationType subjectConfirmation = new SubjectConfirmationType();
    subjectConfirmation.setMethod(idp.getSubjectConfirmationMethod());
    SubjectConfirmationDataType subjectConfirmationData = new SubjectConfirmationDataType();
    subjectConfirmationData.setInResponseTo(sp.getRequestID());
    subjectConfirmationData.setRecipient(responseDestinationURI);
    // subjectConfirmationData.setNotBefore(issueInstant);
    subjectConfirmationData.setNotOnOrAfter(issueInstant);
    subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData);
    subjectType.addConfirmation(subjectConfirmation);
    AssertionType assertionType;
    NameIDType issuerID = issuerInfo.getIssuer();
    issueInstant = XMLTimeUtil.getIssueInstant();
    ConditionsType conditions = null;
    List<StatementAbstractType> statements = new LinkedList<>();
    // generate an id for the new assertion.
    String assertionID = IDGenerator.create("ID_");
    assertionType = SAMLAssertionFactory.createAssertion(assertionID, issuerID, issueInstant, conditions, subjectType, statements);
    try {
        AssertionUtil.createTimedConditions(assertionType, ASSERTION_VALIDITY, CLOCK_SKEW);
    } catch (ConfigurationException e) {
        throw logger.processingError(e);
    } catch (IssueInstantMissingException e) {
        throw logger.processingError(e);
    }
    ResponseType responseType = createResponseType(ID, issuerInfo, assertionType);
    // InResponseTo ID
    responseType.setInResponseTo(sp.getRequestID());
    // Destination
    responseType.setDestination(responseDestinationURI);
    return responseType;
}
Also used : EncryptedAssertionType(org.keycloak.dom.saml.v2.assertion.EncryptedAssertionType) AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType) LinkedList(java.util.LinkedList) IssueInstantMissingException(org.keycloak.saml.common.exceptions.fed.IssueInstantMissingException) ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType) StatusResponseType(org.keycloak.dom.saml.v2.protocol.StatusResponseType) XMLGregorianCalendar(javax.xml.datatype.XMLGregorianCalendar) SubjectType(org.keycloak.dom.saml.v2.assertion.SubjectType) SubjectConfirmationDataType(org.keycloak.dom.saml.v2.assertion.SubjectConfirmationDataType) SubjectConfirmationType(org.keycloak.dom.saml.v2.assertion.SubjectConfirmationType) ConfigurationException(org.keycloak.saml.common.exceptions.ConfigurationException) ConditionsType(org.keycloak.dom.saml.v2.assertion.ConditionsType) NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType) StatementAbstractType(org.keycloak.dom.saml.v2.assertion.StatementAbstractType)

Example 8 with SubjectConfirmationType

use of org.keycloak.dom.saml.v2.assertion.SubjectConfirmationType in project keycloak by keycloak.

the class SAMLSubjectConfirmationParser method processSubElement.

@Override
protected void processSubElement(XMLEventReader xmlEventReader, SubjectConfirmationType target, SAMLAssertionQNames element, StartElement elementDetail) throws ParsingException {
    switch(element) {
        case NAMEID:
            NameIDType nameID = SAMLParserUtil.parseNameIDType(xmlEventReader);
            target.setNameID(nameID);
            break;
        case ENCRYPTED_ID:
            Element domElement = StaxParserUtil.getDOMElement(xmlEventReader);
            target.setEncryptedID(new EncryptedElementType(domElement));
            break;
        case SUBJECT_CONFIRMATION_DATA:
            SubjectConfirmationDataType subjectConfirmationData = SAMLSubjectConfirmationDataParser.INSTANCE.parse(xmlEventReader);
            target.setSubjectConfirmationData(subjectConfirmationData);
            break;
        default:
            throw LOGGER.parserUnknownTag(StaxParserUtil.getElementName(elementDetail), elementDetail.getLocation());
    }
}
Also used : SubjectConfirmationDataType(org.keycloak.dom.saml.v2.assertion.SubjectConfirmationDataType) Element(org.w3c.dom.Element) StartElement(javax.xml.stream.events.StartElement) NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType) EncryptedElementType(org.keycloak.dom.saml.v2.assertion.EncryptedElementType)

Example 9 with SubjectConfirmationType

use of org.keycloak.dom.saml.v2.assertion.SubjectConfirmationType in project keycloak by keycloak.

the class SAMLSubjectConfirmationParser method instantiateElement.

@Override
protected SubjectConfirmationType instantiateElement(XMLEventReader xmlEventReader, StartElement element) throws ParsingException {
    final SubjectConfirmationType res = new SubjectConfirmationType();
    res.setMethod(StaxParserUtil.getAttributeValue(element, SAMLAssertionQNames.ATTR_METHOD));
    return res;
}
Also used : SubjectConfirmationType(org.keycloak.dom.saml.v2.assertion.SubjectConfirmationType)

Example 10 with SubjectConfirmationType

use of org.keycloak.dom.saml.v2.assertion.SubjectConfirmationType in project keycloak by keycloak.

the class BaseWriter method write.

private void write(SubjectConfirmationType subjectConfirmationType) throws ProcessingException {
    StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.SUBJECT_CONFIRMATION.get(), ASSERTION_NSURI.get());
    StaxUtil.writeAttribute(writer, JBossSAMLConstants.METHOD.get(), subjectConfirmationType.getMethod());
    BaseIDAbstractType baseID = subjectConfirmationType.getBaseID();
    if (baseID != null) {
        write(baseID);
    }
    NameIDType nameIDType = subjectConfirmationType.getNameID();
    if (nameIDType != null) {
        write(nameIDType, new QName(ASSERTION_NSURI.get(), JBossSAMLConstants.NAMEID.get(), ASSERTION_PREFIX));
    }
    SubjectConfirmationDataType subjectConfirmationData = subjectConfirmationType.getSubjectConfirmationData();
    if (subjectConfirmationData != null) {
        write(subjectConfirmationData);
    }
    StaxUtil.writeEndElement(writer);
}
Also used : SubjectConfirmationDataType(org.keycloak.dom.saml.v2.assertion.SubjectConfirmationDataType) QName(javax.xml.namespace.QName) BaseIDAbstractType(org.keycloak.dom.saml.v2.assertion.BaseIDAbstractType) NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType)

Aggregations

SubjectConfirmationType (org.keycloak.dom.saml.v2.assertion.SubjectConfirmationType)7 SubjectConfirmationDataType (org.keycloak.dom.saml.v2.assertion.SubjectConfirmationDataType)6 NameIDType (org.keycloak.dom.saml.v2.assertion.NameIDType)5 SubjectType (org.keycloak.dom.saml.v2.assertion.SubjectType)5 ResponseType (org.keycloak.dom.saml.v2.protocol.ResponseType)3 QName (javax.xml.namespace.QName)2 StartElement (javax.xml.stream.events.StartElement)2 Test (org.junit.Test)2 AssertionType (org.keycloak.dom.saml.v2.assertion.AssertionType)2 BaseIDAbstractType (org.keycloak.dom.saml.v2.assertion.BaseIDAbstractType)2 ConditionsType (org.keycloak.dom.saml.v2.assertion.ConditionsType)2 EncryptedAssertionType (org.keycloak.dom.saml.v2.assertion.EncryptedAssertionType)2 EncryptedElementType (org.keycloak.dom.saml.v2.assertion.EncryptedElementType)2 StatementAbstractType (org.keycloak.dom.saml.v2.assertion.StatementAbstractType)2 StatusResponseType (org.keycloak.dom.saml.v2.protocol.StatusResponseType)2 Element (org.w3c.dom.Element)2 LinkedList (java.util.LinkedList)1 List (java.util.List)1 Set (java.util.Set)1 XMLGregorianCalendar (javax.xml.datatype.XMLGregorianCalendar)1