Use of org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext in project cas by apereo.
The class SamlIdPUtils, method preparePeerEntitySamlEndpointContext.
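/**
 * Prepare peer entity saml endpoint.
 * <p>
 * Resolves the assertion consumer service that the service provider described by
 * {@code adaptor} advertises for the requested {@code binding}, and records it together
 * with the peer entity id in the {@link SAMLPeerEntityContext} / {@link SAMLEndpointContext}
 * subcontexts of the outbound message context. The endpoint comes from the registered
 * SP metadata, not from the inbound request, so the response destination is always one
 * the SP has published.
 *
 * @param outboundContext the outbound context
 * @param adaptor the adaptor
 * @param binding the binding
 * @throws SamlException the saml exception: no assertion consumer service is registered,
 *                       none exists for the requested binding, the subcontexts cannot be
 *                       created, or the resolved endpoint lacks a binding or location
 */
public static void preparePeerEntitySamlEndpointContext(final MessageContext outboundContext, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final String binding) throws SamlException {
    if (!adaptor.containsAssertionConsumerServices()) {
        throw new SamlException("No assertion consumer service could be found for entity " + adaptor.getEntityId());
    }
    // getSubcontext(..., true) auto-creates the subcontext; the null checks are kept as a defensive guard.
    final SAMLPeerEntityContext peerEntityContext = outboundContext.getSubcontext(SAMLPeerEntityContext.class, true);
    if (peerEntityContext == null) {
        throw new SamlException("SAMLPeerEntityContext could not be defined for entity " + adaptor.getEntityId());
    }
    peerEntityContext.setEntityId(adaptor.getEntityId());
    final SAMLEndpointContext endpointContext = peerEntityContext.getSubcontext(SAMLEndpointContext.class, true);
    if (endpointContext == null) {
        throw new SamlException("SAMLEndpointContext could not be defined for entity " + adaptor.getEntityId());
    }
    final Endpoint endpoint = adaptor.getAssertionConsumerService(binding);
    // The facade may answer null for a binding the SP does not publish; without this guard the
    // blank checks below would surface as a NullPointerException instead of a SamlException.
    if (endpoint == null) {
        throw new SamlException("No assertion consumer service with binding " + binding + " could be found for entity " + adaptor.getEntityId());
    }
    if (StringUtils.isBlank(endpoint.getBinding()) || StringUtils.isBlank(endpoint.getLocation())) {
        throw new SamlException("Assertion consumer service does not define a binding or location for " + adaptor.getEntityId());
    }
    LOGGER.debug("Configured peer entity endpoint to be [{}] with binding [{}]", endpoint.getLocation(), endpoint.getBinding());
    endpointContext.setEndpoint(endpoint);
}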
Use of org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext in project cas by apereo.
The class SamlObjectSignatureValidator, method validateSignatureOnAuthenticationRequest.
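/**
 * Validates the signature of a SAML authentication request received over the HTTP-Redirect binding.
 * <p>
 * The peer entity id is taken from the request issuer, the SP role descriptor is resolved from
 * metadata, and every signing credential returned by {@code getSigningCredential} is tried in turn
 * against the request via {@link SAML2HTTPRedirectDeflateSignatureSecurityHandler}. The first
 * credential for which the handler completes without error marks the request as validated; if none
 * does, a {@link SamlException} is thrown, i.e. the check fails closed.
 * <p>
 * NOTE(review): the loop treats "handler.invoke completed" as success. If the handler is a no-op for a
 * request that carries no signature at all (rather than failing), an unsigned request would pass this
 * method — confirm that signature presence is enforced by the caller or by the handler configuration.
 *
 * @param profileRequest the authentication request being validated
 * @param request the servlet request carrying the signed query string
 * @param context the message context the request was decoded into
 * @param roleDescriptorResolver resolver used to look up the SP role descriptor
 * @throws Exception if the role descriptor or signing credentials cannot be resolved, or no
 *                   credential verifies the signature
 */
private void validateSignatureOnAuthenticationRequest(final RequestAbstractType profileRequest, final HttpServletRequest request, final MessageContext context, final RoleDescriptorResolver roleDescriptorResolver) throws Exception {
    final SAML2HTTPRedirectDeflateSignatureSecurityHandler handler = new SAML2HTTPRedirectDeflateSignatureSecurityHandler();
    final SAMLPeerEntityContext peer = context.getSubcontext(SAMLPeerEntityContext.class, true);
    peer.setEntityId(SamlIdPUtils.getIssuerFromSamlRequest(profileRequest));
    LOGGER.debug("Validating request signature for [{}] via [{}]...", peer.getEntityId(), handler.getClass().getSimpleName());
    LOGGER.debug("Resolving role descriptor for [{}]", peer.getEntityId());
    final RoleDescriptor roleDescriptor = roleDescriptorResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(peer.getEntityId()), new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME)));
    // resolveSingle returns null when metadata has no SP role for this issuer; fail with a clear
    // message instead of a NullPointerException on getElementQName().
    if (roleDescriptor == null) {
        throw new SamlException("No SP role descriptor could be resolved from metadata for " + peer.getEntityId());
    }
    peer.setRole(roleDescriptor.getElementQName());
    final SAMLProtocolContext protocol = context.getSubcontext(SAMLProtocolContext.class, true);
    protocol.setProtocol(SAMLConstants.SAML20P_NS);
    LOGGER.debug("Building security parameters context for signature validation of [{}]", peer.getEntityId());
    final SecurityParametersContext secCtx = context.getSubcontext(SecurityParametersContext.class, true);
    final SignatureValidationParameters validationParams = new SignatureValidationParameters();
    if (overrideBlackListedSignatureAlgorithms != null && !overrideBlackListedSignatureAlgorithms.isEmpty()) {
        validationParams.setBlacklistedAlgorithms(this.overrideBlackListedSignatureAlgorithms);
        // Log the list that is actually applied (previously the whitelist was logged here by mistake).
        LOGGER.debug("Validation override blacklisted algorithms are [{}]", this.overrideBlackListedSignatureAlgorithms);
    }
    if (overrideWhiteListedAlgorithms != null && !overrideWhiteListedAlgorithms.isEmpty()) {
        validationParams.setWhitelistedAlgorithms(this.overrideWhiteListedAlgorithms);
        LOGGER.debug("Validation override whitelisted algorithms are [{}]", this.overrideWhiteListedAlgorithms);
    }
    LOGGER.debug("Resolving signing credentials for [{}]", peer.getEntityId());
    final Set<Credential> credentials = getSigningCredential(roleDescriptorResolver, profileRequest);
    if (credentials == null || credentials.isEmpty()) {
        throw new SamlException("Signing credentials for validation could not be resolved");
    }
    boolean foundValidCredential = false;
    for (final Credential c : credentials) {
        try {
            // Each credential gets its own explicit-key trust engine so that a failure with one key
            // does not leak into the next attempt.
            final CredentialResolver resolver = new StaticCredentialResolver(c);
            final KeyInfoCredentialResolver keyResolver = new StaticKeyInfoCredentialResolver(c);
            final SignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(resolver, keyResolver);
            validationParams.setSignatureTrustEngine(trustEngine);
            secCtx.setSignatureValidationParameters(validationParams);
            handler.setHttpServletRequest(request);
            LOGGER.debug("Initializing [{}] to execute signature validation for [{}]", handler.getClass().getSimpleName(), peer.getEntityId());
            handler.initialize();
            LOGGER.debug("Invoking [{}] to handle signature validation for [{}]", handler.getClass().getSimpleName(), peer.getEntityId());
            handler.invoke(context);
            LOGGER.debug("Successfully validated request signature for [{}].", profileRequest.getIssuer());
            foundValidCredential = true;
        } catch (final Exception e) {
            // A failure with one credential is expected while rotating keys; try the next one.
            // Use a fixed format string: the exception message may echo request content and must
            // not be interpreted as a logging pattern.
            LOGGER.debug("Signature validation for [{}] failed with one credential: [{}]", peer.getEntityId(), e.getMessage(), e);
        } finally {
            handler.destroy();
        }
        if (foundValidCredential) {
            break;
        }
    }
    if (!foundValidCredential) {
        LOGGER.error("No valid credentials could be found to verify the signature for [{}]", profileRequest.getIssuer());
        throw new SamlException("No valid signing credentials for validation could be resolved");
    }
}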
Use of org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext in project pac4j by pac4j.
The class SAML2LogoutResponseValidator, method validateAssertionSignature.
/**
 * Validate assertion signature. If none is found and the SAML response did not have one and the SP requires
 * the assertions to be signed, the validation fails.
 * <p>
 * With a signature present it is verified against the peer (IdP) entity id using the supplied trust
 * engine. Without one, the peer context must already be marked authenticated — presumably by an
 * earlier validation of the enclosing message's signature; confirm against the caller — otherwise
 * a {@link SAMLSignatureRequiredException} is thrown.
 *
 * @param signature the signature
 * @param context the context
 * @param engine the engine
 * @throws SAMLSignatureRequiredException if there is no signature and the peer is not authenticated
 */
protected final void validateAssertionSignature(final Signature signature, final SAML2MessageContext context, final SignatureTrustEngine engine) {
    final SAMLPeerEntityContext peer = context.getSAMLPeerEntityContext();
    if (signature == null) {
        // Nothing to verify here; the only acceptable state is a peer already authenticated elsewhere.
        if (!peer.isAuthenticated()) {
            throw new SAMLSignatureRequiredException("Assertion or response must be signed");
        }
        return;
    }
    validateSignature(signature, peer.getEntityId(), engine);
}
Use of org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext in project pac4j by pac4j.
The class SAML2WebSSOMessageReceiver, method receiveMessage.
/**
 * Receives an inbound SAML 2.0 Web SSO message over the HTTP-POST binding, decodes it into a
 * fresh {@link SAML2MessageContext} and hands that context to the validator.
 * <p>
 * The peer (IdP) entity id of the decoded context is taken from the configured IdP metadata,
 * not from the received message, so later validation compares the message against the expected
 * issuer. Binding details of the decoded message and the SP's own endpoint/role settings are
 * copied over from the original and decoded contexts.
 *
 * @param context the SAML2 message context bound to the current web request
 * @return the credentials produced by the validator
 * @throws SAMLException if the message cannot be decoded or no IdP metadata is available
 */
@Override
public Credentials receiveMessage(final SAML2MessageContext context) {
    context.getSAMLPeerEntityContext().setRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
    context.getSAMLSelfProtocolContext().setProtocol(SAMLConstants.SAML20P_NS);
    final Pac4jHTTPPostDecoder postDecoder = decodeInboundPostMessage(context);
    final SAML2MessageContext inbound = new SAML2MessageContext(postDecoder.getMessageContext());
    inbound.setMessage(postDecoder.getMessageContext().getMessage());
    inbound.setSAMLMessageStorage(context.getSAMLMessageStorage());
    copyBindingContextFromParent(inbound);
    inbound.getSAMLEndpointContext().setEndpoint(context.getSPAssertionConsumerService());
    final EntityDescriptor idpMetadata = context.getSAMLPeerMetadataContext().getEntityDescriptor();
    if (idpMetadata == null) {
        throw new SAMLException("IDP Metadata cannot be null");
    }
    // Expected issuer comes from configured metadata, never from the message itself.
    inbound.getSAMLPeerEntityContext().setEntityId(idpMetadata.getEntityID());
    inbound.getSAMLSelfEntityContext().setEntityId(context.getSAMLSelfEntityContext().getEntityId());
    inbound.getSAMLSelfEndpointContext().setEndpoint(context.getSAMLSelfEndpointContext().getEndpoint());
    inbound.getSAMLSelfEntityContext().setRole(context.getSAMLSelfEntityContext().getRole());
    inbound.getProfileRequestContext().setProfileId(SAML2_WEBSSO_PROFILE_URI);
    inbound.getSAMLSelfMetadataContext().setRoleDescriptor(context.getSPSSODescriptor());
    return this.validator.validate(inbound);
}

/**
 * Builds, initializes and runs the HTTP-POST decoder for the current web request.
 *
 * @param context the SAML2 message context bound to the current web request
 * @return the decoder, after decoding has completed
 * @throws SAMLException wrapping any failure during decoder setup or decoding
 */
private static Pac4jHTTPPostDecoder decodeInboundPostMessage(final SAML2MessageContext context) {
    final Pac4jHTTPPostDecoder postDecoder = new Pac4jHTTPPostDecoder(context.getWebContext());
    try {
        postDecoder.setParserPool(Configuration.getParserPool());
        postDecoder.initialize();
        postDecoder.decode();
    } catch (final Exception e) {
        throw new SAMLException("Error decoding saml message", e);
    }
    return postDecoder;
}

/**
 * Copies the binding details recorded by the decoder on the parent context into the
 * binding subcontext of {@code target}.
 *
 * @param target the decoded SAML2 message context whose parent is the decoder's message context
 */
private static void copyBindingContextFromParent(final SAML2MessageContext target) {
    final SAMLBindingContext decoded = target.getParent().getSubcontext(SAMLBindingContext.class);
    target.getSAMLBindingContext().setBindingDescriptor(decoded.getBindingDescriptor());
    target.getSAMLBindingContext().setBindingUri(decoded.getBindingUri());
    target.getSAMLBindingContext().setHasBindingSignature(decoded.hasBindingSignature());
    target.getSAMLBindingContext().setIntendedDestinationEndpointURIRequired(decoded.isIntendedDestinationEndpointURIRequired());
    target.getSAMLBindingContext().setRelayState(decoded.getRelayState());
}