Search in sources :

Example 6 with SAMLPeerEntityContext

use of org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext in project cas by apereo.

the class SamlIdPUtils method preparePeerEntitySamlEndpointContext.

/**
 * Prepare peer entity saml endpoint.
 *
 * @param outboundContext the outbound context
 * @param adaptor         the adaptor
 * @param binding         the binding
 * @throws SamlException the saml exception
 */
public static void preparePeerEntitySamlEndpointContext(final MessageContext outboundContext, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final String binding) throws SamlException {
    if (!adaptor.containsAssertionConsumerServices()) {
        throw new SamlException("No assertion consumer service could be found for entity " + adaptor.getEntityId());
    }
    final SAMLPeerEntityContext peerEntityContext = outboundContext.getSubcontext(SAMLPeerEntityContext.class, true);
    if (peerEntityContext == null) {
        throw new SamlException("SAMLPeerEntityContext could not be defined for entity " + adaptor.getEntityId());
    }
    peerEntityContext.setEntityId(adaptor.getEntityId());
    final SAMLEndpointContext endpointContext = peerEntityContext.getSubcontext(SAMLEndpointContext.class, true);
    if (endpointContext == null) {
        throw new SamlException("SAMLEndpointContext could not be defined for entity " + adaptor.getEntityId());
    }
    final Endpoint endpoint = adaptor.getAssertionConsumerService(binding);
    if (StringUtils.isBlank(endpoint.getBinding()) || StringUtils.isBlank(endpoint.getLocation())) {
        throw new SamlException("Assertion consumer service does not define a binding or location for " + adaptor.getEntityId());
    }
    LOGGER.debug("Configured peer entity endpoint to be [{}] with binding [{}]", endpoint.getLocation(), endpoint.getBinding());
    endpointContext.setEndpoint(endpoint);
}
Also used : SAMLEndpointContext(org.opensaml.saml.common.messaging.context.SAMLEndpointContext) Endpoint(org.opensaml.saml.saml2.metadata.Endpoint) SAMLPeerEntityContext(org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext)

Example 7 with SAMLPeerEntityContext

use of org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext in project cas by apereo.

the class SamlObjectSignatureValidator method validateSignatureOnAuthenticationRequest.

private void validateSignatureOnAuthenticationRequest(final RequestAbstractType profileRequest, final HttpServletRequest request, final MessageContext context, final RoleDescriptorResolver roleDescriptorResolver) throws Exception {
    final SAML2HTTPRedirectDeflateSignatureSecurityHandler handler = new SAML2HTTPRedirectDeflateSignatureSecurityHandler();
    final SAMLPeerEntityContext peer = context.getSubcontext(SAMLPeerEntityContext.class, true);
    peer.setEntityId(SamlIdPUtils.getIssuerFromSamlRequest(profileRequest));
    LOGGER.debug("Validating request signature for [{}] via [{}]...", peer.getEntityId(), handler.getClass().getSimpleName());
    LOGGER.debug("Resolving role descriptor for [{}]", peer.getEntityId());
    final RoleDescriptor roleDescriptor = roleDescriptorResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(peer.getEntityId()), new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME)));
    peer.setRole(roleDescriptor.getElementQName());
    final SAMLProtocolContext protocol = context.getSubcontext(SAMLProtocolContext.class, true);
    protocol.setProtocol(SAMLConstants.SAML20P_NS);
    LOGGER.debug("Building security parameters context for signature validation of [{}]", peer.getEntityId());
    final SecurityParametersContext secCtx = context.getSubcontext(SecurityParametersContext.class, true);
    final SignatureValidationParameters validationParams = new SignatureValidationParameters();
    if (overrideBlackListedSignatureAlgorithms != null && !overrideBlackListedSignatureAlgorithms.isEmpty()) {
        validationParams.setBlacklistedAlgorithms(this.overrideBlackListedSignatureAlgorithms);
        LOGGER.debug("Validation override blacklisted algorithms are [{}]", this.overrideWhiteListedAlgorithms);
    }
    if (overrideWhiteListedAlgorithms != null && !overrideWhiteListedAlgorithms.isEmpty()) {
        validationParams.setWhitelistedAlgorithms(this.overrideWhiteListedAlgorithms);
        LOGGER.debug("Validation override whitelisted algorithms are [{}]", this.overrideWhiteListedAlgorithms);
    }
    LOGGER.debug("Resolving signing credentials for [{}]", peer.getEntityId());
    final Set<Credential> credentials = getSigningCredential(roleDescriptorResolver, profileRequest);
    if (credentials == null || credentials.isEmpty()) {
        throw new SamlException("Signing credentials for validation could not be resolved");
    }
    boolean foundValidCredential = false;
    final Iterator<Credential> it = credentials.iterator();
    while (!foundValidCredential && it.hasNext()) {
        try {
            final Credential c = it.next();
            final CredentialResolver resolver = new StaticCredentialResolver(c);
            final KeyInfoCredentialResolver keyResolver = new StaticKeyInfoCredentialResolver(c);
            final SignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(resolver, keyResolver);
            validationParams.setSignatureTrustEngine(trustEngine);
            secCtx.setSignatureValidationParameters(validationParams);
            handler.setHttpServletRequest(request);
            LOGGER.debug("Initializing [{}] to execute signature validation for [{}]", handler.getClass().getSimpleName(), peer.getEntityId());
            handler.initialize();
            LOGGER.debug("Invoking [{}] to handle signature validation for [{}]", handler.getClass().getSimpleName(), peer.getEntityId());
            handler.invoke(context);
            LOGGER.debug("Successfully validated request signature for [{}].", profileRequest.getIssuer());
            foundValidCredential = true;
        } catch (final Exception e) {
            LOGGER.debug(e.getMessage(), e);
        } finally {
            handler.destroy();
        }
    }
    if (!foundValidCredential) {
        LOGGER.error("No valid credentials could be found to verify the signature for [{}]", profileRequest.getIssuer());
        throw new SamlException("No valid signing credentials for validation could not be resolved");
    }
}
Also used : Credential(org.opensaml.security.credential.Credential) ExplicitKeySignatureTrustEngine(org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine) SignatureTrustEngine(org.opensaml.xmlsec.signature.support.SignatureTrustEngine) SAMLPeerEntityContext(org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) SAML2HTTPRedirectDeflateSignatureSecurityHandler(org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler) SamlException(org.apereo.cas.support.saml.SamlException) SamlException(org.apereo.cas.support.saml.SamlException) SignatureValidationParameters(org.opensaml.xmlsec.SignatureValidationParameters) StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver) SAMLProtocolContext(org.opensaml.saml.common.messaging.context.SAMLProtocolContext) StaticCredentialResolver(org.opensaml.security.credential.impl.StaticCredentialResolver) ExplicitKeySignatureTrustEngine(org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine) RoleDescriptor(org.opensaml.saml.saml2.metadata.RoleDescriptor) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) SecurityParametersContext(org.opensaml.xmlsec.context.SecurityParametersContext) StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver) KeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver) MetadataCredentialResolver(org.opensaml.saml.security.impl.MetadataCredentialResolver) StaticCredentialResolver(org.opensaml.security.credential.impl.StaticCredentialResolver) StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver) CredentialResolver(org.opensaml.security.credential.CredentialResolver) KeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver)

Example 8 with SAMLPeerEntityContext

use of org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext in project pac4j by pac4j.

the class SAML2LogoutResponseValidator method validateAssertionSignature.

/**
 * Validate assertion signature. If none is found and the SAML response did not have one and the SP requires
 * the assertions to be signed, the validation fails.
 *
 * @param signature the signature
 * @param context the context
 * @param engine the engine
 */
protected final void validateAssertionSignature(final Signature signature, final SAML2MessageContext context, final SignatureTrustEngine engine) {
    final SAMLPeerEntityContext peerContext = context.getSAMLPeerEntityContext();
    if (signature != null) {
        final String entityId = peerContext.getEntityId();
        validateSignature(signature, entityId, engine);
    } else {
        if (!peerContext.isAuthenticated()) {
            throw new SAMLSignatureRequiredException("Assertion or response must be signed");
        }
    }
}
Also used : SAMLPeerEntityContext(org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext) SAMLSignatureRequiredException(org.pac4j.saml.exceptions.SAMLSignatureRequiredException)

Example 9 with SAMLPeerEntityContext

use of org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext in project pac4j by pac4j.

the class SAML2WebSSOMessageReceiver method receiveMessage.

@Override
public Credentials receiveMessage(final SAML2MessageContext context) {
    final SAMLPeerEntityContext peerContext = context.getSAMLPeerEntityContext();
    peerContext.setRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
    context.getSAMLSelfProtocolContext().setProtocol(SAMLConstants.SAML20P_NS);
    final Pac4jHTTPPostDecoder decoder = new Pac4jHTTPPostDecoder(context.getWebContext());
    try {
        decoder.setParserPool(Configuration.getParserPool());
        decoder.initialize();
        decoder.decode();
    } catch (final Exception e) {
        throw new SAMLException("Error decoding saml message", e);
    }
    final SAML2MessageContext decodedCtx = new SAML2MessageContext(decoder.getMessageContext());
    decodedCtx.setMessage(decoder.getMessageContext().getMessage());
    decodedCtx.setSAMLMessageStorage(context.getSAMLMessageStorage());
    final SAMLBindingContext bindingContext = decodedCtx.getParent().getSubcontext(SAMLBindingContext.class);
    decodedCtx.getSAMLBindingContext().setBindingDescriptor(bindingContext.getBindingDescriptor());
    decodedCtx.getSAMLBindingContext().setBindingUri(bindingContext.getBindingUri());
    decodedCtx.getSAMLBindingContext().setHasBindingSignature(bindingContext.hasBindingSignature());
    decodedCtx.getSAMLBindingContext().setIntendedDestinationEndpointURIRequired(bindingContext.isIntendedDestinationEndpointURIRequired());
    decodedCtx.getSAMLBindingContext().setRelayState(bindingContext.getRelayState());
    final AssertionConsumerService acsService = context.getSPAssertionConsumerService();
    decodedCtx.getSAMLEndpointContext().setEndpoint(acsService);
    final EntityDescriptor metadata = context.getSAMLPeerMetadataContext().getEntityDescriptor();
    if (metadata == null) {
        throw new SAMLException("IDP Metadata cannot be null");
    }
    decodedCtx.getSAMLPeerEntityContext().setEntityId(metadata.getEntityID());
    decodedCtx.getSAMLSelfEntityContext().setEntityId(context.getSAMLSelfEntityContext().getEntityId());
    decodedCtx.getSAMLSelfEndpointContext().setEndpoint(context.getSAMLSelfEndpointContext().getEndpoint());
    decodedCtx.getSAMLSelfEntityContext().setRole(context.getSAMLSelfEntityContext().getRole());
    decodedCtx.getProfileRequestContext().setProfileId(SAML2_WEBSSO_PROFILE_URI);
    decodedCtx.getSAMLSelfMetadataContext().setRoleDescriptor(context.getSPSSODescriptor());
    return this.validator.validate(decodedCtx);
}
Also used : SAMLBindingContext(org.opensaml.saml.common.messaging.context.SAMLBindingContext) SAML2MessageContext(org.pac4j.saml.context.SAML2MessageContext) EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor) SAMLPeerEntityContext(org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext) AssertionConsumerService(org.opensaml.saml.saml2.metadata.AssertionConsumerService) Pac4jHTTPPostDecoder(org.pac4j.saml.transport.Pac4jHTTPPostDecoder) SAMLException(org.pac4j.saml.exceptions.SAMLException) SAMLException(org.pac4j.saml.exceptions.SAMLException)

Aggregations

SAMLPeerEntityContext (org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext)9 SAML2MessageContext (org.pac4j.saml.context.SAML2MessageContext)3 Test (org.junit.Test)2 SAMLEndpointContext (org.opensaml.saml.common.messaging.context.SAMLEndpointContext)2 AssertionConsumerService (org.opensaml.saml.saml2.metadata.AssertionConsumerService)2 Endpoint (org.opensaml.saml.saml2.metadata.Endpoint)2 SAMLSignatureRequiredException (org.pac4j.saml.exceptions.SAMLSignatureRequiredException)2 CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet)1 SamlException (org.apereo.cas.support.saml.SamlException)1 EntityIdCriterion (org.opensaml.core.criterion.EntityIdCriterion)1 SAMLBindingContext (org.opensaml.saml.common.messaging.context.SAMLBindingContext)1 SAMLProtocolContext (org.opensaml.saml.common.messaging.context.SAMLProtocolContext)1 EntityRoleCriterion (org.opensaml.saml.criterion.EntityRoleCriterion)1 SAML2HTTPRedirectDeflateSignatureSecurityHandler (org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler)1 EntityDescriptor (org.opensaml.saml.saml2.metadata.EntityDescriptor)1 RoleDescriptor (org.opensaml.saml.saml2.metadata.RoleDescriptor)1 MetadataCredentialResolver (org.opensaml.saml.security.impl.MetadataCredentialResolver)1 Credential (org.opensaml.security.credential.Credential)1 CredentialResolver (org.opensaml.security.credential.CredentialResolver)1 StaticCredentialResolver (org.opensaml.security.credential.impl.StaticCredentialResolver)1