Use of org.opensaml.saml.criterion.EntityRoleCriterion in project cas by apereo.
Class SamlIdPObjectSignatureValidator, method buildEntityCriteriaForSigningCredential.
/**
 * Adds the criteria that locate this identity provider's own signing credential:
 * the id reported by the IdP metadata resolver and the IDPSSODescriptor role.
 * The inbound request is not consulted; the IdP signs with its own credential
 * regardless of who sent the request.
 *
 * @param profileRequest the inbound profile request (unused here)
 * @param criteriaSet    the criteria set to populate
 */
@Override
protected void buildEntityCriteriaForSigningCredential(final RequestAbstractType profileRequest, final CriteriaSet criteriaSet) {
    final var idpEntityId = casSamlIdPMetadataResolver.getId();
    final var entityCriterion = new EntityIdCriterion(idpEntityId);
    final var roleCriterion = new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
    criteriaSet.add(entityCriterion);
    criteriaSet.add(roleCriterion);
}
Use of org.opensaml.saml.criterion.EntityRoleCriterion in project cas by apereo.
Class SamlObjectSignatureValidator, method buildEntityCriteriaForSigningCredential.
/**
 * Adds the criteria that locate the signing credential of the requesting
 * service provider: its entity id, read from the issuer of the profile
 * request, and the SPSSODescriptor role.
 *
 * @param profileRequest the profile request whose issuer identifies the SP
 * @param criteriaSet    the criteria set to populate
 */
protected void buildEntityCriteriaForSigningCredential(final RequestAbstractType profileRequest, final CriteriaSet criteriaSet) {
    final var requesterEntityId = SamlIdPUtils.getIssuerFromSamlObject(profileRequest);
    criteriaSet.add(new EntityIdCriterion(requesterEntityId));
    criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
}
Use of org.opensaml.saml.criterion.EntityRoleCriterion in project cas by apereo.
Class SamlObjectSignatureValidator, method validateSignatureOnAuthenticationRequest.
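/**
 * Validates the signature carried by an authentication request received over the
 * HTTP-Redirect binding.
 * <p>
 * The peer (SP) entity id is taken from the request issuer and its role descriptor is
 * resolved from metadata. Each resolved signing credential is then tried in turn with an
 * {@link ExplicitKeySignatureTrustEngine} built for that single credential, so the
 * signature is accepted only when it verifies against one of the resolved credentials.
 * A credential that fails to verify is logged at debug level and the next one is tried;
 * when none verifies, a {@link SamlException} is thrown.
 *
 * @param profileRequest         the inbound SAML request whose signature is validated
 * @param request                the HTTP request carrying the signed redirect parameters
 * @param context                the message context the security handler operates on
 * @param roleDescriptorResolver resolver used to locate the SP role descriptor and credentials
 * @throws Exception if the SP role cannot be resolved, no signing credential can be
 *                   resolved, or none of the credentials verifies the signature
 */
private void validateSignatureOnAuthenticationRequest(final RequestAbstractType profileRequest, final HttpServletRequest request, final MessageContext context, final RoleDescriptorResolver roleDescriptorResolver) throws Exception {
    val peer = context.getSubcontext(SAMLPeerEntityContext.class, true);
    peer.setEntityId(SamlIdPUtils.getIssuerFromSamlObject(profileRequest));
    val peerEntityId = Objects.requireNonNull(peer.getEntityId());
    LOGGER.debug("Validating request signature for [{}]...", peerEntityId);

    val roleDescriptor = roleDescriptorResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(peerEntityId), new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME)));
    peer.setRole(roleDescriptor.getElementQName());

    val protocol = context.getSubcontext(SAMLProtocolContext.class, true);
    protocol.setProtocol(SAMLConstants.SAML20P_NS);

    LOGGER.debug("Building security parameters context for signature validation of [{}]", peerEntityId);
    val secCtx = context.getSubcontext(SecurityParametersContext.class, true);
    val validationParams = new SignatureValidationParameters();
    if (overrideBlockedSignatureAlgorithms != null && !overrideBlockedSignatureAlgorithms.isEmpty()) {
        validationParams.setExcludedAlgorithms(this.overrideBlockedSignatureAlgorithms);
        // Log the blocked list, not the allowed one, so the debug output reflects what was applied.
        LOGGER.debug("Validation override blocked algorithms are [{}]", this.overrideBlockedSignatureAlgorithms);
    }
    if (overrideAllowedAlgorithms != null && !overrideAllowedAlgorithms.isEmpty()) {
        validationParams.setIncludedAlgorithms(this.overrideAllowedAlgorithms);
        LOGGER.debug("Validation override allowed algorithms are [{}]", this.overrideAllowedAlgorithms);
    }

    LOGGER.debug("Resolving signing credentials for [{}]", peerEntityId);
    val credentials = getSigningCredential(roleDescriptorResolver, profileRequest);
    if (credentials.isEmpty()) {
        throw new SamlException("Signing credentials for validation could not be resolved");
    }

    // Try each credential separately: a trust engine pinned to exactly one key tells us
    // which credential (if any) actually verifies the signature.
    var foundValidCredential = false;
    val it = credentials.iterator();
    while (!foundValidCredential && it.hasNext()) {
        val handler = new SAML2HTTPRedirectDeflateSignatureSecurityHandler();
        try {
            val credential = it.next();
            val resolver = new StaticCredentialResolver(credential);
            val keyResolver = new StaticKeyInfoCredentialResolver(credential);
            val trustEngine = new ExplicitKeySignatureTrustEngine(resolver, keyResolver);
            validationParams.setSignatureTrustEngine(trustEngine);
            secCtx.setSignatureValidationParameters(validationParams);
            handler.setHttpServletRequest(request);
            LOGGER.debug("Initializing [{}] to execute signature validation for [{}]", handler.getClass().getSimpleName(), peerEntityId);
            handler.initialize();
            LOGGER.debug("Invoking [{}] to handle signature validation for [{}]", handler.getClass().getSimpleName(), peerEntityId);
            handler.invoke(context);
            LOGGER.debug("Successfully validated request signature for [{}].", profileRequest.getIssuer());
            foundValidCredential = true;
        } catch (final Exception e) {
            // A failure against one credential is expected when the SP publishes several;
            // it is only an error if every credential fails (handled below).
            LOGGER.debug(e.getMessage(), e);
        } finally {
            handler.destroy();
        }
    }
    if (!foundValidCredential) {
        LOGGER.error("No valid credentials could be found to verify the signature for [{}]", profileRequest.getIssuer());
        throw new SamlException("No valid signing credentials for validation could not be resolved");
    }
}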
Use of org.opensaml.saml.criterion.EntityRoleCriterion in project cas by apereo.
Class SamlIdPUtilsTests, method verifyMetadataForAllServices.
/**
 * Registers the TestShib service, builds a metadata resolver spanning every
 * registered SAML service, and checks that the service can be looked up by
 * entity id, SP role and POST binding.
 */
@Test
public void verifyMetadataForAllServices() throws Exception {
    val registeredService = getSamlRegisteredServiceForTestShib();
    servicesManager.save(registeredService);

    val entityId = registeredService.getServiceId();
    val resolver = SamlIdPUtils.getMetadataResolverForAllSamlServices(servicesManager, entityId, samlRegisteredServiceCachingMetadataResolver);
    assertNotNull(resolver);

    val lookup = new CriteriaSet(
        new EntityIdCriterion(entityId),
        new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME),
        new BindingCriterion(CollectionUtils.wrap(SAMLConstants.SAML2_POST_BINDING_URI)));
    val matches = resolver.resolve(lookup).iterator();
    assertTrue(matches.hasNext());
    assertEquals(entityId, matches.next().getEntityID());
}
Use of org.opensaml.saml.criterion.EntityRoleCriterion in project cas by apereo.
Class DefaultDelegatedClientAuthenticationWebflowManagerTests, method setupTestContextFor.
/**
 * Builds a SAML2 client and a message context wired for a test exchange with the
 * IdP described by {@code src/test/resources/idp-metadata.xml}.
 * <p>
 * The keystore and SP metadata are regenerated on every call (a throwaway test
 * keystore in the temp directory, protected by a fixed test password). Both the
 * peer (IdP) and self (SP) metadata contexts receive a role descriptor resolved
 * from the client's own metadata resolvers.
 *
 * @param spMetadataPath where the generated SP metadata is written
 * @param spEntityId     entity id to assign to the SP
 * @return the initialized client paired with its message context
 * @throws Exception if configuration, client initialization or metadata resolution fails
 */
private Pair<SAML2Client, SAML2MessageContext> setupTestContextFor(final String spMetadataPath, final String spEntityId) throws Exception {
    val idpMetadataPath = new File("src/test/resources/idp-metadata.xml").getCanonicalPath();
    val generatedKeystore = new File(FileUtils.getTempDirectory(), "keystore").getCanonicalPath();

    val configuration = new SAML2Configuration(generatedKeystore, "changeit", "changeit", idpMetadataPath);
    configuration.setServiceProviderEntityId(spEntityId);
    configuration.setServiceProviderMetadataPath(spMetadataPath);
    configuration.setForceKeystoreGeneration(true);
    configuration.setForceServiceProviderMetadataGeneration(true);
    configuration.init();

    val client = new SAML2Client(configuration);
    client.setCallbackUrl("http://callback.example.org");
    client.init();

    val messageContext = new SAML2MessageContext();
    messageContext.setSaml2Configuration(configuration);
    messageContext.setWebContext(context);

    // Peer side: the IdP, with its role descriptor taken from the IdP metadata resolver.
    val peerContext = messageContext.getMessageContext().getSubcontext(SAMLPeerEntityContext.class, true);
    assertNotNull(peerContext);
    peerContext.setEntityId("https://cas.example.org/idp");
    val peerMetadata = peerContext.getSubcontext(SAMLMetadataContext.class, true);
    assertNotNull(peerMetadata);
    val idpRoleResolver = new PredicateRoleDescriptorResolver(client.getIdpMetadataResolver().resolve());
    idpRoleResolver.initialize();
    val idpCriteria = new CriteriaSet(
        new EntityIdCriterion(Objects.requireNonNull(peerContext.getEntityId())),
        new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
    peerMetadata.setRoleDescriptor(idpRoleResolver.resolveSingle(idpCriteria));

    // Self side: the SP, with its role descriptor taken from the SP metadata resolver.
    val selfContext = messageContext.getMessageContext().getSubcontext(SAMLSelfEntityContext.class, true);
    assertNotNull(selfContext);
    selfContext.setEntityId(configuration.getServiceProviderEntityId());
    val selfMetadata = selfContext.getSubcontext(SAMLMetadataContext.class, true);
    assertNotNull(selfMetadata);
    val spRoleResolver = new PredicateRoleDescriptorResolver(client.getSpMetadataResolver().resolve());
    spRoleResolver.initialize();
    val spCriteria = new CriteriaSet(
        new EntityIdCriterion(Objects.requireNonNull(selfContext.getEntityId())),
        new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
    selfMetadata.setRoleDescriptor(spRoleResolver.resolveSingle(spCriteria));

    return Pair.of(client, messageContext);
}