Example 16 with Assertion

use of org.opensaml.saml.saml1.core.Assertion in project cas by apereo.

the class WsFederationHelper method buildAndVerifyAssertion.

/**
 * converts a token into an assertion.
 *
 * @param reqToken the req token
 * @param config   the config
 * @return an assertion
 */
public Pair<Assertion, WsFederationConfiguration> buildAndVerifyAssertion(final RequestedSecurityToken reqToken, final Collection<WsFederationConfiguration> config) {
    // Unwrap (and, where needed, decrypt) the security token carried in the requested token
    final XMLObject securityToken = getSecurityTokenFromRequestedToken(reqToken, config);
    if (securityToken instanceof Assertion) {
        LOGGER.debug("Security token is an assertion.");
        final Assertion assertion = Assertion.class.cast(securityToken);
        LOGGER.debug("Extracted assertion successfully: [{}]", assertion);
        // Accept the assertion only if its issuer matches a configured identity provider identifier
        final WsFederationConfiguration cfg = config.stream().filter(c -> c.getIdentityProviderIdentifier().equals(assertion.getIssuer())).findFirst().orElse(null);
        if (cfg == null) {
            throw new IllegalArgumentException("Could not locate wsfed configuration for security token provided. The assertion issuer " + assertion.getIssuer() + " does not match any of the identity provider identifiers defined in the configuration");
        }
        return Pair.of(assertion, cfg);
    }
    throw new IllegalArgumentException("Could not extract or decrypt an assertion based on the security token provided");
}
Also used : Assertion(org.opensaml.saml.saml1.core.Assertion) XMLObject(org.opensaml.core.xml.XMLObject)

Example 17 with Assertion

use of org.opensaml.saml.saml1.core.Assertion in project cas by apereo.

the class WsFederationHelperTests method verifyCreateCredentialFromToken.

@Test
public void verifyCreateCredentialFromToken() {
    final String wresult = testTokens.get(GOOD_TOKEN);
    final Pair<Assertion, WsFederationConfiguration> assertion = wsFederationHelper.buildAndVerifyAssertion(wsFederationHelper.getRequestSecurityTokenFromResult(wresult), wsFederationConfigurations);
    final WsFederationCredential expResult = new WsFederationCredential();
    expResult.setIssuedOn(ZonedDateTime.parse("2014-02-26T22:51:16.504Z"));
    expResult.setNotBefore(ZonedDateTime.parse("2014-02-26T22:51:16.474Z"));
    expResult.setNotOnOrAfter(ZonedDateTime.parse("2014-02-26T23:51:16.474Z"));
    expResult.setIssuer("http://adfs.example.com/adfs/services/trust");
    expResult.setAudience("urn:federation:cas");
    expResult.setId("_6257b2bf-7361-4081-ae1f-ec58d4310f61");
    final WsFederationCredential result = wsFederationHelper.createCredentialFromToken(assertion.getKey());
    assertNotNull("testCreateCredentialFromToken() - Not Null", result);
    assertEquals("testCreateCredentialFromToken() - IssuedOn", expResult.getIssuedOn(), result.getIssuedOn());
    assertEquals("testCreateCredentialFromToken() - NotBefore", expResult.getNotBefore(), result.getNotBefore());
    assertEquals("testCreateCredentialFromToken() - NotOnOrAfter", expResult.getNotOnOrAfter(), result.getNotOnOrAfter());
    assertEquals("testCreateCredentialFromToken() - Issuer", expResult.getIssuer(), result.getIssuer());
    assertEquals("testCreateCredentialFromToken() - Audience", expResult.getAudience(), result.getAudience());
    assertEquals("testCreateCredentialFromToken() - Id", expResult.getId(), result.getId());
}
Also used : Assertion(org.opensaml.saml.saml1.core.Assertion) WsFederationCredential(org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential) Test(org.junit.Test)

Example 18 with Assertion

use of org.opensaml.saml.saml1.core.Assertion in project cas by apereo.

the class SamlProfileSaml2ResponseBuilder method buildResponse.

@Override
public Response buildResponse(final Assertion assertion, final Object casAssertion, final RequestAbstractType authnRequest, final SamlRegisteredService service, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final HttpServletRequest request, final HttpServletResponse response, final String binding) throws SamlException {
    // Response ID: a random long, prefixed so it is a valid XML ID (must not start with a digit)
    final String id = '_' + String.valueOf(Math.abs(RandomUtils.getNativeInstance().nextLong()));
    // InResponseTo is bound to the ID of the originating AuthnRequest
    Response samlResponse = newResponse(id, ZonedDateTime.now(ZoneOffset.UTC), authnRequest.getID(), null);
    samlResponse.setVersion(SAMLVersion.VERSION_20);
    samlResponse.setIssuer(buildEntityIssuer());
    if (casProperties.getAuthn().getSamlIdp().isAttributeQueryProfileEnabled()) {
        storeAttributeQueryTicketInRegistry(assertion, request, adaptor);
    }
    // Encrypt the assertion for the service provider if its configuration calls for it
    final SAMLObject finalAssertion = encryptAssertion(assertion, request, response, service, adaptor);
    if (finalAssertion instanceof EncryptedAssertion) {
        LOGGER.debug("Built assertion is encrypted, so the response will add it to the encrypted assertions collection");
        samlResponse.getEncryptedAssertions().add(EncryptedAssertion.class.cast(finalAssertion));
    } else {
        LOGGER.debug("Built assertion is not encrypted, so the response will add it to the assertions collection");
        samlResponse.getAssertions().add(Assertion.class.cast(finalAssertion));
    }
    final Status status = newStatus(StatusCode.SUCCESS, null);
    samlResponse.setStatus(status);
    SamlUtils.logSamlObject(this.configBean, samlResponse);
    // Sign the whole response when the registered service requires signed responses
    if (service.isSignResponses()) {
        LOGGER.debug("SAML entity id [{}] indicates that SAML responses should be signed", adaptor.getEntityId());
        samlResponse = this.samlObjectSigner.encode(samlResponse, service, adaptor, response, request, binding);
        SamlUtils.logSamlObject(configBean, samlResponse);
    }
    return samlResponse;
}
Also used : Response(org.opensaml.saml.saml2.core.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) Status(org.opensaml.saml.saml2.core.Status) SAMLObject(org.opensaml.saml.common.SAMLObject) EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion) Assertion(org.opensaml.saml.saml2.core.Assertion)

Example 19 with Assertion

use of org.opensaml.saml.saml1.core.Assertion in project cxf by apache.

the class DifferentRealmValidator method validate.

public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    // Run the parent validator first, then apply the realm-specific checks below
    Credential validatedCredential = super.validate(credential, data);
    SamlAssertionWrapper transformedToken = validatedCredential.getTransformedToken();
    // The transformed token must be a SAML 2.0 assertion issued by "B-Issuer"
    if (transformedToken == null || transformedToken.getSaml2() == null || !"B-Issuer".equals(transformedToken.getIssuerString())) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
    }
    Assertion assertion = transformedToken.getSaml2();
    // The subject of the transformed assertion must be the expected principal of the other realm
    if (!"B-Principal".equals(assertion.getSubject().getNameID().getValue())) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
    }
    return validatedCredential;
}
Also used : Credential(org.apache.wss4j.dom.validate.Credential) Assertion(org.opensaml.saml.saml2.core.Assertion) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)

Example 20 with Assertion

use of org.opensaml.saml.saml1.core.Assertion in project cxf by apache.

the class ActAsValidator method validate.

@Override
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    Credential validatedCredential = super.validate(credential, data);
    SamlAssertionWrapper assertion = validatedCredential.getSamlAssertion();
    Assertion saml2Assertion = assertion.getSaml2();
    if (saml2Assertion == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    // The technical user should be in the Subject
    Subject subject = saml2Assertion.getSubject();
    if (subject == null || subject.getNameID() == null || !subject.getNameID().getValue().contains("www.client.com")) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    // An ActAs token must carry at least one AttributeStatement
    List<AttributeStatement> attributeStatements = saml2Assertion.getAttributeStatements();
    if (attributeStatements == null || attributeStatements.isEmpty()) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    // Accept the credential only if an "ActAs" or "CustomActAs" attribute names one of the permitted users
    for (AttributeStatement statement : attributeStatements) {
        List<Attribute> attributes = statement.getAttributes();
        for (Attribute attribute : attributes) {
            if (!"CustomActAs".equals(attribute.getName()) && !"ActAs".equals(attribute.getName())) {
                continue;
            }
            for (XMLObject attributeValue : attribute.getAttributeValues()) {
                Element attributeValueElement = attributeValue.getDOM();
                String text = attributeValueElement.getTextContent();
                if (text.contains("alice") || text.contains("bob")) {
                    return validatedCredential;
                }
            }
        }
    }
    // No acceptable ActAs attribute was found
    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
Also used : Credential(org.apache.wss4j.dom.validate.Credential) Attribute(org.opensaml.saml.saml2.core.Attribute) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) Element(org.w3c.dom.Element) Assertion(org.opensaml.saml.saml2.core.Assertion) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) XMLObject(org.opensaml.core.xml.XMLObject) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) Subject(org.opensaml.saml.saml2.core.Subject)