Example 16 with AttributeStatement
use of org.opensaml.saml.saml1.core.AttributeStatement in project cas by apereo.
the class SamlProfileSamlAssertionBuilder method build.
@Override
public Assertion build(final RequestAbstractType authnRequest, final HttpServletRequest request, final HttpServletResponse response, final Object casAssertion, final SamlRegisteredService service, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final String binding) throws SamlException {
final List<Statement> statements = new ArrayList<>();
final AuthnStatement authnStatement = this.samlProfileSamlAuthNStatementBuilder.build(authnRequest, request, response, casAssertion, service, adaptor, binding);
statements.add(authnStatement);
final AttributeStatement attrStatement = this.samlProfileSamlAttributeStatementBuilder.build(authnRequest, request, response, casAssertion, service, adaptor, binding);
if (!attrStatement.getAttributes().isEmpty() || !attrStatement.getEncryptedAttributes().isEmpty()) {
statements.add(attrStatement);
}
final String id = '_' + String.valueOf(Math.abs(RandomUtils.getNativeInstance().nextLong()));
final Assertion assertion = newAssertion(statements, casProperties.getAuthn().getSamlIdp().getEntityId(), ZonedDateTime.now(ZoneOffset.UTC), id);
assertion.setSubject(this.samlProfileSamlSubjectBuilder.build(authnRequest, request, response, casAssertion, service, adaptor, binding));
assertion.setConditions(this.samlProfileSamlConditionsBuilder.build(authnRequest, request, response, casAssertion, service, adaptor, binding));
signAssertion(assertion, request, response, service, adaptor, binding);
return assertion;
}
Also used :
AuthnStatement(org.opensaml.saml.saml2.core.AuthnStatement)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
Statement(org.opensaml.saml.saml2.core.Statement)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
ArrayList(java.util.ArrayList)
AuthnStatement(org.opensaml.saml.saml2.core.AuthnStatement)
Assertion(org.opensaml.saml.saml2.core.Assertion)
Example 17 with AttributeStatement
use of org.opensaml.saml.saml1.core.AttributeStatement in project cas by apereo.
the class AbstractSaml20ObjectBuilder method newAttributeStatement.
/**
* New attribute statement.
*
* @param attributes the attributes
* @param attributeFriendlyNames the attribute friendly names
* @param configuredNameFormats the configured name formats
* @param defaultNameFormat the default name format
* @return the attribute statement
*/
public AttributeStatement newAttributeStatement(final Map<String, Object> attributes, final Map<String, String> attributeFriendlyNames, final Map<String, String> configuredNameFormats, final String defaultNameFormat) {
final AttributeStatement attrStatement = newSamlObject(AttributeStatement.class);
for (final Map.Entry<String, Object> e : attributes.entrySet()) {
if (e.getValue() instanceof Collection<?> && ((Collection<?>) e.getValue()).isEmpty()) {
LOGGER.info("Skipping attribute [{}] because it does not have any values.", e.getKey());
continue;
}
final String friendlyName = attributeFriendlyNames.getOrDefault(e.getKey(), null);
final Attribute attribute = newAttribute(friendlyName, e, configuredNameFormats, defaultNameFormat);
attrStatement.getAttributes().add(attribute);
}
return attrStatement;
}
Also used :
Attribute(org.opensaml.saml.saml2.core.Attribute)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
XMLObject(org.opensaml.core.xml.XMLObject)
Map(java.util.Map)
Example 18 with AttributeStatement
use of org.opensaml.saml.saml1.core.AttributeStatement in project cas by apereo.
the class WsFederationHelper method createCredentialFromToken.
/**
* createCredentialFromToken converts a SAML 1.1 assertion to a WSFederationCredential.
*
* @param assertion the provided assertion
* @return an equivalent credential.
*/
public WsFederationCredential createCredentialFromToken(final Assertion assertion) {
final ZonedDateTime retrievedOn = ZonedDateTime.now();
LOGGER.debug("Retrieved on [{}]", retrievedOn);
final WsFederationCredential credential = new WsFederationCredential();
credential.setRetrievedOn(retrievedOn);
credential.setId(assertion.getID());
credential.setIssuer(assertion.getIssuer());
credential.setIssuedOn(ZonedDateTime.parse(assertion.getIssueInstant().toDateTimeISO().toString()));
final Conditions conditions = assertion.getConditions();
if (conditions != null) {
credential.setNotBefore(ZonedDateTime.parse(conditions.getNotBefore().toDateTimeISO().toString()));
credential.setNotOnOrAfter(ZonedDateTime.parse(conditions.getNotOnOrAfter().toDateTimeISO().toString()));
if (!conditions.getAudienceRestrictionConditions().isEmpty()) {
credential.setAudience(conditions.getAudienceRestrictionConditions().get(0).getAudiences().get(0).getUri());
}
}
if (!assertion.getAuthenticationStatements().isEmpty()) {
credential.setAuthenticationMethod(assertion.getAuthenticationStatements().get(0).getAuthenticationMethod());
}
// retrieve an attributes from the assertion
final HashMap<String, List<Object>> attributes = new HashMap<>();
assertion.getAttributeStatements().stream().flatMap(attributeStatement -> attributeStatement.getAttributes().stream()).forEach(item -> {
LOGGER.debug("Processed attribute: [{}]", item.getAttributeName());
final List<Object> itemList = IntStream.range(0, item.getAttributeValues().size()).mapToObj(i -> ((XSAny) item.getAttributeValues().get(i)).getTextContent()).collect(Collectors.toList());
if (!itemList.isEmpty()) {
attributes.put(item.getAttributeName(), itemList);
}
});
credential.setAttributes(attributes);
LOGGER.debug("Credential: [{}]", credential);
return credential;
}
Also used :
XSAny(org.opensaml.core.xml.schema.XSAny)
ChainingEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver)
KeyPair(java.security.KeyPair)
ExplicitKeySignatureTrustEngine(org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine)
SneakyThrows(lombok.SneakyThrows)
Assertion(org.opensaml.saml.saml1.core.Assertion)
ZonedDateTime(java.time.ZonedDateTime)
RequiredArgsConstructor(lombok.RequiredArgsConstructor)
StaticCredentialResolver(org.opensaml.security.credential.impl.StaticCredentialResolver)
Security(java.security.Security)
Signature(org.opensaml.xmlsec.signature.Signature)
SamlUtils(org.apereo.cas.support.saml.SamlUtils)
Conditions(org.opensaml.saml.saml1.core.Conditions)
Pair(org.apache.commons.lang3.tuple.Pair)
StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver)
ByteArrayInputStream(java.io.ByteArrayInputStream)
SignatureException(org.opensaml.xmlsec.signature.support.SignatureException)
Document(org.w3c.dom.Document)
PEMEncryptedKeyPair(org.bouncycastle.openssl.PEMEncryptedKeyPair)
WsFederationCredential(org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential)
UsageType(org.opensaml.security.credential.UsageType)
SecurityException(org.opensaml.security.SecurityException)
PEMParser(org.bouncycastle.openssl.PEMParser)
Collection(java.util.Collection)
PEMDecryptorProvider(org.bouncycastle.openssl.PEMDecryptorProvider)
ProtocolCriterion(org.opensaml.saml.criterion.ProtocolCriterion)
BasicX509Credential(org.opensaml.security.x509.BasicX509Credential)
Collectors(java.util.stream.Collectors)
StandardCharsets(java.nio.charset.StandardCharsets)
OpenSamlConfigBean(org.apereo.cas.support.saml.OpenSamlConfigBean)
Slf4j(lombok.extern.slf4j.Slf4j)
List(java.util.List)
KeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver)
EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion)
CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet)
RequestedSecurityToken(org.opensaml.soap.wsfed.RequestedSecurityToken)
UnmarshallerFactory(org.opensaml.core.xml.io.UnmarshallerFactory)
EncryptedData(org.opensaml.xmlsec.encryption.EncryptedData)
EncryptedElementTypeEncryptedKeyResolver(org.opensaml.saml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver)
IntStream(java.util.stream.IntStream)
EncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.EncryptedKeyResolver)
Setter(lombok.Setter)
JcaPEMKeyConverter(org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter)
UsageCriterion(org.opensaml.security.criteria.UsageCriterion)
RegisteredServiceProperty(org.apereo.cas.services.RegisteredServiceProperty)
RegisteredServiceAccessStrategyUtils(org.apereo.cas.services.RegisteredServiceAccessStrategyUtils)
HashMap(java.util.HashMap)
SignaturePrevalidator(org.opensaml.xmlsec.signature.support.SignaturePrevalidator)
ArrayList(java.util.ArrayList)
Decrypter(org.opensaml.saml.saml2.encryption.Decrypter)
JcePEMDecryptorProviderBuilder(org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder)
X509CertParser(org.bouncycastle.jce.provider.X509CertParser)
SAMLSignatureProfileValidator(org.opensaml.saml.security.impl.SAMLSignatureProfileValidator)
IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor)
XMLObject(org.opensaml.core.xml.XMLObject)
X509CertificateObject(org.bouncycastle.jce.provider.X509CertificateObject)
SAMLConstants(org.opensaml.saml.common.xml.SAMLConstants)
CredentialResolver(org.opensaml.security.credential.CredentialResolver)
SignatureTrustEngine(org.opensaml.xmlsec.signature.support.SignatureTrustEngine)
ServicesManager(org.apereo.cas.services.ServicesManager)
InlineEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver)
RequestSecurityTokenResponse(org.opensaml.soap.wsfed.RequestSecurityTokenResponse)
Iterator(java.util.Iterator)
Credential(org.opensaml.security.credential.Credential)
Unmarshaller(org.opensaml.core.xml.io.Unmarshaller)
InputStreamReader(java.io.InputStreamReader)
RegisteredService(org.apereo.cas.services.RegisteredService)
BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)
Element(org.w3c.dom.Element)
Service(org.apereo.cas.authentication.principal.Service)
EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion)
PEMKeyPair(org.bouncycastle.openssl.PEMKeyPair)
BufferedReader(java.io.BufferedReader)
SimpleRetrievalMethodEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver)
InputStream(java.io.InputStream)
ZonedDateTime(java.time.ZonedDateTime)
HashMap(java.util.HashMap)
List(java.util.List)
ArrayList(java.util.ArrayList)
XMLObject(org.opensaml.core.xml.XMLObject)
X509CertificateObject(org.bouncycastle.jce.provider.X509CertificateObject)
Conditions(org.opensaml.saml.saml1.core.Conditions)
WsFederationCredential(org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential)
XSAny(org.opensaml.core.xml.schema.XSAny)
Example 19 with AttributeStatement
use of org.opensaml.saml.saml1.core.AttributeStatement in project cxf by apache.
the class CustomSaml2Validator method validate.
@Override
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
Credential validatedCredential = super.validate(credential, data);
SamlAssertionWrapper assertion = validatedCredential.getSamlAssertion();
if (!"sts".equals(assertion.getIssuerString())) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
Assertion saml2Assertion = assertion.getSaml2();
if (saml2Assertion == null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
List<AttributeStatement> attributeStatements = saml2Assertion.getAttributeStatements();
if (attributeStatements == null || attributeStatements.isEmpty()) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
return validatedCredential;
}
Also used :
Credential(org.apache.wss4j.dom.validate.Credential)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
Assertion(org.opensaml.saml.saml2.core.Assertion)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
Example 20 with AttributeStatement
use of org.opensaml.saml.saml1.core.AttributeStatement in project verify-hub by alphagov.
the class EidasAttributeStatementAssertionValidator method validateAttributes.
private void validateAttributes(Assertion assertion) {
final List<AttributeStatement> attributeStatements = assertion.getAttributeStatements();
if (attributeStatements.isEmpty()) {
SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.mdsStatementMissing();
throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
}
if (attributeStatements.size() > 1) {
SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.mdsMultipleStatements();
throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
}
final List<Attribute> attributes = attributeStatements.get(0).getAttributes();
if (attributes.isEmpty()) {
SamlValidationSpecificationFailure failure = attributeStatementEmpty(assertion.getID());
throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
}
Set<String> attributeNames = attributes.stream().map(Attribute::getName).collect(Collectors.toSet());
if (!attributeNames.containsAll(MANDATORY_ATTRIBUTES.keySet())) {
throw new SamlTransformationErrorException(String.format("Mandatory attributes not provided. Expected %s but got %s", MANDATORY_ATTRIBUTES.values().stream().collect(Collectors.joining(",")), attributes.stream().map(Attribute::getFriendlyName).collect(Collectors.joining(","))), Level.ERROR);
}
for (Attribute attribute : attributes) {
final String attributeName = attribute.getName();
if (!VALID_EIDAS_ATTRIBUTE_NAMES.contains(attributeName)) {
SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.mdsAttributeNotRecognised(attributeName);
throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
}
if (attribute.getAttributeValues().isEmpty()) {
SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.emptyAttribute(attributeName);
throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
}
if (!VALID_TYPE_FOR_ATTRIBUTE.get(attributeName).equals(attribute.getAttributeValues().get(0).getSchemaType())) {
final QName schemaType = attribute.getAttributeValues().get(0).getSchemaType();
SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.attributeWithIncorrectType(attributeName, VALID_TYPE_FOR_ATTRIBUTE.get(attributeName), schemaType);
throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
}
if (!VALID_ATTRIBUTE_NAME_FORMATS.contains(attribute.getNameFormat())) {
SamlTransformationErrorManager.warn(invalidAttributeNameFormat(attribute.getNameFormat()));
}
}
}
Also used :
SamlValidationSpecificationFailure(uk.gov.ida.saml.core.validation.SamlValidationSpecificationFailure)
Attribute(org.opensaml.saml.saml2.core.Attribute)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
SamlTransformationErrorException(uk.gov.ida.saml.core.validation.SamlTransformationErrorException)
QName(javax.xml.namespace.QName)
Aggregations
AttributeStatement (org.opensaml.saml.saml2.core.AttributeStatement)17
Attribute (org.opensaml.saml.saml2.core.Attribute)10
XMLObject (org.opensaml.core.xml.XMLObject)8
Subject (org.opensaml.saml.saml2.core.Subject)5
Map (java.util.Map)4
Assertion (org.opensaml.saml.saml2.core.Assertion)4
AttributeStatement (org.opensaml.saml2.core.AttributeStatement)4
SecurityAssertion (ddf.security.assertion.SecurityAssertion)3
HashMap (java.util.HashMap)3
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)3
SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)3
Credential (org.apache.wss4j.dom.validate.Credential)3
Credential (org.opensaml.security.credential.Credential)3
ArrayList (java.util.ArrayList)2
HashSet (java.util.HashSet)2
XSString (org.opensaml.core.xml.schema.XSString)2
Attribute (org.opensaml.saml2.core.Attribute)2
Signature (org.opensaml.xmlsec.signature.Signature)2
UTF8NameValueMicroformat (com.intel.mtwilson.datatypes.UTF8NameValueMicroformat)1
UTF8NameValueSequence (com.intel.mtwilson.datatypes.UTF8NameValueSequence)1
