Example 36 with AttributeStatement
use of org.opensaml.saml.saml1.core.AttributeStatement in project cas by apereo.
the class AbstractSaml20ObjectBuilder method newAttributeStatement.
/**
* New attribute statement.
*
* @param attributes the attributes
* @param attributeFriendlyNames the attribute friendly names
* @param configuredNameFormats the configured name formats
* @param defaultNameFormat the default name format
* @return the attribute statement
*/
public AttributeStatement newAttributeStatement(final Map<String, Object> attributes, final Map<String, String> attributeFriendlyNames, final Map<String, String> configuredNameFormats, final String defaultNameFormat) {
final AttributeStatement attrStatement = newSamlObject(AttributeStatement.class);
for (final Map.Entry<String, Object> e : attributes.entrySet()) {
if (e.getValue() instanceof Collection<?> && ((Collection<?>) e.getValue()).isEmpty()) {
LOGGER.info("Skipping attribute [{}] because it does not have any values.", e.getKey());
continue;
}
final String friendlyName = attributeFriendlyNames.getOrDefault(e.getKey(), null);
final Attribute attribute = newAttribute(friendlyName, e, configuredNameFormats, defaultNameFormat);
attrStatement.getAttributes().add(attribute);
}
return attrStatement;
}
Also used :
Attribute(org.opensaml.saml.saml2.core.Attribute)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
XMLObject(org.opensaml.core.xml.XMLObject)
Map(java.util.Map)
Example 37 with AttributeStatement
use of org.opensaml.saml.saml1.core.AttributeStatement in project verify-hub by alphagov.
the class EidasAttributeStatementAssertionValidator method validateAttributes.
private void validateAttributes(Assertion assertion) {
final List<AttributeStatement> attributeStatements = assertion.getAttributeStatements();
if (attributeStatements.isEmpty()) {
SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.mdsStatementMissing();
throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
}
if (attributeStatements.size() > 1) {
SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.mdsMultipleStatements();
throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
}
final List<Attribute> attributes = attributeStatements.get(0).getAttributes();
if (attributes.isEmpty()) {
SamlValidationSpecificationFailure failure = attributeStatementEmpty(assertion.getID());
throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
}
Set<String> attributeNames = attributes.stream().map(Attribute::getName).collect(Collectors.toSet());
if (!attributeNames.containsAll(MANDATORY_ATTRIBUTES.keySet())) {
throw new SamlTransformationErrorException(String.format("Mandatory attributes not provided. Expected %s but got %s", MANDATORY_ATTRIBUTES.values().stream().collect(Collectors.joining(",")), attributes.stream().map(Attribute::getFriendlyName).collect(Collectors.joining(","))), Level.ERROR);
}
for (Attribute attribute : attributes) {
final String attributeName = attribute.getName();
if (!VALID_EIDAS_ATTRIBUTE_NAMES.contains(attributeName)) {
SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.mdsAttributeNotRecognised(attributeName);
throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
}
if (attribute.getAttributeValues().isEmpty()) {
SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.emptyAttribute(attributeName);
throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
}
if (!VALID_TYPE_FOR_ATTRIBUTE.get(attributeName).equals(attribute.getAttributeValues().get(0).getSchemaType())) {
final QName schemaType = attribute.getAttributeValues().get(0).getSchemaType();
SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.attributeWithIncorrectType(attributeName, VALID_TYPE_FOR_ATTRIBUTE.get(attributeName), schemaType);
throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
}
if (!VALID_ATTRIBUTE_NAME_FORMATS.contains(attribute.getNameFormat())) {
SamlTransformationErrorManager.warn(invalidAttributeNameFormat(attribute.getNameFormat()));
}
}
}
Also used :
SamlValidationSpecificationFailure(uk.gov.ida.saml.core.validation.SamlValidationSpecificationFailure)
Attribute(org.opensaml.saml.saml2.core.Attribute)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
SamlTransformationErrorException(uk.gov.ida.saml.core.validation.SamlTransformationErrorException)
QName(javax.xml.namespace.QName)
Example 38 with AttributeStatement
use of org.opensaml.saml.saml1.core.AttributeStatement in project pac4j by pac4j.
the class SAML2DefaultResponseValidator method buildSAML2Credentials.
protected final SAML2Credentials buildSAML2Credentials(final SAML2MessageContext context) {
final NameID nameId = context.getSAMLSubjectNameIdentifierContext().getSAML2SubjectNameID();
final Assertion subjectAssertion = context.getSubjectAssertion();
final String sessionIndex = getSessionIndex(subjectAssertion);
final String issuerEntityId = subjectAssertion.getIssuer().getValue();
List<AuthnStatement> authnStatements = subjectAssertion.getAuthnStatements();
List<String> authnContexts = new ArrayList<String>();
for (AuthnStatement authnStatement : authnStatements) {
authnContexts.add(authnStatement.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef());
}
final List<Attribute> attributes = new ArrayList<Attribute>();
for (final AttributeStatement attributeStatement : subjectAssertion.getAttributeStatements()) {
for (final Attribute attribute : attributeStatement.getAttributes()) {
attributes.add(attribute);
}
if (!attributeStatement.getEncryptedAttributes().isEmpty()) {
if (decrypter == null) {
logger.warn("Encrypted attributes returned, but no keystore was provided.");
} else {
for (final EncryptedAttribute encryptedAttribute : attributeStatement.getEncryptedAttributes()) {
try {
attributes.add(decrypter.decrypt(encryptedAttribute));
} catch (final DecryptionException e) {
logger.warn("Decryption of attribute failed, continue with the next one", e);
}
}
}
}
}
return new SAML2Credentials(nameId, issuerEntityId, attributes, subjectAssertion.getConditions(), sessionIndex, authnContexts);
}
Also used :
EncryptedAttribute(org.opensaml.saml.saml2.core.EncryptedAttribute)
NameID(org.opensaml.saml.saml2.core.NameID)
Attribute(org.opensaml.saml.saml2.core.Attribute)
EncryptedAttribute(org.opensaml.saml.saml2.core.EncryptedAttribute)
SAML2Credentials(org.pac4j.saml.credentials.SAML2Credentials)
EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion)
Assertion(org.opensaml.saml.saml2.core.Assertion)
ArrayList(java.util.ArrayList)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
AuthnStatement(org.opensaml.saml.saml2.core.AuthnStatement)
DecryptionException(org.opensaml.xmlsec.encryption.support.DecryptionException)
SAMLNameIdDecryptionException(org.pac4j.saml.exceptions.SAMLNameIdDecryptionException)
Example 39 with AttributeStatement
use of org.opensaml.saml.saml1.core.AttributeStatement in project syncope by apache.
the class SAML2SPLogic method validateLoginResponse.
@PreAuthorize("hasRole('" + StandardEntitlement.ANONYMOUS + "')")
public SAML2LoginResponseTO validateLoginResponse(final SAML2ReceivedResponseTO response) {
check();
// 1. first checks for the provided relay state
if (response.getRelayState() == null) {
throw new IllegalArgumentException("No Relay State was provided");
}
Boolean useDeflateEncoding = false;
String requestId = null;
if (!IDP_INITIATED_RELAY_STATE.equals(response.getRelayState())) {
JwsJwtCompactConsumer relayState = new JwsJwtCompactConsumer(response.getRelayState());
if (!relayState.verifySignatureWith(jwsSignatureVerifier)) {
throw new IllegalArgumentException("Invalid signature found in Relay State");
}
useDeflateEncoding = Boolean.valueOf(relayState.getJwtClaims().getClaim(JWT_CLAIM_IDP_DEFLATE).toString());
requestId = relayState.getJwtClaims().getSubject();
Long expiryTime = relayState.getJwtClaims().getExpiryTime();
if (expiryTime == null || (expiryTime * 1000L) < new Date().getTime()) {
throw new IllegalArgumentException("Relay State is expired");
}
}
// 2. parse the provided SAML response
if (response.getSamlResponse() == null) {
throw new IllegalArgumentException("No SAML Response was provided");
}
Response samlResponse;
try {
XMLObject responseObject = saml2rw.read(useDeflateEncoding, response.getSamlResponse());
if (!(responseObject instanceof Response)) {
throw new IllegalArgumentException("Expected " + Response.class.getName() + ", got " + responseObject.getClass().getName());
}
samlResponse = (Response) responseObject;
} catch (Exception e) {
LOG.error("While parsing AuthnResponse", e);
SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
sce.getElements().add(e.getMessage());
throw sce;
}
// 3. validate the SAML response and, if needed, decrypt the provided assertion(s)
if (samlResponse.getIssuer() == null || samlResponse.getIssuer().getValue() == null) {
throw new IllegalArgumentException("The SAML Response must contain an Issuer");
}
final SAML2IdPEntity idp = getIdP(samlResponse.getIssuer().getValue());
if (idp.getConnObjectKeyItem() == null) {
throw new IllegalArgumentException("No mapping provided for SAML 2.0 IdP '" + idp.getId() + "'");
}
if (IDP_INITIATED_RELAY_STATE.equals(response.getRelayState()) && !idp.isSupportUnsolicited()) {
throw new IllegalArgumentException("An unsolicited request is not allowed for idp: " + idp.getId());
}
SSOValidatorResponse validatorResponse = null;
try {
validatorResponse = saml2rw.validate(samlResponse, idp, getAssertionConsumerURL(response.getSpEntityID(), response.getUrlContext()), requestId, response.getSpEntityID());
} catch (Exception e) {
LOG.error("While validating AuthnResponse", e);
SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
sce.getElements().add(e.getMessage());
throw sce;
}
// 4. prepare the result: find matching user (if any) and return the received attributes
final SAML2LoginResponseTO responseTO = new SAML2LoginResponseTO();
responseTO.setIdp(idp.getId());
responseTO.setSloSupported(idp.getSLOLocation(idp.getBindingType()) != null);
Assertion assertion = validatorResponse.getOpensamlAssertion();
NameID nameID = assertion.getSubject().getNameID();
if (nameID == null) {
throw new IllegalArgumentException("NameID not found");
}
String keyValue = null;
if (StringUtils.isNotBlank(nameID.getValue()) && idp.getConnObjectKeyItem().getExtAttrName().equals("NameID")) {
keyValue = nameID.getValue();
}
if (assertion.getConditions().getNotOnOrAfter() != null) {
responseTO.setNotOnOrAfter(assertion.getConditions().getNotOnOrAfter().toDate());
}
assertion.getAuthnStatements().forEach(authnStmt -> {
responseTO.setSessionIndex(authnStmt.getSessionIndex());
responseTO.setAuthInstant(authnStmt.getAuthnInstant().toDate());
if (authnStmt.getSessionNotOnOrAfter() != null) {
responseTO.setNotOnOrAfter(authnStmt.getSessionNotOnOrAfter().toDate());
}
});
for (AttributeStatement attrStmt : assertion.getAttributeStatements()) {
for (Attribute attr : attrStmt.getAttributes()) {
if (!attr.getAttributeValues().isEmpty()) {
String attrName = attr.getFriendlyName() == null ? attr.getName() : attr.getFriendlyName();
if (attrName.equals(idp.getConnObjectKeyItem().getExtAttrName())) {
if (attr.getAttributeValues().get(0) instanceof XSString) {
keyValue = ((XSString) attr.getAttributeValues().get(0)).getValue();
} else if (attr.getAttributeValues().get(0) instanceof XSAny) {
keyValue = ((XSAny) attr.getAttributeValues().get(0)).getTextContent();
}
}
AttrTO attrTO = new AttrTO();
attrTO.setSchema(attrName);
attr.getAttributeValues().stream().filter(value -> value.getDOM() != null).forEachOrdered(value -> {
attrTO.getValues().add(value.getDOM().getTextContent());
});
responseTO.getAttrs().add(attrTO);
}
}
}
final List<String> matchingUsers = keyValue == null ? Collections.<String>emptyList() : userManager.findMatchingUser(keyValue, idp.getKey());
LOG.debug("Found {} matching users for {}", matchingUsers.size(), keyValue);
String username;
if (matchingUsers.isEmpty()) {
if (idp.isCreateUnmatching()) {
LOG.debug("No user matching {}, about to create", keyValue);
username = AuthContextUtils.execWithAuthContext(AuthContextUtils.getDomain(), () -> userManager.create(idp, responseTO, nameID.getValue()));
} else if (idp.isSelfRegUnmatching()) {
responseTO.setNameID(nameID.getValue());
UserTO userTO = new UserTO();
userManager.fill(idp.getKey(), responseTO, userTO);
responseTO.getAttrs().clear();
responseTO.getAttrs().addAll(userTO.getPlainAttrs());
responseTO.getAttrs().addAll(userTO.getVirAttrs());
if (StringUtils.isNotBlank(userTO.getUsername())) {
responseTO.setUsername(userTO.getUsername());
}
responseTO.setSelfReg(true);
return responseTO;
} else {
throw new NotFoundException("User matching the provided value " + keyValue);
}
} else if (matchingUsers.size() > 1) {
throw new IllegalArgumentException("Several users match the provided value " + keyValue);
} else {
if (idp.isUpdateMatching()) {
LOG.debug("About to update {} for {}", matchingUsers.get(0), keyValue);
username = AuthContextUtils.execWithAuthContext(AuthContextUtils.getDomain(), () -> userManager.update(matchingUsers.get(0), idp, responseTO));
} else {
username = matchingUsers.get(0);
}
}
responseTO.setUsername(username);
responseTO.setNameID(nameID.getValue());
// 5. generate JWT for further access
Map<String, Object> claims = new HashMap<>();
claims.put(JWT_CLAIM_IDP_ENTITYID, idp.getId());
claims.put(JWT_CLAIM_NAMEID_FORMAT, nameID.getFormat());
claims.put(JWT_CLAIM_NAMEID_VALUE, nameID.getValue());
claims.put(JWT_CLAIM_SESSIONINDEX, responseTO.getSessionIndex());
byte[] authorities = null;
try {
authorities = ENCRYPTOR.encode(POJOHelper.serialize(authDataAccessor.getAuthorities(responseTO.getUsername())), CipherAlgorithm.AES).getBytes();
} catch (Exception e) {
LOG.error("Could not fetch authorities", e);
}
Pair<String, Date> accessTokenInfo = accessTokenDataBinder.create(responseTO.getUsername(), claims, authorities, true);
responseTO.setAccessToken(accessTokenInfo.getLeft());
responseTO.setAccessTokenExpiryTime(accessTokenInfo.getRight());
return responseTO;
}
Also used :
SAMLVersion(org.opensaml.saml.common.SAMLVersion)
XSAny(org.opensaml.core.xml.schema.XSAny)
JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer)
SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException)
Date(java.util.Date)
PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)
AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest)
Autowired(org.springframework.beans.factory.annotation.Autowired)
SAML2ReaderWriter(org.apache.syncope.core.logic.saml2.SAML2ReaderWriter)
KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor)
SAML2IdP(org.apache.syncope.core.persistence.api.entity.SAML2IdP)
KeyInfoGenerator(org.opensaml.xmlsec.keyinfo.KeyInfoGenerator)
StringUtils(org.apache.commons.lang3.StringUtils)
AuthnRequestBuilder(org.opensaml.saml.saml2.core.impl.AuthnRequestBuilder)
LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest)
Attribute(org.opensaml.saml.saml2.core.Attribute)
AuthnContextComparisonTypeEnumeration(org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration)
Pair(org.apache.commons.lang3.tuple.Pair)
SAML2ReceivedResponseTO(org.apache.syncope.common.lib.to.SAML2ReceivedResponseTO)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
Map(java.util.Map)
RequestedAuthnContext(org.opensaml.saml.saml2.core.RequestedAuthnContext)
SAML2IdPDAO(org.apache.syncope.core.persistence.api.dao.SAML2IdPDAO)
AuthContextUtils(org.apache.syncope.core.spring.security.AuthContextUtils)
XSString(org.opensaml.core.xml.schema.XSString)
Method(java.lang.reflect.Method)
Triple(org.apache.commons.lang3.tuple.Triple)
Response(org.opensaml.saml.saml2.core.Response)
AssertionConsumerServiceBuilder(org.opensaml.saml.saml2.metadata.impl.AssertionConsumerServiceBuilder)
RandomBasedGenerator(com.fasterxml.uuid.impl.RandomBasedGenerator)
AssertionConsumerService(org.opensaml.saml.saml2.metadata.AssertionConsumerService)
NameIDFormat(org.opensaml.saml.saml2.metadata.NameIDFormat)
Resource(javax.annotation.Resource)
AccessTokenDataBinder(org.apache.syncope.core.provisioning.api.data.AccessTokenDataBinder)
AuthnContextClassRef(org.opensaml.saml.saml2.core.AuthnContextClassRef)
SSOValidatorResponse(org.apache.cxf.rs.security.saml.sso.SSOValidatorResponse)
NotFoundException(org.apache.syncope.core.persistence.api.dao.NotFoundException)
StandardCharsets(java.nio.charset.StandardCharsets)
IssuerBuilder(org.opensaml.saml.saml2.core.impl.IssuerBuilder)
SPSSODescriptor(org.opensaml.saml.saml2.metadata.SPSSODescriptor)
List(java.util.List)
Issuer(org.opensaml.saml.saml2.core.Issuer)
NameIDFormatBuilder(org.opensaml.saml.saml2.metadata.impl.NameIDFormatBuilder)
EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor)
AuthnContextClassRefBuilder(org.opensaml.saml.saml2.core.impl.AuthnContextClassRefBuilder)
AbstractBaseBean(org.apache.syncope.common.lib.AbstractBaseBean)
AuthnContext(org.opensaml.saml.saml2.core.AuthnContext)
StandardEntitlement(org.apache.syncope.common.lib.types.StandardEntitlement)
POJOHelper(org.apache.syncope.core.provisioning.api.serialization.POJOHelper)
AttrTO(org.apache.syncope.common.lib.to.AttrTO)
SAML2RequestTO(org.apache.syncope.common.lib.to.SAML2RequestTO)
SAML2BindingType(org.apache.syncope.common.lib.types.SAML2BindingType)
LogoutResponse(org.opensaml.saml.saml2.core.LogoutResponse)
HashMap(java.util.HashMap)
NameIDPolicyBuilder(org.opensaml.saml.saml2.core.impl.NameIDPolicyBuilder)
StatusCode(org.opensaml.saml.saml2.core.StatusCode)
SPSSODescriptorBuilder(org.opensaml.saml.saml2.metadata.impl.SPSSODescriptorBuilder)
EntityDescriptorBuilder(org.opensaml.saml.saml2.metadata.impl.EntityDescriptorBuilder)
SingleLogoutServiceBuilder(org.opensaml.saml.saml2.metadata.impl.SingleLogoutServiceBuilder)
SAML2LoginResponseTO(org.apache.syncope.common.lib.to.SAML2LoginResponseTO)
Assertion(org.opensaml.saml.saml2.core.Assertion)
OutputStreamWriter(java.io.OutputStreamWriter)
ClientExceptionType(org.apache.syncope.common.lib.types.ClientExceptionType)
SAML2IdPCache(org.apache.syncope.core.logic.saml2.SAML2IdPCache)
XMLObject(org.opensaml.core.xml.XMLObject)
SAMLConstants(org.opensaml.saml.common.xml.SAMLConstants)
CipherAlgorithm(org.apache.syncope.common.lib.types.CipherAlgorithm)
OutputStream(java.io.OutputStream)
KeyDescriptorBuilder(org.opensaml.saml.saml2.metadata.impl.KeyDescriptorBuilder)
Encryptor(org.apache.syncope.core.spring.security.Encryptor)
SingleLogoutService(org.opensaml.saml.saml2.metadata.SingleLogoutService)
DateTime(org.joda.time.DateTime)
SessionIndexBuilder(org.opensaml.saml.saml2.core.impl.SessionIndexBuilder)
SAML2UserManager(org.apache.syncope.core.logic.saml2.SAML2UserManager)
LogoutRequestBuilder(org.opensaml.saml.saml2.core.impl.LogoutRequestBuilder)
AuthDataAccessor(org.apache.syncope.core.spring.security.AuthDataAccessor)
AccessTokenDAO(org.apache.syncope.core.persistence.api.dao.AccessTokenDAO)
JwsSignatureVerifier(org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier)
NameIDBuilder(org.opensaml.saml.saml2.core.impl.NameIDBuilder)
ResourceUtils(org.springframework.util.ResourceUtils)
SessionIndex(org.opensaml.saml.saml2.core.SessionIndex)
URLEncoder(java.net.URLEncoder)
Component(org.springframework.stereotype.Component)
X509KeyInfoGeneratorFactory(org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory)
RequestedAuthnContextBuilder(org.opensaml.saml.saml2.core.impl.RequestedAuthnContextBuilder)
NameIDType(org.opensaml.saml.saml2.core.NameIDType)
Generators(com.fasterxml.uuid.Generators)
NameIDPolicy(org.opensaml.saml.saml2.core.NameIDPolicy)
UserTO(org.apache.syncope.common.lib.to.UserTO)
Collections(java.util.Collections)
NameID(org.opensaml.saml.saml2.core.NameID)
SAML2IdPEntity(org.apache.syncope.core.logic.saml2.SAML2IdPEntity)
Attribute(org.opensaml.saml.saml2.core.Attribute)
HashMap(java.util.HashMap)
AttrTO(org.apache.syncope.common.lib.to.AttrTO)
NotFoundException(org.apache.syncope.core.persistence.api.dao.NotFoundException)
XSString(org.opensaml.core.xml.schema.XSString)
XSAny(org.opensaml.core.xml.schema.XSAny)
JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer)
SSOValidatorResponse(org.apache.cxf.rs.security.saml.sso.SSOValidatorResponse)
SAML2LoginResponseTO(org.apache.syncope.common.lib.to.SAML2LoginResponseTO)
NameID(org.opensaml.saml.saml2.core.NameID)
SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException)
Assertion(org.opensaml.saml.saml2.core.Assertion)
XMLObject(org.opensaml.core.xml.XMLObject)
XSString(org.opensaml.core.xml.schema.XSString)
Date(java.util.Date)
SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException)
NotFoundException(org.apache.syncope.core.persistence.api.dao.NotFoundException)
Response(org.opensaml.saml.saml2.core.Response)
SSOValidatorResponse(org.apache.cxf.rs.security.saml.sso.SSOValidatorResponse)
LogoutResponse(org.opensaml.saml.saml2.core.LogoutResponse)
SAML2IdPEntity(org.apache.syncope.core.logic.saml2.SAML2IdPEntity)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
UserTO(org.apache.syncope.common.lib.to.UserTO)
XMLObject(org.opensaml.core.xml.XMLObject)
PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)
Example 40 with AttributeStatement
use of org.opensaml.saml.saml1.core.AttributeStatement in project ddf by codice.
the class SamlAssertionValidatorImplTest method createAssertion.
private Assertion createAssertion(boolean sign, boolean validSignature, String issuerString, DateTime notOnOrAfter) throws Exception {
Assertion assertion = new AssertionBuilder().buildObject();
assertion.setID(UUID.randomUUID().toString());
assertion.setIssueInstant(new DateTime());
Issuer issuer = new IssuerBuilder().buildObject();
issuer.setValue(issuerString);
assertion.setIssuer(issuer);
NameID nameID = new NameIDBuilder().buildObject();
nameID.setFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
nameID.setNameQualifier("http://cxf.apache.org/sts");
nameID.setValue("admin");
SubjectConfirmation subjectConfirmation = new SubjectConfirmationBuilder().buildObject();
subjectConfirmation.setMethod("urn:oasis:names:tc:SAML:2.0:cm:bearer");
Subject subject = new SubjectBuilder().buildObject();
subject.setNameID(nameID);
subject.getSubjectConfirmations().add(subjectConfirmation);
assertion.setSubject(subject);
Conditions conditions = new ConditionsBuilder().buildObject();
conditions.setNotBefore(new DateTime().minusDays(3));
conditions.setNotOnOrAfter(notOnOrAfter);
assertion.setConditions(conditions);
AuthnStatement authnStatement = new AuthnStatementBuilder().buildObject();
authnStatement.setAuthnInstant(new DateTime());
AuthnContext authnContext = new AuthnContextBuilder().buildObject();
AuthnContextClassRef authnContextClassRef = new AuthnContextClassRefBuilder().buildObject();
authnContextClassRef.setAuthnContextClassRef("urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified");
authnContext.setAuthnContextClassRef(authnContextClassRef);
authnStatement.setAuthnContext(authnContext);
assertion.getAuthnStatements().add(authnStatement);
AttributeStatement attributeStatement = new AttributeStatementBuilder().buildObject();
Attribute attribute = new AttributeBuilder().buildObject();
AttributeValueType attributeValue = new AttributeValueTypeImplBuilder().buildObject();
attributeValue.setValue("admin");
attribute.setName("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");
attribute.setNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");
attribute.getAttributeValues().add(attributeValue);
attributeStatement.getAttributes().add(attribute);
assertion.getAttributeStatements().add(attributeStatement);
if (sign) {
Signature signature = OpenSAMLUtil.buildSignature();
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
signature.setSignatureAlgorithm(WSS4JConstants.RSA);
BasicX509Credential signingCredential;
if (validSignature) {
signingCredential = new BasicX509Credential(certificate);
signingCredential.setPrivateKey(privateKey);
signature.setSigningCredential(signingCredential);
} else {
try (InputStream inputStream = getClass().getResourceAsStream("/localhost.crt")) {
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) certificateFactory.generateCertificate(inputStream);
signingCredential = new BasicX509Credential(cert);
signature.setSigningCredential(signingCredential);
}
}
X509KeyInfoGeneratorFactory x509KeyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
x509KeyInfoGeneratorFactory.setEmitEntityCertificate(true);
KeyInfo keyInfo = x509KeyInfoGeneratorFactory.newInstance().generate(signingCredential);
signature.setKeyInfo(keyInfo);
assertion.setSignature(signature);
}
return assertion;
}
Also used :
Issuer(org.opensaml.saml.saml2.core.Issuer)
Attribute(org.opensaml.saml.saml2.core.Attribute)
AuthnStatementBuilder(org.opensaml.saml.saml2.core.impl.AuthnStatementBuilder)
AuthnContextClassRefBuilder(org.opensaml.saml.saml2.core.impl.AuthnContextClassRefBuilder)
CertificateFactory(java.security.cert.CertificateFactory)
DateTime(org.joda.time.DateTime)
Conditions(org.opensaml.saml.saml2.core.Conditions)
AuthnContext(org.opensaml.saml.saml2.core.AuthnContext)
NameIDBuilder(org.opensaml.saml.saml2.core.impl.NameIDBuilder)
SubjectConfirmation(org.opensaml.saml.saml2.core.SubjectConfirmation)
KeyInfo(org.opensaml.xmlsec.signature.KeyInfo)
SubjectBuilder(org.opensaml.saml.saml2.core.impl.SubjectBuilder)
SubjectConfirmationBuilder(org.opensaml.saml.saml2.core.impl.SubjectConfirmationBuilder)
X509KeyInfoGeneratorFactory(org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory)
AttributeStatementBuilder(org.opensaml.saml.saml2.core.impl.AttributeStatementBuilder)
AttributeBuilder(org.opensaml.saml.saml2.core.impl.AttributeBuilder)
NameID(org.opensaml.saml.saml2.core.NameID)
AttributeValueType(org.opensaml.xacml.ctx.AttributeValueType)
InputStream(java.io.InputStream)
AuthnContextBuilder(org.opensaml.saml.saml2.core.impl.AuthnContextBuilder)
Assertion(org.opensaml.saml.saml2.core.Assertion)
AuthnContextClassRef(org.opensaml.saml.saml2.core.AuthnContextClassRef)
AssertionBuilder(org.opensaml.saml.saml2.core.impl.AssertionBuilder)
Subject(org.opensaml.saml.saml2.core.Subject)
X509Certificate(java.security.cert.X509Certificate)
ConditionsBuilder(org.opensaml.saml.saml2.core.impl.ConditionsBuilder)
BasicX509Credential(org.opensaml.security.x509.BasicX509Credential)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
Signature(org.opensaml.xmlsec.signature.Signature)
AuthnStatement(org.opensaml.saml.saml2.core.AuthnStatement)
IssuerBuilder(org.opensaml.saml.saml2.core.impl.IssuerBuilder)
AttributeValueTypeImplBuilder(org.opensaml.xacml.ctx.impl.AttributeValueTypeImplBuilder)
Aggregations
AttributeStatement (org.opensaml.saml.saml2.core.AttributeStatement)61
Attribute (org.opensaml.saml.saml2.core.Attribute)38
Assertion (org.opensaml.saml.saml2.core.Assertion)36
Test (org.junit.jupiter.api.Test)24
AssertionBuilder.anAssertion (uk.gov.ida.saml.core.test.builders.AssertionBuilder.anAssertion)17
XMLObject (org.opensaml.core.xml.XMLObject)15
EncryptedAttribute (org.opensaml.saml.saml2.core.EncryptedAttribute)10
SimpleStringAttributeBuilder.aSimpleStringAttribute (uk.gov.ida.saml.core.test.builders.SimpleStringAttributeBuilder.aSimpleStringAttribute)9
ArrayList (java.util.ArrayList)8
SamlTransformationErrorFactory.emptyAttribute (uk.gov.ida.saml.core.errors.SamlTransformationErrorFactory.emptyAttribute)8
XSString (org.opensaml.core.xml.schema.XSString)7
NameID (org.opensaml.saml.saml2.core.NameID)7
Response (org.opensaml.saml.saml2.core.Response)7
Subject (org.opensaml.saml.saml2.core.Subject)7
EncryptedAssertion (org.opensaml.saml.saml2.core.EncryptedAssertion)6
AttributeBuilder (org.opensaml.saml.saml2.core.impl.AttributeBuilder)6
AttributeStatement (org.opensaml.saml2.core.AttributeStatement)6
HashMap (java.util.HashMap)5
List (java.util.List)5
Map (java.util.Map)5
