Example 76 with Assertion
use of org.opensaml.saml.saml2.core.Assertion in project cas by apereo.
the class SamlIdPUtils method getAssertionConsumerServiceFor.
/**
* Gets assertion consumer service for.
*
* @param authnRequest the authn request
* @param servicesManager the services manager
* @param resolver the resolver
* @return the assertion consumer service for
*/
public static AssertionConsumerService getAssertionConsumerServiceFor(final AuthnRequest authnRequest, final ServicesManager servicesManager, final SamlRegisteredServiceCachingMetadataResolver resolver) {
try {
final AssertionConsumerService acs = new AssertionConsumerServiceBuilder().buildObject();
if (authnRequest.getAssertionConsumerServiceIndex() != null) {
final String issuer = getIssuerFromSamlRequest(authnRequest);
final MetadataResolver samlResolver = getMetadataResolverForAllSamlServices(servicesManager, issuer, resolver);
final CriteriaSet criteriaSet = new CriteriaSet();
criteriaSet.add(new EntityIdCriterion(issuer));
criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
criteriaSet.add(new BindingCriterion(CollectionUtils.wrap(SAMLConstants.SAML2_POST_BINDING_URI)));
final Iterable<EntityDescriptor> it = samlResolver.resolve(criteriaSet);
it.forEach(entityDescriptor -> {
final SPSSODescriptor spssoDescriptor = entityDescriptor.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
final List<AssertionConsumerService> acsEndpoints = spssoDescriptor.getAssertionConsumerServices();
if (acsEndpoints.isEmpty()) {
throw new IllegalArgumentException("Metadata resolved for entity id " + issuer + " has no defined ACS endpoints");
}
final int acsIndex = authnRequest.getAssertionConsumerServiceIndex();
if (acsIndex + 1 > acsEndpoints.size()) {
throw new IllegalArgumentException("AssertionConsumerService index specified in the request " + acsIndex + " is invalid " + "since the total endpoints available to " + issuer + " is " + acsEndpoints.size());
}
final AssertionConsumerService foundAcs = acsEndpoints.get(acsIndex);
acs.setBinding(foundAcs.getBinding());
acs.setLocation(foundAcs.getLocation());
acs.setResponseLocation(foundAcs.getResponseLocation());
acs.setIndex(acsIndex);
});
} else {
acs.setBinding(authnRequest.getProtocolBinding());
acs.setLocation(authnRequest.getAssertionConsumerServiceURL());
acs.setResponseLocation(authnRequest.getAssertionConsumerServiceURL());
acs.setIndex(0);
acs.setIsDefault(Boolean.TRUE);
}
LOGGER.debug("Resolved AssertionConsumerService from the request is [{}]", acs);
if (StringUtils.isBlank(acs.getBinding())) {
throw new SamlException("AssertionConsumerService has no protocol binding defined");
}
if (StringUtils.isBlank(acs.getLocation()) && StringUtils.isBlank(acs.getResponseLocation())) {
throw new SamlException("AssertionConsumerService has no location or response location defined");
}
return acs;
} catch (final Exception e) {
throw new IllegalArgumentException(new SamlException(e.getMessage(), e));
}
}
Also used :
AssertionConsumerServiceBuilder(org.opensaml.saml.saml2.metadata.impl.AssertionConsumerServiceBuilder)
EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion)
BindingCriterion(org.opensaml.saml.criterion.BindingCriterion)
SamlRegisteredServiceCachingMetadataResolver(org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceCachingMetadataResolver)
MetadataResolver(org.opensaml.saml.metadata.resolver.MetadataResolver)
ChainingMetadataResolver(org.opensaml.saml.metadata.resolver.ChainingMetadataResolver)
Endpoint(org.opensaml.saml.saml2.metadata.Endpoint)
EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor)
SPSSODescriptor(org.opensaml.saml.saml2.metadata.SPSSODescriptor)
CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet)
EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion)
AssertionConsumerService(org.opensaml.saml.saml2.metadata.AssertionConsumerService)
Example 77 with Assertion
use of org.opensaml.saml.saml2.core.Assertion in project cas by apereo.
the class AbstractSamlProfileHandlerController method buildSamlResponse.
/**
* Build saml response.
*
* @param response the response
* @param request the request
* @param authenticationContext the authentication context
* @param casAssertion the cas assertion
* @param binding the binding
*/
protected void buildSamlResponse(final HttpServletResponse response, final HttpServletRequest request, final Pair<AuthnRequest, MessageContext> authenticationContext, final Assertion casAssertion, final String binding) {
final Pair<SamlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade> pair = getRegisteredServiceAndFacade(authenticationContext.getKey());
final String entityId = pair.getValue().getEntityId();
LOGGER.debug("Preparing SAML response for [{}]", entityId);
final AuthnRequest authnRequest = authenticationContext.getKey();
this.responseBuilder.build(authnRequest, request, response, casAssertion, pair.getKey(), pair.getValue(), binding);
LOGGER.info("Built the SAML response for [{}]", entityId);
}
Also used :
AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest)
SamlRegisteredServiceServiceProviderMetadataFacade(org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade)
SamlRegisteredService(org.apereo.cas.support.saml.services.SamlRegisteredService)
Example 78 with Assertion
use of org.opensaml.saml.saml2.core.Assertion in project cas by apereo.
the class Saml1ArtifactResolutionProfileHandlerController method handlePostRequest.
/**
* Handle post request.
*
* @param response the response
* @param request the request
*/
@PostMapping(path = SamlIdPConstants.ENDPOINT_SAML1_SOAP_ARTIFACT_RESOLUTION)
protected void handlePostRequest(final HttpServletResponse response, final HttpServletRequest request) {
final MessageContext ctx = decodeSoapRequest(request);
final ArtifactResolve artifactMsg = (ArtifactResolve) ctx.getMessage();
try {
final String issuer = artifactMsg.getIssuer().getValue();
final SamlRegisteredService service = verifySamlRegisteredService(issuer);
final Optional<SamlRegisteredServiceServiceProviderMetadataFacade> adaptor = getSamlMetadataFacadeFor(service, artifactMsg);
if (!adaptor.isPresent()) {
throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "Cannot find metadata linked to " + issuer);
}
final SamlRegisteredServiceServiceProviderMetadataFacade facade = adaptor.get();
verifyAuthenticationContextSignature(ctx, request, artifactMsg, facade);
final String artifactId = artifactMsg.getArtifact().getArtifact();
final String ticketId = artifactTicketFactory.createTicketIdFor(artifactId);
final SamlArtifactTicket ticket = this.ticketRegistry.getTicket(ticketId, SamlArtifactTicket.class);
final Service issuerService = webApplicationServiceFactory.createService(issuer);
final Assertion casAssertion = buildCasAssertion(ticket.getTicketGrantingTicket().getAuthentication(), issuerService, service, CollectionUtils.wrap("artifact", ticket));
this.responseBuilder.build(artifactMsg, request, response, casAssertion, service, facade, SAMLConstants.SAML2_ARTIFACT_BINDING_URI);
} catch (final Exception e) {
LOGGER.error(e.getMessage(), e);
request.setAttribute(SamlIdPConstants.REQUEST_ATTRIBUTE_ERROR, e.getMessage());
samlFaultResponseBuilder.build(artifactMsg, request, response, null, null, null, SAMLConstants.SAML2_ARTIFACT_BINDING_URI);
}
}
Also used :
ArtifactResolve(org.opensaml.saml.saml2.core.ArtifactResolve)
SamlRegisteredServiceServiceProviderMetadataFacade(org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade)
SamlRegisteredService(org.apereo.cas.support.saml.services.SamlRegisteredService)
Assertion(org.jasig.cas.client.validation.Assertion)
UnauthorizedServiceException(org.apereo.cas.services.UnauthorizedServiceException)
WebApplicationService(org.apereo.cas.authentication.principal.WebApplicationService)
SamlRegisteredService(org.apereo.cas.support.saml.services.SamlRegisteredService)
Service(org.apereo.cas.authentication.principal.Service)
MessageContext(org.opensaml.messaging.context.MessageContext)
SamlArtifactTicket(org.apereo.cas.ticket.artifact.SamlArtifactTicket)
UnauthorizedServiceException(org.apereo.cas.services.UnauthorizedServiceException)
PostMapping(org.springframework.web.bind.annotation.PostMapping)
Example 79 with Assertion
use of org.opensaml.saml.saml2.core.Assertion in project cas by apereo.
the class SamlProfileSamlAssertionBuilder method build.
@Override
public Assertion build(final RequestAbstractType authnRequest, final HttpServletRequest request, final HttpServletResponse response, final Object casAssertion, final SamlRegisteredService service, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final String binding) throws SamlException {
final List<Statement> statements = new ArrayList<>();
final AuthnStatement authnStatement = this.samlProfileSamlAuthNStatementBuilder.build(authnRequest, request, response, casAssertion, service, adaptor, binding);
statements.add(authnStatement);
final AttributeStatement attrStatement = this.samlProfileSamlAttributeStatementBuilder.build(authnRequest, request, response, casAssertion, service, adaptor, binding);
if (!attrStatement.getAttributes().isEmpty() || !attrStatement.getEncryptedAttributes().isEmpty()) {
statements.add(attrStatement);
}
final String id = '_' + String.valueOf(Math.abs(RandomUtils.getNativeInstance().nextLong()));
final Assertion assertion = newAssertion(statements, casProperties.getAuthn().getSamlIdp().getEntityId(), ZonedDateTime.now(ZoneOffset.UTC), id);
assertion.setSubject(this.samlProfileSamlSubjectBuilder.build(authnRequest, request, response, casAssertion, service, adaptor, binding));
assertion.setConditions(this.samlProfileSamlConditionsBuilder.build(authnRequest, request, response, casAssertion, service, adaptor, binding));
signAssertion(assertion, request, response, service, adaptor, binding);
return assertion;
}
Also used :
AuthnStatement(org.opensaml.saml.saml2.core.AuthnStatement)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
Statement(org.opensaml.saml.saml2.core.Statement)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
ArrayList(java.util.ArrayList)
AuthnStatement(org.opensaml.saml.saml2.core.AuthnStatement)
Assertion(org.opensaml.saml.saml2.core.Assertion)
Example 80 with Assertion
use of org.opensaml.saml.saml2.core.Assertion in project cas by apereo.
the class DefaultAuthnContextClassRefBuilder method build.
@Override
public String build(final Object assertion, final RequestAbstractType authnRequest, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final SamlRegisteredService service) {
if (StringUtils.isNotBlank(service.getRequiredAuthenticationContextClass())) {
LOGGER.debug("Using [{}] as indicated by SAML registered service [{}]", service.getRequiredAuthenticationContextClass(), service.getName());
return service.getRequiredAuthenticationContextClass();
}
final String defClass = StringUtils.defaultIfBlank(casProperties.getAuthn().getSamlIdp().getResponse().getDefaultAuthenticationContextClass(), AuthnContext.PPT_AUTHN_CTX);
final RequestedAuthnContext requestedAuthnContext = (authnRequest instanceof AuthnRequest) ? AuthnRequest.class.cast(authnRequest).getRequestedAuthnContext() : null;
if (requestedAuthnContext == null) {
LOGGER.debug("No specific authN context is requested. Returning [{}]", defClass);
return defClass;
}
final List<AuthnContextClassRef> authnContextClassRefs = requestedAuthnContext.getAuthnContextClassRefs();
if (authnContextClassRefs == null || authnContextClassRefs.isEmpty()) {
LOGGER.debug("Requested authN context class ref is unspecified. Returning [{}]", defClass);
return defClass;
}
final String finalCtx = StringUtils.defaultIfBlank(getAuthenticationContextByAssertion(assertion, requestedAuthnContext, authnContextClassRefs), defClass);
LOGGER.debug("Returning authN context [{}]", finalCtx);
return finalCtx;
}
Also used :
RequestedAuthnContext(org.opensaml.saml.saml2.core.RequestedAuthnContext)
AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest)
AuthnContextClassRef(org.opensaml.saml.saml2.core.AuthnContextClassRef)
Aggregations
Assertion (org.opensaml.saml.saml2.core.Assertion)33
Response (org.opensaml.saml.saml2.core.Response)31
Element (org.w3c.dom.Element)31
SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)26
Document (org.w3c.dom.Document)22
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)20
Status (org.opensaml.saml.saml2.core.Status)20
SAMLCallback (org.apache.wss4j.common.saml.SAMLCallback)18
DateTime (org.joda.time.DateTime)16
Test (org.junit.Test)16
Assertion (org.opensaml.saml.saml1.core.Assertion)13
InputStream (java.io.InputStream)11
Crypto (org.apache.wss4j.common.crypto.Crypto)11
AttributeStatement (org.opensaml.saml.saml2.core.AttributeStatement)11
ZonedDateTime (java.time.ZonedDateTime)10
XMLObject (org.opensaml.core.xml.XMLObject)10
KeyStore (java.security.KeyStore)9
Merlin (org.apache.wss4j.common.crypto.Merlin)9
Assertion (org.jasig.cas.client.validation.Assertion)9
AuthnRequest (org.opensaml.saml.saml2.core.AuthnRequest)9
