Example 81 with Attribute
use of org.opensaml.saml.saml2.core.Attribute in project ddf by codice.
the class AuthnResponseValidator method validate.
public void validate(XMLObject xmlObject) throws ValidationException {
if (!(xmlObject instanceof Response)) {
throw new ValidationException("Invalid AuthN response XML.");
}
Response authnResponse = (Response) xmlObject;
String status = authnResponse.getStatus().getStatusCode().getValue();
if (!StatusCode.SUCCESS.equals(status)) {
throw new ValidationException("AuthN request was unsuccessful. Received status: " + status);
}
if (authnResponse.getAssertions().size() < 1) {
throw new ValidationException("Assertion missing in AuthN response.");
}
if (authnResponse.getAssertions().size() > 1) {
LOGGER.info("Received multiple assertions in AuthN response. Only using the first assertion.");
}
if (wasRedirectSigned) {
if (authnResponse.getDestination() == null) {
throw new ValidationException("Invalid Destination attribute, must be not null for signed responses.");
} else if (!authnResponse.getDestination().equals(getSpAssertionConsumerServiceUrl(getSpIssuerId()))) {
throw new ValidationException("Invalid Destination attribute, does not match requested destination.");
}
}
if (authnResponse.getSignature() != null) {
try {
simpleSign.validateSignature(authnResponse.getSignature(), authnResponse.getDOM().getOwnerDocument());
} catch (SignatureException e) {
throw new ValidationException("Invalid or untrusted signature.");
}
}
}
Also used :
Response(org.opensaml.saml.saml2.core.Response)
ValidationException(ddf.security.samlp.impl.ValidationException)
SignatureException(ddf.security.samlp.SignatureException)
Example 82 with Attribute
use of org.opensaml.saml.saml2.core.Attribute in project carbon-apimgt by wso2.
the class SystemScopeUtils method getRolesFromAssertion.
/**
* Get the role list from the SAML2 Assertion
*
* @param assertion SAML2 assertion
* @return Role list from the assertion
*/
public static String[] getRolesFromAssertion(Assertion assertion) {
List<String> roles = new ArrayList<String>();
String roleClaim = getRoleClaim();
List<AttributeStatement> attributeStatementList = assertion.getAttributeStatements();
if (attributeStatementList != null) {
for (AttributeStatement statement : attributeStatementList) {
List<Attribute> attributesList = statement.getAttributes();
for (Attribute attribute : attributesList) {
String attributeName = attribute.getName();
if (attributeName != null && roleClaim.equals(attributeName)) {
List<XMLObject> attributeValues = attribute.getAttributeValues();
if (attributeValues != null && attributeValues.size() == 1) {
String attributeValueString = getAttributeValue(attributeValues.get(0));
String multiAttributeSeparator = getAttributeSeparator();
String[] attributeValuesArray = attributeValueString.split(multiAttributeSeparator);
if (log.isDebugEnabled()) {
log.debug("Adding attributes for Assertion: " + assertion + " AttributeName : " + attributeName + ", AttributeValue : " + Arrays.toString(attributeValuesArray));
}
roles.addAll(Arrays.asList(attributeValuesArray));
} else if (attributeValues != null && attributeValues.size() > 1) {
for (XMLObject attributeValue : attributeValues) {
String attributeValueString = getAttributeValue(attributeValue);
if (log.isDebugEnabled()) {
log.debug("Adding attributes for Assertion: " + assertion + " AttributeName : " + attributeName + ", AttributeValue : " + attributeValue);
}
roles.add(attributeValueString);
}
}
}
}
}
}
if (log.isDebugEnabled()) {
log.debug("Role list found for assertion: " + assertion + ", roles: " + roles);
}
return roles.toArray(new String[roles.size()]);
}
Also used :
Attribute(org.opensaml.saml.saml2.core.Attribute)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
XMLObject(org.opensaml.core.xml.XMLObject)
XSString(org.opensaml.core.xml.schema.XSString)
Example 83 with Attribute
use of org.opensaml.saml.saml2.core.Attribute in project ddf by codice.
the class SamlAssertionValidatorImplTest method createAssertion.
private Assertion createAssertion(boolean sign, boolean validSignature, String issuerString, DateTime notOnOrAfter) throws Exception {
Assertion assertion = new AssertionBuilder().buildObject();
assertion.setID(UUID.randomUUID().toString());
assertion.setIssueInstant(new DateTime());
Issuer issuer = new IssuerBuilder().buildObject();
issuer.setValue(issuerString);
assertion.setIssuer(issuer);
NameID nameID = new NameIDBuilder().buildObject();
nameID.setFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
nameID.setNameQualifier("http://cxf.apache.org/sts");
nameID.setValue("admin");
SubjectConfirmation subjectConfirmation = new SubjectConfirmationBuilder().buildObject();
subjectConfirmation.setMethod("urn:oasis:names:tc:SAML:2.0:cm:bearer");
Subject subject = new SubjectBuilder().buildObject();
subject.setNameID(nameID);
subject.getSubjectConfirmations().add(subjectConfirmation);
assertion.setSubject(subject);
Conditions conditions = new ConditionsBuilder().buildObject();
conditions.setNotBefore(new DateTime().minusDays(3));
conditions.setNotOnOrAfter(notOnOrAfter);
assertion.setConditions(conditions);
AuthnStatement authnStatement = new AuthnStatementBuilder().buildObject();
authnStatement.setAuthnInstant(new DateTime());
AuthnContext authnContext = new AuthnContextBuilder().buildObject();
AuthnContextClassRef authnContextClassRef = new AuthnContextClassRefBuilder().buildObject();
authnContextClassRef.setAuthnContextClassRef("urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified");
authnContext.setAuthnContextClassRef(authnContextClassRef);
authnStatement.setAuthnContext(authnContext);
assertion.getAuthnStatements().add(authnStatement);
AttributeStatement attributeStatement = new AttributeStatementBuilder().buildObject();
Attribute attribute = new AttributeBuilder().buildObject();
AttributeValueType attributeValue = new AttributeValueTypeImplBuilder().buildObject();
attributeValue.setValue("admin");
attribute.setName("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");
attribute.setNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");
attribute.getAttributeValues().add(attributeValue);
attributeStatement.getAttributes().add(attribute);
assertion.getAttributeStatements().add(attributeStatement);
if (sign) {
Signature signature = OpenSAMLUtil.buildSignature();
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
signature.setSignatureAlgorithm(WSS4JConstants.RSA);
BasicX509Credential signingCredential;
if (validSignature) {
signingCredential = new BasicX509Credential(certificate);
signingCredential.setPrivateKey(privateKey);
signature.setSigningCredential(signingCredential);
} else {
try (InputStream inputStream = getClass().getResourceAsStream("/localhost.crt")) {
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) certificateFactory.generateCertificate(inputStream);
signingCredential = new BasicX509Credential(cert);
signature.setSigningCredential(signingCredential);
}
}
X509KeyInfoGeneratorFactory x509KeyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
x509KeyInfoGeneratorFactory.setEmitEntityCertificate(true);
KeyInfo keyInfo = x509KeyInfoGeneratorFactory.newInstance().generate(signingCredential);
signature.setKeyInfo(keyInfo);
assertion.setSignature(signature);
}
return assertion;
}
Also used :
Issuer(org.opensaml.saml.saml2.core.Issuer)
Attribute(org.opensaml.saml.saml2.core.Attribute)
AuthnStatementBuilder(org.opensaml.saml.saml2.core.impl.AuthnStatementBuilder)
AuthnContextClassRefBuilder(org.opensaml.saml.saml2.core.impl.AuthnContextClassRefBuilder)
CertificateFactory(java.security.cert.CertificateFactory)
DateTime(org.joda.time.DateTime)
Conditions(org.opensaml.saml.saml2.core.Conditions)
AuthnContext(org.opensaml.saml.saml2.core.AuthnContext)
NameIDBuilder(org.opensaml.saml.saml2.core.impl.NameIDBuilder)
SubjectConfirmation(org.opensaml.saml.saml2.core.SubjectConfirmation)
KeyInfo(org.opensaml.xmlsec.signature.KeyInfo)
SubjectBuilder(org.opensaml.saml.saml2.core.impl.SubjectBuilder)
SubjectConfirmationBuilder(org.opensaml.saml.saml2.core.impl.SubjectConfirmationBuilder)
X509KeyInfoGeneratorFactory(org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory)
AttributeStatementBuilder(org.opensaml.saml.saml2.core.impl.AttributeStatementBuilder)
AttributeBuilder(org.opensaml.saml.saml2.core.impl.AttributeBuilder)
NameID(org.opensaml.saml.saml2.core.NameID)
AttributeValueType(org.opensaml.xacml.ctx.AttributeValueType)
InputStream(java.io.InputStream)
AuthnContextBuilder(org.opensaml.saml.saml2.core.impl.AuthnContextBuilder)
Assertion(org.opensaml.saml.saml2.core.Assertion)
AuthnContextClassRef(org.opensaml.saml.saml2.core.AuthnContextClassRef)
AssertionBuilder(org.opensaml.saml.saml2.core.impl.AssertionBuilder)
Subject(org.opensaml.saml.saml2.core.Subject)
X509Certificate(java.security.cert.X509Certificate)
ConditionsBuilder(org.opensaml.saml.saml2.core.impl.ConditionsBuilder)
BasicX509Credential(org.opensaml.security.x509.BasicX509Credential)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
Signature(org.opensaml.xmlsec.signature.Signature)
AuthnStatement(org.opensaml.saml.saml2.core.AuthnStatement)
IssuerBuilder(org.opensaml.saml.saml2.core.impl.IssuerBuilder)
AttributeValueTypeImplBuilder(org.opensaml.xacml.ctx.impl.AttributeValueTypeImplBuilder)
Example 84 with Attribute
use of org.opensaml.saml.saml2.core.Attribute in project cxf by apache.
the class SAMLClaimsTest method testSaml2StaticClaims.
/**
* Test the creation of a SAML2 Assertion with StaticClaimsHandler
*/
@org.junit.Test
public void testSaml2StaticClaims() throws Exception {
TokenProvider samlTokenProvider = new SAMLTokenProvider();
TokenProviderParameters providerParameters = createProviderParameters(WSS4JConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, null);
ClaimsManager claimsManager = new ClaimsManager();
StaticClaimsHandler claimsHandler = new StaticClaimsHandler();
Map<String, String> staticClaimsMap = new HashMap<>();
staticClaimsMap.put(CLAIM_STATIC_COMPANY, CLAIM_STATIC_COMPANY_VALUE);
claimsHandler.setGlobalClaims(staticClaimsMap);
claimsManager.setClaimHandlers(Collections.singletonList((ClaimsHandler) claimsHandler));
providerParameters.setClaimsManager(claimsManager);
ClaimCollection claims = new ClaimCollection();
Claim claim = new Claim();
claim.setClaimType(CLAIM_STATIC_COMPANY);
claims.add(claim);
providerParameters.setRequestedPrimaryClaims(claims);
assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.WSS_SAML2_TOKEN_TYPE));
TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
assertNotNull(providerResponse);
assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
Element token = (Element) providerResponse.getToken();
String tokenString = DOM2Writer.nodeToString(token);
assertTrue(tokenString.contains(providerResponse.getTokenId()));
assertTrue(tokenString.contains("AttributeStatement"));
assertTrue(tokenString.contains("alice"));
assertTrue(tokenString.contains(SAML2Constants.CONF_BEARER));
SamlAssertionWrapper assertion = new SamlAssertionWrapper(token);
List<Attribute> attributes = assertion.getSaml2().getAttributeStatements().get(0).getAttributes();
assertEquals(attributes.size(), 1);
assertEquals(attributes.get(0).getName(), CLAIM_STATIC_COMPANY);
XMLObject valueObj = attributes.get(0).getAttributeValues().get(0);
assertEquals(valueObj.getDOM().getTextContent(), CLAIM_STATIC_COMPANY_VALUE);
}
Also used :
StaticEndpointClaimsHandler(org.apache.cxf.sts.claims.StaticEndpointClaimsHandler)
ClaimsHandler(org.apache.cxf.sts.claims.ClaimsHandler)
StaticClaimsHandler(org.apache.cxf.sts.claims.StaticClaimsHandler)
CustomClaimsHandler(org.apache.cxf.sts.common.CustomClaimsHandler)
HashMap(java.util.HashMap)
Attribute(org.opensaml.saml.saml2.core.Attribute)
StaticClaimsHandler(org.apache.cxf.sts.claims.StaticClaimsHandler)
Element(org.w3c.dom.Element)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
XMLObject(org.opensaml.core.xml.XMLObject)
ClaimsManager(org.apache.cxf.sts.claims.ClaimsManager)
ClaimCollection(org.apache.cxf.rt.security.claims.ClaimCollection)
Claim(org.apache.cxf.rt.security.claims.Claim)
Example 85 with Attribute
use of org.opensaml.saml.saml2.core.Attribute in project cxf by apache.
the class SAMLClaimsTest method testSaml2StaticEndpointClaims.
/**
* Test the creation of a SAML2 Assertion with StaticEndpointClaimsHandler
*/
@org.junit.Test
public void testSaml2StaticEndpointClaims() throws Exception {
TokenProvider samlTokenProvider = new SAMLTokenProvider();
TokenProviderParameters providerParameters = createProviderParameters(WSS4JConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, null);
ClaimsManager claimsManager = new ClaimsManager();
StaticEndpointClaimsHandler claimsHandler = new StaticEndpointClaimsHandler();
// Create claims map for specific application
Map<String, String> endpointClaimsMap = new HashMap<>();
endpointClaimsMap.put(CLAIM_APPLICATION, CLAIM_APPLICATION_VALUE);
Map<String, Map<String, String>> staticClaims = new HashMap<>();
staticClaims.put(APPLICATION_APPLIES_TO, endpointClaimsMap);
claimsHandler.setEndpointClaims(staticClaims);
claimsHandler.setSupportedClaims(Collections.singletonList(CLAIM_APPLICATION));
claimsManager.setClaimHandlers(Collections.singletonList((ClaimsHandler) claimsHandler));
providerParameters.setClaimsManager(claimsManager);
ClaimCollection claims = new ClaimCollection();
Claim claim = new Claim();
claim.setClaimType(CLAIM_APPLICATION);
claims.add(claim);
providerParameters.setRequestedPrimaryClaims(claims);
assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.WSS_SAML2_TOKEN_TYPE));
TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
assertNotNull(providerResponse);
assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
Element token = (Element) providerResponse.getToken();
String tokenString = DOM2Writer.nodeToString(token);
assertTrue(tokenString.contains(providerResponse.getTokenId()));
assertTrue(tokenString.contains("AttributeStatement"));
assertTrue(tokenString.contains("alice"));
assertTrue(tokenString.contains(SAML2Constants.CONF_BEARER));
SamlAssertionWrapper assertion = new SamlAssertionWrapper(token);
List<Attribute> attributes = assertion.getSaml2().getAttributeStatements().get(0).getAttributes();
assertEquals(attributes.size(), 1);
assertEquals(attributes.get(0).getName(), CLAIM_APPLICATION);
XMLObject valueObj = attributes.get(0).getAttributeValues().get(0);
assertEquals(valueObj.getDOM().getTextContent(), CLAIM_APPLICATION_VALUE);
}
Also used :
StaticEndpointClaimsHandler(org.apache.cxf.sts.claims.StaticEndpointClaimsHandler)
ClaimsHandler(org.apache.cxf.sts.claims.ClaimsHandler)
StaticClaimsHandler(org.apache.cxf.sts.claims.StaticClaimsHandler)
CustomClaimsHandler(org.apache.cxf.sts.common.CustomClaimsHandler)
HashMap(java.util.HashMap)
Attribute(org.opensaml.saml.saml2.core.Attribute)
Element(org.w3c.dom.Element)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
XMLObject(org.opensaml.core.xml.XMLObject)
ClaimsManager(org.apache.cxf.sts.claims.ClaimsManager)
StaticEndpointClaimsHandler(org.apache.cxf.sts.claims.StaticEndpointClaimsHandler)
HashMap(java.util.HashMap)
Map(java.util.Map)
ClaimCollection(org.apache.cxf.rt.security.claims.ClaimCollection)
Claim(org.apache.cxf.rt.security.claims.Claim)
Aggregations
Attribute (org.opensaml.saml.saml2.core.Attribute)63
AttributeStatement (org.opensaml.saml.saml2.core.AttributeStatement)44
Test (org.junit.jupiter.api.Test)27
Assertion (org.opensaml.saml.saml2.core.Assertion)23
List (java.util.List)18
XMLObject (org.opensaml.core.xml.XMLObject)18
lombok.val (lombok.val)15
AttributeBuilder (org.opensaml.saml.saml2.core.impl.AttributeBuilder)13
Map (java.util.Map)12
EncryptedAttribute (org.opensaml.saml.saml2.core.EncryptedAttribute)12
ArrayList (java.util.ArrayList)11
HashMap (java.util.HashMap)11
XSString (org.opensaml.core.xml.schema.XSString)11
NameID (org.opensaml.saml.saml2.core.NameID)10
Slf4j (lombok.extern.slf4j.Slf4j)9
SimpleStringAttributeBuilder.aSimpleStringAttribute (uk.gov.ida.saml.core.test.builders.SimpleStringAttributeBuilder.aSimpleStringAttribute)9
Element (org.w3c.dom.Element)8
SamlTransformationErrorFactory.emptyAttribute (uk.gov.ida.saml.core.errors.SamlTransformationErrorFactory.emptyAttribute)8
Issuer (org.opensaml.saml.saml2.core.Issuer)7
AttributeStatementLogData (uk.gov.ida.hub.samlengine.logging.data.AttributeStatementLogData)7
