
Example 6 with Attribute

use of org.opensaml.saml.saml2.core.Attribute in project ddf by codice.

Class AttributeQueryClaimsHandler, method getAttributes.

/**
 * Looks up the claims for {@code nameId} in the external attribute store.
 *
 * <p>A client is obtained from {@link #createAttributeQueryClient}; when that factory
 * yields {@code null} this method returns {@code null}. A non-null assertion returned by
 * the query is turned into claims through {@link #createClaims}. If the query fails with an
 * {@link AttributeQueryException} the failure is logged (stack trace at DEBUG) and the
 * collection gathered so far, normally empty, is returned; callers therefore cannot tell a
 * failed lookup apart from a user that simply has no attributes.
 *
 * @param nameId the subject name identifier placed in the attribute query
 * @return the claims retrieved from the external store, or {@code null} if no client could be created
 * @throws URISyntaxException propagated from client creation or the query; nothing in this
 *         method throws it directly
 */
protected ProcessedClaimCollection getAttributes(String nameId) throws URISyntaxException {
    final ProcessedClaimCollection claims = new ProcessedClaimCollection();
    LOGGER.debug("Sending AttributeQuery Request.");
    try {
        final AttributeQueryClient client =
                createAttributeQueryClient(simpleSign, externalAttributeStoreUrl, issuer, destination);
        if (client == null) {
            return null;
        }
        final Assertion response = client.query(nameId);
        if (response != null) {
            createClaims(claims, response);
        }
    } catch (AttributeQueryException ex) {
        // Best effort: a failed query yields whatever was collected (usually nothing)
        LOGGER.info("Error occurred in AttributeQueryClient, did not retrieve response. Set log level for \"org.codice.ddf.security.claims.attributequery.common\" to DEBUG for more information.");
        LOGGER.debug("Error occurred in AttributeQueryClient, did not retrieve response.", ex);
    }
    return claims;
}

Example 7 with Attribute

use of org.opensaml.saml.saml2.core.Attribute in project ddf by codice.

Class SecurityAssertionImpl, method toString.

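/**
 * Renders the principal, attribute statements and authentication statements of this
 * assertion as one line for logging and debugging.
 *
 * <p>Attribute values are printed only when they are {@link XSString}s; any other value
 * type is shown as {@code <SimpleClassName>} instead of failing with a
 * {@code ClassCastException}. An authentication statement whose context or class
 * reference is absent prints an empty class reference rather than throwing a
 * {@code NullPointerException}.
 *
 * <p>Every string attribute value in the assertion is included verbatim, so whatever
 * logs this string logs the subject's attributes.
 *
 * @return a human-readable summary of this assertion
 */
@Override
public String toString() {
    StringBuilder result = new StringBuilder();
    result.append("Principal: ");
    result.append(getPrincipal());
    result.append(", Attributes: ");
    for (AttributeStatement attributeStatement : getAttributeStatements()) {
        for (Attribute attr : attributeStatement.getAttributes()) {
            result.append("[ ");
            result.append(attr.getName());
            result.append(" : ");
            // Values are concatenated without a separator, as before
            for (Object value : attr.getAttributeValues()) {
                if (value instanceof XSString) {
                    result.append(((XSString) value).getValue());
                } else if (value != null) {
                    // Non-string values are not rendered; show their type so they are not lost silently
                    result.append('<').append(value.getClass().getSimpleName()).append('>');
                }
            }
            result.append("] ");
        }
    }
    result.append(", AuthnStatements: ");
    for (AuthnStatement authStatement : getAuthnStatements()) {
        result.append("[ ");
        result.append(authStatement.getAuthnInstant());
        result.append(" : ");
        // Both the context and its class reference are optional in the statement
        if (authStatement.getAuthnContext() != null
                && authStatement.getAuthnContext().getAuthnContextClassRef() != null) {
            result.append(authStatement.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef());
        }
        result.append("] ");
    }
    return result.toString();
}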

Example 8 with Attribute

use of org.opensaml.saml.saml2.core.Attribute in project cas by apereo.

Class WsFederationHelper, method createCredentialFromToken.

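/**
 * Converts a SAML 1.1 assertion into an equivalent {@link WsFederationCredential}.
 *
 * <p>The assertion's id, issuer, issue instant, validity window ({@code NotBefore} /
 * {@code NotOnOrAfter}), first audience, first authentication method and every attribute's
 * text values are copied onto the credential. Optional elements that are absent are left
 * unset instead of raising a {@code NullPointerException} or
 * {@code IndexOutOfBoundsException}. Nothing is checked here: the validity window,
 * audience and issuer are copied exactly as received, so enforcement must happen elsewhere.
 * TODO(review): confirm the caller validates those fields before the credential is trusted.
 *
 * @param assertion the provided assertion
 * @return an equivalent credential.
 */
public WsFederationCredential createCredentialFromToken(final Assertion assertion) {
    final ZonedDateTime retrievedOn = ZonedDateTime.now();
    LOGGER.debug("Retrieved on [{}]", retrievedOn);
    final WsFederationCredential credential = new WsFederationCredential();
    credential.setRetrievedOn(retrievedOn);
    credential.setId(assertion.getID());
    credential.setIssuer(assertion.getIssuer());
    if (assertion.getIssueInstant() != null) {
        // Joda DateTime -> java.time via its ISO-8601 text form
        credential.setIssuedOn(ZonedDateTime.parse(assertion.getIssueInstant().toDateTimeISO().toString()));
    }
    final Conditions conditions = assertion.getConditions();
    if (conditions != null) {
        if (conditions.getNotBefore() != null) {
            credential.setNotBefore(ZonedDateTime.parse(conditions.getNotBefore().toDateTimeISO().toString()));
        }
        if (conditions.getNotOnOrAfter() != null) {
            credential.setNotOnOrAfter(ZonedDateTime.parse(conditions.getNotOnOrAfter().toDateTimeISO().toString()));
        }
        // Only the first audience of the first restriction is kept, as before
        if (!conditions.getAudienceRestrictionConditions().isEmpty()
                && !conditions.getAudienceRestrictionConditions().get(0).getAudiences().isEmpty()) {
            credential.setAudience(conditions.getAudienceRestrictionConditions().get(0).getAudiences().get(0).getUri());
        }
    }
    if (!assertion.getAuthenticationStatements().isEmpty()) {
        credential.setAuthenticationMethod(assertion.getAuthenticationStatements().get(0).getAuthenticationMethod());
    }
    // Collect each attribute's text values, keyed by attribute name; attributes with no values are dropped
    final HashMap<String, List<Object>> attributes = new HashMap<>();
    assertion.getAttributeStatements().stream()
            .flatMap(attributeStatement -> attributeStatement.getAttributes().stream())
            .forEach(item -> {
                LOGGER.debug("Processed attribute: [{}]", item.getAttributeName());
                // Values are assumed to be XSAny, as in the original; a different type would fail the cast
                final List<Object> itemList = item.getAttributeValues().stream()
                        .map(value -> ((XSAny) value).getTextContent())
                        .collect(Collectors.toList());
                if (!itemList.isEmpty()) {
                    attributes.put(item.getAttributeName(), itemList);
                }
            });
    credential.setAttributes(attributes);
    LOGGER.debug("Credential: [{}]", credential);
    return credential;
}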

Example 9 with Attribute

use of org.opensaml.saml.saml2.core.Attribute in project cas by apereo.

Class AbstractSaml20ObjectBuilder, method newAttribute.

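/**
 * Builds a SAML 2 {@link Attribute} from one principal attribute entry.
 *
 * <p>The entry key becomes the attribute name (and, when {@code setFriendlyName} is set,
 * the friendly name); the entry value is converted into attribute values by
 * {@link #addAttributeValuesToSaml2Attribute}. If {@code configuredNameFormats} maps the
 * attribute name to a non-null format, that format is applied: the aliases {@code basic},
 * {@code uri} and {@code unspecified} (matched case-insensitively, ignoring surrounding
 * whitespace) expand to the corresponding SAML 2 URIs, anything else is set verbatim.
 * Otherwise no name format is assigned.
 *
 * @param setFriendlyName       whether to copy the entry key into the attribute's friendly name
 * @param e                     the entry to process and turn into a saml attribute
 * @param configuredNameFormats the configured name formats. If an attribute is found in this collection, the linked name format
 *                              will be used.
 * @return the attribute
 */
protected Attribute newAttribute(final boolean setFriendlyName, final Map.Entry<String, Object> e, final Map<String, String> configuredNameFormats) {
    final Attribute attribute = newSamlObject(Attribute.class);
    attribute.setName(e.getKey());
    if (setFriendlyName) {
        attribute.setFriendlyName(e.getKey());
    }
    addAttributeValuesToSaml2Attribute(e.getKey(), e.getValue(), attribute.getAttributeValues());
    // One lookup replaces the isEmpty/containsKey/get triple; a null mapping counts as "not configured"
    final String nameFormat = configuredNameFormats.get(attribute.getName());
    if (nameFormat != null) {
        LOGGER.debug("Found name format [{}] for attribute [{}]", nameFormat, attribute.getName());
        // Locale.ROOT keeps the alias match independent of the JVM default locale
        // (under a Turkish locale "URI".toLowerCase() would not yield "uri")
        switch (nameFormat.trim().toLowerCase(java.util.Locale.ROOT)) {
            case "basic":
                attribute.setNameFormat(Attribute.BASIC);
                break;
            case "uri":
                attribute.setNameFormat(Attribute.URI_REFERENCE);
                break;
            case "unspecified":
                attribute.setNameFormat(Attribute.UNSPECIFIED);
                break;
            default:
                // Any other configured value is taken as a literal NameFormat URI
                attribute.setNameFormat(nameFormat);
                break;
        }
        LOGGER.debug("Attribute [{}] is assigned the name format of [{}]", attribute.getName(), attribute.getNameFormat());
    } else {
        LOGGER.debug("Skipped name format, as no name formats are defined or none is found for attribute [{}]", attribute.getName());
    }
    LOGGER.debug("Attribute [{}] has [{}] value(s)", attribute.getName(), attribute.getAttributeValues().size());
    return attribute;
}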

Example 10 with Attribute

use of org.opensaml.saml.saml2.core.Attribute in project cas by apereo.

Class SamlProfileSamlNameIdBuilder, method buildNameId.

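/**
 * Build name id.
 * If there are no explicitly defined NameIDFormats, include the default format.
 * see: http://saml2int.org/profile/current/#section92
 *
 * <p>Candidate formats are tried in this order: the service's configured required format
 * (if any), then the formats declared in the SP metadata, with {@code TRANSIENT} added
 * when metadata declares none. The format named in the AuthnRequest's NameIDPolicy is
 * SP-supplied input and is used only as a check: an {@code ENCRYPTED} format is ignored
 * with a warning, and a format the candidates do not contain aborts with
 * {@link SamlException}. Even when the request names a supported format, the first
 * candidate that encodes successfully is returned, which need not be the requested one;
 * TODO(review): confirm this precedence is intended.
 *
 * <p>The list returned by the adaptor is copied before being modified, so the facade's
 * own collection is never mutated by this method.
 *
 * @param authnRequest the authn request
 * @param assertion    the assertion
 * @param service      the service
 * @param adaptor      the adaptor
 * @return the name id, or {@code null} if no candidate format could be encoded
 * @throws SamlException if the AuthnRequest requires a NameID format that is not supported
 */
private NameID buildNameId(final AuthnRequest authnRequest, final Assertion assertion, final SamlRegisteredService service, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor) throws SamlException {
    // Defensive copy: the candidate list is extended and reordered below
    final List<String> supportedNameFormats = new java.util.ArrayList<>(adaptor.getSupportedNameIdFormats());
    LOGGER.debug("Metadata for [{}] declares support for the following NameIDs [{}]", adaptor.getEntityId(), supportedNameFormats);
    if (supportedNameFormats.isEmpty()) {
        supportedNameFormats.add(NameIDType.TRANSIENT);
        LOGGER.debug("No supported nameId formats could be determined from metadata. Added default [{}]", NameIDType.TRANSIENT);
    }
    if (StringUtils.isNotBlank(service.getRequiredNameIdFormat())) {
        // Service configuration takes precedence, so it goes to the front of the list
        final String fmt = parseAndBuildRequiredNameIdFormat(service);
        supportedNameFormats.add(0, fmt);
        LOGGER.debug("Added required nameId format [{}] based on saml service configuration for [{}]", fmt, service.getServiceId());
    }
    String requiredNameFormat = null;
    if (authnRequest.getNameIDPolicy() != null) {
        requiredNameFormat = authnRequest.getNameIDPolicy().getFormat();
        LOGGER.debug("AuthN request indicates [{}] is the required NameID format", requiredNameFormat);
        if (NameID.ENCRYPTED.equals(requiredNameFormat)) {
            LOGGER.warn("Encrypted NameID formats are not supported");
            requiredNameFormat = null;
        }
    }
    // The SP-requested format must be one of the candidates; anything else is rejected outright
    if (StringUtils.isNotBlank(requiredNameFormat) && !supportedNameFormats.contains(requiredNameFormat)) {
        LOGGER.warn("Required NameID format [{}] in the AuthN request issued by [{}] is not supported based on the metadata for [{}]", requiredNameFormat, SamlIdPUtils.getIssuerFromSamlRequest(authnRequest), adaptor.getEntityId());
        throw new SamlException("Required NameID format cannot be provided because it is not supported");
    }
    for (final String nameFormat : supportedNameFormats) {
        try {
            LOGGER.debug("Evaluating NameID format [{}]", nameFormat);
            final SAML2StringNameIDEncoder encoder = new SAML2StringNameIDEncoder();
            encoder.setNameFormat(nameFormat);
            if (authnRequest.getNameIDPolicy() != null) {
                final String qualifier = authnRequest.getNameIDPolicy().getSPNameQualifier();
                LOGGER.debug("NameID qualifier is set to [{}]", qualifier);
                encoder.setNameQualifier(qualifier);
            }
            // The NameID value is the authenticated principal's name
            final IdPAttribute attribute = new IdPAttribute(AttributePrincipal.class.getName());
            final IdPAttributeValue<String> value = new StringAttributeValue(assertion.getPrincipal().getName());
            LOGGER.debug("NameID attribute value is set to [{}]", assertion.getPrincipal().getName());
            attribute.setValues(Collections.singletonList(value));
            LOGGER.debug("Encoding NameID based on [{}]", nameFormat);
            final NameID nameid = encoder.encode(attribute);
            LOGGER.debug("Final NameID encoded is [{}] with value [{}]", nameid.getFormat(), nameid.getValue());
            return nameid;
        } catch (final Exception e) {
            // Best effort: a failure for one format is logged and the next candidate is tried
            LOGGER.error(e.getMessage(), e);
        }
    }
    return null;
}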
