
Example 11 with AttributeStatement

use of org.opensaml.saml.saml2.core.AttributeStatement in project spring-security by spring-projects.

the class OpenSamlAuthenticationProvider method getAssertionAttributes.

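/**
 * Collects the attributes of every {@link AttributeStatement} in the assertion.
 * <p>
 * Each attribute value is resolved through {@code getXmlObjectValue}; values that
 * resolve to {@code null} are dropped. An attribute name that occurs more than once
 * (in the same statement or across statements) keeps all of its values, in document
 * order, instead of the last occurrence silently replacing the earlier ones.
 *
 * @param assertion the assertion whose attribute statements are read
 * @return attribute name to its values, in first-seen order; never {@code null}
 */
private static Map<String, List<Object>> getAssertionAttributes(Assertion assertion) {
    Map<String, List<Object>> attributeMap = new LinkedHashMap<>();
    for (AttributeStatement attributeStatement : assertion.getAttributeStatements()) {
        for (Attribute attribute : attributeStatement.getAttributes()) {
            // merge rather than put: a repeated attribute name must not discard earlier values
            List<Object> attributeValues = attributeMap.computeIfAbsent(attribute.getName(), (name) -> new ArrayList<>());
            for (XMLObject xmlObject : attribute.getAttributeValues()) {
                Object attributeValue = getXmlObjectValue(xmlObject);
                if (attributeValue != null) {
                    attributeValues.add(attributeValue);
                }
            }
        }
    }
    return attributeMap;
}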

Example 12 with AttributeStatement

use of org.opensaml.saml.saml2.core.AttributeStatement in project spring-security by spring-projects.

the class OpenSaml4AuthenticationProviderTests method authenticateWhenAssertionContainsAttributesThenItSucceeds.

/**
 * A signed assertion carrying attribute statements authenticates, and the resulting
 * principal exposes every attribute value, including the {@code registeredDate}
 * value that {@link #attributeStatements()} appends.
 */
@Test
public void authenticateWhenAssertionContainsAttributesThenItSucceeds() {
    Response response = response();
    Assertion assertion = assertion();
    assertion.getAttributeStatements().addAll(attributeStatements());
    TestOpenSamlObjects.signed(assertion, TestSaml2X509Credentials.assertingPartySigningCredential(), RELYING_PARTY_ENTITY_ID);
    response.getAssertions().add(assertion);
    Saml2AuthenticationToken token = token(response, verifying(registration()));
    Authentication result = this.provider.authenticate(token);
    Saml2AuthenticatedPrincipal principal = (Saml2AuthenticatedPrincipal) result.getPrincipal();
    // every attribute is multi-valued on the principal, even when the assertion carried one value
    Map<String, Object> expectedAttributes = new LinkedHashMap<>();
    expectedAttributes.put("email", Arrays.asList("john.doe@example.com", "doe.john@example.com"));
    expectedAttributes.put("name", Collections.singletonList("John Doe"));
    expectedAttributes.put("age", Collections.singletonList(21));
    expectedAttributes.put("website", Collections.singletonList("https://johndoe.com/"));
    expectedAttributes.put("registered", Collections.singletonList(true));
    expectedAttributes.put("registeredDate", Collections.singletonList(Instant.parse("1970-01-01T00:00:00Z")));
    assertThat((String) principal.getFirstAttribute("name")).isEqualTo("John Doe");
    assertThat(principal.getAttributes()).isEqualTo(expectedAttributes);
    assertThat(principal.getSessionIndexes()).contains("session-index");
}

Example 13 with AttributeStatement

use of org.opensaml.saml.saml2.core.AttributeStatement in project spring-security by spring-projects.

the class OpenSaml4AuthenticationProviderTests method attributeStatements.

/**
 * The shared test attribute statements, with an extra {@code registeredDate}
 * attribute whose single value is an {@code XSDateTime} at the epoch appended
 * to the first statement.
 *
 * @return the statements from {@code TestOpenSamlObjects} plus the extra attribute
 */
private List<AttributeStatement> attributeStatements() {
    XSDateTime epoch = new XSDateTimeBuilder().buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSDateTime.TYPE_NAME);
    epoch.setValue(Instant.parse("1970-01-01T00:00:00Z"));
    Attribute registeredDate = new AttributeBuilder().buildObject();
    registeredDate.setName("registeredDate");
    registeredDate.getAttributeValues().add(epoch);
    List<AttributeStatement> statements = TestOpenSamlObjects.attributeStatements();
    statements.iterator().next().getAttributes().add(registeredDate);
    return statements;
}

Example 14 with AttributeStatement

use of org.opensaml.saml.saml2.core.AttributeStatement in project cas by apereo.

the class SamlProfileSamlAttributeStatementBuilder method newAttributeStatement.

/**
 * Builds the {@code AttributeStatement} of a SAML response from the resolved
 * principal attributes.
 * <p>
 * Friendly names and URNs are merged from several sources, later ones overriding
 * earlier ones: the global {@code attributeFriendlyNames}, SAML attribute definitions
 * from the definition store, the registered service's friendly names, and finally the
 * built-in {@code SamlIdPAttributeDefinitionCatalog} for keys not yet covered.
 * Attributes whose value is an empty collection are skipped. Attributes whose
 * configured value type is {@code NameIDType} or {@code NameID.PERSISTENT} are
 * emitted as a {@code NameID} element rather than as a plain value.
 *
 * @param context    the context
 * @param attributes the attributes (key to a single value or a collection of values)
 * @param builder    the builder that appends each created attribute to the statement
 * @return the attribute statement
 * @throws Exception the exception (presumably propagated from the object builders)
 */
public AttributeStatement newAttributeStatement(final SamlProfileBuilderContext context, final Map<String, Object> attributes, final Saml20AttributeBuilder builder) throws Exception {
    val attrStatement = SamlUtils.newSamlObject(AttributeStatement.class);
    val resp = samlIdPProperties.getResponse();
    // per-service name formats override the global response configuration
    val nameFormats = new HashMap<>(resp.configureAttributeNameFormats());
    nameFormats.putAll(context.getRegisteredService().getAttributeNameFormats());
    val globalFriendlyNames = samlIdPProperties.getCore().getAttributeFriendlyNames();
    val friendlyNames = new HashMap<>(CollectionUtils.convertDirectedListToMap(globalFriendlyNames));
    val urns = new HashMap<String, String>();
    // SAML-specific attribute definitions override the global friendly names and supply URNs
    attributeDefinitionStore.getAttributeDefinitions().stream().filter(defn -> defn instanceof SamlIdPAttributeDefinition).map(SamlIdPAttributeDefinition.class::cast).forEach(defn -> {
        if (StringUtils.isNotBlank(defn.getFriendlyName())) {
            friendlyNames.put(defn.getKey(), defn.getFriendlyName());
        }
        if (StringUtils.isNotBlank(defn.getUrn())) {
            urns.put(defn.getKey(), defn.getUrn());
        }
    });
    // the registered service has the final say on friendly names
    friendlyNames.putAll(context.getRegisteredService().getAttributeFriendlyNames());
    // the catalog is a fallback only: it never overrides a friendly name already resolved
    // (its URN is registered for those keys as well)
    SamlIdPAttributeDefinitionCatalog.load().filter(defn -> !friendlyNames.containsKey(defn.getKey())).forEach(defn -> {
        friendlyNames.put(defn.getKey(), defn.getFriendlyName());
        urns.put(defn.getKey(), defn.getUrn());
    });
    for (val entry : attributes.entrySet()) {
        var attributeValue = entry.getValue();
        if (attributeValue instanceof Collection<?> && ((Collection<?>) attributeValue).isEmpty()) {
            LOGGER.info("Skipping attribute [{}] because it does not have any values.", entry.getKey());
            continue;
        }
        val friendlyName = friendlyNames.getOrDefault(entry.getKey(), null);
        // a configured URN wins over whatever names the attribute definition store maps the key to
        val attributeNames = urns.containsKey(entry.getKey()) ? List.of(urns.get(entry.getKey())) : getMappedAttributeNamesFromAttributeDefinitionStore(entry);
        // NOTE(review): attributeValue is reassigned below and is not reset per name, so when an
        // entry maps to several names a NameID built for one name appears to be carried over to
        // the following names of the same entry — confirm this is intended
        for (val name : attributeNames) {
            LOGGER.trace("Processing SAML attribute [{}] with value [{}], friendlyName [{}]", name, attributeValue, friendlyName);
            val valueType = context.getRegisteredService().getAttributeValueTypes().get(name);
            // value type "NameIDType": emit a copy of the NameID the name-id builder produces for this context
            if (NameIDType.class.getSimpleName().equalsIgnoreCase(valueType)) {
                val nameIdObject = samlNameIdBuilder.build(context);
                if (nameIdObject instanceof NameID) {
                    val nameID = newSamlObject(NameID.class);
                    val nameId = (NameID) nameIdObject;
                    nameID.setFormat(nameId.getFormat());
                    nameID.setNameQualifier(nameId.getNameQualifier());
                    nameID.setSPNameQualifier(nameId.getSPNameQualifier());
                    nameID.setValue(nameId.getValue());
                    attributeValue = nameID;
                }
            }
            // value type "persistent": emit a persistent NameID whose value is the attribute's first element
            if (NameID.PERSISTENT.equalsIgnoreCase(valueType)) {
                val nameID = newSamlObject(NameID.class);
                nameID.setFormat(NameID.PERSISTENT);
                nameID.setNameQualifier(SamlIdPUtils.determineNameIdNameQualifier(context.getRegisteredService(), samlIdPMetadataResolver));
                // SP name qualifier: the service's configured qualifier if set, else the SP's entity id
                FunctionUtils.doIf(StringUtils.isNotBlank(context.getRegisteredService().getServiceProviderNameIdQualifier()), value -> nameID.setSPNameQualifier(context.getRegisteredService().getServiceProviderNameIdQualifier()), value -> nameID.setSPNameQualifier(context.getAdaptor().getEntityId())).accept(context.getRegisteredService());
                CollectionUtils.firstElement(attributeValue).ifPresent(value -> nameID.setValue(value.toString()));
                attributeValue = nameID;
            }
            LOGGER.debug("Creating SAML attribute [{}] with value [{}], friendlyName [{}]", name, attributeValue, friendlyName);
            val attribute = newAttribute(friendlyName, name, attributeValue, nameFormats, resp.getDefaultAttributeNameFormat(), context.getRegisteredService().getAttributeValueTypes());
            LOGGER.trace("Created SAML attribute [{}] with NameID format [{}]", attribute.getName(), attribute.getNameFormat());
            builder.build(attrStatement, attribute);
        }
    }
    return attrStatement;
}

Example 15 with AttributeStatement

use of org.opensaml.saml.saml2.core.AttributeStatement in project ddf by codice.

the class AttributeQueryClaimsHandler method createClaims.

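/**
 * Creates claims from the extracted attributes.
 * <p>
 * Only the first {@code AttributeStatement} of the assertion is read. Each of its
 * attributes is matched case-insensitively against {@code supportedClaims}; the first
 * matching claim type yields one single-valued claim whose value is the attribute
 * element's text content, translated through {@code attributeMap} when an entry exists
 * for it. Attributes matching no supported claim are ignored, and an assertion without
 * any attribute statement yields no claims.
 *
 * @param claimsCollection The collection the created claims are added to.
 * @param assertion Assertion from the response.
 * @return The same collection of claims, with the created claims added.
 */
protected ClaimsCollection createClaims(ClaimsCollection claimsCollection, Assertion assertion) {
    List<AttributeStatement> attributeStatements = assertion.getAttributeStatements();
    if (attributeStatements.isEmpty()) {
        // nothing to turn into claims; previously this fell through to an IndexOutOfBoundsException
        return claimsCollection;
    }
    // Should only contain one Attribute Statement; any further statements are not read.
    AttributeStatement attributeStatement = attributeStatements.get(0);
    List<Attribute> attributeList = attributeStatement.getAttributes();
    for (Attribute attribute : attributeList) {
        for (String claimType : supportedClaims) {
            if (claimType.equalsIgnoreCase(attribute.getName())) {
                // The value is read from the attribute's backing DOM node (assumed present for an
                // unmarshalled attribute). getTextContent() joins the text of every child node, so a
                // multi-valued attribute yields one concatenated string.
                String claimValue = attribute.getDOM().getTextContent();
                // Translate the attribute value through the configured mapping when one exists,
                // otherwise create the claim using its original attribute value.
                claimsCollection.add(createSingleValuedClaim(claimType, attributeMap.getOrDefault(claimValue, claimValue)));
                break;
            }
        }
    }
    return claimsCollection;
}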
