
Example 16 with AuthnContextClassRef

use of org.opensaml.saml.saml2.core.AuthnContextClassRef in project pac4j by pac4j.

From class SAML2AuthnRequestBuilder, method buildAuthnRequest:

/**
 * Assembles the SAML 2.0 {@code AuthnRequest} this SP sends to the IdP's SSO endpoint.
 *
 * <p>The request carries this SP's identity (issuer from the self entity context), the
 * endpoint it is addressed to ({@code Destination} = the selected SSO service location),
 * where the response must be delivered (the ACS index when one is configured, otherwise
 * the ACS URL plus its binding), and — only when configured — a {@code RequestedAuthnContext}
 * and a {@code NameIDPolicy}. No signature is attached here.
 *
 * @param context                  message context holding this SP's entity id
 * @param assertionConsumerService the ACS endpoint the IdP must deliver the response to
 * @param ssoService               the IdP SSO endpoint the request is addressed to
 * @return the populated request object
 */
@SuppressWarnings("unchecked")
protected final AuthnRequest buildAuthnRequest(final SAML2MessageContext context, final AssertionConsumerService assertionConsumerService, final SingleSignOnService ssoService) {
    // The builder factory returns an untyped builder; the cast is the reason for the suppression.
    final SAMLObjectBuilder<AuthnRequest> requestBuilder =
        (SAMLObjectBuilder<AuthnRequest>) this.builderFactory.getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME);
    final AuthnRequest authnRequest = requestBuilder.buildObject();

    // A RequestedAuthnContext is only emitted when a comparison type is configured; a configured
    // class ref without a comparison type is silently dropped.
    if (this.comparisonType != null) {
        authnRequest.setRequestedAuthnContext(buildRequestedAuthnContext());
    }

    final SAMLSelfEntityContext self = context.getSAMLSelfEntityContext();
    // NOTE(review): presumably the caller records this ID to correlate InResponseTo on the
    // response — verify in the response validator.
    authnRequest.setID(generateID());
    authnRequest.setIssuer(getIssuer(self.getEntityId()));
    // IssueInstant is "now" in UTC shifted by the configured skew; which direction the skew
    // must point depends on the clock drift between this SP and the IdP.
    authnRequest.setIssueInstant(DateTime.now(DateTimeZone.UTC).plusSeconds(this.issueInstantSkewSeconds));
    authnRequest.setVersion(SAMLVersion.VERSION_20);
    authnRequest.setIsPassive(this.passive);
    authnRequest.setForceAuthn(this.forceAuth);
    authnRequest.setProviderName("pac4j-saml");

    if (this.nameIdPolicyFormat != null) {
        authnRequest.setNameIDPolicy(buildNameIdPolicy());
    }

    // Destination is the SSO endpoint chosen by the caller for this request.
    authnRequest.setDestination(ssoService.getLocation());

    // Prefer referencing the ACS by metadata index; fall back to the explicit URL otherwise.
    if (this.assertionConsumerServiceIndex >= 0) {
        authnRequest.setAssertionConsumerServiceIndex(this.assertionConsumerServiceIndex);
    } else {
        authnRequest.setAssertionConsumerServiceURL(assertionConsumerService.getLocation());
    }
    authnRequest.setProtocolBinding(assertionConsumerService.getBinding());

    if (this.attributeConsumingServiceIndex >= 0) {
        authnRequest.setAttributeConsumingServiceIndex(this.attributeConsumingServiceIndex);
    }
    return authnRequest;
}

/**
 * Builds the {@code RequestedAuthnContext} from the configured comparison type and
 * (optional) single authentication context class ref.
 */
private RequestedAuthnContext buildRequestedAuthnContext() {
    final RequestedAuthnContext requested = new RequestedAuthnContextBuilder().buildObject();
    requested.setComparison(this.comparisonType);
    if (this.authnContextClassRef != null) {
        final AuthnContextClassRef ref = new AuthnContextClassRefBuilder().buildObject();
        ref.setAuthnContextClassRef(this.authnContextClassRef);
        requested.getAuthnContextClassRefs().add(ref);
    }
    return requested;
}

/**
 * Builds the {@code NameIDPolicy} for the configured format. {@code AllowCreate} is always
 * {@code true}: the IdP is permitted to create a new identifier for the principal.
 */
private NameIDPolicy buildNameIdPolicy() {
    final NameIDPolicy policy = new NameIDPolicyBuilder().buildObject();
    policy.setAllowCreate(true);
    policy.setFormat(this.nameIdPolicyFormat);
    return policy;
}

Example 17 with AuthnContextClassRef

use of org.opensaml.saml.saml2.core.AuthnContextClassRef in project syncope by apache.

From class SAML2PResponseComponentBuilder, method createAuthnContextClassRef:

/**
 * Creates an {@code AuthnContextClassRef} element whose value is the given class URI.
 *
 * <p>The static builder is created on first use. NOTE(review): that lazy initialisation is
 * not synchronized, so two threads calling this for the first time may each construct a
 * builder; presumably harmless, but verify if the builder is expected to be a singleton.
 *
 * @param newAuthnContextClassRef the authentication context class URI to carry; passed
 *                                through unchecked (a {@code null} yields an element with no value)
 * @return the populated element
 */
public static AuthnContextClassRef createAuthnContextClassRef(final String newAuthnContextClassRef) {
    final AuthnContextClassRefBuilder builder = authnContextClassRefBuilder != null
        ? authnContextClassRefBuilder
        : (authnContextClassRefBuilder = new AuthnContextClassRefBuilder());
    final AuthnContextClassRef classRef = builder.buildObject();
    classRef.setAuthnContextClassRef(newAuthnContextClassRef);
    return classRef;
}

Example 18 with AuthnContextClassRef

use of org.opensaml.saml.saml2.core.AuthnContextClassRef in project ddf by codice.

From test class SamlAssertionValidatorImplTest, helper method createAssertion:

/**
 * Builds a bearer SAML 2.0 assertion for the "admin" subject as a test fixture.
 *
 * <p>Content: a random ID, IssueInstant "now", the given issuer, a Subject with an
 * unspecified-format NameID and a bearer SubjectConfirmation that carries only its Method
 * (no SubjectConfirmationData, so Recipient/InResponseTo/NotOnOrAfter checks are not
 * exercised by this fixture), Conditions with NotBefore three days ago and the supplied
 * NotOnOrAfter (no AudienceRestriction), one AuthnStatement with the "unspecified" context
 * class and one role attribute valued "admin".
 *
 * <p>When {@code sign} is true a {@code Signature} element is attached. With
 * {@code validSignature} the signing credential is the test's certificate plus private key;
 * otherwise it is only the certificate read from {@code /localhost.crt}, with no private key.
 * NOTE(review): how that certificate-only credential turns into an <em>invalid</em> signature
 * depends on how the caller signs/marshals the assertion — confirm in the calling test.
 *
 * @param sign           whether to attach a Signature element at all
 * @param validSignature whether the signing credential carries the matching private key
 * @param issuerString   value of the Issuer element
 * @param notOnOrAfter   value of Conditions/@NotOnOrAfter
 * @return the assembled assertion
 * @throws Exception if the fallback certificate cannot be read or parsed, or KeyInfo generation fails
 */
private Assertion createAssertion(boolean sign, boolean validSignature, String issuerString, DateTime notOnOrAfter) throws Exception {
    Assertion assertion = new AssertionBuilder().buildObject();
    assertion.setID(UUID.randomUUID().toString());
    assertion.setIssueInstant(new DateTime());
    assertion.setIssuer(issuerOf(issuerString));
    assertion.setSubject(bearerAdminSubject());
    assertion.setConditions(validityWindow(notOnOrAfter));
    assertion.getAuthnStatements().add(unspecifiedAuthnStatement());
    assertion.getAttributeStatements().add(adminRoleStatement());
    if (sign) {
        assertion.setSignature(signatureFor(validSignature));
    }
    return assertion;
}

/** Issuer element carrying the given value. */
private static Issuer issuerOf(String value) {
    Issuer issuer = new IssuerBuilder().buildObject();
    issuer.setValue(value);
    return issuer;
}

/** Subject "admin" (unspecified NameID format, STS name qualifier) with a bare bearer confirmation. */
private static Subject bearerAdminSubject() {
    NameID nameId = new NameIDBuilder().buildObject();
    nameId.setFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
    nameId.setNameQualifier("http://cxf.apache.org/sts");
    nameId.setValue("admin");

    // Only the confirmation Method is set; no SubjectConfirmationData is attached.
    SubjectConfirmation confirmation = new SubjectConfirmationBuilder().buildObject();
    confirmation.setMethod("urn:oasis:names:tc:SAML:2.0:cm:bearer");

    Subject subject = new SubjectBuilder().buildObject();
    subject.setNameID(nameId);
    subject.getSubjectConfirmations().add(confirmation);
    return subject;
}

/** Conditions valid from three days ago until the given instant; no AudienceRestriction. */
private static Conditions validityWindow(DateTime notOnOrAfter) {
    Conditions conditions = new ConditionsBuilder().buildObject();
    conditions.setNotBefore(new DateTime().minusDays(3));
    conditions.setNotOnOrAfter(notOnOrAfter);
    return conditions;
}

/** AuthnStatement issued "now" with the "unspecified" authentication context class. */
private static AuthnStatement unspecifiedAuthnStatement() {
    AuthnContextClassRef classRef = new AuthnContextClassRefBuilder().buildObject();
    classRef.setAuthnContextClassRef("urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified");

    AuthnContext authnContext = new AuthnContextBuilder().buildObject();
    authnContext.setAuthnContextClassRef(classRef);

    AuthnStatement statement = new AuthnStatementBuilder().buildObject();
    statement.setAuthnInstant(new DateTime());
    statement.setAuthnContext(authnContext);
    return statement;
}

/** AttributeStatement with a single WS-Identity "role" claim whose value is "admin". */
private static AttributeStatement adminRoleStatement() {
    AttributeValueType roleValue = new AttributeValueTypeImplBuilder().buildObject();
    roleValue.setValue("admin");

    Attribute role = new AttributeBuilder().buildObject();
    role.setName("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");
    role.setNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");
    role.getAttributeValues().add(roleValue);

    AttributeStatement statement = new AttributeStatementBuilder().buildObject();
    statement.getAttributes().add(role);
    return statement;
}

/**
 * Signature element (exclusive C14N, WSS4J's RSA algorithm constant) with a KeyInfo that
 * embeds the signing certificate. NOTE(review): {@code WSS4JConstants.RSA} is, in WSS4J, the
 * RSA-with-SHA-1 URI — acceptable for a fixture, not something to copy into production code;
 * verify against the WSS4J version in use.
 */
private Signature signatureFor(boolean validSignature) throws Exception {
    Signature signature = OpenSAMLUtil.buildSignature();
    signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
    signature.setSignatureAlgorithm(WSS4JConstants.RSA);

    BasicX509Credential credential = validSignature ? keyedCredential() : certificateOnlyCredential();
    signature.setSigningCredential(credential);

    X509KeyInfoGeneratorFactory keyInfoFactory = new X509KeyInfoGeneratorFactory();
    keyInfoFactory.setEmitEntityCertificate(true);
    signature.setKeyInfo(keyInfoFactory.newInstance().generate(credential));
    return signature;
}

/** The test's own certificate together with its private key. */
private BasicX509Credential keyedCredential() {
    BasicX509Credential credential = new BasicX509Credential(certificate);
    credential.setPrivateKey(privateKey);
    return credential;
}

/** Certificate-only credential (no private key) parsed from {@code /localhost.crt} on the classpath. */
private BasicX509Credential certificateOnlyCredential() throws Exception {
    try (InputStream certStream = getClass().getResourceAsStream("/localhost.crt")) {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) factory.generateCertificate(certStream);
        return new BasicX509Credential(cert);
    }
}

Example 19 with AuthnContextClassRef

use of org.opensaml.saml.saml2.core.AuthnContextClassRef in project cas by apereo.

From class DefaultAuthnContextClassRefBuilder, method getAuthenticationContextByAssertion:

/**
 * Picks the requested authentication context class that the authenticated assertion
 * actually satisfied, or {@code null} if none did.
 *
 * <p>Resolution: the requested class refs are walked in request order and the first one whose
 * URI is non-blank and present in the configured
 * {@code authenticationContextClassMappings} is taken, along with the authentication method it
 * maps to. That method is compared with the first value of the assertion's MFA context
 * attribute; on a match the matched class URI is returned. Only that first mapped ref is ever
 * considered, and the requested comparison type (exact/minimum/...) is logged but plays no
 * part in the decision. This is a template method for the time being and may later be
 * enhanced to support more advanced parsing of classes from the assertion.
 *
 * @param context               profile builder context carrying the authenticated assertion
 * @param requestedAuthnContext the requested authn context (its comparison type is only logged)
 * @param authnContextClassRefs the class refs the SP asked for, in request order
 * @return the URI of the satisfied requested class, or {@code null}
 */
protected String getAuthenticationContextByAssertion(final SamlProfileBuilderContext context, final RequestedAuthnContext requestedAuthnContext, final List<AuthnContextClassRef> authnContextClassRefs) {
    LOGGER.debug("AuthN Context comparison is requested to use [{}]", requestedAuthnContext.getComparison());
    for (val requested : authnContextClassRefs) {
        LOGGER.debug("Requested AuthN Context [{}]", requested.getURI());
    }

    val mappings = casProperties.getAuthn().getSamlIdp().getCore().getAuthenticationContextClassMappings();
    val definedContexts = CollectionUtils.convertDirectedListToMap(mappings);

    // Read the assertion's attributes up front (as before); they are consulted only once a mapped ref is found.
    val attributes = context.getAuthenticatedAssertion().getAttributes();
    val contextAttribute = casProperties.getAuthn().getMfa().getCore().getAuthenticationContextAttribute();

    for (val requested : authnContextClassRefs) {
        val uri = requested.getURI();
        if (StringUtils.isBlank(uri) || !definedContexts.containsKey(uri)) {
            continue;
        }
        // First requested class with a configured mapping: this is the only one that is examined.
        if (attributes.containsKey(contextAttribute)) {
            val satisfiedContext = CollectionUtils.firstElement(attributes.get(contextAttribute))
                .map(Object::toString)
                .orElse(null);
            if (StringUtils.equals(definedContexts.get(uri), satisfiedContext)) {
                return uri;
            }
        }
        return null;
    }
    return null;
}

Example 20 with AuthnContextClassRef

use of org.opensaml.saml.saml2.core.AuthnContextClassRef in project cxf by apache.

From class DefaultAuthnRequestBuilder, method createAuthnRequest:

/**
 * Create a SAML 2.0 Protocol AuthnRequest.
 *
 * <p>The request is issued by {@code issuerId}, asks for a NameID in the configured
 * {@code nameIDFormat} (AllowCreate true, SPNameQualifier = issuer), and requests an
 * {@code EXACT} match on the {@code PasswordProtectedTransport} authentication context
 * class. ForceAuthn, IsPassive and the protocol binding come from this builder's fields.
 * NOTE(review): requesting a context class here does not enforce it — the assertion's
 * returned AuthnContext must still be checked on the response side; confirm where that happens.
 *
 * @param message                         the current message (not read by this method)
 * @param issuerId                        entity id used as Issuer and SPNameQualifier
 * @param assertionConsumerServiceAddress ACS URL the IdP must deliver the response to
 * @return the assembled request
 * @throws Exception propagated from the component builders
 */
public AuthnRequest createAuthnRequest(Message message, String issuerId, String assertionConsumerServiceAddress) throws Exception {
    final Issuer issuer = SamlpRequestComponentBuilder.createIssuer(issuerId);
    final NameIDPolicy nameIdPolicy = SamlpRequestComponentBuilder.createNameIDPolicy(true, nameIDFormat, issuerId);

    final AuthnContextClassRef pptClassRef =
        SamlpRequestComponentBuilder.createAuthnCtxClassRef("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");
    final RequestedAuthnContext requestedContext = SamlpRequestComponentBuilder.createRequestedAuthnCtxPolicy(
        AuthnContextComparisonTypeEnumeration.EXACT, Collections.singletonList(pptClassRef), null);

    // CHECKSTYLE:OFF
    return SamlpRequestComponentBuilder.createAuthnRequest(assertionConsumerServiceAddress, forceAuthn, isPassive, protocolBinding, SAMLVersion.VERSION_20, issuer, nameIdPolicy, requestedContext);
}
