Search in sources :

Example 36 with AuthnRequest

use of org.opensaml.saml.saml2.core.AuthnRequest in project cxf by apache.

the class AuthnRequestBuilderTest method testAuthnRequestID.

@org.junit.Test
public void testAuthnRequestID() throws Exception {
    AuthnRequestBuilder authnRequestBuilder = new DefaultAuthnRequestBuilder();
    AuthnRequest authnRequest = authnRequestBuilder.createAuthnRequest(new MessageImpl(), "http://localhost:9001/app", "http://localhost:9001/sso");
    assertTrue("ID must start with a letter or underscore, and can only contain letters, digits, " + "underscores, hyphens, and periods.", authnRequest.getID().matches("^[_a-zA-Z][-_0-9a-zA-Z\\.]+$"));
}
Also used : AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest) MessageImpl(org.apache.cxf.message.MessageImpl)

Example 37 with AuthnRequest

use of org.opensaml.saml.saml2.core.AuthnRequest in project cas by apereo.

the class SamlProfileSamlAssertionBuilder method build.

@Override
public Assertion build(final AuthnRequest authnRequest, final HttpServletRequest request, final HttpServletResponse response, final org.jasig.cas.client.validation.Assertion casAssertion, final SamlRegisteredService service, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor) throws SamlException {
    final List<Statement> statements = new ArrayList<>();
    statements.add(this.samlProfileSamlAuthNStatementBuilder.build(authnRequest, request, response, casAssertion, service, adaptor));
    statements.add(this.samlProfileSamlAttributeStatementBuilder.build(authnRequest, request, response, casAssertion, service, adaptor));
    final String id = '_' + String.valueOf(Math.abs(new SecureRandom().nextLong()));
    final Assertion assertion = newAssertion(statements, casProperties.getAuthn().getSamlIdp().getEntityId(), ZonedDateTime.now(ZoneOffset.UTC), id);
    assertion.setSubject(this.samlProfileSamlSubjectBuilder.build(authnRequest, request, response, casAssertion, service, adaptor));
    assertion.setConditions(this.samlProfileSamlConditionsBuilder.build(authnRequest, request, response, casAssertion, service, adaptor));
    signAssertion(assertion, request, response, service, adaptor);
    return assertion;
}
Also used : AuthnStatement(org.opensaml.saml.saml2.core.AuthnStatement) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) Statement(org.opensaml.saml.saml2.core.Statement) ArrayList(java.util.ArrayList) Assertion(org.opensaml.saml.saml2.core.Assertion) SecureRandom(java.security.SecureRandom)

Example 38 with AuthnRequest

use of org.opensaml.saml.saml2.core.AuthnRequest in project cas by apereo.

the class SamlProfileSamlAuthNStatementBuilder method buildAuthnStatement.

/**
     * Creates an authentication statement for the current request.
     *
     * @param assertion    the assertion
     * @param authnRequest the authn request
     * @param adaptor      the adaptor
     * @param service      the service
     * @return constructed authentication statement
     * @throws SamlException the saml exception
     */
private AuthnStatement buildAuthnStatement(final Assertion assertion, final AuthnRequest authnRequest, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final SamlRegisteredService service) throws SamlException {
    final String authenticationMethod = this.authnContextClassRefBuilder.build(assertion, authnRequest, adaptor, service);
    final String id = '_' + String.valueOf(Math.abs(new SecureRandom().nextLong()));
    final AuthnStatement statement = newAuthnStatement(authenticationMethod, DateTimeUtils.zonedDateTimeOf(assertion.getAuthenticationDate()), id);
    if (assertion.getValidUntilDate() != null) {
        final ZonedDateTime dt = DateTimeUtils.zonedDateTimeOf(assertion.getValidUntilDate());
        statement.setSessionNotOnOrAfter(DateTimeUtils.dateTimeOf(dt.plusSeconds(casProperties.getAuthn().getSamlIdp().getResponse().getSkewAllowance())));
    }
    statement.setSubjectLocality(buildSubjectLocality(assertion, authnRequest, adaptor));
    return statement;
}
Also used : ZonedDateTime(java.time.ZonedDateTime) AuthnStatement(org.opensaml.saml.saml2.core.AuthnStatement) SecureRandom(java.security.SecureRandom)

Example 39 with AuthnRequest

use of org.opensaml.saml.saml2.core.AuthnRequest in project cas by apereo.

the class SamlProfileSamlNameIdBuilder method buildNameId.

/**
     * Build name id.
     * If there are no explicitly defined NameIDFormats, include the default format.
     * see: http://saml2int.org/profile/current/#section92
     *
     * @param authnRequest the authn request
     * @param assertion    the assertion
     * @param service      the service
     * @param adaptor      the adaptor
     * @return the name id
     * @throws SamlException the saml exception
     */
private NameID buildNameId(final AuthnRequest authnRequest, final Assertion assertion, final SamlRegisteredService service, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor) throws SamlException {
    final List<String> supportedNameFormats = adaptor.getSupportedNameIdFormats();
    LOGGER.debug("Metadata for [{}] declares support for the following NameIDs [{}]", adaptor.getEntityId(), supportedNameFormats);
    if (supportedNameFormats.isEmpty()) {
        supportedNameFormats.add(NameIDType.TRANSIENT);
        LOGGER.debug("No supported nameId formats could be determined from metadata. Added default [{}]", NameIDType.TRANSIENT);
    }
    if (StringUtils.isNotBlank(service.getRequiredNameIdFormat())) {
        final String fmt = parseAndBuildRequiredNameIdFormat(service);
        supportedNameFormats.add(0, fmt);
        LOGGER.debug("Added required nameId format [{}] based on saml service configuration for [{}]", fmt, service.getServiceId());
    }
    String requiredNameFormat = null;
    if (authnRequest.getNameIDPolicy() != null) {
        requiredNameFormat = authnRequest.getNameIDPolicy().getFormat();
        LOGGER.debug("AuthN request indicates [{}] is the required NameID format", requiredNameFormat);
        if (NameID.ENCRYPTED.equals(requiredNameFormat)) {
            LOGGER.warn("Encrypted NameID formats are not supported");
            requiredNameFormat = null;
        }
    }
    if (StringUtils.isNotBlank(requiredNameFormat) && !supportedNameFormats.contains(requiredNameFormat)) {
        LOGGER.warn("Required NameID format [{}] in the AuthN request issued by [{}] is not supported based on the metadata for [{}]", requiredNameFormat, SamlIdPUtils.getIssuerFromSamlRequest(authnRequest), adaptor.getEntityId());
        throw new SamlException("Required NameID format cannot be provided because it is not supported");
    }
    for (final String nameFormat : supportedNameFormats) {
        try {
            LOGGER.debug("Evaluating NameID format [{}]", nameFormat);
            final SAML2StringNameIDEncoder encoder = new SAML2StringNameIDEncoder();
            encoder.setNameFormat(nameFormat);
            if (authnRequest.getNameIDPolicy() != null) {
                final String qualifier = authnRequest.getNameIDPolicy().getSPNameQualifier();
                LOGGER.debug("NameID qualifier is set to [{}]", qualifier);
                encoder.setNameQualifier(qualifier);
            }
            final IdPAttribute attribute = new IdPAttribute(AttributePrincipal.class.getName());
            final IdPAttributeValue<String> value = new StringAttributeValue(assertion.getPrincipal().getName());
            LOGGER.debug("NameID attribute value is set to [{}]", assertion.getPrincipal().getName());
            attribute.setValues(Collections.singletonList(value));
            LOGGER.debug("Encoding NameID based on [{}]", nameFormat);
            final NameID nameid = encoder.encode(attribute);
            LOGGER.debug("Final NameID encoded is [{}] with value [{}]", nameid.getFormat(), nameid.getValue());
            return nameid;
        } catch (final Exception e) {
            LOGGER.error(e.getMessage(), e);
        }
    }
    return null;
}
Also used : NameID(org.opensaml.saml.saml2.core.NameID) SamlException(org.apereo.cas.support.saml.SamlException) IdPAttribute(net.shibboleth.idp.attribute.IdPAttribute) StringAttributeValue(net.shibboleth.idp.attribute.StringAttributeValue) SAML2StringNameIDEncoder(net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringNameIDEncoder) AttributePrincipal(org.jasig.cas.client.authentication.AttributePrincipal) SamlException(org.apereo.cas.support.saml.SamlException)

Example 40 with AuthnRequest

use of org.opensaml.saml.saml2.core.AuthnRequest in project cas by apereo.

the class SamlProfileSamlSubjectBuilder method buildSubject.

private Subject buildSubject(final HttpServletRequest request, final HttpServletResponse response, final AuthnRequest authnRequest, final Assertion assertion, final SamlRegisteredService service, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor) throws SamlException {
    final NameID nameID = this.ssoPostProfileSamlNameIdBuilder.build(authnRequest, request, response, assertion, service, adaptor);
    final ZonedDateTime validFromDate = ZonedDateTime.ofInstant(assertion.getValidFromDate().toInstant(), ZoneOffset.UTC);
    final Subject subject = newSubject(nameID.getFormat(), nameID.getValue(), authnRequest.getAssertionConsumerServiceURL(), validFromDate.plusSeconds(this.skewAllowance), authnRequest.getID());
    subject.setNameID(nameID);
    return subject;
}
Also used : NameID(org.opensaml.saml.saml2.core.NameID) ZonedDateTime(java.time.ZonedDateTime) Subject(org.opensaml.saml.saml2.core.Subject)

Aggregations

AuthnRequest (org.opensaml.saml.saml2.core.AuthnRequest)40 Test (org.junit.Test)11 IOException (java.io.IOException)9 AuthnRequestBuilder.anAuthnRequest (uk.gov.ida.saml.core.test.builders.AuthnRequestBuilder.anAuthnRequest)9 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)7 Assertion (org.jasig.cas.client.validation.Assertion)7 MessageContext (org.opensaml.messaging.context.MessageContext)7 Document (org.w3c.dom.Document)7 ZonedDateTime (java.time.ZonedDateTime)6 HttpServletResponse (javax.servlet.http.HttpServletResponse)6 SamlRegisteredService (org.apereo.cas.support.saml.services.SamlRegisteredService)6 SamlRegisteredServiceServiceProviderMetadataFacade (org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade)6 Assertion (org.opensaml.saml.saml2.core.Assertion)6 AuthnContextClassRef (org.opensaml.saml.saml2.core.AuthnContextClassRef)6 NameID (org.opensaml.saml.saml2.core.NameID)6 RequestedAuthnContext (org.opensaml.saml.saml2.core.RequestedAuthnContext)6 Envelope (org.opensaml.soap.soap11.Envelope)6 Response (javax.ws.rs.core.Response)5 AssertionConsumerService (org.opensaml.saml.saml2.metadata.AssertionConsumerService)5 SimpleSign (ddf.security.samlp.SimpleSign)4