Example 46 with Issuer
use of org.opensaml.saml.saml2.core.Issuer in project spring-security by spring-projects.
the class OpenSaml4AuthenticationRequestFactory method createAuthnRequest.
private AuthnRequest createAuthnRequest(Saml2AuthenticationRequestContext context) {
String issuer = context.getIssuer();
String destination = context.getDestination();
String assertionConsumerServiceUrl = context.getAssertionConsumerServiceUrl();
String protocolBinding = context.getRelyingPartyRegistration().getAssertionConsumerServiceBinding().getUrn();
AuthnRequest auth = this.authnRequestBuilder.buildObject();
if (auth.getID() == null) {
auth.setID("ARQ" + UUID.randomUUID().toString().substring(1));
}
if (auth.getIssueInstant() == null) {
auth.setIssueInstant(Instant.now(this.clock));
}
if (auth.isForceAuthn() == null) {
auth.setForceAuthn(Boolean.FALSE);
}
if (auth.isPassive() == null) {
auth.setIsPassive(Boolean.FALSE);
}
if (auth.getProtocolBinding() == null) {
auth.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI);
}
auth.setProtocolBinding(protocolBinding);
if (auth.getNameIDPolicy() == null) {
setNameIdPolicy(auth, context.getRelyingPartyRegistration());
}
Issuer iss = this.issuerBuilder.buildObject();
iss.setValue(issuer);
auth.setIssuer(iss);
auth.setDestination(destination);
auth.setAssertionConsumerServiceURL(assertionConsumerServiceUrl);
return auth;
}
Also used :
AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest)
Issuer(org.opensaml.saml.saml2.core.Issuer)
Example 47 with Issuer
use of org.opensaml.saml.saml2.core.Issuer in project spring-security by spring-projects.
the class OpenSaml4AuthenticationRequestFactory method createAuthenticationRequest.
/**
* {@inheritDoc}
*/
@Override
@Deprecated
public String createAuthenticationRequest(Saml2AuthenticationRequest request) {
RelyingPartyRegistration registration = RelyingPartyRegistration.withRegistrationId("noId").assertionConsumerServiceBinding(Saml2MessageBinding.POST).assertionConsumerServiceLocation(request.getAssertionConsumerServiceUrl()).entityId(request.getIssuer()).remoteIdpEntityId("noIssuer").idpWebSsoUrl("noUrl").credentials((credentials) -> credentials.addAll(request.getCredentials())).build();
Saml2AuthenticationRequestContext context = Saml2AuthenticationRequestContext.builder().relyingPartyRegistration(registration).issuer(request.getIssuer()).assertionConsumerServiceUrl(request.getAssertionConsumerServiceUrl()).build();
AuthnRequest authnRequest = this.authenticationRequestContextConverter.convert(context);
return OpenSamlSigningUtils.serialize(OpenSamlSigningUtils.sign(authnRequest, registration));
}
Also used :
RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)
Converter(org.springframework.core.convert.converter.Converter)
OpenSamlInitializationService(org.springframework.security.saml2.core.OpenSamlInitializationService)
AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest)
ConfigurationService(org.opensaml.core.config.ConfigurationService)
NameIDPolicyBuilder(org.opensaml.saml.saml2.core.impl.NameIDPolicyBuilder)
UUID(java.util.UUID)
Instant(java.time.Instant)
StandardCharsets(java.nio.charset.StandardCharsets)
XMLObjectProviderRegistry(org.opensaml.core.xml.config.XMLObjectProviderRegistry)
RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)
IssuerBuilder(org.opensaml.saml.saml2.core.impl.IssuerBuilder)
Saml2MessageBinding(org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding)
AuthnRequestBuilder(org.opensaml.saml.saml2.core.impl.AuthnRequestBuilder)
Saml2ParameterNames(org.springframework.security.saml2.core.Saml2ParameterNames)
Issuer(org.opensaml.saml.saml2.core.Issuer)
Map(java.util.Map)
Clock(java.time.Clock)
NameIDPolicy(org.opensaml.saml.saml2.core.NameIDPolicy)
SAMLConstants(org.opensaml.saml.common.xml.SAMLConstants)
QueryParametersPartial(org.springframework.security.saml2.provider.service.authentication.OpenSamlSigningUtils.QueryParametersPartial)
Assert(org.springframework.util.Assert)
StringUtils(org.springframework.util.StringUtils)
AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest)
Example 48 with Issuer
use of org.opensaml.saml.saml2.core.Issuer in project cloudstack by apache.
the class SAML2LoginAPIAuthenticatorCmd method authenticate.
@Override
public String authenticate(final String command, final Map<String, Object[]> params, final HttpSession session, final InetAddress remoteAddress, final String responseType, final StringBuilder auditTrailSb, final HttpServletRequest req, final HttpServletResponse resp) throws ServerApiException {
try {
if (!params.containsKey(SAMLPluginConstants.SAML_RESPONSE) && !params.containsKey("SAMLart")) {
String idpId = null;
String domainPath = null;
if (params.containsKey(ApiConstants.IDP_ID)) {
idpId = ((String[]) params.get(ApiConstants.IDP_ID))[0];
}
if (params.containsKey(ApiConstants.DOMAIN)) {
domainPath = ((String[]) params.get(ApiConstants.DOMAIN))[0];
}
if (domainPath != null && !domainPath.isEmpty()) {
if (!domainPath.startsWith("/")) {
domainPath = "/" + domainPath;
}
if (!domainPath.endsWith("/")) {
domainPath = domainPath + "/";
}
}
SAMLProviderMetadata spMetadata = samlAuthManager.getSPMetadata();
SAMLProviderMetadata idpMetadata = samlAuthManager.getIdPMetadata(idpId);
if (idpMetadata == null) {
throw new ServerApiException(ApiErrorCode.PARAM_ERROR, apiServer.getSerializedApiError(ApiErrorCode.PARAM_ERROR.getHttpCode(), "IdP ID (" + idpId + ") is not found in our list of supported IdPs, cannot proceed.", params, responseType));
}
if (idpMetadata.getSsoUrl() == null || idpMetadata.getSsoUrl().isEmpty()) {
throw new ServerApiException(ApiErrorCode.PARAM_ERROR, apiServer.getSerializedApiError(ApiErrorCode.PARAM_ERROR.getHttpCode(), "IdP ID (" + idpId + ") has no Single Sign On URL defined please contact " + idpMetadata.getContactPersonName() + " <" + idpMetadata.getContactPersonEmail() + ">, cannot proceed.", params, responseType));
}
String authnId = SAMLUtils.generateSecureRandomId();
samlAuthManager.saveToken(authnId, domainPath, idpMetadata.getEntityId());
s_logger.debug("Sending SAMLRequest id=" + authnId);
String redirectUrl = SAMLUtils.buildAuthnRequestUrl(authnId, spMetadata, idpMetadata, SAML2AuthManager.SAMLSignatureAlgorithm.value());
resp.sendRedirect(redirectUrl);
return "";
}
if (params.containsKey("SAMLart")) {
throw new ServerApiException(ApiErrorCode.UNSUPPORTED_ACTION_ERROR, apiServer.getSerializedApiError(ApiErrorCode.UNSUPPORTED_ACTION_ERROR.getHttpCode(), "SAML2 HTTP Artifact Binding is not supported", params, responseType));
} else {
final String samlResponse = ((String[]) params.get(SAMLPluginConstants.SAML_RESPONSE))[0];
Response processedSAMLResponse = this.processSAMLResponse(samlResponse);
String statusCode = processedSAMLResponse.getStatus().getStatusCode().getValue();
if (!statusCode.equals(StatusCode.SUCCESS_URI)) {
throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "Identity Provider send a non-successful authentication status code", params, responseType));
}
String username = null;
Issuer issuer = processedSAMLResponse.getIssuer();
SAMLProviderMetadata spMetadata = samlAuthManager.getSPMetadata();
SAMLProviderMetadata idpMetadata = samlAuthManager.getIdPMetadata(issuer.getValue());
String responseToId = processedSAMLResponse.getInResponseTo();
s_logger.debug("Received SAMLResponse in response to id=" + responseToId);
SAMLTokenVO token = samlAuthManager.getToken(responseToId);
if (token != null) {
if (!(token.getEntity().equalsIgnoreCase(issuer.getValue()))) {
throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "The SAML response contains Issuer Entity ID that is different from the original SAML request", params, responseType));
}
} else {
throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "Received SAML response for a SSO request that we may not have made or has expired, please try logging in again", params, responseType));
}
// Set IdpId for this session
session.setAttribute(SAMLPluginConstants.SAML_IDPID, issuer.getValue());
Signature sig = processedSAMLResponse.getSignature();
if (idpMetadata.getSigningCertificate() != null && sig != null) {
BasicX509Credential credential = new BasicX509Credential();
credential.setEntityCertificate(idpMetadata.getSigningCertificate());
SignatureValidator validator = new SignatureValidator(credential);
try {
validator.validate(sig);
} catch (ValidationException e) {
s_logger.error("SAML Response's signature failed to be validated by IDP signing key:" + e.getMessage());
throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "SAML Response's signature failed to be validated by IDP signing key", params, responseType));
}
}
if (username == null) {
username = SAMLUtils.getValueFromAssertions(processedSAMLResponse.getAssertions(), SAML2AuthManager.SAMLUserAttributeName.value());
}
for (Assertion assertion : processedSAMLResponse.getAssertions()) {
if (assertion != null && assertion.getSubject() != null && assertion.getSubject().getNameID() != null) {
session.setAttribute(SAMLPluginConstants.SAML_NAMEID, assertion.getSubject().getNameID().getValue());
break;
}
}
if (idpMetadata.getEncryptionCertificate() != null && spMetadata != null && spMetadata.getKeyPair() != null && spMetadata.getKeyPair().getPrivate() != null) {
Credential credential = SecurityHelper.getSimpleCredential(idpMetadata.getEncryptionCertificate().getPublicKey(), spMetadata.getKeyPair().getPrivate());
StaticKeyInfoCredentialResolver keyInfoResolver = new StaticKeyInfoCredentialResolver(credential);
EncryptedKeyResolver keyResolver = new InlineEncryptedKeyResolver();
Decrypter decrypter = new Decrypter(null, keyInfoResolver, keyResolver);
decrypter.setRootInNewDocument(true);
List<EncryptedAssertion> encryptedAssertions = processedSAMLResponse.getEncryptedAssertions();
if (encryptedAssertions != null) {
for (EncryptedAssertion encryptedAssertion : encryptedAssertions) {
Assertion assertion = null;
try {
assertion = decrypter.decrypt(encryptedAssertion);
} catch (DecryptionException e) {
s_logger.warn("SAML EncryptedAssertion error: " + e.toString());
}
if (assertion == null) {
continue;
}
Signature encSig = assertion.getSignature();
if (idpMetadata.getSigningCertificate() != null && encSig != null) {
BasicX509Credential sigCredential = new BasicX509Credential();
sigCredential.setEntityCertificate(idpMetadata.getSigningCertificate());
SignatureValidator validator = new SignatureValidator(sigCredential);
try {
validator.validate(encSig);
} catch (ValidationException e) {
s_logger.error("SAML Response's signature failed to be validated by IDP signing key:" + e.getMessage());
throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "SAML Response's signature failed to be validated by IDP signing key", params, responseType));
}
}
if (assertion.getSubject() != null && assertion.getSubject().getNameID() != null) {
session.setAttribute(SAMLPluginConstants.SAML_NAMEID, assertion.getSubject().getNameID().getValue());
}
if (username == null) {
username = SAMLUtils.getValueFromAttributeStatements(assertion.getAttributeStatements(), SAML2AuthManager.SAMLUserAttributeName.value());
}
}
}
}
if (username == null) {
throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "Failed to find admin configured username attribute in the SAML Response. Please ask your administrator to check SAML user attribute name.", params, responseType));
}
UserAccount userAccount = null;
List<UserAccountVO> possibleUserAccounts = userAccountDao.getAllUsersByNameAndEntity(username, issuer.getValue());
if (possibleUserAccounts != null && possibleUserAccounts.size() > 0) {
// Users can switch to other allowed accounts later
for (UserAccountVO possibleUserAccount : possibleUserAccounts) {
if (possibleUserAccount.getAccountState().equals(Account.State.enabled.toString())) {
userAccount = possibleUserAccount;
break;
}
}
}
whenFailToAuthenticateThrowExceptionOrRedirectToUrl(params, responseType, resp, issuer, userAccount);
try {
if (apiServer.verifyUser(userAccount.getId())) {
LoginCmdResponse loginResponse = (LoginCmdResponse) apiServer.loginUser(session, userAccount.getUsername(), userAccount.getUsername() + userAccount.getSource().toString(), userAccount.getDomainId(), null, remoteAddress, params);
SAMLUtils.setupSamlUserCookies(loginResponse, resp);
resp.sendRedirect(SAML2AuthManager.SAMLCloudStackRedirectionUrl.value());
return ApiResponseSerializer.toSerializedString(loginResponse, responseType);
}
} catch (CloudAuthenticationException | IOException exception) {
s_logger.debug("SAML Login failed to log in the user due to: " + exception.getMessage());
}
}
} catch (IOException e) {
auditTrailSb.append("SP initiated SAML authentication using HTTP redirection failed:");
auditTrailSb.append(e.getMessage());
}
throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "Unable to authenticate user while performing SAML based SSO. Please make sure your user/account has been added, enable and authorized by the admin before you can authenticate. Please contact your administrator.", params, responseType));
}
Also used :
ValidationException(org.opensaml.xml.validation.ValidationException)
Issuer(org.opensaml.saml2.core.Issuer)
SAMLTokenVO(org.apache.cloudstack.saml.SAMLTokenVO)
CloudAuthenticationException(com.cloud.exception.CloudAuthenticationException)
StaticKeyInfoCredentialResolver(org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver)
ServerApiException(org.apache.cloudstack.api.ServerApiException)
SAMLProviderMetadata(org.apache.cloudstack.saml.SAMLProviderMetadata)
BasicX509Credential(org.opensaml.xml.security.x509.BasicX509Credential)
Credential(org.opensaml.xml.security.credential.Credential)
Assertion(org.opensaml.saml2.core.Assertion)
EncryptedAssertion(org.opensaml.saml2.core.EncryptedAssertion)
Decrypter(org.opensaml.saml2.encryption.Decrypter)
IOException(java.io.IOException)
LoginCmdResponse(org.apache.cloudstack.api.response.LoginCmdResponse)
Response(org.opensaml.saml2.core.Response)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
UserAccountVO(com.cloud.user.UserAccountVO)
BasicX509Credential(org.opensaml.xml.security.x509.BasicX509Credential)
EncryptedAssertion(org.opensaml.saml2.core.EncryptedAssertion)
Signature(org.opensaml.xml.signature.Signature)
SignatureValidator(org.opensaml.xml.signature.SignatureValidator)
InlineEncryptedKeyResolver(org.opensaml.xml.encryption.InlineEncryptedKeyResolver)
DecryptionException(org.opensaml.xml.encryption.DecryptionException)
UserAccount(com.cloud.user.UserAccount)
LoginCmdResponse(org.apache.cloudstack.api.response.LoginCmdResponse)
InlineEncryptedKeyResolver(org.opensaml.xml.encryption.InlineEncryptedKeyResolver)
EncryptedKeyResolver(org.opensaml.xml.encryption.EncryptedKeyResolver)
Example 49 with Issuer
use of org.opensaml.saml.saml2.core.Issuer in project cloudstack by apache.
the class SAMLUtils method buildAuthnRequestObject.
public static AuthnRequest buildAuthnRequestObject(final String authnId, final String spId, final String idpUrl, final String consumerUrl) {
// Issuer object
IssuerBuilder issuerBuilder = new IssuerBuilder();
Issuer issuer = issuerBuilder.buildObject();
issuer.setValue(spId);
// AuthnContextClass
AuthnContextClassRefBuilder authnContextClassRefBuilder = new AuthnContextClassRefBuilder();
AuthnContextClassRef authnContextClassRef = authnContextClassRefBuilder.buildObject(SAMLConstants.SAML20_NS, "AuthnContextClassRef", "saml");
authnContextClassRef.setAuthnContextClassRef(AuthnContext.PPT_AUTHN_CTX);
// AuthnContext
RequestedAuthnContextBuilder requestedAuthnContextBuilder = new RequestedAuthnContextBuilder();
RequestedAuthnContext requestedAuthnContext = requestedAuthnContextBuilder.buildObject();
requestedAuthnContext.setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
requestedAuthnContext.getAuthnContextClassRefs().add(authnContextClassRef);
// Creation of AuthRequestObject
AuthnRequestBuilder authRequestBuilder = new AuthnRequestBuilder();
AuthnRequest authnRequest = authRequestBuilder.buildObject();
authnRequest.setID(authnId);
authnRequest.setDestination(idpUrl);
authnRequest.setVersion(SAMLVersion.VERSION_20);
authnRequest.setForceAuthn(false);
authnRequest.setIsPassive(false);
authnRequest.setIssueInstant(new DateTime());
authnRequest.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI);
authnRequest.setAssertionConsumerServiceURL(consumerUrl);
authnRequest.setProviderName(spId);
authnRequest.setIssuer(issuer);
authnRequest.setRequestedAuthnContext(requestedAuthnContext);
return authnRequest;
}
Also used :
RequestedAuthnContextBuilder(org.opensaml.saml2.core.impl.RequestedAuthnContextBuilder)
RequestedAuthnContext(org.opensaml.saml2.core.RequestedAuthnContext)
AuthnRequest(org.opensaml.saml2.core.AuthnRequest)
Issuer(org.opensaml.saml2.core.Issuer)
AuthnContextClassRef(org.opensaml.saml2.core.AuthnContextClassRef)
IssuerBuilder(org.opensaml.saml2.core.impl.IssuerBuilder)
AuthnRequestBuilder(org.opensaml.saml2.core.impl.AuthnRequestBuilder)
AuthnContextClassRefBuilder(org.opensaml.saml2.core.impl.AuthnContextClassRefBuilder)
DateTime(org.joda.time.DateTime)
Example 50 with Issuer
use of org.opensaml.saml.saml2.core.Issuer in project ddf by codice.
the class SamlProtocol method createAttributeQuery.
public static AttributeQuery createAttributeQuery(Issuer issuer, Subject subject, String destination) {
AttributeQuery attributeQuery = attributeQueryBuilder.buildObject();
attributeQuery.setID(UUID.randomUUID().toString());
attributeQuery.setIssueInstant(new DateTime());
attributeQuery.setIssuer(issuer);
attributeQuery.setSubject(subject);
attributeQuery.setVersion(SAMLVersion.VERSION_20);
if (StringUtils.isNotBlank(destination)) {
attributeQuery.setDestination(destination);
}
return attributeQuery;
}
Also used :
AttributeQuery(org.opensaml.saml.saml2.core.AttributeQuery)
DateTime(org.joda.time.DateTime)
Aggregations
Issuer (org.opensaml.saml.saml2.core.Issuer)79
Response (org.opensaml.saml.saml2.core.Response)59
DateTime (org.joda.time.DateTime)57
Test (org.junit.jupiter.api.Test)37
AuthnRequest (org.opensaml.saml.saml2.core.AuthnRequest)36
Element (org.w3c.dom.Element)34
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)32
lombok.val (lombok.val)28
SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)26
Document (org.w3c.dom.Document)25
Status (org.opensaml.saml.saml2.core.Status)24
Assertion (org.opensaml.saml.saml2.core.Assertion)22
SAMLCallback (org.apache.wss4j.common.saml.SAMLCallback)20
SubjectConfirmationDataBean (org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean)20
SAMLObjectBuilder (org.opensaml.saml.common.SAMLObjectBuilder)17
LogoutRequest (org.opensaml.saml.saml2.core.LogoutRequest)16
InputStream (java.io.InputStream)15
IssuerBuilder (org.opensaml.saml.saml2.core.impl.IssuerBuilder)15
Crypto (org.apache.wss4j.common.crypto.Crypto)14
KeyStore (java.security.KeyStore)13
