Use of org.opensaml.saml.saml2.core.Issuer in project cas by apereo.
The class SLOSamlIdPPostProfileHandlerControllerTests, method verifyOperation.
@Test
@Order(1)
public void verifyOperation() throws Exception {
    // SP-initiated single logout over the POST binding: build a LogoutRequest for a
    // registered service, sign it with the IdP's object signer, base64-encode it into
    // the SAMLRequest parameter and expect the controller to answer with 200.
    val httpRequest = new MockHttpServletRequest();
    httpRequest.setMethod("POST");
    val httpResponse = new MockHttpServletResponse();

    val registeredService = getSamlRegisteredServiceFor(false, false, false, "https://cassp.example.org");
    servicesManager.save(registeredService);

    val builderFactory = openSamlConfigBean.getBuilderFactory();
    val requestBuilder = (SAMLObjectBuilder) builderFactory.getBuilder(LogoutRequest.DEFAULT_ELEMENT_NAME);
    var logoutRequest = (LogoutRequest) requestBuilder.buildObject();

    val issuerBuilder = (SAMLObjectBuilder) builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
    val issuer = (Issuer) issuerBuilder.buildObject();
    issuer.setValue(registeredService.getServiceId());
    logoutRequest.setIssuer(issuer);

    val facade = SamlRegisteredServiceServiceProviderMetadataFacade
        .get(samlRegisteredServiceCachingMetadataResolver, registeredService, registeredService.getServiceId())
        .get();
    // The request is signed before being encoded so that the controller sees a
    // request attributable to the registered issuer.
    logoutRequest = samlIdPObjectSigner.encode(logoutRequest, registeredService, facade, httpResponse, httpRequest,
        SAMLConstants.SAML2_POST_BINDING_URI, logoutRequest, new MessageContext());

    val encodedRequest = EncodingUtils.encodeBase64(SamlUtils.transformSamlObject(openSamlConfigBean, logoutRequest).toString());
    httpRequest.addParameter(SamlProtocolConstants.PARAMETER_SAML_REQUEST, encodedRequest);

    controller.handleSaml2ProfileSLOPostRequest(httpResponse, httpRequest);
    assertEquals(HttpStatus.SC_OK, httpResponse.getStatus());
}
Use of org.opensaml.saml.saml2.core.Issuer in project cas by apereo.
The class SamlProfileSaml2ResponseBuilder, method buildResponse.
/**
 * Builds the SAML2 {@code Response} that wraps the given assertion.
 * <p>
 * The response carries a random underscore-prefixed ID, {@code InResponseTo} the
 * incoming request's ID, the issuer resolved by {@link #resolveIssuerEntityId},
 * the SP's assertion consumer endpoint as destination, a {@code Success} status
 * and the assertion (placed in the encrypted-assertions collection when
 * {@code encryptAssertion} produced an {@code EncryptedAssertion}). When the
 * registered service requires signed responses, the signed form is returned.
 *
 * @param assertion the SAML assertion to include
 * @param context   the profile builder context (SAML request, registered service,
 *                  metadata adaptor, binding and the HTTP request/response)
 * @return the built response, signed if the registered service requires it
 * @throws Exception if metadata resolution, encryption or signing fails
 */
@Override
public Response buildResponse(final Assertion assertion, final SamlProfileBuilderContext context) throws Exception {
    val registeredService = context.getRegisteredService();
    val samlRequest = context.getSamlRequest();

    // xs:ID values may not begin with a digit, hence the underscore prefix.
    val responseId = '_' + String.valueOf(RandomUtils.nextLong());
    val samlResponse = newResponse(responseId, ZonedDateTime.now(ZoneOffset.UTC), samlRequest.getID(), null);
    samlResponse.setVersion(SAMLVersion.VERSION_20);
    samlResponse.setIssuer(buildSamlResponseIssuer(resolveIssuerEntityId(context)));

    // Destination is the ACS endpoint's ResponseLocation when present, otherwise its Location.
    val endpoint = SamlIdPUtils.determineEndpointForRequest(Pair.of(samlRequest, context.getMessageContext()), context.getAdaptor(), context.getBinding());
    val responseLocation = endpoint.getResponseLocation();
    samlResponse.setDestination(StringUtils.isBlank(responseLocation) ? endpoint.getLocation() : responseLocation);

    val samlIdPCore = getConfigurationContext().getCasProperties().getAuthn().getSamlIdp().getCore();
    if (samlIdPCore.isAttributeQueryProfileEnabled()) {
        storeAttributeQueryTicketInRegistry(assertion, context);
    }

    val assertionToAttach = encryptAssertion(assertion, context);
    if (assertionToAttach instanceof EncryptedAssertion) {
        LOGGER.trace("Built assertion is encrypted, so the response will add it to the encrypted assertions collection");
        samlResponse.getEncryptedAssertions().add((EncryptedAssertion) assertionToAttach);
    } else {
        LOGGER.trace("Built assertion is not encrypted, so the response will add it to the assertions collection");
        samlResponse.getAssertions().add((Assertion) assertionToAttach);
    }
    samlResponse.setStatus(newStatus(StatusCode.SUCCESS, null));

    // NOTE(review): this dumps the whole response; when the assertion was not
    // encrypted that includes the subject and attributes in clear text.
    SamlUtils.logSamlObject(this.openSamlConfigBean, samlResponse);

    if (!registeredService.isSignResponses()) {
        return samlResponse;
    }
    LOGGER.debug("SAML entity id [{}] indicates that SAML responses should be signed", context.getAdaptor().getEntityId());
    val signedResponse = getConfigurationContext().getSamlObjectSigner().encode(samlResponse, registeredService, context.getAdaptor(), context.getHttpResponse(), context.getHttpRequest(), context.getBinding(), samlRequest, context.getMessageContext());
    SamlUtils.logSamlObject(openSamlConfigBean, signedResponse);
    return signedResponse;
}

/**
 * Resolves the entity id to place in the response's {@code Issuer}: the registered
 * service's configured issuer entity id when set, otherwise the IdP's own entity id
 * looked up from the IdP metadata resolver.
 *
 * @param context the profile builder context
 * @return the issuer entity id
 */
private String resolveIssuerEntityId(final SamlProfileBuilderContext context) {
    val registeredService = context.getRegisteredService();
    return FunctionUtils.doIf(StringUtils.isNotBlank(registeredService.getIssuerEntityId()),
        registeredService::getIssuerEntityId,
        Unchecked.supplier(() -> {
            val criteriaSet = new CriteriaSet(new EvaluableEntityRoleEntityDescriptorCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME), new SamlIdPSamlRegisteredServiceCriterion(registeredService));
            LOGGER.trace("Resolving entity id from SAML2 IdP metadata to determine issuer for [{}]", registeredService.getName());
            val entityDescriptor = Objects.requireNonNull(getConfigurationContext().getSamlIdPMetadataResolver().resolveSingle(criteriaSet));
            return entityDescriptor.getEntityID();
        })).get();
}
Use of org.opensaml.saml.saml2.core.Issuer in project cas by apereo.
The class ECPSamlIdPProfileHandlerController, method handleEcpRequest.
/**
 * Handles a SAML2 ECP (Enhanced Client or Proxy) request carried in a SOAP envelope.
 * <p>
 * The {@code AuthnRequest} taken from the message context is verified first; only
 * then is the supplied credential authenticated, after which a SAML response is
 * built for the request's issuer. Authentication failures and any other exception
 * are converted into an ECP fault response rather than propagated.
 *
 * @param context    the profile builder context holding the SOAP message context and the HTTP request/response
 * @param credential the credential presented with the ECP request
 * @throws Exception if building the fault response itself fails
 */
protected void handleEcpRequest(final SamlProfileBuilderContext context, final Credential credential) throws Exception {
    val messageContext = context.getMessageContext();
    LOGGER.debug("Handling ECP request for SOAP context [{}]", messageContext);
    val envelope = messageContext.getSubcontext(SOAP11Context.class).getEnvelope();
    SamlUtils.logSamlObject(getConfigurationContext().getOpenSamlConfigBean(), envelope);

    val authnRequest = (AuthnRequest) messageContext.getMessage();
    val authenticationContext = Pair.of(authnRequest, messageContext);
    try {
        // Validate the request before spending an authentication attempt on it.
        LOGGER.trace("Verifying ECP authentication request [{}]", authnRequest);
        val serviceRequest = verifySamlAuthenticationRequest(authenticationContext, context.getHttpRequest());

        LOGGER.trace("Attempting to authenticate ECP request for credential id [{}]", credential.getId());
        val authentication = authenticateEcpRequest(credential, authenticationContext);
        LOGGER.debug("Authenticated [{}] successfully with authenticated principal [{}]", credential.getId(), authentication.getPrincipal());

        LOGGER.trace("Building ECP SAML response for [{}]", credential.getId());
        val issuer = SamlIdPUtils.getIssuerFromSamlObject(authnRequest);
        val service = getConfigurationContext().getWebApplicationServiceFactory().createService(issuer);
        val casAssertion = buildCasAssertion(authentication, service, serviceRequest.getKey(), new LinkedHashMap<>(0));
        LOGGER.trace("CAS assertion to use for building ECP SAML2 response is [{}]", casAssertion);
        buildSamlResponse(context.getHttpResponse(), context.getHttpRequest(), authenticationContext, casAssertion, context.getBinding());
    } catch (final Exception e) {
        LoggingUtils.error(LOGGER, e);
        // NOTE(review): the fault reason is built from raw exception messages and is
        // sent back to the ECP client; keep handler messages free of internal detail.
        buildEcpFaultResponse(context, ecpFaultReason(e));
    }
}

/**
 * Derives the fault reason text for a failed ECP request: the comma-joined,
 * non-null handler error messages for an {@link AuthenticationException}, the
 * exception's own message for anything else.
 *
 * @param e the failure
 * @return the reason text (null when a non-authentication exception has no message)
 */
private static String ecpFaultReason(final Exception e) {
    if (e instanceof AuthenticationException) {
        val handlerErrors = ((AuthenticationException) e).getHandlerErrors().values();
        return handlerErrors.stream().map(Throwable::getMessage).filter(Objects::nonNull).collect(Collectors.joining(","));
    }
    return e.getMessage();
}
Use of org.opensaml.saml.saml2.core.Issuer in project cas by apereo.
The class SamlIdPSaml1ArtifactResolutionProfileHandlerController, method handlePostRequest.
/**
 * Resolves a SAML artifact presented in an {@code ArtifactResolve} over SOAP.
 * <p>
 * The requester is identified by the message's {@code Issuer}, which must map to a
 * registered SAML service with resolvable metadata; the message signature is
 * verified against that metadata before the ticket registry is consulted. The
 * artifact value is translated into a ticket id, the matching artifact ticket is
 * loaded, and a SAML response is built from the authentication held by the
 * ticket's ticket-granting ticket. Any failure is answered with a SAML fault
 * response that carries the exception message.
 *
 * @param response the http response the SOAP reply is written to
 * @param request  the http request carrying the SOAP envelope
 * @throws Exception if decoding the SOAP request or building the fault response itself fails
 */
@PostMapping(path = SamlIdPConstants.ENDPOINT_SAML1_SOAP_ARTIFACT_RESOLUTION)
protected void handlePostRequest(final HttpServletResponse response, final HttpServletRequest request) throws Exception {
    val messageContext = decodeSoapRequest(request);
    val artifactResolve = (ArtifactResolve) messageContext.getMessage();
    try {
        val issuer = Objects.requireNonNull(artifactResolve).getIssuer().getValue();
        val registeredService = verifySamlRegisteredService(issuer);
        val facade = getSamlMetadataFacadeFor(registeredService, artifactResolve)
            .orElseThrow(() -> new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "Cannot find metadata linked to " + issuer));

        // Signature verification runs before any registry access, so a request that
        // fails it never reaches the ticket lookup.
        verifyAuthenticationContextSignature(messageContext, request, artifactResolve, facade, registeredService);

        val artifactTicket = locateArtifactTicket(artifactResolve.getArtifact().getValue());
        // NOTE(review): nothing in this method ties the located ticket back to the
        // requesting issuer or consumes it; confirm that the ticket factory/registry
        // scope the artifact to the SP it was issued for and enforce single use.
        val issuerService = getConfigurationContext().getWebApplicationServiceFactory().createService(issuer);
        val casAssertion = buildCasAssertion(artifactTicket.getTicketGrantingTicket().getAuthentication(), issuerService, registeredService, CollectionUtils.wrap("artifact", artifactTicket));
        val buildContext = SamlProfileBuilderContext.builder()
            .samlRequest(artifactResolve)
            .httpRequest(request)
            .httpResponse(response)
            .authenticatedAssertion(casAssertion)
            .registeredService(registeredService)
            .adaptor(facade)
            .binding(SAMLConstants.SAML2_ARTIFACT_BINDING_URI)
            .messageContext(messageContext)
            .build();
        getConfigurationContext().getResponseBuilder().build(buildContext);
    } catch (final Exception e) {
        LoggingUtils.error(LOGGER, e);
        // The exception message is surfaced to the requester inside the fault response.
        request.setAttribute(SamlIdPConstants.REQUEST_ATTRIBUTE_ERROR, "Unable to build SOAP response: " + StringUtils.defaultString(e.getMessage()));
        val faultContext = SamlProfileBuilderContext.builder()
            .samlRequest(artifactResolve)
            .httpRequest(request)
            .httpResponse(response)
            .binding(SAMLConstants.SAML2_ARTIFACT_BINDING_URI)
            .messageContext(messageContext)
            .build();
        getConfigurationContext().getSamlFaultResponseBuilder().build(faultContext);
    }
}

/**
 * Loads the artifact ticket that backs the given artifact value.
 *
 * @param artifactId the artifact value taken from the {@code ArtifactResolve}
 * @return the artifact ticket
 * @throws InvalidTicketException if the registry holds no ticket for the derived id
 */
private SamlArtifactTicket locateArtifactTicket(final String artifactId) throws InvalidTicketException {
    val ticketFactory = (SamlArtifactTicketFactory) getConfigurationContext().getTicketFactory().get(SamlArtifactTicket.class);
    val ticketId = ticketFactory.createTicketIdFor(artifactId);
    val ticket = getConfigurationContext().getTicketRegistry().getTicket(ticketId, SamlArtifactTicket.class);
    if (ticket == null) {
        throw new InvalidTicketException(ticketId);
    }
    return ticket;
}
Use of org.opensaml.saml.saml2.core.Issuer in project cas by apereo.
The class AbstractSamlIdPProfileHandlerController, method singleSignOnSessionExists.
/**
 * Looks up the single sign-on session, if any, that may be reused for this request.
 * <p>
 * Yields an empty result when the {@code AuthnRequest} asks for forced
 * authentication, when no ticket-granting cookie value can be retrieved from the
 * request, when that value no longer maps to a ticket-granting ticket, or when the
 * single sign-on participation strategy does not support or declines participation
 * for this issuer. Otherwise the ticket-granting ticket is returned.
 *
 * @param pair     the SAML request, which must be an {@code AuthnRequest}, paired with its message context
 * @param request  the http request carrying the ticket-granting cookie
 * @param response the http response (not used by this method)
 * @return the reusable ticket-granting ticket, or empty
 */
protected Optional<TicketGrantingTicket> singleSignOnSessionExists(final Pair<? extends SignableSAMLObject, MessageContext> pair, final HttpServletRequest request, final HttpServletResponse response) {
    // Only AuthnRequest is handled here; any other SAML message type fails this cast.
    val authnRequest = (AuthnRequest) pair.getLeft();
    if (authnRequest.isForceAuthn()) {
        LOGGER.trace("Authentication request asks for forced authn. Ignoring existing single sign-on session, if any");
        return Optional.empty();
    }

    val cookieValue = configurationContext.getTicketGrantingTicketCookieGenerator().retrieveCookieValue(request);
    if (StringUtils.isBlank(cookieValue)) {
        LOGGER.trace("Single sign-on session cannot be found or determined. Ignoring single sign-on session");
        return Optional.empty();
    }
    val ticketGrantingTicket = configurationContext.getTicketRegistrySupport().getTicketGrantingTicket(cookieValue);
    if (ticketGrantingTicket == null) {
        LOGGER.debug("Authentication transaction linked to single sign-on session cannot determined.");
        return Optional.empty();
    }
    val authentication = ticketGrantingTicket.getAuthentication();
    LOGGER.debug("Located single sign-on authentication for principal [{}]", authentication.getPrincipal());

    val issuer = SamlIdPUtils.getIssuerFromSamlObject(authnRequest);
    val service = configurationContext.getWebApplicationServiceFactory().createService(issuer);
    val registeredService = configurationContext.getServicesManager().findServiceBy(service);
    // The TicketGrantingTicket attribute carries the raw cookie value, not the ticket object.
    val participationRequest = SingleSignOnParticipationRequest.builder()
        .httpServletRequest(request)
        .build()
        .attribute(Service.class.getName(), service)
        .attribute(RegisteredService.class.getName(), registeredService)
        .attribute(Issuer.class.getName(), issuer)
        .attribute(Authentication.class.getName(), authentication)
        .attribute(TicketGrantingTicket.class.getName(), cookieValue)
        .attribute(AuthnRequest.class.getName(), authnRequest);

    val participationStrategy = configurationContext.getSingleSignOnParticipationStrategy();
    LOGGER.debug("Checking for single sign-on participation for issuer [{}]", issuer);
    if (participationStrategy.supports(participationRequest) && participationStrategy.isParticipating(participationRequest)) {
        return Optional.of(ticketGrantingTicket);
    }
    return Optional.empty();
}