Use of org.opensaml.saml.saml2.core.Issuer in the Apereo CAS project.
Class AbstractSamlIdPProfileHandlerController, method verifySamlAuthenticationRequest.
/**
 * Verify an inbound SAML2 authentication request before anything acts on it.
 * <p>
 * The issuer named in the request is read before any signature check, so at that
 * point it is untrusted input: it is used only as a lookup key to find the registered
 * service and that service provider's metadata. Those two are then what
 * {@code verifyAuthenticationContextSignature} is handed to validate the request, and
 * the assertion consumer endpoint is resolved with the metadata facade rather than
 * taken straight from the request (presumably validated against the SP's declared
 * endpoints; confirm in {@code SamlIdPUtils.determineEndpointForRequest}). Callers
 * should rely on the returned pair, not the raw request, for anything trust-sensitive.
 *
 * @param authenticationContext pair of the decoded SAML request and its message context;
 *                              the request is expected to be an {@link AuthnRequest},
 *                              any other type fails the cast below
 * @param request               the current http request
 * @return the registered service and its metadata facade, once the request has been verified
 * @throws UnauthorizedServiceException if no metadata can be resolved for the issuer
 * @throws Exception                    propagated from the signature and endpoint checks
 */
protected Pair<SamlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade> verifySamlAuthenticationRequest(final Pair<? extends RequestAbstractType, MessageContext> authenticationContext, final HttpServletRequest request) throws Exception {
    val samlRequest = (AuthnRequest) authenticationContext.getLeft();
    val issuerId = SamlIdPUtils.getIssuerFromSamlObject(samlRequest);
    LOGGER.debug("Located issuer [{}] from authentication request", issuerId);

    // The registered service and its metadata come first; the signature is checked against them.
    val registeredService = verifySamlRegisteredService(issuerId);
    LOGGER.debug("Fetching SAML2 metadata adaptor for [{}]", issuerId);
    val metadataResolver = configurationContext.getSamlRegisteredServiceCachingMetadataResolver();
    val facade = SamlRegisteredServiceServiceProviderMetadataFacade.get(metadataResolver, registeredService, samlRequest)
        .orElseThrow(() -> {
            LOGGER.warn("No metadata could be found for [{}]", issuerId);
            return new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "Cannot find metadata linked to " + issuerId);
        });

    // Signature check against the SP metadata; the request is only trusted once this returns.
    verifyAuthenticationContextSignature(authenticationContext, request, samlRequest, facade, registeredService);

    val binding = determineProfileBinding(authenticationContext);
    val messageContext = authenticationContext.getRight();
    val endpoint = SamlIdPUtils.determineEndpointForRequest(Pair.of(samlRequest, messageContext), facade, binding);
    val endpointLocation = StringUtils.defaultIfBlank(endpoint.getResponseLocation(), endpoint.getLocation());
    LOGGER.debug("Determined SAML2 endpoint for authentication request as [{}]", endpointLocation);
    SamlUtils.logSamlObject(configurationContext.getOpenSamlConfigBean(), samlRequest);
    return Pair.of(registeredService, facade);
}
Use of org.opensaml.saml.saml2.core.Issuer in the Apereo CAS project.
Class BaseSamlRegisteredServiceAttributeReleasePolicy, method getEntityIdFromRequest.
/**
 * Determines the entity id of the service provider for which attributes are being released.
 * <p>
 * Sources are consulted in this order and the first hit wins: the {@code entityId}
 * service attribute, the provider-id service attribute, the issuer of a decoded
 * {@code SAMLRequest} service attribute, the {@code entityId} http request parameter,
 * and finally an {@code entityId} query parameter embedded in the CAS {@code service}
 * parameter. Every one of these originates from the client and none is authenticated
 * in this method, so the result is a lookup key (registered service, metadata), not
 * proof of who the caller is.
 *
 * @param selectedService the service selected for the current request; may be null
 * @return the entity id, or null when there is no current http request, no service,
 * or none of the sources yield a value (a malformed {@code service} url is logged
 * and also yields null)
 */
protected static String getEntityIdFromRequest(final Service selectedService) {
    val httpRequest = HttpRequestUtils.getHttpServletRequestFromRequestAttributes();
    if (httpRequest == null || selectedService == null) {
        LOGGER.debug("No http request could be identified to locate the entity id");
        return null;
    }
    LOGGER.debug("Attempting to determine entity id for service [{}]", selectedService);
    val serviceAttributes = selectedService.getAttributes();

    val entityIdValues = serviceAttributes.get(SamlProtocolConstants.PARAMETER_ENTITY_ID);
    if (entityIdValues != null && !entityIdValues.isEmpty()) {
        LOGGER.debug("Found entity id [{}] as a service attribute", entityIdValues);
        return CollectionUtils.firstElement(entityIdValues).map(Object::toString).orElseThrow();
    }

    val providerIdValues = serviceAttributes.get(SamlIdPConstants.PROVIDER_ID);
    if (providerIdValues != null && !providerIdValues.isEmpty()) {
        LOGGER.debug("Found provider entity id [{}] as a service attribute", providerIdValues);
        return CollectionUtils.firstElement(providerIdValues).map(Object::toString).orElseThrow();
    }

    val samlRequestValues = serviceAttributes.get(SamlProtocolConstants.PARAMETER_SAML_REQUEST);
    if (samlRequestValues != null && !samlRequestValues.isEmpty()) {
        val encodedRequest = CollectionUtils.firstElement(samlRequestValues).map(Object::toString).orElseThrow();
        return issuerOfEncodedSamlRequest(encodedRequest);
    }

    val entityIdParameter = httpRequest.getParameter(SamlProtocolConstants.PARAMETER_ENTITY_ID);
    if (StringUtils.isNotBlank(entityIdParameter)) {
        LOGGER.debug("Found entity id [{}] as a request parameter", entityIdParameter);
        return entityIdParameter;
    }

    // Last resort: an entityId query parameter carried inside the CAS service url.
    val serviceParameter = httpRequest.getParameter(CasProtocolConstants.PARAMETER_SERVICE);
    return FunctionUtils.doIf(StringUtils.isNotBlank(serviceParameter), () -> FunctionUtils.doAndHandle(ignored -> {
        val parsedServiceUrl = new URIBuilder(serviceParameter);
        return parsedServiceUrl.getQueryParams()
            .stream()
            .filter(param -> param.getName().equals(SamlProtocolConstants.PARAMETER_ENTITY_ID))
            .map(NameValuePair::getValue)
            .findFirst()
            .orElse(StringUtils.EMPTY);
    }, throwable -> {
        LoggingUtils.error(LOGGER, throwable);
        return null;
    }).apply(serviceParameter), () -> null).get();
}

/**
 * Decodes an encoded {@code SAMLRequest} value and returns the issuer it names.
 * No signature validation happens here; the issuer is whatever the sender put in
 * the request.
 *
 * @param encodedRequest the raw {@code SAMLRequest} value as received
 * @return the issuer of the decoded request
 */
private static String issuerOfEncodedSamlRequest(final String encodedRequest) {
    val applicationContext = ApplicationContextProvider.getApplicationContext();
    val metadataResolver = applicationContext.getBean(SamlRegisteredServiceCachingMetadataResolver.DEFAULT_BEAN_NAME, SamlRegisteredServiceCachingMetadataResolver.class);
    val openSamlConfigBean = metadataResolver.getOpenSamlConfigBean();
    val decodedRequest = SamlIdPUtils.retrieveSamlRequest(openSamlConfigBean, RequestAbstractType.class, encodedRequest);
    SamlUtils.logSamlObject(openSamlConfigBean, decodedRequest);
    val issuer = SamlIdPUtils.getIssuerFromSamlObject(decodedRequest);
    LOGGER.debug("Found entity id [{}] from SAML request issuer", issuer);
    return issuer;
}
Use of org.opensaml.saml.saml2.core.Issuer in the Apereo CAS project.
Class SSOSamlIdPPostSimpleSignProfileHandlerControllerTests, method getAuthnRequest.
/**
 * Builds a minimal SAML2 authentication request for the POST-SimpleSign binding whose
 * issuer is the test's registered service id. Nothing else is set on it here (no
 * signature, no ACS url); it exists only to drive the controller under test.
 *
 * @return the unsigned authentication request
 */
private AuthnRequest getAuthnRequest() {
    val builderFactory = openSamlConfigBean.getBuilderFactory();

    val issuerBuilder = (SAMLObjectBuilder) builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
    val issuer = (Issuer) issuerBuilder.buildObject();
    issuer.setValue(samlRegisteredService.getServiceId());

    val requestBuilder = (SAMLObjectBuilder) builderFactory.getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME);
    val authnRequest = (AuthnRequest) requestBuilder.buildObject();
    authnRequest.setProtocolBinding(SAMLConstants.SAML2_POST_SIMPLE_SIGN_BINDING_URI);
    authnRequest.setIssuer(issuer);
    return authnRequest;
}
Use of org.opensaml.saml.saml2.core.Issuer in the Apereo CAS project.
Class SamlIdPSingleSignOnParticipationStrategyTests, method verifyForcedAuthn.
/**
 * A request flagged {@code ForceAuthn} must still be recognised by the SAML strategy,
 * but must not be allowed to ride an existing SSO session.
 */
@Test
public void verifyForcedAuthn() {
    val requestContext = new MockRequestContext();
    val httpRequest = new MockHttpServletRequest();
    val httpResponse = new MockHttpServletResponse();
    val externalContext = new ServletExternalContext(new MockServletContext(), httpRequest, httpResponse);
    requestContext.setExternalContext(externalContext);
    RequestContextHolder.setRequestContext(requestContext);
    ExternalContextHolder.setExternalContext(externalContext);

    // Random issuer: the outcome here must not depend on any registered service.
    val issuerId = UUID.randomUUID().toString();
    val authnRequest = getAuthnRequestFor(issuerId);
    when(authnRequest.isForceAuthn()).thenReturn(Boolean.TRUE);

    val ssoRequest = SingleSignOnParticipationRequest.builder()
        .httpServletRequest(httpRequest)
        .requestContext(requestContext)
        .build()
        .attribute(AuthnRequest.class.getName(), authnRequest)
        .attribute(Issuer.class.getName(), issuerId);

    assertTrue(samlIdPSingleSignOnParticipationStrategy.supports(ssoRequest));
    assertFalse(samlIdPSingleSignOnParticipationStrategy.isParticipating(ssoRequest));
}
Use of org.opensaml.saml.saml2.core.Issuer in the Apereo CAS project.
Class SamlIdPConsentSingleSignOnParticipationStrategyTests, method verifyIdPNeedsConsentOperation.
/**
 * When the registered service releases an attribute ({@code uid}) that the principal
 * carries, the consent-aware strategy must report that SSO participation is not
 * allowed, i.e. the user has to be taken through consent first.
 */
@Test
public void verifyIdPNeedsConsentOperation() {
    val requestContext = new MockRequestContext();
    val httpRequest = new MockHttpServletRequest();
    val httpResponse = new MockHttpServletResponse();
    val externalContext = new ServletExternalContext(new MockServletContext(), httpRequest, httpResponse);
    requestContext.setExternalContext(externalContext);
    RequestContextHolder.setRequestContext(requestContext);
    ExternalContextHolder.setExternalContext(externalContext);

    val principal = RegisteredServiceTestUtils.getPrincipal("casuser", CollectionUtils.wrap("uid", "CAS-System"));
    val authentication = RegisteredServiceTestUtils.getAuthentication(principal);
    val ticketGrantingTicket = new MockTicketGrantingTicket(authentication);

    val issuerId = UUID.randomUUID().toString();
    val registeredService = SamlIdPTestUtils.getSamlRegisteredService(issuerId);
    // Release exactly the attribute the principal has, so there is something to consent to.
    registeredService.setAttributeReleasePolicy(new ReturnAllowedAttributeReleasePolicy(List.of("uid")));
    val service = RegisteredServiceTestUtils.getService(issuerId);
    val authnRequest = getAuthnRequestFor(issuerId);

    val ssoRequest = SingleSignOnParticipationRequest.builder()
        .httpServletRequest(httpRequest)
        .requestContext(requestContext)
        .build()
        .attribute(AuthnRequest.class.getName(), authnRequest)
        .attribute(Issuer.class.getName(), issuerId)
        .attribute(Service.class.getName(), service)
        .attribute(RegisteredService.class.getName(), registeredService)
        .attribute(Authentication.class.getName(), authentication)
        .attribute(TicketGrantingTicket.class.getName(), ticketGrantingTicket);

    assertFalse(singleSignOnParticipationStrategy.isParticipating(ssoRequest));
}