
Example 6 with RequestAbstractType

use of org.opensaml.saml.saml2.core.RequestAbstractType in project cas by apereo.

the class SamlIdPUtils method retrieveSamlRequest.

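/**
 * Retrieves the SAML request previously stored in the session, paired with the
 * {@link MessageContext} it was received in.
 * <p>
 * The serialized request is read from the session store under
 * {@code SamlProtocolConstants.PARAMETER_SAML_REQUEST} and the serialized message
 * context under {@code MessageContext.class.getName()}; if either is absent the
 * result is empty.
 *
 * @param context            the web context
 * @param sessionStore       the session store
 * @param openSamlConfigBean the open saml config bean
 * @param clazz              the expected request type (e.g. {@code AuthnRequest.class}, {@code LogoutRequest.class})
 * @return the request and its message context, or empty if they could not be found in the session
 * @throws ClassCastException if the message held by the stored context is not an instance of {@code clazz}
 */
public static Optional<Pair<? extends RequestAbstractType, MessageContext>> retrieveSamlRequest(final WebContext context, final SessionStore sessionStore, final OpenSamlConfigBean openSamlConfigBean, final Class<? extends RequestAbstractType> clazz) {
    LOGGER.trace("Retrieving authentication request from scope");
    val authnContext = sessionStore.get(context, SamlProtocolConstants.PARAMETER_SAML_REQUEST)
        .map(String.class::cast)
        .map(value -> retrieveSamlRequest(openSamlConfigBean, clazz, value))
        .flatMap(authnRequest -> sessionStore.get(context, MessageContext.class.getName())
            .map(String.class::cast)
            .map(result -> SamlIdPAuthenticationContext.decode(result).toMessageContext(authnRequest)));
    // Cast to the type the caller asked for instead of hard-coding AuthnRequest; a caller passing
    // LogoutRequest.class would otherwise always fail here with a ClassCastException.
    return authnContext.map(ctx -> Pair.of(clazz.cast(ctx.getMessage()), ctx));
}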

Example 7 with RequestAbstractType

use of org.opensaml.saml.saml2.core.RequestAbstractType in project cas by apereo.

the class SamlIdPSingleLogoutRedirectionStrategy method supports.

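/**
 * Decides whether this strategy applies to the current logout request.
 * <p>
 * It applies only when the registered service resolved from the request is a
 * {@link SamlRegisteredService}, sending logout responses is enabled both globally
 * and for that service, a single logout request is present, and that request does
 * not carry the {@code aslo:Asynchronous} extension (an asynchronous logout must not
 * be answered with a LogoutResponse).
 *
 * @param request the webflow request context
 * @return {@code true} if this strategy should handle the redirection
 */
@Override
public boolean supports(final RequestContext context) {
    val request = WebUtils.getHttpServletRequestFromExternalWebflowContext(context);
    val registeredService = WebUtils.getRegisteredService(request);
    if (!(registeredService instanceof SamlRegisteredService)) {
        return false;
    }
    // instanceof above already excludes null, so no separate null check is needed
    val samlRegisteredService = (SamlRegisteredService) registeredService;
    val logout = configurationContext.getCasProperties().getAuthn().getSamlIdp().getLogout();
    val sloRequest = WebUtils.getSingleLogoutRequest(request);
    // Only decode the logout request when one is actually present; Optional.map already
    // drops a null Extensions element, so no extra non-null filter is required.
    val asynchronous = StringUtils.isNotBlank(sloRequest)
        && getLogoutRequest(request)
            .map(RequestAbstractType::getExtensions)
            .stream()
            .anyMatch(extensions -> !extensions.getUnknownXMLObjects(Asynchronous.DEFAULT_ELEMENT_NAME).isEmpty());
    return logout.isSendLogoutResponse()
        && samlRegisteredService.isLogoutResponseEnabled()
        && sloRequest != null
        && !asynchronous;
}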

Example 8 with RequestAbstractType

use of org.opensaml.saml.saml2.core.RequestAbstractType in project cas by apereo.

the class SamlIdPUtils method getAssertionConsumerServiceFromRequest.

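/**
 * Builds an {@link AssertionConsumerService} endpoint from the ACS URL or ACS index
 * carried by an authentication request.
 * <p>
 * Only {@link AuthnRequest} carries this information; any other request type yields
 * {@code null}. When the request supplies only an index, the URL is resolved through
 * the service provider's metadata facade for the given binding.
 *
 * @param request the SAML request
 * @param binding the binding the endpoint is built for
 * @param adapter the service provider metadata facade used to resolve an ACS index to a URL
 * @return the endpoint, or {@code null} if the request is not an {@code AuthnRequest},
 *         carries neither URL nor index, or the index cannot be resolved
 */
private static AssertionConsumerService getAssertionConsumerServiceFromRequest(final RequestAbstractType request, final String binding, final SamlRegisteredServiceServiceProviderMetadataFacade adapter) {
    if (!(request instanceof AuthnRequest)) {
        return null;
    }
    val authnRequest = AuthnRequest.class.cast(request);
    var acsUrl = authnRequest.getAssertionConsumerServiceURL();
    val acsIndex = authnRequest.getAssertionConsumerServiceIndex();
    if (StringUtils.isBlank(acsUrl)) {
        if (acsIndex == null) {
            LOGGER.debug("No assertion consumer service url or index is supplied in the authentication request");
            return null;
        }
        // Log the binding being looked up; the original passed the (blank) url in its place.
        LOGGER.debug("Locating assertion consumer service url for binding [{}] and index [{}]", binding, acsIndex);
        acsUrl = adapter.getAssertionConsumerServiceFor(binding, acsIndex).orElseGet(() -> {
            LOGGER.warn("Unable to locate acs url in for entity [{}] and binding [{}] with index [{}]", adapter.getEntityId(), binding, acsIndex);
            return null;
        });
    }
    if (StringUtils.isBlank(acsUrl)) {
        return null;
    }
    LOGGER.debug("Fetched assertion consumer service url [{}] with binding [{}] from authentication request", acsUrl, binding);
    // NOTE(review): a URL supplied directly by the request is used as-is here; confirm the caller
    // validates it against the SP's registered metadata before the response is sent to it.
    val builder = new AssertionConsumerServiceBuilder();
    val endpoint = builder.buildObject(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
    endpoint.setBinding(binding);
    endpoint.setResponseLocation(acsUrl);
    endpoint.setLocation(acsUrl);
    endpoint.setIndex(acsIndex);
    return endpoint;
}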

Example 9 with RequestAbstractType

use of org.opensaml.saml.saml2.core.RequestAbstractType in project cas by apereo.

the class AbstractSamlIdPProfileHandlerController method retrieveAuthenticationRequest.

/**
 * Retrieves the SAML authentication request for the current callback from the session store.
 * The incoming request URI is logged at INFO level; calls are serialized by lombok's
 * {@code @Synchronized}.
 *
 * @param response the http response
 * @param request  the http request
 * @return the authentication request paired with its message context
 * @throws IllegalArgumentException if no SAML request or message context is stored in the session
 */
@Synchronized
protected final Pair<? extends RequestAbstractType, MessageContext> retrieveAuthenticationRequest(final HttpServletResponse response, final HttpServletRequest request) {
    LOGGER.info("Received SAML callback profile request [{}]", request.getRequestURI());
    val webContext = new JEEContext(request, response);
    val sessionStore = configurationContext.getSessionStore();
    val openSamlConfigBean = configurationContext.getOpenSamlConfigBean();
    val samlRequest = SamlIdPUtils.retrieveSamlRequest(webContext, sessionStore, openSamlConfigBean, AuthnRequest.class);
    if (!samlRequest.isPresent()) {
        throw new IllegalArgumentException("SAML request or context could not be determined from session store");
    }
    return samlRequest.get();
}

Example 10 with RequestAbstractType

use of org.opensaml.saml.saml2.core.RequestAbstractType in project cas by apereo.

the class AbstractSamlIdPProfileHandlerController method buildResponseBasedSingleSignOnSession.

/**
 * Build response based single sign on session.
 * The http response before encoding the SAML response is reset
 * to ensure a clean slate from previous attempts, specially
 * when requests/responses are produced rapidly.
 * <p>
 * Steps, in order: resolve the CAS service from the request issuer, look up its
 * registered service, enforce the service access strategy (which throws if access
 * is denied), build the CAS assertion, resolve the profile binding, reset the HTTP
 * response, issue and register a service ticket, and finally encode the SAML response.
 *
 * @param context              the pair of SAML request and its message context; the left side must be an {@link AuthnRequest}
 * @param ticketGrantingTicket the ticket-granting ticket whose authentication is asserted
 * @param request              the request
 * @param response             the response
 * @throws Exception the exception, including the access-strategy exception when the service is not allowed
 */
protected void buildResponseBasedSingleSignOnSession(final Pair<? extends RequestAbstractType, MessageContext> context, final TicketGrantingTicket ticketGrantingTicket, final HttpServletRequest request, final HttpServletResponse response) throws Exception {
    // Only AuthnRequests are handled here; any other request type fails with a ClassCastException.
    val authnRequest = (AuthnRequest) context.getLeft();
    val id = SamlIdPUtils.getIssuerFromSamlObject(authnRequest);
    val service = configurationContext.getWebApplicationServiceFactory().createService(id);
    service.getAttributes().put(SamlProtocolConstants.PARAMETER_ENTITY_ID, CollectionUtils.wrapList(id));
    val registeredService = configurationContext.getServicesManager().findServiceBy(service, SamlRegisteredService.class);
    val audit = AuditableContext.builder().service(service).authentication(ticketGrantingTicket.getAuthentication()).registeredService(registeredService).httpRequest(request).httpResponse(response).build();
    val accessResult = configurationContext.getRegisteredServiceAccessStrategyEnforcer().execute(audit);
    // Enforce the service access strategy before any assertion or ticket is produced.
    accessResult.throwExceptionIfNeeded();
    val assertion = buildCasAssertion(ticketGrantingTicket.getAuthentication(), service, registeredService, Map.of());
    val authenticationContext = buildAuthenticationContextPair(request, response, context);
    val binding = determineProfileBinding(authenticationContext);
    val messageContext = authenticationContext.getRight();
    // NOTE(review): the relay state is read from and written back to the same message context,
    // which looks like a no-op unless setRelayState normalizes the value — confirm intent.
    val relayState = SAMLBindingSupport.getRelayState(messageContext);
    SAMLBindingSupport.setRelayState(authenticationContext.getRight(), relayState);
    // Discard anything already written to the response (see class-level note above) before encoding.
    response.reset();
    val factory = (ServiceTicketFactory) getConfigurationContext().getTicketFactory().get(ServiceTicket.class);
    // The third argument is presumably the "credentials provided" flag — confirm against ServiceTicketFactory.
    val st = factory.create(ticketGrantingTicket, service, false, ServiceTicket.class);
    // Register the new service ticket and persist the TGT, which the factory presumably updated.
    getConfigurationContext().getTicketRegistry().addTicket(st);
    getConfigurationContext().getTicketRegistry().updateTicket(ticketGrantingTicket);
    buildSamlResponse(response, request, authenticationContext, assertion, binding);
}
