Example 26 with Response
use of org.opensaml.saml.saml2.core.Response in project cas by apereo.
the class AbstractSamlProfileHandlerController method issueAuthenticationRequestRedirect.
/**
* Redirect request for authentication.
*
* @param pair the pair
* @param request the request
* @param response the response
* @throws Exception the exception
*/
protected void issueAuthenticationRequestRedirect(final Pair<? extends SignableSAMLObject, MessageContext> pair, final HttpServletRequest request, final HttpServletResponse response) throws Exception {
final AuthnRequest authnRequest = AuthnRequest.class.cast(pair.getLeft());
final String serviceUrl = constructServiceUrl(request, response, pair);
LOGGER.debug("Created service url [{}]", serviceUrl);
final String initialUrl = CommonUtils.constructRedirectUrl(casProperties.getServer().getLoginUrl(), CasProtocolConstants.PARAMETER_SERVICE, serviceUrl, authnRequest.isForceAuthn(), authnRequest.isPassive());
final String urlToRedirectTo = buildRedirectUrlByRequestedAuthnContext(initialUrl, authnRequest, request);
LOGGER.debug("Redirecting SAML authN request to [{}]", urlToRedirectTo);
final AuthenticationRedirectStrategy authenticationRedirectStrategy = new DefaultAuthenticationRedirectStrategy();
authenticationRedirectStrategy.redirect(request, response, urlToRedirectTo);
}
Also used :
DefaultAuthenticationRedirectStrategy(org.jasig.cas.client.authentication.DefaultAuthenticationRedirectStrategy)
AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest)
DefaultAuthenticationRedirectStrategy(org.jasig.cas.client.authentication.DefaultAuthenticationRedirectStrategy)
AuthenticationRedirectStrategy(org.jasig.cas.client.authentication.AuthenticationRedirectStrategy)
Example 27 with Response
use of org.opensaml.saml.saml2.core.Response in project cas by apereo.
the class IdPInitiatedProfileHandlerController method handleIdPInitiatedSsoRequest.
/**
* Handle idp initiated sso requests.
*
* @param response the response
* @param request the request
* @throws Exception the exception
*/
@GetMapping(path = SamlIdPConstants.ENDPOINT_SAML2_IDP_INIT_PROFILE_SSO)
protected void handleIdPInitiatedSsoRequest(final HttpServletResponse response, final HttpServletRequest request) throws Exception {
// The name (i.e., the entity ID) of the service provider.
final String providerId = CommonUtils.safeGetParameter(request, SamlIdPConstants.PROVIDER_ID);
if (StringUtils.isBlank(providerId)) {
LOGGER.warn("No providerId parameter given in unsolicited SSO authentication request.");
throw new MessageDecodingException("No providerId parameter given in unsolicited SSO authentication request.");
}
final SamlRegisteredService registeredService = verifySamlRegisteredService(providerId);
final Optional<SamlRegisteredServiceServiceProviderMetadataFacade> adaptor = getSamlMetadataFacadeFor(registeredService, providerId);
if (!adaptor.isPresent()) {
throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "Cannot find metadata linked to " + providerId);
}
// The URL of the response location at the SP (called the "Assertion Consumer Service")
// but can be omitted in favor of the IdP picking the default endpoint location from metadata.
String shire = CommonUtils.safeGetParameter(request, SamlIdPConstants.SHIRE);
final SamlRegisteredServiceServiceProviderMetadataFacade facade = adaptor.get();
if (StringUtils.isBlank(shire)) {
LOGGER.warn("Resolving service provider assertion consumer service URL for [{}] and binding [{}]", providerId, SAMLConstants.SAML2_POST_BINDING_URI);
@NonNull final AssertionConsumerService acs = facade.getAssertionConsumerService(SAMLConstants.SAML2_POST_BINDING_URI);
shire = acs.getLocation();
}
if (StringUtils.isBlank(shire)) {
LOGGER.warn("Unable to resolve service provider assertion consumer service URL for AuthnRequest construction for entityID: [{}]", providerId);
throw new MessageDecodingException("Unable to resolve SP ACS URL for AuthnRequest construction");
}
// The target resource at the SP, or a state token generated by an SP to represent the resource.
final String target = CommonUtils.safeGetParameter(request, SamlIdPConstants.TARGET);
// A timestamp to help with stale request detection.
final String time = CommonUtils.safeGetParameter(request, SamlIdPConstants.TIME);
final SAMLObjectBuilder builder = (SAMLObjectBuilder) configBean.getBuilderFactory().getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME);
final AuthnRequest authnRequest = (AuthnRequest) builder.buildObject();
authnRequest.setAssertionConsumerServiceURL(shire);
final SAMLObjectBuilder isBuilder = (SAMLObjectBuilder) configBean.getBuilderFactory().getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
final Issuer issuer = (Issuer) isBuilder.buildObject();
issuer.setValue(providerId);
authnRequest.setIssuer(issuer);
authnRequest.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI);
final SAMLObjectBuilder pBuilder = (SAMLObjectBuilder) configBean.getBuilderFactory().getBuilder(NameIDPolicy.DEFAULT_ELEMENT_NAME);
final NameIDPolicy nameIDPolicy = (NameIDPolicy) pBuilder.buildObject();
nameIDPolicy.setAllowCreate(Boolean.TRUE);
authnRequest.setNameIDPolicy(nameIDPolicy);
if (NumberUtils.isCreatable(time)) {
authnRequest.setIssueInstant(new DateTime(TimeUnit.SECONDS.convert(Long.parseLong(time), TimeUnit.MILLISECONDS), ISOChronology.getInstanceUTC()));
} else {
authnRequest.setIssueInstant(new DateTime(DateTime.now(), ISOChronology.getInstanceUTC()));
}
authnRequest.setForceAuthn(Boolean.FALSE);
if (StringUtils.isNotBlank(target)) {
request.setAttribute(SamlProtocolConstants.PARAMETER_SAML_RELAY_STATE, target);
}
final MessageContext ctx = new MessageContext();
ctx.setAutoCreateSubcontexts(true);
if (facade.isAuthnRequestsSigned()) {
samlObjectSigner.encode(authnRequest, registeredService, facade, response, request, SAMLConstants.SAML2_POST_BINDING_URI);
}
ctx.setMessage(authnRequest);
ctx.getSubcontext(SAMLBindingContext.class, true).setHasBindingSignature(false);
final Pair<SignableSAMLObject, MessageContext> pair = Pair.of(authnRequest, ctx);
initiateAuthenticationRequest(pair, response, request);
}
Also used :
SAMLBindingContext(org.opensaml.saml.common.messaging.context.SAMLBindingContext)
SAMLObjectBuilder(org.opensaml.saml.common.SAMLObjectBuilder)
Issuer(org.opensaml.saml.saml2.core.Issuer)
NameIDPolicy(org.opensaml.saml.saml2.core.NameIDPolicy)
SamlRegisteredServiceServiceProviderMetadataFacade(org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade)
UnauthorizedServiceException(org.apereo.cas.services.UnauthorizedServiceException)
DateTime(org.joda.time.DateTime)
MessageDecodingException(org.opensaml.messaging.decoder.MessageDecodingException)
AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest)
SignableSAMLObject(org.opensaml.saml.common.SignableSAMLObject)
SamlRegisteredService(org.apereo.cas.support.saml.services.SamlRegisteredService)
NonNull(lombok.NonNull)
AssertionConsumerService(org.opensaml.saml.saml2.metadata.AssertionConsumerService)
MessageContext(org.opensaml.messaging.context.MessageContext)
GetMapping(org.springframework.web.bind.annotation.GetMapping)
Example 28 with Response
use of org.opensaml.saml.saml2.core.Response in project cas by apereo.
the class BaseSamlResponseEncoder method encode.
/**
* Encode.
*
* @param samlResponse the saml response
* @param relayState the relay state
* @return the response
* @throws SamlException the saml exception
*/
@SneakyThrows
public final Response encode(final Response samlResponse, final String relayState) throws SamlException {
if (httpResponse != null) {
final BaseSAML2MessageEncoder encoder = getMessageEncoderInstance();
encoder.setHttpServletResponse(httpResponse);
final MessageContext ctx = getEncoderMessageContext(samlResponse, relayState);
encoder.setMessageContext(ctx);
finalizeEncode(encoder, samlResponse, relayState);
}
return samlResponse;
}
Also used :
BaseSAML2MessageEncoder(org.opensaml.saml.saml2.binding.encoding.impl.BaseSAML2MessageEncoder)
MessageContext(org.opensaml.messaging.context.MessageContext)
SneakyThrows(lombok.SneakyThrows)
Example 29 with Response
use of org.opensaml.saml.saml2.core.Response in project cas by apereo.
the class SamlResponseArtifactEncoder method finalizeEncode.
@Override
protected void finalizeEncode(final BaseSAML2MessageEncoder e, final Response samlResponse, final String relayState) throws Exception {
final HTTPArtifactEncoder encoder = (HTTPArtifactEncoder) e;
encoder.setArtifactMap(this.samlArtifactMap);
final MessageContext ctx = getEncoderMessageContext(samlResponse, relayState);
prepareArtifactContext(samlResponse, ctx);
encoder.setMessageContext(ctx);
super.finalizeEncode(encoder, samlResponse, relayState);
}
Also used :
MessageContext(org.opensaml.messaging.context.MessageContext)
HTTPArtifactEncoder(org.opensaml.saml.saml2.binding.encoding.impl.HTTPArtifactEncoder)
Example 30 with Response
use of org.opensaml.saml.saml2.core.Response in project cas by apereo.
the class BaseSamlProfileSamlResponseBuilder method encryptAssertion.
/**
* Encrypt assertion.
*
* @param assertion the assertion
* @param request the request
* @param response the response
* @param service the service
* @param adaptor the adaptor
* @return the saml object
* @throws SamlException the saml exception
*/
protected SAMLObject encryptAssertion(final Assertion assertion, final HttpServletRequest request, final HttpServletResponse response, final SamlRegisteredService service, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor) throws SamlException {
if (service.isEncryptAssertions()) {
LOGGER.debug("SAML service [{}] requires assertions to be encrypted", adaptor.getEntityId());
final EncryptedAssertion encryptedAssertion = this.samlObjectEncrypter.encode(assertion, service, adaptor, response, request);
return encryptedAssertion;
}
LOGGER.debug("SAML registered service [{}] does not require assertions to be encrypted", adaptor.getEntityId());
return assertion;
}
Also used :
EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion)
Aggregations
Response (org.opensaml.saml.saml2.core.Response)241
Test (org.junit.jupiter.api.Test)183
ResponseBuilder.aResponse (uk.gov.ida.saml.core.test.builders.ResponseBuilder.aResponse)94
Assertion (org.opensaml.saml.saml2.core.Assertion)82
EncryptedAssertion (org.opensaml.saml.saml2.core.EncryptedAssertion)61
LogoutResponse (org.opensaml.saml.saml2.core.LogoutResponse)52
Element (org.w3c.dom.Element)51
Status (org.opensaml.saml.saml2.core.Status)50
Document (org.w3c.dom.Document)43
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)42
DateTime (org.joda.time.DateTime)42
Response (javax.ws.rs.core.Response)38
AuthnRequest (org.opensaml.saml.saml2.core.AuthnRequest)34
lombok.val (lombok.val)32
ArgumentMatchers.anyString (org.mockito.ArgumentMatchers.anyString)30
Issuer (org.opensaml.saml.saml2.core.Issuer)30
SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)27
Test (org.junit.Test)26
IOException (java.io.IOException)25
LogoutRequest (org.opensaml.saml.saml2.core.LogoutRequest)24
