use of org.opensaml.saml.saml2.core.Statement in project cas by apereo.
the class SamlProfileSamlAttributeStatementBuilderTests method verifyAttributeAsNameIDSameAsSubject.
/**
 * An attribute whose per-service value type is configured as {@code NameIDType} must be
 * released as a {@code NameIDType} object instead of a plain string value.
 * <p>
 * Only the type of the emitted value is asserted here; equality with the subject's own
 * {@code NameID} (format, qualifiers, value) is not verified by this test.
 */
@Test
public void verifyAttributeAsNameIDSameAsSubject() throws Exception {
    val registeredService = getSamlRegisteredServiceForTestShib();
    registeredService.getAttributeValueTypes().put("customNameId", NameIDType.class.getSimpleName());

    val facade = SamlRegisteredServiceServiceProviderMetadataFacade
        .get(samlRegisteredServiceCachingMetadataResolver, registeredService, registeredService.getServiceId())
        .get();
    val context = SamlProfileBuilderContext.builder()
        .samlRequest(getAuthnRequestFor(registeredService))
        .httpRequest(new MockHttpServletRequest())
        .httpResponse(new MockHttpServletResponse())
        .authenticatedAssertion(getAssertion(Map.of("customNameId", List.of(UUID.randomUUID().toString()))))
        .registeredService(registeredService)
        .adaptor(facade)
        .binding(SAMLConstants.SAML2_POST_BINDING_URI)
        .build();

    val emitted = samlProfileSamlAttributeStatementBuilder.build(context).getAttributes();
    assertFalse(emitted.isEmpty());

    val customNameId = emitted.stream()
        .filter(attribute -> attribute.getName().equals("customNameId"))
        .findFirst();
    assertTrue(customNameId.isPresent());
    // The first value must be the NameID object, not its string form.
    assertTrue(customNameId.get().getAttributeValues().get(0) instanceof NameIDType);
}
use of org.opensaml.saml.saml2.core.Statement in project cas by apereo.
the class SamlProfileSamlAttributeStatementBuilderTests method verifyTestAttributeDefns.
/**
 * Attributes defined via the attribute definition store and the built-in catalog must still
 * surface in the statement when the principal only carries an attribute with an empty value
 * list (the builder skips such an attribute rather than emitting an empty SAML attribute).
 */
@Test
public void verifyTestAttributeDefns() throws Exception {
    val registeredService = getSamlRegisteredServiceForTestShib();
    val facade = SamlRegisteredServiceServiceProviderMetadataFacade
        .get(samlRegisteredServiceCachingMetadataResolver, registeredService, registeredService.getServiceId())
        .get();
    val context = SamlProfileBuilderContext.builder()
        .samlRequest(getAuthnRequestFor(registeredService))
        .httpRequest(new MockHttpServletRequest())
        .httpResponse(new MockHttpServletResponse())
        .authenticatedAssertion(getAssertion(Map.of("emptyAttributeCol", List.of())))
        .registeredService(registeredService)
        .adaptor(facade)
        .binding(SAMLConstants.SAML2_POST_BINDING_URI)
        .build();

    val emitted = samlProfileSamlAttributeStatementBuilder.build(context).getAttributes();
    assertFalse(emitted.isEmpty());

    // Expected names: one URN-mapped attribute plus three friendly-name-mapped ones.
    for (val expectedName : List.of("urn:oid:0.9.2342.19200300.100.1.3", "alias", "common-name", "nickname")) {
        assertTrue(emitted.stream().anyMatch(attribute -> attribute.getName().equals(expectedName)));
    }
}
use of org.opensaml.saml.saml2.core.Statement in project cas by apereo.
the class SamlProfileSamlAttributeStatementBuilder method newAttributeStatement.
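/**
 * Builds the SAML {@code AttributeStatement} for the given principal attributes.
 * <p>
 * Name resolution is layered, later layers overriding earlier ones: global response name
 * formats, then per-service name formats; global friendly names, then friendly names and
 * URNs from {@link SamlIdPAttributeDefinition}s in the attribute definition store, then
 * per-service friendly names, and finally the built-in catalog for any key still unnamed.
 * An attribute that resolves to a URN is emitted under that URN only; otherwise it is emitted
 * under every name the attribute definition store maps it to.
 * <p>
 * Two per-service attribute value types are treated specially: {@code NameIDType} replaces
 * the attribute value with a copy of the subject's NameID, and {@link NameID#PERSISTENT}
 * wraps the first attribute value in a persistent NameID with IdP/SP qualifiers.
 * Attributes whose value is an empty collection are skipped.
 *
 * @param context    the profile builder context (registered service, SP adaptor, request)
 * @param attributes the principal attributes to release, keyed by attribute name
 * @param builder    the attribute builder used to attach each attribute to the statement
 * @return the populated attribute statement
 * @throws Exception if a SAML object or attribute cannot be created
 */
public AttributeStatement newAttributeStatement(final SamlProfileBuilderContext context,
                                                final Map<String, Object> attributes,
                                                final Saml20AttributeBuilder builder) throws Exception {
    val attrStatement = SamlUtils.newSamlObject(AttributeStatement.class);
    val registeredService = context.getRegisteredService();
    val resp = samlIdPProperties.getResponse();

    val nameFormats = new HashMap<>(resp.configureAttributeNameFormats());
    nameFormats.putAll(registeredService.getAttributeNameFormats());

    val globalFriendlyNames = samlIdPProperties.getCore().getAttributeFriendlyNames();
    val friendlyNames = new HashMap<>(CollectionUtils.convertDirectedListToMap(globalFriendlyNames));
    val urns = new HashMap<String, String>();
    attributeDefinitionStore.getAttributeDefinitions()
        .stream()
        .filter(defn -> defn instanceof SamlIdPAttributeDefinition)
        .map(SamlIdPAttributeDefinition.class::cast)
        .forEach(defn -> {
            if (StringUtils.isNotBlank(defn.getFriendlyName())) {
                friendlyNames.put(defn.getKey(), defn.getFriendlyName());
            }
            if (StringUtils.isNotBlank(defn.getUrn())) {
                urns.put(defn.getKey(), defn.getUrn());
            }
        });
    // Per-service friendly names win over everything configured globally or in the store.
    friendlyNames.putAll(registeredService.getAttributeFriendlyNames());
    // The catalog only fills in keys that nothing above has already named.
    SamlIdPAttributeDefinitionCatalog.load()
        .filter(defn -> !friendlyNames.containsKey(defn.getKey()))
        .forEach(defn -> {
            friendlyNames.put(defn.getKey(), defn.getFriendlyName());
            urns.put(defn.getKey(), defn.getUrn());
        });

    for (val entry : attributes.entrySet()) {
        val originalValue = entry.getValue();
        if (originalValue instanceof Collection<?> && ((Collection<?>) originalValue).isEmpty()) {
            LOGGER.info("Skipping attribute [{}] because it does not have any values.", entry.getKey());
            continue;
        }
        val friendlyName = friendlyNames.get(entry.getKey());
        val attributeNames = urns.containsKey(entry.getKey())
            ? List.of(urns.get(entry.getKey()))
            : getMappedAttributeNamesFromAttributeDefinitionStore(entry);

        for (val name : attributeNames) {
            // Start from the principal's original value for every mapped name. The value type is
            // looked up per name, so a NameID produced for one name must not leak into the
            // attribute emitted under a sibling name (previously the rebinding outlived this loop).
            var attributeValue = originalValue;
            LOGGER.trace("Processing SAML attribute [{}] with value [{}], friendlyName [{}]", name, attributeValue, friendlyName);

            val valueType = registeredService.getAttributeValueTypes().get(name);
            if (NameIDType.class.getSimpleName().equalsIgnoreCase(valueType)) {
                // Copy the subject NameID field by field into a fresh object rather than reusing
                // the builder's instance (presumably already attached to the Subject).
                val nameIdObject = samlNameIdBuilder.build(context);
                if (nameIdObject instanceof NameID) {
                    val subjectNameId = (NameID) nameIdObject;
                    val nameID = newSamlObject(NameID.class);
                    nameID.setFormat(subjectNameId.getFormat());
                    nameID.setNameQualifier(subjectNameId.getNameQualifier());
                    nameID.setSPNameQualifier(subjectNameId.getSPNameQualifier());
                    nameID.setValue(subjectNameId.getValue());
                    attributeValue = nameID;
                }
            }
            if (NameID.PERSISTENT.equalsIgnoreCase(valueType)) {
                // Persistent NameID: IdP qualifier from metadata, SP qualifier from the service
                // configuration when set, else the SP's entity id; value is the first attribute value.
                val nameID = newSamlObject(NameID.class);
                nameID.setFormat(NameID.PERSISTENT);
                nameID.setNameQualifier(SamlIdPUtils.determineNameIdNameQualifier(registeredService, samlIdPMetadataResolver));
                FunctionUtils.doIf(StringUtils.isNotBlank(registeredService.getServiceProviderNameIdQualifier()),
                    value -> nameID.setSPNameQualifier(registeredService.getServiceProviderNameIdQualifier()),
                    value -> nameID.setSPNameQualifier(context.getAdaptor().getEntityId())).accept(registeredService);
                CollectionUtils.firstElement(attributeValue).ifPresent(value -> nameID.setValue(value.toString()));
                attributeValue = nameID;
            }

            // NOTE(review): attribute values are written to the log at trace/debug level and may
            // carry personal data; keep these levels disabled in production.
            LOGGER.debug("Creating SAML attribute [{}] with value [{}], friendlyName [{}]", name, attributeValue, friendlyName);
            val attribute = newAttribute(friendlyName, name, attributeValue, nameFormats,
                resp.getDefaultAttributeNameFormat(), registeredService.getAttributeValueTypes());
            LOGGER.trace("Created SAML attribute [{}] with NameID format [{}]", attribute.getName(), attribute.getNameFormat());
            builder.build(attrStatement, attribute);
        }
    }
    return attrStatement;
}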
use of org.opensaml.saml.saml2.core.Statement in project ddf by codice.
the class AttributeQueryClaimsHandler method createClaims.
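/**
 * Creates claims from the attributes carried in the assertion's first attribute statement.
 * <p>
 * Only the first {@code AttributeStatement} is consulted (an attribute query response is
 * expected to carry exactly one); any further statements are ignored. An attribute becomes a
 * claim when its name matches one of the supported claim types (case-insensitively); the claim
 * value is the text content of the attribute's DOM element, translated through
 * {@code attributeMap} when a mapping exists, otherwise used as-is. An assertion with no
 * attribute statement contributes no claims.
 *
 * @param claimsCollection the collection the created claims are added to
 * @param assertion the assertion from the attribute query response
 * @return {@code claimsCollection}, with any created claims added
 */
protected ClaimsCollection createClaims(ClaimsCollection claimsCollection, Assertion assertion) {
    List<AttributeStatement> attributeStatements = assertion.getAttributeStatements();
    if (attributeStatements == null || attributeStatements.isEmpty()) {
        // Nothing to extract; previously this path raised an IndexOutOfBoundsException.
        return claimsCollection;
    }
    // Should only contain one Attribute Statement.
    AttributeStatement attributeStatement = attributeStatements.get(0);
    for (Attribute attribute : attributeStatement.getAttributes()) {
        for (String claimType : supportedClaims) {
            if (claimType.equalsIgnoreCase(attribute.getName())) {
                // getTextContent() concatenates the text of every descendant node, so a
                // multi-valued attribute yields one fused value with no separator.
                // NOTE(review): getDOM() is only available when the object has a cached DOM —
                // confirm every caller hands in an unmarshalled, unmodified assertion.
                String claimValue = attribute.getDOM().getTextContent();
                claimsCollection.add(createSingleValuedClaim(claimType, attributeMap.getOrDefault(claimValue, claimValue)));
                break;
            }
        }
    }
    return claimsCollection;
}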
use of org.opensaml.saml.saml2.core.Statement in project ddf by codice.
the class LogoutRequestService method sendLogoutRequest.
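/**
 * Initiates a SAML single logout from the logout page.
 * <p>
 * {@code EncryptedNameIdTime} is the server-encrypted "{@code name\ntime}" token issued to the
 * logout page; it is only honoured while younger than {@code logOutPageTimeOut} milliseconds.
 * Session indexes are collected from the current IdP security token before {@link #logout()}
 * discards it, and are then carried in the outgoing {@code LogoutRequest}. Every failure path
 * produces a logout page response rather than an exception.
 * <p>
 * NOTE(review): the token binds only a name and an issue time, so within the timeout window a
 * captured token could be replayed against this GET endpoint, and a timestamp in the future also
 * passes the age check. Binding the token to the caller's session is worth confirming.
 *
 * @param encryptedNameIdTime encrypted, newline-separated name and issue timestamp (millis)
 * @return the logout request response, or an error logout page response
 */
@GET
@Path("/request")
public Response sendLogoutRequest(@QueryParam("EncryptedNameIdTime") String encryptedNameIdTime) {
    String nameIdTime = encryptionService.decrypt(encryptedNameIdTime);
    // split() yields null for a null input; treat that like a malformed token instead of
    // letting a NullPointerException escape as a server error.
    String[] nameIdTimeArray = StringUtils.split(nameIdTime, "\n");
    if (nameIdTimeArray == null || nameIdTimeArray.length != 2) {
        LOGGER.info(UNABLE_TO_DECRYPT_LOGOUT_REQUEST);
        return buildLogoutResponse(UNABLE_TO_DECRYPT_LOGOUT_REQUEST);
    }
    try {
        String name = nameIdTimeArray[0];
        long time = Long.parseLong(nameIdTimeArray[1]);
        if (System.currentTimeMillis() - time > logOutPageTimeOut) {
            String msg = String.format("Logout request was older than %sms old so it was rejected. Please refresh page and request again.", logOutPageTimeOut);
            LOGGER.info(msg);
            return buildLogoutResponse(msg);
        }
        Element idpSecToken = getIdpSecurityToken();
        if (idpSecToken == null) {
            LOGGER.info("Unable to logout. Please try again.");
            return buildLogoutResponse("Unable to logout. Please try again.");
        }
        // Logout removes the SAML assertion, so the session indexes must be read before logout().
        List<String> sessionIndexes = new SecurityAssertionSaml(idpSecToken).getAuthnStatements()
            .stream()
            .filter(Objects::nonNull)
            .map(AuthenticationStatement::getSessionIndex)
            .collect(Collectors.toList());
        logout();
        if (logoutMessage == null) {
            LOGGER.info("Logout message not available yet");
            return buildLogoutResponse(UNABLE_TO_CREATE_LOGOUT_REQUEST);
        }
        LogoutWrapper<LogoutRequest> logoutRequest = logoutMessage.buildLogoutRequest(name, getEntityId(), sessionIndexes);
        String relayState = relayStates.encode(name);
        return getLogoutRequest(relayState, logoutRequest);
    } catch (RuntimeException e) {
        // Covers NumberFormatException from the timestamp as well as failures building the request.
        LOGGER.info(UNABLE_TO_CREATE_LOGOUT_REQUEST, e);
        return buildLogoutResponse(UNABLE_TO_CREATE_LOGOUT_REQUEST);
    }
}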