use of org.opensaml.saml.saml2.core.SubjectConfirmation in project verify-hub by alphagov.
the class MatchingServiceHealthCheckRequestToSamlAttributeQueryTransformer method apply.
/**
 * Builds the SAML {@code AttributeQuery} sent to a matching service as a health check.
 * The query reuses the request id and issuer of {@code originalQuery}; its subject is the
 * persistent id as a {@code NameID}, qualified by the requesting SP entity id and its
 * assertion consumer service URL, plus one subject confirmation holding an empty
 * {@code SubjectConfirmationData}. No confirmation Method is set here.
 *
 * @param originalQuery the health-check request to transform
 * @return the populated attribute query, issued "now"
 */
public AttributeQuery apply(MatchingServiceHealthCheckRequest originalQuery) {
    final AttributeQuery query = samlObjectFactory.createAttributeQuery();
    final Issuer queryIssuer = samlObjectFactory.createIssuer(originalQuery.getIssuer());
    query.setID(originalQuery.getId());
    query.setIssuer(queryIssuer);
    query.setIssueInstant(DateTime.now());

    final Subject querySubject = samlObjectFactory.createSubject();

    // Persistent id becomes the NameID; the SP entity id and ACS URL act as its qualifiers.
    final NameID persistentNameId = samlObjectFactory.createNameId(originalQuery.getPersistentId().getNameId());
    persistentNameId.setSPNameQualifier(originalQuery.getAuthnRequestIssuerEntityId());
    persistentNameId.setNameQualifier(originalQuery.getAssertionConsumerServiceUrl().toASCIIString());
    querySubject.setNameID(persistentNameId);

    // A single confirmation with empty confirmation data and no Method attribute.
    final SubjectConfirmation confirmation = samlObjectFactory.createSubjectConfirmation();
    final SubjectConfirmationData confirmationData = samlObjectFactory.createSubjectConfirmationData();
    confirmation.setSubjectConfirmationData(confirmationData);
    querySubject.getSubjectConfirmations().add(confirmation);

    query.setSubject(querySubject);
    return query;
}
use of org.opensaml.saml.saml2.core.SubjectConfirmation in project cxf by apache.
the class CombinedValidatorTest method testWrappingAttack3.
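/**
 * XML signature wrapping case: a cloned, unsigned copy of the signed Assertion with a
 * changed Subject NameID ("bob") and a sender-vouches confirmation is inserted before the
 * genuine Assertion. Both validators must still run and the SSO validator must select the
 * signed Assertion, i.e. the parsed subject must be "alice", not the injected "bob".
 *
 * @throws Exception on any validation or marshalling failure
 */
@org.junit.Test
public void testWrappingAttack3() throws Exception {
    Document doc = DOMUtils.createDocument();
    Response response = createResponse(doc);
    Element responseElement = OpenSAMLUtil.toDom(response, doc);
    doc.appendChild(responseElement);
    assertNotNull(responseElement);

    // Get Assertion Element
    Element assertionElement =
        (Element) responseElement.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "Assertion").item(0);
    assertNotNull(assertionElement);

    // Clone it, strip the Signature, modify the Subject, change Subj Conf
    Element clonedAssertion = (Element) assertionElement.cloneNode(true);
    clonedAssertion.setAttributeNS(null, "ID", "_12345623562");
    Element sigElement =
        (Element) clonedAssertion.getElementsByTagNameNS(WSS4JConstants.SIG_NS, "Signature").item(0);
    clonedAssertion.removeChild(sigElement);

    Element subjElement =
        (Element) clonedAssertion.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "Subject").item(0);
    Element subjNameIdElement =
        (Element) subjElement.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "NameID").item(0);
    subjNameIdElement.setTextContent("bob");

    Element subjConfElement =
        (Element) subjElement.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "SubjectConfirmation").item(0);
    subjConfElement.setAttributeNS(null, "Method", SAML2Constants.CONF_SENDER_VOUCHES);

    // Now insert the modified cloned Assertion into the Response before actual assertion
    responseElement.insertBefore(clonedAssertion, assertionElement);

    Response marshalledResponse = (Response) OpenSAMLUtil.fromDom(responseElement);

    // Issuer keystore; the stream was previously left open, so close it once loaded.
    Crypto issuerCrypto = new Merlin();
    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
    ClassLoader loader = Loader.getClassLoader(CombinedValidatorTest.class);
    try (InputStream input = Merlin.loadInputStream(loader, "alice.jks")) {
        keyStore.load(input, "password".toCharArray());
    }
    ((Merlin) issuerCrypto).setKeyStore(keyStore);

    // Validate the Response
    SAMLProtocolResponseValidator validator = new SAMLProtocolResponseValidator();
    validator.validateSamlResponse(marshalledResponse, issuerCrypto, new KeystorePasswordCallback());

    // Test SSO validation
    SAMLSSOResponseValidator ssoValidator = new SAMLSSOResponseValidator();
    ssoValidator.setEnforceAssertionsSigned(false);
    ssoValidator.setIssuerIDP("http://cxf.apache.org/issuer");
    ssoValidator.setAssertionConsumerURL("http://recipient.apache.org");
    ssoValidator.setClientAddress("http://apache.org");
    ssoValidator.setRequestId("12345");
    ssoValidator.setSpIdentifier("http://service.apache.org");

    // Parse the response: the signed assertion, not the injected clone, must be chosen.
    SSOValidatorResponse ssoResponse = ssoValidator.validateSamlResponse(marshalledResponse, false);
    SamlAssertionWrapper parsedAssertion = new SamlAssertionWrapper(ssoResponse.getAssertionElement());
    assertEquals("alice", parsedAssertion.getSubjectName());
}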
use of org.opensaml.saml.saml2.core.SubjectConfirmation in project OpenAttestation by OpenAttestation.
the class SamlGenerator method createSubjectConfirmation.
/**
 * Creates the {@code SubjectConfirmation} for a host attestation assertion.
 * The confirmation uses the sender-vouches method, wraps the confirmation data built by
 * {@code createSubjectConfirmationData(host)} and names this issuer service as the
 * confirming party (unspecified NameID format).
 *
 * @param host the attested host; forwarded to {@code createSubjectConfirmationData}
 * @return the populated subject confirmation
 * @throws ConfigurationException propagated from confirmation-data creation
 * @throws UnknownHostException propagated from confirmation-data creation
 */
private SubjectConfirmation createSubjectConfirmation(TxtHost host) throws ConfigurationException, UnknownHostException {
    @SuppressWarnings("unchecked")
    final SAMLObjectBuilder<SubjectConfirmation> confirmationBuilder =
        (SAMLObjectBuilder<SubjectConfirmation>) builderFactory.getBuilder(SubjectConfirmation.DEFAULT_ELEMENT_NAME);
    final SubjectConfirmation confirmation = confirmationBuilder.buildObject();
    confirmation.setMethod(SubjectConfirmation.METHOD_SENDER_VOUCHES);
    confirmation.setSubjectConfirmationData(createSubjectConfirmationData(host));

    // The confirming NameID is this issuer's service name with no format or qualifier.
    // (A NameQualifier, or the X.509 subject of the host certificate instead of the
    // database host name, were considered here but are not used.)
    @SuppressWarnings("unchecked")
    final SAMLObjectBuilder<NameID> nameIdBuilder =
        (SAMLObjectBuilder<NameID>) builderFactory.getBuilder(NameID.DEFAULT_ELEMENT_NAME);
    final NameID confirmingId = nameIdBuilder.buildObject();
    confirmingId.setValue(issuerServiceName);
    confirmingId.setFormat(NameID.UNSPECIFIED);
    confirmation.setNameID(confirmingId);

    return confirmation;
}
use of org.opensaml.saml.saml2.core.SubjectConfirmation in project cas by apereo.
the class AbstractSaml20ObjectBuilder method newSubject.
/**
 * Builds a SAML {@code Subject} with a single bearer {@code SubjectConfirmation}.
 * Every optional argument is only written to the confirmation data when present
 * (non-blank string / non-null instant).
 *
 * @param nameId the subject NameID; omitted from the subject when {@code null}
 * @param recipient value for {@code SubjectConfirmationData/@Recipient}, if not blank
 * @param notOnOrAfter value for {@code @NotOnOrAfter}, if not null
 * @param inResponseTo value for {@code @InResponseTo}, if not blank
 * @param notBefore value for {@code @NotBefore}, if not null
 * @return the subject holding the bearer confirmation
 */
public Subject newSubject(final NameID nameId, final String recipient, final ZonedDateTime notOnOrAfter, final String inResponseTo, final ZonedDateTime notBefore) {
    LOGGER.debug("Building subject for NameID [{}] and recipient [{}], in response to [{}]", nameId, recipient, inResponseTo);

    final SubjectConfirmation bearerConfirmation = newSamlObject(SubjectConfirmation.class);
    bearerConfirmation.setMethod(SubjectConfirmation.METHOD_BEARER);

    final SubjectConfirmationData confirmationData = newSamlObject(SubjectConfirmationData.class);
    if (StringUtils.isNotBlank(recipient)) {
        confirmationData.setRecipient(recipient);
    }
    if (notOnOrAfter != null) {
        confirmationData.setNotOnOrAfter(DateTimeUtils.dateTimeOf(notOnOrAfter));
    }
    if (StringUtils.isNotBlank(inResponseTo)) {
        confirmationData.setInResponseTo(inResponseTo);
        // NOTE(review): inResponseTo (a request id) is resolved as a host name and the
        // result's host name is written to @Address. Per the SAML core spec @Address is
        // the presenter's network address; whether this lookup is intended, and what
        // InetAddressUtils.getByName returns for a non-resolvable id, should be confirmed.
        final InetAddress resolved = InetAddressUtils.getByName(inResponseTo);
        if (resolved != null) {
            confirmationData.setAddress(resolved.getHostName());
        }
    }
    if (notBefore != null) {
        confirmationData.setNotBefore(DateTimeUtils.dateTimeOf(notBefore));
    }
    bearerConfirmation.setSubjectConfirmationData(confirmationData);

    final Subject result = newSamlObject(Subject.class);
    if (nameId != null) {
        result.setNameID(nameId);
    }
    result.getSubjectConfirmations().add(bearerConfirmation);

    LOGGER.debug("Built subject [{}]", result);
    return result;
}
use of org.opensaml.saml.saml2.core.SubjectConfirmation in project pac4j by pac4j.
the class SAML2DefaultResponseValidator method validateSubject.
/**
 * Validate the given subject by finding a valid Bearer confirmation. If the subject is valid, put its nameID in the context.
 * <p>
 * NameID / BaseID / EncryptedID is first looked up directly in the Subject. If not present there, then all relevant
 * SubjectConfirmations are parsed and the IDs are taken from them.
 * <p>
 * The method returns on the first SubjectConfirmation whose Method is {@code bearer} and whose
 * SubjectConfirmationData passes {@code isValidBearerSubjectConfirmationData}; later confirmations are
 * not examined. If no confirmation qualifies, a {@link SAMLSubjectConfirmationException} is thrown even
 * when an identifier was found directly in the Subject, so a Subject without a valid bearer
 * confirmation is never accepted.
 *
 * @param subject The Subject from an assertion.
 * @param context SAML message context.
 * @param decrypter Decrypter used to decrypt some encrypted IDs, if they are present.
 * May be {@code null}, no decryption will be possible then.
 * @throws SAMLSubjectConfirmationException if no valid bearer SubjectConfirmation is present.
 */
@SuppressWarnings("unchecked")
protected final void validateSubject(final Subject subject, final SAML2MessageContext context, final Decrypter decrypter) {
    boolean samlIDFound = false;
    // Read NameID/BaseID/EncryptedID from the subject. If not present directly in the subject, try to find it in subject confirmations.
    NameID nameIdFromSubject = subject.getNameID();
    final BaseID baseIdFromSubject = subject.getBaseID();
    final EncryptedID encryptedIdFromSubject = subject.getEncryptedID();
    // Encrypted ID can overwrite the non-encrypted one, if present
    final NameID decryptedNameIdFromSubject = decryptEncryptedId(encryptedIdFromSubject, decrypter);
    if (decryptedNameIdFromSubject != null) {
        nameIdFromSubject = decryptedNameIdFromSubject;
    }
    // At least one should be present but we don't care at this point.
    if (nameIdFromSubject != null || baseIdFromSubject != null) {
        context.getSAMLSubjectNameIdentifierContext().setSubjectNameIdentifier(nameIdFromSubject);
        context.setBaseID(baseIdFromSubject);
        samlIDFound = true;
    }
    for (final SubjectConfirmation confirmation : subject.getSubjectConfirmations()) {
        // Only bearer confirmations with acceptable confirmation data (recipient, validity window,
        // InResponseTo, ... as checked by the helper) can satisfy this method.
        if (SubjectConfirmation.METHOD_BEARER.equals(confirmation.getMethod()) && isValidBearerSubjectConfirmationData(confirmation.getSubjectConfirmationData(), context)) {
            NameID nameIDFromConfirmation = confirmation.getNameID();
            final BaseID baseIDFromConfirmation = confirmation.getBaseID();
            final EncryptedID encryptedIDFromConfirmation = confirmation.getEncryptedID();
            // Encrypted ID can overwrite the non-encrypted one, if present
            final NameID decryptedNameIdFromConfirmation = decryptEncryptedId(encryptedIDFromConfirmation, decrypter);
            if (decryptedNameIdFromConfirmation != null) {
                nameIDFromConfirmation = decryptedNameIdFromConfirmation;
            }
            // Identifiers from the confirmation are used only as a fallback: an identifier already
            // taken from the Subject itself is never overwritten here. Note that the confirmation is
            // recorded in context.getSubjectConfirmations() only on this fallback path.
            if (!samlIDFound && (nameIDFromConfirmation != null || baseIDFromConfirmation != null)) {
                context.getSAMLSubjectNameIdentifierContext().setSubjectNameIdentifier(nameIDFromConfirmation);
                context.setBaseID(baseIDFromConfirmation);
                context.getSubjectConfirmations().add(confirmation);
                samlIDFound = true;
            }
            // A missing identifier is logged, not rejected; the bearer confirmation itself was valid.
            if (!samlIDFound) {
                logger.warn("Could not find any Subject NameID/BaseID/EncryptedID, neither directly in the Subject nor in any Subject " + "Confirmation.");
            }
            // First valid bearer confirmation wins; remaining confirmations are not inspected.
            return;
        }
    }
    // Reached only when no confirmation passed the bearer check above.
    throw new SAMLSubjectConfirmationException("Subject confirmation validation failed");
}