
Example 1 with NameIDBuilder

Use of org.opensaml.saml.saml2.core.impl.NameIDBuilder in project pac4j by pac4j. Note that this example never instantiates NameIDBuilder directly: it obtains the builder from the OpenSAML builder factory via `builderFactory.getBuilder(NameID.DEFAULT_ELEMENT_NAME)`.

From class SAML2LogoutRequestBuilder, method buildLogoutRequest:

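/**
 * Builds the SAML 2.0 {@code LogoutRequest} that this SP sends to the IdP's SingleLogoutService.
 *
 * The subject of the request (NameID and SessionIndex) is copied from the SAML2 profile stored for
 * the current web session, so it is bound to the user who actually authenticated rather than to
 * anything a caller could supply. When no SAML2 profile is present the request is returned without
 * a NameID/SessionIndex; callers must decide whether such a request is usable.
 *
 * @param context                  message context; supplies the SP entity id and the web context
 * @param assertionConsumerService not used by this method; kept for signature compatibility
 * @param ssoService               the IdP SingleLogoutService endpoint the request is destined for
 * @return the populated, not yet signed, LogoutRequest
 */
@SuppressWarnings("unchecked")
protected final LogoutRequest buildLogoutRequest(final SAML2MessageContext context, final AssertionConsumerService assertionConsumerService, final SingleLogoutService ssoService) {
    final SAMLObjectBuilder<LogoutRequest> builder = (SAMLObjectBuilder<LogoutRequest>) this.builderFactory.getBuilder(LogoutRequest.DEFAULT_ELEMENT_NAME);
    final LogoutRequest request = builder.buildObject();
    final SAMLSelfEntityContext selfContext = context.getSAMLSelfEntityContext();
    request.setID(generateID());
    request.setIssuer(getIssuer(selfContext.getEntityId()));
    // The configured skew is added so an IdP whose clock lags ours does not reject the message as issued in the future.
    request.setIssueInstant(DateTime.now(DateTimeZone.UTC).plusSeconds(this.issueInstantSkewSeconds));
    request.setVersion(SAMLVersion.VERSION_20);
    // Destination must equal the endpoint the IdP receives the message on; it comes from IdP metadata, not from the caller.
    request.setDestination(ssoService.getLocation());
    // NOTE: the original author flagged this lookup ("very very bad"): a message builder reaching into the
    // web session through ProfileManager couples message construction to session state. It is kept because
    // the stored profile is the only trustworthy source of the NameID the IdP issued for this session.
    final ProfileManager manager = new ProfileManager(context.getWebContext());
    final Optional<UserProfile> profile = manager.get(true);
    if (profile.isPresent() && profile.get() instanceof SAML2Profile) {
        final SAML2Profile samlProfile = (SAML2Profile) profile.get();
        // NameID: reproduce exactly what the IdP issued (value, format and all qualifiers), otherwise the IdP
        // cannot match the logout request to the session it created.
        final SAMLObjectBuilder<NameID> nameIdBuilder = (SAMLObjectBuilder<NameID>) this.builderFactory.getBuilder(NameID.DEFAULT_ELEMENT_NAME);
        final NameID nameId = nameIdBuilder.buildObject();
        nameId.setValue(samlProfile.getId());
        nameId.setFormat(samlProfile.getSamlNameIdFormat());
        nameId.setNameQualifier(samlProfile.getSamlNameIdNameQualifier());
        nameId.setSPNameQualifier(samlProfile.getSamlNameIdSpNameQualifier());
        nameId.setSPProvidedID(samlProfile.getSamlNameIdSpProviderId());
        request.setNameID(nameId);
        // SessionIndex: only emitted when the profile actually carries one. A null attribute used to produce an
        // empty <SessionIndex/> element, which references no session; omitting the element instead asks the IdP
        // to terminate all sessions it holds for the principal.
        final String sessionIndexValue = (String) samlProfile.getAttribute("sessionindex");
        if (sessionIndexValue != null) {
            final SAMLObjectBuilder<SessionIndex> sessionIndexBuilder = (SAMLObjectBuilder<SessionIndex>) this.builderFactory.getBuilder(SessionIndex.DEFAULT_ELEMENT_NAME);
            final SessionIndex sessionIndex = sessionIndexBuilder.buildObject();
            sessionIndex.setSessionIndex(sessionIndexValue);
            request.getSessionIndexes().add(sessionIndex);
        }
    }
    return request;
}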
Also used : ProfileManager(org.pac4j.core.profile.ProfileManager) SAMLSelfEntityContext(org.opensaml.saml.common.messaging.context.SAMLSelfEntityContext) UserProfile(org.pac4j.core.profile.UserProfile) SAMLObjectBuilder(org.opensaml.saml.common.SAMLObjectBuilder) NameID(org.opensaml.saml.saml2.core.NameID) SAML2Profile(org.pac4j.saml.profile.SAML2Profile) SessionIndex(org.opensaml.saml.saml2.core.SessionIndex) LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest)

Example 2 with NameIDBuilder

use of org.opensaml.saml.saml2.core.impl.NameIDBuilder in project syncope by apache.

From class SAML2SPLogic, method createLogoutRequest:

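/**
 * Creates a signed SAML 2.0 {@code LogoutRequest} for the IdP that authenticated the given access token.
 *
 * Flow: (1) verify the access token's JWS signature, (2) resolve the IdP named in the token claims and
 * its SingleLogoutService, (3) build the LogoutRequest from the NameID / SessionIndex claims recorded at
 * login, (4) mint a JWT RelayState bound to the request ID, (5) sign and encode the message for the IdP's binding.
 *
 * @param accessToken the Syncope JWT issued at SAML login; its signature is verified here
 * @param spEntityID  value used as the {@code Issuer} of the LogoutRequest
 * @return transfer object holding the encoded request, its RelayState, the binding and, for the
 *         HTTP-Redirect binding only, the detached signature and signature algorithm
 * @throws IllegalArgumentException if the token signature is invalid or the IdP has no SingleLogoutService
 * @throws NotFoundException        if the token does not name a known IdP or carries no NameID to log out
 * @throws SyncopeClientException   wrapping any failure while generating the RelayState or signing/encoding
 */
@PreAuthorize("isAuthenticated() and not(hasRole('" + StandardEntitlement.ANONYMOUS + "'))")
public SAML2RequestTO createLogoutRequest(final String accessToken, final String spEntityID) {
    check();

    // 1. verify the access token issued at SAML login; only the JWS signature is checked here.
    // NOTE(review): expiry/not-before of the token are not validated in this method, and the token is
    // caller-supplied rather than derived from the authenticated principal - confirm both are enforced upstream.
    JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(accessToken);
    if (!consumer.verifySignatureWith(jwsSignatureVerifier)) {
        throw new IllegalArgumentException("Invalid signature found in Access Token");
    }

    // 2. resolve the IdP recorded in the token and make sure it advertises a SingleLogoutService
    String idpEntityID = (String) consumer.getJwtClaims().getClaim(JWT_CLAIM_IDP_ENTITYID);
    if (idpEntityID == null) {
        throw new NotFoundException("No SAML 2.0 IdP information found in the access token");
    }
    SAML2IdPEntity idp = cache.get(idpEntityID);
    if (idp == null) {
        throw new NotFoundException("SAML 2.0 IdP '" + idpEntityID + "'");
    }
    if (idp.getSLOLocation(idp.getBindingType()) == null) {
        throw new IllegalArgumentException("No SingleLogoutService available for " + idp.getId());
    }

    // The NameID to log out comes from the claims the IdP asserted at login, never from the caller.
    // A LogoutRequest without a subject is not a valid SAML message, so fail before building one.
    String nameIDValue = (String) consumer.getJwtClaims().getClaim(JWT_CLAIM_NAMEID_VALUE);
    if (nameIDValue == null) {
        throw new NotFoundException("No SAML 2.0 NameID found in the access token");
    }

    // 3. build the LogoutRequest
    LogoutRequest logoutRequest = new LogoutRequestBuilder().buildObject();
    logoutRequest.setID("_" + UUID_GENERATOR.generate().toString());
    // Destination must be the IdP endpoint the message is delivered to; it is taken from IdP metadata.
    logoutRequest.setDestination(idp.getSLOLocation(idp.getBindingType()).getLocation());
    DateTime now = new DateTime();
    logoutRequest.setIssueInstant(now);
    // NotOnOrAfter bounds how long the signed request stays acceptable to the IdP.
    logoutRequest.setNotOnOrAfter(now.plusMinutes(5));

    Issuer issuer = new IssuerBuilder().buildObject();
    issuer.setValue(spEntityID);
    logoutRequest.setIssuer(issuer);

    NameID nameID = new NameIDBuilder().buildObject();
    nameID.setFormat((String) consumer.getJwtClaims().getClaim(JWT_CLAIM_NAMEID_FORMAT));
    nameID.setValue(nameIDValue);
    logoutRequest.setNameID(nameID);

    // SessionIndex is optional: omit it when login recorded none (an empty <SessionIndex/> would
    // reference no session); without it the IdP is asked to end all sessions of the principal.
    String sessionIndexValue = (String) consumer.getJwtClaims().getClaim(JWT_CLAIM_SESSIONINDEX);
    if (sessionIndexValue != null) {
        SessionIndex sessionIndex = new SessionIndexBuilder().buildObject();
        sessionIndex.setSessionIndex(sessionIndexValue);
        logoutRequest.getSessionIndexes().add(sessionIndex);
    }

    SAML2RequestTO requestTO = new SAML2RequestTO();
    requestTO.setIdpServiceAddress(logoutRequest.getDestination());
    requestTO.setBindingType(idp.getBindingType());
    try {
        // 4. RelayState is a short-lived JWT bound to this request's ID so the LogoutResponse can be correlated.
        Map<String, Object> claims = new HashMap<>();
        // HTTP-Redirect always DEFLATE-encodes; for other bindings follow the per-IdP configuration.
        claims.put(JWT_CLAIM_IDP_DEFLATE, idp.getBindingType() == SAML2BindingType.REDIRECT || idp.isUseDeflateEncoding());
        Triple<String, String, Date> relayState = accessTokenDataBinder.generateJWT(logoutRequest.getID(), JWT_RELAY_STATE_DURATION, claims);
        requestTO.setRelayState(relayState.getMiddle());

        // 5. sign and encode the LogoutRequest
        switch (idp.getBindingType()) {
            case REDIRECT:
                // Redirect binding: detached signature computed by saml2rw over the encoded content and RelayState.
                requestTO.setContent(saml2rw.encode(logoutRequest, true));
                requestTO.setSignAlg(saml2rw.getSigAlgo());
                requestTO.setSignature(saml2rw.sign(requestTO.getContent(), requestTO.getRelayState()));
                break;
            case POST:
            default:
                // POST (and any other) binding: signature embedded in the XML message before encoding.
                saml2rw.sign(logoutRequest);
                requestTO.setContent(saml2rw.encode(logoutRequest, idp.isUseDeflateEncoding()));
        }
    } catch (Exception e) {
        // API boundary: surface a client-facing error, keep the full cause in the server log.
        LOG.error("While generating LogoutRequest", e);
        SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
        sce.getElements().add(e.getMessage());
        throw sce;
    }
    return requestTO;
}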
Also used : SessionIndexBuilder(org.opensaml.saml.saml2.core.impl.SessionIndexBuilder) SAML2RequestTO(org.apache.syncope.common.lib.to.SAML2RequestTO) Issuer(org.opensaml.saml.saml2.core.Issuer) NameID(org.opensaml.saml.saml2.core.NameID) HashMap(java.util.HashMap) SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException) NotFoundException(org.apache.syncope.core.persistence.api.dao.NotFoundException) XSString(org.opensaml.core.xml.schema.XSString) DateTime(org.joda.time.DateTime) Date(java.util.Date) SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException) NotFoundException(org.apache.syncope.core.persistence.api.dao.NotFoundException) NameIDBuilder(org.opensaml.saml.saml2.core.impl.NameIDBuilder) LogoutRequestBuilder(org.opensaml.saml.saml2.core.impl.LogoutRequestBuilder) SAML2IdPEntity(org.apache.syncope.core.logic.saml2.SAML2IdPEntity) SessionIndex(org.opensaml.saml.saml2.core.SessionIndex) JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer) LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest) XMLObject(org.opensaml.core.xml.XMLObject) IssuerBuilder(org.opensaml.saml.saml2.core.impl.IssuerBuilder) PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)

Example 3 with NameIDBuilder

Use of NameIDBuilder in project webcert by sklintyg. Note: webcert's import list below shows the OpenSAML 2 class `org.opensaml.saml2.core.impl.NameIDBuilder`, not the OpenSAML 3 package `org.opensaml.saml.saml2.core.impl` named in this page's title.

From class FakeElegAuthenticationProvider, method createSamlCredential:

/**
 * Assembles a {@link SAMLCredential} from fake e-leg credentials so the rest of the SAML pipeline
 * can be exercised without a real IdP.
 *
 * The synthetic assertion carries the e-leg authentication context reference and the three CGI
 * e-leg attributes (person id, first name, middle+last name) copied from the fake credentials.
 * The NameID value is the {@code toString()} of the credentials object. The credential is created
 * with "fake-idp" and "webcert" as remote and local entity ids, in Spring SAML's constructor order.
 *
 * NOTE(review): this provider fabricates an unsigned assertion; whether it is excluded from
 * production wiring is not visible here and must be confirmed.
 *
 * @param token the authentication whose credentials are a {@link FakeElegCredentials}
 * @return credential wrapping the synthetic assertion
 */
private SAMLCredential createSamlCredential(Authentication token) {
    FakeElegCredentials fake = (FakeElegCredentials) token.getCredentials();

    NameID subject = new NameIDBuilder().buildObject();
    subject.setValue(token.getCredentials().toString());

    AttributeStatement attributes = new AttributeStatementBuilder().buildObject();
    attributes.getAttributes().add(createAttribute(CgiElegAssertion.PERSON_ID_ATTRIBUTE, fake.getPersonId()));
    attributes.getAttributes().add(createAttribute(CgiElegAssertion.FORNAMN_ATTRIBUTE, fake.getFirstName()));
    attributes.getAttributes().add(createAttribute(CgiElegAssertion.MELLAN_OCH_EFTERNAMN_ATTRIBUTE, fake.getLastName()));

    Assertion assertion = new AssertionBuilder().buildObject();
    attachAuthenticationContext(assertion, FAKE_AUTHENTICATION_ELEG_CONTEXT_REF);
    assertion.getAttributeStatements().add(attributes);

    return new SAMLCredential(subject, assertion, "fake-idp", "webcert");
}
Also used : NameIDBuilder(org.opensaml.saml2.core.impl.NameIDBuilder) AttributeStatementBuilder(org.opensaml.saml2.core.impl.AttributeStatementBuilder) SAMLCredential(org.springframework.security.saml.SAMLCredential) NameID(org.opensaml.saml2.core.NameID) AttributeStatement(org.opensaml.saml2.core.AttributeStatement) Assertion(org.opensaml.saml2.core.Assertion) AssertionBuilder(org.opensaml.saml2.core.impl.AssertionBuilder)

Example 4 with NameIDBuilder

Use of NameIDBuilder in project webcert by sklintyg. Note: as in the previous example, the class actually imported is the OpenSAML 2 `org.opensaml.saml2.core.impl.NameIDBuilder`.

From class CommonFakeAuthenticationProvider, method createSamlCredential:

/**
 * Assembles a {@link SAMLCredential} from fake SITHS credentials so the SAML pipeline can be
 * exercised without a real IdP.
 *
 * The synthetic assertion carries the SITHS authentication context reference and a single HSA id
 * attribute copied from the fake credentials. The NameID value is the {@code toString()} of the
 * credentials object. "fake-idp" and "webcert" are passed as remote and local entity ids, in
 * Spring SAML's constructor order.
 *
 * NOTE(review): this provider fabricates an unsigned assertion; whether it is excluded from
 * production wiring is not visible here and must be confirmed.
 *
 * @param token the authentication whose credentials are a {@link FakeCredentials}
 * @return credential wrapping the synthetic assertion
 */
private SAMLCredential createSamlCredential(Authentication token) {
    FakeCredentials fake = (FakeCredentials) token.getCredentials();

    NameID subject = new NameIDBuilder().buildObject();
    subject.setValue(token.getCredentials().toString());

    AttributeStatement attributes = new AttributeStatementBuilder().buildObject();
    addAttribute(attributes, BaseSakerhetstjanstAssertion.HSA_ID_ATTRIBUTE, fake.getHsaId());

    Assertion assertion = new AssertionBuilder().buildObject();
    attachAuthenticationContext(assertion, FAKE_AUTHENTICATION_SITHS_CONTEXT_REF);
    assertion.getAttributeStatements().add(attributes);

    return new SAMLCredential(subject, assertion, "fake-idp", "webcert");
}
Also used : NameIDBuilder(org.opensaml.saml2.core.impl.NameIDBuilder) AttributeStatementBuilder(org.opensaml.saml2.core.impl.AttributeStatementBuilder) FakeCredentials(se.inera.intyg.webcert.web.auth.fake.FakeCredentials) SAMLCredential(org.springframework.security.saml.SAMLCredential) NameID(org.opensaml.saml2.core.NameID) AttributeStatement(org.opensaml.saml2.core.AttributeStatement) Assertion(org.opensaml.saml2.core.Assertion) BaseSakerhetstjanstAssertion(se.inera.intyg.infra.security.siths.BaseSakerhetstjanstAssertion) AssertionBuilder(org.opensaml.saml2.core.impl.AssertionBuilder)

Example 5 with NameIDBuilder

Use of NameIDBuilder in project cloudstack by apache. Note: cloudstack's import list below shows the OpenSAML 2 class `org.opensaml.saml2.core.impl.NameIDBuilder`, not the OpenSAML 3 package named in this page's title.

From test class SAML2LoginAPIAuthenticatorCmdTest, method buildMockResponse:

/**
 * Builds a minimal, unsigned SAML {@code Response} fixture for unit tests: a Success status and one
 * assertion holding a persistent NameID, an AuthnStatement with a session index and an empty
 * AttributeStatement.
 *
 * All values are placeholders ("foo", "MockedIssuer", epoch issue instant). Nothing is signed and no
 * Conditions are set, so the fixture only makes sense for code paths that already trust the message
 * or that mock validation separately.
 *
 * @return the populated mock response
 * @throws Exception declared by the original signature; nothing in the body is expected to throw
 */
private Response buildMockResponse() throws Exception {
    Issuer issuer = new IssuerBuilder().buildObject();
    issuer.setValue("MockedIssuer");

    StatusCode code = new StatusCodeBuilder().buildObject();
    code.setValue(StatusCode.SUCCESS_URI);
    Status status = new StatusBuilder().buildObject();
    status.setStatusCode(code);

    NameID nameID = new NameIDBuilder().buildObject();
    nameID.setValue("SOME-UNIQUE-ID");
    nameID.setFormat(NameIDType.PERSISTENT);
    Subject subject = new SubjectBuilder().buildObject();
    subject.setNameID(nameID);

    AuthnStatement authn = new AuthnStatementBuilder().buildObject();
    authn.setSessionIndex("Some Session String");

    Assertion assertion = new AssertionBuilder().buildObject();
    assertion.setSubject(subject);
    assertion.getAuthnStatements().add(authn);
    assertion.getAttributeStatements().add(new AttributeStatementBuilder().buildObject());

    Response response = new ResponseBuilder().buildObject();
    response.setID("foo");
    response.setVersion(SAMLVersion.VERSION_20);
    response.setIssueInstant(new DateTime(0));
    response.setIssuer(issuer);
    response.setStatus(status);
    response.getAssertions().add(assertion);
    return response;
}
Also used : Status(org.opensaml.saml2.core.Status) AttributeStatementBuilder(org.opensaml.saml2.core.impl.AttributeStatementBuilder) StatusCodeBuilder(org.opensaml.saml2.core.impl.StatusCodeBuilder) Issuer(org.opensaml.saml2.core.Issuer) NameID(org.opensaml.saml2.core.NameID) Assertion(org.opensaml.saml2.core.Assertion) AssertionBuilder(org.opensaml.saml2.core.impl.AssertionBuilder) AuthnStatementBuilder(org.opensaml.saml2.core.impl.AuthnStatementBuilder) StatusCode(org.opensaml.saml2.core.StatusCode) DateTime(org.joda.time.DateTime) Subject(org.opensaml.saml2.core.Subject) Response(org.opensaml.saml2.core.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) NameIDBuilder(org.opensaml.saml2.core.impl.NameIDBuilder) AttributeStatement(org.opensaml.saml2.core.AttributeStatement) AuthnStatement(org.opensaml.saml2.core.AuthnStatement) StatusBuilder(org.opensaml.saml2.core.impl.StatusBuilder) IssuerBuilder(org.opensaml.saml2.core.impl.IssuerBuilder) ResponseBuilder(org.opensaml.saml2.core.impl.ResponseBuilder) SubjectBuilder(org.opensaml.saml2.core.impl.SubjectBuilder)
