Search in sources :

Example 46 with Request

use of org.opensaml.saml.saml2.ecp.Request in project cas by apereo.

the class SamlProfileSamlAssertionBuilder method build.

@Override
public Assertion build(final AuthnRequest authnRequest, final HttpServletRequest request, final HttpServletResponse response, final org.jasig.cas.client.validation.Assertion casAssertion, final SamlRegisteredService service, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor) throws SamlException {
    final List<Statement> statements = new ArrayList<>();
    statements.add(this.samlProfileSamlAuthNStatementBuilder.build(authnRequest, request, response, casAssertion, service, adaptor));
    statements.add(this.samlProfileSamlAttributeStatementBuilder.build(authnRequest, request, response, casAssertion, service, adaptor));
    final String id = '_' + String.valueOf(Math.abs(new SecureRandom().nextLong()));
    final Assertion assertion = newAssertion(statements, casProperties.getAuthn().getSamlIdp().getEntityId(), ZonedDateTime.now(ZoneOffset.UTC), id);
    assertion.setSubject(this.samlProfileSamlSubjectBuilder.build(authnRequest, request, response, casAssertion, service, adaptor));
    assertion.setConditions(this.samlProfileSamlConditionsBuilder.build(authnRequest, request, response, casAssertion, service, adaptor));
    signAssertion(assertion, request, response, service, adaptor);
    return assertion;
}
Also used : AuthnStatement(org.opensaml.saml.saml2.core.AuthnStatement) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) Statement(org.opensaml.saml.saml2.core.Statement) ArrayList(java.util.ArrayList) Assertion(org.opensaml.saml.saml2.core.Assertion) SecureRandom(java.security.SecureRandom)

Example 47 with Request

use of org.opensaml.saml.saml2.ecp.Request in project cas by apereo.

the class SamlProfileSamlAuthNStatementBuilder method buildAuthnStatement.

/**
     * Creates an authentication statement for the current request.
     *
     * @param assertion    the assertion
     * @param authnRequest the authn request
     * @param adaptor      the adaptor
     * @param service      the service
     * @return constructed authentication statement
     * @throws SamlException the saml exception
     */
private AuthnStatement buildAuthnStatement(final Assertion assertion, final AuthnRequest authnRequest, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final SamlRegisteredService service) throws SamlException {
    final String authenticationMethod = this.authnContextClassRefBuilder.build(assertion, authnRequest, adaptor, service);
    final String id = '_' + String.valueOf(Math.abs(new SecureRandom().nextLong()));
    final AuthnStatement statement = newAuthnStatement(authenticationMethod, DateTimeUtils.zonedDateTimeOf(assertion.getAuthenticationDate()), id);
    if (assertion.getValidUntilDate() != null) {
        final ZonedDateTime dt = DateTimeUtils.zonedDateTimeOf(assertion.getValidUntilDate());
        statement.setSessionNotOnOrAfter(DateTimeUtils.dateTimeOf(dt.plusSeconds(casProperties.getAuthn().getSamlIdp().getResponse().getSkewAllowance())));
    }
    statement.setSubjectLocality(buildSubjectLocality(assertion, authnRequest, adaptor));
    return statement;
}
Also used : ZonedDateTime(java.time.ZonedDateTime) AuthnStatement(org.opensaml.saml.saml2.core.AuthnStatement) SecureRandom(java.security.SecureRandom)

Example 48 with Request

use of org.opensaml.saml.saml2.ecp.Request in project cas by apereo.

the class SamlProfileSamlNameIdBuilder method buildNameId.

/**
     * Build name id.
     * If there are no explicitly defined NameIDFormats, include the default format.
     * see: http://saml2int.org/profile/current/#section92
     *
     * @param authnRequest the authn request
     * @param assertion    the assertion
     * @param service      the service
     * @param adaptor      the adaptor
     * @return the name id
     * @throws SamlException the saml exception
     */
private NameID buildNameId(final AuthnRequest authnRequest, final Assertion assertion, final SamlRegisteredService service, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor) throws SamlException {
    final List<String> supportedNameFormats = adaptor.getSupportedNameIdFormats();
    LOGGER.debug("Metadata for [{}] declares support for the following NameIDs [{}]", adaptor.getEntityId(), supportedNameFormats);
    if (supportedNameFormats.isEmpty()) {
        supportedNameFormats.add(NameIDType.TRANSIENT);
        LOGGER.debug("No supported nameId formats could be determined from metadata. Added default [{}]", NameIDType.TRANSIENT);
    }
    if (StringUtils.isNotBlank(service.getRequiredNameIdFormat())) {
        final String fmt = parseAndBuildRequiredNameIdFormat(service);
        supportedNameFormats.add(0, fmt);
        LOGGER.debug("Added required nameId format [{}] based on saml service configuration for [{}]", fmt, service.getServiceId());
    }
    String requiredNameFormat = null;
    if (authnRequest.getNameIDPolicy() != null) {
        requiredNameFormat = authnRequest.getNameIDPolicy().getFormat();
        LOGGER.debug("AuthN request indicates [{}] is the required NameID format", requiredNameFormat);
        if (NameID.ENCRYPTED.equals(requiredNameFormat)) {
            LOGGER.warn("Encrypted NameID formats are not supported");
            requiredNameFormat = null;
        }
    }
    if (StringUtils.isNotBlank(requiredNameFormat) && !supportedNameFormats.contains(requiredNameFormat)) {
        LOGGER.warn("Required NameID format [{}] in the AuthN request issued by [{}] is not supported based on the metadata for [{}]", requiredNameFormat, SamlIdPUtils.getIssuerFromSamlRequest(authnRequest), adaptor.getEntityId());
        throw new SamlException("Required NameID format cannot be provided because it is not supported");
    }
    for (final String nameFormat : supportedNameFormats) {
        try {
            LOGGER.debug("Evaluating NameID format [{}]", nameFormat);
            final SAML2StringNameIDEncoder encoder = new SAML2StringNameIDEncoder();
            encoder.setNameFormat(nameFormat);
            if (authnRequest.getNameIDPolicy() != null) {
                final String qualifier = authnRequest.getNameIDPolicy().getSPNameQualifier();
                LOGGER.debug("NameID qualifier is set to [{}]", qualifier);
                encoder.setNameQualifier(qualifier);
            }
            final IdPAttribute attribute = new IdPAttribute(AttributePrincipal.class.getName());
            final IdPAttributeValue<String> value = new StringAttributeValue(assertion.getPrincipal().getName());
            LOGGER.debug("NameID attribute value is set to [{}]", assertion.getPrincipal().getName());
            attribute.setValues(Collections.singletonList(value));
            LOGGER.debug("Encoding NameID based on [{}]", nameFormat);
            final NameID nameid = encoder.encode(attribute);
            LOGGER.debug("Final NameID encoded is [{}] with value [{}]", nameid.getFormat(), nameid.getValue());
            return nameid;
        } catch (final Exception e) {
            LOGGER.error(e.getMessage(), e);
        }
    }
    return null;
}
Also used : NameID(org.opensaml.saml.saml2.core.NameID) SamlException(org.apereo.cas.support.saml.SamlException) IdPAttribute(net.shibboleth.idp.attribute.IdPAttribute) StringAttributeValue(net.shibboleth.idp.attribute.StringAttributeValue) SAML2StringNameIDEncoder(net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringNameIDEncoder) AttributePrincipal(org.jasig.cas.client.authentication.AttributePrincipal) SamlException(org.apereo.cas.support.saml.SamlException)

Example 49 with Request

use of org.opensaml.saml.saml2.ecp.Request in project cas by apereo.

the class SamlProfileSamlSubjectBuilder method buildSubject.

private Subject buildSubject(final HttpServletRequest request, final HttpServletResponse response, final AuthnRequest authnRequest, final Assertion assertion, final SamlRegisteredService service, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor) throws SamlException {
    final NameID nameID = this.ssoPostProfileSamlNameIdBuilder.build(authnRequest, request, response, assertion, service, adaptor);
    final ZonedDateTime validFromDate = ZonedDateTime.ofInstant(assertion.getValidFromDate().toInstant(), ZoneOffset.UTC);
    final Subject subject = newSubject(nameID.getFormat(), nameID.getValue(), authnRequest.getAssertionConsumerServiceURL(), validFromDate.plusSeconds(this.skewAllowance), authnRequest.getID());
    subject.setNameID(nameID);
    return subject;
}
Also used : NameID(org.opensaml.saml.saml2.core.NameID) ZonedDateTime(java.time.ZonedDateTime) Subject(org.opensaml.saml.saml2.core.Subject)

Example 50 with Request

use of org.opensaml.saml.saml2.ecp.Request in project cas by apereo.

the class SamlProfileSamlSoap11ResponseBuilder method buildResponse.

@Override
protected Envelope buildResponse(final Assertion assertion, final org.jasig.cas.client.validation.Assertion casAssertion, final AuthnRequest authnRequest, final SamlRegisteredService service, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final HttpServletRequest request, final HttpServletResponse response) throws SamlException {
    final Response ecpResponse = newEcpResponse(adaptor.getAssertionConsumerService().getLocation());
    final Header header = newSoapObject(Header.class);
    header.getUnknownXMLObjects().add(ecpResponse);
    final Body body = newSoapObject(Body.class);
    final org.opensaml.saml.saml2.core.Response saml2Response = (org.opensaml.saml.saml2.core.Response) saml2ResponseBuilder.build(authnRequest, request, response, casAssertion, service, adaptor);
    body.getUnknownXMLObjects().add(saml2Response);
    final Envelope envelope = newSoapObject(Envelope.class);
    envelope.setHeader(header);
    envelope.setBody(body);
    return envelope;
}
Also used : HttpServletResponse(javax.servlet.http.HttpServletResponse) Response(org.opensaml.saml.saml2.ecp.Response) Header(org.opensaml.soap.soap11.Header) Envelope(org.opensaml.soap.soap11.Envelope) Body(org.opensaml.soap.soap11.Body)

Aggregations

AuthnRequest (org.opensaml.saml.saml2.core.AuthnRequest)24 IOException (java.io.IOException)13 LogoutResponse (org.opensaml.saml.saml2.core.LogoutResponse)13 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)12 SamlRegisteredServiceServiceProviderMetadataFacade (org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade)11 Test (org.junit.Test)10 ValidationException (ddf.security.samlp.ValidationException)9 Response (javax.ws.rs.core.Response)9 SamlRegisteredService (org.apereo.cas.support.saml.services.SamlRegisteredService)9 Assertion (org.jasig.cas.client.validation.Assertion)9 MessageContext (org.opensaml.messaging.context.MessageContext)9 Assertion (org.opensaml.saml.saml2.core.Assertion)9 Document (org.w3c.dom.Document)9 XMLStreamException (javax.xml.stream.XMLStreamException)8 LogoutRequest (org.opensaml.saml.saml2.core.LogoutRequest)8 NameID (org.opensaml.saml.saml2.core.NameID)7 ByteArrayInputStream (java.io.ByteArrayInputStream)6 SimpleSign (ddf.security.samlp.SimpleSign)5 ZonedDateTime (java.time.ZonedDateTime)5 Path (javax.ws.rs.Path)5