
Example 81 with Request

use of org.opensaml.saml.saml2.ecp.Request in project cas by apereo.

the class AbstractSamlSLOProfileHandlerController method handleSloProfileRequest.

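/**
 * Handle a SAML2 single logout (SLO) profile request.
 * <p>
 * The {@link LogoutRequest} is decoded from the HTTP request, optionally checked for a
 * signature, logged, and finally answered with a redirect to the CAS logout URL.
 * Signature verification is only performed when the message is actually signed;
 * an unsigned request is rejected only when {@code forceSignedLogoutRequests} is
 * enabled, otherwise it is processed without any issuer verification.
 *
 * @param response the response
 * @param request  the request
 * @param decoder  the decoder used to extract the {@link LogoutRequest} from the HTTP request
 * @throws Exception if the request cannot be decoded, is unsigned while signatures are
 *                   required, fails signature verification, or no service provider
 *                   metadata can be resolved for the issuer
 */
protected void handleSloProfileRequest(final HttpServletResponse response, final HttpServletRequest request, final BaseHttpServletRequestXMLMessageDecoder decoder) throws Exception {
    final SamlIdPLogoutProperties logout = casProperties.getAuthn().getSamlIdp().getLogout();
    if (logout.isSingleLogoutCallbacksDisabled()) {
        LOGGER.info("Processing SAML IdP SLO requests is disabled");
        return;
    }
    final Pair<? extends SignableSAMLObject, MessageContext> pair = this.samlHttpRequestExtractor.extract(request, decoder, LogoutRequest.class);
    final LogoutRequest logoutRequest = (LogoutRequest) pair.getKey();
    final MessageContext ctx = pair.getValue();

    final boolean signed = SAMLBindingSupport.isMessageSigned(ctx);
    if (logout.isForceSignedLogoutRequests() && !signed) {
        throw new SAMLException("Logout request is not signed but should be.");
    }
    if (signed) {
        final String entityId = SamlIdPUtils.getIssuerFromSamlRequest(logoutRequest);
        final SamlRegisteredService registeredService = this.servicesManager.findServiceBy(entityId, SamlRegisteredService.class);
        // Report a descriptive SAMLException instead of a bare NoSuchElementException
        // when no service provider metadata can be resolved for the issuer.
        final SamlRegisteredServiceServiceProviderMetadataFacade facade =
            SamlRegisteredServiceServiceProviderMetadataFacade.get(this.samlRegisteredServiceCachingMetadataResolver, registeredService, entityId)
                .orElseThrow(() -> new SAMLException("Unable to locate service provider metadata for logout request issuer [" + entityId + ']'));
        this.samlObjectSignatureValidator.verifySamlProfileRequestIfNeeded(logoutRequest, facade, request, ctx);
    }
    SamlUtils.logSamlObject(this.configBean, logoutRequest);
    response.sendRedirect(casProperties.getServer().getLogoutUrl());
}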

Example 82 with Request

use of org.opensaml.saml.saml2.ecp.Request in project cas by apereo.

the class SSOSamlProfileCallbackHandlerController method determineProfileBinding.

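/**
 * Determine the protocol binding to use for the SAML response.
 * <p>
 * The binding requested by the {@link AuthnRequest} is used, defaulting to HTTP-POST
 * when the request does not specify one. The service provider's metadata is then
 * consulted to confirm that it advertises an assertion consumer service for that binding.
 *
 * @param authenticationContext the authentication request and its message context
 * @param assertion             the assertion; not consulted by this implementation
 * @return the binding URI
 * @throws IllegalArgumentException if the service provider metadata does not advertise
 *                                  an assertion consumer service for the binding
 */
protected String determineProfileBinding(final Pair<AuthnRequest, MessageContext> authenticationContext, final Assertion assertion) {
    final AuthnRequest authnRequest = authenticationContext.getKey();
    final Pair<SamlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade> pair = getRegisteredServiceAndFacade(authnRequest);
    final SamlRegisteredServiceServiceProviderMetadataFacade facade = pair.getValue();
    final String binding = StringUtils.defaultIfBlank(authnRequest.getProtocolBinding(), SAMLConstants.SAML2_POST_BINDING_URI);
    LOGGER.debug("Determined authentication request binding is [{}], issued by [{}]", binding, authnRequest.getIssuer().getValue());
    LOGGER.debug("Checking metadata for [{}] to see if binding [{}] is supported", facade.getEntityId(), binding);
    // Lombok's @NonNull does not generate a runtime check for a local variable, so an
    // unsupported binding previously surfaced as a NullPointerException on the next line.
    // Check explicitly and report which binding the metadata lacks.
    final AssertionConsumerService svc = facade.getAssertionConsumerService(binding);
    if (svc == null) {
        throw new IllegalArgumentException("Binding [" + binding + "] is not supported by [" + facade.getEntityId() + ']');
    }
    LOGGER.debug("Binding [{}] is supported by [{}]", svc.getBinding(), facade.getEntityId());
    return binding;
}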

Example 83 with Request

use of org.opensaml.saml.saml2.ecp.Request in project cas by apereo.

the class SSOSamlProfileCallbackHandlerController method handleCallbackProfileRequest.

/**
 * Handle the callback issued after CAS authentication for a SAML2 SSO profile request.
 * <p>
 * The original authentication request is recovered from the HTTP request, the service
 * ticket carried by the callback is validated, and a SAML response is built for the
 * binding the service provider asked for. A callback without a recoverable
 * authentication request or without a ticket is answered with {@code 403 Forbidden}.
 *
 * @param response the response
 * @param request  the request
 * @throws Exception if ticket validation or response construction fails
 */
@GetMapping(path = SamlIdPConstants.ENDPOINT_SAML2_SSO_PROFILE_POST_CALLBACK)
protected void handleCallbackProfileRequest(final HttpServletResponse response, final HttpServletRequest request) throws Exception {
    LOGGER.info("Received SAML callback profile request [{}]", request.getRequestURI());

    final AuthnRequest originalAuthnRequest = retrieveSamlAuthenticationRequestFromHttpRequest(request);
    if (originalAuthnRequest == null) {
        rejectCallback(response, "Can not validate the request because the original Authn request can not be found.");
        return;
    }

    final String serviceTicket = CommonUtils.safeGetParameter(request, CasProtocolConstants.PARAMETER_TICKET);
    if (StringUtils.isBlank(serviceTicket)) {
        rejectCallback(response, "Can not validate the request because no [{}] is provided via the request", CasProtocolConstants.PARAMETER_TICKET);
        return;
    }

    final Pair<AuthnRequest, MessageContext> authenticationContext = buildAuthenticationContextPair(request, originalAuthnRequest);
    final Assertion casAssertion = validateRequestAndBuildCasAssertion(response, request, authenticationContext);
    final String responseBinding = determineProfileBinding(authenticationContext, casAssertion);
    buildSamlResponse(response, request, authenticationContext, casAssertion, responseBinding);
}

/**
 * Log why a callback is being rejected and mark the response as forbidden.
 *
 * @param response the response
 * @param message  the log message, with SLF4J {@code {}} placeholders if needed
 * @param args     the placeholder arguments
 */
private void rejectCallback(final HttpServletResponse response, final String message, final Object... args) {
    LOGGER.error(message, args);
    response.setStatus(HttpServletResponse.SC_FORBIDDEN);
}

Example 84 with Request

use of org.opensaml.saml.saml2.ecp.Request in project cas by apereo.

the class MetadataUIUtils method locateMetadataUserInterfaceForEntityId.

/**
 * Locate the MDUI ({@code UIInfo}) extension in a service provider's metadata.
 * <p>
 * Walks from the entity descriptor to its SP SSO descriptor, then to that descriptor's
 * {@code Extensions} element, and attaches any {@code UIInfo} found there to the
 * returned {@link SamlMetadataUIInfo}. Whenever a step yields nothing, the info
 * object is returned without MDUI data.
 *
 * @param entityDescriptor  the entity descriptor, may be {@code null}
 * @param entityId          the entity id, used for logging only
 * @param registeredService the registered service
 * @param requestContext    the request context, used to pick the display language
 * @return the metadata ui info, never {@code null}
 */
public static SamlMetadataUIInfo locateMetadataUserInterfaceForEntityId(final EntityDescriptor entityDescriptor, final String entityId, final RegisteredService registeredService, final HttpServletRequest requestContext) {
    final String language = requestContext.getLocale().getLanguage();
    final SamlMetadataUIInfo metadataUi = new SamlMetadataUIInfo(registeredService, language);

    if (entityDescriptor == null) {
        LOGGER.trace("Entity descriptor not found for [{}]", entityId);
        return metadataUi;
    }
    final SPSSODescriptor spDescriptor = getSPSsoDescriptor(entityDescriptor);
    if (spDescriptor == null) {
        LOGGER.trace("SP SSO descriptor not found for [{}]", entityId);
        return metadataUi;
    }
    final Extensions spExtensions = spDescriptor.getExtensions();
    if (spExtensions == null) {
        LOGGER.trace("No extensions in the SP SSO descriptor are found for [{}]", UIInfo.DEFAULT_ELEMENT_NAME.getNamespaceURI());
        return metadataUi;
    }
    final List<XMLObject> uiInfoElements = spExtensions.getUnknownXMLObjects(UIInfo.DEFAULT_ELEMENT_NAME);
    if (uiInfoElements.isEmpty()) {
        LOGGER.trace("No extensions in the SP SSO descriptor are located for [{}]", UIInfo.DEFAULT_ELEMENT_NAME.getNamespaceURI());
        return metadataUi;
    }

    // More than one UIInfo element would be unusual; the last one encountered wins.
    for (final XMLObject element : uiInfoElements) {
        if (element instanceof UIInfo) {
            LOGGER.trace("Found MDUI info for [{}]", entityId);
            metadataUi.setUiInfo((UIInfo) element);
        }
    }
    return metadataUi;
}

Example 85 with Request

use of org.opensaml.saml.saml2.ecp.Request in project verify-hub by alphagov.

the class HubMetadataIntegrationTests method getIdpMetadataFromApi_shouldWork.

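/**
 * The IdP metadata endpoint must serve the hub's entity descriptor with an IdP SSO
 * descriptor only, the expected signing and encryption key descriptors, and a
 * validity window of one hour.
 */
@Test
public void getIdpMetadataFromApi_shouldWork() throws Exception {
    // Capture the expected validity instant once, before the request is issued, and
    // compare against that single value instead of re-reading the clock after the
    // other assertions (which also left this local unused).
    // NOTE(review): exact equality presumes the hub and this test observe the same
    // (e.g. frozen) clock — confirm against the test harness.
    final DateTime expectedValidUntil = DateTime.now(DateTimeZone.UTC).plusHours(1);

    SamlDto samlDto = client.target(UriBuilder.fromUri(samlProxyAppRule.getUri("/API/metadata/idp"))).request().get(SamlDto.class);
    EntityDescriptor entityDescriptor = getEntityDescriptor(samlDto);
    assertThat(entityDescriptor.getEntityID()).isEqualTo(HUB_ENTITY_ID);
    // The hub publishes itself as an IdP here, never as an SP.
    assertThat(entityDescriptor.getSPSSODescriptor(SAMLConstants.SAML20P_NS)).isNull();
    assertThat(entityDescriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS)).isNotNull();
    List<KeyDescriptor> keyDescriptors = entityDescriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getKeyDescriptors();
    // this is a bit fragile and dependent on the ordering of IDPs and in federation metadata
    // this endpoint should be removed soon though...
    assertThat(keyDescriptors).hasSize(7);
    // signing certificates
    validateKeyDescriptor(keyDescriptors, 0, HUB_ENTITY_ID);
    validateKeyDescriptor(keyDescriptors, 1, HUB_ENTITY_ID, TestCertificateStrings.PUBLIC_SIGNING_CERTS.get(HUB_SECONDARY_ENTITY_ID));
    validateKeyDescriptor(keyDescriptors, 2, STUB_IDP_ONE);
    validateKeyDescriptor(keyDescriptors, 3, STUB_IDP_TWO);
    validateKeyDescriptor(keyDescriptors, 4, STUB_IDP_THREE);
    validateKeyDescriptor(keyDescriptors, 5, STUB_IDP_FOUR);
    // encryption certificate
    assertThat(getKeyName(keyDescriptors, 6)).isEqualTo(HUB_ENTITY_ID);
    assertThat(getCertificateData(keyDescriptors, 6)).isEqualTo(TestCertificateStrings.getPrimaryPublicEncryptionCert(HUB_ENTITY_ID));
    assertThat(entityDescriptor.getValidUntil()).isEqualTo(expectedValidUntil);
}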
