Use of org.opensaml.saml.saml2.metadata.Endpoint in project cas by apereo:
class SamlIdPUtils, method preparePeerEntitySamlEndpointContext.
/**
 * Resolves the peer (service provider) endpoint for an outbound SAML message and
 * records it in the {@link SAMLEndpointContext} of the given message context.
 * <p>
 * The first {@link AssertionConsumerService} in the list returned by the metadata
 * facade is used as the destination; no binding- or {@code isDefault}-based selection
 * happens here, so the facade's ordering decides which endpoint is chosen.
 *
 * @param outboundContext the outbound message context; the peer-entity and endpoint
 *                        subcontexts are created on demand
 * @param adaptor         metadata facade of the registered service provider
 * @throws SamlException if the metadata publishes no assertion consumer service, if a
 *                       required subcontext cannot be obtained, or if the chosen endpoint
 *                       lacks a binding or a location
 */
public static void preparePeerEntitySamlEndpointContext(final MessageContext outboundContext, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor) throws SamlException {
    final List<AssertionConsumerService> acsList = adaptor.getAssertionConsumerServices();
    if (acsList.isEmpty()) {
        throw new SamlException("No assertion consumer service could be found for entity " + adaptor.getEntityId());
    }

    final SAMLPeerEntityContext peer = outboundContext.getSubcontext(SAMLPeerEntityContext.class, true);
    if (peer == null) {
        throw new SamlException("SAMLPeerEntityContext could not be defined for entity " + adaptor.getEntityId());
    }

    final SAMLEndpointContext endpoints = peer.getSubcontext(SAMLEndpointContext.class, true);
    if (endpoints == null) {
        throw new SamlException("SAMLEndpointContext could not be defined for entity " + adaptor.getEntityId());
    }

    // Position 0 is taken as-is; an endpoint without both a binding and a location is unusable.
    final Endpoint chosen = acsList.get(0);
    final boolean incomplete = StringUtils.isBlank(chosen.getBinding()) || StringUtils.isBlank(chosen.getLocation());
    if (incomplete) {
        throw new SamlException("Assertion consumer service does not define a binding or location for " + adaptor.getEntityId());
    }

    LOGGER.debug("Configured peer entity endpoint to be [{}] with binding [{}]", chosen.getLocation(), chosen.getBinding());
    endpoints.setEndpoint(chosen);
}
Use of org.opensaml.saml.saml2.metadata.Endpoint in project ddf by codice:
class IdpMetadata, method initSingleSignOut.
/**
 * Initialises the single logout binding and location from the IdP metadata.
 * <p>
 * Despite its name this method reads the {@code SingleLogoutService} endpoints of the
 * IdP descriptor. The choice among them is delegated to {@code initSingleSomething}
 * (per the original comment, HTTP-Redirect is preferred over HTTP-POST when both are
 * present). The fields are left untouched when no descriptor is available or no
 * endpoint is selected.
 */
private void initSingleSignOut() {
    final IDPSSODescriptor descriptor = getDescriptor();
    if (descriptor == null) {
        return;
    }
    // Prefer HTTP-Redirect over HTTP-POST if both are present
    initSingleSomething(descriptor.getSingleLogoutServices()).ifPresent(endpoint -> {
        singleLogoutBinding = endpoint.getBinding();
        singleLogoutLocation = endpoint.getLocation();
    });
}
Use of org.opensaml.saml.saml2.metadata.Endpoint in project cas by apereo:
class IdPInitiatedProfileHandlerController, method handleIdPInitiatedSsoRequest.
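/**
 * Handles IdP-initiated (unsolicited) SSO requests.
 * <p>
 * The service provider is identified by the {@code providerId} request parameter and
 * must be a registered service with resolvable metadata. An {@link AuthnRequest} is then
 * synthesised on the SP's behalf and handed to {@link #initiateAuthenticationRequest}.
 * All request parameters are untrusted: the assertion consumer service URL
 * ({@code shire}) is accepted only when it matches an endpoint published in the SP's
 * metadata, and the {@code time} parameter is honoured only when it parses as whole
 * seconds since the epoch.
 *
 * @param response the response
 * @param request  the request
 * @throws MessageDecodingException     if {@code providerId} is missing, the ACS URL cannot
 *                                      be resolved from metadata, or the supplied ACS URL is
 *                                      not published in the SP metadata
 * @throws UnauthorizedServiceException if no metadata is linked to the service provider
 * @throws Exception                    propagated from service verification and request initiation
 */
@GetMapping(path = SamlIdPConstants.ENDPOINT_SAML2_IDP_INIT_PROFILE_SSO)
protected void handleIdPInitiatedSsoRequest(final HttpServletResponse response, final HttpServletRequest request) throws Exception {
    // The name (i.e., the entity ID) of the service provider.
    final String providerId = CommonUtils.safeGetParameter(request, SamlIdPConstants.PROVIDER_ID);
    if (StringUtils.isBlank(providerId)) {
        LOGGER.warn("No providerId parameter given in unsolicited SSO authentication request.");
        throw new MessageDecodingException("No providerId parameter given in unsolicited SSO authentication request.");
    }
    final SamlRegisteredService registeredService = verifySamlRegisteredService(providerId);
    final Optional<SamlRegisteredServiceServiceProviderMetadataFacade> adaptor = getSamlMetadataFacadeFor(registeredService, providerId);
    if (!adaptor.isPresent()) {
        throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "Cannot find metadata linked to " + providerId);
    }
    final SamlRegisteredServiceServiceProviderMetadataFacade facade = adaptor.get();

    // The URL of the response location at the SP (called the "Assertion Consumer Service")
    // but can be omitted in favor of the IdP picking the default endpoint location from metadata.
    final String shire = resolveAssertionConsumerServiceUrl(request, facade, providerId);

    // The target resource at the SP, or a state token generated by an SP to represent the resource.
    final String target = CommonUtils.safeGetParameter(request, SamlIdPConstants.TARGET);
    // A timestamp to help with stale request detection.
    final String time = CommonUtils.safeGetParameter(request, SamlIdPConstants.TIME);

    final AuthnRequest authnRequest = buildAuthnRequest(providerId, shire, time);
    if (StringUtils.isNotBlank(target)) {
        request.setAttribute(SamlProtocolConstants.PARAMETER_SAML_RELAY_STATE, target);
    }

    final MessageContext ctx = new MessageContext();
    ctx.setAutoCreateSubcontexts(true);
    if (facade.isAuthnRequestsSigned()) {
        samlObjectSigner.encode(authnRequest, registeredService, facade, response, request, SAMLConstants.SAML2_POST_BINDING_URI);
    }
    ctx.setMessage(authnRequest);
    // The request was produced locally, so there is no inbound binding signature to account for.
    ctx.getSubcontext(SAMLBindingContext.class, true).setHasBindingSignature(false);
    final Pair<SignableSAMLObject, MessageContext> pair = Pair.of(authnRequest, ctx);
    initiateAuthenticationRequest(pair, response, request);
}

/**
 * Resolves the assertion consumer service URL to place in the synthesised request.
 * <p>
 * A {@code shire} parameter, when supplied, is only accepted if it is the
 * {@code Location} or {@code ResponseLocation} of an assertion consumer service
 * published in the SP's metadata (exact string comparison). Whether later stages of
 * the flow validate the ACS URL again is not visible here, so the check is made at
 * the point the untrusted value enters. Without {@code shire}, the SP's HTTP-POST
 * assertion consumer service from metadata is used.
 *
 * @param request    the inbound request
 * @param facade     metadata facade of the service provider
 * @param providerId entity id of the service provider, for logging
 * @return the assertion consumer service URL, never blank
 * @throws MessageDecodingException if the supplied URL is not published in the metadata, or
 *                                  no URL could be resolved from the metadata
 */
private String resolveAssertionConsumerServiceUrl(final HttpServletRequest request,
                                                  final SamlRegisteredServiceServiceProviderMetadataFacade facade,
                                                  final String providerId) throws MessageDecodingException {
    final String shire = CommonUtils.safeGetParameter(request, SamlIdPConstants.SHIRE);
    if (StringUtils.isNotBlank(shire)) {
        if (!isPublishedAssertionConsumerServiceUrl(shire, facade)) {
            LOGGER.warn("Assertion consumer service URL [{}] supplied for entityID [{}] is not published in its metadata", shire, providerId);
            throw new MessageDecodingException("Assertion consumer service URL is not registered for the service provider");
        }
        return shire;
    }

    LOGGER.warn("Resolving service provider assertion consumer service URL for [{}] and binding [{}]", providerId, SAMLConstants.SAML2_POST_BINDING_URI);
    final AssertionConsumerService acs = facade.getAssertionConsumerService(SAMLConstants.SAML2_POST_BINDING_URI);
    // The facade may have no HTTP-POST endpoint to offer; treat a missing service like a blank location.
    final String location = acs == null ? null : acs.getLocation();
    if (StringUtils.isBlank(location)) {
        LOGGER.warn("Unable to resolve service provider assertion consumer service URL for AuthnRequest construction for entityID: [{}]", providerId);
        throw new MessageDecodingException("Unable to resolve SP ACS URL for AuthnRequest construction");
    }
    return location;
}

/**
 * Reports whether {@code url} is the location or response location of any assertion
 * consumer service published in the SP's metadata.
 *
 * @param url    the candidate URL, non-blank
 * @param facade metadata facade of the service provider
 * @return true if an exact match is found
 */
private static boolean isPublishedAssertionConsumerServiceUrl(final String url,
                                                              final SamlRegisteredServiceServiceProviderMetadataFacade facade) {
    return facade.getAssertionConsumerServices().stream()
        .anyMatch(acs -> url.equals(acs.getLocation()) || url.equals(acs.getResponseLocation()));
}

/**
 * Builds the {@link AuthnRequest} issued on the SP's behalf.
 *
 * @param providerId entity id of the service provider, used as the issuer
 * @param shire      assertion consumer service URL, already validated
 * @param time       raw {@code time} request parameter, may be null or malformed
 * @return the populated request, unsigned
 */
private AuthnRequest buildAuthnRequest(final String providerId, final String shire, final String time) {
    // The builder factory API is untyped; the casts mirror the registered element names.
    final SAMLObjectBuilder builder = (SAMLObjectBuilder) configBean.getBuilderFactory().getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME);
    final AuthnRequest authnRequest = (AuthnRequest) builder.buildObject();
    authnRequest.setAssertionConsumerServiceURL(shire);

    final SAMLObjectBuilder isBuilder = (SAMLObjectBuilder) configBean.getBuilderFactory().getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
    final Issuer issuer = (Issuer) isBuilder.buildObject();
    issuer.setValue(providerId);
    authnRequest.setIssuer(issuer);
    authnRequest.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI);

    final SAMLObjectBuilder pBuilder = (SAMLObjectBuilder) configBean.getBuilderFactory().getBuilder(NameIDPolicy.DEFAULT_ELEMENT_NAME);
    final NameIDPolicy nameIDPolicy = (NameIDPolicy) pBuilder.buildObject();
    nameIDPolicy.setAllowCreate(Boolean.TRUE);
    authnRequest.setNameIDPolicy(nameIDPolicy);

    authnRequest.setIssueInstant(parseIssueInstant(time));
    authnRequest.setForceAuthn(Boolean.FALSE);
    return authnRequest;
}

/**
 * Derives the issue instant from the {@code time} request parameter.
 * <p>
 * The parameter is read as whole seconds since the epoch and converted to the
 * milliseconds {@link DateTime} expects (the previous {@code SECONDS.convert(x, MILLISECONDS)}
 * divided the value by 1000 and then treated it as milliseconds). A value that is not
 * a plain digit string, or does not fit in a {@code long}, falls back to the current time
 * instead of failing the request.
 *
 * @param time raw request parameter, may be null
 * @return the issue instant in UTC
 */
private DateTime parseIssueInstant(final String time) {
    if (NumberUtils.isDigits(time)) {
        try {
            return new DateTime(TimeUnit.SECONDS.toMillis(Long.parseLong(time)), ISOChronology.getInstanceUTC());
        } catch (final NumberFormatException e) {
            LOGGER.debug("Ignoring time parameter [{}] that does not fit a long; using the current time", time);
        }
    }
    return new DateTime(DateTime.now(), ISOChronology.getInstanceUTC());
}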
Use of org.opensaml.saml.saml2.metadata.Endpoint in project pac4j by pac4j:
class SAML2DefaultResponseValidator, method verifyRequest.
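/**
 * Cross-checks the received response against the original {@link AuthnRequest}.
 * <p>
 * When the request named its ACS by index, the index is compared with the endpoint in
 * the message context; otherwise the requested ACS URL (against the endpoint's response
 * location, or its location when none is set) and the requested protocol binding are
 * compared. Every mismatch is only logged at WARN level; this method never rejects the
 * response. A message context without an endpoint is logged the same way and the
 * comparison is skipped, instead of failing with a {@code NullPointerException}.
 *
 * @param request the original authentication request sent to the IdP
 * @param context the SAML message context holding the endpoint and binding the response arrived on
 */
protected void verifyRequest(final AuthnRequest request, final SAML2MessageContext context) {
    // Verify endpoint requested in the original request
    final Endpoint endpoint = context.getSAMLEndpointContext().getEndpoint();
    if (endpoint == null) {
        logger.warn("No endpoint was found in the SAML endpoint context; cannot compare it with the original request");
        return;
    }
    final AssertionConsumerService assertionConsumerService = (AssertionConsumerService) endpoint;
    if (request.getAssertionConsumerServiceIndex() != null) {
        if (!request.getAssertionConsumerServiceIndex().equals(assertionConsumerService.getIndex())) {
            logger.warn("Response was received at a different endpoint index than was requested");
        }
    } else {
        final String requestedResponseURL = request.getAssertionConsumerServiceURL();
        final String requestedBinding = request.getProtocolBinding();
        if (requestedResponseURL != null) {
            // ResponseLocation takes precedence over Location when the metadata defines it.
            final String responseLocation;
            if (assertionConsumerService.getResponseLocation() != null) {
                responseLocation = assertionConsumerService.getResponseLocation();
            } else {
                responseLocation = assertionConsumerService.getLocation();
            }
            if (!requestedResponseURL.equals(responseLocation)) {
                logger.warn("Response was received at a different endpoint URL {} than was requested {}", responseLocation, requestedResponseURL);
            }
        }
        if (requestedBinding != null && !requestedBinding.equals(context.getSAMLBindingContext().getBindingUri())) {
            logger.warn("Response was received using a different binding {} than was requested {}", context.getSAMLBindingContext().getBindingUri(), requestedBinding);
        }
    }
}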
Use of org.opensaml.saml.saml2.metadata.Endpoint in project pac4j by pac4j:
class SAML2LogoutResponseValidator, method isValidBearerSubjectConfirmationData.
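/**
 * Validates the {@code SubjectConfirmationData} of a Bearer subject confirmation.
 * <p>
 * Checks performed, in order:
 * <ul>
 *   <li>the data element is present;</li>
 *   <li>{@code NotBefore} is absent;</li>
 *   <li>{@code NotOnOrAfter} is present and, allowing {@code acceptedSkew} seconds of
 *       clock drift, has not yet passed;</li>
 *   <li>{@code Recipient} is present and, after port normalisation, equal to the location
 *       of the endpoint recorded in the message context (the SP assertion consumer URL).</li>
 * </ul>
 * Every failed check is logged and yields {@code false}. A missing endpoint, an endpoint
 * without a location, or a recipient/location that is not a syntactically valid URI are
 * all treated as failures rather than thrown errors.
 *
 * @param data    the subject confirmation data of the Bearer confirmation, may be null
 * @param context the SAML message context holding the endpoint the response arrived on
 * @return true if all Bearer subject checks are passing
 */
protected final boolean isValidBearerSubjectConfirmationData(final SubjectConfirmationData data, final SAML2MessageContext context) {
    if (data == null) {
        logger.debug("SubjectConfirmationData cannot be null for Bearer confirmation");
        return false;
    }
    if (data.getNotBefore() != null) {
        logger.debug("SubjectConfirmationData notBefore must be null for Bearer confirmation");
        return false;
    }
    if (data.getNotOnOrAfter() == null) {
        logger.debug("SubjectConfirmationData notOnOrAfter cannot be null for Bearer confirmation");
        return false;
    }
    if (data.getNotOnOrAfter().plusSeconds(acceptedSkew).isBeforeNow()) {
        logger.debug("SubjectConfirmationData notOnOrAfter is too old");
        return false;
    }
    if (data.getRecipient() == null) {
        logger.debug("SubjectConfirmationData recipient cannot be null for Bearer confirmation");
        return false;
    }
    final Endpoint endpoint = context.getSAMLEndpointContext().getEndpoint();
    if (endpoint == null) {
        logger.warn("No endpoint was found in the SAML endpoint context");
        return false;
    }
    // new URI(null) throws NullPointerException rather than URISyntaxException, so an
    // endpoint without a location must be rejected before the parse below.
    if (endpoint.getLocation() == null) {
        logger.warn("The endpoint in the SAML endpoint context does not define a location");
        return false;
    }
    try {
        final URI recipientUri = new URI(data.getRecipient());
        final URI appEndpointUri = new URI(endpoint.getLocation());
        if (!UriUtils.urisEqualAfterPortNormalization(recipientUri, appEndpointUri)) {
            logger.debug("SubjectConfirmationData recipient {} does not match SP assertion consumer URL, found. " + "SP ACS URL from context: {}", recipientUri, appEndpointUri);
            return false;
        }
    } catch (final URISyntaxException use) {
        logger.error("Unable to check SubjectConfirmationData recipient, a URI has invalid syntax.", use);
        return false;
    }
    return true;
}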