
Example 6 with Endpoint

use of org.opensaml.saml.saml2.metadata.Endpoint in project cas by apereo.

the class AbstractSamlIdPProfileHandlerController method verifySamlAuthenticationRequest.

/**
 * Verifies an inbound SAML2 authentication request against the issuing service
 * provider's registered service and metadata.
 * <p>
 * The issuer is read from the request and resolved to a registered service, the
 * service's metadata facade is looked up (absence is an authorization failure),
 * the signature on the message context is verified, and the assertion consumer
 * endpoint for the negotiated binding is resolved and logged.
 *
 * @param authenticationContext pair of the inbound SAML request and its message context
 * @param request               the HTTP request that carried the SAML message
 * @return pair of the resolved registered service and its metadata facade
 * @throws Exception propagated from the service lookup, signature verification
 *                   or endpoint resolution; also thrown when no metadata is found
 */
protected Pair<SamlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade> verifySamlAuthenticationRequest(final Pair<? extends RequestAbstractType, MessageContext> authenticationContext, final HttpServletRequest request) throws Exception {
    val samlRequest = (AuthnRequest) authenticationContext.getKey();
    val issuer = SamlIdPUtils.getIssuerFromSamlObject(samlRequest);
    LOGGER.debug("Located issuer [{}] from authentication request", issuer);
    val service = verifySamlRegisteredService(issuer);

    LOGGER.debug("Fetching SAML2 metadata adaptor for [{}]", issuer);
    val metadataResolver = configurationContext.getSamlRegisteredServiceCachingMetadataResolver();
    val facade = SamlRegisteredServiceServiceProviderMetadataFacade.get(metadataResolver, service, samlRequest)
        .orElseThrow(() -> {
            // Fail closed: a service without resolvable metadata cannot be trusted.
            LOGGER.warn("No metadata could be found for [{}]", issuer);
            return new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "Cannot find metadata linked to " + issuer);
        });

    verifyAuthenticationContextSignature(authenticationContext, request, samlRequest, facade, service);

    val binding = determineProfileBinding(authenticationContext);
    val endpoint = SamlIdPUtils.determineEndpointForRequest(Pair.of(samlRequest, authenticationContext.getRight()), facade, binding);
    // ResponseLocation wins over Location when the metadata declares both.
    val endpointLocation = StringUtils.defaultIfBlank(endpoint.getResponseLocation(), endpoint.getLocation());
    LOGGER.debug("Determined SAML2 endpoint for authentication request as [{}]", endpointLocation);

    SamlUtils.logSamlObject(configurationContext.getOpenSamlConfigBean(), samlRequest);
    return Pair.of(service, facade);
}

Example 7 with Endpoint

use of org.opensaml.saml.saml2.metadata.Endpoint in project ddf by codice.

the class IdpMetadata method initSingleSignOn.

/**
 * Resolves the IdP single sign-on service from the descriptor and caches its
 * binding and location in the corresponding fields.
 * <p>
 * The fields are left untouched when no descriptor is available or when no
 * service is selected; the choice between the advertised services is made by
 * {@link #initSingleSomething}.
 */
private void initSingleSignOn() {
    final IDPSSODescriptor idpDescriptor = getDescriptor();
    if (idpDescriptor == null) {
        return;
    }
    // Prefer HTTP-Redirect over HTTP-POST if both are present
    final Optional<? extends Endpoint> selected = initSingleSomething(idpDescriptor.getSingleSignOnServices());
    selected.ifPresent(endpoint -> {
        singleSignOnBinding = endpoint.getBinding();
        singleSignOnLocation = endpoint.getLocation();
    });
}

Example 8 with Endpoint

use of org.opensaml.saml.saml2.metadata.Endpoint in project ddf by codice.

the class IdpMetadata method initSingleLogout.

/**
 * Resolves the IdP single logout service from the descriptor and caches its
 * binding and location in the corresponding fields.
 * <p>
 * The fields are left untouched when no descriptor is available or when no
 * service is selected; the choice between the advertised services is made by
 * {@link #initSingleSomething}.
 */
private void initSingleLogout() {
    final IDPSSODescriptor idpDescriptor = getDescriptor();
    if (idpDescriptor == null) {
        return;
    }
    // Prefer HTTP-Redirect over HTTP-POST if both are present
    final Optional<? extends Endpoint> selected = initSingleSomething(idpDescriptor.getSingleLogoutServices());
    selected.ifPresent(endpoint -> {
        singleLogoutBinding = endpoint.getBinding();
        singleLogoutLocation = endpoint.getLocation();
    });
}

Example 9 with Endpoint

use of org.opensaml.saml.saml2.metadata.Endpoint in project pac4j by pac4j.

the class SAML2DefaultResponseValidator method verifyRequest.

/**
 * Cross-checks the endpoint and binding on which the response arrived against
 * what the original authentication request asked for.
 * <p>
 * Every mismatch is only logged at WARN level; this method never rejects the
 * response. When the request carries an assertion consumer service index, only
 * the index is compared; otherwise the assertion consumer URL and the protocol
 * binding are compared, each only if the request specified it.
 *
 * @param request the original authentication request
 * @param context the message context holding the endpoint and binding the response used
 */
protected void verifyRequest(final AuthnRequest request, final SAML2MessageContext context) {
    // Verify endpoint requested in the original request
    final AssertionConsumerService acs = (AssertionConsumerService) context.getSAMLEndpointContext().getEndpoint();
    final Integer requestedIndex = request.getAssertionConsumerServiceIndex();
    if (requestedIndex != null) {
        if (!requestedIndex.equals(acs.getIndex())) {
            logger.warn("Response was received at a different endpoint index than was requested");
        }
        return;
    }

    final String requestedUrl = request.getAssertionConsumerServiceURL();
    final String requestedBinding = request.getProtocolBinding();
    if (requestedUrl != null) {
        // ResponseLocation takes precedence over Location when the metadata declares both
        final String actualUrl = acs.getResponseLocation() != null ? acs.getResponseLocation() : acs.getLocation();
        if (!requestedUrl.equals(actualUrl)) {
            logger.warn("Response was received at a different endpoint URL {} than was requested {}", actualUrl, requestedUrl);
        }
    }
    if (requestedBinding != null) {
        final String actualBinding = context.getSAMLBindingContext().getBindingUri();
        if (!requestedBinding.equals(actualBinding)) {
            logger.warn("Response was received using a different binding {} than was requested {}", actualBinding, requestedBinding);
        }
    }
}

Example 10 with Endpoint

use of org.opensaml.saml.saml2.metadata.Endpoint in project pac4j by pac4j.

the class SAML2LogoutResponseValidator method isValidBearerSubjectConfirmationData.

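/**
 * Validate Bearer subject confirmation data.
 * <p>
 * Every check fails closed (returns {@code false}):
 * <ul>
 *   <li>{@code data} must be present;</li>
 *   <li>{@code NotBefore} must be absent;</li>
 *   <li>{@code NotOnOrAfter} must be present and, after adding {@code acceptedSkew}
 *       seconds, still lie in the future;</li>
 *   <li>{@code Recipient} must be present, be a syntactically valid URI and, after
 *       port normalization, equal the location of the endpoint found in the SAML
 *       endpoint context.</li>
 * </ul>
 * A missing endpoint, or an endpoint without a location, is treated as a failed
 * recipient check rather than as an error.
 *
 * @param data the subject confirmation data to validate
 * @param context the message context whose endpoint is the expected recipient
 * @return true if all Bearer subject checks are passing
 */
protected final boolean isValidBearerSubjectConfirmationData(final SubjectConfirmationData data, final SAML2MessageContext context) {
    if (data == null) {
        logger.debug("SubjectConfirmationData cannot be null for Bearer confirmation");
        return false;
    }
    if (data.getNotBefore() != null) {
        logger.debug("SubjectConfirmationData notBefore must be null for Bearer confirmation");
        return false;
    }
    if (data.getNotOnOrAfter() == null) {
        logger.debug("SubjectConfirmationData notOnOrAfter cannot be null for Bearer confirmation");
        return false;
    }
    // Clock skew is only ever applied in the lenient direction (extends the validity window).
    if (data.getNotOnOrAfter().plusSeconds(acceptedSkew).isBeforeNow()) {
        logger.debug("SubjectConfirmationData notOnOrAfter is too old");
        return false;
    }
    final String recipient = data.getRecipient();
    if (recipient == null) {
        logger.debug("SubjectConfirmationData recipient cannot be null for Bearer confirmation");
        return false;
    }
    final Endpoint endpoint = context.getSAMLEndpointContext().getEndpoint();
    if (endpoint == null) {
        logger.warn("No endpoint was found in the SAML endpoint context");
        return false;
    }
    final String endpointLocation = endpoint.getLocation();
    if (endpointLocation == null) {
        // new URI(null) throws NullPointerException, which the URISyntaxException
        // handler below would not catch; reject explicitly instead of crashing.
        logger.warn("Endpoint found in the SAML endpoint context has no location");
        return false;
    }
    try {
        final URI recipientUri = new URI(recipient);
        final URI appEndpointUri = new URI(endpointLocation);
        if (!UriUtils.urisEqualAfterPortNormalization(recipientUri, appEndpointUri)) {
            logger.debug("SubjectConfirmationData recipient {} does not match SP assertion consumer URL, found. " + "SP ACS URL from context: {}", recipientUri, appEndpointUri);
            return false;
        }
    } catch (URISyntaxException use) {
        logger.error("Unable to check SubjectConfirmationData recipient, a URI has invalid syntax.", use);
        return false;
    }
    return true;
}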
