use of org.opensaml.saml.saml2.metadata.Endpoint in project cas by apereo.
the class AbstractSamlIdPProfileHandlerController method verifySamlAuthenticationRequest.
/**
 * Verifies an inbound SAML2 {@code AuthnRequest} before the IdP proceeds with authentication.
 * <p>
 * Steps, in this order: resolve the issuer entity id, look up the matching registered
 * service, load the service provider's metadata, verify the request's signature against
 * that metadata, and resolve the assertion consumer endpoint for the request's binding.
 * The resolved endpoint is only logged here; the registered service and its metadata
 * facade are returned so that later stages can build the response.
 *
 * @param authenticationContext pair of the parsed SAML request and its OpenSAML message context
 * @param request               the inbound HTTP request carrying the SAML message
 * @return the registered service paired with its service-provider metadata facade
 * @throws UnauthorizedServiceException if no metadata can be resolved for the issuer
 * @throws Exception                    if signature or endpoint verification fails
 */
protected Pair<SamlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade> verifySamlAuthenticationRequest(final Pair<? extends RequestAbstractType, MessageContext> authenticationContext, final HttpServletRequest request) throws Exception {
    val samlRequest = (AuthnRequest) authenticationContext.getKey();
    val entityId = SamlIdPUtils.getIssuerFromSamlObject(samlRequest);
    LOGGER.debug("Located issuer [{}] from authentication request", entityId);

    // The issuer must map to a known, authorized registered service before anything else.
    val service = verifySamlRegisteredService(entityId);

    LOGGER.debug("Fetching SAML2 metadata adaptor for [{}]", entityId);
    val metadataResolver = configurationContext.getSamlRegisteredServiceCachingMetadataResolver();
    val metadata = SamlRegisteredServiceServiceProviderMetadataFacade.get(metadataResolver, service, samlRequest);
    if (!metadata.isPresent()) {
        LOGGER.warn("No metadata could be found for [{}]", entityId);
        throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "Cannot find metadata linked to " + entityId);
    }
    val facade = metadata.get();

    // Signature verification runs before any endpoint is derived from the request, so the
    // response location is only computed for a request that passed this check. Whether an
    // unsigned request is tolerated is decided inside verifyAuthenticationContextSignature
    // (not visible here).
    verifyAuthenticationContextSignature(authenticationContext, request, samlRequest, facade, service);

    val profileBinding = determineProfileBinding(authenticationContext);
    val messageContext = authenticationContext.getRight();
    val endpoint = SamlIdPUtils.determineEndpointForRequest(Pair.of(samlRequest, messageContext), facade, profileBinding);
    // A declared ResponseLocation takes precedence over Location for logging purposes.
    val endpointUrl = StringUtils.defaultIfBlank(endpoint.getResponseLocation(), endpoint.getLocation());
    LOGGER.debug("Determined SAML2 endpoint for authentication request as [{}]", endpointUrl);

    SamlUtils.logSamlObject(configurationContext.getOpenSamlConfigBean(), samlRequest);
    return Pair.of(service, facade);
}
use of org.opensaml.saml.saml2.metadata.Endpoint in project ddf by codice.
the class IdpMetadata method initSingleSignOn.
/**
 * Caches the IdP's SingleSignOnService binding and location from the IDPSSODescriptor.
 * <p>
 * Nothing is changed when no descriptor is available or when no endpoint is selected;
 * in that case the fields keep whatever value they already had.
 */
private void initSingleSignOn() {
    final IDPSSODescriptor idpDescriptor = getDescriptor();
    if (idpDescriptor == null) {
        return;
    }
    // Prefer HTTP-Redirect over HTTP-POST if both are present; the selection itself
    // happens in initSingleSomething, which is not shown here.
    initSingleSomething(idpDescriptor.getSingleSignOnServices()).ifPresent(endpoint -> {
        singleSignOnBinding = endpoint.getBinding();
        singleSignOnLocation = endpoint.getLocation();
    });
}
use of org.opensaml.saml.saml2.metadata.Endpoint in project ddf by codice.
the class IdpMetadata method initSingleLogout.
/**
 * Caches the IdP's SingleLogoutService binding and location from the IDPSSODescriptor.
 * <p>
 * Nothing is changed when no descriptor is available or when no endpoint is selected;
 * in that case the fields keep whatever value they already had.
 */
private void initSingleLogout() {
    final IDPSSODescriptor idpDescriptor = getDescriptor();
    if (idpDescriptor == null) {
        return;
    }
    // Prefer HTTP-Redirect over HTTP-POST if both are present; the selection itself
    // happens in initSingleSomething, which is not shown here.
    initSingleSomething(idpDescriptor.getSingleLogoutServices()).ifPresent(endpoint -> {
        singleLogoutBinding = endpoint.getBinding();
        singleLogoutLocation = endpoint.getLocation();
    });
}
use of org.opensaml.saml.saml2.metadata.Endpoint in project pac4j by pac4j.
the class SAML2DefaultResponseValidator method verifyRequest.
/**
 * Cross-checks the ACS index, ACS URL and protocol binding requested in the original
 * {@code AuthnRequest} against the endpoint and binding the response actually arrived on.
 * <p>
 * NOTE(review): every mismatch found here is only logged at WARN level; the response is
 * never rejected by this method. Deployments that need strict enforcement of the requested
 * AssertionConsumerServiceURL / ProtocolBinding must add that check elsewhere.
 *
 * @param request the original authentication request this response answers
 * @param context the message context of the inbound response
 */
protected void verifyRequest(final AuthnRequest request, final SAML2MessageContext context) {
    // The endpoint in the context is cast unconditionally; a missing endpoint or a
    // non-ACS endpoint type would surface as an NPE / ClassCastException, not a warning.
    final AssertionConsumerService receivedAt = (AssertionConsumerService) context.getSAMLEndpointContext().getEndpoint();

    final Integer requestedIndex = request.getAssertionConsumerServiceIndex();
    if (requestedIndex != null) {
        // An index in the request identifies the ACS by metadata index; URL and
        // binding are not compared in this case.
        if (!requestedIndex.equals(receivedAt.getIndex())) {
            logger.warn("Response was received at a different endpoint index than was requested");
        }
        return;
    }

    final String requestedUrl = request.getAssertionConsumerServiceURL();
    if (requestedUrl != null) {
        // ResponseLocation, when declared in metadata, is where responses are expected;
        // otherwise fall back to Location.
        final String actualUrl = receivedAt.getResponseLocation() != null
            ? receivedAt.getResponseLocation()
            : receivedAt.getLocation();
        if (!requestedUrl.equals(actualUrl)) {
            logger.warn("Response was received at a different endpoint URL {} than was requested {}", actualUrl, requestedUrl);
        }
    }

    final String requestedBinding = request.getProtocolBinding();
    if (requestedBinding != null) {
        final String actualBinding = context.getSAMLBindingContext().getBindingUri();
        if (!requestedBinding.equals(actualBinding)) {
            logger.warn("Response was received using a different binding {} than was requested {}", actualBinding, requestedBinding);
        }
    }
}
use of org.opensaml.saml.saml2.metadata.Endpoint in project pac4j by pac4j.
the class SAML2LogoutResponseValidator method isValidBearerSubjectConfirmationData.
/**
 * Validates the SubjectConfirmationData of a Bearer subject confirmation.
 * <p>
 * The confirmation passes only when all of the following hold:
 * <ul>
 *   <li>the data is present;</li>
 *   <li>NotBefore is absent (a Bearer confirmation must not carry one);</li>
 *   <li>NotOnOrAfter is present and, after adding {@code acceptedSkew} seconds, is not in the past;</li>
 *   <li>Recipient is present and matches the endpoint location taken from the message context
 *       (compared with {@code UriUtils.urisEqualAfterPortNormalization}).</li>
 * </ul>
 * A Recipient or endpoint location that is not a syntactically valid URI is treated as a
 * failed check, not as an error propagated to the caller.
 * <p>
 * NOTE(review): the Recipient is compared against {@code Endpoint.getLocation()} only; a
 * distinct ResponseLocation declared in metadata is not consulted here.
 *
 * @param data    the subject confirmation data to validate, may be null
 * @param context the message context holding the endpoint the message arrived at
 * @return true if all Bearer subject checks pass, false otherwise
 */
protected final boolean isValidBearerSubjectConfirmationData(final SubjectConfirmationData data, final SAML2MessageContext context) {
    if (data == null) {
        logger.debug("SubjectConfirmationData cannot be null for Bearer confirmation");
        return false;
    }
    if (data.getNotBefore() != null) {
        logger.debug("SubjectConfirmationData notBefore must be null for Bearer confirmation");
        return false;
    }
    if (data.getNotOnOrAfter() == null) {
        logger.debug("SubjectConfirmationData notOnOrAfter cannot be null for Bearer confirmation");
        return false;
    }
    // Clock skew is applied in the lenient direction only: the deadline is pushed forward.
    if (data.getNotOnOrAfter().plusSeconds(acceptedSkew).isBeforeNow()) {
        logger.debug("SubjectConfirmationData notOnOrAfter is too old");
        return false;
    }
    final String recipient = data.getRecipient();
    if (recipient == null) {
        logger.debug("SubjectConfirmationData recipient cannot be null for Bearer confirmation");
        return false;
    }
    try {
        return recipientMatchesEndpoint(recipient, context);
    } catch (final URISyntaxException use) {
        logger.error("Unable to check SubjectConfirmationData recipient, a URI has invalid syntax.", use);
        return false;
    }
}

/**
 * Compares a Recipient value with the location of the endpoint in the message context.
 *
 * @param recipient the Recipient attribute value, never null
 * @param context   the message context providing the receiving endpoint
 * @return true if the two URIs are equal after port normalization, false if they differ
 *         or no endpoint is present in the context
 * @throws URISyntaxException if either value is not a valid URI
 */
private boolean recipientMatchesEndpoint(final String recipient, final SAML2MessageContext context) throws URISyntaxException {
    final Endpoint endpoint = context.getSAMLEndpointContext().getEndpoint();
    if (endpoint == null) {
        logger.warn("No endpoint was found in the SAML endpoint context");
        return false;
    }
    final URI recipientUri = new URI(recipient);
    final URI endpointUri = new URI(endpoint.getLocation());
    if (UriUtils.urisEqualAfterPortNormalization(recipientUri, endpointUri)) {
        return true;
    }
    logger.debug("SubjectConfirmationData recipient {} does not match SP assertion consumer URL, found. SP ACS URL from context: {}", recipientUri, endpointUri);
    return false;
}