Example 11 with Endpoint

use of org.opensaml.saml.saml2.metadata.Endpoint in project pac4j by pac4j.

the class Pac4jHTTPPostEncoder method populateVelocityContext.

/**
 * Populate the Velocity context instance which will be used to render the POST body.
 *
 * @param velocityContext the Velocity context instance to populate with data
 * @param messageContext the SAML message context source of data
 * @param endpointURL endpoint URL to which to encode message
 * @throws MessageEncodingException thrown if there is a problem encoding the message
 */
protected void populateVelocityContext(VelocityContext velocityContext, MessageContext<SAMLObject> messageContext, String endpointURL) throws MessageEncodingException {
    // The endpoint URL is rendered into the form's action="..." attribute, so it is
    // HTML-attribute-encoded to stop a crafted URL from breaking out of the attribute.
    String encodedEndpointURL = HTMLEncoder.encodeForHTMLAttribute(endpointURL);
    log.debug("Encoding action url of '{}' with encoded value '{}'", endpointURL, encodedEndpointURL);
    velocityContext.put("action", encodedEndpointURL);
    velocityContext.put("binding", getBindingURI());
    SAMLObject outboundMessage = messageContext.getMessage();
    log.debug("Marshalling and Base64 encoding SAML message");
    Element domMessage = marshallMessage(outboundMessage);
    String messageXML = SerializeSupport.nodeToString(domMessage);
    log.trace("Output XML message: {}", messageXML);
    String encodedMessage = Base64Support.encode(messageXML.getBytes(StandardCharsets.UTF_8), Base64Support.UNCHUNKED);
    if (outboundMessage instanceof RequestAbstractType) {
        velocityContext.put("SAMLRequest", encodedMessage);
    } else if (outboundMessage instanceof StatusResponseType) {
        velocityContext.put("SAMLResponse", encodedMessage);
    } else {
        throw new MessageEncodingException("SAML message is neither a SAML RequestAbstractType or StatusResponseType");
    }
    // RelayState is rendered into a hidden-field value attribute, so it gets the same
    // encoding; checkRelayState drops an empty value or one over the binding's 80-byte limit.
    String relayState = SAMLBindingSupport.getRelayState(messageContext);
    if (SAMLBindingSupport.checkRelayState(relayState)) {
        String encodedRelayState = HTMLEncoder.encodeForHTMLAttribute(relayState);
        log.debug("Setting RelayState parameter to: '{}', encoded as '{}'", relayState, encodedRelayState);
        velocityContext.put("RelayState", encodedRelayState);
    }
}
Also used : SAMLObject(org.opensaml.saml.common.SAMLObject) Element(org.w3c.dom.Element) RequestAbstractType(org.opensaml.saml.saml2.core.RequestAbstractType) MessageEncodingException(org.opensaml.messaging.encoder.MessageEncodingException) StatusResponseType(org.opensaml.saml.saml2.core.StatusResponseType)

Example 12 with Endpoint

use of org.opensaml.saml.saml2.metadata.Endpoint in project pac4j by pac4j.

the class Pac4jHTTPRedirectDeflateEncoder method buildRedirectURL.

/**
 * Builds the URL to redirect the client to.
 *
 * @param messageContext current message context
 * @param endpoint endpoint URL to send encoded message to
 * @param message Deflated and Base64 encoded message
 *
 * @return URL to redirect client to
 *
 * @throws MessageEncodingException thrown if the endpoint is not a valid URL, or if the SAML message is neither a RequestAbstractType nor a StatusResponseType
 */
protected String buildRedirectURL(final MessageContext messageContext, final String endpoint, final String message) throws MessageEncodingException {
    log.debug("Building URL to redirect client to");
    final URLBuilder urlBuilder;
    try {
        urlBuilder = new URLBuilder(endpoint);
    } catch (final MalformedURLException e) {
        throw new MessageEncodingException("Endpoint URL " + endpoint + " is not a valid URL", e);
    }
    final var queryParams = urlBuilder.getQueryParams();
    // remove the query parameters set below
    queryParams.removeIf(p -> p.getFirst().equals("SAMLRequest") || p.getFirst().equals("SAMLResponse") || p.getFirst().equals("RelayState") || p.getFirst().equals("SigAlg") || p.getFirst().equals("Signature"));
    final var outboundMessage = (SAMLObject) messageContext.getMessage();
    if (outboundMessage instanceof RequestAbstractType) {
        queryParams.add(new Pair<>("SAMLRequest", message));
    } else if (outboundMessage instanceof StatusResponseType) {
        queryParams.add(new Pair<>("SAMLResponse", message));
    } else {
        throw new MessageEncodingException("SAML message is neither a SAML RequestAbstractType or StatusResponseType");
    }
    final var relayState = SAMLBindingSupport.getRelayState(messageContext);
    if (SAMLBindingSupport.checkRelayState(relayState)) {
        queryParams.add(new Pair<>("RelayState", relayState));
    }
    if (isAuthnRequestSigned) {
        final var signingParameters = SAMLMessageSecuritySupport.getContextSigningParameters(messageContext);
        if (signingParameters != null && signingParameters.getSigningCredential() != null) {
            final var sigAlgURI = getSignatureAlgorithmURI(signingParameters);
            // SigAlg is appended before the query string is captured: the signed material
            // is the URL-encoded query as it stands at this point (SAMLRequest or
            // SAMLResponse, RelayState, SigAlg), and Signature is added only afterwards,
            // so it is never part of what it signs.
            final var sigAlg = new Pair<String, String>("SigAlg", sigAlgURI);
            queryParams.add(sigAlg);
            final var sigMaterial = urlBuilder.buildQueryString();
            queryParams.add(new Pair<>("Signature", generateSignature(signingParameters.getSigningCredential(), sigAlgURI, sigMaterial)));
        } else {
            log.debug("No signing credential was supplied, skipping HTTP-Redirect DEFLATE signing");
        }
    }
    return urlBuilder.buildURL();
}
Also used : MalformedURLException(java.net.MalformedURLException) SignableSAMLObject(org.opensaml.saml.common.SignableSAMLObject) SAMLObject(org.opensaml.saml.common.SAMLObject) RequestAbstractType(org.opensaml.saml.saml2.core.RequestAbstractType) MessageEncodingException(org.opensaml.messaging.encoder.MessageEncodingException) StatusResponseType(org.opensaml.saml.saml2.core.StatusResponseType) URLBuilder(net.shibboleth.utilities.java.support.net.URLBuilder) Pair(net.shibboleth.utilities.java.support.collection.Pair)
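The two things buildRedirectURL above has to get right are the encoding of the message (raw DEFLATE, then Base64, then URL-encoding into the query) and the exact bytes that end up under the signature. The following Python is an added example written for this page, not pac4j or OpenSAML code: it builds a redirect URL the same way (keeping the endpoint's own query parameters, dropping stale reserved ones, appending SigAlg before the signature material is captured) and, on the receiving side, recovers the signed material from the raw, still percent-encoded query. The RSA/ECDSA step is deliberately left out; the sample AuthnRequest, its ID and every URL are constructed for the example.

```python
import base64
import zlib
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit

# Parameters the binding reserves; a stale copy on the endpoint URL is dropped.
RESERVED = ("SAMLRequest", "SAMLResponse", "RelayState", "SigAlg", "Signature")
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample AuthnRequest: ID, IssueInstant and URLs are made up.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example.test/sso/redirect"/>'
)


def deflate_b64(xml):
    """Raw DEFLATE (wbits=-15, i.e. no zlib header/trailer) then Base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def inflate_b64(value):
    """Inverse of deflate_b64."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def _enc(name, value):
    # safe='' so '+', '/' and '=' from the Base64 alphabet are percent-encoded too.
    return quote(name, safe="") + "=" + quote(value, safe="")


def build_redirect_url(endpoint, xml, is_request, relay_state=None, sig_alg=None):
    """Sender side. Returns (url, signature_material).

    signature_material is the URL-encoded "SAMLRequest=..&RelayState=..&SigAlg=.."
    string, in that order, that the sender signs with the key and algorithm named
    by SigAlg. Signing itself is not part of this example; after signing, the
    caller appends "&Signature=<Base64 signature>" to the returned URL.
    """
    parts = urlsplit(endpoint)
    keep = [_enc(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in RESERVED]
    signed = [_enc("SAMLRequest" if is_request else "SAMLResponse", deflate_b64(xml))]
    if relay_state:
        signed.append(_enc("RelayState", relay_state))
    if sig_alg:
        signed.append(_enc("SigAlg", sig_alg))
    material = "&".join(signed)
    query = "&".join(keep + signed)
    url = urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))
    return url, material


def parse_redirect_url(url):
    """Receiver side. Decodes the message and rebuilds the signature material from
    the raw, still percent-encoded query pieces, so a verifier is handed exactly
    the bytes the sender signed. Re-encoding the decoded values instead would be
    fragile: two URL encoders rarely agree on which characters they escape."""
    query = urlsplit(url).query
    raw_by_name = {}
    for piece in query.split("&") if query else []:
        raw_by_name[piece.split("=", 1)[0]] = piece
    decoded = dict(parse_qsl(query, keep_blank_values=True))
    kind = "SAMLRequest" if "SAMLRequest" in decoded else "SAMLResponse"
    material = "&".join(raw_by_name[n] for n in (kind, "RelayState", "SigAlg")
                        if n in raw_by_name)
    return {
        "kind": kind,
        "xml": inflate_b64(decoded[kind]),
        "relay_state": decoded.get("RelayState"),
        "sig_alg": decoded.get("SigAlg"),
        "signature": decoded.get("Signature"),
        "signature_material": material,
    }


if __name__ == "__main__":
    url, material = build_redirect_url(
        "https://idp.example.test/sso/redirect?tenant=acme&SAMLRequest=stale",
        SAMPLE_AUTHN_REQUEST, True, relay_state="https://sp.example.test/return?x=1",
        sig_alg=RSA_SHA256)
    print(url)
    print(parse_redirect_url(url)["signature_material"] == material)
```

The receiver-side function is the part worth copying: a verifier that decodes the parameters and re-encodes them before checking the signature will reject valid messages from peers whose encoder escapes a different character set, and a verifier that signs over the whole query rather than the three reserved parameters in spec order will not interoperate with one that follows the binding.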

Example 13 with Endpoint

use of org.opensaml.saml.saml2.metadata.Endpoint in project pac4j by pac4j.

the class Pac4jHTTPArtifactDecoder method dereferenceArtifact.

/**
 * De-reference the supplied artifact into the corresponding SAML protocol message.
 *
 * @param artifact           the artifact to de-reference
 * @param peerRoleDescriptor the peer RoleDescriptor
 * @param ars                the peer's artifact resolution service endpoint
 * @return the de-referenced artifact
 * @throws MessageDecodingException if there is fatal error, or if the artifact was not successfully resolved
 */
@Nonnull
private SAMLObject dereferenceArtifact(@Nonnull final SAML2Artifact artifact, @Nonnull final RoleDescriptor peerRoleDescriptor, @Nonnull final ArtifactResolutionService ars) throws MessageDecodingException {
    try {
        final var selfEntityID = resolveSelfEntityID(peerRoleDescriptor);
        // TODO can assume/enforce response as ArtifactResponse here?
        final var opContext = new SAMLSOAPClientContextBuilder().setOutboundMessage(buildArtifactResolveRequestMessage(artifact, ars.getLocation(), selfEntityID)).setProtocol(SAMLConstants.SAML20P_NS).setPipelineName(getSOAPPipelineName()).setSecurityConfigurationProfileId(getSOAPClientSecurityConfigurationProfileId()).setPeerRoleDescriptor(peerRoleDescriptor).setSelfEntityID(selfEntityID).build();
        log.trace("Executing ArtifactResolve over SOAP 1.1 binding to endpoint: {}", ars.getLocation());
        soapClient.send(ars.getLocation(), opContext);
        final var response = (SAMLObject) opContext.getInboundMessageContext().getMessage();
        if (response instanceof ArtifactResponse) {
            return validateAndExtractResponseMessage((ArtifactResponse) response);
        } else {
            throw new MessageDecodingException("SOAP message payload was not an instance of ArtifactResponse: " + response.getClass().getName());
        }
    } catch (final MessageException | SOAPException | SecurityException e) {
        throw new MessageDecodingException("Error dereferencing artifact", e);
    }
}
Also used : MessageDecodingException(org.opensaml.messaging.decoder.MessageDecodingException) SAMLObject(org.opensaml.saml.common.SAMLObject) MessageException(org.opensaml.messaging.MessageException) ArtifactResponse(org.opensaml.saml.saml2.core.ArtifactResponse) SOAPException(org.opensaml.soap.common.SOAPException) SecurityException(org.opensaml.security.SecurityException) SAMLSOAPClientContextBuilder(org.opensaml.saml.common.messaging.soap.SAMLSOAPClientContextBuilder) Nonnull(javax.annotation.Nonnull)

Example 14 with Endpoint

use of org.opensaml.saml.saml2.metadata.Endpoint in project pac4j by pac4j.

the class Pac4jHTTPPostEncoder method populateVelocityContext (a second revision of the method shown in Example 11; this one additionally wraps the Base64 step in a try/catch).

/**
 * Populate the Velocity context instance which will be used to render the POST body.
 *
 * @param velocityContext the Velocity context instance to populate with data
 * @param messageContext  the SAML message context source of data
 * @param endpointURL     endpoint URL to which to encode message
 * @throws MessageEncodingException thrown if there is a problem encoding the message
 */
protected void populateVelocityContext(final VelocityContext velocityContext, final MessageContext messageContext, final String endpointURL) throws MessageEncodingException {
    final var encodedEndpointURL = HTMLEncoder.encodeForHTMLAttribute(endpointURL);
    log.debug("Encoding action url of '{}' with encoded value '{}'", endpointURL, encodedEndpointURL);
    velocityContext.put("action", encodedEndpointURL);
    velocityContext.put("binding", getBindingURI());
    final var outboundMessage = (SAMLObject) messageContext.getMessage();
    log.debug("Marshalling and Base64 encoding SAML message");
    final var domMessage = marshallMessage(outboundMessage);
    final var messageXML = SerializeSupport.nodeToString(domMessage);
    log.trace("Output XML message: {}", messageXML);
    final String encodedMessage;
    try {
        encodedMessage = Base64Support.encode(messageXML.getBytes(StandardCharsets.UTF_8), Base64Support.UNCHUNKED);
    } catch (final Exception e) {
        throw new MessageEncodingException(e);
    }
    if (outboundMessage instanceof RequestAbstractType) {
        velocityContext.put("SAMLRequest", encodedMessage);
    } else if (outboundMessage instanceof StatusResponseType) {
        velocityContext.put("SAMLResponse", encodedMessage);
    } else {
        throw new MessageEncodingException("SAML message is neither a SAML RequestAbstractType or StatusResponseType");
    }
    final var relayState = SAMLBindingSupport.getRelayState(messageContext);
    if (SAMLBindingSupport.checkRelayState(relayState)) {
        final var encodedRelayState = HTMLEncoder.encodeForHTMLAttribute(relayState);
        log.debug("Setting RelayState parameter to: '{}', encoded as '{}'", relayState, encodedRelayState);
        velocityContext.put("RelayState", encodedRelayState);
    }
}
Also used : SAMLObject(org.opensaml.saml.common.SAMLObject) RequestAbstractType(org.opensaml.saml.saml2.core.RequestAbstractType) MessageEncodingException(org.opensaml.messaging.encoder.MessageEncodingException) BindingException(org.opensaml.saml.common.binding.BindingException) ComponentInitializationException(net.shibboleth.utilities.java.support.component.ComponentInitializationException) MarshallingException(org.opensaml.core.xml.io.MarshallingException) StatusResponseType(org.opensaml.saml.saml2.core.StatusResponseType)

Example 15 with Endpoint

use of org.opensaml.saml.saml2.metadata.Endpoint in project pac4j by pac4j.

the class SAML2LogoutValidator method validateDestinationEndpoint.

protected void validateDestinationEndpoint(final LogoutResponse logoutResponse, final SAML2MessageContext context) {
    final List<String> expected = new ArrayList<>();
    if (StringUtils.isBlank(this.expectedDestination)) {
        // First SingleLogoutService in the SP's own metadata, whatever its Binding;
        // both its Location and ResponseLocation are accepted as Destination.
        final Endpoint endpoint = Objects.requireNonNull(context.getSPSSODescriptor().getSingleLogoutServices().get(0));
        if (endpoint.getLocation() != null) {
            expected.add(endpoint.getLocation());
        }
        if (endpoint.getResponseLocation() != null) {
            expected.add(endpoint.getResponseLocation());
        }
    } else {
        expected.add(this.expectedDestination);
    }
    final boolean isDestinationMandatory = context.getSAML2Configuration().isResponseDestinationAttributeMandatory();
    verifyEndpoint(expected, logoutResponse.getDestination(), isDestinationMandatory);
}
Also used : Endpoint(org.opensaml.saml.saml2.metadata.Endpoint) ArrayList(java.util.ArrayList)
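validateDestinationEndpoint above leaves the actual comparison to verifyEndpoint, and its two inputs are a list of acceptable URLs and a flag saying whether Destination may be absent. The Python below is an added example for this page, not pac4j code, showing one way to implement that check end to end. It goes slightly beyond the method shown: instead of taking the first SingleLogoutService regardless of binding, it collects the Location and ResponseLocation of every service whose Binding matches the one the LogoutResponse arrived on, and it compares URLs after normalising scheme and host case and the default port, never by prefix. The metadata entries and URLs are constructed for the example; the exact comparison rules are this example's own choice, not a description of pac4j's URIComparator.

```python
from urllib.parse import urlsplit

POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed SingleLogoutService entries of an SPSSODescriptor (made-up URLs).
SP_SLO_SERVICES = [
    {"binding": REDIRECT, "location": "https://sp.example.test/logout",
     "response_location": "https://sp.example.test/logout/response"},
    {"binding": POST, "location": "https://sp.example.test/logout/post",
     "response_location": None},
]


class DestinationError(ValueError):
    """Raised when the Destination attribute cannot be accepted."""


def _normalize(url):
    """Scheme and host compared case-insensitively, default port dropped, path and
    query compared byte for byte. Anything looser (prefix or substring matching)
    would accept 'https://sp.example.test.evil.test/logout'."""
    p = urlsplit(url)
    port = p.port
    if (p.scheme.lower(), port) in (("https", 443), ("http", 80)):
        port = None
    return (p.scheme.lower(), (p.hostname or "").lower(), port, p.path or "/", p.query)


def expected_destinations(slo_services, binding, configured=None):
    """A configured expectedDestination wins, as in pac4j. Otherwise both the
    Location and the ResponseLocation of every SingleLogoutService whose Binding
    matches the binding the response arrived on are acceptable."""
    if configured:
        return [configured]
    expected = []
    for svc in slo_services:
        if svc["binding"] != binding:
            continue
        for key in ("location", "response_location"):
            if svc.get(key):
                expected.append(svc[key])
    return expected


def verify_destination(expected, actual, mandatory):
    """Return the matching expected URL, None when Destination is absent and the
    deployment treats it as optional, or raise DestinationError."""
    if not actual:
        if mandatory:
            raise DestinationError("Destination is mandatory but missing")
        return None
    if not expected:
        raise DestinationError("no endpoint available to compare Destination against")
    wanted = _normalize(actual)
    for candidate in expected:
        if _normalize(candidate) == wanted:
            return candidate
    raise DestinationError(f"Destination {actual!r} matches none of {expected}")


if __name__ == "__main__":
    expected = expected_destinations(SP_SLO_SERVICES, REDIRECT)
    print(verify_destination(expected, "https://SP.example.test:443/logout/response", True))
```

Whether Destination may be absent is a deployment decision (the isResponseDestinationAttributeMandatory flag in the code above); when the response is signed and the binding is HTTP-Redirect or HTTP-POST, requiring it closes off replaying a response captured for one endpoint against another.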

Aggregations

Endpoint (org.opensaml.saml.saml2.metadata.Endpoint)6 SAMLObject (org.opensaml.saml.common.SAMLObject)5 AuthnRequest (org.opensaml.saml.saml2.core.AuthnRequest)5 RequestAbstractType (org.opensaml.saml.saml2.core.RequestAbstractType)5 lombok.val (lombok.val)4 MessageDecodingException (org.opensaml.messaging.decoder.MessageDecodingException)4 MessageEncodingException (org.opensaml.messaging.encoder.MessageEncodingException)4 StatusResponseType (org.opensaml.saml.saml2.core.StatusResponseType)4 ArrayList (java.util.ArrayList)3 UnauthorizedServiceException (org.apereo.cas.services.UnauthorizedServiceException)3 DateTime (org.joda.time.DateTime)3 SignableSAMLObject (org.opensaml.saml.common.SignableSAMLObject)3 AssertionConsumerService (org.opensaml.saml.saml2.metadata.AssertionConsumerService)3 IDPSSODescriptor (org.opensaml.saml.saml2.metadata.IDPSSODescriptor)3 Endpoint (org.opensaml.saml2.metadata.Endpoint)3 MalformedURLException (java.net.MalformedURLException)2 URI (java.net.URI)2 URISyntaxException (java.net.URISyntaxException)2 HashMap (java.util.HashMap)2 Nonnull (javax.annotation.Nonnull)2