use of org.opensaml.saml.saml2.metadata.Endpoint in project pac4j by pac4j.
Class SAML2AuthnResponseValidator, method validateSamlProtocolResponse:
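/**
 * Validates the protocol-level SAML {@code <Response>} before any assertion it carries is inspected.
 *
 * <p>Checks run in this order and each one throws on failure:
 * <ol>
 *   <li>status code must be Success ({@code validateSuccess})</li>
 *   <li>SAML version must be 2.0; a missing (null) version is rejected the same way</li>
 *   <li>signature: mandatory when the configuration wants signed responses, in which case an absent
 *       signature is fatal; when present it is verified with {@code engine}. When signatures are not
 *       required and none is present, the response passes this step unsigned.</li>
 *   <li>IssueInstant freshness</li>
 *   <li>InResponseTo correlation: only performed when a message store is configured AND the response
 *       carries an InResponseTo; then the stored message must exist and be an {@link AuthnRequest}.
 *       A response without InResponseTo is not correlated at all (presumably to allow IdP-initiated
 *       SSO - confirm that is acceptable for the deployment)</li>
 *   <li>Destination must match the endpoint's Location or ResponseLocation; how a missing Destination
 *       is treated is governed by {@code isResponseDestinationAttributeMandatory()}</li>
 *   <li>the original AuthnRequest, when one was found, is verified against the context</li>
 *   <li>Issuer, when present</li>
 * </ol>
 *
 * @param response the SAML response to validate
 * @param context  the message context carrying configuration, endpoint context and message store
 * @param engine   the trust engine used to verify the response signature
 * @throws SAMLException                     when the response is not SAML 2.0
 * @throws SAMLSignatureValidationException  when a signature is required but absent
 * @throws SAMLInResponseToMismatchException when InResponseTo names an unknown message or one that is
 *                                           not an AuthnRequest
 * @throws NullPointerException              when the endpoint context carries no endpoint
 */
protected void validateSamlProtocolResponse(final Response response, final SAML2MessageContext context, final SignatureTrustEngine engine) {
    final var configContext = context.getConfigurationContext();

    validateSuccess(response.getStatus());

    // Compare from the constant side: a response whose Version attribute did not unmarshal (null)
    // is rejected with a SAMLException instead of escaping as a NullPointerException.
    final var version = response.getVersion();
    if (!SAMLVersion.VERSION_20.equals(version)) {
        throw new SAMLException("Invalid SAML version assigned to the response " + version);
    }

    // A missing signature is only fatal when the configuration demands signed responses; otherwise
    // an unsigned response passes this step and only a signature that is present gets verified.
    final var signature = response.getSignature();
    if (configContext.isWantsResponsesSigned() && signature == null) {
        logger.debug("Unable to find a signature on the SAML response returned. Pac4j is configured to enforce " + "signatures on SAML2 responses from identity providers and the returned response\n{}\n" + "does not contain any signature", Configuration.serializeSamlObject(response));
        throw new SAMLSignatureValidationException("Unable to find a signature on the SAML response returned");
    }
    validateSignatureIfItExists(signature, context, engine);

    validateIssueInstant(response.getIssueInstant());

    // null when the response is unsolicited or no message store is configured (see helper).
    final AuthnRequest request = findOriginalAuthnRequest(response, context);

    final var endpoint = Objects.requireNonNull(context.getSAMLEndpointContext().getEndpoint(), "No SAML endpoint in the message context");
    final boolean isDestinationMandatory = context.getSAML2Configuration().isResponseDestinationAttributeMandatory();
    verifyEndpoint(expectedDestinations(endpoint), response.getDestination(), isDestinationMandatory);

    if (request != null) {
        verifyRequest(request, context);
    }

    validateIssuerIfItExists(response.getIssuer(), context);
}

/**
 * Resolves the AuthnRequest that the response answers, using the context's message store.
 *
 * @param response the response whose InResponseTo is looked up
 * @param context  the message context providing the message store
 * @return the stored AuthnRequest, or {@code null} when no message store is configured or the
 *         response carries no InResponseTo - in both cases no correlation check happens
 * @throws SAMLInResponseToMismatchException when InResponseTo names an unknown message or one that
 *                                           is not an AuthnRequest
 */
private AuthnRequest findOriginalAuthnRequest(final Response response, final SAML2MessageContext context) {
    final var messageStorage = context.getSAMLMessageStore();
    final var inResponseTo = response.getInResponseTo();
    if (messageStorage == null || inResponseTo == null) {
        return null;
    }
    final var stored = messageStorage.get(inResponseTo);
    if (stored.isEmpty()) {
        throw new SAMLInResponseToMismatchException("InResponseToField of the Response doesn't correspond to sent message " + inResponseTo);
    }
    if (!(stored.get() instanceof AuthnRequest)) {
        throw new SAMLInResponseToMismatchException("Sent request was of different type than the expected AuthnRequest " + inResponseTo);
    }
    return (AuthnRequest) stored.get();
}

/**
 * Destinations the response is allowed to name: the endpoint's Location and ResponseLocation,
 * each included only when set.
 *
 * @param endpoint the endpoint the response was received on
 * @return the non-null locations, possibly empty
 */
private static List<String> expectedDestinations(final Endpoint endpoint) {
    final List<String> expected = new ArrayList<>(2);
    if (endpoint.getLocation() != null) {
        expected.add(endpoint.getLocation());
    }
    if (endpoint.getResponseLocation() != null) {
        expected.add(endpoint.getResponseLocation());
    }
    return expected;
}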
use of org.opensaml.saml.saml2.metadata.Endpoint in project MaxKey by dromara.
Class EndpointGenerator, method generateEndpoint:
/**
 * Builds a metadata {@link Endpoint} element for the given service QName.
 *
 * <p>The element is always produced by {@link AssertionConsumerServiceBuilder}, whatever
 * {@code service} names; a {@code null} service falls back to
 * {@code AssertionConsumerService.DEFAULT_ELEMENT_NAME}. {@code location} is set unconditionally,
 * {@code responseLocation} only when it is neither null nor empty.
 *
 * <p>NOTE(review): no Binding attribute is set here; the SAML metadata EndpointType presumably
 * requires one, so confirm the caller sets it before the metadata is published.
 *
 * @param location         the endpoint Location
 * @param responseLocation the optional ResponseLocation; ignored when null or empty
 * @param service          the element QName to build, or null for the AssertionConsumerService default
 * @return the built endpoint
 */
public Endpoint generateEndpoint(String location, String responseLocation, QName service) {
    logger.debug("end point service: {}", service);
    logger.debug("end point location: {}", location);
    logger.debug("end point responseLocation: {}", responseLocation);

    final QName elementName = (service == null) ? AssertionConsumerService.DEFAULT_ELEMENT_NAME : service;
    final Endpoint endpoint = new AssertionConsumerServiceBuilder().buildObject(elementName);
    endpoint.setLocation(location);

    // ResponseLocation is optional; same test as StringUtils.isNotEmpty.
    final boolean hasResponseLocation = responseLocation != null && !responseLocation.isEmpty();
    if (hasResponseLocation) {
        endpoint.setResponseLocation(responseLocation);
    }
    return endpoint;
}
use of org.opensaml.saml.saml2.metadata.Endpoint in project identity-inbound-auth-oauth by wso2-extensions.
Class SAML2BearerGrantHandler, method processSubjectConfirmation:
/**
 * Checks the {@code <Subject>}'s {@code <SubjectConfirmation>} elements as required for a SAML 2.0
 * bearer assertion (RFC 7522, section 3): at least one confirmation must use the bearer method
 * ({@code urn:oasis:names:tc:SAML:2.0:cm:bearer}), the Recipient of the confirmation data must name
 * this server's token endpoint or an accepted alias, and the confirmation data's NotOnOrAfter /
 * NotBefore bound the window in which the assertion may be used. The optional Address attribute
 * is not verified here.
 *
 * <p>Observed behaviour of this implementation:
 * <ul>
 *   <li>Recipient URLs are collected from every {@code <SubjectConfirmationData>}, regardless of
 *       the confirmation's Method; validateRecipient presumably passes if any collected URL
 *       matches - verify that a non-bearer confirmation cannot satisfy it on its own.</li>
 *   <li>NOTE(review): the validity map is reassigned on every iteration, so with several
 *       {@code <SubjectConfirmationData>} elements only the last one's window reaches
 *       setValidityPeriod - confirm this is intended.</li>
 * </ul>
 *
 * @param tokReqMsgCtx     token request context whose validity period is set from the assertion
 * @param assertion        the bearer assertion being validated
 * @param identityProvider the IdP that issued the assertion, used to resolve the token endpoint alias
 * @param tenantDomain     tenant the request belongs to
 * @param timeSkew         tolerated clock skew, in the unit getValidNotBeforeAndAfterDetails expects
 * @throws IdentityOAuth2Exception when one of the helpers rejects the assertion (no bearer
 *                                 confirmation, Recipient mismatch, or - presumably - an invalid
 *                                 time window)
 */
private void processSubjectConfirmation(OAuthTokenReqMessageContext tokReqMsgCtx, Assertion assertion, IdentityProvider identityProvider, String tenantDomain, long timeSkew) throws IdentityOAuth2Exception {
    final List<SubjectConfirmation> confirmations = getSubjectConfirmations(assertion);
    final List<String> recipients = new ArrayList<>();
    Map<DateTime, DateTime> validityWindow = new HashMap<>();
    boolean bearerMethodSeen = false;

    for (SubjectConfirmation confirmation : confirmations) {
        bearerMethodSeen = updateBearerFound(confirmation, bearerMethodSeen);
        final SubjectConfirmationData data = confirmation.getSubjectConfirmationData();
        if (data == null) {
            continue;
        }
        recipients.addAll(getRecipientUrls(data));
        validityWindow = getValidNotBeforeAndAfterDetails(data, timeSkew);
    }

    validateBearer(bearerMethodSeen);
    final String tokenEndpointAlias = getTokenEPAlias(assertion, identityProvider, tenantDomain);
    validateRecipient(assertion, tokenEndpointAlias, recipients);
    setValidityPeriod(tokReqMsgCtx, assertion, validityWindow);
}
use of org.opensaml.saml.saml2.metadata.Endpoint in project datarouter by hotpads.
Class SamlTool, method buildIdpEndpoint:
/**
 * Builds the IdP SingleSignOnService endpoint that authentication requests are sent to.
 * The binding is fixed to HTTP-Redirect; the location is the given IdP SSO URL.
 *
 * @param identityProviderSingleSignOnServiceUrl the IdP's SingleSignOnService location
 * @return a SingleSignOnService endpoint with the HTTP-Redirect binding and that location
 */
private static Endpoint buildIdpEndpoint(String identityProviderSingleSignOnServiceUrl) {
    final SingleSignOnService ssoService = build(SingleSignOnService.DEFAULT_ELEMENT_NAME);
    ssoService.setLocation(identityProviderSingleSignOnServiceUrl);
    ssoService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
    return ssoService;
}