Example 26 with Endpoint

Use of org.opensaml.saml.saml2.metadata.Endpoint in project pac4j by pac4j, in the class SAML2AuthnResponseValidator, method validateSamlProtocolResponse.

/**
 * Validates the SAML protocol response:
 * - IssueInstant
 * - Issuer
 * - StatusCode
 * - Signature
 *
 * @param response the response
 * @param context  the context
 * @param engine   the engine
 */
protected void validateSamlProtocolResponse(final Response response, final SAML2MessageContext context, final SignatureTrustEngine engine) {
    var configContext = context.getConfigurationContext();
    // StatusCode must be urn:oasis:names:tc:SAML:2.0:status:Success
    validateSuccess(response.getStatus());
    if (!response.getVersion().equals(SAMLVersion.VERSION_20)) {
        throw new SAMLException("Invalid SAML version assigned to the response " + response.getVersion());
    }
    // When the SP is configured to require signed responses, an unsigned response is rejected outright
    if (configContext.isWantsResponsesSigned() && response.getSignature() == null) {
        logger.debug("Unable to find a signature on the SAML response returned. Pac4j is configured to enforce "
            + "signatures on SAML2 responses from identity providers and the returned response\n{}\n"
            + "does not contain any signature", Configuration.serializeSamlObject(response));
        throw new SAMLSignatureValidationException("Unable to find a signature on the SAML response returned");
    }
    // A signature that is present is always verified against the trust engine, even when not mandatory
    validateSignatureIfItExists(response.getSignature(), context, engine);
    validateIssueInstant(response.getIssueInstant());
    // Correlate the response with the AuthnRequest this SP actually sent (InResponseTo)
    AuthnRequest request = null;
    final var messageStorage = context.getSAMLMessageStore();
    if (messageStorage != null && response.getInResponseTo() != null) {
        final var xmlObject = messageStorage.get(response.getInResponseTo());
        if (xmlObject.isEmpty()) {
            throw new SAMLInResponseToMismatchException("InResponseToField of the Response doesn't correspond to sent message " + response.getInResponseTo());
        } else if (xmlObject.get() instanceof AuthnRequest) {
            request = (AuthnRequest) xmlObject.get();
        } else {
            throw new SAMLInResponseToMismatchException("Sent request was of different type than the expected AuthnRequest " + response.getInResponseTo());
        }
    }
    // The Destination attribute must match one of this SP's endpoint locations (Location or ResponseLocation)
    final var endpoint = Objects.requireNonNull(context.getSAMLEndpointContext().getEndpoint());
    final List<String> expected = new ArrayList<>();
    if (endpoint.getLocation() != null) {
        expected.add(endpoint.getLocation());
    }
    if (endpoint.getResponseLocation() != null) {
        expected.add(endpoint.getResponseLocation());
    }
    final boolean isDestinationMandatory = context.getSAML2Configuration().isResponseDestinationAttributeMandatory();
    verifyEndpoint(expected, response.getDestination(), isDestinationMandatory);
    if (request != null) {
        verifyRequest(request, context);
    }
    validateIssuerIfItExists(response.getIssuer(), context);
}
Also used: SAMLInResponseToMismatchException (org.pac4j.saml.exceptions.SAMLInResponseToMismatchException), SAMLSignatureValidationException (org.pac4j.saml.exceptions.SAMLSignatureValidationException), AuthnRequest (org.opensaml.saml.saml2.core.AuthnRequest), ArrayList (java.util.ArrayList), SAMLException (org.pac4j.saml.exceptions.SAMLException)

Example 27 with Endpoint

Use of org.opensaml.saml.saml2.metadata.Endpoint in project MaxKey by dromara, in the class EndpointGenerator, method generateEndpoint.

public Endpoint generateEndpoint(String location, String responseLocation, QName service) {
    logger.debug("end point service: {}", service);
    logger.debug("end point location: {}", location);
    logger.debug("end point responseLocation: {}", responseLocation);
    Endpoint samlEndpoint;
    if (null == service) {
        service = AssertionConsumerService.DEFAULT_ELEMENT_NAME;
    }
    samlEndpoint = new AssertionConsumerServiceBuilder().buildObject(service);
    samlEndpoint.setLocation(location);
    // ResponseLocation is optional in SAML metadata and is only set when supplied
    if (StringUtils.isNotEmpty(responseLocation)) {
        samlEndpoint.setResponseLocation(responseLocation);
    }
    return samlEndpoint;
}
Also used: Endpoint (org.opensaml.saml2.metadata.Endpoint), AssertionConsumerServiceBuilder (org.opensaml.saml2.metadata.impl.AssertionConsumerServiceBuilder)

Example 28 with Endpoint

Use of org.opensaml.saml.saml2.metadata.Endpoint in project identity-inbound-auth-oauth by wso2-extensions, in the class SAML2BearerGrantHandler, method processSubjectConfirmation.

/**
 * The <Subject> element MUST contain at least one <SubjectConfirmation> element that allows the authorization
 * server to confirm it as a Bearer Assertion.  Such a <SubjectConfirmation> element MUST have a Method attribute
 * with a value of "urn:oasis:names:tc:SAML:2.0:cm:bearer". The <SubjectConfirmation> element MUST contain a
 * <SubjectConfirmationData> element, unless the Assertion has a suitable NotOnOrAfter attribute on the
 * <Conditions> element, in which case the <SubjectConfirmationData> element MAY be omitted. When present,
 * the <SubjectConfirmationData> element MUST have a Recipient attribute with a value indicating the token endpoint
 * URL of the authorization server (or an acceptable alias).  The authorization server MUST verify that the
 * value of the Recipient attribute matches the token endpoint URL (or an acceptable alias) to which the
 * Assertion was delivered. The <SubjectConfirmationData> element MUST have a NotOnOrAfter attribute that limits the
 * window during which the Assertion can be confirmed.  The <SubjectConfirmationData> element MAY also contain an
 * Address attribute limiting the client address from which the Assertion can be delivered.  Verification of the
 * Address is at the discretion of the authorization server.
 * @param tokReqMsgCtx
 * @param assertion
 * @param identityProvider
 * @param tenantDomain
 * @param timeSkew
 * @throws IdentityOAuth2Exception
 */
private void processSubjectConfirmation(OAuthTokenReqMessageContext tokReqMsgCtx, Assertion assertion, IdentityProvider identityProvider, String tenantDomain, long timeSkew) throws IdentityOAuth2Exception {
    boolean bearerFound = false;
    Map<DateTime, DateTime> notOnOrAfterAndNotBeforeFromSubjectConfirmation = new HashMap<>();
    List<String> recipientURLS = new ArrayList<>();
    List<SubjectConfirmation> subjectConfirmations = getSubjectConfirmations(assertion);
    for (SubjectConfirmation subjectConfirmation : subjectConfirmations) {
        bearerFound = updateBearerFound(subjectConfirmation, bearerFound);
        if (subjectConfirmation.getSubjectConfirmationData() != null) {
            recipientURLS.addAll(getRecipientUrls(subjectConfirmation.getSubjectConfirmationData()));
            notOnOrAfterAndNotBeforeFromSubjectConfirmation = getValidNotBeforeAndAfterDetails(subjectConfirmation.getSubjectConfirmationData(), timeSkew);
        }
    }
    validateBearer(bearerFound);
    String tokenEPAlias = getTokenEPAlias(assertion, identityProvider, tenantDomain);
    validateRecipient(assertion, tokenEPAlias, recipientURLS);
    setValidityPeriod(tokReqMsgCtx, assertion, notOnOrAfterAndNotBeforeFromSubjectConfirmation);
}
Also used: SubjectConfirmation (org.opensaml.saml.saml2.core.SubjectConfirmation), HashMap (java.util.HashMap), ArrayList (java.util.ArrayList), DateTime (org.joda.time.DateTime)

Example 29 with Endpoint

Use of org.opensaml.saml.saml2.metadata.Endpoint in project datarouter by hotpads, in the class SamlTool, method buildIdpEndpoint.

private static Endpoint buildIdpEndpoint(String identityProviderSingleSignOnServiceUrl) {
    SingleSignOnService endpoint = build(SingleSignOnService.DEFAULT_ELEMENT_NAME);
    endpoint.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
    endpoint.setLocation(identityProviderSingleSignOnServiceUrl);
    return endpoint;
}
Also used: SingleSignOnService (org.opensaml.saml.saml2.metadata.SingleSignOnService)
