Examples with Endpoint org.opensaml.saml.saml2.metadata.Endpoint used on opensource projects

Example 26 with Endpoint

use of org.opensaml.saml.saml2.metadata.Endpoint in project pac4j by pac4j.

the class SAML2AuthnResponseValidator method validateSamlProtocolResponse.

/**
 * Validates the SAML protocol response:
 * - IssueInstant
 * - Issuer
 * - StatusCode
 * - Signature
 *
 * @param response the response
 * @param context  the context
 * @param engine   the engine
 */
protected void validateSamlProtocolResponse(final Response response, final SAML2MessageContext context, final SignatureTrustEngine engine) {
    var configContext = context.getConfigurationContext();
    validateSuccess(response.getStatus());
    if (!response.getVersion().equals(SAMLVersion.VERSION_20)) {
        throw new SAMLException("Invalid SAML version assigned to the response " + response.getVersion());
    }
    if (configContext.isWantsResponsesSigned() && response.getSignature() == null) {
        logger.debug("Unable to find a signature on the SAML response returned. Pac4j is configured to enforce " + "signatures on SAML2 responses from identity providers and the returned response\n{}\n" + "does not contain any signature", Configuration.serializeSamlObject(response));
        throw new SAMLSignatureValidationException("Unable to find a signature on the SAML response returned");
    }
    validateSignatureIfItExists(response.getSignature(), context, engine);
    validateIssueInstant(response.getIssueInstant());
    AuthnRequest request = null;
    final var messageStorage = context.getSAMLMessageStore();
    if (messageStorage != null && response.getInResponseTo() != null) {
        final var xmlObject = messageStorage.get(response.getInResponseTo());
        if (xmlObject.isEmpty()) {
            throw new SAMLInResponseToMismatchException("InResponseToField of the Response doesn't correspond to sent message " + response.getInResponseTo());
        } else if (xmlObject.get() instanceof AuthnRequest) {
            request = (AuthnRequest) xmlObject.get();
        } else {
            throw new SAMLInResponseToMismatchException("Sent request was of different type than the expected AuthnRequest " + response.getInResponseTo());
        }
    }
    final var endpoint = Objects.requireNonNull(context.getSAMLEndpointContext().getEndpoint());
    final List<String> expected = new ArrayList<>();
    if (endpoint.getLocation() != null) {
        expected.add(endpoint.getLocation());
    }
    if (endpoint.getResponseLocation() != null) {
        expected.add(endpoint.getResponseLocation());
    }
    final boolean isDestinationMandatory = context.getSAML2Configuration().isResponseDestinationAttributeMandatory();
    verifyEndpoint(expected, response.getDestination(), isDestinationMandatory);
    if (request != null) {
        verifyRequest(request, context);
    }
    validateIssuerIfItExists(response.getIssuer(), context);
}

Example 27 with Endpoint

use of org.opensaml.saml.saml2.metadata.Endpoint in project MaxKey by dromara.

the class EndpointGenerator method generateEndpoint.

public Endpoint generateEndpoint(String location, String responseLocation, QName service) {
    logger.debug("end point service: {}", service);
    logger.debug("end point location: {}", location);
    logger.debug("end point responseLocation: {}", responseLocation);
    Endpoint samlEndpoint;
    if (null == service) {
        service = AssertionConsumerService.DEFAULT_ELEMENT_NAME;
    }
    samlEndpoint = new AssertionConsumerServiceBuilder().buildObject(service);
    samlEndpoint.setLocation(location);
    // this does not have to be set
    if (StringUtils.isNotEmpty(responseLocation)) {
        samlEndpoint.setResponseLocation(responseLocation);
    }
    return samlEndpoint;
}

Example 28 with Endpoint

use of org.opensaml.saml.saml2.metadata.Endpoint in project identity-inbound-auth-oauth by wso2-extensions.

the class SAML2BearerGrantHandler method processSubjectConfirmation.

/**
 * The <Subject> element MUST contain at least one <SubjectConfirmation> element that allows the authorization
 * server to confirm it as a Bearer Assertion.  Such a <SubjectConfirmation> element MUST have a Method attribute
 * with a value of "urn:oasis:names:tc:SAML:2.0:cm:bearer". The <SubjectConfirmation> element MUST contain a
 * <SubjectConfirmationData> element, unless the Assertion has a suitable NotOnOrAfter attribute on the
 * <Conditions> element, in which case the <SubjectConfirmationData> element MAY be omitted. When present,
 * the <SubjectConfirmationData> element MUST have a Recipient attribute with a value indicating the token endpoint
 * URL of the authorization server (or an acceptable alias).  The authorization server MUST verify that the
 * value of the Recipient attribute matches the token endpoint URL (or an acceptable alias) to which the
 * Assertion was delivered. The <SubjectConfirmationData> element MUST have a NotOnOrAfter attribute that limits the
 * window during which the Assertion can be confirmed.  The <SubjectConfirmationData> element MAY also contain an
 * Address attribute limiting the client address from which the Assertion can be delivered.  Verification of the
 * Address is at the discretion of the authorization server.
 * @param tokReqMsgCtx
 * @param assertion
 * @param identityProvider
 * @param tenantDomain
 * @param timeSkew
 * @throws IdentityOAuth2Exception
 */
private void processSubjectConfirmation(OAuthTokenReqMessageContext tokReqMsgCtx, Assertion assertion, IdentityProvider identityProvider, String tenantDomain, long timeSkew) throws IdentityOAuth2Exception {
    boolean bearerFound = false;
    Map<DateTime, DateTime> notOnOrAfterAndNotBeforeFromSubjectConfirmation = new HashMap<>();
    List<String> recipientURLS = new ArrayList<>();
    List<SubjectConfirmation> subjectConfirmations = getSubjectConfirmations(assertion);
    for (SubjectConfirmation subjectConfirmation : subjectConfirmations) {
        bearerFound = updateBearerFound(subjectConfirmation, bearerFound);
        if (subjectConfirmation.getSubjectConfirmationData() != null) {
            recipientURLS.addAll(getRecipientUrls(subjectConfirmation.getSubjectConfirmationData()));
            notOnOrAfterAndNotBeforeFromSubjectConfirmation = getValidNotBeforeAndAfterDetails(subjectConfirmation.getSubjectConfirmationData(), timeSkew);
        }
    }
    validateBearer(bearerFound);
    String tokenEPAlias = getTokenEPAlias(assertion, identityProvider, tenantDomain);
    validateRecipient(assertion, tokenEPAlias, recipientURLS);
    setValidityPeriod(tokReqMsgCtx, assertion, notOnOrAfterAndNotBeforeFromSubjectConfirmation);
}

Example 29 with Endpoint

use of org.opensaml.saml.saml2.metadata.Endpoint in project datarouter by hotpads.

the class SamlTool method buildIdpEndpoint.

private static Endpoint buildIdpEndpoint(String identityProviderSingleSignOnServiceUrl) {
    SingleSignOnService endpoint = build(SingleSignOnService.DEFAULT_ELEMENT_NAME);
    endpoint.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
    endpoint.setLocation(identityProviderSingleSignOnServiceUrl);
    return endpoint;
}