
Example 1 with EntityDescriptor

use of org.opensaml.saml.saml2.metadata.EntityDescriptor in project cas by apereo.

From class SamlSPUtils, method newSamlServiceProviderService.

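/**
 * Builds a {@link SamlRegisteredService} registration from configured service-provider
 * properties.
 * <p>
 * The attribute release policy is a mapped release of {@code sp.getAttributes()} plus the
 * name-id attribute when one is configured. Entity ids come from the properties; when none
 * are configured, metadata is resolved and the first entity descriptor carrying a SAML 2.0
 * SP role supplies one. The configured id list is copied before it is extended so that the
 * properties object is never mutated by this method.
 *
 * @param sp       the service-provider properties
 * @param resolver the metadata resolver used to discover entity ids
 * @return the saml registered service, or {@code null} when no metadata location, no
 *         metadata resolver or no entity id is available
 */
public static SamlRegisteredService newSamlServiceProviderService(final AbstractSamlSPProperties sp, final SamlRegisteredServiceCachingMetadataResolver resolver) {
    if (StringUtils.isBlank(sp.getMetadata())) {
        LOGGER.debug("Skipped registration of [{}] since no metadata location is found", sp.getName());
        return null;
    }
    try {
        final SamlRegisteredService service = new SamlRegisteredService();
        service.setName(sp.getName());
        service.setDescription(sp.getDescription());
        service.setEvaluationOrder(Integer.MIN_VALUE);
        service.setMetadataLocation(sp.getMetadata());

        final List<String> attributesToRelease = new ArrayList<>(sp.getAttributes());
        if (StringUtils.isNotBlank(sp.getNameIdAttribute())) {
            // The name-id attribute must itself be released so the username provider can read it.
            attributesToRelease.add(sp.getNameIdAttribute());
            service.setUsernameAttributeProvider(new PrincipalAttributeRegisteredServiceUsernameProvider(sp.getNameIdAttribute()));
        }
        if (StringUtils.isNotBlank(sp.getNameIdFormat())) {
            service.setRequiredNameIdFormat(sp.getNameIdFormat());
        }
        final Map<String, String> attributes = Beans.transformPrincipalAttributesListIntoMap(attributesToRelease);
        service.setAttributeReleasePolicy(new ReturnMappedAttributeReleasePolicy(attributes));

        // Only SP roles are of interest for this registration.
        service.setMetadataCriteriaRoles(SPSSODescriptor.DEFAULT_ELEMENT_NAME.getLocalPart());
        service.setMetadataCriteriaRemoveEmptyEntitiesDescriptors(true);
        service.setMetadataCriteriaRemoveRolelessEntityDescriptors(true);
        if (StringUtils.isNotBlank(sp.getSignatureLocation())) {
            service.setMetadataSignatureLocation(sp.getSignatureLocation());
        }

        // Copy the configured ids: discovered ids are appended below and must not leak back
        // into the properties object.
        final List<String> entityIDList = new ArrayList<>(sp.getEntityIds());
        if (entityIDList.isEmpty()) {
            final ChainingMetadataResolver chainingResolver = resolver.resolve(service);
            if (chainingResolver.getResolvers().isEmpty()) {
                LOGGER.warn("Skipped registration of [{}] since no metadata resolver could be constructed", sp.getName());
                return null;
            }
            // Each batch resolver may contribute one id: the first entity with a SAML 2.0 SP role.
            chainingResolver.getResolvers().forEach(r -> {
                if (r instanceof AbstractBatchMetadataResolver) {
                    final Iterator<EntityDescriptor> it = ((AbstractBatchMetadataResolver) r).iterator();
                    final Optional<EntityDescriptor> descriptor = StreamSupport.stream(Spliterators.spliteratorUnknownSize(it, Spliterator.ORDERED), false).filter(e -> e.getSPSSODescriptor(SAMLConstants.SAML20P_NS) != null).findFirst();
                    if (descriptor.isPresent()) {
                        entityIDList.add(descriptor.get().getEntityID());
                    } else {
                        LOGGER.warn("Skipped registration of [{}] since no entity id could be found", sp.getName());
                    }
                }
            });
        }
        if (entityIDList.isEmpty()) {
            LOGGER.warn("Skipped registration of [{}] since no metadata entity ids could be found", sp.getName());
            return null;
        }

        // Entity ids are joined with '|' and used verbatim as both the metadata criteria pattern
        // and the service id; ids containing regex metacharacters are not quoted here, so the
        // resulting match may be looser than an exact comparison.
        final String entityIds = org.springframework.util.StringUtils.collectionToDelimitedString(entityIDList, "|");
        service.setMetadataCriteriaDirection(PredicateFilter.Direction.INCLUDE.name());
        service.setMetadataCriteriaPattern(entityIds);
        LOGGER.debug("Registering saml service [{}] by entity id [{}]", sp.getName(), entityIds);
        service.setServiceId(entityIds);
        return service;
    } catch (final Exception e) {
        throw Throwables.propagate(e);
    }
}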

Example 2 with EntityDescriptor

use of org.opensaml.saml.saml2.metadata.EntityDescriptor in project cas by apereo.

From class BaseSamlRegisteredServiceAttributeReleasePolicy, method getAttributesInternal.

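/**
 * Resolves attributes for a SAML registered service using the requesting service
 * provider's metadata.
 * <p>
 * The entity id is read from the request: first the
 * {@link SamlProtocolConstants#PARAMETER_ENTITY_ID} parameter, then, if blank, the same
 * parameter embedded as a query parameter of the
 * {@link CasProtocolConstants#PARAMETER_SERVICE} value. Whenever the request, the
 * application context, the metadata facade or the entity descriptor cannot be located,
 * the superclass policy is applied unchanged. Non-SAML services always fall through to
 * the superclass.
 *
 * @param attrs   the resolved principal attributes
 * @param service the registered service being accessed
 * @return the attributes to release
 */
@Override
protected Map<String, Object> getAttributesInternal(final Map<String, Object> attrs, final RegisteredService service) {
    if (service instanceof SamlRegisteredService) {
        final SamlRegisteredService saml = (SamlRegisteredService) service;
        final HttpServletRequest request = WebUtils.getHttpServletRequestFromRequestAttributes();
        if (request == null) {
            LOGGER.warn("Could not locate the request context to process attributes");
            return super.getAttributesInternal(attrs, service);
        }
        // The entity id is request-controlled and not verified here; the facade lookup below is
        // presumably scoped to the registered service's own metadata — confirm against
        // SamlRegisteredServiceServiceProviderMetadataFacade.get.
        String entityId = request.getParameter(SamlProtocolConstants.PARAMETER_ENTITY_ID);
        if (StringUtils.isBlank(entityId)) {
            final String svcParam = request.getParameter(CasProtocolConstants.PARAMETER_SERVICE);
            if (StringUtils.isNotBlank(svcParam)) {
                try {
                    final URIBuilder builder = new URIBuilder(svcParam);
                    entityId = builder.getQueryParams().stream().filter(p -> p.getName().equals(SamlProtocolConstants.PARAMETER_ENTITY_ID)).map(NameValuePair::getValue).findFirst().orElse(StringUtils.EMPTY);
                } catch (final Exception e) {
                    // A malformed service URL is not fatal: the lookup continues with a blank id.
                    // Keep the stack trace; the message alone does not identify the failure.
                    LOGGER.error(e.getMessage(), e);
                }
            }
        }
        final ApplicationContext ctx = ApplicationContextProvider.getApplicationContext();
        if (ctx == null) {
            LOGGER.warn("Could not locate the application context to process attributes");
            return super.getAttributesInternal(attrs, service);
        }
        final SamlRegisteredServiceCachingMetadataResolver resolver = ctx.getBean("defaultSamlRegisteredServiceCachingMetadataResolver", SamlRegisteredServiceCachingMetadataResolver.class);
        final Optional<SamlRegisteredServiceServiceProviderMetadataFacade> facade = SamlRegisteredServiceServiceProviderMetadataFacade.get(resolver, saml, entityId);
        if (facade == null || !facade.isPresent()) {
            LOGGER.warn("Could not locate metadata for [{}] to process attributes", entityId);
            return super.getAttributesInternal(attrs, service);
        }
        final EntityDescriptor input = facade.get().getEntityDescriptor();
        if (input == null) {
            LOGGER.warn("Could not locate entity descriptor for [{}] to process attributes", entityId);
            return super.getAttributesInternal(attrs, service);
        }
        return getAttributesForSamlRegisteredService(attrs, saml, ctx, resolver, facade.get(), input);
    }
    return super.getAttributesInternal(attrs, service);
}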

Example 3 with EntityDescriptor

use of org.opensaml.saml.saml2.metadata.EntityDescriptor in project cas by apereo.

From class MetadataUIUtils, method locateMetadataUserInterfaceForEntityId.

/**
 * Resolves the MDUI {@link UIInfo} extension of an entity descriptor and wraps it in a
 * {@link SamlMetadataUIInfo} for the registered service.
 * <p>
 * A {@code SamlMetadataUIInfo} is always returned. When the descriptor, its SP SSO role,
 * the role's extensions or a {@code UIInfo} element is missing, the returned object carries
 * no UI info. When several {@code UIInfo} elements are present each is applied in list
 * order, so the last one is kept.
 *
 * @param entityDescriptor  the entity descriptor, may be {@code null}
 * @param entityId          the entity id, used for logging only
 * @param registeredService the registered service the ui info is attached to
 * @return the metadata ui info, never {@code null}
 */
public static SamlMetadataUIInfo locateMetadataUserInterfaceForEntityId(final EntityDescriptor entityDescriptor, final String entityId, final RegisteredService registeredService) {
    final SamlMetadataUIInfo result = new SamlMetadataUIInfo(registeredService);
    if (entityDescriptor == null) {
        LOGGER.debug("Entity descriptor not found for [{}]", entityId);
        return result;
    }
    final SPSSODescriptor spRole = getSPSsoDescriptor(entityDescriptor);
    if (spRole == null) {
        LOGGER.debug("SP SSO descriptor not found for [{}]", entityId);
        return result;
    }
    final Extensions roleExtensions = spRole.getExtensions();
    if (roleExtensions == null) {
        LOGGER.debug("No extensions in the SP SSO descriptor are found for [{}]", UIInfo.DEFAULT_ELEMENT_NAME.getNamespaceURI());
        return result;
    }
    final List<XMLObject> uiInfoElements = roleExtensions.getUnknownXMLObjects(UIInfo.DEFAULT_ELEMENT_NAME);
    if (uiInfoElements.isEmpty()) {
        LOGGER.debug("No extensions in the SP SSO descriptor are located for [{}]", UIInfo.DEFAULT_ELEMENT_NAME.getNamespaceURI());
        return result;
    }
    // Elements of another type under the UIInfo element name are skipped.
    for (final XMLObject element : uiInfoElements) {
        if (element instanceof UIInfo) {
            LOGGER.debug("Found MDUI info for [{}]", entityId);
            result.setUIInfo((UIInfo) element);
        }
    }
    return result;
}

Example 4 with EntityDescriptor

use of org.opensaml.saml.saml2.metadata.EntityDescriptor in project cas by apereo.

From class MetadataUIUtils, method getSPSsoDescriptor.

/**
 * Locates the SP SSO role of an entity descriptor, preferring the SAML 2.0 protocol
 * namespace and falling back to SAML 1.1 and then SAML 1.0.
 *
 * @param entityDescriptor the entity descriptor to inspect, must not be {@code null}
 * @return the first SP SSO descriptor found, or {@code null} when the entity declares none
 *         for any of the three protocol namespaces
 * @throws NullPointerException if {@code entityDescriptor} is {@code null}
 */
public static SPSSODescriptor getSPSsoDescriptor(final EntityDescriptor entityDescriptor) {
    LOGGER.debug("Locating SP SSO descriptor for SAML2 protocol...");
    SPSSODescriptor resolved = entityDescriptor.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
    if (resolved == null) {
        LOGGER.debug("Locating SP SSO descriptor for SAML11 protocol...");
        resolved = entityDescriptor.getSPSSODescriptor(SAMLConstants.SAML11P_NS);
        if (resolved == null) {
            LOGGER.debug("Locating SP SSO descriptor for SAML1 protocol...");
            resolved = entityDescriptor.getSPSSODescriptor(SAMLConstants.SAML10P_NS);
        }
    }
    LOGGER.debug("SP SSO descriptor resolved to be [{}]", resolved);
    return resolved;
}

Example 5 with EntityDescriptor

use of org.opensaml.saml.saml2.metadata.EntityDescriptor in project ddf by codice.

From class IdpEndpoint, method retrieveMetadata.

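/**
 * Publishes this IdP's SAML metadata as XML.
 * <p>
 * The signing and encryption certificates are the first certificate found under the
 * default X.509 identifier of the signature and encryption crypto respectively. When a
 * lookup yields no certificate the corresponding metadata value is an empty string rather
 * than an error, so the published metadata may silently lack a key. All endpoint URLs are
 * derived from the system base URL.
 *
 * @return an {@code application/xml} response carrying the serialized entity descriptor
 * @throws WSSecurityException          if a crypto provider cannot be queried
 * @throws CertificateEncodingException if a certificate cannot be encoded
 */
@GET
@Path("/login/metadata")
@Produces("application/xml")
public Response retrieveMetadata() throws WSSecurityException, CertificateEncodingException {
    final List<String> nameIdFormats = new ArrayList<>();
    nameIdFormats.add(SAML2Constants.NAMEID_FORMAT_PERSISTENT);
    nameIdFormats.add(SAML2Constants.NAMEID_FORMAT_UNSPECIFIED);
    nameIdFormats.add(SAML2Constants.NAMEID_FORMAT_X509_SUBJECT_NAME);

    final CryptoType signingType = new CryptoType(CryptoType.TYPE.ALIAS);
    signingType.setAlias(systemCrypto.getSignatureCrypto().getDefaultX509Identifier());
    final String signingCert = encodeFirstCertificate(systemCrypto.getSignatureCrypto().getX509Certificates(signingType));

    final CryptoType encryptionType = new CryptoType(CryptoType.TYPE.ALIAS);
    encryptionType.setAlias(systemCrypto.getEncryptionCrypto().getDefaultX509Identifier());
    final String encryptionCert = encodeFirstCertificate(systemCrypto.getEncryptionCrypto().getX509Certificates(encryptionType));

    // The login URL is passed three times, presumably as entity id and two SSO endpoints —
    // confirm the positional meaning against SamlProtocol.createIdpMetadata.
    final String loginUrl = SystemBaseUrl.constructUrl("/idp/login", true);
    final String logoutUrl = SystemBaseUrl.constructUrl("/idp/logout", true);
    final EntityDescriptor entityDescriptor = SamlProtocol.createIdpMetadata(loginUrl, signingCert, encryptionCert, nameIdFormats, loginUrl, loginUrl, logoutUrl);

    final Document doc = DOMUtils.createDocument();
    doc.appendChild(doc.createElement("root"));
    return Response.ok(DOM2Writer.nodeToString(OpenSAMLUtil.toDom(entityDescriptor, doc, false))).build();
}

/**
 * Base64-encodes the DER form of the first certificate in the array.
 *
 * @param certs the certificates returned by a crypto lookup, may be {@code null} or empty
 * @return the Base64 encoding of {@code certs[0]}, or an empty string when there is none
 * @throws CertificateEncodingException if the certificate cannot be encoded
 */
private static String encodeFirstCertificate(final X509Certificate[] certs) throws CertificateEncodingException {
    if (certs == null || certs.length == 0) {
        return "";
    }
    return Base64.getEncoder().encodeToString(certs[0].getEncoded());
}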
