
Example 1 with IDPSSODescriptor

Use of org.opensaml.saml.saml2.metadata.IDPSSODescriptor in the project cloudstack by apache.

From class SAML2AuthManagerImpl, method addIdpToMap.

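/**
 * Builds a {@link SAMLProviderMetadata} entry from an IdP {@link EntityDescriptor} and
 * registers it in {@code idpMap} keyed by entity ID.
 *
 * <p>Only descriptors that carry a SAML 2.0 {@link IDPSSODescriptor} are registered.
 * Organization, contact, SSO/SLO endpoint and certificate details are filled in
 * best-effort: missing or malformed parts are skipped (and logged) instead of failing
 * the whole metadata load. The signing certificate captured here is what later
 * signature checks against this IdP rely on, so a duplicate entity ID (whose entry is
 * replaced) is reported at WARN level.
 *
 * @param descriptor the parsed IdP metadata; must not be null
 * @param idpMap     the registry of discovered IdPs; an existing entry for the same
 *                   entity ID is overwritten
 */
private void addIdpToMap(EntityDescriptor descriptor, Map<String, SAMLProviderMetadata> idpMap) {
    SAMLProviderMetadata idpMetadata = new SAMLProviderMetadata();
    idpMetadata.setEntityId(descriptor.getEntityID());
    s_logger.debug("Adding IdP to the list of discovered IdPs: " + descriptor.getEntityID());
    applyOrganization(descriptor, idpMetadata);
    applyContactPerson(descriptor, idpMetadata);
    IDPSSODescriptor idpDescriptor = descriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS);
    if (idpDescriptor == null) {
        // No SAML 2.0 IdP role in this entity: nothing to register.
        return;
    }
    applyEndpoints(idpDescriptor, idpMetadata);
    applyCertificates(idpDescriptor, idpMetadata);
    if (idpMap.containsKey(idpMetadata.getEntityId())) {
        s_logger.warn("Duplicate IdP metadata found with entity Id: " + idpMetadata.getEntityId());
    }
    idpMap.put(idpMetadata.getEntityId(), idpMetadata);
}

/**
 * Copies the organization name and URL from the entity's Organization element.
 * The first usable display name wins; organization names are the fallback.
 */
private void applyOrganization(EntityDescriptor descriptor, SAMLProviderMetadata idpMetadata) {
    if (descriptor.getOrganization() == null) {
        return;
    }
    if (descriptor.getOrganization().getDisplayNames() != null) {
        for (OrganizationDisplayName orgName : descriptor.getOrganization().getDisplayNames()) {
            if (orgName != null && orgName.getName() != null) {
                idpMetadata.setOrganizationName(orgName.getName().getLocalString());
                break;
            }
        }
    }
    if (idpMetadata.getOrganizationName() == null && descriptor.getOrganization().getOrganizationNames() != null) {
        for (OrganizationName orgName : descriptor.getOrganization().getOrganizationNames()) {
            if (orgName != null && orgName.getName() != null) {
                idpMetadata.setOrganizationName(orgName.getName().getLocalString());
                break;
            }
        }
    }
    if (descriptor.getOrganization().getURLs() != null) {
        for (OrganizationURL organizationURL : descriptor.getOrganization().getURLs()) {
            if (organizationURL != null && organizationURL.getURL() != null) {
                idpMetadata.setOrganizationUrl(organizationURL.getURL().getLocalString());
                break;
            }
        }
    }
}

/**
 * Picks the first contact person that has a name (given or surname) and an email
 * address list, and records that name and the last non-null address of that person.
 */
private void applyContactPerson(EntityDescriptor descriptor, SAMLProviderMetadata idpMetadata) {
    if (descriptor.getContactPersons() == null) {
        return;
    }
    for (ContactPerson person : descriptor.getContactPersons()) {
        if (person == null || (person.getGivenName() == null && person.getSurName() == null) || person.getEmailAddresses() == null) {
            continue;
        }
        if (person.getGivenName() != null) {
            idpMetadata.setContactPersonName(person.getGivenName().getName());
        } else {
            // The guard above guarantees a surname when the given name is absent.
            idpMetadata.setContactPersonName(person.getSurName().getName());
        }
        for (EmailAddress emailAddress : person.getEmailAddresses()) {
            if (emailAddress != null && emailAddress.getAddress() != null) {
                idpMetadata.setContactPersonEmail(emailAddress.getAddress());
            }
        }
        if (idpMetadata.getContactPersonName() != null && idpMetadata.getContactPersonEmail() != null) {
            break;
        }
    }
}

/**
 * Records the HTTP-Redirect SSO and SLO locations. When several services advertise the
 * redirect binding the last one listed wins. The constant is on the left of the
 * comparison so a service element without a Binding attribute is skipped instead of
 * throwing a NullPointerException.
 */
private void applyEndpoints(IDPSSODescriptor idpDescriptor, SAMLProviderMetadata idpMetadata) {
    if (idpDescriptor.getSingleSignOnServices() != null) {
        for (SingleSignOnService ssos : idpDescriptor.getSingleSignOnServices()) {
            if (ssos != null && SAMLConstants.SAML2_REDIRECT_BINDING_URI.equals(ssos.getBinding())) {
                idpMetadata.setSsoUrl(ssos.getLocation());
            }
        }
    }
    if (idpDescriptor.getSingleLogoutServices() != null) {
        for (SingleLogoutService slos : idpDescriptor.getSingleLogoutServices()) {
            if (slos != null && SAMLConstants.SAML2_REDIRECT_BINDING_URI.equals(slos.getBinding())) {
                idpMetadata.setSloUrl(slos.getLocation());
            }
        }
    }
}

/**
 * Records the IdP's signing and encryption certificates from its KeyDescriptors.
 * A key with use="unspecified" is used as fallback for whichever of the two is not
 * explicitly provided. Key descriptors without a parsable certificate are logged
 * and skipped.
 */
private void applyCertificates(IDPSSODescriptor idpDescriptor, SAMLProviderMetadata idpMetadata) {
    X509Certificate unspecifiedKey = null;
    if (idpDescriptor.getKeyDescriptors() != null) {
        for (KeyDescriptor kd : idpDescriptor.getKeyDescriptors()) {
            if (kd == null) {
                continue;
            }
            if (kd.getUse() == UsageType.SIGNING) {
                X509Certificate cert = firstCertificate(kd, " signing");
                if (cert != null) {
                    idpMetadata.setSigningCertificate(cert);
                }
            }
            if (kd.getUse() == UsageType.ENCRYPTION) {
                X509Certificate cert = firstCertificate(kd, " encryption");
                if (cert != null) {
                    idpMetadata.setEncryptionCertificate(cert);
                }
            }
            if (kd.getUse() == UsageType.UNSPECIFIED) {
                X509Certificate cert = firstCertificate(kd, "");
                if (cert != null) {
                    unspecifiedKey = cert;
                }
            }
        }
    }
    if (idpMetadata.getSigningCertificate() == null && unspecifiedKey != null) {
        idpMetadata.setSigningCertificate(unspecifiedKey);
    }
    if (idpMetadata.getEncryptionCertificate() == null && unspecifiedKey != null) {
        idpMetadata.setEncryptionCertificate(unspecifiedKey);
    }
}

/**
 * Returns the first X.509 certificate carried by a KeyDescriptor, or null when the
 * KeyInfo holds no certificate or an invalid one (both cases are logged at INFO).
 *
 * @param kd      the key descriptor to read
 * @param purpose log-message suffix naming the key use (" signing", " encryption" or "")
 */
private X509Certificate firstCertificate(KeyDescriptor kd, String purpose) {
    try {
        java.util.List<X509Certificate> certificates = KeyInfoHelper.getCertificates(kd.getKeyInfo());
        if (certificates == null || certificates.isEmpty()) {
            // Previously an IndexOutOfBoundsException escaped here and aborted the whole load.
            s_logger.info("[ignored] key descriptor carries no certificate" + purpose + ".");
            return null;
        }
        return certificates.get(0);
    } catch (CertificateException ignored) {
        s_logger.info("[ignored] encountered invalid certificate" + purpose + ".", ignored);
        return null;
    }
}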

Example 2 with IDPSSODescriptor

Use of org.opensaml.saml.saml2.metadata.IDPSSODescriptor in the project ddf by codice.

From class IdpHandler, method doHttpPostBinding.

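/**
 * Sends the AuthnRequest to the IdP over the SAML HTTP-POST binding by writing a
 * self-submitting form page rendered from {@code postBindingTemplate}.
 *
 * <p>The form carries the IdP's single-sign-on location, the encoded AuthnRequest
 * (signed when the IdP's metadata asks for signed requests) and the relay state
 * derived from the inbound request.
 *
 * @param request  the inbound request the relay state is derived from
 * @param response the response the form page is written to
 * @throws ServletException if the IdP metadata has no {@link IDPSSODescriptor}, or the
 *                          page could not be written; an I/O failure is kept as the cause
 */
private void doHttpPostBinding(HttpServletRequest request, HttpServletResponse response) throws ServletException {
    try {
        IDPSSODescriptor idpssoDescriptor = idpMetadata.getDescriptor();
        if (idpssoDescriptor == null) {
            throw new ServletException("IdP metadata is missing. No IDPSSODescriptor present.");
        }
        String encodedRequest = encodeAuthnRequest(createAndSignAuthnRequest(true, idpssoDescriptor.getWantAuthnRequestsSigned()), true);
        String relayState = createRelayState(request);
        // Set the status before the body is committed; flushBuffer() below commits it.
        response.setStatus(HttpServletResponse.SC_OK);
        // NOTE(review): these three values are interpolated into an HTML page; confirm that
        // postBindingTemplate (or the producers of the values) escape them for HTML context.
        response.getWriter().printf(postBindingTemplate, idpMetadata.getSingleSignOnLocation(), encodedRequest, relayState);
        response.flushBuffer();
    } catch (IOException e) {
        LOGGER.info("Unable to post AuthnRequest to IdP", e);
        // Keep the cause so the container's error handling can see the underlying failure.
        throw new ServletException("Unable to post to IdP", e);
    }
}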

Example 3 with IDPSSODescriptor

Use of org.opensaml.saml.saml2.metadata.IDPSSODescriptor in the project ddf by codice.

From class IdpHandler, method doHttpRedirectBinding.

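/**
 * Sends the AuthnRequest to the IdP over the SAML HTTP-Redirect binding.
 *
 * <p>The encoded AuthnRequest and the relay state are placed in the query string of the
 * IdP's single-sign-on location, the query string is signed with {@code simpleSign}, and
 * the browser is redirected to the resulting URL.
 *
 * @param request  the inbound request the relay state is derived from
 * @param response the response the redirect is written to
 * @throws ServletException if the IdP metadata has no {@link IDPSSODescriptor}, the relay
 *                          state cannot be encoded, the request cannot be signed, the
 *                          resulting URL is malformed, or the redirect cannot be sent;
 *                          the underlying exception is kept as the cause
 */
private void doHttpRedirectBinding(HttpServletRequest request, HttpServletResponse response) throws ServletException {
    String redirectUrl;
    String idpRequest = null;
    String relayState = createRelayState(request);
    try {
        IDPSSODescriptor idpssoDescriptor = idpMetadata.getDescriptor();
        if (idpssoDescriptor == null) {
            throw new ServletException("IdP metadata is missing. No IDPSSODescriptor present.");
        }
        String encodedRequest = encodeAuthnRequest(createAndSignAuthnRequest(false, idpssoDescriptor.getWantAuthnRequestsSigned()), false);
        String queryParams = String.format("SAMLRequest=%s&RelayState=%s", encodedRequest, URLEncoder.encode(relayState, "UTF-8"));
        // NOTE(review): appending "?" assumes the SSO location carries no query string of its own — confirm.
        idpRequest = idpMetadata.getSingleSignOnLocation() + "?" + queryParams;
        UriBuilder idpUri = new UriBuilderImpl(new URI(idpRequest));
        // The signature is computed over the query string (SAMLRequest and RelayState).
        simpleSign.signUriString(queryParams, idpUri);
        redirectUrl = idpUri.build().toString();
    } catch (UnsupportedEncodingException e) {
        LOGGER.info("Unable to encode relay state: {}", relayState, e);
        throw new ServletException("Unable to create return location", e);
    } catch (SimpleSign.SignatureException e) {
        String msg = "Unable to sign request";
        LOGGER.info(msg, e);
        throw new ServletException(msg, e);
    } catch (URISyntaxException e) {
        LOGGER.info("Unable to parse IDP request location: {}", idpRequest, e);
        throw new ServletException("Unable to determine IDP location.", e);
    }
    try {
        response.sendRedirect(redirectUrl);
        response.flushBuffer();
    } catch (IOException e) {
        LOGGER.info("Unable to redirect AuthnRequest to {}", redirectUrl, e);
        // Causes are kept on every rethrow so the original failure is not lost at the boundary.
        throw new ServletException("Unable to redirect to IdP", e);
    }
}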

Example 4 with IDPSSODescriptor

Use of org.opensaml.saml.saml2.metadata.IDPSSODescriptor in the project ddf by codice.

From class IdpMetadata, method initSingleSignOut.

/**
 * Caches the IdP's single-logout endpoint (binding and location) chosen from the
 * descriptor's SingleLogoutService list, if the descriptor is present and advertises one.
 */
private void initSingleSignOut() {
    IDPSSODescriptor descriptor = getDescriptor();
    if (descriptor == null) {
        return;
    }
    // Prefer HTTP-Redirect over HTTP-POST if both are present
    Optional<? extends Endpoint> chosen = initSingleSomething(descriptor.getSingleLogoutServices());
    chosen.ifPresent(endpoint -> {
        singleLogoutBinding = endpoint.getBinding();
        singleLogoutLocation = endpoint.getLocation();
    });
}

Example 5 with IDPSSODescriptor

Use of org.opensaml.saml.saml2.metadata.IDPSSODescriptor in the project ddf by codice.

From class IdpMetadata, method initSingleSignOn.

/**
 * Caches the IdP's single-sign-on endpoint (binding and location) chosen from the
 * descriptor's SingleSignOnService list, if the descriptor is present and advertises one.
 */
private void initSingleSignOn() {
    IDPSSODescriptor descriptor = getDescriptor();
    if (descriptor == null) {
        return;
    }
    // Prefer HTTP-Redirect over HTTP-POST if both are present
    Optional<? extends Endpoint> chosen = initSingleSomething(descriptor.getSingleSignOnServices());
    chosen.ifPresent(endpoint -> {
        singleSignOnBinding = endpoint.getBinding();
        singleSignOnLocation = endpoint.getLocation();
    });
}
