Example 16 with SingleSignOnService
use of org.opensaml.saml.saml2.metadata.SingleSignOnService in project spring-security by spring-projects.
the class OpenSamlMetadataAssertingPartyDetailsConverter method convert.
RelyingPartyRegistration.AssertingPartyDetails.Builder convert(EntityDescriptor descriptor) {
IDPSSODescriptor idpssoDescriptor = descriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS);
if (idpssoDescriptor == null) {
throw new Saml2Exception("Metadata response is missing the necessary IDPSSODescriptor element");
}
List<Saml2X509Credential> verification = new ArrayList<>();
List<Saml2X509Credential> encryption = new ArrayList<>();
for (KeyDescriptor keyDescriptor : idpssoDescriptor.getKeyDescriptors()) {
if (keyDescriptor.getUse().equals(UsageType.SIGNING)) {
List<X509Certificate> certificates = certificates(keyDescriptor);
for (X509Certificate certificate : certificates) {
verification.add(Saml2X509Credential.verification(certificate));
}
}
if (keyDescriptor.getUse().equals(UsageType.ENCRYPTION)) {
List<X509Certificate> certificates = certificates(keyDescriptor);
for (X509Certificate certificate : certificates) {
encryption.add(Saml2X509Credential.encryption(certificate));
}
}
if (keyDescriptor.getUse().equals(UsageType.UNSPECIFIED)) {
List<X509Certificate> certificates = certificates(keyDescriptor);
for (X509Certificate certificate : certificates) {
verification.add(Saml2X509Credential.verification(certificate));
encryption.add(Saml2X509Credential.encryption(certificate));
}
}
}
if (verification.isEmpty()) {
throw new Saml2Exception("Metadata response is missing verification certificates, necessary for verifying SAML assertions");
}
RelyingPartyRegistration.AssertingPartyDetails.Builder party = OpenSamlAssertingPartyDetails.withEntityDescriptor(descriptor).entityId(descriptor.getEntityID()).wantAuthnRequestsSigned(Boolean.TRUE.equals(idpssoDescriptor.getWantAuthnRequestsSigned())).verificationX509Credentials((c) -> c.addAll(verification)).encryptionX509Credentials((c) -> c.addAll(encryption));
List<SigningMethod> signingMethods = signingMethods(idpssoDescriptor);
for (SigningMethod method : signingMethods) {
party.signingAlgorithms((algorithms) -> algorithms.add(method.getAlgorithm()));
}
if (idpssoDescriptor.getSingleSignOnServices().isEmpty()) {
throw new Saml2Exception("Metadata response is missing a SingleSignOnService, necessary for sending AuthnRequests");
}
for (SingleSignOnService singleSignOnService : idpssoDescriptor.getSingleSignOnServices()) {
Saml2MessageBinding binding;
if (singleSignOnService.getBinding().equals(Saml2MessageBinding.POST.getUrn())) {
binding = Saml2MessageBinding.POST;
} else if (singleSignOnService.getBinding().equals(Saml2MessageBinding.REDIRECT.getUrn())) {
binding = Saml2MessageBinding.REDIRECT;
} else {
continue;
}
party.singleSignOnServiceLocation(singleSignOnService.getLocation()).singleSignOnServiceBinding(binding);
break;
}
for (SingleLogoutService singleLogoutService : idpssoDescriptor.getSingleLogoutServices()) {
Saml2MessageBinding binding;
if (singleLogoutService.getBinding().equals(Saml2MessageBinding.POST.getUrn())) {
binding = Saml2MessageBinding.POST;
} else if (singleLogoutService.getBinding().equals(Saml2MessageBinding.REDIRECT.getUrn())) {
binding = Saml2MessageBinding.REDIRECT;
} else {
continue;
}
String responseLocation = (singleLogoutService.getResponseLocation() == null) ? singleLogoutService.getLocation() : singleLogoutService.getResponseLocation();
party.singleLogoutServiceLocation(singleLogoutService.getLocation()).singleLogoutServiceResponseLocation(responseLocation).singleLogoutServiceBinding(binding);
break;
}
return party;
}
Also used :
X509Certificate(java.security.cert.X509Certificate)
Arrays(java.util.Arrays)
OpenSamlInitializationService(org.springframework.security.saml2.core.OpenSamlInitializationService)
KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor)
XMLObjectProviderRegistry(org.opensaml.core.xml.config.XMLObjectProviderRegistry)
Extensions(org.opensaml.saml.saml2.metadata.Extensions)
ArrayList(java.util.ArrayList)
SigningMethod(org.opensaml.saml.ext.saml2alg.SigningMethod)
SingleSignOnService(org.opensaml.saml.saml2.metadata.SingleSignOnService)
Document(org.w3c.dom.Document)
IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor)
XMLObject(org.opensaml.core.xml.XMLObject)
SAMLConstants(org.opensaml.saml.common.xml.SAMLConstants)
EntitiesDescriptor(org.opensaml.saml.saml2.metadata.EntitiesDescriptor)
UsageType(org.opensaml.security.credential.UsageType)
SingleLogoutService(org.opensaml.saml.saml2.metadata.SingleLogoutService)
Collection(java.util.Collection)
Unmarshaller(org.opensaml.core.xml.io.Unmarshaller)
Saml2Exception(org.springframework.security.saml2.Saml2Exception)
ConfigurationService(org.opensaml.core.config.ConfigurationService)
Saml2X509Credential(org.springframework.security.saml2.core.Saml2X509Credential)
CertificateException(java.security.cert.CertificateException)
KeyInfoSupport(org.opensaml.xmlsec.keyinfo.KeyInfoSupport)
ParserPool(net.shibboleth.utilities.java.support.xml.ParserPool)
List(java.util.List)
Element(org.w3c.dom.Element)
EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor)
InputStream(java.io.InputStream)
IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor)
SingleLogoutService(org.opensaml.saml.saml2.metadata.SingleLogoutService)
KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor)
Saml2X509Credential(org.springframework.security.saml2.core.Saml2X509Credential)
ArrayList(java.util.ArrayList)
SingleSignOnService(org.opensaml.saml.saml2.metadata.SingleSignOnService)
Saml2Exception(org.springframework.security.saml2.Saml2Exception)
X509Certificate(java.security.cert.X509Certificate)
SigningMethod(org.opensaml.saml.ext.saml2alg.SigningMethod)
Example 17 with SingleSignOnService
use of org.opensaml.saml.saml2.metadata.SingleSignOnService in project pac4j by pac4j.
the class SAML2AuthnRequestBuilder method buildAuthnRequest.
@SuppressWarnings("unchecked")
protected final AuthnRequest buildAuthnRequest(final SAML2MessageContext context, final AssertionConsumerService assertionConsumerService, final SingleSignOnService ssoService) {
final var configContext = context.getConfigurationContext();
final var builder = (SAMLObjectBuilder<AuthnRequest>) this.builderFactory.getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME);
final var request = builder.buildObject();
final var comparisonType = getComparisonTypeEnumFromString(configContext.getComparisonType());
if (comparisonType != null) {
final var authnContext = new RequestedAuthnContextBuilder().buildObject();
authnContext.setComparison(comparisonType);
if (configContext.getAuthnContextClassRefs() != null && !configContext.getAuthnContextClassRefs().isEmpty()) {
final var refs = authnContext.getAuthnContextClassRefs();
configContext.getAuthnContextClassRefs().forEach(r -> refs.add(buildAuthnContextClassRef(r)));
}
request.setRequestedAuthnContext(authnContext);
}
final var selfContext = context.getSAMLSelfEntityContext();
request.setID(SAML2Utils.generateID());
request.setIssuer(getIssuer(context, selfContext.getEntityId()));
request.setIssueInstant(ZonedDateTime.now(ZoneOffset.UTC).plusSeconds(this.issueInstantSkewSeconds).toInstant());
request.setVersion(SAMLVersion.VERSION_20);
request.setIsPassive(configContext.isPassive());
request.setForceAuthn(configContext.isForceAuth());
if (StringUtils.isNotBlank(configContext.getProviderName())) {
request.setProviderName(configContext.getProviderName());
}
if (configContext.getNameIdPolicyFormat() != null) {
final var nameIdPolicy = new NameIDPolicyBuilder().buildObject();
if (configContext.isNameIdPolicyAllowCreate() != null) {
nameIdPolicy.setAllowCreate(configContext.isNameIdPolicyAllowCreate());
}
nameIdPolicy.setFormat(configContext.getNameIdPolicyFormat());
request.setNameIDPolicy(nameIdPolicy);
}
request.setDestination(ssoService.getLocation());
if (configContext.getAssertionConsumerServiceIndex() >= 0) {
request.setAssertionConsumerServiceIndex(configContext.getAssertionConsumerServiceIndex());
} else {
request.setAssertionConsumerServiceURL(assertionConsumerService.getLocation());
request.setProtocolBinding(assertionConsumerService.getBinding());
}
if (configContext.getAttributeConsumingServiceIndex() >= 0) {
request.setAttributeConsumingServiceIndex(configContext.getAttributeConsumingServiceIndex());
}
final var extensions = ((SAMLObjectBuilder<Extensions>) this.builderFactory.getBuilder(Extensions.DEFAULT_ELEMENT_NAME)).buildObject();
if (!configContext.getSAML2Configuration().getRequestedServiceProviderAttributes().isEmpty()) {
final var attrBuilder = (SAMLObjectBuilder<RequestedAttribute>) this.builderFactory.getBuilder(RequestedAttribute.DEFAULT_ELEMENT_NAME);
configContext.getSAML2Configuration().getRequestedServiceProviderAttributes().forEach(attribute -> {
final var requestAttribute = attrBuilder.buildObject(RequestedAttribute.DEFAULT_ELEMENT_NAME);
requestAttribute.setIsRequired(attribute.isRequired());
requestAttribute.setName(attribute.getName());
requestAttribute.setFriendlyName(attribute.getFriendlyName());
requestAttribute.setNameFormat(attribute.getNameFormat());
extensions.getUnknownXMLObjects().add(requestAttribute);
});
}
// Setting extensions if they are defined
if (configContext.getSAML2Configuration().getAuthnRequestExtensions() != null) {
extensions.getUnknownXMLObjects().addAll(configContext.getSAML2Configuration().getAuthnRequestExtensions().get());
}
if (!extensions.getUnknownXMLObjects().isEmpty()) {
request.setExtensions(extensions);
}
final var givenIdPs = configContext.getSAML2Configuration().getScopingIdentityProviders();
if (!givenIdPs.isEmpty()) {
final var scopingBuilder = (SAMLObjectBuilder<Scoping>) this.builderFactory.getBuilder(Scoping.DEFAULT_ELEMENT_NAME);
final var scoping = scopingBuilder.buildObject();
final var idpEntryBuilder = (SAMLObjectBuilder<IDPEntry>) this.builderFactory.getBuilder(IDPEntry.DEFAULT_ELEMENT_NAME);
final var idpListBuilder = (SAMLObjectBuilder<IDPList>) this.builderFactory.getBuilder(IDPList.DEFAULT_ELEMENT_NAME);
scoping.setIDPList(idpListBuilder.buildObject());
givenIdPs.forEach(idp -> {
final var idpEntry = idpEntryBuilder.buildObject();
idpEntry.setProviderID(idp.getProviderId());
idpEntry.setName(idp.getName());
scoping.getIDPList().getIDPEntrys().add(idpEntry);
});
if (!scoping.getIDPList().getIDPEntrys().isEmpty()) {
request.setScoping(scoping);
}
}
return request;
}
Also used :
RequestedAuthnContextBuilder(org.opensaml.saml.saml2.core.impl.RequestedAuthnContextBuilder)
NameIDPolicyBuilder(org.opensaml.saml.saml2.core.impl.NameIDPolicyBuilder)
SAMLObjectBuilder(org.opensaml.saml.common.SAMLObjectBuilder)
Example 18 with SingleSignOnService
use of org.opensaml.saml.saml2.metadata.SingleSignOnService in project OpenUnison by TremoloSecurity.
the class OpenUnisonUtils method exportIdPMetadata.
private static void exportIdPMetadata(Options options, CommandLine cmd, TremoloType tt, KeyStore ks) throws Exception, KeyStoreException, CertificateEncodingException, NoSuchAlgorithmException, UnrecoverableKeyException, SecurityException, MarshallingException, SignatureException {
InitializationService.initialize();
logger.info("Finding IdP...");
String idpName = loadOption(cmd, "idpName", options);
ApplicationType idp = null;
for (ApplicationType app : tt.getApplications().getApplication()) {
if (app.getName().equalsIgnoreCase(idpName)) {
idp = app;
}
}
if (idp == null) {
throw new Exception("IdP '" + idpName + "' not found");
}
logger.info("Loading the base URL");
String baseURL = loadOption(cmd, "urlBase", options);
String url = baseURL + idp.getUrls().getUrl().get(0).getUri();
SecureRandom random = new SecureRandom();
byte[] idBytes = new byte[20];
random.nextBytes(idBytes);
StringBuffer b = new StringBuffer();
b.append('f').append(Hex.encodeHexString(idBytes));
String id = b.toString();
EntityDescriptorBuilder edb = new EntityDescriptorBuilder();
EntityDescriptor ed = edb.buildObject();
ed.setID(id);
ed.setEntityID(url);
IDPSSODescriptorBuilder idpssdb = new IDPSSODescriptorBuilder();
// ed.getSPSSODescriptor("urn:oasis:names:tc:SAML:2.0:protocol");
IDPSSODescriptor sd = idpssdb.buildObject();
sd.addSupportedProtocol("urn:oasis:names:tc:SAML:2.0:protocol");
ed.getRoleDescriptors().add(sd);
HashMap<String, List<String>> params = new HashMap<String, List<String>>();
for (ParamType pt : idp.getUrls().getUrl().get(0).getIdp().getParams()) {
List<String> vals = params.get(pt.getName());
if (vals == null) {
vals = new ArrayList<String>();
params.put(pt.getName(), vals);
}
vals.add(pt.getValue());
}
sd.setWantAuthnRequestsSigned(params.containsKey("requireSignedAuthn") && params.get("requireSignedAuthn").get(0).equalsIgnoreCase("true"));
KeyDescriptorBuilder kdb = new KeyDescriptorBuilder();
if (params.get("encKey") != null && !params.get("encKey").isEmpty() && (ks.getCertificate(params.get("encKey").get(0)) != null)) {
KeyDescriptor kd = kdb.buildObject();
kd.setUse(UsageType.ENCRYPTION);
KeyInfoBuilder kib = new KeyInfoBuilder();
KeyInfo ki = kib.buildObject();
X509DataBuilder x509b = new X509DataBuilder();
X509Data x509 = x509b.buildObject();
X509CertificateBuilder certb = new X509CertificateBuilder();
org.opensaml.xmlsec.signature.X509Certificate cert = certb.buildObject();
cert.setValue(Base64.encode(ks.getCertificate(params.get("encKey").get(0)).getEncoded()));
x509.getX509Certificates().add(cert);
ki.getX509Datas().add(x509);
kd.setKeyInfo(ki);
sd.getKeyDescriptors().add(kd);
}
if (params.get("sigKey") != null && !params.get("sigKey").isEmpty() && (ks.getCertificate(params.get("sigKey").get(0)) != null)) {
KeyDescriptor kd = kdb.buildObject();
kd.setUse(UsageType.SIGNING);
KeyInfoBuilder kib = new KeyInfoBuilder();
KeyInfo ki = kib.buildObject();
X509DataBuilder x509b = new X509DataBuilder();
X509Data x509 = x509b.buildObject();
X509CertificateBuilder certb = new X509CertificateBuilder();
org.opensaml.xmlsec.signature.X509Certificate cert = certb.buildObject();
cert.setValue(Base64.encode(ks.getCertificate(params.get("sigKey").get(0)).getEncoded()));
x509.getX509Certificates().add(cert);
ki.getX509Datas().add(x509);
kd.setKeyInfo(ki);
sd.getKeyDescriptors().add(kd);
}
HashSet<String> nameids = new HashSet<String>();
for (TrustType trustType : idp.getUrls().getUrl().get(0).getIdp().getTrusts().getTrust()) {
for (ParamType pt : trustType.getParam()) {
if (pt.getName().equalsIgnoreCase("nameIdMap")) {
String val = pt.getValue().substring(0, pt.getValue().indexOf('='));
if (!nameids.contains(val)) {
nameids.add(val);
}
}
}
}
NameIDFormatBuilder nifb = new NameIDFormatBuilder();
for (String nidf : nameids) {
NameIDFormat nif = nifb.buildObject();
nif.setFormat(nidf);
sd.getNameIDFormats().add(nif);
}
SingleSignOnServiceBuilder ssosb = new SingleSignOnServiceBuilder();
SingleSignOnService sso = ssosb.buildObject();
sso.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
sso.setLocation(url + "/httpPost");
sd.getSingleSignOnServices().add(sso);
sso = ssosb.buildObject();
sso.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");
sso.setLocation(url + "/httpRedirect");
sd.getSingleSignOnServices().add(sso);
String signingKey = loadOptional(cmd, "signMetadataWithKey", options);
if (signingKey != null && ks.getCertificate(signingKey) != null) {
BasicX509Credential signingCredential = new BasicX509Credential((X509Certificate) ks.getCertificate(signingKey), (PrivateKey) ks.getKey(signingKey, tt.getKeyStorePassword().toCharArray()));
Signature signature = OpenSAMLUtils.buildSAMLObject(Signature.class);
signature.setSigningCredential(signingCredential);
signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
ed.setSignature(signature);
try {
XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(ed).marshall(ed);
} catch (MarshallingException e) {
throw new RuntimeException(e);
}
Signer.signObject(signature);
}
// Get the Subject marshaller
EntityDescriptorMarshaller marshaller = new EntityDescriptorMarshaller();
// Marshall the Subject
Element assertionElement = marshaller.marshall(ed);
logger.info(net.shibboleth.utilities.java.support.xml.SerializeSupport.nodeToString(assertionElement));
}
Also used :
IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor)
HashMap(java.util.HashMap)
KeyInfoBuilder(org.opensaml.xmlsec.signature.impl.KeyInfoBuilder)
KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor)
JAXBElement(javax.xml.bind.JAXBElement)
Element(org.w3c.dom.Element)
SingleSignOnService(org.opensaml.saml.saml2.metadata.SingleSignOnService)
NameIDFormatBuilder(org.opensaml.saml.saml2.metadata.impl.NameIDFormatBuilder)
EntityDescriptorMarshaller(org.opensaml.saml.saml2.metadata.impl.EntityDescriptorMarshaller)
X509Data(org.opensaml.xmlsec.signature.X509Data)
SingleSignOnServiceBuilder(org.opensaml.saml.saml2.metadata.impl.SingleSignOnServiceBuilder)
EntityDescriptorBuilder(org.opensaml.saml.saml2.metadata.impl.EntityDescriptorBuilder)
X509DataBuilder(org.opensaml.xmlsec.signature.impl.X509DataBuilder)
MarshallingException(org.opensaml.core.xml.io.MarshallingException)
KeyInfo(org.opensaml.xmlsec.signature.KeyInfo)
ArrayList(java.util.ArrayList)
List(java.util.List)
HashSet(java.util.HashSet)
X509CertificateBuilder(org.opensaml.xmlsec.signature.impl.X509CertificateBuilder)
SecureRandom(java.security.SecureRandom)
TrustType(com.tremolosecurity.config.xml.TrustType)
KeyStoreException(java.security.KeyStoreException)
SignatureException(org.opensaml.xmlsec.signature.support.SignatureException)
SecurityException(org.opensaml.security.SecurityException)
UnmarshallingException(org.opensaml.core.xml.io.UnmarshallingException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
MarshallingException(org.opensaml.core.xml.io.MarshallingException)
IOException(java.io.IOException)
Base64DecodingException(org.apache.xml.security.exceptions.Base64DecodingException)
ServletException(javax.servlet.ServletException)
PropertyException(javax.xml.bind.PropertyException)
JAXBException(javax.xml.bind.JAXBException)
FileNotFoundException(java.io.FileNotFoundException)
SAXException(org.xml.sax.SAXException)
UnrecoverableKeyException(java.security.UnrecoverableKeyException)
CertificateException(java.security.cert.CertificateException)
ParserConfigurationException(javax.xml.parsers.ParserConfigurationException)
AuthMechParamType(com.tremolosecurity.config.xml.AuthMechParamType)
ParamType(com.tremolosecurity.config.xml.ParamType)
ApplicationType(com.tremolosecurity.config.xml.ApplicationType)
EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor)
NameIDFormat(org.opensaml.saml.saml2.metadata.NameIDFormat)
BasicX509Credential(org.opensaml.security.x509.BasicX509Credential)
Signature(org.opensaml.xmlsec.signature.Signature)
KeyDescriptorBuilder(org.opensaml.saml.saml2.metadata.impl.KeyDescriptorBuilder)
IDPSSODescriptorBuilder(org.opensaml.saml.saml2.metadata.impl.IDPSSODescriptorBuilder)
Aggregations
SingleSignOnService (org.opensaml.saml.saml2.metadata.SingleSignOnService)13
EntityDescriptor (org.opensaml.saml.saml2.metadata.EntityDescriptor)9
IDPSSODescriptor (org.opensaml.saml.saml2.metadata.IDPSSODescriptor)9
KeyDescriptor (org.opensaml.saml.saml2.metadata.KeyDescriptor)6
SingleLogoutService (org.opensaml.saml.saml2.metadata.SingleLogoutService)5
X509Certificate (java.security.cert.X509Certificate)4
CertificateException (java.security.cert.CertificateException)3
List (java.util.List)3
CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet)3
EntityIdCriterion (org.opensaml.core.criterion.EntityIdCriterion)3
AssertionConsumerService (org.opensaml.saml.saml2.metadata.AssertionConsumerService)3
SingleSignOnService (org.opensaml.saml2.metadata.SingleSignOnService)3
ArrayList (java.util.ArrayList)2
Arrays (java.util.Arrays)2
HashMap (java.util.HashMap)2
NameIDFormat (org.opensaml.saml.saml2.metadata.NameIDFormat)2
EntityDescriptorBuilder (org.opensaml.saml.saml2.metadata.impl.EntityDescriptorBuilder)2
IDPSSODescriptorBuilder (org.opensaml.saml.saml2.metadata.impl.IDPSSODescriptorBuilder)2
SingleSignOnServiceBuilder (org.opensaml.saml.saml2.metadata.impl.SingleSignOnServiceBuilder)2
IDPSSODescriptor (org.opensaml.saml2.metadata.IDPSSODescriptor)2
