
Example 36 with org.opensaml.saml.saml2.metadata

use of org.opensaml.saml.saml2.metadata in project cas by apereo.

Listing from class SamlIdPUtils, method getAssertionConsumerServiceFor (resolves the assertion consumer service a response to an AuthnRequest should be sent to).

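/**
 * Resolves the {@link AssertionConsumerService} that a response to {@code authnRequest}
 * should be delivered to.
 * <p>
 * If the request carries an {@code AssertionConsumerServiceIndex}, the issuer's SP
 * metadata is resolved and the endpoint whose {@code index} attribute equals the
 * requested value is copied into the result. Otherwise the {@code ProtocolBinding}
 * and {@code AssertionConsumerServiceURL} are copied verbatim from the request.
 * <p>
 * Trust note: the second branch takes a caller-supplied URL straight out of the request
 * and does not compare it with the SP's registered endpoints. Callers must make sure the
 * request signature has been verified (or validate the URL against metadata themselves)
 * before sending a response to that location; this method only checks that a binding
 * and a location are present.
 *
 * @param authnRequest    the authn request
 * @param servicesManager the services manager
 * @param resolver        the resolver
 * @return the assertion consumer service for the request
 * @throws IllegalArgumentException (wrapping a {@link SamlException}) if metadata cannot be
 *                                  resolved, no endpoint carries the requested index, or the
 *                                  result has no binding or location
 */
public static AssertionConsumerService getAssertionConsumerServiceFor(final AuthnRequest authnRequest, final ServicesManager servicesManager, final SamlRegisteredServiceCachingMetadataResolver resolver) {
    try {
        final AssertionConsumerService acs = new AssertionConsumerServiceBuilder().buildObject();
        if (authnRequest.getAssertionConsumerServiceIndex() != null) {
            final int acsIndex = authnRequest.getAssertionConsumerServiceIndex();
            final String issuer = getIssuerFromSamlRequest(authnRequest);
            final MetadataResolver samlResolver = getMetadataResolverForAllSamlServices(servicesManager, issuer, resolver);
            final CriteriaSet criteriaSet = new CriteriaSet();
            criteriaSet.add(new EntityIdCriterion(issuer));
            criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
            criteriaSet.add(new BindingCriterion(CollectionUtils.wrap(SAMLConstants.SAML2_POST_BINDING_URI)));
            final Iterable<EntityDescriptor> it = samlResolver.resolve(criteriaSet);
            it.forEach(entityDescriptor -> {
                final SPSSODescriptor spssoDescriptor = entityDescriptor.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
                if (spssoDescriptor == null) {
                    // The role criterion does not guarantee a SAML 2.0 protocol descriptor; fail with
                    // a readable message instead of an NPE on the next line.
                    throw new IllegalArgumentException("Metadata resolved for entity id " + issuer + " has no SAML2 SPSSODescriptor");
                }
                final List<AssertionConsumerService> acsEndpoints = spssoDescriptor.getAssertionConsumerServices();
                if (acsEndpoints.isEmpty()) {
                    throw new IllegalArgumentException("Metadata resolved for entity id " + issuer + " has no defined ACS endpoints");
                }
                // SAML 2.0 Core 3.4.1: AssertionConsumerServiceIndex refers to the endpoint's
                // "index" attribute, not to the element's position in the metadata document.
                // Metadata may number endpoints from 1 or list them out of order, so a positional
                // List#get(acsIndex) can pick the wrong endpoint (or none at all).
                final AssertionConsumerService foundAcs = acsEndpoints.stream()
                    .filter(endpoint -> endpoint.getIndex() != null && endpoint.getIndex() == acsIndex)
                    .findFirst()
                    .orElseThrow(() -> new IllegalArgumentException("AssertionConsumerService index specified in the request " + acsIndex
                        + " is invalid since none of the " + acsEndpoints.size() + " endpoints available to " + issuer + " carries that index"));
                acs.setBinding(foundAcs.getBinding());
                acs.setLocation(foundAcs.getLocation());
                acs.setResponseLocation(foundAcs.getResponseLocation());
                acs.setIndex(acsIndex);
            });
        } else {
            // NOTE(review): these values are copied from the request as-is; nothing in this
            // method checks that AssertionConsumerServiceURL is one of the SP's metadata endpoints.
            acs.setBinding(authnRequest.getProtocolBinding());
            acs.setLocation(authnRequest.getAssertionConsumerServiceURL());
            acs.setResponseLocation(authnRequest.getAssertionConsumerServiceURL());
            acs.setIndex(0);
            acs.setIsDefault(Boolean.TRUE);
        }
        LOGGER.debug("Resolved AssertionConsumerService from the request is [{}]", acs);
        if (StringUtils.isBlank(acs.getBinding())) {
            throw new SamlException("AssertionConsumerService has no protocol binding defined");
        }
        if (StringUtils.isBlank(acs.getLocation()) && StringUtils.isBlank(acs.getResponseLocation())) {
            throw new SamlException("AssertionConsumerService has no location or response location defined");
        }
        return acs;
    } catch (final Exception e) {
        // Callers expect IllegalArgumentException; the SamlException keeps the original cause chain.
        throw new IllegalArgumentException(new SamlException(e.getMessage(), e));
    }
}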

Example 37 with org.opensaml.saml.saml2.metadata

use of org.opensaml.saml.saml2.metadata in project cas by apereo.

Listing from class AbstractSamlProfileHandlerController, method verifySamlAuthenticationRequest (issuer lookup, metadata resolution and signature verification for an inbound AuthnRequest).

/**
 * Verifies an inbound SAML authentication request: the issuer must map to a registered
 * SAML service, the service's SP metadata must be resolvable, and the request context
 * must pass signature verification.
 *
 * @param authenticationContext pair of the decoded {@link AuthnRequest} and its message context
 * @param request               the http request
 * @return pair of the registered service and its metadata facade
 * @throws Exception if the issuer is not registered, no metadata can be located, or
 *                   signature verification fails
 */
protected Pair<SamlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade> verifySamlAuthenticationRequest(final Pair<? extends SignableSAMLObject, MessageContext> authenticationContext, final HttpServletRequest request) throws Exception {
    final AuthnRequest authnRequest = (AuthnRequest) authenticationContext.getKey();
    final String issuer = SamlIdPUtils.getIssuerFromSamlRequest(authnRequest);
    LOGGER.debug("Located issuer [{}] from authentication request", issuer);

    final SamlRegisteredService registeredService = verifySamlRegisteredService(issuer);
    LOGGER.debug("Fetching saml metadata adaptor for [{}]", issuer);
    final SamlRegisteredServiceServiceProviderMetadataFacade facade = SamlRegisteredServiceServiceProviderMetadataFacade
        .get(this.samlRegisteredServiceCachingMetadataResolver, registeredService, authnRequest)
        .orElseThrow(() -> {
            LOGGER.warn("No metadata could be found for [{}]", issuer);
            return new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "Cannot find metadata linked to " + issuer);
        });

    // Signature verification runs only once the service and its metadata facade are known,
    // presumably because the verification keys are taken from the facade -- confirm in
    // verifyAuthenticationContextSignature.
    verifyAuthenticationContextSignature(authenticationContext, request, authnRequest, facade);
    SamlUtils.logSamlObject(this.configBean, authnRequest);
    return Pair.of(registeredService, facade);
}

Example 38 with org.opensaml.saml.saml2.metadata

use of org.opensaml.saml.saml2.metadata in project cas by apereo.

Listing from class Saml1ArtifactResolutionProfileHandlerController, method handlePostRequest (SOAP endpoint that resolves a SAML artifact into a response).

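/**
 * Handles a SAML1 SOAP artifact resolution request.
 * <p>
 * Steps: decode the SOAP {@link ArtifactResolve}, require an issuer that maps to a
 * registered service with resolvable metadata, verify the request signature, look up
 * the artifact ticket created for the presented artifact value, and build the
 * artifact response from that ticket's authentication. Any failure inside the
 * {@code try} is logged and returned to the caller as a SAML fault.
 * <p>
 * NOTE(review): nothing here binds the artifact to the requesting issuer, checks
 * whether the artifact ticket has expired, or marks the artifact as consumed (SAML
 * artifacts are meant to be single-use). If {@link SamlArtifactTicket} records the
 * issuer it was created for, comparing it with {@code issuer} and removing the ticket
 * after a successful resolution would close those gaps -- confirm against the ticket
 * registry's artifact handling before relying on it.
 *
 * @param response the response
 * @param request  the request
 */
@PostMapping(path = SamlIdPConstants.ENDPOINT_SAML1_SOAP_ARTIFACT_RESOLUTION)
protected void handlePostRequest(final HttpServletResponse response, final HttpServletRequest request) {
    final MessageContext ctx = decodeSoapRequest(request);
    final ArtifactResolve artifactMsg = (ArtifactResolve) ctx.getMessage();
    try {
        // Reject a request without an issuer explicitly instead of letting it surface
        // as an NPE whose "null" message ends up in the fault response.
        final String issuer = artifactMsg.getIssuer() == null ? null : artifactMsg.getIssuer().getValue();
        if (issuer == null || issuer.trim().isEmpty()) {
            throw new IllegalArgumentException("ArtifactResolve request does not specify an issuer");
        }
        final SamlRegisteredService service = verifySamlRegisteredService(issuer);
        final Optional<SamlRegisteredServiceServiceProviderMetadataFacade> adaptor = getSamlMetadataFacadeFor(service, artifactMsg);
        if (!adaptor.isPresent()) {
            throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "Cannot find metadata linked to " + issuer);
        }
        final SamlRegisteredServiceServiceProviderMetadataFacade facade = adaptor.get();
        // Signature verification happens before the ticket registry is consulted, so an
        // unauthenticated caller cannot probe which artifacts exist.
        verifyAuthenticationContextSignature(ctx, request, artifactMsg, facade);

        if (artifactMsg.getArtifact() == null) {
            throw new IllegalArgumentException("ArtifactResolve request does not carry an artifact");
        }
        final String artifactId = artifactMsg.getArtifact().getArtifact();
        final String ticketId = artifactTicketFactory.createTicketIdFor(artifactId);
        final SamlArtifactTicket ticket = this.ticketRegistry.getTicket(ticketId, SamlArtifactTicket.class);
        if (ticket == null) {
            // Unknown or already-removed artifact: report it as such rather than failing on
            // ticket.getTicketGrantingTicket() below. The artifact value itself is not echoed.
            throw new IllegalArgumentException("No artifact ticket could be found for the artifact presented by " + issuer);
        }
        final Service issuerService = webApplicationServiceFactory.createService(issuer);
        final Assertion casAssertion = buildCasAssertion(ticket.getTicketGrantingTicket().getAuthentication(), issuerService, service, CollectionUtils.wrap("artifact", ticket));
        this.responseBuilder.build(artifactMsg, request, response, casAssertion, service, facade, SAMLConstants.SAML2_ARTIFACT_BINDING_URI);
    } catch (final Exception e) {
        LOGGER.error(e.getMessage(), e);
        // The exception message is handed to the fault builder and so may reach the SP;
        // keep the messages above free of internal identifiers.
        request.setAttribute(SamlIdPConstants.REQUEST_ATTRIBUTE_ERROR, e.getMessage());
        samlFaultResponseBuilder.build(artifactMsg, request, response, null, null, null, SAMLConstants.SAML2_ARTIFACT_BINDING_URI);
    }
}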

Example 39 with org.opensaml.saml.saml2.metadata

use of org.opensaml.saml.saml2.metadata in project cas by apereo.

Listing from class SamlProfileSamlSoap11ResponseBuilder, method buildResponse (wraps a SAML2 response in a SOAP 1.1 envelope for the ECP profile).

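/**
 * Builds the SOAP 1.1 envelope used for the ECP profile: a SOAP header carrying an
 * ECP {@code Response} that names the assertion consumer service location, and a SOAP
 * body carrying the SAML2 response built by {@code buildSaml2Response}.
 * <p>
 * The ACS location placed in the header comes from the metadata facade for the
 * requested binding, not from the request.
 *
 * @param assertion    the SAML assertion (not used directly here; the SAML2 response is built from {@code casAssertion})
 * @param casAssertion the CAS assertion
 * @param authnRequest the authn request
 * @param service      the registered service
 * @param adaptor      the SP metadata facade
 * @param request      the http request
 * @param response     the http response
 * @param binding      the SAML binding to look the ACS up for
 * @return the SOAP envelope
 * @throws SamlException if no assertion consumer service exists for {@code binding}
 *                       or the SAML2 response cannot be built
 */
@Override
protected Envelope buildResponse(final Assertion assertion, final Object casAssertion, final RequestAbstractType authnRequest, final SamlRegisteredService service, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final HttpServletRequest request, final HttpServletResponse response, final String binding) throws SamlException {
    LOGGER.debug("Locating the assertion consumer service url for binding [{}]", binding);
    final AssertionConsumerService acs = adaptor.getAssertionConsumerService(binding);
    // Lombok's @NonNull on a local variable does not generate a runtime check, so a missing
    // endpoint for this binding used to surface as an NPE on acs.getLocation(); fail with a
    // SamlException naming the entity instead.
    if (acs == null) {
        throw new SamlException("No AssertionConsumerService for binding " + binding + " is defined in metadata for " + adaptor.getEntityId());
    }
    LOGGER.debug("Located assertion consumer service url [{}]", acs);

    final Response ecpResponse = newEcpResponse(acs.getLocation());
    final Header header = newSoapObject(Header.class);
    header.getUnknownXMLObjects().add(ecpResponse);

    final Body body = newSoapObject(Body.class);
    final org.opensaml.saml.saml2.core.Response saml2Response = buildSaml2Response(casAssertion, authnRequest, service, adaptor, request, binding);
    body.getUnknownXMLObjects().add(saml2Response);

    final Envelope envelope = newSoapObject(Envelope.class);
    envelope.setHeader(header);
    envelope.setBody(body);
    SamlUtils.logSamlObject(this.configBean, envelope);
    return envelope;
}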

Example 40 with org.opensaml.saml.saml2.metadata

use of org.opensaml.saml.saml2.metadata in project cas by apereo.

Listing from class SamlProfileSamlSubjectBuilder, method buildSubject (assembles the SAML Subject and its SubjectConfirmationData).

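/**
 * Builds the SAML {@code Subject}: the NameID for the service plus subject confirmation
 * data whose recipient is the metadata ACS for the binding (response location preferred
 * over location), whose NotOnOrAfter is the CAS assertion's valid-from time plus the
 * configured skew, whose InResponseTo is the request ID, and whose NotBefore is the
 * current time. Each of those four values can be suppressed per registered service.
 * <p>
 * The recipient is deliberately taken from SP metadata rather than from the request's
 * ACS URL. NOTE(review): the positional meaning of the {@code newSubject} arguments
 * (recipient, notOnOrAfter, inResponseTo, notBefore) is inferred from the values passed
 * here; confirm against its signature. Also note SAML 2.0 Profiles 4.1.4.2 forbids a
 * NotBefore attribute on SubjectConfirmationData in Web Browser SSO responses, which is
 * what {@code skipGeneratingSubjectConfirmationNotBefore} exists to accommodate.
 *
 * @param request      the http request
 * @param response     the http response
 * @param authnRequest the authn request
 * @param casAssertion the CAS assertion (must be a {@link Assertion})
 * @param service      the registered service
 * @param adaptor      the SP metadata facade
 * @param binding      the SAML binding
 * @return the SAML subject
 * @throws SamlException if no assertion consumer service exists for {@code binding}
 *                       or the NameID cannot be produced
 */
private Subject buildSubject(final HttpServletRequest request, final HttpServletResponse response, final RequestAbstractType authnRequest, final Object casAssertion, final SamlRegisteredService service, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final String binding) throws SamlException {
    final Assertion assertion = Assertion.class.cast(casAssertion);
    final ZonedDateTime validFromDate = ZonedDateTime.ofInstant(assertion.getValidFromDate().toInstant(), ZoneOffset.UTC);

    LOGGER.debug("Locating the assertion consumer service url for binding [{}]", binding);
    final AssertionConsumerService acs = adaptor.getAssertionConsumerService(binding);
    // Lombok's @NonNull on a local variable does not generate a runtime check; without this
    // guard a binding with no endpoint in metadata fails with an NPE on getResponseLocation().
    if (acs == null) {
        throw new SamlException("No AssertionConsumerService for binding " + binding + " is defined in metadata for " + adaptor.getEntityId());
    }
    final String location = StringUtils.isBlank(acs.getResponseLocation()) ? acs.getLocation() : acs.getResponseLocation();
    if (StringUtils.isBlank(location)) {
        // Deliberately a warning only: the subject is still built, just without a Recipient.
        LOGGER.warn("Subject recipient is not defined from either authentication request or metadata for [{}]", adaptor.getEntityId());
    }

    final NameID nameId = getNameIdForService(request, response, authnRequest, service, adaptor, binding, assertion);
    final String recipient = service.isSkipGeneratingSubjectConfirmationRecipient() ? null : location;
    // NotOnOrAfter is derived from the assertion's valid-from instant, widened by the skew allowance.
    final ZonedDateTime notOnOrAfter = service.isSkipGeneratingSubjectConfirmationNotOnOrAfter() ? null : validFromDate.plusSeconds(this.skewAllowance);
    final String inResponseTo = service.isSkipGeneratingSubjectConfirmationInResponseTo() ? null : authnRequest.getID();
    // now() uses the system default zone; the instant is the same as a UTC now().
    final ZonedDateTime notBefore = service.isSkipGeneratingSubjectConfirmationNotBefore() ? null : ZonedDateTime.now();
    final Subject subject = newSubject(nameId, recipient, notOnOrAfter, inResponseTo, notBefore);
    LOGGER.debug("Created SAML subject [{}]", subject);
    return subject;
}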
