Example 6 with Assertion
use of org.opensaml.saml2.core.Assertion in project cas by apereo.
the class WsFederationHelper method parseTokenFromString.
/**
* parseTokenFromString converts a raw wresult and extracts it into an assertion.
*
* @param wresult the raw token returned by the IdP
* @param config the config
* @return an assertion
*/
public Assertion parseTokenFromString(final String wresult, final WsFederationConfiguration config) {
LOGGER.debug("Result token received from ADFS is [{}]", wresult);
try (InputStream in = new ByteArrayInputStream(wresult.getBytes(StandardCharsets.UTF_8))) {
LOGGER.debug("Parsing token into a document");
final Document document = configBean.getParserPool().parse(in);
final Element metadataRoot = document.getDocumentElement();
final UnmarshallerFactory unmarshallerFactory = configBean.getUnmarshallerFactory();
final Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(metadataRoot);
if (unmarshaller == null) {
throw new IllegalArgumentException("Unmarshaller for the metadata root element cannot be determined");
}
LOGGER.debug("Unmarshalling the document into a security token response");
final RequestSecurityTokenResponse rsToken = (RequestSecurityTokenResponse) unmarshaller.unmarshall(metadataRoot);
if (rsToken == null || rsToken.getRequestedSecurityToken() == null) {
throw new IllegalArgumentException("Request security token response is null");
}
//Get our SAML token
LOGGER.debug("Locating list of requested security tokens");
final List<RequestedSecurityToken> rst = rsToken.getRequestedSecurityToken();
if (rst.isEmpty()) {
throw new IllegalArgumentException("No requested security token response is provided in the response");
}
LOGGER.debug("Locating the first occurrence of a requested security token in the list");
final RequestedSecurityToken reqToken = rst.get(0);
if (reqToken.getSecurityTokens() == null || reqToken.getSecurityTokens().isEmpty()) {
throw new IllegalArgumentException("Requested security token response is not carrying any security tokens");
}
Assertion assertion = null;
LOGGER.debug("Locating the first occurrence of a security token from the requested security token");
XMLObject securityToken = reqToken.getSecurityTokens().get(0);
if (securityToken instanceof EncryptedData) {
try {
LOGGER.debug("Security token is encrypted. Attempting to decrypt to extract the assertion");
final EncryptedData encryptedData = EncryptedData.class.cast(securityToken);
final Decrypter decrypter = buildAssertionDecrypter(config);
LOGGER.debug("Built an instance of [{}]", decrypter.getClass().getName());
securityToken = decrypter.decryptData(encryptedData);
} catch (final Exception e) {
throw new IllegalArgumentException("Unable to decrypt security token", e);
}
}
if (securityToken instanceof Assertion) {
LOGGER.debug("Security token is an assertion.");
assertion = Assertion.class.cast(securityToken);
}
if (assertion == null) {
throw new IllegalArgumentException("Could not extract or decrypt an assertion based on the security token provided");
}
LOGGER.debug("Extracted assertion successfully: [{}]", assertion);
return assertion;
} catch (final Exception ex) {
LOGGER.warn(ex.getMessage());
return null;
}
}
Also used :
RequestedSecurityToken(org.opensaml.soap.wsfed.RequestedSecurityToken)
ByteArrayInputStream(java.io.ByteArrayInputStream)
InputStream(java.io.InputStream)
Element(org.w3c.dom.Element)
Assertion(org.opensaml.saml.saml1.core.Assertion)
XMLObject(org.opensaml.core.xml.XMLObject)
Decrypter(org.opensaml.saml.saml2.encryption.Decrypter)
UnmarshallerFactory(org.opensaml.core.xml.io.UnmarshallerFactory)
Document(org.w3c.dom.Document)
SignatureException(org.opensaml.xmlsec.signature.support.SignatureException)
SecurityException(org.opensaml.security.SecurityException)
ByteArrayInputStream(java.io.ByteArrayInputStream)
EncryptedData(org.opensaml.xmlsec.encryption.EncryptedData)
Unmarshaller(org.opensaml.core.xml.io.Unmarshaller)
RequestSecurityTokenResponse(org.opensaml.soap.wsfed.RequestSecurityTokenResponse)
Example 7 with Assertion
use of org.opensaml.saml2.core.Assertion in project cas by apereo.
the class WsFederationHelperTests method verifyValidateSignatureModifiedAttribute.
@Test
public void verifyValidateSignatureModifiedAttribute() throws Exception {
final String wresult = testTokens.get("badTokenModifiedAttribute");
final Assertion assertion = wsFederationHelper.parseTokenFromString(wresult, wsFedConfig);
final boolean result = wsFederationHelper.validateSignature(assertion, wsFedConfig);
assertFalse("testValidateSignatureModifiedAttribute() - False", result);
}Example 8 with Assertion
use of org.opensaml.saml2.core.Assertion in project cas by apereo.
the class WsFederationHelperTests method verifyCreateCredentialFromToken.
@Test
public void verifyCreateCredentialFromToken() throws Exception {
final String wresult = testTokens.get(GOOD_TOKEN);
final Assertion assertion = wsFederationHelper.parseTokenFromString(wresult, wsFedConfig);
final WsFederationCredential expResult = new WsFederationCredential();
expResult.setIssuedOn(ZonedDateTime.parse("2014-02-26T22:51:16.504Z"));
expResult.setNotBefore(ZonedDateTime.parse("2014-02-26T22:51:16.474Z"));
expResult.setNotOnOrAfter(ZonedDateTime.parse("2014-02-26T23:51:16.474Z"));
expResult.setIssuer("http://adfs.example.com/adfs/services/trust");
expResult.setAudience("urn:federation:cas");
expResult.setId("_6257b2bf-7361-4081-ae1f-ec58d4310f61");
final WsFederationCredential result = wsFederationHelper.createCredentialFromToken(assertion);
assertNotNull("testCreateCredentialFromToken() - Not Null", result);
assertEquals("testCreateCredentialFromToken() - IssuedOn", expResult.getIssuedOn(), result.getIssuedOn());
assertEquals("testCreateCredentialFromToken() - NotBefore", expResult.getNotBefore(), result.getNotBefore());
assertEquals("testCreateCredentialFromToken() - NotOnOrAfter", expResult.getNotOnOrAfter(), result.getNotOnOrAfter());
assertEquals("testCreateCredentialFromToken() - Issuer", expResult.getIssuer(), result.getIssuer());
assertEquals("testCreateCredentialFromToken() - Audience", expResult.getAudience(), result.getAudience());
assertEquals("testCreateCredentialFromToken() - Id", expResult.getId(), result.getId());
}
Also used :
Assertion(org.opensaml.saml.saml1.core.Assertion)
WsFederationCredential(org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential)
Test(org.junit.Test)
Example 9 with Assertion
use of org.opensaml.saml2.core.Assertion in project cas by apereo.
the class WsFederationHelperTests method verifyValidateSignatureBadKey.
@Test
@DirtiesContext
public void verifyValidateSignatureBadKey() throws Exception {
final List<Credential> signingWallet = new ArrayList<>();
final WsFederationConfiguration cfg = new WsFederationConfiguration();
cfg.setSigningCertificateResources(ctx.getResource("classpath:bad-signing.crt"));
signingWallet.addAll(cfg.getSigningCertificates());
final String wresult = testTokens.get(GOOD_TOKEN);
final Assertion assertion = wsFederationHelper.parseTokenFromString(wresult, wsFedConfig);
wsFedConfig.getSigningCertificates().clear();
wsFedConfig.getSigningCertificates().addAll(signingWallet);
final boolean result = wsFederationHelper.validateSignature(assertion, wsFedConfig);
assertFalse("testValidateSignatureModifiedKey() - False", result);
}
Also used :
Credential(org.opensaml.security.credential.Credential)
WsFederationCredential(org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential)
ArrayList(java.util.ArrayList)
Assertion(org.opensaml.saml.saml1.core.Assertion)
Test(org.junit.Test)
DirtiesContext(org.springframework.test.annotation.DirtiesContext)
Example 10 with Assertion
use of org.opensaml.saml2.core.Assertion in project cloudstack by apache.
the class SAML2LoginAPIAuthenticatorCmd method authenticate.
@Override
public String authenticate(final String command, final Map<String, Object[]> params, final HttpSession session, final InetAddress remoteAddress, final String responseType, final StringBuilder auditTrailSb, final HttpServletRequest req, final HttpServletResponse resp) throws ServerApiException {
try {
if (!params.containsKey(SAMLPluginConstants.SAML_RESPONSE) && !params.containsKey("SAMLart")) {
String idpId = null;
String domainPath = null;
if (params.containsKey(ApiConstants.IDP_ID)) {
idpId = ((String[]) params.get(ApiConstants.IDP_ID))[0];
}
if (params.containsKey(ApiConstants.DOMAIN)) {
domainPath = ((String[]) params.get(ApiConstants.DOMAIN))[0];
}
if (domainPath != null && !domainPath.isEmpty()) {
if (!domainPath.startsWith("/")) {
domainPath = "/" + domainPath;
}
if (!domainPath.endsWith("/")) {
domainPath = domainPath + "/";
}
}
SAMLProviderMetadata spMetadata = _samlAuthManager.getSPMetadata();
SAMLProviderMetadata idpMetadata = _samlAuthManager.getIdPMetadata(idpId);
if (idpMetadata == null) {
throw new ServerApiException(ApiErrorCode.PARAM_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.PARAM_ERROR.getHttpCode(), "IdP ID (" + idpId + ") is not found in our list of supported IdPs, cannot proceed.", params, responseType));
}
if (idpMetadata.getSsoUrl() == null || idpMetadata.getSsoUrl().isEmpty()) {
throw new ServerApiException(ApiErrorCode.PARAM_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.PARAM_ERROR.getHttpCode(), "IdP ID (" + idpId + ") has no Single Sign On URL defined please contact " + idpMetadata.getContactPersonName() + " <" + idpMetadata.getContactPersonEmail() + ">, cannot proceed.", params, responseType));
}
String authnId = SAMLUtils.generateSecureRandomId();
_samlAuthManager.saveToken(authnId, domainPath, idpMetadata.getEntityId());
s_logger.debug("Sending SAMLRequest id=" + authnId);
String redirectUrl = SAMLUtils.buildAuthnRequestUrl(authnId, spMetadata, idpMetadata, SAML2AuthManager.SAMLSignatureAlgorithm.value());
resp.sendRedirect(redirectUrl);
return "";
}
if (params.containsKey("SAMLart")) {
throw new ServerApiException(ApiErrorCode.UNSUPPORTED_ACTION_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.UNSUPPORTED_ACTION_ERROR.getHttpCode(), "SAML2 HTTP Artifact Binding is not supported", params, responseType));
} else {
final String samlResponse = ((String[]) params.get(SAMLPluginConstants.SAML_RESPONSE))[0];
Response processedSAMLResponse = this.processSAMLResponse(samlResponse);
String statusCode = processedSAMLResponse.getStatus().getStatusCode().getValue();
if (!statusCode.equals(StatusCode.SUCCESS_URI)) {
throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "Identity Provider send a non-successful authentication status code", params, responseType));
}
String username = null;
Issuer issuer = processedSAMLResponse.getIssuer();
SAMLProviderMetadata spMetadata = _samlAuthManager.getSPMetadata();
SAMLProviderMetadata idpMetadata = _samlAuthManager.getIdPMetadata(issuer.getValue());
String responseToId = processedSAMLResponse.getInResponseTo();
s_logger.debug("Received SAMLResponse in response to id=" + responseToId);
SAMLTokenVO token = _samlAuthManager.getToken(responseToId);
if (token != null) {
if (!(token.getEntity().equalsIgnoreCase(issuer.getValue()))) {
throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "The SAML response contains Issuer Entity ID that is different from the original SAML request", params, responseType));
}
} else {
throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "Received SAML response for a SSO request that we may not have made or has expired, please try logging in again", params, responseType));
}
// Set IdpId for this session
session.setAttribute(SAMLPluginConstants.SAML_IDPID, issuer.getValue());
Signature sig = processedSAMLResponse.getSignature();
if (idpMetadata.getSigningCertificate() != null && sig != null) {
BasicX509Credential credential = new BasicX509Credential();
credential.setEntityCertificate(idpMetadata.getSigningCertificate());
SignatureValidator validator = new SignatureValidator(credential);
try {
validator.validate(sig);
} catch (ValidationException e) {
s_logger.error("SAML Response's signature failed to be validated by IDP signing key:" + e.getMessage());
throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "SAML Response's signature failed to be validated by IDP signing key", params, responseType));
}
}
if (username == null) {
username = SAMLUtils.getValueFromAssertions(processedSAMLResponse.getAssertions(), SAML2AuthManager.SAMLUserAttributeName.value());
}
for (Assertion assertion : processedSAMLResponse.getAssertions()) {
if (assertion != null && assertion.getSubject() != null && assertion.getSubject().getNameID() != null) {
session.setAttribute(SAMLPluginConstants.SAML_NAMEID, assertion.getSubject().getNameID().getValue());
break;
}
}
if (idpMetadata.getEncryptionCertificate() != null && spMetadata != null && spMetadata.getKeyPair() != null && spMetadata.getKeyPair().getPrivate() != null) {
Credential credential = SecurityHelper.getSimpleCredential(idpMetadata.getEncryptionCertificate().getPublicKey(), spMetadata.getKeyPair().getPrivate());
StaticKeyInfoCredentialResolver keyInfoResolver = new StaticKeyInfoCredentialResolver(credential);
EncryptedKeyResolver keyResolver = new InlineEncryptedKeyResolver();
Decrypter decrypter = new Decrypter(null, keyInfoResolver, keyResolver);
decrypter.setRootInNewDocument(true);
List<EncryptedAssertion> encryptedAssertions = processedSAMLResponse.getEncryptedAssertions();
if (encryptedAssertions != null) {
for (EncryptedAssertion encryptedAssertion : encryptedAssertions) {
Assertion assertion = null;
try {
assertion = decrypter.decrypt(encryptedAssertion);
} catch (DecryptionException e) {
s_logger.warn("SAML EncryptedAssertion error: " + e.toString());
}
if (assertion == null) {
continue;
}
Signature encSig = assertion.getSignature();
if (idpMetadata.getSigningCertificate() != null && encSig != null) {
BasicX509Credential sigCredential = new BasicX509Credential();
sigCredential.setEntityCertificate(idpMetadata.getSigningCertificate());
SignatureValidator validator = new SignatureValidator(sigCredential);
try {
validator.validate(encSig);
} catch (ValidationException e) {
s_logger.error("SAML Response's signature failed to be validated by IDP signing key:" + e.getMessage());
throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "SAML Response's signature failed to be validated by IDP signing key", params, responseType));
}
}
if (assertion.getSubject() != null && assertion.getSubject().getNameID() != null) {
session.setAttribute(SAMLPluginConstants.SAML_NAMEID, assertion.getSubject().getNameID().getValue());
}
if (username == null) {
username = SAMLUtils.getValueFromAttributeStatements(assertion.getAttributeStatements(), SAML2AuthManager.SAMLUserAttributeName.value());
}
}
}
}
if (username == null) {
throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "Failed to find admin configured username attribute in the SAML Response. Please ask your administrator to check SAML user attribute name.", params, responseType));
}
UserAccount userAccount = null;
List<UserAccountVO> possibleUserAccounts = _userAccountDao.getAllUsersByNameAndEntity(username, issuer.getValue());
if (possibleUserAccounts != null && possibleUserAccounts.size() > 0) {
// Users can switch to other allowed accounts later
for (UserAccountVO possibleUserAccount : possibleUserAccounts) {
if (possibleUserAccount.getAccountState().equals(Account.State.enabled.toString())) {
userAccount = possibleUserAccount;
break;
}
}
}
if (userAccount == null || userAccount.getExternalEntity() == null || !_samlAuthManager.isUserAuthorized(userAccount.getId(), issuer.getValue())) {
throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "Your authenticated user is not authorized for SAML Single Sign-On, please contact your administrator", params, responseType));
}
try {
if (_apiServer.verifyUser(userAccount.getId())) {
LoginCmdResponse loginResponse = (LoginCmdResponse) _apiServer.loginUser(session, userAccount.getUsername(), userAccount.getUsername() + userAccount.getSource().toString(), userAccount.getDomainId(), null, remoteAddress, params);
SAMLUtils.setupSamlUserCookies(loginResponse, resp);
resp.sendRedirect(SAML2AuthManager.SAMLCloudStackRedirectionUrl.value());
return ApiResponseSerializer.toSerializedString(loginResponse, responseType);
}
} catch (CloudAuthenticationException | IOException exception) {
s_logger.debug("SAML Login failed to log in the user due to: " + exception.getMessage());
}
}
} catch (IOException e) {
auditTrailSb.append("SP initiated SAML authentication using HTTP redirection failed:");
auditTrailSb.append(e.getMessage());
}
throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "Unable to authenticate user while performing SAML based SSO. Please make sure your user/account has been added, enable and authorized by the admin before you can authenticate. Please contact your administrator.", params, responseType));
}
Also used :
ValidationException(org.opensaml.xml.validation.ValidationException)
Issuer(org.opensaml.saml2.core.Issuer)
SAMLTokenVO(org.apache.cloudstack.saml.SAMLTokenVO)
CloudAuthenticationException(com.cloud.exception.CloudAuthenticationException)
StaticKeyInfoCredentialResolver(org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver)
ServerApiException(org.apache.cloudstack.api.ServerApiException)
SAMLProviderMetadata(org.apache.cloudstack.saml.SAMLProviderMetadata)
BasicX509Credential(org.opensaml.xml.security.x509.BasicX509Credential)
Credential(org.opensaml.xml.security.credential.Credential)
Assertion(org.opensaml.saml2.core.Assertion)
EncryptedAssertion(org.opensaml.saml2.core.EncryptedAssertion)
Decrypter(org.opensaml.saml2.encryption.Decrypter)
IOException(java.io.IOException)
LoginCmdResponse(org.apache.cloudstack.api.response.LoginCmdResponse)
Response(org.opensaml.saml2.core.Response)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
UserAccountVO(com.cloud.user.UserAccountVO)
BasicX509Credential(org.opensaml.xml.security.x509.BasicX509Credential)
EncryptedAssertion(org.opensaml.saml2.core.EncryptedAssertion)
Signature(org.opensaml.xml.signature.Signature)
SignatureValidator(org.opensaml.xml.signature.SignatureValidator)
InlineEncryptedKeyResolver(org.opensaml.xml.encryption.InlineEncryptedKeyResolver)
DecryptionException(org.opensaml.xml.encryption.DecryptionException)
UserAccount(com.cloud.user.UserAccount)
LoginCmdResponse(org.apache.cloudstack.api.response.LoginCmdResponse)
InlineEncryptedKeyResolver(org.opensaml.xml.encryption.InlineEncryptedKeyResolver)
EncryptedKeyResolver(org.opensaml.xml.encryption.EncryptedKeyResolver)
Aggregations
Assertion (org.opensaml.saml.saml1.core.Assertion)11
Assertion (org.opensaml.saml.saml2.core.Assertion)10
Test (org.junit.Test)7
Assertion (org.opensaml.saml2.core.Assertion)6
WsFederationCredential (org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential)4
Element (org.w3c.dom.Element)4
SecureRandom (java.security.SecureRandom)3
ZonedDateTime (java.time.ZonedDateTime)3
ArrayList (java.util.ArrayList)3
RegisteredService (org.apereo.cas.services.RegisteredService)3
DateTime (org.joda.time.DateTime)3
SAMLObjectBuilder (org.opensaml.common.SAMLObjectBuilder)3
Unmarshaller (org.opensaml.core.xml.io.Unmarshaller)3
Response (org.opensaml.saml.saml2.core.Response)3
ByteArrayInputStream (java.io.ByteArrayInputStream)2
IOException (java.io.IOException)2
InputStream (java.io.InputStream)2
HashMap (java.util.HashMap)2
HttpServletResponse (javax.servlet.http.HttpServletResponse)2
Service (org.apereo.cas.authentication.principal.Service)2
