
Example 11 with Assertion

use of org.opensaml.saml2.core.Assertion in project ddf by codice.

the class IdpEndpoint method createCookie.

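/**
 * Stores the first assertion of a SAML response in the cookie cache and issues a session cookie
 * whose value is the cache key.
 *
 * <p>The cache key is a fresh {@link UUID#randomUUID()} value. The cookie is limited to
 * {@code SERVICES_IDP_PATH} and to the host taken from the request URL, carries a max age of -1,
 * and is created with both the secure and the HttpOnly flag set.
 *
 * @param request the current request; its URL supplies the cookie domain
 * @param response the SAML response whose first assertion is cached
 * @return the session cookie, or {@code null} if the response holds no assertion or the request
 *     URL cannot be parsed
 */
private NewCookie createCookie(HttpServletRequest request, org.opensaml.saml.saml2.core.Response response) {
    LOGGER.debug("Creating cookie for user.");
    if (response.getAssertions() == null || response.getAssertions().isEmpty()) {
        return null;
    }
    // NOTE(review): only the first assertion is used and nothing in this method checks its
    // signature or conditions; presumably the caller has validated the response - confirm.
    Assertion assertion = response.getAssertions().get(0);
    if (assertion == null) {
        return null;
    }
    URL url;
    try {
        // NOTE(review): the request URL is usually derived from the client-supplied Host header;
        // confirm the container or a fronting proxy restricts it, since it becomes the cookie domain.
        url = new URL(request.getRequestURL().toString());
    } catch (MalformedURLException e) {
        LOGGER.info("Unable to create session cookie. Client will need to log in again.", e);
        return null;
    }
    // Cache only once the cookie can actually be built, so an unparsable URL no longer leaves
    // an assertion in the cache under a key that no client ever received.
    String cacheKey = UUID.randomUUID().toString();
    cookieCache.cacheSamlAssertion(cacheKey, assertion.getDOM());
    LOGGER.debug("Returning new cookie for user.");
    return new NewCookie(COOKIE, cacheKey, SERVICES_IDP_PATH, url.getHost(), NewCookie.DEFAULT_VERSION, null, -1, null, true, true);
}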
Also used : MalformedURLException(java.net.MalformedURLException) SecurityAssertion(ddf.security.assertion.SecurityAssertion) Assertion(org.opensaml.saml.saml2.core.Assertion) UUID(java.util.UUID) URL(java.net.URL) NewCookie(javax.ws.rs.core.NewCookie)

Example 12 with Assertion

use of org.opensaml.saml2.core.Assertion in project ddf by codice.

the class AttributeQueryClaimsHandler method getAttributes.

/**
 * Queries the external attribute store for the given user and converts the returned assertion
 * into claims.
 *
 * <p>An {@code AttributeQueryException} is logged and not rethrown; in that case the collection
 * is returned with whatever it held when the query failed, so a failed lookup grants no
 * additional claims.
 *
 * @param nameId the name identifier sent in the attribute query
 * @return the claims built from the returned assertion (empty when no assertion came back), or
 *     {@code null} when no {@code AttributeQueryClient} could be created
 * @throws URISyntaxException declared by the method; presumably raised by one of the helpers
 *     called here - confirm against their signatures
 */
protected ProcessedClaimCollection getAttributes(String nameId) throws URISyntaxException {
    ProcessedClaimCollection claims = new ProcessedClaimCollection();
    LOGGER.debug("Sending AttributeQuery Request.");
    try {
        AttributeQueryClient client = createAttributeQueryClient(simpleSign, externalAttributeStoreUrl, issuer, destination);
        if (client == null) {
            // Callers must distinguish this null from an empty claim collection.
            return null;
        }
        Assertion queried = client.query(nameId);
        if (queried != null) {
            // NOTE(review): nothing in this method validates the returned assertion; presumably
            // the client does so before handing it back - confirm.
            createClaims(claims, queried);
        }
    } catch (AttributeQueryException ex) {
        // INFO carries no stack trace; the full exception is only written at DEBUG.
        LOGGER.info("Error occurred in AttributeQueryClient, did not retrieve response. Set log level for \"org.codice.ddf.security.claims.attributequery.common\" to DEBUG for more information.");
        LOGGER.debug("Error occurred in AttributeQueryClient, did not retrieve response.", ex);
    }
    return claims;
}
Also used : ProcessedClaimCollection(org.apache.cxf.sts.claims.ProcessedClaimCollection) Assertion(org.opensaml.saml.saml2.core.Assertion)

Example 13 with Assertion

use of org.opensaml.saml2.core.Assertion in project cas by apereo.

the class Saml10ObjectBuilder method newAssertion.

/**
 * Builds a new SAML 1 assertion carrying a single authentication statement.
 *
 * <p>The assertion is returned as built here: this method sets the id, issue instant, issuer and
 * authentication statement only, and does not sign it or add conditions.
 *
 * @param authnStatement the authentication statement to attach
 * @param issuer the issuer to record on the assertion
 * @param issuedAt the issue instant
 * @param id the assertion id
 * @return the populated assertion
 */
public Assertion newAssertion(final AuthenticationStatement authnStatement, final String issuer, final ZonedDateTime issuedAt, final String id) {
    final Assertion built = newSamlObject(Assertion.class);
    // NOTE(review): the id is taken as given; callers are expected to pass an unpredictable,
    // unique value - confirm at the call sites.
    built.setID(id);
    built.setIssueInstant(DateTimeUtils.dateTimeOf(issuedAt));
    built.setIssuer(issuer);
    built.getAuthenticationStatements().add(authnStatement);
    return built;
}
Also used : Assertion(org.opensaml.saml.saml1.core.Assertion)

Example 14 with Assertion

use of org.opensaml.saml2.core.Assertion in project cas by apereo.

the class Saml10SuccessResponseView method prepareResponse.

/**
 * Fills a SAML 1 success response with one assertion describing the primary authentication.
 *
 * <p>The assertion receives an authentication statement, conditions built from the issue
 * instant, the service id and the configured skew allowance, and, when there are attributes to
 * release, one attribute statement. The response status is set to {@code StatusCode.SUCCESS}.
 *
 * @param response the response to populate
 * @param model the view model from which the assertion, authentication, principal and
 *     attributes are read
 */
@Override
protected void prepareResponse(final Response response, final Map<String, Object> model) {
    final ZonedDateTime issueTime = DateTimeUtils.zonedDateTimeOf(response.getIssueInstant());
    final Service targetService = getAssertionFrom(model).getService();
    LOGGER.debug("Preparing SAML response for service [{}]", targetService);

    final Authentication primaryAuthn = getPrimaryAuthenticationFrom(model);
    final Collection<Object> methods = CollectionUtils.toCollection(primaryAuthn.getAttributes().get(SamlAuthenticationMetaDataPopulator.ATTRIBUTE_AUTHENTICATION_METHOD));
    LOGGER.debug("Authentication methods found are [{}]", methods);

    final Principal subjectPrincipal = getPrincipal(model);
    final AuthenticationStatement statement = this.samlObjectBuilder.newAuthenticationStatement(primaryAuthn.getAuthenticationDate(), methods, subjectPrincipal.getId());
    LOGGER.debug("Built authentication statement for [{}] dated at [{}]", subjectPrincipal, primaryAuthn.getAuthenticationDate());

    // The assertion id comes from the builder's generateSecureRandomId().
    final Assertion samlAssertion = this.samlObjectBuilder.newAssertion(statement, this.issuer, issueTime, this.samlObjectBuilder.generateSecureRandomId());
    LOGGER.debug("Built assertion for issuer [{}] dated at [{}]", this.issuer, issueTime);

    // Presumably these conditions bound the validity window and name the service as audience;
    // the builder is not visible here - confirm.
    final Conditions validity = this.samlObjectBuilder.newConditions(issueTime, targetService.getId(), this.skewAllowance);
    samlAssertion.setConditions(validity);
    LOGGER.debug("Built assertion conditions for issuer [{}] and service [{}] ", this.issuer, targetService.getId());

    final Subject samlSubject = this.samlObjectBuilder.newSubject(subjectPrincipal.getId());
    LOGGER.debug("Built subject for principal [{}]", subjectPrincipal);

    final Map<String, Object> released = prepareSamlAttributes(model, targetService);
    // NOTE(review): this writes the released attribute values to the log at DEBUG; they may
    // hold personal data, so treat DEBUG logs of this class as sensitive.
    LOGGER.debug("Authentication statement shall include these attributes [{}]", released);
    if (!released.isEmpty()) {
        // The subject is attached only through the attribute statement.
        samlAssertion.getAttributeStatements().add(this.samlObjectBuilder.newAttributeStatement(samlSubject, released, this.defaultAttributeNamespace));
    }

    response.setStatus(this.samlObjectBuilder.newStatus(StatusCode.SUCCESS, null));
    LOGGER.debug("Set response status code to [{}]", response.getStatus());
    response.getAssertions().add(samlAssertion);
}
Also used : ZonedDateTime(java.time.ZonedDateTime) Authentication(org.apereo.cas.authentication.Authentication) Assertion(org.opensaml.saml.saml1.core.Assertion) RegisteredService(org.apereo.cas.services.RegisteredService) Service(org.apereo.cas.authentication.principal.Service) Principal(org.apereo.cas.authentication.principal.Principal) AuthenticationStatement(org.opensaml.saml.saml1.core.AuthenticationStatement) Conditions(org.opensaml.saml.saml1.core.Conditions) Subject(org.opensaml.saml.saml1.core.Subject)

Example 15 with Assertion

use of org.opensaml.saml2.core.Assertion in project cas by apereo.

the class WsFederationHelper method createCredentialFromToken.

/**
 * Copies the fields of a SAML 1.1 assertion into a new {@code WsFederationCredential}.
 *
 * <p>This method only transfers values (id, issuer, timestamps, first audience, first
 * authentication method, attributes). It performs no validation of signature, audience or
 * validity window; those checks have to happen elsewhere.
 *
 * @param assertion the assertion to read
 * @return a credential populated from the assertion
 */
public WsFederationCredential createCredentialFromToken(final Assertion assertion) {
    final ZonedDateTime now = ZonedDateTime.now();
    LOGGER.debug("Retrieved on [{}]", now);

    final WsFederationCredential result = new WsFederationCredential();
    result.setRetrievedOn(now);
    result.setId(assertion.getID());
    result.setIssuer(assertion.getIssuer());
    result.setIssuedOn(ZonedDateTime.parse(assertion.getIssueInstant().toDateTimeISO().toString()));

    final Conditions window = assertion.getConditions();
    if (window != null) {
        // NOTE(review): if getNotBefore() or getNotOnOrAfter() returns null, these lines throw a
        // NullPointerException. When conditions are absent altogether the credential keeps both
        // bounds unset, so the consumer must treat unset bounds as invalid - confirm.
        result.setNotBefore(ZonedDateTime.parse(window.getNotBefore().toDateTimeISO().toString()));
        result.setNotOnOrAfter(ZonedDateTime.parse(window.getNotOnOrAfter().toDateTimeISO().toString()));
        if (!window.getAudienceRestrictionConditions().isEmpty()) {
            // Only the first audience of the first restriction is kept; an empty audience list
            // would fail on get(0).
            result.setAudience(window.getAudienceRestrictionConditions().get(0).getAudiences().get(0).getUri());
        }
    }

    if (!assertion.getAuthenticationStatements().isEmpty()) {
        // Only the first authentication statement is consulted.
        result.setAuthenticationMethod(assertion.getAuthenticationStatements().get(0).getAuthenticationMethod());
    }

    // Gather attribute values from every attribute statement, keyed by attribute name.
    // A later attribute with the same name replaces the earlier entry.
    final HashMap<String, List<Object>> collected = new HashMap<>();
    assertion.getAttributeStatements().forEach(statement -> statement.getAttributes().forEach(attribute -> {
        LOGGER.debug("Processed attribute: [{}]", attribute.getAttributeName());
        // The cast assumes every value is an XSAny; any other value type raises ClassCastException.
        final List<Object> values = attribute.getAttributeValues().stream().map(value -> ((XSAny) value).getTextContent()).collect(Collectors.toList());
        if (!values.isEmpty()) {
            collected.put(attribute.getAttributeName(), values);
        }
    }));
    result.setAttributes(collected);

    // NOTE(review): what this prints depends on the credential's toString(); if it includes
    // the attributes, DEBUG logs of this class hold identity data.
    LOGGER.debug("Credential: [{}]", result);
    return result;
}
Also used : XSAny(org.opensaml.core.xml.schema.XSAny) ChainingEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver) KeyPair(java.security.KeyPair) ExplicitKeySignatureTrustEngine(org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine) Assertion(org.opensaml.saml.saml1.core.Assertion) ZonedDateTime(java.time.ZonedDateTime) StaticCredentialResolver(org.opensaml.security.credential.impl.StaticCredentialResolver) LoggerFactory(org.slf4j.LoggerFactory) Security(java.security.Security) SamlUtils(org.apereo.cas.support.saml.SamlUtils) Conditions(org.opensaml.saml.saml1.core.Conditions) StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver) ByteArrayInputStream(java.io.ByteArrayInputStream) SignatureException(org.opensaml.xmlsec.signature.support.SignatureException) Document(org.w3c.dom.Document) PEMEncryptedKeyPair(org.bouncycastle.openssl.PEMEncryptedKeyPair) WsFederationCredential(org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential) UsageType(org.opensaml.security.credential.UsageType) SecurityException(org.opensaml.security.SecurityException) PEMParser(org.bouncycastle.openssl.PEMParser) PEMDecryptorProvider(org.bouncycastle.openssl.PEMDecryptorProvider) ProtocolCriterion(org.opensaml.saml.criterion.ProtocolCriterion) BasicX509Credential(org.opensaml.security.x509.BasicX509Credential) Collectors(java.util.stream.Collectors) StandardCharsets(java.nio.charset.StandardCharsets) OpenSamlConfigBean(org.apereo.cas.support.saml.OpenSamlConfigBean) List(java.util.List) KeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) RequestedSecurityToken(org.opensaml.soap.wsfed.RequestedSecurityToken) UnmarshallerFactory(org.opensaml.core.xml.io.UnmarshallerFactory) 
EncryptedData(org.opensaml.xmlsec.encryption.EncryptedData) EncryptedElementTypeEncryptedKeyResolver(org.opensaml.saml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver) IntStream(java.util.stream.IntStream) EncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.EncryptedKeyResolver) JcaPEMKeyConverter(org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter) UsageCriterion(org.opensaml.security.criteria.UsageCriterion) HashMap(java.util.HashMap) SignaturePrevalidator(org.opensaml.xmlsec.signature.support.SignaturePrevalidator) ArrayList(java.util.ArrayList) Decrypter(org.opensaml.saml.saml2.encryption.Decrypter) JcePEMDecryptorProviderBuilder(org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder) X509CertParser(org.bouncycastle.jce.provider.X509CertParser) SAMLSignatureProfileValidator(org.opensaml.saml.security.impl.SAMLSignatureProfileValidator) IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor) XMLObject(org.opensaml.core.xml.XMLObject) X509CertificateObject(org.bouncycastle.jce.provider.X509CertificateObject) SAMLConstants(org.opensaml.saml.common.xml.SAMLConstants) CredentialResolver(org.opensaml.security.credential.CredentialResolver) SignatureTrustEngine(org.opensaml.xmlsec.signature.support.SignatureTrustEngine) InlineEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver) RequestSecurityTokenResponse(org.opensaml.soap.wsfed.RequestSecurityTokenResponse) Logger(org.slf4j.Logger) Credential(org.opensaml.security.credential.Credential) Unmarshaller(org.opensaml.core.xml.io.Unmarshaller) Throwables(com.google.common.base.Throwables) InputStreamReader(java.io.InputStreamReader) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider) Element(org.w3c.dom.Element) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) PEMKeyPair(org.bouncycastle.openssl.PEMKeyPair) BufferedReader(java.io.BufferedReader) 
SimpleRetrievalMethodEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver) InputStream(java.io.InputStream) ZonedDateTime(java.time.ZonedDateTime) HashMap(java.util.HashMap) List(java.util.List) ArrayList(java.util.ArrayList) XMLObject(org.opensaml.core.xml.XMLObject) X509CertificateObject(org.bouncycastle.jce.provider.X509CertificateObject) Conditions(org.opensaml.saml.saml1.core.Conditions) WsFederationCredential(org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential) XSAny(org.opensaml.core.xml.schema.XSAny)

Aggregations

Assertion (org.opensaml.saml.saml1.core.Assertion)11 Assertion (org.opensaml.saml.saml2.core.Assertion)10 Test (org.junit.Test)7 Assertion (org.opensaml.saml2.core.Assertion)6 WsFederationCredential (org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential)4 Element (org.w3c.dom.Element)4 SecureRandom (java.security.SecureRandom)3 ZonedDateTime (java.time.ZonedDateTime)3 ArrayList (java.util.ArrayList)3 RegisteredService (org.apereo.cas.services.RegisteredService)3 DateTime (org.joda.time.DateTime)3 SAMLObjectBuilder (org.opensaml.common.SAMLObjectBuilder)3 Unmarshaller (org.opensaml.core.xml.io.Unmarshaller)3 Response (org.opensaml.saml.saml2.core.Response)3 ByteArrayInputStream (java.io.ByteArrayInputStream)2 IOException (java.io.IOException)2 InputStream (java.io.InputStream)2 HashMap (java.util.HashMap)2 HttpServletResponse (javax.servlet.http.HttpServletResponse)2 Service (org.apereo.cas.authentication.principal.Service)2