use of org.opensaml.saml2.core.AuthnRequest in project pac4j by pac4j.
the class SAML2DefaultResponseValidator method validateSamlProtocolResponse.
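/**
 * Validates the SAML protocol response:
 * - StatusCode (must be {@link StatusCode#SUCCESS})
 * - Signature (only when the response element itself is signed)
 * - IssueInstant
 * - InResponseTo (matched against the stored {@link AuthnRequest}, if a message storage is configured)
 * - Destination (matched against the endpoint held in the context)
 * - Issuer (only when present)
 *
 * <p>The checks run in the order listed above and the method throws at the first failure.
 * A response without a {@code <Status>}/{@code <StatusCode>} is rejected explicitly instead of
 * surfacing as a {@code NullPointerException}.
 *
 * @param response the response
 * @param context the context
 * @param engine the trust engine used to validate the response signature
 * @throws SAMLException if the status code is missing or is not success
 * @throws SAMLIssueInstantException if the issue instant is too old or in the future
 * @throws SAMLInResponseToMismatchException if InResponseTo does not refer to a stored AuthnRequest
 */
protected final void validateSamlProtocolResponse(final Response response, final SAML2MessageContext context, final SignatureTrustEngine engine) {
    // A malformed response may carry no status at all; treat that as a failed authentication.
    if (response.getStatus() == null || response.getStatus().getStatusCode() == null) {
        throw new SAMLException("Authentication response has no status code");
    }
    final String statusValue = response.getStatus().getStatusCode().getValue();
    if (!StatusCode.SUCCESS.equals(statusValue)) {
        String status = statusValue;
        if (response.getStatus().getStatusMessage() != null) {
            status += " / " + response.getStatus().getStatusMessage().getMessage();
        }
        throw new SAMLException("Authentication response is not success ; actual " + status);
    }

    // Only a signed response element is verified here; an unsigned response passes this step
    // and the peer is then NOT marked as authenticated. Assertion-level signature checks are
    // presumably performed elsewhere — confirm against the caller.
    if (response.getSignature() != null) {
        final String entityId = context.getSAMLPeerEntityContext().getEntityId();
        validateSignature(response.getSignature(), entityId, engine);
        context.getSAMLPeerEntityContext().setAuthenticated(true);
    }

    if (!isIssueInstantValid(response.getIssueInstant())) {
        throw new SAMLIssueInstantException("Response issue instant is too old or in the future");
    }

    // Correlate the response with the AuthnRequest we sent, when both a storage and an
    // InResponseTo value are available. An unsolicited response (no InResponseTo) is not
    // rejected here.
    AuthnRequest request = null;
    final SAMLMessageStorage messageStorage = context.getSAMLMessageStorage();
    if (messageStorage != null && response.getInResponseTo() != null) {
        final XMLObject xmlObject = messageStorage.retrieveMessage(response.getInResponseTo());
        if (xmlObject == null) {
            throw new SAMLInResponseToMismatchException("InResponseToField of the Response doesn't correspond to sent message " + response.getInResponseTo());
        } else if (xmlObject instanceof AuthnRequest) {
            request = (AuthnRequest) xmlObject;
        } else {
            throw new SAMLInResponseToMismatchException("Sent request was of different type than the expected AuthnRequest " + response.getInResponseTo());
        }
    }

    // Destination must match the endpoint this SP expects to receive responses on.
    verifyEndpoint(context.getSAMLEndpointContext().getEndpoint(), response.getDestination());
    if (request != null) {
        verifyRequest(request, context);
    }
    if (response.getIssuer() != null) {
        validateIssuer(response.getIssuer(), context);
    }
}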
use of org.opensaml.saml2.core.AuthnRequest in project pac4j by pac4j.
the class SAML2RedirectActionBuilder method redirect.
@Override
public RedirectAction redirect(final WebContext wc) {
    // Build the outbound SAML message context for this web request, then the AuthnRequest
    // that is sent through it together with the state (RelayState) parameter.
    final SAML2MessageContext context = this.client.getContextProvider().buildContext(wc);
    final String relayState = this.client.getStateParameter(wc);
    final AuthnRequest authnRequest = this.saml2ObjectBuilder.build(context);
    this.client.getProfileHandler().send(context, authnRequest, relayState);

    // The profile handler has written the encoded request into the outbound transport;
    // the configured destination binding decides how the browser is sent to the IdP.
    final Pac4jSAMLResponse outbound = context.getProfileRequestContextOutboundMessageTransportResponse();
    final String bindingType = this.client.getConfiguration().getDestinationBindingType();
    final boolean usesPostBinding = bindingType.equalsIgnoreCase(SAMLConstants.SAML2_POST_BINDING_URI);
    if (!usesPostBinding) {
        // Redirect binding: answer with the URL the handler produced.
        final String location = outbound.getRedirectUrl();
        return RedirectAction.redirect(location);
    }
    // POST binding: answer with the content the handler produced.
    final String content = outbound.getOutgoingContent();
    return RedirectAction.success(content);
}
use of org.opensaml.saml2.core.AuthnRequest in project testcases by coheigea.
the class SamlSso method login.
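@GET
public javax.ws.rs.core.Response login(@QueryParam("SAMLRequest") String samlRequest, @QueryParam("RelayState") String relayState) throws Exception {
    // A missing SAMLRequest parameter is a client error (400), not a server error (500).
    if (samlRequest == null || samlRequest.isEmpty()) {
        throw new BadRequestException();
    }
    byte[] deflatedToken = Base64Utility.decode(samlRequest);
    Document requestDoc;
    // Close the inflated token stream once the DOM has been built.
    try (InputStreamReader reader = new InputStreamReader(new DeflateEncoderDecoder().inflateToken(deflatedToken), "UTF-8")) {
        requestDoc = StaxUtils.read(reader);
    }
    // Anything other than an AuthnRequest is a bad request rather than a ClassCastException.
    Object parsed = OpenSAMLUtil.fromDom(requestDoc.getDocumentElement());
    if (!(parsed instanceof AuthnRequest)) {
        throw new BadRequestException();
    }
    AuthnRequest request = (AuthnRequest) parsed;
    // Debug output of the inbound request (kept from the original behaviour).
    System.out.println(DOM2Writer.nodeToString(requestDoc));

    String racs = request.getAssertionConsumerServiceURL();
    if (racs == null || request.getIssuer() == null || request.getIssuer().getValue() == null) {
        throw new BadRequestException();
    }
    String requestIssuer = request.getIssuer().getValue();
    // Match the RACS + Issuer against known values
    if (!isKnownServiceProvider(requestIssuer, racs)) {
        throw new BadRequestException();
    }

    // Create the response
    Element response = createResponse(request.getID(), racs, requestIssuer);
    String responseStr = encodeResponse(response);

    // Perform Redirect to RACS; RelayState is optional and is echoed back unchanged when present.
    UriBuilder ub = UriBuilder.fromUri(racs);
    ub.queryParam("SAMLResponse", responseStr);
    if (relayState != null) {
        ub.queryParam("RelayState", relayState);
    }
    return javax.ws.rs.core.Response.seeOther(ub.build()).build();
}

/**
 * Returns {@code true} when a configured service provider has the given issuer and either
 * no RACS restriction or exactly the given RACS.
 *
 * @param issuer the issuer value taken from the AuthnRequest
 * @param racs the AssertionConsumerServiceURL taken from the AuthnRequest
 * @return whether the (issuer, racs) pair matches a configured provider
 */
private boolean isKnownServiceProvider(String issuer, String racs) {
    if (serviceProviders == null) {
        return false;
    }
    for (ServiceProvider sp : serviceProviders) {
        boolean issuerMatches = sp.getIssuer() != null && sp.getIssuer().equals(issuer);
        // A provider configured without a RACS accepts whatever AssertionConsumerServiceURL the
        // request carries, so the redirect target is then taken from the request itself.
        boolean racsMatches = sp.getRacs() == null || sp.getRacs().equals(racs);
        if (issuerMatches && racsMatches) {
            return true;
        }
    }
    return false;
}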
use of org.opensaml.saml2.core.AuthnRequest in project cloudstack by apache.
the class SAMLUtils method buildAuthnRequestUrl.
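/**
 * Builds the IdP SSO redirect URL that carries an (optionally signed) SAML AuthnRequest.
 *
 * @param authnId the id to use for the AuthnRequest
 * @param spMetadata metadata of this service provider (entity id, consumer URL, key pair)
 * @param idpMetadata metadata of the identity provider (SSO URL)
 * @param signatureAlgorithm the signature algorithm passed on to the request signer
 * @return the redirect URL, or an empty string when building or signing the request fails;
 *         the failure is logged, so callers must treat {@code ""} as an error and not as a URL
 */
public static String buildAuthnRequestUrl(final String authnId, final SAMLProviderMetadata spMetadata, final SAMLProviderMetadata idpMetadata, final String signatureAlgorithm) {
    String redirectUrl = "";
    try {
        DefaultBootstrap.bootstrap();
        final AuthnRequest authnRequest = SAMLUtils.buildAuthnRequestObject(authnId, spMetadata.getEntityId(), idpMetadata.getSsoUrl(), spMetadata.getSsoUrl());
        // Without an SP key pair a null key is handed to the signer; how the signer treats a
        // null key (unsigned request vs. error) is not visible here — confirm before relying on it.
        PrivateKey privateKey = null;
        if (spMetadata.getKeyPair() != null) {
            privateKey = spMetadata.getKeyPair().getPrivate();
        }
        final String query = SAMLUtils.generateSAMLRequestSignature("SAMLRequest=" + SAMLUtils.encodeSAMLRequest(authnRequest), privateKey, signatureAlgorithm);
        // NOTE(review): "?" is appended unconditionally; an SSO URL that already carries a query
        // string would yield a malformed URL.
        redirectUrl = idpMetadata.getSsoUrl() + "?" + query;
    } catch (ConfigurationException | FactoryConfigurationError | MarshallingException | IOException | NoSuchAlgorithmException | InvalidKeyException | java.security.SignatureException e) {
        // Log the throwable too: the message alone rarely explains a marshalling or signing failure.
        s_logger.error("SAML AuthnRequest message building error: " + e.getMessage(), e);
    }
    return redirectUrl;
}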
use of org.opensaml.saml2.core.AuthnRequest in project cloudstack by apache.
the class SAMLUtilsTest method testBuildAuthnRequestObject.
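@Test
public void testBuildAuthnRequestObject() throws Exception {
    // Fixed inputs; only the request id is generated.
    final String consumerUrl = "http://someurl.com";
    final String idpUrl = "http://idp.domain.example";
    final String spId = "cloudstack";
    final String authnId = SAMLUtils.generateSecureRandomId();
    final AuthnRequest req = SAMLUtils.buildAuthnRequestObject(authnId, spId, idpUrl, consumerUrl);
    // assertEquals(expected, actual): keep the expected value first so a failure
    // message reports the values the right way round.
    assertEquals(consumerUrl, req.getAssertionConsumerServiceURL());
    assertEquals(idpUrl, req.getDestination());
    assertEquals(spId, req.getIssuer().getValue());
}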