Search in sources :

Example 1 with Conditions

use of org.opensaml.saml2.core.Conditions in project cas by apereo.

the class GoogleAccountsServiceResponseBuilder method constructSamlResponse.

/**
     * Construct SAML response.
     * <a href="http://bit.ly/1uI8Ggu">See this reference for more info.</a>
     *
     * @param service the service
     * @return the SAML response
     */
protected String constructSamlResponse(final GoogleAccountsService service) {
    final ZonedDateTime currentDateTime = ZonedDateTime.now(ZoneOffset.UTC);
    final ZonedDateTime notBeforeIssueInstant = ZonedDateTime.parse("2003-04-17T00:46:02Z");
    final RegisteredService registeredService = servicesManager.findServiceBy(service);
    if (registeredService == null || !registeredService.getAccessStrategy().isServiceAccessAllowed()) {
        throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE);
    }
    final String userId = registeredService.getUsernameAttributeProvider().resolveUsername(service.getPrincipal(), service);
    final org.opensaml.saml.saml2.core.Response response = this.samlObjectBuilder.newResponse(this.samlObjectBuilder.generateSecureRandomId(), currentDateTime, service.getId(), service);
    response.setStatus(this.samlObjectBuilder.newStatus(StatusCode.SUCCESS, null));
    final String sessionIndex = '_' + String.valueOf(Math.abs(new SecureRandom().nextLong()));
    final AuthnStatement authnStatement = this.samlObjectBuilder.newAuthnStatement(AuthnContext.PASSWORD_AUTHN_CTX, currentDateTime, sessionIndex);
    final Assertion assertion = this.samlObjectBuilder.newAssertion(authnStatement, casServerPrefix, notBeforeIssueInstant, this.samlObjectBuilder.generateSecureRandomId());
    final Conditions conditions = this.samlObjectBuilder.newConditions(notBeforeIssueInstant, currentDateTime.plusSeconds(this.skewAllowance), service.getId());
    assertion.setConditions(conditions);
    final Subject subject = this.samlObjectBuilder.newSubject(NameID.EMAIL, userId, service.getId(), currentDateTime.plusSeconds(this.skewAllowance), service.getRequestId());
    assertion.setSubject(subject);
    response.getAssertions().add(assertion);
    final StringWriter writer = new StringWriter();
    this.samlObjectBuilder.marshalSamlXmlObject(response, writer);
    final String result = writer.toString();
    LOGGER.debug("Generated Google SAML response: [{}]", result);
    return result;
}
Also used : RegisteredService(org.apereo.cas.services.RegisteredService) Assertion(org.opensaml.saml.saml2.core.Assertion) UnauthorizedServiceException(org.apereo.cas.services.UnauthorizedServiceException) SecureRandom(java.security.SecureRandom) Conditions(org.opensaml.saml.saml2.core.Conditions) Subject(org.opensaml.saml.saml2.core.Subject) StringWriter(java.io.StringWriter) ZonedDateTime(java.time.ZonedDateTime) AuthnStatement(org.opensaml.saml.saml2.core.AuthnStatement)

Example 2 with Conditions

use of org.opensaml.saml2.core.Conditions in project cas by apereo.

the class SamlProfileSamlConditionsBuilder method buildConditions.

private Conditions buildConditions(final AuthnRequest authnRequest, final Assertion assertion, final SamlRegisteredService service, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor) throws SamlException {
    final ZonedDateTime currentDateTime = ZonedDateTime.now(ZoneOffset.UTC);
    final Conditions conditions = newConditions(currentDateTime, currentDateTime.plusSeconds(casProperties.getAuthn().getSamlIdp().getResponse().getSkewAllowance()), adaptor.getEntityId());
    return conditions;
}
Also used : ZonedDateTime(java.time.ZonedDateTime) Conditions(org.opensaml.saml.saml2.core.Conditions)

Example 3 with Conditions

use of org.opensaml.saml2.core.Conditions in project cas by apereo.

the class SamlProfileSamlConditionsBuilder method buildConditions.

/**
 * Build conditions conditions.
 *
 * @param authnRequest the authn request
 * @param assertion    the assertion
 * @param service      the service
 * @param adaptor      the adaptor
 * @return the conditions
 * @throws SamlException the saml exception
 */
protected Conditions buildConditions(final RequestAbstractType authnRequest, final Object assertion, final SamlRegisteredService service, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor) throws SamlException {
    final ZonedDateTime currentDateTime = ZonedDateTime.now(ZoneOffset.UTC);
    int skewAllowance = casProperties.getAuthn().getSamlIdp().getResponse().getSkewAllowance();
    if (skewAllowance <= 0) {
        skewAllowance = casProperties.getSamlCore().getSkewAllowance();
    }
    final List<String> audienceUrls = new ArrayList<>();
    audienceUrls.add(adaptor.getEntityId());
    if (StringUtils.isNotBlank(service.getAssertionAudiences())) {
        final Set<String> audiences = org.springframework.util.StringUtils.commaDelimitedListToSet(service.getAssertionAudiences());
        audienceUrls.addAll(audiences);
    }
    final Conditions conditions = newConditions(currentDateTime, currentDateTime.plusSeconds(skewAllowance), audienceUrls.toArray(new String[] {}));
    return conditions;
}
Also used : ZonedDateTime(java.time.ZonedDateTime) ArrayList(java.util.ArrayList) Conditions(org.opensaml.saml.saml2.core.Conditions)

Example 4 with Conditions

use of org.opensaml.saml2.core.Conditions in project verify-hub by alphagov.

the class AuthnResponseFactory method aResponseFromIdpBuilder.

public ResponseBuilder aResponseFromIdpBuilder(String idpEntityId, String ipAddressSeenByIdp, String requestId, DateTime issueInstant, String authnStatementAssertionId, String authnAssertionSubjectPid, String authnAssertionIssuer, String authnAssertionInResponseTo, String mdsStatementAssertionId, String mdsAssertionSubjectPid, String mdsAssertionIssuer, String mdsAssertionInResponseTo, Optional<BasicCredential> basicCredential) {
    TestCredentialFactory idpSigningCredentialFactory = new TestCredentialFactory(publicSigningCerts.get(idpEntityId), privateSigningKeys.get(idpEntityId));
    final Subject mdsAssertionSubject = SubjectBuilder.aSubject().withPersistentId(mdsAssertionSubjectPid).withSubjectConfirmation(SubjectConfirmationBuilder.aSubjectConfirmation().withSubjectConfirmationData(SubjectConfirmationDataBuilder.aSubjectConfirmationData().withInResponseTo(mdsAssertionInResponseTo).build()).build()).build();
    final Subject authnAssertionSubject = SubjectBuilder.aSubject().withNameId(buildNameID(authnAssertionSubjectPid)).withSubjectConfirmation(SubjectConfirmationBuilder.aSubjectConfirmation().withSubjectConfirmationData(SubjectConfirmationDataBuilder.aSubjectConfirmationData().withInResponseTo(authnAssertionInResponseTo).build()).build()).build();
    final Conditions mdsAssertionConditions = ConditionsBuilder.aConditions().validFor(new Duration(1000 * 60 * 60)).build();
    final AttributeStatement matchingDatasetAttributeStatement = MatchingDatasetAttributeStatementBuilder_1_1.aMatchingDatasetAttributeStatement_1_1().build();
    final Credential encryptingCredential;
    if (basicCredential.isPresent()) {
        encryptingCredential = basicCredential.get();
    } else {
        encryptingCredential = hubEncryptionCredentialFactory.getEncryptingCredential();
    }
    final Credential signingCredential = idpSigningCredentialFactory.getSigningCredential();
    final AssertionBuilder mdsAssertion = AssertionBuilder.anAssertion().withId(generateId()).withIssuer(IssuerBuilder.anIssuer().withIssuerId(mdsAssertionIssuer).build()).withSubject(mdsAssertionSubject).withConditions(mdsAssertionConditions).withId(mdsStatementAssertionId).addAttributeStatement(matchingDatasetAttributeStatement);
    final AssertionBuilder authnAssertion = AssertionBuilder.anAssertion().withId(generateId()).addAttributeStatement(anAttributeStatement().addAttribute(anIPAddress().withValue(ipAddressSeenByIdp).build()).build()).withIssuer(IssuerBuilder.anIssuer().withIssuerId(authnAssertionIssuer).build()).withSubject(authnAssertionSubject).withId(authnStatementAssertionId).withIssueInstant(issueInstant).addAuthnStatement(AuthnStatementBuilder.anAuthnStatement().build());
    ResponseBuilder responseBuilder = ResponseBuilder.aResponse().withId(generateId()).withIssuer(IssuerBuilder.anIssuer().withIssuerId(idpEntityId).build()).withSigningCredential(signingCredential).withInResponseTo(requestId).addEncryptedAssertion(mdsAssertion.withSignature(SignatureBuilder.aSignature().withSigningCredential(signingCredential).build()).buildWithEncrypterCredential(encryptingCredential)).addEncryptedAssertion(authnAssertion.withSignature(SignatureBuilder.aSignature().withSigningCredential(signingCredential).build()).buildWithEncrypterCredential(encryptingCredential));
    return responseBuilder;
}
Also used : TestCredentialFactory(uk.gov.ida.saml.core.test.TestCredentialFactory) BasicCredential(org.opensaml.security.credential.BasicCredential) Credential(org.opensaml.security.credential.Credential) AttributeStatementBuilder.anAttributeStatement(uk.gov.ida.saml.core.test.builders.AttributeStatementBuilder.anAttributeStatement) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) Duration(org.joda.time.Duration) AssertionBuilder(uk.gov.ida.saml.core.test.builders.AssertionBuilder) ResponseBuilder(uk.gov.ida.saml.core.test.builders.ResponseBuilder) Subject(org.opensaml.saml.saml2.core.Subject) Conditions(org.opensaml.saml.saml2.core.Conditions)

Example 5 with Conditions

use of org.opensaml.saml2.core.Conditions in project verify-hub by alphagov.

the class MatchingServiceAssertionToAssertionTransformer method transform.

public Assertion transform(MatchingServiceAssertion originalAssertion) {
    Assertion transformedAssertion = openSamlXmlObjectFactory.createAssertion();
    transformedAssertion.setIssueInstant(originalAssertion.getIssueInstant());
    Issuer transformedIssuer = openSamlXmlObjectFactory.createIssuer(originalAssertion.getIssuerId());
    transformedAssertion.setIssuer(transformedIssuer);
    transformedAssertion.setID(originalAssertion.getId());
    Subject subject = outboundAssertionToSubjectTransformer.transform(originalAssertion);
    transformedAssertion.setSubject(subject);
    MatchingServiceAuthnStatement authnStatement = originalAssertion.getAuthnStatement();
    transformedAssertion.getAuthnStatements().add(matchingServiceAuthnStatementToAuthnStatementTransformer.transform(authnStatement));
    Conditions conditions = openSamlXmlObjectFactory.createConditions();
    AudienceRestriction audienceRestriction = openSamlXmlObjectFactory.createAudienceRestriction(originalAssertion.getAudience());
    conditions.getAudienceRestrictions().add(audienceRestriction);
    transformedAssertion.setConditions(conditions);
    List<Attribute> userAttributesForAccountCreation = originalAssertion.getUserAttributesForAccountCreation();
    if (!userAttributesForAccountCreation.isEmpty()) {
        addAttributes(transformedAssertion, userAttributesForAccountCreation);
    }
    return transformedAssertion;
}
Also used : AudienceRestriction(org.opensaml.saml.saml2.core.AudienceRestriction) Issuer(org.opensaml.saml.saml2.core.Issuer) Attribute(org.opensaml.saml.saml2.core.Attribute) MatchingServiceAssertion(uk.gov.ida.saml.msa.test.domain.MatchingServiceAssertion) Assertion(org.opensaml.saml.saml2.core.Assertion) MatchingServiceAuthnStatement(uk.gov.ida.saml.core.domain.MatchingServiceAuthnStatement) Subject(org.opensaml.saml.saml2.core.Subject) Conditions(org.opensaml.saml.saml2.core.Conditions)

Aggregations

Conditions (org.opensaml.saml.saml2.core.Conditions)16 DateTime (org.joda.time.DateTime)8 Assertion (org.opensaml.saml.saml2.core.Assertion)8 Subject (org.opensaml.saml.saml2.core.Subject)7 Attribute (org.opensaml.saml.saml2.core.Attribute)5 AttributeStatement (org.opensaml.saml.saml2.core.AttributeStatement)5 AuthnStatement (org.opensaml.saml.saml2.core.AuthnStatement)5 SubjectConfirmation (org.opensaml.saml.saml2.core.SubjectConfirmation)5 ArrayList (java.util.ArrayList)4 EncryptedAssertion (org.opensaml.saml.saml2.core.EncryptedAssertion)4 Issuer (org.opensaml.saml.saml2.core.Issuer)4 NameID (org.opensaml.saml.saml2.core.NameID)4 ZonedDateTime (java.time.ZonedDateTime)3 AudienceRestriction (org.opensaml.saml.saml2.core.AudienceRestriction)3 AuthnContext (org.opensaml.saml.saml2.core.AuthnContext)3 AuthnContextClassRef (org.opensaml.saml.saml2.core.AuthnContextClassRef)3 SubjectConfirmationData (org.opensaml.saml.saml2.core.SubjectConfirmationData)3 AssertionBuilder (org.opensaml.saml.saml2.core.impl.AssertionBuilder)3 AttributeBuilder (org.opensaml.saml.saml2.core.impl.AttributeBuilder)3 AttributeStatementBuilder (org.opensaml.saml.saml2.core.impl.AttributeStatementBuilder)3