Example 11 with Subject

Use of org.opensaml.saml2.core.Subject in project OpenAttestation by OpenAttestation.

From the class SamlGenerator, method generateHostAssertions.

```java
/**
 * Generates a multi-host SAML assertion which contains an AttributeStatement
 * for each host containing a Host_Address attribute with the host IP address
 * or hostname and the trust attributes as for a single-host assertion.
 * The Subject of the multi-host SAML assertion should not be used because
 * it is simply the collection of hosts in the assertion and no statements
 * are made about the collection as a whole.
 *
 * @param hosts the hosts to include, one AttributeStatement each
 * @return the signed assertion, serialized as an XML string
 * @throws SamlException if building, marshalling or signing the assertion fails
 */
public SamlAssertion generateHostAssertions(Collection<TxtHostWithAssetTag> hosts) throws SamlException {
    try {
        samlAssertion = new SamlAssertion();
        // build the OpenSAML object model, then marshal it into a DOM element
        Assertion assertion = createAssertion(hosts);
        AssertionMarshaller marshaller = new AssertionMarshaller();
        Element plaintextElement = marshaller.marshall(assertion);
        String originalAssertionString = XMLHelper.nodeToString(plaintextElement);
        System.out.println("Assertion String: " + originalAssertionString);
        // add signatures and/or encryption; the signature is applied to the DOM element
        // in place, so the element is serialized again afterwards to capture it
        signAssertion(plaintextElement);
        samlAssertion.assertion = XMLHelper.nodeToString(plaintextElement);
        System.out.println("Signed Assertion String: " + samlAssertion.assertion);
        return samlAssertion;
    } catch (Exception e) {
        // wrap every failure (marshalling, key store, signature) in the API's own exception type
        throw new SamlException(e);
    }
}
```
Also used : AssertionMarshaller(org.opensaml.saml2.core.impl.AssertionMarshaller) Element(org.w3c.dom.Element) Assertion(org.opensaml.saml2.core.Assertion) XSString(org.opensaml.xml.schema.XSString) MarshalException(javax.xml.crypto.MarshalException) KeyStoreException(java.security.KeyStoreException) GeneralSecurityException(java.security.GeneralSecurityException) XMLSignatureException(javax.xml.crypto.dsig.XMLSignatureException) UnrecoverableEntryException(java.security.UnrecoverableEntryException) MarshallingException(org.opensaml.xml.io.MarshallingException) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) UnknownHostException(java.net.UnknownHostException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) ConfigurationException(org.opensaml.xml.ConfigurationException)

Example 12 with Subject

Use of org.opensaml.saml2.core.Subject in project OpenAttestation by OpenAttestation.

From the class SamlGenerator, method createNameID.

```java
// create the Subject NameID that identifies a host in the assertion
private NameID createNameID(String hostName) {
    // Create the NameIdentifier via the registered OpenSAML builder for the NameID element
    SAMLObjectBuilder nameIdBuilder = (SAMLObjectBuilder) builderFactory.getBuilder(NameID.DEFAULT_ELEMENT_NAME);
    NameID nameId = (NameID) nameIdBuilder.buildObject();
    nameId.setValue(hostName);
    // optional: nameId.setNameQualifier(input.getStrNameQualifier());
    // !!! CAN ALSO USE X509 SUBJECT FROM HOST CERTIFICATE instead of host name in database
    // the format is "unspecified", so a relying party must not infer any identifier syntax from it
    nameId.setFormat(NameID.UNSPECIFIED);
    return nameId;
}
```
Also used : SAMLObjectBuilder(org.opensaml.common.SAMLObjectBuilder) NameID(org.opensaml.saml2.core.NameID)

Example 13 with Subject

Use of org.opensaml.saml2.core.Subject in project cloudstack by apache.

From the test class SAML2LoginAPIAuthenticatorCmdTest, method buildMockResponse.

```java
// Builds an unsigned SAML 2.0 Response fixture for unit tests: a successful status,
// one Assertion with a persistent-format Subject, an AuthnStatement and an empty
// AttributeStatement. No signature or Conditions are attached, so this object is
// only suitable for exercising parsing and mapping logic, not signature validation.
private Response buildMockResponse() throws Exception {
    Response samlMessage = new ResponseBuilder().buildObject();
    samlMessage.setID("foo");
    samlMessage.setVersion(SAMLVersion.VERSION_20);
    samlMessage.setIssueInstant(new DateTime(0));
    Issuer issuer = new IssuerBuilder().buildObject();
    issuer.setValue("MockedIssuer");
    samlMessage.setIssuer(issuer);
    // top-level status: urn:oasis:names:tc:SAML:2.0:status:Success
    Status status = new StatusBuilder().buildObject();
    StatusCode statusCode = new StatusCodeBuilder().buildObject();
    statusCode.setValue(StatusCode.SUCCESS_URI);
    status.setStatusCode(statusCode);
    samlMessage.setStatus(status);
    // assertion with a Subject whose NameID uses the persistent format
    Assertion assertion = new AssertionBuilder().buildObject();
    Subject subject = new SubjectBuilder().buildObject();
    NameID nameID = new NameIDBuilder().buildObject();
    nameID.setValue("SOME-UNIQUE-ID");
    nameID.setFormat(NameIDType.PERSISTENT);
    subject.setNameID(nameID);
    assertion.setSubject(subject);
    // authentication statement carrying a session index the SP can later use for logout
    AuthnStatement authnStatement = new AuthnStatementBuilder().buildObject();
    authnStatement.setSessionIndex("Some Session String");
    assertion.getAuthnStatements().add(authnStatement);
    AttributeStatement attributeStatement = new AttributeStatementBuilder().buildObject();
    assertion.getAttributeStatements().add(attributeStatement);
    samlMessage.getAssertions().add(assertion);
    return samlMessage;
}
```
Also used : Status(org.opensaml.saml2.core.Status) AttributeStatementBuilder(org.opensaml.saml2.core.impl.AttributeStatementBuilder) StatusCodeBuilder(org.opensaml.saml2.core.impl.StatusCodeBuilder) Issuer(org.opensaml.saml2.core.Issuer) NameID(org.opensaml.saml2.core.NameID) Assertion(org.opensaml.saml2.core.Assertion) AssertionBuilder(org.opensaml.saml2.core.impl.AssertionBuilder) AuthnStatementBuilder(org.opensaml.saml2.core.impl.AuthnStatementBuilder) StatusCode(org.opensaml.saml2.core.StatusCode) DateTime(org.joda.time.DateTime) Subject(org.opensaml.saml2.core.Subject) Response(org.opensaml.saml2.core.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) NameIDBuilder(org.opensaml.saml2.core.impl.NameIDBuilder) AttributeStatement(org.opensaml.saml2.core.AttributeStatement) AuthnStatement(org.opensaml.saml2.core.AuthnStatement) StatusBuilder(org.opensaml.saml2.core.impl.StatusBuilder) IssuerBuilder(org.opensaml.saml2.core.impl.IssuerBuilder) ResponseBuilder(org.opensaml.saml2.core.impl.ResponseBuilder) SubjectBuilder(org.opensaml.saml2.core.impl.SubjectBuilder)

Example 14 with Subject

Use of org.opensaml.saml2.core.Subject in project cas by apereo.

From the class GoogleAccountsServiceResponseBuilder, method constructSamlResponse.

```java
/**
 * Construct SAML response.
 * <a href="http://bit.ly/1uI8Ggu">See this reference for more info.</a>
 *
 * @param service        the service
 * @param authentication the authentication
 * @return the SAML response
 */
protected String constructSamlResponse(final GoogleAccountsService service, final Authentication authentication) {
    final ZonedDateTime currentDateTime = ZonedDateTime.now(ZoneOffset.UTC);
    // fixed historical NotBefore instant: the lower bound of the validity window is effectively open,
    // so only NotOnOrAfter (currentDateTime plus skewAllowance) constrains the assertion lifetime
    final ZonedDateTime notBeforeIssueInstant = ZonedDateTime.parse("2003-04-17T00:46:02Z");
    // refuse to issue anything for a service that is not registered or not allowed access
    final RegisteredService registeredService = servicesManager.findServiceBy(service);
    if (registeredService == null || !registeredService.getAccessStrategy().isServiceAccessAllowed()) {
        throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE);
    }
    // the username released to Google is resolved per registered service, not taken verbatim from the principal
    final Principal principal = authentication.getPrincipal();
    final String userId = registeredService.getUsernameAttributeProvider().resolveUsername(principal, service, registeredService);
    final org.opensaml.saml.saml2.core.Response response = this.samlObjectBuilder.newResponse(this.samlObjectBuilder.generateSecureRandomId(), currentDateTime, null, service);
    response.setStatus(this.samlObjectBuilder.newStatus(StatusCode.SUCCESS, null));
    final String sessionIndex = '_' + String.valueOf(Math.abs(RandomUtils.getNativeInstance().nextLong()));
    final AuthnStatement authnStatement = this.samlObjectBuilder.newAuthnStatement(AuthnContext.PASSWORD_AUTHN_CTX, currentDateTime, sessionIndex);
    final Assertion assertion = this.samlObjectBuilder.newAssertion(authnStatement, casServerPrefix, notBeforeIssueInstant, this.samlObjectBuilder.generateSecureRandomId());
    // Conditions restrict the audience to the service id and bound the validity window
    final Conditions conditions = this.samlObjectBuilder.newConditions(notBeforeIssueInstant, currentDateTime.plusSeconds(this.skewAllowance), service.getId());
    assertion.setConditions(conditions);
    // Subject with an e-mail NameID; the confirmation data carries recipient, NotOnOrAfter and
    // InResponseTo (the original request id) so the SP can tie the assertion to its own request
    final Subject subject = this.samlObjectBuilder.newSubject(NameID.EMAIL, userId, service.getId(), currentDateTime.plusSeconds(this.skewAllowance), service.getRequestId(), null);
    assertion.setSubject(subject);
    response.getAssertions().add(assertion);
    final String result = SamlUtils.transformSamlObject(this.samlObjectBuilder.getConfigBean(), response, true).toString();
    LOGGER.debug("Generated Google SAML response: [{}]", result);
    return result;
}
```
Also used : RegisteredService(org.apereo.cas.services.RegisteredService) Assertion(org.opensaml.saml.saml2.core.Assertion) UnauthorizedServiceException(org.apereo.cas.services.UnauthorizedServiceException) Conditions(org.opensaml.saml.saml2.core.Conditions) Subject(org.opensaml.saml.saml2.core.Subject) ZonedDateTime(java.time.ZonedDateTime) AuthnStatement(org.opensaml.saml.saml2.core.AuthnStatement) Principal(org.apereo.cas.authentication.principal.Principal)

Example 15 with Subject

Use of org.opensaml.saml2.core.Subject in project cas by apereo.

From the class SamlProfileSamlSubjectBuilder, method buildSubject.

```java
private Subject buildSubject(final HttpServletRequest request, final HttpServletResponse response, final RequestAbstractType authnRequest, final Object casAssertion, final SamlRegisteredService service, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final String binding) throws SamlException {
    // the CAS-side validation assertion (org.jasig.cas.client.validation.Assertion), not the SAML Assertion being built
    final Assertion assertion = Assertion.class.cast(casAssertion);
    final ZonedDateTime validFromDate = ZonedDateTime.ofInstant(assertion.getValidFromDate().toInstant(), ZoneOffset.UTC);
    // the SubjectConfirmationData Recipient comes from the SP's AssertionConsumerService for this binding
    LOGGER.debug("Locating the assertion consumer service url for binding [{}]", binding);
    @NonNull final AssertionConsumerService acs = adaptor.getAssertionConsumerService(binding);
    final String location = StringUtils.isBlank(acs.getResponseLocation()) ? acs.getLocation() : acs.getResponseLocation();
    if (StringUtils.isBlank(location)) {
        LOGGER.warn("Subject recipient is not defined from either authentication request or metadata for [{}]", adaptor.getEntityId());
    }
    final NameID nameId = getNameIdForService(request, response, authnRequest, service, adaptor, binding, assertion);
    // Each confirmation field (Recipient, NotOnOrAfter, InResponseTo, NotBefore) can be suppressed per
    // registered service. Every field that is skipped removes one check the SP can perform on a bearer
    // assertion, so these switches should stay off unless a specific SP cannot handle the field.
    final Subject subject = newSubject(nameId,
        service.isSkipGeneratingSubjectConfirmationRecipient() ? null : location,
        service.isSkipGeneratingSubjectConfirmationNotOnOrAfter() ? null : validFromDate.plusSeconds(this.skewAllowance),
        service.isSkipGeneratingSubjectConfirmationInResponseTo() ? null : authnRequest.getID(),
        service.isSkipGeneratingSubjectConfirmationNotBefore() ? null : ZonedDateTime.now());
    LOGGER.debug("Created SAML subject [{}]", subject);
    return subject;
}
```
Also used : ZonedDateTime(java.time.ZonedDateTime) NameID(org.opensaml.saml.saml2.core.NameID) NonNull(lombok.NonNull) Assertion(org.jasig.cas.client.validation.Assertion) AssertionConsumerService(org.opensaml.saml.saml2.metadata.AssertionConsumerService) Subject(org.opensaml.saml.saml2.core.Subject)

Aggregations

Subject (org.opensaml.saml.saml2.core.Subject) 13
ZonedDateTime (java.time.ZonedDateTime) 5
Assertion (org.opensaml.saml.saml2.core.Assertion) 5
AttributeStatement (org.opensaml.saml.saml2.core.AttributeStatement) 5
SAMLObjectBuilder (org.opensaml.common.SAMLObjectBuilder) 4
NameID (org.opensaml.saml.saml2.core.NameID) 4
RegisteredService (org.apereo.cas.services.RegisteredService) 3
Assertion (org.opensaml.saml2.core.Assertion) 3
NameID (org.opensaml.saml2.core.NameID) 3
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException) 2
SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper) 2
Credential (org.apache.wss4j.dom.validate.Credential) 2
Principal (org.apereo.cas.authentication.principal.Principal) 2
UnauthorizedServiceException (org.apereo.cas.services.UnauthorizedServiceException) 2
DateTime (org.joda.time.DateTime) 2
Subject (org.opensaml.saml.saml1.core.Subject) 2
AuthnStatement (org.opensaml.saml.saml2.core.AuthnStatement) 2
Conditions (org.opensaml.saml.saml2.core.Conditions) 2
Strings.isNullOrEmpty (com.google.common.base.Strings.isNullOrEmpty) 1
IOException (java.io.IOException) 1