
Example 16 with Subject

use of org.opensaml.saml2.core.Subject in project cas by apereo.

the class AbstractSaml20ObjectBuilder method newSubject.

/**
 * Builds a SAML 2.0 {@code Subject} that carries the given name identifier and exactly one
 * bearer {@code SubjectConfirmation}.
 *
 * <p>Only inputs that are actually present are written into the {@code SubjectConfirmationData}:
 * blank strings and {@code null} instants are skipped, so no empty attributes end up in the XML.
 *
 * @param nameId       name identifier set on the subject; skipped when {@code null}
 * @param recipient    value of {@code SubjectConfirmationData/@Recipient}; skipped when blank
 * @param notOnOrAfter upper validity bound of the confirmation; skipped when {@code null}
 * @param inResponseTo identifier of the request this subject answers; skipped when blank
 * @param notBefore    lower validity bound of the confirmation; skipped when {@code null}
 * @return the populated subject
 */
public Subject newSubject(final NameID nameId, final String recipient, final ZonedDateTime notOnOrAfter, final String inResponseTo, final ZonedDateTime notBefore) {
    LOGGER.debug("Building subject for NameID [{}] and recipient [{}], in response to [{}]", nameId, recipient, inResponseTo);

    final Subject subject = newSamlObject(Subject.class);
    if (nameId != null) {
        subject.setNameID(nameId);
    }

    final SubjectConfirmationData confirmationData = newSamlObject(SubjectConfirmationData.class);
    if (StringUtils.isNotBlank(recipient)) {
        confirmationData.setRecipient(recipient);
    }
    if (notOnOrAfter != null) {
        confirmationData.setNotOnOrAfter(DateTimeUtils.dateTimeOf(notOnOrAfter));
    }
    if (StringUtils.isNotBlank(inResponseTo)) {
        confirmationData.setInResponseTo(inResponseTo);
        // NOTE(review): InResponseTo is the requester-supplied request identifier, yet it is passed to
        // InetAddressUtils.getByName(), i.e. treated as a host name and possibly resolved over the
        // network. Response building then depends on a name lookup (latency, timeouts) of an external
        // input that is normally not an address at all. Confirm this is intended:
        // SubjectConfirmationData/@Address is meant to carry the client's network address.
        final InetAddress resolvedAddress = InetAddressUtils.getByName(inResponseTo);
        if (resolvedAddress != null) {
            confirmationData.setAddress(resolvedAddress.getHostName());
        }
    }
    if (notBefore != null) {
        confirmationData.setNotBefore(DateTimeUtils.dateTimeOf(notBefore));
    }

    final SubjectConfirmation bearerConfirmation = newSamlObject(SubjectConfirmation.class);
    bearerConfirmation.setMethod(SubjectConfirmation.METHOD_BEARER);
    bearerConfirmation.setSubjectConfirmationData(confirmationData);
    subject.getSubjectConfirmations().add(bearerConfirmation);

    LOGGER.debug("Built subject [{}]", subject);
    return subject;
}
Also used : SubjectConfirmation(org.opensaml.saml.saml2.core.SubjectConfirmation) SubjectConfirmationData(org.opensaml.saml.saml2.core.SubjectConfirmationData) InetAddress(java.net.InetAddress) Subject(org.opensaml.saml.saml2.core.Subject)

Example 17 with Subject

use of org.opensaml.saml2.core.Subject in project cas by apereo.

the class Saml10ObjectBuilder method newSubject.

/**
 * Builds a SAML 1.x {@code Subject} for {@code identifier}, confirmed with the supplied
 * confirmation method URI.
 *
 * <p>Both arguments are written into the element exactly as given; no blank or {@code null}
 * filtering happens here.
 *
 * @param identifier         value of the subject's {@code NameIdentifier}
 * @param confirmationMethod confirmation method URI added to the {@code SubjectConfirmation}
 * @return the populated subject
 */
public Subject newSubject(final String identifier, final String confirmationMethod) {
    final NameIdentifier subjectName = newSamlObject(NameIdentifier.class);
    subjectName.setNameIdentifier(identifier);

    final ConfirmationMethod methodElement = newSamlObject(ConfirmationMethod.class);
    methodElement.setConfirmationMethod(confirmationMethod);

    final SubjectConfirmation subjectConfirmation = newSamlObject(SubjectConfirmation.class);
    subjectConfirmation.getConfirmationMethods().add(methodElement);

    final Subject subject = newSamlObject(Subject.class);
    subject.setSubjectConfirmation(subjectConfirmation);
    subject.setNameIdentifier(subjectName);
    return subject;
}
Also used : SubjectConfirmation(org.opensaml.saml.saml1.core.SubjectConfirmation) NameIdentifier(org.opensaml.saml.saml1.core.NameIdentifier) ConfirmationMethod(org.opensaml.saml.saml1.core.ConfirmationMethod) Subject(org.opensaml.saml.saml1.core.Subject)

Example 18 with Subject

use of org.opensaml.saml2.core.Subject in project cas by apereo.

the class Saml10SuccessResponseView method prepareResponse.

/**
 * Populates the SAML 1.x success {@code Response}: a single assertion carrying an authentication
 * statement, validity conditions scoped to the requesting service, an attribute statement for the
 * released attributes (only when there are any), and a {@code Success} status.
 *
 * <p>The assertion id is produced by {@code samlObjectBuilder.generateSecureRandomId()}; the issue
 * instant is read from the response itself.
 *
 * @param response the response being prepared; receives the status and the assertion
 * @param model    view model from which the CAS assertion, primary authentication and principal are read
 */
@Override
protected void prepareResponse(final Response response, final Map<String, Object> model) {
    final ZonedDateTime issueInstant = DateTimeUtils.zonedDateTimeOf(response.getIssueInstant());
    final Service requestingService = getAssertionFrom(model).getService();
    LOGGER.debug("Preparing SAML response for service [{}]", requestingService);

    final Authentication primaryAuthn = getPrimaryAuthenticationFrom(model);
    // The authentication-method attribute (keyed by ATTRIBUTE_AUTHENTICATION_METHOD) feeds the AuthenticationStatement.
    final Collection<Object> authnMethods = CollectionUtils.toCollection(primaryAuthn.getAttributes().get(SamlAuthenticationMetaDataPopulator.ATTRIBUTE_AUTHENTICATION_METHOD));
    LOGGER.debug("Authentication methods found are [{}]", authnMethods);

    final Principal principal = getPrincipal(model);
    final AuthenticationStatement authnStatement = this.samlObjectBuilder.newAuthenticationStatement(primaryAuthn.getAuthenticationDate(), authnMethods, principal.getId());
    LOGGER.debug("Built authentication statement for [{}] dated at [{}]", principal, primaryAuthn.getAuthenticationDate());

    final Assertion assertion = this.samlObjectBuilder.newAssertion(authnStatement, this.issuer, issueInstant, this.samlObjectBuilder.generateSecureRandomId());
    LOGGER.debug("Built assertion for issuer [{}] dated at [{}]", this.issuer, issueInstant);

    // Conditions are derived from the issue instant, the requesting service id and the configured issue length.
    assertion.setConditions(this.samlObjectBuilder.newConditions(issueInstant, requestingService.getId(), this.issueLength));
    LOGGER.debug("Built assertion conditions for issuer [{}] and service [{}] ", this.issuer, requestingService.getId());

    final Subject subject = this.samlObjectBuilder.newSubject(principal.getId());
    LOGGER.debug("Built subject for principal [{}]", principal);

    final Map<String, Object> releasedAttributes = prepareSamlAttributes(model, requestingService);
    LOGGER.debug("Authentication statement shall include these attributes [{}]", releasedAttributes);
    if (!releasedAttributes.isEmpty()) {
        assertion.getAttributeStatements().add(this.samlObjectBuilder.newAttributeStatement(subject, releasedAttributes, this.defaultAttributeNamespace));
    }

    response.setStatus(this.samlObjectBuilder.newStatus(StatusCode.SUCCESS, null));
    LOGGER.debug("Set response status code to [{}]", response.getStatus());
    response.getAssertions().add(assertion);
}
Also used : ZonedDateTime(java.time.ZonedDateTime) Authentication(org.apereo.cas.authentication.Authentication) Assertion(org.opensaml.saml.saml1.core.Assertion) RegisteredService(org.apereo.cas.services.RegisteredService) Service(org.apereo.cas.authentication.principal.Service) Principal(org.apereo.cas.authentication.principal.Principal) AuthenticationStatement(org.opensaml.saml.saml1.core.AuthenticationStatement) Conditions(org.opensaml.saml.saml1.core.Conditions) Subject(org.opensaml.saml.saml1.core.Subject)

Example 19 with Subject

use of org.opensaml.saml2.core.Subject in project verify-hub by alphagov.

the class IdpAuthnResponseTranslatorServiceTest method setup.

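/**
 * Wires the collaborators of {@code IdpAuthnResponseTranslatorService} before each test.
 *
 * <p>Two signed, unencrypted assertions are built against the same {@code requestId}: an
 * authentication assertion (with an IP-address attribute statement) and a matching-dataset
 * assertion, both issued by {@code TestEntityIds.STUB_IDP_ONE}. The mocked transformers and
 * response objects are then stubbed so the service under test sees one consistent response.
 */
@Before
public void setup() {
    IdaSamlBootstrap.bootstrap();
    final String idpEntityId = TestEntityIds.STUB_IDP_ONE;
    final String assertionId1 = randomUUID().toString();
    final String assertionId2 = randomUUID().toString();
    final String requestId = randomUUID().toString();
    // NOTE(review): the fixture signs with RSA-SHA1. This test exercises response translation, not
    // signature validation, but SHA-1 XML signatures are deprecated; prefer an RSA-SHA256 descriptor
    // unless legacy-algorithm handling is what the test is meant to cover.
    final SignatureAlgorithm signatureAlgorithm = new SignatureRSASHA1();
    final DigestAlgorithm digestAlgorithm = new DigestSHA256();

    // Both subjects confirm against the same request id so the two assertions belong to one response.
    final Subject mdsAssertionSubject = aSubject().withSubjectConfirmation(aSubjectConfirmation().withSubjectConfirmationData(aSubjectConfirmationData().withInResponseTo(requestId).build()).build()).build();
    final Subject authnAssertionSubject = aSubject().withSubjectConfirmation(aSubjectConfirmation().withSubjectConfirmationData(aSubjectConfirmationData().withInResponseTo(requestId).build()).build()).build();
    final AttributeStatement matchingDatasetAttributeStatement = MatchingDatasetAttributeStatementBuilder_1_1.aMatchingDatasetAttributeStatement_1_1().build();
    final AttributeStatement ipAddress = anAttributeStatement().addAttribute(IPAddressAttributeBuilder.anIPAddress().build()).build();

    // Build the response-level signature directly rather than wrapping it in an Optional and calling get().
    final Signature responseSignature = SignatureBuilder.aSignature().build();
    ((SignatureImpl) responseSignature).setXMLSignature(BuilderHelper.createXMLSignature(signatureAlgorithm, digestAlgorithm));
    final Optional<Signature> signature = of(responseSignature);

    authnStatementAssertion = AssertionBuilder.anAssertion().withId(assertionId1).withIssuer(IssuerBuilder.anIssuer().withIssuerId(idpEntityId).build()).withSubject(authnAssertionSubject).addAttributeStatement(ipAddress).addAuthnStatement(AuthnStatementBuilder.anAuthnStatement().build()).withSignature(SignatureBuilder.aSignature().withSignatureAlgorithm(signatureAlgorithm).withDigestAlgorithm(assertionId1, digestAlgorithm).build()).buildUnencrypted();
    matchingDatasetAssertion = AssertionBuilder.anAssertion().withId(assertionId2).withIssuer(IssuerBuilder.anIssuer().withIssuerId(idpEntityId).build()).withSubject(mdsAssertionSubject).addAttributeStatement(matchingDatasetAttributeStatement).withSignature(SignatureBuilder.aSignature().withSignatureAlgorithm(signatureAlgorithm).withDigestAlgorithm(assertionId2, digestAlgorithm).build()).buildUnencrypted();

    when(responseContainer.getSamlResponse()).thenReturn(saml);
    when(stringToOpenSamlResponseTransformer.apply(saml)).thenReturn(samlResponse);
    when(samlResponseToIdaResponseIssuedByIdpTransformer.apply(samlResponse)).thenReturn(responseFromIdp);
    when(authStatementAssertion.getUnderlyingAssertionBlob()).thenReturn(authStatementUnderlyingAssertionBlob);
    when(authStatementAssertion.getAuthnContext()).thenReturn(Optional.empty());
    when(authStatementAssertion.getFraudDetectedDetails()).thenReturn(Optional.empty());
    when(authStatementAssertion.getPrincipalIpAddressAsSeenByIdp()).thenReturn(Optional.of(principalIpAddressSeenByIdp));
    // getNameId() is stubbed once; a previous duplicate stub with a different literal was dead
    // because Mockito's last stubbing wins.
    when(authnStatementPersistentId.getNameId()).thenReturn(persistentIdName);
    when(authStatementAssertion.getPersistentId()).thenReturn(authnStatementPersistentId);
    when(responseFromIdp.getIssuer()).thenReturn(responseIssuer);
    when(responseFromIdp.getStatus()).thenReturn(status);
    when(responseFromIdp.getMatchingDatasetAssertion()).thenReturn(empty());
    when(responseFromIdp.getAuthnStatementAssertion()).thenReturn(empty());
    when(responseFromIdp.getSignature()).thenReturn(signature);
    when(samlResponse.getIssuer()).thenReturn(issuer);
    when(stringToAssertionTransformer.apply(authStatementUnderlyingAssertionBlob)).thenReturn(authnStatementAssertion);
    when(stringToAssertionTransformer.apply(matchingDatasetUnderlyingAssertionBlob)).thenReturn(matchingDatasetAssertion);

    final InboundResponseFromIdpDataGenerator inboundResponseFromIdpDataGenerator = new InboundResponseFromIdpDataGenerator(assertionBlobEncrypter);
    service = new IdpAuthnResponseTranslatorService(stringToOpenSamlResponseTransformer, stringToAssertionTransformer, samlResponseToIdaResponseIssuedByIdpTransformer, inboundResponseFromIdpDataGenerator, idpAssertionMetricsCollector);
}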
Also used : DigestSHA256(org.opensaml.xmlsec.algorithm.descriptors.DigestSHA256) SignatureRSASHA1(org.opensaml.xmlsec.algorithm.descriptors.SignatureRSASHA1) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) AttributeStatementBuilder.anAttributeStatement(uk.gov.ida.saml.idp.test.builders.AttributeStatementBuilder.anAttributeStatement) Signature(org.opensaml.xmlsec.signature.Signature) SignatureAlgorithm(org.opensaml.xmlsec.algorithm.SignatureAlgorithm) SignatureImpl(org.opensaml.xmlsec.signature.impl.SignatureImpl) InboundResponseFromIdpDataGenerator(uk.gov.ida.saml.hub.transformers.inbound.InboundResponseFromIdpDataGenerator) Subject(org.opensaml.saml.saml2.core.Subject) SubjectBuilder.aSubject(uk.gov.ida.saml.idp.test.builders.SubjectBuilder.aSubject) DigestAlgorithm(org.opensaml.xmlsec.algorithm.DigestAlgorithm) Before(org.junit.Before)

Example 20 with Subject

use of org.opensaml.saml2.core.Subject in project verify-hub by alphagov.

the class AuthnResponseFactory method aFraudResponseFromIdpBuilder.

/**
 * Builds a fraud-indicating IdP response for {@code idpEntityId}: a matching-dataset assertion plus an
 * authentication assertion whose attribute statement carries a fraud event id ({@code "a-fraud-event"}),
 * a GPG45 status of {@code IT01} and an IP address, with an authn context class ref of
 * {@code IdaAuthnContext.LEVEL_X_AUTHN_CTX}. Both assertions are signed with the IdP's test signing
 * credential and encrypted with the hub encryption credential.
 *
 * @param idpEntityId  entity id of the issuing IdP; selects its certificate and private key from the configured maps
 * @param persistentId persistent identifier used for both assertion subjects
 * @return a response builder with the two encrypted assertions attached; the response itself is not yet built
 * @throws Exception any checked exception raised while creating credentials or assertions is propagated unchanged
 */
public ResponseBuilder aFraudResponseFromIdpBuilder(String idpEntityId, String persistentId) throws Exception {
    final TestCredentialFactory idpCredentials = new TestCredentialFactory(publicSigningCerts.get(idpEntityId), privateSigningKeys.get(idpEntityId));
    final Credential idpSigningCredential = idpCredentials.getSigningCredential();
    final Credential hubEncryptingCredential = hubEncryptionCredentialFactory.getEncryptingCredential();
    final String requestId = generateId();

    // Both subjects confirm against the same request id; only their identifier form differs.
    final Subject mdsSubject = SubjectBuilder.aSubject()
        .withPersistentId(persistentId)
        .withSubjectConfirmation(SubjectConfirmationBuilder.aSubjectConfirmation()
            .withSubjectConfirmationData(SubjectConfirmationDataBuilder.aSubjectConfirmationData().withInResponseTo(requestId).build())
            .build())
        .build();
    final Subject authnSubject = SubjectBuilder.aSubject()
        .withNameId(buildNameID(persistentId))
        .withSubjectConfirmation(SubjectConfirmationBuilder.aSubjectConfirmation()
            .withSubjectConfirmationData(SubjectConfirmationDataBuilder.aSubjectConfirmationData().withInResponseTo(requestId).build())
            .build())
        .build();

    final AssertionBuilder mdsAssertion = AssertionBuilder.anAssertion()
        .withId(generateId())
        .withIssuer(IssuerBuilder.anIssuer().withIssuerId(idpEntityId).build())
        .withSubject(mdsSubject)
        .addAttributeStatement(MatchingDatasetAttributeStatementBuilder_1_1.aMatchingDatasetAttributeStatement_1_1().build());

    // Attributes that mark this response as a fraud event.
    final AttributeStatement fraudAttributes = anAttributeStatement()
        .addAttribute(IdpFraudEventIdAttributeBuilder.anIdpFraudEventIdAttribute().withValue("a-fraud-event").build())
        .addAttribute(Gpg45StatusAttributeBuilder.aGpg45StatusAttribute().withValue("IT01").build())
        .addAttribute(anIPAddress().build())
        .build();
    final AssertionBuilder authnAssertion = AssertionBuilder.anAssertion()
        .withId(generateId())
        .addAttributeStatement(fraudAttributes)
        .withIssuer(IssuerBuilder.anIssuer().withIssuerId(idpEntityId).build())
        .withSubject(authnSubject)
        .addAuthnStatement(AuthnStatementBuilder.anAuthnStatement()
            .withAuthnContext(AuthnContextBuilder.anAuthnContext()
                .withAuthnContextClassRef(AuthnContextClassRefBuilder.anAuthnContextClassRef().withAuthnContextClasRefValue(IdaAuthnContext.LEVEL_X_AUTHN_CTX).build())
                .build())
            .build());

    return ResponseBuilder.aResponse()
        .withId(generateId())
        .withIssuer(IssuerBuilder.anIssuer().withIssuerId(idpEntityId).build())
        .withInResponseTo(requestId)
        .addEncryptedAssertion(mdsAssertion
            .withSignature(SignatureBuilder.aSignature().withSigningCredential(idpSigningCredential).build())
            .buildWithEncrypterCredential(hubEncryptingCredential))
        .addEncryptedAssertion(authnAssertion
            .withSignature(SignatureBuilder.aSignature().withSigningCredential(idpSigningCredential).build())
            .buildWithEncrypterCredential(hubEncryptingCredential));
}
Also used : TestCredentialFactory(uk.gov.ida.saml.core.test.TestCredentialFactory) BasicCredential(org.opensaml.security.credential.BasicCredential) Credential(org.opensaml.security.credential.Credential) AttributeStatementBuilder.anAttributeStatement(uk.gov.ida.saml.core.test.builders.AttributeStatementBuilder.anAttributeStatement) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) AssertionBuilder(uk.gov.ida.saml.core.test.builders.AssertionBuilder) ResponseBuilder(uk.gov.ida.saml.core.test.builders.ResponseBuilder) Subject(org.opensaml.saml.saml2.core.Subject)
