use of org.opensaml.saml2.metadata.Endpoint in project cas by apereo.
the class SamlIdPUtils method preparePeerEntitySamlEndpointContext.
/**
* Prepare peer entity saml endpoint.
*
* @param outboundContext the outbound context
* @param adaptor the adaptor
* @throws SamlException the saml exception
*/
public static void preparePeerEntitySamlEndpointContext(final MessageContext outboundContext, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor) throws SamlException {
final List<AssertionConsumerService> assertionConsumerServices = adaptor.getAssertionConsumerServices();
if (assertionConsumerServices.isEmpty()) {
throw new SamlException("No assertion consumer service could be found for entity " + adaptor.getEntityId());
}
final SAMLPeerEntityContext peerEntityContext = outboundContext.getSubcontext(SAMLPeerEntityContext.class, true);
if (peerEntityContext == null) {
throw new SamlException("SAMLPeerEntityContext could not be defined for entity " + adaptor.getEntityId());
}
final SAMLEndpointContext endpointContext = peerEntityContext.getSubcontext(SAMLEndpointContext.class, true);
if (endpointContext == null) {
throw new SamlException("SAMLEndpointContext could not be defined for entity " + adaptor.getEntityId());
}
final Endpoint endpoint = assertionConsumerServices.get(0);
if (StringUtils.isBlank(endpoint.getBinding()) || StringUtils.isBlank(endpoint.getLocation())) {
throw new SamlException("Assertion consumer service does not define a binding or location for " + adaptor.getEntityId());
}
LOGGER.debug("Configured peer entity endpoint to be [{}] with binding [{}]", endpoint.getLocation(), endpoint.getBinding());
endpointContext.setEndpoint(endpoint);
}
use of org.opensaml.saml2.metadata.Endpoint in project cas by apereo.
the class SamlIdPUtils method determineEndpointForRequest.
/**
* Determine assertion consumer service assertion consumer service.
*
* @param authnContext the authn context
* @param adaptor the adaptor
* @param binding the binding
* @return the assertion consumer service
*/
public static Endpoint determineEndpointForRequest(final Pair<? extends RequestAbstractType, MessageContext> authnContext, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final String binding) {
var endpoint = (Endpoint) null;
val authnRequest = authnContext.getLeft();
if (authnRequest instanceof LogoutRequest) {
endpoint = adaptor.getSingleLogoutService(binding);
} else {
val acsEndpointFromReq = getAssertionConsumerServiceFromRequest(authnRequest, binding, adaptor);
val acsEndpointFromMetadata = adaptor.getAssertionConsumerService(binding);
endpoint = determineEndpointForRequest(authnRequest, adaptor, binding, acsEndpointFromReq, acsEndpointFromMetadata, authnContext.getRight());
}
if (endpoint == null) {
throw new SamlException("Endpoint for " + authnRequest.getSchemaType() + " is not available or does not define a binding for " + binding);
}
val missingLocation = StringUtils.isBlank(endpoint.getResponseLocation()) && StringUtils.isBlank(endpoint.getLocation());
if (StringUtils.isBlank(endpoint.getBinding()) || missingLocation) {
throw new SamlException("Endpoint for " + authnRequest.getSchemaType() + " does not define a binding or location for binding " + binding);
}
return endpoint;
}
use of org.opensaml.saml2.metadata.Endpoint in project pac4j by pac4j.
the class SAML2LogoutResponseValidator method isValidBearerSubjectConfirmationData.
/**
* Validate Bearer subject confirmation data
* - notBefore
* - NotOnOrAfter
* - recipient
*
* @param data the data
* @param context the context
* @return true if all Bearer subject checks are passing
*/
protected final boolean isValidBearerSubjectConfirmationData(final SubjectConfirmationData data, final SAML2MessageContext context) {
if (data == null) {
logger.debug("SubjectConfirmationData cannot be null for Bearer confirmation");
return false;
}
if (data.getNotBefore() != null) {
logger.debug("SubjectConfirmationData notBefore must be null for Bearer confirmation");
return false;
}
if (data.getNotOnOrAfter() == null) {
logger.debug("SubjectConfirmationData notOnOrAfter cannot be null for Bearer confirmation");
return false;
}
if (data.getNotOnOrAfter().plusSeconds(acceptedSkew).isBeforeNow()) {
logger.debug("SubjectConfirmationData notOnOrAfter is too old");
return false;
}
try {
if (data.getRecipient() == null) {
logger.debug("SubjectConfirmationData recipient cannot be null for Bearer confirmation");
return false;
} else {
final Endpoint endpoint = context.getSAMLEndpointContext().getEndpoint();
if (endpoint == null) {
logger.warn("No endpoint was found in the SAML endpoint context");
return false;
}
final URI recipientUri = new URI(data.getRecipient());
final URI appEndpointUri = new URI(endpoint.getLocation());
if (!UriUtils.urisEqualAfterPortNormalization(recipientUri, appEndpointUri)) {
logger.debug("SubjectConfirmationData recipient {} does not match SP assertion consumer URL, found. " + "SP ACS URL from context: {}", recipientUri, appEndpointUri);
return false;
}
}
} catch (URISyntaxException use) {
logger.error("Unable to check SubjectConfirmationData recipient, a URI has invalid syntax.", use);
return false;
}
return true;
}
use of org.opensaml.saml2.metadata.Endpoint in project pac4j by pac4j.
the class SAML2LogoutValidator method validateDestinationEndpoint.
protected void validateDestinationEndpoint(final LogoutResponse logoutResponse, final SAML2MessageContext context) {
final List<String> expected = new ArrayList<>();
if (StringUtils.isBlank(this.expectedDestination)) {
final Endpoint endpoint = Objects.requireNonNull(context.getSPSSODescriptor().getSingleLogoutServices().get(0));
if (endpoint.getLocation() != null) {
expected.add(endpoint.getLocation());
}
if (endpoint.getResponseLocation() != null) {
expected.add(endpoint.getResponseLocation());
}
} else {
expected.add(this.expectedDestination);
}
final boolean isDestinationMandatory = context.getSAML2Configuration().isResponseDestinationAttributeMandatory();
verifyEndpoint(expected, logoutResponse.getDestination(), isDestinationMandatory);
}
use of org.opensaml.saml2.metadata.Endpoint in project MaxKey by dromara.
the class AssertionEndpoint method assertion.
@RequestMapping(value = "/authz/saml20/assertion")
public ModelAndView assertion(HttpServletRequest request, HttpServletResponse response) throws Exception {
logger.debug("saml20 assertion start.");
bindingAdapter = (BindingAdapter) request.getSession().getAttribute(WebConstants.AUTHORIZE_SIGN_ON_APP_SAMLV20_ADAPTER);
logger.debug("saml20 assertion get session samlv20Adapter " + bindingAdapter);
AppsSAML20Details saml20Details = bindingAdapter.getSaml20Details();
logger.debug("saml20Details " + saml20Details.getExtendAttr());
AuthnRequestInfo authnRequestInfo = bindingAdapter.getAuthnRequestInfo();
if (authnRequestInfo == null) {
logger.warn("Could not find AuthnRequest on the request. Responding with SC_FORBIDDEN.");
throw new Exception();
}
logger.debug("AuthnRequestInfo: {}", authnRequestInfo);
HashMap<String, String> attributeMap = new HashMap<String, String>();
attributeMap.put(WebConstants.ONLINE_TICKET_NAME, ((SigninPrincipal) WebContext.getAuthentication().getPrincipal()).getOnlineTicket().getTicketId());
// saml20Details
Response authResponse = authnResponseGenerator.generateAuthnResponse(saml20Details, authnRequestInfo, attributeMap, bindingAdapter);
Endpoint endpoint = endpointGenerator.generateEndpoint(saml20Details.getSpAcsUrl());
request.getSession().removeAttribute(AuthnRequestInfo.class.getName());
// request issuer...
try {
bindingAdapter.sendSAMLMessage(authResponse, endpoint, request, response);
} catch (MessageEncodingException mee) {
logger.error("Exception encoding SAML message", mee);
throw new Exception(mee);
}
return null;
}
Aggregations