Example 6 with IDPSSODescriptor
use of org.opensaml.saml2.metadata.IDPSSODescriptor in project verify-hub by alphagov.
the class CountrySingleSignOnServiceHelper method getSingleSignOn.
public URI getSingleSignOn(String entityId) {
EidasMetadataResolver metadataResolver = new EidasMetadataResolver(new Timer(), client, URI.create(entityId));
try {
EntityDescriptor idpEntityDescriptor;
try {
CriteriaSet criteria = new CriteriaSet(new EntityIdCriterion(entityId));
idpEntityDescriptor = metadataResolver.resolveSingle(criteria);
} catch (ResolverException e) {
LOG.error(format("Exception when accessing metadata: {0}", e));
throw propagate(e);
}
if (idpEntityDescriptor != null) {
final IDPSSODescriptor idpssoDescriptor = idpEntityDescriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS);
final List<SingleSignOnService> singleSignOnServices = idpssoDescriptor.getSingleSignOnServices();
if (singleSignOnServices.isEmpty()) {
LOG.error(format("No singleSignOnServices present for IDP entityId: {0}", entityId));
} else {
if (singleSignOnServices.size() > 1) {
LOG.warn(format("More than one singleSignOnService present: {0} for {1}", singleSignOnServices.size(), entityId));
}
return URI.create(singleSignOnServices.get(0).getLocation());
}
}
throw ApplicationException.createUnauditedException(ExceptionType.NOT_FOUND, UUID.randomUUID(), new RuntimeException(format("no entity descriptor for IDP: {0}", entityId)));
} finally {
if (metadataResolver != null) {
metadataResolver.destroy();
}
}
}
Also used :
EidasMetadataResolver(uk.gov.ida.hub.samlengine.EidasMetadataResolver)
EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor)
ResolverException(net.shibboleth.utilities.java.support.resolver.ResolverException)
Timer(java.util.Timer)
IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor)
CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet)
EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion)
SingleSignOnService(org.opensaml.saml.saml2.metadata.SingleSignOnService)
Example 7 with IDPSSODescriptor
use of org.opensaml.saml2.metadata.IDPSSODescriptor in project ddf by codice.
the class IdpMetadata method initCertificates.
private void initCertificates() {
IDPSSODescriptor descriptor = getDescriptor();
if (descriptor != null) {
for (KeyDescriptor key : descriptor.getKeyDescriptors()) {
String certificate = null;
if (key.getKeyInfo().getX509Datas().size() > 0 && key.getKeyInfo().getX509Datas().get(0).getX509Certificates().size() > 0) {
certificate = key.getKeyInfo().getX509Datas().get(0).getX509Certificates().get(0).getValue();
}
if (StringUtils.isBlank(certificate)) {
break;
}
if (UsageType.UNSPECIFIED.equals(key.getUse())) {
encryptionCertificate = certificate;
signingCertificate = certificate;
}
if (UsageType.ENCRYPTION.equals(key.getUse())) {
encryptionCertificate = certificate;
}
if (UsageType.SIGNING.equals(key.getUse())) {
signingCertificate = certificate;
}
}
}
}
Also used :
IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor)
KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor)
Example 8 with IDPSSODescriptor
use of org.opensaml.saml2.metadata.IDPSSODescriptor in project ddf by codice.
the class IdpHandler method doPaosRequest.
private HandlerResult doPaosRequest(ServletRequest request, ServletResponse response) {
HttpServletResponse httpServletResponse = (HttpServletResponse) response;
HandlerResult handlerResult = new HandlerResult(HandlerResult.Status.REDIRECTED, null);
handlerResult.setSource("idp-" + SOURCE);
String paosHeader = ((HttpServletRequest) request).getHeader(PAOS);
//some of these options aren't currently used, leaving these here as a marker for what
//isn't implemented
boolean wantChannelBind = paosHeader.contains("urn:oasis:names:tc:SAML:protocol:ext:channel-binding");
boolean wantHok = paosHeader.contains("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key");
boolean wantSigned = paosHeader.contains("urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp:2.0:WantAuthnRequestsSigned");
boolean wantDelegation = paosHeader.contains("urn:oasis:names:tc:SAML:2.0:conditions:delegation");
LOGGER.trace("ECP Client requested: channel bind {}, holder of key {}, signatures {}, delegation {}", wantChannelBind, wantHok, wantSigned, wantDelegation);
LOGGER.trace("Configuring SAML Response for POST.");
Document doc = DOMUtils.createDocument();
doc.appendChild(doc.createElement("root"));
LOGGER.trace("Signing SAML POST Response.");
String authnRequest;
String paosRequest;
String ecpRequest;
String ecpRelayState;
try {
IDPSSODescriptor idpssoDescriptor = idpMetadata.getDescriptor();
if (idpssoDescriptor == null) {
throw new ServletException("IdP metadata is missing. No IDPSSODescriptor present.");
}
authnRequest = createAndSignAuthnRequest(true, wantSigned && idpssoDescriptor.getWantAuthnRequestsSigned());
paosRequest = createPaosRequest((HttpServletRequest) request);
ecpRequest = createEcpRequest();
ecpRelayState = createEcpRelayState((HttpServletRequest) request);
} catch (ServletException | WSSecurityException e) {
LOGGER.debug("Unable to create and sign AuthnRequest.", e);
httpServletResponse.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
try {
httpServletResponse.flushBuffer();
} catch (IOException e1) {
LOGGER.debug("Failed to send error response: {}", e1);
}
return handlerResult;
}
LOGGER.trace("Converting SAML Response to DOM");
String soapMessage = soapMessageTemplate.replace("{{" + PAOS_REQUEST + "}}", paosRequest);
soapMessage = soapMessage.replace("{{" + ECP_REQUEST + "}}", ecpRequest);
soapMessage = soapMessage.replace("{{" + SAML_REQUEST + "}}", authnRequest);
soapMessage = soapMessage.replace("{{" + ECP_RELAY_STATE + "}}", ecpRelayState);
soapMessage = soapMessage.replace("{{" + PAOS_RESPONSE + "}}", "");
try {
httpServletResponse.setStatus(HttpServletResponse.SC_OK);
httpServletResponse.setContentType("application/vnd.paos+xml");
httpServletResponse.getOutputStream().print(soapMessage);
httpServletResponse.flushBuffer();
} catch (IOException ioe) {
LOGGER.debug("Failed to send auth response: {}", ioe);
}
return handlerResult;
}
Also used :
HttpServletRequest(javax.servlet.http.HttpServletRequest)
ServletException(javax.servlet.ServletException)
IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
HandlerResult(org.codice.ddf.security.handler.api.HandlerResult)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
IOException(java.io.IOException)
Document(org.w3c.dom.Document)
Example 9 with IDPSSODescriptor
use of org.opensaml.saml2.metadata.IDPSSODescriptor in project ddf by codice.
the class SamlProtocol method createIdpMetadata.
public static EntityDescriptor createIdpMetadata(String entityId, String signingCert, String encryptionCert, List<String> nameIds, String singleSignOnLocationRedirect, String singleSignOnLocationPost, String singleLogOutLocation) {
EntityDescriptor entityDescriptor = entityDescriptorBuilder.buildObject();
entityDescriptor.setEntityID(entityId);
IDPSSODescriptor idpssoDescriptor = idpssoDescriptorBuilder.buildObject();
//signing
KeyDescriptor signingKeyDescriptor = keyDescriptorBuilder.buildObject();
signingKeyDescriptor.setUse(UsageType.SIGNING);
KeyInfo signingKeyInfo = keyInfoBuilder.buildObject(KeyInfo.DEFAULT_ELEMENT_NAME);
X509Data signingX509Data = x509DataBuilder.buildObject(X509Data.DEFAULT_ELEMENT_NAME);
X509Certificate signingX509Certificate = x509CertificateBuilder.buildObject(X509Certificate.DEFAULT_ELEMENT_NAME);
signingX509Certificate.setValue(signingCert);
signingX509Data.getX509Certificates().add(signingX509Certificate);
signingKeyInfo.getX509Datas().add(signingX509Data);
signingKeyDescriptor.setKeyInfo(signingKeyInfo);
idpssoDescriptor.getKeyDescriptors().add(signingKeyDescriptor);
//encryption
KeyDescriptor encKeyDescriptor = keyDescriptorBuilder.buildObject();
encKeyDescriptor.setUse(UsageType.ENCRYPTION);
KeyInfo encKeyInfo = keyInfoBuilder.buildObject(KeyInfo.DEFAULT_ELEMENT_NAME);
X509Data encX509Data = x509DataBuilder.buildObject(X509Data.DEFAULT_ELEMENT_NAME);
X509Certificate encX509Certificate = x509CertificateBuilder.buildObject(X509Certificate.DEFAULT_ELEMENT_NAME);
encX509Certificate.setValue(encryptionCert);
encX509Data.getX509Certificates().add(encX509Certificate);
encKeyInfo.getX509Datas().add(encX509Data);
encKeyDescriptor.setKeyInfo(encKeyInfo);
idpssoDescriptor.getKeyDescriptors().add(encKeyDescriptor);
for (String nameId : nameIds) {
NameIDFormat nameIDFormat = nameIdFormatBuilder.buildObject();
nameIDFormat.setFormat(nameId);
idpssoDescriptor.getNameIDFormats().add(nameIDFormat);
}
if (StringUtils.isNotBlank(singleSignOnLocationRedirect)) {
SingleSignOnService singleSignOnServiceRedirect = singleSignOnServiceBuilder.buildObject();
singleSignOnServiceRedirect.setBinding(REDIRECT_BINDING);
singleSignOnServiceRedirect.setLocation(singleSignOnLocationRedirect);
idpssoDescriptor.getSingleSignOnServices().add(singleSignOnServiceRedirect);
}
if (StringUtils.isNotBlank(singleSignOnLocationPost)) {
SingleSignOnService singleSignOnServicePost = singleSignOnServiceBuilder.buildObject();
singleSignOnServicePost.setBinding(POST_BINDING);
singleSignOnServicePost.setLocation(singleSignOnLocationPost);
idpssoDescriptor.getSingleSignOnServices().add(singleSignOnServicePost);
}
if (StringUtils.isNotBlank(singleLogOutLocation)) {
SingleLogoutService singleLogoutServiceRedir = singleLogOutServiceBuilder.buildObject();
singleLogoutServiceRedir.setBinding(REDIRECT_BINDING);
singleLogoutServiceRedir.setLocation(singleLogOutLocation);
idpssoDescriptor.getSingleLogoutServices().add(singleLogoutServiceRedir);
SingleLogoutService singleLogoutServicePost = singleLogOutServiceBuilder.buildObject();
singleLogoutServicePost.setBinding(POST_BINDING);
singleLogoutServicePost.setLocation(singleLogOutLocation);
idpssoDescriptor.getSingleLogoutServices().add(singleLogoutServicePost);
}
idpssoDescriptor.setWantAuthnRequestsSigned(true);
idpssoDescriptor.addSupportedProtocol(SUPPORTED_PROTOCOL);
entityDescriptor.getRoleDescriptors().add(idpssoDescriptor);
return entityDescriptor;
}
Also used :
EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor)
NameIDFormat(org.opensaml.saml.saml2.metadata.NameIDFormat)
IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor)
KeyInfo(org.opensaml.xmlsec.signature.KeyInfo)
SingleLogoutService(org.opensaml.saml.saml2.metadata.SingleLogoutService)
KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor)
SingleSignOnService(org.opensaml.saml.saml2.metadata.SingleSignOnService)
X509Data(org.opensaml.xmlsec.signature.X509Data)
X509Certificate(org.opensaml.xmlsec.signature.X509Certificate)
Example 10 with IDPSSODescriptor
use of org.opensaml.saml2.metadata.IDPSSODescriptor in project verify-hub by alphagov.
the class CountrySingleSignOnServiceHelperTest method getSingleSignOn.
@Test
public void getSingleSignOn() throws Exception {
// Given
SingleSignOnServiceBuilder singleSignOnServiceBuilder = new SingleSignOnServiceBuilder();
SingleSignOnService singleSignOnService = singleSignOnServiceBuilder.buildObject();
singleSignOnService.setLocation("http://the-sso-location");
IDPSSODescriptorBuilder idpssoDescriptorBuilder = new IDPSSODescriptorBuilder();
IDPSSODescriptor idpssoDescriptor = idpssoDescriptorBuilder.buildObject();
idpssoDescriptor.getSingleSignOnServices().add(singleSignOnService);
idpssoDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
EntityDescriptorBuilder entityDescriptorBuilder = new EntityDescriptorBuilder();
EntityDescriptor entityDescriptor = entityDescriptorBuilder.buildObject();
entityDescriptor.setEntityID("the-entity-id");
entityDescriptor.getRoleDescriptors().add(idpssoDescriptor);
when(metadataResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(entityDescriptor.getEntityID())))).thenReturn(entityDescriptor);
// When
URI singleSignOnUri = service.getSingleSignOn(entityDescriptor.getEntityID());
// Then
assertThat(singleSignOnUri.toString(), equalTo(singleSignOnService.getLocation()));
verify(metadataResolver).resolveSingle(any(CriteriaSet.class));
}
Also used :
EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor)
IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor)
CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet)
EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion)
SingleSignOnService(org.opensaml.saml.saml2.metadata.SingleSignOnService)
SingleSignOnServiceBuilder(org.opensaml.saml.saml2.metadata.impl.SingleSignOnServiceBuilder)
URI(java.net.URI)
EntityDescriptorBuilder(org.opensaml.saml.saml2.metadata.impl.EntityDescriptorBuilder)
IDPSSODescriptorBuilder(org.opensaml.saml.saml2.metadata.impl.IDPSSODescriptorBuilder)
Test(org.junit.Test)
Aggregations
IDPSSODescriptor (org.opensaml.saml.saml2.metadata.IDPSSODescriptor)12
EntityDescriptor (org.opensaml.saml.saml2.metadata.EntityDescriptor)4
KeyDescriptor (org.opensaml.saml.saml2.metadata.KeyDescriptor)4
SingleSignOnService (org.opensaml.saml.saml2.metadata.SingleSignOnService)4
IOException (java.io.IOException)3
ServletException (javax.servlet.ServletException)3
CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet)3
EntityIdCriterion (org.opensaml.core.criterion.EntityIdCriterion)3
URI (java.net.URI)2
ResolverException (net.shibboleth.utilities.java.support.resolver.ResolverException)2
MarshallingException (org.opensaml.core.xml.io.MarshallingException)2
Signature (org.opensaml.xmlsec.signature.Signature)2
SignatureException (org.opensaml.xmlsec.signature.support.SignatureException)2
SimpleSign (ddf.security.samlp.SimpleSign)1
UnsupportedEncodingException (java.io.UnsupportedEncodingException)1
URISyntaxException (java.net.URISyntaxException)1
CertificateException (java.security.cert.CertificateException)1
X509Certificate (java.security.cert.X509Certificate)1
Timer (java.util.Timer)1
HttpServletRequest (javax.servlet.http.HttpServletRequest)1
