Search in sources :

Example 21 with IDPSSODescriptor

use of org.opensaml.saml2.metadata.IDPSSODescriptor in project ddf by codice.

the class IdpHandler method doPaosRequest.

private HandlerResult doPaosRequest(ServletRequest request, ServletResponse response) {
    HttpServletResponse httpServletResponse = (HttpServletResponse) response;
    HandlerResult handlerResult = new HandlerResultImpl(HandlerResult.Status.REDIRECTED, null);
    handlerResult.setSource(SOURCE);
    String paosHeader = ((HttpServletRequest) request).getHeader(PAOS);
    // some of these options aren't currently used, leaving these here as a marker for what
    // isn't implemented
    boolean wantChannelBind = paosHeader.contains("urn:oasis:names:tc:SAML:protocol:ext:channel-binding");
    boolean wantHok = paosHeader.contains("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key");
    boolean wantSigned = paosHeader.contains("urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp:2.0:WantAuthnRequestsSigned");
    boolean wantDelegation = paosHeader.contains("urn:oasis:names:tc:SAML:2.0:conditions:delegation");
    LOGGER.trace("ECP Client requested: channel bind {}, holder of key {}, signatures {}, delegation {}", wantChannelBind, wantHok, wantSigned, wantDelegation);
    LOGGER.trace("Configuring SAML Response for POST.");
    Document doc = DOMUtils.createDocument();
    doc.appendChild(doc.createElement("root"));
    LOGGER.trace("Signing SAML POST Response.");
    String authnRequest;
    String paosRequest;
    String ecpRequest;
    String ecpRelayState;
    try {
        IDPSSODescriptor idpssoDescriptor = idpMetadata.getDescriptor();
        if (idpssoDescriptor == null) {
            throw new AuthenticationFailureException(IDP_METADATA_MISSING);
        }
        authnRequest = createAndSignAuthnRequest(true, wantSigned && idpssoDescriptor.getWantAuthnRequestsSigned());
        paosRequest = createPaosRequest((HttpServletRequest) request);
        ecpRequest = createEcpRequest();
        ecpRelayState = createEcpRelayState((HttpServletRequest) request);
    } catch (WSSecurityException | AuthenticationFailureException e) {
        LOGGER.debug("Unable to create and sign AuthnRequest.", e);
        httpServletResponse.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        try {
            httpServletResponse.flushBuffer();
        } catch (IOException e1) {
            LOGGER.debug("Failed to send error response", e1);
        }
        return handlerResult;
    }
    LOGGER.trace("Converting SAML Response to DOM");
    String soapMessage = soapMessageTemplate.replace("{{" + PAOS_REQUEST + "}}", paosRequest);
    soapMessage = soapMessage.replace("{{" + ECP_REQUEST + "}}", ecpRequest);
    soapMessage = soapMessage.replace("{{" + SAML_REQUEST + "}}", authnRequest);
    soapMessage = soapMessage.replace("{{" + ECP_RELAY_STATE + "}}", ecpRelayState);
    soapMessage = soapMessage.replace("{{" + PAOS_RESPONSE + "}}", "");
    try {
        httpServletResponse.setStatus(HttpServletResponse.SC_OK);
        httpServletResponse.setContentType(PAOS_MIME);
        httpServletResponse.getOutputStream().print(soapMessage);
        httpServletResponse.flushBuffer();
    } catch (IOException ioe) {
        LOGGER.debug("Failed to send auth response", ioe);
    }
    return handlerResult;
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor) HandlerResultImpl(org.codice.ddf.security.handler.HandlerResultImpl) HttpServletResponse(javax.servlet.http.HttpServletResponse) HandlerResult(org.codice.ddf.security.handler.api.HandlerResult) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) AuthenticationFailureException(org.codice.ddf.platform.filter.AuthenticationFailureException) IOException(java.io.IOException) Document(org.w3c.dom.Document)

Example 22 with IDPSSODescriptor

use of org.opensaml.saml2.metadata.IDPSSODescriptor in project ddf by codice.

the class IdpMetadata method initCertificates.

private void initCertificates() {
    IDPSSODescriptor descriptor = getDescriptor();
    if (descriptor == null) {
        return;
    }
    for (KeyDescriptor key : descriptor.getKeyDescriptors()) {
        String certificate = null;
        if (!key.getKeyInfo().getX509Datas().isEmpty() && !key.getKeyInfo().getX509Datas().get(0).getX509Certificates().isEmpty()) {
            certificate = key.getKeyInfo().getX509Datas().get(0).getX509Certificates().get(0).getValue();
        }
        if (StringUtils.isBlank(certificate)) {
            break;
        }
        if (UsageType.UNSPECIFIED.equals(key.getUse())) {
            encryptionCertificate = certificate;
            signingCertificate = certificate;
        }
        if (UsageType.ENCRYPTION.equals(key.getUse())) {
            encryptionCertificate = certificate;
        }
        if (UsageType.SIGNING.equals(key.getUse())) {
            signingCertificate = certificate;
        }
    }
}
Also used : IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor) KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor)

Example 23 with IDPSSODescriptor

use of org.opensaml.saml2.metadata.IDPSSODescriptor in project spring-security by spring-projects.

the class OpenSamlMetadataAssertingPartyDetailsConverter method convert.

RelyingPartyRegistration.AssertingPartyDetails.Builder convert(EntityDescriptor descriptor) {
    IDPSSODescriptor idpssoDescriptor = descriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS);
    if (idpssoDescriptor == null) {
        throw new Saml2Exception("Metadata response is missing the necessary IDPSSODescriptor element");
    }
    List<Saml2X509Credential> verification = new ArrayList<>();
    List<Saml2X509Credential> encryption = new ArrayList<>();
    for (KeyDescriptor keyDescriptor : idpssoDescriptor.getKeyDescriptors()) {
        if (keyDescriptor.getUse().equals(UsageType.SIGNING)) {
            List<X509Certificate> certificates = certificates(keyDescriptor);
            for (X509Certificate certificate : certificates) {
                verification.add(Saml2X509Credential.verification(certificate));
            }
        }
        if (keyDescriptor.getUse().equals(UsageType.ENCRYPTION)) {
            List<X509Certificate> certificates = certificates(keyDescriptor);
            for (X509Certificate certificate : certificates) {
                encryption.add(Saml2X509Credential.encryption(certificate));
            }
        }
        if (keyDescriptor.getUse().equals(UsageType.UNSPECIFIED)) {
            List<X509Certificate> certificates = certificates(keyDescriptor);
            for (X509Certificate certificate : certificates) {
                verification.add(Saml2X509Credential.verification(certificate));
                encryption.add(Saml2X509Credential.encryption(certificate));
            }
        }
    }
    if (verification.isEmpty()) {
        throw new Saml2Exception("Metadata response is missing verification certificates, necessary for verifying SAML assertions");
    }
    RelyingPartyRegistration.AssertingPartyDetails.Builder party = OpenSamlAssertingPartyDetails.withEntityDescriptor(descriptor).entityId(descriptor.getEntityID()).wantAuthnRequestsSigned(Boolean.TRUE.equals(idpssoDescriptor.getWantAuthnRequestsSigned())).verificationX509Credentials((c) -> c.addAll(verification)).encryptionX509Credentials((c) -> c.addAll(encryption));
    List<SigningMethod> signingMethods = signingMethods(idpssoDescriptor);
    for (SigningMethod method : signingMethods) {
        party.signingAlgorithms((algorithms) -> algorithms.add(method.getAlgorithm()));
    }
    if (idpssoDescriptor.getSingleSignOnServices().isEmpty()) {
        throw new Saml2Exception("Metadata response is missing a SingleSignOnService, necessary for sending AuthnRequests");
    }
    for (SingleSignOnService singleSignOnService : idpssoDescriptor.getSingleSignOnServices()) {
        Saml2MessageBinding binding;
        if (singleSignOnService.getBinding().equals(Saml2MessageBinding.POST.getUrn())) {
            binding = Saml2MessageBinding.POST;
        } else if (singleSignOnService.getBinding().equals(Saml2MessageBinding.REDIRECT.getUrn())) {
            binding = Saml2MessageBinding.REDIRECT;
        } else {
            continue;
        }
        party.singleSignOnServiceLocation(singleSignOnService.getLocation()).singleSignOnServiceBinding(binding);
        break;
    }
    for (SingleLogoutService singleLogoutService : idpssoDescriptor.getSingleLogoutServices()) {
        Saml2MessageBinding binding;
        if (singleLogoutService.getBinding().equals(Saml2MessageBinding.POST.getUrn())) {
            binding = Saml2MessageBinding.POST;
        } else if (singleLogoutService.getBinding().equals(Saml2MessageBinding.REDIRECT.getUrn())) {
            binding = Saml2MessageBinding.REDIRECT;
        } else {
            continue;
        }
        String responseLocation = (singleLogoutService.getResponseLocation() == null) ? singleLogoutService.getLocation() : singleLogoutService.getResponseLocation();
        party.singleLogoutServiceLocation(singleLogoutService.getLocation()).singleLogoutServiceResponseLocation(responseLocation).singleLogoutServiceBinding(binding);
        break;
    }
    return party;
}
Also used : X509Certificate(java.security.cert.X509Certificate) Arrays(java.util.Arrays) OpenSamlInitializationService(org.springframework.security.saml2.core.OpenSamlInitializationService) KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor) XMLObjectProviderRegistry(org.opensaml.core.xml.config.XMLObjectProviderRegistry) Extensions(org.opensaml.saml.saml2.metadata.Extensions) ArrayList(java.util.ArrayList) SigningMethod(org.opensaml.saml.ext.saml2alg.SigningMethod) SingleSignOnService(org.opensaml.saml.saml2.metadata.SingleSignOnService) Document(org.w3c.dom.Document) IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor) XMLObject(org.opensaml.core.xml.XMLObject) SAMLConstants(org.opensaml.saml.common.xml.SAMLConstants) EntitiesDescriptor(org.opensaml.saml.saml2.metadata.EntitiesDescriptor) UsageType(org.opensaml.security.credential.UsageType) SingleLogoutService(org.opensaml.saml.saml2.metadata.SingleLogoutService) Collection(java.util.Collection) Unmarshaller(org.opensaml.core.xml.io.Unmarshaller) Saml2Exception(org.springframework.security.saml2.Saml2Exception) ConfigurationService(org.opensaml.core.config.ConfigurationService) Saml2X509Credential(org.springframework.security.saml2.core.Saml2X509Credential) CertificateException(java.security.cert.CertificateException) KeyInfoSupport(org.opensaml.xmlsec.keyinfo.KeyInfoSupport) ParserPool(net.shibboleth.utilities.java.support.xml.ParserPool) List(java.util.List) Element(org.w3c.dom.Element) EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor) InputStream(java.io.InputStream) IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor) SingleLogoutService(org.opensaml.saml.saml2.metadata.SingleLogoutService) KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor) Saml2X509Credential(org.springframework.security.saml2.core.Saml2X509Credential) ArrayList(java.util.ArrayList) SingleSignOnService(org.opensaml.saml.saml2.metadata.SingleSignOnService) Saml2Exception(org.springframework.security.saml2.Saml2Exception) X509Certificate(java.security.cert.X509Certificate) SigningMethod(org.opensaml.saml.ext.saml2alg.SigningMethod)

Aggregations

IDPSSODescriptor (org.opensaml.saml.saml2.metadata.IDPSSODescriptor)21 KeyDescriptor (org.opensaml.saml.saml2.metadata.KeyDescriptor)8 EntityDescriptor (org.opensaml.saml.saml2.metadata.EntityDescriptor)7 SingleSignOnService (org.opensaml.saml.saml2.metadata.SingleSignOnService)7 IOException (java.io.IOException)3 CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet)3 AuthenticationFailureException (org.codice.ddf.platform.filter.AuthenticationFailureException)3 EntityIdCriterion (org.opensaml.core.criterion.EntityIdCriterion)3 MarshallingException (org.opensaml.core.xml.io.MarshallingException)3 SingleLogoutService (org.opensaml.saml.saml2.metadata.SingleLogoutService)3 SignatureException (org.opensaml.xmlsec.signature.support.SignatureException)3 URI (java.net.URI)2 CertificateException (java.security.cert.CertificateException)2 X509Certificate (java.security.cert.X509Certificate)2 ComponentInitializationException (net.shibboleth.utilities.java.support.component.ComponentInitializationException)2 ResolverException (net.shibboleth.utilities.java.support.resolver.ResolverException)2 Test (org.junit.Test)2 MessageEncoder (org.opensaml.messaging.encoder.MessageEncoder)2 MessageEncodingException (org.opensaml.messaging.encoder.MessageEncodingException)2 AssertionConsumerService (org.opensaml.saml.saml2.metadata.AssertionConsumerService)2