Example 21 with IDPSSODescriptor
use of org.opensaml.saml2.metadata.IDPSSODescriptor in project ddf by codice.
the class IdpHandler method doPaosRequest.
private HandlerResult doPaosRequest(ServletRequest request, ServletResponse response) {
HttpServletResponse httpServletResponse = (HttpServletResponse) response;
HandlerResult handlerResult = new HandlerResultImpl(HandlerResult.Status.REDIRECTED, null);
handlerResult.setSource(SOURCE);
String paosHeader = ((HttpServletRequest) request).getHeader(PAOS);
// some of these options aren't currently used, leaving these here as a marker for what
// isn't implemented
boolean wantChannelBind = paosHeader.contains("urn:oasis:names:tc:SAML:protocol:ext:channel-binding");
boolean wantHok = paosHeader.contains("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key");
boolean wantSigned = paosHeader.contains("urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp:2.0:WantAuthnRequestsSigned");
boolean wantDelegation = paosHeader.contains("urn:oasis:names:tc:SAML:2.0:conditions:delegation");
LOGGER.trace("ECP Client requested: channel bind {}, holder of key {}, signatures {}, delegation {}", wantChannelBind, wantHok, wantSigned, wantDelegation);
LOGGER.trace("Configuring SAML Response for POST.");
Document doc = DOMUtils.createDocument();
doc.appendChild(doc.createElement("root"));
LOGGER.trace("Signing SAML POST Response.");
String authnRequest;
String paosRequest;
String ecpRequest;
String ecpRelayState;
try {
IDPSSODescriptor idpssoDescriptor = idpMetadata.getDescriptor();
if (idpssoDescriptor == null) {
throw new AuthenticationFailureException(IDP_METADATA_MISSING);
}
authnRequest = createAndSignAuthnRequest(true, wantSigned && idpssoDescriptor.getWantAuthnRequestsSigned());
paosRequest = createPaosRequest((HttpServletRequest) request);
ecpRequest = createEcpRequest();
ecpRelayState = createEcpRelayState((HttpServletRequest) request);
} catch (WSSecurityException | AuthenticationFailureException e) {
LOGGER.debug("Unable to create and sign AuthnRequest.", e);
httpServletResponse.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
try {
httpServletResponse.flushBuffer();
} catch (IOException e1) {
LOGGER.debug("Failed to send error response", e1);
}
return handlerResult;
}
LOGGER.trace("Converting SAML Response to DOM");
String soapMessage = soapMessageTemplate.replace("{{" + PAOS_REQUEST + "}}", paosRequest);
soapMessage = soapMessage.replace("{{" + ECP_REQUEST + "}}", ecpRequest);
soapMessage = soapMessage.replace("{{" + SAML_REQUEST + "}}", authnRequest);
soapMessage = soapMessage.replace("{{" + ECP_RELAY_STATE + "}}", ecpRelayState);
soapMessage = soapMessage.replace("{{" + PAOS_RESPONSE + "}}", "");
try {
httpServletResponse.setStatus(HttpServletResponse.SC_OK);
httpServletResponse.setContentType(PAOS_MIME);
httpServletResponse.getOutputStream().print(soapMessage);
httpServletResponse.flushBuffer();
} catch (IOException ioe) {
LOGGER.debug("Failed to send auth response", ioe);
}
return handlerResult;
}
Also used :
HttpServletRequest(javax.servlet.http.HttpServletRequest)
IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor)
HandlerResultImpl(org.codice.ddf.security.handler.HandlerResultImpl)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
HandlerResult(org.codice.ddf.security.handler.api.HandlerResult)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
AuthenticationFailureException(org.codice.ddf.platform.filter.AuthenticationFailureException)
IOException(java.io.IOException)
Document(org.w3c.dom.Document)
Example 22 with IDPSSODescriptor
use of org.opensaml.saml2.metadata.IDPSSODescriptor in project ddf by codice.
the class IdpMetadata method initCertificates.
private void initCertificates() {
IDPSSODescriptor descriptor = getDescriptor();
if (descriptor == null) {
return;
}
for (KeyDescriptor key : descriptor.getKeyDescriptors()) {
String certificate = null;
if (!key.getKeyInfo().getX509Datas().isEmpty() && !key.getKeyInfo().getX509Datas().get(0).getX509Certificates().isEmpty()) {
certificate = key.getKeyInfo().getX509Datas().get(0).getX509Certificates().get(0).getValue();
}
if (StringUtils.isBlank(certificate)) {
break;
}
if (UsageType.UNSPECIFIED.equals(key.getUse())) {
encryptionCertificate = certificate;
signingCertificate = certificate;
}
if (UsageType.ENCRYPTION.equals(key.getUse())) {
encryptionCertificate = certificate;
}
if (UsageType.SIGNING.equals(key.getUse())) {
signingCertificate = certificate;
}
}
}
Also used :
IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor)
KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor)
Example 23 with IDPSSODescriptor
use of org.opensaml.saml2.metadata.IDPSSODescriptor in project spring-security by spring-projects.
the class OpenSamlMetadataAssertingPartyDetailsConverter method convert.
RelyingPartyRegistration.AssertingPartyDetails.Builder convert(EntityDescriptor descriptor) {
IDPSSODescriptor idpssoDescriptor = descriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS);
if (idpssoDescriptor == null) {
throw new Saml2Exception("Metadata response is missing the necessary IDPSSODescriptor element");
}
List<Saml2X509Credential> verification = new ArrayList<>();
List<Saml2X509Credential> encryption = new ArrayList<>();
for (KeyDescriptor keyDescriptor : idpssoDescriptor.getKeyDescriptors()) {
if (keyDescriptor.getUse().equals(UsageType.SIGNING)) {
List<X509Certificate> certificates = certificates(keyDescriptor);
for (X509Certificate certificate : certificates) {
verification.add(Saml2X509Credential.verification(certificate));
}
}
if (keyDescriptor.getUse().equals(UsageType.ENCRYPTION)) {
List<X509Certificate> certificates = certificates(keyDescriptor);
for (X509Certificate certificate : certificates) {
encryption.add(Saml2X509Credential.encryption(certificate));
}
}
if (keyDescriptor.getUse().equals(UsageType.UNSPECIFIED)) {
List<X509Certificate> certificates = certificates(keyDescriptor);
for (X509Certificate certificate : certificates) {
verification.add(Saml2X509Credential.verification(certificate));
encryption.add(Saml2X509Credential.encryption(certificate));
}
}
}
if (verification.isEmpty()) {
throw new Saml2Exception("Metadata response is missing verification certificates, necessary for verifying SAML assertions");
}
RelyingPartyRegistration.AssertingPartyDetails.Builder party = OpenSamlAssertingPartyDetails.withEntityDescriptor(descriptor).entityId(descriptor.getEntityID()).wantAuthnRequestsSigned(Boolean.TRUE.equals(idpssoDescriptor.getWantAuthnRequestsSigned())).verificationX509Credentials((c) -> c.addAll(verification)).encryptionX509Credentials((c) -> c.addAll(encryption));
List<SigningMethod> signingMethods = signingMethods(idpssoDescriptor);
for (SigningMethod method : signingMethods) {
party.signingAlgorithms((algorithms) -> algorithms.add(method.getAlgorithm()));
}
if (idpssoDescriptor.getSingleSignOnServices().isEmpty()) {
throw new Saml2Exception("Metadata response is missing a SingleSignOnService, necessary for sending AuthnRequests");
}
for (SingleSignOnService singleSignOnService : idpssoDescriptor.getSingleSignOnServices()) {
Saml2MessageBinding binding;
if (singleSignOnService.getBinding().equals(Saml2MessageBinding.POST.getUrn())) {
binding = Saml2MessageBinding.POST;
} else if (singleSignOnService.getBinding().equals(Saml2MessageBinding.REDIRECT.getUrn())) {
binding = Saml2MessageBinding.REDIRECT;
} else {
continue;
}
party.singleSignOnServiceLocation(singleSignOnService.getLocation()).singleSignOnServiceBinding(binding);
break;
}
for (SingleLogoutService singleLogoutService : idpssoDescriptor.getSingleLogoutServices()) {
Saml2MessageBinding binding;
if (singleLogoutService.getBinding().equals(Saml2MessageBinding.POST.getUrn())) {
binding = Saml2MessageBinding.POST;
} else if (singleLogoutService.getBinding().equals(Saml2MessageBinding.REDIRECT.getUrn())) {
binding = Saml2MessageBinding.REDIRECT;
} else {
continue;
}
String responseLocation = (singleLogoutService.getResponseLocation() == null) ? singleLogoutService.getLocation() : singleLogoutService.getResponseLocation();
party.singleLogoutServiceLocation(singleLogoutService.getLocation()).singleLogoutServiceResponseLocation(responseLocation).singleLogoutServiceBinding(binding);
break;
}
return party;
}
Also used :
X509Certificate(java.security.cert.X509Certificate)
Arrays(java.util.Arrays)
OpenSamlInitializationService(org.springframework.security.saml2.core.OpenSamlInitializationService)
KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor)
XMLObjectProviderRegistry(org.opensaml.core.xml.config.XMLObjectProviderRegistry)
Extensions(org.opensaml.saml.saml2.metadata.Extensions)
ArrayList(java.util.ArrayList)
SigningMethod(org.opensaml.saml.ext.saml2alg.SigningMethod)
SingleSignOnService(org.opensaml.saml.saml2.metadata.SingleSignOnService)
Document(org.w3c.dom.Document)
IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor)
XMLObject(org.opensaml.core.xml.XMLObject)
SAMLConstants(org.opensaml.saml.common.xml.SAMLConstants)
EntitiesDescriptor(org.opensaml.saml.saml2.metadata.EntitiesDescriptor)
UsageType(org.opensaml.security.credential.UsageType)
SingleLogoutService(org.opensaml.saml.saml2.metadata.SingleLogoutService)
Collection(java.util.Collection)
Unmarshaller(org.opensaml.core.xml.io.Unmarshaller)
Saml2Exception(org.springframework.security.saml2.Saml2Exception)
ConfigurationService(org.opensaml.core.config.ConfigurationService)
Saml2X509Credential(org.springframework.security.saml2.core.Saml2X509Credential)
CertificateException(java.security.cert.CertificateException)
KeyInfoSupport(org.opensaml.xmlsec.keyinfo.KeyInfoSupport)
ParserPool(net.shibboleth.utilities.java.support.xml.ParserPool)
List(java.util.List)
Element(org.w3c.dom.Element)
EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor)
InputStream(java.io.InputStream)
IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor)
SingleLogoutService(org.opensaml.saml.saml2.metadata.SingleLogoutService)
KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor)
Saml2X509Credential(org.springframework.security.saml2.core.Saml2X509Credential)
ArrayList(java.util.ArrayList)
SingleSignOnService(org.opensaml.saml.saml2.metadata.SingleSignOnService)
Saml2Exception(org.springframework.security.saml2.Saml2Exception)
X509Certificate(java.security.cert.X509Certificate)
SigningMethod(org.opensaml.saml.ext.saml2alg.SigningMethod)
Aggregations
IDPSSODescriptor (org.opensaml.saml.saml2.metadata.IDPSSODescriptor)21
KeyDescriptor (org.opensaml.saml.saml2.metadata.KeyDescriptor)8
EntityDescriptor (org.opensaml.saml.saml2.metadata.EntityDescriptor)7
SingleSignOnService (org.opensaml.saml.saml2.metadata.SingleSignOnService)7
IOException (java.io.IOException)3
CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet)3
AuthenticationFailureException (org.codice.ddf.platform.filter.AuthenticationFailureException)3
EntityIdCriterion (org.opensaml.core.criterion.EntityIdCriterion)3
MarshallingException (org.opensaml.core.xml.io.MarshallingException)3
SingleLogoutService (org.opensaml.saml.saml2.metadata.SingleLogoutService)3
SignatureException (org.opensaml.xmlsec.signature.support.SignatureException)3
URI (java.net.URI)2
CertificateException (java.security.cert.CertificateException)2
X509Certificate (java.security.cert.X509Certificate)2
ComponentInitializationException (net.shibboleth.utilities.java.support.component.ComponentInitializationException)2
ResolverException (net.shibboleth.utilities.java.support.resolver.ResolverException)2
Test (org.junit.Test)2
MessageEncoder (org.opensaml.messaging.encoder.MessageEncoder)2
MessageEncodingException (org.opensaml.messaging.encoder.MessageEncodingException)2
AssertionConsumerService (org.opensaml.saml.saml2.metadata.AssertionConsumerService)2
