Search in sources :

Example 1 with KeyDescriptor

use of org.opensaml.saml2.metadata.KeyDescriptor in project syncope by apache.

the class SAML2SPLogic method getMetadata.

@PreAuthorize("isAuthenticated()")
public void getMetadata(final String spEntityID, final String urlContext, final OutputStream os) {
    check();
    try {
        EntityDescriptor spEntityDescriptor = new EntityDescriptorBuilder().buildObject();
        spEntityDescriptor.setEntityID(spEntityID);
        SPSSODescriptor spSSODescriptor = new SPSSODescriptorBuilder().buildObject();
        spSSODescriptor.setWantAssertionsSigned(true);
        spSSODescriptor.setAuthnRequestsSigned(true);
        spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
        X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
        keyInfoGeneratorFactory.setEmitEntityCertificate(true);
        KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
        keyInfoGenerator.generate(loader.getCredential());
        KeyDescriptor keyDescriptor = new KeyDescriptorBuilder().buildObject();
        keyDescriptor.setKeyInfo(keyInfoGenerator.generate(loader.getCredential()));
        spSSODescriptor.getKeyDescriptors().add(keyDescriptor);
        NameIDFormat nameIDFormat = new NameIDFormatBuilder().buildObject();
        nameIDFormat.setFormat(NameIDType.PERSISTENT);
        spSSODescriptor.getNameIDFormats().add(nameIDFormat);
        nameIDFormat = new NameIDFormatBuilder().buildObject();
        nameIDFormat.setFormat(NameIDType.TRANSIENT);
        spSSODescriptor.getNameIDFormats().add(nameIDFormat);
        for (SAML2BindingType bindingType : SAML2BindingType.values()) {
            AssertionConsumerService assertionConsumerService = new AssertionConsumerServiceBuilder().buildObject();
            assertionConsumerService.setIndex(bindingType.ordinal());
            assertionConsumerService.setBinding(bindingType.getUri());
            assertionConsumerService.setLocation(getAssertionConsumerURL(spEntityID, urlContext));
            spSSODescriptor.getAssertionConsumerServices().add(assertionConsumerService);
            spEntityDescriptor.getRoleDescriptors().add(spSSODescriptor);
            String sloUrl = spEntityID + urlContext + "/logout";
            validateUrl(sloUrl);
            SingleLogoutService singleLogoutService = new SingleLogoutServiceBuilder().buildObject();
            singleLogoutService.setBinding(bindingType.getUri());
            singleLogoutService.setLocation(sloUrl);
            singleLogoutService.setResponseLocation(sloUrl);
            spSSODescriptor.getSingleLogoutServices().add(singleLogoutService);
        }
        spEntityDescriptor.getRoleDescriptors().add(spSSODescriptor);
        saml2rw.sign(spEntityDescriptor);
        saml2rw.write(new OutputStreamWriter(os), spEntityDescriptor, true);
    } catch (Exception e) {
        LOG.error("While getting SP metadata", e);
        SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
        sce.getElements().add(e.getMessage());
        throw sce;
    }
}
Also used : SAML2BindingType(org.apache.syncope.common.lib.types.SAML2BindingType) SPSSODescriptorBuilder(org.opensaml.saml.saml2.metadata.impl.SPSSODescriptorBuilder) SingleLogoutService(org.opensaml.saml.saml2.metadata.SingleLogoutService) KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor) AssertionConsumerServiceBuilder(org.opensaml.saml.saml2.metadata.impl.AssertionConsumerServiceBuilder) SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException) NameIDFormatBuilder(org.opensaml.saml.saml2.metadata.impl.NameIDFormatBuilder) XSString(org.opensaml.core.xml.schema.XSString) EntityDescriptorBuilder(org.opensaml.saml.saml2.metadata.impl.EntityDescriptorBuilder) SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException) NotFoundException(org.apache.syncope.core.persistence.api.dao.NotFoundException) EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor) SPSSODescriptor(org.opensaml.saml.saml2.metadata.SPSSODescriptor) KeyInfoGenerator(org.opensaml.xmlsec.keyinfo.KeyInfoGenerator) NameIDFormat(org.opensaml.saml.saml2.metadata.NameIDFormat) SingleLogoutServiceBuilder(org.opensaml.saml.saml2.metadata.impl.SingleLogoutServiceBuilder) AssertionConsumerService(org.opensaml.saml.saml2.metadata.AssertionConsumerService) OutputStreamWriter(java.io.OutputStreamWriter) KeyDescriptorBuilder(org.opensaml.saml.saml2.metadata.impl.KeyDescriptorBuilder) X509KeyInfoGeneratorFactory(org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory) PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)

Example 2 with KeyDescriptor

use of org.opensaml.saml2.metadata.KeyDescriptor in project pac4j by pac4j.

the class SAML2MetadataGenerator method getKeyDescriptor.

protected final KeyDescriptor getKeyDescriptor(final UsageType type, final KeyInfo key) {
    final SAMLObjectBuilder<KeyDescriptor> builder = (SAMLObjectBuilder<KeyDescriptor>) Configuration.getBuilderFactory().getBuilder(KeyDescriptor.DEFAULT_ELEMENT_NAME);
    final KeyDescriptor descriptor = builder.buildObject();
    descriptor.setUse(type);
    descriptor.setKeyInfo(key);
    return descriptor;
}
Also used : SAMLObjectBuilder(org.opensaml.saml.common.SAMLObjectBuilder) KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor)

Example 3 with KeyDescriptor

use of org.opensaml.saml2.metadata.KeyDescriptor in project cloudstack by apache.

the class SAML2AuthManagerImpl method addIdpToMap.

private void addIdpToMap(EntityDescriptor descriptor, Map<String, SAMLProviderMetadata> idpMap) {
    SAMLProviderMetadata idpMetadata = new SAMLProviderMetadata();
    idpMetadata.setEntityId(descriptor.getEntityID());
    s_logger.debug("Adding IdP to the list of discovered IdPs: " + descriptor.getEntityID());
    if (descriptor.getOrganization() != null) {
        if (descriptor.getOrganization().getDisplayNames() != null) {
            for (OrganizationDisplayName orgName : descriptor.getOrganization().getDisplayNames()) {
                if (orgName != null && orgName.getName() != null) {
                    idpMetadata.setOrganizationName(orgName.getName().getLocalString());
                    break;
                }
            }
        }
        if (idpMetadata.getOrganizationName() == null && descriptor.getOrganization().getOrganizationNames() != null) {
            for (OrganizationName orgName : descriptor.getOrganization().getOrganizationNames()) {
                if (orgName != null && orgName.getName() != null) {
                    idpMetadata.setOrganizationName(orgName.getName().getLocalString());
                    break;
                }
            }
        }
        if (descriptor.getOrganization().getURLs() != null) {
            for (OrganizationURL organizationURL : descriptor.getOrganization().getURLs()) {
                if (organizationURL != null && organizationURL.getURL() != null) {
                    idpMetadata.setOrganizationUrl(organizationURL.getURL().getLocalString());
                    break;
                }
            }
        }
    }
    if (descriptor.getContactPersons() != null) {
        for (ContactPerson person : descriptor.getContactPersons()) {
            if (person == null || (person.getGivenName() == null && person.getSurName() == null) || person.getEmailAddresses() == null) {
                continue;
            }
            if (person.getGivenName() != null) {
                idpMetadata.setContactPersonName(person.getGivenName().getName());
            } else if (person.getSurName() != null) {
                idpMetadata.setContactPersonName(person.getSurName().getName());
            }
            for (EmailAddress emailAddress : person.getEmailAddresses()) {
                if (emailAddress != null && emailAddress.getAddress() != null) {
                    idpMetadata.setContactPersonEmail(emailAddress.getAddress());
                }
            }
            if (idpMetadata.getContactPersonName() != null && idpMetadata.getContactPersonEmail() != null) {
                break;
            }
        }
    }
    IDPSSODescriptor idpDescriptor = descriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS);
    if (idpDescriptor != null) {
        if (idpDescriptor.getSingleSignOnServices() != null) {
            for (SingleSignOnService ssos : idpDescriptor.getSingleSignOnServices()) {
                if (ssos.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
                    idpMetadata.setSsoUrl(ssos.getLocation());
                }
            }
        }
        if (idpDescriptor.getSingleLogoutServices() != null) {
            for (SingleLogoutService slos : idpDescriptor.getSingleLogoutServices()) {
                if (slos.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
                    idpMetadata.setSloUrl(slos.getLocation());
                }
            }
        }
        X509Certificate unspecifiedKey = null;
        if (idpDescriptor.getKeyDescriptors() != null) {
            for (KeyDescriptor kd : idpDescriptor.getKeyDescriptors()) {
                if (kd.getUse() == UsageType.SIGNING) {
                    try {
                        idpMetadata.setSigningCertificate(KeyInfoHelper.getCertificates(kd.getKeyInfo()).get(0));
                    } catch (CertificateException ignored) {
                        s_logger.info("[ignored] encountered invalid certificate signing.", ignored);
                    }
                }
                if (kd.getUse() == UsageType.ENCRYPTION) {
                    try {
                        idpMetadata.setEncryptionCertificate(KeyInfoHelper.getCertificates(kd.getKeyInfo()).get(0));
                    } catch (CertificateException ignored) {
                        s_logger.info("[ignored] encountered invalid certificate encryption.", ignored);
                    }
                }
                if (kd.getUse() == UsageType.UNSPECIFIED) {
                    try {
                        unspecifiedKey = KeyInfoHelper.getCertificates(kd.getKeyInfo()).get(0);
                    } catch (CertificateException ignored) {
                        s_logger.info("[ignored] encountered invalid certificate.", ignored);
                    }
                }
            }
        }
        if (idpMetadata.getSigningCertificate() == null && unspecifiedKey != null) {
            idpMetadata.setSigningCertificate(unspecifiedKey);
        }
        if (idpMetadata.getEncryptionCertificate() == null && unspecifiedKey != null) {
            idpMetadata.setEncryptionCertificate(unspecifiedKey);
        }
        if (idpMap.containsKey(idpMetadata.getEntityId())) {
            s_logger.warn("Duplicate IdP metadata found with entity Id: " + idpMetadata.getEntityId());
        }
        idpMap.put(idpMetadata.getEntityId(), idpMetadata);
    }
}
Also used : OrganizationName(org.opensaml.saml2.metadata.OrganizationName) OrganizationDisplayName(org.opensaml.saml2.metadata.OrganizationDisplayName) IDPSSODescriptor(org.opensaml.saml2.metadata.IDPSSODescriptor) SingleLogoutService(org.opensaml.saml2.metadata.SingleLogoutService) KeyDescriptor(org.opensaml.saml2.metadata.KeyDescriptor) SingleSignOnService(org.opensaml.saml2.metadata.SingleSignOnService) CertificateException(java.security.cert.CertificateException) ContactPerson(org.opensaml.saml2.metadata.ContactPerson) EmailAddress(org.opensaml.saml2.metadata.EmailAddress) X509Certificate(java.security.cert.X509Certificate) OrganizationURL(org.opensaml.saml2.metadata.OrganizationURL)

Example 4 with KeyDescriptor

use of org.opensaml.saml2.metadata.KeyDescriptor in project ddf by codice.

the class SamlProtocol method createIdpMetadata.

@SuppressWarnings("squid:S00107")
public static EntityDescriptor createIdpMetadata(String entityId, String signingCert, String encryptionCert, List<String> nameIds, String singleSignOnLocationRedirect, String singleSignOnLocationPost, String singleSignOnLocationSoap, String singleLogOutLocation) {
    EntityDescriptor entityDescriptor = entityDescriptorBuilder.buildObject();
    entityDescriptor.setEntityID(entityId);
    IDPSSODescriptor idpssoDescriptor = idpssoDescriptorBuilder.buildObject();
    // signing
    KeyDescriptor signingKeyDescriptor = keyDescriptorBuilder.buildObject();
    signingKeyDescriptor.setUse(UsageType.SIGNING);
    KeyInfo signingKeyInfo = keyInfoBuilder.buildObject(KeyInfo.DEFAULT_ELEMENT_NAME);
    X509Data signingX509Data = x509DataBuilder.buildObject(X509Data.DEFAULT_ELEMENT_NAME);
    X509Certificate signingX509Certificate = x509CertificateBuilder.buildObject(X509Certificate.DEFAULT_ELEMENT_NAME);
    signingX509Certificate.setValue(signingCert);
    signingX509Data.getX509Certificates().add(signingX509Certificate);
    signingKeyInfo.getX509Datas().add(signingX509Data);
    signingKeyDescriptor.setKeyInfo(signingKeyInfo);
    idpssoDescriptor.getKeyDescriptors().add(signingKeyDescriptor);
    // encryption
    KeyDescriptor encKeyDescriptor = keyDescriptorBuilder.buildObject();
    encKeyDescriptor.setUse(UsageType.ENCRYPTION);
    KeyInfo encKeyInfo = keyInfoBuilder.buildObject(KeyInfo.DEFAULT_ELEMENT_NAME);
    X509Data encX509Data = x509DataBuilder.buildObject(X509Data.DEFAULT_ELEMENT_NAME);
    X509Certificate encX509Certificate = x509CertificateBuilder.buildObject(X509Certificate.DEFAULT_ELEMENT_NAME);
    encX509Certificate.setValue(encryptionCert);
    encX509Data.getX509Certificates().add(encX509Certificate);
    encKeyInfo.getX509Datas().add(encX509Data);
    encKeyDescriptor.setKeyInfo(encKeyInfo);
    idpssoDescriptor.getKeyDescriptors().add(encKeyDescriptor);
    for (String nameId : nameIds) {
        NameIDFormat nameIDFormat = nameIdFormatBuilder.buildObject();
        nameIDFormat.setFormat(nameId);
        idpssoDescriptor.getNameIDFormats().add(nameIDFormat);
    }
    if (StringUtils.isNotBlank(singleSignOnLocationRedirect)) {
        SingleSignOnService singleSignOnServiceRedirect = singleSignOnServiceBuilder.buildObject();
        singleSignOnServiceRedirect.setBinding(REDIRECT_BINDING);
        singleSignOnServiceRedirect.setLocation(singleSignOnLocationRedirect);
        idpssoDescriptor.getSingleSignOnServices().add(singleSignOnServiceRedirect);
    }
    if (StringUtils.isNotBlank(singleSignOnLocationPost)) {
        SingleSignOnService singleSignOnServicePost = singleSignOnServiceBuilder.buildObject();
        singleSignOnServicePost.setBinding(POST_BINDING);
        singleSignOnServicePost.setLocation(singleSignOnLocationPost);
        idpssoDescriptor.getSingleSignOnServices().add(singleSignOnServicePost);
    }
    addSingleLogoutLocation(singleLogOutLocation, idpssoDescriptor.getSingleLogoutServices());
    if (StringUtils.isNotBlank(singleSignOnLocationSoap)) {
        SingleSignOnService singleSignOnServiceSoap = singleSignOnServiceBuilder.buildObject();
        singleSignOnServiceSoap.setBinding(SOAP_BINDING);
        singleSignOnServiceSoap.setLocation(singleSignOnLocationSoap);
        idpssoDescriptor.getSingleSignOnServices().add(singleSignOnServiceSoap);
    }
    idpssoDescriptor.setWantAuthnRequestsSigned(true);
    idpssoDescriptor.addSupportedProtocol(SUPPORTED_PROTOCOL);
    entityDescriptor.getRoleDescriptors().add(idpssoDescriptor);
    entityDescriptor.setCacheDuration(getCacheDuration().toMillis());
    return entityDescriptor;
}
Also used : EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor) NameIDFormat(org.opensaml.saml.saml2.metadata.NameIDFormat) IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor) KeyInfo(org.opensaml.xmlsec.signature.KeyInfo) KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor) SingleSignOnService(org.opensaml.saml.saml2.metadata.SingleSignOnService) X509Data(org.opensaml.xmlsec.signature.X509Data) X509Certificate(org.opensaml.xmlsec.signature.X509Certificate)

Example 5 with KeyDescriptor

use of org.opensaml.saml2.metadata.KeyDescriptor in project ddf by codice.

the class SamlProtocol method createSpMetadata.

public static EntityDescriptor createSpMetadata(String entityId, String signingCert, String encryptionCert, List<String> nameIds, String singleLogOutLocation, String assertionConsumerServiceLocationRedirect, String assertionConsumerServiceLocationPost, String assertionConsumerServiceLocationPaos) {
    EntityDescriptor entityDescriptor = entityDescriptorBuilder.buildObject();
    entityDescriptor.setEntityID(entityId);
    SPSSODescriptor spSsoDescriptor = spSsoDescriptorBuilder.buildObject();
    // signing
    KeyDescriptor signingKeyDescriptor = keyDescriptorBuilder.buildObject();
    signingKeyDescriptor.setUse(UsageType.SIGNING);
    KeyInfo signingKeyInfo = keyInfoBuilder.buildObject(KeyInfo.DEFAULT_ELEMENT_NAME);
    X509Data signingX509Data = x509DataBuilder.buildObject(X509Data.DEFAULT_ELEMENT_NAME);
    X509Certificate signingX509Certificate = x509CertificateBuilder.buildObject(X509Certificate.DEFAULT_ELEMENT_NAME);
    signingX509Certificate.setValue(signingCert);
    signingX509Data.getX509Certificates().add(signingX509Certificate);
    signingKeyInfo.getX509Datas().add(signingX509Data);
    signingKeyDescriptor.setKeyInfo(signingKeyInfo);
    spSsoDescriptor.getKeyDescriptors().add(signingKeyDescriptor);
    // encryption
    KeyDescriptor encKeyDescriptor = keyDescriptorBuilder.buildObject();
    encKeyDescriptor.setUse(UsageType.ENCRYPTION);
    KeyInfo encKeyInfo = keyInfoBuilder.buildObject(KeyInfo.DEFAULT_ELEMENT_NAME);
    X509Data encX509Data = x509DataBuilder.buildObject(X509Data.DEFAULT_ELEMENT_NAME);
    X509Certificate encX509Certificate = x509CertificateBuilder.buildObject(X509Certificate.DEFAULT_ELEMENT_NAME);
    encX509Certificate.setValue(encryptionCert);
    encX509Data.getX509Certificates().add(encX509Certificate);
    encKeyInfo.getX509Datas().add(encX509Data);
    encKeyDescriptor.setKeyInfo(encKeyInfo);
    spSsoDescriptor.getKeyDescriptors().add(encKeyDescriptor);
    for (String nameId : nameIds) {
        NameIDFormat nameIDFormat = nameIdFormatBuilder.buildObject();
        nameIDFormat.setFormat(nameId);
        spSsoDescriptor.getNameIDFormats().add(nameIDFormat);
    }
    addSingleLogoutLocation(singleLogOutLocation, spSsoDescriptor.getSingleLogoutServices());
    int acsIndex = 0;
    if (StringUtils.isNotBlank(assertionConsumerServiceLocationRedirect)) {
        AssertionConsumerService assertionConsumerService = assertionConsumerServiceBuilder.buildObject();
        assertionConsumerService.setBinding(REDIRECT_BINDING);
        assertionConsumerService.setIndex(acsIndex++);
        assertionConsumerService.setLocation(assertionConsumerServiceLocationRedirect);
        spSsoDescriptor.getAssertionConsumerServices().add(assertionConsumerService);
    }
    if (StringUtils.isNotBlank(assertionConsumerServiceLocationPost)) {
        AssertionConsumerService assertionConsumerService = assertionConsumerServiceBuilder.buildObject();
        assertionConsumerService.setBinding(POST_BINDING);
        assertionConsumerService.setIndex(acsIndex++);
        assertionConsumerService.setLocation(assertionConsumerServiceLocationPost);
        spSsoDescriptor.getAssertionConsumerServices().add(assertionConsumerService);
    }
    if (StringUtils.isNotBlank(assertionConsumerServiceLocationPaos)) {
        AssertionConsumerService assertionConsumerServicePaos = assertionConsumerServiceBuilder.buildObject();
        assertionConsumerServicePaos.setBinding(PAOS_BINDING);
        assertionConsumerServicePaos.setIndex(acsIndex);
        assertionConsumerServicePaos.setLocation(assertionConsumerServiceLocationPaos);
        spSsoDescriptor.getAssertionConsumerServices().add(assertionConsumerServicePaos);
    }
    spSsoDescriptor.addSupportedProtocol(SUPPORTED_PROTOCOL);
    entityDescriptor.getRoleDescriptors().add(spSsoDescriptor);
    entityDescriptor.setCacheDuration(getCacheDuration().toMillis());
    return entityDescriptor;
}
Also used : EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor) SPSSODescriptor(org.opensaml.saml.saml2.metadata.SPSSODescriptor) NameIDFormat(org.opensaml.saml.saml2.metadata.NameIDFormat) KeyInfo(org.opensaml.xmlsec.signature.KeyInfo) KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor) AssertionConsumerService(org.opensaml.saml.saml2.metadata.AssertionConsumerService) X509Data(org.opensaml.xmlsec.signature.X509Data) X509Certificate(org.opensaml.xmlsec.signature.X509Certificate)

Aggregations

KeyDescriptor (org.opensaml.saml.saml2.metadata.KeyDescriptor)27 EntityDescriptor (org.opensaml.saml.saml2.metadata.EntityDescriptor)11 Test (org.junit.jupiter.api.Test)9 IDPSSODescriptor (org.opensaml.saml.saml2.metadata.IDPSSODescriptor)8 X509Certificate (org.opensaml.xmlsec.signature.X509Certificate)8 KeyInfo (org.opensaml.xmlsec.signature.KeyInfo)5 X509Data (org.opensaml.xmlsec.signature.X509Data)5 SingleLogoutService (org.opensaml.saml.saml2.metadata.SingleLogoutService)4 MarshallingException (org.opensaml.core.xml.io.MarshallingException)3 NameIDFormat (org.opensaml.saml.saml2.metadata.NameIDFormat)3 SingleSignOnService (org.opensaml.saml.saml2.metadata.SingleSignOnService)3 SignatureException (org.opensaml.xmlsec.signature.support.SignatureException)3 CertificateException (java.security.cert.CertificateException)2 X509Certificate (java.security.cert.X509Certificate)2 ArrayList (java.util.ArrayList)2 AssertionConsumerService (org.opensaml.saml.saml2.metadata.AssertionConsumerService)2 SPSSODescriptor (org.opensaml.saml.saml2.metadata.SPSSODescriptor)2 Signature (org.opensaml.xmlsec.signature.Signature)2 Saml2Exception (org.springframework.security.saml2.Saml2Exception)2 Saml2X509Credential (org.springframework.security.saml2.core.Saml2X509Credential)2