Example 1 with KeyDescriptor
use of org.opensaml.saml2.metadata.KeyDescriptor in project syncope by apache.
the class SAML2SPLogic method getMetadata.
@PreAuthorize("isAuthenticated()")
public void getMetadata(final String spEntityID, final String urlContext, final OutputStream os) {
check();
try {
EntityDescriptor spEntityDescriptor = new EntityDescriptorBuilder().buildObject();
spEntityDescriptor.setEntityID(spEntityID);
SPSSODescriptor spSSODescriptor = new SPSSODescriptorBuilder().buildObject();
spSSODescriptor.setWantAssertionsSigned(true);
spSSODescriptor.setAuthnRequestsSigned(true);
spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
keyInfoGeneratorFactory.setEmitEntityCertificate(true);
KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
keyInfoGenerator.generate(loader.getCredential());
KeyDescriptor keyDescriptor = new KeyDescriptorBuilder().buildObject();
keyDescriptor.setKeyInfo(keyInfoGenerator.generate(loader.getCredential()));
spSSODescriptor.getKeyDescriptors().add(keyDescriptor);
NameIDFormat nameIDFormat = new NameIDFormatBuilder().buildObject();
nameIDFormat.setFormat(NameIDType.PERSISTENT);
spSSODescriptor.getNameIDFormats().add(nameIDFormat);
nameIDFormat = new NameIDFormatBuilder().buildObject();
nameIDFormat.setFormat(NameIDType.TRANSIENT);
spSSODescriptor.getNameIDFormats().add(nameIDFormat);
for (SAML2BindingType bindingType : SAML2BindingType.values()) {
AssertionConsumerService assertionConsumerService = new AssertionConsumerServiceBuilder().buildObject();
assertionConsumerService.setIndex(bindingType.ordinal());
assertionConsumerService.setBinding(bindingType.getUri());
assertionConsumerService.setLocation(getAssertionConsumerURL(spEntityID, urlContext));
spSSODescriptor.getAssertionConsumerServices().add(assertionConsumerService);
spEntityDescriptor.getRoleDescriptors().add(spSSODescriptor);
String sloUrl = spEntityID + urlContext + "/logout";
validateUrl(sloUrl);
SingleLogoutService singleLogoutService = new SingleLogoutServiceBuilder().buildObject();
singleLogoutService.setBinding(bindingType.getUri());
singleLogoutService.setLocation(sloUrl);
singleLogoutService.setResponseLocation(sloUrl);
spSSODescriptor.getSingleLogoutServices().add(singleLogoutService);
}
spEntityDescriptor.getRoleDescriptors().add(spSSODescriptor);
saml2rw.sign(spEntityDescriptor);
saml2rw.write(new OutputStreamWriter(os), spEntityDescriptor, true);
} catch (Exception e) {
LOG.error("While getting SP metadata", e);
SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
sce.getElements().add(e.getMessage());
throw sce;
}
}
Also used :
SAML2BindingType(org.apache.syncope.common.lib.types.SAML2BindingType)
SPSSODescriptorBuilder(org.opensaml.saml.saml2.metadata.impl.SPSSODescriptorBuilder)
SingleLogoutService(org.opensaml.saml.saml2.metadata.SingleLogoutService)
KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor)
AssertionConsumerServiceBuilder(org.opensaml.saml.saml2.metadata.impl.AssertionConsumerServiceBuilder)
SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException)
NameIDFormatBuilder(org.opensaml.saml.saml2.metadata.impl.NameIDFormatBuilder)
XSString(org.opensaml.core.xml.schema.XSString)
EntityDescriptorBuilder(org.opensaml.saml.saml2.metadata.impl.EntityDescriptorBuilder)
SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException)
NotFoundException(org.apache.syncope.core.persistence.api.dao.NotFoundException)
EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor)
SPSSODescriptor(org.opensaml.saml.saml2.metadata.SPSSODescriptor)
KeyInfoGenerator(org.opensaml.xmlsec.keyinfo.KeyInfoGenerator)
NameIDFormat(org.opensaml.saml.saml2.metadata.NameIDFormat)
SingleLogoutServiceBuilder(org.opensaml.saml.saml2.metadata.impl.SingleLogoutServiceBuilder)
AssertionConsumerService(org.opensaml.saml.saml2.metadata.AssertionConsumerService)
OutputStreamWriter(java.io.OutputStreamWriter)
KeyDescriptorBuilder(org.opensaml.saml.saml2.metadata.impl.KeyDescriptorBuilder)
X509KeyInfoGeneratorFactory(org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory)
PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)
Example 2 with KeyDescriptor
use of org.opensaml.saml2.metadata.KeyDescriptor in project pac4j by pac4j.
the class SAML2MetadataGenerator method getKeyDescriptor.
protected final KeyDescriptor getKeyDescriptor(final UsageType type, final KeyInfo key) {
final SAMLObjectBuilder<KeyDescriptor> builder = (SAMLObjectBuilder<KeyDescriptor>) Configuration.getBuilderFactory().getBuilder(KeyDescriptor.DEFAULT_ELEMENT_NAME);
final KeyDescriptor descriptor = builder.buildObject();
descriptor.setUse(type);
descriptor.setKeyInfo(key);
return descriptor;
}
Also used :
SAMLObjectBuilder(org.opensaml.saml.common.SAMLObjectBuilder)
KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor)
Example 3 with KeyDescriptor
use of org.opensaml.saml2.metadata.KeyDescriptor in project cloudstack by apache.
the class SAML2AuthManagerImpl method addIdpToMap.
private void addIdpToMap(EntityDescriptor descriptor, Map<String, SAMLProviderMetadata> idpMap) {
SAMLProviderMetadata idpMetadata = new SAMLProviderMetadata();
idpMetadata.setEntityId(descriptor.getEntityID());
s_logger.debug("Adding IdP to the list of discovered IdPs: " + descriptor.getEntityID());
if (descriptor.getOrganization() != null) {
if (descriptor.getOrganization().getDisplayNames() != null) {
for (OrganizationDisplayName orgName : descriptor.getOrganization().getDisplayNames()) {
if (orgName != null && orgName.getName() != null) {
idpMetadata.setOrganizationName(orgName.getName().getLocalString());
break;
}
}
}
if (idpMetadata.getOrganizationName() == null && descriptor.getOrganization().getOrganizationNames() != null) {
for (OrganizationName orgName : descriptor.getOrganization().getOrganizationNames()) {
if (orgName != null && orgName.getName() != null) {
idpMetadata.setOrganizationName(orgName.getName().getLocalString());
break;
}
}
}
if (descriptor.getOrganization().getURLs() != null) {
for (OrganizationURL organizationURL : descriptor.getOrganization().getURLs()) {
if (organizationURL != null && organizationURL.getURL() != null) {
idpMetadata.setOrganizationUrl(organizationURL.getURL().getLocalString());
break;
}
}
}
}
if (descriptor.getContactPersons() != null) {
for (ContactPerson person : descriptor.getContactPersons()) {
if (person == null || (person.getGivenName() == null && person.getSurName() == null) || person.getEmailAddresses() == null) {
continue;
}
if (person.getGivenName() != null) {
idpMetadata.setContactPersonName(person.getGivenName().getName());
} else if (person.getSurName() != null) {
idpMetadata.setContactPersonName(person.getSurName().getName());
}
for (EmailAddress emailAddress : person.getEmailAddresses()) {
if (emailAddress != null && emailAddress.getAddress() != null) {
idpMetadata.setContactPersonEmail(emailAddress.getAddress());
}
}
if (idpMetadata.getContactPersonName() != null && idpMetadata.getContactPersonEmail() != null) {
break;
}
}
}
IDPSSODescriptor idpDescriptor = descriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS);
if (idpDescriptor != null) {
if (idpDescriptor.getSingleSignOnServices() != null) {
for (SingleSignOnService ssos : idpDescriptor.getSingleSignOnServices()) {
if (ssos.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
idpMetadata.setSsoUrl(ssos.getLocation());
}
}
}
if (idpDescriptor.getSingleLogoutServices() != null) {
for (SingleLogoutService slos : idpDescriptor.getSingleLogoutServices()) {
if (slos.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
idpMetadata.setSloUrl(slos.getLocation());
}
}
}
X509Certificate unspecifiedKey = null;
if (idpDescriptor.getKeyDescriptors() != null) {
for (KeyDescriptor kd : idpDescriptor.getKeyDescriptors()) {
if (kd.getUse() == UsageType.SIGNING) {
try {
idpMetadata.setSigningCertificate(KeyInfoHelper.getCertificates(kd.getKeyInfo()).get(0));
} catch (CertificateException ignored) {
s_logger.info("[ignored] encountered invalid certificate signing.", ignored);
}
}
if (kd.getUse() == UsageType.ENCRYPTION) {
try {
idpMetadata.setEncryptionCertificate(KeyInfoHelper.getCertificates(kd.getKeyInfo()).get(0));
} catch (CertificateException ignored) {
s_logger.info("[ignored] encountered invalid certificate encryption.", ignored);
}
}
if (kd.getUse() == UsageType.UNSPECIFIED) {
try {
unspecifiedKey = KeyInfoHelper.getCertificates(kd.getKeyInfo()).get(0);
} catch (CertificateException ignored) {
s_logger.info("[ignored] encountered invalid certificate.", ignored);
}
}
}
}
if (idpMetadata.getSigningCertificate() == null && unspecifiedKey != null) {
idpMetadata.setSigningCertificate(unspecifiedKey);
}
if (idpMetadata.getEncryptionCertificate() == null && unspecifiedKey != null) {
idpMetadata.setEncryptionCertificate(unspecifiedKey);
}
if (idpMap.containsKey(idpMetadata.getEntityId())) {
s_logger.warn("Duplicate IdP metadata found with entity Id: " + idpMetadata.getEntityId());
}
idpMap.put(idpMetadata.getEntityId(), idpMetadata);
}
}
Also used :
OrganizationName(org.opensaml.saml2.metadata.OrganizationName)
OrganizationDisplayName(org.opensaml.saml2.metadata.OrganizationDisplayName)
IDPSSODescriptor(org.opensaml.saml2.metadata.IDPSSODescriptor)
SingleLogoutService(org.opensaml.saml2.metadata.SingleLogoutService)
KeyDescriptor(org.opensaml.saml2.metadata.KeyDescriptor)
SingleSignOnService(org.opensaml.saml2.metadata.SingleSignOnService)
CertificateException(java.security.cert.CertificateException)
ContactPerson(org.opensaml.saml2.metadata.ContactPerson)
EmailAddress(org.opensaml.saml2.metadata.EmailAddress)
X509Certificate(java.security.cert.X509Certificate)
OrganizationURL(org.opensaml.saml2.metadata.OrganizationURL)
Example 4 with KeyDescriptor
use of org.opensaml.saml2.metadata.KeyDescriptor in project ddf by codice.
the class SamlProtocol method createIdpMetadata.
@SuppressWarnings("squid:S00107")
public static EntityDescriptor createIdpMetadata(String entityId, String signingCert, String encryptionCert, List<String> nameIds, String singleSignOnLocationRedirect, String singleSignOnLocationPost, String singleSignOnLocationSoap, String singleLogOutLocation) {
EntityDescriptor entityDescriptor = entityDescriptorBuilder.buildObject();
entityDescriptor.setEntityID(entityId);
IDPSSODescriptor idpssoDescriptor = idpssoDescriptorBuilder.buildObject();
// signing
KeyDescriptor signingKeyDescriptor = keyDescriptorBuilder.buildObject();
signingKeyDescriptor.setUse(UsageType.SIGNING);
KeyInfo signingKeyInfo = keyInfoBuilder.buildObject(KeyInfo.DEFAULT_ELEMENT_NAME);
X509Data signingX509Data = x509DataBuilder.buildObject(X509Data.DEFAULT_ELEMENT_NAME);
X509Certificate signingX509Certificate = x509CertificateBuilder.buildObject(X509Certificate.DEFAULT_ELEMENT_NAME);
signingX509Certificate.setValue(signingCert);
signingX509Data.getX509Certificates().add(signingX509Certificate);
signingKeyInfo.getX509Datas().add(signingX509Data);
signingKeyDescriptor.setKeyInfo(signingKeyInfo);
idpssoDescriptor.getKeyDescriptors().add(signingKeyDescriptor);
// encryption
KeyDescriptor encKeyDescriptor = keyDescriptorBuilder.buildObject();
encKeyDescriptor.setUse(UsageType.ENCRYPTION);
KeyInfo encKeyInfo = keyInfoBuilder.buildObject(KeyInfo.DEFAULT_ELEMENT_NAME);
X509Data encX509Data = x509DataBuilder.buildObject(X509Data.DEFAULT_ELEMENT_NAME);
X509Certificate encX509Certificate = x509CertificateBuilder.buildObject(X509Certificate.DEFAULT_ELEMENT_NAME);
encX509Certificate.setValue(encryptionCert);
encX509Data.getX509Certificates().add(encX509Certificate);
encKeyInfo.getX509Datas().add(encX509Data);
encKeyDescriptor.setKeyInfo(encKeyInfo);
idpssoDescriptor.getKeyDescriptors().add(encKeyDescriptor);
for (String nameId : nameIds) {
NameIDFormat nameIDFormat = nameIdFormatBuilder.buildObject();
nameIDFormat.setFormat(nameId);
idpssoDescriptor.getNameIDFormats().add(nameIDFormat);
}
if (StringUtils.isNotBlank(singleSignOnLocationRedirect)) {
SingleSignOnService singleSignOnServiceRedirect = singleSignOnServiceBuilder.buildObject();
singleSignOnServiceRedirect.setBinding(REDIRECT_BINDING);
singleSignOnServiceRedirect.setLocation(singleSignOnLocationRedirect);
idpssoDescriptor.getSingleSignOnServices().add(singleSignOnServiceRedirect);
}
if (StringUtils.isNotBlank(singleSignOnLocationPost)) {
SingleSignOnService singleSignOnServicePost = singleSignOnServiceBuilder.buildObject();
singleSignOnServicePost.setBinding(POST_BINDING);
singleSignOnServicePost.setLocation(singleSignOnLocationPost);
idpssoDescriptor.getSingleSignOnServices().add(singleSignOnServicePost);
}
addSingleLogoutLocation(singleLogOutLocation, idpssoDescriptor.getSingleLogoutServices());
if (StringUtils.isNotBlank(singleSignOnLocationSoap)) {
SingleSignOnService singleSignOnServiceSoap = singleSignOnServiceBuilder.buildObject();
singleSignOnServiceSoap.setBinding(SOAP_BINDING);
singleSignOnServiceSoap.setLocation(singleSignOnLocationSoap);
idpssoDescriptor.getSingleSignOnServices().add(singleSignOnServiceSoap);
}
idpssoDescriptor.setWantAuthnRequestsSigned(true);
idpssoDescriptor.addSupportedProtocol(SUPPORTED_PROTOCOL);
entityDescriptor.getRoleDescriptors().add(idpssoDescriptor);
entityDescriptor.setCacheDuration(getCacheDuration().toMillis());
return entityDescriptor;
}
Also used :
EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor)
NameIDFormat(org.opensaml.saml.saml2.metadata.NameIDFormat)
IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor)
KeyInfo(org.opensaml.xmlsec.signature.KeyInfo)
KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor)
SingleSignOnService(org.opensaml.saml.saml2.metadata.SingleSignOnService)
X509Data(org.opensaml.xmlsec.signature.X509Data)
X509Certificate(org.opensaml.xmlsec.signature.X509Certificate)
Example 5 with KeyDescriptor
use of org.opensaml.saml2.metadata.KeyDescriptor in project ddf by codice.
the class SamlProtocol method createSpMetadata.
public static EntityDescriptor createSpMetadata(String entityId, String signingCert, String encryptionCert, List<String> nameIds, String singleLogOutLocation, String assertionConsumerServiceLocationRedirect, String assertionConsumerServiceLocationPost, String assertionConsumerServiceLocationPaos) {
EntityDescriptor entityDescriptor = entityDescriptorBuilder.buildObject();
entityDescriptor.setEntityID(entityId);
SPSSODescriptor spSsoDescriptor = spSsoDescriptorBuilder.buildObject();
// signing
KeyDescriptor signingKeyDescriptor = keyDescriptorBuilder.buildObject();
signingKeyDescriptor.setUse(UsageType.SIGNING);
KeyInfo signingKeyInfo = keyInfoBuilder.buildObject(KeyInfo.DEFAULT_ELEMENT_NAME);
X509Data signingX509Data = x509DataBuilder.buildObject(X509Data.DEFAULT_ELEMENT_NAME);
X509Certificate signingX509Certificate = x509CertificateBuilder.buildObject(X509Certificate.DEFAULT_ELEMENT_NAME);
signingX509Certificate.setValue(signingCert);
signingX509Data.getX509Certificates().add(signingX509Certificate);
signingKeyInfo.getX509Datas().add(signingX509Data);
signingKeyDescriptor.setKeyInfo(signingKeyInfo);
spSsoDescriptor.getKeyDescriptors().add(signingKeyDescriptor);
// encryption
KeyDescriptor encKeyDescriptor = keyDescriptorBuilder.buildObject();
encKeyDescriptor.setUse(UsageType.ENCRYPTION);
KeyInfo encKeyInfo = keyInfoBuilder.buildObject(KeyInfo.DEFAULT_ELEMENT_NAME);
X509Data encX509Data = x509DataBuilder.buildObject(X509Data.DEFAULT_ELEMENT_NAME);
X509Certificate encX509Certificate = x509CertificateBuilder.buildObject(X509Certificate.DEFAULT_ELEMENT_NAME);
encX509Certificate.setValue(encryptionCert);
encX509Data.getX509Certificates().add(encX509Certificate);
encKeyInfo.getX509Datas().add(encX509Data);
encKeyDescriptor.setKeyInfo(encKeyInfo);
spSsoDescriptor.getKeyDescriptors().add(encKeyDescriptor);
for (String nameId : nameIds) {
NameIDFormat nameIDFormat = nameIdFormatBuilder.buildObject();
nameIDFormat.setFormat(nameId);
spSsoDescriptor.getNameIDFormats().add(nameIDFormat);
}
addSingleLogoutLocation(singleLogOutLocation, spSsoDescriptor.getSingleLogoutServices());
int acsIndex = 0;
if (StringUtils.isNotBlank(assertionConsumerServiceLocationRedirect)) {
AssertionConsumerService assertionConsumerService = assertionConsumerServiceBuilder.buildObject();
assertionConsumerService.setBinding(REDIRECT_BINDING);
assertionConsumerService.setIndex(acsIndex++);
assertionConsumerService.setLocation(assertionConsumerServiceLocationRedirect);
spSsoDescriptor.getAssertionConsumerServices().add(assertionConsumerService);
}
if (StringUtils.isNotBlank(assertionConsumerServiceLocationPost)) {
AssertionConsumerService assertionConsumerService = assertionConsumerServiceBuilder.buildObject();
assertionConsumerService.setBinding(POST_BINDING);
assertionConsumerService.setIndex(acsIndex++);
assertionConsumerService.setLocation(assertionConsumerServiceLocationPost);
spSsoDescriptor.getAssertionConsumerServices().add(assertionConsumerService);
}
if (StringUtils.isNotBlank(assertionConsumerServiceLocationPaos)) {
AssertionConsumerService assertionConsumerServicePaos = assertionConsumerServiceBuilder.buildObject();
assertionConsumerServicePaos.setBinding(PAOS_BINDING);
assertionConsumerServicePaos.setIndex(acsIndex);
assertionConsumerServicePaos.setLocation(assertionConsumerServiceLocationPaos);
spSsoDescriptor.getAssertionConsumerServices().add(assertionConsumerServicePaos);
}
spSsoDescriptor.addSupportedProtocol(SUPPORTED_PROTOCOL);
entityDescriptor.getRoleDescriptors().add(spSsoDescriptor);
entityDescriptor.setCacheDuration(getCacheDuration().toMillis());
return entityDescriptor;
}
Also used :
EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor)
SPSSODescriptor(org.opensaml.saml.saml2.metadata.SPSSODescriptor)
NameIDFormat(org.opensaml.saml.saml2.metadata.NameIDFormat)
KeyInfo(org.opensaml.xmlsec.signature.KeyInfo)
KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor)
AssertionConsumerService(org.opensaml.saml.saml2.metadata.AssertionConsumerService)
X509Data(org.opensaml.xmlsec.signature.X509Data)
X509Certificate(org.opensaml.xmlsec.signature.X509Certificate)
Aggregations
KeyDescriptor (org.opensaml.saml.saml2.metadata.KeyDescriptor)27
EntityDescriptor (org.opensaml.saml.saml2.metadata.EntityDescriptor)11
Test (org.junit.jupiter.api.Test)9
IDPSSODescriptor (org.opensaml.saml.saml2.metadata.IDPSSODescriptor)8
X509Certificate (org.opensaml.xmlsec.signature.X509Certificate)8
KeyInfo (org.opensaml.xmlsec.signature.KeyInfo)5
X509Data (org.opensaml.xmlsec.signature.X509Data)5
SingleLogoutService (org.opensaml.saml.saml2.metadata.SingleLogoutService)4
MarshallingException (org.opensaml.core.xml.io.MarshallingException)3
NameIDFormat (org.opensaml.saml.saml2.metadata.NameIDFormat)3
SingleSignOnService (org.opensaml.saml.saml2.metadata.SingleSignOnService)3
SignatureException (org.opensaml.xmlsec.signature.support.SignatureException)3
CertificateException (java.security.cert.CertificateException)2
X509Certificate (java.security.cert.X509Certificate)2
ArrayList (java.util.ArrayList)2
AssertionConsumerService (org.opensaml.saml.saml2.metadata.AssertionConsumerService)2
SPSSODescriptor (org.opensaml.saml.saml2.metadata.SPSSODescriptor)2
Signature (org.opensaml.xmlsec.signature.Signature)2
Saml2Exception (org.springframework.security.saml2.Saml2Exception)2
Saml2X509Credential (org.springframework.security.saml2.core.Saml2X509Credential)2
