Search in sources :

Example 1 with BasicX509Credential

use of org.opensaml.xml.security.x509.BasicX509Credential in project cas by apereo.

the class BaseSamlObjectSigner method getSignatureSigningConfiguration.

/**
     * Gets signature signing configuration.
     *
     * @return the signature signing configuration
     * @throws Exception the exception
     */
protected SignatureSigningConfiguration getSignatureSigningConfiguration() throws Exception {
    final BasicSignatureSigningConfiguration config = DefaultSecurityConfigurationBootstrap.buildDefaultSignatureSigningConfiguration();
    final SamlIdPProperties samlIdp = casProperties.getAuthn().getSamlIdp();
    if (this.overrideBlackListedSignatureAlgorithms != null && !samlIdp.getAlgs().getOverrideBlackListedSignatureSigningAlgorithms().isEmpty()) {
        config.setBlacklistedAlgorithms(this.overrideBlackListedSignatureAlgorithms);
    }
    if (this.overrideSignatureAlgorithms != null && !this.overrideSignatureAlgorithms.isEmpty()) {
        config.setSignatureAlgorithms(this.overrideSignatureAlgorithms);
    }
    if (this.overrideSignatureReferenceDigestMethods != null && !this.overrideSignatureReferenceDigestMethods.isEmpty()) {
        config.setSignatureReferenceDigestMethods(this.overrideSignatureReferenceDigestMethods);
    }
    if (this.overrideWhiteListedAlgorithms != null && !this.overrideWhiteListedAlgorithms.isEmpty()) {
        config.setWhitelistedAlgorithms(this.overrideWhiteListedAlgorithms);
    }
    if (StringUtils.isNotBlank(samlIdp.getAlgs().getOverrideSignatureCanonicalizationAlgorithm())) {
        config.setSignatureCanonicalizationAlgorithm(samlIdp.getAlgs().getOverrideSignatureCanonicalizationAlgorithm());
    }
    LOGGER.debug("Signature signing blacklisted algorithms: [{}]", config.getBlacklistedAlgorithms());
    LOGGER.debug("Signature signing signature algorithms: [{}]", config.getSignatureAlgorithms());
    LOGGER.debug("Signature signing signature canonicalization algorithm: [{}]", config.getSignatureCanonicalizationAlgorithm());
    LOGGER.debug("Signature signing whitelisted algorithms: [{}]", config.getWhitelistedAlgorithms());
    LOGGER.debug("Signature signing reference digest methods: [{}]", config.getSignatureReferenceDigestMethods());
    final PrivateKey privateKey = getSigningPrivateKey();
    final X509Certificate certificate = getSigningCertificate();
    final List<Credential> creds = new ArrayList<>();
    creds.add(new BasicX509Credential(certificate, privateKey));
    config.setSigningCredentials(creds);
    LOGGER.debug("Signature signing credentials configured");
    return config;
}
Also used : Credential(org.opensaml.security.credential.Credential) BasicX509Credential(org.opensaml.security.x509.BasicX509Credential) PrivateKey(java.security.PrivateKey) SamlIdPProperties(org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties) BasicX509Credential(org.opensaml.security.x509.BasicX509Credential) ArrayList(java.util.ArrayList) BasicSignatureSigningConfiguration(org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration) X509Certificate(java.security.cert.X509Certificate)

Example 2 with BasicX509Credential

use of org.opensaml.xml.security.x509.BasicX509Credential in project cloudstack by apache.

the class SAML2LoginAPIAuthenticatorCmd method authenticate.

@Override
public String authenticate(final String command, final Map<String, Object[]> params, final HttpSession session, final InetAddress remoteAddress, final String responseType, final StringBuilder auditTrailSb, final HttpServletRequest req, final HttpServletResponse resp) throws ServerApiException {
    try {
        if (!params.containsKey(SAMLPluginConstants.SAML_RESPONSE) && !params.containsKey("SAMLart")) {
            String idpId = null;
            String domainPath = null;
            if (params.containsKey(ApiConstants.IDP_ID)) {
                idpId = ((String[]) params.get(ApiConstants.IDP_ID))[0];
            }
            if (params.containsKey(ApiConstants.DOMAIN)) {
                domainPath = ((String[]) params.get(ApiConstants.DOMAIN))[0];
            }
            if (domainPath != null && !domainPath.isEmpty()) {
                if (!domainPath.startsWith("/")) {
                    domainPath = "/" + domainPath;
                }
                if (!domainPath.endsWith("/")) {
                    domainPath = domainPath + "/";
                }
            }
            SAMLProviderMetadata spMetadata = _samlAuthManager.getSPMetadata();
            SAMLProviderMetadata idpMetadata = _samlAuthManager.getIdPMetadata(idpId);
            if (idpMetadata == null) {
                throw new ServerApiException(ApiErrorCode.PARAM_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.PARAM_ERROR.getHttpCode(), "IdP ID (" + idpId + ") is not found in our list of supported IdPs, cannot proceed.", params, responseType));
            }
            if (idpMetadata.getSsoUrl() == null || idpMetadata.getSsoUrl().isEmpty()) {
                throw new ServerApiException(ApiErrorCode.PARAM_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.PARAM_ERROR.getHttpCode(), "IdP ID (" + idpId + ") has no Single Sign On URL defined please contact " + idpMetadata.getContactPersonName() + " <" + idpMetadata.getContactPersonEmail() + ">, cannot proceed.", params, responseType));
            }
            String authnId = SAMLUtils.generateSecureRandomId();
            _samlAuthManager.saveToken(authnId, domainPath, idpMetadata.getEntityId());
            s_logger.debug("Sending SAMLRequest id=" + authnId);
            String redirectUrl = SAMLUtils.buildAuthnRequestUrl(authnId, spMetadata, idpMetadata, SAML2AuthManager.SAMLSignatureAlgorithm.value());
            resp.sendRedirect(redirectUrl);
            return "";
        }
        if (params.containsKey("SAMLart")) {
            throw new ServerApiException(ApiErrorCode.UNSUPPORTED_ACTION_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.UNSUPPORTED_ACTION_ERROR.getHttpCode(), "SAML2 HTTP Artifact Binding is not supported", params, responseType));
        } else {
            final String samlResponse = ((String[]) params.get(SAMLPluginConstants.SAML_RESPONSE))[0];
            Response processedSAMLResponse = this.processSAMLResponse(samlResponse);
            String statusCode = processedSAMLResponse.getStatus().getStatusCode().getValue();
            if (!statusCode.equals(StatusCode.SUCCESS_URI)) {
                throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "Identity Provider send a non-successful authentication status code", params, responseType));
            }
            String username = null;
            Issuer issuer = processedSAMLResponse.getIssuer();
            SAMLProviderMetadata spMetadata = _samlAuthManager.getSPMetadata();
            SAMLProviderMetadata idpMetadata = _samlAuthManager.getIdPMetadata(issuer.getValue());
            String responseToId = processedSAMLResponse.getInResponseTo();
            s_logger.debug("Received SAMLResponse in response to id=" + responseToId);
            SAMLTokenVO token = _samlAuthManager.getToken(responseToId);
            if (token != null) {
                if (!(token.getEntity().equalsIgnoreCase(issuer.getValue()))) {
                    throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "The SAML response contains Issuer Entity ID that is different from the original SAML request", params, responseType));
                }
            } else {
                throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "Received SAML response for a SSO request that we may not have made or has expired, please try logging in again", params, responseType));
            }
            // Set IdpId for this session
            session.setAttribute(SAMLPluginConstants.SAML_IDPID, issuer.getValue());
            Signature sig = processedSAMLResponse.getSignature();
            if (idpMetadata.getSigningCertificate() != null && sig != null) {
                BasicX509Credential credential = new BasicX509Credential();
                credential.setEntityCertificate(idpMetadata.getSigningCertificate());
                SignatureValidator validator = new SignatureValidator(credential);
                try {
                    validator.validate(sig);
                } catch (ValidationException e) {
                    s_logger.error("SAML Response's signature failed to be validated by IDP signing key:" + e.getMessage());
                    throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "SAML Response's signature failed to be validated by IDP signing key", params, responseType));
                }
            }
            if (username == null) {
                username = SAMLUtils.getValueFromAssertions(processedSAMLResponse.getAssertions(), SAML2AuthManager.SAMLUserAttributeName.value());
            }
            for (Assertion assertion : processedSAMLResponse.getAssertions()) {
                if (assertion != null && assertion.getSubject() != null && assertion.getSubject().getNameID() != null) {
                    session.setAttribute(SAMLPluginConstants.SAML_NAMEID, assertion.getSubject().getNameID().getValue());
                    break;
                }
            }
            if (idpMetadata.getEncryptionCertificate() != null && spMetadata != null && spMetadata.getKeyPair() != null && spMetadata.getKeyPair().getPrivate() != null) {
                Credential credential = SecurityHelper.getSimpleCredential(idpMetadata.getEncryptionCertificate().getPublicKey(), spMetadata.getKeyPair().getPrivate());
                StaticKeyInfoCredentialResolver keyInfoResolver = new StaticKeyInfoCredentialResolver(credential);
                EncryptedKeyResolver keyResolver = new InlineEncryptedKeyResolver();
                Decrypter decrypter = new Decrypter(null, keyInfoResolver, keyResolver);
                decrypter.setRootInNewDocument(true);
                List<EncryptedAssertion> encryptedAssertions = processedSAMLResponse.getEncryptedAssertions();
                if (encryptedAssertions != null) {
                    for (EncryptedAssertion encryptedAssertion : encryptedAssertions) {
                        Assertion assertion = null;
                        try {
                            assertion = decrypter.decrypt(encryptedAssertion);
                        } catch (DecryptionException e) {
                            s_logger.warn("SAML EncryptedAssertion error: " + e.toString());
                        }
                        if (assertion == null) {
                            continue;
                        }
                        Signature encSig = assertion.getSignature();
                        if (idpMetadata.getSigningCertificate() != null && encSig != null) {
                            BasicX509Credential sigCredential = new BasicX509Credential();
                            sigCredential.setEntityCertificate(idpMetadata.getSigningCertificate());
                            SignatureValidator validator = new SignatureValidator(sigCredential);
                            try {
                                validator.validate(encSig);
                            } catch (ValidationException e) {
                                s_logger.error("SAML Response's signature failed to be validated by IDP signing key:" + e.getMessage());
                                throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "SAML Response's signature failed to be validated by IDP signing key", params, responseType));
                            }
                        }
                        if (assertion.getSubject() != null && assertion.getSubject().getNameID() != null) {
                            session.setAttribute(SAMLPluginConstants.SAML_NAMEID, assertion.getSubject().getNameID().getValue());
                        }
                        if (username == null) {
                            username = SAMLUtils.getValueFromAttributeStatements(assertion.getAttributeStatements(), SAML2AuthManager.SAMLUserAttributeName.value());
                        }
                    }
                }
            }
            if (username == null) {
                throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "Failed to find admin configured username attribute in the SAML Response. Please ask your administrator to check SAML user attribute name.", params, responseType));
            }
            UserAccount userAccount = null;
            List<UserAccountVO> possibleUserAccounts = _userAccountDao.getAllUsersByNameAndEntity(username, issuer.getValue());
            if (possibleUserAccounts != null && possibleUserAccounts.size() > 0) {
                // Users can switch to other allowed accounts later
                for (UserAccountVO possibleUserAccount : possibleUserAccounts) {
                    if (possibleUserAccount.getAccountState().equals(Account.State.enabled.toString())) {
                        userAccount = possibleUserAccount;
                        break;
                    }
                }
            }
            if (userAccount == null || userAccount.getExternalEntity() == null || !_samlAuthManager.isUserAuthorized(userAccount.getId(), issuer.getValue())) {
                throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "Your authenticated user is not authorized for SAML Single Sign-On, please contact your administrator", params, responseType));
            }
            try {
                if (_apiServer.verifyUser(userAccount.getId())) {
                    LoginCmdResponse loginResponse = (LoginCmdResponse) _apiServer.loginUser(session, userAccount.getUsername(), userAccount.getUsername() + userAccount.getSource().toString(), userAccount.getDomainId(), null, remoteAddress, params);
                    SAMLUtils.setupSamlUserCookies(loginResponse, resp);
                    resp.sendRedirect(SAML2AuthManager.SAMLCloudStackRedirectionUrl.value());
                    return ApiResponseSerializer.toSerializedString(loginResponse, responseType);
                }
            } catch (CloudAuthenticationException | IOException exception) {
                s_logger.debug("SAML Login failed to log in the user due to: " + exception.getMessage());
            }
        }
    } catch (IOException e) {
        auditTrailSb.append("SP initiated SAML authentication using HTTP redirection failed:");
        auditTrailSb.append(e.getMessage());
    }
    throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "Unable to authenticate user while performing SAML based SSO. Please make sure your user/account has been added, enable and authorized by the admin before you can authenticate. Please contact your administrator.", params, responseType));
}
Also used : ValidationException(org.opensaml.xml.validation.ValidationException) Issuer(org.opensaml.saml2.core.Issuer) SAMLTokenVO(org.apache.cloudstack.saml.SAMLTokenVO) CloudAuthenticationException(com.cloud.exception.CloudAuthenticationException) StaticKeyInfoCredentialResolver(org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver) ServerApiException(org.apache.cloudstack.api.ServerApiException) SAMLProviderMetadata(org.apache.cloudstack.saml.SAMLProviderMetadata) BasicX509Credential(org.opensaml.xml.security.x509.BasicX509Credential) Credential(org.opensaml.xml.security.credential.Credential) Assertion(org.opensaml.saml2.core.Assertion) EncryptedAssertion(org.opensaml.saml2.core.EncryptedAssertion) Decrypter(org.opensaml.saml2.encryption.Decrypter) IOException(java.io.IOException) LoginCmdResponse(org.apache.cloudstack.api.response.LoginCmdResponse) Response(org.opensaml.saml2.core.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) UserAccountVO(com.cloud.user.UserAccountVO) BasicX509Credential(org.opensaml.xml.security.x509.BasicX509Credential) EncryptedAssertion(org.opensaml.saml2.core.EncryptedAssertion) Signature(org.opensaml.xml.signature.Signature) SignatureValidator(org.opensaml.xml.signature.SignatureValidator) InlineEncryptedKeyResolver(org.opensaml.xml.encryption.InlineEncryptedKeyResolver) DecryptionException(org.opensaml.xml.encryption.DecryptionException) UserAccount(com.cloud.user.UserAccount) LoginCmdResponse(org.apache.cloudstack.api.response.LoginCmdResponse) InlineEncryptedKeyResolver(org.opensaml.xml.encryption.InlineEncryptedKeyResolver) EncryptedKeyResolver(org.opensaml.xml.encryption.EncryptedKeyResolver)

Example 3 with BasicX509Credential

use of org.opensaml.xml.security.x509.BasicX509Credential in project cas by apereo.

the class WsFederationConfiguration method getSigningCredential.

/**
     * getSigningCredential loads up an X509Credential from a file.
     *
     * @param resource the signing certificate file
     * @return an X509 credential
     */
private Credential getSigningCredential(final Resource resource) {
    try (InputStream inputStream = resource.getInputStream()) {
        final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        final X509Certificate certificate = (X509Certificate) certificateFactory.generateCertificate(inputStream);
        final Credential publicCredential = new BasicX509Credential(certificate);
        LOGGER.debug("getSigningCredential: key retrieved.");
        return publicCredential;
    } catch (final Exception ex) {
        LOGGER.error(ex.getMessage(), ex);
    }
    return null;
}
Also used : Credential(org.opensaml.security.credential.Credential) BasicX509Credential(org.opensaml.security.x509.BasicX509Credential) BasicX509Credential(org.opensaml.security.x509.BasicX509Credential) InputStream(java.io.InputStream) CertificateFactory(java.security.cert.CertificateFactory) X509Certificate(java.security.cert.X509Certificate)

Example 4 with BasicX509Credential

use of org.opensaml.xml.security.x509.BasicX509Credential in project cas by apereo.

the class WsFederationHelper method getEncryptionCredential.

private static Credential getEncryptionCredential(final WsFederationConfiguration config) {
    try {
        // This will need to contain the private keypair in PEM format
        LOGGER.debug("Locating encryption credential private key [{}]", config.getEncryptionPrivateKey());
        final BufferedReader br = new BufferedReader(new InputStreamReader(config.getEncryptionPrivateKey().getInputStream(), StandardCharsets.UTF_8));
        Security.addProvider(new BouncyCastleProvider());
        LOGGER.debug("Parsing credential private key");
        final PEMParser pemParser = new PEMParser(br);
        final Object privateKeyPemObject = pemParser.readObject();
        final JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider(new BouncyCastleProvider());
        final KeyPair kp;
        if (privateKeyPemObject instanceof PEMEncryptedKeyPair) {
            LOGGER.debug("Encryption private key is an encrypted keypair");
            final PEMEncryptedKeyPair ckp = (PEMEncryptedKeyPair) privateKeyPemObject;
            final PEMDecryptorProvider decProv = new JcePEMDecryptorProviderBuilder().build(config.getEncryptionPrivateKeyPassword().toCharArray());
            LOGGER.debug("Attempting to decrypt the encrypted keypair based on the provided encryption private key password");
            kp = converter.getKeyPair(ckp.decryptKeyPair(decProv));
        } else {
            LOGGER.debug("Extracting a keypair from the private key");
            kp = converter.getKeyPair((PEMKeyPair) privateKeyPemObject);
        }
        final X509CertParser certParser = new X509CertParser();
        // This is the certificate shared with ADFS in DER format, i.e certificate.crt
        LOGGER.debug("Locating encryption certificate [{}]", config.getEncryptionCertificate());
        certParser.engineInit(config.getEncryptionCertificate().getInputStream());
        LOGGER.debug("Invoking certificate engine to parse the certificate [{}]", config.getEncryptionCertificate());
        final X509CertificateObject cert = (X509CertificateObject) certParser.engineRead();
        LOGGER.debug("Creating final credential based on the certificate [{}] and the private key", cert.getIssuerDN());
        return new BasicX509Credential(cert, kp.getPrivate());
    } catch (final Exception e) {
        throw Throwables.propagate(e);
    }
}
Also used : KeyPair(java.security.KeyPair) PEMEncryptedKeyPair(org.bouncycastle.openssl.PEMEncryptedKeyPair) PEMKeyPair(org.bouncycastle.openssl.PEMKeyPair) InputStreamReader(java.io.InputStreamReader) PEMDecryptorProvider(org.bouncycastle.openssl.PEMDecryptorProvider) JcaPEMKeyConverter(org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter) JcePEMDecryptorProviderBuilder(org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder) SignatureException(org.opensaml.xmlsec.signature.support.SignatureException) SecurityException(org.opensaml.security.SecurityException) X509CertParser(org.bouncycastle.jce.provider.X509CertParser) PEMEncryptedKeyPair(org.bouncycastle.openssl.PEMEncryptedKeyPair) PEMParser(org.bouncycastle.openssl.PEMParser) X509CertificateObject(org.bouncycastle.jce.provider.X509CertificateObject) BasicX509Credential(org.opensaml.security.x509.BasicX509Credential) BufferedReader(java.io.BufferedReader) XMLObject(org.opensaml.core.xml.XMLObject) X509CertificateObject(org.bouncycastle.jce.provider.X509CertificateObject) PEMKeyPair(org.bouncycastle.openssl.PEMKeyPair) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)

Example 5 with BasicX509Credential

use of org.opensaml.xml.security.x509.BasicX509Credential in project cloudstack by apache.

the class GetServiceProviderMetaDataCmd method authenticate.

@Override
public String authenticate(String command, Map<String, Object[]> params, HttpSession session, InetAddress remoteAddress, String responseType, StringBuilder auditTrailSb, final HttpServletRequest req, final HttpServletResponse resp) throws ServerApiException {
    SAMLMetaDataResponse response = new SAMLMetaDataResponse();
    response.setResponseName(getCommandName());
    try {
        DefaultBootstrap.bootstrap();
    } catch (ConfigurationException | FactoryConfigurationError e) {
        s_logger.error("OpenSAML Bootstrapping error: " + e.getMessage());
        throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "OpenSAML Bootstrapping error while creating SP MetaData", params, responseType));
    }
    final SAMLProviderMetadata spMetadata = _samlAuthManager.getSPMetadata();
    EntityDescriptor spEntityDescriptor = new EntityDescriptorBuilder().buildObject();
    spEntityDescriptor.setEntityID(spMetadata.getEntityId());
    SPSSODescriptor spSSODescriptor = new SPSSODescriptorBuilder().buildObject();
    spSSODescriptor.setWantAssertionsSigned(true);
    spSSODescriptor.setAuthnRequestsSigned(true);
    X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
    keyInfoGeneratorFactory.setEmitEntityCertificate(true);
    KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
    KeyDescriptor signKeyDescriptor = new KeyDescriptorBuilder().buildObject();
    signKeyDescriptor.setUse(UsageType.SIGNING);
    KeyDescriptor encKeyDescriptor = new KeyDescriptorBuilder().buildObject();
    encKeyDescriptor.setUse(UsageType.ENCRYPTION);
    BasicX509Credential signingCredential = new BasicX509Credential();
    signingCredential.setEntityCertificate(spMetadata.getSigningCertificate());
    BasicX509Credential encryptionCredential = new BasicX509Credential();
    encryptionCredential.setEntityCertificate(spMetadata.getEncryptionCertificate());
    try {
        signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(signingCredential));
        encKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(encryptionCredential));
        spSSODescriptor.getKeyDescriptors().add(signKeyDescriptor);
        spSSODescriptor.getKeyDescriptors().add(encKeyDescriptor);
    } catch (SecurityException e) {
        s_logger.warn("Unable to add SP X509 descriptors:" + e.getMessage());
    }
    NameIDFormat nameIDFormat = new NameIDFormatBuilder().buildObject();
    nameIDFormat.setFormat(NameIDType.PERSISTENT);
    spSSODescriptor.getNameIDFormats().add(nameIDFormat);
    NameIDFormat emailNameIDFormat = new NameIDFormatBuilder().buildObject();
    emailNameIDFormat.setFormat(NameIDType.EMAIL);
    spSSODescriptor.getNameIDFormats().add(emailNameIDFormat);
    NameIDFormat transientNameIDFormat = new NameIDFormatBuilder().buildObject();
    transientNameIDFormat.setFormat(NameIDType.TRANSIENT);
    spSSODescriptor.getNameIDFormats().add(transientNameIDFormat);
    AssertionConsumerService assertionConsumerService = new AssertionConsumerServiceBuilder().buildObject();
    assertionConsumerService.setIndex(1);
    assertionConsumerService.setIsDefault(true);
    assertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
    assertionConsumerService.setLocation(spMetadata.getSsoUrl());
    spSSODescriptor.getAssertionConsumerServices().add(assertionConsumerService);
    AssertionConsumerService assertionConsumerService2 = new AssertionConsumerServiceBuilder().buildObject();
    assertionConsumerService2.setIndex(2);
    assertionConsumerService2.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
    assertionConsumerService2.setLocation(spMetadata.getSsoUrl());
    spSSODescriptor.getAssertionConsumerServices().add(assertionConsumerService2);
    SingleLogoutService ssoService = new SingleLogoutServiceBuilder().buildObject();
    ssoService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
    ssoService.setLocation(spMetadata.getSloUrl());
    spSSODescriptor.getSingleLogoutServices().add(ssoService);
    SingleLogoutService ssoService2 = new SingleLogoutServiceBuilder().buildObject();
    ssoService2.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
    ssoService2.setLocation(spMetadata.getSloUrl());
    spSSODescriptor.getSingleLogoutServices().add(ssoService2);
    spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
    spEntityDescriptor.getRoleDescriptors().add(spSSODescriptor);
    // Add technical contact
    GivenName givenName = new GivenNameBuilder().buildObject();
    givenName.setName(spMetadata.getContactPersonName());
    EmailAddress emailAddress = new EmailAddressBuilder().buildObject();
    emailAddress.setAddress(spMetadata.getContactPersonEmail());
    ContactPerson contactPerson = new ContactPersonBuilder().buildObject();
    contactPerson.setType(ContactPersonTypeEnumeration.TECHNICAL);
    contactPerson.setGivenName(givenName);
    contactPerson.getEmailAddresses().add(emailAddress);
    spEntityDescriptor.getContactPersons().add(contactPerson);
    // Add administrative/support contact
    GivenName givenNameAdmin = new GivenNameBuilder().buildObject();
    givenNameAdmin.setName(spMetadata.getContactPersonName());
    EmailAddress emailAddressAdmin = new EmailAddressBuilder().buildObject();
    emailAddressAdmin.setAddress(spMetadata.getContactPersonEmail());
    ContactPerson contactPersonAdmin = new ContactPersonBuilder().buildObject();
    contactPersonAdmin.setType(ContactPersonTypeEnumeration.ADMINISTRATIVE);
    contactPersonAdmin.setGivenName(givenNameAdmin);
    contactPersonAdmin.getEmailAddresses().add(emailAddressAdmin);
    spEntityDescriptor.getContactPersons().add(contactPersonAdmin);
    Organization organization = new OrganizationBuilder().buildObject();
    OrganizationName organizationName = new OrganizationNameBuilder().buildObject();
    organizationName.setName(new LocalizedString(spMetadata.getOrganizationName(), Locale.getDefault().getLanguage()));
    OrganizationURL organizationURL = new OrganizationURLBuilder().buildObject();
    organizationURL.setURL(new LocalizedString(spMetadata.getOrganizationUrl(), Locale.getDefault().getLanguage()));
    organization.getOrganizationNames().add(organizationName);
    organization.getURLs().add(organizationURL);
    spEntityDescriptor.setOrganization(organization);
    StringWriter stringWriter = new StringWriter();
    try {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document document = builder.newDocument();
        Marshaller out = Configuration.getMarshallerFactory().getMarshaller(spEntityDescriptor);
        out.marshall(spEntityDescriptor, document);
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        StreamResult streamResult = new StreamResult(stringWriter);
        DOMSource source = new DOMSource(document);
        transformer.transform(source, streamResult);
        stringWriter.close();
        response.setMetadata(stringWriter.toString());
    } catch (ParserConfigurationException | IOException | MarshallingException | TransformerException e) {
        if (responseType.equals(HttpUtils.JSON_CONTENT_TYPE)) {
            response.setMetadata("Error creating Service Provider MetaData XML: " + e.getMessage());
        } else {
            return "Error creating Service Provider MetaData XML: " + e.getMessage();
        }
    }
    // For JSON type return serialized response object
    if (responseType.equals(HttpUtils.RESPONSE_TYPE_JSON)) {
        return ApiResponseSerializer.toSerializedString(response, responseType);
    }
    // For other response types return XML
    return stringWriter.toString();
}
Also used : OrganizationName(org.opensaml.saml2.metadata.OrganizationName) EmailAddressBuilder(org.opensaml.saml2.metadata.impl.EmailAddressBuilder) DOMSource(javax.xml.transform.dom.DOMSource) SAMLMetaDataResponse(org.apache.cloudstack.api.response.SAMLMetaDataResponse) Organization(org.opensaml.saml2.metadata.Organization) OrganizationNameBuilder(org.opensaml.saml2.metadata.impl.OrganizationNameBuilder) DocumentBuilderFactory(javax.xml.parsers.DocumentBuilderFactory) Transformer(javax.xml.transform.Transformer) SPSSODescriptorBuilder(org.opensaml.saml2.metadata.impl.SPSSODescriptorBuilder) KeyDescriptor(org.opensaml.saml2.metadata.KeyDescriptor) GivenName(org.opensaml.saml2.metadata.GivenName) NameIDFormatBuilder(org.opensaml.saml2.metadata.impl.NameIDFormatBuilder) LocalizedString(org.opensaml.saml2.metadata.LocalizedString) Document(org.w3c.dom.Document) EntityDescriptorBuilder(org.opensaml.saml2.metadata.impl.EntityDescriptorBuilder) ContactPerson(org.opensaml.saml2.metadata.ContactPerson) SPSSODescriptor(org.opensaml.saml2.metadata.SPSSODescriptor) KeyInfoGenerator(org.opensaml.xml.security.keyinfo.KeyInfoGenerator) ServerApiException(org.apache.cloudstack.api.ServerApiException) StringWriter(java.io.StringWriter) MarshallingException(org.opensaml.xml.io.MarshallingException) ParserConfigurationException(javax.xml.parsers.ParserConfigurationException) ConfigurationException(org.opensaml.xml.ConfigurationException) SingleLogoutServiceBuilder(org.opensaml.saml2.metadata.impl.SingleLogoutServiceBuilder) AssertionConsumerService(org.opensaml.saml2.metadata.AssertionConsumerService) OrganizationBuilder(org.opensaml.saml2.metadata.impl.OrganizationBuilder) ParserConfigurationException(javax.xml.parsers.ParserConfigurationException) SAMLProviderMetadata(org.apache.cloudstack.saml.SAMLProviderMetadata) FactoryConfigurationError(javax.xml.stream.FactoryConfigurationError) GivenNameBuilder(org.opensaml.saml2.metadata.impl.GivenNameBuilder) TransformerException(javax.xml.transform.TransformerException) X509KeyInfoGeneratorFactory(org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory) Marshaller(org.opensaml.xml.io.Marshaller) OrganizationURLBuilder(org.opensaml.saml2.metadata.impl.OrganizationURLBuilder) StreamResult(javax.xml.transform.stream.StreamResult) SingleLogoutService(org.opensaml.saml2.metadata.SingleLogoutService) AssertionConsumerServiceBuilder(org.opensaml.saml2.metadata.impl.AssertionConsumerServiceBuilder) SecurityException(org.opensaml.xml.security.SecurityException) IOException(java.io.IOException) EmailAddress(org.opensaml.saml2.metadata.EmailAddress) ContactPersonBuilder(org.opensaml.saml2.metadata.impl.ContactPersonBuilder) EntityDescriptor(org.opensaml.saml2.metadata.EntityDescriptor) NameIDFormat(org.opensaml.saml2.metadata.NameIDFormat) BasicX509Credential(org.opensaml.xml.security.x509.BasicX509Credential) DocumentBuilder(javax.xml.parsers.DocumentBuilder) KeyDescriptorBuilder(org.opensaml.saml2.metadata.impl.KeyDescriptorBuilder) OrganizationURL(org.opensaml.saml2.metadata.OrganizationURL)

Aggregations

BasicX509Credential (org.opensaml.security.x509.BasicX509Credential)5 X509Certificate (java.security.cert.X509Certificate)3 IOException (java.io.IOException)2 PrivateKey (java.security.PrivateKey)2 ServerApiException (org.apache.cloudstack.api.ServerApiException)2 SAMLProviderMetadata (org.apache.cloudstack.saml.SAMLProviderMetadata)2 CloudAuthenticationException (com.cloud.exception.CloudAuthenticationException)1 UserAccount (com.cloud.user.UserAccount)1 UserAccountVO (com.cloud.user.UserAccountVO)1 BufferedReader (java.io.BufferedReader)1 InputStream (java.io.InputStream)1 InputStreamReader (java.io.InputStreamReader)1 StringWriter (java.io.StringWriter)1 KeyPair (java.security.KeyPair)1 CertificateFactory (java.security.cert.CertificateFactory)1 ArrayList (java.util.ArrayList)1 HttpServletResponse (javax.servlet.http.HttpServletResponse)1 DocumentBuilder (javax.xml.parsers.DocumentBuilder)1 DocumentBuilderFactory (javax.xml.parsers.DocumentBuilderFactory)1 ParserConfigurationException (javax.xml.parsers.ParserConfigurationException)1