Use of org.pac4j.saml.config.SAML2Configuration in project cas by apereo.
The class SamlObjectSignatureValidatorTests, method setupTestContextFor.
/**
 * Wires up the fixture shared by the tests in this class: a pac4j SAML2 client configuration,
 * a message context whose peer (IdP) and self (SP) entities carry resolved role descriptors,
 * and the metadata facade of a registered service pointing at the given SP metadata.
 *
 * @param spMetadataPath path of the service provider metadata file to register
 * @param spEntityId     entity id assigned to the service provider
 * @throws Exception if the configuration, a metadata resolver or the facade cannot be initialized
 */
private void setupTestContextFor(final String spMetadataPath, final String spEntityId) throws Exception {
    val idpMetadataPath = new File("src/test/resources/metadata/idp-metadata.xml").getCanonicalPath();
    val keystoreFile = new File(FileUtils.getTempDirectory(), "keystore").getCanonicalPath();

    saml2ClientConfiguration = new SAML2Configuration(keystoreFile, "changeit", "changeit", idpMetadataPath);
    saml2ClientConfiguration.setServiceProviderEntityId(spEntityId);
    saml2ClientConfiguration.setServiceProviderMetadataPath(spMetadataPath);
    saml2ClientConfiguration.init();

    val client = new SAML2Client(saml2ClientConfiguration);
    client.setCallbackUrl("http://callback.example.org");
    client.init();

    samlContext = new MessageContext();
    saml2MessageContext = new SAML2MessageContext();
    saml2MessageContext.setSaml2Configuration(saml2ClientConfiguration);
    saml2MessageContext.setWebContext(new JEEContext(new MockHttpServletRequest(), new MockHttpServletResponse()));

    // Peer entity: the identity provider, with its IDPSSODescriptor resolved from the CAS IdP metadata.
    val peerEntity = saml2MessageContext.getMessageContext().getSubcontext(SAMLPeerEntityContext.class, true);
    assertNotNull(peerEntity);
    peerEntity.setEntityId("https://cas.example.org/idp");
    val peerMetadata = peerEntity.getSubcontext(SAMLMetadataContext.class, true);
    assertNotNull(peerMetadata);
    val idpRoleResolver = SamlIdPUtils.getRoleDescriptorResolver(casSamlIdPMetadataResolver, true);
    val idpCriteria = new CriteriaSet(
        new EntityIdCriterion(Objects.requireNonNull(peerEntity.getEntityId())),
        new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
    peerMetadata.setRoleDescriptor(idpRoleResolver.resolveSingle(idpCriteria));

    // Self entity: the service provider, with its SPSSODescriptor resolved from the SP metadata
    // resource exposed by the configuration.
    val selfEntity = saml2MessageContext.getMessageContext().getSubcontext(SAMLSelfEntityContext.class, true);
    assertNotNull(selfEntity);
    selfEntity.setEntityId(saml2ClientConfiguration.getServiceProviderEntityId());
    val selfMetadata = selfEntity.getSubcontext(SAMLMetadataContext.class, true);
    assertNotNull(selfMetadata);
    val spMetadataResolver = new InMemoryResourceMetadataResolver(
        saml2ClientConfiguration.getServiceProviderMetadataResource(), openSamlConfigBean);
    spMetadataResolver.setId(getClass().getSimpleName());
    spMetadataResolver.initialize();
    val spRoleResolver = SamlIdPUtils.getRoleDescriptorResolver(spMetadataResolver, true);
    val spCriteria = new CriteriaSet(
        new EntityIdCriterion(Objects.requireNonNull(selfEntity.getEntityId())),
        new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
    selfMetadata.setRoleDescriptor(spRoleResolver.resolveSingle(spCriteria));

    // Registered service whose metadata facade the tests in this class operate on.
    val registeredService = new SamlRegisteredService();
    registeredService.setName("Sample");
    registeredService.setServiceId(saml2ClientConfiguration.getServiceProviderEntityId());
    registeredService.setId(100);
    registeredService.setDescription("SAML Service");
    registeredService.setMetadataLocation(spMetadataPath);
    this.adaptor = SamlRegisteredServiceServiceProviderMetadataFacade
        .get(samlRegisteredServiceCachingMetadataResolver, registeredService, registeredService.getServiceId())
        .get();
}
Use of org.pac4j.saml.config.SAML2Configuration in project cas by apereo.
The class AuthnRequestRequestedAttributesAttributeReleasePolicyTests, method initialize.
/**
 * Prepares, before each test, a pac4j SAML2 configuration backed by a temporary keystore and
 * SP metadata file, plus a message context whose peer (IdP) and self (SP) entities carry
 * resolved role descriptors.
 *
 * @throws Exception if the configuration or one of the metadata resolvers fails to initialize
 */
@BeforeEach
public void initialize() throws Exception {
    val idpMetadataPath = new File("src/test/resources/metadata/idp-metadata.xml").getCanonicalPath();
    val keystoreFile = new File(FileUtils.getTempDirectory(), "keystore").getCanonicalPath();
    val spMetadataFile = new File(FileUtils.getTempDirectory(), "sp-metadata.xml").getCanonicalPath();

    saml2Configuration = new SAML2Configuration(keystoreFile, "changeit", "changeit", idpMetadataPath);
    saml2Configuration.setServiceProviderEntityId("cas:example:sp");
    saml2Configuration.setServiceProviderMetadataPath(spMetadataFile);
    saml2Configuration.init();

    val client = new SAML2Client(saml2Configuration);
    client.setCallbackUrl("http://callback.example.org");
    client.init();

    saml2MessageContext = new SAML2MessageContext();
    saml2MessageContext.setSaml2Configuration(saml2Configuration);
    saml2MessageContext.setWebContext(new JEEContext(new MockHttpServletRequest(), new MockHttpServletResponse()));

    // Peer entity: the identity provider, with its IDPSSODescriptor resolved from the CAS IdP metadata.
    val peerEntity = saml2MessageContext.getMessageContext().getSubcontext(SAMLPeerEntityContext.class, true);
    assertNotNull(peerEntity);
    peerEntity.setEntityId("https://cas.example.org/idp");
    val peerMetadata = peerEntity.getSubcontext(SAMLMetadataContext.class, true);
    assertNotNull(peerMetadata);
    val idpRoleResolver = SamlIdPUtils.getRoleDescriptorResolver(casSamlIdPMetadataResolver, true);
    val idpCriteria = new CriteriaSet(
        new EntityIdCriterion(Objects.requireNonNull(peerEntity.getEntityId())),
        new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
    peerMetadata.setRoleDescriptor(idpRoleResolver.resolveSingle(idpCriteria));

    // Self entity: the service provider, with its SPSSODescriptor resolved from the SP metadata file.
    val selfEntity = saml2MessageContext.getMessageContext().getSubcontext(SAMLSelfEntityContext.class, true);
    assertNotNull(selfEntity);
    selfEntity.setEntityId(saml2Configuration.getServiceProviderEntityId());
    val selfMetadata = selfEntity.getSubcontext(SAMLMetadataContext.class, true);
    assertNotNull(selfMetadata);
    val spMetadataResolver = new InMemoryResourceMetadataResolver(new File(spMetadataFile), openSamlConfigBean);
    spMetadataResolver.setId(getClass().getSimpleName());
    spMetadataResolver.initialize();
    val spRoleResolver = SamlIdPUtils.getRoleDescriptorResolver(spMetadataResolver, true);
    val spCriteria = new CriteriaSet(
        new EntityIdCriterion(Objects.requireNonNull(selfEntity.getEntityId())),
        new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
    selfMetadata.setRoleDescriptor(spRoleResolver.resolveSingle(spCriteria));
}
Use of org.pac4j.saml.config.SAML2Configuration in project cas by apereo.
The class DefaultDelegatedClientFactory, method configureSamlClient.
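/**
 * Configure saml client.
 * <p>
 * Builds one pac4j {@link SAML2Client} per enabled SAML entry of the CAS pac4j settings that
 * carries a keystore path, an identity provider metadata path, a service provider entity id and
 * a service provider metadata path, and adds each client to {@code properties}. Entries missing
 * any of those values are skipped without being reported.
 *
 * @param properties the collection the created clients are added to
 */
protected void configureSamlClient(final Collection<IndirectClient> properties) {
    val pac4jProperties = casProperties.getAuthn().getPac4j();
    val index = new AtomicInteger();
    pac4jProperties.getSaml()
        .stream()
        .filter(saml -> saml.isEnabled()
            && StringUtils.isNotBlank(saml.getKeystorePath())
            && StringUtils.isNotBlank(saml.getIdentityProviderMetadataPath())
            && StringUtils.isNotBlank(saml.getServiceProviderEntityId())
            && StringUtils.isNotBlank(saml.getServiceProviderMetadataPath()))
        .forEach(saml -> {
            val cfg = new SAML2Configuration(saml.getKeystorePath(), saml.getKeystorePassword(),
                saml.getPrivateKeyPassword(), saml.getIdentityProviderMetadataPath());
            cfg.setForceKeystoreGeneration(saml.isForceKeystoreGeneration());
            if (saml.getCertificateExpirationDays() > 0) {
                cfg.setCertificateExpirationPeriod(Period.ofDays(saml.getCertificateExpirationDays()));
            }
            FunctionUtils.doIfNotNull(saml.getCertificateSignatureAlg(), cfg::setCertificateSignatureAlg);
            cfg.setCertificateNameToAppend(StringUtils.defaultIfBlank(saml.getCertificateNameToAppend(), saml.getClientName()));
            cfg.setMaximumAuthenticationLifetime(Beans.newDuration(saml.getMaximumAuthenticationLifetime()).toSeconds());
            cfg.setServiceProviderEntityId(saml.getServiceProviderEntityId());
            cfg.setServiceProviderMetadataPath(saml.getServiceProviderMetadataPath());
            cfg.setAuthnRequestBindingType(saml.getDestinationBinding());
            cfg.setForceAuth(saml.isForceAuth());
            cfg.setPassive(saml.isPassive());
            cfg.setSignMetadata(saml.isSignServiceProviderMetadata());
            cfg.setMetadataSigner(new XMLSecSAML2MetadataSigner(cfg));
            cfg.setAuthnRequestSigned(saml.isSignAuthnRequest());
            cfg.setSpLogoutRequestSigned(saml.isSignServiceProviderLogoutRequest());
            cfg.setAcceptedSkew(Beans.newDuration(saml.getAcceptedSkew()).toSeconds());
            // Outbound TLS (metadata fetches etc.) uses the CAS-wide SSL context and hostname verifier.
            cfg.setSslSocketFactory(casSSLContext.getSslContext().getSocketFactory());
            cfg.setHostnameVerifier(casSSLContext.getHostnameVerifier());
            if (StringUtils.isNotBlank(saml.getPrincipalIdAttribute())) {
                cfg.setAttributeAsId(saml.getPrincipalIdAttribute());
            }
            // Signature expectations for inbound SAML messages are passed through exactly as configured.
            // Disabling all signature validation removes the integrity check on what the IdP sends.
            cfg.setWantsAssertionsSigned(saml.isWantsAssertionsSigned());
            cfg.setWantsResponsesSigned(saml.isWantsResponsesSigned());
            cfg.setAllSignatureValidationDisabled(saml.isAllSignatureValidationDisabled());
            cfg.setUseNameQualifier(saml.isUseNameQualifier());
            cfg.setAttributeConsumingServiceIndex(saml.getAttributeConsumingServiceIndex());
            // Message store: a bean registered under BEAN_NAME_SAML2_CLIENT_MESSAGE_FACTORY wins; otherwise
            // the configured name selects EMPTY, SESSION, or a fully-qualified class that is instantiated
            // reflectively (the class name comes from CAS settings, never from request data).
            if (applicationContext.containsBean(DelegatedClientFactory.BEAN_NAME_SAML2_CLIENT_MESSAGE_FACTORY)) {
                val factory = applicationContext.getBean(DelegatedClientFactory.BEAN_NAME_SAML2_CLIENT_MESSAGE_FACTORY, SAMLMessageStoreFactory.class);
                cfg.setSamlMessageStoreFactory(factory);
            } else {
                FunctionUtils.doIf(saml.getMessageStoreFactory().equalsIgnoreCase("EMPTY"), ig -> cfg.setSamlMessageStoreFactory(new EmptyStoreFactory())).accept(saml);
                FunctionUtils.doIf(saml.getMessageStoreFactory().equalsIgnoreCase("SESSION"), ig -> cfg.setSamlMessageStoreFactory(new HttpSessionStoreFactory())).accept(saml);
                if (saml.getMessageStoreFactory().contains(".")) {
                    Unchecked.consumer(ig -> {
                        val clazz = ClassUtils.getClass(DefaultDelegatedClientFactory.class.getClassLoader(), saml.getMessageStoreFactory());
                        val factory = SAMLMessageStoreFactory.class.cast(clazz.getDeclaredConstructor().newInstance());
                        cfg.setSamlMessageStoreFactory(factory);
                    }).accept(saml);
                }
            }
            if (saml.getAssertionConsumerServiceIndex() >= 0) {
                cfg.setAssertionConsumerServiceIndex(saml.getAssertionConsumerServiceIndex());
            }
            if (!saml.getAuthnContextClassRef().isEmpty()) {
                cfg.setComparisonType(saml.getAuthnContextComparisonType().toUpperCase());
                cfg.setAuthnContextClassRefs(saml.getAuthnContextClassRef());
            }
            if (StringUtils.isNotBlank(saml.getKeystoreAlias())) {
                cfg.setKeystoreAlias(saml.getKeystoreAlias());
            }
            if (StringUtils.isNotBlank(saml.getNameIdPolicyFormat())) {
                cfg.setNameIdPolicyFormat(saml.getNameIdPolicyFormat());
            }
            if (!saml.getRequestedAttributes().isEmpty()) {
                saml.getRequestedAttributes()
                    .stream()
                    .map(attribute -> new SAML2ServiceProviderRequestedAttribute(attribute.getName(),
                        attribute.getFriendlyName(), attribute.getNameFormat(), attribute.isRequired()))
                    .forEach(attribute -> cfg.getRequestedServiceProviderAttributes().add(attribute));
            }
            // Algorithm settings are applied only when explicitly set, so an empty or blank setting
            // never overwrites whatever the configuration already holds.
            if (!saml.getBlockedSignatureSigningAlgorithms().isEmpty()) {
                cfg.setBlackListedSignatureSigningAlgorithms(saml.getBlockedSignatureSigningAlgorithms());
            }
            if (!saml.getSignatureAlgorithms().isEmpty()) {
                cfg.setSignatureAlgorithms(saml.getSignatureAlgorithms());
            }
            if (!saml.getSignatureReferenceDigestMethods().isEmpty()) {
                cfg.setSignatureReferenceDigestMethods(saml.getSignatureReferenceDigestMethods());
            }
            // Fix: the guard was negated, which applied the canonicalization algorithm only when the
            // setting was blank (pushing a blank value into the configuration) and never when one was set.
            if (StringUtils.isNotBlank(saml.getSignatureCanonicalizationAlgorithm())) {
                cfg.setSignatureCanonicalizationAlgorithm(saml.getSignatureCanonicalizationAlgorithm());
            }
            cfg.setProviderName(saml.getProviderName());
            cfg.setNameIdPolicyAllowCreate(saml.getNameIdPolicyAllowCreate().toBoolean());
            val mappedAttributes = saml.getMappedAttributes();
            if (!mappedAttributes.isEmpty()) {
                cfg.setMappedAttributes(CollectionUtils.convertDirectedListToMap(mappedAttributes));
            }
            val client = new SAML2Client(cfg);
            if (StringUtils.isBlank(saml.getClientName())) {
                // Unnamed clients get a positional suffix so several of them can coexist.
                val count = index.intValue();
                client.setName(client.getClass().getSimpleName() + count);
            }
            configureClient(client, saml);
            index.incrementAndGet();
            LOGGER.debug("Created delegated client [{}]", client);
            properties.add(client);
        });
}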
Use of org.pac4j.saml.config.SAML2Configuration in project hive by apache.
The class HiveSaml2Client, method getSamlConfig.
/**
 * Extracts the SAML specific configuration needed to initialize the SAML2.0 client.
 *
 * @param conf Hive configuration holding the HIVE_SERVER2_SAML_* settings
 * @return a populated pac4j SAML2 configuration
 * @throws Exception propagated from the configuration lookups (for instance the password reads)
 */
private static SAML2Configuration getSamlConfig(HiveConf conf) throws Exception {
    // by default the SAML2Client will create the keystore if the keystore path provided
    // doesn't exist. The directory where the keystore path is set must be accessible.
    final String keystorePath = conf.get(ConfVars.HIVE_SERVER2_SAML_KEYSTORE_PATH.varname);
    final String keystorePassword =
        String.valueOf(conf.getPassword(ConfVars.HIVE_SERVER2_SAML_KEYSTORE_PASSWORD.varname));
    final String privateKeyPassword =
        String.valueOf(conf.getPassword(ConfVars.HIVE_SERVER2_SAML_PRIVATE_KEY_PASSWORD.varname));
    final String idpMetadata = conf.get(ConfVars.HIVE_SERVER2_SAML_IDP_METADATA.varname);
    final SAML2Configuration config =
        new SAML2Configuration(keystorePath, keystorePassword, privateKeyPassword, idpMetadata);

    // Requests go out via HTTP-Redirect, responses come back via HTTP-POST.
    config.setAuthnRequestBindingType(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
    config.setResponseBindingType(SAML2_POST_BINDING_URI);
    config.setForceAuth(conf.getBoolean(ConfVars.HIVE_SERVER2_SAML_FORCE_AUTH.varname, false));
    final int lifetimeSeconds =
        (int) conf.getTimeVar(ConfVars.HIVE_SERVER2_SAML_AUTHENTICATION_LIFETIME, TimeUnit.SECONDS);
    config.setMaximumAuthenticationLifetime(lifetimeSeconds);

    // The ACS index is optional; only apply it when the setting is present.
    if (!conf.get(ConfVars.HIVE_SERVER2_SAML_ACS_INDEX.varname, "").isEmpty()) {
        config.setAssertionConsumerServiceIndex(conf.getIntVar(ConfVars.HIVE_SERVER2_SAML_ACS_INDEX));
    }

    // Comma-separated list of signature algorithms that must be rejected, if configured.
    final String disallowedAlgorithms =
        conf.get(ConfVars.HIVE_SERVER2_SAML_BLACKLISTED_SIGNATURE_ALGORITHMS.varname, "");
    if (!disallowedAlgorithms.isEmpty()) {
        LOG.info("List of disallowed signature algorithms: " + disallowedAlgorithms);
        final List<String> rejectedAlgorithms = Splitter.on(',').splitToList(disallowedAlgorithms);
        config.setBlackListedSignatureSigningAlgorithms(rejectedAlgorithms);
    }

    // if the SP id is set use it else we configure the SP Id as the callback id.
    // this behavior IDP dependent. E.g. in case of Okta we can explicitly set a
    // different SP id.
    final String serviceProviderId = conf.get(ConfVars.HIVE_SERVER2_SAML_SP_ID.varname, getCallBackUrl(conf));
    config.setServiceProviderEntityId(serviceProviderId);
    config.setWantsAssertionsSigned(conf.getBoolVar(ConfVars.HIVE_SERVER2_SAML_WANT_ASSERTIONS_SIGNED));
    config.setAuthnRequestSigned(conf.getBoolVar(ConfVars.HIVE_SERVER2_SAML_SIGN_REQUESTS));
    return config;
}
Use of org.pac4j.saml.config.SAML2Configuration in project cas by apereo.
The class DefaultDelegatedClientAuthenticationWebflowManagerTests, method verifySamlStoreOperation.
/**
 * Stores the state of a SAML2 client through the webflow manager and checks that the resulting
 * ticket is registered, that its id is what the session store holds under the SAML relay-state key,
 * that it can be retrieved back via the {@code RelayState} request parameter, and that retrieval
 * removes it from the ticket registry.
 *
 * @throws Exception if storing or retrieving the client state fails
 */
@Test
public void verifySamlStoreOperation() throws Exception {
    val saml2Client = new SAML2Client(new SAML2Configuration());
    val storedTicket = delegatedClientAuthenticationWebflowManager.store(context, saml2Client);
    val ticketId = storedTicket.getId();
    assertNotNull(ticketRegistry.getTicket(ticketId));
    val relayState = delegatedClientDistributedSessionStore.get(context, SAML2StateGenerator.SAML_RELAY_STATE_ATTRIBUTE);
    assertEquals(ticketId, relayState.get());

    httpServletRequest.addParameter("RelayState", ticketId);
    val resolvedService = delegatedClientAuthenticationWebflowManager.retrieve(requestContext, context, saml2Client);
    assertNotNull(resolvedService);
    assertNull(ticketRegistry.getTicket(ticketId));
}