Example 1 with SAML2Credentials

Use of org.pac4j.saml.credentials.SAML2Credentials in project hive by apache.

Class HiveSaml2Client, method validate.

/**
 * Given a response which may contain a SAML Assertion, validates it. If the validation
 * is successful, it extracts the nameId from the assertion which is used as the
 * identity of the end user.
 *
 * @param request  the HTTP request carrying the SAML response from the identity provider
 * @param response the HTTP response associated with that request
 * @return the NameId as received in the assertion if the assertion was valid.
 * @throws HttpSamlAuthenticationException In case the assertion is not present or is
 *                                         invalid.
 */
public String validate(HttpServletRequest request, HttpServletResponse response) throws HttpSamlAuthenticationException {
    Optional<SAML2Credentials> credentials;
    try {
        // The pac4j extractor builds the SAML message context and runs the client's
        // profile handler, which validates the response before any credentials are returned.
        SAML2CredentialsExtractor credentialsExtractor = new SAML2CredentialsExtractor(this);
        credentials = credentialsExtractor.extract(new JEEContext(request, response));
    } catch (Exception ex) {
        // Any validation failure is surfaced as an authentication error rather than ignored.
        throw new HttpSamlAuthenticationException("Could not validate the SAML response", ex);
    }
    if (!credentials.isPresent()) {
        throw new HttpSamlAuthenticationException("Credentials could not be extracted");
    }
    String nameId = credentials.get().getNameId().getValue();
    // Authorization step: the asserted attributes must match at least one configured group,
    // otherwise a valid assertion still does not grant access.
    if (!groupNameFilter.apply(credentials.get().getAttributes())) {
        LOG.warn("Could not match any groups for the nameid {}", nameId);
        throw new HttpSamlNoGroupsMatchedException("None of the configured groups match for the user");
    }
    return nameId;
}
Imports used by this example:

import java.io.IOException;
import org.pac4j.core.context.JEEContext;
import org.pac4j.saml.credentials.SAML2Credentials;
import org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor;

Example 2 with SAML2Credentials

Use of org.pac4j.saml.credentials.SAML2Credentials in project pac4j by pac4j.

Class SAML2DefaultResponseValidator, method buildSAML2Credentials.

protected final SAML2Credentials buildSAML2Credentials(final SAML2MessageContext context) {
    // Subject identity, taken from the subject assertion that the validator has already checked.
    final NameID nameId = context.getSAMLSubjectNameIdentifierContext().getSAML2SubjectNameID();
    final Assertion subjectAssertion = context.getSubjectAssertion();
    final String sessionIndex = getSessionIndex(subjectAssertion);
    final String issuerEntityId = subjectAssertion.getIssuer().getValue();
    // Collect the AuthnContextClassRef of every authentication statement so callers
    // can check how the user authenticated at the IdP (e.g. password vs. MFA).
    final List<AuthnStatement> authnStatements = subjectAssertion.getAuthnStatements();
    final List<String> authnContexts = new ArrayList<>();
    for (final AuthnStatement authnStatement : authnStatements) {
        authnContexts.add(authnStatement.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef());
    }
    // Collect plain attributes, then decrypt any EncryptedAttribute with the SP's decrypter.
    final List<Attribute> attributes = new ArrayList<>();
    for (final AttributeStatement attributeStatement : subjectAssertion.getAttributeStatements()) {
        attributes.addAll(attributeStatement.getAttributes());
        if (!attributeStatement.getEncryptedAttributes().isEmpty()) {
            if (decrypter == null) {
                // No keystore configured: encrypted attributes are dropped with a warning, not an error.
                logger.warn("Encrypted attributes returned, but no keystore was provided.");
            } else {
                for (final EncryptedAttribute encryptedAttribute : attributeStatement.getEncryptedAttributes()) {
                    try {
                        attributes.add(decrypter.decrypt(encryptedAttribute));
                    } catch (final DecryptionException e) {
                        // A single undecryptable attribute does not abort the login; it is skipped.
                        logger.warn("Decryption of attribute failed, continue with the next one", e);
                    }
                }
            }
        }
    }
    return new SAML2Credentials(nameId, issuerEntityId, attributes, subjectAssertion.getConditions(), sessionIndex, authnContexts);
}
Imports used by this example:

import java.util.ArrayList;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.EncryptedAttribute;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.pac4j.saml.credentials.SAML2Credentials;
import org.pac4j.saml.exceptions.SAMLNameIdDecryptionException;

Example 3 with SAML2Credentials

Use of org.pac4j.saml.credentials.SAML2Credentials in project pac4j by pac4j.

Class SAML2Client, method clientInit.

@Override
protected void clientInit() {
    CommonHelper.assertNotNull("configuration", this.configuration);
    // First of all, initialize the configuration. It may dynamically load some properties, if it is not a static one.
    this.configuration.init(getName());
    // SP key material: credentials for signing, the decrypter for encrypted assertions/attributes,
    // and the parameters used to sign outbound messages.
    initCredentialProvider();
    initDecrypter();
    initSignatureSigningParametersProvider();
    // IdP and SP metadata are chained into one resolver so the trust engine can look up
    // the IdP signing certificates when verifying inbound responses.
    final MetadataResolver metadataManager = initChainingMetadataResolver(initIdentityProviderMetadataResolver(), initServiceProviderMetadataResolver());
    initSAMLContextProvider(metadataManager);
    initSignatureTrustEngineProvider(metadataManager);
    // The response validator and profile handler perform signature and assertion validation on receive().
    initSAMLResponseValidator();
    initSAMLProfileHandler();
    defaultRedirectActionBuilder(new SAML2RedirectActionBuilder(this));
    // Credentials are only produced after the profile handler has validated the inbound message.
    defaultCredentialsExtractor(ctx -> {
        final SAML2MessageContext samlContext = this.contextProvider.buildContext(ctx);
        return (SAML2Credentials) this.profileHandler.receive(samlContext);
    });
    defaultAuthenticator(new SAML2Authenticator());
    defaultLogoutActionBuilder(new SAML2LogoutActionBuilder<>(this));
}
Imports used by this example:

import org.opensaml.saml.metadata.resolver.ChainingMetadataResolver;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.pac4j.saml.context.SAML2MessageContext;
import org.pac4j.saml.credentials.SAML2Credentials;
import org.pac4j.saml.credentials.authenticator.SAML2Authenticator;
import org.pac4j.saml.metadata.SAML2IdentityProviderMetadataResolver;
import org.pac4j.saml.metadata.SAML2MetadataResolver;
import org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver;
import org.pac4j.saml.redirect.SAML2RedirectActionBuilder;
