Example 1 with SAML2Credentials
use of org.pac4j.saml.credentials.SAML2Credentials in project hive by apache.
the class HiveSaml2Client method validate.
/**
* Given a response which may contain a SAML Assertion, validates it. If the validation
* is successful, it extracts the nameId from the assertion which is used as the
* identity of the end user.
*
* @param request
* @param response
* @return the NameId as received in the assertion if the assertion was valid.
* @throws HttpSamlAuthenticationException In case the assertion is not present or is
* invalid.
*/
public String validate(HttpServletRequest request, HttpServletResponse response) throws HttpSamlAuthenticationException {
Optional<SAML2Credentials> credentials;
try {
SAML2CredentialsExtractor credentialsExtractor = new SAML2CredentialsExtractor(this);
credentials = credentialsExtractor.extract(new JEEContext(request, response));
} catch (Exception ex) {
throw new HttpSamlAuthenticationException("Could not validate the SAML response", ex);
}
if (!credentials.isPresent()) {
throw new HttpSamlAuthenticationException("Credentials could not be extracted");
}
String nameId = credentials.get().getNameId().getValue();
if (!groupNameFilter.apply(credentials.get().getAttributes())) {
LOG.warn("Could not match any groups for the nameid {}", nameId);
throw new HttpSamlNoGroupsMatchedException("None of the configured groups match for the user");
}
return nameId;
}
Also used :
SAML2Credentials(org.pac4j.saml.credentials.SAML2Credentials)
SAML2CredentialsExtractor(org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor)
JEEContext(org.pac4j.core.context.JEEContext)
IOException(java.io.IOException)
Example 2 with SAML2Credentials
use of org.pac4j.saml.credentials.SAML2Credentials in project pac4j by pac4j.
the class SAML2DefaultResponseValidator method buildSAML2Credentials.
protected final SAML2Credentials buildSAML2Credentials(final SAML2MessageContext context) {
final NameID nameId = context.getSAMLSubjectNameIdentifierContext().getSAML2SubjectNameID();
final Assertion subjectAssertion = context.getSubjectAssertion();
final String sessionIndex = getSessionIndex(subjectAssertion);
final String issuerEntityId = subjectAssertion.getIssuer().getValue();
List<AuthnStatement> authnStatements = subjectAssertion.getAuthnStatements();
List<String> authnContexts = new ArrayList<String>();
for (AuthnStatement authnStatement : authnStatements) {
authnContexts.add(authnStatement.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef());
}
final List<Attribute> attributes = new ArrayList<Attribute>();
for (final AttributeStatement attributeStatement : subjectAssertion.getAttributeStatements()) {
for (final Attribute attribute : attributeStatement.getAttributes()) {
attributes.add(attribute);
}
if (!attributeStatement.getEncryptedAttributes().isEmpty()) {
if (decrypter == null) {
logger.warn("Encrypted attributes returned, but no keystore was provided.");
} else {
for (final EncryptedAttribute encryptedAttribute : attributeStatement.getEncryptedAttributes()) {
try {
attributes.add(decrypter.decrypt(encryptedAttribute));
} catch (final DecryptionException e) {
logger.warn("Decryption of attribute failed, continue with the next one", e);
}
}
}
}
}
return new SAML2Credentials(nameId, issuerEntityId, attributes, subjectAssertion.getConditions(), sessionIndex, authnContexts);
}
Also used :
EncryptedAttribute(org.opensaml.saml.saml2.core.EncryptedAttribute)
NameID(org.opensaml.saml.saml2.core.NameID)
Attribute(org.opensaml.saml.saml2.core.Attribute)
EncryptedAttribute(org.opensaml.saml.saml2.core.EncryptedAttribute)
SAML2Credentials(org.pac4j.saml.credentials.SAML2Credentials)
EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion)
Assertion(org.opensaml.saml.saml2.core.Assertion)
ArrayList(java.util.ArrayList)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
AuthnStatement(org.opensaml.saml.saml2.core.AuthnStatement)
DecryptionException(org.opensaml.xmlsec.encryption.support.DecryptionException)
SAMLNameIdDecryptionException(org.pac4j.saml.exceptions.SAMLNameIdDecryptionException)
Example 3 with SAML2Credentials
use of org.pac4j.saml.credentials.SAML2Credentials in project pac4j by pac4j.
the class SAML2Client method clientInit.
@Override
protected void clientInit() {
CommonHelper.assertNotNull("configuration", this.configuration);
// First of all, initialize the configuration. It may dynamically load some properties, if it is not a static one.
this.configuration.init(getName());
initCredentialProvider();
initDecrypter();
initSignatureSigningParametersProvider();
final MetadataResolver metadataManager = initChainingMetadataResolver(initIdentityProviderMetadataResolver(), initServiceProviderMetadataResolver());
initSAMLContextProvider(metadataManager);
initSignatureTrustEngineProvider(metadataManager);
initSAMLResponseValidator();
initSAMLProfileHandler();
defaultRedirectActionBuilder(new SAML2RedirectActionBuilder(this));
defaultCredentialsExtractor(ctx -> {
final SAML2MessageContext samlContext = this.contextProvider.buildContext(ctx);
final SAML2Credentials credentials = (SAML2Credentials) this.profileHandler.receive(samlContext);
return credentials;
});
defaultAuthenticator(new SAML2Authenticator());
defaultLogoutActionBuilder(new SAML2LogoutActionBuilder<>(this));
}
Also used :
SAML2MessageContext(org.pac4j.saml.context.SAML2MessageContext)
SAML2RedirectActionBuilder(org.pac4j.saml.redirect.SAML2RedirectActionBuilder)
SAML2Credentials(org.pac4j.saml.credentials.SAML2Credentials)
SAML2IdentityProviderMetadataResolver(org.pac4j.saml.metadata.SAML2IdentityProviderMetadataResolver)
SAML2ServiceProviderMetadataResolver(org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver)
SAML2MetadataResolver(org.pac4j.saml.metadata.SAML2MetadataResolver)
MetadataResolver(org.opensaml.saml.metadata.resolver.MetadataResolver)
ChainingMetadataResolver(org.opensaml.saml.metadata.resolver.ChainingMetadataResolver)
SAML2Authenticator(org.pac4j.saml.credentials.authenticator.SAML2Authenticator)
Aggregations
SAML2Credentials (org.pac4j.saml.credentials.SAML2Credentials)3
IOException (java.io.IOException)1
ArrayList (java.util.ArrayList)1
ChainingMetadataResolver (org.opensaml.saml.metadata.resolver.ChainingMetadataResolver)1
MetadataResolver (org.opensaml.saml.metadata.resolver.MetadataResolver)1
Assertion (org.opensaml.saml.saml2.core.Assertion)1
Attribute (org.opensaml.saml.saml2.core.Attribute)1
AttributeStatement (org.opensaml.saml.saml2.core.AttributeStatement)1
AuthnStatement (org.opensaml.saml.saml2.core.AuthnStatement)1
EncryptedAssertion (org.opensaml.saml.saml2.core.EncryptedAssertion)1
EncryptedAttribute (org.opensaml.saml.saml2.core.EncryptedAttribute)1
NameID (org.opensaml.saml.saml2.core.NameID)1
DecryptionException (org.opensaml.xmlsec.encryption.support.DecryptionException)1
JEEContext (org.pac4j.core.context.JEEContext)1
SAML2MessageContext (org.pac4j.saml.context.SAML2MessageContext)1
SAML2Authenticator (org.pac4j.saml.credentials.authenticator.SAML2Authenticator)1
SAML2CredentialsExtractor (org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor)1
SAMLNameIdDecryptionException (org.pac4j.saml.exceptions.SAMLNameIdDecryptionException)1
SAML2IdentityProviderMetadataResolver (org.pac4j.saml.metadata.SAML2IdentityProviderMetadataResolver)1
SAML2MetadataResolver (org.pac4j.saml.metadata.SAML2MetadataResolver)1
