Example 6 with SAMLException

Use of org.pac4j.saml.exceptions.SAMLException in project pac4j by pac4j.

Class SAML2ContextProvider, method addContext.

import java.util.List;
import javax.xml.namespace.QName;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.messaging.context.BaseContext;
import org.opensaml.saml.common.messaging.context.SAMLMetadataContext;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.RoleDescriptor;
import org.pac4j.core.util.CommonHelper;
import org.pac4j.saml.exceptions.SAMLException;
import org.pac4j.saml.metadata.SAML2MetadataResolver;

// Resolves the entity and role descriptors for the given entity ID from the metadata
// provider (this.metadata) and stores them in the parent context's metadata sub-context.
protected final void addContext(final SAML2MetadataResolver entityId, final BaseContext parentContext, final QName elementName) {
    final EntityDescriptor entityDescriptor;
    final RoleDescriptor roleDescriptor;
    try {
        // Look the entity up in the metadata provider by its entity ID
        final CriteriaSet set = new CriteriaSet();
        set.add(new EntityIdCriterion(entityId.getEntityId()));
        entityDescriptor = this.metadata.resolveSingle(set);
        if (entityDescriptor == null) {
            throw new SAMLException("Cannot find entity " + entityId.getEntityId() + " in metadata provider");
        }
        // Take the first SAML 2.0 role descriptor of the requested kind (IdP or SP SSO descriptor)
        final List<RoleDescriptor> list = entityDescriptor.getRoleDescriptors(elementName, SAMLConstants.SAML20P_NS);
        roleDescriptor = CommonHelper.isNotEmpty(list) ? list.get(0) : null;
        if (roleDescriptor == null) {
            throw new SAMLException("Cannot find entity " + entityId.getEntityId() + " or role " + elementName + " in metadata provider");
        }
    } catch (final ResolverException e) {
        throw new SAMLException("An error occurred while getting IDP descriptors", e);
    }
    // Create the metadata sub-context if it does not exist yet, then populate it
    final SAMLMetadataContext mdCtx = parentContext.getSubcontext(SAMLMetadataContext.class, true);
    mdCtx.setEntityDescriptor(entityDescriptor);
    mdCtx.setRoleDescriptor(roleDescriptor);
}

Example 7 with SAMLException

Use of org.pac4j.saml.exceptions.SAMLException in project pac4j by pac4j.

Class SAML2MessageContext, method getSPAssertionConsumerService.

import java.util.List;
import org.opensaml.saml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.pac4j.saml.exceptions.SAMLException;

// Selects the SP's AssertionConsumerService from its own metadata: by explicit index if one
// was requested, otherwise the default one, otherwise the first one declared.
public final AssertionConsumerService getSPAssertionConsumerService(final String acsIndex) {
    final SPSSODescriptor spssoDescriptor = getSPSSODescriptor();
    final List<AssertionConsumerService> services = spssoDescriptor.getAssertionConsumerServices();
    // Get by index: an explicitly requested index must match exactly, otherwise fail
    if (acsIndex != null) {
        final Integer requestedIndex;
        try {
            // Parse once rather than on every iteration; a non-numeric index is a configuration error
            requestedIndex = Integer.valueOf(acsIndex);
        } catch (final NumberFormatException e) {
            throw new SAMLException("Assertion consumer service index is not a number: " + acsIndex, e);
        }
        for (final AssertionConsumerService service : services) {
            if (requestedIndex.equals(service.getIndex())) {
                return service;
            }
        }
        throw new SAMLException("Assertion consumer service with index " + acsIndex + " could not be found for spDescriptor " + spssoDescriptor);
    }
    // Get default (the service flagged isDefault="true" in metadata)
    if (spssoDescriptor.getDefaultAssertionConsumerService() != null) {
        return spssoDescriptor.getDefaultAssertionConsumerService();
    }
    // Get first
    if (!services.isEmpty()) {
        return services.iterator().next();
    }
    throw new SAMLException("No assertion consumer services could be found for " + spssoDescriptor);
}

Example 8 with SAMLException

Use of org.pac4j.saml.exceptions.SAMLException in project pac4j by pac4j.

Class KeyStoreCredentialProvider, method getCredential.

import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.X509Credential;
import org.pac4j.saml.exceptions.SAMLException;
// Looks up the SP credential in the key store by its alias (this.privateKey)
@Override
public final Credential getCredential() {
    try {
        final CriteriaSet cs = new CriteriaSet();
        // The key store credential resolver is keyed by alias, passed as an entity ID criterion
        final EntityIdCriterion criteria = new EntityIdCriterion(this.privateKey);
        cs.add(criteria);
        final X509Credential creds = (X509Credential) this.credentialResolver.resolveSingle(cs);
        if (creds == null) {
            // resolveSingle returns null when no key store entry matches the alias
            throw new SAMLException("Can't obtain SP private key: no credential found for alias " + this.privateKey);
        }
        return creds;
    } catch (final ResolverException e) {
        throw new SAMLException("Can't obtain SP private key", e);
    }
}

Example 9 with SAMLException

Use of org.pac4j.saml.exceptions.SAMLException in project pac4j by pac4j.

Class SAML2DefaultResponseValidator, method validateSamlSSOResponse.

import java.util.ArrayList;
import java.util.List;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.pac4j.saml.context.SAML2MessageContext;
import org.pac4j.saml.exceptions.SAMAssertionSubjectException;
import org.pac4j.saml.exceptions.SAMLException;

/**
 * Validates the SAML SSO response by finding a valid assertion with authn statements.
 * Populates the {@link SAML2MessageContext} with a subjectAssertion and a subjectNameIdentifier.
 *
 * @param response  the response
 * @param context   the context
 * @param engine    the engine
 * @param decrypter the decrypter
 */
protected final void validateSamlSSOResponse(final Response response, final SAML2MessageContext context, final SignatureTrustEngine engine, final Decrypter decrypter) {
    final List<SAMLException> errors = new ArrayList<>();
    // Only assertions carrying an AuthnStatement are candidates for the subject assertion
    for (final Assertion assertion : response.getAssertions()) {
        if (!assertion.getAuthnStatements().isEmpty()) {
            try {
                // Per-assertion validation (not shown here)
                validateAssertion(assertion, context, engine, decrypter);
            } catch (final SAMLException e) {
                logger.error("Current assertion validation failed, continue with the next one", e);
                errors.add(e);
                continue;
            }
            // The first assertion that validates becomes the subject assertion
            context.setSubjectAssertion(assertion);
            break;
        }
    }
    // Any failed assertion fails the whole response, even if a later one validated
    if (!errors.isEmpty()) {
        throw errors.get(0);
    }
    if (context.getSubjectAssertion() == null) {
        throw new SAMAssertionSubjectException("No valid subject assertion found in response");
    }
    // We do not check EncryptedID here because it has already been decrypted and stored into NameID
    final List<SubjectConfirmation> subjectConfirmations = context.getSubjectConfirmations();
    final NameID nameIdentifier = (NameID) context.getSAMLSubjectNameIdentifierContext().getSubjectNameIdentifier();
    // The subject must be identified by a NameID, a BaseID, or at least one SubjectConfirmation
    if ((nameIdentifier == null || nameIdentifier.getValue() == null) && context.getBaseID() == null && (subjectConfirmations == null || subjectConfirmations.isEmpty())) {
        throw new SAMLException("Subject NameID, BaseID and EncryptedID cannot all be null at the same time if there are no Subject Confirmations.");
    }
}

Example 10 with SAMLException

Use of org.pac4j.saml.exceptions.SAMLException in project pac4j by pac4j.

Class SAML2DefaultResponseValidator, method validateSamlProtocolResponse.

import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.pac4j.saml.context.SAML2MessageContext;
import org.pac4j.saml.exceptions.SAMLException;
import org.pac4j.saml.exceptions.SAMLInResponseToMismatchException;
import org.pac4j.saml.exceptions.SAMLIssueInstantException;
import org.pac4j.saml.storage.SAMLMessageStorage;

/**
 * Validates the SAML protocol response:
 * - IssueInstant
 * - Issuer
 * - StatusCode
 * - Signature
 *
 * @param response the response
 * @param context  the context
 * @param engine   the engine
 */
protected final void validateSamlProtocolResponse(final Response response, final SAML2MessageContext context, final SignatureTrustEngine engine) {
    // Reject any status other than Success; include the status message, if any, for diagnostics
    if (!StatusCode.SUCCESS.equals(response.getStatus().getStatusCode().getValue())) {
        String status = response.getStatus().getStatusCode().getValue();
        if (response.getStatus().getStatusMessage() != null) {
            status += " / " + response.getStatus().getStatusMessage().getMessage();
        }
        throw new SAMLException("Authentication response is not success; actual " + status);
    }
    // Validate the response signature against the peer's trusted keys when one is present;
    // only then is the peer marked as authenticated. An unsigned response passes this step,
    // so assertion-level validation remains responsible for unsigned responses.
    if (response.getSignature() != null) {
        final String entityId = context.getSAMLPeerEntityContext().getEntityId();
        validateSignature(response.getSignature(), entityId, engine);
        context.getSAMLPeerEntityContext().setAuthenticated(true);
    }
    // Reject responses issued too long ago or in the future (replay window / clock skew)
    if (!isIssueInstantValid(response.getIssueInstant())) {
        throw new SAMLIssueInstantException("Response issue instant is too old or in the future");
    }
    // When a message store is configured, InResponseTo must refer to an AuthnRequest this SP
    // actually sent; an unknown ID or a different message type is a mismatch
    AuthnRequest request = null;
    final SAMLMessageStorage messageStorage = context.getSAMLMessageStorage();
    if (messageStorage != null && response.getInResponseTo() != null) {
        final XMLObject xmlObject = messageStorage.retrieveMessage(response.getInResponseTo());
        if (xmlObject == null) {
            throw new SAMLInResponseToMismatchException("InResponseTo field of the Response doesn't correspond to sent message " + response.getInResponseTo());
        } else if (xmlObject instanceof AuthnRequest) {
            request = (AuthnRequest) xmlObject;
        } else {
            throw new SAMLInResponseToMismatchException("Sent request was of different type than the expected AuthnRequest " + response.getInResponseTo());
        }
    }
    // The Destination attribute must match the endpoint the response was received on
    verifyEndpoint(context.getSAMLEndpointContext().getEndpoint(), response.getDestination());
    // Cross-check the response against the original request when one was found
    if (request != null) {
        verifyRequest(request, context);
    }
    // The Issuer, when present, must be the expected IdP entity
    if (response.getIssuer() != null) {
        validateIssuer(response.getIssuer(), context);
    }
}
