Use of org.springframework.security.saml2.credentials.Saml2X509Credential in project spring-security by spring-projects.
Class OpenSamlMetadataAssertingPartyDetailsConverter, method convert.
RelyingPartyRegistration.AssertingPartyDetails.Builder convert(EntityDescriptor descriptor) {
IDPSSODescriptor idpssoDescriptor = descriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS);
if (idpssoDescriptor == null) {
throw new Saml2Exception("Metadata response is missing the necessary IDPSSODescriptor element");
}
List<Saml2X509Credential> verification = new ArrayList<>();
List<Saml2X509Credential> encryption = new ArrayList<>();
for (KeyDescriptor keyDescriptor : idpssoDescriptor.getKeyDescriptors()) {
if (keyDescriptor.getUse().equals(UsageType.SIGNING)) {
List<X509Certificate> certificates = certificates(keyDescriptor);
for (X509Certificate certificate : certificates) {
verification.add(Saml2X509Credential.verification(certificate));
}
}
if (keyDescriptor.getUse().equals(UsageType.ENCRYPTION)) {
List<X509Certificate> certificates = certificates(keyDescriptor);
for (X509Certificate certificate : certificates) {
encryption.add(Saml2X509Credential.encryption(certificate));
}
}
if (keyDescriptor.getUse().equals(UsageType.UNSPECIFIED)) {
List<X509Certificate> certificates = certificates(keyDescriptor);
for (X509Certificate certificate : certificates) {
verification.add(Saml2X509Credential.verification(certificate));
encryption.add(Saml2X509Credential.encryption(certificate));
}
}
}
if (verification.isEmpty()) {
throw new Saml2Exception("Metadata response is missing verification certificates, necessary for verifying SAML assertions");
}
RelyingPartyRegistration.AssertingPartyDetails.Builder party = OpenSamlAssertingPartyDetails.withEntityDescriptor(descriptor).entityId(descriptor.getEntityID()).wantAuthnRequestsSigned(Boolean.TRUE.equals(idpssoDescriptor.getWantAuthnRequestsSigned())).verificationX509Credentials((c) -> c.addAll(verification)).encryptionX509Credentials((c) -> c.addAll(encryption));
List<SigningMethod> signingMethods = signingMethods(idpssoDescriptor);
for (SigningMethod method : signingMethods) {
party.signingAlgorithms((algorithms) -> algorithms.add(method.getAlgorithm()));
}
if (idpssoDescriptor.getSingleSignOnServices().isEmpty()) {
throw new Saml2Exception("Metadata response is missing a SingleSignOnService, necessary for sending AuthnRequests");
}
for (SingleSignOnService singleSignOnService : idpssoDescriptor.getSingleSignOnServices()) {
Saml2MessageBinding binding;
if (singleSignOnService.getBinding().equals(Saml2MessageBinding.POST.getUrn())) {
binding = Saml2MessageBinding.POST;
} else if (singleSignOnService.getBinding().equals(Saml2MessageBinding.REDIRECT.getUrn())) {
binding = Saml2MessageBinding.REDIRECT;
} else {
continue;
}
party.singleSignOnServiceLocation(singleSignOnService.getLocation()).singleSignOnServiceBinding(binding);
break;
}
for (SingleLogoutService singleLogoutService : idpssoDescriptor.getSingleLogoutServices()) {
Saml2MessageBinding binding;
if (singleLogoutService.getBinding().equals(Saml2MessageBinding.POST.getUrn())) {
binding = Saml2MessageBinding.POST;
} else if (singleLogoutService.getBinding().equals(Saml2MessageBinding.REDIRECT.getUrn())) {
binding = Saml2MessageBinding.REDIRECT;
} else {
continue;
}
String responseLocation = (singleLogoutService.getResponseLocation() == null) ? singleLogoutService.getLocation() : singleLogoutService.getResponseLocation();
party.singleLogoutServiceLocation(singleLogoutService.getLocation()).singleLogoutServiceResponseLocation(responseLocation).singleLogoutServiceBinding(binding);
break;
}
return party;
}
Use of org.springframework.security.saml2.credentials.Saml2X509Credential in project spring-security by spring-projects.
Class RelyingPartyRegistration, method toDeprecated.
private static org.springframework.security.saml2.credentials.Saml2X509Credential toDeprecated(Saml2X509Credential credential) {
PrivateKey privateKey = credential.getPrivateKey();
X509Certificate certificate = credential.getCertificate();
Set<org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType> credentialTypes = new HashSet<>();
if (credential.isSigningCredential()) {
credentialTypes.add(org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType.SIGNING);
}
if (credential.isVerificationCredential()) {
credentialTypes.add(org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType.VERIFICATION);
}
if (credential.isEncryptionCredential()) {
credentialTypes.add(org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType.ENCRYPTION);
}
if (credential.isDecryptionCredential()) {
credentialTypes.add(org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType.DECRYPTION);
}
return new org.springframework.security.saml2.credentials.Saml2X509Credential(privateKey, certificate, credentialTypes);
}
Use of org.springframework.security.saml2.credentials.Saml2X509Credential in project spring-security by spring-projects.
Class OpenSamlVerificationUtils, method trustEngine.
static SignatureTrustEngine trustEngine(RelyingPartyRegistration registration) {
Set<Credential> credentials = new HashSet<>();
Collection<Saml2X509Credential> keys = registration.getAssertingPartyDetails().getVerificationX509Credentials();
for (Saml2X509Credential key : keys) {
BasicX509Credential cred = new BasicX509Credential(key.getCertificate());
cred.setUsageType(UsageType.SIGNING);
cred.setEntityId(registration.getAssertingPartyDetails().getEntityId());
credentials.add(cred);
}
CredentialResolver credentialsResolver = new CollectionCredentialResolver(credentials);
return new ExplicitKeySignatureTrustEngine(credentialsResolver, DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
}
Use of org.springframework.security.saml2.credentials.Saml2X509Credential in project spring-security by spring-projects.
Class TestRelyingPartyRegistrations, method relyingPartyRegistration.
public static RelyingPartyRegistration.Builder relyingPartyRegistration() {
String registrationId = "simplesamlphp";
String rpEntityId = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
Saml2X509Credential signingCredential = TestSaml2X509Credentials.relyingPartySigningCredential();
String assertionConsumerServiceLocation = "{baseUrl}" + Saml2WebSsoAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI;
String apEntityId = "https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/metadata.php";
Saml2X509Credential verificationCertificate = TestSaml2X509Credentials.relyingPartyVerifyingCredential();
String singleSignOnServiceLocation = "https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/SSOService.php";
String singleLogoutServiceLocation = "{baseUrl}/logout/saml2/slo";
return RelyingPartyRegistration.withRegistrationId(registrationId).entityId(rpEntityId).assertionConsumerServiceLocation(assertionConsumerServiceLocation).singleLogoutServiceLocation(singleLogoutServiceLocation).credentials((c) -> c.add(signingCredential)).providerDetails((c) -> c.entityId(apEntityId).webSsoUrl(singleSignOnServiceLocation)).credentials((c) -> c.add(verificationCertificate));
}
Use of org.springframework.security.saml2.credentials.Saml2X509Credential in project spring-security by spring-projects.
Class TestOpenSamlObjects, method encrypted.
static EncryptedAssertion encrypted(Assertion assertion, Saml2X509Credential credential) {
X509Certificate certificate = credential.getCertificate();
Encrypter encrypter = getEncrypter(certificate);
try {
return encrypter.encrypt(assertion);
} catch (EncryptionException ex) {
throw new Saml2Exception("Unable to encrypt assertion.", ex);
}
}