Example 1 with ResponseToken
use of org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken in project spring-security by spring-projects.
the class OpenSamlAuthenticationProviderTests method authenticateWhenResponseAuthenticationConverterConfiguredThenUses.
@Test
public void authenticateWhenResponseAuthenticationConverterConfiguredThenUses() {
Converter<ResponseToken, Saml2Authentication> authenticationConverter = mock(Converter.class);
OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
provider.setResponseAuthenticationConverter(authenticationConverter);
Response response = TestOpenSamlObjects.signedResponseWithOneAssertion();
Saml2AuthenticationToken token = token(response, verifying(registration()));
provider.authenticate(token);
verify(authenticationConverter).convert(any());
}
Also used :
Response(org.opensaml.saml.saml2.core.Response)
ResponseToken(org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.ResponseToken)
Test(org.junit.jupiter.api.Test)
Example 2 with ResponseToken
use of org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken in project spring-security by spring-projects.
the class OpenSaml4AuthenticationProvider method process.
private void process(Saml2AuthenticationToken token, Response response) {
String issuer = response.getIssuer().getValue();
this.logger.debug(LogMessage.format("Processing SAML response from %s", issuer));
boolean responseSigned = response.isSigned();
ResponseToken responseToken = new ResponseToken(response, token);
Saml2ResponseValidatorResult result = this.responseSignatureValidator.convert(responseToken);
if (responseSigned) {
this.responseElementsDecrypter.accept(responseToken);
} else if (!response.getEncryptedAssertions().isEmpty()) {
result = result.concat(new Saml2Error(Saml2ErrorCodes.INVALID_SIGNATURE, "Did not decrypt response [" + response.getID() + "] since it is not signed"));
}
result = result.concat(this.responseValidator.convert(responseToken));
boolean allAssertionsSigned = true;
for (Assertion assertion : response.getAssertions()) {
AssertionToken assertionToken = new AssertionToken(assertion, token);
result = result.concat(this.assertionSignatureValidator.convert(assertionToken));
allAssertionsSigned = allAssertionsSigned && assertion.isSigned();
if (responseSigned || assertion.isSigned()) {
this.assertionElementsDecrypter.accept(new AssertionToken(assertion, token));
}
result = result.concat(this.assertionValidator.convert(assertionToken));
}
if (!responseSigned && !allAssertionsSigned) {
String description = "Either the response or one of the assertions is unsigned. " + "Please either sign the response or all of the assertions.";
result = result.concat(new Saml2Error(Saml2ErrorCodes.INVALID_SIGNATURE, description));
}
Assertion firstAssertion = CollectionUtils.firstElement(response.getAssertions());
if (firstAssertion != null && !hasName(firstAssertion)) {
Saml2Error error = new Saml2Error(Saml2ErrorCodes.SUBJECT_NOT_FOUND, "Assertion [" + firstAssertion.getID() + "] is missing a subject");
result = result.concat(error);
}
if (result.hasErrors()) {
Collection<Saml2Error> errors = result.getErrors();
if (this.logger.isTraceEnabled()) {
this.logger.debug("Found " + errors.size() + " validation errors in SAML response [" + response.getID() + "]: " + errors);
} else if (this.logger.isDebugEnabled()) {
this.logger.debug("Found " + errors.size() + " validation errors in SAML response [" + response.getID() + "]");
}
Saml2Error first = errors.iterator().next();
throw createAuthenticationException(first.getErrorCode(), first.getDescription(), null);
} else {
if (this.logger.isDebugEnabled()) {
this.logger.debug("Successfully processed SAML Response [" + response.getID() + "]");
}
}
}
Also used :
Saml2Error(org.springframework.security.saml2.core.Saml2Error)
EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion)
Assertion(org.opensaml.saml.saml2.core.Assertion)
XSString(org.opensaml.core.xml.schema.XSString)
Saml2ResponseValidatorResult(org.springframework.security.saml2.core.Saml2ResponseValidatorResult)
Example 3 with ResponseToken
use of org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken in project spring-security by spring-projects.
the class OpenSaml4AuthenticationProviderTests method authenticateWhenCustomResponseValidatorThenUses.
@Test
public void authenticateWhenCustomResponseValidatorThenUses() {
Converter<OpenSaml4AuthenticationProvider.ResponseToken, Saml2ResponseValidatorResult> validator = mock(Converter.class);
OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
// @formatter:off
provider.setResponseValidator((responseToken) -> OpenSaml4AuthenticationProvider.createDefaultResponseValidator().convert(responseToken).concat(validator.convert(responseToken)));
// @formatter:on
Response response = response();
Assertion assertion = assertion();
response.getAssertions().add(assertion);
TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(), ASSERTING_PARTY_ENTITY_ID);
Saml2AuthenticationToken token = token(response, verifying(registration()));
given(validator.convert(any(OpenSaml4AuthenticationProvider.ResponseToken.class))).willReturn(Saml2ResponseValidatorResult.success());
provider.authenticate(token);
verify(validator).convert(any(OpenSaml4AuthenticationProvider.ResponseToken.class));
}
Also used :
Response(org.opensaml.saml.saml2.core.Response)
EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion)
Assertion(org.opensaml.saml.saml2.core.Assertion)
ResponseToken(org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken)
Saml2ResponseValidatorResult(org.springframework.security.saml2.core.Saml2ResponseValidatorResult)
Test(org.junit.jupiter.api.Test)
Example 4 with ResponseToken
use of org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken in project midpoint by Evolveum.
the class Saml2Provider method initSamlProvider.
private void initSamlProvider() {
openSamlProvider.setResponseAuthenticationConverter((responseToken) -> {
Saml2Authentication authentication = defaultConverter.convert(responseToken);
if (authentication == null) {
return null;
}
DefaultSaml2AuthenticatedPrincipal principal = (DefaultSaml2AuthenticatedPrincipal) authentication.getPrincipal();
Map<String, List<Object>> originalAttributes = principal.getAttributes();
Response response = responseToken.getResponse();
Assertion assertion = CollectionUtils.firstElement(response.getAssertions());
if (assertion == null) {
return authentication;
}
Map<String, List<Object>> attributes = new LinkedHashMap<>();
for (AttributeStatement attributeStatement : assertion.getAttributeStatements()) {
for (Attribute attribute : attributeStatement.getAttributes()) {
if (originalAttributes.containsKey(attribute.getName())) {
List<Object> attributeValues = originalAttributes.get(attribute.getName());
attributes.put(attribute.getName(), attributeValues);
if (StringUtils.isNotEmpty(attribute.getFriendlyName())) {
attributes.put(attribute.getFriendlyName(), attributeValues);
}
}
}
}
MidpointSaml2AuthenticatedPrincipal newPrincipal = new MidpointSaml2AuthenticatedPrincipal(principal.getName(), attributes, assertion.getSubject().getNameID());
newPrincipal.setRelyingPartyRegistrationId(responseToken.getToken().getRelyingPartyRegistration().getRegistrationId());
Saml2Authentication saml2Authentication = new Saml2Authentication(newPrincipal, authentication.getSaml2Response(), authentication.getAuthorities());
saml2Authentication.setDetails(assertion.getSubject().getNameID());
return saml2Authentication;
});
}
Also used :
DefaultSaml2AuthenticatedPrincipal(org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal)
LinkedHashMap(java.util.LinkedHashMap)
Saml2Authentication(org.springframework.security.saml2.provider.service.authentication.Saml2Authentication)
List(java.util.List)
Example 5 with ResponseToken
use of org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken in project spring-security by spring-projects.
the class OpenSaml4AuthenticationProviderTests method authenticateWhenResponseAuthenticationConverterConfiguredThenUses.
@Test
public void authenticateWhenResponseAuthenticationConverterConfiguredThenUses() {
Converter<ResponseToken, Saml2Authentication> authenticationConverter = mock(Converter.class);
OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
provider.setResponseAuthenticationConverter(authenticationConverter);
Response response = TestOpenSamlObjects.signedResponseWithOneAssertion();
Saml2AuthenticationToken token = token(response, verifying(registration()));
provider.authenticate(token);
verify(authenticationConverter).convert(any());
}
Also used :
Response(org.opensaml.saml.saml2.core.Response)
ResponseToken(org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken)
Test(org.junit.jupiter.api.Test)
Aggregations
Response (org.opensaml.saml.saml2.core.Response)7
Test (org.junit.jupiter.api.Test)5
XSString (org.opensaml.core.xml.schema.XSString)4
Assertion (org.opensaml.saml.saml2.core.Assertion)3
EncryptedAssertion (org.opensaml.saml.saml2.core.EncryptedAssertion)3
Saml2ResponseValidatorResult (org.springframework.security.saml2.core.Saml2ResponseValidatorResult)3
ResponseToken (org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken)3
AuthenticationException (org.springframework.security.core.AuthenticationException)2
Saml2Exception (org.springframework.security.saml2.Saml2Exception)2
Saml2Error (org.springframework.security.saml2.core.Saml2Error)2
ResponseToken (org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.ResponseToken)2
LinkedHashMap (java.util.LinkedHashMap)1
List (java.util.List)1
AssertionValidationException (org.opensaml.saml.common.assertion.AssertionValidationException)1
AbstractAuthenticationToken (org.springframework.security.authentication.AbstractAuthenticationToken)1
DefaultSaml2AuthenticatedPrincipal (org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal)1
Saml2Authentication (org.springframework.security.saml2.provider.service.authentication.Saml2Authentication)1
