Search in sources :

Example 1 with ResponseToken

use of org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken in project spring-security by spring-projects.

the class OpenSamlAuthenticationProviderTests method authenticateWhenResponseAuthenticationConverterConfiguredThenUses.

@Test
public void authenticateWhenResponseAuthenticationConverterConfiguredThenUses() {
    Converter<ResponseToken, Saml2Authentication> authenticationConverter = mock(Converter.class);
    OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
    provider.setResponseAuthenticationConverter(authenticationConverter);
    Response response = TestOpenSamlObjects.signedResponseWithOneAssertion();
    Saml2AuthenticationToken token = token(response, verifying(registration()));
    provider.authenticate(token);
    verify(authenticationConverter).convert(any());
}
Also used : Response(org.opensaml.saml.saml2.core.Response) ResponseToken(org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.ResponseToken) Test(org.junit.jupiter.api.Test)

Example 2 with ResponseToken

use of org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken in project spring-security by spring-projects.

the class OpenSaml4AuthenticationProvider method process.

private void process(Saml2AuthenticationToken token, Response response) {
    String issuer = response.getIssuer().getValue();
    this.logger.debug(LogMessage.format("Processing SAML response from %s", issuer));
    boolean responseSigned = response.isSigned();
    ResponseToken responseToken = new ResponseToken(response, token);
    Saml2ResponseValidatorResult result = this.responseSignatureValidator.convert(responseToken);
    if (responseSigned) {
        this.responseElementsDecrypter.accept(responseToken);
    } else if (!response.getEncryptedAssertions().isEmpty()) {
        result = result.concat(new Saml2Error(Saml2ErrorCodes.INVALID_SIGNATURE, "Did not decrypt response [" + response.getID() + "] since it is not signed"));
    }
    result = result.concat(this.responseValidator.convert(responseToken));
    boolean allAssertionsSigned = true;
    for (Assertion assertion : response.getAssertions()) {
        AssertionToken assertionToken = new AssertionToken(assertion, token);
        result = result.concat(this.assertionSignatureValidator.convert(assertionToken));
        allAssertionsSigned = allAssertionsSigned && assertion.isSigned();
        if (responseSigned || assertion.isSigned()) {
            this.assertionElementsDecrypter.accept(new AssertionToken(assertion, token));
        }
        result = result.concat(this.assertionValidator.convert(assertionToken));
    }
    if (!responseSigned && !allAssertionsSigned) {
        String description = "Either the response or one of the assertions is unsigned. " + "Please either sign the response or all of the assertions.";
        result = result.concat(new Saml2Error(Saml2ErrorCodes.INVALID_SIGNATURE, description));
    }
    Assertion firstAssertion = CollectionUtils.firstElement(response.getAssertions());
    if (firstAssertion != null && !hasName(firstAssertion)) {
        Saml2Error error = new Saml2Error(Saml2ErrorCodes.SUBJECT_NOT_FOUND, "Assertion [" + firstAssertion.getID() + "] is missing a subject");
        result = result.concat(error);
    }
    if (result.hasErrors()) {
        Collection<Saml2Error> errors = result.getErrors();
        if (this.logger.isTraceEnabled()) {
            this.logger.debug("Found " + errors.size() + " validation errors in SAML response [" + response.getID() + "]: " + errors);
        } else if (this.logger.isDebugEnabled()) {
            this.logger.debug("Found " + errors.size() + " validation errors in SAML response [" + response.getID() + "]");
        }
        Saml2Error first = errors.iterator().next();
        throw createAuthenticationException(first.getErrorCode(), first.getDescription(), null);
    } else {
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Successfully processed SAML Response [" + response.getID() + "]");
        }
    }
}
Also used : Saml2Error(org.springframework.security.saml2.core.Saml2Error) EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion) Assertion(org.opensaml.saml.saml2.core.Assertion) XSString(org.opensaml.core.xml.schema.XSString) Saml2ResponseValidatorResult(org.springframework.security.saml2.core.Saml2ResponseValidatorResult)

Example 3 with ResponseToken

use of org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken in project spring-security by spring-projects.

the class OpenSaml4AuthenticationProviderTests method authenticateWhenCustomResponseValidatorThenUses.

@Test
public void authenticateWhenCustomResponseValidatorThenUses() {
    Converter<OpenSaml4AuthenticationProvider.ResponseToken, Saml2ResponseValidatorResult> validator = mock(Converter.class);
    OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
    // @formatter:off
    provider.setResponseValidator((responseToken) -> OpenSaml4AuthenticationProvider.createDefaultResponseValidator().convert(responseToken).concat(validator.convert(responseToken)));
    // @formatter:on
    Response response = response();
    Assertion assertion = assertion();
    response.getAssertions().add(assertion);
    TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(), ASSERTING_PARTY_ENTITY_ID);
    Saml2AuthenticationToken token = token(response, verifying(registration()));
    given(validator.convert(any(OpenSaml4AuthenticationProvider.ResponseToken.class))).willReturn(Saml2ResponseValidatorResult.success());
    provider.authenticate(token);
    verify(validator).convert(any(OpenSaml4AuthenticationProvider.ResponseToken.class));
}
Also used : Response(org.opensaml.saml.saml2.core.Response) EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion) Assertion(org.opensaml.saml.saml2.core.Assertion) ResponseToken(org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken) Saml2ResponseValidatorResult(org.springframework.security.saml2.core.Saml2ResponseValidatorResult) Test(org.junit.jupiter.api.Test)

Example 4 with ResponseToken

use of org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken in project midpoint by Evolveum.

the class Saml2Provider method initSamlProvider.

private void initSamlProvider() {
    openSamlProvider.setResponseAuthenticationConverter((responseToken) -> {
        Saml2Authentication authentication = defaultConverter.convert(responseToken);
        if (authentication == null) {
            return null;
        }
        DefaultSaml2AuthenticatedPrincipal principal = (DefaultSaml2AuthenticatedPrincipal) authentication.getPrincipal();
        Map<String, List<Object>> originalAttributes = principal.getAttributes();
        Response response = responseToken.getResponse();
        Assertion assertion = CollectionUtils.firstElement(response.getAssertions());
        if (assertion == null) {
            return authentication;
        }
        Map<String, List<Object>> attributes = new LinkedHashMap<>();
        for (AttributeStatement attributeStatement : assertion.getAttributeStatements()) {
            for (Attribute attribute : attributeStatement.getAttributes()) {
                if (originalAttributes.containsKey(attribute.getName())) {
                    List<Object> attributeValues = originalAttributes.get(attribute.getName());
                    attributes.put(attribute.getName(), attributeValues);
                    if (StringUtils.isNotEmpty(attribute.getFriendlyName())) {
                        attributes.put(attribute.getFriendlyName(), attributeValues);
                    }
                }
            }
        }
        MidpointSaml2AuthenticatedPrincipal newPrincipal = new MidpointSaml2AuthenticatedPrincipal(principal.getName(), attributes, assertion.getSubject().getNameID());
        newPrincipal.setRelyingPartyRegistrationId(responseToken.getToken().getRelyingPartyRegistration().getRegistrationId());
        Saml2Authentication saml2Authentication = new Saml2Authentication(newPrincipal, authentication.getSaml2Response(), authentication.getAuthorities());
        saml2Authentication.setDetails(assertion.getSubject().getNameID());
        return saml2Authentication;
    });
}
Also used : DefaultSaml2AuthenticatedPrincipal(org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal) LinkedHashMap(java.util.LinkedHashMap) Saml2Authentication(org.springframework.security.saml2.provider.service.authentication.Saml2Authentication) List(java.util.List)

Example 5 with ResponseToken

use of org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken in project spring-security by spring-projects.

the class OpenSaml4AuthenticationProviderTests method authenticateWhenResponseAuthenticationConverterConfiguredThenUses.

@Test
public void authenticateWhenResponseAuthenticationConverterConfiguredThenUses() {
    Converter<ResponseToken, Saml2Authentication> authenticationConverter = mock(Converter.class);
    OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
    provider.setResponseAuthenticationConverter(authenticationConverter);
    Response response = TestOpenSamlObjects.signedResponseWithOneAssertion();
    Saml2AuthenticationToken token = token(response, verifying(registration()));
    provider.authenticate(token);
    verify(authenticationConverter).convert(any());
}
Also used : Response(org.opensaml.saml.saml2.core.Response) ResponseToken(org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken) Test(org.junit.jupiter.api.Test)

Aggregations

Response (org.opensaml.saml.saml2.core.Response)7 Test (org.junit.jupiter.api.Test)5 XSString (org.opensaml.core.xml.schema.XSString)4 Assertion (org.opensaml.saml.saml2.core.Assertion)3 EncryptedAssertion (org.opensaml.saml.saml2.core.EncryptedAssertion)3 Saml2ResponseValidatorResult (org.springframework.security.saml2.core.Saml2ResponseValidatorResult)3 ResponseToken (org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken)3 AuthenticationException (org.springframework.security.core.AuthenticationException)2 Saml2Exception (org.springframework.security.saml2.Saml2Exception)2 Saml2Error (org.springframework.security.saml2.core.Saml2Error)2 ResponseToken (org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.ResponseToken)2 LinkedHashMap (java.util.LinkedHashMap)1 List (java.util.List)1 AssertionValidationException (org.opensaml.saml.common.assertion.AssertionValidationException)1 AbstractAuthenticationToken (org.springframework.security.authentication.AbstractAuthenticationToken)1 DefaultSaml2AuthenticatedPrincipal (org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal)1 Saml2Authentication (org.springframework.security.saml2.provider.service.authentication.Saml2Authentication)1