Example 1 with Saml2AuthenticatedPrincipal
use of org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal in project spring-security by spring-projects.
the class OpenSaml4AuthenticationProviderTests method authenticateWhenAssertionContainsCustomAttributesThenItSucceeds.
@Test
public void authenticateWhenAssertionContainsCustomAttributesThenItSucceeds() {
Response response = response();
Assertion assertion = assertion();
AttributeStatement attribute = TestOpenSamlObjects.customAttributeStatement("Address", TestCustomOpenSamlObjects.instance());
assertion.getAttributeStatements().add(attribute);
TestOpenSamlObjects.signed(assertion, TestSaml2X509Credentials.assertingPartySigningCredential(), RELYING_PARTY_ENTITY_ID);
response.getAssertions().add(assertion);
Saml2AuthenticationToken token = token(response, verifying(registration()));
Authentication authentication = this.provider.authenticate(token);
Saml2AuthenticatedPrincipal principal = (Saml2AuthenticatedPrincipal) authentication.getPrincipal();
CustomOpenSamlObject address = (CustomOpenSamlObject) principal.getAttribute("Address").get(0);
assertThat(address.getStreet()).isEqualTo("Test Street");
assertThat(address.getStreetNumber()).isEqualTo("1");
assertThat(address.getZIP()).isEqualTo("11111");
assertThat(address.getCity()).isEqualTo("Test City");
}
Also used :
Response(org.opensaml.saml.saml2.core.Response)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
Authentication(org.springframework.security.core.Authentication)
EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion)
Assertion(org.opensaml.saml.saml2.core.Assertion)
CustomOpenSamlObject(org.springframework.security.saml2.provider.service.authentication.TestCustomOpenSamlObjects.CustomOpenSamlObject)
Test(org.junit.jupiter.api.Test)
Example 2 with Saml2AuthenticatedPrincipal
use of org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal in project spring-security by spring-projects.
the class OpenSaml4AuthenticationProviderTests method authenticateWhenAssertionContainsAttributesThenItSucceeds.
@Test
public void authenticateWhenAssertionContainsAttributesThenItSucceeds() {
Response response = response();
Assertion assertion = assertion();
List<AttributeStatement> attributes = attributeStatements();
assertion.getAttributeStatements().addAll(attributes);
TestOpenSamlObjects.signed(assertion, TestSaml2X509Credentials.assertingPartySigningCredential(), RELYING_PARTY_ENTITY_ID);
response.getAssertions().add(assertion);
Saml2AuthenticationToken token = token(response, verifying(registration()));
Authentication authentication = this.provider.authenticate(token);
Saml2AuthenticatedPrincipal principal = (Saml2AuthenticatedPrincipal) authentication.getPrincipal();
Map<String, Object> expected = new LinkedHashMap<>();
expected.put("email", Arrays.asList("john.doe@example.com", "doe.john@example.com"));
expected.put("name", Collections.singletonList("John Doe"));
expected.put("age", Collections.singletonList(21));
expected.put("website", Collections.singletonList("https://johndoe.com/"));
expected.put("registered", Collections.singletonList(true));
Instant registeredDate = Instant.parse("1970-01-01T00:00:00Z");
expected.put("registeredDate", Collections.singletonList(registeredDate));
assertThat((String) principal.getFirstAttribute("name")).isEqualTo("John Doe");
assertThat(principal.getAttributes()).isEqualTo(expected);
assertThat(principal.getSessionIndexes()).contains("session-index");
}
Also used :
Response(org.opensaml.saml.saml2.core.Response)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
Authentication(org.springframework.security.core.Authentication)
Instant(java.time.Instant)
EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion)
Assertion(org.opensaml.saml.saml2.core.Assertion)
XMLObject(org.opensaml.core.xml.XMLObject)
CustomOpenSamlObject(org.springframework.security.saml2.provider.service.authentication.TestCustomOpenSamlObjects.CustomOpenSamlObject)
LinkedHashMap(java.util.LinkedHashMap)
Test(org.junit.jupiter.api.Test)
Example 3 with Saml2AuthenticatedPrincipal
use of org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal in project midpoint by Evolveum.
the class MidpointSaml2LogoutRequestResolver method resolve.
@Override
public Saml2LogoutRequest resolve(HttpServletRequest httpServletRequest, Authentication authentication) {
Saml2AuthenticationToken token = null;
if (authentication instanceof MidpointAuthentication) {
ModuleAuthentication authModule = ((MidpointAuthentication) authentication).getProcessingModuleAuthentication();
if (authModule instanceof Saml2ModuleAuthenticationImpl) {
if (authModule.getAuthentication() instanceof Saml2AuthenticationToken) {
token = (Saml2AuthenticationToken) authModule.getAuthentication();
} else if ((authModule.getAuthentication() instanceof PreAuthenticatedAuthenticationToken || authModule.getAuthentication() instanceof AnonymousAuthenticationToken) && authModule.getAuthentication().getDetails() instanceof Saml2AuthenticationToken) {
token = (Saml2AuthenticationToken) authModule.getAuthentication().getDetails();
}
}
} else if (authentication instanceof AnonymousAuthenticationToken && authentication.getDetails() instanceof Saml2AuthenticationToken) {
token = (Saml2AuthenticationToken) authentication.getDetails();
}
if (token != null) {
AuthenticatedPrincipal principal = token.getDetails() instanceof AuthenticatedPrincipal ? (AuthenticatedPrincipal) token.getDetails() : null;
if (!(principal instanceof Saml2AuthenticatedPrincipal)) {
String name = token.getRelyingPartyRegistration().getEntityId();
String relyingPartyRegistrationId = token.getRelyingPartyRegistration().getRegistrationId();
principal = new Saml2AuthenticatedPrincipal() {
@Override
public String getName() {
return name;
}
@Override
public String getRelyingPartyRegistrationId() {
return relyingPartyRegistrationId;
}
};
}
return resolver.resolve(httpServletRequest, new Saml2Authentication(principal, token.getSaml2Response(), null));
}
return resolver.resolve(httpServletRequest, authentication);
}
Also used :
ModuleAuthentication(com.evolveum.midpoint.authentication.api.config.ModuleAuthentication)
Saml2Authentication(org.springframework.security.saml2.provider.service.authentication.Saml2Authentication)
PreAuthenticatedAuthenticationToken(org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken)
Saml2ModuleAuthenticationImpl(com.evolveum.midpoint.authentication.impl.module.authentication.Saml2ModuleAuthenticationImpl)
AnonymousAuthenticationToken(org.springframework.security.authentication.AnonymousAuthenticationToken)
MidpointAuthentication(com.evolveum.midpoint.authentication.api.config.MidpointAuthentication)
Saml2AuthenticationToken(org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken)
Saml2AuthenticatedPrincipal(org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal)
Saml2AuthenticatedPrincipal(org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal)
AuthenticatedPrincipal(org.springframework.security.core.AuthenticatedPrincipal)
Example 4 with Saml2AuthenticatedPrincipal
use of org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal in project spring-security by spring-projects.
the class OpenSamlLogoutRequestResolver method resolve.
Saml2LogoutRequest resolve(HttpServletRequest request, Authentication authentication, BiConsumer<RelyingPartyRegistration, LogoutRequest> logoutRequestConsumer) {
String registrationId = getRegistrationId(authentication);
RelyingPartyRegistration registration = this.relyingPartyRegistrationResolver.resolve(request, registrationId);
if (registration == null) {
return null;
}
if (registration.getAssertingPartyDetails().getSingleLogoutServiceLocation() == null) {
return null;
}
LogoutRequest logoutRequest = this.logoutRequestBuilder.buildObject();
logoutRequest.setDestination(registration.getAssertingPartyDetails().getSingleLogoutServiceLocation());
Issuer issuer = this.issuerBuilder.buildObject();
issuer.setValue(registration.getEntityId());
logoutRequest.setIssuer(issuer);
NameID nameId = this.nameIdBuilder.buildObject();
nameId.setValue(authentication.getName());
logoutRequest.setNameID(nameId);
if (authentication.getPrincipal() instanceof Saml2AuthenticatedPrincipal) {
Saml2AuthenticatedPrincipal principal = (Saml2AuthenticatedPrincipal) authentication.getPrincipal();
for (String index : principal.getSessionIndexes()) {
SessionIndex sessionIndex = this.sessionIndexBuilder.buildObject();
sessionIndex.setSessionIndex(index);
logoutRequest.getSessionIndexes().add(sessionIndex);
}
}
logoutRequestConsumer.accept(registration, logoutRequest);
if (logoutRequest.getID() == null) {
logoutRequest.setID("LR" + UUID.randomUUID());
}
String relayState = UUID.randomUUID().toString();
Saml2LogoutRequest.Builder result = Saml2LogoutRequest.withRelyingPartyRegistration(registration).id(logoutRequest.getID());
if (registration.getAssertingPartyDetails().getSingleLogoutServiceBinding() == Saml2MessageBinding.POST) {
String xml = serialize(OpenSamlSigningUtils.sign(logoutRequest, registration));
String samlRequest = Saml2Utils.samlEncode(xml.getBytes(StandardCharsets.UTF_8));
return result.samlRequest(samlRequest).relayState(relayState).build();
} else {
String xml = serialize(logoutRequest);
String deflatedAndEncoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(xml));
result.samlRequest(deflatedAndEncoded);
QueryParametersPartial partial = OpenSamlSigningUtils.sign(registration).param(Saml2ParameterNames.SAML_REQUEST, deflatedAndEncoded).param(Saml2ParameterNames.RELAY_STATE, relayState);
return result.parameters((params) -> params.putAll(partial.parameters())).build();
}
}
Also used :
RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)
QueryParametersPartial(org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSamlSigningUtils.QueryParametersPartial)
HttpServletRequest(jakarta.servlet.http.HttpServletRequest)
OpenSamlInitializationService(org.springframework.security.saml2.core.OpenSamlInitializationService)
LogoutRequestMarshaller(org.opensaml.saml.saml2.core.impl.LogoutRequestMarshaller)
XMLObjectProviderRegistry(org.opensaml.core.xml.config.XMLObjectProviderRegistry)
RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)
Saml2MessageBinding(org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding)
LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest)
SerializeSupport(net.shibboleth.utilities.java.support.xml.SerializeSupport)
BiConsumer(java.util.function.BiConsumer)
MarshallingException(org.opensaml.core.xml.io.MarshallingException)
QueryParametersPartial(org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSamlSigningUtils.QueryParametersPartial)
RelyingPartyRegistrationResolver(org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver)
SessionIndexBuilder(org.opensaml.saml.saml2.core.impl.SessionIndexBuilder)
Saml2Exception(org.springframework.security.saml2.Saml2Exception)
ConfigurationService(org.opensaml.core.config.ConfigurationService)
UUID(java.util.UUID)
LogoutRequestBuilder(org.opensaml.saml.saml2.core.impl.LogoutRequestBuilder)
StandardCharsets(java.nio.charset.StandardCharsets)
IssuerBuilder(org.opensaml.saml.saml2.core.impl.IssuerBuilder)
NameIDBuilder(org.opensaml.saml.saml2.core.impl.NameIDBuilder)
SessionIndex(org.opensaml.saml.saml2.core.SessionIndex)
Saml2ParameterNames(org.springframework.security.saml2.core.Saml2ParameterNames)
Element(org.w3c.dom.Element)
Issuer(org.opensaml.saml.saml2.core.Issuer)
Log(org.apache.commons.logging.Log)
LogFactory(org.apache.commons.logging.LogFactory)
Authentication(org.springframework.security.core.Authentication)
Saml2AuthenticatedPrincipal(org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal)
Saml2LogoutRequest(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest)
NameID(org.opensaml.saml.saml2.core.NameID)
Assert(org.springframework.util.Assert)
Issuer(org.opensaml.saml.saml2.core.Issuer)
NameID(org.opensaml.saml.saml2.core.NameID)
Saml2LogoutRequest(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest)
SessionIndex(org.opensaml.saml.saml2.core.SessionIndex)
LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest)
Saml2LogoutRequest(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest)
Saml2AuthenticatedPrincipal(org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal)
Aggregations
Authentication (org.springframework.security.core.Authentication)3
Test (org.junit.jupiter.api.Test)2
Assertion (org.opensaml.saml.saml2.core.Assertion)2
AttributeStatement (org.opensaml.saml.saml2.core.AttributeStatement)2
EncryptedAssertion (org.opensaml.saml.saml2.core.EncryptedAssertion)2
Response (org.opensaml.saml.saml2.core.Response)2
Saml2AuthenticatedPrincipal (org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal)2
CustomOpenSamlObject (org.springframework.security.saml2.provider.service.authentication.TestCustomOpenSamlObjects.CustomOpenSamlObject)2
MidpointAuthentication (com.evolveum.midpoint.authentication.api.config.MidpointAuthentication)1
ModuleAuthentication (com.evolveum.midpoint.authentication.api.config.ModuleAuthentication)1
Saml2ModuleAuthenticationImpl (com.evolveum.midpoint.authentication.impl.module.authentication.Saml2ModuleAuthenticationImpl)1
HttpServletRequest (jakarta.servlet.http.HttpServletRequest)1
StandardCharsets (java.nio.charset.StandardCharsets)1
Instant (java.time.Instant)1
LinkedHashMap (java.util.LinkedHashMap)1
UUID (java.util.UUID)1
BiConsumer (java.util.function.BiConsumer)1
SerializeSupport (net.shibboleth.utilities.java.support.xml.SerializeSupport)1
Log (org.apache.commons.logging.Log)1
LogFactory (org.apache.commons.logging.LogFactory)1
