Example 61 with RelyingPartyRegistration
use of org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration in project midpoint by Evolveum.
the class SamlModuleWebSecurityConfiguration method buildInternal.
private static SamlModuleWebSecurityConfiguration buildInternal(Saml2AuthenticationModuleType modelType, String prefixOfSequence, String publicHttpUrlPattern, ServletRequest request) {
SamlModuleWebSecurityConfiguration configuration = new SamlModuleWebSecurityConfiguration();
build(configuration, modelType, prefixOfSequence);
List<Saml2ServiceProviderAuthenticationModuleType> serviceProviders = modelType.getServiceProvider();
List<RelyingPartyRegistration> registrations = new ArrayList<>();
serviceProviders.forEach(serviceProviderType -> {
Saml2KeyAuthenticationModuleType keysType = serviceProviderType.getKeys();
Saml2ProviderAuthenticationModuleType providerType = serviceProviderType.getIdentityProvider();
RelyingPartyRegistration.Builder registrationBuilder = getRelyingPartyFromMetadata(providerType.getMetadata(), providerType);
SamlAdditionalConfiguration.Builder additionalConfigBuilder = SamlAdditionalConfiguration.builder();
createRelyingPartyRegistration(registrationBuilder, additionalConfigBuilder, providerType, publicHttpUrlPattern, configuration, keysType, serviceProviderType, request);
RelyingPartyRegistration registration = registrationBuilder.build();
registrations.add(registration);
configuration.additionalConfiguration.put(registration.getRegistrationId(), additionalConfigBuilder.build());
});
InMemoryRelyingPartyRegistrationRepository relyingPartyRegistrationRepository = new InMemoryRelyingPartyRegistrationRepository(registrations);
configuration.setRelyingPartyRegistrationRepository(relyingPartyRegistrationRepository);
return configuration;
}
Also used :
RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)
ArrayList(java.util.ArrayList)
InMemoryRelyingPartyRegistrationRepository(org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository)
Example 62 with RelyingPartyRegistration
use of org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration in project spring-security by spring-projects.
the class OpenSamlLogoutResponseResolver method resolve.
Saml2LogoutResponse resolve(HttpServletRequest request, Authentication authentication, BiConsumer<RelyingPartyRegistration, LogoutResponse> logoutResponseConsumer) {
String registrationId = getRegistrationId(authentication);
RelyingPartyRegistration registration = this.relyingPartyRegistrationResolver.resolve(request, registrationId);
if (registration == null) {
return null;
}
if (registration.getAssertingPartyDetails().getSingleLogoutServiceResponseLocation() == null) {
return null;
}
String serialized = request.getParameter(Saml2ParameterNames.SAML_REQUEST);
byte[] b = Saml2Utils.samlDecode(serialized);
LogoutRequest logoutRequest = parse(inflateIfRequired(registration, b));
LogoutResponse logoutResponse = this.logoutResponseBuilder.buildObject();
logoutResponse.setDestination(registration.getAssertingPartyDetails().getSingleLogoutServiceResponseLocation());
Issuer issuer = this.issuerBuilder.buildObject();
issuer.setValue(registration.getEntityId());
logoutResponse.setIssuer(issuer);
StatusCode code = this.statusCodeBuilder.buildObject();
code.setValue(StatusCode.SUCCESS);
Status status = this.statusBuilder.buildObject();
status.setStatusCode(code);
logoutResponse.setStatus(status);
logoutResponse.setInResponseTo(logoutRequest.getID());
if (logoutResponse.getID() == null) {
logoutResponse.setID("LR" + UUID.randomUUID());
}
logoutResponseConsumer.accept(registration, logoutResponse);
Saml2LogoutResponse.Builder result = Saml2LogoutResponse.withRelyingPartyRegistration(registration);
if (registration.getAssertingPartyDetails().getSingleLogoutServiceBinding() == Saml2MessageBinding.POST) {
String xml = serialize(OpenSamlSigningUtils.sign(logoutResponse, registration));
String samlResponse = Saml2Utils.samlEncode(xml.getBytes(StandardCharsets.UTF_8));
result.samlResponse(samlResponse);
if (request.getParameter(Saml2ParameterNames.RELAY_STATE) != null) {
result.relayState(request.getParameter(Saml2ParameterNames.RELAY_STATE));
}
return result.build();
} else {
String xml = serialize(logoutResponse);
String deflatedAndEncoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(xml));
result.samlResponse(deflatedAndEncoded);
QueryParametersPartial partial = OpenSamlSigningUtils.sign(registration).param(Saml2ParameterNames.SAML_RESPONSE, deflatedAndEncoded);
if (request.getParameter(Saml2ParameterNames.RELAY_STATE) != null) {
partial.param(Saml2ParameterNames.RELAY_STATE, request.getParameter(Saml2ParameterNames.RELAY_STATE));
}
return result.parameters((params) -> params.putAll(partial.parameters())).build();
}
}
Also used :
RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)
Status(org.opensaml.saml.saml2.core.Status)
QueryParametersPartial(org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSamlSigningUtils.QueryParametersPartial)
LogoutResponseBuilder(org.opensaml.saml.saml2.core.impl.LogoutResponseBuilder)
HttpServletRequest(jakarta.servlet.http.HttpServletRequest)
OpenSamlInitializationService(org.springframework.security.saml2.core.OpenSamlInitializationService)
LogoutResponse(org.opensaml.saml.saml2.core.LogoutResponse)
Saml2LogoutResponse(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse)
XMLObjectProviderRegistry(org.opensaml.core.xml.config.XMLObjectProviderRegistry)
RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)
Saml2MessageBinding(org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding)
LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest)
Status(org.opensaml.saml.saml2.core.Status)
StatusCode(org.opensaml.saml.saml2.core.StatusCode)
ByteArrayInputStream(java.io.ByteArrayInputStream)
SerializeSupport(net.shibboleth.utilities.java.support.xml.SerializeSupport)
Document(org.w3c.dom.Document)
BiConsumer(java.util.function.BiConsumer)
StatusCodeBuilder(org.opensaml.saml.saml2.core.impl.StatusCodeBuilder)
MarshallingException(org.opensaml.core.xml.io.MarshallingException)
QueryParametersPartial(org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSamlSigningUtils.QueryParametersPartial)
RelyingPartyRegistrationResolver(org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver)
Saml2Exception(org.springframework.security.saml2.Saml2Exception)
ConfigurationService(org.opensaml.core.config.ConfigurationService)
UUID(java.util.UUID)
StandardCharsets(java.nio.charset.StandardCharsets)
XMLObjectProviderRegistrySupport(org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport)
StatusBuilder(org.opensaml.saml.saml2.core.impl.StatusBuilder)
IssuerBuilder(org.opensaml.saml.saml2.core.impl.IssuerBuilder)
ParserPool(net.shibboleth.utilities.java.support.xml.ParserPool)
LogoutResponseMarshaller(org.opensaml.saml.saml2.core.impl.LogoutResponseMarshaller)
Saml2ParameterNames(org.springframework.security.saml2.core.Saml2ParameterNames)
Element(org.w3c.dom.Element)
Issuer(org.opensaml.saml.saml2.core.Issuer)
Log(org.apache.commons.logging.Log)
LogFactory(org.apache.commons.logging.LogFactory)
Authentication(org.springframework.security.core.Authentication)
Saml2AuthenticatedPrincipal(org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal)
LogoutRequestUnmarshaller(org.opensaml.saml.saml2.core.impl.LogoutRequestUnmarshaller)
Assert(org.springframework.util.Assert)
LogoutResponse(org.opensaml.saml.saml2.core.LogoutResponse)
Saml2LogoutResponse(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse)
Issuer(org.opensaml.saml.saml2.core.Issuer)
LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest)
Saml2LogoutResponse(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse)
StatusCode(org.opensaml.saml.saml2.core.StatusCode)
Example 63 with RelyingPartyRegistration
use of org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration in project spring-security by spring-projects.
the class OpenSamlAuthenticationRequestResolver method resolve.
<T extends AbstractSaml2AuthenticationRequest> T resolve(HttpServletRequest request, BiConsumer<RelyingPartyRegistration, AuthnRequest> authnRequestConsumer) {
RequestMatcher.MatchResult result = this.requestMatcher.matcher(request);
if (!result.isMatch()) {
return null;
}
String registrationId = result.getVariables().get("registrationId");
RelyingPartyRegistration registration = this.relyingPartyRegistrationResolver.resolve(request, registrationId);
if (registration == null) {
return null;
}
AuthnRequest authnRequest = this.authnRequestBuilder.buildObject();
authnRequest.setForceAuthn(Boolean.FALSE);
authnRequest.setIsPassive(Boolean.FALSE);
authnRequest.setProtocolBinding(registration.getAssertionConsumerServiceBinding().getUrn());
Issuer iss = this.issuerBuilder.buildObject();
iss.setValue(registration.getEntityId());
authnRequest.setIssuer(iss);
authnRequest.setDestination(registration.getAssertingPartyDetails().getSingleSignOnServiceLocation());
authnRequest.setAssertionConsumerServiceURL(registration.getAssertionConsumerServiceLocation());
authnRequestConsumer.accept(registration, authnRequest);
if (authnRequest.getID() == null) {
authnRequest.setID("ARQ" + UUID.randomUUID().toString().substring(1));
}
String relayState = UUID.randomUUID().toString();
Saml2MessageBinding binding = registration.getAssertingPartyDetails().getSingleSignOnServiceBinding();
if (binding == Saml2MessageBinding.POST) {
if (registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()) {
OpenSamlSigningUtils.sign(authnRequest, registration);
}
String xml = serialize(authnRequest);
String encoded = Saml2Utils.samlEncode(xml.getBytes(StandardCharsets.UTF_8));
return (T) Saml2PostAuthenticationRequest.withRelyingPartyRegistration(registration).samlRequest(encoded).relayState(relayState).build();
} else {
String xml = serialize(authnRequest);
String deflatedAndEncoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(xml));
Saml2RedirectAuthenticationRequest.Builder builder = Saml2RedirectAuthenticationRequest.withRelyingPartyRegistration(registration).samlRequest(deflatedAndEncoded).relayState(relayState);
if (registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()) {
Map<String, String> parameters = OpenSamlSigningUtils.sign(registration).param(Saml2ParameterNames.SAML_REQUEST, deflatedAndEncoded).param(Saml2ParameterNames.RELAY_STATE, relayState).parameters();
builder.sigAlg(parameters.get(Saml2ParameterNames.SIG_ALG)).signature(parameters.get(Saml2ParameterNames.SIGNATURE));
}
return (T) builder.build();
}
}
Also used :
RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)
RequestMatcher(org.springframework.security.web.util.matcher.RequestMatcher)
AntPathRequestMatcher(org.springframework.security.web.util.matcher.AntPathRequestMatcher)
AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest)
Saml2RedirectAuthenticationRequest(org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest)
Issuer(org.opensaml.saml.saml2.core.Issuer)
Saml2MessageBinding(org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding)
Example 64 with RelyingPartyRegistration
use of org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration in project spring-security by spring-projects.
the class OpenSamlLogoutRequestResolver method resolve.
Saml2LogoutRequest resolve(HttpServletRequest request, Authentication authentication, BiConsumer<RelyingPartyRegistration, LogoutRequest> logoutRequestConsumer) {
String registrationId = getRegistrationId(authentication);
RelyingPartyRegistration registration = this.relyingPartyRegistrationResolver.resolve(request, registrationId);
if (registration == null) {
return null;
}
if (registration.getAssertingPartyDetails().getSingleLogoutServiceLocation() == null) {
return null;
}
LogoutRequest logoutRequest = this.logoutRequestBuilder.buildObject();
logoutRequest.setDestination(registration.getAssertingPartyDetails().getSingleLogoutServiceLocation());
Issuer issuer = this.issuerBuilder.buildObject();
issuer.setValue(registration.getEntityId());
logoutRequest.setIssuer(issuer);
NameID nameId = this.nameIdBuilder.buildObject();
nameId.setValue(authentication.getName());
logoutRequest.setNameID(nameId);
if (authentication.getPrincipal() instanceof Saml2AuthenticatedPrincipal) {
Saml2AuthenticatedPrincipal principal = (Saml2AuthenticatedPrincipal) authentication.getPrincipal();
for (String index : principal.getSessionIndexes()) {
SessionIndex sessionIndex = this.sessionIndexBuilder.buildObject();
sessionIndex.setSessionIndex(index);
logoutRequest.getSessionIndexes().add(sessionIndex);
}
}
logoutRequestConsumer.accept(registration, logoutRequest);
if (logoutRequest.getID() == null) {
logoutRequest.setID("LR" + UUID.randomUUID());
}
String relayState = UUID.randomUUID().toString();
Saml2LogoutRequest.Builder result = Saml2LogoutRequest.withRelyingPartyRegistration(registration).id(logoutRequest.getID());
if (registration.getAssertingPartyDetails().getSingleLogoutServiceBinding() == Saml2MessageBinding.POST) {
String xml = serialize(OpenSamlSigningUtils.sign(logoutRequest, registration));
String samlRequest = Saml2Utils.samlEncode(xml.getBytes(StandardCharsets.UTF_8));
return result.samlRequest(samlRequest).relayState(relayState).build();
} else {
String xml = serialize(logoutRequest);
String deflatedAndEncoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(xml));
result.samlRequest(deflatedAndEncoded);
QueryParametersPartial partial = OpenSamlSigningUtils.sign(registration).param(Saml2ParameterNames.SAML_REQUEST, deflatedAndEncoded).param(Saml2ParameterNames.RELAY_STATE, relayState);
return result.parameters((params) -> params.putAll(partial.parameters())).build();
}
}
Also used :
RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)
QueryParametersPartial(org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSamlSigningUtils.QueryParametersPartial)
HttpServletRequest(jakarta.servlet.http.HttpServletRequest)
OpenSamlInitializationService(org.springframework.security.saml2.core.OpenSamlInitializationService)
LogoutRequestMarshaller(org.opensaml.saml.saml2.core.impl.LogoutRequestMarshaller)
XMLObjectProviderRegistry(org.opensaml.core.xml.config.XMLObjectProviderRegistry)
RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)
Saml2MessageBinding(org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding)
LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest)
SerializeSupport(net.shibboleth.utilities.java.support.xml.SerializeSupport)
BiConsumer(java.util.function.BiConsumer)
MarshallingException(org.opensaml.core.xml.io.MarshallingException)
QueryParametersPartial(org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSamlSigningUtils.QueryParametersPartial)
RelyingPartyRegistrationResolver(org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver)
SessionIndexBuilder(org.opensaml.saml.saml2.core.impl.SessionIndexBuilder)
Saml2Exception(org.springframework.security.saml2.Saml2Exception)
ConfigurationService(org.opensaml.core.config.ConfigurationService)
UUID(java.util.UUID)
LogoutRequestBuilder(org.opensaml.saml.saml2.core.impl.LogoutRequestBuilder)
StandardCharsets(java.nio.charset.StandardCharsets)
IssuerBuilder(org.opensaml.saml.saml2.core.impl.IssuerBuilder)
NameIDBuilder(org.opensaml.saml.saml2.core.impl.NameIDBuilder)
SessionIndex(org.opensaml.saml.saml2.core.SessionIndex)
Saml2ParameterNames(org.springframework.security.saml2.core.Saml2ParameterNames)
Element(org.w3c.dom.Element)
Issuer(org.opensaml.saml.saml2.core.Issuer)
Log(org.apache.commons.logging.Log)
LogFactory(org.apache.commons.logging.LogFactory)
Authentication(org.springframework.security.core.Authentication)
Saml2AuthenticatedPrincipal(org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal)
Saml2LogoutRequest(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest)
NameID(org.opensaml.saml.saml2.core.NameID)
Assert(org.springframework.util.Assert)
Issuer(org.opensaml.saml.saml2.core.Issuer)
NameID(org.opensaml.saml.saml2.core.NameID)
Saml2LogoutRequest(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest)
SessionIndex(org.opensaml.saml.saml2.core.SessionIndex)
LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest)
Saml2LogoutRequest(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest)
Saml2AuthenticatedPrincipal(org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal)
Example 65 with RelyingPartyRegistration
use of org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration in project spring-security by spring-projects.
the class OpenSamlSigningUtils method resolveSigningCredentials.
private static List<Credential> resolveSigningCredentials(RelyingPartyRegistration relyingPartyRegistration) {
List<Credential> credentials = new ArrayList<>();
for (Saml2X509Credential x509Credential : relyingPartyRegistration.getSigningX509Credentials()) {
X509Certificate certificate = x509Credential.getCertificate();
PrivateKey privateKey = x509Credential.getPrivateKey();
BasicCredential credential = CredentialSupport.getSimpleCredential(certificate, privateKey);
credential.setEntityId(relyingPartyRegistration.getEntityId());
credential.setUsageType(UsageType.SIGNING);
credentials.add(credential);
}
return credentials;
}
Also used :
BasicCredential(org.opensaml.security.credential.BasicCredential)
Credential(org.opensaml.security.credential.Credential)
Saml2X509Credential(org.springframework.security.saml2.core.Saml2X509Credential)
PrivateKey(java.security.PrivateKey)
ArrayList(java.util.ArrayList)
Saml2X509Credential(org.springframework.security.saml2.core.Saml2X509Credential)
X509Certificate(java.security.cert.X509Certificate)
BasicCredential(org.opensaml.security.credential.BasicCredential)
Aggregations
RelyingPartyRegistration (org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)97
Test (org.junit.jupiter.api.Test)68
MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest)41
Assertions.assertThat (org.assertj.core.api.Assertions.assertThat)36
TestRelyingPartyRegistrations (org.springframework.security.saml2.provider.service.registration.TestRelyingPartyRegistrations)36
Saml2MessageBinding (org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding)34
BDDMockito.given (org.mockito.BDDMockito.given)28
Saml2X509Credential (org.springframework.security.saml2.core.Saml2X509Credential)28
Authentication (org.springframework.security.core.Authentication)26
StandardCharsets (java.nio.charset.StandardCharsets)24
MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse)24
Assertions.assertThatExceptionOfType (org.assertj.core.api.Assertions.assertThatExceptionOfType)23
BeforeEach (org.junit.jupiter.api.BeforeEach)22
Mockito.mock (org.mockito.Mockito.mock)22
LogoutRequest (org.opensaml.saml.saml2.core.LogoutRequest)22
Saml2Exception (org.springframework.security.saml2.Saml2Exception)22
ArgumentMatchers.any (org.mockito.ArgumentMatchers.any)21
Mockito.verify (org.mockito.Mockito.verify)19
MockFilterChain (org.springframework.mock.web.MockFilterChain)19
Saml2Authentication (org.springframework.security.saml2.provider.service.authentication.Saml2Authentication)19
