Example 11 with Saml2MessageBinding
use of org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding in project spring-security by spring-projects.
the class OpenSamlMetadataAssertingPartyDetailsConverter method convert.
RelyingPartyRegistration.AssertingPartyDetails.Builder convert(EntityDescriptor descriptor) {
IDPSSODescriptor idpssoDescriptor = descriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS);
if (idpssoDescriptor == null) {
throw new Saml2Exception("Metadata response is missing the necessary IDPSSODescriptor element");
}
List<Saml2X509Credential> verification = new ArrayList<>();
List<Saml2X509Credential> encryption = new ArrayList<>();
for (KeyDescriptor keyDescriptor : idpssoDescriptor.getKeyDescriptors()) {
if (keyDescriptor.getUse().equals(UsageType.SIGNING)) {
List<X509Certificate> certificates = certificates(keyDescriptor);
for (X509Certificate certificate : certificates) {
verification.add(Saml2X509Credential.verification(certificate));
}
}
if (keyDescriptor.getUse().equals(UsageType.ENCRYPTION)) {
List<X509Certificate> certificates = certificates(keyDescriptor);
for (X509Certificate certificate : certificates) {
encryption.add(Saml2X509Credential.encryption(certificate));
}
}
if (keyDescriptor.getUse().equals(UsageType.UNSPECIFIED)) {
List<X509Certificate> certificates = certificates(keyDescriptor);
for (X509Certificate certificate : certificates) {
verification.add(Saml2X509Credential.verification(certificate));
encryption.add(Saml2X509Credential.encryption(certificate));
}
}
}
if (verification.isEmpty()) {
throw new Saml2Exception("Metadata response is missing verification certificates, necessary for verifying SAML assertions");
}
RelyingPartyRegistration.AssertingPartyDetails.Builder party = OpenSamlAssertingPartyDetails.withEntityDescriptor(descriptor).entityId(descriptor.getEntityID()).wantAuthnRequestsSigned(Boolean.TRUE.equals(idpssoDescriptor.getWantAuthnRequestsSigned())).verificationX509Credentials((c) -> c.addAll(verification)).encryptionX509Credentials((c) -> c.addAll(encryption));
List<SigningMethod> signingMethods = signingMethods(idpssoDescriptor);
for (SigningMethod method : signingMethods) {
party.signingAlgorithms((algorithms) -> algorithms.add(method.getAlgorithm()));
}
if (idpssoDescriptor.getSingleSignOnServices().isEmpty()) {
throw new Saml2Exception("Metadata response is missing a SingleSignOnService, necessary for sending AuthnRequests");
}
for (SingleSignOnService singleSignOnService : idpssoDescriptor.getSingleSignOnServices()) {
Saml2MessageBinding binding;
if (singleSignOnService.getBinding().equals(Saml2MessageBinding.POST.getUrn())) {
binding = Saml2MessageBinding.POST;
} else if (singleSignOnService.getBinding().equals(Saml2MessageBinding.REDIRECT.getUrn())) {
binding = Saml2MessageBinding.REDIRECT;
} else {
continue;
}
party.singleSignOnServiceLocation(singleSignOnService.getLocation()).singleSignOnServiceBinding(binding);
break;
}
for (SingleLogoutService singleLogoutService : idpssoDescriptor.getSingleLogoutServices()) {
Saml2MessageBinding binding;
if (singleLogoutService.getBinding().equals(Saml2MessageBinding.POST.getUrn())) {
binding = Saml2MessageBinding.POST;
} else if (singleLogoutService.getBinding().equals(Saml2MessageBinding.REDIRECT.getUrn())) {
binding = Saml2MessageBinding.REDIRECT;
} else {
continue;
}
String responseLocation = (singleLogoutService.getResponseLocation() == null) ? singleLogoutService.getLocation() : singleLogoutService.getResponseLocation();
party.singleLogoutServiceLocation(singleLogoutService.getLocation()).singleLogoutServiceResponseLocation(responseLocation).singleLogoutServiceBinding(binding);
break;
}
return party;
}
Also used :
X509Certificate(java.security.cert.X509Certificate)
Arrays(java.util.Arrays)
OpenSamlInitializationService(org.springframework.security.saml2.core.OpenSamlInitializationService)
KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor)
XMLObjectProviderRegistry(org.opensaml.core.xml.config.XMLObjectProviderRegistry)
Extensions(org.opensaml.saml.saml2.metadata.Extensions)
ArrayList(java.util.ArrayList)
SigningMethod(org.opensaml.saml.ext.saml2alg.SigningMethod)
SingleSignOnService(org.opensaml.saml.saml2.metadata.SingleSignOnService)
Document(org.w3c.dom.Document)
IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor)
XMLObject(org.opensaml.core.xml.XMLObject)
SAMLConstants(org.opensaml.saml.common.xml.SAMLConstants)
EntitiesDescriptor(org.opensaml.saml.saml2.metadata.EntitiesDescriptor)
UsageType(org.opensaml.security.credential.UsageType)
SingleLogoutService(org.opensaml.saml.saml2.metadata.SingleLogoutService)
Collection(java.util.Collection)
Unmarshaller(org.opensaml.core.xml.io.Unmarshaller)
Saml2Exception(org.springframework.security.saml2.Saml2Exception)
ConfigurationService(org.opensaml.core.config.ConfigurationService)
Saml2X509Credential(org.springframework.security.saml2.core.Saml2X509Credential)
CertificateException(java.security.cert.CertificateException)
KeyInfoSupport(org.opensaml.xmlsec.keyinfo.KeyInfoSupport)
ParserPool(net.shibboleth.utilities.java.support.xml.ParserPool)
List(java.util.List)
Element(org.w3c.dom.Element)
EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor)
InputStream(java.io.InputStream)
IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor)
SingleLogoutService(org.opensaml.saml.saml2.metadata.SingleLogoutService)
KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor)
Saml2X509Credential(org.springframework.security.saml2.core.Saml2X509Credential)
ArrayList(java.util.ArrayList)
SingleSignOnService(org.opensaml.saml.saml2.metadata.SingleSignOnService)
Saml2Exception(org.springframework.security.saml2.Saml2Exception)
X509Certificate(java.security.cert.X509Certificate)
SigningMethod(org.opensaml.saml.ext.saml2alg.SigningMethod)
Example 12 with Saml2MessageBinding
use of org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding in project spring-security by spring-projects.
the class OpenSamlLogoutResponseResolverTests method resolveRedirectWhenAuthenticatedThenSuccess.
@Test
public void resolveRedirectWhenAuthenticatedThenSuccess() {
RelyingPartyRegistration registration = TestRelyingPartyRegistrations.full().build();
MockHttpServletRequest request = new MockHttpServletRequest();
LogoutRequest logoutRequest = TestOpenSamlObjects.assertingPartyLogoutRequest(registration);
request.setParameter(Saml2ParameterNames.SAML_REQUEST, Saml2Utils.samlEncode(OpenSamlSigningUtils.serialize(logoutRequest).getBytes()));
request.setParameter(Saml2ParameterNames.RELAY_STATE, "abcd");
Authentication authentication = authentication(registration);
given(this.relyingPartyRegistrationResolver.resolve(any(), any())).willReturn(registration);
Saml2LogoutResponse saml2LogoutResponse = this.logoutResponseResolver.resolve(request, authentication);
assertThat(saml2LogoutResponse.getParameter(Saml2ParameterNames.SIG_ALG)).isNotNull();
assertThat(saml2LogoutResponse.getParameter(Saml2ParameterNames.SIGNATURE)).isNotNull();
assertThat(saml2LogoutResponse.getParameter(Saml2ParameterNames.RELAY_STATE)).isSameAs("abcd");
Saml2MessageBinding binding = registration.getAssertingPartyDetails().getSingleLogoutServiceBinding();
LogoutResponse logoutResponse = getLogoutResponse(saml2LogoutResponse.getSamlResponse(), binding);
assertThat(logoutResponse.getStatus().getStatusCode().getValue()).isEqualTo(StatusCode.SUCCESS);
}
Also used :
RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)
LogoutResponse(org.opensaml.saml.saml2.core.LogoutResponse)
Saml2LogoutResponse(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse)
MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest)
Saml2Authentication(org.springframework.security.saml2.provider.service.authentication.Saml2Authentication)
Authentication(org.springframework.security.core.Authentication)
Saml2MessageBinding(org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding)
LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest)
Saml2LogoutResponse(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse)
Test(org.junit.jupiter.api.Test)
Example 13 with Saml2MessageBinding
use of org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding in project spring-security by spring-projects.
the class OpenSamlAuthenticationRequestFactory method createAuthenticationRequest.
@Override
@Deprecated
public String createAuthenticationRequest(Saml2AuthenticationRequest request) {
Saml2MessageBinding binding = this.protocolBindingResolver.convert(null);
RelyingPartyRegistration registration = RelyingPartyRegistration.withRegistrationId("noId").assertionConsumerServiceBinding(binding).assertionConsumerServiceLocation(request.getAssertionConsumerServiceUrl()).entityId(request.getIssuer()).remoteIdpEntityId("noIssuer").idpWebSsoUrl("noUrl").credentials((credentials) -> credentials.addAll(request.getCredentials())).build();
Saml2AuthenticationRequestContext context = Saml2AuthenticationRequestContext.builder().relyingPartyRegistration(registration).issuer(request.getIssuer()).assertionConsumerServiceUrl(request.getAssertionConsumerServiceUrl()).build();
AuthnRequest authnRequest = this.authenticationRequestContextConverter.convert(context);
return OpenSamlSigningUtils.serialize(OpenSamlSigningUtils.sign(authnRequest, registration));
}
Also used :
RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)
Converter(org.springframework.core.convert.converter.Converter)
OpenSamlInitializationService(org.springframework.security.saml2.core.OpenSamlInitializationService)
DateTime(org.joda.time.DateTime)
AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest)
ConfigurationService(org.opensaml.core.config.ConfigurationService)
UUID(java.util.UUID)
Instant(java.time.Instant)
StandardCharsets(java.nio.charset.StandardCharsets)
XMLObjectProviderRegistry(org.opensaml.core.xml.config.XMLObjectProviderRegistry)
RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)
IssuerBuilder(org.opensaml.saml.saml2.core.impl.IssuerBuilder)
Saml2MessageBinding(org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding)
AuthnRequestBuilder(org.opensaml.saml.saml2.core.impl.AuthnRequestBuilder)
Saml2ParameterNames(org.springframework.security.saml2.core.Saml2ParameterNames)
Issuer(org.opensaml.saml.saml2.core.Issuer)
Map(java.util.Map)
Clock(java.time.Clock)
SAMLConstants(org.opensaml.saml.common.xml.SAMLConstants)
QueryParametersPartial(org.springframework.security.saml2.provider.service.authentication.OpenSamlSigningUtils.QueryParametersPartial)
Assert(org.springframework.util.Assert)
StringUtils(org.springframework.util.StringUtils)
AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest)
Saml2MessageBinding(org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding)
Example 14 with Saml2MessageBinding
use of org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding in project spring-security by spring-projects.
the class OpenSamlAuthenticationRequestFactory method setProtocolBinding.
/**
* Sets the {@code protocolBinding} to use when generating authentication requests.
* Acceptable values are {@link SAMLConstants#SAML2_POST_BINDING_URI} and
* {@link SAMLConstants#SAML2_REDIRECT_BINDING_URI} The IDP will be reading this value
* in the {@code AuthNRequest} to determine how to send the Response/Assertion to the
* ACS URL, assertion consumer service URL.
* @param protocolBinding either {@link SAMLConstants#SAML2_POST_BINDING_URI} or
* {@link SAMLConstants#SAML2_REDIRECT_BINDING_URI}
* @throws IllegalArgumentException if the protocolBinding is not valid
* @deprecated Use
* {@link org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder#assertionConsumerServiceBinding(Saml2MessageBinding)}
* instead
*/
@Deprecated
public void setProtocolBinding(String protocolBinding) {
Saml2MessageBinding binding = Saml2MessageBinding.from(protocolBinding);
Assert.notNull(binding, "Invalid protocol binding: " + protocolBinding);
this.protocolBindingResolver = (context) -> binding;
}
Also used :
Saml2MessageBinding(org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding)
Example 15 with Saml2MessageBinding
use of org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding in project spring-security by spring-projects.
the class OpenSaml4AuthenticationRequestFactoryTests method getAuthNRequest.
private AuthnRequest getAuthNRequest(Saml2MessageBinding binding) {
AbstractSaml2AuthenticationRequest result = (binding == Saml2MessageBinding.REDIRECT) ? this.factory.createRedirectAuthenticationRequest(this.context) : this.factory.createPostAuthenticationRequest(this.context);
String samlRequest = result.getSamlRequest();
assertThat(samlRequest).isNotEmpty();
if (result.getBinding() == Saml2MessageBinding.REDIRECT) {
samlRequest = Saml2Utils.samlInflate(Saml2Utils.samlDecode(samlRequest));
} else {
samlRequest = new String(Saml2Utils.samlDecode(samlRequest), StandardCharsets.UTF_8);
}
try {
Document document = XMLObjectProviderRegistrySupport.getParserPool().parse(new ByteArrayInputStream(samlRequest.getBytes(StandardCharsets.UTF_8)));
Element element = document.getDocumentElement();
return (AuthnRequest) this.unmarshaller.unmarshall(element);
} catch (Exception ex) {
throw new Saml2Exception(ex);
}
}
Also used :
AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest)
ByteArrayInputStream(java.io.ByteArrayInputStream)
Element(org.w3c.dom.Element)
Document(org.w3c.dom.Document)
Saml2Exception(org.springframework.security.saml2.Saml2Exception)
Saml2Exception(org.springframework.security.saml2.Saml2Exception)
Assertions.assertThatIllegalArgumentException(org.assertj.core.api.Assertions.assertThatIllegalArgumentException)
Aggregations
Saml2MessageBinding (org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding)10
Saml2Exception (org.springframework.security.saml2.Saml2Exception)9
Document (org.w3c.dom.Document)7
Element (org.w3c.dom.Element)7
ByteArrayInputStream (java.io.ByteArrayInputStream)6
RelyingPartyRegistration (org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)6
AuthnRequest (org.opensaml.saml.saml2.core.AuthnRequest)5
LogoutRequest (org.opensaml.saml.saml2.core.LogoutRequest)5
Test (org.junit.jupiter.api.Test)4
StandardCharsets (java.nio.charset.StandardCharsets)3
ArrayList (java.util.ArrayList)3
Issuer (org.opensaml.saml.saml2.core.Issuer)3
LogoutResponse (org.opensaml.saml.saml2.core.LogoutResponse)3
MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest)3
Saml2Authentication (org.springframework.security.saml2.provider.service.authentication.Saml2Authentication)3
Saml2LogoutRequest (org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest)3
HttpServletRequest (jakarta.servlet.http.HttpServletRequest)2
Arrays (java.util.Arrays)2
HashMap (java.util.HashMap)2
Assertions.assertThat (org.assertj.core.api.Assertions.assertThat)2
