Example 26 with SAML2
use of org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.StandardInboundProtocols.SAML2 in project carbon-identity-framework by wso2.
the class SAMLSSOServiceProviderDAOTest method testResourceToObject.
@Test(dataProvider = "ResourceToObjectData")
public void testResourceToObject(Object paramMapObj) throws Exception {
Properties properties = new Properties();
properties.putAll((Map<?, ?>) paramMapObj);
Resource dummyResource = new ResourceImpl();
dummyResource.setProperties(properties);
SAMLSSOServiceProviderDO serviceProviderDO = objUnderTest.resourceToObject(dummyResource);
assertEquals(serviceProviderDO.getIssuer(), dummyResource.getProperty(IdentityRegistryResources.PROP_SAML_SSO_ISSUER), "Issuer Mismatch.");
assertEquals(serviceProviderDO.getAssertionConsumerUrlList(), dummyResource.getPropertyValues(IdentityRegistryResources.PROP_SAML_SSO_ASSERTION_CONS_URLS), "ACS URLs Mismatch");
assertEquals(serviceProviderDO.getDefaultAssertionConsumerUrl(), dummyResource.getProperty(IdentityRegistryResources.PROP_DEFAULT_SAML_SSO_ASSERTION_CONS_URL), "Default ACS URL Mismatch");
assertEquals(serviceProviderDO.getCertAlias(), dummyResource.getProperty(IdentityRegistryResources.PROP_SAML_SSO_ISSUER_CERT_ALIAS), "Cert Alias Mismatch");
assertEquals(serviceProviderDO.getLoginPageURL(), dummyResource.getProperty((IdentityRegistryResources.PROP_SAML_SSO_LOGIN_PAGE_URL)), "Login page url mismatch");
assertEquals(serviceProviderDO.getIssuerQualifier(), dummyResource.getProperty(IdentityRegistryResources.PROP_SAML_SSO_ISSUER_QUALIFIER), "Issuer Qualifier Value Mismatch");
String sigAlg = dummyResource.getProperty(IdentityRegistryResources.PROP_SAML_SSO_SIGNING_ALGORITHM);
if (StringUtils.isBlank(sigAlg)) {
sigAlg = IdentityCoreConstants.XML_SIGNATURE_ALGORITHM_RSA_SHA1_URI;
}
assertEquals(serviceProviderDO.getSigningAlgorithmUri(), sigAlg, "Sign algorithm mismatch");
assertEquals(serviceProviderDO.isAssertionQueryRequestProfileEnabled(), Boolean.parseBoolean(dummyResource.getProperty((IdentityRegistryResources.PROP_SAML_SSO_ASSERTION_QUERY_REQUEST_PROFILE_ENABLED))), "Query profile enable mismatch");
assertEquals(serviceProviderDO.getSupportedAssertionQueryRequestTypes(), dummyResource.getProperty((IdentityRegistryResources.PROP_SAML_SSO_SUPPORTED_ASSERTION_QUERY_REQUEST_TYPES)), "Query request " + "type mismatch");
assertEquals(serviceProviderDO.isEnableSAML2ArtifactBinding(), Boolean.parseBoolean(dummyResource.getProperty((IdentityRegistryResources.PROP_SAML_SSO_ENABLE_SAML2_ARTIFACT_BINDING))), "SAML2 artifact binding enable mismatch");
String digestAlg = dummyResource.getProperty(IdentityRegistryResources.PROP_SAML_SSO_DIGEST_ALGORITHM);
if (StringUtils.isBlank(digestAlg)) {
digestAlg = IdentityCoreConstants.XML_DIGEST_ALGORITHM_SHA1;
}
assertEquals(serviceProviderDO.getDigestAlgorithmUri(), digestAlg, "Digest algorithm mismatch");
String asEncAlg = dummyResource.getProperty(IdentityRegistryResources.PROP_SAML_SSO_ASSERTION_ENCRYPTION_ALGORITHM);
if (StringUtils.isBlank(asEncAlg)) {
asEncAlg = IdentityCoreConstants.XML_ASSERTION_ENCRYPTION_ALGORITHM_AES256;
}
assertEquals(serviceProviderDO.getAssertionEncryptionAlgorithmUri(), asEncAlg, "Assertion encryption " + "algorithm mismatch");
String keyEncAlg = dummyResource.getProperty(IdentityRegistryResources.PROP_SAML_SSO_KEY_ENCRYPTION_ALGORITHM);
if (StringUtils.isBlank(keyEncAlg)) {
keyEncAlg = IdentityCoreConstants.XML_KEY_ENCRYPTION_ALGORITHM_RSAOAEP;
}
assertEquals(serviceProviderDO.getKeyEncryptionAlgorithmUri(), keyEncAlg, "Key encryption " + "algorithm mismatch");
assertEquals(serviceProviderDO.isDoSingleLogout(), Boolean.parseBoolean(dummyResource.getProperty((IdentityRegistryResources.PROP_SAML_SSO_DO_SINGLE_LOGOUT))), "Is SLO enabled mismatch");
assertEquals(serviceProviderDO.isDoSignAssertions(), Boolean.parseBoolean(dummyResource.getProperty((IdentityRegistryResources.PROP_SAML_SSO_DO_SIGN_ASSERTIONS))), "Is sign assertions mismatch");
assertEquals(serviceProviderDO.isEnableAttributesByDefault(), Boolean.parseBoolean(dummyResource.getProperty((IdentityRegistryResources.PROP_SAML_SSO_ENABLE_ATTRIBUTES_BY_DEFAULT))), "Enable attributes " + "by default mismatch");
assertEquals(serviceProviderDO.isIdPInitSSOEnabled(), Boolean.parseBoolean(dummyResource.getProperty((IdentityRegistryResources.PROP_SAML_SSO_IDP_INIT_SSO_ENABLED))), "Idp SSO enabled mismatch");
assertEquals(serviceProviderDO.isIdPInitSLOEnabled(), Boolean.parseBoolean(dummyResource.getProperty((IdentityRegistryResources.PROP_SAML_SLO_IDP_INIT_SLO_ENABLED))), "Idp SLO enabled mismatch");
assertEquals(serviceProviderDO.isDoEnableEncryptedAssertion(), Boolean.parseBoolean(dummyResource.getProperty((IdentityRegistryResources.PROP_SAML_SSO_ENABLE_ENCRYPTED_ASSERTION))), "Assertion encrypted mismatch");
assertEquals(serviceProviderDO.isDoValidateSignatureInRequests(), Boolean.parseBoolean(dummyResource.getProperty((IdentityRegistryResources.PROP_SAML_SSO_VALIDATE_SIGNATURE_IN_REQUESTS))));
assertEquals(serviceProviderDO.isDoValidateSignatureInArtifactResolve(), Boolean.parseBoolean(dummyResource.getProperty((IdentityRegistryResources.PROP_SAML_SSO_VALIDATE_SIGNATURE_IN_ARTIFACT_RESOLVE))));
assertEquals(serviceProviderDO.getNameIDFormat(), dummyResource.getProperty(IdentityRegistryResources.PROP_SAML_SSO_NAMEID_FORMAT), "Name id format Mismatch.");
assertEquals(serviceProviderDO.getNameIdClaimUri(), dummyResource.getProperty(IdentityRegistryResources.PROP_SAML_SSO_NAMEID_CLAIMURI), "Name id claim URI Mismatch.");
assertEquals(serviceProviderDO.getSloResponseURL(), dummyResource.getProperty(IdentityRegistryResources.PROP_SAML_SLO_RESPONSE_URL), "SLO response URL Mismatch.");
assertEquals(serviceProviderDO.getSloRequestURL(), dummyResource.getProperty(IdentityRegistryResources.PROP_SAML_SLO_REQUEST_URL), "SLO req url Mismatch.");
assertEquals(serviceProviderDO.isSamlECP(), Boolean.parseBoolean(dummyResource.getProperty(IdentityRegistryResources.PROP_SAML_ENABLE_ECP)), "ECP enabled mismatch");
if (dummyResource.getPropertyValues(IdentityRegistryResources.PROP_SAML_SSO_REQUESTED_CLAIMS) == null) {
assertTrue(serviceProviderDO.getRequestedClaimsList().isEmpty(), "Requested claims should be empty");
} else {
assertEquals(serviceProviderDO.getRequestedClaimsList(), dummyResource.getPropertyValues(IdentityRegistryResources.PROP_SAML_SSO_REQUESTED_CLAIMS), "Requested claim Mismatch.");
}
if (dummyResource.getPropertyValues(IdentityRegistryResources.PROP_SAML_SSO_REQUESTED_AUDIENCES) == null) {
assertTrue(serviceProviderDO.getRequestedAudiencesList().isEmpty(), "Audience should be empty");
} else {
assertEquals(serviceProviderDO.getRequestedAudiencesList(), dummyResource.getPropertyValues(IdentityRegistryResources.PROP_SAML_SSO_REQUESTED_AUDIENCES), "Audience Mismatch.");
}
if (dummyResource.getPropertyValues(IdentityRegistryResources.PROP_SAML_IDP_INIT_SLO_RETURN_URLS) == null) {
assertTrue(serviceProviderDO.getIdpInitSLOReturnToURLList().isEmpty(), "SLO return URL should be empty");
} else {
assertEquals(serviceProviderDO.getIdpInitSLOReturnToURLList(), dummyResource.getPropertyValues(IdentityRegistryResources.PROP_SAML_IDP_INIT_SLO_RETURN_URLS), "SLO return URL Mismatch.");
}
if (dummyResource.getPropertyValues(IdentityRegistryResources.PROP_SAML_SSO_REQUESTED_RECIPIENTS) == null) {
assertTrue(serviceProviderDO.getRequestedRecipientsList().isEmpty(), "Recipients should be empty");
} else {
assertEquals(serviceProviderDO.getRequestedRecipientsList(), dummyResource.getPropertyValues(IdentityRegistryResources.PROP_SAML_SSO_REQUESTED_RECIPIENTS), "Recipient Mismatch.");
}
if (dummyResource.getPropertyValues(IdentityRegistryResources.PROP_SAML_SSO_ATTRIB_CONSUMING_SERVICE_INDEX) == null) {
dummyResource.setProperty(IdentityRegistryResources.PROP_SAML_SSO_ATTRIB_CONSUMING_SERVICE_INDEX, StringUtils.EMPTY);
}
assertEquals(serviceProviderDO.getAttributeConsumingServiceIndex(), dummyResource.getProperty(IdentityRegistryResources.PROP_SAML_SSO_ATTRIB_CONSUMING_SERVICE_INDEX), "Attrib consuming service " + "index Mismatch.");
assertEquals(serviceProviderDO.getIdpEntityIDAlias(), dummyResource.getProperty(IdentityRegistryResources.PROP_SAML_SSO_IDP_ENTITY_ID_ALIAS), "IdP Entity ID Alias Mismatch.");
}
Also used :
SAMLSSOServiceProviderDO(org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO)
ResourceImpl(org.wso2.carbon.registry.core.ResourceImpl)
Resource(org.wso2.carbon.registry.core.Resource)
Properties(java.util.Properties)
Test(org.testng.annotations.Test)
PrepareForTest(org.powermock.core.classloader.annotations.PrepareForTest)
Example 27 with SAML2
use of org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.StandardInboundProtocols.SAML2 in project identity-inbound-auth-oauth by wso2-extensions.
the class OAuthServerConfiguration method buildOAuthServerConfiguration.
private void buildOAuthServerConfiguration() {
IdentityConfigParser configParser = IdentityConfigParser.getInstance();
OMElement oauthElem = configParser.getConfigElement(CONFIG_ELEM_OAUTH);
if (oauthElem == null) {
warnOnFaultyConfiguration("OAuth element is not available.");
return;
}
// read callback handler configurations
parseOAuthCallbackHandlers(oauthElem.getFirstChildWithName(getQNameWithIdentityNS(ConfigElements.OAUTH_CALLBACK_HANDLERS)));
// get the token validators by type
parseTokenValidators(oauthElem.getFirstChildWithName(getQNameWithIdentityNS(ConfigElements.TOKEN_VALIDATORS)));
// Get the configured jdbc scope validator
OMElement scopeValidatorElem = oauthElem.getFirstChildWithName(getQNameWithIdentityNS(ConfigElements.SCOPE_VALIDATOR));
// Get the configured scope validators
OMElement scopeValidatorsElem = oauthElem.getFirstChildWithName(getQNameWithIdentityNS(ConfigElements.SCOPE_VALIDATORS));
// Get the configured scopeValidationEnabledConfigValue.
OMElement scopeValidationElem = oauthElem.getFirstChildWithName(getQNameWithIdentityNS(ConfigElements.SCOPE_VALIDATION_FOR_AUTHZ_CODE_AND_IMPLICIT));
if (scopeValidationElem != null) {
scopeValidationConfigValue = Boolean.parseBoolean(scopeValidationElem.getText());
}
if (scopeValidatorElem != null) {
parseScopeValidator(scopeValidatorElem);
} else if (scopeValidatorsElem != null) {
parseScopeValidator(scopeValidatorsElem);
}
// Get the configured scope handlers
OMElement scopeHandlersElem = oauthElem.getFirstChildWithName(getQNameWithIdentityNS(ConfigElements.SCOPE_HANDLERS));
if (scopeHandlersElem != null) {
parseScopeHandlers(scopeHandlersElem);
}
// read default timeout periods
parseDefaultValidityPeriods(oauthElem);
// read OAuth URLs
parseOAuthURLs(oauthElem);
// read token renewal per request config.
// if enabled access token and refresh token will be renewed for each token endpoint call.
parseTokenRenewalPerRequestConfiguration(oauthElem);
// read refresh token renewal config
parseRefreshTokenRenewalConfiguration(oauthElem);
// read token persistence processor config
parseTokenPersistenceProcessorConfig(oauthElem);
// read supported grant types
parseSupportedGrantTypesConfig(oauthElem);
// Read <UserConsentEnabledGrantTypes> under <OAuth> tag and populate data.
parseUserConsentEnabledGrantTypesConfig(oauthElem);
// read supported response types
parseSupportedResponseTypesConfig(oauthElem);
// read supported response types
parseSupportedClientAuthHandlersConfig(oauthElem.getFirstChildWithName(getQNameWithIdentityNS(ConfigElements.CLIENT_AUTH_HANDLERS)));
// read SAML2 grant config
parseSAML2GrantConfig(oauthElem);
// read JWT generator config
parseAuthorizationContextTokenGeneratorConfig(oauthElem);
// read the assertions user name config
parseEnableAssertionsUserNameConfig(oauthElem);
// read access token partitioning config
parseAccessTokenPartitioningConfig(oauthElem);
// read access token partitioning domains config
parseAccessTokenPartitioningDomainsConfig(oauthElem);
// read openid connect configurations
parseOpenIDConnectConfig(oauthElem);
// parse OAuth 2.0 token generator
parseOAuthTokenGeneratorConfig(oauthElem);
// parse OAuth2 implicit grant error in fragment property for backward compatibility
parseImplicitErrorFragment(oauthElem);
// parse identity OAuth 2.0 token generator
parseOAuthTokenIssuerConfig(oauthElem);
// parse client is validation regex pattern
parseClientIdValidationRegex(oauthElem);
// Parse Persist Access Token Alias element.
parsePersistAccessTokenAliasConfig(oauthElem);
// read supported token types
parseSupportedTokenTypesConfig(oauthElem);
// Parse token value generator class name.
parseOAuthTokenValueGenerator(oauthElem);
// Parse values of DeviceCodeGrant config.
parseOAuthDeviceCodeGrantConfig(oauthElem);
// Read the value of UseSPTenantDomain config.
parseUseSPTenantDomainConfig(oauthElem);
parseRevokeResponseHeadersEnableConfig(oauthElem);
parseShowDisplayNameInConsentPage(oauthElem);
// read hash algorithm type config
parseHashAlgorithm(oauthElem);
// read hash mode config
parseEnableHashMode(oauthElem);
// Read the value of retain Access Tokens config. If true old token will be stored in Audit table else drop it.
parseRetainOldAccessTokensConfig(oauthElem);
// Read the value of old Access Tokens cleanup enable config. If true cleanup feature will be enable.
tokenCleanupFeatureConfig(oauthElem);
// Read token introspection related configurations.
parseTokenIntrospectionConfig(oauthElem);
// Read the property for error redirection URI
parseRedirectToOAuthErrorPageConfig(oauthElem);
// Read config for allowed scopes.
parseAllowedScopesConfiguration(oauthElem);
// Read config for filtered claims for introspection response.
parseFilteredClaimsForIntrospectionConfiguration(oauthElem);
// Read config for dropping unregistered scopes.
parseDropUnregisteredScopes(oauthElem);
}
Also used :
IdentityConfigParser(org.wso2.carbon.identity.core.util.IdentityConfigParser)
OMElement(org.apache.axiom.om.OMElement)
Example 28 with SAML2
use of org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.StandardInboundProtocols.SAML2 in project identity-inbound-auth-oauth by wso2-extensions.
the class SAML1BearerGrantHandler method validateGrant.
/**
* We're validating the SAML token that we receive from the request. Through the assertion parameter is the POST
* request. A request format that we handle here looks like,
* <p/>
* POST /token.oauth2 HTTP/1.1
* Host: as.example.com
* Content-Type: application/x-www-form-urlencoded
* <p/>
* grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml1-bearer&
* assertion=PHNhbWxwOl...[omitted for brevity]...ZT4
*
* @param tokReqMsgCtx Token message request context
* @return true if validation is successful, false otherwise
* @throws org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception
*/
@Override
public boolean validateGrant(OAuthTokenReqMessageContext tokReqMsgCtx) throws IdentityOAuth2Exception {
boolean validGrant = super.validateGrant(tokReqMsgCtx);
Assertion assertion;
IdentityProvider identityProvider = null;
String tokenEndpointAlias = null;
String tenantDomain = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getTenantDomain();
if (tenantDomain == null || "".equals(tenantDomain)) {
tenantDomain = MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
}
RequestParameter[] requestParameters = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getRequestParameters();
for (RequestParameter requestParameter : requestParameters) {
if (requestParameter.getKey().equals("assertion")) {
String[] values = requestParameter.getValue();
tokReqMsgCtx.getOauth2AccessTokenReqDTO().setAssertion(values[0]);
break;
}
}
if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable(IdentityConstants.IdentityTokens.SAML_ASSERTION)) {
log.debug("Received SAML assertion : " + new String(Base64.decodeBase64(tokReqMsgCtx.getOauth2AccessTokenReqDTO().getAssertion()), StandardCharsets.UTF_8));
}
try {
XMLObject samlObject = UnmarshallUtils.unmarshall(new String(Base64.decodeBase64(tokReqMsgCtx.getOauth2AccessTokenReqDTO().getAssertion()), StandardCharsets.UTF_8));
// Validating for multiple assertions
NodeList assertionList = samlObject.getDOM().getElementsByTagNameNS(SAMLConstants.SAML1_NS, "Assertion");
if (assertionList.getLength() > 0) {
if (log.isDebugEnabled()) {
log.debug("Invalid schema for SAML Assertion. Nested assertions detected.");
}
return false;
}
if (samlObject instanceof Assertion) {
assertion = (Assertion) samlObject;
} else {
if (log.isDebugEnabled()) {
log.debug("Only Assertion objects are validated in SAML1Bearer Grant Type");
}
return false;
}
} catch (IdentityUnmarshallingException e) {
if (log.isDebugEnabled()) {
log.debug("Error occurred while unmarshalling SAML1.0 assertion", e);
}
return false;
}
/*
* The Assertion MUST contain a <Subject> element. The subject MAY identify the resource owner for whom
* the access token is being requested. For client authentication, the Subject MUST be the "client_id"
* of the OAuth client. When using an Assertion as an authorization grant, the Subject SHOULD identify
* an authorized accessor for whom the access token is being requested (typically the resource owner, or
* an authorized delegate). Additional information identifying the subject/principal of the transaction
* MAY be included in an <AttributeStatement>.
*/
List<AuthenticationStatement> authenticationStatements = assertion.getAuthenticationStatements();
Subject subject;
if (authenticationStatements != null && authenticationStatements.size() > 0) {
AuthenticationStatement authenticationStatement = authenticationStatements.get(0);
subject = authenticationStatement.getSubject();
if (subject != null) {
String resourceOwnerUserName = subject.getNameIdentifier().getNameIdentifier();
if (resourceOwnerUserName == null || resourceOwnerUserName.equals("")) {
if (log.isDebugEnabled()) {
log.debug("NameID in Assertion cannot be empty");
}
return false;
}
AuthenticatedUser user = OAuth2Util.getUserFromUserName(resourceOwnerUserName);
user.setAuthenticatedSubjectIdentifier(resourceOwnerUserName);
user.setFederatedUser(true);
tokReqMsgCtx.setAuthorizedUser(user);
if (log.isDebugEnabled()) {
log.debug("Resource Owner User Name is set to " + resourceOwnerUserName);
}
} else {
if (log.isDebugEnabled()) {
log.debug("Subject element cannot be empty.");
}
return false;
}
} else {
if (log.isDebugEnabled()) {
log.debug("Authentication Statement cannot be empty");
}
return false;
}
if (assertion.getIssuer() == null || assertion.getIssuer().isEmpty()) {
if (log.isDebugEnabled()) {
log.debug("Issuer is empty in the SAML assertion");
}
return false;
} else {
try {
if (log.isDebugEnabled()) {
log.debug("Issuer is :" + assertion.getIssuer());
}
identityProvider = IdentityProviderManager.getInstance().getIdPByAuthenticatorPropertyValue("IdPEntityId", assertion.getIssuer(), tenantDomain, false);
// resident IDP entitiID == issuer
if (identityProvider != null) {
if (IdentityApplicationConstants.RESIDENT_IDP_RESERVED_NAME.equals(identityProvider.getIdentityProviderName())) {
identityProvider = IdentityProviderManager.getInstance().getResidentIdP(tenantDomain);
FederatedAuthenticatorConfig[] fedAuthnConfigs = identityProvider.getFederatedAuthenticatorConfigs();
String idpEntityId = null;
// Get SAML authenticator
FederatedAuthenticatorConfig samlAuthenticatorConfig = IdentityApplicationManagementUtil.getFederatedAuthenticator(fedAuthnConfigs, IdentityApplicationConstants.Authenticator.SAML2SSO.NAME);
// Get Entity ID from SAML authenticator
Property samlProperty = IdentityApplicationManagementUtil.getProperty(samlAuthenticatorConfig.getProperties(), IdentityApplicationConstants.Authenticator.SAML2SSO.IDP_ENTITY_ID);
if (samlProperty != null) {
idpEntityId = samlProperty.getValue();
}
if (idpEntityId == null || !assertion.getIssuer().equals(idpEntityId)) {
if (log.isDebugEnabled()) {
log.debug("SAML Token Issuer verification failed or Issuer not registered");
}
return false;
}
// Get OpenIDConnect authenticator == OAuth
// authenticator
FederatedAuthenticatorConfig oauthAuthenticatorConfig = IdentityApplicationManagementUtil.getFederatedAuthenticator(fedAuthnConfigs, IdentityApplicationConstants.Authenticator.OIDC.NAME);
// Get OAuth token endpoint
Property oauthProperty = IdentityApplicationManagementUtil.getProperty(oauthAuthenticatorConfig.getProperties(), IdentityApplicationConstants.Authenticator.OIDC.OAUTH2_TOKEN_URL);
if (oauthProperty != null) {
tokenEndpointAlias = oauthProperty.getValue();
}
} else {
// Get Alias from Federated IDP
tokenEndpointAlias = identityProvider.getAlias();
}
} else {
if (log.isDebugEnabled()) {
log.debug("SAML Token Issuer verification failed or Issuer not registered");
}
return false;
}
} catch (IdentityProviderManagementException e) {
if (log.isDebugEnabled()) {
log.debug("Error while getting Federated Identity Provider ", e);
}
}
}
if (audienceRestrictionValidationEnabled) {
if (tokenEndpointAlias == null || tokenEndpointAlias.equals("")) {
String errorMsg = "Token Endpoint alias of the local Identity Provider has not been " + "configured for " + identityProvider.getIdentityProviderName();
if (log.isDebugEnabled()) {
log.debug(errorMsg);
}
return false;
}
Conditions conditions = assertion.getConditions();
if (conditions != null) {
List<AudienceRestrictionCondition> audienceRestrictions = conditions.getAudienceRestrictionConditions();
if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) {
boolean audienceFound = false;
for (AudienceRestrictionCondition audienceRestriction : audienceRestrictions) {
if (audienceRestriction.getAudiences() != null && audienceRestriction.getAudiences().size() > 0) {
for (Audience audience : audienceRestriction.getAudiences()) {
if (audience.getUri().equals(tokenEndpointAlias)) {
audienceFound = true;
break;
}
}
}
if (audienceFound) {
break;
}
}
if (!audienceFound) {
if (log.isDebugEnabled()) {
log.debug("SAML Assertion Audience Restriction validation failed");
}
return false;
}
} else {
if (log.isDebugEnabled()) {
log.debug("SAML Assertion doesn't contain AudienceRestrictions");
}
return false;
}
} else {
if (log.isDebugEnabled()) {
log.debug("SAML Assertion doesn't contain Conditions");
}
return false;
}
}
/*
* The Assertion MUST have an expiry that limits the time window during which it can be used. The expiry
* can be expressed either as the NotOnOrAfter attribute of the <Conditions> element or as the NotOnOrAfter
* attribute of a suitable <SubjectConfirmationData> element.
*/
/*
* The <Subject> element MUST contain at least one <SubjectConfirmation> element that allows the
* authorization server to confirm it as a Bearer Assertion. Such a <SubjectConfirmation> element MUST
* have a Method attribute with a value of "urn:oasis:names:tc:SAML:1.0:cm:bearer". The
* <SubjectConfirmation> element MUST contain a <SubjectConfirmationData> element, unless the Assertion
* has a suitable NotOnOrAfter attribute on the <Conditions> element, in which case the
* <SubjectConfirmationData> element MAY be omitted.
* The <SubjectConfirmationData> element MUST have a NotOnOrAfter attribute that limits the window during
* which the Assertion can be confirmed. The <SubjectConfirmationData> element MAY also contain an Address
* attribute limiting the client address from which the Assertion can be delivered. Verification of the
* Address is at the discretion of the authorization server.
*/
DateTime notOnOrAfterFromConditions = null;
Set<DateTime> notOnOrAfterFromSubjectConfirmations = new HashSet<DateTime>();
boolean bearerFound = false;
if (assertion.getConditions() != null && assertion.getConditions().getNotOnOrAfter() != null) {
notOnOrAfterFromConditions = assertion.getConditions().getNotOnOrAfter();
}
SubjectConfirmation subjectConfirmation = subject.getSubjectConfirmation();
List<ConfirmationMethod> confirmationMethods = subjectConfirmation.getConfirmationMethods();
for (ConfirmationMethod confirmationMethod : confirmationMethods) {
if (OAuthConstants.OAUTH_SAML1_BEARER_METHOD.equals(confirmationMethod.getConfirmationMethod())) {
bearerFound = true;
}
}
if (!bearerFound) {
if (log.isDebugEnabled()) {
log.debug("Cannot find a subject confirmation with method " + OAuthConstants.OAUTH_SAML1_BEARER_METHOD + " in subject confirmation " + subject.getSubjectConfirmation());
}
return false;
}
XMLObject confirmationData = subject.getSubjectConfirmation().getSubjectConfirmationData();
if (confirmationData == null) {
log.warn("Subject confirmation data is missing.");
}
/*
* The authorization server MUST verify that the NotOnOrAfter instant has not passed, subject to allowable
* clock skew between systems. An invalid NotOnOrAfter instant on the <Conditions> element invalidates
* the entire Assertion. An invalid NotOnOrAfter instant on a <SubjectConfirmationData> element only
* invalidates the individual <SubjectConfirmation>. The authorization server MAY reject Assertions with
* a NotOnOrAfter instant that is unreasonably far in the future. The authorization server MAY ensure
* that Bearer Assertions are not replayed, by maintaining the set of used ID values for the length of
* time for which the Assertion would be considered valid based on the applicable NotOnOrAfter instant.
*/
long timestampSkewInMillis = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * 1000;
if (notOnOrAfterFromConditions != null && notOnOrAfterFromConditions.plus(timestampSkewInMillis).isBeforeNow()) {
// notOnOrAfter is an expired timestamp
if (log.isDebugEnabled()) {
log.debug("NotOnOrAfter is having an expired timestamp in Conditions element");
}
return false;
}
boolean validSubjectConfirmationDataExists = false;
if (!notOnOrAfterFromSubjectConfirmations.isEmpty()) {
for (DateTime entry : notOnOrAfterFromSubjectConfirmations) {
if (entry.plus(timestampSkewInMillis).isAfterNow()) {
validSubjectConfirmationDataExists = true;
}
}
}
if (notOnOrAfterFromConditions == null && !validSubjectConfirmationDataExists) {
if (log.isDebugEnabled()) {
log.debug("No valid NotOnOrAfter element found in SubjectConfirmations");
}
return false;
}
try {
profileValidator.validate(assertion.getSignature());
} catch (SignatureException e) {
// Indicates signature did not conform to SAML1.0 Signature profile
if (log.isDebugEnabled()) {
log.debug("Signature did not conform to SAML1.0 Signature profile", e);
}
return false;
}
X509Certificate x509Certificate = null;
try {
x509Certificate = (X509Certificate) IdentityApplicationManagementUtil.decodeCertificate(identityProvider.getCertificate());
} catch (CertificateException e) {
String message = "Error occurred while decoding public certificate of Identity Provider " + identityProvider.getIdentityProviderName() + " for tenant domain " + tenantDomain;
throw new IdentityOAuth2Exception(message, e);
}
try {
X509Credential x509Credential = new X509CredentialImpl(x509Certificate);
SignatureValidator.validate(assertion.getSignature(), x509Credential);
if (log.isDebugEnabled()) {
log.debug("Signature validation successful");
}
} catch (SignatureException e) {
if (log.isDebugEnabled()) {
log.debug("Signature validation failure:" + e.getMessage(), e);
}
return false;
}
tokReqMsgCtx.setScope(tokReqMsgCtx.getOauth2AccessTokenReqDTO().getScope());
// Storing the Assertion. This will be used in OpenID Connect for example
tokReqMsgCtx.addProperty(OAuthConstants.OAUTH_SAML2_ASSERTION, assertion);
// Invoking extension
SAML2TokenCallbackHandler callback = OAuthServerConfiguration.getInstance().getSAML2TokenCallbackHandler();
if (callback != null) {
if (log.isDebugEnabled()) {
log.debug("Invoking the SAML2 Token callback handler");
}
callback.handleSAML2Token(tokReqMsgCtx);
}
return validGrant;
}
Also used :
FederatedAuthenticatorConfig(org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig)
ConfirmationMethod(org.opensaml.saml.saml1.core.ConfirmationMethod)
CertificateException(java.security.cert.CertificateException)
IdentityUnmarshallingException(org.wso2.carbon.identity.saml.common.util.exception.IdentityUnmarshallingException)
SignatureException(org.opensaml.xmlsec.signature.support.SignatureException)
AuthenticatedUser(org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser)
AuthenticationStatement(org.opensaml.saml.saml1.core.AuthenticationStatement)
Conditions(org.opensaml.saml.saml1.core.Conditions)
DateTime(org.joda.time.DateTime)
SubjectConfirmation(org.opensaml.saml.saml1.core.SubjectConfirmation)
IdentityOAuth2Exception(org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception)
X509CredentialImpl(org.wso2.carbon.identity.oauth2.util.X509CredentialImpl)
AudienceRestrictionCondition(org.opensaml.saml.saml1.core.AudienceRestrictionCondition)
Property(org.wso2.carbon.identity.application.common.model.Property)
HashSet(java.util.HashSet)
Audience(org.opensaml.saml.saml1.core.Audience)
RequestParameter(org.wso2.carbon.identity.oauth2.model.RequestParameter)
NodeList(org.w3c.dom.NodeList)
Assertion(org.opensaml.saml.saml1.core.Assertion)
XMLObject(org.opensaml.core.xml.XMLObject)
IdentityProvider(org.wso2.carbon.identity.application.common.model.IdentityProvider)
Subject(org.opensaml.saml.saml1.core.Subject)
X509Certificate(java.security.cert.X509Certificate)
X509Credential(org.opensaml.security.x509.X509Credential)
IdentityProviderManagementException(org.wso2.carbon.idp.mgt.IdentityProviderManagementException)
Example 29 with SAML2
use of org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.StandardInboundProtocols.SAML2 in project identity-inbound-auth-oauth by wso2-extensions.
the class SAML2BearerGrantHandler method createLegacyUser.
/**
* This method is setting the username removing the domain name without checking whether the user is federated
* or not. This fix has done for support backward capability.
*
* @param tokReqMsgCtx Token request message context.
* @param assertion SAML2 Assertion.
*/
protected void createLegacyUser(OAuthTokenReqMessageContext tokReqMsgCtx, Assertion assertion) throws IdentityOAuth2Exception {
String tenantDomain = getTenantDomain(tokReqMsgCtx);
IdentityProvider identityProvider = getIdentityProvider(assertion, tenantDomain);
// Check whether NameID value is null before call this method.
String resourceOwnerUserName = getUserId(tokReqMsgCtx, identityProvider, assertion);
AuthenticatedUser user = OAuth2Util.getUserFromUserName(resourceOwnerUserName);
user.setAuthenticatedSubjectIdentifier(resourceOwnerUserName);
user.setFederatedUser(true);
user.setFederatedIdPName(getIdentityProvider(assertion, getTenantDomain(tokReqMsgCtx)).getIdentityProviderName());
tokReqMsgCtx.setAuthorizedUser(user);
}
Also used :
IdentityProvider(org.wso2.carbon.identity.application.common.model.IdentityProvider)
AuthenticatedUser(org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser)
Example 30 with SAML2
use of org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.StandardInboundProtocols.SAML2 in project identity-inbound-auth-oauth by wso2-extensions.
the class SAML2BearerGrantHandler method setFederatedUser.
/**
* Build and set Federated User Object.
* @param tokReqMsgCtx Token request message context.
* @param assertion SAML2 Assertion.
* @param tenantDomain Tenant Domain.
*/
protected void setFederatedUser(OAuthTokenReqMessageContext tokReqMsgCtx, Assertion assertion, String tenantDomain) throws IdentityOAuth2Exception {
IdentityProvider identityProvider = getIdentityProvider(assertion, tenantDomain);
String subjectIdentifier = getUserId(tokReqMsgCtx, identityProvider, assertion);
if (log.isDebugEnabled()) {
log.debug("Setting federated user : " + subjectIdentifier + ". with SP tenant domain : " + tenantDomain);
}
AuthenticatedUser user = AuthenticatedUser.createFederateAuthenticatedUserFromSubjectIdentifier(subjectIdentifier);
user.setUserName(subjectIdentifier);
user.setFederatedIdPName(getIdentityProvider(assertion, getTenantDomain(tokReqMsgCtx)).getIdentityProviderName());
tokReqMsgCtx.setAuthorizedUser(user);
}
Also used :
IdentityProvider(org.wso2.carbon.identity.application.common.model.IdentityProvider)
AuthenticatedUser(org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser)
Aggregations
Test (org.testng.annotations.Test)16
InboundAuthenticationRequestConfig (org.wso2.carbon.identity.application.common.model.xsd.InboundAuthenticationRequestConfig)14
HttpResponse (org.apache.http.HttpResponse)11
IOException (java.io.IOException)10
RemoteException (java.rmi.RemoteException)9
ParserConfigurationException (javax.xml.parsers.ParserConfigurationException)9
ServiceProvider (org.wso2.carbon.identity.application.common.model.xsd.ServiceProvider)9
IdentitySAMLSSOConfigServiceIdentityException (org.wso2.carbon.identity.sso.saml.stub.IdentitySAMLSSOConfigServiceIdentityException)9
SAXException (org.xml.sax.SAXException)9
UnsupportedEncodingException (java.io.UnsupportedEncodingException)8
ArrayList (java.util.ArrayList)7
XPathExpressionException (javax.xml.xpath.XPathExpressionException)7
ConfigurationException (org.opensaml.xml.ConfigurationException)7
ValidationException (org.opensaml.xml.validation.ValidationException)7
IdentityProvider (org.wso2.carbon.identity.application.common.model.IdentityProvider)7
ISIntegrationTest (org.wso2.identity.integration.common.utils.ISIntegrationTest)7
Property (org.wso2.carbon.identity.application.common.model.idp.xsd.Property)5
BufferedReader (java.io.BufferedReader)4
InputStreamReader (java.io.InputStreamReader)4
AuthenticatedUser (org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser)4
