authnRequest.setIssuer(issuer); authnRequest.setIssueInstant(DateTime.now()); authnRequest.setDestination(idp.ssoEndpoint().toUriString()); authnRequest.setID(requestIdManager.newId()); final SamlEndpoint acsEndpoint = idp.acsEndpoint() .orElse(sp.defaultAcsConfig().endpoint()); authnRequest.setAssertionConsumerServiceURL(acsEndpoint.toUriString(portConfig.scheme().uriText(), defaultHostname, portConfig.port())); authnRequest.setProtocolBinding(acsEndpoint.bindingProtocol().urn()); nameIdPolicy.setFormat(policy.format().urn()); nameIdPolicy.setAllowCreate(policy.isCreatable()); authnRequest.setNameIDPolicy(nameIdPolicy); requestedAuthnContext.getAuthnContextClassRefs().add(passwordAuthnCtxRef); authnRequest.setRequestedAuthnContext(requestedAuthnContext);
/**
 * Creates a SAML 2.0 {@code <samlp:AuthnRequest>} populated from the supplied values.
 *
 * <p>The request ID is a freshly generated random UUID prefixed with {@code _} (so the
 * value does not start with a digit), and the issue instant is the current time. The
 * OpenSAML builder for the element is resolved lazily on first use and cached in the
 * static {@code authnRequestBuilder} field.
 *
 * @param serviceURL        the AssertionConsumerServiceURL to request the response at
 * @param forceAuthn        value of the {@code ForceAuthn} attribute
 * @param isPassive         value of the {@code IsPassive} attribute
 * @param protocolBinding   binding URN to place in {@code ProtocolBinding}
 * @param version           SAML version of the message
 * @param issuer            the {@code <saml:Issuer>} element
 * @param nameIDPolicy      the {@code <samlp:NameIDPolicy>} element
 * @param requestedAuthnCtx the {@code <samlp:RequestedAuthnContext>} element
 * @return the populated, unsigned request
 */
@SuppressWarnings("unchecked")
//CHECKSTYLE:OFF
public static AuthnRequest createAuthnRequest(
        String serviceURL,
        boolean forceAuthn,
        boolean isPassive,
        String protocolBinding,
        SAMLVersion version,
        Issuer issuer,
        NameIDPolicy nameIDPolicy,
        RequestedAuthnContext requestedAuthnCtx
) {
    //CHECKSTYLE:ON
    if (authnRequestBuilder == null) {
        // The builder factory is not generic, hence the unchecked cast.
        authnRequestBuilder =
                (SAMLObjectBuilder<AuthnRequest>) builderFactory.getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME);
    }

    final AuthnRequest request = authnRequestBuilder.buildObject();

    // Message identity and timing.
    request.setID("_" + UUID.randomUUID());
    request.setVersion(version);
    request.setIssueInstant(new DateTime());
    request.setIssuer(issuer);

    // Where and how the IdP should deliver the response.
    request.setAssertionConsumerServiceURL(serviceURL);
    request.setProtocolBinding(protocolBinding);

    // Authentication behaviour requested from the IdP.
    request.setForceAuthn(forceAuthn);
    request.setIsPassive(isPassive);
    request.setNameIDPolicy(nameIDPolicy);
    request.setRequestedAuthnContext(requestedAuthnCtx);

    return request;
}
authnRequest.setID("_" + SecureRandomUtils.generateRandomUUID().toString()); authnRequest.setForceAuthn(false); authnRequest.setIsPassive(false); authnRequest.setVersion(SAMLVersion.VERSION_20); authnRequest.setProtocolBinding(idp.getBindingType().getUri()); authnRequest.setIssueInstant(new DateTime()); authnRequest.setIssuer(issuer); authnRequest.setNameIDPolicy(nameIDPolicy); authnRequest.setRequestedAuthnContext(requestedAuthnContextProvider.provide()); authnRequest.setDestination(idp.getSSOLocation(idp.getBindingType()).getLocation()); requestTO.setIdpServiceAddress(authnRequest.getDestination()); requestTO.setBindingType(idp.getBindingType()); try { Pair<String, Date> relayState = accessTokenDataBinder.generateJWT( SecureRandomUtils.generateRandomUUID().toString(), authnRequest.getID(), JWT_RELAY_STATE_DURATION, claims);
/**
 * Build a synthetic AuthnRequest instance from the IdP-initiated SSO request structure.
 *
 * <p>The issuer value, issue instant and AssertionConsumerServiceURL are copied straight
 * from the inbound {@code ssoRequest}; the NameIDPolicy is fixed to {@code AllowCreate=true}
 * and the version to SAML 2.0.
 *
 * <p>NOTE(review): nothing in this method checks the entity ID or ACS URL taken from the
 * unauthenticated inbound request against SP metadata — confirm that endpoint resolution
 * downstream performs that validation.
 *
 * @return the synthetic AuthnRequest message instance
 *
 * @throws MessageDecodingException if the inbound request does not contain an entityID value
 */
@Nonnull
protected AuthnRequest buildAuthnRequest() throws MessageDecodingException {
    final AuthnRequest synthetic = requestBuilder.buildObject();

    // Issuer mirrors the SP entity ID carried by the unsolicited request.
    final Issuer syntheticIssuer = issuerBuilder.buildObject();
    syntheticIssuer.setValue(ssoRequest.getEntityId());
    synthetic.setIssuer(syntheticIssuer);

    // Unsolicited requests carry no NameIDPolicy, so allow identifier creation.
    final NameIDPolicy nameIdPolicy = nipBuilder.buildObject();
    nameIdPolicy.setAllowCreate(true);
    synthetic.setNameIDPolicy(nameIdPolicy);

    synthetic.setAssertionConsumerServiceURL(ssoRequest.getAssertionConsumerServiceURL());
    // Timestamp is interpreted in UTC regardless of the JVM default zone.
    synthetic.setIssueInstant(new DateTime(ssoRequest.getTime(), ISOChronology.getInstanceUTC()));
    synthetic.setVersion(SAMLVersion.VERSION_20);
    synthetic.setID(getMessageID());

    return synthetic;
}
authnRequest.setAssertionConsumerServiceURL(shire); authnRequest.setIssuer(issuer); authnRequest.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI); val pBuilder = (SAMLObjectBuilder) configBean.getBuilderFactory().getBuilder(NameIDPolicy.DEFAULT_ELEMENT_NAME); val nameIDPolicy = (NameIDPolicy) pBuilder.buildObject(); nameIDPolicy.setAllowCreate(Boolean.TRUE); authnRequest.setNameIDPolicy(nameIDPolicy); authnRequest.setIssueInstant(new DateTime(TimeUnit.SECONDS.convert(Long.parseLong(time), TimeUnit.MILLISECONDS), ISOChronology.getInstanceUTC())); } else { authnRequest.setIssueInstant(new DateTime(DateTime.now(), ISOChronology.getInstanceUTC())); authnRequest.setForceAuthn(Boolean.FALSE); if (StringUtils.isNotBlank(target)) { request.setAttribute(SamlProtocolConstants.PARAMETER_SAML_RELAY_STATE, target);
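/**
 * {@inheritDoc}
 *
 * <p>Handles the attributes specific to {@code <samlp:AuthnRequest>}; any other attribute
 * is delegated to the superclass. The two index attributes must be integers: a malformed
 * value is reported as an {@link UnmarshallingException} (the declared failure mode of this
 * method) instead of escaping as an unchecked {@link NumberFormatException}, since the
 * input is untrusted XML.
 */
protected void processAttribute(XMLObject samlObject, Attr attribute) throws UnmarshallingException {
    AuthnRequest req = (AuthnRequest) samlObject;
    String name = attribute.getLocalName();
    String value = attribute.getValue();

    if (AuthnRequest.FORCE_AUTHN_ATTRIB_NAME.equals(name)) {
        req.setForceAuthn(XSBooleanValue.valueOf(value));
    } else if (AuthnRequest.IS_PASSIVE_ATTRIB_NAME.equals(name)) {
        req.setIsPassive(XSBooleanValue.valueOf(value));
    } else if (AuthnRequest.PROTOCOL_BINDING_ATTRIB_NAME.equals(name)) {
        req.setProtocolBinding(value);
    } else if (AuthnRequest.ASSERTION_CONSUMER_SERVICE_INDEX_ATTRIB_NAME.equals(name)) {
        req.setAssertionConsumerServiceIndex(parseIndexAttribute(name, value));
    } else if (AuthnRequest.ASSERTION_CONSUMER_SERVICE_URL_ATTRIB_NAME.equals(name)) {
        req.setAssertionConsumerServiceURL(value);
    } else if (AuthnRequest.ATTRIBUTE_CONSUMING_SERVICE_INDEX_ATTRIB_NAME.equals(name)) {
        req.setAttributeConsumingServiceIndex(parseIndexAttribute(name, value));
    } else if (AuthnRequest.PROVIDER_NAME_ATTRIB_NAME.equals(name)) {
        req.setProviderName(value);
    } else {
        super.processAttribute(samlObject, attribute);
    }
}

/**
 * Parses an integer-valued attribute.
 *
 * @param attributeName local name of the attribute, used in the error message
 * @param value         the raw attribute text
 * @return the parsed integer
 * @throws UnmarshallingException if {@code value} is not a valid integer
 */
private static Integer parseIndexAttribute(String attributeName, String value) throws UnmarshallingException {
    try {
        return Integer.valueOf(value);
    } catch (NumberFormatException e) {
        throw new UnmarshallingException(
                "Attribute " + attributeName + " of AuthnRequest is not a valid integer: " + value, e);
    }
}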
protected AuthenticationRequest resolveAuthenticationRequest(AuthnRequest parsed) { AuthnRequest request = parsed; AuthenticationRequest result = new AuthenticationRequest() .setBinding(Binding.fromUrn(request.getProtocolBinding())) .setAssertionConsumerService( getEndpoint( request.getAssertionConsumerServiceURL(), Binding.fromUrn(request.getProtocolBinding()), ofNullable(request.getAssertionConsumerServiceIndex()).orElse(-1), false request.getDestination(), Binding.fromUrn(request.getProtocolBinding()), -1, false .setIssuer(getIssuer(request.getIssuer())) .setForceAuth(request.isForceAuthn()) .setPassive(request.isPassive()) .setId(request.getID()) .setIssueInstant(request.getIssueInstant()) .setVersion(request.getVersion().toString()) .setRequestedAuthenticationContext(getRequestedAuthenticationContext(request)) .setAuthenticationContextClassReference(getAuthenticationContextClassReference(request)) .setNameIdPolicy(fromNameIDPolicy(request.getNameIDPolicy()));
/**
 * {@inheritDoc}
 *
 * <p>Attaches the child elements that are specific to {@code <samlp:AuthnRequest>}
 * (Subject, NameIDPolicy, Conditions, RequestedAuthnContext, Scoping); every other child
 * is passed to the superclass.
 */
protected void processChildElement(XMLObject parentSAMLObject, XMLObject childSAMLObject) throws UnmarshallingException {
    final AuthnRequest authnRequest = (AuthnRequest) parentSAMLObject;

    if (childSAMLObject instanceof Subject) {
        authnRequest.setSubject((Subject) childSAMLObject);
        return;
    }
    if (childSAMLObject instanceof NameIDPolicy) {
        authnRequest.setNameIDPolicy((NameIDPolicy) childSAMLObject);
        return;
    }
    if (childSAMLObject instanceof Conditions) {
        authnRequest.setConditions((Conditions) childSAMLObject);
        return;
    }
    if (childSAMLObject instanceof RequestedAuthnContext) {
        authnRequest.setRequestedAuthnContext((RequestedAuthnContext) childSAMLObject);
        return;
    }
    if (childSAMLObject instanceof Scoping) {
        authnRequest.setScoping((Scoping) childSAMLObject);
        return;
    }

    // Not an AuthnRequest-specific child: let the parent unmarshaller deal with it.
    super.processChildElement(parentSAMLObject, childSAMLObject);
}
}
/**
 * Compares the endpoint the response actually arrived at with what the original
 * {@code AuthnRequest} asked for.
 *
 * <p>When the request named an ACS by index, only the index is compared; otherwise the
 * ACS URL (response location, falling back to location) and the protocol binding are
 * compared. Every mismatch is logged at WARN level only — this method never rejects the
 * response, so any enforcement of "response delivered to the requested endpoint" has to
 * happen elsewhere.
 *
 * @param request the original authentication request
 * @param context the message context of the inbound response
 */
protected void verifyRequest(final AuthnRequest request, final SAML2MessageContext context) {
    final AssertionConsumerService receivingAcs =
            (AssertionConsumerService) context.getSAMLEndpointContext().getEndpoint();

    final Integer requestedIndex = request.getAssertionConsumerServiceIndex();
    if (requestedIndex != null) {
        // Index-based request: the index is the only thing we can compare.
        if (!requestedIndex.equals(receivingAcs.getIndex())) {
            logger.warn("Response was received at a different endpoint index than was requested");
        }
        return;
    }

    final String requestedUrl = request.getAssertionConsumerServiceURL();
    if (requestedUrl != null) {
        // ResponseLocation takes precedence over Location when metadata defines both.
        final String receivedAt = receivingAcs.getResponseLocation() != null
                ? receivingAcs.getResponseLocation()
                : receivingAcs.getLocation();
        if (!requestedUrl.equals(receivedAt)) {
            logger.warn("Response was received at a different endpoint URL {} than was requested {}",
                receivedAt, requestedUrl);
        }
    }

    final String requestedBinding = request.getProtocolBinding();
    if (requestedBinding != null) {
        final String receivedBinding = context.getSAMLBindingContext().getBindingUri();
        if (!requestedBinding.equals(receivedBinding)) {
            logger.warn("Response was received using a different binding {} than was requested {}",
                receivedBinding, requestedBinding);
        }
    }
}
AuthnRequest req = (AuthnRequest) samlObject; if (req.isForceAuthnXSBoolean() != null) { domElement.setAttributeNS(null, AuthnRequest.FORCE_AUTHN_ATTRIB_NAME, req.isForceAuthnXSBoolean() .toString()); if (req.isPassiveXSBoolean() != null) { domElement.setAttributeNS(null, AuthnRequest.IS_PASSIVE_ATTRIB_NAME, req.isPassiveXSBoolean().toString()); if (req.getProtocolBinding() != null) { domElement.setAttributeNS(null, AuthnRequest.PROTOCOL_BINDING_ATTRIB_NAME, req.getProtocolBinding()); if (req.getAssertionConsumerServiceIndex() != null) { domElement.setAttributeNS(null, AuthnRequest.ASSERTION_CONSUMER_SERVICE_INDEX_ATTRIB_NAME, req .getAssertionConsumerServiceIndex().toString()); if (req.getAssertionConsumerServiceURL() != null) { domElement.setAttributeNS(null, AuthnRequest.ASSERTION_CONSUMER_SERVICE_URL_ATTRIB_NAME, req .getAssertionConsumerServiceURL()); if (req.getAttributeConsumingServiceIndex() != null) { domElement.setAttributeNS(null, AuthnRequest.ATTRIBUTE_CONSUMING_SERVICE_INDEX_ATTRIB_NAME, req .getAttributeConsumingServiceIndex().toString()); if (req.getProviderName() != null) { domElement.setAttributeNS(null, AuthnRequest.PROVIDER_NAME_ATTRIB_NAME, req.getProviderName());
/**
 * Wraps an OpenSAML {@code AuthnRequest}, capturing the AssertionConsumerServiceURL, the
 * ForceAuthn flag and — when a {@code <saml:Subject>} with a NameID is present — the
 * subject's NameID value.
 *
 * @param authnRequest the parsed request to wrap
 */
public SAMLAuthnRequest(AuthnRequest authnRequest) {
    super(authnRequest);
    this.consumerServiceURL = authnRequest.getAssertionConsumerServiceURL();
    // isForceAuthn() returns a Boolean; unboxing here matches the original booleanValue() call.
    this.forceAuthn = authnRequest.isForceAuthn();

    // Subject and its NameID are both optional in an AuthnRequest.
    if (authnRequest.getSubject() == null || authnRequest.getSubject().getNameID() == null) {
        return;
    }
    this.subjectNameId = authnRequest.getSubject().getNameID().getValue();
}
authnRequest.setDestination(trustedIdp.getUrl()); String authnRequestId = authnRequest.getID(); WebUtils.putAttributeInExternalContext(context, SAML_SSO_REQUEST_ID, authnRequestId);
/**
 * Builds an {@code AssertionConsumerService} endpoint from the AssertionConsumerServiceURL
 * carried in an {@code AuthnRequest}.
 *
 * <p>Both {@code Location} and {@code ResponseLocation} of the returned endpoint are set
 * to the URL exactly as it appears in the request. NOTE(review): no validation against the
 * SP's registered metadata happens here — confirm callers perform it before responding.
 *
 * @param authnRequest the inbound request; anything other than an {@code AuthnRequest} yields {@code null}
 * @param binding      the binding URN to record on the endpoint
 * @return the endpoint, or {@code null} when the request is not an {@code AuthnRequest} or carries no ACS URL
 */
private static AssertionConsumerService getAssertionConsumerServiceFromRequest(final RequestAbstractType authnRequest, final String binding) {
    if (!(authnRequest instanceof AuthnRequest)) {
        return null;
    }
    val acsUrl = ((AuthnRequest) authnRequest).getAssertionConsumerServiceURL();
    if (StringUtils.isBlank(acsUrl)) {
        return null;
    }
    LOGGER.debug("Using assertion consumer service url [{}] with binding [{}] from authentication request", acsUrl, binding);

    val endpoint = new AssertionConsumerServiceBuilder().buildObject(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
    endpoint.setBinding(binding);
    endpoint.setLocation(acsUrl);
    endpoint.setResponseLocation(acsUrl);
    return endpoint;
}
/**
 * Converts the library's {@code AuthenticationRequest} model into an OpenSAML
 * {@code AuthnRequest}, signing it when the model carries a signing key.
 *
 * <p>The ACS is conveyed by URL only: {@code AssertionConsumerServiceIndex} is deliberately
 * left unset because Azure AD as IdP rejects an index when ProtocolBinding or
 * AssertionConsumerServiceURL is present.
 *
 * @param request the model to convert
 * @return the populated (and, if a signing key is configured, signed) request
 */
protected AuthnRequest internalToXml(AuthenticationRequest request) {
    AuthnRequest authnRequest = buildSAMLObject(AuthnRequest.class);

    // Envelope: identity, timing, addressing.
    authnRequest.setID(request.getId());
    authnRequest.setVersion(SAMLVersion.VERSION_20);
    authnRequest.setIssueInstant(request.getIssueInstant());
    authnRequest.setIssuer(toIssuer(request.getIssuer()));
    authnRequest.setDestination(request.getDestination().getLocation());

    // Response routing (URL-based only; see class comment on the index).
    authnRequest.setProtocolBinding(request.getBinding().toString());
    authnRequest.setAssertionConsumerServiceURL(request.getAssertionConsumerService().getLocation());

    // Requested authentication behaviour.
    authnRequest.setForceAuthn(request.isForceAuth());
    authnRequest.setIsPassive(request.isPassive());
    authnRequest.setNameIDPolicy(getNameIDPolicy(request.getNameIdPolicy()));
    authnRequest.setRequestedAuthnContext(getRequestedAuthenticationContext(request));

    // Sign last, after every element that the signature covers has been set.
    if (request.getSigningKey() != null) {
        this.signObject(authnRequest, request.getSigningKey(), request.getAlgorithm(), request.getDigest());
    }
    return authnRequest;
}
log.debug("{} Populating template endpoint for resolution from SAML AuthnRequest", getLogPrefix()); endpoint.setLocation(((AuthnRequest) inboundMessage).getAssertionConsumerServiceURL()); endpoint.setBinding(((AuthnRequest) inboundMessage).getProtocolBinding()); if (endpoint instanceof IndexedEndpoint) { ((IndexedEndpoint) endpoint).setIndex( ((AuthnRequest) inboundMessage).getAssertionConsumerServiceIndex());
); if (isSignRequest()) { authnRequest.setDestination(getIdpServiceAddress()); signAuthnRequest(authnRequest); authnRequest.getID(), getIssuerId(m), webAppContext,
request.setRequestedAuthnContext(authnContext); request.setID(SAML2Utils.generateID()); request.setIssuer(getIssuer(selfContext.getEntityId())); request.setIssueInstant(DateTime.now(DateTimeZone.UTC).plusSeconds(this.issueInstantSkewSeconds)); request.setVersion(SAMLVersion.VERSION_20); request.setIsPassive(this.passive); request.setForceAuthn(this.forceAuth); request.setProviderName(this.providerName); nameIdPolicy.setAllowCreate(true); nameIdPolicy.setFormat(nameIdPolicyFormat); request.setNameIDPolicy(nameIdPolicy); request.setDestination(ssoService.getLocation()); if (assertionConsumerServiceIndex >= 0) { request.setAssertionConsumerServiceIndex(assertionConsumerServiceIndex); } else { request.setAssertionConsumerServiceURL(assertionConsumerService.getLocation()); request.setProtocolBinding(assertionConsumerService.getBinding()); request.setAttributeConsumingServiceIndex(attributeConsumingServiceIndex); .getBuilder(Extensions.DEFAULT_ELEMENT_NAME)).buildObject(); extensionsElem.getUnknownXMLObjects().addAll(extensions.get()); request.setExtensions(extensionsElem);
authnRequest.setIssuer(issuer); authnRequest.setIssueInstant(DateTime.now()); authnRequest.setDestination(idp.ssoEndpoint().toUriString()); authnRequest.setID(requestIdManager.newId()); final SamlEndpoint acsEndpoint = idp.acsEndpoint() .orElse(sp.defaultAcsConfig().endpoint()); authnRequest.setAssertionConsumerServiceURL(acsEndpoint.toUriString(portConfig.scheme().uriText(), defaultHostname, portConfig.port())); authnRequest.setProtocolBinding(acsEndpoint.bindingProtocol().urn()); nameIdPolicy.setFormat(policy.format().urn()); nameIdPolicy.setAllowCreate(policy.isCreatable()); authnRequest.setNameIDPolicy(nameIdPolicy); requestedAuthnContext.getAuthnContextClassRefs().add(passwordAuthnCtxRef); authnRequest.setRequestedAuthnContext(requestedAuthnContext);
try { val acs = new AssertionConsumerServiceBuilder().buildObject(); if (authnRequest.getAssertionConsumerServiceIndex() != null) { val issuer = getIssuerFromSamlRequest(authnRequest); val samlResolver = getMetadataResolverForAllSamlServices(servicesManager, issuer, resolver); throw new IllegalArgumentException("Metadata resolved for entity id " + issuer + " has no defined ACS endpoints"); val acsIndex = authnRequest.getAssertionConsumerServiceIndex(); if (acsIndex + 1 > acsEndpoints.size()) { throw new IllegalArgumentException("AssertionConsumerService index specified in the request " + acsIndex + " is invalid " }); } else { acs.setBinding(authnRequest.getProtocolBinding()); acs.setLocation(authnRequest.getAssertionConsumerServiceURL()); acs.setResponseLocation(authnRequest.getAssertionConsumerServiceURL()); acs.setIndex(0); acs.setIsDefault(Boolean.TRUE);
authnRequest.setID(SSOUtils.createID()); authnRequest.setVersion(SAMLVersion.VERSION_20); authnRequest.setIssueInstant(new DateTime()); authnRequest.setForceAuthn( Optional.ofNullable((Boolean) (request.getAttribute(Constants.IS_FORCE_AUTH_ENABLED))) .orElse(false)); authnRequest.setIsPassive( Optional.ofNullable((Boolean) (request.getAttribute(Constants.IS_PASSIVE_AUTH_ENABLED))) .orElse(false)); authnRequest.setProtocolBinding(contextConfiguration.getHttpBinding()); contextConfiguration.setConsumerURL(consumerURL); authnRequest.setAssertionConsumerServiceURL(contextConfiguration.getConsumerURL()); authnRequest.setIssuer(issuer); authnRequest.setNameIDPolicy(nameIdPolicy); authnRequest.setRequestedAuthnContext(requestedAuthnContext); authnRequest.setDestination(serverConfiguration.getIdpURL()); .ifPresent(extensions -> authnRequest.setExtensions((Extensions) extensions));