issuer = ((RequestAbstractType) message).getIssuer(); } else if (message instanceof StatusResponseType) { issuer = ((StatusResponseType) message).getIssuer();
/**
 * Checks that the request declares the SAML version this service accepts.
 *
 * @param request any type of request message
 * @return {@code true} when the request version is SAML 2.0; {@code false}
 *         when the version is absent or anything else (the mismatch is logged)
 * @throws IdentitySAML2QueryException declared for API compatibility; this
 *         implementation does not raise it on a version mismatch, it returns {@code false}
 */
protected boolean validateSAMLVersion(RequestAbstractType request) throws IdentitySAML2QueryException {
    SAMLVersion declaredVersion = request.getVersion();
    boolean isSaml20 = declaredVersion != null && declaredVersion.equals(SAMLVersion.VERSION_20);
    if (!isSaml20) {
        // A missing or non-2.0 version is only reported; the caller decides whether to reject the request.
        log.error(SAMLQueryRequestConstants.ServiceMessages.NON_COMPAT_SAML_VERSION);
    }
    return isSaml20;
}
if (parsedRequest.isSigned()) { getValidatingCertificate(idp, parsedRequest.getIssuer().getValue()); Crypto issuerCrypto = new CertificateStore(new X509Certificate[] {validatingCert}); validateRequestSignature(parsedRequest.getSignature(), issuerCrypto); } else if (signature != null) { samlRequest, parsedRequest.getIssuer().getValue()); } else if (requireSignature) { LOG.debug("No signature is present, therefore the request is rejected"); LOG.debug("SAML Request with id '{}' successfully parsed", parsedRequest.getID());
RequestAbstractType req = (RequestAbstractType) samlObject; if (req.getVersion() != null) { domElement.setAttributeNS(null, RequestAbstractType.VERSION_ATTRIB_NAME, req.getVersion().toString()); if (req.getID() != null) { domElement.setAttributeNS(null, RequestAbstractType.ID_ATTRIB_NAME, req.getID()); domElement.setIdAttributeNS(null, RequestAbstractType.ID_ATTRIB_NAME, true); if (req.getVersion() != null) { domElement.setAttributeNS(null, RequestAbstractType.VERSION_ATTRIB_NAME, req.getVersion().toString()); if (req.getIssueInstant() != null) { String iiStr = SAMLConfigurationSupport.getSAMLDateFormatter().print(req.getIssueInstant()); domElement.setAttributeNS(null, RequestAbstractType.ISSUE_INSTANT_ATTRIB_NAME, iiStr); if (req.getDestination() != null) { domElement.setAttributeNS(null, RequestAbstractType.DESTINATION_ATTRIB_NAME, req.getDestination()); if (req.getConsent() != null) { domElement.setAttributeNS(null, RequestAbstractType.CONSENT_ATTRIB_NAME, req.getConsent());
/**
 * Validates the XML signature of a request against the certificate alias of the
 * resolved service-provider configuration, within the tenant domain of the
 * current thread.
 *
 * @param request any type of assertion request message
 * @return {@code true} if the signature verified, {@code false} if it did not
 * @throws IdentitySAML2QueryException if the verification itself could not be
 *         carried out (wraps the underlying {@link IdentityException})
 */
protected boolean validateSignature(RequestAbstractType request) throws IdentitySAML2QueryException {
    // NOTE(review): assumes ssoIdpConfig was populated earlier (e.g. during issuer validation) — confirm call order.
    String certAlias = ssoIdpConfig.getCertAlias();
    String tenantDomain = CarbonContext.getThreadLocalCarbonContext().getTenantDomain();
    boolean signatureOk;
    try {
        signatureOk = OpenSAML3Util.validateXMLSignature(request, certAlias, tenantDomain);
    } catch (IdentityException e) {
        log.error(SAMLQueryRequestConstants.ServiceMessages.SIGNATURE_VALIDATION_FAILED);
        throw new IdentitySAML2QueryException("Unable to validate signature of request with id:" + request.getID(), e);
    }
    if (signatureOk) {
        log.debug("Request with id" + request.getID() + " contain valid signature");
    } else {
        log.debug("Request with id:" + request.getID() + " contain in-valid Signature");
    }
    return signatureOk;
}
/**
 * Validate the enveloped XML signature of a SAML request.
 *
 * @param request    SAML request (any {@code RequestAbstractType}, e.g. an AuthnRequest
 *                   or LogoutRequest) whose signature is to be checked
 * @param alias      certificate alias against which the signature is validated
 * @param domainName tenant domain used to load the credential
 * @return {@code true} if the signature verified; {@code false} if the request
 *         carries no signature at all
 * @throws IdentitySAML2QueryException when the signature is present but invalid, or
 *         the credential could not be used to verify it
 */
public static boolean validateXMLSignature(RequestAbstractType request, String alias, String domainName)
        throws IdentitySAML2QueryException {
    // An unsigned request is not an error at this level; it simply does not verify.
    if (request.getSignature() == null) {
        return false;
    }
    try {
        X509Credential cred = OpenSAML3Util.getX509CredentialImplForTenant(domainName, alias);
        // validate() reports a bad signature by throwing, so reaching the next line means it verified.
        SignatureValidator.validate(request.getSignature(), cred);
        return true;
    } catch (SignatureException e) {
        String detail = "Unable to validate Signature of the request id:" + request.getID()
                + " with alias:" + alias + " ,domainname: " + domainName;
        log.error(detail, e);
        throw new IdentitySAML2QueryException(detail, e);
    }
}
/**
 * {@inheritDoc}
 *
 * <p>Unmarshals the attributes common to every {@code RequestAbstractType}
 * (Version, ID, IssueInstant, Destination, Consent); anything else is passed
 * to the superclass.
 */
protected void processAttribute(XMLObject samlObject, Attr attribute) throws UnmarshallingException {
    RequestAbstractType req = (RequestAbstractType) samlObject;
    String localName = attribute.getLocalName();
    String value = attribute.getValue();
    if (localName.equals(RequestAbstractType.VERSION_ATTRIB_NAME)) {
        req.setVersion(SAMLVersion.valueOf(value));
    } else if (localName.equals(RequestAbstractType.ID_ATTRIB_NAME)) {
        req.setID(value);
        // Mark the attribute as an ID attribute so DOM ID lookups on this element resolve it.
        attribute.getOwnerElement().setIdAttributeNode(attribute, true);
    } else if (localName.equals(RequestAbstractType.ISSUE_INSTANT_ATTRIB_NAME) && !Strings.isNullOrEmpty(value)) {
        // IssueInstant is parsed as UTC; an empty value is left unset rather than failing the parse.
        req.setIssueInstant(new DateTime(value, ISOChronology.getInstanceUTC()));
    } else if (localName.equals(RequestAbstractType.DESTINATION_ATTRIB_NAME)) {
        req.setDestination(value);
    } else if (localName.equals(RequestAbstractType.CONSENT_ATTRIB_NAME)) {
        req.setConsent(value);
    } else {
        super.processAttribute(samlObject, attribute);
    }
}
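/**
 * Rejects a request whose {@code Destination} attribute does not name the
 * endpoint the request was actually received on.
 *
 * <p>The comparison is an exact match. A prefix test ({@code startsWith})
 * would accept any attacker-chosen Destination that happens to be a prefix of
 * the local URL — the bare scheme, or scheme and host — which defeats the
 * purpose of the check. If a deployment legitimately receives requests on a
 * URL that differs from the published endpoint (e.g. a proxy rewriting the
 * path), normalise {@code localAddr} before this check rather than loosening
 * the comparison.
 *
 * @param context the request context from which the servlet request URL is recovered
 * @param request the inbound SAML request carrying the Destination attribute
 * @throws ProcessingException with {@code TYPE.BAD_REQUEST} when the Destination
 *         is absent or differs from the local request URL
 */
private void checkDestination(RequestContext context, RequestAbstractType request) throws ProcessingException {
    String destination = request.getDestination();
    LOG.debug("Validating destination: {}", destination);
    // getRequestURL() carries no query string, so this is scheme://host[:port]/path only.
    String localAddr = WebUtils.getHttpServletRequest(context).getRequestURL().toString();
    if (destination == null || !localAddr.equals(destination)) {
        LOG.debug("The destination {} does not match the local address {}", destination, localAddr);
        throw new ProcessingException(TYPE.BAD_REQUEST);
    }
}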
/**
 * Verifies the signature on a SAML profile request, choosing the validation
 * path by whether the request carries an enveloped XML signature.
 *
 * @param profileRequest the profile request to verify
 * @param resolver       metadata resolver used to locate the requester's role descriptor
 * @param request        the HTTP request the profile request arrived on
 * @param context        the message context of the inbound message
 * @throws Exception if the role descriptor cannot be resolved or the signature fails validation
 */
public void verifySamlProfileRequestIfNeeded(final RequestAbstractType profileRequest,
                                             final MetadataResolver resolver,
                                             final HttpServletRequest request,
                                             final MessageContext context) throws Exception {
    val roleResolver = getRoleDescriptorResolver(resolver, context, profileRequest);
    LOGGER.debug("Validating signature for [{}]", profileRequest.getClass().getName());
    val requestSignature = profileRequest.getSignature();
    if (requestSignature == null) {
        // No XML signature: fall back to the authentication-request path, which presumably
        // checks a signature carried outside the XML (e.g. redirect-binding parameters) — confirm.
        validateSignatureOnAuthenticationRequest(profileRequest, request, context, roleResolver);
        return;
    }
    validateSignatureOnProfileRequest(profileRequest, requestSignature, roleResolver);
}
/**
 * Sets the destination attribute on an outbound message if it is either a
 * {@link org.opensaml.saml.saml2.core.RequestAbstractType} or a
 * {@link org.opensaml.saml.saml2.core.StatusResponseType} message; any
 * other message type is left untouched.
 *
 * @param outboundMessage outbound SAML message
 * @param endpointURL destination endpoint
 */
public static void setSAML2Destination(@Nonnull final SAMLObject outboundMessage,
                                       @Nonnull @NotEmpty final String endpointURL) {
    if (outboundMessage instanceof org.opensaml.saml.saml2.core.RequestAbstractType) {
        final org.opensaml.saml.saml2.core.RequestAbstractType request =
                (org.opensaml.saml.saml2.core.RequestAbstractType) outboundMessage;
        request.setDestination(endpointURL);
        return;
    }
    if (outboundMessage instanceof org.opensaml.saml.saml2.core.StatusResponseType) {
        final org.opensaml.saml.saml2.core.StatusResponseType response =
                (org.opensaml.saml.saml2.core.StatusResponseType) outboundMessage;
        response.setDestination(endpointURL);
    }
}
org.opensaml.saml.saml2.core.RequestAbstractType request = (org.opensaml.saml.saml2.core.RequestAbstractType) samlMessage; return request.getIssueInstant();
org.opensaml.saml.saml2.core.RequestAbstractType request = (org.opensaml.saml.saml2.core.RequestAbstractType) samlMessage; return request.getID();
org.opensaml.saml.saml2.core.RequestAbstractType request = (org.opensaml.saml.saml2.core.RequestAbstractType) samlMessage; messageDestination = StringSupport.trimOrNull(request.getDestination());
/**
 * Resolve the SAML entity ID from a SAML 2 request.
 *
 * @param request the request
 *
 * @return the entity ID, or null if the request carries no Issuer or the
 *         issuer could not be resolved
 */
@Nullable
protected String processSaml2Request(@Nonnull final org.opensaml.saml.saml2.core.RequestAbstractType request) {
    // Issuer is optional on a request; without one there is nothing to resolve.
    if (request.getIssuer() == null) {
        return null;
    }
    return processSaml2Issuer(request.getIssuer());
}
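/**
 * Validates the issuer of a request message and resolves the matching
 * service-provider configuration into {@code ssoIdpConfig}.
 *
 * <p>The issuer is accepted only when the request carries an Issuer element
 * with a non-null value, the Issuer format equals the configured
 * {@code ISSUER_FORMAT}, and a service-provider configuration is registered
 * for that issuer value. On success {@code ssoIdpConfig} is set; when no
 * configuration is found it is left {@code null}.
 *
 * @param request any type of request message
 * @return {@code true} if the issuer is valid and its configuration was found;
 *         {@code false} otherwise (the reason is logged)
 * @throws IdentitySAML2QueryException if the request has no Issuer element or
 *         the issuer value is empty
 */
protected boolean validateIssuer(RequestAbstractType request) throws IdentitySAML2QueryException {
    // Issuer is optional in RequestAbstractType, so the element itself may be absent —
    // previously this dereferenced it unchecked and failed with a NullPointerException.
    Issuer issuer = request.getIssuer();
    if (issuer == null || issuer.getValue() == null) {
        throw new IdentitySAML2QueryException("Issuer value is empty. Unable to validate issuer");
    }
    String issuerValue = issuer.getValue();
    if (issuer.getFormat() == null
            || !issuer.getFormat().equals(SAMLQueryRequestConstants.GenericConstants.ISSUER_FORMAT)) {
        log.error("NameID format is invalid in request ID:" + request.getID() + " and issuer: " + issuerValue);
        return false;
    }
    ssoIdpConfig = SAMLQueryRequestUtil.getServiceProviderConfig(issuerValue);
    if (ssoIdpConfig == null) {
        // Unknown issuer: no service provider is registered under this value.
        log.error(SAMLQueryRequestConstants.ServiceMessages.NULL_ISSUER);
        return false;
    }
    log.debug(SAMLQueryRequestConstants.ServiceMessages.SUCCESS_ISSUER + ssoIdpConfig.getIssuer());
    return true;
}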
if (isValidMessage && invalidItems.size() <= 0) { log.debug("Request message with id:" + request.getID() + " is completely validated"); SAMLQueryProcessor processor = SAMLProcessorFactory.getProcessor(request); response = processor.process(request); SOAPEnvelope soapEnvelope = TransportUtils.createSOAPEnvelope(myOMElement); outMessageContext.setEnvelope(soapEnvelope); log.debug("SOAP response created for the request id:" + request.getID()); } else { "the request id:" + request.getID(), e); invalidItems.add(new InvalidItemDTO( SAMLQueryRequestConstants.ValidationType.STRING_TO_OMELEMENT, log.error("SAML Response is empty for the request id:" + request.getID()); invalidItems.add(new InvalidItemDTO(SAMLQueryRequestConstants.ValidationType.NO_ASSERTIONS, SAMLQueryRequestConstants.ValidationMessage.NO_ASSERTIONS_ERROR)); log.error("Request message with id:" + request.getID() + " contains validation errors"); invalidItems.add(new InvalidItemDTO(SAMLQueryRequestConstants.ValidationType.VAL_VALIDATION_ERROR, SAMLQueryRequestConstants.ValidationMessage.VALIDATION_ERROR));
final SAMLVersion version = ((org.opensaml.saml.saml2.core.RequestAbstractType) message).getVersion(); if (version.getMajorVersion() != 2) { throw new MessageHandlerException("Response major version was invalid");
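/**
 * Extracts the issuer value from a SAML request.
 *
 * @param request the SAML request; must carry an {@code Issuer} element
 * @return the issuer value exactly as sent by the requester (not yet checked
 *         against metadata); may be {@code null} if the Issuer element is empty
 * @throws IllegalArgumentException if the request has no Issuer element — the
 *         Issuer is optional in the schema, so an unchecked getter chain would
 *         otherwise surface a bare NullPointerException for a malformed request
 */
private static String getIssuerFromSamlRequest(final RequestAbstractType request) {
    if (request.getIssuer() == null) {
        throw new IllegalArgumentException(
                "SAML request with id " + request.getID() + " carries no Issuer element");
    }
    return request.getIssuer().getValue();
}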
+ assertionIDRequest.getID()); } catch (IdentitySAML2QueryException e) { log.error("Unable to build response for AssertionIdRequest id:" + request.getID(), e); throw new IdentitySAML2QueryException("Unable to build response for AssertionIdRequest id:" + request.getID()); throw new IdentitySAML2QueryException("Unable to process AsserionIDRequest with id:" + request.getID(), e);