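/**
 * Returns the first {@link NameID} found in the assertions of the given {@link Response} that
 * satisfies {@code filter}.
 *
 * <p>Only {@code response.getAssertions()} is consulted, i.e. plaintext assertions; encrypted
 * assertions are not decrypted here. An assertion without a {@code Subject}, or a subject without
 * a {@code NameID}, is skipped instead of causing a {@link NullPointerException}, so the predicate
 * is never handed {@code null}.
 *
 * @param response the SAML response whose assertions are inspected
 * @param filter   predicate selecting the wanted {@code NameID}
 * @return the first matching {@code NameID}, or empty if none matches
 */
public static Optional<NameID> getNameId(Response response, Predicate<NameID> filter) {
    return response.getAssertions().stream()
        .map(assertion -> assertion.getSubject())
        // Subject is optional in a SAML assertion; skip rather than NPE on getNameID().
        .filter(subject -> subject != null)
        .map(subject -> subject.getNameID())
        // A Subject may carry no NameID at all; do not pass null to the caller's predicate.
        .filter(nameId -> nameId != null)
        .filter(filter)
        .findFirst();
}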
private Assertion getValidatedAssertion(Response response, String endpointUri) { final Status status = response.getStatus(); final String statusCode = status.getStatusCode().getValue(); if (!StatusCode.SUCCESS.equals(statusCode)) { final DateTime issueInstant = response.getIssueInstant(); if (issueInstant == null) { throw new SamlException("failed to get IssueInstant attribute"); if (response.getEncryptedAssertions().isEmpty()) { assertions = response.getAssertions(); } else { final Issuer issuer = response.getIssuer(); if (issuer != null) { idp = resolveIdpConfig(issuer); for (final EncryptedAssertion encryptedAssertion : response.getEncryptedAssertions()) { builder.add(decryptAssertion(encryptedAssertion, idp.encryptionCredential())); builder.addAll(response.getAssertions()); assertions = builder.build();
response.getAssertions().add(assertion); response.setID(requestIdManager.newId()); response.setIssuer(issuer); response.setIssueInstant(DateTime.now()); statusCode.setValue(StatusCode.SUCCESS); status.setStatusCode(statusCode); response.setStatus(status);
) { Response result = new Response() .setConsent(parsed.getConsent()) .setDestination(parsed.getDestination()) .setId(parsed.getID()) .setInResponseTo(parsed.getInResponseTo()) .setIssueInstant(parsed.getIssueInstant()) .setIssuer(getIssuer(parsed.getIssuer())) .setVersion(parsed.getVersion().toString()) .setStatus(getStatus(parsed.getStatus())) .setAssertions( parsed.getAssertions().stream().map(a -> resolveAssertion(a, verificationKeys, localKeys)) .collect(Collectors.toList()) ); if (parsed.getEncryptedAssertions() != null && !parsed.getEncryptedAssertions().isEmpty()) { parsed .getEncryptedAssertions() .stream() .forEach(
protected org.opensaml.saml.saml2.core.Response internalToXml(Response response) { org.opensaml.saml.saml2.core.Response result = buildSAMLObject(org.opensaml.saml.saml2.core.Response.class); result.setConsent(response.getConsent()); result.setID(ofNullable(response.getId()).orElse("a" + UUID.randomUUID().toString())); result.setInResponseTo(response.getInResponseTo()); result.setVersion(SAMLVersion.VERSION_20); result.setIssueInstant(response.getIssueInstant()); result.setDestination(response.getDestination()); result.setIssuer(toIssuer(response.getIssuer())); result.setStatus(status); EncryptedAssertion encryptedAssertion = encryptAssertion(osAssertion, a.getEncryptionKey(), a.getKeyAlgorithm(), a.getDataAlgorithm()); result.getEncryptedAssertions().add(encryptedAssertion); result.getAssertions().add(osAssertion);
/**
 * {@inheritDoc}
 *
 * <p>Attaches unmarshalled child elements to the parent {@code Response}: an {@code Assertion}
 * goes to the plaintext assertion list, an {@code EncryptedAssertion} to the encrypted one, and
 * anything else is delegated to the superclass.
 */
protected void processChildElement(XMLObject parentSAMLObject, XMLObject childSAMLObject)
        throws UnmarshallingException {
    final Response response = (Response) parentSAMLObject;
    if (childSAMLObject instanceof Assertion) {
        response.getAssertions().add((Assertion) childSAMLObject);
        return;
    }
    if (childSAMLObject instanceof EncryptedAssertion) {
        response.getEncryptedAssertions().add((EncryptedAssertion) childSAMLObject);
        return;
    }
    super.processChildElement(parentSAMLObject, childSAMLObject);
}
val id = '_' + String.valueOf(RandomUtils.getNativeInstance().nextLong()); val samlResponse = newResponse(id, ZonedDateTime.now(ZoneOffset.UTC), authnRequest.getID(), null); samlResponse.setVersion(SAMLVersion.VERSION_20); samlResponse.setIssuer(buildEntityIssuer()); samlResponse.setDestination(location); samlResponse.getEncryptedAssertions().add(EncryptedAssertion.class.cast(finalAssertion)); } else { LOGGER.trace("Built assertion is not encrypted, so the response will add it to the assertions collection"); samlResponse.getAssertions().add(Assertion.class.cast(finalAssertion)); samlResponse.setStatus(status);
if (samlResponse.getStatus() == null || samlResponse.getStatus().getStatusCode() == null) { LOG.fine("Either the SAML Response Status or StatusCode is null"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); if (!SAML2_STATUSCODE_SUCCESS.equals(samlResponse.getStatus().getStatusCode().getValue())) { LOG.fine( "SAML Status code of " + samlResponse.getStatus().getStatusCode().getValue() + "does not equal " + SAML2_STATUSCODE_SUCCESS ); if (samlResponse.getIssueInstant() != null) { DateTime currentTime = new DateTime(); currentTime = currentTime.plusSeconds(futureTTL); if (samlResponse.getIssueInstant().isAfter(currentTime)) { LOG.fine("SAML Response IssueInstant not met"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); if (SAMLVersion.VERSION_20 != samlResponse.getVersion()) { LOG.fine( "SAML Version of " + samlResponse.getVersion() + "does not equal " + SAMLVersion.VERSION_20 ); Document doc = samlResponse.getDOM().getOwnerDocument(); for (org.opensaml.saml.saml2.core.EncryptedAssertion assertion : samlResponse.getEncryptedAssertions()) { samlResponse.getAssertions().add(wrapper.getSaml2());
) throws WSSecurityException { validateIssuer(samlResponse.getIssuer()); if (samlResponse.getAssertions() == null || samlResponse.getAssertions().isEmpty()) { LOG.fine("The Response must contain at least one Assertion"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); String destination = samlResponse.getDestination(); if (samlResponse.isSigned() && (destination == null || !destination.equals(assertionConsumerURL))) { LOG.fine("The Response must contain a destination that matches the assertion consumer URL"); if (enforceResponseSigned && !samlResponse.isSigned()) { LOG.fine("The Response must be signed!"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); for (org.opensaml.saml.saml2.core.Assertion assertion : samlResponse.getAssertions()) { if (!samlResponse.isSigned() && enforceAssertionsSigned && assertion.getSignature() == null) { LOG.fine("The enclosed assertions in the SAML Response must be signed"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); validatorResponse.setResponseId(samlResponse.getID()); validatorResponse.setSessionNotOnOrAfter(sessionNotOnOrAfter); if (samlResponse.getIssueInstant() != null) { validatorResponse.setCreated(Instant.ofEpochMilli(samlResponse.getIssueInstant().toDate().getTime()));
final SignatureTrustEngine engine) { validateSuccess(response.getStatus()); validateSignatureIfItExists(response.getSignature(), context, engine); validateIssueInstant(response.getIssueInstant()); if (messageStorage != null && response.getInResponseTo() != null) { final XMLObject xmlObject = messageStorage.retrieveMessage(response.getInResponseTo()); if (xmlObject == null) { throw new SAMLInResponseToMismatchException("InResponseToField of the Response doesn't correspond to sent message " + response.getInResponseTo()); } else if (xmlObject instanceof AuthnRequest) { request = (AuthnRequest) xmlObject; } else { throw new SAMLInResponseToMismatchException("Sent request was of different type than the expected AuthnRequest " + response.getInResponseTo()); verifyEndpoint(context.getSAMLEndpointContext().getEndpoint(), response.getDestination()); if (request != null) { verifyRequest(request, context); validateIssuerIfItExists(response.getIssuer(), context);
/**
 * Builds an {@link Assertion} from the supplied parameters, aligns its issue instant with that of
 * {@code response}, and appends it to the response's assertion list.
 *
 * @param action      the current profile action (used to build the assertion and name it in the log)
 * @param response    the response that receives the new assertion
 * @param idGenerator source of the assertion ID
 * @param issuer      issuer value for the assertion, may be null
 *
 * @return the assertion that was added to {@code response}
 */
@Nonnull public static Assertion addAssertionToResponse(@Nonnull final AbstractProfileAction action,
        @Nonnull final Response response, @Nonnull final IdentifierGenerationStrategy idGenerator,
        @Nullable final String issuer) {
    final Assertion added = buildAssertion(action, idGenerator, issuer);
    // The assertion is stamped with the response's instant, not a fresh "now".
    added.setIssueInstant(response.getIssueInstant());
    final String actionName = action.getClass().getSimpleName();
    getLogger().debug("Profile Action {}: Added Assertion {} to Response {}",
            new Object[] {actionName, added.getID(), response.getID()});
    response.getAssertions().add(added);
    return added;
}
/**
 * Creates a new SAML 2.0 {@link Response} with the given ID and issue instant. When
 * {@code service} is a {@link SamlService} carrying a non-blank request ID, that ID is set as
 * the response's {@code InResponseTo}.
 *
 * @param id the response ID
 * @param issueInstant the issue instant
 * @param recipient the recipient; not used by this method
 * @param service the service the response is built for
 * @return the response
 */
public Response newResponse(final String id, final DateTime issueInstant, final String recipient,
        final WebApplicationService service) {
    final Response created = newSamlObject(Response.class);
    created.setID(id);
    created.setIssueInstant(issueInstant);
    created.setVersion(SAMLVersion.VERSION_20);
    if (!(service instanceof SamlService)) {
        return created;
    }
    final String inResponseTo = ((SamlService) service).getRequestID();
    // Only correlate with a request when the service actually carries a request ID.
    if (StringUtils.isNotBlank(inResponseTo)) {
        created.setInResponseTo(inResponseTo);
    }
    return created;
}
/**
 * {@inheritDoc}
 *
 * <p>For every assertion in the outbound {@code response} (SAML 1 or SAML 2), adds a
 * {@code Conditions} element whose {@code NotBefore} equals the response's issue instant.
 */
@Override
protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
    if (response instanceof org.opensaml.saml.saml1.core.Response) {
        final org.opensaml.saml.saml1.core.Response saml1Response =
                (org.opensaml.saml.saml1.core.Response) response;
        for (final org.opensaml.saml.saml1.core.Assertion assertion : saml1Response.getAssertions()) {
            log.debug("{} Added NotBefore condition to Assertion {}", getLogPrefix(), assertion.getID());
            SAML1ActionSupport.addConditionsToAssertion(this, assertion)
                    .setNotBefore(saml1Response.getIssueInstant());
        }
        return;
    }
    if (response instanceof org.opensaml.saml.saml2.core.Response) {
        final org.opensaml.saml.saml2.core.Response saml2Response =
                (org.opensaml.saml.saml2.core.Response) response;
        for (final org.opensaml.saml.saml2.core.Assertion assertion : saml2Response.getAssertions()) {
            log.debug("{} Added NotBefore condition to Assertion {}", getLogPrefix(), assertion.getID());
            SAML2ActionSupport.addConditionsToAssertion(this, assertion)
                    .setNotBefore(saml2Response.getIssueInstant());
        }
    }
}
response.setStatus(this.samlObjectBuilder.newStatus(StatusCode.SUCCESS, null)); assertion.setSubject(subject); response.getAssertions().add(assertion);
/**
 * Signs the given object: for a SAML 1 or SAML 2 {@code Response} every enclosed assertion is
 * signed first and then the response itself, so the response signature covers the signed
 * assertions; any other {@link SignableSAMLObject} is signed directly.
 *
 * @param xmlObject the object to sign
 * @throws WSSecurityException if signing fails
 */
private static void signXMLObject(XMLObject xmlObject) throws WSSecurityException {
    if (xmlObject instanceof org.opensaml.saml.saml1.core.Response) {
        org.opensaml.saml.saml1.core.Response response = (org.opensaml.saml.saml1.core.Response) xmlObject;
        signAll(response.getAssertions());
        signObject(response.getSignature());
    } else if (xmlObject instanceof org.opensaml.saml.saml2.core.Response) {
        org.opensaml.saml.saml2.core.Response response = (org.opensaml.saml.saml2.core.Response) xmlObject;
        signAll(response.getAssertions());
        signObject(response.getSignature());
    } else if (xmlObject instanceof SignableSAMLObject) {
        signObject(((SignableSAMLObject) xmlObject).getSignature());
    }
}

/**
 * Signs each object in {@code objects}; a {@code null} collection is treated as empty.
 *
 * @param objects the assertions to sign, may be null
 * @throws WSSecurityException if signing fails
 */
private static void signAll(Iterable<? extends SignableSAMLObject> objects) throws WSSecurityException {
    if (objects == null) {
        return;
    }
    for (SignableSAMLObject signable : objects) {
        signObject(signable.getSignature());
    }
}
/**
 * Derives a single principal identifier string from the response's issuer value and destination.
 *
 * @param response the SAML response
 * @return a one-element array holding the built identifier
 */
private String[] getPrincipalIdFromSamlResponse(final Response response) {
    val builder = new ToStringBuilder(this, ToStringStyle.NO_CLASS_NAME_STYLE);
    // NOTE(review): getIssuer() is dereferenced without a null check, so a response lacking an
    // Issuer element throws NullPointerException here — presumably validated upstream; confirm.
    builder.append("issuer", response.getIssuer().getValue());
    builder.append("destination", response.getDestination());
    return new String[]{builder.toString()};
}
/**
 * Populates the {@link SAMLArtifactContext} of the message context for artifact binding: artifact
 * type, source entity ID (taken from the response's issuer) and the artifact resolution endpoint
 * resolved from {@code adaptor}.
 *
 * @param samlResponse the response being sent
 * @param ctx the outbound message context; the artifact subcontext is created if absent
 */
private void prepareArtifactContext(final Response samlResponse, final MessageContext ctx) {
    val artifactContext = ctx.getSubcontext(SAMLArtifactContext.class, true);
    artifactContext.setArtifactType(SAML2ArtifactType0004.TYPE_CODE);
    // NOTE(review): getIssuer() is dereferenced without a null check — confirm the issuer is
    // always set before this point.
    artifactContext.setSourceEntityId(samlResponse.getIssuer().getValue());
    val artifactService = adaptor.getAssertionConsumerServiceForArtifactBinding();
    artifactContext.setSourceArtifactResolutionServiceEndpointIndex(artifactService.getIndex());
    artifactContext.setSourceArtifactResolutionServiceEndpointURL(artifactService.getLocation());
}
}
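/**
 * Returns true if the identity provider cannot authenticate the principal passively, as
 * requested, else false.
 *
 * <p>That outcome is signalled by a top-level status code of {@link StatusCode#RESPONDER} with a
 * nested second-level code of {@link StatusCode#NO_PASSIVE}. A response whose status, status
 * code or code value is missing yields false instead of a {@link NullPointerException}.
 *
 * @param response the SAML 2.0 Response to be evaluated
 * @return true if the identity provider cannot authenticate the principal passively, as requested, else false
 */
private boolean isNoPassive(Response response) {
    if (response.getStatus() == null) {
        return false;
    }
    final StatusCode topLevel = response.getStatus().getStatusCode();
    // Constant-first equals: a StatusCode element without a Value attribute returns null here.
    if (topLevel == null || !StatusCode.RESPONDER.equals(topLevel.getValue())) {
        return false;
    }
    final StatusCode nested = topLevel.getStatusCode();
    return nested != null && StatusCode.NO_PASSIVE.equals(nested.getValue());
}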
/**
 * Decrypts every encrypted assertion of the response with the given decrypter and appends each
 * result to the response's plaintext assertion list.
 *
 * <p>An assertion that fails to decrypt is logged and skipped; processing continues with the
 * next one, and the encrypted elements themselves are left in place. A caller that requires
 * every assertion to decrypt must therefore check the outcome itself.
 *
 * @param response the response whose {@code EncryptedAssertion} elements are decrypted
 * @param decrypter the decrypter to use
 */
protected final void decryptEncryptedAssertions(final Response response, final Decrypter decrypter) {
    for (final EncryptedAssertion encrypted : response.getEncryptedAssertions()) {
        final Assertion decrypted;
        try {
            decrypted = decrypter.decrypt(encrypted);
        } catch (final DecryptionException e) {
            logger.error("Decryption of assertion failed, continue with the next one", e);
            continue;
        }
        response.getAssertions().add(decrypted);
    }
}
if (samlResponse.getIssuer() == null || samlResponse.getIssuer().getValue() == null) { throw new IllegalArgumentException("The SAML Response must contain an Issuer"); final SAML2IdPEntity idp = getIdP(samlResponse.getIssuer().getValue()); if (idp.getConnObjectKeyItem() == null) { throw new IllegalArgumentException("No mapping provided for SAML 2.0 IdP '" + idp.getId() + "'");