// Populate an SP-initiated AuthnRequest. authnRequest, authnId, idpUrl, consumerUrl, spId,
// issuer and requestedAuthnContext are all defined before this run of statements.
authnRequest.setID(authnId);
// Destination is the IdP SSO endpoint the message is sent to; per SAML 2.0 the IdP is
// expected to compare it with the URL it actually received the request on.
authnRequest.setDestination(idpUrl);
authnRequest.setVersion(SAMLVersion.VERSION_20);
// ForceAuthn=false lets the IdP reuse an existing session; IsPassive=false allows the IdP
// to interact with the user (prompt for credentials).
authnRequest.setForceAuthn(false);
authnRequest.setIsPassive(false);
authnRequest.setIssueInstant(new DateTime());
authnRequest.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI);
// consumerUrl is where the IdP will POST the Response; it only means anything if the IdP
// checks it against the ACS registered for this SP, otherwise it is just a self-declared value.
authnRequest.setAssertionConsumerServiceURL(consumerUrl);
authnRequest.setProviderName(spId);
authnRequest.setIssuer(issuer);
authnRequest.setRequestedAuthnContext(requestedAuthnContext);
if(null != authnRequest.getSubject() && null != authnRequest.getSubject().getNameID() && null != authnRequest.getSubject().getNameID().getFormat()){ nameIDFormat = authnRequest.getSubject().getNameID().getFormat(); switch (nameIDFormat) { case NameIDType.EMAIL: subjectConfirmationData.setInResponseTo(authnRequest.getID()); subjectConfirmationData.setRecipient(authnRequest.getAssertionConsumerServiceURL()); subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData); subject.getSubjectConfirmations().add(subjectConfirmation);
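/**
 * Builds a synthetic AuthnRequest that stands in for an IdP-initiated (unsolicited) SSO flow, so that
 * the rest of the response pipeline can be driven from a request object.
 *
 * The request deliberately carries no ID: the original code generated one with generateID() and then
 * overwrote it with null, so the generated value was dead code and the redundant call is removed here.
 * NOTE(review): presumably the null ID is what keeps InResponseTo out of the unsolicited Response
 * (the response builder copies the request ID into InResponseTo) — confirm before changing this.
 *
 * @param nameIDFormat NameID format to place in the Subject, or null to omit the Subject entirely
 * @param spEntityID   entity id used for the Issuer element
 * @param assertionUrl AssertionConsumerServiceURL the response should be delivered to
 * @return the populated, unsigned AuthnRequest
 */
@SuppressWarnings("unchecked")
public AuthnRequest buildIdpInitiatedAuthnRequest(String nameIDFormat, String spEntityID, String assertionUrl) {
    SAMLObjectBuilder<AuthnRequest> builder =
            (SAMLObjectBuilder<AuthnRequest>) builderFactory.getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME);
    AuthnRequest request = builder.buildObject();
    request.setVersion(SAMLVersion.VERSION_20);
    request.setIssuer(getIssuer(spEntityID));
    request.setIssueInstant(new DateTime());
    // No ID on purpose; see the class-level note in the Javadoc above.
    request.setID(null);
    request.setAssertionConsumerServiceURL(assertionUrl);
    if (nameIDFormat != null) {
        NameID nameID = ((SAMLObjectBuilder<NameID>) builderFactory.getBuilder(NameID.DEFAULT_ELEMENT_NAME)).buildObject();
        nameID.setFormat(nameIDFormat);
        Subject subject = ((SAMLObjectBuilder<Subject>) builderFactory.getBuilder(Subject.DEFAULT_ELEMENT_NAME)).buildObject();
        subject.setNameID(nameID);
        request.setSubject(subject);
    }
    return request;
}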
AuthnRequest authnRequest = (AuthnRequest) Util .buildXMLObject(AuthnRequest.DEFAULT_ELEMENT_NAME); authnRequest.setID(Util.createID()); authnRequest.setVersion(SAMLVersion.VERSION_20); authnRequest.setIssueInstant(new DateTime()); authnRequest.setIssuer(buildIssuer()); authnRequest.setNameIDPolicy(buildNameIDPolicy(nameIdPolicyFormat)); authnRequest.setIsPassive(isPassive); authnRequest.setDestination(Util.getIdentityProviderSSOServiceURL()); String acs = Util.getAssertionConsumerServiceURL(); if (acs != null && acs.trim().length() > 0) { authnRequest.setAssertionConsumerServiceURL(acs); } else { authnRequest.setAssertionConsumerServiceURL(CarbonUIUtil.getAdminConsoleURL("").replace("carbon/", "acs")); nameId.setFormat(NameIdentifier.EMAIL); subject.setNameID(nameId); authnRequest.setSubject(subject);
Issuer issuer = authnReq.getIssuer(); Subject subject = authnReq.getSubject(); if (!(SAMLVersion.VERSION_20.equals(authnReq.getVersion()))) { String errorResp = SAMLSSOUtil.buildErrorResponse( SAMLSSOConstants.StatusCodes.VERSION_MISMATCH, "Invalid SAML Version in Authentication Request. SAML Version should be equal to 2.0", authnReq.getAssertionConsumerServiceURL()); if (log.isDebugEnabled()) { log.debug("Invalid version in the SAMLRequest" + authnReq.getVersion()); SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, "Issuer/ProviderName should not be empty in the Authentication Request.", authnReq.getAssertionConsumerServiceURL()); log.debug("SAML Request issuer validation failed. Issuer should not be empty"); validationResponse.setResponse(errorResp); SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, "Issuer Format attribute value is invalid", authnReq.getAssertionConsumerServiceURL()); if (log.isDebugEnabled()) { log.debug("Invalid Issuer Format attribute value " + issuer.getFormat()); String acsUrl = authnReq.getAssertionConsumerServiceURL(); if ( StringUtils.isNotBlank(spAcsUrl) && StringUtils.isNotBlank(acsUrl) && !acsUrl.equals(spAcsUrl)) { log.error("Invalid ACS URL value " + acsUrl + " in the AuthnRequest message from " + spDO.getIssuer() + "\n" + "Possibly an attempt for a spoofing attack from Provider " + authnReq.getIssuer().getValue());
.getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME); AuthnRequest authnRequest = requestBuilder.buildObject(); authnRequest.setID("authn-request-" + UUID.randomUUID().toString()); authnRequest.setVersion(SAMLVersion.VERSION_20); authnRequest.setIssueInstant(new DateTime()); authnRequest.setDestination(idpDestination); authnRequest.setAssertionConsumerServiceURL(spDestination); authnRequest.setForceAuthn(true); authnRequest.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI); Issuer issuer = issuerBuilder.buildObject(); issuer.setValue(issuerName); authnRequest.setIssuer(issuer);
// The ID is prefixed with a letter: an xs:ID (NCName) may not start with a digit, and a
// bare UUID often does.
request.setID("z" + UUID.randomUUID().toString()); // ADFS needs IDs to start with a letter
request.setVersion(SAMLVersion.VERSION_20);
request.setIssueInstant(DateTime.now());
// Binding URI is assembled from the configured samlBinding's toString() value
// (presumably "POST" or "Redirect" — confirm against the enum).
request.setProtocolBinding(
        "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-" + this.samlBinding.toString());
request.setAssertionConsumerServiceURL(assertionConsumerServiceUrl);
request.setIssuer(issuer);
request.setNameIDPolicy(nameIDPolicy);
/**
 * Creates an SP-initiated AuthnRequest addressed to the configured IdP login URL.
 *
 * @param requestId value stored in the request's ID attribute
 * @return an AuthnRequest carrying the SP's ACS URL and entity id, an unspecified NameID format
 *         policy and the Signature object returned by getSignature()
 */
public AuthnRequest createAuthnRequest(final String requestId) {
    final Issuer spIssuer = new IssuerBuilder().buildObject();
    spIssuer.setValue(config.getSPConfig().getEntityId());

    final NameIDPolicy policy = new NameIDPolicyBuilder().buildObject();
    policy.setFormat(NameIDType.UNSPECIFIED);

    final AuthnRequest authnRequest = new AuthnRequestBuilder().buildObject();
    authnRequest.setID(requestId);
    authnRequest.setIssueInstant(new DateTime());
    authnRequest.setIssuer(spIssuer);
    // Where the request goes and where the IdP should send the Response back.
    authnRequest.setDestination(config.getIdPConfig().getLoginUrl());
    authnRequest.setAssertionConsumerServiceURL(config.getSPConfig().getAcs());
    authnRequest.setNameIDPolicy(policy);
    // getSignature() is defined elsewhere in this class.
    authnRequest.setSignature(getSignature());
    return authnRequest;
}
/**
 * Generates an SP-initiated authentication request.
 *
 * @param issuerId entity id placed in the Issuer element (see buildIssuer)
 * @return a new AuthnRequest with a fresh ID, SAML 2.0 version, current issue instant,
 *         issuer and the NameIDPolicy produced by buildNameIDPolicy()
 * @throws Exception error when bootstrapping
 */
public AuthnRequest buildAuthenticationRequest(String issuerId) throws Exception {
    // Library bootstrap has to happen before any XML object can be built.
    Util.doBootstrap();
    AuthnRequest request = (AuthnRequest) Util.buildXMLObject(AuthnRequest.DEFAULT_ELEMENT_NAME);
    request.setVersion(SAMLVersion.VERSION_20);
    request.setID(Util.createID());
    request.setIssueInstant(new DateTime());
    request.setIssuer(buildIssuer(issuerId));
    request.setNameIDPolicy(buildNameIDPolicy());
    return request;
}
// Populate the AuthnRequest from the SP/IdP configuration; request, spConfig, idpConfig,
// requestId and issuer are in scope from the enclosing method.
request.setAssertionConsumerServiceURL(spConfig.getAcs().toString());
// Destination: the IdP login endpoint this request is delivered to.
request.setDestination(idpConfig.getLoginUrl().toString());
request.setIssueInstant(new DateTime());
request.setID(requestId);
request.setIssuer(issuer);
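/**
 * {@inheritDoc}
 *
 * Copies the AuthnRequest-specific XML attributes onto the object; any other attribute is handed to the
 * superclass. The two index attributes are parsed as integers; because the document being unmarshalled
 * is externally supplied, a non-numeric value is reported as an {@link UnmarshallingException} rather than
 * escaping as an unchecked {@link NumberFormatException}.
 *
 * @param samlObject the AuthnRequest being populated
 * @param attribute  the DOM attribute to process
 * @throws UnmarshallingException if an index attribute is not a valid integer, or the superclass rejects the attribute
 */
protected void processAttribute(XMLObject samlObject, Attr attribute) throws UnmarshallingException {
    AuthnRequest req = (AuthnRequest) samlObject;
    String name = attribute.getLocalName();
    String value = attribute.getValue();
    if (AuthnRequest.FORCE_AUTHN_ATTRIB_NAME.equals(name)) {
        req.setForceAuthn(XSBooleanValue.valueOf(value));
    } else if (AuthnRequest.IS_PASSIVE_ATTRIB_NAME.equals(name)) {
        req.setIsPassive(XSBooleanValue.valueOf(value));
    } else if (AuthnRequest.PROTOCOL_BINDING_ATTRIB_NAME.equals(name)) {
        req.setProtocolBinding(value);
    } else if (AuthnRequest.ASSERTION_CONSUMER_SERVICE_INDEX_ATTRIB_NAME.equals(name)) {
        req.setAssertionConsumerServiceIndex(parseIndexAttribute(name, value));
    } else if (AuthnRequest.ASSERTION_CONSUMER_SERVICE_URL_ATTRIB_NAME.equals(name)) {
        req.setAssertionConsumerServiceURL(value);
    } else if (AuthnRequest.ATTRIBUTE_CONSUMING_SERVICE_INDEX_ATTRIB_NAME.equals(name)) {
        req.setAttributeConsumingServiceIndex(parseIndexAttribute(name, value));
    } else if (AuthnRequest.PROVIDER_NAME_ATTRIB_NAME.equals(name)) {
        req.setProviderName(value);
    } else {
        super.processAttribute(samlObject, attribute);
    }
}

/**
 * Parses an integer-valued attribute, turning a malformed value into an UnmarshallingException.
 *
 * @param attributeName local name of the attribute, used in the error message
 * @param value         raw attribute text
 * @return the parsed value
 * @throws UnmarshallingException if value is not a valid integer
 */
private static Integer parseIndexAttribute(String attributeName, String value) throws UnmarshallingException {
    try {
        return Integer.valueOf(value);
    } catch (NumberFormatException e) {
        throw new UnmarshallingException("Attribute " + attributeName + " is not a valid integer: " + value, e);
    }
}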
if (authnRequest.getVersion().equals(SAMLVersion.VERSION_20)) { validatedItems.add(new ValidatedItemDTO( SAMLValidatorConstants.ValidationType.VAL_VERSION, false, String.format(SAMLValidatorConstants.ValidationMessage.VAL_VERSION_FAIL, authnRequest.getVersion()))); throw IdentityException.error(SAMLValidatorConstants.ValidationMessage.EXIT_WITH_ERROR); Issuer issuer = authnRequest.getIssuer(); Subject subject = authnRequest.getSubject(); false, String.format(SAMLValidatorConstants.ValidationMessage.VAL_IDP_CONFIGS_FAIL, authnRequest.getIssuer() .getValue()))); throw IdentityException.error(SAMLValidatorConstants.ValidationMessage.EXIT_WITH_ERROR); false, String.format(SAMLValidatorConstants.ValidationMessage.VAL_IDP_CONFIGS_FAIL, authnRequest.getIssuer() .getValue()))); throw IdentityException.error(SAMLValidatorConstants.ValidationMessage.EXIT_WITH_ERROR); true, String.format(SAMLValidatorConstants.ValidationMessage.VAL_IDP_CONFIGS_SUCCESS, authnRequest.getIssuer() .getValue())));
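/**
 * Handles an SP-initiated SSO request: decodes the inbound AuthnRequest, resolves the ACS endpoint,
 * builds the SAML principal for the authenticated user and sends the Response.
 *
 * The configured ACS endpoint wins when one is set; otherwise the AssertionConsumerServiceURL carried
 * by the inbound AuthnRequest is used.
 * NOTE(review): that fallback is a requester-controlled value and nothing in this method compares it
 * with the ACS registered for the issuing SP. Unless extractSAMLMessageContext validates the request
 * (signature and/or metadata), a crafted AuthnRequest could have the assertion delivered to a URL of
 * the requester's choosing — confirm where that check lives.
 *
 * @param request        inbound HTTP request carrying the SAML message
 * @param response       HTTP response the SAML Response is written to
 * @param authentication the authenticated user
 * @param postRequest    binding selector passed through to the message handler (presumably POST vs
 *                       Redirect — confirm in samlMessageHandler)
 * @throws ValidationException if the inbound message is not an AuthnRequest or carries no Issuer value
 * @throws SecurityException, MessageDecodingException, MarshallingException, SignatureException,
 *         MessageEncodingException, MetadataProviderException, IOException, ServletException
 *         propagated from message extraction and response sending
 */
@SuppressWarnings("unchecked")
private void doSSO(HttpServletRequest request, HttpServletResponse response, Authentication authentication, boolean postRequest)
        throws ValidationException, SecurityException, MessageDecodingException, MarshallingException, SignatureException,
        MessageEncodingException, MetadataProviderException, IOException, ServletException {
    SAMLMessageContext messageContext = samlMessageHandler.extractSAMLMessageContext(request, response, postRequest);
    Object inbound = messageContext.getInboundSAMLMessage();
    // Previously an unconditional cast (ClassCastException) and an unguarded getIssuer().getValue()
    // (NullPointerException) turned malformed input into a 500; report it as a validation failure instead.
    if (!(inbound instanceof AuthnRequest)) {
        throw new ValidationException("Inbound SAML message is not an AuthnRequest");
    }
    AuthnRequest authnRequest = (AuthnRequest) inbound;
    if (authnRequest.getIssuer() == null || authnRequest.getIssuer().getValue() == null) {
        throw new ValidationException("AuthnRequest " + authnRequest.getID() + " has no Issuer");
    }
    String assertionConsumerServiceURL = idpConfiguration.getAcsEndpoint();
    if (assertionConsumerServiceURL == null) {
        assertionConsumerServiceURL = authnRequest.getAssertionConsumerServiceURL();
    }
    List<SAMLAttribute> attributes = attributes(authentication);
    // NameID format comes from the user's attributes when present, else UNSPECIFIED.
    String nameIdFormat = attributes.stream()
            .filter(attr -> "urn:oasis:names:tc:SAML:1.1:nameid-format".equals(attr.getName()))
            .findFirst()
            .map(attr -> attr.getValue())
            .orElse(NameIDType.UNSPECIFIED);
    SAMLPrincipal principal = new SAMLPrincipal(
            authentication.getName(),
            nameIdFormat,
            attributes,
            authnRequest.getIssuer().getValue(),
            authnRequest.getID(),
            assertionConsumerServiceURL,
            messageContext.getRelayState());
    samlMessageHandler.sendAuthnResponse(principal, response);
}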
/**
 * Sets the attributes shared by every Response built for an AuthnRequest: a fresh ID, the local
 * issuer, InResponseTo, the SAML 2.0 version, the issue instant and — when an endpoint is known — Destination.
 *
 * @param localEntityId entity id used for the Issuer element
 * @param response      response being populated
 * @param service       endpoint the response is delivered to; Destination is left unset when null
 * @param authnRequest  request being answered; its ID (which may be null) becomes InResponseTo
 */
private void buildCommonAttributes(String localEntityId, Response response, Endpoint service, AuthnRequest authnRequest) {
    response.setVersion(SAMLVersion.VERSION_20);
    response.setIssueInstant(new DateTime());
    response.setID(generateID());
    response.setInResponseTo(authnRequest.getID());
    response.setIssuer(getIssuer(localEntityId));
    if (service == null) {
        return;
    }
    response.setDestination(service.getLocation());
}
/**
 * Returns the AuthnRequest SAML message used to demand authentication from the IDP described by
 * idpEntityDescriptor, with the response expected at the assertionConsumer address.
 *
 * @param context           message context
 * @param options           preferences of message creation
 * @param assertionConsumer assertion consumer where the IDP should respond
 * @param bindingService    service used to deliver the request
 * @return authnRequest ready to be sent to IDP
 * @throws SAMLException             error creating the message
 * @throws MetadataProviderException error retrieving metadata
 */
protected AuthnRequest getAuthnRequest(SAMLMessageContext context, WebSSOProfileOptions options,
        AssertionConsumerService assertionConsumer, SingleSignOnService bindingService)
        throws SAMLException, MetadataProviderException {
    @SuppressWarnings("unchecked")
    SAMLObjectBuilder<AuthnRequest> requestBuilder =
            (SAMLObjectBuilder<AuthnRequest>) builderFactory.getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME);
    AuthnRequest authnRequest = requestBuilder.buildObject();

    // Version and the request-level flags come straight from the caller's options.
    authnRequest.setVersion(SAMLVersion.VERSION_20);
    authnRequest.setProviderName(options.getProviderName());
    authnRequest.setForceAuthn(options.getForceAuthN());
    authnRequest.setIsPassive(options.getPassive());

    // Attributes common to all requests, then the optional sub-elements and the return address.
    buildCommonAttributes(context.getLocalEntityId(), authnRequest, bindingService);
    buildScoping(authnRequest, bindingService, options);
    builNameIDPolicy(authnRequest, options);
    buildAuthnContext(authnRequest, options);
    buildReturnAddress(authnRequest, assertionConsumer);
    return authnRequest;
}
// Copy the routing data from the decoded AuthnRequest into the message context before validation.
messageContext.setDestination(((AuthnRequest) request).getDestination());
messageContext.setId(((AuthnRequest) request).getID());
// NOTE(review): this ACS URL is taken verbatim from the inbound request, i.e. it is chosen by the
// requester; it must be matched against the ACS registered for the issuing SP before any Response
// is sent there — presumably that is SPInitSSOAuthnRequestValidator's job, confirm.
messageContext.setAssertionConsumerUrl(((AuthnRequest) request).getAssertionConsumerServiceURL());
messageContext.setIsPassive(((AuthnRequest) request).isPassive());
SSOAuthnRequestValidator reqValidator = new SPInitSSOAuthnRequestValidator(messageContext);
return reqValidator.validate((AuthnRequest) request);
/**
 * {@inheritDoc}
 *
 * Attaches the child elements specific to an AuthnRequest (Subject, NameIDPolicy, Conditions,
 * RequestedAuthnContext, Scoping); any other child is passed to the superclass.
 *
 * @param parentSAMLObject the AuthnRequest being populated
 * @param childSAMLObject  the unmarshalled child element
 * @throws UnmarshallingException propagated from the superclass for children it does not accept
 */
protected void processChildElement(XMLObject parentSAMLObject, XMLObject childSAMLObject) throws UnmarshallingException {
    AuthnRequest authnRequest = (AuthnRequest) parentSAMLObject;
    if (childSAMLObject instanceof Subject) {
        authnRequest.setSubject((Subject) childSAMLObject);
        return;
    }
    if (childSAMLObject instanceof NameIDPolicy) {
        authnRequest.setNameIDPolicy((NameIDPolicy) childSAMLObject);
        return;
    }
    if (childSAMLObject instanceof Conditions) {
        authnRequest.setConditions((Conditions) childSAMLObject);
        return;
    }
    if (childSAMLObject instanceof RequestedAuthnContext) {
        authnRequest.setRequestedAuthnContext((RequestedAuthnContext) childSAMLObject);
        return;
    }
    if (childSAMLObject instanceof Scoping) {
        authnRequest.setScoping((Scoping) childSAMLObject);
        return;
    }
    // Not an AuthnRequest-specific child; the superclass handles (or rejects) it.
    super.processChildElement(parentSAMLObject, childSAMLObject);
}
}
if (request.getAssertionConsumerServiceIndex() != null) { log.debug("Selecting endpoint by ACS index '{}' for request '{}' from entity '{}'", new Object[] { request.getAssertionConsumerServiceIndex(), request.getID(), getEntityMetadata().getEntityID()}); endpoint = selectEndpointByACSIndex(request, (List<IndexedEndpoint>) endpoints); } else if (request.getAssertionConsumerServiceURL() != null) { log.debug( "Selecting endpoint by ACS URL '{}' and protocol binding '{}' for request '{}' from entity '{}'", new Object[] {request.getAssertionConsumerServiceURL(), request.getProtocolBinding(), request.getID(), getEntityMetadata().getEntityID()}); endpoint = selectEndpointByACSURL(request, (List<IndexedEndpoint>) endpoints); if (endpoint == null && request.getAssertionConsumerServiceIndex() == null && request.getAssertionConsumerServiceURL() == null) { log.debug("No ACS index or URL given, selecting endpoint without additional constraints."); if (endpoints.get(0) instanceof IndexedEndpoint) {
/**
 * Fills the request with the AssertionConsumerServiceURL and ProtocolBinding derived from the given
 * assertion consumer endpoint, so the IDP knows where and how to deliver its response. Nothing is set
 * when service is null. The URL/binding pair is used instead of AssertionConsumerServiceIndex; the two
 * forms are mutually exclusive.
 *
 * @param request request
 * @param service service to deliver response to, building is skipped when null
 * @throws MetadataProviderException error retrieving metadata information
 */
protected void buildReturnAddress(AuthnRequest request, AssertionConsumerService service) throws MetadataProviderException {
    if (service == null) {
        return;
    }
    // ResponseLocation takes precedence over Location when the metadata supplies one.
    String responseLocation = service.getResponseLocation();
    String returnUrl = responseLocation != null ? responseLocation : service.getLocation();
    request.setAssertionConsumerServiceURL(returnUrl);
    request.setProtocolBinding(getEndpointBinding(service));
}
AuthnRequest req = (AuthnRequest) samlObject; if (req.isForceAuthnXSBoolean() != null) { domElement.setAttributeNS(null, AuthnRequest.FORCE_AUTHN_ATTRIB_NAME, req.isForceAuthnXSBoolean() .toString()); if (req.isPassiveXSBoolean() != null) { domElement.setAttributeNS(null, AuthnRequest.IS_PASSIVE_ATTRIB_NAME, req.isPassiveXSBoolean().toString()); if (req.getProtocolBinding() != null) { domElement.setAttributeNS(null, AuthnRequest.PROTOCOL_BINDING_ATTRIB_NAME, req.getProtocolBinding()); if (req.getAssertionConsumerServiceIndex() != null) { domElement.setAttributeNS(null, AuthnRequest.ASSERTION_CONSUMER_SERVICE_INDEX_ATTRIB_NAME, req .getAssertionConsumerServiceIndex().toString()); if (req.getAssertionConsumerServiceURL() != null) { domElement.setAttributeNS(null, AuthnRequest.ASSERTION_CONSUMER_SERVICE_URL_ATTRIB_NAME, req .getAssertionConsumerServiceURL()); if (req.getAttributeConsumingServiceIndex() != null) { domElement.setAttributeNS(null, AuthnRequest.ATTRIBUTE_CONSUMING_SERVICE_INDEX_ATTRIB_NAME, req .getAttributeConsumingServiceIndex().toString()); if (req.getProviderName() != null) { domElement.setAttributeNS(null, AuthnRequest.PROVIDER_NAME_ATTRIB_NAME, req.getProviderName());