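/**
 * Records the entityID of the given descriptor in the result set.
 *
 * <p>Only the entityID is extracted here; this method performs no signature check of its own.
 * NOTE(review): the previous Javadoc claimed that signatures are verified here — presumably that
 * happens in the caller; confirm before relying on it.
 *
 * @param result result set the entityID is appended to
 * @param descriptor descriptor whose entityID is read
 * @throws MetadataProviderException declared for the callers' contract; not raised by this body
 */
private void addDescriptor(List<String> result, EntityDescriptor descriptor) throws MetadataProviderException {
    String entityID = descriptor.getEntityID();
    // The message previously had no "{}" placeholder, so the entityID argument was never rendered.
    log.debug("Found metadata EntityDescriptor with ID {}", entityID);
    result.add(entityID);
}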
/**
 * Builds the EntityDescriptor for this entity, attaching its IDPSSODescriptor when one is produced.
 *
 * <p>Side effect: when the {@code id} field is unset it is initialised from the entityID (cleaned to
 * an NCName) and retained for subsequent calls.
 *
 * @return populated EntityDescriptor
 */
public EntityDescriptor generateMetadata() {
    // Read configuration up front, in the same order as before, then validate.
    final boolean signAuthnRequests = isWantAuthnRequestSigned();
    final Collection<String> nameIdFormats = getNameID();
    final String entityIdValue = getEntityId();
    final String baseUrl = getEntityBaseURL();
    final String alias = getEntityAlias();
    validateRequiredAttributes(entityIdValue, baseUrl);
    if (id == null) {
        // No explicit ID configured: derive an NCName-safe one from the entityID.
        id = SAMLUtil.getNCNameString(entityIdValue);
    }
    @SuppressWarnings("unchecked")
    final SAMLObjectBuilder<EntityDescriptor> descriptorBuilder =
            (SAMLObjectBuilder<EntityDescriptor>) builderFactory.getBuilder(EntityDescriptor.DEFAULT_ELEMENT_NAME);
    final EntityDescriptor descriptor = descriptorBuilder.buildObject();
    // getNCNameString may still have yielded null; only set the ID when one exists.
    if (id != null) {
        descriptor.setID(id);
    }
    descriptor.setEntityID(entityIdValue);
    final IDPSSODescriptor idpRole = buildIDPSSODescriptor(baseUrl, alias, signAuthnRequests, nameIdFormats);
    if (idpRole != null) {
        descriptor.getRoleDescriptors().add(idpRole);
    }
    return descriptor;
}
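/**
 * Resolves the AssertionConsumerService URL of a service provider from its metadata.
 *
 * <p>The ACS flagged as default is preferred; otherwise the first declared one is used. Missing
 * metadata, a missing SAML 2.0 SP role, or an empty ACS list now raise a
 * {@link MetadataProviderException} instead of a NullPointerException /
 * IndexOutOfBoundsException, so an unknown or malformed SP entityID is reported explicitly.
 *
 * @param sp entityID of the service provider
 * @return location of the default (or first) AssertionConsumerService
 * @throws MetadataProviderException if the metadata cannot be resolved or declares no ACS
 */
public String getAssertionConsumerURL(String sp) throws MetadataProviderException {
    EntityDescriptor entityDescriptor = metadataManager.getEntityDescriptor(sp);
    if (entityDescriptor == null) {
        throw new MetadataProviderException("No metadata found for entity " + sp);
    }
    SPSSODescriptor spssoDescriptor = entityDescriptor.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
    if (spssoDescriptor == null) {
        throw new MetadataProviderException("Entity " + sp + " has no SAML 2.0 SPSSODescriptor");
    }
    List<AssertionConsumerService> services = spssoDescriptor.getAssertionConsumerServices();
    if (services == null || services.isEmpty()) {
        throw new MetadataProviderException("Entity " + sp + " declares no AssertionConsumerService");
    }
    // Prefer the ACS marked isDefault; fall back to the first declared one.
    return services.stream()
            .filter(AssertionConsumerService::isDefault)
            .findFirst()
            .orElse(services.get(0))
            .getLocation();
}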
/**
 * Generates the metadata via the superclass and then forces the descriptor ID to the NCName
 * form of its entityID.
 *
 * @return the superclass descriptor with its ID overwritten
 */
@Override
public EntityDescriptor generateMetadata() {
    final EntityDescriptor descriptor = super.generateMetadata();
    final String ncNameId = SAMLUtil.getNCNameString(descriptor.getEntityID());
    descriptor.setID(ncNameId);
    return descriptor;
}
/**
 * Removes, in place, every role of the descriptor whose name is not in {@code roleWhiteList}.
 *
 * @param descriptor entity descriptor whose roles are filtered
 * @throws FilterException if an effective role name cannot be determined
 */
protected void filterEntityDescriptor(EntityDescriptor descriptor) throws FilterException {
    final List<RoleDescriptor> roles = descriptor.getRoleDescriptors();
    if (roles == null || roles.isEmpty()) {
        return;
    }
    // Iterator-based loop so that removal during traversal stays legal.
    for (Iterator<RoleDescriptor> it = roles.iterator(); it.hasNext();) {
        final QName roleName = getRoleName(it.next());
        if (roleWhiteList.contains(roleName)) {
            continue;
        }
        log.trace("Filtering out role {} from entity {}", roleName, descriptor.getEntityID());
        it.remove();
    }
}
final IDPSSODescriptor idpDesc = edesc.getIDPSSODescriptor("urn:oasis:names:tc:SAML:2.0:protocol"); this.setEntityId(edesc.getEntityID()); this.setLoginUrl(_loginUrl); this.setCert(_cert);
String entityID = entityDescriptor.getEntityID(); log.trace("Processing EntityDescriptor: {}", entityID); if (entityDescriptor.isSigned()) { verifySignature(entityDescriptor, entityID, false); Iterator<RoleDescriptor> roleIter = entityDescriptor.getRoleDescriptors().iterator(); while (roleIter.hasNext()) { RoleDescriptor roleChild = roleIter.next(); if (entityDescriptor.getAffiliationDescriptor() != null) { AffiliationDescriptor affiliationDescriptor = entityDescriptor.getAffiliationDescriptor(); if (!affiliationDescriptor.isSigned()) { log.trace("AffiliationDescriptor member was not signed, skipping signature processing..."); "failed signature verification, removing from metadata provider", affiliationDescriptor.getOwnerID(), entityID); entityDescriptor.setAffiliationDescriptor(null);
@RequestMapping(method = RequestMethod.GET, value = "/metadata", produces = "application/xml") public String metadata() throws SecurityException, ParserConfigurationException, SignatureException, MarshallingException, TransformerException { EntityDescriptor entityDescriptor = buildSAMLObject(EntityDescriptor.class, EntityDescriptor.DEFAULT_ELEMENT_NAME); entityDescriptor.setEntityID(idpConfiguration.getEntityId()); entityDescriptor.setID(SAMLBuilder.randomSAMLId()); entityDescriptor.setValidUntil(new DateTime().plusMillis(86400000)); signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); entityDescriptor.setSignature(signature); entityDescriptor.getRoleDescriptors().add(idpssoDescriptor);
final SPSSODescriptor spDesc = edesc.getSPSSODescriptor("urn:oasis:names:tc:SAML:2.0:protocol"); this.setEntityId(edesc.getEntityID()); this.setAcs(acsUrl);
/**
 * Looks up the roles of the given name declared by an entity. Argument validation and
 * initialisation checks are the caller's responsibility.
 *
 * @param entityID ID of the entity whose roles are requested, never null
 * @param roleName name of the roles to search for, never null
 * @return a modifiable copy of the matching roles, or an empty list when the entity is unknown or
 *         declares no such role
 * @throws MetadataProviderException if the entity lookup fails
 */
protected List<RoleDescriptor> doGetRole(String entityID, QName roleName) throws MetadataProviderException {
    final EntityDescriptor entity = doGetEntityDescriptor(entityID);
    if (entity == null) {
        log.debug("Metadata document did not contain a descriptor for entity {}", entityID);
        return Collections.emptyList();
    }
    final List<RoleDescriptor> matching = entity.getRoleDescriptors(roleName);
    if (matching == null || matching.isEmpty()) {
        return Collections.emptyList();
    }
    // Return a copy so callers cannot mutate the descriptor's own role list.
    return new ArrayList<RoleDescriptor>(matching);
}
private void addIdpToMap(EntityDescriptor descriptor, Map<String, SAMLProviderMetadata> idpMap) { SAMLProviderMetadata idpMetadata = new SAMLProviderMetadata(); idpMetadata.setEntityId(descriptor.getEntityID()); s_logger.debug("Adding IdP to the list of discovered IdPs: " + descriptor.getEntityID()); if (descriptor.getOrganization() != null) { if (descriptor.getOrganization().getDisplayNames() != null) { for (OrganizationDisplayName orgName : descriptor.getOrganization().getDisplayNames()) { if (orgName != null && orgName.getName() != null) { idpMetadata.setOrganizationName(orgName.getName().getLocalString()); if (idpMetadata.getOrganizationName() == null && descriptor.getOrganization().getOrganizationNames() != null) { for (OrganizationName orgName : descriptor.getOrganization().getOrganizationNames()) { if (orgName != null && orgName.getName() != null) { idpMetadata.setOrganizationName(orgName.getName().getLocalString()); if (descriptor.getOrganization().getURLs() != null) { for (OrganizationURL organizationURL : descriptor.getOrganization().getURLs()) { if (organizationURL != null && organizationURL.getURL() != null) { idpMetadata.setOrganizationUrl(organizationURL.getURL().getLocalString()); if (descriptor.getContactPersons() != null) { for (ContactPerson person : descriptor.getContactPersons()) { if (person == null || (person.getGivenName() == null && person.getSurName() == null) || person.getEmailAddresses() == null) { IDPSSODescriptor idpDescriptor = descriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS); if (idpDescriptor != null) { if (idpDescriptor.getSingleSignOnServices() != null) {
spEntityDescriptor.setEntityID(spMetadata.getEntityId()); spEntityDescriptor.getRoleDescriptors().add(spSSODescriptor); contactPerson.setGivenName(givenName); contactPerson.getEmailAddresses().add(emailAddress); spEntityDescriptor.getContactPersons().add(contactPerson); contactPersonAdmin.setGivenName(givenNameAdmin); contactPersonAdmin.getEmailAddresses().add(emailAddressAdmin); spEntityDescriptor.getContactPersons().add(contactPersonAdmin); organization.getOrganizationNames().add(organizationName); organization.getURLs().add(organizationURL); spEntityDescriptor.setOrganization(organization);
/**
 * {@inheritDoc}
 *
 * <p>Attaches a parsed child element to the EntityDescriptor according to its type; anything
 * unrecognised is handed to the superclass.
 */
protected void processChildElement(XMLObject parentSAMLObject, XMLObject childSAMLObject) throws UnmarshallingException {
    final EntityDescriptor entity = (EntityDescriptor) parentSAMLObject;
    if (childSAMLObject instanceof Extensions) {
        entity.setExtensions((Extensions) childSAMLObject);
        return;
    }
    if (childSAMLObject instanceof Signature) {
        entity.setSignature((Signature) childSAMLObject);
        return;
    }
    if (childSAMLObject instanceof RoleDescriptor) {
        entity.getRoleDescriptors().add((RoleDescriptor) childSAMLObject);
        return;
    }
    if (childSAMLObject instanceof AffiliationDescriptor) {
        entity.setAffiliationDescriptor((AffiliationDescriptor) childSAMLObject);
        return;
    }
    if (childSAMLObject instanceof Organization) {
        entity.setOrganization((Organization) childSAMLObject);
        return;
    }
    if (childSAMLObject instanceof ContactPerson) {
        entity.getContactPersons().add((ContactPerson) childSAMLObject);
        return;
    }
    if (childSAMLObject instanceof AdditionalMetadataLocation) {
        entity.getAdditionalMetadataLocations().add((AdditionalMetadataLocation) childSAMLObject);
        return;
    }
    // Unknown child: let the generic unmarshaller decide.
    super.processChildElement(parentSAMLObject, childSAMLObject);
}
EntityDescriptor.class, EntityDescriptor.DEFAULT_ELEMENT_NAME); entityDescriptor.setEntityID(entityId); entityDescriptor.setSignature(signature); entityDescriptor.getRoleDescriptors().add(idpssoDescriptor);
if (entityDescriptor.getEntityID() != null) { domElement.setAttributeNS(null, EntityDescriptor.ENTITY_ID_ATTRIB_NAME, entityDescriptor.getEntityID()); if (entityDescriptor.getID() != null) { domElement.setAttributeNS(null, EntityDescriptor.ID_ATTRIB_NAME, entityDescriptor.getID()); domElement.setIdAttributeNS(null, EntityDescriptor.ID_ATTRIB_NAME, true); if (entityDescriptor.getValidUntil() != null) { log.debug("Writting validUntil attribute to EntityDescriptor DOM element"); String validUntilStr = Configuration.getSAMLDateFormatter().print(entityDescriptor.getValidUntil()); domElement.setAttributeNS(null, TimeBoundSAMLObject.VALID_UNTIL_ATTRIB_NAME, validUntilStr); if (entityDescriptor.getCacheDuration() != null) { log.debug("Writting cacheDuration attribute to EntityDescriptor DOM element"); String cacheDuration = XMLHelper.longToDuration(entityDescriptor.getCacheDuration()); domElement.setAttributeNS(null, CacheableSAMLObject.CACHE_DURATION_ATTRIB_NAME, cacheDuration); for (Entry<QName, String> entry : entityDescriptor.getUnknownAttributes().entrySet()) { attribute = XMLHelper.constructAttribute(domElement.getOwnerDocument(), entry.getKey()); attribute.setValue(entry.getValue()); domElement.setAttributeNodeNS(attribute); if (Configuration.isIDAttribute(entry.getKey()) || entityDescriptor.getUnknownAttributes().isIDAttribute(entry.getKey())) { attribute.getOwnerElement().setIdAttributeNode(attribute, true);
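/**
 * Sends the SAML message after pointing the local entity, the peer endpoint and the default
 * AssertionConsumerService at the values from {@code spConfiguration}.
 *
 * <p>Note that this mutates the shared local-entity metadata held in the context on every send.
 * The guards below replace the previous unchecked {@code get(0)} cast (ClassCastException /
 * IndexOutOfBoundsException on unexpected metadata) and the bare RuntimeException with exception
 * types this method already declares.
 *
 * @param samlContext message context carrying local and peer metadata
 * @param sign not consulted; signing follows {@code spConfiguration.isNeedsSigning()}
 * @return the context returned by the superclass
 * @throws MetadataProviderException if the local metadata does not start with an SPSSODescriptor
 * @throws SAMLException if no AssertionConsumerService is marked as default
 * @throws MessageEncodingException propagated from the superclass
 */
@Override
public SAMLMessageContext sendMessage(SAMLMessageContext samlContext, boolean sign)
        throws SAMLException, MetadataProviderException, MessageEncodingException {
    Endpoint endpoint = samlContext.getPeerEntityEndpoint();
    SAMLBinding binding = getBinding(endpoint);
    samlContext.setLocalEntityId(spConfiguration.getEntityId());
    samlContext.getLocalEntityMetadata().setEntityID(spConfiguration.getEntityId());
    samlContext.getPeerEntityEndpoint().setLocation(spConfiguration.getIdpSSOServiceURL());
    // The first role is assumed to be the SP role; verify instead of casting blindly.
    Object firstRole = samlContext.getLocalEntityMetadata().getRoleDescriptors().isEmpty()
            ? null
            : samlContext.getLocalEntityMetadata().getRoleDescriptors().get(0);
    if (!(firstRole instanceof SPSSODescriptor)) {
        throw new MetadataProviderException("Local entity metadata does not declare an SPSSODescriptor as its first role");
    }
    SPSSODescriptor roleDescriptor = (SPSSODescriptor) firstRole;
    AssertionConsumerService assertionConsumerService = roleDescriptor.getAssertionConsumerServices().stream()
            .filter(AssertionConsumerService::isDefault)
            .findAny()
            .orElseThrow(() -> new SAMLException("No default ACS"));
    assertionConsumerService.setBinding(spConfiguration.getProtocolBinding());
    assertionConsumerService.setLocation(spConfiguration.getAssertionConsumerServiceURL());
    return super.sendMessage(samlContext, spConfiguration.isNeedsSigning(), binding);
}
}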
/**
 * {@inheritDoc}
 *
 * <p>Maps the known EntityDescriptor attributes (entityID, ID, validUntil, cacheDuration) onto the
 * object; every other attribute is stored as an unknown attribute, registering it as an ID
 * attribute when the DOM marks it as one.
 */
protected void processAttribute(XMLObject samlObject, Attr attribute) throws UnmarshallingException {
    final EntityDescriptor entity = (EntityDescriptor) samlObject;
    final String localName = attribute.getLocalName();
    final String value = attribute.getValue();
    if (EntityDescriptor.ENTITY_ID_ATTRIB_NAME.equals(localName)) {
        entity.setEntityID(value);
        return;
    }
    if (EntityDescriptor.ID_ATTRIB_NAME.equals(localName)) {
        entity.setID(value);
        attribute.getOwnerElement().setIdAttributeNode(attribute, true);
        return;
    }
    if (TimeBoundSAMLObject.VALID_UNTIL_ATTRIB_NAME.equals(localName) && !DatatypeHelper.isEmpty(value)) {
        entity.setValidUntil(new DateTime(value, ISOChronology.getInstanceUTC()));
        return;
    }
    if (CacheableSAMLObject.CACHE_DURATION_ATTRIB_NAME.equals(localName)) {
        entity.setCacheDuration(XMLHelper.durationToLong(value));
        return;
    }
    // Anything else is kept as an unknown attribute.
    final QName attribQName = XMLHelper.getNodeQName(attribute);
    if (attribute.isId()) {
        entity.getUnknownAttributes().registerID(attribQName);
    }
    entity.getUnknownAttributes().put(attribQName, value);
}
}
/**
 * Builds a test SAMLMessageContext with the IdP as local entity, the SP as peer entity and the
 * given AuthnRequest as inbound message. The signing credential comes from the test-fixture
 * key material in the {@code PROVIDER_*} constants.
 *
 * @param authnRequest inbound message to place in the context
 * @return populated context for tests
 */
@SuppressWarnings("unchecked")
public SAMLMessageContext mockSamlMessageContext(AuthnRequest authnRequest) {
    final SAMLMessageContext ctx = new SAMLMessageContext();

    // Local side: the IdP.
    ctx.setLocalEntityId(IDP_ENTITY_ID);
    ctx.setLocalEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
    final EntityDescriptor idpMetadata = mockIdpMetadata();
    ctx.setLocalEntityMetadata(idpMetadata);
    ctx.setLocalEntityRoleMetadata(idpMetadata.getIDPSSODescriptor(SAML20P_NS));

    // Peer side: the SP.
    ctx.setPeerEntityId(SP_ENTITY_ID);
    ctx.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
    final EntityDescriptor spMetadata = mockSpMetadata();
    ctx.setPeerEntityMetadata(spMetadata);
    ctx.setPeerEntityRoleMetadata(spMetadata.getSPSSODescriptor(SAML20P_NS));

    ctx.setInboundSAMLMessage(authnRequest);

    // Signing credential from the fixture key material.
    final SamlConfig fixtureConfig = new SamlConfig();
    fixtureConfig.setPrivateKey(PROVIDER_PRIVATE_KEY);
    fixtureConfig.setPrivateKeyPassword(PROVIDER_PRIVATE_KEY_PASSWORD);
    fixtureConfig.setCertificate(PROVIDER_CERTIFICATE);
    final KeyManager keyManager = SamlKeyManagerFactory.getKeyManager(fixtureConfig);
    ctx.setLocalSigningCredential(keyManager.getDefaultCredential());

    return ctx;
}
if (entityDescriptor.getExtensions() != null) { entityAttributesCollection = entityDescriptor.getExtensions().getUnknownXMLObjects( EntityAttributes.DEFAULT_ELEMENT_NAME); log.debug("Descriptor for {} does not contain any EntityAttributes", entityDescriptor.getEntityID()); return null; entityDescriptor.getEntityID()); if (entityAttributes == null || entityAttributes.isEmpty()) { log.debug("EntityAttributes extension for {} does not contain any Attributes", entityDescriptor.getEntityID()); return null; || (DatatypeHelper.safeEquals(getNameFormat(), entityAttribute.getNameFormat()))) { log.debug("Descriptor for {} contains an entity attribute with the name {} and the format {}", new Object[] { entityDescriptor.getEntityID(), getName(), getNameFormat() }); return entityAttribute; new Object[] { entityDescriptor.getEntityID(), getName(), getNameFormat() }); return null;
while (entityIter.hasNext()) { EntityDescriptor entityChild = entityIter.next(); if (!entityChild.isSigned()) { log.trace("EntityDescriptor member '{}' was not signed, skipping signature processing...", entityChild.getEntityID()); continue; } else { log.trace("Processing signed EntityDescriptor member: {}", entityChild.getEntityID()); } catch (FilterException e) { log.error("EntityDescriptor '{}' failed signature verification, removing from metadata provider", entityChild.getEntityID()); toRemove.add(entityChild);