.getBuilder(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); IDPSSODescriptor idpDescriptor = builder.buildObject(); idpDescriptor.setWantAuthnRequestsSigned(wantAuthnRequestSigned); idpDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); idpDescriptor.getNameIDFormats().addAll(getNameIDFormat(includedNameID)); idpDescriptor.getSingleSignOnServices().add(getSingleSignOnService(entityBaseURL, entityAlias, getSAMLWebSSOProcessingFilterPath(), SAMLConstants.SAML2_POST_BINDING_URI)); idpDescriptor.getSingleSignOnServices().add(getSingleSignOnService(entityBaseURL, entityAlias, getSAMLWebSSOProcessingFilterPath(), SAMLConstants.SAML2_REDIRECT_BINDING_URI)); idpDescriptor.getSingleLogoutServices() .add(getSingleLogoutService(entityBaseURL, entityAlias, SAMLConstants.SAML2_POST_BINDING_URI)); idpDescriptor.getSingleLogoutServices().add( getSingleLogoutService(entityBaseURL, entityAlias, SAMLConstants.SAML2_REDIRECT_BINDING_URI)); idpDescriptor.getSingleLogoutServices().add( getSingleLogoutService(entityBaseURL, entityAlias, SAMLConstants.SAML2_SOAP11_BINDING_URI)); idpDescriptor.setExtensions(extensions); idpDescriptor.getKeyDescriptors().add(getKeyDescriptor(UsageType.SIGNING, getServerKeyInfo(signingKey))); } else { log.info( idpDescriptor.getKeyDescriptors()
entityDescriptor.getRoleDescriptors().add(idpssoDescriptor); idpssoDescriptor.setWantAuthnRequestsSigned(false); idpssoDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); NameIDFormat.class, NameIDFormat.DEFAULT_ELEMENT_NAME); nameIDFormat.setFormat(NameIDType.TRANSIENT); idpssoDescriptor.getNameIDFormats().add(nameIDFormat); keyDescriptor.setKeyInfo(getKeyInfo(identity)); keyDescriptor.setUse(UsageType.SIGNING); idpssoDescriptor.getKeyDescriptors().add(keyDescriptor); SingleSignOnService.class, SingleSignOnService.DEFAULT_ELEMENT_NAME); idpssoDescriptor.getSingleSignOnServices().add(ssoService);
/**
 * The generated IdP metadata must list the HTTP-POST SingleSignOnService before the
 * HTTP-Redirect one; relying parties commonly pick the first binding they support, so
 * the order is part of the contract this test pins down.
 */
@Test
public void bindingOrderSSOList() {
    IdentityZoneHolder.set(otherZone);
    IDPSSODescriptor descriptor = generator.buildIDPSSODescriptor(
            generator.getEntityBaseURL(),
            generator.getEntityAlias(),
            false,
            Arrays.asList("email"));
    // Index 0 is POST, index 1 is Redirect.
    String firstBinding = descriptor.getSingleSignOnServices().get(0).getBinding();
    String secondBinding = descriptor.getSingleSignOnServices().get(1).getBinding();
    assertEquals(SAML2_POST_BINDING_URI, firstBinding);
    assertEquals(SAML2_REDIRECT_BINDING_URI, secondBinding);
}
for (SingleSignOnService svc : idpDesc.getSingleSignOnServices()) { if (svc.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { _loginUrl = svc.getLocation(); for (KeyDescriptor kdesc : idpDesc.getKeyDescriptors()) { if (kdesc.getUse() != UsageType.SIGNING) { continue;
List<SingleSignOnService> singleSignOnServices = idpssoDescriptor.getSingleSignOnServices(); if (CollectionUtils.isNotEmpty(singleSignOnServices)) { boolean found = false; if (idpssoDescriptor.getWantAuthnRequestsSigned() != null && idpssoDescriptor.getWantAuthnRequestsSigned() == true) { property.setValue("true"); } else { List<SingleLogoutService> singleLogoutServices = idpssoDescriptor.getSingleLogoutServices(); if (CollectionUtils.isNotEmpty(singleLogoutServices)) { property.setValue("true"); properties[10] = property; List<KeyDescriptor> descriptors = idpssoDescriptor.getKeyDescriptors(); if (CollectionUtils.isNotEmpty(descriptors)) { for (int i = 0; i < descriptors.size(); i++) {
if (idpDescriptor.getSingleSignOnServices() != null) { for (SingleSignOnService ssos : idpDescriptor.getSingleSignOnServices()) { if (ssos.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { idpMetadata.setSsoUrl(ssos.getLocation()); if (idpDescriptor.getSingleLogoutServices() != null) { for (SingleLogoutService slos : idpDescriptor.getSingleLogoutServices()) { if (slos.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { idpMetadata.setSloUrl(slos.getLocation()); if (idpDescriptor.getKeyDescriptors() != null) { for (KeyDescriptor kd : idpDescriptor.getKeyDescriptors()) { if (kd.getUse() == UsageType.SIGNING) { try {
/**
 * {@inheritDoc}
 *
 * Routes the IDPSSODescriptor-specific child elements (SingleSignOnService,
 * NameIDMappingService, AssertionIDRequestService, AttributeProfile, Attribute)
 * into the matching collection on the descriptor; every other child is handed to
 * the parent unmarshaller. The instanceof checks are kept in their original order.
 */
protected void processChildElement(XMLObject parentObject, XMLObject childObject) throws UnmarshallingException {
    IDPSSODescriptor descriptor = (IDPSSODescriptor) parentObject;
    if (childObject instanceof SingleSignOnService) {
        descriptor.getSingleSignOnServices().add((SingleSignOnService) childObject);
        return;
    }
    if (childObject instanceof NameIDMappingService) {
        descriptor.getNameIDMappingServices().add((NameIDMappingService) childObject);
        return;
    }
    if (childObject instanceof AssertionIDRequestService) {
        descriptor.getAssertionIDRequestServices().add((AssertionIDRequestService) childObject);
        return;
    }
    if (childObject instanceof AttributeProfile) {
        descriptor.getAttributeProfiles().add((AttributeProfile) childObject);
        return;
    }
    if (childObject instanceof Attribute) {
        descriptor.getAttributes().add((Attribute) childObject);
        return;
    }
    // Not an IDPSSODescriptor-specific child: let the role-descriptor unmarshaller handle it.
    super.processChildElement(parentObject, childObject);
}
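/**
 * Builds the IdP SSO descriptor via the parent implementation and then appends a
 * {@code use="signing"} KeyDescriptor for every SP credential that is NOT the
 * default (active) one.
 *
 * Publishing the rotated-out keys keeps assertions signed with a previous key
 * verifiable by relying parties during a key rotation. The flip side is that any
 * key left in the key manager stays trusted by every consumer of this metadata:
 * a retired or compromised key must be removed from the key manager, not merely
 * demoted from "default", before consumers stop accepting signatures made with it.
 *
 * @param entityBaseURL         base URL of the local entity, passed through to the parent
 * @param entityAlias           entity alias, passed through to the parent
 * @param wantAuthnRequestSigned whether AuthnRequests must be signed, passed through
 * @param includedNameID        NameID formats to advertise, passed through
 * @return the descriptor produced by the parent, with extra signing KeyDescriptors added
 */
@Override
protected IDPSSODescriptor buildIDPSSODescriptor(String entityBaseURL, String entityAlias,
        boolean wantAuthnRequestSigned, Collection<String> includedNameID) {
    IDPSSODescriptor result = super.buildIDPSSODescriptor(entityBaseURL, entityAlias,
            wantAuthnRequestSigned, includedNameID);
    // NOTE(review): the parent is presumed to publish the active (default) key itself;
    // only the non-default aliases are added here — confirm against the parent class.
    KeyManager samlSPKeyManager = IdentityZoneHolder.getSamlSPKeyManager();
    if (samlSPKeyManager != null && samlSPKeyManager.getAvailableCredentials() != null) {
        // Copy before mutating: never remove from the key manager's own collection.
        Set<String> inactiveKeyAliases = new HashSet<>(samlSPKeyManager.getAvailableCredentials());
        inactiveKeyAliases.remove(samlSPKeyManager.getDefaultCredentialName());
        for (String keyAlias : inactiveKeyAliases) {
            result.getKeyDescriptors().add(getKeyDescriptor(UsageType.SIGNING, getServerKeyInfo(keyAlias)));
        }
    }
    return result;
}
} // closes the enclosing class (its header is not visible in this excerpt)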
/**
 * Decides whether logout should be propagated to the IdP (global logout) or stay
 * local: it is global exactly when the peer IdP's metadata advertises at least one
 * SingleLogoutService.
 *
 * The local and peer entity IDs from the SAML credential are placed on the request so
 * the context provider can resolve the peer role metadata. If the metadata cannot be
 * resolved the error is logged at debug level and the method falls back to a local
 * logout (returns {@code false}) rather than failing the logout.
 *
 * NOTE(review): {@code auth.getCredentials()} is cast to SAMLCredential without a
 * type check; a non-SAML authentication would surface as a ClassCastException here
 * rather than a {@code false} — confirm callers only pass SAML authentications.
 *
 * @param request the current HTTP request; receives LOCAL_ENTITY_ID / PEER_ENTITY_ID attributes
 * @param auth    the authentication whose credentials carry the SAML entity IDs
 * @return {@code true} when the IdP publishes any SingleLogoutService, else {@code false}
 */
@Override
protected boolean isGlobalLogout(HttpServletRequest request, Authentication auth) {
    try {
        SAMLCredential credential = (SAMLCredential) auth.getCredentials();
        request.setAttribute(SAMLConstants.LOCAL_ENTITY_ID, credential.getLocalEntityID());
        request.setAttribute(SAMLConstants.PEER_ENTITY_ID, credential.getRemoteEntityID());
        SAMLMessageContext context = contextProvider.getLocalAndPeerEntity(request, null);
        IDPSSODescriptor peerIdp = (IDPSSODescriptor) context.getPeerEntityRoleMetadata();
        return !peerIdp.getSingleLogoutServices().isEmpty();
    } catch (MetadataProviderException e) {
        // Metadata unavailable: degrade to a local-only logout.
        logger.debug("Error processing metadata", e);
        return false;
    }
}
/**
 * Advertises SAML 2.0 as the protocol supported by the IdP SSO descriptor.
 *
 * @param idpSsoDesc the descriptor to populate
 * @throws MetadataException declared for consistency with the other builder steps
 */
public void buildSupportedProtocol(IDPSSODescriptor idpSsoDesc) throws MetadataException {
    String saml2Protocol = IDPMetadataConstant.SUPPORTED_PROTOCOL_SAML2;
    idpSsoDesc.addSupportedProtocol(saml2Protocol);
}
/**
 * Adds a single NameIDFormat element (IDPMetadataConstant.NAME_FORMAT_ID_SAML) to the
 * IdP SSO descriptor.
 *
 * @param idpSsoDesc the descriptor to populate
 * @throws MetadataException declared for consistency with the other builder steps
 */
public void buildNameIdFormat(IDPSSODescriptor idpSsoDesc) throws MetadataException {
    NameIDFormat formatElement = BuilderUtil.createSAMLObject(
            ConfigElements.FED_METADATA_NS, ConfigElements.NAMEID_FORMAT, "");
    formatElement.setFormat(IDPMetadataConstant.NAME_FORMAT_ID_SAML);
    idpSsoDesc.getNameIDFormats().add(formatElement);
}
/**
 * {@inheritDoc}
 *
 * Handles the {@code WantAuthnRequestsSigned} attribute, parsed as an XML boolean and
 * stored on the descriptor; every other attribute is delegated to the parent
 * unmarshaller. This flag is what tells relying parties that this IdP expects signed
 * AuthnRequests, so it is read straight from the metadata document.
 */
protected void processAttribute(XMLObject samlObject, Attr attribute) throws UnmarshallingException {
    IDPSSODescriptor descriptor = (IDPSSODescriptor) samlObject;
    String attributeName = attribute.getLocalName();
    if (!attributeName.equals(IDPSSODescriptor.WANT_AUTHN_REQ_SIGNED_ATTRIB_NAME)) {
        super.processAttribute(samlObject, attribute);
        return;
    }
    descriptor.setWantAuthnRequestsSigned(XSBooleanValue.valueOf(attribute.getValue()));
}
} // closes the enclosing class (its header is not visible in this excerpt)
idpssoDescriptor.getNameIDFormats().add(nameIDFormat); idpssoDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); singleSignOnService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); idpssoDescriptor.getSingleSignOnServices().add(singleSignOnService); idpssoDescriptor.getKeyDescriptors().add(encKeyDescriptor);
/**
 * The generated IdP metadata must not advertise the HTTP-Artifact binding as a
 * SingleSignOnService: advertising a binding the server does not actually serve would
 * invite relying parties to use an endpoint that cannot complete the flow.
 */
@Test
public void artifactBindingNotInSSOList() throws Exception {
    IdentityZoneHolder.set(otherZone);
    IDPSSODescriptor descriptor = generator.buildIDPSSODescriptor(
            generator.getEntityBaseURL(),
            generator.getEntityAlias(),
            false,
            Arrays.asList("email"));
    // No SingleSignOnService entry may carry the artifact binding URI.
    assertThat(descriptor.getSingleSignOnServices(),
            not(hasItem(hasProperty("binding", equalTo(SAML2_ARTIFACT_BINDING_URI)))));
}
for (SingleSignOnService svc: idpDesc.getSingleSignOnServices()) { if (svc.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { loginUrl = svc.getLocation(); for (KeyDescriptor kdesc: idpDesc.getKeyDescriptors()) { if (kdesc.getUse() != UsageType.SIGNING) continue;
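/**
 * Collects the X.509 certificates an IdP publishes for signing, taking the first
 * certificate of every matching KeyDescriptor.
 *
 * A KeyDescriptor qualifies when its {@code use} is SIGNING, or when no use is
 * declared (OpenSAML reports an absent {@code use} attribute as
 * {@link UsageType#UNSPECIFIED}, possibly {@code null}); per the SAML metadata
 * specification an undeclared use means the key is valid for both signing and
 * encryption, so such keys must not be dropped. Keys marked ENCRYPTION-only are
 * excluded — they must never be accepted for signature verification.
 *
 * @param idpSsoDescriptor the IdP role descriptor to read KeyDescriptors from
 * @return the signing certificates, in metadata order (possibly empty)
 * @throws SamlException if any step of extracting the certificates fails; the
 *                       original exception is attached as the cause
 */
private static List<X509Certificate> getCertificates(IDPSSODescriptor idpSsoDescriptor) throws SamlException {
    try {
        return idpSsoDescriptor
                .getKeyDescriptors()
                .stream()
                .filter(keyDescriptor -> {
                    UsageType use = keyDescriptor.getUse();
                    return use == null || use == UsageType.UNSPECIFIED || use == UsageType.SIGNING;
                })
                .flatMap(SamlClient::getDatasWithCertificates)
                .map(SamlClient::getFirstCertificate)
                .collect(Collectors.toList());
    } catch (Exception e) {
        throw new SamlException("Exception in getCertificates", e);
    }
}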
/**
 * Chooses the SingleLogout binding to use with an IdP: the first IdP SLO binding
 * (in IdP metadata order) that the SP also declares an SLO endpoint for.
 *
 * When the two sides share no binding, the IdP's first SLO binding is returned
 * anyway — callers therefore may receive a binding the SP has not declared support
 * for, and should be prepared for the logout exchange to fail in that case.
 *
 * @param idp the IdP role descriptor; must advertise at least one SingleLogoutService
 * @param sp  the SP role descriptor whose SLO bindings are matched against the IdP's
 * @return a binding URI taken from the IdP's SingleLogoutService list
 * @throws MetadataProviderException if the IdP advertises no SingleLogoutService at all
 */
public static String getLogoutBinding(IDPSSODescriptor idp, SPSSODescriptor sp) throws MetadataProviderException {
    List<SingleLogoutService> idpLogoutServices = idp.getSingleLogoutServices();
    if (idpLogoutServices.isEmpty()) {
        throw new MetadataProviderException("IDP doesn't contain any SingleLogout endpoints");
    }
    // Prefer the first binding supported by both parties, in IdP order.
    for (SingleLogoutService idpService : idpLogoutServices) {
        String candidate = idpService.getBinding();
        for (SingleLogoutService spService : sp.getSingleLogoutServices()) {
            if (candidate.equals(spService.getBinding())) {
                return candidate;
            }
        }
    }
    // Nothing in common: fall back to the IdP's first endpoint, which the SP may not support.
    return idpLogoutServices.get(0).getBinding();
}
/**
 * Checks that at least one SingleSignOnService is present; an IdP descriptor without
 * one gives relying parties nowhere to send an AuthnRequest.
 *
 * @param idpssoDescriptor the descriptor under validation
 * @throws ValidationException if the SingleSignOnService list is absent or empty
 */
protected void validateSingleSignOnService(IDPSSODescriptor idpssoDescriptor) throws ValidationException {
    boolean hasSsoEndpoint = idpssoDescriptor.getSingleSignOnServices() != null
            && !idpssoDescriptor.getSingleSignOnServices().isEmpty();
    if (!hasSsoEndpoint) {
        throw new ValidationException("Must have one or more SingleSignOnServices.");
    }
}
} // closes the enclosing class (its header is not visible in this excerpt)
/**
 * Adds one HTTP-Redirect SingleLogoutService to the IdP SSO descriptor, using the
 * federated authenticator's LOGOUT_REQ_URL as both Location and ResponseLocation.
 *
 * NOTE(review): the LOGOUT_REQ_URL property is dereferenced without a null check; a
 * configuration that lacks it would fail here with a NullPointerException rather than
 * a MetadataException — confirm the property is guaranteed by the config loader.
 *
 * @param idpSsoDesc                       the descriptor to populate
 * @param samlFederatedAuthenticatorConfig the SAML2SSO authenticator config supplying the logout URL
 * @throws MetadataException declared for consistency with the other builder steps
 */
public void buildSingleLogOutService(IDPSSODescriptor idpSsoDesc,
        FederatedAuthenticatorConfig samlFederatedAuthenticatorConfig) throws MetadataException {
    SingleLogoutService sloEndpoint = BuilderUtil.createSAMLObject(
            ConfigElements.FED_METADATA_NS, ConfigElements.SLOSERVICE_DESCRIPTOR, "");
    sloEndpoint.setBinding(IDPMetadataConstant.HTTP_BINDING_REDIRECT_SAML2);
    // The same configured URL serves as request and response location.
    String logoutUrl = getFederatedAuthenticatorConfigProperty(samlFederatedAuthenticatorConfig,
            IdentityApplicationConstants.Authenticator.SAML2SSO.LOGOUT_REQ_URL).getValue();
    sloEndpoint.setLocation(logoutUrl);
    sloEndpoint.setResponseLocation(logoutUrl);
    idpSsoDesc.getSingleLogoutServices().add(sloEndpoint);
}
/**
 * Enforces that no SingleSignOnService carries a ResponseLocation: the SAML metadata
 * schema forbids it on SSO endpoints (the response goes to the requester's
 * AssertionConsumerService, not back to a location named by the IdP).
 *
 * A null or empty SingleSignOnService list passes this check; presence of at least
 * one endpoint is validated separately.
 *
 * @param idpssoDescriptor the descriptor under validation
 * @throws ValidationException if any SingleSignOnService has a non-empty ResponseLocation
 */
protected void validateSingleSign(IDPSSODescriptor idpssoDescriptor) throws ValidationException {
    if (idpssoDescriptor.getSingleSignOnServices() == null
            || idpssoDescriptor.getSingleSignOnServices().size() == 0) {
        return;
    }
    int endpointCount = idpssoDescriptor.getSingleSignOnServices().size();
    for (int idx = 0; idx < endpointCount; idx++) {
        String responseLocation = idpssoDescriptor.getSingleSignOnServices().get(idx).getResponseLocation();
        if (!DatatypeHelper.isEmpty(responseLocation)) {
            throw new ValidationException("ResponseLocation of all SingleSignOnServices must be null");
        }
    }
}