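/**
 * Resolves the AssertionConsumerService URL of a registered service provider.
 *
 * <p>The SP's SAML 2.0 {@code SPSSODescriptor} is looked up through the metadata
 * manager. The ACS flagged {@code isDefault="true"} wins; otherwise the first ACS
 * listed in the metadata is used.
 *
 * <p>Security note: the returned location comes from the SP's registered metadata,
 * not from anything carried in an inbound request, so callers may treat it as the
 * trusted destination for assertions. Missing or incomplete metadata (no entity
 * descriptor, no SPSSODescriptor, no ACS endpoints) is reported as a
 * {@link MetadataProviderException} instead of surfacing as a NullPointerException
 * or IndexOutOfBoundsException.
 *
 * @param sp entity ID of the service provider
 * @return location of the default (or first) AssertionConsumerService
 * @throws MetadataProviderException if the metadata cannot be resolved or declares no ACS
 */
public String getAssertionConsumerURL(String sp) throws MetadataProviderException {
    EntityDescriptor entityDescriptor = metadataManager.getEntityDescriptor(sp);
    if (entityDescriptor == null) {
        throw new MetadataProviderException("No metadata found for service provider " + sp);
    }
    SPSSODescriptor spssoDescriptor = entityDescriptor.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
    if (spssoDescriptor == null) {
        throw new MetadataProviderException("Service provider " + sp + " has no SAML 2.0 SPSSODescriptor");
    }
    List<AssertionConsumerService> assertionConsumerServices = spssoDescriptor.getAssertionConsumerServices();
    if (assertionConsumerServices == null || assertionConsumerServices.isEmpty()) {
        throw new MetadataProviderException("Service provider " + sp + " declares no AssertionConsumerService");
    }
    // Prefer the ACS flagged as default; fall back to the first declared endpoint.
    // Boolean.TRUE.equals(...) keeps this null-safe should isDefault() return a null Boolean.
    return assertionConsumerServices.stream()
        .filter(acs -> Boolean.TRUE.equals(acs.isDefault()))
        .findFirst()
        .orElse(assertionConsumerServices.get(0))
        .getLocation();
}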
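/**
 * Builds the SP metadata descriptor and augments it with (1) every non-active SP
 * signing key and (2) an extra AssertionConsumerService for the token endpoint.
 *
 * <p>Why inactive keys are published: during key rotation a peer IdP may still
 * receive messages signed with the previous SP key, so that key has to remain
 * advertised as a {@code use="signing"} verification key until rotation completes.
 * The superclass emits only the active key; this method adds the remaining ones.
 *
 * <p>The additional ACS uses the SAML URI binding, points at {@code /oauth/token},
 * is not marked as default, and takes the next free index so existing indices
 * stay stable. NOTE(review): it is built from {@code getEntityBaseURL()} /
 * {@code getEntityAlias()} rather than from the {@code entityBaseURL} /
 * {@code entityAlias} parameters — presumably equivalent, but confirm.
 *
 * @param entityBaseURL       base URL of this SP
 * @param entityAlias         alias of this SP, may be null
 * @param requestSigned       whether AuthnRequests are signed
 * @param wantAssertionSigned whether assertions must be signed
 * @param includedNameID      NameID formats to advertise
 * @return descriptor with inactive signing keys and the token ACS appended
 */
@Override
protected SPSSODescriptor buildSPSSODescriptor(String entityBaseURL, String entityAlias, boolean requestSigned,
                                               boolean wantAssertionSigned, Collection<String> includedNameID) {
    SPSSODescriptor result = super.buildSPSSODescriptor(entityBaseURL, entityAlias, requestSigned,
                                                        wantAssertionSigned, includedNameID);
    KeyManager samlSPKeyManager = IdentityZoneHolder.getSamlSPKeyManager();
    if (samlSPKeyManager != null && samlSPKeyManager.getAvailableCredentials() != null) {
        // Typed copy (was a raw HashSet). The active key is already advertised by the
        // superclass, so only the remaining aliases are added here.
        Set<String> inactiveKeyAliases = new HashSet<>(samlSPKeyManager.getAvailableCredentials());
        inactiveKeyAliases.remove(samlSPKeyManager.getDefaultCredentialName());
        for (String keyAlias : inactiveKeyAliases) {
            result.getKeyDescriptors().add(getKeyDescriptor(UsageType.SIGNING, getServerKeyInfo(keyAlias)));
        }
    }
    // Append the token-endpoint ACS with the next free index.
    int index = result.getAssertionConsumerServices().size();
    result.getAssertionConsumerServices().add(
        getAssertionConsumerService(getEntityBaseURL(), getEntityAlias(), false, index,
                                    "/oauth/token", "urn:oasis:names:tc:SAML:2.0:bindings:URI"));
    return result;
}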
getSPSSODescriptor(SAMLConstants.SAML20P_NS); if (null != spSsoDescriptor && null != spSsoDescriptor.getNameIDFormats() && !spSsoDescriptor.getNameIDFormats().isEmpty()) { if (!spSsoDescriptor.getNameIDFormats().stream().anyMatch( format -> this.supportedNameIDs.contains(format.getFormat()))) { throw new MetadataProviderException(
spSSODescriptor.setWantAssertionsSigned(true); spSSODescriptor.setAuthnRequestsSigned(true); signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(signingCredential)); encKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(encryptionCredential)); spSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); spSSODescriptor.getKeyDescriptors().add(encKeyDescriptor); } catch (SecurityException e) { s_logger.warn("Unable to add SP X509 descriptors:" + e.getMessage()); spSSODescriptor.getNameIDFormats().add(nameIDFormat); spSSODescriptor.getNameIDFormats().add(emailNameIDFormat); spSSODescriptor.getNameIDFormats().add(transientNameIDFormat); assertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); assertionConsumerService.setLocation(spMetadata.getSsoUrl()); spSSODescriptor.getAssertionConsumerServices().add(assertionConsumerService); assertionConsumerService2.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); assertionConsumerService2.setLocation(spMetadata.getSsoUrl()); spSSODescriptor.getAssertionConsumerServices().add(assertionConsumerService2); spSSODescriptor.getSingleLogoutServices().add(ssoService); spSSODescriptor.getSingleLogoutServices().add(ssoService2); spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
/**
 * Unmarshals one child element of an {@code SPSSODescriptor}.
 *
 * <p>{@code AssertionConsumerService} and {@code AttributeConsumingService} children
 * are attached to the descriptor's corresponding lists; any other child is delegated
 * to the superclass unmarshaller.
 *
 * @param parentSAMLObject the SPSSODescriptor being populated
 * @param childSAMLObject  the just-unmarshalled child element
 * @throws UnmarshallingException propagated from the superclass for unhandled children
 */
protected void processChildElement(XMLObject parentSAMLObject, XMLObject childSAMLObject)
        throws UnmarshallingException {
    SPSSODescriptor spDescriptor = (SPSSODescriptor) parentSAMLObject;
    if (childSAMLObject instanceof AssertionConsumerService) {
        AssertionConsumerService acs = (AssertionConsumerService) childSAMLObject;
        spDescriptor.getAssertionConsumerServices().add(acs);
        return;
    }
    if (childSAMLObject instanceof AttributeConsumingService) {
        AttributeConsumingService attributeService = (AttributeConsumingService) childSAMLObject;
        spDescriptor.getAttributeConsumingServices().add(attributeService);
        return;
    }
    super.processChildElement(parentSAMLObject, childSAMLObject);
}
/**
 * Selects a service provider's AssertionConsumerService by index.
 *
 * <p>When {@code index} is given, the ACS whose {@code index} attribute matches is
 * returned and a missing index is an error — the caller must not silently fall back
 * to a different endpoint. When {@code index} is null the descriptor's default ACS
 * is returned.
 *
 * @param ssoDescriptor SP descriptor to search
 * @param index         requested ACS index, or null for the default endpoint
 * @return the matching or default consumer service
 * @throws org.opensaml.common.SAMLRuntimeException when an explicit index has no matching ACS
 */
public static AssertionConsumerService getConsumerService(SPSSODescriptor ssoDescriptor, Integer index) {
    if (index == null) {
        log.debug("Index for AssertionConsumerService not specified, returning default");
        return ssoDescriptor.getDefaultAssertionConsumerService();
    }
    for (AssertionConsumerService candidate : ssoDescriptor.getAssertionConsumerServices()) {
        if (index.equals(candidate.getIndex())) {
            log.debug("Found assertionConsumerService with index {} and binding {}", index, candidate.getBinding());
            return candidate;
        }
    }
    throw new SAMLRuntimeException("AssertionConsumerService with index " + index
            + " wasn't found for ServiceProvider " + ssoDescriptor.getID() + ", please check your metadata");
}
List<AssertionConsumerService> services = spDescriptor.getAssertionConsumerServices(); if (spDescriptor.getDefaultAssertionConsumerService() != null && isEndpointSupported(spDescriptor.getDefaultAssertionConsumerService())) { AssertionConsumerService service = spDescriptor.getDefaultAssertionConsumerService(); log.debug("Using default consumer service with binding {}", service.getBinding()); return service;
/**
 * Builds the SAML Response (carrying one assertion) for a web SSO login and stores it
 * on the message context as the outbound message.
 *
 * <p>Statement order matters: the peer endpoint is set on the context before the
 * response is created. The assertion is signed when either the local profile options
 * request it or the SP's metadata declares {@code WantAssertionsSigned} — the SP's
 * requirement cannot be overridden downwards here.
 *
 * @param authentication authenticated principal to assert about
 * @param context        message context holding local/peer metadata and the inbound AuthnRequest
 * @param options        profile options (e.g. whether to sign assertions)
 * @throws MetadataProviderException if peer metadata cannot be resolved
 * @throws SecurityException         on credential problems
 * @throws MarshallingException      if the assertion cannot be marshalled for signing
 * @throws SignatureException        if signing fails
 * @throws SAMLException             on profile errors
 */
@SuppressWarnings("unchecked")
protected void buildResponse(Authentication authentication, SAMLMessageContext context, IdpWebSSOProfileOptions options)
        throws MetadataProviderException, SecurityException, MarshallingException, SignatureException, SAMLException {
    IDPSSODescriptor localIdp = (IDPSSODescriptor) context.getLocalEntityRoleMetadata();
    SPSSODescriptor peerSp = (SPSSODescriptor) context.getPeerEntityRoleMetadata();
    AuthnRequest inboundRequest = (AuthnRequest) context.getInboundSAMLMessage();

    AssertionConsumerService destination = getAssertionConsumerService(options, localIdp, peerSp);
    context.setPeerEntityEndpoint(destination);

    Assertion assertion = buildAssertion(authentication, inboundRequest, options,
                                         context.getPeerEntityId(), context.getLocalEntityId());
    boolean mustSign = options.isAssertionsSigned() || peerSp.getWantAssertionsSigned();
    if (mustSign) {
        signAssertion(assertion, context.getLocalSigningCredential());
    }

    Response response = createResponse(context, destination, assertion, inboundRequest);
    context.setOutboundMessage(response);
    context.setOutboundSAMLMessage(response);
}
/**
 * Copies the SP's {@code AuthnRequestsSigned} metadata flag onto the provider config;
 * when true the IdP is expected to validate the signature on inbound AuthnRequests.
 * NOTE(review): the value is taken verbatim from the SP metadata — an SP that leaves
 * the attribute out presumably ends up with request-signature validation disabled;
 * confirm that is the intended default for imported metadata.
 *
 * @param spssoDescriptor           parsed SP descriptor
 * @param samlssoServiceProviderDO  provider configuration to populate
 */
private void setDoValidateSignatureInRequests(SPSSODescriptor spssoDescriptor, SAMLSSOServiceProviderDO samlssoServiceProviderDO){
    samlssoServiceProviderDO.setDoValidateSignatureInRequests(spssoDescriptor.isAuthnRequestsSigned());
}
private void setSingleLogoutServices(SPSSODescriptor spssoDescriptor, SAMLSSOServiceProviderDO samlssoServiceProviderDO){
/**
 * Maps the SP's requested attributes onto provider claims.
 *
 * <p>Only the first {@code AttributeConsumingService} is examined. NOTE(review): the
 * per-attribute body is still a stub — the loop currently sets nothing on
 * {@code samlssoServiceProviderDO}.
 *
 * @param spssoDescriptor           parsed SP descriptor
 * @param samlssoServiceProviderDO  provider configuration (currently left untouched)
 */
private void setClaims(SPSSODescriptor spssoDescriptor, SAMLSSOServiceProviderDO samlssoServiceProviderDO) {
    List<AttributeConsumingService> consumingServices = spssoDescriptor.getAttributeConsumingServices();
    if (consumingServices == null || consumingServices.isEmpty()) {
        return;
    }
    // Assumes a single AttributeConsumingService; further indices are ignored.
    AttributeConsumingService firstService = consumingServices.get(0);
    List<RequestedAttribute> requested = firstService.getRequestAttributes();
    for (RequestedAttribute requestedAttribute : requested) {
        // TODO: set the values to claims
    }
}
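/**
 * Picks the Single Logout binding to use between an IdP and an SP.
 *
 * <p>The first IdP binding (in metadata order) that the SP also lists is chosen. If
 * there is no common binding the IdP's first binding is used anyway — the SP may then
 * be unable to consume the logout message; this fallback is kept for backward
 * compatibility. A {@code SingleLogoutService} without a binding (malformed metadata)
 * is skipped instead of causing a NullPointerException.
 *
 * @param idp IdP descriptor whose SLO endpoints drive the choice
 * @param sp  SP descriptor used to confirm support
 * @return binding URI to use for logout
 * @throws MetadataProviderException if the IdP declares no SingleLogoutService
 */
public static String getLogoutBinding(IDPSSODescriptor idp, SPSSODescriptor sp) throws MetadataProviderException {
    List<SingleLogoutService> idpLogoutServices = idp.getSingleLogoutServices();
    if (idpLogoutServices.isEmpty()) {
        throw new MetadataProviderException("IDP doesn't contain any SingleLogout endpoints");
    }
    // First binding supported by both sides, in IdP metadata order.
    for (SingleLogoutService idpService : idpLogoutServices) {
        String idpBinding = idpService.getBinding();
        if (idpBinding == null) {
            continue;
        }
        for (SingleLogoutService spService : sp.getSingleLogoutServices()) {
            if (idpBinding.equals(spService.getBinding())) {
                return idpBinding;
            }
        }
    }
    // No common binding: fall back to the IdP's first endpoint (original behaviour).
    return idpLogoutServices.get(0).getBinding();
}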
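/**
 * Registers the SP's signing certificate (used to validate signed AuthnRequests/LogoutRequests).
 *
 * <p>Fix over the previous version: every {@code KeyDescriptor} is scanned instead of only
 * the first one, so an SP whose metadata lists its encryption key first still gets its
 * signing certificate registered. A KeyDescriptor with no {@code use} attribute is valid
 * for signing under SAML metadata semantics, so {@code UNSPECIFIED} (or a null use) is
 * accepted. The comparison is done on the enum rather than on {@code toString()}.
 *
 * <p>Only the first certificate found is registered; a descriptor whose KeyInfo carries
 * no X509Certificate (e.g. KeyName only) is skipped rather than failing on an empty list.
 *
 * @param entityDescriptor          SP entity descriptor; its entityID becomes the cert alias
 * @param spssoDescriptor           SP SSO descriptor holding the key descriptors
 * @param samlssoServiceProviderDO  provider configuration to populate
 */
private void setX509Certificate(EntityDescriptor entityDescriptor, SPSSODescriptor spssoDescriptor,
                                SAMLSSOServiceProviderDO samlssoServiceProviderDO) {
    List<KeyDescriptor> descriptors = spssoDescriptor.getKeyDescriptors();
    if (descriptors == null || descriptors.isEmpty()) {
        return;
    }
    for (KeyDescriptor descriptor : descriptors) {
        if (descriptor == null || descriptor.getKeyInfo() == null) {
            continue;
        }
        org.opensaml.xml.security.credential.UsageType use = descriptor.getUse();
        boolean usableForSigning = use == null
                || use == org.opensaml.xml.security.credential.UsageType.SIGNING
                || use == org.opensaml.xml.security.credential.UsageType.UNSPECIFIED;
        if (!usableForSigning) {
            continue;
        }
        try {
            List<java.security.cert.X509Certificate> certificates =
                    org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificates(descriptor.getKeyInfo());
            if (certificates == null || certificates.isEmpty()) {
                continue;
            }
            samlssoServiceProviderDO.setX509Certificate(certificates.get(0));
            samlssoServiceProviderDO.setCertAlias(entityDescriptor.getEntityID());
            return;
        } catch (java.security.cert.CertificateException ex) {
            // Unparseable certificate in this descriptor: log and try the next one.
            log.error("Error While setting Certificate and alias", ex);
        }
    }
}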
if (i != null) { final List<AttributeConsumingService> services = ((SPSSODescriptor) role).getAttributeConsumingServices(); for (final AttributeConsumingService s : services) { if (s.getIndex() == i) { service = ((SPSSODescriptor) role).getDefaultAttributeConsumingService();
/**
 * Unmarshals the attributes of an {@code SPSSODescriptor} element.
 *
 * <p>{@code AuthnRequestsSigned} and {@code WantAssertionsSigned} are parsed as XML
 * Schema booleans; every other attribute is handed to the superclass unmarshaller.
 *
 * @param samlObject the SPSSODescriptor being populated
 * @param attribute  DOM attribute to process
 * @throws UnmarshallingException propagated from the superclass
 */
protected void processAttribute(XMLObject samlObject, Attr attribute) throws UnmarshallingException {
    SPSSODescriptor spDescriptor = (SPSSODescriptor) samlObject;
    String attributeName = attribute.getLocalName();
    if (attributeName.equals(SPSSODescriptor.AUTH_REQUESTS_SIGNED_ATTRIB_NAME)) {
        spDescriptor.setAuthnRequestsSigned(XSBooleanValue.valueOf(attribute.getValue()));
        return;
    }
    if (attributeName.equals(SPSSODescriptor.WANT_ASSERTIONS_SIGNED_ATTRIB_NAME)) {
        spDescriptor.setWantAssertionsSigned(XSBooleanValue.valueOf(attribute.getValue()));
        return;
    }
    super.processAttribute(samlObject, attribute);
}
}
spDescriptor.setAuthnRequestsSigned(requestSigned); spDescriptor.setWantAssertionsSigned(wantAssertionSigned); spDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); spDescriptor.getNameIDFormats().addAll(getNameIDFormat(includedNameID)); spDescriptor.getAssertionConsumerServices().add(getAssertionConsumerService(entityBaseURL, entityAlias, assertionConsumerIndex == index, index++, getSAMLWebSSOProcessingFilterPath(), SAMLConstants.SAML2_ARTIFACT_BINDING_URI)); spDescriptor.getAssertionConsumerServices().add(getAssertionConsumerService(entityBaseURL, entityAlias, assertionConsumerIndex == index, index++, getSAMLWebSSOProcessingFilterPath(), SAMLConstants.SAML2_POST_BINDING_URI)); spDescriptor.getAssertionConsumerServices().add(getAssertionConsumerService(entityBaseURL, entityAlias, assertionConsumerIndex == index, index++, getSAMLWebSSOProcessingFilterPath(), SAMLConstants.SAML2_PAOS_BINDING_URI)); spDescriptor.getAssertionConsumerServices().add(getHoKAssertionConsumerService(entityBaseURL, entityAlias, assertionConsumerIndex == index, index++, getSAMLWebSSOHoKProcessingFilterPath(), SAMLConstants.SAML2_ARTIFACT_BINDING_URI)); spDescriptor.getAssertionConsumerServices().add(getHoKAssertionConsumerService(entityBaseURL, entityAlias, assertionConsumerIndex == index, index++, getSAMLWebSSOHoKProcessingFilterPath(), SAMLConstants.SAML2_POST_BINDING_URI)); spDescriptor.getSingleLogoutServices().add(getSingleLogoutService(entityBaseURL, entityAlias, SAMLConstants.SAML2_POST_BINDING_URI)); spDescriptor.getSingleLogoutServices().add(getSingleLogoutService(entityBaseURL, entityAlias, SAMLConstants.SAML2_REDIRECT_BINDING_URI)); spDescriptor.getSingleLogoutServices().add(getSingleLogoutService(entityBaseURL, entityAlias, SAMLConstants.SAML2_SOAP11_BINDING_URI)); spDescriptor.setExtensions(extensions); spDescriptor.getKeyDescriptors().add(getKeyDescriptor(UsageType.SIGNING, getServerKeyInfo(signingKey))); } else { log.info("Generating metadata without signing key, 
KeyStore doesn't contain any default private key, or the signingKey specified in ExtendedMetadata cannot be found"); spDescriptor.getKeyDescriptors().add(getKeyDescriptor(UsageType.ENCRYPTION, getServerKeyInfo(encryptionKey)));
/**
 * Copies the SP's {@code WantAssertionsSigned} metadata flag onto the provider config,
 * i.e. whether this IdP must sign the assertions it issues to the SP.
 * NOTE(review): an SP that omits the attribute is presumably registered with assertion
 * signing disabled; confirm the IdP enforces its own minimum rather than relying solely
 * on imported metadata.
 *
 * @param spssoDescriptor           parsed SP descriptor
 * @param samlssoServiceProviderDO  provider configuration to populate
 */
private void setDoSignAssertions (SPSSODescriptor spssoDescriptor, SAMLSSOServiceProviderDO samlssoServiceProviderDO){
    samlssoServiceProviderDO.setDoSignAssertions(spssoDescriptor.getWantAssertionsSigned());
}
private void setDoValidateSignatureInRequests(SPSSODescriptor spssoDescriptor, SAMLSSOServiceProviderDO samlssoServiceProviderDO){
/**
 * Copies the SP's {@code AuthnRequestsSigned} metadata flag onto the provider config;
 * when true the IdP is expected to validate the signature on inbound AuthnRequests.
 * NOTE(review): the value is taken verbatim from the SP metadata — an SP that leaves
 * the attribute out presumably ends up with request-signature validation disabled;
 * confirm that is the intended default for imported metadata.
 *
 * @param spssoDescriptor           parsed SP descriptor
 * @param samlssoServiceProviderDO  provider configuration to populate
 */
private void setDoValidateSignatureInRequests(SPSSODescriptor spssoDescriptor, SAMLSSOServiceProviderDO samlssoServiceProviderDO) {
    samlssoServiceProviderDO.setDoValidateSignatureInRequests(spssoDescriptor.isAuthnRequestsSigned());
}
/**
 * Intended to map the SP's requested attributes onto provider claims.
 * NOTE(review): this is still a stub — the loop body sets nothing, only the first
 * AttributeConsumingService is examined, and the initial {@code new ArrayList<>()} is
 * immediately overwritten.
 *
 * @param spssoDescriptor           parsed SP descriptor
 * @param samlssoServiceProviderDO  provider configuration (currently left untouched)
 */
private void setClaims(SPSSODescriptor spssoDescriptor, SAMLSSOServiceProviderDO samlssoServiceProviderDO){
    List<AttributeConsumingService> services = new ArrayList<>();
    services = spssoDescriptor.getAttributeConsumingServices();
    if (services!=null && services.size()>0) {
        // Assumes a single AttributeConsumingService; further indices are ignored.
        AttributeConsumingService service = services.get(0);
        List<RequestedAttribute> attributes = service.getRequestAttributes();
        for (RequestedAttribute attribute : attributes){
            // TODO: set the values to claims
        }
    } else {
    }
}
private void setDoSignAssertions (SPSSODescriptor spssoDescriptor, SAMLSSOServiceProviderDO samlssoServiceProviderDO){
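/**
 * Derives the Single Logout configuration from the SP's {@code SingleLogoutService} endpoints.
 *
 * <p>Fix: the previous version located the HTTP-POST endpoint and then unconditionally
 * overwrote the result with the first endpoint in the list, so the POST preference never
 * took effect. Now the POST endpoint is preferred and the first declared endpoint is used
 * only when no POST binding exists. The request URL comes from {@code Location} and the
 * response URL from {@code ResponseLocation} (null if the SP does not declare one). SLO is
 * enabled only when at least one endpoint is declared.
 *
 * @param spssoDescriptor           parsed SP descriptor
 * @param samlssoServiceProviderDO  provider configuration to populate
 */
private void setSingleLogoutServices(SPSSODescriptor spssoDescriptor,
                                     SAMLSSOServiceProviderDO samlssoServiceProviderDO) {
    List<SingleLogoutService> singleLogoutServices = spssoDescriptor.getSingleLogoutServices();
    if (singleLogoutServices == null || singleLogoutServices.isEmpty()) {
        samlssoServiceProviderDO.setDoSingleLogout(false);
        return;
    }
    SingleLogoutService chosen = null;
    for (SingleLogoutService candidate : singleLogoutServices) {
        // Constant-first equals: a descriptor without a Binding must not abort the import.
        if (SAMLConstants.SAML2_POST_BINDING_URI.equals(candidate.getBinding())) {
            chosen = candidate;
            break;
        }
    }
    if (chosen == null) {
        // No POST endpoint declared: fall back to the first endpoint in metadata order.
        chosen = singleLogoutServices.get(0);
    }
    samlssoServiceProviderDO.setSloRequestURL(chosen.getLocation());
    samlssoServiceProviderDO.setSloResponseURL(chosen.getResponseLocation());
    samlssoServiceProviderDO.setDoSingleLogout(true);
}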
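/**
 * Registers the SP's signing certificate (used to validate signed AuthnRequests/LogoutRequests).
 *
 * <p>Fix over the previous version: every {@code KeyDescriptor} is scanned instead of only
 * the first one, so an SP whose metadata lists its encryption key first still gets its
 * signing certificate registered. A KeyDescriptor with no {@code use} attribute is valid
 * for signing under SAML metadata semantics, so {@code UNSPECIFIED} (or a null use) is
 * accepted. The comparison is done on the enum rather than on {@code toString()}.
 *
 * <p>Only the first certificate found is registered; a descriptor whose KeyInfo carries
 * no X509Certificate (e.g. KeyName only) is skipped rather than failing on an empty list.
 *
 * @param entityDescriptor          SP entity descriptor; its entityID becomes the cert alias
 * @param spssoDescriptor           SP SSO descriptor holding the key descriptors
 * @param samlssoServiceProviderDO  provider configuration to populate
 */
private void setX509Certificate(EntityDescriptor entityDescriptor, SPSSODescriptor spssoDescriptor,
                                SAMLSSOServiceProviderDO samlssoServiceProviderDO){
    List<KeyDescriptor> descriptors = spssoDescriptor.getKeyDescriptors();
    if (descriptors == null || descriptors.isEmpty()) {
        return;
    }
    for (KeyDescriptor descriptor : descriptors) {
        if (descriptor == null || descriptor.getKeyInfo() == null) {
            continue;
        }
        org.opensaml.xml.security.credential.UsageType use = descriptor.getUse();
        boolean usableForSigning = use == null
                || use == org.opensaml.xml.security.credential.UsageType.SIGNING
                || use == org.opensaml.xml.security.credential.UsageType.UNSPECIFIED;
        if (!usableForSigning) {
            continue;
        }
        try {
            List<java.security.cert.X509Certificate> certificates =
                    org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificates(descriptor.getKeyInfo());
            if (certificates == null || certificates.isEmpty()) {
                continue;
            }
            samlssoServiceProviderDO.setX509Certificate(certificates.get(0));
            samlssoServiceProviderDO.setCertAlias(entityDescriptor.getEntityID());
            return;
        } catch (java.security.cert.CertificateException ex) {
            // Unparseable certificate in this descriptor: log and try the next one.
            log.error("Error While setting Certificate and alias", ex);
        }
    }
}
private void setSigningAlgorithmUri(SPSSODescriptor spssoDescriptor, SAMLSSOServiceProviderDO samlssoServiceProviderDO){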