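/**
 * Returns the first {@link NameID} among the {@link Response}'s plaintext assertions that satisfies
 * {@code filter}.
 * <p>
 * Assertions whose Subject is absent, or whose Subject carries no plain {@code NameID} (for example an
 * {@code EncryptedID} that has not been decrypted yet, or a {@code BaseID}), are skipped instead of
 * aborting the lookup with a {@link NullPointerException}. Only {@code response.getAssertions()} is
 * consulted, so encrypted assertions are presumably not visible here until the caller decrypts them.
 *
 * @param response the SAML 2 response whose assertions are searched
 * @param filter   predicate applied to each candidate; never invoked with {@code null}
 * @return the first matching NameID, or empty when no assertion matches
 */
public static Optional<NameID> getNameId(Response response, Predicate<NameID> filter) {
    return response.getAssertions().stream()
            .map(assertion -> assertion.getSubject())
            // Subject is optional in the schema; a missing one must not fail the whole response.
            .filter(subject -> subject != null)
            .map(subject -> subject.getNameID())
            .filter(nameId -> nameId != null && filter.test(nameId))
            .findFirst();
}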
final Subject subject = assertion.getSubject(); if (subject == null) { continue;
/**
 * Extracts the NameID Format of the assertion's Subject.
 *
 * @param assertion assertion to inspect
 * @return the Format attribute of the Subject's NameID, or {@code null} when the assertion has no
 *         Subject or the Subject has no plain NameID (Format may also itself be absent)
 */
@Nullable
private String apply(@Nonnull final org.opensaml.saml.saml2.core.Assertion assertion) {
    final org.opensaml.saml.saml2.core.Subject subject = assertion.getSubject();
    if (subject == null) {
        return null;
    }
    final org.opensaml.saml.saml2.core.NameID nameId = subject.getNameID();
    return nameId == null ? null : nameId.getFormat();
}
/**
 * Extracts the NameID value of the assertion's Subject.
 *
 * @param assertion assertion to inspect
 * @return the text value of the Subject's NameID, or {@code null} when the assertion has no Subject
 *         or the Subject has no plain NameID
 */
@Nullable
private String apply(@Nonnull final org.opensaml.saml.saml2.core.Assertion assertion) {
    final org.opensaml.saml.saml2.core.Subject subject = assertion.getSubject();
    if (subject == null) {
        return null;
    }
    final org.opensaml.saml.saml2.core.NameID nameId = subject.getNameID();
    return nameId == null ? null : nameId.getValue();
}
/**
 * Returns the assertion's Subject, creating and attaching an empty one when the assertion has none,
 * so the caller always has a Subject to add the name identifier to.
 *
 * @param assertion the assertion being modified
 * @return the (possibly newly created) Subject of the assertion, never {@code null}
 */
@Nonnull
private Subject getAssertionSubject(@Nonnull final Assertion assertion) {
    Subject existing = assertion.getSubject();
    if (existing == null) {
        // Mutates the assertion: the fresh Subject is attached before being returned.
        existing = subjectBuilder.buildObject();
        assertion.setSubject(existing);
    }
    return existing;
}
/**
 * Returns the assertion's Subject, creating and attaching an empty one when the assertion has none,
 * so the caller always has a Subject to add the name identifier to.
 *
 * @param assertion the assertion being modified
 * @return the (possibly newly created) Subject of the assertion, never {@code null}
 */
@Nonnull
private Subject getAssertionSubject(@Nonnull final Assertion assertion) {
    Subject existing = assertion.getSubject();
    if (existing == null) {
        // Mutates the assertion: the fresh Subject is attached before being returned.
        existing = subjectBuilder.buildObject();
        assertion.setSubject(existing);
    }
    return existing;
}
/**
 * Returns the assertion's Subject, creating and attaching an empty one when the assertion has none,
 * so the caller always has a Subject to add the subject confirmation to.
 *
 * @param assertion the assertion being modified
 * @return the (possibly newly created) Subject of the assertion, never {@code null}
 */
@Nonnull
private Subject getAssertionSubject(@Nonnull final Assertion assertion) {
    Subject existing = assertion.getSubject();
    if (existing == null) {
        // Mutates the assertion: the fresh Subject is attached before being returned.
        existing = subjectBuilder.buildObject();
        assertion.setSubject(existing);
    }
    return existing;
}
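/**
 * Returns the first {@link NameID} among the {@link Response}'s plaintext assertions that satisfies
 * {@code filter}.
 * <p>
 * Assertions whose Subject is absent, or whose Subject carries no plain {@code NameID} (for example an
 * {@code EncryptedID} that has not been decrypted yet, or a {@code BaseID}), are skipped instead of
 * aborting the lookup with a {@link NullPointerException}. Only {@code response.getAssertions()} is
 * consulted, so encrypted assertions are presumably not visible here until the caller decrypts them.
 *
 * @param response the SAML 2 response whose assertions are searched
 * @param filter   predicate applied to each candidate; never invoked with {@code null}
 * @return the first matching NameID, or empty when no assertion matches
 */
public static Optional<NameID> getNameId(Response response, Predicate<NameID> filter) {
    return response.getAssertions().stream()
            .map(assertion -> assertion.getSubject())
            // Subject is optional in the schema; a missing one must not fail the whole response.
            .filter(subject -> subject != null)
            .map(subject -> subject.getNameID())
            .filter(nameId -> nameId != null && filter.test(nameId))
            .findFirst();
}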
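/**
 * Resolves the login name from the Subject NameIDs of the response's plaintext assertions: the value of
 * the first NameID whose Format equals the configured {@code subjectLoginNameIdFormat}.
 * <p>
 * Assertions without a Subject, Subjects without a plain NameID (e.g. a still-encrypted
 * {@code EncryptedID}) and NameIDs without a Format attribute are skipped rather than causing a
 * {@link NullPointerException}. NOTE(review): a NameID with no Format attribute is never matched, even
 * if the configured format is the SAML "unspecified" URI that an absent Format implies — confirm this is
 * acceptable for the deployments in question.
 *
 * @param response the SAML 2 response to search
 * @return the matching NameID value, or {@code null} when no format is configured or nothing matches
 */
@Nullable
private String findLoginNameFromSubjects(Response response) {
    if (Strings.isNullOrEmpty(subjectLoginNameIdFormat)) {
        return null;
    }
    return response.getAssertions()
            .stream()
            .map(assertion -> assertion.getSubject())
            .filter(subject -> subject != null)
            .map(subject -> subject.getNameID())
            // Compare with the configured (known non-empty) value on the left so a null Format is a
            // harmless mismatch instead of an NPE.
            .filter(nameId -> nameId != null && subjectLoginNameIdFormat.equals(nameId.getFormat()))
            .map(NameIDType::getValue)
            .findFirst()
            .orElse(null);
}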
if (assertion.getSubject() != null && assertion.getSubject().getNameID() != null) { for (final AuthnStatement statement : assertion.getAuthnStatements()) { if (statement.getSessionIndex() != null) {
/**
 * Resolves the principal identifier for auditing from a SAML 2 {@link Response}: the NameID value of
 * the first assertion's Subject when one is present, otherwise whatever the superclass derives.
 * Only the first assertion is consulted; later assertions are ignored.
 *
 * @param authentication the current authentication
 * @param returnValue    the audited method's return value, expected to be a {@link Response}
 * @param exception      the exception raised by the audited method, if any
 * @return the NameID value, or the superclass's principal id as a fallback
 */
@Override
public String getPrincipalIdFrom(final Authentication authentication, final Object returnValue, final Exception exception) {
    val samlResponse = (Response) returnValue;
    val assertions = samlResponse.getAssertions();
    if (assertions.isEmpty()) {
        return super.getPrincipalIdFrom(authentication, returnValue, exception);
    }
    val firstSubject = assertions.get(0).getSubject();
    if (firstSubject == null || firstSubject.getNameID() == null) {
        // No usable Subject/NameID: fall back rather than fail.
        return super.getPrincipalIdFrom(authentication, returnValue, exception);
    }
    return firstSubject.getNameID().getValue();
}
/**
 * {@inheritDoc}
 * <p>
 * Locates the SAML 2 Assertion via {@code assertionTokenStrategy} and its Subject NameID, storing both
 * in the {@code assertion} and {@code nameID} fields for the action proper. Signals
 * {@code NO_CREDENTIALS} when no assertion is available and {@code INVALID_SUBJECT} when the assertion
 * has no Subject or no plain NameID; in both cases the action does not proceed.
 */
@Override
protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
    if (!super.doPreExecute(profileRequestContext)) {
        return false;
    }
    assertion = assertionTokenStrategy.apply(profileRequestContext);
    if (assertion == null) {
        log.warn("{} No valid SAML 2 Assertion available within the request context", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.NO_CREDENTIALS);
        return false;
    }
    final org.opensaml.saml.saml2.core.Subject subject = assertion.getSubject();
    if (subject != null && subject.getNameID() != null) {
        nameID = subject.getNameID();
        return true;
    }
    // Either the Subject itself or its plain NameID is missing (an EncryptedID would not count here).
    log.warn("{} SAML 2 Assertion does not contain either a Subject or a NameID", getLogPrefix());
    ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_SUBJECT);
    return false;
}
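/**
 * Validates a SAML 2.0 assertion presented to the OAuth endpoint: SAML version, audience, issuer (when
 * an expected issuer is configured) and the authentication subject. Every failure is reported as a
 * "not authorized" exception.
 * <p>
 * When the configured {@code issuer} is {@link OAuthConstants#CLIENT_ID}, the assertion's own Subject
 * NameID value is the expected issuer. An assertion without a Subject or NameID in that mode is now
 * rejected explicitly instead of surfacing as a {@link NullPointerException}.
 *
 * @param message the current message
 * @param wrapper the wrapped SAML assertion to validate
 */
public void validate(Message message, SamlAssertionWrapper wrapper) {
    validateSAMLVersion(wrapper);
    Conditions cs = wrapper.getSaml2().getConditions();
    validateAudience(message, cs);
    if (issuer != null) {
        String actualIssuer = getIssuer(wrapper);
        String expectedIssuer = issuer;
        if (OAuthConstants.CLIENT_ID.equals(issuer)) {
            // Fail closed: without a Subject NameID there is nothing to compare the issuer against.
            if (wrapper.getSaml2().getSubject() == null
                || wrapper.getSaml2().getSubject().getNameID() == null) {
                throw ExceptionUtils.toNotAuthorizedException(null, null);
            }
            expectedIssuer = wrapper.getSaml2().getSubject().getNameID().getValue();
        }
        // actualIssuer is the non-null side of the comparison, so a null expected value can never match.
        if (actualIssuer == null || !actualIssuer.equals(expectedIssuer)) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
    }
    // NOTE(review): the Subject may still be null here; validateAuthenticationSubject is relied on to
    // reject that case — confirm it does.
    if (!validateAuthenticationSubject(message, cs, wrapper.getSaml2().getSubject())) {
        throw ExceptionUtils.toNotAuthorizedException(null, null);
    }
}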
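/**
 * Validates a SAML 2.0 assertion presented to the OAuth endpoint: SAML version, audience, issuer (when
 * an expected issuer is configured) and the authentication subject. Every failure is reported as a
 * "not authorized" exception.
 * <p>
 * When the configured {@code issuer} is {@link OAuthConstants#CLIENT_ID}, the assertion's own Subject
 * NameID value is the expected issuer. An assertion without a Subject or NameID in that mode is now
 * rejected explicitly instead of surfacing as a {@link NullPointerException}.
 *
 * @param message the current message
 * @param wrapper the wrapped SAML assertion to validate
 */
public void validate(Message message, SamlAssertionWrapper wrapper) {
    validateSAMLVersion(wrapper);
    Conditions cs = wrapper.getSaml2().getConditions();
    validateAudience(message, cs);
    if (issuer != null) {
        String actualIssuer = getIssuer(wrapper);
        String expectedIssuer = issuer;
        if (OAuthConstants.CLIENT_ID.equals(issuer)) {
            // Fail closed: without a Subject NameID there is nothing to compare the issuer against.
            if (wrapper.getSaml2().getSubject() == null
                || wrapper.getSaml2().getSubject().getNameID() == null) {
                throw ExceptionUtils.toNotAuthorizedException(null, null);
            }
            expectedIssuer = wrapper.getSaml2().getSubject().getNameID().getValue();
        }
        // actualIssuer is the non-null side of the comparison, so a null expected value can never match.
        if (actualIssuer == null || !actualIssuer.equals(expectedIssuer)) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
    }
    // NOTE(review): the Subject may still be null here; validateAuthenticationSubject is relied on to
    // reject that case — confirm it does.
    if (!validateAuthenticationSubject(message, cs, wrapper.getSaml2().getSubject())) {
        throw ExceptionUtils.toNotAuthorizedException(null, null);
    }
}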
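/**
 * Creates an attribute-query ticket for the given assertion and adds it to the ticket registry. The
 * ticket is keyed by the assertion's Subject NameID value and linked to the ticket-granting ticket
 * resolved from the request cookie (presumably {@code null} when no TGT cookie is present).
 *
 * @param assertion the SAML assertion the ticket is built for; must carry a Subject with a plain NameID
 * @param request   the current HTTP request, used to locate the TGT cookie
 * @param adaptor   metadata facade of the service provider the ticket is issued for
 * @throws IllegalArgumentException if the assertion has no Subject or no NameID
 */
private void storeAttributeQueryTicketInRegistry(final Assertion assertion, final HttpServletRequest request,
                                                 final SamlRegisteredServiceServiceProviderMetadataFacade adaptor) {
    val subject = assertion.getSubject();
    // Reject explicitly instead of dereferencing null: a Subject without a plain NameID (e.g. an
    // EncryptedID that was never decrypted) would otherwise surface as an NPE deep in ticket creation.
    if (subject == null || subject.getNameID() == null) {
        throw new IllegalArgumentException("Assertion " + assertion.getID()
            + " has no Subject NameID; cannot create attribute query ticket");
    }
    val value = subject.getNameID().getValue();
    val ticketGrantingTicket = CookieUtils.getTicketGrantingTicketFromRequest(
        ticketGrantingTicketCookieGenerator, this.ticketRegistry, request);
    val ticket = samlAttributeQueryTicketFactory.create(value, assertion, adaptor.getEntityId(), ticketGrantingTicket);
    this.ticketRegistry.addTicket(ticket);
}
}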
/**
 * Runs the full validation sequence for a single assertion, in this fixed order: IssueInstant, Issuer,
 * Subject (mandatory), Conditions, AuthnStatements and finally the Signature. Each step throws on
 * failure, so the first failing check aborts the rest.
 *
 * @param assertion the assertion under validation
 * @param context   the SAML2 message context
 * @param engine    the trust engine used for the signature check
 * @param decrypter the decrypter forwarded to subject validation
 * @throws SAMAssertionSubjectException when the assertion carries no Subject
 */
protected final void validateAssertion(final Assertion assertion, final SAML2MessageContext context,
                                       final SignatureTrustEngine engine, final Decrypter decrypter) {
    validateIssueInstant(assertion.getIssueInstant());
    validateIssuer(assertion.getIssuer(), context);
    // A subject-less assertion cannot be bound to any principal: reject it outright.
    if (assertion.getSubject() == null) {
        throw new SAMAssertionSubjectException("Assertion subject cannot be null");
    }
    validateSubject(assertion.getSubject(), context, decrypter);
    validateAssertionConditions(assertion.getConditions(), context);
    validateAuthenticationStatements(assertion.getAuthnStatements(), context);
    validateAssertionSignature(assertion.getSignature(), context, engine);
}
/**
 * Encrypts name identifiers inside a single assertion. The Subject is handed to
 * {@code processSubject}; in addition, every {@code Delegate} of a {@link DelegationRestrictionType}
 * condition whose NameID passes {@code shouldEncrypt} has that NameID replaced by an
 * {@link EncryptedID} (the plain NameID is cleared so it does not remain alongside the ciphertext).
 *
 * @param assertion assertion to operate on
 * @throws EncryptionException if encrypting a NameID fails
 */
private void processAssertion(@Nonnull final Assertion assertion) throws EncryptionException {
    processSubject(assertion.getSubject());
    if (assertion.getConditions() == null) {
        return;
    }
    for (final Condition condition : assertion.getConditions().getConditions()) {
        if (!(condition instanceof DelegationRestrictionType)) {
            continue;
        }
        for (final Delegate delegate : ((DelegationRestrictionType) condition).getDelegates()) {
            if (!shouldEncrypt(delegate.getNameID())) {
                continue;
            }
            log.debug("{} Encrypting NameID in Delegate", getLogPrefix());
            final EncryptedID encrypted = getEncrypter().encrypt(delegate.getNameID());
            delegate.setEncryptedID(encrypted);
            delegate.setNameID(null);
        }
    }
}
/**
 * Maps a parsed OpenSAML assertion onto this library's {@link Assertion} model. The signature is
 * verified against {@code verificationKeys} before any content is copied; {@code localKeys} are
 * forwarded to the subject and attribute mappers (presumably for decrypting encrypted IDs/attributes —
 * confirm against those helpers).
 *
 * @param parsed           the OpenSAML assertion
 * @param verificationKeys keys the signature may be verified with
 * @param localKeys        this party's own keys, forwarded to subject/attribute mapping
 * @return the populated model assertion
 */
protected Assertion resolveAssertion(
    org.opensaml.saml.saml2.core.Assertion parsed,
    List<SimpleKey> verificationKeys,
    List<SimpleKey> localKeys
) {
    // Verify first so nothing from an unverified assertion is mapped.
    final Signature verifiedSignature = validateSignature(parsed, verificationKeys);
    final Assertion result = new Assertion()
        .setSignature(verifiedSignature)
        .setId(parsed.getID())
        .setIssueInstant(parsed.getIssueInstant())
        .setVersion(parsed.getVersion().toString())
        .setIssuer(getIssuer(parsed.getIssuer()))
        .setSubject(getSubject(parsed.getSubject(), localKeys))
        .setConditions(getConditions(parsed.getConditions()))
        .setAuthenticationStatements(getAuthenticationStatements(parsed.getAuthnStatements()))
        .setAttributes(getAttributes(parsed.getAttributeStatements(), localKeys));
    return result;
}
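/**
 * Builds the SSO {@link Subject} view from the wrapped assertion's subject.
 * <p>
 * SAML 2.0 assertions are read from their Subject NameID; SAML 1.1 assertions from the NameIdentifier
 * of the subject returned by {@code getSaml1Subject}. When the assertion has no Subject or no plain
 * name identifier (for SAML 2.0 a still-encrypted {@code EncryptedID} shows up as a null NameID),
 * {@code null} is returned for both versions instead of failing with a {@link NullPointerException};
 * callers already had to handle a null result for SAML 1.1, so this only makes the branches consistent.
 *
 * @param message    the current message (unused here)
 * @param assertionW the wrapped assertion
 * @return the populated subject, or {@code null} when the assertion carries no usable subject
 */
public static Subject getSubject(Message message, SamlAssertionWrapper assertionW) {
    if (assertionW.getSaml2() != null) {
        org.opensaml.saml.saml2.core.Subject s = assertionW.getSaml2().getSubject();
        NameID nameId = s == null ? null : s.getNameID();
        if (nameId != null) {
            Subject subject = new Subject();
            subject.setNameQualifier(nameId.getNameQualifier());
            // if format is transient then we may need to use STSClient
            // to request an alternate name from IDP
            subject.setNameFormat(nameId.getFormat());
            subject.setName(nameId.getValue());
            subject.setSpId(nameId.getSPProvidedID());
            subject.setSpQualifier(nameId.getSPNameQualifier());
            return subject;
        }
    } else if (assertionW.getSaml1() != null) {
        org.opensaml.saml.saml1.core.Subject s = getSaml1Subject(assertionW);
        NameIdentifier nameId = s == null ? null : s.getNameIdentifier();
        if (nameId != null) {
            Subject subject = new Subject();
            subject.setNameQualifier(nameId.getNameQualifier());
            // if format is transient then we may need to use STSClient
            // to request an alternate name from IDP
            subject.setNameFormat(nameId.getFormat());
            subject.setName(nameId.getValue());
            return subject;
        }
    }
    return null;
}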
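/**
 * Builds the SSO {@link Subject} view from the wrapped assertion's subject.
 * <p>
 * SAML 2.0 assertions are read from their Subject NameID; SAML 1.1 assertions from the NameIdentifier
 * of the subject returned by {@code getSaml1Subject}. When the assertion has no Subject or no plain
 * name identifier (for SAML 2.0 a still-encrypted {@code EncryptedID} shows up as a null NameID),
 * {@code null} is returned for both versions instead of failing with a {@link NullPointerException};
 * callers already had to handle a null result for SAML 1.1, so this only makes the branches consistent.
 *
 * @param message    the current message (unused here)
 * @param assertionW the wrapped assertion
 * @return the populated subject, or {@code null} when the assertion carries no usable subject
 */
public static Subject getSubject(Message message, SamlAssertionWrapper assertionW) {
    if (assertionW.getSaml2() != null) {
        org.opensaml.saml.saml2.core.Subject s = assertionW.getSaml2().getSubject();
        NameID nameId = s == null ? null : s.getNameID();
        if (nameId != null) {
            Subject subject = new Subject();
            subject.setNameQualifier(nameId.getNameQualifier());
            // if format is transient then we may need to use STSClient
            // to request an alternate name from IDP
            subject.setNameFormat(nameId.getFormat());
            subject.setName(nameId.getValue());
            subject.setSpId(nameId.getSPProvidedID());
            subject.setSpQualifier(nameId.getSPNameQualifier());
            return subject;
        }
    } else if (assertionW.getSaml1() != null) {
        org.opensaml.saml.saml1.core.Subject s = getSaml1Subject(assertionW);
        NameIdentifier nameId = s == null ? null : s.getNameIdentifier();
        if (nameId != null) {
            Subject subject = new Subject();
            subject.setNameQualifier(nameId.getNameQualifier());
            // if format is transient then we may need to use STSClient
            // to request an alternate name from IDP
            subject.setNameFormat(nameId.getFormat());
            subject.setName(nameId.getValue());
            return subject;
        }
    }
    return null;
}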