.filter(audience -> entityId.equals(audience.getAudienceURI())) .findAny() .orElseThrow(() -> new SamlException("no audience found from the assertion"));
/**
 * Marshals the Audience element's content: its audience URI becomes the element's text.
 * {@inheritDoc}
 *
 * @param samlObject the Audience object being marshalled (cast unchecked, as the marshaller contract expects)
 * @param domElement the DOM element receiving the audience URI as text content
 * @throws MarshallingException per the marshaller contract
 */
protected void marshallElementContent(XMLObject samlObject, Element domElement) throws MarshallingException {
    final Audience audienceObject = (Audience) samlObject;
    final String audienceUri = audienceObject.getAudienceURI();
    ElementSupport.appendTextContent(domElement, audienceUri);
}
}
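/**
 * Checks the SAML 2.0 AudienceRestriction conditions of an assertion against the
 * audience identifier this service accepts.
 *
 * SAML 2.0 Core (section 2.5.1.4) makes every AudienceRestriction element an
 * independent condition that must ALL be satisfied, while the Audience values inside
 * one element are alternatives. The earlier implementation returned true as soon as any
 * single Audience matched, so an assertion carrying a second AudienceRestriction naming
 * some other party was accepted; each element is now judged on its own.
 *
 * @param appliesTo the audience URI this service expects to be named
 * @param audienceRestrictions the assertion's AudienceRestriction conditions, may be null
 * @return true if at least one AudienceRestriction is present and every one of them
 *         names appliesTo; false otherwise (including null/empty input)
 */
private boolean matchSaml2AudienceRestriction(
    String appliesTo,
    List<AudienceRestriction> audienceRestrictions
) {
    if (audienceRestrictions == null || audienceRestrictions.isEmpty()) {
        return false;
    }
    boolean anySatisfied = false;
    for (AudienceRestriction restriction : audienceRestrictions) {
        List<org.opensaml.saml.saml2.core.Audience> audiences = restriction.getAudiences();
        boolean satisfied = false;
        if (audiences != null) {
            for (org.opensaml.saml.saml2.core.Audience audience : audiences) {
                if (appliesTo.equals(audience.getAudienceURI())) {
                    satisfied = true;
                    break;
                }
            }
        }
        if (!satisfied) {
            // a restriction that does not name us (or has no Audience at all) cannot be
            // satisfied, and one unsatisfied AudienceRestriction rejects the assertion
            return false;
        }
        anySatisfied = true;
    }
    return anySatisfied;
}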
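/**
 * Checks the SAML 2.0 AudienceRestriction conditions of an assertion against the
 * audience identifier this service accepts.
 *
 * SAML 2.0 Core (section 2.5.1.4) makes every AudienceRestriction element an
 * independent condition that must ALL be satisfied, while the Audience values inside
 * one element are alternatives. The earlier implementation returned true as soon as any
 * single Audience matched, so an assertion carrying a second AudienceRestriction naming
 * some other party was accepted; each element is now judged on its own.
 *
 * @param appliesTo the audience URI this service expects to be named
 * @param audienceRestrictions the assertion's AudienceRestriction conditions, may be null
 * @return true if at least one AudienceRestriction is present and every one of them
 *         names appliesTo; false otherwise (including null/empty input)
 */
private boolean matchSaml2AudienceRestriction(
    String appliesTo,
    List<AudienceRestriction> audienceRestrictions
) {
    if (audienceRestrictions == null || audienceRestrictions.isEmpty()) {
        return false;
    }
    boolean anySatisfied = false;
    for (AudienceRestriction restriction : audienceRestrictions) {
        List<org.opensaml.saml.saml2.core.Audience> audiences = restriction.getAudiences();
        boolean satisfied = false;
        if (audiences != null) {
            for (org.opensaml.saml.saml2.core.Audience audience : audiences) {
                if (appliesTo.equals(audience.getAudienceURI())) {
                    satisfied = true;
                    break;
                }
            }
        }
        if (!satisfied) {
            // a restriction that does not name us (or has no Audience at all) cannot be
            // satisfied, and one unsatisfied AudienceRestriction rejects the assertion
            return false;
        }
        anySatisfied = true;
    }
    return anySatisfied;
}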
/**
 * Checks the SAML 2.0 AudienceRestriction conditions of an assertion against the
 * audience identifier this service accepts.
 *
 * Every AudienceRestriction element must be satisfied on its own (the Audience values
 * inside one element are alternatives), which is the evaluation rule SAML 2.0 Core
 * section 2.5.1.4 prescribes. A restriction whose audience list is null is skipped
 * rather than failed; that is existing behaviour and is preserved here.
 *
 * @param appliesTo the audience URI this service expects to be named
 * @param audienceRestrictions the assertion's AudienceRestriction conditions, may be null
 * @return true if at least one restriction was evaluated and none failed; false when the
 *         input is null/empty or any evaluated restriction does not name appliesTo
 */
private boolean matchSaml2AudienceRestriction(
    String appliesTo,
    List<AudienceRestriction> audienceRestrictions
) {
    if (audienceRestrictions == null || audienceRestrictions.isEmpty()) {
        return false;
    }
    boolean anySatisfied = false;
    for (AudienceRestriction restriction : audienceRestrictions) {
        List<org.opensaml.saml.saml2.core.Audience> audiences = restriction.getAudiences();
        if (audiences == null) {
            // existing behaviour: neither satisfied nor failed, simply not evaluated
            continue;
        }
        boolean satisfied = audiences.stream()
            .anyMatch(audience -> appliesTo.equals(audience.getAudienceURI()));
        if (!satisfied) {
            return false;
        }
        anySatisfied = true;
    }
    return anySatisfied;
}
/**
 * Translates the OpenSAML SAML 2.0 Condition elements of an assertion into this module's
 * AssertionCondition criteria.
 *
 * Exactly two condition types are mapped: an AudienceRestriction becomes an
 * AudienceRestriction criterion carrying its audience URIs (a restriction whose audience
 * list is null is dropped), and a OneTimeUse becomes a OneTimeUse criterion. Every other
 * Condition subtype is silently ignored here. NOTE(review): that means any ProxyRestriction
 * or custom condition is not represented in the returned criteria — confirm such conditions
 * are evaluated elsewhere, or they are effectively unenforced.
 *
 * @param conditions the SAML 2.0 conditions to translate
 * @return the mapped criteria in encounter order; empty when nothing was mapped
 */
protected List<AssertionCondition> getCriteria(List<org.opensaml.saml.saml2.core.Condition> conditions) {
    List<AssertionCondition> criteria = new LinkedList<>();
    for (Condition condition : conditions) {
        if (condition instanceof org.opensaml.saml.saml2.core.AudienceRestriction) {
            org.opensaml.saml.saml2.core.AudienceRestriction restriction =
                (org.opensaml.saml.saml2.core.AudienceRestriction) condition;
            List<org.opensaml.saml.saml2.core.Audience> audiences = restriction.getAudiences();
            if (audiences == null) {
                continue;
            }
            List<String> audienceUris = audiences.stream()
                .map(org.opensaml.saml.saml2.core.Audience::getAudienceURI)
                .collect(Collectors.toList());
            criteria.add(new AudienceRestriction().setAudiences(audienceUris));
        } else if (condition instanceof org.opensaml.saml.saml2.core.OneTimeUse) {
            criteria.add(new OneTimeUse());
        }
    }
    return criteria;
}
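/**
 * Enforces the assertion's AudienceRestriction conditions against this endpoint.
 *
 * The audience we accept is the absolute target address of the current message. SAML 2.0
 * Core (section 2.5.1.4) treats every AudienceRestriction element as a separate condition
 * that must all hold, with the Audience values inside one element as alternatives. The
 * earlier loop returned on the first matching Audience anywhere, so an assertion with a
 * second AudienceRestriction naming another party was accepted; each element is now
 * checked independently and any that does not name this address rejects the assertion.
 *
 * @param message the current message, used to derive the expected audience address
 * @param cs the assertion's Conditions element
 * @throws the not-authorized exception built by ExceptionUtils.toNotAuthorizedException when
 *         there is no AudienceRestriction at all, or when any AudienceRestriction does not
 *         name this endpoint's absolute address
 */
private void validateAudience(Message message, Conditions cs) {
    String absoluteAddress = getAbsoluteTargetAddress(message);
    List<AudienceRestriction> restrictions = cs.getAudienceRestrictions();
    if (restrictions == null || restrictions.isEmpty()) {
        // no audience restriction: fail closed, as the original did by falling through the loop
        throw ExceptionUtils.toNotAuthorizedException(null, null);
    }
    for (AudienceRestriction ar : restrictions) {
        List<Audience> audiences = ar.getAudiences();
        boolean satisfied = false;
        if (audiences != null) {
            for (Audience a : audiences) {
                if (absoluteAddress.equals(a.getAudienceURI())) {
                    satisfied = true;
                    break;
                }
            }
        }
        if (!satisfied) {
            // one unsatisfied AudienceRestriction (including one with no Audience) rejects the assertion
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
    }
}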
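/**
 * Validates the assertion's AudienceRestriction conditions against the SP entity ID.
 *
 * SAML 2.0 Core (section 2.5.1.4) makes every AudienceRestriction element an independent
 * condition: all of them must hold, and within one element any of its Audience values may
 * match. The earlier implementation pooled the URIs of all restrictions into a single set,
 * which accepted an assertion whose second AudienceRestriction named some other party; each
 * element is now judged on its own.
 *
 * @param audienceRestrictions the AudienceRestriction conditions from the assertion
 * @param spEntityId the entity ID this SP expects to be named
 * @throws SAMLAssertionAudienceException if the restrictions are null or empty, or if any
 *         single AudienceRestriction does not contain spEntityId
 */
protected final void validateAudienceRestrictions(final List<AudienceRestriction> audienceRestrictions, final String spEntityId) {
    if (audienceRestrictions == null || audienceRestrictions.isEmpty()) {
        throw new SAMLAssertionAudienceException("Audience restrictions cannot be null or empty");
    }
    // one URI set per AudienceRestriction element, so each can be evaluated independently;
    // the union is kept only for the diagnostic message
    final List<Set<String>> perRestriction = new ArrayList<>(audienceRestrictions.size());
    final Set<String> allAudienceUris = new HashSet<>();
    for (final AudienceRestriction audienceRestriction : audienceRestrictions) {
        final Set<String> uris = new HashSet<>();
        if (audienceRestriction.getAudiences() != null) {
            for (final Audience audience : audienceRestriction.getAudiences()) {
                uris.add(audience.getAudienceURI());
            }
        }
        perRestriction.add(uris);
        allAudienceUris.addAll(uris);
    }
    for (final Set<String> uris : perRestriction) {
        // an AudienceRestriction that does not name us (or has no Audience at all) fails the assertion
        if (!uris.contains(spEntityId)) {
            throw new SAMLAssertionAudienceException("Assertion audience " + allAudienceUris
                + " does not match SP configuration " + spEntityId);
        }
    }
}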
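/**
 * Enforces the assertion's AudienceRestriction conditions against this endpoint.
 *
 * The audience we accept is the absolute target address of the current message. SAML 2.0
 * Core (section 2.5.1.4) treats every AudienceRestriction element as a separate condition
 * that must all hold, with the Audience values inside one element as alternatives. The
 * earlier loop returned on the first matching Audience anywhere, so an assertion with a
 * second AudienceRestriction naming another party was accepted; each element is now
 * checked independently and any that does not name this address rejects the assertion.
 *
 * @param message the current message, used to derive the expected audience address
 * @param cs the assertion's Conditions element
 * @throws the not-authorized exception built by ExceptionUtils.toNotAuthorizedException when
 *         there is no AudienceRestriction at all, or when any AudienceRestriction does not
 *         name this endpoint's absolute address
 */
private void validateAudience(Message message, Conditions cs) {
    String absoluteAddress = getAbsoluteTargetAddress(message);
    List<AudienceRestriction> restrictions = cs.getAudienceRestrictions();
    if (restrictions == null || restrictions.isEmpty()) {
        // no audience restriction: fail closed, as the original did by falling through the loop
        throw ExceptionUtils.toNotAuthorizedException(null, null);
    }
    for (AudienceRestriction ar : restrictions) {
        List<Audience> audiences = ar.getAudiences();
        boolean satisfied = false;
        if (audiences != null) {
            for (Audience a : audiences) {
                if (absoluteAddress.equals(a.getAudienceURI())) {
                    satisfied = true;
                    break;
                }
            }
        }
        if (!satisfied) {
            // one unsatisfied AudienceRestriction (including one with no Audience) rejects the assertion
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
    }
}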
.stream() .filter(audience -> contextConfiguration.getIssuerId().equals(audience. getAudienceURI()))) .count() > 0);
String audienceURI = StringSupport.trimOrNull(audience.getAudienceURI()); if (validAudiences.contains(audienceURI)) { log.debug("Matched valid audience: {}", audienceURI);
if (Objects.equals(responderId, StringSupport.trimOrNull(audience.getAudienceURI()))) { log.debug("Local entity ID '{}' already present in assertion AudienceRestriction set, skipping", responderId);
/**
 * Checks whether the inbound AuthnRequest asked for delegation by naming this IdP
 * (responderId) in its Conditions/AudienceRestriction/Audience.
 *
 * Only AuthnRequest messages are considered; anything else yields false. Each audience value
 * is trimmed (an empty string becoming null) before comparison, so a blank Audience never
 * matches. NOTE(review): as in the original, a null inbound message would throw a
 * NullPointerException from the debug log call rather than return false — confirm upstream
 * guarantees a message is present.
 *
 * @param requestContext the current profile request context
 * @return true if some Audience in the request's AudienceRestriction conditions equals
 *         responderId; false if the message is not an AuthnRequest, has no Conditions,
 *         or names no such audience
 */
private boolean isDelegationRequestedByAudience(@Nonnull final ProfileRequestContext requestContext) {
    final Object inbound = requestContext.getInboundMessageContext().getMessage();
    if (!(inbound instanceof AuthnRequest)) {
        log.debug("Inbound SAML message was not an AuthnRequest: {}", inbound.getClass().getName());
        return false;
    }
    final Conditions conditions = ((AuthnRequest) inbound).getConditions();
    if (conditions == null) {
        return false;
    }
    for (final AudienceRestriction restriction : conditions.getAudienceRestrictions()) {
        for (final Audience audience : restriction.getAudiences()) {
            final String audienceValue = StringSupport.trimOrNull(audience.getAudienceURI());
            if (Objects.equals(audienceValue, responderId)) {
                log.debug("Saw an AuthnRequest/Conditions/AudienceRestriction/Audience with value of '{}'", responderId);
                return true;
            }
        }
    }
    return false;
}
/**
 * Collects every audience URI named by the assertion's AudienceRestriction conditions.
 *
 * Handles both SAML 1.x (AudienceRestrictionCondition / Audience.getUri) and SAML 2.0
 * (AudienceRestriction / Audience.getAudienceURI) assertions; the SAML 1.x branch wins when
 * both are present. The result flattens all restrictions into one list, so a caller cannot
 * tell which URIs belonged to the same AudienceRestriction element — a distinction that
 * matters if it wants to enforce SAML 2.0's rule that every AudienceRestriction must be
 * satisfied independently. NOTE(review): if getConditions() can return null for an assertion
 * without Conditions, this throws NullPointerException rather than returning an empty list —
 * confirm how the caller treats that.
 *
 * @param assertion the wrapped SAML 1.x or 2.0 assertion
 * @return the audience URIs in document order; empty if the wrapper holds neither assertion type
 */
protected List<String> getAudienceRestrictions(SamlAssertionWrapper assertion) {
    List<String> audienceUris = new ArrayList<>();
    if (assertion.getSaml1() != null) {
        List<AudienceRestrictionCondition> saml1Restrictions =
            assertion.getSaml1().getConditions().getAudienceRestrictionConditions();
        for (AudienceRestrictionCondition restriction : saml1Restrictions) {
            for (org.opensaml.saml.saml1.core.Audience audience : restriction.getAudiences()) {
                audienceUris.add(audience.getUri());
            }
        }
        return audienceUris;
    }
    if (assertion.getSaml2() != null) {
        List<org.opensaml.saml.saml2.core.AudienceRestriction> saml2Restrictions =
            assertion.getSaml2().getConditions().getAudienceRestrictions();
        for (org.opensaml.saml.saml2.core.AudienceRestriction restriction : saml2Restrictions) {
            for (org.opensaml.saml.saml2.core.Audience audience : restriction.getAudiences()) {
                audienceUris.add(audience.getAudienceURI());
            }
        }
    }
    return audienceUris;
}
/**
 * Collects every audience URI named by the assertion's AudienceRestriction conditions.
 *
 * Handles both SAML 1.x (AudienceRestrictionCondition / Audience.getUri) and SAML 2.0
 * (AudienceRestriction / Audience.getAudienceURI) assertions; the SAML 1.x branch wins when
 * both are present. The result flattens all restrictions into one list, so a caller cannot
 * tell which URIs belonged to the same AudienceRestriction element — a distinction that
 * matters if it wants to enforce SAML 2.0's rule that every AudienceRestriction must be
 * satisfied independently. NOTE(review): if getConditions() can return null for an assertion
 * without Conditions, this throws NullPointerException rather than returning an empty list —
 * confirm how the caller treats that.
 *
 * @param assertion the wrapped SAML 1.x or 2.0 assertion
 * @return the audience URIs in document order; empty if the wrapper holds neither assertion type
 */
protected List<String> getAudienceRestrictions(SamlAssertionWrapper assertion) {
    List<String> audienceUris = new ArrayList<>();
    if (assertion.getSaml1() != null) {
        List<AudienceRestrictionCondition> saml1Restrictions =
            assertion.getSaml1().getConditions().getAudienceRestrictionConditions();
        for (AudienceRestrictionCondition restriction : saml1Restrictions) {
            for (org.opensaml.saml.saml1.core.Audience audience : restriction.getAudiences()) {
                audienceUris.add(audience.getUri());
            }
        }
        return audienceUris;
    }
    if (assertion.getSaml2() != null) {
        List<org.opensaml.saml.saml2.core.AudienceRestriction> saml2Restrictions =
            assertion.getSaml2().getConditions().getAudienceRestrictions();
        for (org.opensaml.saml.saml2.core.AudienceRestriction restriction : saml2Restrictions) {
            for (org.opensaml.saml.saml2.core.Audience audience : restriction.getAudiences()) {
                audienceUris.add(audience.getAudienceURI());
            }
        }
    }
    return audienceUris;
}
audienceRestriction.getAudiences(); for (org.opensaml.saml.saml2.core.Audience audience : audiences) { String audienceURI = audience.getAudienceURI(); if (audienceRestrictions.contains(audienceURI)) { foundAddress = true;
.filter(audience -> entityId.equals(audience.getAudienceURI())) .findAny() .orElseThrow(() -> new SamlException("no audience found from the assertion"));