/**
 * Validates the XML signature of a SAML request against the certificate alias
 * configured for the resolved service provider and the current tenant domain.
 *
 * @param request any type of assertion request message
 * @return {@code true} if the signature validated, {@code false} otherwise
 * @throws IdentitySAML2QueryException if the validation itself could not be performed
 */
protected boolean validateSignature(RequestAbstractType request) throws IdentitySAML2QueryException {
    // NOTE(review): ssoIdpConfig is assumed to have been populated by issuer validation
    // before this runs; confirm the call order in the validator pipeline.
    final String certAlias = ssoIdpConfig.getCertAlias();
    final String tenantDomain = CarbonContext.getThreadLocalCarbonContext().getTenantDomain();
    final boolean signatureOk;
    try {
        signatureOk = OpenSAML3Util.validateXMLSignature(request, certAlias, tenantDomain);
    } catch (IdentityException e) {
        // The cause is carried on the rethrown exception; the log line is the constant summary.
        log.error(SAMLQueryRequestConstants.ServiceMessages.SIGNATURE_VALIDATION_FAILED);
        throw new IdentitySAML2QueryException("Unable to validate signature of request with id:" + request.getID(), e);
    }
    if (signatureOk) {
        log.debug("Request with id" + request.getID() + " contain valid signature");
    } else {
        log.debug("Request with id:" + request.getID() + " contain in-valid Signature");
    }
    return signatureOk;
}
/**
 * Captures the identifying fields of a SAML request: the request ID and, when an
 * {@code Issuer} element is present, its value. A request without an issuer
 * leaves {@code issuer} untouched.
 *
 * @param request the parsed SAML request
 */
public SAMLAbstractRequest(RequestAbstractType request) {
    this.requestId = request.getID();
    if (request.getIssuer() != null) {
        this.issuer = request.getIssuer().getValue();
    }
}
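/**
 * Validates the XML signature of a SAML request against the credential registered
 * for the given tenant and certificate alias.
 *
 * An unsigned request (no {@code Signature} element) is not an error here: the method
 * returns {@code false} and leaves the policy decision to the caller. A signature that
 * is present but does not verify is reported by {@link SignatureValidator#validate} as a
 * {@link SignatureException}, which is wrapped and rethrown — so {@code false} never
 * means "signature present but wrong".
 *
 * @param request    SAML request, this could be either a SAML Request or a LogoutRequest
 * @param alias      certificate alias against which the signature is validated
 * @param domainName tenant domain whose credential is used
 * @return {@code true} if a signature is present and valid; {@code false} if no signature is present
 * @throws IdentitySAML2QueryException when the signature is invalid or the credential cannot be loaded
 */
public static boolean validateXMLSignature(RequestAbstractType request, String alias, String domainName)
        throws IdentitySAML2QueryException {
    if (request.getSignature() == null) {
        // Nothing to verify; callers decide whether an unsigned request is acceptable.
        return false;
    }
    try {
        X509Credential cred = OpenSAML3Util.getX509CredentialImplForTenant(domainName, alias);
        // NOTE(review): no SAMLSignatureProfileValidator pass precedes this call; confirm the
        // signature profile (enveloped, single reference to the signed element) is checked
        // upstream before the cryptographic result is trusted.
        SignatureValidator.validate(request.getSignature(), cred);
        return true;
    } catch (SignatureException e) {
        // Build the message once so the log line and the exception stay identical.
        String context = "Unable to validate Signature of the request id:" + request.getID()
                + " with alias:" + alias + " ,domainname: " + domainName;
        log.error(context, e);
        throw new IdentitySAML2QueryException(context, e);
    }
}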
org.opensaml.saml.saml2.core.RequestAbstractType request = (org.opensaml.saml.saml2.core.RequestAbstractType) samlMessage; return request.getID();
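/**
 * Validates the issuer of a request message and, on success, loads the matching
 * service-provider configuration into {@code ssoIdpConfig}.
 *
 * The issuer is accepted only when its value is present, its NameID format equals
 * {@code GenericConstants.ISSUER_FORMAT}, and a service-provider configuration is
 * registered for that value.
 *
 * @param request any type of request message
 * @return {@code true} if the issuer is valid and its configuration was loaded, {@code false} otherwise
 * @throws IdentitySAML2QueryException if the request carries no {@code Issuer} element or an empty issuer value
 */
protected boolean validateIssuer(RequestAbstractType request) throws IdentitySAML2QueryException {
    // Guard against a missing Issuer element; dereferencing it unconditionally would NPE.
    Issuer issuer = request.getIssuer();
    if (issuer == null) {
        throw new IdentitySAML2QueryException("Issuer element is missing in request ID:" + request.getID()
                + ". Unable to validate issuer");
    }
    String issuerValue = issuer.getValue();
    if (issuerValue == null || issuerValue.isEmpty()) {
        throw new IdentitySAML2QueryException("Issuer value is empty. Unable to validate issuer");
    }
    // Only the fully qualified entity-ID format is accepted as the issuer's NameID format.
    if (issuer.getFormat() == null
            || !issuer.getFormat().equals(SAMLQueryRequestConstants.GenericConstants.ISSUER_FORMAT)) {
        log.error("NameID format is invalid in request ID:" + request.getID() + " and issuer: " + issuerValue);
        return false;
    }
    ssoIdpConfig = SAMLQueryRequestUtil.getServiceProviderConfig(issuerValue);
    if (ssoIdpConfig == null) {
        // Unknown issuer: no service provider is registered under this entity ID.
        log.error(SAMLQueryRequestConstants.ServiceMessages.NULL_ISSUER);
        return false;
    }
    log.debug(SAMLQueryRequestConstants.ServiceMessages.SUCCESS_ISSUER + ssoIdpConfig.getIssuer());
    return true;
}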
if (isValidMessage && invalidItems.size() <= 0) { log.debug("Request message with id:" + request.getID() + " is completely validated"); SAMLQueryProcessor processor = SAMLProcessorFactory.getProcessor(request); response = processor.process(request); SOAPEnvelope soapEnvelope = TransportUtils.createSOAPEnvelope(myOMElement); outMessageContext.setEnvelope(soapEnvelope); log.debug("SOAP response created for the request id:" + request.getID()); } else { "the request id:" + request.getID(), e); invalidItems.add(new InvalidItemDTO( SAMLQueryRequestConstants.ValidationType.STRING_TO_OMELEMENT, log.error("SAML Response is empty for the request id:" + request.getID()); invalidItems.add(new InvalidItemDTO(SAMLQueryRequestConstants.ValidationType.NO_ASSERTIONS, SAMLQueryRequestConstants.ValidationMessage.NO_ASSERTIONS_ERROR)); log.error("Request message with id:" + request.getID() + " contains validation errors"); invalidItems.add(new InvalidItemDTO(SAMLQueryRequestConstants.ValidationType.VAL_VALIDATION_ERROR, SAMLQueryRequestConstants.ValidationMessage.VALIDATION_ERROR));
+ assertionIDRequest.getID()); } catch (IdentitySAML2QueryException e) { log.error("Unable to build response for AssertionIdRequest id:" + request.getID(), e); throw new IdentitySAML2QueryException("Unable to build response for AssertionIdRequest id:" + request.getID()); throw new IdentitySAML2QueryException("Unable to process AsserionIDRequest with id:" + request.getID(), e);
service.isSkipGeneratingSubjectConfirmationRecipient() ? null : location, service.isSkipGeneratingSubjectConfirmationNotOnOrAfter() ? null : validFromDate.plusSeconds(this.skewAllowance), service.isSkipGeneratingSubjectConfirmationInResponseTo() ? null : authnRequest.getID(), service.isSkipGeneratingSubjectConfirmationNotBefore() ? null : ZonedDateTime.now());
LOG.debug("SAML Request with id '{}' successfully parsed", parsedRequest.getID());
final MessageContext messageContext) throws SamlException { val id = '_' + String.valueOf(RandomUtils.getNativeInstance().nextLong()); val samlResponse = newResponse(id, ZonedDateTime.now(ZoneOffset.UTC), authnRequest.getID(), null); samlResponse.setVersion(SAMLVersion.VERSION_20); samlResponse.setIssuer(buildEntityIssuer());
throw new IdentitySAML2QueryException("Unable to process AttributeQuery id:" + request.getID());
if (messageStorage != null) { if (request instanceof RequestAbstractType) { messageStorage.storeMessage(((RequestAbstractType) request).getID(), request); } else if (request instanceof StatusResponseType) { messageStorage.storeMessage(((StatusResponseType) request).getID(), request);