DateTime until = new DateTime().plusHours(1); assertion.getSubject().getSubjectConfirmations().get(0).getSubjectConfirmationData().setRecipient(spEndpoint); assertion.getConditions().getAudienceRestrictions().get(0).getAudiences().get(0).setAudienceURI(audienceEntityID); assertion.getIssuer().setValue(issuerEntityId); assertion.getSubject().getNameID().setValue(username); assertion.getSubject().getSubjectConfirmations().get(0).getSubjectConfirmationData().setInResponseTo(null); assertion.getSubject().getSubjectConfirmations().get(0).getSubjectConfirmationData().setNotOnOrAfter(until); assertion.getConditions().setNotOnOrAfter(until); SamlConfig config = new SamlConfig(); config.addAndActivateKey("active-key", new SamlKey(privateKey, keyPassword, certificate));
/**
 * Reads the {@code NotBefore} instant from the assertion's {@code <Conditions>} element.
 *
 * @param assertion the SAML assertion to read from
 * @return the {@code NotBefore} instant, or {@code null} when the attribute is absent
 * @throws NullPointerException if the assertion carries no {@code <Conditions>} element
 */
private DateTime getNotBefore(Assertion assertion) {
    return assertion
            .getConditions()
            .getNotBefore();
}
/**
 * Reads the {@code NotOnOrAfter} instant from the assertion's {@code <Conditions>} element.
 *
 * @param assertion the SAML assertion to read from
 * @return the {@code NotOnOrAfter} instant, or {@code null} when the attribute is absent
 * @throws NullPointerException if the assertion carries no {@code <Conditions>} element
 */
private DateTime getNotOnOrAfter(Assertion assertion) {
    return assertion
            .getConditions()
            .getNotOnOrAfter();
}
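/**
 * Validates the assertion's {@code <Conditions>} validity window against the current time.
 *
 * <p>Per SAML 2.0 Core 2.5.1.2 the assertion is invalid strictly before {@code NotBefore}
 * and invalid <em>on or after</em> {@code NotOnOrAfter}, so the upper bound is tested with
 * {@code >=} (the previous {@code >} accepted an assertion at the exact expiry instant).
 * No clock skew is applied; callers that must tolerate IdP/SP clock drift have to add it.
 *
 * @param assertion the SAML assertion whose conditions are checked
 * @throws ValidationException if the {@code <Conditions>} element or either time bound is
 *     missing, or if the current time lies outside the window
 */
private void validateDateTime(Assertion assertion) throws ValidationException {
    Conditions conditions = assertion.getConditions();
    if (conditions == null) {
        throw new ValidationException("Assertion has no Conditions element!");
    }
    DateTime notBefore = conditions.getNotBefore();
    DateTime notAfter = conditions.getNotOnOrAfter();
    // Both attributes are optional in the schema, but this validator requires a bounded
    // window; a missing value previously surfaced as a NullPointerException.
    if (notBefore == null || notAfter == null) {
        throw new ValidationException("Conditions must specify both NotBefore and NotOnOrAfter!");
    }
    long now = new DateTime().getMillis();
    if (now < notBefore.getMillis()) {
        throw new ValidationException("notBefore validation failed!");
    }
    // "Not On Or After": the expiry instant itself is already invalid.
    if (now >= notAfter.getMillis()) {
        throw new ValidationException("notOnOrAfter validation failed!");
    }
}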
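/**
 * {@inheritDoc}
 *
 * <p>The authorization assertion reuses the authentication assertion's ID and validity
 * window, with {@code NotOnOrAfter} shortened by one minute. A signing failure is no longer
 * swallowed: the previous implementation logged the error and returned the <em>unsigned</em>
 * assertion from a method whose contract is "signed", which would let a downstream consumer
 * accept a token that was never authenticated.
 *
 * @throws IllegalStateException if the assertion cannot be signed (wraps the
 *     {@link SignatureException})
 */
public Assertion getSignedAuthorizationAssertion(List<SAML2Attribute> saml2AuthorizationAttributes, Assertion authnAssertion) {
    // Assumes authnAssertion carries <Conditions> with NotOnOrAfter set (NPE otherwise) —
    // callers are expected to have validated the authentication assertion first.
    Assertion authorizationAssertion = saml2AssertionGenerator.generateSAML2Assertion(
            authnAssertion.getID(),
            StringConstants.ATTRIBUTE_AUTHORIZATION_DATA,
            new DateTime(),
            authnAssertion.getConditions().getNotBefore(),
            authnAssertion.getConditions().getNotOnOrAfter().minusMinutes(1),
            saml2AuthorizationAttributes);
    try {
        return (Assertion) saml2XmlObjectSigner.sign(authorizationAssertion);
    } catch (SignatureException e) {
        String message = "SAML2 assertion signing failed : ";
        logger.error(message, e);
        // Fail closed: never hand back an unsigned assertion.
        throw new IllegalStateException(message, e);
    }
}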
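/**
 * {@inheritDoc}
 *
 * <p>The auditing assertion reuses the authentication assertion's ID and validity window,
 * with {@code NotOnOrAfter} shortened by one minute. A signing failure is no longer
 * swallowed: the previous implementation logged the error and returned the <em>unsigned</em>
 * assertion from a method whose contract is "signed", which would let a downstream consumer
 * accept a token that was never authenticated.
 *
 * @throws IllegalStateException if the assertion cannot be signed (wraps the
 *     {@link SignatureException})
 */
public Assertion getSignedAuditingAssertion(List<SAML2Attribute> saml2AuditingAttributes, Assertion authnAssertion) {
    // Assumes authnAssertion carries <Conditions> with NotOnOrAfter set (NPE otherwise) —
    // callers are expected to have validated the authentication assertion first.
    Assertion auditingAssertion = saml2AssertionGenerator.generateSAML2Assertion(
            authnAssertion.getID(),
            StringConstants.ATTRIBUTE_INFO_DATA,
            new DateTime(),
            authnAssertion.getConditions().getNotBefore(),
            authnAssertion.getConditions().getNotOnOrAfter().minusMinutes(1),
            saml2AuditingAttributes);
    try {
        return (Assertion) saml2XmlObjectSigner.sign(auditingAssertion);
    } catch (SignatureException e) {
        String message = "SAML2 assertion signing failed : ";
        logger.error(message, e);
        // Fail closed: never hand back an unsigned assertion.
        throw new IllegalStateException(message, e);
    }
}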
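/**
 * Get Audiences of SAML2 Response.
 *
 * <p>Collects every {@code <Audience>} URI from every {@code <AudienceRestriction>} of the
 * first assertion in the response (later assertions are not inspected, as before). A response
 * with no assertions, no {@code <Conditions>} or no audience restrictions yields an empty
 * list; previously {@code getAssertions().get(0)} threw on an empty assertion list and the
 * subsequent {@code assertion != null} check was unreachable for that case.
 *
 * @param samlResponse SAML2 Response
 * @return audiences, never {@code null}
 */
private List<String> getAudiencesFromSAMLResponse(ResponseImpl samlResponse) {
    List<String> audiences = new ArrayList<>();
    List<Assertion> assertions = samlResponse.getAssertions();
    if (assertions == null || assertions.isEmpty()) {
        return audiences;
    }
    Assertion assertion = assertions.get(0);
    if (assertion == null || assertion.getConditions() == null) {
        return audiences;
    }
    List<AudienceRestriction> audienceRestrictions = assertion.getConditions().getAudienceRestrictions();
    if (CollectionUtils.isNotEmpty(audienceRestrictions)) {
        for (AudienceRestriction audienceRestriction : audienceRestrictions) {
            if (CollectionUtils.isNotEmpty(audienceRestriction.getAudiences())) {
                for (Audience audience : audienceRestriction.getAudiences()) {
                    audiences.add(audience.getAudienceURI());
                }
            }
        }
    }
    return audiences;
}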
/**
 * Captures the validity window and audience URIs of the authenticated user's SAML assertion.
 *
 * <p>The assertion is taken from the {@link SAMLCredential} carried by {@code authentication}.
 * {@code notBefore} and {@code notOnOrAfter} are copied from its {@code <Conditions>};
 * {@code audienceRestriction} receives the URIs of the <em>first</em>
 * {@code <AudienceRestriction>} only. NOTE(review): a missing {@code <Conditions>} element or an
 * empty audience-restriction list is not guarded against here (NullPointerException /
 * IndexOutOfBoundsException) — confirm the assertion is validated before this is constructed.
 *
 * @param authentication the Spring Security authentication whose credentials are a
 *     {@code SAMLCredential}
 */
public Conditions(Authentication authentication) {
    SAMLCredential samlCredential = (SAMLCredential) authentication.getCredentials();
    org.opensaml.saml2.core.Conditions samlConditions =
            samlCredential.getAuthenticationAssertion().getConditions();
    List<Audience> firstRestrictionAudiences =
            samlConditions.getAudienceRestrictions().get(0).getAudiences();
    notBefore = samlConditions.getNotBefore();
    notOnOrAfter = samlConditions.getNotOnOrAfter();
    audienceRestriction = new ArrayList<>();
    for (Audience audience : firstRestrictionAudiences) {
        audienceRestriction.add(audience.getAudienceURI());
    }
}
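/**
 * Validates the {@code <Conditions>} element of the SAML bearer assertion.
 *
 * <p>The Assertion MUST contain a {@code <Conditions>} element with an
 * {@code <AudienceRestriction>} element with an {@code <Audience>} element containing a URI
 * reference that identifies the authorization server, or the service provider SAML entity of
 * its controlling domain, as an intended audience. The token endpoint URL of the authorization
 * server MAY be used as an acceptable value for an {@code <Audience>} element. The
 * authorization server MUST verify that it is an intended audience for the Assertion.
 *
 * <p>Only the audience restriction is checked by this method; the {@code NotBefore} /
 * {@code NotOnOrAfter} bounds are not examined here.
 *
 * @param tokReqMsgCtx     token request message context
 * @param assertion        the SAML assertion under validation
 * @param identityProvider the identity provider that issued the assertion
 * @param tenantDomain     tenant domain the token request belongs to
 * @throws IdentityOAuth2Exception if the assertion has no {@code <Conditions>} element, or as
 *     propagated from {@code validateAudience}
 */
private void validateConditions(OAuthTokenReqMessageContext tokReqMsgCtx, Assertion assertion,
                                IdentityProvider identityProvider, String tenantDomain)
        throws IdentityOAuth2Exception {
    Conditions conditions = assertion.getConditions();
    if (conditions == null) {
        throw new IdentityOAuth2Exception("SAML Assertion doesn't contain Conditions");
    }
    String tokenEndpointAlias = getTokenEPAlias(assertion, identityProvider, tenantDomain);
    validateAudience(identityProvider, conditions, tokenEndpointAlias, tenantDomain);
}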
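/**
 * Validates the 'Not Before' and 'Not On Or After' conditions of the SAML Assertion.
 *
 * <p>Both bounds are optional in the SAML schema and are skipped when absent; the configured
 * time-stamp skew widens the window in both directions. Per SAML 2.0 Core 2.5.1.2 the
 * assertion is already invalid <em>on</em> the {@code NotOnOrAfter} instant, so expiry is
 * tested as {@code now >= validTill + skew} (the former {@code isBeforeNow()} still accepted an
 * assertion at the exact skew-adjusted expiry instant).
 *
 * @param assertion SAML Assertion element
 * @throws SSOAgentException if the current time lies outside the skew-adjusted window, or if
 *     {@code NotBefore} is later than {@code NotOnOrAfter}
 */
private void validateAssertionValidityPeriod(Assertion assertion) throws SSOAgentException {
    if (assertion.getConditions() == null) {
        // The schema does not require <Conditions>; nothing to check here.
        return;
    }
    int timeStampSkewInSeconds = ssoAgentConfig.getSAML2().getTimeStampSkewInSeconds();
    DateTime validFrom = assertion.getConditions().getNotBefore();
    DateTime validTill = assertion.getConditions().getNotOnOrAfter();
    if (validFrom != null && validFrom.minusSeconds(timeStampSkewInSeconds).isAfterNow()) {
        throw new SSOAgentException("Failed to meet SAML Assertion Condition 'Not Before'");
    }
    // Valid only while the skew-adjusted bound is still strictly in the future.
    if (validTill != null && !validTill.plusSeconds(timeStampSkewInSeconds).isAfterNow()) {
        throw new SSOAgentException("Failed to meet SAML Assertion Condition 'Not On Or After'");
    }
    if (validFrom != null && validTill != null && validFrom.isAfter(validTill)) {
        throw new SSOAgentException(
                "SAML Assertion Condition 'Not Before' must be less than the value of 'Not On Or After'");
    }
}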
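/**
 * Validates the 'Not Before' and 'Not On Or After' conditions of the SAML Assertion.
 *
 * <p>Both bounds are optional in the SAML schema and are skipped when absent; the configured
 * time-stamp skew widens the window in both directions. Per SAML 2.0 Core 2.5.1.2 the
 * assertion is already invalid <em>on</em> the {@code NotOnOrAfter} instant, so expiry is
 * tested as {@code now >= validTill + skew} (the former {@code isBeforeNow()} still accepted an
 * assertion at the exact skew-adjusted expiry instant).
 *
 * @param assertion SAML Assertion element
 * @throws SSOAgentException if the current time lies outside the skew-adjusted window, or if
 *     {@code NotBefore} is later than {@code NotOnOrAfter}
 */
private void validateAssertionValidityPeriod(Assertion assertion) throws SSOAgentException {
    if (assertion.getConditions() == null) {
        // The schema does not require <Conditions>; nothing to check here.
        return;
    }
    int timeStampSkewInSeconds = ssoAgentConfig.getSAML2().getTimeStampSkewInSeconds();
    DateTime validFrom = assertion.getConditions().getNotBefore();
    DateTime validTill = assertion.getConditions().getNotOnOrAfter();
    if (validFrom != null && validFrom.minusSeconds(timeStampSkewInSeconds).isAfterNow()) {
        throw new SSOAgentException("Failed to meet SAML Assertion Condition 'Not Before'");
    }
    // Valid only while the skew-adjusted bound is still strictly in the future.
    if (validTill != null && !validTill.plusSeconds(timeStampSkewInSeconds).isAfterNow()) {
        throw new SSOAgentException("Failed to meet SAML Assertion Condition 'Not On Or After'");
    }
    if (validFrom != null && validTill != null && validFrom.isAfter(validTill)) {
        throw new SSOAgentException(
                "SAML Assertion Condition 'Not Before' must be less than the value of 'Not On Or After'");
    }
}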
DateTime validTill = null; if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20) && assertion.getSaml2().getConditions() != null) { validFrom = assertion.getSaml2().getConditions().getNotBefore(); validTill = assertion.getSaml2().getConditions().getNotOnOrAfter(); } else if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_11) && assertion.getSaml1().getConditions() != null) {
) throws WSSecurityException { if (samlAssertion.getSamlVersion().equals(SAMLVersion.VERSION_20) && samlAssertion.getSaml2().getConditions() != null && samlAssertion.getSaml2().getConditions().getOneTimeUse() != null && data.getSamlOneTimeUseReplayCache() != null) { String identifier = samlAssertion.getId(); DateTime expires = samlAssertion.getSaml2().getConditions().getNotOnOrAfter(); if (expires != null) { Date rightNow = new Date();
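/**
 * Validates the single assertion carried by the SAML response.
 *
 * <p>Requires exactly one assertion whose {@code <Issuer>} value equals the expected
 * {@code responseIssuer} and whose {@code <Subject>} carries a {@code <NameID>}; the
 * {@code <Conditions>} are then passed to {@code enforceConditions}. A response whose
 * assertion lacks an {@code <Issuer>} or {@code <Subject>} is rejected with a
 * {@link SamlException} instead of failing with a {@code NullPointerException}. Signature
 * verification is not performed by this method.
 *
 * @param response the decoded SAML response
 * @throws SamlException if the response does not carry exactly one acceptable assertion
 */
private void validateAssertion(Response response) throws SamlException {
    if (response.getAssertions().size() != 1) {
        throw new SamlException("The response doesn't contain exactly 1 assertion");
    }
    Assertion assertion = response.getAssertions().get(0);
    // A crafted response may omit <Issuer> entirely; treat that as a mismatch, not an NPE.
    String issuer = assertion.getIssuer() == null ? null : assertion.getIssuer().getValue();
    if (issuer == null || !issuer.equals(responseIssuer)) {
        throw new SamlException("The assertion issuer didn't match the expected value");
    }
    if (assertion.getSubject() == null || assertion.getSubject().getNameID() == null) {
        throw new SamlException(
                "The NameID value is missing from the SAML response; this is likely an IDP configuration issue");
    }
    enforceConditions(assertion.getConditions());
}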
) throws WSSecurityException { if (samlAssertion.getSamlVersion().equals(SAMLVersion.VERSION_20) && samlAssertion.getSaml2().getConditions() != null && samlAssertion.getSaml2().getConditions().getOneTimeUse() != null && data.getSamlOneTimeUseReplayCache() != null) { String identifier = samlAssertion.getId(); DateTime expires = samlAssertion.getSaml2().getConditions().getNotOnOrAfter(); if (expires != null) { Date rightNow = new Date();
/**
 * Copies the assertion ID and validity window into this object.
 *
 * <p>The window is read from {@code <Conditions>} when that element is present; otherwise it
 * is read from the {@code <SubjectConfirmationData>} of the first {@code <SubjectConfirmation>}.
 * An attribute missing from the chosen source is simply left unset — the other source is not
 * consulted as a per-attribute fallback. NOTE(review): the fallback path assumes a
 * {@code <Subject>} with at least one {@code <SubjectConfirmation>} that carries confirmation
 * data; otherwise it fails with a NullPointerException / IndexOutOfBoundsException — confirm
 * the assertion has been validated before this runs.
 */
protected void processSAMLAssertion() {
    setAssertionId(assertion.getID());
    Subject subject = assertion.getSubject();
    Conditions conditions = assertion.getConditions();
    if (conditions == null) {
        // No <Conditions>: fall back to the first subject confirmation's data.
        SubjectConfirmationData confirmationData =
                subject.getSubjectConfirmations().get(0).getSubjectConfirmationData();
        if (confirmationData.getNotBefore() != null) {
            setDateNotBefore(confirmationData.getNotBefore().toDate());
        }
        if (confirmationData.getNotOnOrAfter() != null) {
            setDateNotOnOrAfter(confirmationData.getNotOnOrAfter().toDate());
        }
        return;
    }
    if (conditions.getNotBefore() != null) {
        setDateNotBefore(conditions.getNotBefore().toDate());
    }
    if (conditions.getNotOnOrAfter() != null) {
        setDateNotOnOrAfter(conditions.getNotOnOrAfter().toDate());
    }
}
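/**
 * Verifies a single assertion of the SSO response: freshness of {@code IssueInstant}, issuer,
 * signature, subject, conditions and any authentication statements.
 *
 * <p>Changes from the earlier version: the raw {@code Exception} plus {@code System.out}
 * logging are replaced by a {@link SAMLException} whose message carries the offending instant,
 * and a missing {@code <Subject>} is rejected explicitly rather than being handed to
 * {@code verifySubject}. An audience restriction is only demanded when the assertion carries
 * an {@code <AuthnStatement>}. {@code <Advice>} is ignored (SAML Core line 574).
 *
 * @param assertion the assertion to verify
 * @param request   the {@code AuthnRequest} this response answers, used when verifying the subject
 * @param context   message context for the current exchange
 * @throws SAMLException if the assertion is too old, lacks a subject, or a delegated check fails
 * @throws org.opensaml.xml.security.SecurityException propagated from the delegated verifiers
 * @throws ValidationException propagated from the delegated verifiers
 * @throws Exception retained for signature compatibility; may be propagated by the delegated verifiers
 */
private void verifyAssertion(Assertion assertion, AuthnRequest request, BasicSAMLMessageContext context)
        throws SAMLException, org.opensaml.xml.security.SecurityException, ValidationException, Exception {
    // Reject stale assertions before doing any cryptographic work.
    if (!isDateTimeSkewValid(MAX_ASSERTION_TIME, assertion.getIssueInstant())) {
        throw new SAMLException("Users authentication credential is too old to be used, issued at "
                + assertion.getIssueInstant());
    }
    // Verify validity of assertion; Advice is ignored, core 574.
    verifyIssuer(assertion.getIssuer(), context);
    verifyAssertionSignature(assertion.getSignature(), context);
    if (assertion.getSubject() == null) {
        throw new SAMLException("Assertion does not contain subject and is discarded");
    }
    verifySubject(assertion.getSubject(), request, context);
    // An assertion with an authentication statement must contain an audience restriction.
    if (!assertion.getAuthnStatements().isEmpty()) {
        verifyAssertionConditions(assertion.getConditions(), context, true);
        for (AuthnStatement statement : assertion.getAuthnStatements()) {
            verifyAuthenticationStatement(statement, context);
        }
    } else {
        verifyAssertionConditions(assertion.getConditions(), context, false);
    }
}
/**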
Conditions conditions = assertion.getConditions(); if (conditions != null) { List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
Conditions conditions = assertion.getConditions(); if (conditions != null) { List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
/**
 * Verifies one assertion of the SSO response.
 *
 * <p>Order of checks: the {@code IssueInstant} must fall within the response skew and
 * {@code maxAssertionTime}; then issuer, signature and subject are verified (a missing
 * {@code <Subject>} is rejected); finally the conditions are checked, with an audience
 * restriction demanded whenever the assertion carries authentication statements, each of
 * which is then verified against the requested authentication context when an
 * {@code AuthnRequest} is available. {@code <Advice>} is ignored (SAML Core line 574).
 *
 * @param assertion the assertion to verify
 * @param request   the originating {@code AuthnRequest}, or {@code null} when none is available
 * @param context   message context for the current exchange
 * @throws AuthenticationException propagated from the delegated verifiers
 * @throws SAMLException if the assertion is stale, has no subject, or a delegated check fails
 * @throws org.opensaml.xml.security.SecurityException propagated from signature verification
 * @throws ValidationException propagated from the delegated verifiers
 * @throws DecryptionException propagated from the delegated verifiers
 */
protected void verifyAssertion(Assertion assertion, AuthnRequest request, SAMLMessageContext context)
        throws AuthenticationException, SAMLException, org.opensaml.xml.security.SecurityException,
        ValidationException, DecryptionException {
    // Freshness first: stale assertions are discarded before any signature work.
    if (!isDateTimeSkewValid(getResponseSkew(), getMaxAssertionTime(), assertion.getIssueInstant())) {
        throw new SAMLException("Assertion is too old to be used, value can be customized by setting maxAssertionTime value "
                + assertion.getIssueInstant());
    }
    // Advice is ignored, core 574.
    verifyIssuer(assertion.getIssuer(), context);
    verifyAssertionSignature(assertion.getSignature(), context);
    if (assertion.getSubject() == null) {
        throw new SAMLException("Assertion does not contain subject and is discarded");
    }
    verifySubject(assertion.getSubject(), request, context);
    // An assertion with authentication statements must carry an audience restriction.
    boolean hasAuthnStatements = !assertion.getAuthnStatements().isEmpty();
    verifyAssertionConditions(assertion.getConditions(), context, hasAuthnStatements);
    if (hasAuthnStatements) {
        for (AuthnStatement authnStatement : assertion.getAuthnStatements()) {
            verifyAuthenticationStatement(
                    authnStatement,
                    request != null ? request.getRequestedAuthnContext() : null,
                    context);
        }
    }
}