/**
 * Populates the attributes every outbound SAML {@code Response} shares: a fresh ID,
 * this IdP's Issuer, the InResponseTo link back to the inbound AuthnRequest, the
 * protocol version, the issue instant and, when the SP endpoint is known, Destination.
 *
 * @param localEntityId entity ID of this IdP, passed to {@code getIssuer}
 * @param response      the response being filled in (mutated in place)
 * @param service       SP endpoint the response is addressed to; may be null, in which
 *                      case Destination is left unset
 * @param authnRequest  inbound request whose ID becomes InResponseTo — dereferenced
 *                      without a null check, so callers must not pass null
 *                      (NOTE(review): confirm IdP-initiated flows never reach here)
 */
private void buildCommonAttributes(String localEntityId, Response response, Endpoint service, AuthnRequest authnRequest) {
    // Identity and correlation: the SP matches InResponseTo against the request ID it
    // stored when it sent the AuthnRequest, so this must be the inbound ID verbatim.
    response.setID(generateID());
    response.setIssuer(getIssuer(localEntityId));
    response.setInResponseTo(authnRequest.getID());

    // Protocol envelope.
    response.setVersion(SAMLVersion.VERSION_20);
    response.setIssueInstant(new DateTime());

    // Recipients that enforce Destination reject a mismatch, so when no endpoint was
    // resolved we leave it unset rather than guess.
    if (service == null) {
        return;
    }
    response.setDestination(service.getLocation());
}
/**
 * Unsigned-assertion happy path. Checks that the built Response correlates with the
 * inbound AuthnRequest at both levels an SP validates (Response.InResponseTo and the
 * bearer SubjectConfirmationData.InResponseTo), that the mocked user is emitted with
 * the default unspecified NameID, and that the expected attributes are present.
 */
@Test
public void testBuildResponse() throws MessageEncodingException, SAMLException, MetadataProviderException, SecurityException, MarshallingException, SignatureException {
    String authnId = UUID.randomUUID().toString();
    Authentication uaaAuthentication = samlTestUtils.mockUaaAuthentication(authnId);
    SAMLMessageContext messageContext = samlTestUtils.mockSamlMessageContext();

    IdpWebSSOProfileOptions profileOptions = new IdpWebSSOProfileOptions();
    profileOptions.setAssertionsSigned(false);
    profile.buildResponse(uaaAuthentication, messageContext, profileOptions);

    AuthnRequest inbound = (AuthnRequest) messageContext.getInboundSAMLMessage();
    Response outbound = (Response) messageContext.getOutboundSAMLMessage();
    // Response-level correlation with the request that triggered it.
    assertEquals(inbound.getID(), outbound.getInResponseTo());

    Assertion firstAssertion = outbound.getAssertions().get(0);
    Subject assertionSubject = firstAssertion.getSubject();
    assertEquals("marissa", assertionSubject.getNameID().getValue());
    assertEquals(NameIDType.UNSPECIFIED, assertionSubject.getNameID().getFormat());

    // Bearer confirmation must also point back at the request ID.
    SubjectConfirmation confirmation = assertionSubject.getSubjectConfirmations().get(0);
    SubjectConfirmationData confirmationData = confirmation.getSubjectConfirmationData();
    assertEquals(inbound.getID(), confirmationData.getInResponseTo());

    verifyAssertionAttributes(authnId, firstAssertion);
}
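/**
 * Signed-assertion variant of {@link #testBuildResponse}. Builds a response with
 * {@code assertionsSigned=true} and checks the same correlation and subject properties
 * as the unsigned case, plus that the assertion carries a Signature element.
 *
 * This test now also asserts Response.InResponseTo, which the unsigned test already
 * checks; the signed path must correlate identically or an SP will reject it.
 * Note that {@code assertNotNull(getSignature())} only proves a signature was
 * attached, not that it verifies against the IdP credential.
 */
@Test
public void testBuildResponseWithSignedAssertion() throws MessageEncodingException, SAMLException, MetadataProviderException, SecurityException, MarshallingException, SignatureException {
    String authenticationId = UUID.randomUUID().toString();
    Authentication authentication = samlTestUtils.mockUaaAuthentication(authenticationId);
    SAMLMessageContext context = samlTestUtils.mockSamlMessageContext();

    IdpWebSSOProfileOptions options = new IdpWebSSOProfileOptions();
    options.setAssertionsSigned(true);
    profile.buildResponse(authentication, context, options);

    AuthnRequest request = (AuthnRequest) context.getInboundSAMLMessage();
    Response response = (Response) context.getOutboundSAMLMessage();
    // Response-level correlation, consistent with the unsigned test.
    assertEquals(request.getID(), response.getInResponseTo());

    Assertion assertion = response.getAssertions().get(0);
    Subject subject = assertion.getSubject();
    assertEquals("marissa", subject.getNameID().getValue());

    // Bearer confirmation must point back at the request ID.
    SubjectConfirmation subjectConfirmation = subject.getSubjectConfirmations().get(0);
    SubjectConfirmationData subjectConfirmationData = subjectConfirmation.getSubjectConfirmationData();
    assertEquals(request.getID(), subjectConfirmationData.getInResponseTo());

    verifyAssertionAttributes(authenticationId, assertion);

    // Presence only; signature validity is not exercised here.
    assertNotNull(assertion.getSignature());
}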
/**
 * When the AuthnRequest asks for a persistent NameID, the assertion subject must use
 * the persistent format and carry the stable identifier (here the authentication ID
 * the mock was seeded with) rather than the username.
 */
@Test
public void testBuildResponseForSamlRequestWithPersistentNameID() throws Exception {
    String authnId = UUID.randomUUID().toString();
    Authentication uaaAuthentication = samlTestUtils.mockUaaAuthentication(authnId);
    AuthnRequest persistentRequest = samlTestUtils.mockAuthnRequest(NameIDType.PERSISTENT);
    SAMLMessageContext messageContext = samlTestUtils.mockSamlMessageContext(persistentRequest);

    IdpWebSSOProfileOptions profileOptions = new IdpWebSSOProfileOptions();
    profileOptions.setAssertionsSigned(false);
    profile.buildResponse(uaaAuthentication, messageContext, profileOptions);

    AuthnRequest inbound = (AuthnRequest) messageContext.getInboundSAMLMessage();
    Response outbound = (Response) messageContext.getOutboundSAMLMessage();

    Assertion firstAssertion = outbound.getAssertions().get(0);
    Subject assertionSubject = firstAssertion.getSubject();
    // Persistent identifier, not the display username.
    assertEquals(authnId, assertionSubject.getNameID().getValue());
    assertEquals(NameIDType.PERSISTENT, assertionSubject.getNameID().getFormat());

    SubjectConfirmation confirmation = assertionSubject.getSubjectConfirmations().get(0);
    SubjectConfirmationData confirmationData = confirmation.getSubjectConfirmationData();
    assertEquals(inbound.getID(), confirmationData.getInResponseTo());

    verifyAssertionAttributes(authnId, firstAssertion);
}
/**
 * When the AuthnRequest asks for an email-address NameID, the subject must use the
 * email format and the mocked user's email rather than the username.
 */
@Test
public void testBuildResponseForSamlRequestWithEmailAddressNameID() throws MessageEncodingException, SAMLException, MetadataProviderException, SecurityException, MarshallingException, SignatureException {
    String authnId = UUID.randomUUID().toString();
    Authentication uaaAuthentication = samlTestUtils.mockUaaAuthentication(authnId);
    AuthnRequest emailRequest = samlTestUtils.mockAuthnRequest(NameIDType.EMAIL);
    SAMLMessageContext messageContext = samlTestUtils.mockSamlMessageContext(emailRequest);

    IdpWebSSOProfileOptions profileOptions = new IdpWebSSOProfileOptions();
    profileOptions.setAssertionsSigned(false);
    profile.buildResponse(uaaAuthentication, messageContext, profileOptions);

    AuthnRequest inbound = (AuthnRequest) messageContext.getInboundSAMLMessage();
    Response outbound = (Response) messageContext.getOutboundSAMLMessage();

    Assertion firstAssertion = outbound.getAssertions().get(0);
    Subject assertionSubject = firstAssertion.getSubject();
    assertEquals("marissa@testing.org", assertionSubject.getNameID().getValue());
    assertEquals(NameIDType.EMAIL, assertionSubject.getNameID().getFormat());

    SubjectConfirmation confirmation = assertionSubject.getSubjectConfirmations().get(0);
    SubjectConfirmationData confirmationData = confirmation.getSubjectConfirmationData();
    assertEquals(inbound.getID(), confirmationData.getInResponseTo());

    verifyAssertionAttributes(authnId, firstAssertion);
}
/**
 * An explicit request for the unspecified NameID format yields the same subject as the
 * default case: username value, unspecified format, correlated bearer confirmation.
 */
@Test
public void testBuildResponseForSamlRequestWithUnspecifiedNameID() throws MessageEncodingException, SAMLException, MetadataProviderException, SecurityException, MarshallingException, SignatureException {
    String authnId = UUID.randomUUID().toString();
    Authentication uaaAuthentication = samlTestUtils.mockUaaAuthentication(authnId);
    AuthnRequest unspecifiedRequest = samlTestUtils.mockAuthnRequest(NameIDType.UNSPECIFIED);
    SAMLMessageContext messageContext = samlTestUtils.mockSamlMessageContext(unspecifiedRequest);

    IdpWebSSOProfileOptions profileOptions = new IdpWebSSOProfileOptions();
    profileOptions.setAssertionsSigned(false);
    profile.buildResponse(uaaAuthentication, messageContext, profileOptions);

    AuthnRequest inbound = (AuthnRequest) messageContext.getInboundSAMLMessage();
    Response outbound = (Response) messageContext.getOutboundSAMLMessage();

    Assertion firstAssertion = outbound.getAssertions().get(0);
    Subject assertionSubject = firstAssertion.getSubject();
    assertEquals("marissa", assertionSubject.getNameID().getValue());
    assertEquals(NameIDType.UNSPECIFIED, assertionSubject.getNameID().getFormat());

    SubjectConfirmation confirmation = assertionSubject.getSubjectConfirmations().get(0);
    SubjectConfirmationData confirmationData = confirmation.getSubjectConfirmationData();
    assertEquals(inbound.getID(), confirmationData.getInResponseTo());

    verifyAssertionAttributes(authnId, firstAssertion);
}
subjectConfirmationData.setInResponseTo(authnRequest.getID()); subjectConfirmationData.setRecipient(authnRequest.getAssertionConsumerServiceURL()); subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData);
/**
 * Completes an SP-initiated SSO exchange: decodes the inbound AuthnRequest, builds a
 * {@code SAMLPrincipal} for the already-authenticated user and hands it to the message
 * handler, which writes the SAML Response to {@code response}.
 *
 * @param request        inbound HTTP request carrying the SAMLRequest
 * @param response       HTTP response the SAML Response is written to
 * @param authentication the authenticated user whose attributes populate the assertion
 * @param postRequest    binding selector passed through to the message handler
 *                       (presumably HTTP-POST vs. HTTP-Redirect — confirm against
 *                       extractSAMLMessageContext)
 */
@SuppressWarnings("unchecked")
private void doSSO(HttpServletRequest request, HttpServletResponse response, Authentication authentication, boolean postRequest) throws ValidationException, SecurityException, MessageDecodingException, MarshallingException, SignatureException, MessageEncodingException, MetadataProviderException, IOException, ServletException {
    SAMLMessageContext inboundContext = samlMessageHandler.extractSAMLMessageContext(request, response, postRequest);
    AuthnRequest authnRequest = (AuthnRequest) inboundContext.getInboundSAMLMessage();

    // A configured ACS endpoint always wins; otherwise the response is sent wherever
    // the request asked.
    // NOTE(review): in the fallback the destination is taken verbatim from the inbound
    // request. Unless the request signature is verified upstream, or the URL is checked
    // against the SP's registered metadata, a forged AuthnRequest can steer the
    // assertion to an attacker-chosen URL — confirm what extractSAMLMessageContext enforces.
    String configuredAcs = idpConfiguration.getAcsEndpoint();
    String acsUrl = (configuredAcs == null) ? authnRequest.getAssertionConsumerServiceURL() : configuredAcs;

    List<SAMLAttribute> samlAttributes = attributes(authentication);

    // NameID format is carried as a regular attribute; the first match wins and a
    // missing (or null-valued) attribute falls back to the unspecified format.
    String nameIdFormat = NameIDType.UNSPECIFIED;
    for (SAMLAttribute candidate : samlAttributes) {
        if ("urn:oasis:names:tc:SAML:1.1:nameid-format".equals(candidate.getName())) {
            String declared = candidate.getValue();
            if (declared != null) {
                nameIdFormat = declared;
            }
            break;
        }
    }

    // Issuer and request ID are carried so the response can set InResponseTo and be
    // addressed to the requesting SP; RelayState is echoed back untouched.
    SAMLPrincipal principal = new SAMLPrincipal(
            authentication.getName(),
            nameIdFormat,
            samlAttributes,
            authnRequest.getIssuer().getValue(),
            authnRequest.getID(),
            acsUrl,
            inboundContext.getRelayState());
    samlMessageHandler.sendAuthnResponse(principal, response);
}
setRequestId(authnRequest.getID(), request.getSession()); setRecipient(authnRequest.getAssertionConsumerServiceURL(), request.getSession());
request.getAssertionConsumerServiceIndex(), request.getID(), getEntityMetadata().getEntityID()}); endpoint = selectEndpointByACSIndex(request, (List<IndexedEndpoint>) endpoints); } else if (request.getAssertionConsumerServiceURL() != null) { "Selecting endpoint by ACS URL '{}' and protocol binding '{}' for request '{}' from entity '{}'", new Object[] {request.getAssertionConsumerServiceURL(), request.getProtocolBinding(), request.getID(), getEntityMetadata().getEntityID()}); endpoint = selectEndpointByACSURL(request, (List<IndexedEndpoint>) endpoints);
continue; } else { if (!data.getInResponseTo().equals(request.getID())) { log.debug("Bearer SubjectConfirmation invalidated by invalid in response to"); continue;
throw new SAMLException("SAML Assertion is invalid"); } else { if (!data.getInResponseTo().equals(request.getID())) { System.out.println("Assertion invalidated by subject confirmation - invalid in response to"); throw new SAMLException("SAML Assertion is invalid");
if (!data.getInResponseTo().equals(request.getID())) { log.debug("HoK SubjectConfirmation invalidated by invalid in response to field"); continue;
InvalidSPEntityIdException ex = new InvalidSPEntityIdException(StatusCode.REQUESTER_URI, "Cannot find issuer."); ex.setInResponseTo(authnRequest.getID()); ex.setAcsUrl(Config.getInstance().getErrorPageUrl()); throw ex; InvalidSPEntityIdException ex = new InvalidSPEntityIdException(StatusCode.REQUESTER_URI, e.getMessage()); ex.setInResponseTo(authnRequest.getID()); ex.setAcsUrl(Config.getInstance().getErrorPageUrl()); throw ex; SAML2SSORequestValidationException ex = new SAML2SSORequestValidationException(StatusCode.REQUESTER_URI, e.getMessage()); ex.setInResponseTo(authnRequest.getID()); ex.setAcsUrl(Config.getInstance().getErrorPageUrl()); throw ex;
return validationResponse; validationResponse.setId(authnReq.getID()); validationResponse.setAssertionConsumerURL(authnReq.getAssertionConsumerServiceURL()); validationResponse.setDestination(authnReq.getDestination());
/**
 * Gateway validation entry point for an SP-initiated SAML2 SSO request.
 * Builds the inbound SSO context, records the SP entity ID (resolved by the gateway,
 * not read from the request's Issuer) and the request ID for later InResponseTo use,
 * then runs {@code validateAuthnRequest}.
 *
 * @param authenticationContext gateway context holding the decoded request
 * @return an empty {@code GatewayHandlerResponse} when validation passes
 * @throws SAML2SSORequestValidationException propagated from validateAuthnRequest
 * @throws SAML2SSORuntimeException wrapping a SAML2SSOServerException, with the
 *         InResponseTo and ACS URL copied over so an error response can still be built
 */
@Override
public GatewayHandlerResponse validate(AuthenticationContext authenticationContext) throws SAML2SSORequestValidationException {
    SAML2SSOContext ssoContext = createInboundMessageContext(authenticationContext);
    SPInitRequest inbound = (SPInitRequest) ssoContext.getRequest();
    AuthnRequest authnRequest = inbound.getAuthnRequest();

    ssoContext.setSPEntityId(authenticationContext.getServiceProviderId());
    ssoContext.setId(authnRequest.getID());

    try {
        validateAuthnRequest(authnRequest, ssoContext);
    } catch (SAML2SSOServerException serverFailure) {
        // TODO: Throw GatewayServerException from validation handler.
        // Server-side failures become a RESPONDER-status runtime exception; the cause is
        // preserved and the correlation data is copied so the error path can reply.
        SAML2SSORuntimeException wrapped =
                new SAML2SSORuntimeException(StatusCode.RESPONDER_URI, serverFailure.getMessage(), serverFailure);
        wrapped.setInResponseTo(serverFailure.getInResponseTo());
        wrapped.setAcsUrl(serverFailure.getAcsUrl());
        throw wrapped;
    }
    return new GatewayHandlerResponse();
}
messageContext.setId(((AuthnRequest) request).getID()); messageContext.setAssertionConsumerUrl(((AuthnRequest) request).getAssertionConsumerServiceURL()); messageContext.setIsPassive(((AuthnRequest) request).isPassive());
/**
 * Sends an ECP (PAOS-bound) AuthnRequest. The request is wrapped in a SOAP envelope
 * with PAOS and ECP header blocks, sent to the client, and — when message storage is
 * configured — stored under its ID so the eventual Response's InResponseTo can be
 * matched against a request we actually issued.
 *
 * @param context SAML message context; mutated with the outbound message, envelope and
 *                profile identifier
 * @param options options driving ACS selection and AuthnRequest construction
 */
@Override
public void sendAuthenticationRequest(SAMLMessageContext context, WebSSOProfileOptions options) throws SAMLException, MetadataProviderException, MessageEncodingException {
    SPSSODescriptor localSp = (SPSSODescriptor) context.getLocalEntityRoleMetadata();
    AssertionConsumerService acs = getAssertionConsumerService(options, null, localSp);

    // The final argument names the IdP that will receive the message. In ECP the
    // client picks the IdP, so we cannot know it here and pass null.
    AuthnRequest authnRequest = getAuthnRequest(context, options, acs, null);

    context.setCommunicationProfileId(getProfileIdentifier());
    context.setOutboundMessage(getEnvelope());
    context.setOutboundSAMLMessage(authnRequest);

    SOAPHelper.addHeaderBlock(context, getPAOSRequest(acs));
    SOAPHelper.addHeaderBlock(context, getECPRequest(context, options));

    // Signing is governed by the SP's own metadata flag.
    sendMessage(context, localSp.isAuthnRequestsSigned(), SAMLConstants.SAML2_PAOS_BINDING_URI);

    HTTPOutTransport transport = (HTTPOutTransport) context.getOutboundMessageTransport();
    transport.setHeader("Content-Type", "application/vnd.paos+xml");

    // Without storage there is nothing to correlate InResponseTo against later.
    SAMLMessageStorage storage = context.getMessageStorage();
    if (storage == null) {
        return;
    }
    storage.storeMessage(authnRequest.getID(), authnRequest);
}
/**
 * Verifies the signature on an SP-initiated AuthnRequest against the SP's configured
 * signing certificate. Redirect-bound requests are checked via the deflate/query-string
 * signature (SigAlg is supplied by the request); everything else via the XML signature
 * embedded in the AuthnRequest.
 *
 * NOTE(review): {@code spInitRequest.getSignatureAlgorithm()} is attacker-controlled
 * input on the Redirect path; validateDeflateSignature must restrict it to an allow-list
 * of strong algorithms rather than honour whatever the request names — confirm.
 *
 * @param authnRequest   the decoded AuthnRequest
 * @param saml2SSOContext context carrying the raw request, request ID, ACS URL and SP ID
 * @param config         validator config providing the PEM/base64 signing certificate
 * @return the verdict of the underlying signature check
 * @throws SAML2SSOServerException if the configured certificate cannot be decoded; the
 *         exception carries InResponseTo and, as its ACS URL, the request's Destination
 *         (which is this IdP's endpoint, not the SP's ACS — confirm the error handler
 *         expects that)
 */
public static boolean validateAuthnRequestSignature(AuthnRequest authnRequest, SAML2SSOContext saml2SSOContext, RequestValidatorConfig config) throws SAML2SSORequestValidationException, SAML2SSOServerException {
    X509Certificate signingCert;
    try {
        signingCert = (X509Certificate) Utils.decodeCertificate(config.getSigningCertificate());
    } catch (CertificateException decodeFailure) {
        SAML2SSOServerException serverError = new SAML2SSOServerException(StatusCode.RESPONDER_URI,
                "Error occurred while decoding signing certificate.", decodeFailure);
        serverError.setInResponseTo(authnRequest.getID());
        serverError.setAcsUrl(authnRequest.getDestination());
        throw serverError;
    }

    SPInitRequest inbound = (SPInitRequest) saml2SSOContext.getRequest();
    if (!inbound.isRedirect()) {
        return validateXMLSignature(authnRequest, signingCert, saml2SSOContext.getId(), saml2SSOContext.getAssertionConsumerURL());
    }
    // HTTP-Redirect: the signature covers the query string, not the XML.
    return validateDeflateSignature(inbound.getQueryString(), inbound.getSignature(), inbound.getSignatureAlgorithm(),
            signingCert, saml2SSOContext.getId(), saml2SSOContext.getAssertionConsumerURL(), saml2SSOContext.getSPEntityId());
}
messageStorage.storeMessage(authRequest.getID(), authRequest);