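/** {@inheritDoc} */
protected void doDecode(MessageContext messageContext) throws MessageDecodingException {
    // Only a SAMLMessageContext has the relay-state / inbound-message slots populated below.
    if (!(messageContext instanceof SAMLMessageContext)) {
        log.error("Invalid message context type, this decoder only support SAMLMessageContext");
        throw new MessageDecodingException(
                "Invalid message context type, this decoder only support SAMLMessageContext");
    }
    if (!(messageContext.getInboundMessageTransport() instanceof HTTPInTransport)) {
        log.error("Invalid inbound message transport type, this decoder only support HTTPInTransport");
        throw new MessageDecodingException(
                "Invalid inbound message transport type, this decoder only support HTTPInTransport");
    }
    SAMLMessageContext samlMsgCtx = (SAMLMessageContext) messageContext;
    HTTPInTransport inTransport = (HTTPInTransport) samlMsgCtx.getInboundMessageTransport();
    // Constant on the left: a transport reporting no method is rejected instead of throwing an NPE.
    if (!"POST".equalsIgnoreCase(inTransport.getHTTPMethod())) {
        throw new MessageDecodingException("This message decoder only supports the HTTP POST method");
    }

    String relayState = inTransport.getParameterValue("RelayState");
    samlMsgCtx.setRelayState(relayState);
    log.debug("Decoded SAML relay state of: {}", relayState);

    InputStream base64DecodedMessage = getBase64DecodedMessage(inTransport);
    // The unmarshalled object is untrusted input: check its type before casting so an
    // unexpected SAML element yields a MessageDecodingException rather than a ClassCastException.
    Object decoded = unmarshallMessage(base64DecodedMessage);
    if (!(decoded instanceof Assertion)) {
        log.error("Decoded SAML message is not an Assertion, this decoder only support Assertion messages");
        throw new MessageDecodingException("Decoded SAML message is not an Assertion");
    }
    Assertion inboundMessage = (Assertion) decoded;
    // The issuer value is needed to build the wrapping Response; reject an assertion without one.
    if (inboundMessage.getIssuer() == null || inboundMessage.getIssuer().getValue() == null) {
        log.error("Decoded SAML Assertion has no Issuer value");
        throw new MessageDecodingException("Decoded SAML Assertion has no Issuer value");
    }

    // NOTE(review): the Response is synthesized around the bare Assertion here, so Response-level
    // checks downstream presumably do not reflect anything the IdP signed; the Assertion itself
    // must be validated by the caller — confirm.
    Response response = SamlRedirectUtils.wrapAssertionIntoResponse(inboundMessage, inboundMessage.getIssuer().getValue());
    samlMsgCtx.setInboundMessage(response);
    samlMsgCtx.setInboundSAMLMessage(response);
    log.debug("Decoded SAML message");
    populateMessageContext(samlMsgCtx);
}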
/**
 * Handles a user that could not be mapped or authorized for SAML Single Sign-On. When the
 * Saml2FailedLoginRedirectUrl configuration value is set, the browser is redirected there;
 * otherwise a ServerApiException carrying the serialized API error is thrown. Authorized users
 * pass through untouched.
 *
 * @param params       request parameters forwarded into the serialized error
 * @param responseType response format forwarded into the serialized error
 * @param resp         servlet response used to send the redirect
 * @param issuer       issuer of the SAML response, used for the authorization check
 * @param userAccount  resolved user account, may be null
 * @throws IOException if the redirect cannot be written to the response
 */
protected void whenFailToAuthenticateThrowExceptionOrRedirectToUrl(final Map<String, Object[]> params, final String responseType, final HttpServletResponse resp, Issuer issuer, UserAccount userAccount) throws IOException {
    boolean authorized = userAccount != null
            && userAccount.getExternalEntity() != null
            && samlAuthManager.isUserAuthorized(userAccount.getId(), issuer.getValue());
    if (authorized) {
        return;
    }
    // The redirect target is taken from administrator configuration, not from the request.
    String failureRedirect = saml2FailedLoginRedirectUrl.value();
    if (!StringUtils.isBlank(failureRedirect)) {
        resp.sendRedirect(failureRedirect);
        return;
    }
    throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "Your authenticated user is not authorized for SAML Single Sign-On, please contact your administrator", params, responseType));
}
Issuer issuer = processedSAMLResponse.getIssuer(); SAMLProviderMetadata spMetadata = samlAuthManager.getSPMetadata(); SAMLProviderMetadata idpMetadata = samlAuthManager.getIdPMetadata(issuer.getValue()); SAMLTokenVO token = samlAuthManager.getToken(responseToId); if (token != null) { if (!(token.getEntity().equalsIgnoreCase(issuer.getValue()))) { throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "The SAML response contains Issuer Entity ID that is different from the original SAML request", session.setAttribute(SAMLPluginConstants.SAML_IDPID, issuer.getValue()); List<UserAccountVO> possibleUserAccounts = userAccountDao.getAllUsersByNameAndEntity(username, issuer.getValue()); if (possibleUserAccounts != null && possibleUserAccounts.size() > 0) {
/**
 * Returns the issuer of the wrapped SAML assertion, i.e. the value of its Issuer element.
 *
 * @return the issuer entity id carried in the assertion
 */
@Override
public String getIssuerName() {
    return this.assertion.getIssuer().getValue();
}
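/**
 * Check for the validity of the issuer: both the entity value and the SPProvidedID must
 * equal the values this service trusts.
 * <p>
 * The expected constants are placed on the left of {@code equals} so that an Issuer with a
 * missing value or SPProvidedID is reported as invalid instead of raising a
 * NullPointerException.
 *
 * @param issuer :who makes the claims inside the Query
 * @return whether the issuer is valid
 */
private boolean validateIssuer(Issuer issuer) {
    return "https://identity.carbon.wso2.org".equals(issuer.getValue())
            && "SPPProvierId".equals(issuer.getSPProvidedID());
}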
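/**
 * Check for the validity of the issuer: both the entity value and the SPProvidedID must
 * equal the values this service trusts.
 * <p>
 * The expected constants are placed on the left of {@code equals} so that an Issuer with a
 * missing value or SPProvidedID is reported as invalid instead of raising a
 * NullPointerException.
 *
 * @param issuer :who makes the claims inside the Query
 * @return whether the issuer is valid
 */
private boolean validateIssuer(Issuer issuer) {
    return "https://identity.carbon.wso2.org".equals(issuer.getValue())
            && "SPPProvierId".equals(issuer.getSPProvidedID());
}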
/**
 * Check for the validity of the issuer: the entity value must equal ISSUER_URL and the
 * SPProvidedID must be the expected provider id. Constants are compared on the left, so a
 * missing value or SPProvidedID simply fails validation.
 *
 * @param issuer :who makes the claims inside the Query
 * @return whether the issuer is valid
 */
private boolean validateIssuer(Issuer issuer) {
    if (!ISSUER_URL.equals(issuer.getValue())) {
        return false;
    }
    return "SPPProvider".equals(issuer.getSPProvidedID());
}
/**
 * Check for the validity of the issuer: the entity value must equal ISSUER_URL and the
 * SPProvidedID must be the expected provider id. Constants are compared on the left, so a
 * missing value or SPProvidedID simply fails validation.
 *
 * @param issuer :who makes the claims inside the Query
 * @return whether the issuer is valid
 */
private boolean validateIssuer(Issuer issuer) {
    if (!ISSUER_URL.equals(issuer.getValue())) {
        return false;
    }
    return "SPPProvider".equals(issuer.getSPProvidedID());
}
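/**
 * Verifies that the assertion's Issuer equals the resident IdP entity id of the tenant.
 *
 * @param assertion    the SAML assertion being validated
 * @param tenantDomain tenant the token was presented to; only used in the debug log
 * @param idpEntityId  expected issuer value; null means no resident IdP entity id is available
 * @return true when the issuer matches
 * @throws IdentityOAuth2Exception when the expected id is null, the assertion carries no
 *                                 Issuer element/value, or the two values differ
 */
private boolean validateIdpEntityId(Assertion assertion, String tenantDomain, String idpEntityId)
        throws IdentityOAuth2Exception {
    // A missing Issuer element or value is treated as a mismatch rather than an NPE.
    String receivedIssuer = assertion.getIssuer() == null ? null : assertion.getIssuer().getValue();
    if (idpEntityId == null || !idpEntityId.equals(receivedIssuer)) {
        if (log.isDebugEnabled()) {
            log.debug("SAML Token Issuer verification failed against resident Identity Provider "
                    + "in tenant : " + tenantDomain + ". Received : " + receivedIssuer
                    + ", Expected : " + idpEntityId);
        }
        throw new IdentityOAuth2Exception("Issuer verification failed against resident idp");
    }
    return true;
}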
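/**
 * Fails the token exchange when no Identity Provider could be resolved for the assertion's issuer.
 *
 * @param assertion        the SAML assertion whose issuer was looked up; only used in the debug log
 * @param tenantDomain     tenant in which the lookup was made; only used in the debug log
 * @param identityProvider result of the lookup, may be null
 * @throws IdentityOAuth2Exception if {@code identityProvider} is null
 */
private void checkNullIdentityProvider(Assertion assertion, String tenantDomain, IdentityProvider identityProvider)
        throws IdentityOAuth2Exception {
    if (identityProvider == null) {
        if (log.isDebugEnabled()) {
            // Guard the issuer access so the log statement cannot mask the real failure with an NPE.
            String issuerValue = assertion.getIssuer() == null ? null : assertion.getIssuer().getValue();
            log.debug("SAML Token Issuer : " + issuerValue + " not registered as a local Identity Provider in tenant : " + tenantDomain);
        }
        throw new IdentityOAuth2Exception("Identity provider is null");
    }
}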
/**
 * Tells whether the assertion lacks a usable Issuer: the element is absent or its value is
 * null/empty.
 *
 * @param assertion the assertion to inspect
 * @return true when no issuer value is available
 */
private boolean issuerNotFoundInAssertion(Assertion assertion) {
    if (assertion.getIssuer() == null) {
        return true;
    }
    return StringUtils.isEmpty(assertion.getIssuer().getValue());
}
/**
 * Checks that the Issuer carries a name, i.e. that its value is non-empty.
 *
 * @param issuer the Issuer element to validate
 * @throws ValidationException if the issuer value is missing or empty
 */
protected void validateName(Issuer issuer) throws ValidationException {
    String issuerValue = issuer.getValue();
    if (!DatatypeHelper.isEmpty(issuerValue)) {
        return;
    }
    throw new ValidationException("Issuer name required");
}
} // closes the enclosing class
/**
 * Verifies that the Issuer of a received assertion uses an acceptable format and names the
 * expected peer entity. Failures are written to standard output and reported as a
 * SAMLException with a generic message.
 *
 * @param issuer  Issuer element of the assertion
 * @param context message context holding the expected peer entity metadata
 * @throws SAMLException if the format is present but not the entity format, or the value
 *                       differs from the peer entity id
 */
protected void verifyIssuer(Issuer issuer, BasicSAMLMessageContext context) throws SAMLException {
    // Validate the format of the issuer: when present it must be the entity format.
    String issuerFormat = issuer.getFormat();
    if (issuerFormat != null && !issuerFormat.equals(NameIDType.ENTITY)) {
        System.out.println("Assertion invalidated by issuer type" + issuerFormat);
        throw new SAMLException("SAML Assertion is invalid");
    }
    // Validate that the issuer is the peer entity this context was built for.
    String expectedEntityId = context.getPeerEntityMetadata().getEntityID();
    if (!expectedEntityId.equals(issuer.getValue())) {
        System.out.println("Assertion invalidated by unexpected issuer value" + issuer.getValue());
        throw new SAMLException("SAML Assertion is invalid");
    }
}
/**
 * Method getIssuerString returns the issuerString of this AssertionWrapper object.
 * For a SAML 2 assertion with an Issuer element this is the Issuer value; otherwise, for a
 * SAML 1 assertion, its issuer string. When neither is available an error is logged and
 * null is returned.
 *
 * @return the issuerString (type String) of this AssertionWrapper object, or null
 */
public String getIssuerString() {
    boolean hasSaml2Issuer = saml2 != null && saml2.getIssuer() != null;
    if (hasSaml2Issuer) {
        return saml2.getIssuer().getValue();
    }
    if (saml1 != null) {
        return saml1.getIssuer();
    }
    LOG.error(
        "AssertionWrapper: unable to return Issuer string - no saml assertion "
        + "object or issuer is null"
    );
    return null;
}
/**
 * Verifies that the Issuer uses an acceptable format and names the expected peer entity.
 *
 * @param issuer  Issuer element of the received message
 * @param context message context holding the expected peer entity metadata
 * @throws SAMLException if the format is present but not the entity format, or the value
 *                       differs from the peer entity id
 */
protected void verifyIssuer(Issuer issuer, SAMLMessageContext context) throws SAMLException {
    // Validate format of issuer: when present it must be the entity format.
    String issuerFormat = issuer.getFormat();
    if (issuerFormat != null && !issuerFormat.equals(NameIDType.ENTITY)) {
        throw new SAMLException("Issuer invalidated by issuer type " + issuerFormat);
    }
    // Validate that issuer is the expected peer entity.
    String issuerValue = issuer.getValue();
    if (!context.getPeerEntityMetadata().getEntityID().equals(issuerValue)) {
        throw new SAMLException("Issuer invalidated by issuer value " + issuerValue);
    }
}
/**
 * Looks up the Identity Provider whose authenticator property IDP_ENTITY_ID equals the
 * assertion's issuer value, within the given tenant.
 *
 * @param assertion             assertion whose Issuer value is the lookup key
 * @param tenantDomain          tenant to search in
 * @param authenticatorProperty authenticator property name passed to the manager
 * @return the matching Identity Provider as returned by the manager
 * @throws IdentityProviderManagementException if the lookup fails
 */
private IdentityProvider getIdPByAuthenticatorPropertyValue(Assertion assertion, String tenantDomain, String authenticatorProperty) throws IdentityProviderManagementException {
    IdentityProviderManager idpManager = IdentityProviderManager.getInstance();
    String issuerEntityId = assertion.getIssuer().getValue();
    return idpManager.getIdPByAuthenticatorPropertyValue(IDP_ENTITY_ID, issuerEntityId, tenantDomain, authenticatorProperty, false);
}
/**
 * Captures the subject and issuer details of a SAML-authenticated principal.
 * The credentials of {@code authentication} are expected to be a SAMLCredential; the
 * NameID, issuer and issue instant are read from its authentication assertion.
 *
 * @param authentication the authenticated token carrying a SAMLCredential
 */
public General(Authentication authentication) {
    SAMLCredential samlCredential = (SAMLCredential) authentication.getCredentials();
    NameID subjectNameId = samlCredential.getNameID();
    this.name = authentication.getName();
    this.principal = authentication.getPrincipal();
    this.nameId = subjectNameId.getValue();
    this.nameIdFormat = subjectNameId.getFormat();
    this.idp = samlCredential.getAuthenticationAssertion().getIssuer().getValue();
    this.assertionIssueTime = samlCredential.getAuthenticationAssertion().getIssueInstant();
}
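/**
 * Validates that the assertion's Issuer is present and equals the entity id of the IdP
 * configured for this authentication context.
 *
 * @param assertion the assertion under validation
 * @param context   authentication context carrying the IdP configuration
 * @throws SAML2SSOAuthenticationException if the Issuer element or its value is missing, or
 *                                         it does not match the configured IdP entity id
 */
protected void validateIssuer(Assertion assertion, AuthenticationContext context) throws SAML2SSOAuthenticationException {
    if (assertion.getIssuer() == null) {
        throw new SAML2SSOAuthenticationException("Cannot find Issuer element in Assertion.");
    }
    String receivedIssuer = assertion.getIssuer().getValue();
    String expectedIssuer = getIdPEntityId(getIdentityProviderConfig(context));
    // Compare from the received side: a null configured id (misconfiguration) fails rather than
    // matching anything, and a null received value is rejected explicitly instead of raising an NPE.
    if (receivedIssuer == null || !receivedIssuer.equals(expectedIssuer)) {
        throw new SAML2SSOAuthenticationException("Issuer validation failed.");
    }
}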
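/**
 * Validates the single assertion of a SAML response: exactly one assertion must be present,
 * its issuer must equal the expected response issuer, it must carry a Subject NameID, and
 * its Conditions are enforced.
 *
 * @param response the response whose assertion is validated
 * @throws SamlException if any of the checks fails
 */
private void validateAssertion(Response response) throws SamlException {
    // Exactly one assertion is accepted; additional assertions could carry other subjects or conditions.
    if (response.getAssertions().size() != 1) {
        throw new SamlException("The response doesn't contain exactly 1 assertion");
    }
    Assertion assertion = response.getAssertions().get(0);
    // A missing Issuer element or value is a mismatch, not an NPE.
    String assertionIssuer = assertion.getIssuer() == null ? null : assertion.getIssuer().getValue();
    if (assertionIssuer == null || !assertionIssuer.equals(responseIssuer)) {
        throw new SamlException("The assertion issuer didn't match the expected value");
    }
    // Guard the Subject itself as well as its NameID.
    if (assertion.getSubject() == null || assertion.getSubject().getNameID() == null) {
        throw new SamlException(
            "The NameID value is missing from the SAML response; this is likely an IDP configuration issue");
    }
    enforceConditions(assertion.getConditions());
}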
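/**
 * Validates the top-level SAML response: it must pass schema validation, its issuer must
 * equal the expected response issuer, and its status code must be Success.
 *
 * @param response the response to validate
 * @throws SamlException if schema validation fails, the issuer is absent or differs, or the
 *                       status is not Success
 */
private void validateResponse(Response response) throws SamlException {
    try {
        new ResponseSchemaValidator().validate(response);
    } catch (ValidationException ex) {
        throw new SamlException("The response schema validation failed", ex);
    }
    // A response without an Issuer element or value is rejected here rather than raising an NPE.
    String issuerValue = response.getIssuer() == null ? null : response.getIssuer().getValue();
    if (issuerValue == null || !issuerValue.equals(responseIssuer)) {
        throw new SamlException("The response issuer didn't match the expected value");
    }
    String statusCode = response.getStatus().getStatusCode().getValue();
    // Constant on the left so a missing status code value is reported as invalid, not as an NPE.
    if (!"urn:oasis:names:tc:SAML:2.0:status:Success".equals(statusCode)) {
        throw new SamlException("Invalid status code: " + statusCode);
    }
}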