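/**
 * Extracts the entityID from the given descriptor and appends it to the result list.
 *
 * <p>No signature or trust validation happens here: this method only reads the entityID.
 * Any signature checks on the descriptor must be performed by the caller before the
 * collected entity is treated as trusted.
 *
 * @param result list the entityID is appended to
 * @param descriptor descriptor whose entityID is collected
 * @throws MetadataProviderException declared for caller compatibility; this method itself
 *         does not raise it
 */
private void addDescriptor(List<String> result, EntityDescriptor descriptor) throws MetadataProviderException {
    String entityID = descriptor.getEntityID();
    // "{}" placeholder is required for the ID to be rendered; without it the argument is dropped
    log.debug("Found metadata EntityDescriptor with ID {}", entityID);
    result.add(entityID);
}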
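/**
 * Resolves the entityID of the single entity this provider describes.
 *
 * <p>Metadata is fetched first, then inspected: a single {@code EntityDescriptor} yields its
 * own entityID; an {@code EntitiesDescriptor} is accepted only when it wraps exactly one
 * entity, since an aggregate would make the ID ambiguous.
 *
 * @return the entityID of the described entity
 * @throws MetadataProviderException if no metadata is available, the aggregate does not
 *         contain exactly one entity, or the root element is of an unexpected type
 */
default String getEntityID() throws MetadataProviderException {
    fetchMetadata();
    XMLObject metadata = doGetMetadata();
    if (metadata == null) {
        // Without this guard the error branch below would dereference null
        throw new MetadataProviderException("Invalid metadata. No metadata available.");
    }
    if (metadata instanceof EntityDescriptor) {
        return ((EntityDescriptor) metadata).getEntityID();
    }
    if (metadata instanceof EntitiesDescriptor) {
        EntitiesDescriptor aggregate = (EntitiesDescriptor) metadata;
        int count = aggregate.getEntityDescriptors().size();
        if (count != 1) {
            throw new MetadataProviderException("Invalid metadata. Number of descriptors must be 1, but is " + count);
        }
        return aggregate.getEntityDescriptors().get(0).getEntityID();
    }
    throw new MetadataProviderException("Unknown descriptor class:" + metadata.getClass().getName());
}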
/**
 * Generates the entity descriptor via the superclass and stamps its XML ID attribute
 * with an NCName-safe form of the entityID.
 *
 * @return the generated descriptor, with its ID attribute set
 */
@Override
public EntityDescriptor generateMetadata() {
    EntityDescriptor descriptor = super.generateMetadata();
    String ncName = SAMLUtil.getNCNameString(descriptor.getEntityID());
    descriptor.setID(ncName);
    return descriptor;
}
/**
 * Generates the entity descriptor via the superclass and stamps its XML ID attribute
 * with an NCName-safe form of the entityID.
 *
 * @return the generated descriptor, with its ID attribute set
 */
@Override
public EntityDescriptor generateMetadata() {
    EntityDescriptor descriptor = super.generateMetadata();
    String ncName = SAMLUtil.getNCNameString(descriptor.getEntityID());
    descriptor.setID(ncName);
    return descriptor;
}
/**
 * Builds the local service provider's metadata and wraps it in an in-memory provider.
 *
 * @return delegate combining the generated descriptor and its extended metadata
 * @throws MetadataProviderException if the in-memory provider cannot be initialized
 */
public ExtendedMetadataDelegate getLocalServiceProvider() throws MetadataProviderException {
    EntityDescriptor spDescriptor = generator.generateMetadata();
    ExtendedMetadata spExtended = generator.generateExtendedMetadata();
    String entityId = spDescriptor.getEntityID();
    log.info("Initialized local service provider for entityID: " + entityId);
    MetadataMemoryProvider inMemory = new MetadataMemoryProvider(spDescriptor);
    inMemory.initialize();
    return new ExtendedMetadataDelegate(inMemory, spExtended);
}
/**
 * Builds the local identity provider's metadata and wraps it in an in-memory provider.
 *
 * @return delegate combining the generated descriptor and its extended metadata
 * @throws MetadataProviderException if the in-memory provider cannot be initialized
 */
public ExtendedMetadataDelegate getLocalIdp() throws MetadataProviderException {
    EntityDescriptor idpDescriptor = generator.generateMetadata();
    ExtendedMetadata idpExtended = generator.generateExtendedMetadata();
    String entityId = idpDescriptor.getEntityID();
    log.info("Initialized local identity provider for entityID: " + entityId);
    MetadataMemoryProvider inMemory = new MetadataMemoryProvider(idpDescriptor);
    inMemory.initialize();
    return new ExtendedMetadataDelegate(inMemory, idpExtended);
}
ExtendedMetadata extendedMetadata = generator.generateExtendedMetadata(); log.info("Created default metadata for system with entityID: " + descriptor.getEntityID()); MetadataMemoryProvider memoryProvider = new MetadataMemoryProvider(descriptor); memoryProvider.initialize(); manager.setHostedIdpName(descriptor.getEntityID()); manager.refreshMetadata();
/**
 * The default zone with one persisted SP yields that SP from the configurator, and the
 * metadata manager exposes it (alongside the local IdP) with a resolvable descriptor.
 */
@Test
public void testGetAvailableProvidersForDefaultZone() throws Exception {
    IdentityZone zone = samlTestUtils.getUaaZoneWithSamlConfig();
    IdentityZoneHolder.set(zone);
    SamlServiceProvider persisted = mockSamlServiceProviderForZone(zone.getId());
    when(providerProvisioning.retrieveActive(zone.getId())).thenReturn(Arrays.asList(persisted));

    assertEquals(1, configurator.getSamlServiceProvidersForZone(zone).size());
    // NonSnarlIdpMetadataManager also returns the local IdP as an entity, hence 2
    assertEquals(2, this.metadataManager.getAvailableProviders().size());

    SamlServiceProvider configured = configurator.getSamlServiceProvidersForZone(zone).get(0).getSamlServiceProvider();
    ExtendedMetadataDelegate delegate = this.metadataManager.getAvailableProviders().get(1);
    delegate.initialize();
    EntityDescriptor resolved = delegate.getEntityDescriptor(configured.getEntityId());
    assertNotNull(resolved);
    assertEquals(configured.getEntityId(), resolved.getEntityID());
}
/**
 * An SP validated in the configurator but not persisted must not survive the refresh:
 * only the persisted SP (plus the local IdP) remains available.
 */
@Test
public void testGetAvailableProvidersRemovesNonPersistedProvidersInConfigurator() throws Exception {
    IdentityZone zone = samlTestUtils.getUaaZoneWithSamlConfig();
    configurator.validateSamlServiceProvider(mockSamlServiceProviderForZone(zone.getId()));
    configurator.validateSamlServiceProvider(mockSamlServiceProvider("non-persisted-saml-sp"));
    SamlServiceProvider persisted = mockSamlServiceProviderForZone(zone.getId());
    when(providerProvisioning.retrieveActive(zone.getId())).thenReturn(Arrays.asList(persisted));
    IdentityZoneHolder.set(zone);

    assertEquals(1, configurator.getSamlServiceProvidersForZone(zone).size());
    assertEquals(2, this.metadataManager.getAvailableProviders().size());

    SamlServiceProvider configured = configurator.getSamlServiceProvidersForZone(zone).get(0).getSamlServiceProvider();
    ExtendedMetadataDelegate delegate = this.metadataManager.getAvailableProviders().get(1);
    delegate.initialize();
    EntityDescriptor resolved = delegate.getEntityDescriptor(configured.getEntityId());
    assertNotNull(resolved);
    assertEquals(configured.getEntityId(), resolved.getEntityID());
}
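/**
 * Extracts the entityID from the given descriptor and appends it to the result list.
 *
 * <p>No signature or trust validation happens here: this method only reads the entityID.
 * Any signature checks on the descriptor must be performed by the caller before the
 * collected entity is treated as trusted.
 *
 * @param result list the entityID is appended to
 * @param descriptor descriptor whose entityID is collected
 * @throws MetadataProviderException declared for caller compatibility; this method itself
 *         does not raise it
 */
private void addDescriptor(List<String> result, EntityDescriptor descriptor) throws MetadataProviderException {
    String entityID = descriptor.getEntityID();
    // "{}" placeholder is required for the ID to be rendered; without it the argument is dropped
    log.debug("Found metadata EntityDescriptor with ID {}", entityID);
    result.add(entityID);
}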
/**
 * Copies the metadata entityID into the service provider's issuer field, rejecting a
 * missing or empty entityID up front.
 *
 * @param entityDescriptor descriptor providing the entityID
 * @param samlssoServiceProviderDO provider record to update
 * @throws InvalidMetadataException if the entityID is null or empty
 */
private void setIssuer(EntityDescriptor entityDescriptor, SAMLSSOServiceProviderDO samlssoServiceProviderDO) throws InvalidMetadataException {
    String issuer = entityDescriptor.getEntityID();
    boolean missing = issuer == null || issuer.isEmpty();
    if (missing) {
        throw new InvalidMetadataException("Invalid metadata content, Issuer can't be empty");
    }
    samlssoServiceProviderDO.setIssuer(issuer);
}
/**
 * Copies the metadata entityID into the service provider's issuer field.
 *
 * <p>NOTE(review): there is no null/empty check on the entityID here, so a descriptor
 * without an entityID results in an empty issuer being stored — confirm callers
 * validate it beforehand.
 *
 * @param entityDescriptor descriptor providing the entityID
 * @param samlssoServiceProviderDO provider record to update
 */
private void setIssuer(EntityDescriptor entityDescriptor , SAMLSSOServiceProviderDO samlssoServiceProviderDO){
    // The issuer is the SP's metadata entityID
    samlssoServiceProviderDO.setIssuer(entityDescriptor.getEntityID());
}

private void setNameIDFormat(SPSSODescriptor spssoDescriptor, SAMLSSOServiceProviderDO samlssoServiceProviderDO){
private void addIdpToMap(EntityDescriptor descriptor, Map<String, SAMLProviderMetadata> idpMap) { SAMLProviderMetadata idpMetadata = new SAMLProviderMetadata(); idpMetadata.setEntityId(descriptor.getEntityID()); s_logger.debug("Adding IdP to the list of discovered IdPs: " + descriptor.getEntityID()); if (descriptor.getOrganization() != null) { if (descriptor.getOrganization().getDisplayNames() != null) {
/**
 * Checks that the entityID is present and does not exceed the maximum length.
 *
 * @param entityDescriptor descriptor whose entityID is checked
 * @throws ValidationException if the entityID is empty or longer than 1024 characters
 */
protected void validateEntityID(EntityDescriptor entityDescriptor) throws ValidationException {
    final int maxLength = 1024;
    String entityId = entityDescriptor.getEntityID();
    if (DatatypeHelper.isEmpty(entityId)) {
        throw new ValidationException("Entity ID required.");
    }
    if (entityId.length() > maxLength) {
        throw new ValidationException("Max Entity ID length is 1024.");
    }
}
/**
 * Removes from the entity descriptor every role whose name is not on the whitelist.
 *
 * @param descriptor entity descriptor to filter in place
 * @throws FilterException thrown if an effective role name can not be determined
 */
protected void filterEntityDescriptor(EntityDescriptor descriptor) throws FilterException {
    List<RoleDescriptor> roles = descriptor.getRoleDescriptors();
    if (roles == null || roles.isEmpty()) {
        return;
    }
    // Iterator removal so the list can be edited while being walked
    for (Iterator<RoleDescriptor> it = roles.iterator(); it.hasNext(); ) {
        QName name = getRoleName(it.next());
        if (roleWhiteList.contains(name)) {
            continue;
        }
        log.trace("Filtering out role {} from entity {}", name, descriptor.getEntityID());
        it.remove();
    }
}
/**
 * Tells whether the delegate's metadata describes at least one local entity.
 *
 * <p>A single EntityDescriptor is checked directly; an EntitiesDescriptor is checked
 * entity by entity; any other root type is treated as not local.
 *
 * @param delegate metadata delegate to inspect (initialized here)
 * @return true if any described entityID is local to this delegate
 */
@SneakyThrows
private boolean isLocal(ExtendedMetadataDelegate delegate) {
    delegate.initialize();
    XMLObject metadata = delegate.getDelegate().getMetadata();
    Class<?> rootType = metadata.getClass();
    List<EntityDescriptor> candidates;
    if (EntityDescriptor.class.isAssignableFrom(rootType)) {
        candidates = Collections.singletonList((EntityDescriptor) metadata);
    } else if (EntitiesDescriptor.class.isAssignableFrom(rootType)) {
        candidates = ((EntitiesDescriptor) metadata).getEntityDescriptors();
    } else {
        candidates = Collections.emptyList();
    }
    for (EntityDescriptor candidate : candidates) {
        if (isLocal(delegate, candidate.getEntityID())) {
            return true;
        }
    }
    return false;
}
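/**
 * Picks the signing certificate out of the SP's key descriptors and stores it on the
 * provider record, using the entityID as the certificate alias.
 *
 * <p>Only a KeyDescriptor whose {@code use} is SIGNING is considered; descriptors with a
 * different or unspecified use are skipped, so an encryption key is never stored as the
 * signing certificate. The first signing descriptor that yields a certificate wins.
 * Failures while decoding a certificate are logged and leave the record unchanged.
 *
 * @param entityDescriptor descriptor supplying the entityID used as alias
 * @param spssoDescriptor SP role descriptor holding the key descriptors
 * @param samlssoServiceProviderDO provider record that receives certificate and alias
 */
private void setX509Certificate(EntityDescriptor entityDescriptor, SPSSODescriptor spssoDescriptor, SAMLSSOServiceProviderDO samlssoServiceProviderDO) {
    List<KeyDescriptor> descriptors = spssoDescriptor.getKeyDescriptors();
    if (descriptors == null || descriptors.isEmpty()) {
        return;
    }
    for (KeyDescriptor descriptor : descriptors) {
        // getUse() can be null when the attribute is absent from the metadata; that is not treated as SIGNING here
        if (descriptor == null || descriptor.getUse() == null || !"SIGNING".equals(descriptor.getUse().toString())) {
            continue;
        }
        try {
            List<java.security.cert.X509Certificate> certificates =
                    org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificates(descriptor.getKeyInfo());
            if (certificates == null || certificates.isEmpty()) {
                // KeyInfo without an embedded certificate (e.g. key value only) cannot be stored
                log.warn("Signing KeyDescriptor carries no X509 certificate; skipping");
                continue;
            }
            samlssoServiceProviderDO.setX509Certificate(certificates.get(0));
            samlssoServiceProviderDO.setCertAlias(entityDescriptor.getEntityID());
            return;
        } catch (Exception ex) {
            // CertificateException and any other decoding failure are handled alike: log and try the next descriptor
            log.error("Error While setting Certificate and alias", ex);
        }
    }
}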
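/**
 * Verifies that the assertion's Issuer uses the entity format (or none) and matches the
 * entityID of the peer entity the message context was resolved for.
 *
 * <p>Diagnostics go into the exception message instead of standard output, so a rejected
 * issuer is visible wherever the exception is logged.
 *
 * @param issuer issuer element of the assertion
 * @param context message context carrying the peer entity metadata
 * @throws SAMLException when the format is not {@code NameIDType.ENTITY} or the value
 *         differs from the expected peer entityID
 */
protected void verifyIssuer(Issuer issuer, BasicSAMLMessageContext context) throws SAMLException {
    String format = issuer.getFormat();
    // Format is optional; when present it must be the entity format
    if (format != null && !format.equals(NameIDType.ENTITY)) {
        throw new SAMLException("Issuer invalidated by issuer type " + format);
    }
    // The issuer must be the peer entity already bound to this context; it is never looked up from the value
    String expectedEntityId = context.getPeerEntityMetadata().getEntityID();
    if (!expectedEntityId.equals(issuer.getValue())) {
        throw new SAMLException("Issuer invalidated by issuer value " + issuer.getValue());
    }
}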
/**
 * Verifies that the assertion's Issuer uses the entity format (or none) and matches the
 * entityID of the peer entity the message context was resolved for.
 *
 * @param issuer issuer element of the assertion
 * @param context message context carrying the peer entity metadata
 * @throws SAMLException when the format is not {@code NameIDType.ENTITY} or the value
 *         differs from the expected peer entityID
 */
protected void verifyIssuer(Issuer issuer, SAMLMessageContext context) throws SAMLException {
    String format = issuer.getFormat();
    // Format is optional; when present it must be the entity format
    if (format != null && !format.equals(NameIDType.ENTITY)) {
        throw new SAMLException("Issuer invalidated by issuer type " + format);
    }
    // The issuer must be the peer entity already bound to this context
    String expectedEntityId = context.getPeerEntityMetadata().getEntityID();
    if (!expectedEntityId.equals(issuer.getValue())) {
        throw new SAMLException("Issuer invalidated by issuer value " + issuer.getValue());
    }
}
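/**
 * Verifies the assertion signature.
 *
 * <p>A present signature is always verified against the peer entity's metadata, whether or
 * not the local SP requires signed assertions: an assertion carrying a signature that does
 * not validate is rejected rather than silently accepted. When no signature is present and
 * the local SP metadata sets wantAssertionsSigned, the assertion is rejected.
 *
 * @param signature signature to verify, or {@code null} when the assertion is unsigned
 * @param context message context supplying local role metadata and peer entity metadata
 * @throws SAMLException signature missing although required
 * @throws org.opensaml.xml.security.SecurityException signature can't be validated
 * @throws ValidationException signature is malformed
 */
protected void verifyAssertionSignature(Signature signature, BasicSAMLMessageContext context) throws SAMLException, org.opensaml.xml.security.SecurityException, ValidationException {
    SPSSODescriptor roleMetadata = (SPSSODescriptor) context.getLocalEntityRoleMetadata();
    // Boolean.TRUE.equals tolerates a boxed null (attribute absent) and reads it as "not required"
    boolean wantSigned = Boolean.TRUE.equals(roleMetadata.getWantAssertionsSigned());
    if (signature != null) {
        // Verify every signature that is present, not only the required ones
        verifySignature(signature, context.getPeerEntityMetadata().getEntityID());
    } else if (wantSigned) {
        throw new SAMLException("Assertion must be signed, but is not");
    }
}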