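/**
 * Returns the first {@link NameID} in the {@link Response} that satisfies the specified
 * {@code filter}.
 *
 * <p>Assertions without a {@code Subject}, and subjects without a {@code NameID}, are skipped
 * instead of raising a {@link NullPointerException}, so {@code filter} is only ever invoked
 * with a non-null {@link NameID}.
 *
 * @param response the SAML response whose assertions are searched
 * @param filter the predicate a {@link NameID} must satisfy
 * @return the first matching {@link NameID}, or an empty {@link Optional} if none matches
 */
public static Optional<NameID> getNameId(Response response, Predicate<NameID> filter) {
    return response.getAssertions().stream()
                   .map(assertion -> assertion.getSubject())
                   .filter(subject -> subject != null)
                   .map(subject -> subject.getNameID())
                   .filter(nameId -> nameId != null)
                   .filter(filter)
                   .findFirst();
}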
/**
 * Builds a {@link LogoutResponse} answering the specified {@code logoutRequest} with the given
 * SAML status code URN, issued by this service provider ({@code entityId}).
 *
 * @param logoutRequest the request being answered; its ID becomes {@code InResponseTo}
 * @param statusCode the SAML status code URN to report
 * @return the populated (unsigned) logout response
 */
private LogoutResponse createLogoutResponse(LogoutRequest logoutRequest, String statusCode) {
    final LogoutResponse logoutResponse = build(LogoutResponse.DEFAULT_ELEMENT_NAME);
    logoutResponse.setID(requestIdManager.newId());
    logoutResponse.setInResponseTo(logoutRequest.getID());
    logoutResponse.setIssueInstant(DateTime.now());

    final Issuer issuer = build(Issuer.DEFAULT_ELEMENT_NAME);
    issuer.setValue(entityId);
    logoutResponse.setIssuer(issuer);

    // Status -> StatusCode nesting as required by the SAML protocol schema.
    final StatusCode code = build(StatusCode.DEFAULT_ELEMENT_NAME);
    code.setValue(statusCode);
    final Status status = build(Status.DEFAULT_ELEMENT_NAME);
    status.setStatusCode(code);
    logoutResponse.setStatus(status);

    return logoutResponse;
}
}
/**
 * Looks up the identity provider configuration registered under the entity ID carried by
 * the specified {@link Issuer}.
 *
 * @param issuer the {@code Issuer} element of an incoming SAML message
 * @return the matching configuration
 * @throws SamlException if the issuer value is absent or no configuration is registered for it
 */
private SamlIdentityProviderConfig resolveIdpConfig(Issuer issuer) {
    final String idpEntityId = issuer.getValue();
    // An absent issuer value is treated exactly like an unknown one: the lookup is skipped.
    final SamlIdentityProviderConfig config =
            idpEntityId == null ? null : idpConfigs.get(idpEntityId);
    if (config == null) {
        throw new SamlException("failed to find identity provider from configuration " +
                                issuer.getValue());
    }
    return config;
}
private Assertion getValidatedAssertion(Response response, String endpointUri) { final Status status = response.getStatus(); final String statusCode = status.getStatusCode().getValue(); if (!StatusCode.SUCCESS.equals(statusCode)) { throw new SamlException("response status code: " + statusCode + final DateTime issueInstant = response.getIssueInstant(); if (issueInstant == null) { throw new SamlException("failed to get IssueInstant attribute"); if (response.getEncryptedAssertions().isEmpty()) { assertions = response.getAssertions(); } else { final Issuer issuer = response.getIssuer(); if (issuer != null) { idp = resolveIdpConfig(issuer); for (final EncryptedAssertion encryptedAssertion : response.getEncryptedAssertions()) { builder.add(decryptAssertion(encryptedAssertion, idp.encryptionCredential())); builder.addAll(response.getAssertions()); assertions = builder.build(); final Issuer issuer = assertion.getIssuer(); if (issuer == null || issuer.getValue() == null) { throw new SamlException("failed to get an Issuer element from the assertion"); final List<AuthnStatement> authnStatements = assertion.getAuthnStatements(); if (authnStatements.isEmpty()) {
issuer.setValue("http://idp.example.com/post"); data.setInResponseTo(requestIdManager.newId()); data.setNotOnOrAfter(DateTime.now().plusMinutes(1)); data.setRecipient(recipient); subjectConfirmation.setSubjectConfirmationData(data); subjectConfirmation.setMethod("urn:oasis:names:tc:SAML:2.0:cm:bearer"); subject.getSubjectConfirmations().add(subjectConfirmation); assertion.setSubject(subject); assertion.setIssuer(XMLObjectSupport.cloneXMLObject(issuer)); assertion.setIssueInstant(DateTime.now()); assertion.setID(requestIdManager.newId()); authnStatement.setSessionIndex("1"); assertion.getAuthnStatements().add(authnStatement); conditions.setNotBefore(DateTime.now().minusMinutes(1)); conditions.setNotOnOrAfter(DateTime.now().plusMinutes(1)); audience.setAudienceURI(spEntityId); audienceRestriction.getAudiences().add(audience); conditions.getAudienceRestrictions().add(audienceRestriction); assertion.setConditions(conditions);
issuer.setValue(myEntityId); authnRequest.setIssuer(issuer); authnRequest.setIssueInstant(DateTime.now()); authnRequest.setDestination(idp.ssoEndpoint().toUriString()); authnRequest.setID(requestIdManager.newId()); final SamlEndpoint acsEndpoint = idp.acsEndpoint() .orElse(sp.defaultAcsConfig().endpoint()); authnRequest.setAssertionConsumerServiceURL(acsEndpoint.toUriString(portConfig.scheme().uriText(), defaultHostname, portConfig.port())); authnRequest.setProtocolBinding(acsEndpoint.bindingProtocol().urn()); nameIdPolicy.setFormat(policy.format().urn()); nameIdPolicy.setAllowCreate(policy.isCreatable()); authnRequest.setNameIDPolicy(nameIdPolicy); passwordAuthnCtxRef.setAuthnContextClassRef(AuthnContext.PASSWORD_AUTHN_CTX); requestedAuthnContext.setComparison(AuthnContextComparisonTypeEnumeration.EXACT); requestedAuthnContext.getAuthnContextClassRefs().add(passwordAuthnCtxRef); authnRequest.setRequestedAuthnContext(requestedAuthnContext);
/**
 * Builds a {@link LogoutRequest} addressed to {@code destination} and issued by {@code issuerId}.
 *
 * <p>Only the {@code Format} of the {@link NameID} is populated here; no NameID value is set
 * by this method.
 *
 * @param destination the URI the request will be sent to
 * @param issuerId the entity ID to place in the {@code Issuer} element
 * @return the populated (unsigned) logout request
 */
private LogoutRequest getLogoutRequest(String destination, String issuerId) {
    final Issuer issuer = build(Issuer.DEFAULT_ELEMENT_NAME);
    issuer.setValue(issuerId);

    final NameID nameId = build(NameID.DEFAULT_ELEMENT_NAME);
    nameId.setFormat(SamlNameIdFormat.EMAIL.urn());

    final LogoutRequest request = build(LogoutRequest.DEFAULT_ELEMENT_NAME);
    request.setID(requestIdManager.newId());
    request.setDestination(destination);
    request.setIssuer(issuer);
    request.setIssueInstant(DateTime.now());
    request.setNameID(nameId);
    return request;
}
/**
 * Extracts the principal ID from the {@code NameID} of the first assertion in the SAML
 * {@link Response} passed as {@code returnValue}, falling back to the superclass when the
 * response carries no assertion or the first assertion has no subject / name identifier.
 *
 * <p>NOTE(review): this only reads the value; it assumes the response was validated
 * (signature, conditions) before reaching this point — confirm against the caller.
 */
@Override
public String getPrincipalIdFrom(final Authentication authentication, final Object returnValue,
                                 final Exception exception) {
    val response = (Response) returnValue;
    val assertions = response.getAssertions();
    if (assertions.isEmpty()) {
        return super.getPrincipalIdFrom(authentication, returnValue, exception);
    }
    val subject = assertions.get(0).getSubject();
    if (subject == null || subject.getNameID() == null) {
        return super.getPrincipalIdFrom(authentication, returnValue, exception);
    }
    return subject.getNameID().getValue();
}
/**
 * Wraps an OpenSAML {@link AuthnRequest}, capturing its assertion consumer service URL,
 * its {@code ForceAuthn} flag and, when present, the value of its subject's {@code NameID}.
 *
 * @param authnRequest the parsed authentication request
 */
public SAMLAuthnRequest(AuthnRequest authnRequest) {
    super(authnRequest);
    consumerServiceURL = authnRequest.getAssertionConsumerServiceURL();
    // Unboxed assignment; a null ForceAuthn would fail here just as with booleanValue().
    forceAuthn = authnRequest.isForceAuthn();

    final boolean hasSubjectNameId = authnRequest.getSubject() != null
                                     && authnRequest.getSubject().getNameID() != null;
    if (hasSubjectNameId) {
        subjectNameId = authnRequest.getSubject().getNameID().getValue();
    }
}
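/**
 * Validates the addressing of an incoming {@link LogoutRequest} and returns the configuration
 * of the identity provider that issued it.
 *
 * <p>Checks performed, in order: an {@code Issuer} with a value is present, the request's
 * {@code Destination} equals the URI this endpoint is served at, and the issuer is a registered
 * identity provider. A missing {@code Issuer} element is reported as a {@link SamlException}
 * rather than surfacing as a {@link NullPointerException}.
 *
 * @param logoutRequest the decoded logout request
 * @param endpointUri the URI of this endpoint, which the request's destination must match
 * @return the configuration of the issuing identity provider
 * @throws SamlException if any of the checks above fails
 */
private SamlIdentityProviderConfig validateAndGetIdPConfig(LogoutRequest logoutRequest,
                                                           String endpointUri) {
    // The Issuer element itself is optional in the schema, so guard it before reading its value.
    final String issuer = logoutRequest.getIssuer() != null
                          ? logoutRequest.getIssuer().getValue() : null;
    if (issuer == null) {
        throw new SamlException("no issuer found from the logout request: " + logoutRequest.getID());
    }
    // Reject requests addressed to a different endpoint than the one that received them.
    if (!endpointUri.equals(logoutRequest.getDestination())) {
        throw new SamlException("unexpected destination: " + logoutRequest.getDestination());
    }
    final SamlIdentityProviderConfig config = idpConfigs.get(issuer);
    if (config == null) {
        throw new SamlException("unexpected identity provider: " + issuer);
    }
    return config;
}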
/**
 * Returns the subject value of the query qualified with its tenant domain, in the form
 * {@code <nameId>@<tenantDomain>}.
 *
 * @param request the assertion query whose subject {@code NameID} supplies the value
 * @param tenantDomain the tenant domain appended after {@code @}
 * @return the fully qualified subject value
 */
protected String getFullQualifiedSubject(SubjectQuery request, String tenantDomain) {
    final String subjectValue = request.getSubject().getNameID().getValue();
    return subjectValue + "@" + tenantDomain;
}
issuer = ((RequestAbstractType) message).getIssuer(); } else if (message instanceof StatusResponseType) { issuer = ((StatusResponseType) message).getIssuer(); } else { throw new SamlException("invalid message type: " + message.getClass().getSimpleName()); final String idpEntityId = issuer.getValue(); config = idpConfigs.get(idpEntityId); if (config == null) {
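/**
 * Returns the first {@link NameID} in the {@link Response} whose {@code Format} attribute
 * equals the URN of the specified {@code expectedFormat}.
 *
 * <p>The comparison is written with the expected URN as the receiver so that a
 * {@link NameID} without a {@code Format} attribute ({@code getFormat()} returning
 * {@code null}) is simply not matched instead of causing a {@link NullPointerException}.
 *
 * @param response the SAML response whose assertions are searched
 * @param expectedFormat the name identifier format to look for
 * @return the first matching {@link NameID}, or an empty {@link Optional} if none matches
 */
public static Optional<NameID> getNameId(Response response, SamlNameIdFormat expectedFormat) {
    final String expectedUrn = expectedFormat.urn();
    return getNameId(response, nameId -> expectedUrn.equals(nameId.getFormat()));
}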
/**
 * Handles a SAML response delivered to the assertion consumer service endpoint.
 *
 * <p>The message is decoded according to the binding configured for this endpoint, the
 * response's assertion is validated via {@code getValidatedAssertion}, and the outcome is
 * delegated to {@code ssoHandler}. Only {@link SamlException} is turned into a login failure;
 * any other exception propagates to the caller.
 *
 * @param ctx the request context
 * @param msg the aggregated HTTP request carrying the SAML response
 * @param defaultHostname the hostname used to build this endpoint's absolute URI
 * @param portConfig the scheme and port used to build this endpoint's absolute URI
 * @return the response produced by {@code ssoHandler}
 */
@Override
public HttpResponse serve(ServiceRequestContext ctx, AggregatedHttpMessage msg,
                          String defaultHostname, SamlPortConfig portConfig) {
    try {
        // Decode the SAML Response with the binding this endpoint is configured for.
        final boolean redirectBinding =
                cfg.endpoint().bindingProtocol() == SamlBindingProtocol.HTTP_REDIRECT;
        final MessageContext<Response> messageContext = redirectBinding
                ? HttpRedirectBindingUtil.toSamlObject(msg, SAML_RESPONSE, idpConfigs, defaultIdpConfig)
                : HttpPostBindingUtil.toSamlObject(msg, SAML_RESPONSE);

        // Absolute URI of this endpoint; presumably compared against the response's addressing
        // inside getValidatedAssertion — see that method.
        final String endpointUri = cfg.endpoint().toUriString(
                portConfig.scheme().uriText(), defaultHostname, portConfig.port());
        final Response response = messageContext.getMessage();
        final Assertion assertion = getValidatedAssertion(response, endpointUri);

        // The identity provider may carry a session index in any AuthnStatement; use the first
        // non-null one, or null if none is present.
        String sessionIndex = null;
        for (final AuthnStatement authnStatement : assertion.getAuthnStatements()) {
            final String candidate = authnStatement.getSessionIndex();
            if (candidate != null) {
                sessionIndex = candidate;
                break;
            }
        }

        final SAMLBindingContext bindingContext =
                messageContext.getSubcontext(SAMLBindingContext.class);
        String relayState = null;
        if (bindingContext != null) {
            relayState = bindingContext.getRelayState();
        }
        return ssoHandler.loginSucceeded(ctx, msg, messageContext, sessionIndex, relayState);
    } catch (SamlException e) {
        // SAML-level decoding/validation failures are reported to the handler as a failed login.
        return ssoHandler.loginFailed(ctx, msg, null, e);
    }
}
/**
 * Maps the {@code Comparison} attribute of the request's {@code RequestedAuthnContext} to the
 * corresponding {@link RequestedAuthenticationContext} constant.
 *
 * @param request the authentication request to inspect
 * @return the mapped constant, or {@code null} if the request has no
 *         {@code RequestedAuthnContext} or that element has no comparison
 * @throws IllegalArgumentException if the comparison has no constant of the same name
 */
protected RequestedAuthenticationContext getRequestedAuthenticationContext(AuthnRequest request) {
    if (request.getRequestedAuthnContext() == null) {
        return null;
    }
    final AuthnContextComparisonTypeEnumeration comparison =
            request.getRequestedAuthnContext().getComparison();
    if (comparison == null) {
        return null;
    }
    return RequestedAuthenticationContext.valueOf(comparison.toString());
}
} catch (SamlException e) { logger.warn("{} Cannot respond a logout response in response to {}", ctx, logoutRequest.getID(), e); final HttpResponse response = fail(ctx, logoutRequest, sloResEndpoint); return HttpResponse.from(sloHandler.logoutFailed(ctx, msg, e)