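/**
 * {@inheritDoc}
 *
 * <p>Decodes an HTTP POST carrying a Base64-encoded SAML {@code Assertion}, wraps that
 * assertion into a {@code Response} and stores the result as the inbound message of the
 * context before the remaining context fields are populated.
 *
 * @param messageContext the context to populate; must be a {@code SAMLMessageContext}
 *        whose inbound transport is an {@code HTTPInTransport}
 * @throws MessageDecodingException if the context or transport has the wrong type, the HTTP
 *         method is not POST, the decoded document is not an {@code Assertion}, the assertion
 *         carries no {@code Issuer}, or the message body cannot be unmarshalled
 */
protected void doDecode(MessageContext messageContext) throws MessageDecodingException {
    if (!(messageContext instanceof SAMLMessageContext)) {
        log.error("Invalid message context type, this decoder only support SAMLMessageContext");
        throw new MessageDecodingException(
                "Invalid message context type, this decoder only support SAMLMessageContext");
    }
    if (!(messageContext.getInboundMessageTransport() instanceof HTTPInTransport)) {
        log.error("Invalid inbound message transport type, this decoder only support HTTPInTransport");
        throw new MessageDecodingException(
                "Invalid inbound message transport type, this decoder only support HTTPInTransport");
    }

    SAMLMessageContext samlMsgCtx = (SAMLMessageContext) messageContext;
    HTTPInTransport inTransport = (HTTPInTransport) samlMsgCtx.getInboundMessageTransport();
    // Constant-first comparison so a transport reporting no method is rejected instead of NPE-ing.
    if (!"POST".equalsIgnoreCase(inTransport.getHTTPMethod())) {
        throw new MessageDecodingException("This message decoder only supports the HTTP POST method");
    }

    String relayState = inTransport.getParameterValue("RelayState");
    samlMsgCtx.setRelayState(relayState);
    log.debug("Decoded SAML relay state of: {}", relayState);

    // Anything other than an Assertion is a decoding error; previously the unchecked cast
    // would have surfaced it as a ClassCastException.
    InputStream base64DecodedMessage = getBase64DecodedMessage(inTransport);
    Object decoded = unmarshallMessage(base64DecodedMessage);
    if (!(decoded instanceof Assertion)) {
        log.error("Decoded SAML message is not an Assertion");
        throw new MessageDecodingException("Decoded SAML message is not an Assertion");
    }
    Assertion inboundMessage = (Assertion) decoded;

    // NOTE(review): the issuer used to build the wrapping Response is read from the assertion
    // itself, which has not been validated at this point; trust in that value must come from
    // the security-policy rules applied to the context afterwards - confirm.
    if (inboundMessage.getIssuer() == null) {
        log.error("Decoded SAML assertion does not carry an Issuer");
        throw new MessageDecodingException("Decoded SAML assertion does not carry an Issuer");
    }
    Response response = SamlRedirectUtils.wrapAssertionIntoResponse(inboundMessage,
            inboundMessage.getIssuer().getValue());
    samlMsgCtx.setInboundMessage(response);
    samlMsgCtx.setInboundSAMLMessage(response);
    log.debug("Decoded SAML message");

    populateMessageContext(samlMsgCtx);
}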
/**
 * {@inheritDoc}
 *
 * <p>A destination endpoint is only mandatory when the inbound message is a response
 * ({@code ResponseAbstractType}); other message types are not required to carry one.
 */
protected boolean isIntendedDestinationEndpointURIRequired(SAMLMessageContext samlMsgCtx) {
    final Object inbound = samlMsgCtx.getInboundSAMLMessage();
    return inbound instanceof ResponseAbstractType;
}
} // end of enclosing class
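/**
 * Extracts and validates the SAML {@code Response} carried by the given request.
 *
 * @param request the incoming HTTP request carrying the SAML message
 * @return the decoded response after it passed the configured validator suite
 * @throws ServiceProviderAuthenticationException if the message cannot be decoded, is not a
 *         {@code Response}, or fails validation
 */
private Response extractSamlResponse(HttpServletRequest request) {
    final SAMLMessageHandler samlMessageHandler = openSAMLContext.samlMessageHandler();
    final SAMLMessageContext messageContext;
    try {
        messageContext = samlMessageHandler.extractSAMLMessageContext(request);
    } catch (MessageDecodingException me) {
        throw new ServiceProviderAuthenticationException("Could not decode SAML Response", me);
    } catch (org.opensaml.xml.security.SecurityException se) {
        throw new ServiceProviderAuthenticationException("Could not decode SAML Response", se);
    }
    LOG.debug("Message received from issuer: " + messageContext.getInboundMessageIssuer());

    if (!(messageContext.getInboundSAMLMessage() instanceof Response)) {
        throw new ServiceProviderAuthenticationException("SAML Message was not a Response.");
    }
    final Response inboundSAMLMessage = (Response) messageContext.getInboundSAMLMessage();

    try {
        openSAMLContext.validatorSuite().validate(inboundSAMLMessage);
    } catch (ValidationException ve) {
        LOG.warn("Response Message failed Validation", ve);
        // Consistent with the decoding failures above: report validation failures through the
        // authentication exception callers already handle, not a bare RuntimeException.
        throw new ServiceProviderAuthenticationException("Invalid SAML Response Message", ve);
    }
    return inboundSAMLMessage;
}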
SignableSAMLObject message = context.getInboundSAMLMessage(); String sRequestor = context.getInboundMessageIssuer(); HTTPInTransport inTransport = (HTTPInTransport) context.getInboundMessageTransport(); String sigParam = inTransport.getParameterValue("Signature"); boolean bSignatureParam = !DatatypeHelper.isEmpty(sigParam);
HTTPOutTransport outTransport = (HTTPOutTransport) artifactContext.getOutboundMessageTransport(); params.add(new Pair<String, String>("TARGET", artifactContext.getRelayState())); if (artifactContext.getOutboundMessageArtifactType() != null) { artifactBuilder = Configuration.getSAML1ArtifactBuilderFactory().getArtifactBuilder( artifactContext.getOutboundMessageArtifactType()); } else { artifactBuilder = Configuration.getSAML1ArtifactBuilderFactory().getArtifactBuilder(defaultArtifactType); artifactContext.setOutboundMessageArtifactType(defaultArtifactType); for (Assertion assertion : artifactContext.getOutboundSAMLMessage().getAssertions()) { artifact = artifactBuilder.buildArtifact(artifactContext, assertion); if(artifact == null){ .getInboundMessageIssuer()); outTransport.sendRedirect(urlBuilder.buildURL());
MetadataProvider metadataProvider = messageContext.getMetadataProvider(); try { if (metadataProvider != null) { EntityDescriptor relyingPartyMD = metadataProvider.getEntityDescriptor(messageContext .getInboundMessageIssuer()); messageContext.setPeerEntityMetadata(relyingPartyMD); QName relyingPartyRole = messageContext.getPeerEntityRole(); if (relyingPartyMD != null && relyingPartyRole != null) { List<RoleDescriptor> roles = relyingPartyMD.getRoleDescriptors(relyingPartyRole, SAMLConstants.SAML11P_NS); if (roles != null && roles.size() > 0) { messageContext.setPeerEntityRoleMetadata(roles.get(0)); log.error("Error retrieving metadata for relying party " + messageContext.getInboundMessageIssuer(), e); throw new MessageDecodingException("Error retrieving metadata for relying party " + messageContext.getInboundMessageIssuer(), e);
HTTPInTransport inTransport = (HTTPInTransport) samlMsgCtx.getInboundMessageTransport(); if (!inTransport.getHTTPMethod().equalsIgnoreCase("POST")) { throw new MessageDecodingException("This message decoder only supports the HTTP POST method"); samlMsgCtx.setInboundMessage(soapMessage); samlMsgCtx.setInboundSAMLMessage(samlMessage);
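/**
 * Determine whether the inbound message is signed.
 *
 * <p>Two signature mechanisms are recognised: an XML Signature embedded in the SAML message
 * itself, and the detached {@code Signature} request parameter used by the HTTP-Redirect and
 * HTTP-POST-SimpleSign bindings.
 *
 * @param messageContext the message context being evaluated
 * @return true if the inbound message is signed, otherwise false
 */
protected boolean isMessageSigned(SAMLMessageContext messageContext) {
    // TODO this really should be determined by the decoders and supplied to the rule
    // in some fashion, to handle binding-specific signature mechanisms. See JIRA issue JOWS-4.
    //
    // For now evaluate here inline for XML Signature and HTTP-Redirect and HTTP-Post-SimpleSign.
    SAMLObject samlMessage = messageContext.getInboundSAMLMessage();
    if (samlMessage instanceof SignableSAMLObject && ((SignableSAMLObject) samlMessage).isSigned()) {
        return true;
    }

    // This handles HTTP-Redirect and HTTP-POST-SimpleSign bindings. A detached Signature
    // parameter only exists on an HTTP transport; any other transport therefore has none.
    // Previously the unchecked cast threw a ClassCastException for non-HTTP transports.
    if (!(messageContext.getInboundMessageTransport() instanceof HTTPInTransport)) {
        return false;
    }
    HTTPInTransport inTransport = (HTTPInTransport) messageContext.getInboundMessageTransport();
    String sigParam = inTransport.getParameterValue("Signature");
    return !DatatypeHelper.isEmpty(sigParam);
}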
if (artifactContext.getOutboundMessageArtifactType() != null) { artifactBuilder = Configuration.getSAML2ArtifactBuilderFactory().getArtifactBuilder( artifactContext.getOutboundMessageArtifactType()); } else { artifactBuilder = Configuration.getSAML2ArtifactBuilderFactory().getArtifactBuilder(defaultArtifactType); artifactContext.setOutboundMessageArtifactType(defaultArtifactType); artifactMap.put(encodedArtifact, artifactContext.getInboundMessageIssuer(), artifactContext .getOutboundMessageIssuer(), artifactContext.getOutboundSAMLMessage()); } catch (MarshallingException e) { log.error("Unable to marshall assertion to be represented as an artifact", e);
SAMLObject samlMessage = samlMsgCtx.getInboundSAMLMessage(); if (! (samlMessage instanceof AuthnRequest) ) { log.debug("Inbound message is not an instance of AuthnRequest, skipping evaluation..."); String messageIssuer = samlMsgCtx.getInboundMessageIssuer(); if (DatatypeHelper.isEmpty(messageIssuer)) { log.warn("Inbound message issuer was empty, unable to evaluate rule"); MetadataProvider metadataProvider = samlMsgCtx.getMetadataProvider(); if (metadataProvider == null) { log.warn("Message context did not contain a metadata provider, unable to evaluate rule");
/**
 * Decodes the TARGET parameter and adds it to the message context.
 *
 * @param samlMsgCtx current message context
 *
 * @throws MessageDecodingException thrown if there is a problem decoding the TARGET parameter.
 */
protected void decodeTarget(SAMLMessageContext samlMsgCtx) throws MessageDecodingException {
    final HTTPInTransport transport = (HTTPInTransport) samlMsgCtx.getInboundMessageTransport();
    // One null check after safeTrim covers both a missing parameter and a blank value
    // (which is what the error message below describes).
    final String trimmedTarget = DatatypeHelper.safeTrim(transport.getParameterValue("TARGET"));
    if (trimmedTarget != null) {
        samlMsgCtx.setRelayState(trimmedTarget);
        return;
    }
    log.error("URL TARGET parameter was missing or did not contain a value.");
    throw new MessageDecodingException("URL TARGET parameter was missing or did not contain a value.");
}
/**
 * Returns the URI the message actually arrived at, preferring the transport's own local
 * address when the transport can report one.
 *
 * @param messageContext the context whose inbound transport is inspected
 * @return the local address of a {@code LocationAwareInTransport}, otherwise the value
 *         computed by the superclass
 * @throws MessageDecodingException propagated from the superclass implementation
 */
@Override
protected String getActualReceiverEndpointURI(SAMLMessageContext messageContext)
        throws MessageDecodingException {
    final InTransport transport = messageContext.getInboundMessageTransport();
    if (!(transport instanceof LocationAwareInTransport)) {
        return super.getActualReceiverEndpointURI(messageContext);
    }
    return ((LocationAwareInTransport) transport).getLocalAddress();
}
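/**
 * Handles a single sign-on request: decodes the inbound {@code AuthnRequest}, builds the
 * principal from the authenticated user's attributes and sends the SAML response to the
 * service provider.
 *
 * @param request        the HTTP request carrying the AuthnRequest
 * @param response       the HTTP response through which the SAML response is sent
 * @param authentication the already-authenticated user
 * @param postRequest    whether the AuthnRequest arrived via HTTP POST rather than redirect
 * @throws MessageDecodingException if the inbound message cannot be decoded, is not an
 *         {@code AuthnRequest}, or carries no {@code Issuer}; the remaining declared exceptions
 *         propagate from the message handler
 */
@SuppressWarnings("unchecked")
private void doSSO(HttpServletRequest request, HttpServletResponse response, Authentication authentication,
        boolean postRequest) throws ValidationException, SecurityException, MessageDecodingException,
        MarshallingException, SignatureException, MessageEncodingException, MetadataProviderException,
        IOException, ServletException {
    SAMLMessageContext messageContext =
            samlMessageHandler.extractSAMLMessageContext(request, response, postRequest);

    // Reject anything other than an AuthnRequest as a decoding error rather than letting the
    // cast fail with a ClassCastException.
    if (!(messageContext.getInboundSAMLMessage() instanceof AuthnRequest)) {
        throw new MessageDecodingException("Inbound SAML message is not an AuthnRequest");
    }
    AuthnRequest authnRequest = (AuthnRequest) messageContext.getInboundSAMLMessage();
    if (authnRequest.getIssuer() == null) {
        throw new MessageDecodingException("AuthnRequest does not carry an Issuer");
    }

    // NOTE(review): with no ACS endpoint configured, the response destination is taken from the
    // AuthnRequest itself; confirm that the message handler's checks (e.g. against SP metadata)
    // establish that this URL can be trusted before the response is sent there.
    String assertionConsumerServiceURL = idpConfiguration.getAcsEndpoint() != null
            ? idpConfiguration.getAcsEndpoint()
            : authnRequest.getAssertionConsumerServiceURL();

    List<SAMLAttribute> attributes = attributes(authentication);
    // The NameID format travels as an ordinary attribute; fall back to "unspecified" when absent.
    SAMLPrincipal principal = new SAMLPrincipal(
            authentication.getName(),
            attributes.stream()
                    .filter(attr -> "urn:oasis:names:tc:SAML:1.1:nameid-format".equals(attr.getName()))
                    .findFirst()
                    .map(SAMLAttribute::getValue)
                    .orElse(NameIDType.UNSPECIFIED),
            attributes,
            authnRequest.getIssuer().getValue(),
            authnRequest.getID(),
            assertionConsumerServiceURL,
            messageContext.getRelayState());

    samlMessageHandler.sendAuthnResponse(principal, response);
}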
SAMLObject samlMessage = samlMsgCtx.getOutboundSAMLMessage(); if (samlMessage == null) { throw new MessageEncodingException("No outbound SAML message contained in message context"); if (samlMsgCtx.getRelayState() != null) { SOAPHelper.addHeaderBlock(samlMsgCtx, getRelayState(samlMsgCtx.getRelayState())); XMLObject outboundEnveloppe = samlMsgCtx.getOutboundMessage();
/**
 * {@inheritDoc}
 *
 * <p>Extends the criteria built by the superclass with a {@code MetadataCriteria} derived from
 * the peer entity role and the inbound SAML protocol recorded in the {@code SAMLMessageContext}.
 */
protected CriteriaSet buildCriteriaSet(String entityID, MessageContext messageContext)
        throws SecurityPolicyException {
    if (!(messageContext instanceof SAMLMessageContext)) {
        log.error("Supplied message context was not an instance of SAMLMessageContext, can not build criteria set from SAML metadata parameters");
        throw new SecurityPolicyException("Supplied message context was not an instance of SAMLMessageContext");
    }
    final SAMLMessageContext samlContext = (SAMLMessageContext) messageContext;
    final CriteriaSet criteria = super.buildCriteriaSet(entityID, messageContext);
    criteria.add(new MetadataCriteria(samlContext.getPeerEntityRole(), samlContext.getInboundSAMLProtocol()));
    return criteria;
}
} // end of enclosing class
String contextIssuer = samlMsgCtx.getInboundMessageIssuer(); if (validateSignature(signature, signedContent, algorithmURI, criteriaSet, candidateCredentials)) { log.info("Validation of request simple signature succeeded"); if (!samlMsgCtx.isInboundSAMLMessageAuthenticated()) { log.info("Authentication via request simple signature succeeded for context issuer entity ID {}", contextIssuer); samlMsgCtx.setInboundSAMLMessageAuthenticated(true); if (validateSignature(signature, signedContent, algorithmURI, criteriaSet, candidateCredentials)) { log.info("Validation of request simple signature succeeded"); if (!samlMsgCtx.isInboundSAMLMessageAuthenticated()) { log.info("Authentication via request simple signature succeeded for derived issuer {}", derivedIssuer); samlMsgCtx.setInboundMessageIssuer(derivedIssuer); samlMsgCtx.setInboundSAMLMessageAuthenticated(true);
String messageXML = XMLHelper.nodeToString(marshallMessage(messageContext.getOutboundSAMLMessage())); String encodedMessage = Base64.encodeBytes(messageXML.getBytes("UTF-8"), Base64.DONT_BREAK_LINES); context.put("SAMLResponse", encodedMessage); if (messageContext.getRelayState() != null) { String encodedRelayState = esapiEncoder.encodeForHTMLAttribute(messageContext.getRelayState()); log.debug("Setting TARGET parameter to: '{}', encoded as '{}'", messageContext.getRelayState(), encodedRelayState); context.put("TARGET", encodedRelayState); HTTPOutTransport outTransport = (HTTPOutTransport) messageContext.getOutboundMessageTransport(); HTTPTransportUtils.addNoCacheHeaders(outTransport); HTTPTransportUtils.setUTF8Encoding(outTransport);
queryParams.clear(); if (messagesContext.getOutboundSAMLMessage() instanceof RequestAbstractType) { queryParams.add(new Pair<String, String>("SAMLRequest", message)); } else if (messagesContext.getOutboundSAMLMessage() instanceof StatusResponseType) { queryParams.add(new Pair<String, String>("SAMLResponse", message)); } else { String relayState = messagesContext.getRelayState(); if (checkRelayState(relayState)) { queryParams.add(new Pair<String, String>("RelayState", relayState)); Credential signingCredential = messagesContext.getOuboundSAMLMessageSigningCredential(); if (signingCredential != null) {
throws SecurityPolicyException { String contextIssuer = samlMsgCtx.getInboundMessageIssuer(); if (contextIssuer != null) { String msgType = signableObject.getElementQName().toString(); if (!samlMsgCtx.isInboundSAMLMessageAuthenticated()) { log.debug("Authentication via protocol message signature succeeded for context issuer entity ID {}", contextIssuer); samlMsgCtx.setInboundSAMLMessageAuthenticated(true);
if (messageContext.getOutboundSAMLMessage().getDOM() == null) { marshallMessage(messageContext.getOutboundSAMLMessage()); String messageXML = XMLHelper.nodeToString(messageContext.getOutboundSAMLMessage().getDOM()); String encodedMessage = Base64.encodeBytes(messageXML.getBytes("UTF-8"), Base64.DONT_BREAK_LINES); if (messageContext.getOutboundSAMLMessage() instanceof RequestAbstractType) { velocityContext.put("SAMLRequest", encodedMessage); } else if (messageContext.getOutboundSAMLMessage() instanceof StatusResponseType) { velocityContext.put("SAMLResponse", encodedMessage); } else { String relayState = messageContext.getRelayState(); if (checkRelayState(relayState)) { String encodedRelayState = esapiEncoder.encodeForHTMLAttribute(relayState);