/**
 * Fills the peer-entity context of {@code context} with the IdP this client is
 * configured against: the IdP entity ID and the IDPSSODescriptor role are set on
 * the peer context, then {@code addContext} is handed the same
 * (idpEntityId, peerContext, role) triple.
 *
 * @param context the SAML2 message context whose peer-entity context is populated
 */
protected final void addIDPContext(final SAML2MessageContext context) {
    final SAMLPeerEntityContext peer = context.getSAMLPeerEntityContext();
    peer.setEntityId(this.idpEntityId.getEntityId());
    peer.setRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
    addContext(this.idpEntityId, peer, IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
}
if (peerContext == null || Strings.isNullOrEmpty(peerContext.getEntityId())) { log.warn("SAML peer entityID was not available, unable to evaluate rule"); return; String messageIssuer = peerContext.getEntityId(); SAMLMetadataContext metadataContext = peerContext.getSubcontext(SAMLMetadataContext.class, false); if (metadataContext == null || metadataContext.getRoleDescriptor() == null) { log.warn("SAMLPeerContext did not contain either a SAMLMetadataContext or a RoleDescriptor, "
if (peerContext.getEntityId() != null) { final String contextEntityID = peerContext.getEntityId(); final String msgType = signableObject.getElementQName().toString(); log.debug("{} Attempting to verify signature on signed SAML protocol message type: {}", log.debug("{} Validation of protocol message signature succeeded, message type: {}", getLogPrefix(), msgType); if (!peerContext.isAuthenticated()) { log.debug("{} Authentication via protocol message signature succeeded for " + "context issuer entity ID {}", getLogPrefix(), contextEntityID); peerContext.setAuthenticated(true);
/**
 * {@inheritDoc}
 * <p>
 * Lazily resolves the entity ID: when the superclass holds no value yet, it is
 * computed via {@code resolveEntityId()} and stored before being returned. The
 * result can still be null if resolution yields nothing.
 */
@Override
@Nullable
@NotEmpty
public String getEntityId() {
    final String cached = super.getEntityId();
    if (cached != null) {
        return cached;
    }
    setEntityId(resolveEntityId());
    return super.getEntityId();
}
/**
 * Verifies {@code signature} against the peer entity ID with {@code engine} when a
 * signature is present, then marks the peer context as authenticated. A null
 * signature leaves the context untouched.
 * <p>
 * NOTE(review): the authenticated flag is set unconditionally after the
 * {@code validateSignature} call, so this relies on {@code validateSignature}
 * throwing on an invalid signature rather than returning normally — confirm that
 * contract, since a validator that merely logs a failure would mark an unverified
 * peer as authenticated.
 *
 * @param signature the XML signature to verify, or null if the element was unsigned
 * @param context   the SAML2 message context holding the peer-entity context
 * @param engine    the trust engine used for verification
 */
protected final void validateSignatureIfItExists(final Signature signature,
                                                 final SAML2MessageContext context,
                                                 final SignatureTrustEngine engine) {
    if (signature == null) {
        return;
    }
    final SAMLPeerEntityContext peer = context.getSAMLPeerEntityContext();
    validateSignature(signature, peer.getEntityId(), engine);
    peer.setAuthenticated(true);
}
/**
 * {@inheritDoc}
 * <p>
 * Builds the outbound {@link MessageContext} for the profile request and seeds it
 * from the previously resolved inbound peer-entity context: the self entity ID
 * (via {@code selfIdentityLookupStrategy}), the peer entity ID, and — when the
 * inbound side carried metadata — a copy of the entity/role descriptors plus any
 * AttributeConsumingService. Only those pieces are propagated; other inbound
 * subcontexts (endpoint, authentication state, ...) are not copied here.
 *
 * @param profileRequestContext the current profile request context
 */
@Override
protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
    final MessageContext outbound = new MessageContext();
    profileRequestContext.setOutboundMessageContext(outbound);

    outbound.getSubcontext(SAMLSelfEntityContext.class, true)
            .setEntityId(selfIdentityLookupStrategy.apply(profileRequestContext));

    final SAMLPeerEntityContext outboundPeer = outbound.getSubcontext(SAMLPeerEntityContext.class, true);
    outboundPeer.setEntityId(peerEntityCtx.getEntityId());

    copyInboundPeerMetadata(outboundPeer);

    log.debug("{} Initialized outbound message context", getLogPrefix());
}

/**
 * Copies the inbound peer's metadata context (entity/role descriptors and the
 * AttributeConsumingService, if any) onto the outbound peer context. No-op when
 * the inbound peer context carries no metadata context.
 *
 * @param outboundPeer the outbound peer-entity context to populate
 */
private void copyInboundPeerMetadata(@Nonnull final SAMLPeerEntityContext outboundPeer) {
    final SAMLMetadataContext inboundMd = peerEntityCtx.getSubcontext(SAMLMetadataContext.class);
    if (inboundMd == null) {
        return;
    }
    final SAMLMetadataContext outboundMd = outboundPeer.getSubcontext(SAMLMetadataContext.class, true);
    outboundMd.setEntityDescriptor(inboundMd.getEntityDescriptor());
    outboundMd.setRoleDescriptor(inboundMd.getRoleDescriptor());

    final AttributeConsumingServiceContext acs =
            inboundMd.getSubcontext(AttributeConsumingServiceContext.class);
    if (acs != null) {
        outboundMd.getSubcontext(AttributeConsumingServiceContext.class, true)
                .setAttributeConsumingService(acs.getAttributeConsumingService());
    }
}
} // closes the enclosing class, as the original listing did
final String contextEntityID = peerContext.getEntityId(); if (validateSignature(signature, signedContent, algorithmURI, criteriaSet, candidateCredentials)) { log.debug("{} Validation of request simple signature succeeded", getLogPrefix()); if (!peerContext.isAuthenticated()) { log.debug( "{} Authentication via request simple signature succeeded for context issuer entity ID {}", getLogPrefix(), contextEntityID); peerContext.setAuthenticated(true); if (validateSignature(signature, signedContent, algorithmURI, criteriaSet, candidateCredentials)) { log.debug("{} Validation of request simple signature succeeded", getLogPrefix()); if (!peerContext.isAuthenticated()) { log.debug("{} Authentication via request simple signature succeeded for derived issuer {}", getLogPrefix(), derivedEntityID); peerContext.setEntityId(derivedEntityID); peerContext.setAuthenticated(true);
rpc.setRelyingPartyIdContextTree(peerContext); peerContext.setEntityId(entityID); peerContext.setRole(roleDescriptor.getSchemaType() != null ? roleDescriptor.getSchemaType() : roleDescriptor.getElementQName()); final SAMLMetadataContext metadataContext = peerContext.getSubcontext(SAMLMetadataContext.class, true); metadataContext.setEntityDescriptor(entityDescriptor); metadataContext.setRoleDescriptor(roleDescriptor);
outboundContext.getSAMLPeerEndpointContext().setEndpoint(getEndpoint(context)); outboundContext.getSAMLPeerEntityContext().setRole(context.getSAMLPeerEntityContext().getRole()); outboundContext.getSAMLPeerEntityContext().setEntityId(context.getSAMLPeerEntityContext().getEntityId()); outboundContext.getSAMLProtocolContext().setProtocol(context.getSAMLProtocolContext().getProtocol()); outboundContext.getSecurityParametersContext()
val handler = new SAML2HTTPRedirectDeflateSignatureSecurityHandler(); val peer = context.getSubcontext(SAMLPeerEntityContext.class, true); peer.setEntityId(SamlIdPUtils.getIssuerFromSamlObject(profileRequest)); val peerEntityId = peer.getEntityId(); LOGGER.debug("Validating request signature for [{}] via [{}]...", peerEntityId, handler.getClass().getSimpleName()); new CriteriaSet(new EntityIdCriterion(peerEntityId), new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME))); peer.setRole(roleDescriptor.getElementQName()); val protocol = context.getSubcontext(SAMLProtocolContext.class, true); protocol.setProtocol(SAMLConstants.SAML20P_NS);
/**
 * {@inheritDoc}
 * <p>
 * Decodes the resolver-test request from the HTTP request and installs a message
 * context around it. The peer-entity context is labelled with the SP role and the
 * requester ID taken from the request; a protocol context is added only when the
 * request named a protocol.
 * <p>
 * NOTE(review): the requester ID comes straight from the incoming HTTP request and
 * nothing in this method authenticates it — the peer context is merely tagged with
 * it. Any trust decision based on that ID must be made by downstream handlers.
 *
 * @throws MessageDecodingException if no {@link HttpServletRequest} is available
 */
@Override
protected void doDecode() throws MessageDecodingException {
    final HttpServletRequest httpRequest = getHttpServletRequest();
    if (httpRequest == null) {
        throw new MessageDecodingException("Unable to locate HttpServletRequest");
    }

    final ResolverTestRequest testRequest = new ResolverTestRequest(
            getPrincipal(httpRequest),
            getRequesterId(httpRequest),
            getIndex(httpRequest),
            getProtocol(httpRequest));

    final MessageContext<ResolverTestRequest> ctx = new MessageContext<>();
    ctx.setMessage(testRequest);
    setMessageContext(ctx);

    final SAMLPeerEntityContext peer = new SAMLPeerEntityContext();
    peer.setRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
    peer.setEntityId(testRequest.getRequesterId());
    ctx.addSubcontext(peer, true);

    final String protocol = testRequest.getProtocol();
    if (protocol != null) {
        ctx.getSubcontext(SAMLProtocolContext.class, true).setProtocol(protocol);
    }
}
/**
 * Prepares the peer-entity and endpoint subcontexts of the outbound message context
 * for the service provider described by {@code adaptor}: the peer entity ID is taken
 * from the SP metadata facade and the endpoint is selected by
 * {@code determineEndpointForRequest} for the requested binding.
 * <p>
 * The null checks after {@code getSubcontext(..., true)} guard against a context
 * implementation that declines to auto-create; with a stock OpenSAML context they
 * are not expected to fire (review assumption — confirm if a custom context is used).
 *
 * @param request         the authn request
 * @param outboundContext the outbound context to populate
 * @param adaptor         the SP metadata facade
 * @param binding         the binding used to pick the endpoint
 * @throws SamlException if the SP declares no assertion consumer service, or a
 *                       required subcontext could not be obtained
 */
public static void preparePeerEntitySamlEndpointContext(final RequestAbstractType request,
                                                        final MessageContext outboundContext,
                                                        final SamlRegisteredServiceServiceProviderMetadataFacade adaptor,
                                                        final String binding) throws SamlException {
    val spEntityId = adaptor.getEntityId();
    if (!adaptor.containsAssertionConsumerServices()) {
        throw new SamlException("No assertion consumer service could be found for entity " + spEntityId);
    }

    val peerCtx = outboundContext.getSubcontext(SAMLPeerEntityContext.class, true);
    if (peerCtx == null) {
        throw new SamlException("SAMLPeerEntityContext could not be defined for entity " + spEntityId);
    }
    peerCtx.setEntityId(spEntityId);

    val endpointCtx = peerCtx.getSubcontext(SAMLEndpointContext.class, true);
    if (endpointCtx == null) {
        throw new SamlException("SAMLEndpointContext could not be defined for entity " + spEntityId);
    }

    val selectedEndpoint = determineEndpointForRequest(request, adaptor, binding);
    LOGGER.debug("Configured peer entity endpoint to be [{}] with binding [{}]",
        selectedEndpoint.getLocation(), selectedEndpoint.getBinding());
    endpointCtx.setEndpoint(selectedEndpoint);
}
/**
 * Returns the issuer of the inbound message, i.e. the entity ID recorded in the
 * message context's {@link SAMLPeerEntityContext}, or null when no peer-entity
 * context has been attached.
 *
 * @param messageContext the message context to inspect
 * @return the peer entity ID, or null if there is no peer-entity context
 */
@Nullable
private String getInboundMessageIssuer(@Nonnull final MessageContext<SAMLObject> messageContext) {
    final SAMLPeerEntityContext peer = messageContext.getSubcontext(SAMLPeerEntityContext.class);
    return peer != null ? peer.getEntityId() : null;
}
/**
 * {@inheritDoc}
 * <p>
 * Creates a fresh inbound {@link MessageContext} for the logout flow and records
 * the SAML2 session's ID as the entity ID of its peer-entity context.
 *
 * @param profileRequestContext the profile request context to attach the inbound context to
 */
@Override
protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
    final String peerId = saml2Session.getId();
    final MessageContext inbound = new MessageContext();
    profileRequestContext.setInboundMessageContext(inbound);
    inbound.getSubcontext(SAMLPeerEntityContext.class, true).setEntityId(peerId);
    log.debug("{} Initialized inbound message context for logout of {}", getLogPrefix(), peerId);
}
/**
 * Returns the metadata subcontext of the peer-entity context, creating it if it
 * does not exist yet (autocreate is requested).
 *
 * @return the peer's metadata context, never null for a context that honours autocreate
 */
public final SAMLMetadataContext getSAMLPeerMetadataContext() {
    final SAMLPeerEntityContext peer = getSAMLPeerEntityContext();
    return peer.getSubcontext(SAMLMetadataContext.class, true);
}
/**
 * Validates the assertion signature, if present, against the peer entity ID.
 * When the assertion is unsigned, the decision falls back to response-level state:
 * if the SP requires signed assertions and the peer has not already been marked
 * authenticated (presumably by an earlier successful response-signature check —
 * confirm), a {@link SAMLSignatureRequiredException} is thrown. An unsigned
 * assertion inside an already-authenticated response is therefore accepted here.
 *
 * @param signature the assertion's signature, or null if it is unsigned
 * @param context   the SAML2 message context
 * @param engine    the trust engine used to verify the signature
 * @throws SAMLSignatureRequiredException if a signature is required but neither the
 *                                        assertion nor the response provided one
 */
protected final void validateAssertionSignature(final Signature signature, final SAML2MessageContext context,
                                                final SignatureTrustEngine engine) {
    final SAMLPeerEntityContext peer = context.getSAMLPeerEntityContext();
    if (signature == null) {
        // Short-circuit order preserved: the SP policy is consulted before the peer flag.
        final boolean mustBeSigned = wantsAssertionsSigned(context) && !peer.isAuthenticated();
        if (mustBeSigned) {
            throw new SAMLSignatureRequiredException("Assertion or response must be signed");
        }
        return;
    }
    validateSignature(signature, peer.getEntityId(), engine);
}
/**
 * {@inheritDoc}
 * <p>
 * After the superclass check passes, captures the peer-entity and protocol
 * subcontexts into fields and fails fast if either is absent or lacks its role /
 * protocol respectively. Note that only the peer role is checked here, not the
 * peer entity ID.
 *
 * @param messageContext the message context being handled
 * @return false if the superclass declined to proceed, true otherwise
 * @throws MessageHandlerException if the peer-entity context has no role or the
 *                                 protocol context has no protocol
 */
@Override
protected boolean doPreInvoke(@Nonnull final MessageContext messageContext) throws MessageHandlerException {
    if (!super.doPreInvoke(messageContext)) {
        return false;
    }

    peerContext = messageContext.getSubcontext(SAMLPeerEntityContext.class);
    final boolean peerUsable = peerContext != null && peerContext.getRole() != null;
    if (!peerUsable) {
        throw new MessageHandlerException("SAMLPeerEntityContext was missing or unpopulated");
    }

    samlProtocolContext = messageContext.getSubcontext(SAMLProtocolContext.class);
    final boolean protocolUsable = samlProtocolContext != null && samlProtocolContext.getProtocol() != null;
    if (!protocolUsable) {
        throw new MessageHandlerException("SAMLProtocolContext was missing or unpopulated");
    }
    return true;
}
peerContext.setEntityId(peerEntityCtx.getEntityId()); final SAMLMetadataContext inboundMetadataCtx = peerEntityCtx.getSubcontext(SAMLMetadataContext.class); if (inboundMetadataCtx != null) { final SAMLMetadataContext outboundMetadataCtx = peerContext.getSubcontext(SAMLMetadataContext.class, true); outboundMetadataCtx.setEntityDescriptor(inboundMetadataCtx.getEntityDescriptor()); outboundMetadataCtx.setRoleDescriptor(inboundMetadataCtx.getRoleDescriptor());
/**
 * {@inheritDoc}
 * <p>
 * Decodes a metadata query from the HTTP request (entity ID and optional protocol)
 * and installs a message context around it. The peer-entity context is labelled
 * with the SP role and the queried entity ID; a protocol context is added only when
 * a protocol was supplied.
 * <p>
 * NOTE(review): the entity ID is read straight from the incoming HTTP request and is
 * not authenticated here — it identifies what is being queried, not who is asking.
 *
 * @throws MessageDecodingException if no {@link HttpServletRequest} is available
 */
@Override
protected void doDecode() throws MessageDecodingException {
    final HttpServletRequest httpRequest = getHttpServletRequest();
    if (httpRequest == null) {
        throw new MessageDecodingException("Unable to locate HttpServletRequest");
    }

    final MetadataQueryRequest query = new MetadataQueryRequest();
    query.setEntityID(getEntityID(httpRequest));
    query.setProtocol(getProtocol(httpRequest));

    final MessageContext<MetadataQueryRequest> ctx = new MessageContext<>();
    ctx.setMessage(query);
    setMessageContext(ctx);

    final SAMLPeerEntityContext peer = new SAMLPeerEntityContext();
    peer.setRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
    peer.setEntityId(query.getEntityID());
    ctx.addSubcontext(peer, true);

    final String protocol = query.getProtocol();
    if (protocol != null) {
        ctx.getSubcontext(SAMLProtocolContext.class, true).setProtocol(protocol);
    }
}
/**
 * Looks up the inbound message's issuer: the entity ID held by the message
 * context's {@link SAMLPeerEntityContext}. Yields null when that subcontext is
 * absent.
 *
 * @param messageContext the message context to inspect
 * @return the peer entity ID, or null if no peer-entity context exists
 */
@Nullable
private String getInboundMessageIssuer(@Nonnull final MessageContext<SAMLObject> messageContext) {
    final SAMLPeerEntityContext peer = messageContext.getSubcontext(SAMLPeerEntityContext.class);
    if (peer == null) {
        return null;
    }
    return peer.getEntityId();
}