/** {@inheritDoc} */
protected void marshallAttributes(XMLObject samlObject, Element domElement) throws MarshallingException {
    final AuthnStatement statement = (AuthnStatement) samlObject;

    // AuthnInstant is written through the configured SAML date formatter so the
    // serialized value matches the rest of the document.
    if (statement.getAuthnInstant() != null) {
        domElement.setAttributeNS(null, AuthnStatement.AUTHN_INSTANT_ATTRIB_NAME,
                SAMLConfigurationSupport.getSAMLDateFormatter().print(statement.getAuthnInstant()));
    }

    // SessionIndex is an opaque string and is copied verbatim.
    if (statement.getSessionIndex() != null) {
        domElement.setAttributeNS(null, AuthnStatement.SESSION_INDEX_ATTRIB_NAME, statement.getSessionIndex());
    }

    // SessionNotOnOrAfter uses the same formatter as AuthnInstant.
    if (statement.getSessionNotOnOrAfter() != null) {
        domElement.setAttributeNS(null, AuthnStatement.SESSION_NOT_ON_OR_AFTER_ATTRIB_NAME,
                SAMLConfigurationSupport.getSAMLDateFormatter().print(statement.getSessionNotOnOrAfter()));
    }
}
}
/** {@inheritDoc} */
protected void processChildElement(XMLObject parentObject, XMLObject childObject) throws UnmarshallingException {
    final AuthnStatement statement = (AuthnStatement) parentObject;

    if (childObject instanceof SubjectLocality) {
        statement.setSubjectLocality((SubjectLocality) childObject);
        return;
    }
    if (childObject instanceof AuthnContext) {
        statement.setAuthnContext((AuthnContext) childObject);
        return;
    }
    // Any other child is not specific to AuthnStatement; defer to the parent unmarshaller.
    super.processChildElement(parentObject, childObject);
}
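/** {@inheritDoc} */
protected void processAttribute(XMLObject samlObject, Attr attribute) throws UnmarshallingException {
    final AuthnStatement statement = (AuthnStatement) samlObject;
    final String name = attribute.getLocalName();
    final String value = attribute.getValue();

    // Constant-first equals() tolerates a null local name (falls through to super)
    // instead of failing with an NPE on attacker-controlled input.
    if (AuthnStatement.AUTHN_INSTANT_ATTRIB_NAME.equals(name) && !Strings.isNullOrEmpty(value)) {
        statement.setAuthnInstant(parseUtcDateTime(name, value));
    } else if (AuthnStatement.SESSION_INDEX_ATTRIB_NAME.equals(name)) {
        statement.setSessionIndex(value);
    } else if (AuthnStatement.SESSION_NOT_ON_OR_AFTER_ATTRIB_NAME.equals(name) && !Strings.isNullOrEmpty(value)) {
        statement.setSessionNotOnOrAfter(parseUtcDateTime(name, value));
    } else {
        super.processAttribute(samlObject, attribute);
    }
}

/**
 * Parses an xs:dateTime attribute value into a UTC {@link DateTime}.
 *
 * <p>The incoming value is untrusted; a malformed value is reported as an
 * {@link UnmarshallingException} (the checked failure callers of the
 * unmarshaller already handle) rather than leaking the parser's
 * {@link IllegalArgumentException}.
 *
 * @param attributeName local name of the attribute being parsed, for the error message
 * @param value the attribute's string value
 * @return the parsed instant in the UTC ISO chronology
 * @throws UnmarshallingException if {@code value} is not a valid ISO-8601 date-time
 */
private static DateTime parseUtcDateTime(final String attributeName, final String value)
        throws UnmarshallingException {
    try {
        return new DateTime(value, ISOChronology.getInstanceUTC());
    } catch (final IllegalArgumentException e) {
        throw new UnmarshallingException("Invalid value for attribute " + attributeName + ": " + value, e);
    }
}
}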
statement.setAuthnInstant(new DateTime(getAuthenticationResult().getAuthenticationInstant())); statement.setAuthnContext(authnContext); final Long lifetime = sessionLifetimeLookupStrategy.apply(profileRequestContext); if (lifetime != null && lifetime > 0) { statement.setSessionNotOnOrAfter(new DateTime().plus(lifetime)); statement.setSessionIndex(getIdGenerator().generateIdentifier()); statement.setSubjectLocality(locality); } else { log.debug("{} HttpServletRequest not available, omitting SubjectLocality element", getLogPrefix());
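/**
 * Converts the OpenSAML {@code AuthnStatement}s of an assertion into the
 * application's {@code AuthenticationStatement} model.
 *
 * <p>The authentication context class reference is what downstream code uses
 * to decide the assurance level of the login, so its absence is mapped
 * explicitly instead of being dereferenced blindly: a statement without an
 * {@code AuthnContext} yields a {@code null} authentication context, and a
 * context without a class reference is passed to
 * {@code AuthenticationContextClassReference.fromUrn} as {@code null}, which
 * is what the previous implementation already did for a missing URN string.
 *
 * @param authnStatements the statements to convert; {@code null} is treated as empty
 * @return a mutable list with one converted statement per input statement, in order
 */
protected List<AuthenticationStatement> getAuthenticationStatements(List<AuthnStatement> authnStatements) {
    final List<AuthenticationStatement> result = new LinkedList<>();
    for (final AuthnStatement s : ofNullable(authnStatements).orElse(emptyList())) {
        result.add(new AuthenticationStatement()
                .setSessionIndex(s.getSessionIndex())
                .setAuthInstant(s.getAuthnInstant())
                .setSessionNotOnOrAfter(s.getSessionNotOnOrAfter())
                .setAuthenticationContext(toAuthenticationContext(s.getAuthnContext())));
    }
    return result;
}

/**
 * Maps an OpenSAML {@code AuthnContext} to the application model, null-safely.
 *
 * @param authnContext the SAML authentication context, possibly {@code null}
 * @return the converted context, or {@code null} when {@code authnContext} is {@code null}
 */
private static AuthenticationContext toAuthenticationContext(final AuthnContext authnContext) {
    if (authnContext == null) {
        return null;
    }
    final AuthnContextClassRef classRef = authnContext.getAuthnContextClassRef();
    // A missing AuthnContextClassRef element is treated like a missing URN string.
    final String urn = classRef != null ? classRef.getAuthnContextClassRef() : null;
    return new AuthenticationContext()
            .setClassReference(AuthenticationContextClassReference.fromUrn(urn));
}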
/**
 * Builds a new {@code AuthnStatement} holding a single {@code AuthnContext}
 * whose class reference is {@code contextClassRef}.
 *
 * @param contextClassRef the authentication context class URI, e.g. {@link AuthnContext#PASSWORD_AUTHN_CTX}
 * @param authnInstant the instant at which the subject authenticated
 * @return the populated statement
 */
public AuthnStatement newAuthnStatement(final String contextClassRef, final DateTime authnInstant) {
    final AuthnStatement statement = newSamlObject(AuthnStatement.class);
    final AuthnContext context = newSamlObject(AuthnContext.class);
    final AuthnContextClassRef classReference = newSamlObject(AuthnContextClassRef.class);

    // Wire the tree bottom-up: class ref -> context -> statement.
    classReference.setAuthnContextClassRef(contextClassRef);
    context.setAuthnContextClassRef(classReference);

    statement.setAuthnInstant(authnInstant);
    statement.setAuthnContext(context);
    return statement;
}
DateTime authnInstant = authnStatement.getAuthnInstant(); DateTime sessionNotOnOrAfter = authnStatement.getSessionNotOnOrAfter(); String subjectLocalityAddress = null; if (authnStatement.getSubjectLocality() != null && authnStatement.getSubjectLocality().getAddress() != null) { subjectLocalityAddress = authnStatement.getSubjectLocality().getAddress();
/**
 * Validates every {@code AuthnStatement} of the assertion:
 * the authentication instant must be accepted by {@code isAuthnInstantValid},
 * and a {@code SessionNotOnOrAfter} bound, when present, must not already have passed.
 * The {@code AuthnContext} is not checked yet (see the TODO below); the
 * {@code context} parameter is currently not read by this method.
 *
 * @param authnStatements the statements to check
 * @param context the SAML message context
 * @throws SAMLAuthnInstantException if an authentication instant is outside the accepted window
 * @throws SAMLAuthnSessionCriteriaException if the IdP session bound is already in the past
 */
protected final void validateAuthenticationStatements(final List<AuthnStatement> authnStatements, final SAML2MessageContext context) {
    for (final AuthnStatement stmt : authnStatements) {
        if (!isAuthnInstantValid(stmt.getAuthnInstant())) {
            throw new SAMLAuthnInstantException("Authentication issue instant is too old or in the future");
        }
        final boolean sessionExpired =
                stmt.getSessionNotOnOrAfter() != null && stmt.getSessionNotOnOrAfter().isBeforeNow();
        if (sessionExpired) {
            throw new SAMLAuthnSessionCriteriaException("Authentication session between IDP and subject has ended");
        }
        // TODO implement authnContext validation
    }
}
final DateTime sessionBound = result.getSecond().getSessionNotOnOrAfter(); final long expiration; if (sessionBound != null) { result.getSecond().getSessionIndex());
/**
 * Returns the {@code SessionIndex} of the first {@code AuthnStatement} in the assertion.
 * Only the first statement is consulted; any further statements are ignored.
 *
 * @param subjectAssertion assertion from the response
 * @return the session index, or {@code null} when the assertion has no (non-null)
 *         authn statement or the statement carries no index
 */
protected String getSessionIndex(final Assertion subjectAssertion) {
    final List<AuthnStatement> statements = subjectAssertion.getAuthnStatements();
    if (statements == null || statements.isEmpty()) {
        return null;
    }
    final AuthnStatement first = statements.get(0);
    return first == null ? null : first.getSessionIndex();
}
if (assertion.getValidUntilDate() != null) { val dt = DateTimeUtils.zonedDateTimeOf(assertion.getValidUntilDate()); statement.setSessionNotOnOrAfter( DateTimeUtils.dateTimeOf(dt.plusSeconds(casProperties.getAuthn().getSamlIdp().getResponse().getSkewAllowance()))); statement.setSubjectLocality(subjectLocality); return statement;
authnStatement.setSessionIndex("1"); assertion.getAuthnStatements().add(authnStatement);
if (authnStatment.getSessionNotOnOrAfter() != null) { sessionNotOnOrAfter = Instant.ofEpochMilli(authnStatment.getSessionNotOnOrAfter().toDate().getTime());
: ((org.opensaml.saml.saml2.core.Response) response).getAssertions()) { for (final AuthnStatement statement : assertion.getAuthnStatements()) { if (statement.getAuthnInstant() != null) { return statement.getAuthnInstant();
final List<String> authnContexts = new ArrayList<>(); for (final AuthnStatement authnStatement : authnStatements) { if(authnStatement.getAuthnContext().getAuthnContextClassRef() != null) { authnContexts.add(authnStatement.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef());
authInstant = new DateTime(); authnStatement.setAuthnInstant(authInstant); authnStatement.setSessionNotOnOrAfter(sessionNotOnOrAfter); authnStatement.setSessionIndex(statementBean.getSessionIndex()); AuthnContext authnContext = authnContextBuilder.buildObject(); authnContext.setAuthnContextClassRef(authnContextClassRef); authnStatement.setAuthnContext(authnContext); subjectLocality.setAddress(subjectLocalityBean.getIpAddress()); authnStatement.setSubjectLocality(subjectLocality);
authStmt.setAuthnInstant(new DateTime()); authCtxClassRef.setAuthnContextClassRef(AuthnContext.PASSWORD_AUTHN_CTX); authContext.setAuthnContextClassRef(authCtxClassRef); authStmt.setAuthnContext(authContext); samlAssertion.getAuthnStatements().add(authStmt);
for (final Assertion assertion : ((Response) message).getAssertions()) { for (final AuthnStatement statement : assertion.getAuthnStatements()) { if (statement.getSessionIndex() != null) { indexes.add(statement.getSessionIndex());
: ((org.opensaml.saml.saml2.core.Response) response).getAssertions()) { for (final AuthnStatement statement : assertion.getAuthnStatements()) { if (statement.getAuthnContext() != null) { final AuthnContext ac = statement.getAuthnContext(); if (ac.getAuthnContextClassRef() != null) { return ac.getAuthnContextClassRef().getAuthnContextClassRef();
aref.setAuthnContextClassRef(stmt.getAuthenticationContext().getClassReference().toString()); actx.setAuthnContextClassRef(aref); authnStatement.setAuthnContext(actx); a.getAuthnStatements().add(authnStatement); authnStatement.setSessionIndex(stmt.getSessionIndex()); authnStatement.setSessionNotOnOrAfter(stmt.getSessionNotOnOrAfter()); authnStatement.setAuthnInstant(stmt.getAuthInstant());