spSsoDescriptor.setAuthnRequestsSigned(true); spSsoDescriptor.setWantAssertionsSigned(true); spSsoDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); .map(SamlNameIdFormat::urn) .collect(Collectors.toList()); spSsoDescriptor.getNameIDFormats().addAll(buildNameIdFormatElements(nameIdFormats)); final List<SingleLogoutService> sloList = spSsoDescriptor.getSingleLogoutServices(); singleLogoutEndpoints.forEach(endpoint -> { final SingleLogoutService slo = build(SingleLogoutService.DEFAULT_ELEMENT_NAME); final List<AssertionConsumerService> services = spSsoDescriptor.getAssertionConsumerServices(); for (final SamlAssertionConsumerConfig acs : assertionConsumerConfigs) { services.add(buildAssertionConsumerServiceElement(acs, portConfig, defaultHostname, acsIndex++)); spSsoDescriptor.getKeyDescriptors().add( buildKeyDescriptorElement(UsageType.SIGNING, keyInfoGenerator.generate(signingCredential))); spSsoDescriptor.getKeyDescriptors().add( buildKeyDescriptorElement(UsageType.ENCRYPTION, keyInfoGenerator.generate(encryptionCredential)));
assertThat(sp.isAuthnRequestsSigned()).isTrue(); assertThat(sp.getWantAssertionsSigned()).isTrue(); final List<KeyDescriptor> kd = sp.getKeyDescriptors(); assertThat(kd.get(0).getUse().name()).isEqualToIgnoringCase("signing"); assertThat(kd.get(1).getUse().name()).isEqualToIgnoringCase("encryption"); final List<SingleLogoutService> slo = sp.getSingleLogoutServices(); assertThat(slo.get(0).getLocation()) .isEqualTo("http://" + spHostname + ':' + rule.httpPort() + "/saml/slo/post"); assertThat(slo.get(1).getBinding()).isEqualTo(SAMLConstants.SAML2_REDIRECT_BINDING_URI); final List<AssertionConsumerService> acs = sp.getAssertionConsumerServices();
final SPSSODescriptor spDescriptor = builder.buildObject(); spDescriptor.setAuthnRequestsSigned(this.authnRequestSigned); spDescriptor.setWantAssertionsSigned(this.wantAssertionSigned); spDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); spDescriptor.addSupportedProtocol(SAMLConstants.SAML10P_NS); spDescriptor.addSupportedProtocol(SAMLConstants.SAML11P_NS); spDescriptor.setExtensions(extensions); spDescriptor.getNameIDFormats().addAll(buildNameIDFormat()); spDescriptor.getAssertionConsumerServices() .add(getAssertionConsumerService(SAMLConstants.SAML2_POST_BINDING_URI, index++, this.defaultACSIndex == index)); spDescriptor.getSingleLogoutServices().add(getSingleLogoutService(SAMLConstants.SAML2_POST_BINDING_URI)); spDescriptor.getSingleLogoutServices().add(getSingleLogoutService(SAMLConstants.SAML2_REDIRECT_BINDING_URI)); spDescriptor.getSingleLogoutServices().add(getSingleLogoutService(SAMLConstants.SAML2_SOAP11_BINDING_URI)); spDescriptor.getKeyDescriptors().add(getKeyDescriptor(UsageType.SIGNING, this.credentialProvider.getKeyInfo())); spDescriptor.getKeyDescriptors().add(getKeyDescriptor(UsageType.ENCRYPTION, this.credentialProvider.getKeyInfo())); spDescriptor.getAttributeConsumingServices().add(attributeService);
SPSSODescriptor desc = (SPSSODescriptor) descriptor; ServiceProvider provider = new ServiceProvider(); provider.setId(desc.getID()); provider.setValidUntil(desc.getValidUntil()); if (desc.getCacheDuration() != null) { provider.setCacheDuration(toDuration(desc.getCacheDuration())); provider.setProtocolSupportEnumeration(desc.getSupportedProtocols()); provider.setNameIds(getNameIDs(desc.getNameIDFormats())); provider.setArtifactResolutionService(getEndpoints(desc.getArtifactResolutionServices())); provider.setSingleLogoutService(getEndpoints(desc.getSingleLogoutServices())); provider.setManageNameIDService(getEndpoints(desc.getManageNameIDServices())); provider.setAuthnRequestsSigned(desc.isAuthnRequestsSigned()); provider.setWantAssertionsSigned(desc.getWantAssertionsSigned()); provider.setAssertionConsumerService(getEndpoints(desc.getAssertionConsumerServices())); provider.setRequestedAttributes(getRequestAttributes(desc)); provider.setKeys(getProviderKeys(descriptor));
SPSSODescriptor descriptor = getSPSSODescriptor(); roleDescriptor = descriptor; descriptor.setAuthnRequestsSigned(sp.isAuthnRequestsSigned()); descriptor.setWantAssertionsSigned(sp.isWantAssertionsSigned()); descriptor.getNameIDFormats().add(getNameIDFormat(id)); descriptor.getAssertionConsumerServices().add(getAssertionConsumerService(ep, i)); descriptor.getArtifactResolutionServices().add(getArtifactResolutionService(ep, i)); descriptor.getSingleLogoutServices().add(getSingleLogoutService(ep)); .getAttributeConsumingServices() .add(getAttributeConsumingService(sp.getRequestedAttributes()));
signingKeyInfo.getX509Datas().add(signingX509Data); signingKeyDescriptor.setKeyInfo(signingKeyInfo); spSsoDescriptor.getKeyDescriptors().add(signingKeyDescriptor); encKeyInfo.getX509Datas().add(encX509Data); encKeyDescriptor.setKeyInfo(encKeyInfo); spSsoDescriptor.getKeyDescriptors().add(encKeyDescriptor); spSsoDescriptor.getNameIDFormats().add(nameIDFormat); addSingleLogoutLocation(singleLogOutLocation, spSsoDescriptor.getSingleLogoutServices()); assertionConsumerService.setIndex(acsIndex++); assertionConsumerService.setLocation(assertionConsumerServiceLocationRedirect); spSsoDescriptor.getAssertionConsumerServices().add(assertionConsumerService); assertionConsumerService.setIndex(acsIndex++); assertionConsumerService.setLocation(assertionConsumerServiceLocationPost); spSsoDescriptor.getAssertionConsumerServices().add(assertionConsumerService); assertionConsumerServicePaos.setIndex(acsIndex); assertionConsumerServicePaos.setLocation(assertionConsumerServiceLocationPaos); spSsoDescriptor.getAssertionConsumerServices().add(assertionConsumerServicePaos); spSsoDescriptor.addSupportedProtocol(SUPPORTED_PROTOCOL);
/** {@inheritDoc} */
protected void processChildElement(XMLObject parentSAMLObject, XMLObject childSAMLObject)
        throws UnmarshallingException {
    // Only the two child elements specific to an SP role are attached here; every
    // other child is delegated to the parent unmarshaller unchanged.
    final SPSSODescriptor spDescriptor = (SPSSODescriptor) parentSAMLObject;
    if (childSAMLObject instanceof AssertionConsumerService) {
        final AssertionConsumerService acs = (AssertionConsumerService) childSAMLObject;
        spDescriptor.getAssertionConsumerServices().add(acs);
        return;
    }
    if (childSAMLObject instanceof AttributeConsumingService) {
        final AttributeConsumingService attrService = (AttributeConsumingService) childSAMLObject;
        spDescriptor.getAttributeConsumingServices().add(attrService);
        return;
    }
    super.processChildElement(parentSAMLObject, childSAMLObject);
}
/**
 * Does the {@link EntityDescriptor} have a {@link MetadataServiceRegistry#PROXY_BINDING} acs.
 *
 * @param entity what to look at
 * @return whether it is authorized to proxy
 */
private boolean isAuthorizedToProxy(@Nonnull final EntityDescriptor entity) {
    final SPSSODescriptor spRole = entity.getSPSSODescriptor(AbstractProtocolConfiguration.PROTOCOL_URI);
    if (spRole == null) {
        // No SP role for this protocol, so nothing can have declared the proxy binding.
        return false;
    }
    // Authorization is expressed solely by an ACS whose binding is the proxy binding.
    return spRole.getAssertionConsumerServices().stream()
            .map(AssertionConsumerService::getBinding)
            .anyMatch(PROXY_BINDING::equals);
}
/** {@inheritDoc} */
protected void processAttribute(XMLObject samlObject, Attr attribute) throws UnmarshallingException {
    final SPSSODescriptor spDescriptor = (SPSSODescriptor) samlObject;
    final String attrName = attribute.getLocalName();
    // The two boolean flags that only SPSSODescriptor carries are parsed here; any other
    // attribute is handed to the parent unmarshaller.
    if (attrName.equals(SPSSODescriptor.AUTH_REQUESTS_SIGNED_ATTRIB_NAME)) {
        spDescriptor.setAuthnRequestsSigned(XSBooleanValue.valueOf(attribute.getValue()));
    } else if (attrName.equals(SPSSODescriptor.WANT_ASSERTIONS_SIGNED_ATTRIB_NAME)) {
        spDescriptor.setWantAssertionsSigned(XSBooleanValue.valueOf(attribute.getValue()));
    } else {
        super.processAttribute(samlObject, attribute);
    }
}
}
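/**
 * Resolves the assertion consumer service (ACS) of this SP.
 * Lookup order: the service whose index equals {@code acsIndex} when an index is given,
 * otherwise the descriptor's default service, otherwise the first declared service.
 *
 * @param acsIndex the requested ACS index as a decimal string, or {@code null} to use the default
 * @return the selected assertion consumer service, never {@code null}
 * @throws SAMLException if an index was given but no service carries it, or if the
 *         descriptor declares no assertion consumer service at all
 * @throws NumberFormatException if {@code acsIndex} is non-null and not a valid integer
 */
public final AssertionConsumerService getSPAssertionConsumerService(final String acsIndex) {
    final SPSSODescriptor spssoDescriptor = getSPSSODescriptor();
    final List<AssertionConsumerService> services = spssoDescriptor.getAssertionConsumerServices();

    // Get by index
    if (acsIndex != null) {
        // Parse once, outside the loop; a malformed index now fails before the scan
        // rather than on the first iteration (and also when the list is empty).
        final Integer requestedIndex = Integer.valueOf(acsIndex);
        for (final AssertionConsumerService service : services) {
            if (requestedIndex.equals(service.getIndex())) {
                return service;
            }
        }
        throw new SAMLException("Assertion consumer service with index " + acsIndex
            + " could not be found for spDescriptor " + spssoDescriptor);
    }

    // Get default
    final AssertionConsumerService defaultService = spssoDescriptor.getDefaultAssertionConsumerService();
    if (defaultService != null) {
        return defaultService;
    }

    // Get first
    if (!services.isEmpty()) {
        return services.get(0);
    }

    throw new SAMLException("No assertion consumer services could be found for " + spssoDescriptor);
}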
/**
 * Collects the attributes an SP requests: from its default AttributeConsumingService when
 * one is declared, otherwise from the first non-null AttributeConsumingService listed.
 *
 * @param desc the SP role descriptor to read from
 * @return the requested attributes, empty when the descriptor declares none
 */
protected List<Attribute> getRequestAttributes(SPSSODescriptor desc) {
    final List<Attribute> requested = new LinkedList<>();
    final AttributeConsumingService defaultService = desc.getDefaultAttributeConsumingService();
    if (defaultService != null) {
        requested.addAll(getRequestedAttributes(defaultService.getRequestAttributes()));
        return requested;
    }
    // No explicit default: fall back to the first non-null entry, if any
    ofNullable(desc.getAttributeConsumingServices()).orElse(emptyList()).stream()
            .filter(service -> service != null)
            .findFirst()
            .ifPresent(service -> requested.addAll(getRequestedAttributes(service.getRequestAttributes())));
    return requested;
}
/**
 * Whether the wrapped SP descriptor declares that its authentication requests are signed
 * (the {@code AuthnRequestsSigned} metadata flag).
 *
 * @return the descriptor's AuthnRequestsSigned flag
 */
public boolean isAuthnRequestsSigned() {
    return ssoDescriptor.isAuthnRequestsSigned();
}
/**
 * Key descriptors published by the wrapped SP descriptor.
 *
 * @return the descriptor's key descriptor list exactly as the wrapped object returns it;
 *         no defensive copy is made here
 */
public List<KeyDescriptor> getKeyDescriptors() {
    return ssoDescriptor.getKeyDescriptors();
}
return ((SPSSODescriptor) roleDescriptor).getAttributeConsumingServices(); } else if (roleDescriptor instanceof AttributeQueryDescriptorType) { log.debug("Resolving AttributeConsumingService candidates from AttributeQueryDescriptorType");
final NameIDFormat nif = formatBuilder.buildObject(); nif.setFormat(format); ((SPSSODescriptor) role).getNameIDFormats().add(nif); } else if (role instanceof AttributeAuthorityDescriptor) { final NameIDFormat nif = formatBuilder.buildObject();
/**
 * Validates the SAML logout response.
 *
 * @param logoutResponse the logout response
 * @param context the context
 * @param engine the signature engine
 */
protected void validateLogoutResponse(final LogoutResponse logoutResponse, final SAML2MessageContext context,
                                      final SignatureTrustEngine engine) {
    validateSuccess(logoutResponse.getStatus());
    // Signature and issuer are validated only when present, per the helper names.
    validateSignatureIfItExists(logoutResponse.getSignature(), context, engine);
    validateIssueInstant(logoutResponse.getIssueInstant());
    validateIssuerIfItExists(logoutResponse.getIssuer(), context);
    // NOTE(review): Destination is compared against the first SLO endpoint only, and get(0)
    // throws if the SP metadata declares no SingleLogoutService — confirm both are intended.
    final String destination = logoutResponse.getDestination();
    verifyEndpoint(context.getSPSSODescriptor().getSingleLogoutServices().get(0), destination);
}
/**
 * Whether the wrapped SP descriptor requires assertions to be signed
 * (the {@code WantAssertionsSigned} metadata flag).
 *
 * @return the descriptor's WantAssertionsSigned flag
 */
public boolean isWantAssertionsSigned() {
    return ssoDescriptor.getWantAssertionsSigned();
}
it.forEach(entityDescriptor -> { val spssoDescriptor = entityDescriptor.getSPSSODescriptor(SAMLConstants.SAML20P_NS); val acsEndpoints = spssoDescriptor.getAssertionConsumerServices(); if (acsEndpoints.isEmpty()) { throw new IllegalArgumentException("Metadata resolved for entity id " + issuer + " has no defined ACS endpoints");
if (null != index) { log.debug("{} Request specified AttributeConsumingService index {}", getLogPrefix(), index); for (final AttributeConsumingService acsEntry : ssoDescriptor.getAttributeConsumingServices()) { if (index.intValue() == acsEntry.getIndex()) { acs = acsEntry; acs = ssoDescriptor.getDefaultAttributeConsumingService();
/**
 * Decides whether the outbound authentication request must be signed.
 * Local configuration wins; otherwise either side's metadata can demand a signature.
 *
 * @param spDescriptor this SP's role descriptor
 * @param idpssoDescriptor the target IdP's role descriptor
 * @return {@code true} when the request has to be signed before submission
 */
@Override
protected boolean mustSignRequest(final SPSSODescriptor spDescriptor, final IDPSSODescriptor idpssoDescriptor) {
    if (this.isRequestSigned) {
        logger.debug("Requests are expected to be always signed before submission");
        return true;
    }
    if (spDescriptor.isAuthnRequestsSigned()) {
        logger.debug("The service provider metadata indicates that authn requests are signed");
        return true;
    }
    if (idpssoDescriptor.getWantAuthnRequestsSigned()) {
        logger.debug("The identity provider metadata indicates that authn requests may be signed");
        return true;
    }
    return false;
}