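/**
 * Attaches a {@code <Conditions>} element to the assertion carrying a validity window
 * of {@code [now, now + assertionTtlSeconds)} and a single AudienceRestriction that names
 * {@code audienceURI} as the only intended relying party.
 *
 * Fix: the original called {@code new DateTime()} twice, so NotBefore and NotOnOrAfter were
 * anchored to slightly different instants and the window was not exactly
 * {@code assertionTtlSeconds} wide; both bounds now derive from one timestamp.
 *
 * @param assertion           the assertion to decorate (mutated in place)
 * @param assertionTtlSeconds length of the validity window, in seconds
 * @param audienceURI         entity ID of the intended audience
 */
private void buildAssertionConditions(Assertion assertion, int assertionTtlSeconds, String audienceURI) {
    // Single reference instant for both validity bounds.
    DateTime now = new DateTime();

    @SuppressWarnings("unchecked")
    SAMLObjectBuilder<Conditions> conditionsBuilder =
            (SAMLObjectBuilder<Conditions>) builderFactory.getBuilder(Conditions.DEFAULT_ELEMENT_NAME);
    Conditions conditions = conditionsBuilder.buildObject();
    conditions.setNotBefore(now);
    conditions.setNotOnOrAfter(now.plusSeconds(assertionTtlSeconds));

    @SuppressWarnings("unchecked")
    SAMLObjectBuilder<AudienceRestriction> audienceRestrictionBuilder =
            (SAMLObjectBuilder<AudienceRestriction>) builderFactory.getBuilder(AudienceRestriction.DEFAULT_ELEMENT_NAME);
    AudienceRestriction audienceRestriction = audienceRestrictionBuilder.buildObject();

    @SuppressWarnings("unchecked")
    SAMLObjectBuilder<Audience> audienceBuilder =
            (SAMLObjectBuilder<Audience>) builderFactory.getBuilder(Audience.DEFAULT_ELEMENT_NAME);
    Audience audience = audienceBuilder.buildObject();
    audience.setAudienceURI(audienceURI);

    // One restriction with one audience: only audienceURI may accept this assertion.
    audienceRestriction.getAudiences().add(audience);
    conditions.getAudienceRestrictions().add(audienceRestriction);
    assertion.setConditions(conditions);
}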
/** {@inheritDoc} */
protected void marshallElementContent(XMLObject samlObject, Element domElement) throws MarshallingException {
    // The only element content of <saml:Audience> is its URI, written as the DOM text node.
    final Audience audience = (Audience) samlObject;
    final String audienceUri = audience.getAudienceURI();
    XMLHelper.appendTextContent(domElement, audienceUri);
}
}
/**
 * Checks that the AudienceURI is present.
 *
 * @param audience the Audience element under validation
 * @throws ValidationException if the AudienceURI is missing or empty
 */
protected void validateAudienceURI(Audience audience) throws ValidationException {
    final String uri = audience.getAudienceURI();
    if (!DatatypeHelper.isEmpty(uri)) {
        return;
    }
    throw new ValidationException("AudienceURI required");
}
}
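/**
 * Snapshot of the Conditions element of the authenticating SAML assertion.
 *
 * Copies NotBefore/NotOnOrAfter and the audience URIs of the first AudienceRestriction
 * (only the first restriction is read, as before).
 *
 * Fix: an assertion whose Conditions element is absent, or whose Conditions carries no
 * AudienceRestriction, previously failed with NullPointerException /
 * IndexOutOfBoundsException; such assertions now yield null validity bounds and an
 * empty audience list. Callers that treat an empty list as "unrestricted" should
 * decide that policy explicitly.
 *
 * @param authentication authentication whose credentials carry the SAMLCredential
 */
public Conditions(Authentication authentication) {
    SAMLCredential credential = (SAMLCredential) authentication.getCredentials();
    Assertion assertion = credential.getAuthenticationAssertion();
    org.opensaml.saml2.core.Conditions conditions = assertion.getConditions();

    // Validity bounds are optional in the assertion; null means "not stated".
    notBefore = conditions == null ? null : conditions.getNotBefore();
    notOnOrAfter = conditions == null ? null : conditions.getNotOnOrAfter();

    audienceRestriction = new ArrayList<>();
    List<AudienceRestriction> audienceRestrictions =
            conditions == null ? null : conditions.getAudienceRestrictions();
    if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) {
        // Only the first AudienceRestriction is captured here.
        for (Audience audience : audienceRestrictions.get(0).getAudiences()) {
            audienceRestriction.add(audience.getAudienceURI());
        }
    }
}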
// One hour from now; `until` is not consumed in the visible lines.
DateTime until = new DateTime().plusHours(1);
// Point the first SubjectConfirmationData's Recipient at the SP endpoint.
assertion.getSubject().getSubjectConfirmations().get(0).getSubjectConfirmationData().setRecipient(spEndpoint);
// Rewrite the first Audience of the first AudienceRestriction; NOTE(review): get(0) assumes
// both lists are non-empty and throws otherwise.
assertion.getConditions().getAudienceRestrictions().get(0).getAudiences().get(0).setAudienceURI(audienceEntityID);
assertion.getIssuer().setValue(issuerEntityId);
assertion.getSubject().getNameID().setValue(username);
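/**
 * Get Audiences of SAML2 Response.
 *
 * Only the first assertion of the response is inspected; the audiences of all of its
 * AudienceRestrictions are flattened into one list, in document order.
 *
 * Fix: the original called {@code getAssertions().get(0)} before any emptiness check, so a
 * response with no assertions raised IndexOutOfBoundsException instead of returning an
 * empty list.
 *
 * @param samlResponse SAML2 Response
 * @return audience URIs of the first assertion; empty (never null) when the response has
 *         no assertions, the assertion has no Conditions, or there is no AudienceRestriction
 */
private List<String> getAudiencesFromSAMLResponse(ResponseImpl samlResponse) {
    List<String> audiences = new ArrayList<>();

    List<Assertion> assertions = samlResponse.getAssertions();
    if (assertions == null || assertions.isEmpty()) {
        return audiences;
    }
    Assertion assertion = assertions.get(0);
    if (assertion == null) {
        return audiences;
    }
    Conditions conditions = assertion.getConditions();
    if (conditions == null) {
        return audiences;
    }
    List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
    if (audienceRestrictions == null) {
        return audiences;
    }
    for (AudienceRestriction audienceRestriction : audienceRestrictions) {
        List<Audience> restrictionAudiences = audienceRestriction.getAudiences();
        if (restrictionAudiences == null) {
            continue;
        }
        for (Audience audience : restrictionAudiences) {
            // The URI may be null for an empty <Audience/>; it is passed through as-is.
            audiences.add(audience.getAudienceURI());
        }
    }
    return audiences;
}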
/** {@inheritDoc} */
protected void processElementContent(XMLObject samlObject, String elementContent) {
    // The text content of <saml:Audience> is the audience URI itself.
    final Audience target = (Audience) samlObject;
    target.setAudienceURI(elementContent);
}
}
// Scan this restriction's audiences for the configured SSO issuer. The configured value is the
// equals() receiver, so an <Audience> with no URI text (null) compares false instead of throwing.
boolean audienceFound = false;
for (Audience audience : audienceRestriction.getAudiences()) {
    if (webApp.getSaml2SsoIssuer().equals(audience.getAudienceURI())) {
        audienceFound = true;
        break;
/**
 * Create an AudienceRestriction model
 *
 * @param audienceURI of type String
 * @return an AudienceRestriction model holding a single Audience with the given URI
 */
@SuppressWarnings("unchecked")
public static AudienceRestriction createAudienceRestriction(String audienceURI) {
    // Builders are looked up lazily and cached in the static fields on first use.
    if (null == audienceBuilder) {
        audienceBuilder = (SAMLObjectBuilder<Audience>) builderFactory.getBuilder(Audience.DEFAULT_ELEMENT_NAME);
    }
    if (null == audienceRestrictionBuilder) {
        audienceRestrictionBuilder = (SAMLObjectBuilder<AudienceRestriction>) builderFactory.getBuilder(AudienceRestriction.DEFAULT_ELEMENT_NAME);
    }

    Audience audience = audienceBuilder.buildObject();
    audience.setAudienceURI(audienceURI);

    AudienceRestriction restriction = audienceRestrictionBuilder.buildObject();
    restriction.getAudiences().add(audience);
    return restriction;
}
}
// spId is the locally configured value, so it is the equals() receiver: a missing
// AudienceURI (null) yields false rather than a NullPointerException.
if (spId.equals(audience.getAudienceURI())) {
    return true;
/**
 * Create an AudienceRestriction object
 *
 * @param audienceRestrictionBean of type AudienceRestrictionBean
 * @return an AudienceRestriction object with one Audience per URI in the bean
 */
@SuppressWarnings("unchecked")
public static AudienceRestriction createAudienceRestriction(AudienceRestrictionBean audienceRestrictionBean) {
    // Lazily resolve and cache the builders in the static fields.
    if (audienceRestrictionBuilder == null) {
        audienceRestrictionBuilder = (SAMLObjectBuilder<AudienceRestriction>) builderFactory.getBuilder(AudienceRestriction.DEFAULT_ELEMENT_NAME);
    }
    if (audienceBuilder == null) {
        audienceBuilder = (SAMLObjectBuilder<Audience>) builderFactory.getBuilder(Audience.DEFAULT_ELEMENT_NAME);
    }

    AudienceRestriction restriction = audienceRestrictionBuilder.buildObject();
    for (String uri : audienceRestrictionBean.getAudienceURIs()) {
        Audience entry = audienceBuilder.buildObject();
        entry.setAudienceURI(uri);
        restriction.getAudiences().add(entry);
    }
    return restriction;
}
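/**
 * Verifies that the assertion's AudienceRestrictions name the token endpoint alias of the
 * given identity provider.
 *
 * Fix: the original compared {@code audience.getAudienceURI().equals(tokenEndpointAlias)},
 * which throws NullPointerException for an {@code <Audience>} element without URI text;
 * such an audience is now simply treated as a non-match.
 *
 * @param identityProvider   identity provider whose alias is expected as audience
 * @param conditions         Conditions element of the assertion under validation
 * @param tokenEndpointAlias expected audience value
 * @param tenantDomain       tenant the validation runs in (used for diagnostics)
 * @return {@code true} when the alias is found among the audiences
 * @throws IdentityOAuth2Exception if the alias is not found, or if the delegated
 *                                 validateTokenEPAlias / validateAudienceRestriction fail
 */
private boolean validateAudience(IdentityProvider identityProvider, Conditions conditions, String tokenEndpointAlias,
                                 String tenantDomain) throws IdentityOAuth2Exception {
    validateTokenEPAlias(identityProvider, tokenEndpointAlias, tenantDomain);
    List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
    validateAudienceRestriction(audienceRestrictions);

    // Checking if tokenEP Alias is found among the audiences
    if (!containsAudience(audienceRestrictions, tokenEndpointAlias)) {
        if (log.isDebugEnabled()) {
            log.debug("SAML Assertion Audience Restriction validation failed against the Audience : " +
                    tokenEndpointAlias + " of Identity Provider : " +
                    identityProvider.getIdentityProviderName() + " in tenant : " + tenantDomain);
        }
        throw new IdentityOAuth2Exception("SAML Assertion Audience Restriction validation failed");
    }
    return true;
}

/**
 * Returns {@code true} if any Audience in any of the given restrictions has exactly the
 * expected URI. Restrictions with no audiences and audiences with no URI text are skipped.
 */
private static boolean containsAudience(List<AudienceRestriction> audienceRestrictions, String expectedAudience) {
    for (AudienceRestriction audienceRestriction : audienceRestrictions) {
        List<Audience> audiences = audienceRestriction.getAudiences();
        if (audiences == null || audiences.isEmpty()) {
            continue;
        }
        for (Audience audience : audiences) {
            String audienceUri = audience.getAudienceURI();
            // Null-guard the assertion-supplied value; a null expectedAudience still never matches.
            if (audienceUri != null && audienceUri.equals(expectedAudience)) {
                return true;
            }
        }
    }
    return false;
}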
/**
 * Create an AudienceRestriction object
 *
 * @param audienceRestrictionBean of type AudienceRestrictionBean
 * @return an AudienceRestriction object carrying one Audience for each URI in the bean
 */
@SuppressWarnings("unchecked")
public static AudienceRestriction createAudienceRestriction(AudienceRestrictionBean audienceRestrictionBean) {
    // Builders are resolved on first use and kept in the static fields.
    if (audienceRestrictionBuilder == null) {
        audienceRestrictionBuilder = (SAMLObjectBuilder<AudienceRestriction>) builderFactory.getBuilder(AudienceRestriction.DEFAULT_ELEMENT_NAME);
    }
    if (audienceBuilder == null) {
        audienceBuilder = (SAMLObjectBuilder<Audience>) builderFactory.getBuilder(Audience.DEFAULT_ELEMENT_NAME);
    }

    AudienceRestriction result = audienceRestrictionBuilder.buildObject();
    for (String audienceURI : audienceRestrictionBean.getAudienceURIs()) {
        result.getAudiences().add(newAudience(audienceURI));
    }
    return result;
}

/** Builds a single Audience element carrying the given URI (requires audienceBuilder to be set). */
private static Audience newAudience(String audienceURI) {
    Audience audience = audienceBuilder.buildObject();
    audience.setAudienceURI(audienceURI);
    return audience;
}
/**
 * Verifies the audience restrictions of the assertion against the local entity.
 *
 * Multiple AudienceRestrictions are combined as a logical AND: the local entity must be
 * named in every one of them. Multiple Audiences inside one AudienceRestriction are a
 * logical OR: any one of them matching is enough (saml-core, 922-925).
 *
 * @param context              context providing the local entity ID
 * @param audienceRestrictions audience restrictions to verify
 * @throws SAMLException if a restriction has no audiences, or the local entity is not named
 *                       in at least one restriction
 */
protected void verifyAudience(SAMLMessageContext context, List<AudienceRestriction> audienceRestrictions) throws SAMLException {
    for (AudienceRestriction restriction : audienceRestrictions) {
        List<Audience> audiences = restriction.getAudiences();
        if (audiences.size() == 0) {
            throw new SAMLException("No audit audience specified for the assertion");
        }

        boolean localEntityNamed = false;
        for (Audience candidate : audiences) {
            // The local entity ID is the equals() receiver, so a null AudienceURI just fails to match.
            if (context.getLocalEntityId().equals(candidate.getAudienceURI())) {
                localEntityNamed = true;
                break;
            }
        }

        if (!localEntityNamed) {
            throw new SAMLException("Local entity is not the intended audience of the assertion in at least one AudienceRestriction");
        }
    }
}
// Register audienceURI as one <Audience> of the ProxyRestriction being built.
audience.setAudienceURI(audienceURI);
proxyRestriction.getAudiences().add(audience);
// Strict equality between the assertion's Audience and the expected audienceUri. The
// assertion-supplied value is the equals() receiver here, so an <Audience> element with no
// URI text (null) would raise NullPointerException instead of failing validation cleanly —
// NOTE(review): audienceUri.equals(audience.getAudienceURI()) would avoid that.
if (!audience.getAudienceURI().equals(audienceUri)) {
    LOG.debug("expected audience URI: " + audienceUri);
    LOG.debug("audience URI: " + audience.getAudienceURI());
    throw new AssertionValidationException(
            "AudienceURI does not match expected recipient");
// Attach the Audience with the given URI to the ProxyRestriction under construction.
audience.setAudienceURI(audienceURI);
proxyRestriction.getAudiences().add(audience);
// The configured spId is the equals() receiver, so an <Audience> without URI text (null)
// compares false here instead of throwing.
if (spId.equals(audience.getAudienceURI())) {
    return true;
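/**
 * Builds a SAML 2.0 Assertion for the given principal.
 *
 * The Subject is only set when the status code is {@code StatusCode.SUCCESS_URI}. The
 * Conditions element carries a single AudienceRestriction naming the principal's service
 * provider entity ID.
 *
 * Fix: the original called {@code new DateTime()} separately for the AuthnStatement and
 * for IssueInstant, so the two timestamps could differ; one instant is now used for both.
 *
 * NOTE(review): Conditions gets no NotBefore/NotOnOrAfter here, so the assertion carries no
 * validity window of its own — confirm that this is intended for the relying parties.
 *
 * @param principal the authenticated principal the assertion is about
 * @param status    status of the response the assertion belongs to
 * @param entityId  entity ID of the issuer
 * @return a new assertion with a random ID and the current issue instant
 */
public static Assertion buildAssertion(SAMLPrincipal principal, Status status, String entityId) {
    // Single instant for the AuthnStatement and IssueInstant so they agree exactly.
    DateTime now = new DateTime();

    Assertion assertion = buildSAMLObject(Assertion.class, Assertion.DEFAULT_ELEMENT_NAME);
    if (status.getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
        Subject subject = buildSubject(principal.getNameID(), principal.getNameIDType(),
                principal.getAssertionConsumerServiceURL(), principal.getRequestID());
        assertion.setSubject(subject);
    }

    Issuer issuer = buildIssuer(entityId);

    // Conditions: one AudienceRestriction with the SP entity ID as its only Audience.
    Audience audience = buildSAMLObject(Audience.class, Audience.DEFAULT_ELEMENT_NAME);
    audience.setAudienceURI(principal.getServiceProviderEntityID());
    AudienceRestriction audienceRestriction =
            buildSAMLObject(AudienceRestriction.class, AudienceRestriction.DEFAULT_ELEMENT_NAME);
    audienceRestriction.getAudiences().add(audience);
    Conditions conditions = buildSAMLObject(Conditions.class, Conditions.DEFAULT_ELEMENT_NAME);
    conditions.getAudienceRestrictions().add(audienceRestriction);
    assertion.setConditions(conditions);

    AuthnStatement authnStatement = buildAuthnStatement(now, entityId);
    assertion.setIssuer(issuer);
    assertion.getAuthnStatements().add(authnStatement);
    assertion.getAttributeStatements().add(buildAttributeStatement(principal.getAttributes()));
    assertion.setID(randomSAMLId());
    assertion.setIssueInstant(now);
    return assertion;
}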
) {
    for (Audience audience : audienceRestriction.getAudiences()) {
        // The configured SP entity ID is the equals() receiver, so a null AudienceURI
        // compares false rather than throwing.
        if (ssoAgentConfig.getSAML2().getSPEntityId().equals(audience.getAudienceURI())) {
            audienceFound = true;
            break;