/**
 * Appends one {@code AuthnStatement} to {@code assertion}.
 *
 * <p>The statement carries the current time as AuthnInstant, a SessionIndex from
 * {@code generateID()}, and an AuthnContext whose class reference is the constant
 * {@code AuthnContext.PASSWORD_AUTHN_CTX}. That class reference is fixed here and does not
 * reflect how the user was actually authenticated, so relying parties must not treat it as
 * evidence of the authentication method.
 *
 * @param assertion the assertion that receives the statement; must not be null
 */
private void buildAssertionAuthnStatement(Assertion assertion) {
    // Innermost element first: the class reference.
    @SuppressWarnings("unchecked")
    SAMLObjectBuilder<AuthnContextClassRef> classRefBuilder =
        (SAMLObjectBuilder<AuthnContextClassRef>) builderFactory.getBuilder(AuthnContextClassRef.DEFAULT_ELEMENT_NAME);
    AuthnContextClassRef classRef = classRefBuilder.buildObject();
    classRef.setAuthnContextClassRef(AuthnContext.PASSWORD_AUTHN_CTX);

    // Wrap it in an AuthnContext.
    @SuppressWarnings("unchecked")
    SAMLObjectBuilder<AuthnContext> contextBuilder =
        (SAMLObjectBuilder<AuthnContext>) builderFactory.getBuilder(AuthnContext.DEFAULT_ELEMENT_NAME);
    AuthnContext context = contextBuilder.buildObject();
    context.setAuthnContextClassRef(classRef);

    // The statement itself: timestamp, session index, context.
    @SuppressWarnings("unchecked")
    SAMLObjectBuilder<AuthnStatement> statementBuilder =
        (SAMLObjectBuilder<AuthnStatement>) builderFactory.getBuilder(AuthnStatement.DEFAULT_ELEMENT_NAME);
    AuthnStatement statement = statementBuilder.buildObject();
    statement.setAuthnInstant(new DateTime());
    statement.setSessionIndex(generateID());
    statement.setAuthnContext(context);

    assertion.getAuthnStatements().add(statement);
}
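/**
 * Collects the user attributes that the identity-provider definition maps from the SAML credential.
 *
 * <p>Each entry of {@code definition.getAttributeMappings()} whose value is a {@code String} names a
 * SAML attribute in {@code credential}; every value of that attribute that {@code getStringValue}
 * renders as non-null is added under the mapping key. In addition, the AuthnContextClassRef of every
 * AuthnStatement in the authentication assertion is added under
 * {@code AUTHENTICATION_CONTEXT_CLASS_REFERENCE}.
 *
 * @param definition identity-provider definition holding the attribute mappings; may be null, in
 *     which case no mapped attributes are collected
 * @param credential the SAML credential the attributes are read from; must not be null
 * @return a multi-valued map of attribute name to values; never null, possibly empty
 */
public MultiValueMap<String, String> retrieveUserAttributes(SamlIdentityProviderDefinition definition, SAMLCredential credential) {
    MultiValueMap<String, String> userAttributes = new LinkedMultiValueMap<>();
    // Log only when there is a definition to describe: the guard below already tolerates a null
    // definition, but dereferencing it in the log statement first threw an NPE.
    if (definition != null) {
        logger.debug(String.format("Retrieving SAML user attributes [zone:%s, origin:%s]",
                definition.getZoneId(), definition.getIdpEntityAlias()));
    }
    if (definition != null && definition.getAttributeMappings() != null) {
        for (Entry<String, Object> attributeMapping : definition.getAttributeMappings().entrySet()) {
            // Only String-valued mappings name a SAML attribute; other value types are skipped.
            if (!(attributeMapping.getValue() instanceof String)) {
                continue;
            }
            String samlAttributeName = (String) attributeMapping.getValue();
            if (credential.getAttribute(samlAttributeName) == null) {
                continue;
            }
            String key = attributeMapping.getKey();
            for (XMLObject xmlObject : credential.getAttribute(samlAttributeName).getAttributeValues()) {
                String value = getStringValue(key, definition, xmlObject);
                if (value != null) {
                    userAttributes.add(key, value);
                }
            }
        }
    }
    // Record the AuthnContextClassRef of every authentication statement so callers can see how
    // the IdP claims the user authenticated.
    if (credential.getAuthenticationAssertion() != null && credential.getAuthenticationAssertion().getAuthnStatements() != null) {
        for (AuthnStatement statement : credential.getAuthenticationAssertion().getAuthnStatements()) {
            if (statement.getAuthnContext() != null && statement.getAuthnContext().getAuthnContextClassRef() != null) {
                userAttributes.add(AUTHENTICATION_CONTEXT_CLASS_REFERENCE,
                        statement.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef());
            }
        }
    }
    return userAttributes;
}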
// Statement under construction; the enclosing method and the builders/objects it references are not shown here.
AuthnStatement authnStatement = authnStatementBuilder.buildObject();
authnStatement.setAuthnInstant(new DateTime()); // AuthnInstant = now
authnStatement.setSessionIndex("12345"); // NOTE(review): hard-coded SessionIndex - presumably fixture data; confirm
authnStatement.setSubjectLocality(subjectLocality);
// Context built fresh, class reference taken from the prebuilt object in scope.
AuthnContext authnContext = authnContextBuilder.buildObject();
authnContext.setAuthnContextClassRef(authnContextClassRef);
authnStatement.setAuthnContext(authnContext);
/**
 * Builds an {@code AuthnStatement} from the context and instant held by this builder.
 *
 * @return a freshly built statement on which only AuthnInstant and AuthnContext are populated
 */
@Override
public AuthnStatement build() {
    final AuthnStatement statement = new AuthnStatementBuilder().buildObject();
    statement.setAuthnInstant(authnInstant);
    statement.setAuthnContext(authnContext);
    return statement;
}
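/**
 * Extracts the authentication-statement facts from the SAML credential carried by
 * {@code authentication}.
 *
 * <p>Only the first {@code AuthnStatement} of the authentication assertion is consulted.
 *
 * @param authentication authentication whose credentials are a {@code SAMLCredential}
 * @throws IllegalArgumentException if the assertion carries no AuthnStatement (previously this
 *     surfaced as an IndexOutOfBoundsException from {@code get(0)})
 */
public AuthenticationStatement(Authentication authentication) {
    SAMLCredential credential = (SAMLCredential) authentication.getCredentials();
    Assertion assertion = credential.getAuthenticationAssertion();
    List<AuthnStatement> authnStatements = assertion.getAuthnStatements();
    if (authnStatements == null || authnStatements.isEmpty()) {
        throw new IllegalArgumentException("SAML assertion does not contain an AuthnStatement");
    }
    AuthnStatement authnStatement = authnStatements.get(0);
    authenticationInstance = authnStatement.getAuthnInstant();
    sessionValidity = authnStatement.getSessionNotOnOrAfter();
    sessionIndex = authnStatement.getSessionIndex();
    // AuthnContextClassRef is optional in SAML 2.0 (an IdP may send a declaration reference
    // instead), so resolve it null-safely rather than dereferencing the chain blindly.
    if (authnStatement.getAuthnContext() != null
            && authnStatement.getAuthnContext().getAuthnContextClassRef() != null) {
        authenticationContextClass = authnStatement.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef();
    } else {
        authenticationContextClass = null;
    }
    SubjectLocality subjectLocalityValue = authnStatement.getSubjectLocality();
    subjectLocality = subjectLocalityValue == null ? null : subjectLocalityValue.getAddress();
}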
/**
 * {@inheritDoc}
 *
 * <p>Handles the three attributes of an AuthnStatement: AuthnInstant and SessionNotOnOrAfter
 * are parsed as ISO timestamps in UTC (only when non-empty), SessionIndex is copied verbatim.
 * Everything else - including an empty AuthnInstant/SessionNotOnOrAfter - goes to the parent.
 */
protected void processAttribute(XMLObject samlObject, Attr attribute) throws UnmarshallingException {
    AuthnStatement statement = (AuthnStatement) samlObject;
    String name = attribute.getLocalName();
    String value = attribute.getValue();
    boolean hasValue = !DatatypeHelper.isEmpty(value);

    if (name.equals(AuthnStatement.AUTHN_INSTANT_ATTRIB_NAME) && hasValue) {
        // UTC chronology: the JVM default zone must not influence the parsed instant.
        statement.setAuthnInstant(new DateTime(value, ISOChronology.getInstanceUTC()));
    } else if (name.equals(AuthnStatement.SESSION_INDEX_ATTRIB_NAME)) {
        statement.setSessionIndex(value);
    } else if (name.equals(AuthnStatement.SESSION_NOT_ON_OR_AFTER_ATTRIB_NAME) && hasValue) {
        statement.setSessionNotOnOrAfter(new DateTime(value, ISOChronology.getInstanceUTC()));
    } else {
        super.processAttribute(samlObject, attribute);
    }
}
}
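/**
 * Validates the AuthnStatement of an incoming assertion: freshness of AuthnInstant, the
 * SessionNotOnOrAfter bound, and - when the IdP reported a SubjectLocality address - that the
 * request arrives from that address.
 *
 * @param auth the statement to verify
 * @param context message context; its inbound transport supplies the peer address
 * @throws Exception if the statement is too old, the session has expired, or the peer address
 *     does not match the asserted SubjectLocality address
 */
protected void verifyAuthenticationStatement(AuthnStatement auth, BasicSAMLMessageContext context) throws Exception {
    // Validate that user wasn't authenticated too long time ago
    if (!isDateTimeSkewValid(MAX_AUTHENTICATION_TIME, auth.getAuthnInstant())) {
        System.out.println("Authentication statement is too old to be used" + auth.getAuthnInstant());
        throw new Exception("Users authentication data is too old");
    }
    // Validate users session is still valid. SessionNotOnOrAfter is the instant from which the
    // session is no longer valid, so reject once that instant is now or in the past. The previous
    // check used isAfter(now), which rejected still-valid sessions and let expired ones through.
    if (auth.getSessionNotOnOrAfter() != null && !auth.getSessionNotOnOrAfter().isAfterNow()) {
        System.out.println("Authentication session is not valid anymore" + auth.getSessionNotOnOrAfter());
        throw new Exception("Users authentication is expired");
    }
    if (auth.getSubjectLocality() != null && auth.getSubjectLocality().getAddress() != null) {
        HTTPInTransport httpInTransport = (HTTPInTransport) context.getInboundMessageTransport();
        // Asserted address on the left so a transport with no peer address fails the check
        // instead of throwing an NPE.
        if (!auth.getSubjectLocality().getAddress().equals(httpInTransport.getPeerAddress())) {
            throw new Exception("User is accessing the service from invalid address");
        }
    }
}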
/**
 * {@inheritDoc}
 *
 * <p>Writes AuthnInstant, SessionIndex and SessionNotOnOrAfter as DOM attributes, each only
 * when it is set on the statement. Timestamps are rendered by the configured SAML date formatter.
 */
protected void marshallAttributes(XMLObject samlObject, Element domElement) throws MarshallingException {
    AuthnStatement statement = (AuthnStatement) samlObject;

    if (statement.getAuthnInstant() != null) {
        domElement.setAttributeNS(null, AuthnStatement.AUTHN_INSTANT_ATTRIB_NAME,
                Configuration.getSAMLDateFormatter().print(statement.getAuthnInstant()));
    }

    String sessionIndex = statement.getSessionIndex();
    if (sessionIndex != null) {
        domElement.setAttributeNS(null, AuthnStatement.SESSION_INDEX_ATTRIB_NAME, sessionIndex);
    }

    if (statement.getSessionNotOnOrAfter() != null) {
        domElement.setAttributeNS(null, AuthnStatement.SESSION_NOT_ON_OR_AFTER_ATTRIB_NAME,
                Configuration.getSAMLDateFormatter().print(statement.getSessionNotOnOrAfter()));
    }
}
}
/**
 * Verifies that authentication statement is valid. Checks the authInstant and sessionNotOnOrAfter
 * fields, then hands the authentication context to {@code verifyAuthnContext}.
 *
 * @param auth statement to check
 * @param requestedAuthnContext original requested context can be null for unsolicited messages or when no context was requested
 * @param context message context
 * @throws AuthenticationException in case the statement is invalid
 */
protected void verifyAuthenticationStatement(AuthnStatement auth, RequestedAuthnContext requestedAuthnContext, SAMLMessageContext context) throws AuthenticationException {
    // AuthnInstant must not be older than the maximum authentication age (the response skew is
    // passed along, presumably as tolerance for clock differences).
    boolean authnInstantAcceptable = isDateTimeSkewValid(getResponseSkew(), getMaxAuthenticationAge(), auth.getAuthnInstant());
    if (!authnInstantAcceptable) {
        throw new CredentialsExpiredException("Authentication statement is too old to be used with value " + auth.getAuthnInstant());
    }

    // SessionNotOnOrAfter is optional; when present the session must still be valid. Note that
    // isBeforeNow() is strict, so a value equal to the current millisecond still passes.
    boolean sessionExpired = auth.getSessionNotOnOrAfter() != null && auth.getSessionNotOnOrAfter().isBeforeNow();
    if (sessionExpired) {
        throw new CredentialsExpiredException("Authentication session is not valid on or after " + auth.getSessionNotOnOrAfter());
    }

    verifyAuthnContext(requestedAuthnContext, auth.getAuthnContext(), context);
}
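/**
 * Returns the SessionIndex of the first AuthnStatement of the first assertion in
 * {@code samlResponse}. Further assertions and statements are ignored.
 *
 * @param samlResponse parsed SAML response
 * @return the session index as a {@code String}, or null when the response has no assertion,
 *     the first assertion has no AuthnStatement, or that statement has no SessionIndex
 *     (previously the first two cases failed with an IndexOutOfBoundsException)
 */
public static Object getSessionIndex(ResponseImpl samlResponse) {
    if (samlResponse.getAssertions() == null || samlResponse.getAssertions().isEmpty()) {
        return null;
    }
    Assertion assertion = samlResponse.getAssertions().get(0);
    if (assertion.getAuthnStatements() == null || assertion.getAuthnStatements().isEmpty()) {
        return null;
    }
    return assertion.getAuthnStatements().get(0).getSessionIndex();
}
}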
/**
 * {@inheritDoc}
 *
 * <p>Attaches a SubjectLocality or AuthnContext child to the statement; any other child is
 * passed to the parent unmarshaller.
 */
protected void processChildElement(XMLObject parentObject, XMLObject childObject) throws UnmarshallingException {
    AuthnStatement statement = (AuthnStatement) parentObject;

    if (childObject instanceof AuthnContext) {
        statement.setAuthnContext((AuthnContext) childObject);
        return;
    }
    if (childObject instanceof SubjectLocality) {
        statement.setSubjectLocality((SubjectLocality) childObject);
        return;
    }
    super.processChildElement(parentObject, childObject);
}
DateTime authenticationTime = authnStatement.getAuthnInstant(); AuthnContext authnContext = authnStatement.getAuthnContext(); if (null == authnContext) { throw new AssertionValidationException("missing SAML authn context");
/**
 * Parses the SAMLCredential for expiration time. Walks every AuthnStatement of the
 * authentication assertion (usually just one) and takes the earliest sessionNotOnOrAfter value,
 * since the token stops being usable as soon as any of its sessions does.
 *
 * @param credential credential to use for expiration parsing.
 * @return null if no expiration is present, expiration time onOrAfter which the token is not valid anymore
 */
protected Date getExpirationDate(SAMLCredential credential) {
    DateTime earliest = null;
    for (AuthnStatement statement : credential.getAuthenticationAssertion().getAuthnStatements()) {
        DateTime candidate = statement.getSessionNotOnOrAfter();
        if (candidate == null) {
            continue;
        }
        if (earliest == null || candidate.isBefore(earliest)) {
            earliest = candidate;
        }
    }
    return earliest == null ? null : earliest.toDate();
}
/**
 * Checks that the AuthnInstant attribute is present.
 *
 * @param authnStatement statement to validate
 * @throws ValidationException if the statement has no AuthnInstant
 */
protected void validateAuthnInstant(AuthnStatement authnStatement) throws ValidationException {
    if (authnStatement.getAuthnInstant() != null) {
        return;
    }
    throw new ValidationException("AuthnInstant required");
}
// Statement population (enclosing method, builders and the *Bean sources are not shown here).
authInstant = new DateTime(); // AuthnInstant = now; stored in the field so it can be reused
authnStatement.setAuthnInstant(authInstant);
authnStatement.setSessionNotOnOrAfter(sessionNotOnOrAfter);
authnStatement.setSessionIndex(statementBean.getSessionIndex());
AuthnContext authnContext = authnContextBuilder.buildObject();
authnContext.setAuthnContextClassRef(authnContextClassRef);
authnStatement.setAuthnContext(authnContext);
// SubjectLocality address is taken as-is from the bean; no validation of the value is visible here.
subjectLocality.setAddress(subjectLocalityBean.getIpAddress());
authnStatement.setSubjectLocality(subjectLocality);
/**
 * Builds an AuthnStatement whose context names {@code entityID} as authenticating authority.
 *
 * <p>The class reference is always {@code AuthnContext.PASSWORD_AUTHN_CTX}; nothing here ties
 * it to an actual credential check, so consumers should not read it as proof of the method used.
 *
 * @param authnInstant time to record as AuthnInstant
 * @param entityID URI of the AuthenticatingAuthority
 * @return statement with AuthnInstant and AuthnContext set; SessionIndex and
 *     SessionNotOnOrAfter are left unset
 */
private static AuthnStatement buildAuthnStatement(DateTime authnInstant, String entityID) {
    AuthnContextClassRef classRef = buildSAMLObject(AuthnContextClassRef.class, AuthnContextClassRef.DEFAULT_ELEMENT_NAME);
    classRef.setAuthnContextClassRef(AuthnContext.PASSWORD_AUTHN_CTX);

    AuthenticatingAuthority authority = buildSAMLObject(AuthenticatingAuthority.class, AuthenticatingAuthority.DEFAULT_ELEMENT_NAME);
    authority.setURI(entityID);

    AuthnContext context = buildSAMLObject(AuthnContext.class, AuthnContext.DEFAULT_ELEMENT_NAME);
    context.setAuthnContextClassRef(classRef);
    context.getAuthenticatingAuthorities().add(authority);

    AuthnStatement statement = buildSAMLObject(AuthnStatement.class, AuthnStatement.DEFAULT_ELEMENT_NAME);
    statement.setAuthnInstant(authnInstant);
    statement.setAuthnContext(context);
    return statement;
}
if (authnStatement.getAuthnInstant() != null) { samlAuthnStatement.setAuthInstant(authnStatement.getAuthnInstant().toString()); log.debug("Assertion.samlAuthnStatement.authnInstant = " + samlAuthnStatement.getAuthInstant()); if (authnStatement.getSessionIndex() != null) { samlAuthnStatement.setSessionIndex(authnStatement.getSessionIndex()); log.debug("Assertion.samlAuthnStatement.sessionIndex = " + samlAuthnStatement.getSessionIndex()); if ((authnStatement.getAuthnContext() != null) && (authnStatement.getAuthnContext().getAuthnContextClassRef() != null)) { samlAuthnStatement.setAuthContextClassRef(authnStatement.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef()); log.debug("Assertion.samlAuthnStatement.authContextClassRef = " + samlAuthnStatement.getAuthContextClassRef()); log.debug("authnContext has " + authnStatement.getAuthnContext().getAuthenticatingAuthorities().size() + " content entries. "); List<AuthenticatingAuthority> contents = authnStatement.getAuthnContext().getAuthenticatingAuthorities(); if ((contents != null) && (contents.size() > 0)) { if ((authnStatement.getSubjectLocality() != null) && (authnStatement.getSubjectLocality().getAddress() != null) && (authnStatement.getSubjectLocality().getAddress().length() > 0)) { samlAuthnStatement.setSubjectLocalityAddress(authnStatement.getSubjectLocality().getAddress()); log.debug("Assertion.samlAuthnStatement.subjectlocalityAddress = " + samlAuthnStatement.getSubjectLocalityAddress()); if ((authnStatement.getSubjectLocality() != null) && (authnStatement.getSubjectLocality().getDNSName() != null) && (authnStatement.getSubjectLocality().getDNSName().length() > 0)) { samlAuthnStatement.setSubjectLocalityDNSName(authnStatement.getSubjectLocality().getDNSName());
DateTime authnInstant = authnStatement.getAuthnInstant(); DateTime sessionNotOnOrAfter = authnStatement.getSessionNotOnOrAfter(); String subjectLocalityAddress = null; if (authnStatement.getSubjectLocality() != null && authnStatement.getSubjectLocality().getAddress() != null) { subjectLocalityAddress = authnStatement.getSubjectLocality().getAddress();
/**
 * Read the session index from a Response.
 *
 * <p>Only the first assertion and its first AuthnStatement are consulted, on the premise that a
 * SAML Response carries a single assertion with a single authentication statement.
 *
 * @param response SAML Response
 * @return Session Index value contained in the Response, or null when no assertion, no
 *     AuthnStatement or no SessionIndex is present
 */
private String getSessionIndexFromResponse(Response response) {
    List<Assertion> assertions = response.getAssertions();
    if (assertions == null || assertions.isEmpty()) {
        return null;
    }
    List<AuthnStatement> authnStatements = assertions.get(0).getAuthnStatements();
    if (authnStatements == null || authnStatements.isEmpty()) {
        return null;
    }
    return authnStatements.get(0).getSessionIndex();
}
if (as.getSessionNotOnOrAfter() == null) { LOG.error("SessionNotOnOrAfter is null"); continue; final DateTime exp = as.getSessionNotOnOrAfter().plusSeconds(slack); if (exp != null && (now.isEqual(exp) || now.isAfter(exp))) {