/**
 * Builds a SAML 2 {@code Issuer} element whose value is the given local entity ID.
 *
 * @param localEntityId entity ID of this deployment, written verbatim into the Issuer value
 * @return a freshly built Issuer carrying {@code localEntityId}; no Format or SPProvidedID is set
 */
public Issuer getIssuer(String localEntityId) {
    // The builder factory is keyed by element QName; the cast narrows the generic builder type.
    @SuppressWarnings("unchecked")
    SAMLObjectBuilder<Issuer> builder =
            (SAMLObjectBuilder<Issuer>) builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
    Issuer result = builder.buildObject();
    result.setValue(localEntityId);
    return result;
}
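/**
 * {@inheritDoc}
 * <p>
 * Decodes an HTTP POST that carries a base64-encoded, bare SAML 2 {@link Assertion} (rather than a
 * {@link Response}) and wraps it into a locally built Response before populating the context.
 * The wrapping Response is synthesised here with a success status and no signature; nothing in this
 * method verifies the assertion's signature, issuer or conditions, so that must happen downstream.
 *
 * @param messageContext must be a {@link SAMLMessageContext} whose inbound transport is an
 *                       {@link HTTPInTransport}
 * @throws MessageDecodingException if the context or transport type is wrong, the HTTP method is not
 *                                  POST, the payload is not an Assertion, or the Assertion has no
 *                                  usable Issuer value
 */
protected void doDecode(MessageContext messageContext) throws MessageDecodingException {
    if (!(messageContext instanceof SAMLMessageContext)) {
        log.error("Invalid message context type, this decoder only support SAMLMessageContext");
        throw new MessageDecodingException(
                "Invalid message context type, this decoder only support SAMLMessageContext");
    }
    if (!(messageContext.getInboundMessageTransport() instanceof HTTPInTransport)) {
        log.error("Invalid inbound message transport type, this decoder only support HTTPInTransport");
        throw new MessageDecodingException(
                "Invalid inbound message transport type, this decoder only support HTTPInTransport");
    }

    SAMLMessageContext samlMsgCtx = (SAMLMessageContext) messageContext;
    HTTPInTransport inTransport = (HTTPInTransport) samlMsgCtx.getInboundMessageTransport();

    // Constant-first comparison: a missing HTTP method is rejected instead of raising an NPE.
    if (!"POST".equalsIgnoreCase(inTransport.getHTTPMethod())) {
        throw new MessageDecodingException("This message decoder only supports the HTTP POST method");
    }

    String relayState = inTransport.getParameterValue("RelayState");
    samlMsgCtx.setRelayState(relayState);
    log.debug("Decoded SAML relay state of: {}", relayState);

    InputStream base64DecodedMessage = getBase64DecodedMessage(inTransport);
    Object unmarshalled = unmarshallMessage(base64DecodedMessage);

    // The payload is attacker-supplied; reject anything that is not an Assertion with a decoding
    // error rather than letting a ClassCastException escape as an unexpected failure mode.
    if (!(unmarshalled instanceof Assertion)) {
        log.error("Decoded SAML message is not an Assertion, this decoder only supports bare Assertions");
        throw new MessageDecodingException("Decoded SAML message is not an Assertion");
    }
    Assertion inboundMessage = (Assertion) unmarshalled;

    // The Issuer value is used to build the wrapping Response; without it the message is unusable.
    if (inboundMessage.getIssuer() == null || inboundMessage.getIssuer().getValue() == null) {
        log.error("Decoded SAML Assertion carries no Issuer value");
        throw new MessageDecodingException("Decoded SAML Assertion carries no Issuer value");
    }

    Response response = SamlRedirectUtils.wrapAssertionIntoResponse(inboundMessage,
            inboundMessage.getIssuer().getValue());
    samlMsgCtx.setInboundMessage(response);
    samlMsgCtx.setInboundSAMLMessage(response);
    log.debug("Decoded SAML message");

    populateMessageContext(samlMsgCtx);
}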
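/**
 * Check for the validity of the issuer.
 * <p>
 * Compares the Issuer value and SPProvidedID against the fixed values used by this test
 * fixture. Literal-first {@code equals} keeps the check null-safe: an Issuer that lacks either
 * attribute is simply reported as invalid instead of raising a NullPointerException.
 *
 * @param issuer :who makes the claims inside the Query; may be {@code null}
 * @return whether the issuer is valid
 */
private boolean validateIssuer(Issuer issuer) {
    if (issuer == null) {
        return false;
    }
    return "https://identity.carbon.wso2.org".equals(issuer.getValue())
            && "SPPProvierId".equals(issuer.getSPProvidedID());
}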
if (issuer.getValue() == null && issuer.getSPProvidedID() == null) { validatedItems.add(new ValidatedItemDTO( SAMLValidatorConstants.ValidationType.VAL_ISSUER, throw IdentityException.error(SAMLValidatorConstants.ValidationMessage.EXIT_WITH_ERROR); } else { issuerStr = issuer.getValue() != null ? issuer.getValue() : issuer.getSPProvidedID(); validatedItems.add(new ValidatedItemDTO( SAMLValidatorConstants.ValidationType.VAL_ISSUER, if (issuer.getFormat() != null) { if (issuer.getFormat().equals(SAMLValidatorConstants.Attribute.ISSUER_FORMAT)) { validatedItems.add(new ValidatedItemDTO( SAMLValidatorConstants.ValidationType.VAL_ISSUER_FORMAT, ssoIdPConfigs = SAMLValidatorUtil.getServiceProviderConfig(issuer.getValue()); } catch (IdentityException e) { log.error(e.getMessage()); String.format(SAMLValidatorConstants.ValidationMessage.VAL_IDP_CONFIGS_FAIL, authnRequest.getIssuer() .getValue()))); throw IdentityException.error(SAMLValidatorConstants.ValidationMessage.EXIT_WITH_ERROR); String.format(SAMLValidatorConstants.ValidationMessage.VAL_IDP_CONFIGS_FAIL, authnRequest.getIssuer() .getValue()))); throw IdentityException.error(SAMLValidatorConstants.ValidationMessage.EXIT_WITH_ERROR); } else {
/**
 * Create the issuer object to be added.
 * <p>
 * Builds an Issuer through the global OpenSAML builder factory and fills in the fixed
 * value and SPProvidedID this fixture expects.
 *
 * @return : the issuer of the statements
 */
private static Issuer createIssuer() {
    IssuerBuilder builder = (IssuerBuilder) org.opensaml.xml.Configuration.getBuilderFactory()
            .getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
    Issuer result = builder.buildObject();
    result.setValue("https://identity.carbon.wso2.org");
    result.setSPProvidedID("SPPProvierId");
    return result;
}
/**
 * Extracts the entity ID from the SAML 2 Issuer.
 * <p>
 * An absent Format is treated the same as {@link NameIDType#ENTITY}, which is the SAML 2
 * default for Issuer.
 *
 * @param issuer issuer to extract the entityID from; may be {@code null}
 *
 * @return entity ID of the issuer, or {@code null} when no issuer was given
 *
 * @throws MessageDecodingException thrown if the given issuer has a format other than {@link NameIDType#ENTITY}
 */
protected String extractEntityId(Issuer issuer) throws MessageDecodingException {
    if (issuer == null) {
        return null;
    }
    String format = issuer.getFormat();
    boolean entityFormat = format == null || NameIDType.ENTITY.equals(format);
    if (!entityFormat) {
        throw new MessageDecodingException("SAML 2 Issuer is not of ENTITY format type");
    }
    return issuer.getValue();
}
if (StringUtils.isNotBlank(issuer.getFormat()) && !NameID.ENTITY.equals(issuer.getFormat())) { SAML2SSORequestValidationException ex = new SAML2SSORequestValidationException(StatusCode.REQUESTER_URI, "Invalid Issuer Format attribute value " + issuer .getFormat()); ex.setInResponseTo(saml2SSOContext.getId()); ex.setAcsUrl(saml2SSOContext.getAssertionConsumerURL());
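/**
 * Check for the validity of the issuer.
 * <p>
 * Compares the Issuer value and SPProvidedID against the fixed values used by this test
 * fixture. Literal-first {@code equals} keeps the check null-safe: an Issuer that lacks either
 * attribute is simply reported as invalid instead of raising a NullPointerException.
 *
 * @param issuer :who makes the claims inside the Query; may be {@code null}
 * @return whether the issuer is valid
 */
private boolean validateIssuer(Issuer issuer) {
    if (issuer == null) {
        return false;
    }
    return "https://identity.carbon.wso2.org".equals(issuer.getValue())
            && "SPPProvierId".equals(issuer.getSPProvidedID());
}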
if (issuer.getValue() == null && issuer.getSPProvidedID() == null) { validatedItems.add(new ValidatedItemDTO( SAMLValidatorConstants.ValidationType.VAL_ISSUER, throw IdentityException.error(SAMLValidatorConstants.ValidationMessage.EXIT_WITH_ERROR); } else { issuerStr = issuer.getValue() != null ? issuer.getValue() : issuer.getSPProvidedID(); validatedItems.add(new ValidatedItemDTO( SAMLValidatorConstants.ValidationType.VAL_ISSUER, if (issuer.getFormat() != null) { if (issuer.getFormat().equals(SAMLValidatorConstants.Attribute.ISSUER_FORMAT)) { validatedItems.add(new ValidatedItemDTO( SAMLValidatorConstants.ValidationType.VAL_ISSUER_FORMAT, ssoIdPConfigs = SAMLValidatorUtil.getServiceProviderConfig(issuer.getValue()); } catch (IdentityException e) { log.error(e.getMessage()); String.format(SAMLValidatorConstants.ValidationMessage.VAL_IDP_CONFIGS_FAIL, authnRequest.getIssuer() .getValue()))); throw IdentityException.error(SAMLValidatorConstants.ValidationMessage.EXIT_WITH_ERROR); String.format(SAMLValidatorConstants.ValidationMessage.VAL_IDP_CONFIGS_FAIL, authnRequest.getIssuer() .getValue()))); throw IdentityException.error(SAMLValidatorConstants.ValidationMessage.EXIT_WITH_ERROR); } else {
/**
 * Create the issuer object to be added.
 * <p>
 * Builds an Issuer through the global OpenSAML builder factory, sets its value to
 * {@code ISSUER_URL} and the fixed SPProvidedID this fixture expects.
 *
 * @return : the issuer of the statements
 */
private static Issuer createIssuer() {
    IssuerBuilder builder = (IssuerBuilder) org.opensaml.xml.Configuration.getBuilderFactory()
            .getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
    Issuer result = builder.buildObject();
    result.setValue(ISSUER_URL);
    result.setSPProvidedID("SPPProvierId");
    return result;
}
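/**
 * Verifies that the message Issuer is acceptable for the peer this context was resolved for.
 * <p>
 * Two checks are made: the Issuer Format, when present, must be {@link NameIDType#ENTITY}, and
 * the Issuer value must equal the entity ID of the peer entity metadata in the context. A missing
 * Issuer, missing peer metadata or missing peer entity ID is rejected with a
 * {@link SAMLException} rather than allowed to surface as a NullPointerException, so the
 * verification fails closed.
 *
 * @param issuer  Issuer element of the inbound message; may be {@code null}
 * @param context message context whose peer entity metadata names the expected issuer
 * @throws SAMLException if the issuer is absent, has a non-ENTITY format, or does not match the
 *                       expected peer entity ID
 */
protected void verifyIssuer(Issuer issuer, SAMLMessageContext context) throws SAMLException {
    if (issuer == null) {
        throw new SAMLException("Issuer invalidated because the message carries no Issuer");
    }

    // Validate format of issuer
    String format = issuer.getFormat();
    if (format != null && !format.equals(NameIDType.ENTITY)) {
        throw new SAMLException("Issuer invalidated by issuer type " + format);
    }

    // Validate that issuer is expected peer entity. NOTE(review): assumes getPeerEntityMetadata()
    // returns null when no peer was resolved — confirm against the context implementation.
    if (context.getPeerEntityMetadata() == null) {
        throw new SAMLException("Issuer cannot be verified, peer entity metadata is not available");
    }
    String expectedEntityId = context.getPeerEntityMetadata().getEntityID();
    if (expectedEntityId == null || !expectedEntityId.equals(issuer.getValue())) {
        throw new SAMLException("Issuer invalidated by issuer value " + issuer.getValue());
    }
}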
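/**
 * Wraps a single SAML 2 {@link Assertion} into a freshly built {@link Response}.
 * <p>
 * The Response is a local container only: it is given a success status, the supplied issuer, the
 * current instant and the assertion, but it is not signed and nothing here validates the assertion.
 * Callers that rely on the assertion's integrity must verify its signature separately.
 *
 * @param assertion       assertion to embed; added as-is
 * @param assertionIssuer value written into the Response Issuer element
 * @return a new Response containing {@code assertion}
 */
public static Response wrapAssertionIntoResponse(Assertion assertion, String assertionIssuer) {
    Response response = new ResponseBuilder().buildObject();

    Issuer issuer = new IssuerBuilder().buildObject();
    issuer.setValue(assertionIssuer);
    response.setIssuer(issuer);

    // The ID attribute is an xs:ID and must be unique; a millisecond timestamp collides when two
    // responses are built in the same millisecond. A random UUID behind a letter prefix keeps it
    // unique and a valid NCName.
    response.setID("id-" + java.util.UUID.randomUUID());

    Status stat = new StatusBuilder().buildObject();

    // Set the status code
    StatusCode statCode = new StatusCodeBuilder().buildObject();
    statCode.setValue("urn:oasis:names:tc:SAML:2.0:status:Success");
    stat.setStatusCode(statCode);

    // Set the status Message (deliberately empty; the element is kept for schema shape)
    StatusMessage statMesssage = new StatusMessageBuilder().buildObject();
    statMesssage.setMessage(null);
    stat.setStatusMessage(statMesssage);

    response.setStatus(stat);
    response.setVersion(SAMLVersion.VERSION_20);
    response.setIssueInstant(new DateTime());
    response.getAssertions().add(assertion);

    return response;
}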
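/**
 * If it fails to authenticate the user, the method gets the value from configuration
 * Saml2FailedLoginRedirectUrl; if the user configured an error URL then it redirects to that
 * URL, otherwise it throws the ServerApiException.
 * <p>
 * The decision fails closed: a missing account, an account with no external entity, a missing
 * Issuer, or a negative answer from {@code samlAuthManager.isUserAuthorized} all take the
 * failure path. The redirect target comes from server configuration, not from the request.
 *
 * @param params       request parameters forwarded into the serialized API error
 * @param responseType response format used when serializing the API error
 * @param resp         servlet response used to send the redirect
 * @param issuer       Issuer of the inbound SAML message; its value identifies the IdP
 * @param userAccount  resolved account, or {@code null} when none matched
 * @throws IOException if the redirect cannot be written to the response
 * @throws ServerApiException if the user is not authorized and no redirect URL is configured
 */
protected void whenFailToAuthenticateThrowExceptionOrRedirectToUrl(final Map<String, Object[]> params, final String responseType, final HttpServletResponse resp, Issuer issuer, UserAccount userAccount) throws IOException {
    // issuer == null previously surfaced as a NullPointerException once userAccount was non-null;
    // treat it as "not authorized" instead.
    final boolean authorized = userAccount != null
            && userAccount.getExternalEntity() != null
            && issuer != null
            && samlAuthManager.isUserAuthorized(userAccount.getId(), issuer.getValue());
    if (authorized) {
        return;
    }

    String saml2RedirectUrl = saml2FailedLoginRedirectUrl.value();
    if (StringUtils.isBlank(saml2RedirectUrl)) {
        throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR,
                apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(),
                        "Your authenticated user is not authorized for SAML Single Sign-On, please contact your administrator",
                        params, responseType));
    }
    resp.sendRedirect(saml2RedirectUrl);
}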
/**
 * Check for the validity of the issuer.
 * <p>
 * Both comparisons are literal-first, so an Issuer lacking a value or SPProvidedID is reported
 * as invalid rather than raising a NullPointerException.
 *
 * @param issuer :who makes the claims inside the Query
 * @return whether the issuer is valid
 */
private boolean validateIssuer(Issuer issuer) {
    // Short-circuit keeps the SPProvidedID lookup from running when the value already mismatches.
    return ISSUER_URL.equals(issuer.getValue())
            && "SPPProvider".equals(issuer.getSPProvidedID());
}
if (StringUtils.isNotBlank(issuer.getValue())) { messageContext.setIssuer(issuer.getValue()); } else if (StringUtils.isNotBlank(issuer.getSPProvidedID())) { messageContext.setIssuer(issuer.getSPProvidedID()); } else { if (log.isDebugEnabled()) { if (!SAMLSSOUtil.isSAMLIssuerExists(splitAppendedTenantDomain(issuer.getValue()), SAMLSSOUtil.getTenantDomainFromThreadLocal())) { String message = "A Service Provider with the Issuer '" + issuer.getValue() + "' is not " + "registered. Service Provider should be registered in " + "advance"; if (log.isDebugEnabled()) { if ((StringUtils.isNotBlank(issuer.getFormat())) && !(issuer.getFormat().equals(SAMLSSOConstants.Attribute.ISSUER_FORMAT))) { if (log.isDebugEnabled()) { log.debug("Invalid Issuer Format attribute value " + issuer.getFormat()); log.debug("Invalid ACS URL value " + acsUrl + " in the AuthnRequest message from " + spDO .getIssuer() + "\n" + "Possibly an attempt for a spoofing attack from Provider " + authnReq.getIssuer().getValue());
/**
 * Create the issuer object to be added.
 * <p>
 * Builds an Issuer through the global OpenSAML builder factory, sets its value to
 * {@code ISSUER_URL} and the fixed SPProvidedID this fixture expects.
 *
 * @return : the issuer of the statements
 */
private static Issuer createIssuer() {
    IssuerBuilder builder = (IssuerBuilder) org.opensaml.xml.Configuration.getBuilderFactory()
            .getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
    Issuer result = builder.buildObject();
    result.setValue(ISSUER_URL);
    result.setSPProvidedID("SPPProvierId");
    return result;
}
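/**
 * Verifies that the assertion Issuer is acceptable for the peer this context was resolved for.
 * <p>
 * The Issuer Format, when present, must be {@link NameIDType#ENTITY}, and the Issuer value must
 * equal the entity ID of the peer entity metadata in the context. Detail about why the check
 * failed is printed locally while the thrown exception keeps a generic message, as in the
 * original; a missing Issuer, missing peer metadata or missing peer entity ID is now rejected
 * the same way instead of surfacing as a NullPointerException, so verification fails closed.
 *
 * @param issuer  Issuer element of the assertion; may be {@code null}
 * @param context message context whose peer entity metadata names the expected issuer
 * @throws SAMLException if the issuer is absent, has a non-ENTITY format, or does not match the
 *                       expected peer entity ID
 */
protected void verifyIssuer(Issuer issuer, BasicSAMLMessageContext context) throws SAMLException {
    if (issuer == null) {
        System.out.println("Assertion invalidated by missing issuer");
        throw new SAMLException("SAML Assertion is invalid");
    }

    // Validate format of issuer
    String format = issuer.getFormat();
    if (format != null && !format.equals(NameIDType.ENTITY)) {
        System.out.println("Assertion invalidated by issuer type"+format);
        throw new SAMLException("SAML Assertion is invalid");
    }

    // Validate that issuer is expected peer entity. NOTE(review): assumes getPeerEntityMetadata()
    // returns null when no peer was resolved — confirm against the context implementation.
    if (context.getPeerEntityMetadata() == null) {
        System.out.println("Assertion invalidated because peer entity metadata is not available");
        throw new SAMLException("SAML Assertion is invalid");
    }
    String expectedEntityId = context.getPeerEntityMetadata().getEntityID();
    if (expectedEntityId == null || !expectedEntityId.equals(issuer.getValue())) {
        System.out.println("Assertion invalidated by unexpected issuer value"+ issuer.getValue());
        throw new SAMLException("SAML Assertion is invalid");
    }
}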