/**
 * Builds a SAML 2.0 Response that carries the given assertion and a Success status.
 *
 * @param context                  message context; its local entity id is used for the Issuer
 * @param assertionConsumerService endpoint whose location becomes the Destination
 *                                 (buildCommonAttributes leaves Destination unset when null)
 * @param assertion                assertion appended to the response
 * @param authnRequest             inbound request whose ID becomes InResponseTo
 * @return the populated response
 */
private Response createResponse(SAMLMessageContext context, AssertionConsumerService assertionConsumerService, Assertion assertion, AuthnRequest authnRequest) {
    @SuppressWarnings("unchecked")
    SAMLObjectBuilder<Response> builder =
            (SAMLObjectBuilder<Response>) builderFactory.getBuilder(Response.DEFAULT_ELEMENT_NAME);
    Response result = builder.buildObject();
    // ID, Issuer, InResponseTo, version, IssueInstant and Destination are shared with other
    // status responses and are filled in by buildCommonAttributes.
    buildCommonAttributes(context.getLocalEntityId(), result, assertionConsumerService, authnRequest);
    result.getAssertions().add(assertion);
    buildStatusSuccess(result);
    return result;
}
/**
 * Populates the attributes every status response shares: ID, Issuer, InResponseTo,
 * SAML version, IssueInstant and, when an endpoint is given, Destination.
 *
 * @param localEntityId entity id of this entity, passed to getIssuer to build the Issuer element
 * @param response      response to populate
 * @param service       endpoint whose location becomes the Destination; null leaves it unset
 * @param authnRequest  inbound request whose ID is echoed in InResponseTo
 */
private void buildCommonAttributes(String localEntityId, Response response, Endpoint service, AuthnRequest authnRequest) {
    // Destination is only written when an endpoint was actually resolved.
    if (service != null) {
        response.setDestination(service.getLocation());
    }
    response.setIssueInstant(new DateTime());
    response.setVersion(SAMLVersion.VERSION_20);
    response.setInResponseTo(authnRequest.getID());
    response.setIssuer(getIssuer(localEntityId));
    response.setID(generateID());
}
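/**
 * Wraps an already-built assertion in a new SAML 2.0 Response with a Success status.
 *
 * @param assertion       assertion to place in the response (added as-is, not copied)
 * @param assertionIssuer value for the response's Issuer element
 * @return the populated response; no signature is applied here
 */
public static Response wrapAssertionIntoResponse(Assertion assertion, String assertionIssuer) {
    Response response = new ResponseBuilder().buildObject();
    Issuer issuer = new IssuerBuilder().buildObject();
    issuer.setValue(assertionIssuer);
    response.setIssuer(issuer);
    // SAML message IDs must be unique and unpredictable. A millisecond timestamp is neither:
    // two responses built in the same millisecond collide, and the value is trivially guessable
    // by anyone who knows roughly when it was issued. A random UUID satisfies both properties;
    // the "id-" prefix keeps the value a valid xs:ID even when the UUID starts with a digit.
    response.setID("id-" + java.util.UUID.randomUUID());
    Status stat = new StatusBuilder().buildObject();
    // Set the status code
    StatusCode statCode = new StatusCodeBuilder().buildObject();
    statCode.setValue("urn:oasis:names:tc:SAML:2.0:status:Success");
    stat.setStatusCode(statCode);
    // Set the status message; it is deliberately left empty
    StatusMessage statMessage = new StatusMessageBuilder().buildObject();
    statMessage.setMessage(null);
    stat.setStatusMessage(statMessage);
    response.setStatus(stat);
    response.setVersion(SAMLVersion.VERSION_20);
    response.setIssueInstant(new DateTime());
    response.getAssertions().add(assertion);
    return response;
}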
/**
 * Builds a response for a mocked authentication and checks that both the response and the
 * assertion's SubjectConfirmationData reference the inbound request ID, that the subject is
 * the mocked user "marissa" with an unspecified NameID format, and that the assertion
 * attributes match the authentication.
 */
@Test
public void testBuildResponse() throws MessageEncodingException, SAMLException, MetadataProviderException, SecurityException, MarshallingException, SignatureException {
    String authnId = UUID.randomUUID().toString();
    Authentication auth = samlTestUtils.mockUaaAuthentication(authnId);
    SAMLMessageContext ctx = samlTestUtils.mockSamlMessageContext();
    IdpWebSSOProfileOptions opts = new IdpWebSSOProfileOptions();
    // Assertion signing is switched off for this test.
    opts.setAssertionsSigned(false);
    profile.buildResponse(auth, ctx, opts);

    AuthnRequest inbound = (AuthnRequest) ctx.getInboundSAMLMessage();
    Response outbound = (Response) ctx.getOutboundSAMLMessage();
    assertEquals(inbound.getID(), outbound.getInResponseTo());

    Assertion firstAssertion = outbound.getAssertions().get(0);
    Subject subj = firstAssertion.getSubject();
    assertEquals("marissa", subj.getNameID().getValue());
    assertEquals(NameIDType.UNSPECIFIED, subj.getNameID().getFormat());
    SubjectConfirmationData confirmationData =
            subj.getSubjectConfirmations().get(0).getSubjectConfirmationData();
    assertEquals(inbound.getID(), confirmationData.getInResponseTo());

    verifyAssertionAttributes(authnId, firstAssertion);
}
/** {@inheritDoc} */
protected void processChildElement(XMLObject parentSAMLObject, XMLObject childSAMLObject) throws UnmarshallingException {
    Response response = (Response) parentSAMLObject;
    // Only plaintext and encrypted assertions are handled at this level; any other child
    // element is delegated to the superclass.
    boolean isPlainAssertion = childSAMLObject instanceof Assertion;
    boolean isEncryptedAssertion = childSAMLObject instanceof EncryptedAssertion;
    if (!isPlainAssertion && !isEncryptedAssertion) {
        super.processChildElement(parentSAMLObject, childSAMLObject);
        return;
    }
    if (isPlainAssertion) {
        response.getAssertions().add((Assertion) childSAMLObject);
    } else {
        response.getEncryptedAssertions().add((EncryptedAssertion) childSAMLObject);
    }
}
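/**
 * Assembles the SAML 2.0 Response from the values collected on this builder.
 *
 * @return a new Response carrying the configured IssueInstant, version, ID, InResponseTo,
 *         Issuer, Status, Signature and assertions
 */
@Override
public Response build() {
    Response saml2Response = new ResponseBuilder().buildObject();
    saml2Response.setIssueInstant(issueInstant);
    saml2Response.setVersion(SAMLVersion.VERSION_20);
    saml2Response.setID(id);
    saml2Response.setInResponseTo(inResponseTo);
    saml2Response.setIssuer(issuer);
    saml2Response.setStatus(status);
    saml2Response.setSignature(signature);
    // Adding an empty collection is a no-op, so the former size() > 0 guard was redundant.
    saml2Response.getAssertions().addAll(assertions);
    return saml2Response;
}
}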
.getBuilder(Response.DEFAULT_ELEMENT_NAME); Response response = builder.buildObject(); response.getAssertions().add(assertion); response.setIssuer(createIssuer()); DateTime issueInstant = new DateTime(); response.setIssueInstant(issueInstant); response = setSignature(response, XMLSignature.ALGO_ID_SIGNATURE_RSA, createBasicCredentials()); try {
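/**
 * Checks the XML signatures on the response and on its first assertion.
 *
 * <p>At least one of the two must be present and valid. A signature that is present but does
 * not validate is rejected even if the other element verifies. Only the first assertion is
 * inspected; any further assertions are not checked here.
 *
 * @param response the decoded response
 * @throws SamlException if neither the response nor its first assertion is signed, or a
 *         present signature fails validation
 */
private void validateSignature(Response response) throws SamlException {
    Signature responseSignature = response.getSignature();
    // A response may carry no plaintext assertion at all (for example when only
    // EncryptedAssertion elements are present); the former unconditional get(0) then threw
    // IndexOutOfBoundsException instead of a meaningful SamlException.
    Signature assertionSignature = null;
    if (response.getAssertions() != null && !response.getAssertions().isEmpty()) {
        assertionSignature = response.getAssertions().get(0).getSignature();
    }
    if (responseSignature == null && assertionSignature == null) {
        throw new SamlException("No signature is present in either response or assertion");
    }
    if (responseSignature != null && !validate(responseSignature)) {
        throw new SamlException("The response signature is invalid");
    }
    if (assertionSignature != null && !validate(assertionSignature)) {
        throw new SamlException("The assertion signature is invalid");
    }
}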
String statusCode = response.getStatus().getStatusCode().getValue(); if (!StatusCode.SUCCESS_URI.equals(statusCode)) { StatusMessage statusMessage = response.getStatus().getStatusMessage(); String statusMessageText = null; if (statusMessage != null) { if (response.getSignature() != null && !context.isInboundSAMLMessageAuthenticated()) { log.debug("Verifying Response signature"); verifySignature(response.getSignature(), context.getPeerEntityId(), context.getLocalTrustEngine()); context.setInboundSAMLMessageAuthenticated(true); DateTime time = response.getIssueInstant(); if (!isDateTimeSkewValid(getResponseSkew(), time)) { throw new SAMLException("Response issue time is either too old or with date in the future, skew " + getResponseSkew() + ", time " + time); if (!context.getPeerExtendedMetadata().isSupportUnsolicitedResponse() && response.getInResponseTo() == null) { throw new SAMLException("Reception of Unsolicited Response messages (without InResponseToField) is disabled"); if (messageStorage != null && response.getInResponseTo() != null) { XMLObject xmlObject = messageStorage.retrieveMessage(response.getInResponseTo()); if (xmlObject == null) { throw new SAMLException("InResponseToField of the Response doesn't correspond to sent message " + response.getInResponseTo()); } else if (xmlObject instanceof AuthnRequest) { request = (AuthnRequest) xmlObject; } else { throw new SAMLException("Sent request was of different type than the expected AuthnRequest " + response.getInResponseTo()); verifyEndpoint(context.getLocalEntityEndpoint(), response.getDestination());
final String samlResponse = ((String[])params.get(SAMLPluginConstants.SAML_RESPONSE))[0]; Response processedSAMLResponse = this.processSAMLResponse(samlResponse); String statusCode = processedSAMLResponse.getStatus().getStatusCode().getValue(); if (!statusCode.equals(StatusCode.SUCCESS_URI)) { throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), Issuer issuer = processedSAMLResponse.getIssuer(); SAMLProviderMetadata spMetadata = samlAuthManager.getSPMetadata(); SAMLProviderMetadata idpMetadata = samlAuthManager.getIdPMetadata(issuer.getValue()); String responseToId = processedSAMLResponse.getInResponseTo(); s_logger.debug("Received SAMLResponse in response to id=" + responseToId); SAMLTokenVO token = samlAuthManager.getToken(responseToId); Signature sig = processedSAMLResponse.getSignature(); if (idpMetadata.getSigningCertificate() != null && sig != null) { BasicX509Credential credential = new BasicX509Credential(); username = SAMLUtils.getValueFromAssertions(processedSAMLResponse.getAssertions(), SAML2AuthManager.SAMLUserAttributeName.value()); for (Assertion assertion: processedSAMLResponse.getAssertions()) { if (assertion!= null && assertion.getSubject() != null && assertion.getSubject().getNameID() != null) { session.setAttribute(SAMLPluginConstants.SAML_NAMEID, assertion.getSubject().getNameID().getValue()); Decrypter decrypter = new Decrypter(null, keyInfoResolver, keyResolver); decrypter.setRootInNewDocument(true); List<EncryptedAssertion> encryptedAssertions = processedSAMLResponse.getEncryptedAssertions(); if (encryptedAssertions != null) { for (EncryptedAssertion encryptedAssertion : encryptedAssertions) {
Response samlResponse; samlResponse = (Response) samlObject; List<Assertion> assertions = samlResponse.getAssertions(); Assertion assertion = null; if (assertions != null && assertions.size() > 0) { assertion = assertions.get(0); } else { List<EncryptedAssertion> encryptedAssertions = samlResponse.getEncryptedAssertions(); EncryptedAssertion encryptedAssertion; if (encryptedAssertions.size() > 0) { if (samlResponse.getStatus() != null && samlResponse.getStatus().getStatusCode() != null && samlResponse.getStatus().getStatusCode().getValue().equals("urn:oasis:names:tc:SAML:2.0:status:Responder") && samlResponse.getStatus().getStatusCode().getStatusCode() != null && samlResponse.getStatus().getStatusCode().getStatusCode().getValue().equals("urn:oasis:names:tc:SAML:2.0:status:NoPassive")) { if (samlResponse.getStatus() != null && samlResponse.getStatus().getStatusMessage() != null) { log.error(samlResponse.getStatus().getStatusMessage().getMessage()); } else { log.error("SAML Assertion not found in the Response.");
if (validateIssuer(samlResponseObject.getIssuer())) { if (validateSignature(samlResponseObject.getSignature())) { List<Assertion> assertionList = samlResponseObject.getAssertions();
/**
 * Builds a minimal SAML 2.0 Response carrying only Issuer, Status, version and ID, and
 * returns it marshalled and encoded.
 *
 * @return the encoded response, or null when marshalling or encoding throws IdentityException
 */
public static String generateErrorneousResponse() {
    Response errorResponse = new ResponseBuilder().buildObject();
    errorResponse.setID(UIDGenerator.generateUID());
    errorResponse.setVersion(SAMLVersion.VERSION_20);
    errorResponse.setStatus(buildStatus());
    errorResponse.setIssuer(getIssuer());
    // NOTE(review): no IssueInstant is set on this response; confirm recipients accept the
    // marshalled result.
    try {
        return encode(marshall(errorResponse));
    } catch (IdentityException e) {
        // The failure is reported to the caller as null; the cause only reaches the debug log.
        if (log.isDebugEnabled()) {
            log.debug("Error while encoding.", e);
        }
        return null;
    }
}
if (!samlResponse.getInResponseTo().equals(requestId)) { Status status = samlResponse.getStatus(); StatusCode statusCode = status.getStatusCode(); String statusValue = statusCode.getValue(); List<Assertion> assertions = samlResponse.getAssertions(); if (assertions.isEmpty()) { throw new AuthenticationResponseProcessorException( if (null == samlResponse.getSignature() && expectResponseSigned) { throw new AuthenticationResponseProcessorException( "Expected a signed response but was not so! "); if (null != samlResponse.getSignature()) { .getCertificates(samlResponse.getSignature() .getKeyInfo());
response.getAssertions().add(assertion); new SAML2SSOResponseBuilderException(StatusCode.RESPONDER_URI, "Encryption certificate is not configured."); ex.setInResponseTo(response.getID()); ex.setAcsUrl(response.getDestination()); throw ex; new SAML2SSOResponseBuilderException(StatusCode.RESPONDER_URI, "Invalid encoded certificate: " + encodedCert); ex.setInResponseTo(response.getID()); ex.setAcsUrl(response.getDestination()); throw ex; "Error occurred while encrypting assertion.", e); ex.setInResponseTo(assertion.getID()); ex.setAcsUrl(response.getDestination()); throw ex; "Error occurred while encrypting assertion.", e); ex.setInResponseTo(assertion.getID()); ex.setAcsUrl(response.getDestination()); throw ex; response.getEncryptedAssertions().add(encryptedAssertion);
private void validate(final Response response) throws ValidationException { if (response.getStatus() == null || response.getStatus().getStatusCode() == null || !(StatusCode.SUCCESS_URI .equals(response.getStatus().getStatusCode().getValue()))) { throw new ValidationException("Response has an unsuccessful status code"); if (!config.getSPConfig().getAcs().equals(response.getDestination())) { throw new ValidationException("Response is destined for a different endpoint"); final DateTime issueInstant = response.getIssueInstant(); for (Assertion assertion : response.getAssertions()) {
/**
 * Validates the XML signature of a SAML2 Response by delegating to the Signature-level
 * overload.
 *
 * @param response   SAML2 Response; null or unsigned responses are reported and rejected
 * @param domainName domain name of the subject
 * @return true if the response carries a signature and it validates, false otherwise
 */
private boolean validateSignature(Response response, String domainName) {
    // A missing response or a missing signature is logged and treated as invalid.
    if (response == null || response.getSignature() == null) {
        log.error("SAML Response is not signed or response not available. Authentication process will be "
                + "terminated.");
        return false;
    }
    if (log.isDebugEnabled()) {
        log.debug("Validating SAML Response Signature.");
    }
    return validateSignature(response.getSignature(), domainName);
}
Signature sig = response.getSignature(); if (sig != null) sigValidator.validate(sig); if (response.getStatus() == null || response.getStatus().getStatusCode() == null || !(StatusCode.SUCCESS_URI .equals(response.getStatus().getStatusCode().getValue()))) { throw new ValidationException( "Response has an unsuccessful status code"); if (!spConfig.getAcs().equals(response.getDestination())) throw new ValidationException( "Response is destined for a different endpoint"); DateTime issueInstant = response.getIssueInstant();
final String samlResponse = ((String[])params.get(SAMLPluginConstants.SAML_RESPONSE))[0]; Response processedSAMLResponse = SAMLUtils.decodeSAMLResponse(samlResponse); String statusCode = processedSAMLResponse.getStatus().getStatusCode().getValue(); if (!statusCode.equals(StatusCode.SUCCESS_URI)) { throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.INTERNAL_ERROR.getHttpCode(),
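/**
 * Performs the structural checks on a decoded response: schema validity, the expected
 * Issuer value and a Success status code.
 *
 * @param response decoded response
 * @throws SamlException if schema validation fails, the Issuer is missing or differs from
 *         {@code responseIssuer}, or the Status/StatusCode is missing or not Success
 */
private void validateResponse(Response response) throws SamlException {
    try {
        new ResponseSchemaValidator().validate(response);
    } catch (ValidationException ex) {
        throw new SamlException("The response schema validation failed", ex);
    }
    // A missing Issuer element or value previously surfaced as a NullPointerException;
    // reject it explicitly so the caller gets a SamlException like every other failure.
    String issuerValue = response.getIssuer() == null ? null : response.getIssuer().getValue();
    if (issuerValue == null || !issuerValue.equals(responseIssuer)) {
        throw new SamlException("The response issuer didn't match the expected value");
    }
    // Same for Status/StatusCode: treat their absence as an invalid status rather than an NPE.
    if (response.getStatus() == null || response.getStatus().getStatusCode() == null) {
        throw new SamlException("Invalid status code: <missing>");
    }
    String statusCode = response.getStatus().getStatusCode().getValue();
    if (!"urn:oasis:names:tc:SAML:2.0:status:Success".equals(statusCode)) {
        throw new SamlException("Invalid status code: " + statusCode);
    }
}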