SubjectConfirmationData subjectConfirmationData = subjectConfirmationDataBuilder.buildObject(); subjectConfirmationData.setNotOnOrAfter(new DateTime().plusSeconds(assertionTtlSeconds)); subjectConfirmationData.setInResponseTo(authnRequest.getID()); subjectConfirmationData.setRecipient(authnRequest.getAssertionConsumerServiceURL()); subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData); subject.getSubjectConfirmations().add(subjectConfirmation);
@Test
public void testBuildResponseForSamlRequestWithPersistentNameID() throws Exception {
    // Arrange: a mocked UAA authentication and an inbound AuthnRequest asking for a persistent NameID.
    final String authenticationId = UUID.randomUUID().toString();
    final Authentication authentication = samlTestUtils.mockUaaAuthentication(authenticationId);
    final SAMLMessageContext context =
            samlTestUtils.mockSamlMessageContext(samlTestUtils.mockAuthnRequest(NameIDType.PERSISTENT));
    final IdpWebSSOProfileOptions options = new IdpWebSSOProfileOptions();
    options.setAssertionsSigned(false);

    // Act: let the IdP profile build the outbound Response into the context.
    profile.buildResponse(authentication, context, options);

    // Assert: the first assertion's Subject carries the persistent NameID and its
    // SubjectConfirmationData echoes the AuthnRequest ID back in InResponseTo.
    final AuthnRequest request = (AuthnRequest) context.getInboundSAMLMessage();
    final Response response = (Response) context.getOutboundSAMLMessage();
    final Assertion assertion = response.getAssertions().get(0);
    final Subject subject = assertion.getSubject();
    assertEquals(authenticationId, subject.getNameID().getValue());
    assertEquals(NameIDType.PERSISTENT, subject.getNameID().getFormat());

    final SubjectConfirmationData confirmationData =
            subject.getSubjectConfirmations().get(0).getSubjectConfirmationData();
    assertEquals(request.getID(), confirmationData.getInResponseTo());
    verifyAssertionAttributes(authenticationId, assertion);
}
/**
 * {@inheritDoc}
 * <p>
 * Maps the five schema-defined attributes of {@code SubjectConfirmationData} (NotBefore, NotOnOrAfter,
 * Recipient, InResponseTo, Address) onto the object's setters. Anything else, including a NotBefore or
 * NotOnOrAfter whose value is empty, is kept as an unknown attribute.
 */
protected void processAttribute(XMLObject samlObject, Attr attribute) throws UnmarshallingException {
    SubjectConfirmationData subjectCD = (SubjectConfirmationData) samlObject;
    String localName = attribute.getLocalName();
    String value = attribute.getValue();

    // The two time attributes are parsed as UTC instants; an empty value is not a date and so
    // falls through the chain into the unknown-attribute bucket.
    if (localName.equals(SubjectConfirmationData.NOT_BEFORE_ATTRIB_NAME) && !DatatypeHelper.isEmpty(value)) {
        subjectCD.setNotBefore(new DateTime(value, ISOChronology.getInstanceUTC()));
    } else if (localName.equals(SubjectConfirmationData.NOT_ON_OR_AFTER_ATTRIB_NAME)
            && !DatatypeHelper.isEmpty(value)) {
        subjectCD.setNotOnOrAfter(new DateTime(value, ISOChronology.getInstanceUTC()));
    } else if (localName.equals(SubjectConfirmationData.RECIPIENT_ATTRIB_NAME)) {
        subjectCD.setRecipient(value);
    } else if (localName.equals(SubjectConfirmationData.IN_RESPONSE_TO_ATTRIB_NAME)) {
        subjectCD.setInResponseTo(value);
    } else if (localName.equals(SubjectConfirmationData.ADDRESS_ATTRIB_NAME)) {
        subjectCD.setAddress(value);
    } else {
        storeUnknownAttribute(subjectCD, attribute);
    }
}

/**
 * Records an attribute this unmarshaller does not recognise, registering it as an ID attribute first
 * when the DOM marks it as one.
 *
 * @param subjectCD object receiving the attribute
 * @param attribute DOM attribute to copy
 */
private static void storeUnknownAttribute(SubjectConfirmationData subjectCD, Attr attribute) {
    QName attribQName = XMLHelper.getNodeQName(attribute);
    if (attribute.isId()) {
        subjectCD.getUnknownAttributes().registerID(attribQName);
    }
    subjectCD.getUnknownAttributes().put(attribQName, attribute.getValue());
}
}
if (!subjectConfirmationData.getInResponseTo().equals(requestId)) { if (!subjectConfirmationData.getRecipient().equals(recipient)) { validateTime(now, subjectConfirmationData.getNotBefore(), subjectConfirmationData.getNotOnOrAfter(), maxTimeOffset);
SubjectConfirmationData subjectCD = (SubjectConfirmationData) samlObject; if (subjectCD.getNotBefore() != null) { String notBeforeStr = Configuration.getSAMLDateFormatter().print(subjectCD.getNotBefore()); domElement.setAttributeNS(null, SubjectConfirmationData.NOT_BEFORE_ATTRIB_NAME, notBeforeStr); if (subjectCD.getNotOnOrAfter() != null) { String notOnOrAfterStr = Configuration.getSAMLDateFormatter().print(subjectCD.getNotOnOrAfter()); domElement.setAttributeNS(null, SubjectConfirmationData.NOT_ON_OR_AFTER_ATTRIB_NAME, notOnOrAfterStr); if (subjectCD.getRecipient() != null) { domElement.setAttributeNS(null, SubjectConfirmationData.RECIPIENT_ATTRIB_NAME, subjectCD.getRecipient()); if (subjectCD.getInResponseTo() != null) { domElement.setAttributeNS(null, SubjectConfirmationData.IN_RESPONSE_TO_ATTRIB_NAME, subjectCD .getInResponseTo()); if (subjectCD.getAddress() != null) { domElement.setAttributeNS(null, SubjectConfirmationData.ADDRESS_ATTRIB_NAME, subjectCD.getAddress()); for (Entry<QName, String> entry : subjectCD.getUnknownAttributes().entrySet()) { attribute = XMLHelper.constructAttribute(domElement.getOwnerDocument(), entry.getKey()); attribute.setValue(entry.getValue()); domElement.setAttributeNodeNS(attribute); if (Configuration.isIDAttribute(entry.getKey()) || subjectCD.getUnknownAttributes().isIDAttribute(entry.getKey())) { attribute.getOwnerElement().setIdAttributeNode(attribute, true);
subjectConfirmationData.setRecipient(ssoIdPConfigs.getAssertionConsumerUrl()); subjectConfirmationData.setNotOnOrAfter(notOnOrAfter);
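/**
 * Captures the first {@code SubjectConfirmation} of the authenticating assertion held in the
 * given authentication's {@link SAMLCredential}.
 * <p>
 * {@code SubjectConfirmationData} is optional in the SAML 2.0 schema; when it is absent the
 * InResponseTo, NotOnOrAfter and Recipient fields stay {@code null} instead of failing with a
 * {@code NullPointerException}.
 *
 * @param authentication authentication whose credentials are a {@link SAMLCredential}
 * @throws ClassCastException if the credentials are not a {@link SAMLCredential}
 * @throws IndexOutOfBoundsException if the assertion's Subject carries no SubjectConfirmation
 */
public SubjectConfirmation(Authentication authentication) {
    SAMLCredential credential = (SAMLCredential) authentication.getCredentials();
    Subject subject = credential.getAuthenticationAssertion().getSubject();
    List<org.opensaml.saml2.core.SubjectConfirmation> subjectConfirmations = subject.getSubjectConfirmations();
    // Only the first confirmation is surfaced by this class.
    org.opensaml.saml2.core.SubjectConfirmation subjectConfirmation = subjectConfirmations.get(0);
    method = subjectConfirmation.getMethod();

    // Guard the optional element; each field is assigned exactly once so this also works if
    // the fields are declared final.
    SubjectConfirmationData data = subjectConfirmation.getSubjectConfirmationData();
    inResponseTo = data == null ? null : data.getInResponseTo();
    notOnOrAfter = data == null ? null : data.getNotOnOrAfter();
    recipient = data == null ? null : data.getRecipient();
}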
if (s.getSubjectConfirmationData().getRecipient() != null) { recipientURLS.add(s.getSubjectConfirmationData().getRecipient()); if (s.getSubjectConfirmationData().getNotOnOrAfter() != null) { notOnOrAfterFromSubjectConfirmations.add(s.getSubjectConfirmationData().getNotOnOrAfter()); } else { if (log.isDebugEnabled()){
/**
 * Collects the NotOnOrAfter/NotBefore pair of a SubjectConfirmationData when it passes the
 * time-window check.
 *
 * @param subjectConfirmationData confirmation data whose time bounds are inspected
 * @param timeSkew tolerated clock skew, handed to {@code isWithinValidTimeWindow}
 * @return a map holding one {@code notOnOrAfter -> notBefore} entry when the window check passes
 *         and NotOnOrAfter is present; otherwise an empty (mutable) map
 * @throws IdentityOAuth2Exception if the time-window check raises it
 */
private Map<DateTime, DateTime> getValidNotBeforeAndAfterDetails(SubjectConfirmationData subjectConfirmationData,
                                                                 long timeSkew) throws IdentityOAuth2Exception {
    Map<DateTime, DateTime> constraints = new HashMap<>();
    DateTime notOnOrAfter = subjectConfirmationData.getNotOnOrAfter();
    DateTime notBefore = subjectConfirmationData.getNotBefore();

    if (!isWithinValidTimeWindow(notOnOrAfter, notBefore, timeSkew)) {
        return constraints;
    }
    if (notOnOrAfter == null) {
        // Without an upper bound there is nothing usable to record; only report it.
        if (log.isDebugEnabled()) {
            log.debug("Cannot find valid NotOnOrAfter and NotBefore attributes in "
                    + "SubjectConfirmationData " + subjectConfirmationData.toString());
        }
        return constraints;
    }
    constraints.put(notOnOrAfter, notBefore);
    return constraints;
}
SubjectConfirmationData confirmationMethod = (SubjectConfirmationData) confirmationMethodBuilder.buildObject(); DateTime now = new DateTime(); confirmationMethod.setNotBefore(now); confirmationMethod.setNotOnOrAfter(now.plusMinutes(2));
/**
 * Returns the Recipient of the given SubjectConfirmationData as a mutable list.
 *
 * @param subjectConfirmationData confirmation data to read the Recipient attribute from
 * @return a list containing the recipient when one is set, otherwise an empty list
 */
private List<String> getRecipientUrls(SubjectConfirmationData subjectConfirmationData) {
    String recipient = subjectConfirmationData.getRecipient();
    List<String> recipientUrls = new ArrayList<>();
    if (recipient != null) {
        recipientUrls.add(recipient);
    }
    return recipientUrls;
}
/**
 * Validates the <code>NotOnOrAfter</code> condition of the {@link SubjectConfirmationData}, if any is present.
 * <p>
 * "Now" is shifted <em>earlier</em> by the configured clock skew, so a confirmation that expired less
 * than one skew interval ago is still accepted.
 *
 * @param confirmation confirmation method, with {@link SubjectConfirmationData}, being validated
 * @param assertion assertion bearing the confirmation method
 * @param context current validation context
 *
 * @return {@link ValidationResult#INVALID} when NotOnOrAfter lies in the skew-adjusted past,
 *         otherwise {@link ValidationResult#VALID}
 */
protected ValidationResult validateNotOnOrAfter(SubjectConfirmation confirmation, Assertion assertion,
        ValidationContext context) {
    DateTime skewedNow = new DateTime(ISOChronology.getInstanceUTC()).minus(getClockSkew(context));
    DateTime notOnOrAfter = confirmation.getSubjectConfirmationData().getNotOnOrAfter();

    // Absent NotOnOrAfter imposes no upper bound; a bound that has not yet passed is fine too.
    if (notOnOrAfter == null || !notOnOrAfter.isBefore(skewedNow)) {
        return ValidationResult.VALID;
    }
    context.setValidationFailureMessage(String.format(
            "Subject confirmation, in assertion '%s', with NotOnOrAfter condition of '%s' is no longer valid",
            assertion.getID(), notOnOrAfter));
    return ValidationResult.INVALID;
}
SubjectConfirmationData confData = (SubjectConfirmationData) buildXMLObject(SubjectConfirmationData.DEFAULT_ELEMENT_NAME); confData.setAddress(CONF_KEY); subjectConf.setSubjectConfirmationData(confData); subject.getSubjectConfirmations().add(subjectConf);
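/**
 * Validates the <code>NotBefore</code> condition of the {@link SubjectConfirmationData}, if any is present.
 * <p>
 * "Now" is shifted <em>later</em> by the configured clock skew, so a NotBefore up to one skew interval
 * in the future is still accepted.
 *
 * @param confirmation confirmation method, with {@link SubjectConfirmationData}, being validated
 * @param assertion assertion bearing the confirmation method
 * @param context current validation context
 *
 * @return the result of the validation evaluation
 */
protected ValidationResult validateNotBefore(SubjectConfirmation confirmation, Assertion assertion,
        ValidationContext context) {
    DateTime skewedNow = new DateTime(ISOChronology.getInstanceUTC()).plus(getClockSkew(context));
    DateTime notBefore = confirmation.getSubjectConfirmationData().getNotBefore();
    if (notBefore != null && notBefore.isAfter(skewedNow)) {
        // The assertion ID and NotBefore are passed as format arguments. They used to be concatenated
        // into the pattern itself, leaving both '%s' placeholders unfilled, so String.format threw
        // MissingFormatArgumentException on this path instead of recording INVALID.
        context.setValidationFailureMessage(String.format(
                "Subject confirmation, in assertion '%s', with NotBefore condition of '%s' is not yet valid",
                assertion.getID(), notBefore));
        return ValidationResult.INVALID;
    }
    return ValidationResult.VALID;
}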
/**
 * Builds a SAML {@code Subject} carrying a NameID and a single bearer {@code SubjectConfirmation}.
 *
 * @param subjectNameId     value of the NameID
 * @param subjectNameIdType NameID format URI
 * @param recipient         value written to both the Recipient and the Address attribute of the
 *                          SubjectConfirmationData
 * @param inResponseTo      ID of the AuthnRequest this assertion answers
 * @return the populated subject
 */
private static Subject buildSubject(String subjectNameId, String subjectNameIdType, String recipient,
                                    String inResponseTo) {
    NameID nameID = buildSAMLObject(NameID.class, NameID.DEFAULT_ELEMENT_NAME);
    nameID.setValue(subjectNameId);
    nameID.setFormat(subjectNameIdType);

    Subject subject = buildSAMLObject(Subject.class, Subject.DEFAULT_ELEMENT_NAME);
    subject.setNameID(nameID);
    subject.getSubjectConfirmations().add(buildBearerConfirmation(recipient, inResponseTo));
    return subject;
}

/**
 * Creates the bearer SubjectConfirmation with its Recipient, InResponseTo, NotOnOrAfter and Address.
 *
 * @param recipient    assertion consumer URL, also copied into Address
 * @param inResponseTo ID of the AuthnRequest being answered
 * @return the populated confirmation
 */
private static SubjectConfirmation buildBearerConfirmation(String recipient, String inResponseTo) {
    SubjectConfirmation confirmation = buildSAMLObject(SubjectConfirmation.class,
            SubjectConfirmation.DEFAULT_ELEMENT_NAME);
    confirmation.setMethod(SubjectConfirmation.METHOD_BEARER);

    SubjectConfirmationData data = buildSAMLObject(SubjectConfirmationData.class,
            SubjectConfirmationData.DEFAULT_ELEMENT_NAME);
    data.setRecipient(recipient);
    data.setInResponseTo(inResponseTo);
    // NOTE(review): an 8-hour bearer-confirmation window is far wider than the few minutes relying
    // parties typically accept; confirm this lifetime is intentional.
    data.setNotOnOrAfter(new DateTime().plusMinutes(8 * 60));
    // NOTE(review): per SAML Core, Address is the network address the subject presents the assertion
    // from, not the recipient URL; a relying party that checks Address against the client IP will
    // reject this value.
    data.setAddress(recipient);

    confirmation.setSubjectConfirmationData(data);
    return confirmation;
}
if (data.getNotBefore() != null) { log.debug("Bearer SubjectConfirmation invalidated by not before which is forbidden"); continue; if (data.getNotOnOrAfter() == null) { log.debug("Bearer SubjectConfirmation invalidated by missing notOnOrAfter"); continue; if (data.getNotOnOrAfter().plusSeconds(getResponseSkew()).isBeforeNow()) { log.debug("Bearer SubjectConfirmation invalidated by notOnOrAfter"); continue; if (data.getInResponseTo() == null) { log.debug("Bearer SubjectConfirmation invalidated by missing inResponseTo field"); continue; } else { if (!data.getInResponseTo().equals(request.getID())) { log.debug("Bearer SubjectConfirmation invalidated by invalid in response to"); continue; if (data.getRecipient() == null) { log.debug("Bearer SubjectConfirmation invalidated by missing recipient"); continue; } else { try { verifyEndpoint(context.getLocalEntityEndpoint(), data.getRecipient()); } catch (SAMLException e) { log.debug("Bearer SubjectConfirmation invalidated by recipient assertion consumer URL, found {}", data.getRecipient()); continue;
subjectConfirmationData.setRecipient(ssoIdPConfigs.getAssertionConsumerUrl()); subjectConfirmationData.setNotOnOrAfter(notOnOrAfter);
if (scd.getNotOnOrAfter() != null) { final DateTime chkdate = scd.getNotOnOrAfter().plusSeconds(slack); if (now.isEqual(chkdate) || now.isAfter(chkdate)) { throw new ValidationException("SubjectConfirmationData is in the past"); if (config.getSPConfig().getAcs().equals(scd.getRecipient())) { foundRecipient = true;
/**
 * Records the assertion ID and the validity window of the assertion under processing.
 * <p>
 * The window is taken from {@code Conditions} whenever that element exists; only when it is absent
 * altogether is the first SubjectConfirmationData consulted. A Conditions element that carries
 * neither NotBefore nor NotOnOrAfter therefore leaves both dates unset.
 * NOTE(review): the fallback dereferences {@code getSubjectConfirmations().get(0)} and its
 * SubjectConfirmationData without empty/null checks and will throw if either is missing.
 */
protected void processSAMLAssertion() {
    this.setAssertionId(assertion.getID());
    Subject subject = assertion.getSubject();
    Conditions conditions = assertion.getConditions();

    if (conditions == null) {
        // No Conditions element: read the validity period from the first SubjectConfirmationData.
        SubjectConfirmationData scData = subject.getSubjectConfirmations().get(0).getSubjectConfirmationData();
        if (scData.getNotBefore() != null) {
            this.setDateNotBefore(scData.getNotBefore().toDate());
        }
        if (scData.getNotOnOrAfter() != null) {
            this.setDateNotOnOrAfter(scData.getNotOnOrAfter().toDate());
        }
        return;
    }

    if (conditions.getNotBefore() != null) {
        this.setDateNotBefore(conditions.getNotBefore().toDate());
    }
    if (conditions.getNotOnOrAfter() != null) {
        this.setDateNotOnOrAfter(conditions.getNotOnOrAfter().toDate());
    }
}
ValidationContext context) { String recipient = DatatypeHelper .safeTrimOrNullString(confirmation.getSubjectConfirmationData().getRecipient()); if (recipient == null) { return ValidationResult.VALID;