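/**
 * Creates a metadata manager that starts with no providers and consults the given
 * configurator instead of a static provider list.
 *
 * @param configurator source of the SAML identity-provider definitions this manager serves
 * @throws MetadataProviderException propagated from the superclass constructor
 */
public NonSnarlMetadataManager(SamlIdentityProviderConfigurator configurator) throws MetadataProviderException {
    // Typed empty list instead of the raw Collections.EMPTY_LIST.
    super(Collections.emptyList());
    this.configurator = configurator;
    this.defaultExtendedMetadata = new ExtendedMetadata();
    // 0 presumably turns the periodic refresh check off -- confirm against the superclass contract.
    super.setRefreshCheckInterval(0);
}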
/**
 * Finds the alias of the first <em>local</em> entity exposed by the given provider.
 *
 * @param provider provider whose entity IDs are inspected
 * @return the verified alias of the first local entity that has one, or null if none does
 * @throws MetadataProviderException if the provider cannot be parsed or the alias fails verification
 */
protected String getProviderAlias(ExtendedMetadataDelegate provider) throws MetadataProviderException {
    for (String entityId : parseProvider(provider)) {
        ExtendedMetadata extendedMetadata = getExtendedMetadata(entityId, provider);
        if (extendedMetadata == null) {
            log.debug("No extended metadata available for entity {}", entityId);
            continue;
        }
        if (!extendedMetadata.isLocal()) {
            log.debug("Remote entity {} available", entityId);
            continue;
        }
        String alias = extendedMetadata.getAlias();
        if (alias == null) {
            log.debug("Local entity {} doesn't have an alias", entityId);
            continue;
        }
        // verifyAlias throws rather than returning an alias that fails its validity check.
        SAMLUtil.verifyAlias(alias, entityId);
        return alias;
    }
    return null;
}
/**
/**
 * Builds a metadata delegate for a remote IdP whose metadata is given inline in the definition.
 *
 * @param def identity-provider definition carrying zone, alias, metadata XML and trust-check flag
 * @return delegate wrapping a ConfigMetadataProvider for that definition
 */
protected ExtendedMetadataDelegate configureXMLMetadata(SamlIdentityProviderDefinition def) {
    ConfigMetadataProvider xmlProvider = new ConfigMetadataProvider(def.getZoneId(), def.getIdpEntityAlias(), def.getMetaDataLocation());
    xmlProvider.setParserPool(getParserPool());

    // The IdP is a remote entity, addressed by the alias from its definition.
    ExtendedMetadata remote = new ExtendedMetadata();
    remote.setAlias(def.getIdpEntityAlias());
    remote.setLocal(false);

    ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(xmlProvider, remote);
    // Whether the delegate verifies trust in the metadata is decided per definition;
    // a definition with this flag off accepts the metadata as given.
    delegate.setMetadataTrustCheck(def.isMetadataTrustCheck());
    return delegate;
}
/**
 * Populates the extended metadata for the builder unless an explicit bean was supplied.
 * Every property is taken from the override on this configurer when set, otherwise from
 * {@code extendedMetadataConfig}; the result is then shared with the builder.
 *
 * @param builder the service-provider builder being configured
 * @throws Exception propagated from metadata creation or sharing
 */
@Override
public void configure(ServiceProviderBuilder builder) throws Exception {
    // An explicitly provided bean wins; nothing is derived or shared in that case.
    if (extendedMetadataBean != null) {
        return;
    }
    if (extendedMetadata == null) {
        extendedMetadata = createExtendedMetadata();
        //extendedMetadata.setLocal(Optional.ofNullable(local).orElseGet(extendedMetadataConfig::isLocal));
        // NOTE(review): 'local' is not propagated (the call above is commented out), so it keeps
        // whatever createExtendedMetadata() leaves -- confirm that is intended.

        // Feature flags.
        extendedMetadata.setIdpDiscoveryEnabled(Optional.ofNullable(idpDiscoveryEnabled).orElseGet(extendedMetadataConfig::isIdpDiscoveryEnabled));
        extendedMetadata.setEcpEnabled(Optional.ofNullable(ecpEnabled).orElseGet(extendedMetadataConfig::isEcpEnabled));
        extendedMetadata.setSignMetadata(Optional.ofNullable(signMetadata).orElseGet(extendedMetadataConfig::isSignMetadata));

        // Signature requirements on inbound messages: relaxing any of these accepts unsigned input.
        extendedMetadata.setRequireLogoutRequestSigned(Optional.ofNullable(requireLogoutRequestSigned).orElseGet(extendedMetadataConfig::isRequireLogoutRequestSigned));
        extendedMetadata.setRequireLogoutResponseSigned(Optional.ofNullable(requireLogoutResponseSigned).orElseGet(extendedMetadataConfig::isRequireLogoutResponseSigned));
        extendedMetadata.setRequireArtifactResolveSigned(Optional.ofNullable(requireArtifactResolveSigned).orElseGet(extendedMetadataConfig::isRequireArtifactResolveSigned));
        extendedMetadata.setSupportUnsolicitedResponse(Optional.ofNullable(supportUnsolicitedResponse).orElseGet(extendedMetadataConfig::isSupportUnsolicitedResponse));

        // Naming and discovery endpoints.
        extendedMetadata.setAlias(Optional.ofNullable(alias).orElseGet(extendedMetadataConfig::getAlias));
        extendedMetadata.setIdpDiscoveryURL(Optional.ofNullable(idpDiscoveryURL).orElseGet(extendedMetadataConfig::getIdpDiscoveryUrl));
        extendedMetadata.setIdpDiscoveryResponseURL(Optional.ofNullable(idpDiscoveryResponseURL).orElseGet(extendedMetadataConfig::getIdpDiscoveryResponseUrl));

        // Security / TLS profiles and hostname verification.
        extendedMetadata.setSecurityProfile(Optional.ofNullable(securityProfile).orElseGet(extendedMetadataConfig::getSecurityProfile));
        extendedMetadata.setSslSecurityProfile(Optional.ofNullable(sslSecurityProfile).orElseGet(extendedMetadataConfig::getSslSecurityProfile));
        extendedMetadata.setSslHostnameVerification(Optional.ofNullable(sslHostnameVerification).orElseGet(extendedMetadataConfig::getSslHostnameVerification));

        // Key material: which keys sign, decrypt, terminate TLS and are trusted.
        extendedMetadata.setSigningKey(Optional.ofNullable(signingKey).orElseGet(extendedMetadataConfig::getSigningKey));
        extendedMetadata.setSigningAlgorithm(Optional.ofNullable(signingAlgorithm).orElseGet(extendedMetadataConfig::getSigningAlgorithm));
        extendedMetadata.setKeyInfoGeneratorName(Optional.ofNullable(keyInfoGeneratorName).orElseGet(extendedMetadataConfig::getKeyInfoGeneratorName));
        extendedMetadata.setEncryptionKey(Optional.ofNullable(encryptionKey).orElseGet(extendedMetadataConfig::getEncryptionKey));
        extendedMetadata.setTlsKey(Optional.ofNullable(tlsKey).orElseGet(extendedMetadataConfig::getTlsKey));
        extendedMetadata.setTrustedKeys(Optional.ofNullable(trustedKeys).orElseGet(extendedMetadataConfig::getTrustedKeys));
    }
    shareExtendedMetadata(builder);
}
/**
 * Extended metadata for the local entity: ECP and IdP discovery enabled, metadata left unsigned.
 *
 * @return a freshly built ExtendedMetadata
 */
@Bean
public ExtendedMetadata extendedMetadata() {
    ExtendedMetadata md = new ExtendedMetadata();
    md.setEcpEnabled(true);
    md.setIdpDiscoveryEnabled(true);
    // NOTE(review): published metadata carries no signature, so peers cannot verify its origin that way.
    md.setSignMetadata(false);
    return md;
}
/**
 * Builds signed extended metadata with IdP discovery toggled by the argument.
 *
 * @param discoveryEnabled whether IdP discovery is switched on
 * @return a new ExtendedMetadata with signMetadata=true
 */
private ExtendedMetadata extendedMetadata(boolean discoveryEnabled) {
    ExtendedMetadata md = new ExtendedMetadata();
    md.setSignMetadata(true);
    md.setIdpDiscoveryEnabled(discoveryEnabled);
    return md;
}
/**
 * Test fixture: a second zone requiring signed requests/assertions with one active key,
 * and a zone-aware metadata generator using signed, discovery-enabled extended metadata.
 */
@Before
public void setUp() {
    // Extended metadata under test (fully qualified to avoid clashing with a same-named type).
    extendedMetadata = new org.springframework.security.saml.metadata.ExtendedMetadata();
    extendedMetadata.setAlias("entityAlias");
    extendedMetadata.setIdpDiscoveryEnabled(true);
    extendedMetadata.setSignMetadata(true);

    // Zone with request + assertion signing and key-1 active.
    otherZone = new IdentityZone();
    otherZone.setId(ZONE_ID);
    otherZone.setName(ZONE_ID);
    otherZone.setSubdomain(ZONE_ID);
    otherZone.setConfig(new IdentityZoneConfiguration());
    otherZoneDefinition = otherZone.getConfig();
    otherZoneDefinition.getSamlConfig().setRequestSigned(true);
    otherZoneDefinition.getSamlConfig().setWantAssertionSigned(true);
    otherZoneDefinition.getSamlConfig().addAndActivateKey("key-1", samlKey1);
    otherZone.setConfig(otherZoneDefinition);

    // Generator wired with a zone-aware key manager.
    keyManager = new ZoneAwareKeyManager();
    generator = new ZoneAwareMetadataGenerator();
    generator.setKeyManager(keyManager);
    generator.setExtendedMetadata(extendedMetadata);
    generator.setEntityId("entityIdValue");
    generator.setEntityBaseURL("http://localhost:8080/uaa");
}
/**
 * Extended metadata for the local entity with IdP discovery and mandatory LogoutRequest signatures.
 *
 * @return a freshly built ExtendedMetadata
 */
@Bean
public ExtendedMetadata extendedMetadata() {
    ExtendedMetadata metadata = new ExtendedMetadata();
    // true: the user is presented with the IdP selection screen.
    metadata.setIdpDiscoveryEnabled(true);
    // Inbound LogoutRequests must be signed.
    metadata.setRequireLogoutRequestSigned(true);
    // NOTE(review): requireLogoutResponseSigned is deliberately not set here (the original had it
    // commented out); it keeps its default, presumably false, so unsigned LogoutResponses may be accepted.
    metadata.setSignMetadata(false);
    return metadata;
}
/**
 * Generates the extended metadata for the local entity.
 * <p>
 * Starts from a clone of the configured default extended metadata when one is present, otherwise
 * from an empty ExtendedMetadata. When discovery is included, the IdP discovery URL and discovery
 * response URL are derived from the entity base URL and alias; otherwise both are cleared.
 * {@code local} is always set to true. No other property (keys, alias, signing flags) is touched
 * by this method.
 *
 * @return generated extended metadata
 */
public ExtendedMetadata generateExtendedMetadata() {
    ExtendedMetadata result = extendedMetadata == null ? new ExtendedMetadata() : extendedMetadata.clone();
    String baseUrl = getEntityBaseURL();
    String alias = getEntityAlias();
    if (!isIncludeDiscovery()) {
        // Discovery off: make sure no URLs inherited from the default metadata survive.
        result.setIdpDiscoveryURL(null);
        result.setIdpDiscoveryResponseURL(null);
    } else {
        result.setIdpDiscoveryURL(getDiscoveryURL(baseUrl, alias));
        result.setIdpDiscoveryResponseURL(getDiscoveryResponseURL(baseUrl, alias));
    }
    // Generated metadata always describes this (local) entity.
    result.setLocal(true);
    return result;
}
/**
 * Test fixture: a second zone requiring signed requests/assertions with one active key,
 * and a zone-aware IdP metadata generator using signed, discovery-enabled IdP extended metadata.
 */
@Before
public void setup() {
    // IdP extended metadata under test.
    extendedMetadata = new IdpExtendedMetadata();
    extendedMetadata.setAlias("entityAlias");
    extendedMetadata.setIdpDiscoveryEnabled(true);
    extendedMetadata.setSignMetadata(true);

    // Zone with request + assertion signing and key-1 active.
    otherZone = new IdentityZone();
    otherZone.setId(ZONE_ID);
    otherZone.setName(ZONE_ID);
    otherZone.setSubdomain(ZONE_ID);
    otherZone.setConfig(new IdentityZoneConfiguration());
    otherZoneDefinition = otherZone.getConfig();
    otherZoneDefinition.getSamlConfig().setRequestSigned(true);
    otherZoneDefinition.getSamlConfig().setWantAssertionSigned(true);
    otherZoneDefinition.getSamlConfig().addAndActivateKey("key-1", samlKey1);
    otherZone.setConfig(otherZoneDefinition);

    // Generator wired with a zone-aware key manager.
    keyManager = new ZoneAwareKeyManager();
    generator = new ZoneAwareIdpMetadataGenerator();
    generator.setKeyManager(keyManager);
    generator.setExtendedMetadata((IdpExtendedMetadata) extendedMetadata);
    generator.setEntityBaseURL("http://localhost:8080/uaa");
}
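/**
 * Fetches the service provider's metadata from its configured URL and delegates to the XML path.
 *
 * @param provider service provider whose config holds the metadata URL and SSL-validation flag
 * @return the metadata delegate produced by configureXMLMetadata
 * @throws MetadataProviderException if the URL is invalid or the fetch fails
 */
protected ExtendedMetadataDelegate configureURLMetadata(SamlServiceProvider provider) throws MetadataProviderException {
    // Work on a copy so the provider's own config keeps the URL.
    SamlServiceProviderDefinition def = provider.getConfig().clone();
    byte[] metadata;
    try {
        // SECURITY: isSkipSslValidation() presumably disables certificate checks for this fetch;
        // with it on, the metadata (and so the SP's keys and endpoints) could be replaced in transit.
        metadata = fixedHttpMetaDataProvider.fetchMetadata(def.getMetaDataLocation(), def.isSkipSslValidation());
    } catch (RestClientException e) {
        throw new MetadataProviderException("Unavailable Metadata Provider", e);
    } catch (URISyntaxException e) {
        throw new MetadataProviderException("Invalid metadata URI: " + def.getMetaDataLocation(), e);
    }
    def.setMetaDataLocation(new String(metadata, StandardCharsets.UTF_8));
    // NOTE(review): the copy now holding the fetched XML is not passed on -- configureXMLMetadata gets
    // the original provider; confirm it obtains the fetched metadata from somewhere other than 'def'.
    // (An ExtendedMetadata that was built here and never used has been removed.)
    return configureXMLMetadata(provider);
}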
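/**
 * Resolves the entity ID whose extended metadata carries the given alias, across SPs and IdPs.
 *
 * @param entityAlias alias to look up; null yields null
 * @return the matching entity ID, or null when no entity uses the alias
 * @throws MetadataProviderException if two different entities share the alias, or metadata cannot be read
 */
@Override
public String getEntityIdForAlias(String entityAlias) throws MetadataProviderException {
    if (entityAlias == null) {
        return null;
    }
    String entityId = matchAlias(getSPEntityNames(), entityAlias, null);
    // IdPs are checked against whatever the SP pass found, so an SP/IdP alias clash is also rejected.
    return matchAlias(getIDPEntityNames(), entityAlias, entityId);
}

/**
 * Scans the given entity IDs for one whose extended metadata has the alias.
 *
 * @param entityIds entity IDs to inspect
 * @param entityAlias alias being looked for (non-null)
 * @param previous entity ID already found for this alias, or null
 * @return the entity ID found (or {@code previous} when nothing new matched)
 * @throws MetadataProviderException if a second, different entity uses the same alias
 */
private String matchAlias(Iterable<String> entityIds, String entityAlias, String previous) throws MetadataProviderException {
    String entityId = previous;
    for (String id : entityIds) {
        ExtendedMetadata extendedMetadata = getExtendedMetadata(id);
        // Guard against entities without extended metadata (a sibling lookup in this codebase null-checks too).
        if (extendedMetadata == null || !entityAlias.equals(extendedMetadata.getAlias())) {
            continue;
        }
        if (entityId != null && !entityId.equals(id)) {
            throw new MetadataProviderException("Alias " + entityAlias + " is used both for entity " + entityId + " and " + id);
        }
        entityId = id;
    }
    return entityId;
}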
/** Covariant clone: returns the superclass copy typed as IdpExtendedMetadata. */
@Override public IdpExtendedMetadata clone() { return (IdpExtendedMetadata) super.clone(); } }
/**
 * Registers one IdP metadata provider bean per classpath resource named {@code idp-<name>.xml};
 * the bean name and metadata alias are both {@code <name>}.
 *
 * @return post-processor that performs the registration
 */
@Bean
BeanFactoryPostProcessor idpMetadataLoader() {
    return beanFactory -> {
        PathMatchingResourcePatternResolver resolver = new PathMatchingResourcePatternResolver();
        try {
            for (Resource metadataFile : resolver.getResources("classpath:/idp-*.xml")) {
                try {
                    // Bean name / alias: the part of the file name between "idp-" and ".xml".
                    String fileName = metadataFile.getFilename();
                    String idpName = fileName.substring(fileName.lastIndexOf("idp-") + 4, fileName.lastIndexOf(".xml"));

                    // Daemon timer, so a scheduled refresh never keeps the JVM alive on its own.
                    ResourceBackedMetadataProvider resourceProvider = new ResourceBackedMetadataProvider(new Timer(true), new SpringResourceWrapperOpenSAMLResource(metadataFile));
                    resourceProvider.setParserPool(parserPool());

                    ExtendedMetadata md = extendedMetadata().clone();
                    md.setAlias(idpName);
                    ExtendedMetadataDelegate provider = new ExtendedMetadataDelegate(resourceProvider, md);
                    // Trust check on, signature not required: files bundled on the classpath are
                    // presumably accepted unsigned -- fine only as long as the classpath is trusted.
                    provider.setMetadataTrustCheck(true);
                    provider.setMetadataRequireSignature(false);

                    beanFactory.registerSingleton(idpName, provider);
                    log.info("Loaded Idp Metadata bean {}: {}", idpName, metadataFile);
                } catch (Exception e) {
                    throw new IllegalStateException("Unable to initialize IDP Metadata", e);
                }
            }
        } catch (Exception e) {
            // Also re-wraps the IllegalStateException thrown above, as the original did.
            throw new IllegalStateException("Unable to initialize IDP Metadata", e);
        }
    };
}
if (extendedMetadata.isLocal() && extendedMetadata.getIdpDiscoveryResponseURL() != null) { return extendedMetadata.getIdpDiscoveryResponseURL(); if (extendedMetadata.isLocal()) { String responseURL = contextPath + filterUrl + (extendedMetadata.getAlias() != null ? "/alias/" + extendedMetadata.getAlias() : "") + "?" + SAMLEntryPoint.DISCOVERY_RESPONSE_PARAMETER + "=true";
/** Extended metadata that is always flagged local (describes this entity rather than a remote one). */
public LocalExtendedMetadata() { super.setLocal(true); }
/**
 * Extended metadata for the local entity: IdP discovery and ECP on, metadata unsigned.
 *
 * @return a new ExtendedMetadata
 */
@Bean
public ExtendedMetadata extendedMetadata() {
    ExtendedMetadata local = new ExtendedMetadata();
    // NOTE(review): unsigned metadata -- peers have no signature to verify it against.
    local.setSignMetadata(false);
    local.setEcpEnabled(true);
    local.setIdpDiscoveryEnabled(true);
    return local;
}
/**
 * Extended metadata for the local entity: signed metadata, IdP discovery off.
 *
 * @return a new ExtendedMetadata
 */
@Bean
public ExtendedMetadata extendedMetadata() {
    ExtendedMetadata local = new ExtendedMetadata();
    local.setSignMetadata(true);
    local.setIdpDiscoveryEnabled(false);
    return local;
}
/**
 * Resolves the IdP entity ID for the alias carried in the request.
 * The name of the parameter holding the alias is itself taken from RETURN_ID_PARAM, defaulting to "idp".
 *
 * @param request the current request
 * @return entity ID of the IdP whose extended metadata has the requested alias
 * @throws UnableToFindSamlIDPException if no IdP carries the alias, or its metadata cannot be read
 */
@Override
protected String getPassiveIDP(HttpServletRequest request) {
    String aliasParamName = request.getParameter(RETURN_ID_PARAM);
    if (aliasParamName == null) {
        aliasParamName = "idp";
    }
    // The request gives us an alias; translate it into an entity ID.
    String idpAlias = request.getParameter(aliasParamName);
    if (idpAlias != null) {
        for (String idp : metadata.getIDPEntityNames()) {
            ExtendedMetadata emd;
            try {
                emd = metadata.getExtendedMetadata(idp);
            } catch (MetadataProviderException e) {
                throw new UnableToFindSamlIDPException("Unable to read extended metadata for alias[" + idpAlias + "] IDP[" + idp + "]", e);
            }
            if (emd != null && idpAlias.equals(emd.getAlias())) {
                return idp;
            }
        }
    }
    // NOTE(review): the alias is request-controlled and is echoed verbatim into the exception message;
    // make sure it is not rendered to users or logged unsanitised downstream.
    throw new UnableToFindSamlIDPException("Unable to locate IDP provider for alias:" + idpAlias);
}