/**
 * Builds the metadata delegate for an identity provider whose metadata is read from the
 * definition's configured metadata location via {@link ConfigMetadataProvider}.
 *
 * Security note: only the metadata trust check is taken from the definition. The delegate's
 * signature-requirement flag is not touched here, so whether unsigned metadata is accepted is
 * decided by the delegate's default or by a later caller — not by this method.
 *
 * @param def identity-provider definition supplying zone id, entity alias, metadata location
 *            and the trust-check flag
 * @return a non-local delegate whose extended-metadata alias is the IdP entity alias
 */
protected ExtendedMetadataDelegate configureXMLMetadata(SamlIdentityProviderDefinition def) {
    String alias = def.getIdpEntityAlias();

    ConfigMetadataProvider xmlProvider =
            new ConfigMetadataProvider(def.getZoneId(), alias, def.getMetaDataLocation());
    xmlProvider.setParserPool(getParserPool());

    ExtendedMetadata extended = new ExtendedMetadata();
    extended.setLocal(false);
    extended.setAlias(alias);

    ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(xmlProvider, extended);
    delegate.setMetadataTrustCheck(def.isMetadataTrustCheck());
    return delegate;
}
String metadataEntityId = ((ConfigMetadataProvider) added.getDelegate()).getEntityID(); if (provider.getEntityId() == null) { provider.setEntityId(metadataEntityId); added.initialize(); SPSSODescriptor spSsoDescriptor = added.getEntityDescriptor(metadataEntityId). getSPSSODescriptor(SAMLConstants.SAML20P_NS); if (null != spSsoDescriptor &&
/**
 * Finds the first entity in the provider's metadata that carries a SAML 2.0
 * {@code IDPSSODescriptor} role and returns its key.
 *
 * The keys come from {@code parseProvider(provider)} (defined elsewhere); they are passed to
 * {@link ExtendedMetadataDelegate#getRole} as the entity identifier, so presumably they are
 * entity IDs. Only the first match is returned; a provider with several IdP entities yields
 * whichever one {@code parseProvider} lists first.
 *
 * @param provider delegate whose metadata is inspected
 * @return the first key with an IdP role, or {@code null} when none of the keys has one
 * @throws MetadataProviderException as declared; presumably from {@code parseProvider}/{@code getRole}
 */
protected String getProviderIdpAlias(ExtendedMetadataDelegate provider) throws MetadataProviderException {
    for (String entityKey : parseProvider(provider)) {
        RoleDescriptor idpRole =
                provider.getRole(entityKey, IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS);
        if (idpRole == null) {
            continue;
        }
        return entityKey;
    }
    return null;
}
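/**
 * Installs a {@link SignatureValidationFilter} on the provider so that its metadata is
 * signature-checked against the trust engine returned by {@code getTrustEngine(provider)}.
 *
 * Fix: when the provider already carried a filter that was not a {@link MetadataFilterChain},
 * the previous code built a new chain holding both filters but never set it on the provider,
 * so the signature filter was silently dropped and metadata passing through such a provider
 * was never signature-verified. The chain is now installed with
 * {@code provider.setMetadataFilter(chain)}.
 *
 * Ordering: the signature filter is appended after any pre-existing filter(s). Assuming the
 * chain runs its filters in list order (not visible here), a pre-existing filter therefore
 * sees the metadata before its signature has been checked.
 *
 * @param provider the delegate whose metadata filter is extended;
 *                 {@code isMetadataRequireSignature()} decides whether unsigned metadata is rejected
 * @throws MetadataProviderException as declared; presumably from {@code getTrustEngine}
 */
@Override
protected void initializeProviderFilters(ExtendedMetadataDelegate provider) throws MetadataProviderException {
    boolean requireSignature = provider.isMetadataRequireSignature();
    SignatureTrustEngine trustEngine = getTrustEngine(provider);

    SignatureValidationFilter signatureFilter = new SignatureValidationFilter(trustEngine);
    signatureFilter.setRequireSignature(requireSignature);
    log.debug("Created new trust manager for metadata provider {}", provider);

    // Combine any existing filters with the signature verification
    MetadataFilter existing = provider.getMetadataFilter();
    if (existing == null) {
        log.debug("Adding signature filter");
        provider.setMetadataFilter(signatureFilter);
    } else if (existing instanceof MetadataFilterChain) {
        log.debug("Adding signature filter into existing chain");
        ((MetadataFilterChain) existing).getFilters().add(signatureFilter);
    } else {
        log.debug("Combining signature filter with the existing in a new chain");
        MetadataFilterChain chain = new MetadataFilterChain();
        chain.getFilters().add(existing);
        chain.getFilters().add(signatureFilter);
        // The chain must be installed, otherwise the signature filter never runs.
        provider.setMetadataFilter(chain);
    }
}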
/**
 * Wraps the shared {@code metadataProvider} field in a delegate carrying the given
 * extended metadata.
 *
 * NOTE(review): both the metadata trust check and the signature requirement are switched
 * off here, so whatever {@code metadataProvider} serves is accepted without any signature
 * or trust validation. That is only appropriate when the provider's source is itself
 * trusted (a local file or classpath resource, say) — confirm what {@code metadataProvider}
 * actually reads from before relying on this in a non-test configuration.
 *
 * @param extendedMetadata extended metadata to attach to the delegate
 * @return a delegate with trust check and signature requirement disabled
 */
private ExtendedMetadataDelegate extendedMetadataDelegate(ExtendedMetadata extendedMetadata) {
    ExtendedMetadataDelegate wrapped = new ExtendedMetadataDelegate(metadataProvider, extendedMetadata);
    // Deliberately permissive: no trust check, unsigned metadata accepted.
    wrapped.setMetadataTrustCheck(false);
    wrapped.setMetadataRequireSignature(false);
    return wrapped;
}
/**
 * Builds the delegate for this deployment's own identity-provider entity. Both the entity
 * descriptor and the extended metadata come from {@code generator}; the descriptor is held
 * in an in-memory provider that is initialized before being wrapped.
 *
 * No trust-check or signature flags are set on the returned delegate (the delegate's
 * defaults apply), which is consistent with the metadata being generated locally rather
 * than fetched. The "Initialized" log line is written before {@code initialize()} runs.
 *
 * @return delegate over the locally generated IdP descriptor
 * @throws MetadataProviderException as declared; presumably from {@code initialize()}
 */
public ExtendedMetadataDelegate getLocalIdp() throws MetadataProviderException {
    EntityDescriptor localEntity = generator.generateMetadata();
    ExtendedMetadata localExtended = generator.generateExtendedMetadata();
    log.info("Initialized local identity provider for entityID: " + localEntity.getEntityID());

    MetadataMemoryProvider inMemory = new MetadataMemoryProvider(localEntity);
    inMemory.initialize();
    return new ExtendedMetadataDelegate(inMemory, localExtended);
}
/**
 * Wraps a plain {@link MetadataProvider} in an {@link ExtendedMetadataDelegate}, taking each
 * setting from {@code props} when it is non-null and from {@code extendedDelegateConfig}
 * otherwise. A provider that already is an {@code ExtendedMetadataDelegate} is returned as-is,
 * with none of the overrides applied to it.
 *
 * Security-relevant settings resolved here: forced revocation check, signature requirement,
 * metadata trust check and the set of trusted keys. Note that the metadata filter is assigned
 * unconditionally: when {@code props.metadataFilter} is null the delegate's filter is set to
 * {@code null}, which discards anything {@code createDefaultExtendedMetadataDelegate} may have
 * installed. Both the filter and the finished delegate go through {@code postProcess}.
 *
 * {@code @SneakyThrows} lets any checked exception from the helpers escape undeclared.
 *
 * @param provider               underlying provider to wrap
 * @param extendedMetadata       extended metadata for the delegate
 * @param props                  per-delegate overrides; a null field means "use the config default"
 * @param extendedDelegateConfig defaults used for every unset override
 * @return the (post-processed) delegate
 */
@SneakyThrows
private ExtendedMetadataDelegate getExtendedProvider(MetadataProvider provider,
                                                     ExtendedMetadata extendedMetadata,
                                                     DelegateProps props,
                                                     ExtendedMetadataDelegateProperties extendedDelegateConfig) {
    if (provider instanceof ExtendedMetadataDelegate) {
        return (ExtendedMetadataDelegate) provider;
    }

    ExtendedMetadataDelegate delegate = createDefaultExtendedMetadataDelegate(provider, extendedMetadata);

    delegate.setForceMetadataRevocationCheck(props.forceMetadataRevocationCheck != null
            ? props.forceMetadataRevocationCheck
            : extendedDelegateConfig.isForceMetadataRevocationCheck());
    delegate.setMetadataRequireSignature(props.metadataRequireSignature != null
            ? props.metadataRequireSignature
            : extendedDelegateConfig.isMetadataRequireSignature());
    delegate.setMetadataTrustCheck(props.metadataTrustCheck != null
            ? props.metadataTrustCheck
            : extendedDelegateConfig.isMetadataTrustCheck());
    delegate.setMetadataTrustedKeys(props.metadataTrustedKeys != null
            ? props.metadataTrustedKeys
            : extendedDelegateConfig.getMetadataTrustedKeys());
    delegate.setRequireValidMetadata(props.requireValidMetadata != null
            ? props.requireValidMetadata
            : extendedDelegateConfig.isRequireValidMetadata());

    // Always assigned: a missing override clears the filter rather than leaving it alone.
    delegate.setMetadataFilter(props.metadataFilter != null ? postProcess(props.metadataFilter) : null);

    return postProcess(delegate);
}
String entityIDToBeAdded = ((ConfigMetadataProvider) added.getDelegate()).getEntityID(); if (!StringUtils.hasText(entityIDToBeAdded)) { throw new MetadataProviderException("Emtpy entityID for SAML provider with zoneId:" + providerDefinition.getZoneId() + " and origin:" + providerDefinition.getIdpEntityAlias()); ConfigMetadataProvider existingProvider = (ConfigMetadataProvider) getExtendedMetadataDelegate(existing).getDelegate(); if (entityIDToBeAdded.equals(existingProvider.getEntityID()) && !(existing.getUniqueAlias().equals(clone.getUniqueAlias()))) {
/**
 * With a single active SAML service provider stubbed for the default zone, the configurator
 * must report exactly that provider, and the metadata manager must expose it — alongside the
 * local IdP entry it also returns — and resolve its entity descriptor by entity ID.
 */
@Test
public void testGetAvailableProvidersForDefaultZone() throws Exception {
    IdentityZone zone = samlTestUtils.getUaaZoneWithSamlConfig();
    IdentityZoneHolder.set(zone);

    when(providerProvisioning.retrieveActive(zone.getId()))
            .thenReturn(Arrays.asList(mockSamlServiceProviderForZone(zone.getId())));

    assertEquals(1, configurator.getSamlServiceProvidersForZone(zone).size());
    // The manager also lists the local IdP as an entity, hence 2 rather than 1.
    assertEquals(2, this.metadataManager.getAvailableProviders().size());

    SamlServiceProvider configured =
            configurator.getSamlServiceProvidersForZone(zone).get(0).getSamlServiceProvider();
    ExtendedMetadataDelegate remoteDelegate = this.metadataManager.getAvailableProviders().get(1);
    remoteDelegate.initialize();

    EntityDescriptor resolved = remoteDelegate.getEntityDescriptor(configured.getEntityId());
    assertNotNull(resolved);
    assertEquals(configured.getEntityId(), resolved.getEntityID());
}
/**
 * Reports whether any entity in the delegate's metadata is considered local, as decided by the
 * two-argument {@code isLocal(delegate, entityID)} overload defined elsewhere.
 *
 * Side effect: {@code delegate.initialize()} is invoked on every call. The metadata root may
 * be a single {@code EntityDescriptor} or an {@code EntitiesDescriptor}; only the latter's
 * direct entity list is consulted (nested groups, if any, are not walked), and any other root
 * type yields {@code false}. A null root would throw {@code NullPointerException} at
 * {@code getClass()}. {@code @SneakyThrows} hides the checked exceptions of
 * {@code initialize()} / {@code getMetadata()}.
 *
 * @param delegate provider whose metadata is examined
 * @return {@code true} if at least one contained entity ID is local
 */
@SneakyThrows
private boolean isLocal(ExtendedMetadataDelegate delegate) {
    delegate.initialize();
    XMLObject root = delegate.getDelegate().getMetadata();
    Class<?> rootType = root.getClass();

    List<EntityDescriptor> entities;
    if (EntityDescriptor.class.isAssignableFrom(rootType)) {
        entities = Collections.singletonList((EntityDescriptor) root);
    } else if (EntitiesDescriptor.class.isAssignableFrom(rootType)) {
        entities = ((EntitiesDescriptor) root).getEntityDescriptors();
    } else {
        entities = Collections.emptyList();
    }

    for (EntityDescriptor entity : entities) {
        if (isLocal(delegate, entity.getEntityID())) {
            return true;
        }
    }
    return false;
}
if (provider.isTrustFiltersInitialized()) { boolean requireSignature = provider.isMetadataRequireSignature(); SignatureTrustEngine trustEngine = getTrustEngine(provider); SignatureValidationFilter filter = new SignatureValidationFilter(trustEngine); MetadataFilter currentFilter = provider.getMetadataFilter(); if (currentFilter != null) { if (currentFilter instanceof MetadataFilterChain) { provider.setMetadataFilter(filter); provider.setTrustFiltersInitialized(true);
/**
 * Initializes the delegate. Per the original comment this is also where signature
 * verification happens — presumably inside {@code provider.initialize()} via the filters
 * installed on it; nothing in this method verifies anything itself.
 *
 * @param provider delegate to initialize
 * @throws MetadataProviderException propagated from {@code provider.initialize()}
 */
@Override
protected void initializeProvider(ExtendedMetadataDelegate provider) throws MetadataProviderException {
    log.debug("Initializing extendedMetadataDelegate {}", provider);
    // Initialize provider and perform signature verification
    provider.initialize();
}
/**
 * Looks up the extended metadata for an entity.
 * <ol>
 * <li>Confirms the entity is known to the delegate via {@code getEntityDescriptor}, so that
 * extended metadata is never handed out for entities whose basic metadata is absent.</li>
 * <li>Returns the entry from {@code extendedMetadataMap} when the map exists and has one.</li>
 * <li>Falls back to {@code defaultMetadata} otherwise.</li>
 * </ol>
 *
 * @param entityID entity to load metadata for
 * @return the entity-specific extended metadata, else {@code defaultMetadata} (which may itself
 *         be null); {@code null} when the delegate has no descriptor for the entity
 * @throws MetadataProviderException propagated from {@code getEntityDescriptor}
 */
public ExtendedMetadata getExtendedMetadata(String entityID) throws MetadataProviderException {
    if (getEntityDescriptor(entityID) == null) {
        return null;
    }

    ExtendedMetadata specific = extendedMetadataMap == null ? null : extendedMetadataMap.get(entityID);
    return specific != null ? specific : defaultMetadata;
}
/**
 * Identity-provider metadata bean, loaded from {@code identityProviderMetadataUrl} through the
 * default resource loader (whether that is a classpath, file or remote resource depends on the
 * configured value).
 *
 * Both the metadata trust check and the signature requirement are enabled on the delegate,
 * i.e. this configuration asks for signed metadata that validates against the trusted keys;
 * the actual enforcement lives in the delegate and its filters, not here.
 *
 * @return the delegate-wrapped resource provider
 * @throws MetadataProviderException as declared
 * @throws XMLParserException        as declared; presumably from {@code parserPool()}
 */
@Bean
public MetadataProvider identityProvider() throws MetadataProviderException, XMLParserException {
    Resource metadataResource = defaultResourceLoader.getResource(identityProviderMetadataUrl);

    ResourceMetadataProvider resourceProvider = new ResourceMetadataProvider(metadataResource);
    resourceProvider.setParserPool(parserPool());

    ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(resourceProvider, extendedMetadata());
    delegate.setMetadataTrustCheck(true);
    delegate.setMetadataRequireSignature(true);
    return delegate;
}
/**
 * Builds the delegate for this deployment's own service-provider entity. The descriptor and
 * the extended metadata are produced by {@code generator}; the descriptor is held in an
 * in-memory provider that is initialized before being wrapped.
 *
 * No trust-check or signature flags are set (delegate defaults apply), consistent with the
 * metadata being generated locally. The "Initialized" log line precedes {@code initialize()}.
 *
 * @return delegate over the locally generated SP descriptor
 * @throws MetadataProviderException as declared; presumably from {@code initialize()}
 */
public ExtendedMetadataDelegate getLocalServiceProvider() throws MetadataProviderException {
    EntityDescriptor localEntity = generator.generateMetadata();
    ExtendedMetadata localExtended = generator.generateExtendedMetadata();
    log.info("Initialized local service provider for entityID: " + localEntity.getEntityID());

    MetadataMemoryProvider inMemory = new MetadataMemoryProvider(localEntity);
    inMemory.initialize();
    return new ExtendedMetadataDelegate(inMemory, localExtended);
}
switch (def.getIdpEntityAlias()) { case "okta-local": { ComparableProvider provider = (ComparableProvider) configurator.getExtendedMetadataDelegateFromCache(def).getDelegate(); assertEquals("http://www.okta.com/k2lvtem0VAJDMINKEYJW", provider.getEntityID()); break; ComparableProvider provider = (ComparableProvider) configurator.getExtendedMetadataDelegateFromCache(def).getDelegate(); assertEquals("http://www.okta.com/k2lvtem0VAJDMINKEYJX", provider.getEntityID()); break; ComparableProvider provider = (ComparableProvider) configurator.getExtendedMetadataDelegateFromCache(def).getDelegate(); assertEquals("http://www.okta.com/k2lw4l5bPODCMIIDBRYZ", provider.getEntityID()); break; ComparableProvider provider = (ComparableProvider) configurator.getExtendedMetadataDelegateFromCache(def).getDelegate(); assertEquals("http://simplesamlphp.somewhere.com/saml2/idp/metadata.php", provider.getEntityID()); break; ComparableProvider provider = (ComparableProvider) configurator.getExtendedMetadataDelegateFromCache(def).getDelegate(); assertEquals("http://www.okta.com/k2lvtem0VAJDMINKEYJW", provider.getEntityID()); break;
/**
 * Two providers are pushed into the configurator but provisioning only knows one of them.
 * Listing providers for the zone must drop the non-persisted one: the configurator reports a
 * single provider, the manager reports two (that provider plus the local IdP), and the
 * persisted provider's descriptor resolves by entity ID.
 */
@Test
public void testGetAvailableProvidersRemovesNonPersistedProvidersInConfigurator() throws Exception {
    IdentityZone zone = samlTestUtils.getUaaZoneWithSamlConfig();

    // One persisted provider, one that provisioning will never return.
    configurator.validateSamlServiceProvider(mockSamlServiceProviderForZone(zone.getId()));
    configurator.validateSamlServiceProvider(mockSamlServiceProvider("non-persisted-saml-sp"));
    when(providerProvisioning.retrieveActive(zone.getId()))
            .thenReturn(Arrays.asList(mockSamlServiceProviderForZone(zone.getId())));
    IdentityZoneHolder.set(zone);

    assertEquals(1, configurator.getSamlServiceProvidersForZone(zone).size());
    assertEquals(2, this.metadataManager.getAvailableProviders().size());

    SamlServiceProvider configured =
            configurator.getSamlServiceProvidersForZone(zone).get(0).getSamlServiceProvider();
    ExtendedMetadataDelegate remoteDelegate = this.metadataManager.getAvailableProviders().get(1);
    remoteDelegate.initialize();

    EntityDescriptor resolved = remoteDelegate.getEntityDescriptor(configured.getEntityId());
    assertNotNull(resolved);
    assertEquals(configured.getEntityId(), resolved.getEntityID());
}
/**
 * Initializes the delegate after logging it. Any signature or trust checks happen inside
 * {@code provider.initialize()} (presumably via the filters installed on the delegate);
 * this method performs none itself.
 *
 * @param provider delegate to initialize
 * @throws MetadataProviderException propagated from {@code provider.initialize()}
 */
@Override
protected void initializeProvider(ExtendedMetadataDelegate provider) throws MetadataProviderException {
    log.debug("Initializing extendedMetadataDelegate {}", provider);
    provider.initialize();
}
/**
 * Metadata delegate for the SSOCircle IdP, fetched by an {@link HTTPMetadataProvider} from a
 * hard-coded HTTPS URL and refreshed on {@code backgroundTaskTimer}.
 *
 * Security note: the trust check is enabled but a metadata signature is NOT required, so
 * unsigned metadata from this URL is presumably accepted as-is. The integrity of the IdP
 * keys this delegate learns therefore rests on the TLS connection to idp.ssocircle.com —
 * confirm that {@code httpClient()} validates the server certificate and hostname.
 *
 * {@code backgroundTaskTimer.purge()} only removes already-cancelled tasks from the timer
 * queue; why it is called here is not evident from this method.
 *
 * @return the delegate wrapping the HTTP metadata provider (not yet initialized)
 * @throws MetadataProviderException as declared
 */
@Bean
@Qualifier("idp-ssocircle")
public ExtendedMetadataDelegate ssoCircleExtendedMetadataProvider() throws MetadataProviderException {
    String metadataUrl = "https://idp.ssocircle.com/idp-meta.xml";

    HTTPMetadataProvider remoteProvider =
            new HTTPMetadataProvider(this.backgroundTaskTimer, httpClient(), metadataUrl);
    remoteProvider.setParserPool(parserPool());

    ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(remoteProvider, extendedMetadata());
    delegate.setMetadataTrustCheck(true);
    // Unsigned metadata is tolerated; see the security note above.
    delegate.setMetadataRequireSignature(false);

    backgroundTaskTimer.purge();
    return delegate;
}
/**
 * Builds the metadata delegate for a SAML service provider whose metadata is read from the
 * provider config's metadata location via {@link ConfigMetadataProvider}. The SP entity ID
 * doubles as the provider key and as the extended-metadata alias.
 *
 * Security note: only the metadata trust check is taken from the provider config. The
 * delegate's signature-requirement flag is not set here, so acceptance of unsigned metadata
 * is governed by the delegate's default or by a later caller.
 *
 * @param provider service provider supplying zone id, entity id, metadata location and the
 *                 trust-check flag
 * @return a non-local delegate aliased by the SP entity id
 */
protected ExtendedMetadataDelegate configureXMLMetadata(SamlServiceProvider provider) {
    String entityId = provider.getEntityId();

    ConfigMetadataProvider xmlProvider = new ConfigMetadataProvider(
            provider.getIdentityZoneId(), entityId, provider.getConfig().getMetaDataLocation());
    xmlProvider.setParserPool(getParserPool());

    ExtendedMetadata extended = new ExtendedMetadata();
    extended.setLocal(false);
    extended.setAlias(entityId);

    ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(xmlProvider, extended);
    delegate.setMetadataTrustCheck(provider.getConfig().isMetadataTrustCheck());
    return delegate;
}