public String apply(final org.opensaml.saml.saml2.core.Assertion input) { return input.getID(); } });
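/**
 * Signs an assertion with the supplied credential and algorithms.
 *
 * <p>The work is delegated to {@code doSetSignature}; any {@code IdentityException} it raises is
 * logged and re-thrown as an {@link IdentitySAML2QueryException} with the cause preserved.</p>
 *
 * @param assertion          the assertion to sign
 * @param signatureAlgorithm signature algorithm identifier
 * @param digestAlgorithm    cryptographic hash (digest) algorithm identifier
 * @param cred               X509 credential whose key material produces the signature
 * @throws IdentitySAML2QueryException if the signature cannot be written to the assertion
 */
public static void setSignature(Assertion assertion, String signatureAlgorithm, String digestAlgorithm,
                                X509Credential cred) throws IdentitySAML2QueryException {
    try {
        doSetSignature(assertion, signatureAlgorithm, digestAlgorithm, cred);
    } catch (IdentityException e) {
        // Fix: the original appended the ID directly to "...assertion id" with no separator,
        // producing messages like "assertion id_abc123". One message is built and used for both
        // the log entry and the wrapped exception so the two can never drift apart.
        String message = "Unable to set signature to the assertion id: " + assertion.getID();
        log.error(message, e);
        throw new IdentitySAML2QueryException(message, e);
    }
}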
/**
 * Checks that the assertion declares SAML version 2.0.
 *
 * <p>Anything other than {@link SAMLVersion#VERSION_20} (including a missing version) is reported
 * as {@link ValidationResult#INVALID} with an explanatory message placed on the context.</p>
 *
 * @param assertion the assertion under validation
 * @param context   validation context that receives the failure message on mismatch
 * @return {@link ValidationResult#VALID} for a 2.0 assertion, {@link ValidationResult#INVALID} otherwise
 * @throws AssertionValidationException declared for overriding implementations; not raised here
 */
@Nonnull
protected ValidationResult validateVersion(@Nonnull final Assertion assertion,
        @Nonnull final ValidationContext context) throws AssertionValidationException {
    // SAMLVersion.VERSION_20 is a shared constant, so identity comparison is the intended check.
    final boolean isSaml2 = SAMLVersion.VERSION_20 == assertion.getVersion();
    if (isSaml2) {
        return ValidationResult.VALID;
    }
    final String failure = String.format(
            "Assertion '%s' is not a SAML 2.0 version Assertion", assertion.getID());
    context.setValidationFailureMessage(failure);
    return ValidationResult.INVALID;
}
/**
 * {@inheritDoc}
 *
 * <p>Walks the {@code assertions} collected earlier and attaches a DelegationRestrictionType
 * condition to each one. A Conditions element is created on demand by
 * {@link SAML2ActionSupport#addConditionsToAssertion} when the assertion has none yet.</p>
 */
@Override
protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
    for (final Assertion current : assertions) {
        addDelegationRestriction(profileRequestContext,
                SAML2ActionSupport.addConditionsToAssertion(this, current));
        log.debug("{} Added DelegationRestrictionType Condition to Assertion {}",
                getLogPrefix(), current.getID());
    }
}
/**
 * {@inheritDoc}
 *
 * <p>Locates the assertion via {@code assertionLookupStrategy}, builds an AuthnStatement from the
 * current authentication (and any RequestedPrincipalContext subcontext) and appends it. When no
 * assertion can be found the action signals {@link EventIds#INVALID_MSG_CTX} and does nothing else.</p>
 */
@Override
protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final AuthenticationContext authenticationContext) {
    final Assertion target = assertionLookupStrategy.apply(profileRequestContext);
    if (target == null) {
        log.error("Unable to obtain Assertion to modify");
        ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_MSG_CTX);
        return;
    }
    // The subcontext may be absent; buildAuthnStatement is handed whatever getSubcontext returns.
    final RequestedPrincipalContext requestedPrincipals =
            authenticationContext.getSubcontext(RequestedPrincipalContext.class);
    target.getAuthnStatements().add(buildAuthnStatement(profileRequestContext, requestedPrincipals));
    log.debug("{} Added AuthenticationStatement to Assertion {}", getLogPrefix(), target.getID());
}
/**
 * {@inheritDoc}
 *
 * <p>Adds a ProxyRestriction condition to every assertion in {@code response}, creating the
 * Conditions element first when an assertion lacks one.</p>
 */
@Override
protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
    for (final Assertion current : response.getAssertions()) {
        addProxyRestriction(profileRequestContext,
                SAML2ActionSupport.addConditionsToAssertion(this, current));
        log.debug("{} Added ProxyRestriction to Assertion {}", getLogPrefix(), current.getID());
    }
}
/**
 * {@inheritDoc}
 *
 * <p>Appends a freshly built AuthnStatement to the assertion found by
 * {@code assertionLookupStrategy}. Two failure modes are distinguished by event: no assertion
 * to modify ({@link EventIds#INVALID_MSG_CTX}) and no statement available
 * ({@link EventIds#MESSAGE_PROC_ERROR}).</p>
 */
@Override
protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
    final Assertion target = assertionLookupStrategy.apply(profileRequestContext);
    if (target == null) {
        log.error("Unable to obtain Assertion to modify");
        ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_MSG_CTX);
        return;
    }
    final AuthnStatement fresh = getNewAuthnStatement();
    if (fresh == null) {
        log.error("Unable to obtain AuthnStatement to add");
        ActionSupport.buildEvent(profileRequestContext, EventIds.MESSAGE_PROC_ERROR);
        return;
    }
    target.getAuthnStatements().add(fresh);
    log.debug("{} Added AuthenticationStatement to Assertion {}", getLogPrefix(), target.getID());
}
//CheckStyle: ReturnCount OFF
/**
 * Builds a new {@link Assertion} and appends it to {@code response}.
 *
 * <p>The assertion is produced by {@code buildAssertion} with the given ID generator and issuer,
 * then its IssueInstant is copied from the response so both carry the same timestamp.</p>
 *
 * @param action      the action performing the work (used only for log attribution)
 * @param response    response that receives the new assertion
 * @param idGenerator source of the assertion's ID
 * @param issuer      issuer value for the assertion, may be null
 * @return the assertion that was appended to {@code response}
 */
@Nonnull
public static Assertion addAssertionToResponse(@Nonnull final AbstractProfileAction action,
        @Nonnull final Response response, @Nonnull final IdentifierGenerationStrategy idGenerator,
        @Nullable final String issuer) {
    final Assertion created = buildAssertion(action, idGenerator, issuer);
    // Keep the assertion's issue time aligned with the enclosing response.
    created.setIssueInstant(response.getIssueInstant());
    getLogger().debug("Profile Action {}: Added Assertion {} to Response {}",
            action.getClass().getSimpleName(), created.getID(), response.getID());
    response.getAssertions().add(created);
    return created;
}
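/**
 * Validates the <code>NotBefore</code> attribute of the {@link SubjectConfirmationData}, if any is present.
 *
 * <p>"Now" is shifted forward by the configured clock skew before the comparison, so a NotBefore
 * that lies slightly in the future (issuer clock ahead of ours) is still accepted. Only a NotBefore
 * beyond the skew window fails the check. A missing NotBefore imposes no constraint.</p>
 *
 * @param confirmation confirmation method, with {@link SubjectConfirmationData}, being validated
 * @param assertion    assertion bearing the confirmation method
 * @param context      current validation context (source of the clock-skew setting)
 * @return {@link ValidationResult#INVALID} when NotBefore is later than skewed "now",
 *         {@link ValidationResult#VALID} otherwise
 * @throws AssertionValidationException thrown if there is a problem determining the validity of the NotBefore
 */
@Nonnull
protected ValidationResult validateNotBefore(@Nonnull final SubjectConfirmation confirmation,
        @Nonnull final Assertion assertion, @Nonnull final ValidationContext context)
        throws AssertionValidationException {
    final SubjectConfirmationData confirmationData = confirmation.getSubjectConfirmationData();
    if (confirmationData == null) {
        // Fix: the original dereferenced getSubjectConfirmationData() unconditionally and would
        // throw NullPointerException here. The documented contract is "if any is present", so an
        // absent element simply has no NotBefore to enforce. (Whether confirmation data is
        // required at all is a separate check, not this method's concern.)
        return ValidationResult.VALID;
    }
    final DateTime skewedNow = new DateTime(ISOChronology.getInstanceUTC())
            .plus(SAML20AssertionValidator.getClockSkew(context));
    final DateTime notBefore = confirmationData.getNotBefore();
    log.debug("Evaluating SubjectConfirmationData NotBefore '{}' against 'skewed now' time '{}'",
            notBefore, skewedNow);
    if (notBefore != null && notBefore.isAfter(skewedNow)) {
        context.setValidationFailureMessage(String.format(
                "Subject confirmation, in assertion '%s', with NotBefore condition of '%s' is not yet valid",
                assertion.getID(), notBefore));
        return ValidationResult.INVALID;
    }
    return ValidationResult.VALID;
}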
/**
 * {@inheritDoc}
 *
 * <p>Replay detection for the OneTimeUse condition. A condition that is neither a
 * {@link OneTimeUse} instance nor carries the serviced QName is outside this validator's remit
 * and yields {@link ValidationResult#INDETERMINATE}. Otherwise the assertion's cache key
 * (from {@code getCacheValue}) is checked against the replay cache with an expiry from
 * {@code getExpires}; a key already present means the assertion was used before and the
 * result is {@link ValidationResult#INVALID}.</p>
 *
 * <p>NOTE(review): the lookup and the recording of the key both happen inside
 * {@code replayCache.check}; this only closes the check-then-act window if that call is
 * atomic in the cache implementation — confirm for the configured ReplayCache.</p>
 */
@Nonnull
public ValidationResult validate(@Nonnull final Condition condition, @Nonnull final Assertion assertion,
        @Nonnull final ValidationContext context) throws AssertionValidationException {
    final boolean isOneTimeUse = condition instanceof OneTimeUse
            || Objects.equals(condition.getElementQName(), getServicedCondition());
    if (!isOneTimeUse) {
        log.warn("Condition '{}' of type '{}' in assertion '{}' was not an '{}' condition. Unable to process.",
                condition.getElementQName(), condition.getSchemaType(), assertion.getID(),
                getServicedCondition());
        return ValidationResult.INDETERMINATE;
    }
    // check() returning false means the key was already in the cache: a replay.
    final boolean firstUse = replayCache.check(CACHE_CONTEXT, getCacheValue(assertion),
            getExpires(assertion, context));
    if (firstUse) {
        return ValidationResult.VALID;
    }
    context.setValidationFailureMessage(String.format(
            "Assertion '%s' has a one time use condition and has been used before", assertion.getID()));
    return ValidationResult.INVALID;
}
/**
 * {@inheritDoc}
 *
 * <p>Writes the Version, IssueInstant and ID attributes of an {@link Assertion} onto its DOM
 * element. Each attribute is emitted only when the corresponding property is non-null.
 * The ID attribute is additionally registered as a DOM ID (via {@code setIdAttributeNS}) so
 * that {@code getElementById} — and therefore same-document "#id" references — resolve to
 * this element.</p>
 */
protected void marshallAttributes(XMLObject samlObject, Element domElement) throws MarshallingException {
    final Assertion assertion = (Assertion) samlObject;

    if (assertion.getVersion() != null) {
        domElement.setAttributeNS(null, Assertion.VERSION_ATTRIB_NAME, assertion.getVersion().toString());
    }

    if (assertion.getIssueInstant() != null) {
        // Formatting goes through the shared SAML date formatter so the representation matches
        // the rest of the library's output.
        final String issueInstantText =
                SAMLConfigurationSupport.getSAMLDateFormatter().print(assertion.getIssueInstant());
        domElement.setAttributeNS(null, Assertion.ISSUE_INSTANT_ATTRIB_NAME, issueInstantText);
    }

    final String id = assertion.getID();
    if (id != null) {
        domElement.setAttributeNS(null, Assertion.ID_ATTRIB_NAME, id);
        domElement.setIdAttributeNS(null, Assertion.ID_ATTRIB_NAME, true);
    }
}
}
/**
 * Returns the {@link Conditions} of an {@link Assertion}, creating and attaching an empty one
 * when the assertion has none.
 *
 * <p>An existing Conditions element is never replaced or altered; in that case the method
 * only logs and hands it back.</p>
 *
 * @param action    current action (used for log attribution only)
 * @param assertion assertion whose Conditions are wanted
 * @return the Conditions already on the assertion, or the newly created one now attached to it
 */
@Nonnull
public static Conditions addConditionsToAssertion(@Nonnull final AbstractProfileAction action,
        @Nonnull final Assertion assertion) {
    final String actionName = action.getClass().getSimpleName();
    final Conditions existing = assertion.getConditions();
    if (existing != null) {
        getLogger().debug("Profile Action {}: Assertion {} already contained Conditions, nothing was done",
                actionName, assertion.getID());
        return existing;
    }

    final SAMLObjectBuilder<Conditions> builder = (SAMLObjectBuilder<Conditions>)
            XMLObjectProviderRegistrySupport.getBuilderFactory().<Conditions>getBuilderOrThrow(
                    Conditions.DEFAULT_ELEMENT_NAME);
    final Conditions created = builder.buildObject();
    assertion.setConditions(created);
    getLogger().debug("Profile Action {}: Assertion {} did not already contain Conditions, one was added",
            actionName, assertion.getID());
    return created;
}
/**
 * {@inheritDoc}
 *
 * <p>Ensures every assertion in {@code response} carries exactly one OneTimeUse condition:
 * the Conditions element is created if needed, and a OneTimeUse is appended only when the
 * assertion does not already have one.</p>
 */
@Override
protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
    final SAMLObjectBuilder<OneTimeUse> oneTimeUseBuilder = (SAMLObjectBuilder<OneTimeUse>)
            XMLObjectProviderRegistrySupport.getBuilderFactory().<OneTimeUse>getBuilderOrThrow(
                    OneTimeUse.DEFAULT_ELEMENT_NAME);

    for (final Assertion current : response.getAssertions()) {
        final Conditions conditions = SAML2ActionSupport.addConditionsToAssertion(this, current);
        final boolean alreadyPresent = conditions.getOneTimeUse() != null;
        if (alreadyPresent) {
            log.debug("{} Assertion {} already contained OneTimeUse condition, another was not added",
                    getLogPrefix(), current.getID());
            continue;
        }
        conditions.getConditions().add(oneTimeUseBuilder.buildObject());
        log.debug("{} Added OneTimeUse condition to Assertion {}", getLogPrefix(), current.getID());
    }
}
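/**
 * {@inheritDoc}
 *
 * <p>Encodes the IdP attributes from the attribute context into an AttributeStatement and
 * appends it to the assertion found by {@code assertionLookupStrategy}. When
 * {@code buildAttributeStatement} yields no statement there is nothing to add and the action
 * returns quietly; when no assertion can be located it signals
 * {@link EventIds#INVALID_MSG_CTX}. An {@link AttributeEncodingException} is reported as
 * {@link IdPEventIds#UNABLE_ENCODE_ATTRIBUTE}.</p>
 */
@Override
protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
    try {
        final AttributeStatement statement = buildAttributeStatement(profileRequestContext,
                getAttributeContext().getIdPAttributes().values());
        if (statement == null) {
            log.debug("{} No AttributeStatement was built, nothing to do", getLogPrefix());
            return;
        }

        // The assertion is only looked up once there is something to add to it.
        final Assertion assertion = assertionLookupStrategy.apply(profileRequestContext);
        if (assertion == null) {
            log.error("Unable to obtain Assertion to modify");
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_MSG_CTX);
            return;
        }

        assertion.getAttributeStatements().add(statement);
        log.debug("{} Adding constructed AttributeStatement to Assertion {} ", getLogPrefix(), assertion.getID());
    } catch (final AttributeEncodingException e) {
        // Fix: the original raised the event but discarded the exception entirely, so the
        // reason an attribute failed to encode was lost. Log it with the stack trace before
        // signalling the event.
        log.error("{} Unable to encode attribute", getLogPrefix(), e);
        ActionSupport.buildEvent(profileRequestContext, IdPEventIds.UNABLE_ENCODE_ATTRIBUTE);
    }
}
//CheckStyle: ReturnCount ON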
/**
 * Builds the key under which an assertion is recorded for one-time-use (replay) detection.
 *
 * <p>The key is {@code "<issuer>--<id>"}, using the trimmed Issuer value and assertion ID.
 * A missing or blank issuer becomes {@code "NoIssuer"} and a missing or blank ID becomes
 * {@code "NoID"}.</p>
 *
 * <p>Because of those placeholders, all ID-less assertions from one issuer share a key, and an
 * issuer value that itself contains {@code "--"} could make two distinct (issuer, id) pairs
 * collide. Either case can only cause a spurious "already used" rejection (fail-closed); a
 * genuine replay always reproduces the same key and is still caught.</p>
 *
 * @param assertion the SAML 2 Assertion to evaluate
 * @return the cache key
 * @throws AssertionValidationException declared for subclasses; not raised by this implementation
 */
@Nonnull
protected String getCacheValue(@Nonnull final Assertion assertion) throws AssertionValidationException {
    String issuerPart = "NoIssuer";
    if (assertion.getIssuer() != null && assertion.getIssuer().getValue() != null) {
        final String trimmedIssuer = StringSupport.trimOrNull(assertion.getIssuer().getValue());
        if (trimmedIssuer != null) {
            issuerPart = trimmedIssuer;
        }
    }

    final String trimmedId = StringSupport.trimOrNull(assertion.getID());
    final String idPart = trimmedId != null ? trimmedId : "NoID";

    final String value = String.format("%s--%s", issuerPart, idPart);
    log.debug("Generated one-time use cache value of: {}", value);
    return value;
}
/**
 * {@inheritDoc}
 *
 * <p>Adds an AudienceRestriction to every assertion in {@code response}, dispatching on the
 * concrete response type: SAML 1 responses go through {@link SAML1ActionSupport}, SAML 2
 * responses through {@link SAML2ActionSupport}. Any other response type is left untouched.</p>
 */
@Override
protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
    if (response instanceof org.opensaml.saml.saml1.core.Response) {
        final org.opensaml.saml.saml1.core.Response saml1Response =
                (org.opensaml.saml.saml1.core.Response) response;
        for (final org.opensaml.saml.saml1.core.Assertion current : saml1Response.getAssertions()) {
            addAudienceRestriction(profileRequestContext,
                    SAML1ActionSupport.addConditionsToAssertion(this, current));
            log.debug("{} Added AudienceRestrictionCondition to Assertion {}", getLogPrefix(), current.getID());
        }
        return;
    }

    if (response instanceof org.opensaml.saml.saml2.core.Response) {
        final org.opensaml.saml.saml2.core.Response saml2Response =
                (org.opensaml.saml.saml2.core.Response) response;
        for (final org.opensaml.saml.saml2.core.Assertion current : saml2Response.getAssertions()) {
            addAudienceRestriction(profileRequestContext,
                    SAML2ActionSupport.addConditionsToAssertion(this, current));
            log.debug("{} Added AudienceRestrictionCondition to Assertion {}", getLogPrefix(), current.getID());
        }
    }
}
/**
 * {@inheritDoc}
 *
 * <p>Sets the Conditions NotBefore of every assertion in {@code response} to the response's
 * own IssueInstant, for both SAML 1 and SAML 2 responses (Conditions are created on demand).
 * A response of any other type is ignored. The debug line is written just before the value is
 * set, as in the original.</p>
 */
@Override
protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
    if (response instanceof org.opensaml.saml.saml1.core.Response) {
        final org.opensaml.saml.saml1.core.Response saml1Response =
                (org.opensaml.saml.saml1.core.Response) response;
        for (final org.opensaml.saml.saml1.core.Assertion current : saml1Response.getAssertions()) {
            log.debug("{} Added NotBefore condition to Assertion {}", getLogPrefix(), current.getID());
            SAML1ActionSupport.addConditionsToAssertion(this, current)
                    .setNotBefore(saml1Response.getIssueInstant());
        }
        return;
    }

    if (response instanceof org.opensaml.saml.saml2.core.Response) {
        final org.opensaml.saml.saml2.core.Response saml2Response =
                (org.opensaml.saml.saml2.core.Response) response;
        for (final org.opensaml.saml.saml2.core.Assertion current : saml2Response.getAssertions()) {
            log.debug("{} Added NotBefore condition to Assertion {}", getLogPrefix(), current.getID());
            SAML2ActionSupport.addConditionsToAssertion(this, current)
                    .setNotBefore(saml2Response.getIssueInstant());
        }
    }
}
/**
 * Replaces the wrapped assertion's ID with a freshly generated one and returns the previous ID.
 *
 * <p>The SAML 1 assertion is used when present; otherwise the SAML 2 assertion is assumed to
 * be present (a wrapper holding neither would fail with a NullPointerException, as before).</p>
 *
 * <p>NOTE(review): the ID is what an enveloped XML signature references, so an existing
 * signature over this assertion no longer matches after this call; presumably callers re-sign
 * afterwards — confirm at the call sites.</p>
 *
 * @param assertion wrapper around a SAML 1 or SAML 2 assertion
 * @return the ID the assertion carried before it was replaced
 */
private String createNewId(SamlAssertionWrapper assertion) {
    final org.opensaml.saml.saml1.core.Assertion saml1 = assertion.getSaml1();
    if (saml1 != null) {
        final String previousId = saml1.getID();
        saml1.setID(IDGenerator.generateID("_"));
        return previousId;
    }

    final org.opensaml.saml.saml2.core.Assertion saml2 = assertion.getSaml2();
    final String previousId = saml2.getID();
    saml2.setID(IDGenerator.generateID("_"));
    return previousId;
}
/**
 * Swaps in a newly generated ID on the wrapped assertion and hands back the old one.
 *
 * <p>Prefers the SAML 1 assertion when the wrapper has one, else falls through to the SAML 2
 * assertion (which must then be non-null, otherwise a NullPointerException results, as in the
 * original).</p>
 *
 * <p>NOTE(review): changing the ID invalidates any enveloped signature that references it;
 * presumably the caller signs the assertion again afterwards — verify.</p>
 *
 * @param assertion wrapper around a SAML 1 or SAML 2 assertion
 * @return the assertion's ID prior to the replacement
 */
private String createNewId(SamlAssertionWrapper assertion) {
    final String previousId;
    final org.opensaml.saml.saml1.core.Assertion saml1 = assertion.getSaml1();
    if (saml1 != null) {
        previousId = saml1.getID();
        saml1.setID(IDGenerator.generateID("_"));
    } else {
        final org.opensaml.saml.saml2.core.Assertion saml2 = assertion.getSaml2();
        previousId = saml2.getID();
        saml2.setID(IDGenerator.generateID("_"));
    }
    return previousId;
}
/**
 * Maps a parsed OpenSAML {@code Assertion} onto this library's {@code Assertion} model.
 *
 * <p>The signature is validated first ({@code validateSignature} with {@code verificationKeys});
 * every field copied afterwards is taken from the already-verified object. The subject and
 * attributes are resolved with {@code localKeys}, presumably for decrypting encrypted
 * content — confirm against getSubject/getAttributes.</p>
 *
 * <p>NOTE(review): this method relies on {@code validateSignature} rejecting a bad or missing
 * signature by throwing. If that helper can instead return null, the mapped assertion is still
 * returned (with a null signature) and callers must check it — verify which it is.</p>
 *
 * <p>{@code parsed.getVersion()} is dereferenced without a null check; an assertion with no
 * Version attribute would raise a NullPointerException here.</p>
 *
 * @param parsed           the OpenSAML assertion to convert
 * @param verificationKeys keys used to verify the assertion's XML signature
 * @param localKeys        local keys handed to subject and attribute resolution
 * @return the converted assertion carrying the validated signature
 */
protected Assertion resolveAssertion(
    org.opensaml.saml.saml2.core.Assertion parsed,
    List<SimpleKey> verificationKeys,
    List<SimpleKey> localKeys
) {
    // Verify before copying anything out of the parsed object.
    Signature signature = validateSignature(parsed, verificationKeys);
    return new Assertion()
        .setSignature(signature)
        .setId(parsed.getID())
        .setIssueInstant(parsed.getIssueInstant())
        .setVersion(parsed.getVersion().toString())
        .setIssuer(getIssuer(parsed.getIssuer()))
        .setSubject(getSubject(parsed.getSubject(), localKeys))
        .setConditions(getConditions(parsed.getConditions()))
        .setAuthenticationStatements(getAuthenticationStatements(parsed.getAuthnStatements()))
        .setAttributes(getAttributes(parsed.getAttributeStatements(), localKeys))
        ;
}