/**
 * Resolve the SAML entity ID carried by a SAML 2 {@code Issuer}.
 *
 * <p>The issuer value is accepted as an entity ID only when the NameID format is absent
 * or is the entity format; any other format is logged and rejected.
 *
 * @param issuer the issuer element to inspect
 *
 * @return the issuer value as the entity ID, or null if the format is unsupported
 */
@Nullable protected String processSaml2Issuer(@Nonnull final Issuer issuer) {
    final String format = issuer.getFormat();
    final boolean entityFormat = format == null || format.equals(NameIDType.ENTITY);
    if (!entityFormat) {
        log.warn("Couldn't dynamically resolve SAML 2 peer entity ID due to unsupported NameID format: {}",
                format);
        return null;
    }
    return issuer.getValue();
}
/** {@inheritDoc} */
@Override @Nullable public String apply(@Nullable final ProfileRequestContext profileRequestContext) {
    // Locate the inbound request; nothing can be resolved without it or its Issuer.
    final RequestAbstractType request = requestLookupStrategy.apply(profileRequestContext);
    if (request == null) {
        return null;
    }
    final Issuer issuer = request.getIssuer();
    if (issuer == null) {
        return null;
    }
    final String format = issuer.getFormat();
    // Only an absent format or the entity format identifies an entity ID.
    final boolean entityFormat = format == null || NameID.ENTITY.equals(format);
    return entityFormat ? issuer.getValue() : null;
}
/**
 * Validate the issuer format and value against the peer entity recorded in the context.
 *
 * @param issuer the issuer to check
 * @param context the message context holding the expected peer entity ID
 * @throws SAMLIssuerException if the format is present but not the entity format, or the
 *         issuer value differs from the peer entity ID
 */
protected final void validateIssuer(final Issuer issuer, final SAML2MessageContext context) {
    final String format = issuer.getFormat();
    final boolean entityFormat = format == null || format.equals(NameIDType.ENTITY);
    if (!entityFormat) {
        throw new SAMLIssuerException("Issuer type is not entity but " + format);
    }
    final String expectedEntityId = context.getSAMLPeerEntityContext().getEntityId();
    final String actualValue = issuer.getValue();
    // Comparing from the expected side guards a null issuer value; a null expected ID never matches.
    final boolean matches = expectedEntityId != null && expectedEntityId.equals(actualValue);
    if (!matches) {
        throw new SAMLIssuerException("Issuer " + actualValue + " does not match idp entityId " + expectedEntityId);
    }
}
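/**
 * Validate the Issuer (if it exists).
 *
 * <p>When {@code enforceKnownIssuer} is set, the Issuer value must be non-empty and match
 * the configured issuer IDP. Independently, the Issuer format, if present, must be the
 * entity NameID format.
 *
 * @param issuer the Issuer element, or null when none is present
 * @throws WSSecurityException if the issuer value or format is not acceptable
 */
private void validateIssuer(org.opensaml.saml.saml2.core.Issuer issuer) throws WSSecurityException {
    if (issuer == null) {
        return;
    }
    // Issuer value must match (be contained in) Issuer IDP.
    // An empty value is rejected explicitly: issuerIDP.startsWith("") is always true, so an
    // empty Issuer would otherwise pass the known-issuer check against any configured IDP.
    // NOTE(review): prefix matching also accepts any leading substring of issuerIDP; an exact
    // comparison is the stricter check if the deployment's configuration allows it.
    if (enforceKnownIssuer) {
        final String value = issuer.getValue();
        if (value == null || value.isEmpty() || !issuerIDP.startsWith(value)) {
            LOG.fine("Issuer value: " + value + " does not match issuer IDP: " + issuerIDP);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
    }
    // Format must be nameid-format-entity
    final String format = issuer.getFormat();
    if (format != null && !SAML2Constants.NAMEID_FORMAT_ENTITY.equals(format)) {
        LOG.fine("Issuer format is not null and does not equal: " + SAML2Constants.NAMEID_FORMAT_ENTITY);
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
}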
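/**
 * Validate the issuer of the request message.
 *
 * <p>The Issuer element must be present with a non-null value, its NameID format must equal
 * the configured issuer format, and a service provider configuration must exist for the
 * value. On success the matching configuration is stored in {@code ssoIdpConfig}.
 *
 * @param request any type of request message
 * @return true if the issuer is valid, false otherwise
 * @throws IdentitySAML2QueryException if the Issuer element or its value is missing
 */
protected boolean validateIssuer(RequestAbstractType request) throws IdentitySAML2QueryException {
    // get the fully qualified issuer
    Issuer issuer = request.getIssuer();
    if (issuer == null) {
        // Without this guard a request lacking an Issuer fails with a NullPointerException below.
        throw new IdentitySAML2QueryException("Issuer element is missing. Unable to validate issuer");
    }
    if (issuer.getValue() == null) {
        throw new IdentitySAML2QueryException("Issuer value is empty. Unable to validate issuer");
    }
    String format = issuer.getFormat();
    if (format == null || !format.equals(SAMLQueryRequestConstants.GenericConstants.ISSUER_FORMAT)) {
        log.error("NameID format is invalid in request ID:" + request.getID() + " and issuer: " + issuer.getValue());
        return false;
    }
    ssoIdpConfig = SAMLQueryRequestUtil.getServiceProviderConfig(issuer.getValue());
    if (ssoIdpConfig == null) {
        log.error(SAMLQueryRequestConstants.ServiceMessages.NULL_ISSUER);
        return false;
    }
    log.debug(SAMLQueryRequestConstants.ServiceMessages.SUCCESS_ISSUER + ssoIdpConfig.getIssuer());
    return true;
}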
/**
 * Reject requests whose Issuer is missing or uses a non-entity NameID format, and
 * AuthnRequests that carry SubjectConfirmation elements.
 *
 * @param parsedRequest the inbound AuthnRequest or LogoutRequest
 * @throws ProcessingException with {@code TYPE.BAD_REQUEST} when any check fails
 */
private void validateRequest(RequestAbstractType parsedRequest) throws ProcessingException {
    if (parsedRequest.getIssuer() == null) {
        LOG.debug("No Issuer is present in the AuthnRequest/LogoutRequest");
        throw new ProcessingException(TYPE.BAD_REQUEST);
    }
    final String format = parsedRequest.getIssuer().getFormat();
    final boolean entityFormat = format == null
        || "urn:oasis:names:tc:SAML:2.0:nameid-format:entity".equals(format);
    if (!entityFormat) {
        LOG.debug("An invalid Format attribute was received: {}", format);
        throw new ProcessingException(TYPE.BAD_REQUEST);
    }
    if (!(parsedRequest instanceof AuthnRequest)) {
        return;
    }
    // No SubjectConfirmation Elements are allowed on an AuthnRequest
    if (hasSubjectConfirmations((AuthnRequest) parsedRequest)) {
        LOG.debug("An invalid SubjectConfirmation Element was received");
        throw new ProcessingException(TYPE.BAD_REQUEST);
    }
}

/** Whether the request's Subject carries at least one SubjectConfirmation element. */
private static boolean hasSubjectConfirmations(AuthnRequest authnRequest) {
    if (authnRequest.getSubject() == null) {
        return false;
    }
    return authnRequest.getSubject().getSubjectConfirmations() != null
        && !authnRequest.getSubject().getSubjectConfirmations().isEmpty();
}
/**
 * Convert an OpenSAML SAML 2 Issuer into this library's {@code Issuer} model.
 *
 * @param issuer the OpenSAML issuer, may be null
 * @return the converted issuer, or null when the input is null
 */
protected Issuer getIssuer(org.opensaml.saml.saml2.core.Issuer issuer) {
    if (issuer == null) {
        return null;
    }
    // Format is mapped through NameId.fromUrn; its handling of a null format is defined there.
    final Issuer converted = new Issuer()
        .setValue(issuer.getValue())
        .setFormat(NameId.fromUrn(issuer.getFormat()))
        .setSpNameQualifier(issuer.getSPNameQualifier())
        .setNameQualifier(issuer.getNameQualifier());
    return converted;
}