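/**
 * {@inheritDoc}
 *
 * Decodes a bare SAML 2 {@code Assertion} posted via HTTP POST, records the {@code RelayState}
 * parameter, wraps the assertion in a synthesized {@code Response} and stores that response as the
 * context's inbound message.
 *
 * Defensive checks added: the HTTP method comparison is null-safe, the unmarshalled root element is
 * verified to be an {@code Assertion} before the cast (the POST body is untrusted input), and the
 * assertion must carry an Issuer because its value seeds the synthesized response.
 *
 * @param messageContext must be a {@code SAMLMessageContext} whose inbound transport is an
 *                       {@code HTTPInTransport}
 * @throws MessageDecodingException on a wrong context/transport type, a non-POST request, a body that
 *                                  is not a SAML 2 Assertion, or an assertion without an Issuer
 */
protected void doDecode(MessageContext messageContext) throws MessageDecodingException {
    if (!(messageContext instanceof SAMLMessageContext)) {
        log.error("Invalid message context type, this decoder only support SAMLMessageContext");
        throw new MessageDecodingException(
                "Invalid message context type, this decoder only support SAMLMessageContext");
    }
    if (!(messageContext.getInboundMessageTransport() instanceof HTTPInTransport)) {
        log.error("Invalid inbound message transport type, this decoder only support HTTPInTransport");
        throw new MessageDecodingException(
                "Invalid inbound message transport type, this decoder only support HTTPInTransport");
    }
    SAMLMessageContext samlMsgCtx = (SAMLMessageContext) messageContext;
    HTTPInTransport inTransport = (HTTPInTransport) samlMsgCtx.getInboundMessageTransport();

    // Constant-first comparison: a null HTTP method is rejected instead of raising an NPE.
    if (!"POST".equalsIgnoreCase(inTransport.getHTTPMethod())) {
        throw new MessageDecodingException("This message decoder only supports the HTTP POST method");
    }

    String relayState = inTransport.getParameterValue("RelayState");
    samlMsgCtx.setRelayState(relayState);
    log.debug("Decoded SAML relay state of: {}", relayState);

    InputStream base64DecodedMessage = getBase64DecodedMessage(inTransport);
    // The body is attacker-controlled: make sure the root element really is an Assertion before
    // casting, so a Response (or any other SAML element) fails with a decoding error rather than a
    // ClassCastException escaping this method.
    Object decoded = unmarshallMessage(base64DecodedMessage);
    if (!(decoded instanceof Assertion)) {
        log.error("Decoded message is not a SAML 2 Assertion");
        throw new MessageDecodingException("Decoded message is not a SAML 2 Assertion");
    }
    Assertion inboundMessage = (Assertion) decoded;

    // The assertion's Issuer value becomes the synthesized Response's issuer; without it the
    // wrapping call below would dereference null.
    if (inboundMessage.getIssuer() == null || inboundMessage.getIssuer().getValue() == null) {
        log.error("Decoded SAML 2 Assertion has no Issuer");
        throw new MessageDecodingException("Decoded SAML 2 Assertion has no Issuer");
    }

    // NOTE(review): nothing in this method verifies the assertion's signature or that the Issuer is a
    // trusted IdP; the synthesized Response is handed on as-is. Confirm that populateMessageContext /
    // the downstream security policy enforces both before the assertion is acted on.
    Response response = SamlRedirectUtils.wrapAssertionIntoResponse(inboundMessage,
            inboundMessage.getIssuer().getValue());
    samlMsgCtx.setInboundMessage(response);
    samlMsgCtx.setInboundSAMLMessage(response);
    log.debug("Decoded SAML message");
    populateMessageContext(samlMsgCtx);
}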
assertion.getSubject().getSubjectConfirmations().get(0).getSubjectConfirmationData().setRecipient(spEndpoint); assertion.getConditions().getAudienceRestrictions().get(0).getAudiences().get(0).setAudienceURI(audienceEntityID); assertion.getIssuer().setValue(issuerEntityId); assertion.getSubject().getNameID().setValue(username); assertion.getSubject().getNameID().setFormat(format);
/**
 * Returns the Issuer value of the wrapped SAML 2 assertion.
 *
 * When no SAML 2 assertion is held, or it has no Issuer element, an error is logged and
 * {@code null} is returned; callers must therefore treat a {@code null} result as "unknown issuer".
 *
 * @return the issuer string of this AssertionWrapper model, or {@code null} if unavailable
 */
public String getIssuerString() {
    // Guard clause: bail out (and log) as soon as either the assertion or its Issuer is absent.
    if (saml2 == null || saml2.getIssuer() == null) {
        log.error(
            "AssertionWrapper: unable to return Issuer string - no saml assertion "
                + "model or issuer is null"
        );
        return null;
    }
    return saml2.getIssuer().getValue();
}
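/**
 * Checks that the Issuer element is present and carries a non-blank value.
 *
 * An {@code <Issuer/>} with no text is present but cannot identify any IdP, so it is rejected
 * together with a missing element. This is a structural check only: whether the issuer is a
 * trusted / expected entity must be verified by the caller against its IdP configuration.
 *
 * @param assertion the assertion to inspect
 * @throws ValidationException if the Issuer element is missing or its value is empty
 */
protected void validateIssuer(Assertion assertion) throws ValidationException {
    if (assertion.getIssuer() == null) {
        throw new ValidationException("Issuer is required element");
    }
    String issuerValue = assertion.getIssuer().getValue();
    if (issuerValue == null || issuerValue.trim().isEmpty()) {
        throw new ValidationException("Issuer element must not be empty");
    }
}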
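/**
 * Issuer of the SAML token.
 *
 * @return the value of the wrapped assertion's Issuer element
 * @throws IllegalStateException if the assertion has no Issuer element; an assertion that cannot be
 *                               attributed to an issuer must not be silently dereferenced
 */
@Override
public String getIssuerName() {
    // Fail with a descriptive unchecked exception instead of a bare NullPointerException.
    if (assertion.getIssuer() == null) {
        throw new IllegalStateException("SAML assertion has no Issuer element");
    }
    return assertion.getIssuer().getValue();
}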
/**
 * Returns the issuer of the wrapped assertion.
 *
 * A SAML 2 assertion with an Issuer element wins; otherwise a SAML 1 assertion's issuer string is
 * used. If neither is available an error is logged and {@code null} is returned.
 *
 * @return the issuer string of this AssertionWrapper object, or {@code null} if unavailable
 */
public String getIssuerString() {
    String issuerString = null;
    if (saml2 != null && saml2.getIssuer() != null) {
        issuerString = saml2.getIssuer().getValue();
    } else if (saml1 != null) {
        issuerString = saml1.getIssuer();
    } else {
        LOG.error(
            "AssertionWrapper: unable to return Issuer string - no saml assertion "
                + "object or issuer is null"
        );
    }
    return issuerString;
}
/**
 * Returns the issuer string of this AssertionWrapper object.
 *
 * Preference order: the SAML 2 assertion's Issuer value (when both the assertion and its Issuer
 * element exist), then the SAML 1 assertion's issuer. With neither available the method logs an
 * error and yields {@code null}.
 *
 * @return the issuer string, or {@code null} when no assertion or issuer is present
 */
public String getIssuerString() {
    boolean hasSaml2Issuer = saml2 != null && saml2.getIssuer() != null;
    if (hasSaml2Issuer) {
        return saml2.getIssuer().getValue();
    }
    if (saml1 != null) {
        return saml1.getIssuer();
    }
    LOG.error(
        "AssertionWrapper: unable to return Issuer string - no saml assertion "
            + "object or issuer is null"
    );
    return null;
}
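/**
 * Verifies that the assertion's Issuer equals the resident IdP's entity ID.
 *
 * The issuer is read null-safely so that an assertion without an Issuer element (or with an empty
 * value) fails verification with the same exception instead of a NullPointerException. A null
 * {@code idpEntityId} always fails: with no configured expectation nothing can be trusted.
 *
 * @param assertion   the received SAML assertion
 * @param tenantDomain tenant used only for the diagnostic log line
 * @param idpEntityId  the expected issuer (resident IdP entity ID); may be {@code null}
 * @return {@code true} when the issuer matches
 * @throws IdentityOAuth2Exception when the issuer is missing or does not match
 */
private boolean validateIdpEntityId(Assertion assertion, String tenantDomain, String idpEntityId)
        throws IdentityOAuth2Exception {
    String receivedIssuer = assertion.getIssuer() == null ? null : assertion.getIssuer().getValue();
    if (idpEntityId == null || !idpEntityId.equals(receivedIssuer)) {
        if (log.isDebugEnabled()) {
            log.debug("SAML Token Issuer verification failed against resident Identity Provider "
                    + "in tenant : " + tenantDomain + ". Received : " + receivedIssuer
                    + ", Expected : " + idpEntityId);
        }
        throw new IdentityOAuth2Exception("Issuer verification failed against resident idp");
    }
    return true;
}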
/**
 * Rejects the request when no identity provider was resolved for the assertion's issuer.
 *
 * @param assertion        the received SAML assertion (its Issuer is quoted in the debug log)
 * @param tenantDomain     tenant the lookup was performed in; used for the debug log only
 * @param identityProvider the lookup result, possibly {@code null}
 * @throws IdentityOAuth2Exception if {@code identityProvider} is {@code null}
 */
private void checkNullIdentityProvider(Assertion assertion, String tenantDomain,
        IdentityProvider identityProvider) throws IdentityOAuth2Exception {
    if (identityProvider != null) {
        return;
    }
    if (log.isDebugEnabled()) {
        log.debug("SAML Token Issuer : " + assertion.getIssuer().getValue()
                + " not registered as a local Identity Provider in tenant : " + tenantDomain);
    }
    throw new IdentityOAuth2Exception("Identity provider is null");
}
/**
 * Looks up the identity provider registered for the assertion's Issuer.
 *
 * The lookup is tried first with the {@code SAMLSSO_AUTHENTICATOR} name and, if that yields
 * nothing, repeated with {@code SAML2SSO_AUTHENTICATOR_NAME}.
 *
 * @param assertion    the received SAML assertion; its Issuer value is the lookup key
 * @param tenantDomain tenant to search in
 * @return the matching identity provider, or {@code null} if neither lookup finds one
 * @throws IdentityProviderManagementException propagated from the IdP manager
 */
private IdentityProvider getIdentityProviderFromManager(Assertion assertion, String tenantDomain)
        throws IdentityProviderManagementException {
    if (log.isDebugEnabled()) {
        log.debug("Retrieving identity provider : " + assertion.getIssuer().getValue() + " for "
                + "authenticator name " + SAMLSSO_AUTHENTICATOR);
    }
    IdentityProvider firstMatch =
            getIdPByAuthenticatorPropertyValue(assertion, tenantDomain, SAMLSSO_AUTHENTICATOR);
    if (firstMatch != null) {
        return firstMatch;
    }
    // First authenticator name found nothing; retry under the alternative name.
    if (log.isDebugEnabled()) {
        log.debug("Couldnt find an idp for samlsso authenticator. Hence retrieving "
                + "identity provider : " + assertion.getIssuer().getValue() + " for "
                + "authenticator name " + SAML2SSO_AUTHENTICATOR_NAME);
    }
    return getIdPByAuthenticatorPropertyValue(assertion, tenantDomain, SAML2SSO_AUTHENTICATOR_NAME);
}
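/**
 * Validates that the assertion's Issuer is present and equals the configured IdP entity ID.
 *
 * The issuer value is read into a local and compared null-safely: an Issuer element with no text
 * now fails with "Issuer validation failed." instead of a NullPointerException. A missing configured
 * entity ID can never match, so it also fails validation.
 *
 * @param assertion the received SAML 2 assertion
 * @param context   authentication context from which the IdP configuration is resolved
 * @throws SAML2SSOAuthenticationException if the Issuer element is missing or does not match
 */
protected void validateIssuer(Assertion assertion, AuthenticationContext context)
        throws SAML2SSOAuthenticationException {
    if (assertion.getIssuer() == null) {
        throw new SAML2SSOAuthenticationException("Cannot find Issuer element in Assertion.");
    }
    String issuerValue = assertion.getIssuer().getValue();
    String expectedEntityId = getIdPEntityId(getIdentityProviderConfig(context));
    // issuerValue.equals(null) is false, so a missing expected ID is rejected, never matched.
    if (issuerValue == null || !issuerValue.equals(expectedEntityId)) {
        throw new SAML2SSOAuthenticationException("Issuer validation failed.");
    }
}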
/**
 * Resolves the identity provider whose {@code IDP_ENTITY_ID} authenticator property equals the
 * assertion's Issuer value.
 *
 * @param assertion             the received SAML assertion; its Issuer value is the lookup key
 * @param tenantDomain          tenant to search in
 * @param authenticatorProperty authenticator name the property belongs to
 * @return the matching identity provider as returned by the manager (may be {@code null})
 * @throws IdentityProviderManagementException propagated from the IdP manager
 */
private IdentityProvider getIdPByAuthenticatorPropertyValue(Assertion assertion, String tenantDomain,
        String authenticatorProperty) throws IdentityProviderManagementException {
    String issuerEntityId = assertion.getIssuer().getValue();
    IdentityProviderManager manager = IdentityProviderManager.getInstance();
    return manager.getIdPByAuthenticatorPropertyValue(IDP_ENTITY_ID, issuerEntityId, tenantDomain,
            authenticatorProperty, false);
}
/**
 * Builds the view model from an authenticated SAML session.
 *
 * Copies the principal name and object from the {@code Authentication}, and the subject NameID
 * (value and format), the issuing IdP entity ID and the assertion's issue instant from the attached
 * {@code SAMLCredential}.
 *
 * @param authentication the current authentication; its credentials must be a {@code SAMLCredential}
 */
public General(Authentication authentication) {
    SAMLCredential samlCredential = (SAMLCredential) authentication.getCredentials();
    name = authentication.getName();
    principal = authentication.getPrincipal();

    NameID subjectId = samlCredential.getNameID();
    nameId = subjectId.getValue();
    nameIdFormat = subjectId.getFormat();

    idp = samlCredential.getAuthenticationAssertion().getIssuer().getValue();
    assertionIssueTime = samlCredential.getAuthenticationAssertion().getIssueInstant();
}
/**
 * Resolves the identity provider for the assertion's issuer within a tenant.
 *
 * Delegates the lookup to {@code getIdentityProviderFromManager}, fails if nothing was found, and
 * substitutes the tenant's resident IdP when the resolved provider is the resident one. Manager
 * failures are logged at debug level and re-thrown as {@code IdentityOAuth2Exception} without the
 * original cause attached, matching the existing contract.
 *
 * @param assertion    the received SAML assertion
 * @param tenantDomain tenant to resolve the provider in
 * @return the resolved (possibly resident) identity provider, never {@code null}
 * @throws IdentityOAuth2Exception if no provider exists or the manager lookup fails
 */
private IdentityProvider getIdentityProvider(Assertion assertion, String tenantDomain)
        throws IdentityOAuth2Exception {
    try {
        IdentityProvider resolved = getIdentityProviderFromManager(assertion, tenantDomain);
        checkNullIdentityProvider(assertion, tenantDomain, resolved);
        if (ClaimsUtil.isResidentIdp(resolved)) {
            resolved = IdentityProviderManager.getInstance().getResidentIdP(tenantDomain);
        }
        if (log.isDebugEnabled()) {
            log.debug("Found an idp with given information. IDP name : "
                    + resolved.getIdentityProviderName());
        }
        return resolved;
    } catch (IdentityProviderManagementException managementFailure) {
        if (log.isDebugEnabled()) {
            log.debug("Error while retrieving identity provider for issuer : "
                    + assertion.getIssuer().getValue() + " for tenantDomain : " + tenantDomain,
                    managementFailure);
        }
        throw new IdentityOAuth2Exception("Error while retrieving identity provider");
    }
}
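/**
 * Validates the single assertion carried by a SAML response.
 *
 * Requires exactly one assertion, an Issuer equal to {@code responseIssuer}, a NameID in the subject,
 * and then enforces the assertion's conditions. Issuer and Subject are read null-safely so a
 * malformed assertion is rejected with a {@code SamlException} rather than a NullPointerException.
 *
 * NOTE(review): only {@code getAssertions()} is inspected; encrypted assertions, if any, are not
 * considered here — confirm that is intended for this deployment.
 *
 * @param response the decoded SAML response
 * @throws SamlException if the structural checks fail or the conditions are not met
 */
private void validateAssertion(Response response) throws SamlException {
    if (response.getAssertions().size() != 1) {
        throw new SamlException("The response doesn't contain exactly 1 assertion");
    }
    Assertion assertion = response.getAssertions().get(0);

    String assertionIssuer = assertion.getIssuer() == null ? null : assertion.getIssuer().getValue();
    // A null issuer can never match; assertionIssuer.equals(null) is false for a null expectation.
    if (assertionIssuer == null || !assertionIssuer.equals(responseIssuer)) {
        throw new SamlException("The assertion issuer didn't match the expected value");
    }

    if (assertion.getSubject() == null || assertion.getSubject().getNameID() == null) {
        throw new SamlException(
            "The NameID value is missing from the SAML response; this is likely an IDP configuration issue");
    }
    enforceConditions(assertion.getConditions());
}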
String assertionIssuer; for (Assertion assertion : assertions) { if (assertion != null && assertion.getIssuer() != null) { assertionIssuer = extractEntityId(assertion.getIssuer()); if (messageIssuer != null && !messageIssuer.equals(assertionIssuer)) { throw new MessageDecodingException("SAML 2 assertions, within response "
if (validateIssuer(assertion1.getIssuer())) {
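/**
 * Verifies a SAML 2 assertion: issue-instant skew, issuer, signature, subject and conditions.
 *
 * Changes versus the previous version: the "too old" failure is raised as a {@code SAMLException}
 * carrying the issue instant instead of a bare {@code Exception} plus a {@code System.out} print,
 * and a missing Subject is rejected explicitly (as the sibling {@code SAMLMessageContext} overload
 * does) rather than being passed to {@code verifySubject} as {@code null}.
 *
 * The {@code throws} clause is left as-is for compatibility with existing callers.
 *
 * @param assertion the assertion to verify
 * @param request   the originating AuthnRequest used for subject verification
 * @param context   message context carrying the peer/issuer and signature trust information
 * @throws SAMLException if the assertion is too old, has no Subject, or a verification step fails
 */
private void verifyAssertion(Assertion assertion, AuthnRequest request, BasicSAMLMessageContext context)
        throws SAMLException, org.opensaml.xml.security.SecurityException, ValidationException, Exception {
    // Verify assertion time skew
    if (!isDateTimeSkewValid(MAX_ASSERTION_TIME, assertion.getIssueInstant())) {
        throw new SAMLException("Users authentication credential is too old to be used, issue instant: "
                + assertion.getIssueInstant());
    }

    // Verify validity of assertion
    // Advice is ignored, core 574
    verifyIssuer(assertion.getIssuer(), context);
    verifyAssertionSignature(assertion.getSignature(), context);

    // An assertion without a Subject cannot be bound to this request; reject it outright.
    if (assertion.getSubject() == null) {
        throw new SAMLException("Assertion does not contain subject and is discarded");
    }
    verifySubject(assertion.getSubject(), request, context);

    // Assertion with authentication statement must contain audience restriction
    if (assertion.getAuthnStatements().size() > 0) {
        verifyAssertionConditions(assertion.getConditions(), context, true);
        for (AuthnStatement statement : assertion.getAuthnStatements()) {
            verifyAuthenticationStatement(statement, context);
        }
    } else {
        verifyAssertionConditions(assertion.getConditions(), context, false);
    }
}
/**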
/**
 * Verifies a SAML 2 assertion end to end.
 *
 * Order of checks: the issue instant must be within the configured skew / max-age window, then the
 * issuer and signature are verified, a Subject must be present and is verified against the request,
 * and finally the conditions are verified. When the assertion carries authentication statements the
 * conditions verification requires an audience restriction and each statement is verified against
 * the request's RequestedAuthnContext (or {@code null} when no request is available).
 *
 * @param assertion the assertion to verify
 * @param request   the originating AuthnRequest, or {@code null} for unsolicited responses
 * @param context   message context carrying peer and trust information
 * @throws SAMLException if the assertion is too old, lacks a Subject, or a verification step fails
 */
protected void verifyAssertion(Assertion assertion, AuthnRequest request, SAMLMessageContext context)
        throws AuthenticationException, SAMLException, org.opensaml.xml.security.SecurityException,
        ValidationException, DecryptionException {
    // Verify storage time skew
    boolean withinWindow =
            isDateTimeSkewValid(getResponseSkew(), getMaxAssertionTime(), assertion.getIssueInstant());
    if (!withinWindow) {
        throw new SAMLException("Assertion is too old to be used, value can be customized by setting maxAssertionTime value "
                + assertion.getIssueInstant());
    }

    // Verify validity of storage
    // Advice is ignored, core 574
    verifyIssuer(assertion.getIssuer(), context);
    verifyAssertionSignature(assertion.getSignature(), context);

    // Check subject
    if (assertion.getSubject() == null) {
        throw new SAMLException("Assertion does not contain subject and is discarded");
    }
    verifySubject(assertion.getSubject(), request, context);

    // Assertion with authentication statement must contain audience restriction
    boolean hasAuthnStatements = !assertion.getAuthnStatements().isEmpty();
    verifyAssertionConditions(assertion.getConditions(), context, hasAuthnStatements);
    if (hasAuthnStatements) {
        for (AuthnStatement statement : assertion.getAuthnStatements()) {
            if (request == null) {
                verifyAuthenticationStatement(statement, null, context);
            } else {
                verifyAuthenticationStatement(statement, request.getRequestedAuthnContext(), context);
            }
        }
    }
}