/**
 * Builds a response with {@code assertionsSigned} enabled and checks that the resulting
 * assertion names the mocked user, is bound to the inbound request via InResponseTo, carries
 * the expected attributes, and has a Signature element.
 */
@Test
public void testBuildResponseWithSignedAssertion() throws MessageEncodingException, SAMLException,
        MetadataProviderException, SecurityException, MarshallingException, SignatureException {
    String authnId = UUID.randomUUID().toString();
    Authentication authn = samlTestUtils.mockUaaAuthentication(authnId);
    SAMLMessageContext ctx = samlTestUtils.mockSamlMessageContext();

    IdpWebSSOProfileOptions opts = new IdpWebSSOProfileOptions();
    opts.setAssertionsSigned(true);
    profile.buildResponse(authn, ctx, opts);

    AuthnRequest inbound = (AuthnRequest) ctx.getInboundSAMLMessage();
    Response outbound = (Response) ctx.getOutboundSAMLMessage();
    Assertion assertion = outbound.getAssertions().get(0);

    // The subject must identify the mocked user and confirm the request it answers.
    Subject subject = assertion.getSubject();
    assertEquals("marissa", subject.getNameID().getValue());
    SubjectConfirmation confirmation = subject.getSubjectConfirmations().get(0);
    SubjectConfirmationData confirmationData = confirmation.getSubjectConfirmationData();
    assertEquals(inbound.getID(), confirmationData.getInResponseTo());

    verifyAssertionAttributes(authnId, assertion);
    // Only asserts that a Signature element is present; the signature is not verified here.
    assertNotNull(assertion.getSignature());
}
/**
 * Returns the Signature element attached to the wrapped assertion.
 *
 * @return the assertion's SAML signature; {@code null} when the assertion carries no
 *         Signature element. This is a plain accessor and performs no validation.
 */
@Override
public Signature getSAMLSignature() {
    final Signature signature = this.assertion.getSignature();
    return signature;
}
continue; Signature encSig = assertion.getSignature(); if (idpMetadata.getSigningCertificate() != null && encSig != null) { BasicX509Credential sigCredential = new BasicX509Credential();
/**
 * Returns the XML signature of the wrapped assertion, preferring the SAML 2.0 assertion over
 * the SAML 1.1 one.
 *
 * @return the signature of {@code saml2} when that assertion is present and signed; otherwise
 *         the signature of {@code saml1} when present and signed; otherwise {@code null}
 */
public Signature getSignature() {
    if (saml2 != null && saml2.getSignature() != null) {
        return saml2.getSignature();
    }
    if (saml1 != null && saml1.getSignature() != null) {
        return saml1.getSignature();
    }
    // Neither assertion is present and signed.
    return null;
}
/**
 * Returns the XML signature of the wrapped assertion. The SAML 2.0 assertion takes
 * precedence; the SAML 1.1 assertion is consulted only when the former is absent or unsigned.
 *
 * @return the first non-null signature found on {@code saml2} then {@code saml1}, or
 *         {@code null} when neither is present and signed
 */
public Signature getSignature() {
    Signature fromSaml2 = (saml2 == null) ? null : saml2.getSignature();
    if (fromSaml2 != null) {
        return fromSaml2;
    }
    Signature fromSaml1 = (saml1 == null) ? null : saml1.getSignature();
    // null here means neither assertion carries a signature
    return fromSaml1;
}
/**
 * Reports whether the wrapped SAML 2.0 assertion is signed.
 *
 * <p>This variant consults only {@code saml2}; a wrapper holding no SAML 2.0 assertion is
 * reported as unsigned.
 *
 * @return {@code true} if a SAML 2.0 assertion is present and either reports itself as signed
 *         or carries a Signature element; {@code false} otherwise
 */
public boolean isSigned() {
    if (saml2 == null) {
        return false;
    }
    boolean selfReported = saml2.isSigned();
    return selfReported || saml2.getSignature() != null;
}
/**
 * Validates the signature of a SAML2 Assertion.
 *
 * @param assertion  SAML2 Assertion; may be {@code null}
 * @param domainName domain name of the subject, passed through to the
 *                   {@code validateSignature(Signature, String)} overload
 * @return {@code true} if the assertion is present, signed and its signature validates;
 *         {@code false} (after logging an error) when the assertion is missing or unsigned
 */
private boolean validateSignature(Assertion assertion, String domainName) {
    if (assertion == null || assertion.getSignature() == null) {
        // An unsigned or missing assertion is reported as invalid, never trusted.
        log.error("SAML Assertion is not signed or assertion not available. Authentication process will be "
                + "terminated.");
        return false;
    }
    if (log.isDebugEnabled()) {
        log.debug("Validating SAML Assertion Signature.");
    }
    return validateSignature(assertion.getSignature(), domainName);
}
/**
 * Validates the signature of a SAML2 Assertion.
 *
 * @param assertion  SAML2 Assertion; may be {@code null}
 * @param domainName domain name of the subject, handed to the Signature-level overload
 * @return {@code true} only if the assertion exists, carries a Signature element and that
 *         signature validates; {@code false} otherwise (an error is logged for the
 *         missing/unsigned case)
 */
private boolean validateSignature(Assertion assertion, String domainName) {
    boolean unsigned = (assertion == null) || (assertion.getSignature() == null);
    if (unsigned) {
        log.error("SAML Assertion is not signed or assertion not available. Authentication process will be "
                + "terminated.");
        return false;
    }
    if (log.isDebugEnabled()) {
        log.debug("Validating SAML Assertion Signature.");
    }
    boolean valid = validateSignature(assertion.getSignature(), domainName);
    return valid;
}
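/**
 * Checks that the Assertion is digitally signed and that its signature adheres to the SAML
 * signature profile. The Assertion MUST be digitally signed by the issuer and the
 * authorization server MUST verify the signature.
 *
 * <p>NOTE(review): profile validation checks the structure of the signature; it is presumed
 * not to be the cryptographic verification against the issuer's key, which must happen in a
 * separate step.
 *
 * @param assertion the SAML2 Assertion to check
 * @throws IdentityOAuth2Exception if the assertion is missing or carries no Signature
 *                                 element, or if the signature does not adhere to the SAML
 *                                 signature profile
 */
private void validateSignature(Assertion assertion) throws IdentityOAuth2Exception {
    if (assertion == null || assertion.getSignature() == null) {
        // Reject an unsigned assertion explicitly instead of handing null to the validator.
        throw new IdentityOAuth2Exception("Assertion is not signed; a signature is required.");
    }
    try {
        profileValidator.validate(assertion.getSignature());
    } catch (ValidationException e) {
        throw new IdentityOAuth2Exception("Signature do not adhere to the SAML signature profile.", e);
    }
}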
/**
 * Reports whether the wrapped assertion is signed, checking the SAML 2.0 assertion first and
 * falling back to the SAML 1.1 assertion only when no SAML 2.0 assertion is held.
 *
 * @return {@code true} if the selected assertion reports itself as signed or carries a
 *         Signature element; {@code false} when neither assertion is present
 */
public boolean isSigned() {
    if (saml2 != null) {
        return saml2.isSigned() || saml2.getSignature() != null;
    }
    if (saml1 != null) {
        return saml1.isSigned() || saml1.getSignature() != null;
    }
    return false;
}
/**
 * Validates the signature of the first Assertion contained in the SAML Response.
 *
 * <p>Only the first assertion is inspected; any further assertions are not checked here.
 * When the held message is not a Response, a {@code null} signature is passed on.
 *
 * @param credential the credential the assertion signature is validated against
 * @return the result of {@code validateSignature(credential, assertionSignature)}
 */
private boolean validateAssertionSignature(Credential credential) {
    Signature assertionSignature = null;
    if (isResponse()) {
        // get(0) throws IndexOutOfBoundsException when the response has no assertions.
        Response response = (Response) getSAMLResponse();
        assertionSignature = response.getAssertions().get(0).getSignature();
    }
    return validateSignature(credential, assertionSignature);
}
/**
 * Reports whether the wrapped assertion is signed. The SAML 2.0 assertion is authoritative
 * when present; otherwise the SAML 1.1 assertion is consulted.
 *
 * @return {@code true} if the consulted assertion reports itself as signed or has a
 *         Signature element, {@code false} if no assertion is held
 */
public boolean isSigned() {
    boolean signed = false;
    if (saml2 != null) {
        signed = saml2.isSigned() || saml2.getSignature() != null;
    } else if (saml1 != null) {
        signed = saml1.isSigned() || saml1.getSignature() != null;
    }
    return signed;
}
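/**
 * Validates the assertion's XML signature against the certificate registered for the
 * identity provider in the given tenant.
 *
 * @param assertion        the SAML2 assertion whose signature is checked; must be signed
 * @param tenantDomain     tenant used to resolve the IdP certificate
 * @param identityProvider the identity provider whose certificate is the trust anchor
 * @throws IdentityOAuth2Exception if the assertion is missing or unsigned, if the IdP
 *                                 certificate cannot be obtained, or if the signature does
 *                                 not validate against that certificate
 */
protected void validateSignatureAgainstIdpCertificate(Assertion assertion, String tenantDomain,
        IdentityProvider identityProvider) throws IdentityOAuth2Exception {
    if (assertion == null || assertion.getSignature() == null) {
        // Fail with a protocol error rather than passing null into SignatureValidator.
        throw new IdentityOAuth2Exception(
                "Assertion is not signed; cannot validate signature against IdP certificate.");
    }
    X509Certificate x509Certificate = getIdpCertificate(tenantDomain, identityProvider);
    try {
        // The registered IdP certificate, not anything carried in the assertion, is the trust anchor.
        X509Credential x509Credential = new X509CredentialImpl(x509Certificate);
        SignatureValidator signatureValidator = new SignatureValidator(x509Credential);
        signatureValidator.validate(assertion.getSignature());
    } catch (ValidationException e) {
        throw new IdentityOAuth2Exception("Error while validating the signature.", e);
    }
}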
/**
 * Reads signature-related fields from both the {@code AssertionType} output model and the
 * OpenSAML {@code Assertion}.
 *
 * <p>NOTE(review): every value read here is discarded — nothing is stored or returned, so the
 * method's only observable effects are the getter calls themselves and the exceptions they
 * can raise: a NullPointerException if {@code assertOut.getSamlSignature()}, its KeyInfo,
 * {@code assertion.getSignature()} or the signing credential is absent, and an
 * IndexOutOfBoundsException if the signature has no content references. It reads as an
 * unfinished extraction routine; confirm the intent before relying on it.
 *
 * @param assertion the OpenSAML assertion whose Signature is inspected
 * @param assertOut the output model whose SamlSignature is inspected
 */
private static void extractSignatureInfo(Assertion assertion, AssertionType assertOut) {
    SamlSignatureType samlSignature = assertOut.getSamlSignature() ;
    SamlSignatureKeyInfoType samlSignatureKeyInfoType = samlSignature.getKeyInfo() ;
    byte []signatureValue = samlSignature.getSignatureValue();
    // The results of the following getter calls are not used.
    samlSignature.getKeyInfo().getRsaKeyValueExponent();
    samlSignature.getKeyInfo().getRsaKeyValueModulus() ;
    Signature signature = assertion.getSignature() ;
    assertion.getSignature().getCanonicalizationAlgorithm();
    signature.getSignatureAlgorithm();
    List<ContentReference> contentReference1 = signature.getContentReferences();
    ContentReference contentReference = (ContentReference)contentReference1.get(0);
    // Dereferences the signing credential; NPE when none is set on the signature.
    signature.getSigningCredential().getPublicKey().getAlgorithm();
    //signature.getSigningCredential().
}

private static String getSubjectNameIDValue(Assertion assertion) {
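/**
 * Verifies that the response is protected by at least one signature and that every signature
 * present is valid.
 *
 * <p>A signature must exist on the Response itself or on at least one Assertion. Every
 * signature that is present is then checked with {@code validate(Signature)}. All assertions
 * are inspected (not only the first), and a response with no assertions no longer fails with
 * an IndexOutOfBoundsException. As before, an unsigned assertion inside a signed response is
 * accepted on the strength of the response signature.
 *
 * @param response the inbound SAML Response
 * @throws SamlException if neither the response nor any assertion is signed, or if any
 *                       present signature fails validation
 */
private void validateSignature(Response response) throws SamlException {
    Signature responseSignature = response.getSignature();

    // Determine first whether any assertion is signed, without touching get(0) on an empty list.
    int assertionCount = response.getAssertions().size();
    boolean anyAssertionSigned = false;
    for (int i = 0; i < assertionCount; i++) {
        if (response.getAssertions().get(i).getSignature() != null) {
            anyAssertionSigned = true;
            break;
        }
    }
    if (responseSignature == null && !anyAssertionSigned) {
        throw new SamlException("No signature is present in either response or assertion");
    }

    if (responseSignature != null && !validate(responseSignature)) {
        throw new SamlException("The response signature is invalid");
    }
    // Validate every assertion signature that is present, not just the first one.
    for (int i = 0; i < assertionCount; i++) {
        Signature assertionSignature = response.getAssertions().get(i).getSignature();
        if (assertionSignature != null && !validate(assertionSignature)) {
            throw new SamlException("The assertion signature is invalid");
        }
    }
}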
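/**
 * Validates the XML signature on an assertion using the certificate carried in the
 * signature's own KeyInfo.
 *
 * <p>NOTE(review): the verification key is taken from the assertion itself, so a successful
 * check proves only that the assertion was signed with the key in KeyInfo, not that this key
 * belongs to a trusted issuer. The existing TODO about checking issuer/subject still stands;
 * trust in {@code cert} (pinning or a trusted store) has to be established separately.
 *
 * @param assertion the assertion to check; must carry a Signature element
 * @throws ValidationException  if the assertion is not signed, or if schema validation,
 *                              profile validation or signature verification fails
 * @throws CertificateException if the signature carries no KeyInfo or no certificate
 */
private void validateSignature(Assertion assertion) throws ValidationException, CertificateException {
    assertion.validate(true);
    Signature signature = assertion.getSignature();
    if (signature == null) {
        // Fail explicitly instead of dereferencing a null Signature below.
        throw new ValidationException("Assertion is not signed, unable to validate signature!");
    }
    KeyInfo inf = signature.getKeyInfo();
    if (inf == null) {
        throw new CertificateException("Signature contains no KeyInfo, unable to validate signature!");
    }
    List<X509Certificate> certs = KeyInfoHelper.getCertificates(inf);
    if (certs == null || certs.isEmpty()) {
        throw new CertificateException("KeyInfoHelper contains no certificates, unable to validate signature!");
    }
    X509Certificate cert = certs.get(0);
    //TODO: verify certificate issuer/subject?
    // Principal pr = cert.getIssuerDN();
    // pr = cert.getSubjectDN();

    // Profile (structural) check of the signature against the SAML signature profile.
    SAMLSignatureProfileValidator pv = new SAMLSignatureProfileValidator();
    pv.validate(signature);

    // Cryptographic check against the embedded certificate, whose trust is not established here.
    BasicX509Credential credential = new BasicX509Credential();
    credential.setEntityCertificate(cert);
    SignatureValidator sigValidator = new SignatureValidator(credential);
    sigValidator.validate(signature);
}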
if (saml2 != null && saml2.getSignature() != null) { sig = saml2.getSignature(); } else if (saml1 != null && saml1.getSignature() != null) { sig = saml1.getSignature();
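/**
 * Verifies an assertion received in a Response: issue-instant skew, issuer, signature,
 * subject, and the conditions / authentication statements.
 *
 * @param assertion the assertion to verify
 * @param request   the AuthnRequest the response answers, used for subject verification
 * @param context   message context used for issuer and signature verification
 * @throws SAMLException if the assertion is too old or contains no subject
 * @throws org.opensaml.xml.security.SecurityException if signature verification fails
 * @throws ValidationException if a verification step reports a validation failure
 * @throws Exception propagated from the individual verification steps
 */
private void verifyAssertion(Assertion assertion, AuthnRequest request, BasicSAMLMessageContext context)
        throws SAMLException, org.opensaml.xml.security.SecurityException, ValidationException, Exception {
    // Verify assertion time skew; the issue instant is reported in the exception rather than on stdout.
    if (!isDateTimeSkewValid(MAX_ASSERTION_TIME, assertion.getIssueInstant())) {
        throw new SAMLException("Users authentication credential is too old to be used, issued at "
                + assertion.getIssueInstant());
    }
    // Verify validity of assertion
    // Advice is ignored, core 574
    verifyIssuer(assertion.getIssuer(), context);
    verifyAssertionSignature(assertion.getSignature(), context);
    // A subject-less assertion is rejected here instead of failing inside verifySubject.
    if (assertion.getSubject() == null) {
        throw new SAMLException("Assertion does not contain subject and is discarded");
    }
    verifySubject(assertion.getSubject(), request, context);
    // Assertion with authentication statement must contain audience restriction
    if (assertion.getAuthnStatements().size() > 0) {
        verifyAssertionConditions(assertion.getConditions(), context, true);
        for (AuthnStatement statement : assertion.getAuthnStatements()) {
            verifyAuthenticationStatement(statement, context);
        }
    } else {
        verifyAssertionConditions(assertion.getConditions(), context, false);
    }
}

/**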
/**
 * Validates the signatures of a SAML2 Response and its Assertion.
 *
 * <p>If a custom {@code SAMLSignatureValidator} is registered in {@code SSOAgentDataHolder},
 * validation is delegated to it entirely. Otherwise the default applies: the Response
 * signature is validated only when {@code isResponseSigned()} is configured, and the
 * Assertion signature only when {@code isAssertionSigned()} is configured — with both flags
 * off, no signature is checked by this method.
 *
 * @param response  SAML2 Response
 * @param assertion SAML2 Assertion taken from the response
 * @throws SSOAgentException if a signature required by configuration is missing, or if a
 *                           present signature fails validation
 */
protected void validateSignature(Response response, Assertion assertion) throws SSOAgentException {
    Object customValidator = SSOAgentDataHolder.getInstance().getSignatureValidator();
    if (customValidator != null) {
        // Custom implementation of signature validation takes over completely.
        ((SAMLSignatureValidator) customValidator).validateSignature(response, assertion, ssoAgentConfig);
        return;
    }
    // No custom implementation: execute the default, configuration-driven checks.
    if (ssoAgentConfig.getSAML2().isResponseSigned()) {
        if (response.getSignature() == null) {
            throw new SSOAgentException("SAML2 Response signing is enabled, but signature element not found in SAML2 Response element");
        }
        validateSignature(response.getSignature());
    }
    if (ssoAgentConfig.getSAML2().isAssertionSigned()) {
        if (assertion.getSignature() == null) {
            throw new SSOAgentException("SAML2 Assertion signing is enabled, but signature element not found in SAML2 Assertion element");
        }
        validateSignature(assertion.getSignature());
    }
}
/**
 * Verifies an assertion received in a Response against the message context: issue-instant
 * skew, issuer, signature, subject, and the conditions / authentication statements.
 *
 * @param assertion the assertion to verify
 * @param request   the AuthnRequest the response answers; may be {@code null}, in which case
 *                  no requested authentication context is enforced
 * @param context   message context used for issuer and signature verification
 * @throws SAMLException if the assertion is older than the configured maximum or has no subject
 * @throws AuthenticationException, org.opensaml.xml.security.SecurityException,
 *         ValidationException, DecryptionException propagated from the verification steps
 */
protected void verifyAssertion(Assertion assertion, AuthnRequest request, SAMLMessageContext context)
        throws AuthenticationException, SAMLException, org.opensaml.xml.security.SecurityException,
        ValidationException, DecryptionException {
    // Reject stale assertions; the bound is configurable through maxAssertionTime.
    if (!isDateTimeSkewValid(getResponseSkew(), getMaxAssertionTime(), assertion.getIssueInstant())) {
        throw new SAMLException("Assertion is too old to be used, value can be customized by setting maxAssertionTime value "
                + assertion.getIssueInstant());
    }
    // Advice is ignored, core 574
    verifyIssuer(assertion.getIssuer(), context);
    verifyAssertionSignature(assertion.getSignature(), context);

    // An assertion without a subject is discarded.
    if (assertion.getSubject() == null) {
        throw new SAMLException("Assertion does not contain subject and is discarded");
    }
    verifySubject(assertion.getSubject(), request, context);

    // Assertion with authentication statement must contain audience restriction; when there
    // are no statements the loop below is empty and conditions are checked without it.
    boolean hasAuthnStatements = !assertion.getAuthnStatements().isEmpty();
    verifyAssertionConditions(assertion.getConditions(), context, hasAuthnStatements);
    for (AuthnStatement statement : assertion.getAuthnStatements()) {
        verifyAuthenticationStatement(statement,
                request == null ? null : request.getRequestedAuthnContext(), context);
    }
}