/**
 * Writes the AudienceURI of the given {@link Audience} as the text content of {@code domElement}.
 *
 * @param samlObject the {@link Audience} being marshalled (cast unconditionally, as the caller guarantees the type)
 * @param domElement the element that receives the audience URI as text content
 * @throws MarshallingException declared for the marshaller contract; not thrown by this body itself
 */
protected void marshallElementContent(XMLObject samlObject, Element domElement) throws MarshallingException {
    String audienceUri = ((Audience) samlObject).getAudienceURI();
    XMLHelper.appendTextContent(domElement, audienceUri);
}
} // closes the enclosing class, whose header lies outside this excerpt
/**
 * Ensures the AudienceURI is present; an {@code Audience} element without a URI is rejected.
 *
 * @param audience the audience to validate
 * @throws ValidationException if the AudienceURI is missing or empty (as judged by {@code DatatypeHelper.isEmpty})
 */
protected void validateAudienceURI(Audience audience) throws ValidationException {
    String audienceUri = audience.getAudienceURI();
    boolean missing = DatatypeHelper.isEmpty(audienceUri);
    if (missing) {
        throw new ValidationException("AudienceURI required");
    }
}
} // closes the enclosing class, whose header lies outside this excerpt
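/**
 * Captures the validity window and the audience URIs of the authentication assertion carried by
 * the given authentication.
 *
 * <p>Only the first {@code AudienceRestriction} of the assertion's {@code Conditions} is read.
 * NOTE(review): SAML treats multiple AudienceRestriction elements as conjunctive, so any further
 * restrictions are silently not captured here — confirm callers never rely on them.
 *
 * @param authentication authentication whose credentials are a {@link SAMLCredential}
 * @throws IllegalArgumentException if the credential has no assertion, the assertion has no
 *         {@code Conditions}, or the conditions carry no {@code AudienceRestriction}; the
 *         unguarded lookups previously failed with a NullPointerException or
 *         IndexOutOfBoundsException in these cases
 */
public Conditions(Authentication authentication) {
    SAMLCredential credential = (SAMLCredential) authentication.getCredentials();
    Assertion assertion = credential.getAuthenticationAssertion();
    if (assertion == null) {
        throw new IllegalArgumentException("SAML credential carries no authentication assertion");
    }
    org.opensaml.saml2.core.Conditions conditions = assertion.getConditions();
    if (conditions == null) {
        throw new IllegalArgumentException("SAML assertion carries no Conditions");
    }
    List<AudienceRestriction> restrictions = conditions.getAudienceRestrictions();
    if (restrictions == null || restrictions.isEmpty()) {
        throw new IllegalArgumentException("SAML assertion Conditions carry no AudienceRestriction");
    }
    notBefore = conditions.getNotBefore();
    notOnOrAfter = conditions.getNotOnOrAfter();
    audienceRestriction = new ArrayList<>();
    // Only the first restriction is captured; see the class-level note above.
    for (Audience audience : restrictions.get(0).getAudiences()) {
        audienceRestriction.add(audience.getAudienceURI());
    }
}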
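/**
 * Collects the audience URIs of the first assertion of a SAML2 response.
 *
 * <p>Only the first assertion is inspected. The audiences of every {@code AudienceRestriction} in
 * its {@code Conditions} are flattened into a single list, so the caller cannot tell which
 * restriction a URI belonged to (SAML treats multiple restrictions as conjunctive). An
 * {@code Audience} without a URI contributes a {@code null} entry, as before.
 *
 * @param samlResponse SAML2 response
 * @return audience URIs; empty (never {@code null}) when the response has no assertion, or the
 *         assertion has no conditions or audience restrictions
 */
private List<String> getAudiencesFromSAMLResponse(ResponseImpl samlResponse) {
    List<String> audiences = new ArrayList<>();
    List<Assertion> assertions = samlResponse.getAssertions();
    // An unguarded get(0) threw IndexOutOfBoundsException on a response without assertions.
    if (assertions == null || assertions.isEmpty()) {
        return audiences;
    }
    Assertion assertion = assertions.get(0);
    if (assertion == null || assertion.getConditions() == null) {
        return audiences;
    }
    List<AudienceRestriction> restrictions = assertion.getConditions().getAudienceRestrictions();
    if (restrictions == null) {
        return audiences;
    }
    for (AudienceRestriction restriction : restrictions) {
        List<Audience> restrictionAudiences = restriction.getAudiences();
        if (restrictionAudiences == null) {
            continue;
        }
        for (Audience audience : restrictionAudiences) {
            audiences.add(audience.getAudienceURI());
        }
    }
    return audiences;
}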
boolean audienceFound = false; for (Audience audience : audienceRestriction.getAudiences()) { if (webApp.getSaml2SsoIssuer().equals(audience.getAudienceURI())) { audienceFound = true; break;
if (!audience.getAudienceURI().equals(audienceUri)) { LOG.debug("expected audience URI: " + audienceUri); LOG.debug("audience URI: " + audience.getAudienceURI()); throw new AssertionValidationException( "AudienceURI does not match expected recipient");
if (spId.equals(audience.getAudienceURI())) { return true;
/**
 * Verifies the audience restrictions of the assertion against the local entity. Every
 * {@code AudienceRestriction} must name the local entity (restrictions combine as a logical AND),
 * while within one restriction it is enough that a single audience matches (logical OR).
 *
 * @param context message context supplying the local entity id
 * @param audienceRestrictions audience restrictions to verify
 * @throws SAMLException when a restriction lists no audiences, or when one of the restrictions
 *         does not name the local entity
 */
protected void verifyAudience(SAMLMessageContext context, List<AudienceRestriction> audienceRestrictions) throws SAMLException {
    for (AudienceRestriction restriction : audienceRestrictions) {
        List<Audience> candidates = restriction.getAudiences();
        // A restriction without audiences can never be satisfied (saml-core, 922-925).
        if (candidates.size() == 0) {
            throw new SAMLException("No audit audience specified for the assertion");
        }
        boolean localEntityListed = false;
        for (Audience candidate : candidates) {
            // One matching audience satisfies the whole restriction (saml-core, 922-925).
            if (context.getLocalEntityId().equals(candidate.getAudienceURI())) {
                localEntityListed = true;
                break;
            }
        }
        if (!localEntityListed) {
            throw new SAMLException("Local entity is not the intended audience of the assertion in at least "
                    + "one AudienceRestriction");
        }
    }
}
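/**
 * Verifies that the token endpoint alias appears among the audiences of the assertion.
 *
 * <p>The alias is first validated against the identity provider configuration and the audience
 * restrictions are validated for presence. The check then passes as soon as any single
 * {@code AudienceRestriction} lists the alias. NOTE(review): SAML core treats multiple
 * AudienceRestriction elements as conjunctive; confirm that satisfying one of them is the
 * intended policy. An {@code Audience} whose URI is absent is skipped instead of raising a
 * NullPointerException.
 *
 * @param identityProvider identity provider that issued the assertion (used for alias validation and logging)
 * @param conditions conditions of the assertion
 * @param tokenEndpointAlias audience value expected in the assertion
 * @param tenantDomain tenant domain used for alias validation and logging
 * @return {@code true} when the alias was found; the method throws otherwise
 * @throws IdentityOAuth2Exception if alias or restriction validation fails, or no restriction lists the alias
 */
private boolean validateAudience(IdentityProvider identityProvider, Conditions conditions,
                                 String tokenEndpointAlias, String tenantDomain)
        throws IdentityOAuth2Exception {
    validateTokenEPAlias(identityProvider, tokenEndpointAlias, tenantDomain);
    List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
    validateAudienceRestriction(audienceRestrictions);
    if (!containsAudience(audienceRestrictions, tokenEndpointAlias)) {
        if (log.isDebugEnabled()) {
            log.debug("SAML Assertion Audience Restriction validation failed against the Audience : "
                    + tokenEndpointAlias + " of Identity Provider : "
                    + identityProvider.getIdentityProviderName() + " in tenant : " + tenantDomain);
        }
        throw new IdentityOAuth2Exception("SAML Assertion Audience Restriction validation failed");
    }
    return true;
}

/**
 * Returns whether any of the restrictions lists {@code expectedAudience}.
 * Restrictions without audiences and audiences without a URI are skipped.
 */
private static boolean containsAudience(List<AudienceRestriction> audienceRestrictions, String expectedAudience) {
    for (AudienceRestriction audienceRestriction : audienceRestrictions) {
        List<Audience> audiences = audienceRestriction.getAudiences();
        if (audiences == null) {
            continue;
        }
        for (Audience audience : audiences) {
            String audienceUri = audience.getAudienceURI();
            // An Audience element with no text content used to NPE on equals(); treat it as no match.
            if (audienceUri != null && audienceUri.equals(expectedAudience)) {
                return true;
            }
        }
    }
    return false;
}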
if (spId.equals(audience.getAudienceURI())) { return true;
if (context.getLocalEntityId().equals(aud.getAudienceURI())) { continue audience;
) { for (Audience audience : audienceRestriction.getAudiences()) { if (ssoAgentConfig.getSAML2().getSPEntityId().equals(audience.getAudienceURI())) { audienceFound = true; break;
for (Audience audience : audienceRestriction.getAudiences()) { String spEntityId = getSPEntityId(getIdentityProviderConfig(context)); if (spEntityId.equals(audience.getAudienceURI())) { audienceFound = true; break;
) { for (Audience audience : audienceRestriction.getAudiences()) { if (ssoAgentConfig.getSAML2().getSPEntityId().equals(audience.getAudienceURI())) { audienceFound = true; break;
if (CollectionUtils.isNotEmpty(audienceRestriction.getAudiences())) { for (Audience audience : audienceRestriction.getAudiences()) { if (audience.getAudienceURI().equals(tokenEndpointAlias)) { audienceFound = true; break;
audienceRestriction.getAudiences(); for (org.opensaml.saml2.core.Audience audience : audiences) { String audienceURI = audience.getAudienceURI(); if (audienceRestrictions.contains(audienceURI)) { foundAddress = true;
audienceRestriction.getAudiences(); for (org.opensaml.saml2.core.Audience audience : audiences) { String audienceURI = audience.getAudienceURI(); if (audienceRestrictions.contains(audienceURI)) { foundAddress = true;
if (config.getSPConfig().getEntityId().equals(a.getAudienceURI())) { foundSP = true;
if (spConfig.getEntityId().equals(a.getAudienceURI())) foundSP = true;