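/**
 * Collects user attributes from a SAML credential according to the IdP definition's
 * attribute mappings, and additionally records the AuthnContextClassRef of every
 * AuthnStatement under AUTHENTICATION_CONTEXT_CLASS_REFERENCE.
 *
 * Only mappings whose value is a String (taken as the IdP-side attribute name) are consulted;
 * each value of the matching SAML attribute is converted through getStringValue and, when
 * non-null, added under the mapping's key.
 *
 * NOTE(review): everything returned here is asserted by the IdP. It is only as trustworthy as
 * the assertion signature/issuer validation performed before the SAMLCredential was built —
 * confirm that happens upstream. Also, the context-class entry shares the map with configured
 * keys, so a mapping configured under the same key would be merged into the same value list.
 *
 * @param definition the IdP definition holding attribute mappings; may be null (no mappings)
 * @param credential the SAML credential to read attributes from (must not be null)
 * @return multi-valued map of attribute name to values; never null, possibly empty
 */
public MultiValueMap<String, String> retrieveUserAttributes(SamlIdentityProviderDefinition definition, SAMLCredential credential) {
    MultiValueMap<String, String> userAttributes = new LinkedMultiValueMap<>();
    // The original formatted the debug message from `definition` before its own null check,
    // so a null definition failed with an NPE instead of yielding a map without mapped attributes.
    if (definition != null) {
        logger.debug(String.format("Retrieving SAML user attributes [zone:%s, origin:%s]", definition.getZoneId(), definition.getIdpEntityAlias()));
    }
    if (definition != null && definition.getAttributeMappings() != null) {
        for (Entry<String, Object> attributeMapping : definition.getAttributeMappings().entrySet()) {
            // Only String-valued mappings (IdP attribute names) are resolved here.
            if (!(attributeMapping.getValue() instanceof String)) {
                continue;
            }
            String key = attributeMapping.getKey();
            String samlAttributeName = (String) attributeMapping.getValue();
            if (credential.getAttribute(samlAttributeName) == null) {
                continue;
            }
            for (XMLObject xmlObject : credential.getAttribute(samlAttributeName).getAttributeValues()) {
                String value = getStringValue(key, definition, xmlObject);
                if (value != null) {
                    userAttributes.add(key, value);
                }
            }
        }
    }
    // Record the asserted authentication context class of each statement, when present.
    if (credential.getAuthenticationAssertion() != null && credential.getAuthenticationAssertion().getAuthnStatements() != null) {
        for (AuthnStatement statement : credential.getAuthenticationAssertion().getAuthnStatements()) {
            if (statement.getAuthnContext() != null && statement.getAuthnContext().getAuthnContextClassRef() != null) {
                userAttributes.add(AUTHENTICATION_CONTEXT_CLASS_REFERENCE, statement.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef());
            }
        }
    }
    return userAttributes;
}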
when(statement.getAuthnContext()).thenReturn(authenticationContext);
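/**
 * Returns the first non-blank AuthenticatingAuthority URI found across the assertion's
 * AuthnStatements, or null when none is present.
 *
 * NOTE(review): the authority is a claim made by the IdP inside the assertion; rely on it only
 * after the assertion's signature and issuer have been validated.
 *
 * @param assertion the SAML assertion to inspect (must not be null)
 * @return the first non-blank authenticating authority URI, or null
 */
private String getAuthenticatingAuthority(final Assertion assertion) {
    final List<AuthnStatement> authnStatements = assertion.getAuthnStatements();
    if (authnStatements == null) {
        return null;
    }
    for (AuthnStatement as : authnStatements) {
        // The original dereferenced getAuthnContext() unconditionally and would NPE on a
        // statement without one; skip such statements instead.
        if (as.getAuthnContext() == null) {
            continue;
        }
        final List<AuthenticatingAuthority> authorities = as.getAuthnContext().getAuthenticatingAuthorities();
        if (authorities == null) {
            continue;
        }
        for (AuthenticatingAuthority aa : authorities) {
            if (StringUtils.isNotBlank(aa.getURI())) {
                return aa.getURI();
            }
        }
    }
    return null;
}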
/**
 * Checks that the statement carries an AuthnContext element.
 *
 * @param authnStatement the statement under validation
 * @throws ValidationException when no AuthnContext is present
 */
protected void validateAuthnContext(AuthnStatement authnStatement) throws ValidationException {
    final boolean contextPresent = authnStatement.getAuthnContext() != null;
    if (!contextPresent) {
        throw new ValidationException("AuthnContext required");
    }
}
}
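/**
 * Summarises the first AuthnStatement carried by the SAML credential of the given
 * authentication: AuthnInstant, SessionNotOnOrAfter, AuthnContextClassRef, SessionIndex and
 * the SubjectLocality address.
 *
 * @param authentication an authentication whose credentials are a SAMLCredential
 * @throws IllegalArgumentException if the credential carries no assertion, or the assertion
 *         has no AuthnStatement (previously surfaced as NPE / IndexOutOfBoundsException)
 * @throws ClassCastException if the credentials are not a SAMLCredential (unchanged)
 */
public AuthenticationStatement(Authentication authentication) {
    SAMLCredential credential = (SAMLCredential) authentication.getCredentials();
    Assertion assertion = credential.getAuthenticationAssertion();
    if (assertion == null) {
        throw new IllegalArgumentException("SAML credential carries no authentication assertion");
    }
    List<AuthnStatement> authnStatements = assertion.getAuthnStatements();
    // Fail with a clear message instead of IndexOutOfBoundsException on get(0).
    if (authnStatements == null || authnStatements.isEmpty()) {
        throw new IllegalArgumentException("SAML assertion contains no AuthnStatement");
    }
    // Only the first statement is summarised (as before); any further statements are ignored.
    AuthnStatement authnStatement = authnStatements.get(0);
    authenticationInstance = authnStatement.getAuthnInstant();
    sessionValidity = authnStatement.getSessionNotOnOrAfter();
    sessionIndex = authnStatement.getSessionIndex();
    // AuthnContext / AuthnContextClassRef may be absent; the original NPE'd here in that case.
    // NOTE(review): callers that gate on the context class (e.g. step-up/MFA decisions) must
    // treat a null value as "not asserted", never as satisfying the requirement.
    if (authnStatement.getAuthnContext() != null && authnStatement.getAuthnContext().getAuthnContextClassRef() != null) {
        authenticationContextClass = authnStatement.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef();
    } else {
        authenticationContextClass = null;
    }
    SubjectLocality subjectLocalityValue = authnStatement.getSubjectLocality();
    subjectLocality = subjectLocalityValue == null ? null : subjectLocalityValue.getAddress();
}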
if ((authnStatement.getAuthnContext() != null) && (authnStatement.getAuthnContext().getAuthnContextClassRef() != null)) { samlAuthnStatement.setAuthContextClassRef(authnStatement.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef()); log.debug("Assertion.samlAuthnStatement.authContextClassRef = " + samlAuthnStatement.getAuthContextClassRef()); log.debug("authnContext has " + authnStatement.getAuthnContext().getAuthenticatingAuthorities().size() + " content entries. "); List<AuthenticatingAuthority> contents = authnStatement.getAuthnContext().getAuthenticatingAuthorities(); if ((contents != null) && (contents.size() > 0)) {
AuthnContext authnContext = authnStatement.getAuthnContext(); if (null == authnContext) { throw new AssertionValidationException("missing SAML authn context");
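/**
 * Verifies that an authentication statement is still usable: its AuthnInstant is not older
 * than the configured maximum authentication age (allowing for response skew), its session
 * has not expired, and its AuthnContext satisfies what was requested.
 *
 * @param auth statement to check
 * @param requestedAuthnContext original requested context; can be null for unsolicited
 *        messages or when no context was requested
 * @param context message context
 * @throws AuthenticationException in case the statement is invalid
 */
protected void verifyAuthenticationStatement(AuthnStatement auth, RequestedAuthnContext requestedAuthnContext, SAMLMessageContext context) throws AuthenticationException {
    // Fail closed: without an AuthnInstant the maximum-age check cannot be applied. The original
    // passed the null straight into isDateTimeSkewValid, which would surface as a runtime error
    // rather than an authentication failure.
    if (auth.getAuthnInstant() == null) {
        throw new CredentialsExpiredException("Authentication statement has no AuthnInstant and cannot be validated");
    }
    // Validate that the user wasn't authenticated too long ago (max age, tolerant of response skew)
    if (!isDateTimeSkewValid(getResponseSkew(), getMaxAuthenticationAge(), auth.getAuthnInstant())) {
        throw new CredentialsExpiredException("Authentication statement is too old to be used with value " + auth.getAuthnInstant());
    }
    // Validate the user's session is still valid. This compares against the local clock with no
    // skew allowance, so a fast local clock rejects sessions slightly early (the fail-safe direction).
    if (auth.getSessionNotOnOrAfter() != null && auth.getSessionNotOnOrAfter().isBeforeNow()) {
        throw new CredentialsExpiredException("Authentication session is not valid on or after " + auth.getSessionNotOnOrAfter());
    }
    // Verify the asserted context against the requested one
    verifyAuthnContext(requestedAuthnContext, auth.getAuthnContext(), context);
}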