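/**
 * Attaches a {@code <Conditions>} element to {@code assertion}: a validity window that
 * opens now and closes {@code assertionTtlSeconds} later, plus one
 * {@code <AudienceRestriction>} naming {@code audienceURI}. Any Conditions already on
 * the assertion are replaced.
 *
 * <p>Both bounds come from a single clock read, so NotBefore and NotOnOrAfter are exactly
 * {@code assertionTtlSeconds} apart. No clock-skew allowance is added here; the relying
 * party is expected to apply its own tolerance when it evaluates the window.
 *
 * @param assertion           assertion to decorate
 * @param assertionTtlSeconds lifetime of the assertion in seconds; must be positive, otherwise
 *                            the window would be empty and the assertion never valid
 * @param audienceURI         entity ID of the intended relying party; must not be blank,
 *                            since an assertion with an empty audience cannot be scoped to anyone
 * @throws IllegalArgumentException if the TTL is not positive or the audience is blank
 */
private void buildAssertionConditions(Assertion assertion, int assertionTtlSeconds, String audienceURI) {
    if (assertionTtlSeconds <= 0) {
        throw new IllegalArgumentException("assertionTtlSeconds must be positive: " + assertionTtlSeconds);
    }
    if (audienceURI == null || audienceURI.trim().isEmpty()) {
        throw new IllegalArgumentException("audienceURI must not be blank");
    }

    // One clock read for both bounds; two separate reads could drift by a few milliseconds.
    DateTime notBefore = new DateTime();

    @SuppressWarnings("unchecked")
    SAMLObjectBuilder<Conditions> conditionsBuilder =
            (SAMLObjectBuilder<Conditions>) builderFactory.getBuilder(Conditions.DEFAULT_ELEMENT_NAME);
    Conditions conditions = conditionsBuilder.buildObject();
    conditions.setNotBefore(notBefore);
    conditions.setNotOnOrAfter(notBefore.plusSeconds(assertionTtlSeconds));

    @SuppressWarnings("unchecked")
    SAMLObjectBuilder<Audience> audienceBuilder =
            (SAMLObjectBuilder<Audience>) builderFactory.getBuilder(Audience.DEFAULT_ELEMENT_NAME);
    Audience audience = audienceBuilder.buildObject();
    audience.setAudienceURI(audienceURI);

    @SuppressWarnings("unchecked")
    SAMLObjectBuilder<AudienceRestriction> audienceRestrictionBuilder =
            (SAMLObjectBuilder<AudienceRestriction>) builderFactory
                    .getBuilder(AudienceRestriction.DEFAULT_ELEMENT_NAME);
    AudienceRestriction audienceRestriction = audienceRestrictionBuilder.buildObject();
    audienceRestriction.getAudiences().add(audience);

    conditions.getAudienceRestrictions().add(audienceRestriction);
    assertion.setConditions(conditions);
}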
// NOTE(review): `until` is one hour from now — presumably meant for the assertion's
// NotOnOrAfter, but its use is outside this excerpt; confirm it is actually applied.
DateTime until = new DateTime().plusHours(1);
// Bind the assertion to the target SP: Recipient, Audience, Issuer and Subject NameID are
// the fields a relying party compares against its own configuration before trusting it.
// The get(0) calls assume exactly one SubjectConfirmation, one AudienceRestriction and
// one Audience are present — an assertion built elsewhere with a different shape would throw.
assertion.getSubject().getSubjectConfirmations().get(0).getSubjectConfirmationData().setRecipient(spEndpoint);
assertion.getConditions().getAudienceRestrictions().get(0).getAudiences().get(0).setAudienceURI(audienceEntityID);
assertion.getIssuer().setValue(issuerEntityId);
assertion.getSubject().getNameID().setValue(username);
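/**
 * Snapshot of the {@code <Conditions>} carried by the authenticating SAML assertion.
 *
 * <p>Reads NotBefore / NotOnOrAfter and every {@code <Audience>} URI found in any
 * {@code <AudienceRestriction>} of the assertion. An assertion without a
 * {@code <Conditions>} element (or without audience restrictions) leaves the two
 * timestamps {@code null} and the audience list empty instead of failing on a
 * first-element access.
 *
 * <p>The SAML 2.0 Core specification requires each {@code <AudienceRestriction>} to be
 * evaluated independently; flattening all audiences into one list keeps the URIs but
 * drops that grouping, so a strict validator should consult the assertion itself
 * rather than only this list.
 *
 * @param authentication authentication whose credentials are a {@link SAMLCredential}
 * @throws ClassCastException if the credentials are not a {@link SAMLCredential}
 */
public Conditions(Authentication authentication) {
    SAMLCredential credential = (SAMLCredential) authentication.getCredentials();
    Assertion assertion = credential.getAuthenticationAssertion();
    org.opensaml.saml2.core.Conditions conditions = assertion.getConditions();

    List<String> collected = new ArrayList<>();
    if (conditions != null) {
        notBefore = conditions.getNotBefore();
        notOnOrAfter = conditions.getNotOnOrAfter();
        List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
        if (audienceRestrictions != null) {
            // Walk every restriction, not only the first: the original get(0) threw on an
            // assertion with none and silently ignored any beyond the first.
            for (AudienceRestriction restriction : audienceRestrictions) {
                List<Audience> audiences = restriction.getAudiences();
                if (audiences == null) {
                    continue;
                }
                for (Audience audience : audiences) {
                    collected.add(audience.getAudienceURI());
                }
            }
        }
    } else {
        notBefore = null;
        notOnOrAfter = null;
    }
    audienceRestriction = collected;
}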
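/**
 * Get Audiences of SAML2 Response.
 *
 * <p>Collects every {@code <Audience>} URI from every {@code <AudienceRestriction>} of the
 * first assertion in the response. Only the first assertion is inspected; audiences of any
 * further assertions are not merged in. Returns an empty list when the response carries no
 * assertion, or the assertion has no Conditions or audience restrictions, rather than
 * throwing {@link IndexOutOfBoundsException} on an empty assertion list.
 *
 * @param samlResponse SAML2 Response
 * @return audiences, possibly empty, never {@code null}
 */
private List<String> getAudiencesFromSAMLResponse(ResponseImpl samlResponse) {
    List<String> audiences = new ArrayList<>();
    List<Assertion> assertions = samlResponse.getAssertions();
    // get(0) on an empty list throws; a null check on its result alone cannot prevent that.
    if (CollectionUtils.isEmpty(assertions) || assertions.get(0) == null) {
        return audiences;
    }
    Conditions conditions = assertions.get(0).getConditions();
    if (conditions == null || CollectionUtils.isEmpty(conditions.getAudienceRestrictions())) {
        return audiences;
    }
    for (AudienceRestriction audienceRestriction : conditions.getAudienceRestrictions()) {
        if (CollectionUtils.isEmpty(audienceRestriction.getAudiences())) {
            continue;
        }
        for (Audience audience : audienceRestriction.getAudiences()) {
            audiences.add(audience.getAudienceURI());
        }
    }
    return audiences;
}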
Conditions conditions = assertion.getConditions(); if (conditions != null) { List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions(); if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) { for (AudienceRestriction audienceRestriction : audienceRestrictions) {
if (conditions.getAudienceRestrictions().isEmpty() || conditions.getAudienceRestrictions().size() != 1) { .getAudienceRestrictions().get(0); if (audienceRestriction.getAudiences().isEmpty() || audienceRestriction.getAudiences().size() != 1) {
Conditions conditions = assertion.getConditions(); if (conditions != null) { List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions(); if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) { for (AudienceRestriction audienceRestriction : audienceRestrictions) {
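/**
 * Validates the assertion's {@code <AudienceRestriction>} conditions against the identity
 * provider's token endpoint alias.
 *
 * <p>Per SAML 2.0 Core 2.5.1.4 each {@code <AudienceRestriction>} is evaluated
 * independently and the assertion is valid only if all of them are: the alias must appear
 * among the {@code <Audience>} values of <em>every</em> restriction, and a restriction that
 * lists no audiences can never be satisfied. Accepting the assertion as soon as any one
 * restriction matches would admit an assertion the issuer also scoped to a different
 * relying party.
 *
 * @param identityProvider   identity provider that issued the assertion
 * @param conditions         the assertion's Conditions element
 * @param tokenEndpointAlias audience value the assertion must be restricted to
 * @param tenantDomain       tenant the validation runs in (used for diagnostics only)
 * @return {@code true} when every audience restriction names the alias
 * @throws IdentityOAuth2Exception if the alias or the restrictions are invalid, or the alias
 *         is missing from at least one restriction
 */
private boolean validateAudience(IdentityProvider identityProvider, Conditions conditions,
                                 String tokenEndpointAlias, String tenantDomain)
        throws IdentityOAuth2Exception {

    validateTokenEPAlias(identityProvider, tokenEndpointAlias, tenantDomain);
    List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
    validateAudienceRestriction(audienceRestrictions);

    // Conjunction over restrictions: the first one that does not name the alias fails the assertion.
    for (AudienceRestriction audienceRestriction : audienceRestrictions) {
        if (!namesAudience(audienceRestriction, tokenEndpointAlias)) {
            if (log.isDebugEnabled()) {
                log.debug("SAML Assertion Audience Restriction validation failed against the Audience : "
                        + tokenEndpointAlias + " of Identity Provider : "
                        + identityProvider.getIdentityProviderName() + " in tenant : " + tenantDomain);
            }
            throw new IdentityOAuth2Exception("SAML Assertion Audience Restriction validation failed");
        }
    }
    return true;
}

/**
 * Whether {@code restriction} lists {@code expectedAudience} among its audiences.
 * A restriction with no audiences names nobody and therefore returns {@code false}.
 */
private boolean namesAudience(AudienceRestriction restriction, String expectedAudience) {
    if (CollectionUtils.isEmpty(restriction.getAudiences())) {
        return false;
    }
    for (Audience audience : restriction.getAudiences()) {
        String uri = audience.getAudienceURI();
        // Null-safe: an empty <Audience/> element must fail the check, not throw an NPE.
        if (uri != null && uri.equals(expectedAudience)) {
            return true;
        }
    }
    return false;
}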
Conditions conditions = assertion.getConditions(); if (conditions != null) { List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions(); if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) { for (AudienceRestriction audienceRestriction : audienceRestrictions) {
if (audienceRequired && conditions.getAudienceRestrictions().size() == 0) { System.out.println("Assertion invalidated by missing audience restriction"); throw new SAMLException("SAML response is not valid"); for (AudienceRestriction rest : conditions.getAudienceRestrictions()) { if (rest.getAudiences().size() == 0) { System.out.println("No audit audience specified for the assertion");
protected void verifyAssertionConditions(Conditions conditions, SAMLMessageContext context, boolean audienceRequired) throws SAMLException { if (audienceRequired && (conditions == null || conditions.getAudienceRestrictions().size() == 0)) { throw new SAMLException("Assertion invalidated by missing Audience Restriction"); verifyAudience(context, conditions.getAudienceRestrictions());
org.opensaml.saml2.core.Conditions conditions = assertion.getSaml2().getConditions(); if (conditions != null && conditions.getAudienceRestrictions() != null && !conditions.getAudienceRestrictions().isEmpty()) { boolean foundAddress = false; for (org.opensaml.saml2.core.AudienceRestriction audienceRestriction : conditions.getAudienceRestrictions()) { if (audienceRestriction.getAudiences() != null) { List<org.opensaml.saml2.core.Audience> audiences =
Conditions conditions = assertion.getConditions(); if (conditions != null) { List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions(); if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) { boolean audienceFound = false;
Conditions conditions = assertion.getConditions(); if (conditions != null) { List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions(); if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) { for (AudienceRestriction audienceRestriction : audienceRestrictions) {
Conditions conditions = assertion.getConditions(); if (conditions != null) { List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions(); if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) { boolean audienceFound = false;
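/**
 * Builds a SAML 2.0 {@code <Assertion>} for {@code principal}.
 *
 * <p>The Subject is attached only when {@code status} reports success; the Issuer, an
 * AudienceRestriction naming the principal's service provider, an AuthnStatement and an
 * AttributeStatement are attached regardless. No signature is applied here.
 *
 * <p>NOTE(review): the Conditions carry an AudienceRestriction but no
 * NotBefore/NotOnOrAfter, so nothing in the assertion bounds its lifetime and a relying
 * party can only reject it on its own freshness rules. Adding a validity window is a
 * behaviour change that needs a TTL policy from the caller, so it is not done here.
 *
 * @param principal the authenticated principal and the SP-specific request details
 * @param status    authentication status; a Subject is set only for a success status code
 * @param entityId  this issuer's entity ID, used as Issuer and in the AuthnStatement
 * @return the populated assertion
 */
public static Assertion buildAssertion(SAMLPrincipal principal, Status status, String entityId) {
    // Single clock read so IssueInstant and the AuthnStatement instant agree exactly.
    DateTime now = new DateTime();

    Assertion assertion = buildSAMLObject(Assertion.class, Assertion.DEFAULT_ELEMENT_NAME);
    assertion.setID(randomSAMLId());
    assertion.setIssueInstant(now);
    assertion.setIssuer(buildIssuer(entityId));

    // Constant-first equals: a missing status value yields "not success" instead of an NPE.
    if (StatusCode.SUCCESS_URI.equals(status.getStatusCode().getValue())) {
        Subject subject = buildSubject(principal.getNameID(), principal.getNameIDType(),
                principal.getAssertionConsumerServiceURL(), principal.getRequestID());
        assertion.setSubject(subject);
    }

    // The audience restriction scopes the assertion to the requesting SP's entity ID.
    Audience audience = buildSAMLObject(Audience.class, Audience.DEFAULT_ELEMENT_NAME);
    audience.setAudienceURI(principal.getServiceProviderEntityID());
    AudienceRestriction audienceRestriction =
            buildSAMLObject(AudienceRestriction.class, AudienceRestriction.DEFAULT_ELEMENT_NAME);
    audienceRestriction.getAudiences().add(audience);
    Conditions conditions = buildSAMLObject(Conditions.class, Conditions.DEFAULT_ELEMENT_NAME);
    conditions.getAudienceRestrictions().add(audienceRestriction);
    assertion.setConditions(conditions);

    assertion.getAuthnStatements().add(buildAuthnStatement(now, entityId));
    assertion.getAttributeStatements().add(buildAttributeStatement(principal.getAttributes()));
    return assertion;
}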
// The same local is declared twice on this line, so these are evidently two separate
// excerpts (different methods or branches, not one scope). Each builds a single
// <AudienceRestriction> and attaches it to the assertion's Conditions: the first from a
// bare audience URI on the conditions bean, the second from a whole audience-restriction bean.
AudienceRestriction audienceRestriction = createAudienceRestriction(conditionsBean.getAudienceURI());
conditions.getAudienceRestrictions().add(audienceRestriction);
AudienceRestriction audienceRestriction = createAudienceRestriction(audienceRestrictionBean);
conditions.getAudienceRestrictions().add(audienceRestriction);
// Scope the assertion to the audience URI configured on the conditions bean by adding a
// single <AudienceRestriction>; createAudienceRestriction is defined outside this excerpt.
AudienceRestriction audienceRestriction = createAudienceRestriction(conditionsBean.getAudienceURI());
conditions.getAudienceRestrictions().add(audienceRestriction);
// Attach the restriction to the Conditions, then fill in its audience. The two adds mutate
// different lists, so their order is irrelevant; the end state is one restriction
// containing `audience` under `conditions`.
conditions.getAudienceRestrictions().add(audienceRestrictions);
audienceRestrictions.getAudiences().add(audience);
// Register the restriction on the Conditions and populate its audience list. Each add
// targets a distinct child list, so the order does not affect the resulting structure.
conditions.getAudienceRestrictions().add(audienceRestrictions);
audienceRestrictions.getAudiences().add(audience);