/**
 * Exposes the challenge currently held by the delegate handler.
 *
 * <p>This class does not build challenges itself; it only forwards whatever
 * {@code this.handler} reports.
 *
 * @return the handler's current {@link AuthChallenge}
 */
public AuthChallenge getChallenge() {
    final AuthChallenge pending = this.handler.getChallenge();
    return pending;
}
/**
 * Starts a fresh login attempt: records a newly created challenge on this
 * handler and reports that no authentication has been attempted yet.
 *
 * @return {@link AuthOutcome#NOT_ATTEMPTED}, always
 */
protected AuthOutcome initiateLogin() {
    this.challenge = createChallenge();
    return AuthOutcome.NOT_ATTEMPTED;
}
/**
 * Entry point for callers that carry no SAML parameters: delegates to
 * {@link #doHandle} with an empty invocation context (no SAMLRequest,
 * no SAMLResponse, no RelayState).
 *
 * @param onCreateSession callback passed through to {@link #doHandle}
 * @return the outcome reported by {@link #doHandle}
 */
@Override
public AuthOutcome handle(OnSessionCreated onCreateSession) {
    final SamlInvocationContext emptyContext = new SamlInvocationContext(null, null, null);
    return doHandle(emptyContext, onCreateSession);
}
}
/**
 * Dispatches one inbound call according to what the invocation context carries,
 * checked in this order: an inbound SAMLRequest, an inbound SAMLResponse, an
 * already logged-in session, and finally a fresh login.
 *
 * <p>Security note: a cached (already logged-in) session is only honoured when
 * {@code verifySSL()} returns {@code false}; a {@code true} result is mapped to
 * {@link AuthOutcome#FAILED}. That helper therefore appears to report
 * "SSL required but not present" — confirm against its definition before relying on it.
 *
 * @param context         parsed SAMLRequest / SAMLResponse / RelayState values (each may be null)
 * @param onCreateSession callback handed to the SAMLResponse path for newly created sessions
 * @return the outcome of handling this call
 */
public AuthOutcome doHandle(SamlInvocationContext context, OnSessionCreated onCreateSession) {
    final String inboundRequest = context.getSamlRequest();
    final String inboundResponse = context.getSamlResponse();
    final String relayState = context.getRelayState();

    if (inboundRequest != null) {
        return handleSamlRequest(inboundRequest, relayState);
    }

    if (inboundResponse != null) {
        return handleSamlResponse(inboundResponse, relayState, onCreateSession);
    }

    if (sessionStore.isLoggedIn()) {
        // Do not serve a cached session over a channel that fails the SSL check.
        if (verifySSL()) {
            return AuthOutcome.FAILED;
        }
        log.debug("AUTHENTICATED: was cached");
        return handleRequest();
    }

    return initiateLogin();
}
holder = extractRedirectBindingResponse(samlResponse); } else { postBinding = true; holder = extractPostBindingResponse(samlResponse); if (deployment.getIDP().getSingleSignOnService().validateResponseSignature()) { try { validateSamlSignature(holder, postBinding, GeneralConstants.SAML_RESPONSE_KEY); } catch (VerificationException e) { log.error("Failed to verify saml response signature", e); return handleLoginResponse(holder, postBinding, onCreateSession); } finally { sessionStore.setCurrentAction(SamlSessionStore.CurrentAction.NONE); if (deployment.getIDP().getSingleLogoutService().validateResponseSignature()) { try { validateSamlSignature(holder, postBinding, GeneralConstants.SAML_RESPONSE_KEY); } catch (VerificationException e) { log.error("Failed to verify saml response signature", e); return handleLogoutResponse(holder, statusResponse, relayState); } finally { sessionStore.setCurrentAction(SamlSessionStore.CurrentAction.NONE); if(checkStatusCodeValue(status.getStatusCode(), JBossSAMLURIConstants.STATUS_RESPONDER.get()) && checkStatusCodeValue(status.getStatusCode().getStatusCode(), JBossSAMLURIConstants.STATUS_NO_PASSIVE.get())){ log.debug("Not authenticated due passive mode Status found in SAML response: " + status.toString()); return AuthOutcome.NOT_AUTHENTICATED;
protected AuthOutcome handleLoginResponse(SAMLDocumentHolder responseHolder, boolean postBinding, OnSessionCreated onCreateSession) { final ResponseType responseType = (ResponseType) responseHolder.getSamlObject(); AssertionType assertion = null; if (! isSuccessfulSamlResponse(responseType) || responseType.getAssertions() == null || responseType.getAssertions().isEmpty()) { challenge = new AuthChallenge() { @Override return initiateLogin(); if (!AssertionUtil.isSignatureValid(getAssertionFromResponse(responseHolder), deployment.getIDP().getSignatureValidationKeyLocator())) { log.error("Failed to verify saml assertion signature"); for (AttributeStatementType.ASTChoiceType obj : attList) { AttributeType attr = obj.getAttribute(); if (isRole(attr)) { List<Object> attributeValues = attr.getAttributeValue(); if (attributeValues != null) { for (Object attrValue : attributeValues) { String role = getAttributeValue(attrValue); log.debugv("Add role: {0}", role); roles.add(role); if (attributeValues != null) { for (Object attrValue : attributeValues) { String value = getAttributeValue(attrValue); if (attr.getName() != null) { attributes.add(attr.getName(), value);
/**
 * Verifies the signature of an inbound SAML message against the IdP's configured
 * signature-validation keys.
 *
 * <p>HTTP-POST binding: the XML signature embedded in the document is verified.
 * HTTP-Redirect binding: the signature covers the query string, so the parameter
 * named by {@code paramKey} is verified, with the key chosen via the key id
 * extracted from the SAML object.
 *
 * @param holder      parsed SAML document and object
 * @param postBinding {@code true} for HTTP-POST, {@code false} for HTTP-Redirect
 * @param paramKey    query parameter holding the signed value (SAMLRequest or SAMLResponse)
 * @throws VerificationException if the signature does not verify
 */
private void validateSamlSignature(SAMLDocumentHolder holder, boolean postBinding, String paramKey)
        throws VerificationException {
    final KeyLocator idpKeys = deployment.getIDP().getSignatureValidationKeyLocator();
    if (!postBinding) {
        final String signingKeyId = getMessageSigningKeyId(holder.getSamlObject());
        verifyRedirectBindingSignature(paramKey, idpKeys, signingKeyId);
        return;
    }
    verifyPostBindingSignature(holder.getSamlDocument(), idpKeys);
}
/**
 * HTTP entry point: reads the first value of the SAMLRequest, SAMLResponse and
 * RelayState request parameters and hands them to {@link #doHandle}.
 *
 * @param onCreateSession callback passed through to {@link #doHandle}
 * @return the outcome reported by {@link #doHandle}
 */
@Override
public AuthOutcome handle(OnSessionCreated onCreateSession) {
    final String samlRequest = facade.getRequest().getFirstParam(GeneralConstants.SAML_REQUEST_KEY);
    final String samlResponse = facade.getRequest().getFirstParam(GeneralConstants.SAML_RESPONSE_KEY);
    final String relayState = facade.getRequest().getFirstParam(GeneralConstants.RELAY_STATE);
    final SamlInvocationContext context = new SamlInvocationContext(samlRequest, samlResponse, relayState);
    return doHandle(context, onCreateSession);
}
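/**
 * ECP/PAOS entry point.
 *
 * <p>When the PAOS header is present, the call is handled with an empty invocation
 * context. Otherwise the request body is read as a SOAP envelope, the first child of
 * its Body is lifted into a standalone DOM document, base64-encoded and handled as a
 * SAMLResponse.
 *
 * <p>NOTE(review): the request body is untrusted input parsed with the platform SAAJ
 * {@code MessageFactory}. This code does not configure the parser; confirm that the
 * SAAJ implementation in use rejects DTDs / external entities (XXE).
 *
 * @param onCreateSession callback passed through to {@link #doHandle}
 * @return the outcome reported by {@link #doHandle}
 * @throws RuntimeException wrapping any failure while reading or converting the SOAP body
 */
@Override
public AuthOutcome handle(OnSessionCreated onCreateSession) {
    final String paosHeader = facade.getRequest().getHeader(PAOS_HEADER);
    if (paosHeader != null) {
        return doHandle(new SamlInvocationContext(), onCreateSession);
    }
    try {
        final MessageFactory messageFactory = MessageFactory.newInstance();
        final SOAPMessage soapMessage =
                messageFactory.createMessage(null, facade.getRequest().getInputStream());
        final SOAPBody soapBody = soapMessage.getSOAPBody();
        // getFirstChild() returns null for an empty <Body/>; fail with a clear
        // message rather than letting importNode(null) throw an NPE.
        final Node payload = soapBody.getFirstChild();
        if (payload == null) {
            throw new IllegalStateException("SOAP Body is empty; expected a SAML element");
        }
        final Document document = DocumentUtil.createDocument();
        document.appendChild(document.importNode(payload, true));
        final String samlResponse = PostBindingUtil.base64Encode(DocumentUtil.asString(document));
        return doHandle(new SamlInvocationContext(null, samlResponse, null), onCreateSession);
    } catch (Exception e) {
        // Callers still see a RuntimeException as before; the message now says what
        // actually failed (no fault message is created here) and the cause is kept.
        throw new RuntimeException("Error processing SOAP message from request body.", e);
    }
}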
if (deployment.getIDP().getSingleLogoutService().validateRequestSignature()) { try { validateSamlSignature(holder, postBinding, GeneralConstants.SAML_REQUEST_KEY); } catch (VerificationException e) { log.error("Failed to verify saml request signature", e); return logoutRequest(logout, relayState);
/**
 * Runs the configured handler and completes authentication whenever the handler
 * reports a newly created {@link SamlSession}.
 *
 * @return the outcome reported by the handler
 */
public AuthOutcome authenticate() {
    log.debugf("SamlAuthenticator is using handler [%s]", this.handler);
    final OnSessionCreated completeOnCreate = new OnSessionCreated() {
        @Override
        public void onSessionCreated(SamlSession samlSession) {
            completeAuthentication(samlSession);
        }
    };
    return this.handler.handle(completeOnCreate);
}
return validateRedirectBindingSignatureForKey(sigAlg, rawQueryBytes, decodedSignature, key); if (validateRedirectBindingSignatureForKey(sigAlg, rawQueryBytes, decodedSignature, key)) { return true;
/**
 * Sends the AuthnRequest to the IdP's single-sign-on endpoint using the configured
 * request binding. Requests detected as bearer-only get a bare 401 instead of being
 * redirected to the IdP.
 *
 * @param httpFacade          the current request/response pair
 * @param authnRequestBuilder builder producing the AuthnRequest document
 * @param binding             binding builder used to encode the outgoing message
 * @throws ProcessingException    propagated from building or sending the request
 * @throws ConfigurationException propagated from building or sending the request
 * @throws IOException            propagated from writing the response
 */
@Override
protected void sendAuthnRequest(HttpFacade httpFacade, SAML2AuthnRequestBuilder authnRequestBuilder,
        BaseSAML2BindingBuilder binding) throws ProcessingException, ConfigurationException, IOException {
    if (isAutodetectedBearerOnly(httpFacade.getRequest())) {
        // Non-browser (bearer-only) clients are answered with a plain 401.
        httpFacade.getResponse().setStatus(401);
        httpFacade.getResponse().end();
        return;
    }
    final Document authnRequest = authnRequestBuilder.toDocument();
    final SamlDeployment.Binding requestBinding =
            deployment.getIDP().getSingleSignOnService().getRequestBinding();
    SamlUtil.sendSaml(true, httpFacade,
            deployment.getIDP().getSingleSignOnService().getRequestBindingUrl(),
            binding, authnRequest, requestBinding);
}
};
if (! validateRedirectBindingSignature(signatureAlgorithm, rawQueryBytes, decodedSignature, keyLocator, keyId)) { throw new VerificationException("Invalid query param signature");