public static Response wrapAssertionIntoResponse(Assertion assertion, String assertionIssuer) { Response response = new ResponseBuilder().buildObject(); Issuer issuer = new IssuerBuilder().buildObject(); issuer.setValue(assertionIssuer); response.setIssuer(issuer); response.setID("id-" + System.currentTimeMillis()); Status stat = new StatusBuilder().buildObject(); // Set the status code StatusCode statCode = new StatusCodeBuilder().buildObject(); statCode.setValue("urn:oasis:names:tc:SAML:2.0:status:Success"); stat.setStatusCode(statCode); // Set the status Message StatusMessage statMesssage = new StatusMessageBuilder().buildObject(); statMesssage.setMessage(null); stat.setStatusMessage(statMesssage); response.setStatus(stat); response.setVersion(SAMLVersion.VERSION_20); response.setIssueInstant(new DateTime()); response.getAssertions().add(assertion); //XMLHelper.adoptElement(assertion.getDOM(), assertion.getDOM().getOwnerDocument()); return response; }
private void buildCommonAttributes(String localEntityId, Response response, Endpoint service, AuthnRequest authnRequest) { response.setID(generateID()); response.setIssuer(getIssuer(localEntityId)); response.setInResponseTo(authnRequest.getID()); response.setVersion(SAMLVersion.VERSION_20); response.setIssueInstant(new DateTime()); if (service != null) { response.setDestination(service.getLocation()); } }
private void buildStatus(Response response, String statusCodeStr) { @SuppressWarnings("unchecked") SAMLObjectBuilder<StatusCode> statusCodeBuilder = (SAMLObjectBuilder<StatusCode>) builderFactory .getBuilder(StatusCode.DEFAULT_ELEMENT_NAME); StatusCode statusCode = statusCodeBuilder.buildObject(); statusCode.setValue(statusCodeStr); @SuppressWarnings("unchecked") SAMLObjectBuilder<Status> statusBuilder = (SAMLObjectBuilder<Status>) builderFactory .getBuilder(Status.DEFAULT_ELEMENT_NAME); Status status = statusBuilder.buildObject(); status.setStatusCode(statusCode); response.setStatus(status); }
@Test public void testBuildResponse() throws MessageEncodingException, SAMLException, MetadataProviderException, SecurityException, MarshallingException, SignatureException { String authenticationId = UUID.randomUUID().toString(); Authentication authentication = samlTestUtils.mockUaaAuthentication(authenticationId); SAMLMessageContext context = samlTestUtils.mockSamlMessageContext(); IdpWebSSOProfileOptions options = new IdpWebSSOProfileOptions(); options.setAssertionsSigned(false); profile.buildResponse(authentication, context, options); AuthnRequest request = (AuthnRequest) context.getInboundSAMLMessage(); Response response = (Response) context.getOutboundSAMLMessage(); assertEquals(request.getID(), response.getInResponseTo()); Assertion assertion = response.getAssertions().get(0); Subject subject = assertion.getSubject(); assertEquals("marissa", subject.getNameID().getValue()); assertEquals(NameIDType.UNSPECIFIED, subject.getNameID().getFormat()); SubjectConfirmation subjectConfirmation = subject.getSubjectConfirmations().get(0); SubjectConfirmationData subjectConfirmationData = subjectConfirmation.getSubjectConfirmationData(); assertEquals(request.getID(), subjectConfirmationData.getInResponseTo()); verifyAssertionAttributes(authenticationId, assertion); }
profile.buildResponse(authentication, context, options); Response response = (Response) context.getOutboundSAMLMessage(); Assertion assertion = response.getAssertions().get(0); DateTime until = new DateTime().plusHours(1); assertion.getSubject().getSubjectConfirmations().get(0).getSubjectConfirmationData().setRecipient(spEndpoint); assertion.getConditions().getAudienceRestrictions().get(0).getAudiences().get(0).setAudienceURI(audienceEntityID); assertion.getIssuer().setValue(issuerEntityId); assertion.getSubject().getNameID().setValue(username); assertion.getSubject().getNameID().setFormat(format); assertion.getSubject().getSubjectConfirmations().get(0).getSubjectConfirmationData().setInResponseTo(null); assertion.getSubject().getSubjectConfirmations().get(0).getSubjectConfirmationData().setNotOnOrAfter(until); assertion.getConditions().setNotOnOrAfter(until); SamlConfig config = new SamlConfig(); config.addAndActivateKey("active-key", new SamlKey(privateKey, keyPassword, certificate)); signature.setSigningCredential(defaultCredential); SecurityHelper.prepareSignatureParams(signature, defaultCredential, null, null); assertion.setSignature(signature); Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(assertion); marshaller.marshall(assertion);
if(null != authnRequest.getSubject() && null != authnRequest.getSubject().getNameID() && null != authnRequest.getSubject().getNameID().getFormat()){ nameIDFormat = authnRequest.getSubject().getNameID().getFormat(); switch (nameIDFormat) { case NameIDType.EMAIL: nameID.setValue(nameIdStr); nameID.setFormat(nameIDFormat); subject.setNameID(nameID); .getBuilder(SubjectConfirmation.DEFAULT_ELEMENT_NAME); SubjectConfirmation subjectConfirmation = subjectConfirmationBuilder.buildObject(); subjectConfirmation.setMethod(SubjectConfirmation.METHOD_BEARER); SubjectConfirmationData subjectConfirmationData = subjectConfirmationDataBuilder.buildObject(); subjectConfirmationData.setNotOnOrAfter(new DateTime().plusSeconds(assertionTtlSeconds)); subjectConfirmationData.setInResponseTo(authnRequest.getID()); subjectConfirmationData.setRecipient(authnRequest.getAssertionConsumerServiceURL()); subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData); subject.getSubjectConfirmations().add(subjectConfirmation); assertion.setSubject(subject);
public AuthnRequest buildIdpInitiatedAuthnRequest(String nameIDFormat, String spEntityID, String assertionUrl) { @SuppressWarnings("unchecked") SAMLObjectBuilder<AuthnRequest> builder = (SAMLObjectBuilder<AuthnRequest>) builderFactory .getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME); AuthnRequest request = builder.buildObject(); request.setVersion(SAMLVersion.VERSION_20); request.setID(generateID()); request.setIssuer(getIssuer(spEntityID)); request.setVersion(SAMLVersion.VERSION_20); request.setIssueInstant(new DateTime()); request.setID(null); request.setAssertionConsumerServiceURL(assertionUrl); if (null != nameIDFormat) { NameID nameID = ((SAMLObjectBuilder<NameID>) builderFactory.getBuilder(NameID.DEFAULT_ELEMENT_NAME)).buildObject(); nameID.setFormat(nameIDFormat); Subject subject = ((SAMLObjectBuilder<Subject>) builderFactory.getBuilder(Subject.DEFAULT_ELEMENT_NAME)).buildObject(); subject.setNameID(nameID); request.setSubject(subject); } return request; }
private void buildAssertionConditions(Assertion assertion, int assertionTtlSeconds, String audienceURI) { @SuppressWarnings("unchecked") SAMLObjectBuilder<Conditions> conditionsBuilder = (SAMLObjectBuilder<Conditions>) builderFactory .getBuilder(Conditions.DEFAULT_ELEMENT_NAME); Conditions conditions = conditionsBuilder.buildObject(); conditions.setNotBefore(new DateTime()); conditions.setNotOnOrAfter(new DateTime().plusSeconds(assertionTtlSeconds)); @SuppressWarnings("unchecked") SAMLObjectBuilder<AudienceRestriction> audienceRestrictionBuilder = (SAMLObjectBuilder<AudienceRestriction>) builderFactory .getBuilder(AudienceRestriction.DEFAULT_ELEMENT_NAME); AudienceRestriction audienceRestriction = audienceRestrictionBuilder.buildObject(); @SuppressWarnings("unchecked") SAMLObjectBuilder<Audience> audienceBuilder = (SAMLObjectBuilder<Audience>) builderFactory .getBuilder(Audience.DEFAULT_ELEMENT_NAME); Audience audience = audienceBuilder.buildObject(); audience.setAudienceURI(audienceURI); audienceRestriction.getAudiences().add(audience); conditions.getAudienceRestrictions().add(audienceRestriction); assertion.setConditions(conditions); }
private void buildAssertionAuthnStatement(Assertion assertion) { @SuppressWarnings("unchecked") SAMLObjectBuilder<AuthnStatement> authnStatementBuilder = (SAMLObjectBuilder<AuthnStatement>) builderFactory .getBuilder(AuthnStatement.DEFAULT_ELEMENT_NAME); AuthnStatement authnStatement = authnStatementBuilder.buildObject(); authnStatement.setAuthnInstant(new DateTime()); authnStatement.setSessionIndex(generateID()); @SuppressWarnings("unchecked") SAMLObjectBuilder<AuthnContext> authnContextBuilder = (SAMLObjectBuilder<AuthnContext>) builderFactory .getBuilder(AuthnContext.DEFAULT_ELEMENT_NAME); AuthnContext authnContext = authnContextBuilder.buildObject(); @SuppressWarnings("unchecked") SAMLObjectBuilder<AuthnContextClassRef> authnContextClassRefBuilder = (SAMLObjectBuilder<AuthnContextClassRef>) builderFactory .getBuilder(AuthnContextClassRef.DEFAULT_ELEMENT_NAME); AuthnContextClassRef authnContextClassRef = authnContextClassRefBuilder.buildObject(); authnContextClassRef.setAuthnContextClassRef(AuthnContext.PASSWORD_AUTHN_CTX); authnContext.setAuthnContextClassRef(authnContextClassRef); authnStatement.setAuthnContext(authnContext); assertion.getAuthnStatements().add(authnStatement); }
public MultiValueMap<String, String> retrieveUserAttributes(SamlIdentityProviderDefinition definition, SAMLCredential credential) { logger.debug(String.format("Retrieving SAML user attributes [zone:%s, origin:%s]", definition.getZoneId(), definition.getIdpEntityAlias())); MultiValueMap<String, String> userAttributes = new LinkedMultiValueMap<>(); if (definition != null && definition.getAttributeMappings() != null) { for (Entry<String, Object> attributeMapping : definition.getAttributeMappings().entrySet()) { if (attributeMapping.getValue() instanceof String) { if (credential.getAttribute((String)attributeMapping.getValue()) != null) { String key = attributeMapping.getKey(); for (XMLObject xmlObject : credential.getAttribute((String) attributeMapping.getValue()).getAttributeValues()) { String value = getStringValue(key, definition, xmlObject); if (value!=null) { userAttributes.add(key, value); } } } } } } if (credential.getAuthenticationAssertion() != null && credential.getAuthenticationAssertion().getAuthnStatements() != null) { for (AuthnStatement statement : credential.getAuthenticationAssertion().getAuthnStatements()) { if (statement.getAuthnContext() != null && statement.getAuthnContext().getAuthnContextClassRef() != null) { userAttributes.add(AUTHENTICATION_CONTEXT_CLASS_REFERENCE, statement.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef()); } } } return userAttributes; }
Boolean emailVerified) { NameID usernameID = mock(NameID.class); when(usernameID.getValue()).thenReturn(username); when(contextClassRef.getAuthnContextClassRef()).thenReturn(AuthnContext.PASSWORD_AUTHN_CTX); when(authenticationContext.getAuthnContextClassRef()).thenReturn(contextClassRef); when(statement.getAuthnContext()).thenReturn(authenticationContext); when(authenticationAssertion.getAuthnStatements()).thenReturn(Arrays.asList(statement));
private void verifyAssertionAttributes(String authenticationId, Assertion assertion) { List<Attribute> attributes = assertion.getAttributeStatements().get(0).getAttributes(); assertAttributeValue(attributes, "email", "marissa@testing.org"); assertAttributeValue(attributes, "id", authenticationId); assertAttributeValue(attributes, "name", "marissa"); assertAttributeValue(attributes, "origin", OriginKeys.UAA); assertAttributeValue(attributes, "zoneId", "uaa"); }
private void assertAttributeValue(List<Attribute> attributeList, String name, String... expectedValue) { for (Attribute attribute : attributeList) { if (attribute.getName().equals(name)) { List<XMLObject> xsString = attribute.getAttributeValues(); List<String> attributeValues = xsString.stream().map(xs -> ((XSString)xs).getValue()).collect(Collectors.toList()); assertThat(String.format("Attribute mismatch for '%s'.", name), attributeValues, containsInAnyOrder(expectedValue)); return; } } Assert.fail(String.format("No attribute value with name of '%s'.", name)); }
public Issuer getIssuer(String localEntityId) { @SuppressWarnings("unchecked") SAMLObjectBuilder<Issuer> issuerBuilder = (SAMLObjectBuilder<Issuer>) builderFactory .getBuilder(Issuer.DEFAULT_ELEMENT_NAME); Issuer issuer = issuerBuilder.buildObject(); issuer.setValue(localEntityId); return issuer; }
private Response createResponse(SAMLMessageContext context, AssertionConsumerService assertionConsumerService, Assertion assertion, AuthnRequest authnRequest) { @SuppressWarnings("unchecked") SAMLObjectBuilder<Response> responseBuilder = (SAMLObjectBuilder<Response>) builderFactory .getBuilder(Response.DEFAULT_ELEMENT_NAME); Response response = responseBuilder.buildObject(); buildCommonAttributes(context.getLocalEntityId(), response, assertionConsumerService, authnRequest); response.getAssertions().add(assertion); buildStatusSuccess(response); return response; }
@Test public void testBuildResponseForSamlRequestWithPersistentNameID() throws Exception { String authenticationId = UUID.randomUUID().toString(); Authentication authentication = samlTestUtils.mockUaaAuthentication(authenticationId); SAMLMessageContext context = samlTestUtils.mockSamlMessageContext(samlTestUtils.mockAuthnRequest(NameIDType.PERSISTENT)); IdpWebSSOProfileOptions options = new IdpWebSSOProfileOptions(); options.setAssertionsSigned(false); profile.buildResponse(authentication, context, options); AuthnRequest request = (AuthnRequest) context.getInboundSAMLMessage(); Response response = (Response) context.getOutboundSAMLMessage(); Assertion assertion = response.getAssertions().get(0); Subject subject = assertion.getSubject(); assertEquals(authenticationId, subject.getNameID().getValue()); assertEquals(NameIDType.PERSISTENT, subject.getNameID().getFormat()); SubjectConfirmation subjectConfirmation = subject.getSubjectConfirmations().get(0); SubjectConfirmationData subjectConfirmationData = subjectConfirmation.getSubjectConfirmationData(); assertEquals(request.getID(), subjectConfirmationData.getInResponseTo()); verifyAssertionAttributes(authenticationId, assertion); }
public AuthnRequest mockAuthnRequest(String nameIDFormat) { @SuppressWarnings("unchecked") SAMLObjectBuilder<AuthnRequest> builder = (SAMLObjectBuilder<AuthnRequest>) builderFactory .getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME); AuthnRequest request = builder.buildObject(); request.setVersion(SAMLVersion.VERSION_20); request.setID(generateID()); request.setIssuer(getIssuer(SP_ENTITY_ID)); request.setVersion(SAMLVersion.VERSION_20); request.setIssueInstant(new DateTime()); if (null != nameIDFormat) { NameID nameID = ((SAMLObjectBuilder<NameID>) builderFactory.getBuilder(NameID.DEFAULT_ELEMENT_NAME)) .buildObject(); nameID.setFormat(nameIDFormat); Subject subject = ((SAMLObjectBuilder<Subject>) builderFactory.getBuilder(Subject.DEFAULT_ELEMENT_NAME)) .buildObject(); subject.setNameID(nameID); request.setSubject(subject); } return request; }
@Test public void testBuildResponseForSamlRequestWithEmailAddressNameID() throws MessageEncodingException, SAMLException, MetadataProviderException, SecurityException, MarshallingException, SignatureException { String authenticationId = UUID.randomUUID().toString(); Authentication authentication = samlTestUtils.mockUaaAuthentication(authenticationId); SAMLMessageContext context = samlTestUtils.mockSamlMessageContext( samlTestUtils.mockAuthnRequest(NameIDType.EMAIL)); IdpWebSSOProfileOptions options = new IdpWebSSOProfileOptions(); options.setAssertionsSigned(false); profile.buildResponse(authentication, context, options); AuthnRequest request = (AuthnRequest) context.getInboundSAMLMessage(); Response response = (Response) context.getOutboundSAMLMessage(); Assertion assertion = response.getAssertions().get(0); Subject subject = assertion.getSubject(); assertEquals("marissa@testing.org", subject.getNameID().getValue()); assertEquals(NameIDType.EMAIL, subject.getNameID().getFormat()); SubjectConfirmation subjectConfirmation = subject.getSubjectConfirmations().get(0); SubjectConfirmationData subjectConfirmationData = subjectConfirmation.getSubjectConfirmationData(); assertEquals(request.getID(), subjectConfirmationData.getInResponseTo()); verifyAssertionAttributes(authenticationId, assertion); }
@Test public void testBuildResponseWithSignedAssertion() throws MessageEncodingException, SAMLException, MetadataProviderException, SecurityException, MarshallingException, SignatureException { String authenticationId = UUID.randomUUID().toString(); Authentication authentication = samlTestUtils.mockUaaAuthentication(authenticationId); SAMLMessageContext context = samlTestUtils.mockSamlMessageContext(); IdpWebSSOProfileOptions options = new IdpWebSSOProfileOptions(); options.setAssertionsSigned(true); profile.buildResponse(authentication, context, options); AuthnRequest request = (AuthnRequest) context.getInboundSAMLMessage(); Response response = (Response) context.getOutboundSAMLMessage(); Assertion assertion = response.getAssertions().get(0); Subject subject = assertion.getSubject(); assertEquals("marissa", subject.getNameID().getValue()); SubjectConfirmation subjectConfirmation = subject.getSubjectConfirmations().get(0); SubjectConfirmationData subjectConfirmationData = subjectConfirmation.getSubjectConfirmationData(); assertEquals(request.getID(), subjectConfirmationData.getInResponseTo()); verifyAssertionAttributes(authenticationId, assertion); assertNotNull(assertion.getSignature()); }
@Test public void testBuildResponseForSamlRequestWithUnspecifiedNameID() throws MessageEncodingException, SAMLException, MetadataProviderException, SecurityException, MarshallingException, SignatureException { String authenticationId = UUID.randomUUID().toString(); Authentication authentication = samlTestUtils.mockUaaAuthentication(authenticationId); SAMLMessageContext context = samlTestUtils.mockSamlMessageContext( samlTestUtils.mockAuthnRequest(NameIDType.UNSPECIFIED)); IdpWebSSOProfileOptions options = new IdpWebSSOProfileOptions(); options.setAssertionsSigned(false); profile.buildResponse(authentication, context, options); AuthnRequest request = (AuthnRequest) context.getInboundSAMLMessage(); Response response = (Response) context.getOutboundSAMLMessage(); Assertion assertion = response.getAssertions().get(0); Subject subject = assertion.getSubject(); assertEquals("marissa", subject.getNameID().getValue()); assertEquals(NameIDType.UNSPECIFIED, subject.getNameID().getFormat()); SubjectConfirmation subjectConfirmation = subject.getSubjectConfirmations().get(0); SubjectConfirmationData subjectConfirmationData = subjectConfirmation.getSubjectConfirmationData(); assertEquals(request.getID(), subjectConfirmationData.getInResponseTo()); verifyAssertionAttributes(authenticationId, assertion); }