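/**
 * Determines whether the given SingleSignOn service endpoint can be used together with this profile.
 * Only the HTTP-POST and HTTP-Redirect bindings are accepted for WebSSO. The HTTP-Artifact binding is
 * NOT accepted: the previous version of this Javadoc listed Artifact as supported, which the
 * implementation does not (and did not) do, so the documentation is corrected here rather than the code.
 *
 * @param endpoint endpoint whose Binding attribute is compared against the supported binding URIs
 * @return true if the endpoint's binding is HTTP-POST or HTTP-Redirect, false otherwise
 * @throws MetadataProviderException declared by the overridden signature; this implementation never
 *         throws it because the check needs no metadata lookup
 */
@Override
protected boolean isEndpointSupported(SingleSignOnService endpoint) throws MetadataProviderException {
    String binding = endpoint.getBinding();
    return SAML2_POST_BINDING_URI.equals(binding) || SAML2_REDIRECT_BINDING_URI.equals(binding);
}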
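/**
 * Resolves the AssertionConsumerService URL of a service provider from its registered metadata.
 * The ACS flagged {@code isDefault="true"} wins; when none is flagged, the first declared ACS is used.
 * <p>
 * NOTE(review): this location is where the (signed) SAML Response is delivered, so it is taken
 * exclusively from the SP metadata held by {@code metadataManager}; nothing here consults the request.
 *
 * @param sp entityID of the service provider to look up
 * @return location of the chosen AssertionConsumerService
 * @throws MetadataProviderException if the metadata manager yields no descriptor for {@code sp},
 *         the descriptor has no SAML 2.0 SPSSODescriptor, or no AssertionConsumerService is declared.
 *         (Previously these cases surfaced as NullPointerException / IndexOutOfBoundsException.)
 */
public String getAssertionConsumerURL(String sp) throws MetadataProviderException {
    EntityDescriptor entityDescriptor = metadataManager.getEntityDescriptor(sp);
    if (entityDescriptor == null) {
        throw new MetadataProviderException("No metadata found for service provider " + sp);
    }
    SPSSODescriptor spssoDescriptor = entityDescriptor.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
    if (spssoDescriptor == null) {
        throw new MetadataProviderException("Metadata for " + sp + " contains no SAML 2.0 SPSSODescriptor");
    }
    List<AssertionConsumerService> services = spssoDescriptor.getAssertionConsumerServices();
    if (services == null || services.isEmpty()) {
        throw new MetadataProviderException("Metadata for " + sp + " declares no AssertionConsumerService");
    }
    // Prefer the ACS marked as default; fall back to the first one listed.
    return services.stream()
        .filter(AssertionConsumerService::isDefault)
        .findFirst()
        .orElseGet(() -> services.get(0))
        .getLocation();
}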
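/**
 * Recursively walks an EntitiesDescriptor tree and hands every EntityDescriptor found to
 * {@link #addDescriptor}, which appends its entityID to {@code result}. Nested EntitiesDescriptor
 * children are visited (depth-first) before the direct EntityDescriptor children.
 *
 * @param result      list the discovered entityIDs are appended to
 * @param descriptors root of the metadata tree to walk
 * @throws MetadataProviderException propagated from {@link #addDescriptor}
 */
private void addDescriptors(List<String> result, EntitiesDescriptor descriptors) throws MetadataProviderException {
    // Fix: the original two-argument call had no '{}' placeholder, so the ID argument was never rendered
    // in the log line (parameterized SLF4J/Log4j2-style logging is assumed from the call shape).
    log.debug("Found metadata EntitiesDescriptor with ID {}", descriptors.getID());
    if (descriptors.getEntitiesDescriptors() != null) {
        for (EntitiesDescriptor nested : descriptors.getEntitiesDescriptors()) {
            addDescriptors(result, nested);
        }
    }
    if (descriptors.getEntityDescriptors() != null) {
        for (EntityDescriptor entity : descriptors.getEntityDescriptors()) {
            addDescriptor(result, entity);
        }
    }
}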
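/**
 * Returns the entityID of the single entity this provider describes.
 * <p>
 * Accepts either a bare EntityDescriptor or an EntitiesDescriptor that has exactly one direct
 * EntityDescriptor child. Only direct children are counted: nested EntitiesDescriptor elements
 * are not inspected.
 *
 * @return the entityID of the provider's sole entity
 * @throws MetadataProviderException if the provider currently holds no metadata, if an
 *         EntitiesDescriptor does not contain exactly one EntityDescriptor, or if the root object
 *         is of an unexpected type
 */
default String getEntityID() throws MetadataProviderException {
    fetchMetadata();
    XMLObject metadata = doGetMetadata();
    if (metadata == null) {
        // doGetMetadata() may yield null for a provider that holds no metadata (e.g. not yet loaded);
        // report that as a metadata problem instead of an NPE on getClass() below.
        throw new MetadataProviderException("Metadata provider does not currently contain any metadata");
    }
    if (metadata instanceof EntityDescriptor) {
        return ((EntityDescriptor) metadata).getEntityID();
    }
    if (metadata instanceof EntitiesDescriptor) {
        EntitiesDescriptor desc = (EntitiesDescriptor) metadata;
        int count = desc.getEntityDescriptors().size();
        if (count != 1) {
            throw new MetadataProviderException("Invalid metadata. Number of descriptors must be 1, but is " + count);
        }
        return desc.getEntityDescriptors().get(0).getEntityID();
    }
    throw new MetadataProviderException("Unknown descriptor class:" + metadata.getClass().getName());
}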
/**
 * Generates the local metadata and stamps the descriptor's ID with an NCName-safe form of its entityID.
 *
 * @return the generated EntityDescriptor with its ID attribute set
 */
@Override
public EntityDescriptor generateMetadata() {
    EntityDescriptor descriptor = super.generateMetadata();
    // XML IDs must be NCNames; an entityID (typically a URL) is not, so it is converted first.
    String ncNameId = SAMLUtil.getNCNameString(descriptor.getEntityID());
    descriptor.setID(ncNameId);
    return descriptor;
}
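/**
 * Parses the entityID from the descriptor and appends it to the result set.
 * <p>
 * NOTE(review): this method performs NO signature validation. The earlier Javadoc stated that
 * "signatures on all found entities are verified using the given policy and trust engine", but no
 * policy, trust engine or signature check is involved in this body. Any metadata signature
 * verification has to happen elsewhere (e.g. in the provider/filter chain) before descriptors
 * reach this method; do not rely on this method for it.
 *
 * @param result result set the entityID is appended to
 * @param descriptor descriptor to parse
 * @throws MetadataProviderException declared for consistency with the caller; this body never throws it
 */
private void addDescriptor(List<String> result, EntityDescriptor descriptor) throws MetadataProviderException {
    String entityID = descriptor.getEntityID();
    // Fix: the original call had no '{}' placeholder, so the entityID argument was never rendered.
    log.debug("Found metadata EntityDescriptor with ID {}", entityID);
    result.add(entityID);
}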
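/**
 * The generated IdP metadata must list its SingleSignOnService endpoints in a fixed order:
 * HTTP-POST first, HTTP-Redirect second.
 */
@Test
public void bindingOrderSSOList() {
    IdentityZoneHolder.set(otherZone);
    IDPSSODescriptor idpSSODescriptor = generator.buildIDPSSODescriptor(
        generator.getEntityBaseURL(),
        generator.getEntityAlias(),
        false,
        Arrays.asList("email")
    );
    // Stray ';;' (empty statements) after each assertion removed.
    assertEquals(SAML2_POST_BINDING_URI, idpSSODescriptor.getSingleSignOnServices().get(0).getBinding());
    assertEquals(SAML2_REDIRECT_BINDING_URI, idpSSODescriptor.getSingleSignOnServices().get(1).getBinding());
}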
/**
 * Builds a metadata KeyDescriptor for the given key usage, wrapping the supplied KeyInfo.
 *
 * @param type usage the key is advertised for (signing / encryption)
 * @param key  KeyInfo element describing the key material
 * @return a new KeyDescriptor with use and KeyInfo set
 */
protected KeyDescriptor getKeyDescriptor(UsageType type, KeyInfo key) {
    @SuppressWarnings("unchecked")
    SAMLObjectBuilder<KeyDescriptor> keyDescriptorBuilder = (SAMLObjectBuilder<KeyDescriptor>)
        Configuration.getBuilderFactory().getBuilder(KeyDescriptor.DEFAULT_ELEMENT_NAME);
    KeyDescriptor result = keyDescriptorBuilder.buildObject();
    result.setKeyInfo(key);
    result.setUse(type);
    return result;
}
/**
 * The generated IdP metadata must never advertise an HTTP-Artifact SingleSignOnService endpoint.
 */
@Test
public void artifactBindingNotInSSOList() throws Exception {
    IdentityZoneHolder.set(otherZone);
    IDPSSODescriptor descriptor = generator.buildIDPSSODescriptor(
        generator.getEntityBaseURL(), generator.getEntityAlias(), false, Arrays.asList("email"));
    // No SSO endpoint may carry the Artifact binding URI.
    assertThat(descriptor.getSingleSignOnServices(),
        not(hasItem(hasProperty("binding", equalTo(SAML2_ARTIFACT_BINDING_URI)))));
}
/**
 * Builds a SAMLMessageContext for tests in which this side plays the IdP and the peer is the SP
 * whose AuthnRequest is supplied. Local/peer entity IDs, roles, metadata and role descriptors are
 * filled from the mock metadata helpers, and the local signing credential is loaded from the test
 * key material.
 *
 * @param authnRequest the inbound AuthnRequest to place on the context
 * @return a fully populated context
 */
@SuppressWarnings("unchecked")
public SAMLMessageContext mockSamlMessageContext(AuthnRequest authnRequest) {
    EntityDescriptor idp = mockIdpMetadata();
    EntityDescriptor sp = mockSpMetadata();

    // Signing credential for the fake IdP, built from the test private key / certificate constants.
    SamlConfig samlConfig = new SamlConfig();
    samlConfig.setPrivateKey(PROVIDER_PRIVATE_KEY);
    samlConfig.setPrivateKeyPassword(PROVIDER_PRIVATE_KEY_PASSWORD);
    samlConfig.setCertificate(PROVIDER_CERTIFICATE);
    KeyManager keys = SamlKeyManagerFactory.getKeyManager(samlConfig);

    SAMLMessageContext ctx = new SAMLMessageContext();
    // Local side: the IdP.
    ctx.setLocalEntityId(IDP_ENTITY_ID);
    ctx.setLocalEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
    ctx.setLocalEntityMetadata(idp);
    ctx.setLocalEntityRoleMetadata(idp.getIDPSSODescriptor(SAML20P_NS));
    // Peer side: the SP.
    ctx.setPeerEntityId(SP_ENTITY_ID);
    ctx.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
    ctx.setPeerEntityMetadata(sp);
    ctx.setPeerEntityRoleMetadata(sp.getSPSSODescriptor(SAML20P_NS));

    ctx.setInboundSAMLMessage(authnRequest);
    ctx.setLocalSigningCredential(keys.getDefaultCredential());
    return ctx;
}
/**
 * Builds a SingleSignOnService metadata element whose Location is the server URL derived from
 * the base URL, alias and filter path, and whose Binding is the given binding URI.
 *
 * @param entityBaseURL base URL of this entity
 * @param entityAlias   alias used in the endpoint path
 * @param filterURL     path of the filter that serves the endpoint
 * @param binding       SAML binding URI advertised for the endpoint
 * @return a new SingleSignOnService element
 */
protected SingleSignOnService getSingleSignOnService(String entityBaseURL, String entityAlias, String filterURL, String binding) {
    @SuppressWarnings("unchecked")
    SAMLObjectBuilder<SingleSignOnService> ssoBuilder = (SAMLObjectBuilder<SingleSignOnService>)
        builderFactory.getBuilder(SingleSignOnService.DEFAULT_ELEMENT_NAME);
    SingleSignOnService ssoService = ssoBuilder.buildObject();
    String location = getServerURL(entityBaseURL, entityAlias, filterURL);
    ssoService.setBinding(binding);
    ssoService.setLocation(location);
    return ssoService;
}
/**
 * Builds a SingleLogoutService metadata element located at the SAML logout filter path of this
 * entity and advertising the given binding.
 *
 * @param entityBaseURL base URL of this entity
 * @param entityAlias   alias used in the endpoint path
 * @param binding       SAML binding URI advertised for the endpoint
 * @return a new SingleLogoutService element
 */
protected SingleLogoutService getSingleLogoutService(String entityBaseURL, String entityAlias, String binding) {
    @SuppressWarnings("unchecked")
    SAMLObjectBuilder<SingleLogoutService> sloBuilder = (SAMLObjectBuilder<SingleLogoutService>)
        builderFactory.getBuilder(SingleLogoutService.DEFAULT_ELEMENT_NAME);
    SingleLogoutService sloService = sloBuilder.buildObject();
    // The logout endpoint always lives under the SAML logout filter path.
    String location = getServerURL(entityBaseURL, entityAlias, getSAMLLogoutFilterPath());
    sloService.setBinding(binding);
    sloService.setLocation(location);
    return sloService;
}
/**
 * Builds the SAML Response for an authenticated user and places it on the context as the
 * outbound (SAML) message.
 * <p>
 * The target AssertionConsumerService is resolved via {@code getAssertionConsumerService} from the
 * profile options and both role descriptors, and recorded on the context as the peer endpoint.
 * The assertion is signed when either the profile options require it or the SP metadata's
 * WantAssertionsSigned flag is set.
 *
 * @param authentication the authenticated principal the assertion is issued for
 * @param context        message context carrying local/peer metadata and the inbound AuthnRequest
 * @param options        IdP WebSSO profile options
 * @throws MetadataProviderException, SecurityException, MarshallingException, SignatureException,
 *         SAMLException propagated from ACS resolution, assertion building, signing and response creation
 */
@SuppressWarnings("unchecked")
protected void buildResponse(Authentication authentication, SAMLMessageContext context, IdpWebSSOProfileOptions options)
    throws MetadataProviderException, SecurityException, MarshallingException, SignatureException, SAMLException {
    IDPSSODescriptor idp = (IDPSSODescriptor) context.getLocalEntityRoleMetadata();
    SPSSODescriptor sp = (SPSSODescriptor) context.getPeerEntityRoleMetadata();
    AuthnRequest request = (AuthnRequest) context.getInboundSAMLMessage();

    AssertionConsumerService acs = getAssertionConsumerService(options, idp, sp);
    context.setPeerEntityEndpoint(acs);

    Assertion assertion = buildAssertion(authentication, request, options, context.getPeerEntityId(), context.getLocalEntityId());
    // Sign if our options demand it, or (short-circuit) if the SP's metadata asks for signed assertions.
    boolean mustSignAssertion = options.isAssertionsSigned() || sp.getWantAssertionsSigned();
    if (mustSignAssertion) {
        signAssertion(assertion, context.getLocalSigningCredential());
    }

    Response response = createResponse(context, acs, assertion, request);
    context.setOutboundMessage(response);
    context.setOutboundSAMLMessage(response);
}
/**
 * Decides whether a global (single) logout can be attempted for the authenticated user: true only
 * if the IdP that issued the credential advertises at least one SingleLogoutService in its metadata.
 * Any metadata lookup failure is logged at debug level and treated as "no global logout".
 *
 * @param request current request; the local/peer entity IDs are set as attributes so the context
 *                provider can resolve both sides' metadata
 * @param auth    authentication whose credentials must be a SAMLCredential
 * @return true if the peer IdP has a SingleLogoutService, false otherwise or on metadata errors
 */
@Override
protected boolean isGlobalLogout(HttpServletRequest request, Authentication auth) {
    try {
        SAMLCredential credential = (SAMLCredential) auth.getCredentials();
        request.setAttribute(SAMLConstants.LOCAL_ENTITY_ID, credential.getLocalEntityID());
        request.setAttribute(SAMLConstants.PEER_ENTITY_ID, credential.getRemoteEntityID());
        SAMLMessageContext context = contextProvider.getLocalAndPeerEntity(request, null);
        IDPSSODescriptor idp = (IDPSSODescriptor) context.getPeerEntityRoleMetadata();
        List<SingleLogoutService> logoutServices = idp.getSingleLogoutServices();
        return !logoutServices.isEmpty();
    } catch (MetadataProviderException e) {
        logger.debug("Error processing metadata", e);
        return false;
    }
}
/**
 * Populates the attributes every outgoing SAML Response carries: a freshly generated ID, the
 * Issuer for the local entity, the InResponseTo link to the originating AuthnRequest, the
 * SAML 2.0 version, the issue instant, and (when an endpoint is known) the Destination.
 *
 * @param localEntityId entityID of this IdP, used to build the Issuer
 * @param response      response being populated
 * @param service       endpoint the response is addressed to; may be null, in which case
 *                      Destination is left unset
 * @param authnRequest  request being answered; its ID becomes InResponseTo
 */
private void buildCommonAttributes(String localEntityId, Response response, Endpoint service, AuthnRequest authnRequest) {
    String requestId = authnRequest.getID();
    response.setID(generateID());
    response.setIssuer(getIssuer(localEntityId));
    // Binds this response to the request it answers (the SP is expected to match it).
    response.setInResponseTo(requestId);
    response.setVersion(SAMLVersion.VERSION_20);
    response.setIssueInstant(new DateTime());
    // Destination mirrors the resolved endpoint location; skipped when no endpoint was resolved.
    if (service == null) {
        return;
    }
    response.setDestination(service.getLocation());
}
/**
 * Builds a Holder-of-Key WebSSO SingleSignOnService element. As in the HoK WebSSO profile, the
 * element's Binding attribute carries the HoK profile URI itself, while the actual transport
 * binding is placed in the {@code hoksso:ProtocolBinding} attribute.
 *
 * @param entityBaseURL base URL of this entity
 * @param entityAlias   alias used in the endpoint path
 * @param filterURL     path of the filter that serves the endpoint
 * @param binding       transport binding URI recorded as hoksso:ProtocolBinding
 * @return a new SingleSignOnService element describing the HoK endpoint
 */
protected SingleSignOnService getHoKSingleSignOnService(String entityBaseURL, String entityAlias, String filterURL, String binding) {
    String hokProfileUri = org.springframework.security.saml.SAMLConstants.SAML2_HOK_WEBSSO_PROFILE_URI;
    SingleSignOnService hokEndpoint = getSingleSignOnService(entityBaseURL, entityAlias, filterURL, hokProfileUri);
    QName protocolBindingAttribute = new QName(hokProfileUri, AuthnRequest.PROTOCOL_BINDING_ATTRIB_NAME, "hoksso");
    hokEndpoint.getUnknownAttributes().put(protocolBindingAttribute, binding);
    return hokEndpoint;
}
/**
 * getAssertionConsumerURL must prefer the ACS flagged as default even when it is not listed first,
 * and fall back to the first listed ACS when none is flagged.
 */
@Test
public void get_assertion_consumer_service_url() throws Exception {
    String entityID = "validEntityID";

    // Two ACS endpoints: the non-default one is listed first, the default one second.
    AssertionConsumerService firstAcs = mock(AssertionConsumerService.class);
    when(firstAcs.isDefault()).thenReturn(false);
    when(firstAcs.getLocation()).thenReturn("service-location");
    AssertionConsumerService defaultAcs = mock(AssertionConsumerService.class);
    when(defaultAcs.isDefault()).thenReturn(true);
    when(defaultAcs.getLocation()).thenReturn("default-location");

    SPSSODescriptor spDescriptor = mock(SPSSODescriptor.class);
    when(spDescriptor.getAssertionConsumerServices()).thenReturn(Arrays.asList(firstAcs, defaultAcs));
    EntityDescriptor spEntity = mock(EntityDescriptor.class);
    when(spEntity.getSPSSODescriptor(eq(SAML20P_NS))).thenReturn(spDescriptor);
    when(metadataManager.getEntityDescriptor(eq(entityID))).thenReturn(spEntity);

    // Default ACS wins regardless of list position.
    assertEquals("default-location", controller.getAssertionConsumerURL(entityID));

    // With no default flagged, the first listed ACS is used.
    when(defaultAcs.isDefault()).thenReturn(false);
    assertEquals("service-location", controller.getAssertionConsumerURL(entityID));
}
/**
 * Generates the local metadata and sets the descriptor's ID attribute to an NCName-safe form of
 * its entityID.
 *
 * @return the generated EntityDescriptor with its ID attribute populated
 */
@Override
public EntityDescriptor generateMetadata() {
    EntityDescriptor descriptor = super.generateMetadata();
    // XML ID attributes must be NCNames; the entityID (usually a URL) is converted accordingly.
    String ncNameId = SAMLUtil.getNCNameString(descriptor.getEntityID());
    descriptor.setID(ncNameId);
    return descriptor;
}
/**
 * Generates the local service provider's metadata and wraps it in an initialized in-memory
 * provider together with its extended metadata.
 *
 * @return delegate combining the in-memory metadata provider and the extended metadata
 * @throws MetadataProviderException if the in-memory provider fails to initialize
 */
public ExtendedMetadataDelegate getLocalServiceProvider() throws MetadataProviderException {
    EntityDescriptor spDescriptor = generator.generateMetadata();
    ExtendedMetadata spExtendedMetadata = generator.generateExtendedMetadata();
    String entityId = spDescriptor.getEntityID();
    log.info("Initialized local service provider for entityID: " + entityId);
    MetadataMemoryProvider inMemory = new MetadataMemoryProvider(spDescriptor);
    inMemory.initialize();
    return new ExtendedMetadataDelegate(inMemory, spExtendedMetadata);
}
/**
 * Generates the local identity provider's metadata and wraps it in an initialized in-memory
 * provider together with its extended metadata.
 *
 * @return delegate combining the in-memory metadata provider and the extended metadata
 * @throws MetadataProviderException if the in-memory provider fails to initialize
 */
public ExtendedMetadataDelegate getLocalIdp() throws MetadataProviderException {
    EntityDescriptor idpDescriptor = generator.generateMetadata();
    ExtendedMetadata idpExtendedMetadata = generator.generateExtendedMetadata();
    String entityId = idpDescriptor.getEntityID();
    log.info("Initialized local identity provider for entityID: " + entityId);
    MetadataMemoryProvider inMemory = new MetadataMemoryProvider(idpDescriptor);
    inMemory.initialize();
    return new ExtendedMetadataDelegate(inMemory, idpExtendedMetadata);
}