protected LogoutRequest buildLogoutRequest(String user, String sessionIdx)
throws SSOAgentException {
LogoutRequest logoutReq = new LogoutRequestBuilder().buildObject();
logoutReq.setID(SSOAgentUtils.createID());
logoutReq.setDestination(ssoAgentConfig.getSAML2().getIdPURL());
DateTime issueInstant = new DateTime();
logoutReq.setIssueInstant(issueInstant);
logoutReq.setNotOnOrAfter(new DateTime(issueInstant.getMillis() + 5 * 60 * 1000));
IssuerBuilder issuerBuilder = new IssuerBuilder();
Issuer issuer = issuerBuilder.buildObject();
issuer.setValue(ssoAgentConfig.getSAML2().getSPEntityId());
logoutReq.setIssuer(issuer);
NameID nameId = new NameIDBuilder().buildObject();
nameId.setFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:entity");
nameId.setValue(user);
logoutReq.setNameID(nameId);
SessionIndex sessionIndex = new SessionIndexBuilder().buildObject();
sessionIndex.setSessionIndex(sessionIdx);
logoutReq.getSessionIndexes().add(sessionIndex);
logoutReq.setReason("Single Logout");
return logoutReq;
}
protected AuthnRequest buildAuthnRequest(HttpServletRequest request) throws SSOAgentException {
IssuerBuilder issuerBuilder = new IssuerBuilder();
Issuer issuer =
issuerBuilder.buildObject("urn:oasis:names:tc:SAML:2.0:assertion", "Issuer", "samlp");
issuer.setValue(ssoAgentConfig.getSAML2().getSPEntityId());
/* NameIDPolicy */
NameIDPolicyBuilder nameIdPolicyBuilder = new NameIDPolicyBuilder();
NameIDPolicy nameIdPolicy = nameIdPolicyBuilder.buildObject();
nameIdPolicy.setFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
nameIdPolicy.setSPNameQualifier("Issuer");
nameIdPolicy.setAllowCreate(true);
/* AuthnContextClass */
AuthnContextClassRefBuilder authnContextClassRefBuilder = new AuthnContextClassRefBuilder();
AuthnContextClassRef authnContextClassRef =
authnContextClassRefBuilder.buildObject(
"urn:oasis:names:tc:SAML:2.0:assertion", "AuthnContextClassRef", "saml");
authnContextClassRef.setAuthnContextClassRef(
"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");
/* AuthnContex */
RequestedAuthnContextBuilder requestedAuthnContextBuilder = new RequestedAuthnContextBuilder();
RequestedAuthnContext requestedAuthnContext = requestedAuthnContextBuilder.buildObject();
requestedAuthnContext.setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
requestedAuthnContext.getAuthnContextClassRefs().add(authnContextClassRef);
DateTime issueInstant = new DateTime();
/* Creation of AuthRequestObject */
AuthnRequestBuilder authRequestBuilder = new AuthnRequestBuilder();
AuthnRequest authRequest =
authRequestBuilder.buildObject(
"urn:oasis:names:tc:SAML:2.0:protocol", "AuthnRequest", "samlp");
authRequest.setForceAuthn(ssoAgentConfig.getSAML2().isForceAuthn());
authRequest.setIsPassive(ssoAgentConfig.getSAML2().isPassiveAuthn());
authRequest.setIssueInstant(issueInstant);
authRequest.setProtocolBinding(ssoAgentConfig.getSAML2().getHttpBinding());
authRequest.setAssertionConsumerServiceURL(ssoAgentConfig.getSAML2().getACSURL());
authRequest.setIssuer(issuer);
authRequest.setNameIDPolicy(nameIdPolicy);
authRequest.setRequestedAuthnContext(requestedAuthnContext);
authRequest.setID(SSOAgentUtils.createID());
authRequest.setVersion(SAMLVersion.VERSION_20);
authRequest.setDestination(ssoAgentConfig.getSAML2().getIdPURL());
if (request.getAttribute(Extensions.LOCAL_NAME) != null) {
authRequest.setExtensions((Extensions) request.getAttribute(Extensions.LOCAL_NAME));
}
/* Requesting Attributes. This Index value is registered in the IDP */
if (ssoAgentConfig.getSAML2().getAttributeConsumingServiceIndex() != null
&& ssoAgentConfig.getSAML2().getAttributeConsumingServiceIndex().trim().length() > 0) {
authRequest.setAttributeConsumingServiceIndex(
Integer.parseInt(ssoAgentConfig.getSAML2().getAttributeConsumingServiceIndex()));
}
return authRequest;
}
/*
* Create the AuthnRequest
*/
public AuthnRequestImpl buildAuthnRequest() throws ValidationException {
// Use the OpenSAML Configuration singleton to get a builder factory object
final XMLObjectBuilderFactory xmlObjectBuilderFactory = Configuration.getBuilderFactory();
// First get a builder for AuthnRequest
final AuthnRequestBuilder authnRequestBuilder =
(AuthnRequestBuilder) xmlObjectBuilderFactory.getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME);
// And one for Issuer
final IssuerBuilder issuerBuilder =
(IssuerBuilder) xmlObjectBuilderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
// get a builder for NameID
final NameIDBuilder nameIDBuilder =
(NameIDBuilder) xmlObjectBuilderFactory.getBuilder(NameID.DEFAULT_ELEMENT_NAME);
// build a NameID object
final NameID nameID = nameIDBuilder.buildObject();
nameID.setFormat(NameIDType.PERSISTENT);
nameID.setSPProvidedID("https://aa.bb.cc/sp/provider");
nameID.setSPNameQualifier("https://aa.bb.cc/sp/provider");
// get a builder for Subject
final SubjectBuilder subjectBuilder =
(SubjectBuilder) xmlObjectBuilderFactory.getBuilder(Subject.DEFAULT_ELEMENT_NAME);
// build a Subject object
final Subject subject = subjectBuilder.buildObject();
subject.setNameID(nameID);
// build an AuthnRequest object
final AuthnRequestImpl authnRequest = (AuthnRequestImpl) authnRequestBuilder.buildObject();
// Build the Issuer object
final Issuer newIssuer = issuerBuilder.buildObject();
newIssuer.setValue("https://aa.bb.cc/sp/provideraaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
authnRequest.setIssuer(newIssuer);
authnRequest.setProviderName("https://aa.bb.cc/sp/provider");
authnRequest.setAssertionConsumerServiceURL("1");
authnRequest.setDestination("https://aa.bb.cc/sp/provider");
authnRequest.setProtocolBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
authnRequest.setSubject(subject);
// Only add the parameter if it is true.
// if (forceReAuthentication == true) {
authnRequest.setForceAuthn(true);
// }
authnRequest.setVersion(org.opensaml.common.SAMLVersion.VERSION_20);
final DateTime dateTime = new DateTime();
authnRequest.setIssueInstant(dateTime);
authnRequest.setID(UUID.randomUUID().toString());
authnRequest.validate(true);
return authnRequest;
}
private LogoutRequest buildLogoutRequest(
String user,
String sessionIndexStr,
String idpUrl,
String nameQualifier,
String spNameQualifier)
throws SAMLSSOException {
LogoutRequest logoutReq = new LogoutRequestBuilder().buildObject();
logoutReq.setID(SSOUtils.createID());
logoutReq.setDestination(idpUrl);
DateTime issueInstant = new DateTime();
logoutReq.setIssueInstant(issueInstant);
logoutReq.setNotOnOrAfter(new DateTime(issueInstant.getMillis() + 5 * 60 * 1000));
IssuerBuilder issuerBuilder = new IssuerBuilder();
Issuer issuer = issuerBuilder.buildObject();
String spEntityId =
properties.get(IdentityApplicationConstants.Authenticator.SAML2SSO.SP_ENTITY_ID);
if (spEntityId != null && !spEntityId.isEmpty()) {
issuer.setValue(spEntityId);
} else {
issuer.setValue("carbonServer");
}
logoutReq.setIssuer(issuer);
NameID nameId = new NameIDBuilder().buildObject();
nameId.setFormat(NameIDType.UNSPECIFIED);
nameId.setValue(user);
nameId.setNameQualifier(nameQualifier);
nameId.setSPNameQualifier(spNameQualifier);
logoutReq.setNameID(nameId);
SessionIndex sessionIndex = new SessionIndexBuilder().buildObject();
if (sessionIndexStr != null) {
sessionIndex.setSessionIndex(sessionIndexStr);
} else {
sessionIndex.setSessionIndex(UUID.randomUUID().toString());
}
logoutReq.getSessionIndexes().add(sessionIndex);
logoutReq.setReason("Single Logout");
return logoutReq;
}
private AuthnRequest buildAuthnRequest(
HttpServletRequest request, boolean isPassive, String idpUrl, AuthenticationContext context)
throws SAMLSSOException {
IssuerBuilder issuerBuilder = new IssuerBuilder();
Issuer issuer =
issuerBuilder.buildObject("urn:oasis:names:tc:SAML:2.0:assertion", "Issuer", "samlp");
String spEntityId =
properties.get(IdentityApplicationConstants.Authenticator.SAML2SSO.SP_ENTITY_ID);
if (spEntityId != null && !spEntityId.isEmpty()) {
issuer.setValue(spEntityId);
} else {
issuer.setValue("carbonServer");
}
DateTime issueInstant = new DateTime();
/* Creation of AuthRequestObject */
AuthnRequestBuilder authRequestBuilder = new AuthnRequestBuilder();
AuthnRequest authRequest =
authRequestBuilder.buildObject(
"urn:oasis:names:tc:SAML:2.0:protocol", "AuthnRequest", "samlp");
authRequest.setForceAuthn(isForceAuthenticate(context));
authRequest.setIsPassive(isPassive);
authRequest.setIssueInstant(issueInstant);
String includeProtocolBindingProp =
properties.get(
IdentityApplicationConstants.Authenticator.SAML2SSO.INCLUDE_PROTOCOL_BINDING);
if (StringUtils.isEmpty(includeProtocolBindingProp)
|| Boolean.parseBoolean(includeProtocolBindingProp)) {
authRequest.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI);
}
String acsUrl = IdentityUtil.getServerURL(FrameworkConstants.COMMONAUTH);
authRequest.setAssertionConsumerServiceURL(acsUrl);
authRequest.setIssuer(issuer);
authRequest.setID(SSOUtils.createID());
authRequest.setVersion(SAMLVersion.VERSION_20);
authRequest.setDestination(idpUrl);
String attributeConsumingServiceIndexProp =
properties.get(
IdentityApplicationConstants.Authenticator.SAML2SSO.ATTRIBUTE_CONSUMING_SERVICE_INDEX);
if (StringUtils.isNotEmpty(attributeConsumingServiceIndexProp)) {
try {
authRequest.setAttributeConsumingServiceIndex(
Integer.valueOf(attributeConsumingServiceIndexProp));
} catch (NumberFormatException e) {
log.error(
"Error while populating SAMLRequest with AttributeConsumingServiceIndex: "
+ attributeConsumingServiceIndexProp,
e);
}
}
String includeNameIDPolicyProp =
properties.get(IdentityApplicationConstants.Authenticator.SAML2SSO.INCLUDE_NAME_ID_POLICY);
if (StringUtils.isEmpty(includeNameIDPolicyProp)
|| Boolean.parseBoolean(includeNameIDPolicyProp)) {
NameIDPolicyBuilder nameIdPolicyBuilder = new NameIDPolicyBuilder();
NameIDPolicy nameIdPolicy = nameIdPolicyBuilder.buildObject();
nameIdPolicy.setFormat(NameIDType.UNSPECIFIED);
// nameIdPolicy.setSPNameQualifier("Issuer");
nameIdPolicy.setAllowCreate(true);
authRequest.setNameIDPolicy(nameIdPolicy);
}
// Get the inbound SAMLRequest
AuthnRequest inboundAuthnRequest = getAuthnRequest(context);
RequestedAuthnContext requestedAuthnContext = buildRequestedAuthnContext(inboundAuthnRequest);
if (requestedAuthnContext != null) {
authRequest.setRequestedAuthnContext(requestedAuthnContext);
}
Extensions extensions = getSAMLExtensions(request);
if (extensions != null) {
authRequest.setExtensions(extensions);
}
return authRequest;
}