/** * Returns logout request message ready to be sent to the IDP. * * @param context message context * @param credential information about assertions used to log current user in * @param bindingService service used to deliver the request * @return logoutRequest to be sent to IDP * @throws SAMLException error creating the message * @throws MetadataProviderException error retrieving metadata */ protected LogoutRequest getLogoutRequest( SAMLMessageContext context, SAMLCredential credential, Endpoint bindingService) throws SAMLException, MetadataProviderException { SAMLObjectBuilder<LogoutRequest> builder = (SAMLObjectBuilder<LogoutRequest>) builderFactory.getBuilder(LogoutRequest.DEFAULT_ELEMENT_NAME); LogoutRequest request = builder.buildObject(); buildCommonAttributes(context.getLocalEntityId(), request, bindingService); // Add session indexes SAMLObjectBuilder<SessionIndex> sessionIndexBuilder = (SAMLObjectBuilder<SessionIndex>) builderFactory.getBuilder(SessionIndex.DEFAULT_ELEMENT_NAME); for (AuthnStatement statement : credential.getAuthenticationAssertion().getAuthnStatements()) { SessionIndex index = sessionIndexBuilder.buildObject(); index.setSessionIndex(statement.getSessionIndex()); request.getSessionIndexes().add(index); } if (request.getSessionIndexes().size() == 0) { throw new SAMLException("No session indexes to logout user for were found"); } SAMLObjectBuilder<NameID> nameIDBuilder = (SAMLObjectBuilder<NameID>) builderFactory.getBuilder(NameID.DEFAULT_ELEMENT_NAME); NameID nameID = nameIDBuilder.buildObject(); nameID.setFormat(credential.getNameID().getFormat()); nameID.setNameQualifier(credential.getNameID().getNameQualifier()); nameID.setSPNameQualifier(credential.getNameID().getSPNameQualifier()); nameID.setSPProvidedID(credential.getNameID().getSPProvidedID()); nameID.setValue(credential.getNameID().getValue()); request.setNameID(nameID); return request; }
private Assertion buildSAMLAssertion( SAMLSSOAuthnReqDTO authReqDTO, DateTime notOnOrAfter, String sessionId) throws IdentityException { try { DateTime currentTime = new DateTime(); Assertion samlAssertion = new AssertionBuilder().buildObject(); samlAssertion.setID(SAMLSSOUtil.createID()); samlAssertion.setVersion(SAMLVersion.VERSION_20); samlAssertion.setIssuer(SAMLSSOUtil.getIssuer()); samlAssertion.setIssueInstant(currentTime); Subject subject = new SubjectBuilder().buildObject(); NameID nameId = new NameIDBuilder().buildObject(); if (authReqDTO.getUseFullyQualifiedUsernameAsSubject()) { nameId.setValue(authReqDTO.getUsername()); nameId.setFormat(NameIdentifier.EMAIL); } else { nameId.setValue(MultitenantUtils.getTenantAwareUsername(authReqDTO.getUsername())); nameId.setFormat(authReqDTO.getNameIDFormat()); } subject.setNameID(nameId); SubjectConfirmation subjectConfirmation = new SubjectConfirmationBuilder().buildObject(); subjectConfirmation.setMethod(SAMLSSOConstants.SUBJECT_CONFIRM_BEARER); SubjectConfirmationData scData = new SubjectConfirmationDataBuilder().buildObject(); scData.setRecipient(authReqDTO.getAssertionConsumerURL()); scData.setNotOnOrAfter(notOnOrAfter); scData.setInResponseTo(authReqDTO.getId()); subjectConfirmation.setSubjectConfirmationData(scData); subject.getSubjectConfirmations().add(subjectConfirmation); samlAssertion.setSubject(subject); AuthnStatement authStmt = new AuthnStatementBuilder().buildObject(); authStmt.setAuthnInstant(new DateTime()); AuthnContext authContext = new AuthnContextBuilder().buildObject(); AuthnContextClassRef authCtxClassRef = new AuthnContextClassRefBuilder().buildObject(); authCtxClassRef.setAuthnContextClassRef(AuthnContext.PASSWORD_AUTHN_CTX); authContext.setAuthnContextClassRef(authCtxClassRef); authStmt.setAuthnContext(authContext); if (authReqDTO.isDoSingleLogout()) { authStmt.setSessionIndex(sessionId); } samlAssertion.getAuthnStatements().add(authStmt); /* * If <AttributeConsumingServiceIndex> element is in the * <AuthnRequest> and * according to the spec 2.0 the subject MUST be in the assertion */ Map<String, String> claims = SAMLSSOUtil.getAttributes(authReqDTO); if (claims != null) { samlAssertion.getAttributeStatements().add(buildAttributeStatement(claims)); } AudienceRestriction audienceRestriction = new AudienceRestrictionBuilder().buildObject(); Audience issuerAudience = new AudienceBuilder().buildObject(); issuerAudience.setAudienceURI(authReqDTO.getIssuer()); audienceRestriction.getAudiences().add(issuerAudience); if (authReqDTO.getRequestedAudiences() != null) { for (String requestedAudience : authReqDTO.getRequestedAudiences()) { Audience audience = new AudienceBuilder().buildObject(); audience.setAudienceURI(requestedAudience); audienceRestriction.getAudiences().add(audience); } } Conditions conditions = new ConditionsBuilder().buildObject(); conditions.setNotBefore(currentTime); conditions.setNotOnOrAfter(notOnOrAfter); conditions.getAudienceRestrictions().add(audienceRestriction); samlAssertion.setConditions(conditions); if (authReqDTO.getDoSignAssertions()) { SAMLSSOUtil.setSignature( samlAssertion, XMLSignature.ALGO_ID_SIGNATURE_RSA, new SignKeyDataHolder(authReqDTO.getUsername())); } return samlAssertion; } catch (Exception e) { log.error("Error when reading claim values for generating SAML Response", e); throw new IdentityException( "Error when reading claim values for generating SAML Response", e); } }