コード例 #1
0
  protected LogoutRequest buildLogoutRequest(String user, String sessionIdx)
      throws SSOAgentException {

    LogoutRequest logoutReq = new LogoutRequestBuilder().buildObject();

    logoutReq.setID(SSOAgentUtils.createID());
    logoutReq.setDestination(ssoAgentConfig.getSAML2().getIdPURL());

    DateTime issueInstant = new DateTime();
    logoutReq.setIssueInstant(issueInstant);
    logoutReq.setNotOnOrAfter(new DateTime(issueInstant.getMillis() + 5 * 60 * 1000));

    IssuerBuilder issuerBuilder = new IssuerBuilder();
    Issuer issuer = issuerBuilder.buildObject();
    issuer.setValue(ssoAgentConfig.getSAML2().getSPEntityId());
    logoutReq.setIssuer(issuer);

    NameID nameId = new NameIDBuilder().buildObject();
    nameId.setFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:entity");
    nameId.setValue(user);
    logoutReq.setNameID(nameId);

    SessionIndex sessionIndex = new SessionIndexBuilder().buildObject();
    sessionIndex.setSessionIndex(sessionIdx);
    logoutReq.getSessionIndexes().add(sessionIndex);

    logoutReq.setReason("Single Logout");

    return logoutReq;
  }
コード例 #2
0
  protected AuthnRequest buildAuthnRequest(HttpServletRequest request) throws SSOAgentException {

    IssuerBuilder issuerBuilder = new IssuerBuilder();
    Issuer issuer =
        issuerBuilder.buildObject("urn:oasis:names:tc:SAML:2.0:assertion", "Issuer", "samlp");
    issuer.setValue(ssoAgentConfig.getSAML2().getSPEntityId());

    /* NameIDPolicy */
    NameIDPolicyBuilder nameIdPolicyBuilder = new NameIDPolicyBuilder();
    NameIDPolicy nameIdPolicy = nameIdPolicyBuilder.buildObject();
    nameIdPolicy.setFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
    nameIdPolicy.setSPNameQualifier("Issuer");
    nameIdPolicy.setAllowCreate(true);

    /* AuthnContextClass */
    AuthnContextClassRefBuilder authnContextClassRefBuilder = new AuthnContextClassRefBuilder();
    AuthnContextClassRef authnContextClassRef =
        authnContextClassRefBuilder.buildObject(
            "urn:oasis:names:tc:SAML:2.0:assertion", "AuthnContextClassRef", "saml");
    authnContextClassRef.setAuthnContextClassRef(
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");

    /* AuthnContex */
    RequestedAuthnContextBuilder requestedAuthnContextBuilder = new RequestedAuthnContextBuilder();
    RequestedAuthnContext requestedAuthnContext = requestedAuthnContextBuilder.buildObject();
    requestedAuthnContext.setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
    requestedAuthnContext.getAuthnContextClassRefs().add(authnContextClassRef);

    DateTime issueInstant = new DateTime();

    /* Creation of AuthRequestObject */
    AuthnRequestBuilder authRequestBuilder = new AuthnRequestBuilder();
    AuthnRequest authRequest =
        authRequestBuilder.buildObject(
            "urn:oasis:names:tc:SAML:2.0:protocol", "AuthnRequest", "samlp");

    authRequest.setForceAuthn(ssoAgentConfig.getSAML2().isForceAuthn());
    authRequest.setIsPassive(ssoAgentConfig.getSAML2().isPassiveAuthn());
    authRequest.setIssueInstant(issueInstant);
    authRequest.setProtocolBinding(ssoAgentConfig.getSAML2().getHttpBinding());
    authRequest.setAssertionConsumerServiceURL(ssoAgentConfig.getSAML2().getACSURL());
    authRequest.setIssuer(issuer);
    authRequest.setNameIDPolicy(nameIdPolicy);
    authRequest.setRequestedAuthnContext(requestedAuthnContext);
    authRequest.setID(SSOAgentUtils.createID());
    authRequest.setVersion(SAMLVersion.VERSION_20);
    authRequest.setDestination(ssoAgentConfig.getSAML2().getIdPURL());
    if (request.getAttribute(Extensions.LOCAL_NAME) != null) {
      authRequest.setExtensions((Extensions) request.getAttribute(Extensions.LOCAL_NAME));
    }

    /* Requesting Attributes. This Index value is registered in the IDP */
    if (ssoAgentConfig.getSAML2().getAttributeConsumingServiceIndex() != null
        && ssoAgentConfig.getSAML2().getAttributeConsumingServiceIndex().trim().length() > 0) {
      authRequest.setAttributeConsumingServiceIndex(
          Integer.parseInt(ssoAgentConfig.getSAML2().getAttributeConsumingServiceIndex()));
    }

    return authRequest;
  }
コード例 #3
0
  /**
   * Validate the signature of a SAML2 Response and Assertion
   *
   * @param response SAML2 Response
   * @return true, if signature is valid.
   */
  protected void validateSignature(Response response, Assertion assertion)
      throws SSOAgentException {

    if (SSOAgentDataHolder.getInstance().getSignatureValidator() != null) {
      // Custom implemetation of signature validation
      SAMLSignatureValidator signatureValidatorUtility =
          (SAMLSignatureValidator) SSOAgentDataHolder.getInstance().getSignatureValidator();
      signatureValidatorUtility.validateSignature(response, assertion, ssoAgentConfig);
    } else {
      // If custom implementation not found, Execute the default implementation
      if (ssoAgentConfig.getSAML2().isResponseSigned()) {
        if (response.getSignature() == null) {
          throw new SSOAgentException(
              "SAML2 Response signing is enabled, but signature element not found in SAML2 Response element");
        } else {
          try {
            SignatureValidator validator =
                new SignatureValidator(
                    new X509CredentialImpl(ssoAgentConfig.getSAML2().getSSOAgentX509Credential()));
            validator.validate(response.getSignature());
          } catch (ValidationException e) {
            if (log.isDebugEnabled()) {
              log.debug("Validation exception : ", e);
            }
            throw new SSOAgentException("Signature validation failed for SAML2 Response");
          }
        }
      }
      if (ssoAgentConfig.getSAML2().isAssertionSigned()) {
        if (assertion.getSignature() == null) {
          throw new SSOAgentException(
              "SAML2 Assertion signing is enabled, but signature element not found in SAML2 Assertion element");
        } else {
          try {
            SignatureValidator validator =
                new SignatureValidator(
                    new X509CredentialImpl(ssoAgentConfig.getSAML2().getSSOAgentX509Credential()));
            validator.validate(assertion.getSignature());
          } catch (ValidationException e) {
            if (log.isDebugEnabled()) {
              log.debug("Validation exception : ", e);
            }
            throw new SSOAgentException("Signature validation failed for SAML2 Assertion");
          }
        }
      }
    }
  }
コード例 #4
0
  /**
   * Validate the AudienceRestriction of SAML2 Response
   *
   * @param assertion SAML2 Assertion
   * @return validity
   */
  protected void validateAudienceRestriction(Assertion assertion) throws SSOAgentException {

    if (assertion != null) {
      Conditions conditions = assertion.getConditions();
      if (conditions != null) {
        List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
        if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) {
          boolean audienceFound = false;
          for (AudienceRestriction audienceRestriction : audienceRestrictions) {
            if (audienceRestriction.getAudiences() != null
                && !audienceRestriction.getAudiences().isEmpty()) {
              for (Audience audience : audienceRestriction.getAudiences()) {
                if (ssoAgentConfig.getSAML2().getSPEntityId().equals(audience.getAudienceURI())) {
                  audienceFound = true;
                  break;
                }
              }
            }
            if (audienceFound) {
              break;
            }
          }
          if (!audienceFound) {
            throw new SSOAgentException("SAML2 Assertion Audience Restriction validation failed");
          }
        } else {
          throw new SSOAgentException("SAML2 Response doesn't contain AudienceRestrictions");
        }
      } else {
        throw new SSOAgentException("SAML2 Response doesn't contain Conditions");
      }
    }
  }
コード例 #5
0
  public void processResponse(HttpServletRequest request, HttpServletResponse response)
      throws SSOAgentException {

    String saml2SSOResponse =
        request.getParameter(SSOAgentConstants.SAML2SSO.HTTP_POST_PARAM_SAML2_RESP);

    if (saml2SSOResponse != null) {
      String decodedResponse =
          new String(Base64.decode(saml2SSOResponse), Charset.forName("UTF-8"));
      XMLObject samlObject = SSOAgentUtils.unmarshall(decodedResponse);
      if (samlObject instanceof LogoutResponse) {
        // This is a SAML response for a single logout request from the SP
        doSLO(request);
      } else {
        processSSOResponse(request);
      }
      String relayState = request.getParameter(RelayState.DEFAULT_ELEMENT_LOCAL_NAME);

      if (relayState != null
          && !relayState.isEmpty()
          && !"null".equalsIgnoreCase(relayState)) { // additional
        // checks for incompetent IdPs
        ssoAgentConfig.getSAML2().setRelayState(relayState);
      }

    } else {
      throw new SSOAgentException("Invalid SAML2 Response. SAML2 Response can not be null.");
    }
  }
コード例 #6
0
  public SAML2SSOManager(SSOAgentConfig ssoAgentConfig) throws SSOAgentException {

    /* Initializing the OpenSAML library, loading default configurations */
    this.ssoAgentConfig = ssoAgentConfig;
    // load custom Signature Validator Class
    String signerClassName = ssoAgentConfig.getSAML2().getSignatureValidatorImplClass();
    try {
      if (signerClassName != null) {
        SSOAgentDataHolder.getInstance()
            .setSignatureValidator(Class.forName(signerClassName).newInstance());
      }
    } catch (ClassNotFoundException e) {
      throw new SSOAgentException("Error loading custom signature validator class", e);
    } catch (IllegalAccessException e) {
      throw new SSOAgentException("Error loading custom signature validator class", e);
    } catch (InstantiationException e) {
      throw new SSOAgentException("Error loading custom signature validator class", e);
    }
    SSOAgentUtils.doBootstrap();
  }
コード例 #7
0
  /**
   * Get Decrypted Assertion
   *
   * @param encryptedAssertion
   * @return
   * @throws Exception
   */
  protected Assertion getDecryptedAssertion(EncryptedAssertion encryptedAssertion)
      throws SSOAgentException {

    try {
      KeyInfoCredentialResolver keyResolver =
          new StaticKeyInfoCredentialResolver(
              new X509CredentialImpl(ssoAgentConfig.getSAML2().getSSOAgentX509Credential()));

      EncryptedKey key =
          encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().get(0);
      Decrypter decrypter = new Decrypter(null, keyResolver, null);
      SecretKey dkey =
          (SecretKey)
              decrypter.decryptKey(
                  key, encryptedAssertion.getEncryptedData().getEncryptionMethod().getAlgorithm());
      Credential shared = SecurityHelper.getSimpleCredential(dkey);
      decrypter = new Decrypter(new StaticKeyInfoCredentialResolver(shared), null, null);
      decrypter.setRootInNewDocument(true);
      return decrypter.decrypt(encryptedAssertion);
    } catch (Exception e) {
      throw new SSOAgentException("Decrypted assertion error", e);
    }
  }
コード例 #8
0
  protected void processSSOResponse(HttpServletRequest request) throws SSOAgentException {

    LoggedInSessionBean sessionBean = new LoggedInSessionBean();
    sessionBean.setSAML2SSO(sessionBean.new SAML2SSO());

    String saml2ResponseString =
        new String(
            Base64.decode(
                request.getParameter(SSOAgentConstants.SAML2SSO.HTTP_POST_PARAM_SAML2_RESP)),
            Charset.forName("UTF-8"));
    Response saml2Response = (Response) SSOAgentUtils.unmarshall(saml2ResponseString);
    sessionBean.getSAML2SSO().setResponseString(saml2ResponseString);
    sessionBean.getSAML2SSO().setSAMLResponse(saml2Response);

    Assertion assertion = null;
    if (ssoAgentConfig.getSAML2().isAssertionEncrypted()) {
      List<EncryptedAssertion> encryptedAssertions = saml2Response.getEncryptedAssertions();
      EncryptedAssertion encryptedAssertion = null;
      if (!org.apache.commons.collections.CollectionUtils.isEmpty(encryptedAssertions)) {
        encryptedAssertion = encryptedAssertions.get(0);
        try {
          assertion = getDecryptedAssertion(encryptedAssertion);
        } catch (Exception e) {
          if (log.isDebugEnabled()) {
            log.debug("Assertion decryption failure : ", e);
          }
          throw new SSOAgentException("Unable to decrypt the SAML2 Assertion");
        }
      }
    } else {
      List<Assertion> assertions = saml2Response.getAssertions();
      if (assertions != null && !assertions.isEmpty()) {
        assertion = assertions.get(0);
      }
    }
    if (assertion == null) {
      if (isNoPassive(saml2Response)) {
        LOGGER.log(Level.FINE, "Cannot authenticate in passive mode");
        return;
      }
      throw new SSOAgentException("SAML2 Assertion not found in the Response");
    }

    String idPEntityIdValue = assertion.getIssuer().getValue();
    if (idPEntityIdValue == null || idPEntityIdValue.isEmpty()) {
      throw new SSOAgentException("SAML2 Response does not contain an Issuer value");
    } else if (!idPEntityIdValue.equals(ssoAgentConfig.getSAML2().getIdPEntityId())) {
      throw new SSOAgentException("SAML2 Response Issuer verification failed");
    }
    sessionBean.getSAML2SSO().setAssertion(assertion);
    // Cannot marshall SAML assertion here, before signature validation due to a weird issue in
    // OpenSAML

    // Get the subject name from the Response Object and forward it to login_action.jsp
    String subject = null;
    if (assertion.getSubject() != null && assertion.getSubject().getNameID() != null) {
      subject = assertion.getSubject().getNameID().getValue();
    }

    if (subject == null) {
      throw new SSOAgentException("SAML2 Response does not contain the name of the subject");
    }

    sessionBean.getSAML2SSO().setSubjectId(subject); // set the subject
    request.getSession().setAttribute(SSOAgentConstants.SESSION_BEAN_NAME, sessionBean);

    // validate audience restriction
    validateAudienceRestriction(assertion);

    // validate signature
    validateSignature(saml2Response, assertion);

    // Marshalling SAML2 assertion after signature validation due to a weird issue in OpenSAML
    sessionBean.getSAML2SSO().setAssertionString(marshall(assertion));

    ((LoggedInSessionBean) request.getSession().getAttribute(SSOAgentConstants.SESSION_BEAN_NAME))
        .getSAML2SSO()
        .setSubjectAttributes(getAssertionStatements(assertion));

    // For removing the session when the single sign out request made by the SP itself
    if (ssoAgentConfig.getSAML2().isSLOEnabled()) {
      String sessionId = assertion.getAuthnStatements().get(0).getSessionIndex();
      if (sessionId == null) {
        throw new SSOAgentException(
            "Single Logout is enabled but IdP Session ID not found in SAML2 Assertion");
      }
      ((LoggedInSessionBean) request.getSession().getAttribute(SSOAgentConstants.SESSION_BEAN_NAME))
          .getSAML2SSO()
          .setSessionIndex(sessionId);
      SSOAgentSessionManager.addAuthenticatedSession(request.getSession(false));
    }

    request.getSession().setAttribute(SSOAgentConstants.SESSION_BEAN_NAME, sessionBean);
  }
コード例 #9
0
  /**
   * Handles the request for http post binding
   *
   * @param request The HTTP request with SAML2 message
   * @param response The HTTP response
   * @param isLogout Whether the request is a logout request
   * @throws SSOAgentException
   */
  public String buildPostRequest(
      HttpServletRequest request, HttpServletResponse response, boolean isLogout)
      throws SSOAgentException {

    RequestAbstractType requestMessage = null;
    if (!isLogout) {
      requestMessage = buildAuthnRequest(request);
      if (ssoAgentConfig.getSAML2().isRequestSigned()) {
        requestMessage =
            SSOAgentUtils.setSignature(
                (AuthnRequest) requestMessage,
                XMLSignature.ALGO_ID_SIGNATURE_RSA,
                new X509CredentialImpl(ssoAgentConfig.getSAML2().getSSOAgentX509Credential()));
      }

    } else {
      LoggedInSessionBean sessionBean =
          (LoggedInSessionBean)
              request.getSession(false).getAttribute(SSOAgentConstants.SESSION_BEAN_NAME);
      if (sessionBean != null) {
        requestMessage =
            buildLogoutRequest(
                sessionBean.getSAML2SSO().getSubjectId(),
                sessionBean.getSAML2SSO().getSessionIndex());
        if (ssoAgentConfig.getSAML2().isRequestSigned()) {
          requestMessage =
              SSOAgentUtils.setSignature(
                  (LogoutRequest) requestMessage,
                  XMLSignature.ALGO_ID_SIGNATURE_RSA,
                  new X509CredentialImpl(ssoAgentConfig.getSAML2().getSSOAgentX509Credential()));
        }
      } else {
        throw new SSOAgentException("SLO Request can not be built. SSO Session is null");
      }
    }
    String encodedRequestMessage =
        encodeRequestMessage(requestMessage, SAMLConstants.SAML2_POST_BINDING_URI);

    Map<String, String[]> paramsMap = new HashMap<String, String[]>();
    paramsMap.put(
        SSOAgentConstants.SAML2SSO.HTTP_POST_PARAM_SAML2_AUTH_REQ,
        new String[] {encodedRequestMessage});
    if (ssoAgentConfig.getSAML2().getRelayState() != null) {
      paramsMap.put(
          RelayState.DEFAULT_ELEMENT_LOCAL_NAME,
          new String[] {ssoAgentConfig.getSAML2().getRelayState()});
    }

    // Add any additional parameters defined
    if (ssoAgentConfig.getQueryParams() != null && !ssoAgentConfig.getQueryParams().isEmpty()) {
      paramsMap.putAll(ssoAgentConfig.getQueryParams());
    }

    StringBuilder htmlParams = new StringBuilder();
    for (Map.Entry<String, String[]> entry : paramsMap.entrySet()) {
      if (entry.getKey() != null && entry.getValue() != null && entry.getValue().length > 0) {
        for (String param : entry.getValue()) {
          htmlParams
              .append("<input type='hidden' name='")
              .append(entry.getKey())
              .append("' value='")
              .append(param)
              .append("'>\n");
        }
      }
    }
    String htmlPayload = ssoAgentConfig.getSAML2().getPostBindingRequestHTMLPayload();
    if (htmlPayload == null || !htmlPayload.contains("<!--$saml_params-->")) {
      htmlPayload =
          "<html>\n"
              + "<body>\n"
              + "<p>You are now redirected back to "
              + ssoAgentConfig.getSAML2().getIdPURL()
              + " \n"
              + "If the redirection fails, please click the post button.</p>\n"
              + "<form method='post' action='"
              + ssoAgentConfig.getSAML2().getIdPURL()
              + "'>\n"
              + "<p>\n"
              + htmlParams.toString()
              + "<button type='submit'>POST</button>\n"
              + "</p>\n"
              + "</form>\n"
              + "<script type='text/javascript'>\n"
              + "document.forms[0].submit();\n"
              + "</script>\n"
              + "</body>\n"
              + "</html>";
    } else {
      htmlPayload = htmlPayload.replace("<!--$saml_params-->", htmlParams.toString());
    }
    return htmlPayload;
  }
コード例 #10
0
  /**
   * Returns the redirection URL with the appended SAML2 Request message
   *
   * @param request SAML 2 request
   * @return redirectionUrl
   */
  public String buildRedirectRequest(HttpServletRequest request, boolean isLogout)
      throws SSOAgentException {

    RequestAbstractType requestMessage = null;
    if (!isLogout) {
      requestMessage = buildAuthnRequest(request);
    } else {
      LoggedInSessionBean sessionBean =
          (LoggedInSessionBean)
              request.getSession(false).getAttribute(SSOAgentConstants.SESSION_BEAN_NAME);
      if (sessionBean != null) {
        requestMessage =
            buildLogoutRequest(
                sessionBean.getSAML2SSO().getSubjectId(),
                sessionBean.getSAML2SSO().getSessionIndex());
      } else {
        throw new SSOAgentException("SLO Request can not be built. SSO Session is NULL");
      }
    }
    String idpUrl = null;

    String encodedRequestMessage =
        encodeRequestMessage(requestMessage, SAMLConstants.SAML2_REDIRECT_BINDING_URI);
    StringBuilder httpQueryString =
        new StringBuilder(
            SSOAgentConstants.SAML2SSO.HTTP_POST_PARAM_SAML2_AUTH_REQ
                + "="
                + encodedRequestMessage);

    String relayState = ssoAgentConfig.getSAML2().getRelayState();
    if (relayState != null) {
      try {
        httpQueryString.append(
            "&"
                + RelayState.DEFAULT_ELEMENT_LOCAL_NAME
                + "="
                + URLEncoder.encode(relayState, "UTF-8").trim());
      } catch (UnsupportedEncodingException e) {
        throw new SSOAgentException(
            "Error occurred while URLEncoding " + RelayState.DEFAULT_ELEMENT_LOCAL_NAME, e);
      }
    }

    if (ssoAgentConfig.getQueryParams() != null && !ssoAgentConfig.getQueryParams().isEmpty()) {
      StringBuilder builder = new StringBuilder();
      for (Map.Entry<String, String[]> entry : ssoAgentConfig.getQueryParams().entrySet()) {
        if (entry.getKey() != null && entry.getValue() != null && entry.getValue().length > 0) {
          for (String param : entry.getValue()) {
            builder.append("&").append(entry.getKey()).append("=").append(param);
          }
        }
      }
      httpQueryString.append(builder);
    }

    if (ssoAgentConfig.getSAML2().isRequestSigned()) {
      SSOAgentUtils.addDeflateSignatureToHTTPQueryString(
          httpQueryString,
          new X509CredentialImpl(ssoAgentConfig.getSAML2().getSSOAgentX509Credential()));
    }

    if (ssoAgentConfig.getSAML2().getIdPURL().indexOf("?") > -1) {
      idpUrl = ssoAgentConfig.getSAML2().getIdPURL().concat("&").concat(httpQueryString.toString());
    } else {
      idpUrl = ssoAgentConfig.getSAML2().getIdPURL().concat("?").concat(httpQueryString.toString());
    }
    return idpUrl;
  }