/**
   * Validate the AudienceRestriction of SAML2 Response
   *
   * @param assertion SAML2 Assertion
   * @return validity
   */
  protected void validateAudienceRestriction(Assertion assertion) throws SSOAgentException {

    if (assertion != null) {
      Conditions conditions = assertion.getConditions();
      if (conditions != null) {
        List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
        if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) {
          boolean audienceFound = false;
          for (AudienceRestriction audienceRestriction : audienceRestrictions) {
            if (audienceRestriction.getAudiences() != null
                && !audienceRestriction.getAudiences().isEmpty()) {
              for (Audience audience : audienceRestriction.getAudiences()) {
                if (ssoAgentConfig.getSAML2().getSPEntityId().equals(audience.getAudienceURI())) {
                  audienceFound = true;
                  break;
                }
              }
            }
            if (audienceFound) {
              break;
            }
          }
          if (!audienceFound) {
            throw new SSOAgentException("SAML2 Assertion Audience Restriction validation failed");
          }
        } else {
          throw new SSOAgentException("SAML2 Response doesn't contain AudienceRestrictions");
        }
      } else {
        throw new SSOAgentException("SAML2 Response doesn't contain Conditions");
      }
    }
  }
  /**
   * Validate the AudienceRestriction of SAML2 Response
   *
   * @param assertion SAML2 Assertion
   * @return validity
   */
  private void validateAudienceRestriction(Assertion assertion) throws SAMLSSOException {

    if (assertion != null) {
      Conditions conditions = assertion.getConditions();
      if (conditions != null) {
        List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
        if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) {
          for (AudienceRestriction audienceRestriction : audienceRestrictions) {
            if (CollectionUtils.isNotEmpty(audienceRestriction.getAudiences())) {
              boolean audienceFound = false;
              for (Audience audience : audienceRestriction.getAudiences()) {
                if (properties
                    .get(IdentityApplicationConstants.Authenticator.SAML2SSO.SP_ENTITY_ID)
                    .equals(audience.getAudienceURI())) {
                  audienceFound = true;
                  break;
                }
              }
              if (!audienceFound) {
                throw new SAMLSSOException("SAML Assertion Audience Restriction validation failed");
              }
            } else {
              throw new SAMLSSOException(
                  "SAML Response's AudienceRestriction doesn't contain Audiences");
            }
          }
        } else {
          throw new SAMLSSOException("SAML Response doesn't contain AudienceRestrictions");
        }
      } else {
        throw new SAMLSSOException("SAML Response doesn't contain Conditions");
      }
    }
  }
Exemplo n.º 3
0
  private Assertion buildSAMLAssertion(
      SAMLSSOAuthnReqDTO authReqDTO, DateTime notOnOrAfter, String sessionId)
      throws IdentityException {
    try {
      DateTime currentTime = new DateTime();
      Assertion samlAssertion = new AssertionBuilder().buildObject();
      samlAssertion.setID(SAMLSSOUtil.createID());
      samlAssertion.setVersion(SAMLVersion.VERSION_20);
      samlAssertion.setIssuer(SAMLSSOUtil.getIssuer());
      samlAssertion.setIssueInstant(currentTime);
      Subject subject = new SubjectBuilder().buildObject();

      NameID nameId = new NameIDBuilder().buildObject();
      if (authReqDTO.getUseFullyQualifiedUsernameAsSubject()) {
        nameId.setValue(authReqDTO.getUsername());
        nameId.setFormat(NameIdentifier.EMAIL);
      } else {
        nameId.setValue(MultitenantUtils.getTenantAwareUsername(authReqDTO.getUsername()));
        nameId.setFormat(authReqDTO.getNameIDFormat());
      }

      subject.setNameID(nameId);

      SubjectConfirmation subjectConfirmation = new SubjectConfirmationBuilder().buildObject();
      subjectConfirmation.setMethod(SAMLSSOConstants.SUBJECT_CONFIRM_BEARER);

      SubjectConfirmationData scData = new SubjectConfirmationDataBuilder().buildObject();
      scData.setRecipient(authReqDTO.getAssertionConsumerURL());
      scData.setNotOnOrAfter(notOnOrAfter);
      scData.setInResponseTo(authReqDTO.getId());
      subjectConfirmation.setSubjectConfirmationData(scData);

      subject.getSubjectConfirmations().add(subjectConfirmation);

      samlAssertion.setSubject(subject);

      AuthnStatement authStmt = new AuthnStatementBuilder().buildObject();
      authStmt.setAuthnInstant(new DateTime());

      AuthnContext authContext = new AuthnContextBuilder().buildObject();
      AuthnContextClassRef authCtxClassRef = new AuthnContextClassRefBuilder().buildObject();
      authCtxClassRef.setAuthnContextClassRef(AuthnContext.PASSWORD_AUTHN_CTX);
      authContext.setAuthnContextClassRef(authCtxClassRef);
      authStmt.setAuthnContext(authContext);
      if (authReqDTO.isDoSingleLogout()) {
        authStmt.setSessionIndex(sessionId);
      }
      samlAssertion.getAuthnStatements().add(authStmt);

      /*
       * If <AttributeConsumingServiceIndex> element is in the
       * <AuthnRequest> and
       * according to the spec 2.0 the subject MUST be in the assertion
       */
      Map<String, String> claims = SAMLSSOUtil.getAttributes(authReqDTO);
      if (claims != null) {
        samlAssertion.getAttributeStatements().add(buildAttributeStatement(claims));
      }

      AudienceRestriction audienceRestriction = new AudienceRestrictionBuilder().buildObject();
      Audience issuerAudience = new AudienceBuilder().buildObject();
      issuerAudience.setAudienceURI(authReqDTO.getIssuer());
      audienceRestriction.getAudiences().add(issuerAudience);
      if (authReqDTO.getRequestedAudiences() != null) {
        for (String requestedAudience : authReqDTO.getRequestedAudiences()) {
          Audience audience = new AudienceBuilder().buildObject();
          audience.setAudienceURI(requestedAudience);
          audienceRestriction.getAudiences().add(audience);
        }
      }
      Conditions conditions = new ConditionsBuilder().buildObject();
      conditions.setNotBefore(currentTime);
      conditions.setNotOnOrAfter(notOnOrAfter);
      conditions.getAudienceRestrictions().add(audienceRestriction);
      samlAssertion.setConditions(conditions);

      if (authReqDTO.getDoSignAssertions()) {
        SAMLSSOUtil.setSignature(
            samlAssertion,
            XMLSignature.ALGO_ID_SIGNATURE_RSA,
            new SignKeyDataHolder(authReqDTO.getUsername()));
      }

      return samlAssertion;
    } catch (Exception e) {
      log.error("Error when reading claim values for generating SAML Response", e);
      throw new IdentityException(
          "Error when reading claim values for generating SAML Response", e);
    }
  }