/** * Populates localEntityId and localEntityRole based on the SAMLCredential. * * @param context context to populate * @param credential credential * @throws MetadataProviderException in case entity id can' be populated */ protected void populateLocalEntityId(SAMLMessageContext context, SAMLCredential credential) throws MetadataProviderException { String entityID = credential.getLocalEntityID(); context.setLocalEntityId(entityID); context.setLocalEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); }
/** * Based on the settings in the extended metadata either creates a PKIX trust engine with trusted * keys specified in the extended metadata as anchors or (by default) an explicit trust engine * using data from the metadata or from the values overridden in the ExtendedMetadata. The trust * engine is used to verify SSL connections. * * @param samlContext context to populate */ protected void populateSSLTrustEngine(SAMLMessageContext samlContext) { TrustEngine<X509Credential> engine; if ("pkix".equalsIgnoreCase(samlContext.getLocalExtendedMetadata().getSslSecurityProfile())) { engine = new PKIXX509CredentialTrustEngine(pkixResolver); } else { engine = new ExplicitX509CertificateTrustEngine(metadataResolver); } samlContext.setLocalSSLTrustEngine(engine); }
/** * Populates X509 Credential used to authenticate this machine against peer servers. Uses key with * alias specified in extended metadata under TlsKey, when not set uses the default credential. * * @param samlContext context to populate */ protected void populateSSLCredential(SAMLMessageContext samlContext) { X509Credential tlsCredential; if (samlContext.getLocalExtendedMetadata().getTlsKey() != null) { tlsCredential = (X509Credential) keyManager.getCredential(samlContext.getLocalExtendedMetadata().getTlsKey()); } else { tlsCredential = null; } samlContext.setLocalSSLCredential(tlsCredential); }
private void populateGenericContext( HttpServletRequest request, HttpServletResponse response, SAMLMessageContext context) throws MetadataProviderException { HttpServletRequestAdapter inTransport = new HttpServletRequestAdapter(request); HttpServletResponseAdapter outTransport = new HttpServletResponseAdapter(response, false); context.setMetadataProvider(metadata); context.setInboundMessageTransport(inTransport); context.setOutboundMessageTransport(outTransport); context.setMessageStorage(storageFactory.getMessageStorage(request)); }
/** * Based on the settings in the extended metadata either creates a PKIX trust engine with trusted * keys specified in the extended metadata as anchors or (by default) an explicit trust engine * using data from the metadata or from the values overridden in the ExtendedMetadata. * * @param samlContext context to populate */ protected void populateTrustEngine(SAMLMessageContext samlContext) { SignatureTrustEngine engine; if ("pkix".equalsIgnoreCase(samlContext.getLocalExtendedMetadata().getSecurityProfile())) { engine = new PKIXSignatureTrustEngine( pkixResolver, Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver()); } else { engine = new ExplicitKeySignatureTrustEngine( metadataResolver, Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver()); } samlContext.setLocalTrustEngine(engine); }
/** * Tries to load peer SSL certificate from the inbound message transport using attribute * "javax.servlet.request.X509Certificate". If found sets peerSSLCredential in the context. * * @param samlContext context to populate */ protected void populatePeerSSLCredential(SAMLMessageContext samlContext) { X509Certificate[] chain = (X509Certificate[]) samlContext .getInboundMessageTransport() .getAttribute(ServletRequestX509CredentialAdapter.X509_CERT_REQUEST_ATTRIBUTE); if (chain != null && chain.length > 0) { logger.debug("Found certificate chain from request {}", chain[0]); BasicX509Credential credential = new BasicX509Credential(); credential.setEntityCertificate(chain[0]); credential.setEntityCertificateChain(Arrays.asList(chain)); samlContext.setPeerSSLCredential(credential); } }
/** * Method tries to load localEntityAlias and localEntityRole from the request path. Path is * supposed to be in format: * https(s)://server:port/application/saml/filterName/alias/aliasName/idp|sp?query. In case alias * is missing from the path defaults are used. Otherwise localEntityId and sp or idp * localEntityRole is entered into the context. * * <p>In case alias entity id isn't found an exception is raised. * * @param context context to populate fields localEntityId and localEntityRole for * @param contextPath context path to parse entityId and entityRole from * @throws MetadataProviderException in case entityId can't be populated */ protected void populateLocalEntityId(SAMLMessageContext context, String contextPath) throws MetadataProviderException { if (contextPath == null) { contextPath = ""; } int filterIndex = contextPath.indexOf("/alias/"); if (filterIndex != -1) { // Alias entityId String localAlias = contextPath.substring(filterIndex + 7); QName localEntityRole; int entityTypePosition = localAlias.lastIndexOf('/'); if (entityTypePosition != -1) { String entityRole = localAlias.substring(entityTypePosition + 1); if ("idp".equalsIgnoreCase(entityRole)) { localEntityRole = IDPSSODescriptor.DEFAULT_ELEMENT_NAME; } else { localEntityRole = SPSSODescriptor.DEFAULT_ELEMENT_NAME; } localAlias = localAlias.substring(0, entityTypePosition); } else { localEntityRole = SPSSODescriptor.DEFAULT_ELEMENT_NAME; } // Populate entityId String localEntityId = metadata.getEntityIdForAlias(localAlias); if (localEntityId == null) { throw new MetadataProviderException( "No local entity found for alias " + localAlias + ", verify your configuration."); } context.setLocalEntityId(localEntityId); context.setLocalEntityRole(localEntityRole); } else { // Defaults context.setLocalEntityId(metadata.getHostedSPName()); context.setLocalEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); } }
/** * Populates a decrypter based on settings in the extended metadata or using a default credential * when no encryption credential is specified in the extended metadata. * * @param samlContext context to populate decryptor for. */ protected void populateDecrypter(SAMLMessageContext samlContext) { // Locate encryption key for this entity Credential encryptionCredential; if (samlContext.getLocalExtendedMetadata().getEncryptionKey() != null) { encryptionCredential = keyManager.getCredential(samlContext.getLocalExtendedMetadata().getEncryptionKey()); } else { encryptionCredential = keyManager.getDefaultCredential(); } // Entity used for decrypting of encrypted XML parts // Extracts EncryptedKey from the encrypted XML using the encryptedKeyResolver and attempts to // decrypt it // using private keys supplied by the resolver. KeyInfoCredentialResolver resolver = new StaticKeyInfoCredentialResolver(encryptionCredential); Decrypter decrypter = new Decrypter(null, resolver, encryptedKeyResolver); decrypter.setRootInNewDocument(true); samlContext.setLocalDecrypter(decrypter); }
/** * Loads the IDP_PARAMETER from the request and if it is not null verifies whether IDP with this * value is valid IDP in our circle of trust. Processing fails when IDP is not valid. IDP is set * as PeerEntityId in the context. * * <p>If request parameter is null the default IDP is returned. * * @param context context to populate ID for * @throws MetadataProviderException in case provided IDP value is invalid */ protected void populatePeerEntityId(SAMLMessageContext context) throws MetadataProviderException { String idp = ((HTTPInTransport) context.getInboundMessageTransport()) .getParameterValue(SAMLEntryPoint.IDP_PARAMETER); if (idp != null) { if (!metadata.isIDPValid(idp)) { logger.debug("User specified IDP {} is invalid", idp); throw new MetadataProviderException("Specified IDP is not valid: " + idp); } else { logger.debug("Using user specified IDP {}", idp); context.setPeerUserSelected(true); } } else { idp = metadata.getDefaultIDP(); logger.debug("No IDP specified, using default {}", idp); context.setPeerUserSelected(false); } context.setPeerEntityId(idp); context.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); }
/** * Populates additional information about the peer based on the previously loaded peerEntityId. * * @param samlContext to populate * @throws MetadataProviderException in case metadata problem is encountered */ private void populatePeerContext(SAMLMessageContext samlContext) throws MetadataProviderException { String peerEntityId = samlContext.getPeerEntityId(); QName peerEntityRole = samlContext.getPeerEntityRole(); if (peerEntityId == null) { throw new MetadataProviderException("Peer entity ID wasn't specified, but is requested"); } EntityDescriptor entityDescriptor = metadata.getEntityDescriptor(peerEntityId); RoleDescriptor roleDescriptor = metadata.getRole(peerEntityId, peerEntityRole, SAMLConstants.SAML20P_NS); ExtendedMetadata extendedMetadata = metadata.getExtendedMetadata(peerEntityId); if (entityDescriptor == null || roleDescriptor == null) { throw new MetadataProviderException( "Metadata for entity " + peerEntityId + " and role " + peerEntityRole + " wasn't found"); } samlContext.setPeerEntityMetadata(entityDescriptor); samlContext.setPeerEntityRoleMetadata(roleDescriptor); samlContext.setPeerExtendedMetadata(extendedMetadata); }
/** * Method populates fields localEntityId, localEntityRole, localEntityMetadata, * localEntityRoleMetadata and peerEntityRole. In case fields localAlias, localEntityId, * localEntiyRole or peerEntityRole are set they are used, defaults of default SP and IDP as a * peer are used instead. * * @param samlContext context to populate * @throws org.opensaml.saml2.metadata.provider.MetadataProviderException in case metadata do not * contain expected entities or localAlias is specified but not found */ private void populateLocalEntity(SAMLMessageContext samlContext) throws MetadataProviderException { String localEntityId = samlContext.getLocalEntityId(); QName localEntityRole = samlContext.getLocalEntityRole(); if (localEntityId == null) { throw new MetadataProviderException( "No hosted service provider is configured and no alias was selected"); } EntityDescriptor entityDescriptor = metadata.getEntityDescriptor(localEntityId); RoleDescriptor roleDescriptor = metadata.getRole(localEntityId, localEntityRole, SAMLConstants.SAML20P_NS); ExtendedMetadata extendedMetadata = metadata.getExtendedMetadata(localEntityId); if (entityDescriptor == null || roleDescriptor == null) { throw new MetadataProviderException( "Metadata for entity " + localEntityId + " and role " + localEntityRole + " wasn't found"); } samlContext.setLocalEntityMetadata(entityDescriptor); samlContext.setLocalEntityRoleMetadata(roleDescriptor); samlContext.setLocalExtendedMetadata(extendedMetadata); if (extendedMetadata.getSigningKey() != null) { samlContext.setLocalSigningCredential( keyManager.getCredential(extendedMetadata.getSigningKey())); } else { samlContext.setLocalSigningCredential(keyManager.getDefaultCredential()); } }