/**
* Validate the AudienceRestriction of SAML2 Response
*
* @param assertion SAML2 Assertion
* @return validity
*/
private void validateAudienceRestriction(Assertion assertion) throws SAMLSSOException {
if (assertion != null) {
Conditions conditions = assertion.getConditions();
if (conditions != null) {
List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) {
for (AudienceRestriction audienceRestriction : audienceRestrictions) {
if (CollectionUtils.isNotEmpty(audienceRestriction.getAudiences())) {
boolean audienceFound = false;
for (Audience audience : audienceRestriction.getAudiences()) {
if (properties
.get(IdentityApplicationConstants.Authenticator.SAML2SSO.SP_ENTITY_ID)
.equals(audience.getAudienceURI())) {
audienceFound = true;
break;
}
}
if (!audienceFound) {
throw new SAMLSSOException("SAML Assertion Audience Restriction validation failed");
}
} else {
throw new SAMLSSOException(
"SAML Response's AudienceRestriction doesn't contain Audiences");
}
}
} else {
throw new SAMLSSOException("SAML Response doesn't contain AudienceRestrictions");
}
} else {
throw new SAMLSSOException("SAML Response doesn't contain Conditions");
}
}
}
/**
* Validate the AudienceRestriction of SAML2 Response
*
* @param assertion SAML2 Assertion
* @return validity
*/
protected void validateAudienceRestriction(Assertion assertion) throws SSOAgentException {
if (assertion != null) {
Conditions conditions = assertion.getConditions();
if (conditions != null) {
List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) {
boolean audienceFound = false;
for (AudienceRestriction audienceRestriction : audienceRestrictions) {
if (audienceRestriction.getAudiences() != null
&& !audienceRestriction.getAudiences().isEmpty()) {
for (Audience audience : audienceRestriction.getAudiences()) {
if (ssoAgentConfig.getSAML2().getSPEntityId().equals(audience.getAudienceURI())) {
audienceFound = true;
break;
}
}
}
if (audienceFound) {
break;
}
}
if (!audienceFound) {
throw new SSOAgentException("SAML2 Assertion Audience Restriction validation failed");
}
} else {
throw new SSOAgentException("SAML2 Response doesn't contain AudienceRestrictions");
}
} else {
throw new SSOAgentException("SAML2 Response doesn't contain Conditions");
}
}
}
private Assertion buildSAMLAssertion(
SAMLSSOAuthnReqDTO authReqDTO, DateTime notOnOrAfter, String sessionId)
throws IdentityException {
try {
DateTime currentTime = new DateTime();
Assertion samlAssertion = new AssertionBuilder().buildObject();
samlAssertion.setID(SAMLSSOUtil.createID());
samlAssertion.setVersion(SAMLVersion.VERSION_20);
samlAssertion.setIssuer(SAMLSSOUtil.getIssuer());
samlAssertion.setIssueInstant(currentTime);
Subject subject = new SubjectBuilder().buildObject();
NameID nameId = new NameIDBuilder().buildObject();
if (authReqDTO.getUseFullyQualifiedUsernameAsSubject()) {
nameId.setValue(authReqDTO.getUsername());
nameId.setFormat(NameIdentifier.EMAIL);
} else {
nameId.setValue(MultitenantUtils.getTenantAwareUsername(authReqDTO.getUsername()));
nameId.setFormat(authReqDTO.getNameIDFormat());
}
subject.setNameID(nameId);
SubjectConfirmation subjectConfirmation = new SubjectConfirmationBuilder().buildObject();
subjectConfirmation.setMethod(SAMLSSOConstants.SUBJECT_CONFIRM_BEARER);
SubjectConfirmationData scData = new SubjectConfirmationDataBuilder().buildObject();
scData.setRecipient(authReqDTO.getAssertionConsumerURL());
scData.setNotOnOrAfter(notOnOrAfter);
scData.setInResponseTo(authReqDTO.getId());
subjectConfirmation.setSubjectConfirmationData(scData);
subject.getSubjectConfirmations().add(subjectConfirmation);
samlAssertion.setSubject(subject);
AuthnStatement authStmt = new AuthnStatementBuilder().buildObject();
authStmt.setAuthnInstant(new DateTime());
AuthnContext authContext = new AuthnContextBuilder().buildObject();
AuthnContextClassRef authCtxClassRef = new AuthnContextClassRefBuilder().buildObject();
authCtxClassRef.setAuthnContextClassRef(AuthnContext.PASSWORD_AUTHN_CTX);
authContext.setAuthnContextClassRef(authCtxClassRef);
authStmt.setAuthnContext(authContext);
if (authReqDTO.isDoSingleLogout()) {
authStmt.setSessionIndex(sessionId);
}
samlAssertion.getAuthnStatements().add(authStmt);
/*
* If <AttributeConsumingServiceIndex> element is in the
* <AuthnRequest> and
* according to the spec 2.0 the subject MUST be in the assertion
*/
Map<String, String> claims = SAMLSSOUtil.getAttributes(authReqDTO);
if (claims != null) {
samlAssertion.getAttributeStatements().add(buildAttributeStatement(claims));
}
AudienceRestriction audienceRestriction = new AudienceRestrictionBuilder().buildObject();
Audience issuerAudience = new AudienceBuilder().buildObject();
issuerAudience.setAudienceURI(authReqDTO.getIssuer());
audienceRestriction.getAudiences().add(issuerAudience);
if (authReqDTO.getRequestedAudiences() != null) {
for (String requestedAudience : authReqDTO.getRequestedAudiences()) {
Audience audience = new AudienceBuilder().buildObject();
audience.setAudienceURI(requestedAudience);
audienceRestriction.getAudiences().add(audience);
}
}
Conditions conditions = new ConditionsBuilder().buildObject();
conditions.setNotBefore(currentTime);
conditions.setNotOnOrAfter(notOnOrAfter);
conditions.getAudienceRestrictions().add(audienceRestriction);
samlAssertion.setConditions(conditions);
if (authReqDTO.getDoSignAssertions()) {
SAMLSSOUtil.setSignature(
samlAssertion,
XMLSignature.ALGO_ID_SIGNATURE_RSA,
new SignKeyDataHolder(authReqDTO.getUsername()));
}
return samlAssertion;
} catch (Exception e) {
log.error("Error when reading claim values for generating SAML Response", e);
throw new IdentityException(
"Error when reading claim values for generating SAML Response", e);
}
}
/* (non-Javadoc)
* @see com.vmware.identity.samlservice.SamlValidator#validate(java.lang.Object)
*/
@Override
public ValidationResult validate(AuthnRequestState t) {
log.debug("Validating request {}", t);
ValidationResult vr = null;
try {
Validate.notNull(t);
HttpServletRequest httpRequest = t.getRequest();
Validate.notNull(httpRequest);
AuthnRequest request = t.getAuthnRequest();
Validate.notNull(request);
Validate.notNull(request.getIssuer());
IdmAccessor accessor = t.getIdmAccessor();
Validate.notNull(accessor);
Validate.notNull(accessor.getTenant());
// Validate assertion consumer service first, if that is valid, we can send SAML replies
try {
boolean validateACSWithMetadata = !this.isRequestSigned(t);
String acsUrl =
accessor.getAcsForRelyingParty(
request.getIssuer().getValue(),
request.getAssertionConsumerServiceIndex(),
request.getAssertionConsumerServiceURL(),
request.getProtocolBinding(),
validateACSWithMetadata);
t.setAcsUrl(acsUrl);
} catch (IllegalStateException e) {
// set validation result to 400
log.debug("Caught illegal state exception while Validating {} returning 400", e.toString());
vr = new ValidationResult(HttpServletResponse.SC_BAD_REQUEST, e.getMessage(), null);
}
// Validate ID
if (vr == null && request.getID() == null) {
vr = new ValidationResult(OasisNames.REQUESTER);
log.debug("Validation FAILED - Request ID is missing");
}
// Validate version
if (vr == null) {
SAMLVersion version = request.getVersion();
if ((version.getMajorVersion() > Shared.REQUIRED_SAML_VERSION.getMajorVersion())
|| version.getMajorVersion() == Shared.REQUIRED_SAML_VERSION.getMajorVersion()
&& version.getMinorVersion() > Shared.REQUIRED_SAML_VERSION.getMinorVersion()) {
// version too high
vr =
new ValidationResult(
OasisNames.VERSION_MISMATCH, OasisNames.REQUEST_VERSION_TOO_HIGH);
log.debug("Validation FAILED - Version is too high");
} else if ((version.getMajorVersion() < Shared.REQUIRED_SAML_VERSION.getMajorVersion())
|| version.getMajorVersion() == Shared.REQUIRED_SAML_VERSION.getMajorVersion()
&& version.getMinorVersion() < Shared.REQUIRED_SAML_VERSION.getMinorVersion()) {
// version too low
vr =
new ValidationResult(OasisNames.VERSION_MISMATCH, OasisNames.REQUEST_VERSION_TOO_LOW);
log.debug("Validation FAILED - Version is too low");
}
}
// Validate IssueInstant only if this is a new request (i.e. it had not pass been validated)
if (vr == null && !t.isExistingRequest()) {
DateTime dtPlus = request.getIssueInstant();
DateTime dtMinus = request.getIssueInstant();
DateTime instant = new DateTime();
long clockTolerance = accessor.getClockTolerance();
if (dtPlus == null) {
vr = new ValidationResult(OasisNames.REQUESTER);
log.debug("Validation FAILED - Issue Instant is missing");
} else {
dtPlus = dtPlus.plus(clockTolerance);
dtMinus = dtMinus.minus(clockTolerance);
// dtPlus must be after now and dtMinus must be before now
// in order to satisfy clock tolerance
if (dtPlus.isBefore(instant) || dtMinus.isAfter(instant)) {
vr = new ValidationResult(OasisNames.REQUESTER);
log.debug("Validation FAILED - Issue Instant outside of clock tolerance");
log.debug("clockTolerance {}", clockTolerance);
log.debug("now {}", instant);
log.debug("dtPlus {}", dtPlus.toString());
log.debug("dtMinus {}", dtMinus.toString());
}
}
}
// Destination URL skipped, this is already done by OpenSAML when parsing
// validate scoping if presenet
if (vr == null) {
vr = validateScoping(t);
}
// signature must NOT be included
if (vr == null) {
if (request.getSignature() != null) {
log.debug("Validation FAILED - Signature MUST NOT be present");
vr = new ValidationResult(OasisNames.REQUESTER, OasisNames.REQUEST_UNSUPPORTED);
}
}
// ensure that we don't accept unsigned requests if configuration requires signing
if (vr == null) {
try {
boolean mustBeSigned =
accessor.getAuthnRequestsSignedForRelyingParty(request.getIssuer().getValue());
this.validateSigning(mustBeSigned, t);
} catch (IllegalStateException e) {
// set validation result to request denied
log.error("Validation FAILED - unsigned request detected, signing required");
vr = new ValidationResult(OasisNames.RESPONDER, OasisNames.REQUEST_DENIED);
}
}
// validate NameIDPolicy if present
if (vr == null) {
NameIDPolicy policy = request.getNameIDPolicy();
if (policy != null) {
String format = policy.getFormat();
if (format != null
&& !format.equals(OasisNames.PERSISTENT)
&& !format.equals(OasisNames.EMAIL_ADDRESS)
&& !format.equals(SAMLNames.IDFORMAT_VAL_UPN.toString())) {
log.error("Validation FAILED - unknown NameIDPolicy Format");
vr = new ValidationResult(OasisNames.REQUESTER, OasisNames.INVALID_NAMEID_POLICY);
}
}
}
// validate conditions
if (vr == null) {
Conditions conditions = request.getConditions();
if (conditions != null) {
// notBefore processing
DateTime notBefore = conditions.getNotBefore();
if (notBefore != null) {
// no additional validation, we'll use whatever client wants
t.setStartTime(notBefore.toDate());
}
// delegable and renewable conditions
for (Condition c : conditions.getConditions()) {
if (c == null) {
continue;
}
if (c instanceof RenewableType) {
t.setRenewable(true);
}
if (c instanceof DelegableType) {
t.setDelegable(true);
}
}
}
}
if (vr == null) {
computeSupportedAuthnTypes(t, request);
}
// validation done
if (vr == null) {
log.info("Authentication request validation succeeded");
vr = new ValidationResult(); // success
// check if we need to convert a principal into emailAddress
if (request.getNameIDPolicy() != null
&& request.getNameIDPolicy().getFormat() != null
&& request.getNameIDPolicy().getFormat().equals(OasisNames.EMAIL_ADDRESS)) {
t.setIdentityFormat(OasisNames.IDENTITY_FORMAT_EMAIL_ADDRESS);
} else {
t.setIdentityFormat(OasisNames.IDENTITY_FORMAT_UPN);
}
}
} catch (Exception e) {
vr = new ValidationResult(HttpServletResponse.SC_BAD_REQUEST, "BadRequest", null);
log.debug("Caught exception while Validating " + e.toString() + ", returning 400");
}
return vr;
}
private static List<AttributeStatement> validateAssertion(
Assertion samlAssertion,
SignatureTrustEngine sigTrustEngine,
String myURI,
MessageReplayRule replayRule,
VerifySignatureType verifySignature,
boolean responseSignatureVerified)
throws SAMLValidationException {
if (logger.isDebugEnabled()) {
logger.debug(
"validateAndExtractContext(Assertion, String, SignatureTrustEngine, String, MessageReplayRule, VerifySignatureType) - start"); //$NON-NLS-1$
}
// Check the replay attack
if (replayRule != null) {
BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext();
// messageContext.setInboundMessage(samlResponse);
if (samlAssertion.getIssuer() != null)
messageContext.setInboundMessageIssuer(samlAssertion.getIssuer().getValue());
messageContext.setInboundSAMLMessageId(samlAssertion.getID());
try {
replayRule.evaluate(messageContext);
} catch (SecurityPolicyException e) {
logger.error(
"validateAndExtractContext(Assertion, String, SignatureTrustEngine, String, MessageReplayRule, VerifySignatureType)",
e); //$NON-NLS-1$
throw createSAMLValidationException("Possible Replay Attack for Assertion", false, e);
}
}
if (verifySignature != VerifySignatureType.never) {
Signature signature = samlAssertion.getSignature();
if (signature == null) {
if (verifySignature == VerifySignatureType.force && !responseSignatureVerified) {
throw createSAMLValidationException("Signature does exist in Assertion", true);
}
} else {
verifySignature(signature, samlAssertion.getIssuer().getValue(), sigTrustEngine);
}
}
DateTime dt = new DateTime();
// get subject (code below only processes first Subject confirmation)
Subject subject = samlAssertion.getSubject();
SubjectSchemaValidator subjectSchemaValidator = new SubjectSchemaValidator();
try {
subjectSchemaValidator.validate(subject);
} catch (ValidationException e) {
logger.error(
"validateAndExtractContext(Assertion, String, SignatureTrustEngine, String, MessageReplayRule, VerifySignatureType)",
e); //$NON-NLS-1$
throw createSAMLValidationException("Subject validation failed: " + e.getMessage(), true, e);
}
List<SubjectConfirmation> subjectConfirmations = subject.getSubjectConfirmations();
for (SubjectConfirmation subjectConfirmation : subjectConfirmations) {
SubjectConfirmationSchemaValidator subjectConfirmationSchemaValidator =
new SubjectConfirmationSchemaValidator();
try {
subjectConfirmationSchemaValidator.validate(subjectConfirmation);
} catch (ValidationException e) {
logger.error(
"validateAndExtractContext(Assertion, String, SignatureTrustEngine, String, MessageReplayRule, VerifySignatureType)",
e); //$NON-NLS-1$
throw createSAMLValidationException(
"Subject Confirmation validation failed: " + e.getMessage(), true, e);
}
SubjectConfirmationData subjectConfirmationData =
subjectConfirmation.getSubjectConfirmationData();
try {
subjectConfirmationSchemaValidator.validate(subjectConfirmation);
} catch (ValidationException e) {
logger.error(
"validateAndExtractContext(Assertion, String, SignatureTrustEngine, String, MessageReplayRule, VerifySignatureType)",
e); //$NON-NLS-1$
throw createSAMLValidationException(
"Subject Confirmation validation failed: " + e.getMessage(), true, e);
}
// verify the validity of time using clock skew, subjectConfirmationData.getNotBefore() and
// subjectConfirmationData.getNotOnOrAfter()@
DateTime notBefore = subjectConfirmationData.getNotBefore();
DateTime notAfter = subjectConfirmationData.getNotOnOrAfter();
if (notBefore != null && dt.isBefore(notBefore)) {
throw createSAMLValidationException("Subject confirmation expired.", true);
}
if (notAfter != null && (dt.equals(notAfter) || dt.isAfter(notAfter))) {
throw createSAMLValidationException("Subject confirmation expired.", true);
}
}
// validate conditions
Conditions conditions = samlAssertion.getConditions();
// Validate the spec
ConditionsSpecValidator conditionValidator = new ConditionsSpecValidator();
try {
conditionValidator.validate(conditions);
} catch (ValidationException e) {
logger.error(
"validateAndExtractContext(Assertion, String, SignatureTrustEngine, String, MessageReplayRule, VerifySignatureType)",
e); //$NON-NLS-1$
throw createSAMLValidationException("Condition Validity Failed.", true, e);
}
// verify the validity of time using clock skew, conditions.getNotBefore() and
// conditions.getNotOnOrAfter()@
DateTime notBefore = conditions.getNotBefore();
DateTime notAfter = conditions.getNotOnOrAfter();
if (notBefore != null && dt.isBefore(notBefore)) {
throw createSAMLValidationException("Assertion expired.", true);
}
if (notAfter != null && (dt.equals(notAfter) || dt.isAfter(notAfter))) {
throw createSAMLValidationException("Assertion expired.", true);
}
for (Condition condition : conditions.getConditions()) {
if (condition instanceof AudienceRestriction) {
if (myURI != null && myURI.length() > 0) {
boolean audiencePresent = false;
boolean iAmOneOfTheAudience = false;
AudienceRestriction audienceRestriction = (AudienceRestriction) condition;
for (Audience audience : audienceRestriction.getAudiences()) {
audiencePresent = true;
String audienceURI = audience.getAudienceURI();
if (myURI.equals(audienceURI)) {
iAmOneOfTheAudience = true;
break;
}
}
if (!(audiencePresent && iAmOneOfTheAudience)) {
throw createSAMLValidationException(
"None of the audience is intended for me: " + myURI, false);
}
}
}
}
List<AttributeStatement> asList = samlAssertion.getAttributeStatements();
if (logger.isDebugEnabled()) {
logger.debug(
"validateAndExtractContext(Assertion, String, SignatureTrustEngine, String, MessageReplayRule, VerifySignatureType) - end"); //$NON-NLS-1$
}
return asList;
}
