private Response buildMockResponse() throws Exception {
Response samlMessage = new ResponseBuilder().buildObject();
samlMessage.setID("foo");
samlMessage.setVersion(SAMLVersion.VERSION_20);
samlMessage.setIssueInstant(new DateTime(0));
Issuer issuer = new IssuerBuilder().buildObject();
issuer.setValue("MockedIssuer");
samlMessage.setIssuer(issuer);
Status status = new StatusBuilder().buildObject();
StatusCode statusCode = new StatusCodeBuilder().buildObject();
statusCode.setValue(StatusCode.SUCCESS_URI);
status.setStatusCode(statusCode);
samlMessage.setStatus(status);
Assertion assertion = new AssertionBuilder().buildObject();
Subject subject = new SubjectBuilder().buildObject();
NameID nameID = new NameIDBuilder().buildObject();
nameID.setValue("SOME-UNIQUE-ID");
nameID.setFormat(NameIDType.PERSISTENT);
subject.setNameID(nameID);
assertion.setSubject(subject);
AuthnStatement authnStatement = new AuthnStatementBuilder().buildObject();
authnStatement.setSessionIndex("Some Session String");
assertion.getAuthnStatements().add(authnStatement);
AttributeStatement attributeStatement = new AttributeStatementBuilder().buildObject();
assertion.getAttributeStatements().add(attributeStatement);
samlMessage.getAssertions().add(assertion);
return samlMessage;
}
/*
* Process the response and returns the results
*/
private Map<String, String> getAssertionStatements(Assertion assertion) {
Map<String, String> results = new HashMap<String, String>();
if (assertion != null && assertion.getAttributeStatements() != null) {
List<AttributeStatement> attributeStatementList = assertion.getAttributeStatements();
for (AttributeStatement statement : attributeStatementList) {
List<Attribute> attributesList = statement.getAttributes();
for (Attribute attribute : attributesList) {
Element value = attribute.getAttributeValues().get(0).getDOM();
String attributeValue = value.getTextContent();
results.put(attribute.getName(), attributeValue);
}
}
}
return results;
}
/**
* Returns SAML 2.0 Assertion Attribute Statement content.
*
* @param assertion the SAML 2.0 Assertion whose content is to be returned
* @return Attribute Statement content of the SAML 2.0 Assertion specified
*/
protected static Map<String, String> getAssertionStatements(Assertion assertion) {
Map<String, String> results = new HashMap<>();
if ((Optional.ofNullable(assertion).isPresent())
&& (Optional.ofNullable(assertion.getAttributeStatements()).isPresent())) {
Stream<AttributeStatement> attributeStatements = assertion.getAttributeStatements().stream();
attributeStatements.forEach(
attributeStatement ->
attributeStatement
.getAttributes()
.stream()
.forEach(
attribute -> {
Element value = attribute.getAttributeValues().get(0).getDOM();
String attributeValue = value.getTextContent();
results.put(attribute.getName(), attributeValue);
}));
}
return results;
}
private Map<String, Object> getUserAttributes(ResponseImpl samlResponse) {
Map<String, Object> userAttributes = new HashMap<>();
// Add 'Subject'
Assertion assertion = samlResponse.getAssertions().get(0);
userAttributes.put(
SAMLConstants.SAML2_ASSERTION_SUBJECT, assertion.getSubject().getNameID().getValue());
// Add other user attributes.
List<AttributeStatement> attributeStatements = assertion.getAttributeStatements();
if (attributeStatements != null) {
for (AttributeStatement attributeStatement : attributeStatements) {
List<Attribute> attributes = attributeStatement.getAttributes();
for (Attribute attribute : attributes) {
userAttributes.put(
attribute.getName(), attribute.getAttributeValues().get(0).getDOM().getTextContent());
}
}
}
return userAttributes;
}
private Saml2Credentials buildSaml2Credentials(final ExtendedSAMLMessageContext context) {
NameID nameId = (NameID) context.getSubjectNameIdentifier();
Assertion subjectAssertion = context.getSubjectAssertion();
List<Attribute> attributes = new ArrayList<Attribute>();
for (AttributeStatement attributeStatement : subjectAssertion.getAttributeStatements()) {
for (Attribute attribute : attributeStatement.getAttributes()) {
attributes.add(attribute);
}
if (attributeStatement.getEncryptedAttributes().size() > 0) {
logger.warn("Encrypted attributes returned, but no keystore was provided.");
}
for (EncryptedAttribute encryptedAttribute : attributeStatement.getEncryptedAttributes()) {
try {
attributes.add(decrypter.decrypt(encryptedAttribute));
} catch (DecryptionException e) {
logger.warn("Decryption of attribute failed, continue with the next one", e);
}
}
}
return new Saml2Credentials(nameId, attributes, subjectAssertion.getConditions(), getName());
}
private Assertion buildSAMLAssertion(
SAMLSSOAuthnReqDTO authReqDTO, DateTime notOnOrAfter, String sessionId)
throws IdentityException {
try {
DateTime currentTime = new DateTime();
Assertion samlAssertion = new AssertionBuilder().buildObject();
samlAssertion.setID(SAMLSSOUtil.createID());
samlAssertion.setVersion(SAMLVersion.VERSION_20);
samlAssertion.setIssuer(SAMLSSOUtil.getIssuer());
samlAssertion.setIssueInstant(currentTime);
Subject subject = new SubjectBuilder().buildObject();
NameID nameId = new NameIDBuilder().buildObject();
if (authReqDTO.getUseFullyQualifiedUsernameAsSubject()) {
nameId.setValue(authReqDTO.getUsername());
nameId.setFormat(NameIdentifier.EMAIL);
} else {
nameId.setValue(MultitenantUtils.getTenantAwareUsername(authReqDTO.getUsername()));
nameId.setFormat(authReqDTO.getNameIDFormat());
}
subject.setNameID(nameId);
SubjectConfirmation subjectConfirmation = new SubjectConfirmationBuilder().buildObject();
subjectConfirmation.setMethod(SAMLSSOConstants.SUBJECT_CONFIRM_BEARER);
SubjectConfirmationData scData = new SubjectConfirmationDataBuilder().buildObject();
scData.setRecipient(authReqDTO.getAssertionConsumerURL());
scData.setNotOnOrAfter(notOnOrAfter);
scData.setInResponseTo(authReqDTO.getId());
subjectConfirmation.setSubjectConfirmationData(scData);
subject.getSubjectConfirmations().add(subjectConfirmation);
samlAssertion.setSubject(subject);
AuthnStatement authStmt = new AuthnStatementBuilder().buildObject();
authStmt.setAuthnInstant(new DateTime());
AuthnContext authContext = new AuthnContextBuilder().buildObject();
AuthnContextClassRef authCtxClassRef = new AuthnContextClassRefBuilder().buildObject();
authCtxClassRef.setAuthnContextClassRef(AuthnContext.PASSWORD_AUTHN_CTX);
authContext.setAuthnContextClassRef(authCtxClassRef);
authStmt.setAuthnContext(authContext);
if (authReqDTO.isDoSingleLogout()) {
authStmt.setSessionIndex(sessionId);
}
samlAssertion.getAuthnStatements().add(authStmt);
/*
* If <AttributeConsumingServiceIndex> element is in the
* <AuthnRequest> and
* according to the spec 2.0 the subject MUST be in the assertion
*/
Map<String, String> claims = SAMLSSOUtil.getAttributes(authReqDTO);
if (claims != null) {
samlAssertion.getAttributeStatements().add(buildAttributeStatement(claims));
}
AudienceRestriction audienceRestriction = new AudienceRestrictionBuilder().buildObject();
Audience issuerAudience = new AudienceBuilder().buildObject();
issuerAudience.setAudienceURI(authReqDTO.getIssuer());
audienceRestriction.getAudiences().add(issuerAudience);
if (authReqDTO.getRequestedAudiences() != null) {
for (String requestedAudience : authReqDTO.getRequestedAudiences()) {
Audience audience = new AudienceBuilder().buildObject();
audience.setAudienceURI(requestedAudience);
audienceRestriction.getAudiences().add(audience);
}
}
Conditions conditions = new ConditionsBuilder().buildObject();
conditions.setNotBefore(currentTime);
conditions.setNotOnOrAfter(notOnOrAfter);
conditions.getAudienceRestrictions().add(audienceRestriction);
samlAssertion.setConditions(conditions);
if (authReqDTO.getDoSignAssertions()) {
SAMLSSOUtil.setSignature(
samlAssertion,
XMLSignature.ALGO_ID_SIGNATURE_RSA,
new SignKeyDataHolder(authReqDTO.getUsername()));
}
return samlAssertion;
} catch (Exception e) {
log.error("Error when reading claim values for generating SAML Response", e);
throw new IdentityException(
"Error when reading claim values for generating SAML Response", e);
}
}
private static List<AttributeStatement> validateAssertion(
Assertion samlAssertion,
SignatureTrustEngine sigTrustEngine,
String myURI,
MessageReplayRule replayRule,
VerifySignatureType verifySignature,
boolean responseSignatureVerified)
throws SAMLValidationException {
if (logger.isDebugEnabled()) {
logger.debug(
"validateAndExtractContext(Assertion, String, SignatureTrustEngine, String, MessageReplayRule, VerifySignatureType) - start"); //$NON-NLS-1$
}
// Check the replay attack
if (replayRule != null) {
BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext();
// messageContext.setInboundMessage(samlResponse);
if (samlAssertion.getIssuer() != null)
messageContext.setInboundMessageIssuer(samlAssertion.getIssuer().getValue());
messageContext.setInboundSAMLMessageId(samlAssertion.getID());
try {
replayRule.evaluate(messageContext);
} catch (SecurityPolicyException e) {
logger.error(
"validateAndExtractContext(Assertion, String, SignatureTrustEngine, String, MessageReplayRule, VerifySignatureType)",
e); //$NON-NLS-1$
throw createSAMLValidationException("Possible Replay Attack for Assertion", false, e);
}
}
if (verifySignature != VerifySignatureType.never) {
Signature signature = samlAssertion.getSignature();
if (signature == null) {
if (verifySignature == VerifySignatureType.force && !responseSignatureVerified) {
throw createSAMLValidationException("Signature does exist in Assertion", true);
}
} else {
verifySignature(signature, samlAssertion.getIssuer().getValue(), sigTrustEngine);
}
}
DateTime dt = new DateTime();
// get subject (code below only processes first Subject confirmation)
Subject subject = samlAssertion.getSubject();
SubjectSchemaValidator subjectSchemaValidator = new SubjectSchemaValidator();
try {
subjectSchemaValidator.validate(subject);
} catch (ValidationException e) {
logger.error(
"validateAndExtractContext(Assertion, String, SignatureTrustEngine, String, MessageReplayRule, VerifySignatureType)",
e); //$NON-NLS-1$
throw createSAMLValidationException("Subject validation failed: " + e.getMessage(), true, e);
}
List<SubjectConfirmation> subjectConfirmations = subject.getSubjectConfirmations();
for (SubjectConfirmation subjectConfirmation : subjectConfirmations) {
SubjectConfirmationSchemaValidator subjectConfirmationSchemaValidator =
new SubjectConfirmationSchemaValidator();
try {
subjectConfirmationSchemaValidator.validate(subjectConfirmation);
} catch (ValidationException e) {
logger.error(
"validateAndExtractContext(Assertion, String, SignatureTrustEngine, String, MessageReplayRule, VerifySignatureType)",
e); //$NON-NLS-1$
throw createSAMLValidationException(
"Subject Confirmation validation failed: " + e.getMessage(), true, e);
}
SubjectConfirmationData subjectConfirmationData =
subjectConfirmation.getSubjectConfirmationData();
try {
subjectConfirmationSchemaValidator.validate(subjectConfirmation);
} catch (ValidationException e) {
logger.error(
"validateAndExtractContext(Assertion, String, SignatureTrustEngine, String, MessageReplayRule, VerifySignatureType)",
e); //$NON-NLS-1$
throw createSAMLValidationException(
"Subject Confirmation validation failed: " + e.getMessage(), true, e);
}
// verify the validity of time using clock skew, subjectConfirmationData.getNotBefore() and
// subjectConfirmationData.getNotOnOrAfter()@
DateTime notBefore = subjectConfirmationData.getNotBefore();
DateTime notAfter = subjectConfirmationData.getNotOnOrAfter();
if (notBefore != null && dt.isBefore(notBefore)) {
throw createSAMLValidationException("Subject confirmation expired.", true);
}
if (notAfter != null && (dt.equals(notAfter) || dt.isAfter(notAfter))) {
throw createSAMLValidationException("Subject confirmation expired.", true);
}
}
// validate conditions
Conditions conditions = samlAssertion.getConditions();
// Validate the spec
ConditionsSpecValidator conditionValidator = new ConditionsSpecValidator();
try {
conditionValidator.validate(conditions);
} catch (ValidationException e) {
logger.error(
"validateAndExtractContext(Assertion, String, SignatureTrustEngine, String, MessageReplayRule, VerifySignatureType)",
e); //$NON-NLS-1$
throw createSAMLValidationException("Condition Validity Failed.", true, e);
}
// verify the validity of time using clock skew, conditions.getNotBefore() and
// conditions.getNotOnOrAfter()@
DateTime notBefore = conditions.getNotBefore();
DateTime notAfter = conditions.getNotOnOrAfter();
if (notBefore != null && dt.isBefore(notBefore)) {
throw createSAMLValidationException("Assertion expired.", true);
}
if (notAfter != null && (dt.equals(notAfter) || dt.isAfter(notAfter))) {
throw createSAMLValidationException("Assertion expired.", true);
}
for (Condition condition : conditions.getConditions()) {
if (condition instanceof AudienceRestriction) {
if (myURI != null && myURI.length() > 0) {
boolean audiencePresent = false;
boolean iAmOneOfTheAudience = false;
AudienceRestriction audienceRestriction = (AudienceRestriction) condition;
for (Audience audience : audienceRestriction.getAudiences()) {
audiencePresent = true;
String audienceURI = audience.getAudienceURI();
if (myURI.equals(audienceURI)) {
iAmOneOfTheAudience = true;
break;
}
}
if (!(audiencePresent && iAmOneOfTheAudience)) {
throw createSAMLValidationException(
"None of the audience is intended for me: " + myURI, false);
}
}
}
}
List<AttributeStatement> asList = samlAssertion.getAttributeStatements();
if (logger.isDebugEnabled()) {
logger.debug(
"validateAndExtractContext(Assertion, String, SignatureTrustEngine, String, MessageReplayRule, VerifySignatureType) - end"); //$NON-NLS-1$
}
return asList;
}