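/**
 * Validates the AudienceRestriction conditions of a SAML2 Assertion against this SP.
 *
 * <p>Per SAML 2.0 Core §2.5.1.4 the AudienceRestriction elements of an assertion are
 * evaluated independently: <em>each</em> one must list this SP's entity ID among its
 * Audiences (audiences within one element are alternatives, the elements themselves
 * are not). The previous implementation accepted the assertion as soon as <em>any</em>
 * AudienceRestriction named this SP, so an assertion carrying one matching and one
 * foreign restriction was wrongly accepted. A restriction with no Audience at all can
 * never be satisfied and therefore fails validation.
 *
 * <p>The comparison fails closed: an unconfigured (null) SP entity ID never matches.
 *
 * @param assertion the SAML2 Assertion whose Conditions are checked
 * @throws SSOAgentException if the assertion has no Conditions, no AudienceRestriction,
 *     or any AudienceRestriction does not name this SP's entity ID
 */
protected void validateAudienceRestriction(Assertion assertion) throws SSOAgentException {
    if (assertion == null) {
        // NOTE(review): a null assertion is silently accepted here, exactly as before;
        // callers are expected to have rejected a missing assertion already — confirm.
        return;
    }
    Conditions conditions = assertion.getConditions();
    if (conditions == null) {
        throw new SSOAgentException("SAML2 Response doesn't contain Conditions");
    }
    List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
    if (audienceRestrictions == null || audienceRestrictions.isEmpty()) {
        throw new SSOAgentException("SAML2 Response doesn't contain AudienceRestrictions");
    }
    // Hoisted out of the loops; a null value simply never matches (fail closed) instead of
    // throwing NullPointerException from equals().
    String spEntityId = ssoAgentConfig.getSAML2().getSPEntityId();
    for (AudienceRestriction audienceRestriction : audienceRestrictions) {
        if (!audienceRestrictionNamesSp(audienceRestriction, spEntityId)) {
            throw new SSOAgentException("SAML2 Assertion Audience Restriction validation failed");
        }
    }
}

/**
 * Reports whether one AudienceRestriction lists {@code spEntityId} among its Audiences.
 *
 * @param restriction a single AudienceRestriction condition
 * @param spEntityId this SP's entity ID; null never matches
 * @return true only if at least one Audience URI equals {@code spEntityId}
 */
private static boolean audienceRestrictionNamesSp(AudienceRestriction restriction, String spEntityId) {
    List<Audience> audiences = restriction.getAudiences();
    if (spEntityId == null || audiences == null) {
        return false;
    }
    for (Audience audience : audiences) {
        if (spEntityId.equals(audience.getAudienceURI())) {
            return true;
        }
    }
    return false;
}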
/**
 * Validates the AudienceRestriction conditions of the given SAML2 Assertion.
 *
 * <p>Every AudienceRestriction must list this SP's entity ID (read from
 * {@code properties} under {@code SP_ENTITY_ID}) among its Audiences; restrictions are
 * checked one by one and the first unsatisfied one aborts validation. A null assertion is
 * not checked at all.
 *
 * @param assertion the SAML2 Assertion to check; null is accepted without validation
 * @throws SAMLSSOException if Conditions or AudienceRestrictions are missing, an
 *     AudienceRestriction has no Audiences, or one does not name this SP
 */
private void validateAudienceRestriction(Assertion assertion) throws SAMLSSOException {
    if (assertion == null) {
        return;
    }
    Conditions conditions = assertion.getConditions();
    if (conditions == null) {
        throw new SAMLSSOException("SAML Response doesn't contain Conditions");
    }
    List<AudienceRestriction> restrictions = conditions.getAudienceRestrictions();
    if (restrictions == null || restrictions.isEmpty()) {
        throw new SAMLSSOException("SAML Response doesn't contain AudienceRestrictions");
    }
    for (AudienceRestriction restriction : restrictions) {
        List<Audience> audiences = restriction.getAudiences();
        if (!CollectionUtils.isNotEmpty(audiences)) {
            throw new SAMLSSOException(
                    "SAML Response's AudienceRestriction doesn't contain Audiences");
        }
        // The configured SP entity ID; compared against every Audience of this restriction.
        Object expectedAudience =
                properties.get(IdentityApplicationConstants.Authenticator.SAML2SSO.SP_ENTITY_ID);
        boolean matched = false;
        for (Audience audience : audiences) {
            if (expectedAudience.equals(audience.getAudienceURI())) {
                matched = true;
                break;
            }
        }
        if (!matched) {
            throw new SAMLSSOException("SAML Assertion Audience Restriction validation failed");
        }
    }
}
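/** Log context label shared by validateAssertion and its helpers. */
private static final String VALIDATE_ASSERTION_LOG_CTX =
        "validateAndExtractContext(Assertion, String, SignatureTrustEngine, String, MessageReplayRule, VerifySignatureType)"; //$NON-NLS-1$

/**
 * Validates a SAML2 Assertion and returns its AttributeStatements.
 *
 * <p>Checks run in this order and the first failure aborts: replay detection (only when a
 * {@code replayRule} is supplied), the assertion signature (according to
 * {@code verifySignature}), schema and validity window of every SubjectConfirmation, the
 * Conditions element with its validity window, and finally every AudienceRestriction against
 * {@code myURI}.
 *
 * <p>Fixes over the previous version: the SubjectConfirmation schema validator was run twice
 * and the SubjectConfirmationData was dereferenced without a null check; a missing Issuer on a
 * signed assertion and a missing Conditions element surfaced as NullPointerException instead
 * of a validation failure; the "not yet valid" case was reported as "expired"; the
 * missing-signature message read "does exist".
 *
 * <p>Known gaps a caller must cover (unchanged here): no clock skew is tolerated on any time
 * check; SubjectConfirmation Recipient, InResponseTo and Method are not examined; a null or
 * empty {@code myURI} disables the audience check entirely; an assertion that carries no
 * AudienceRestriction at all is accepted.
 *
 * @param samlAssertion the assertion under validation
 * @param sigTrustEngine trust engine handed to {@code verifySignature} for the assertion signature
 * @param myURI this SP's entity ID, required in every AudienceRestriction; null/empty skips the check
 * @param replayRule replay-detection rule, or null to skip replay detection
 * @param verifySignature signature-verification mode; {@code never} skips the check, {@code force}
 *     requires a signature unless the enclosing Response was already verified
 * @param responseSignatureVerified true if the enclosing Response signature was verified; with
 *     {@code force} this stands in for a missing assertion signature
 * @return the assertion's AttributeStatements
 * @throws SAMLValidationException if any check fails
 */
private static List<AttributeStatement> validateAssertion(
        Assertion samlAssertion,
        SignatureTrustEngine sigTrustEngine,
        String myURI,
        MessageReplayRule replayRule,
        VerifySignatureType verifySignature,
        boolean responseSignatureVerified)
        throws SAMLValidationException {
    if (logger.isDebugEnabled()) {
        logger.debug(VALIDATE_ASSERTION_LOG_CTX + " - start"); //$NON-NLS-1$
    }
    assertNotReplayed(samlAssertion, replayRule);
    assertSignatureAcceptable(samlAssertion, sigTrustEngine, verifySignature, responseSignatureVerified);
    // One instant for both the SubjectConfirmation and the Conditions windows.
    DateTime now = new DateTime();
    assertSubjectConfirmationsValid(samlAssertion, now);
    assertConditionsValid(samlAssertion, now, myURI);
    List<AttributeStatement> attributeStatements = samlAssertion.getAttributeStatements();
    if (logger.isDebugEnabled()) {
        logger.debug(VALIDATE_ASSERTION_LOG_CTX + " - end"); //$NON-NLS-1$
    }
    return attributeStatements;
}

/**
 * Runs the replay rule against the assertion ID (and Issuer, when present).
 *
 * @param samlAssertion the assertion whose ID is checked
 * @param replayRule the rule to evaluate; null disables replay detection
 * @throws SAMLValidationException if the rule rejects the message
 */
private static void assertNotReplayed(Assertion samlAssertion, MessageReplayRule replayRule)
        throws SAMLValidationException {
    if (replayRule == null) {
        return;
    }
    BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext();
    if (samlAssertion.getIssuer() != null) {
        messageContext.setInboundMessageIssuer(samlAssertion.getIssuer().getValue());
    }
    // NOTE(review): an assertion without an ID cannot be replay-tracked; whether the rule
    // rejects a null ID is up to the rule — confirm against the configured MessageReplayRule.
    messageContext.setInboundSAMLMessageId(samlAssertion.getID());
    try {
        replayRule.evaluate(messageContext);
    } catch (SecurityPolicyException e) {
        logger.error(VALIDATE_ASSERTION_LOG_CTX, e);
        throw createSAMLValidationException("Possible Replay Attack for Assertion", false, e);
    }
}

/**
 * Applies the signature policy: {@code never} skips verification; an absent signature is
 * tolerated unless the mode is {@code force} and the enclosing Response was not verified;
 * a present signature is always verified against the Issuer via {@code verifySignature}.
 *
 * @param samlAssertion the assertion whose signature is checked
 * @param sigTrustEngine trust engine used for verification
 * @param mode the configured verification mode
 * @param responseSignatureVerified whether the enclosing Response signature was verified
 * @throws SAMLValidationException if a required signature is absent, the Issuer is missing on a
 *     signed assertion, or verification fails
 */
private static void assertSignatureAcceptable(
        Assertion samlAssertion,
        SignatureTrustEngine sigTrustEngine,
        VerifySignatureType mode,
        boolean responseSignatureVerified)
        throws SAMLValidationException {
    if (mode == VerifySignatureType.never) {
        return;
    }
    Signature signature = samlAssertion.getSignature();
    if (signature == null) {
        if (mode == VerifySignatureType.force && !responseSignatureVerified) {
            throw createSAMLValidationException("Signature does not exist in Assertion", true);
        }
        return;
    }
    // Issuer is needed to pick the trusted keys; reject rather than NPE when it is missing.
    if (samlAssertion.getIssuer() == null || samlAssertion.getIssuer().getValue() == null) {
        throw createSAMLValidationException("Signed Assertion has no Issuer", true);
    }
    verifySignature(signature, samlAssertion.getIssuer().getValue(), sigTrustEngine);
}

/**
 * Schema-validates the Subject and each SubjectConfirmation, and checks every
 * SubjectConfirmationData validity window against {@code now}.
 *
 * <p>Every SubjectConfirmation present must be within its window; a Subject with no
 * SubjectConfirmation passes this step (unchanged behaviour). Recipient, InResponseTo and the
 * confirmation Method are not checked here.
 *
 * @param samlAssertion the assertion whose Subject is checked
 * @param now the instant to compare against
 * @throws SAMLValidationException on a missing Subject, a schema failure, a missing
 *     SubjectConfirmationData, or a window violation
 */
private static void assertSubjectConfirmationsValid(Assertion samlAssertion, DateTime now)
        throws SAMLValidationException {
    Subject subject = samlAssertion.getSubject();
    if (subject == null) {
        throw createSAMLValidationException("Subject validation failed: Assertion has no Subject", true);
    }
    try {
        new SubjectSchemaValidator().validate(subject);
    } catch (ValidationException e) {
        logger.error(VALIDATE_ASSERTION_LOG_CTX, e);
        throw createSAMLValidationException("Subject validation failed: " + e.getMessage(), true, e);
    }
    SubjectConfirmationSchemaValidator confirmationValidator = new SubjectConfirmationSchemaValidator();
    for (SubjectConfirmation subjectConfirmation : subject.getSubjectConfirmations()) {
        try {
            confirmationValidator.validate(subjectConfirmation);
        } catch (ValidationException e) {
            logger.error(VALIDATE_ASSERTION_LOG_CTX, e);
            throw createSAMLValidationException(
                    "Subject Confirmation validation failed: " + e.getMessage(), true, e);
        }
        SubjectConfirmationData data = subjectConfirmation.getSubjectConfirmationData();
        if (data == null) {
            // Previously a NullPointerException on getNotBefore(); reject explicitly instead.
            throw createSAMLValidationException(
                    "Subject Confirmation validation failed: missing SubjectConfirmationData", true);
        }
        assertWithinWindow(now, data.getNotBefore(), data.getNotOnOrAfter(), "Subject confirmation");
    }
}

/**
 * Schema-validates the Conditions element, checks its validity window and then every
 * AudienceRestriction it carries.
 *
 * @param samlAssertion the assertion whose Conditions are checked
 * @param now the instant to compare against
 * @param myURI this SP's entity ID; null/empty skips the audience check
 * @throws SAMLValidationException on missing Conditions, a schema failure, a window violation
 *     or an AudienceRestriction that does not name {@code myURI}
 */
private static void assertConditionsValid(Assertion samlAssertion, DateTime now, String myURI)
        throws SAMLValidationException {
    Conditions conditions = samlAssertion.getConditions();
    if (conditions == null) {
        // Previously a NullPointerException; reject explicitly instead.
        throw createSAMLValidationException("Condition Validity Failed.", true);
    }
    try {
        new ConditionsSpecValidator().validate(conditions);
    } catch (ValidationException e) {
        logger.error(VALIDATE_ASSERTION_LOG_CTX, e);
        throw createSAMLValidationException("Condition Validity Failed.", true, e);
    }
    assertWithinWindow(now, conditions.getNotBefore(), conditions.getNotOnOrAfter(), "Assertion");
    assertAudienceMatches(conditions, myURI);
}

/**
 * Rejects when {@code now} is before {@code notBefore} or not strictly before
 * {@code notOnOrAfter} (NotOnOrAfter is exclusive). A null bound is unbounded. No clock skew
 * is tolerated.
 *
 * @param now the instant to test
 * @param notBefore lower bound, inclusive, or null
 * @param notOnOrAfter upper bound, exclusive, or null
 * @param label subject of the error message ("Assertion", "Subject confirmation")
 * @throws SAMLValidationException if {@code now} lies outside the window
 */
private static void assertWithinWindow(DateTime now, DateTime notBefore, DateTime notOnOrAfter, String label)
        throws SAMLValidationException {
    if (notBefore != null && now.isBefore(notBefore)) {
        throw createSAMLValidationException(label + " not yet valid.", true);
    }
    // !isBefore covers both "equal" and "after" by millisecond, independent of chronology.
    if (notOnOrAfter != null && !now.isBefore(notOnOrAfter)) {
        throw createSAMLValidationException(label + " expired.", true);
    }
}

/**
 * Requires every AudienceRestriction condition to list {@code myURI} (restrictions are ANDed,
 * the Audiences inside one restriction are ORed, SAML 2.0 Core §2.5.1.4). A restriction with
 * no Audience can never match.
 *
 * @param conditions the validated Conditions element
 * @param myURI this SP's entity ID
 * @throws SAMLValidationException if some AudienceRestriction does not name {@code myURI}
 */
private static void assertAudienceMatches(Conditions conditions, String myURI)
        throws SAMLValidationException {
    if (myURI == null || myURI.length() == 0) {
        // NOTE(review): with no SP URI the audience check is skipped, so an assertion issued
        // for another SP would be accepted — confirm callers always pass myURI in production.
        return;
    }
    for (Condition condition : conditions.getConditions()) {
        if (!(condition instanceof AudienceRestriction)) {
            continue;
        }
        boolean matched = false;
        for (Audience audience : ((AudienceRestriction) condition).getAudiences()) {
            if (myURI.equals(audience.getAudienceURI())) {
                matched = true;
                break;
            }
        }
        if (!matched) {
            throw createSAMLValidationException("None of the audience is intended for me: " + myURI, false);
        }
    }
}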