/**
 * Builds the SAML2 {@code AuthnRequest} this service provider sends to the IdP.
 *
 * <p>Issuer value, force/passive flags, protocol binding, ACS URL and destination are all read from
 * {@code ssoAgentConfig.getSAML2()}. The request always asks for a persistent NameID (allowCreate) and
 * an EXACT PasswordProtectedTransport authentication context. An {@code Extensions} element is attached
 * only when the caller stored one under the request attribute {@code Extensions.LOCAL_NAME}, and the
 * AttributeConsumingServiceIndex is set only when the configured value is non-blank.
 *
 * @param request current servlet request; consulted only for the optional Extensions attribute
 * @return the populated AuthnRequest, with its ID taken from {@code SSOAgentUtils.createID()}
 * @throws SSOAgentException declared for callers; note that the configured index is handed to
 *     {@code Integer.parseInt}, so a non-numeric value surfaces as a {@code NumberFormatException}
 */
protected AuthnRequest buildAuthnRequest(HttpServletRequest request) throws SSOAgentException {
    // Issuer: the configured SP entity id.
    Issuer spIssuer = new IssuerBuilder()
            .buildObject("urn:oasis:names:tc:SAML:2.0:assertion", "Issuer", "samlp");
    spIssuer.setValue(ssoAgentConfig.getSAML2().getSPEntityId());

    // NameIDPolicy: persistent identifier, IdP may create one.
    NameIDPolicy policy = new NameIDPolicyBuilder().buildObject();
    policy.setFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
    // NOTE(review): the literal "Issuer" is sent as SPNameQualifier — presumably the SP entity id
    // was intended; confirm against the IdP configuration before changing.
    policy.setSPNameQualifier("Issuer");
    policy.setAllowCreate(true);

    // RequestedAuthnContext: exactly PasswordProtectedTransport.
    AuthnContextClassRef classRef = new AuthnContextClassRefBuilder()
            .buildObject("urn:oasis:names:tc:SAML:2.0:assertion", "AuthnContextClassRef", "saml");
    classRef.setAuthnContextClassRef(
            "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");
    RequestedAuthnContext requestedContext = new RequestedAuthnContextBuilder().buildObject();
    requestedContext.setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
    requestedContext.getAuthnContextClassRefs().add(classRef);

    // The AuthnRequest itself.
    AuthnRequest authnRequest = new AuthnRequestBuilder()
            .buildObject("urn:oasis:names:tc:SAML:2.0:protocol", "AuthnRequest", "samlp");
    authnRequest.setID(SSOAgentUtils.createID());
    authnRequest.setVersion(SAMLVersion.VERSION_20);
    authnRequest.setIssueInstant(new DateTime());
    authnRequest.setIssuer(spIssuer);
    authnRequest.setDestination(ssoAgentConfig.getSAML2().getIdPURL());
    authnRequest.setProtocolBinding(ssoAgentConfig.getSAML2().getHttpBinding());
    authnRequest.setAssertionConsumerServiceURL(ssoAgentConfig.getSAML2().getACSURL());
    authnRequest.setForceAuthn(ssoAgentConfig.getSAML2().isForceAuthn());
    authnRequest.setIsPassive(ssoAgentConfig.getSAML2().isPassiveAuthn());
    authnRequest.setNameIDPolicy(policy);
    authnRequest.setRequestedAuthnContext(requestedContext);

    // Optional Extensions element handed over by the caller through a request attribute.
    Object extensionsAttr = request.getAttribute(Extensions.LOCAL_NAME);
    if (extensionsAttr != null) {
        authnRequest.setExtensions((Extensions) extensionsAttr);
    }

    // Optional AttributeConsumingServiceIndex; the index value is the one registered at the IdP.
    String indexValue = ssoAgentConfig.getSAML2().getAttributeConsumingServiceIndex();
    if (indexValue != null && !indexValue.trim().isEmpty()) {
        authnRequest.setAttributeConsumingServiceIndex(Integer.parseInt(indexValue));
    }
    return authnRequest;
}
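/**
 * Adds a {@code NameIDPolicy} element to the request when the options specify a NameID format.
 *
 * <p>Format and allowCreate come from {@code options}; the SPNameQualifier comes from
 * {@code getSPNameQualifier()}. When {@code options.getNameID()} is null the request is left untouched.
 *
 * @param request request to fill
 * @param options options driving generation of the element
 */
@SuppressWarnings("unchecked") // the cast of builderFactory.getBuilder(...) to a typed builder is unchecked
protected void builNameIDPolicy(AuthnRequest request, WebSSOProfileOptions options) {
    if (options.getNameID() == null) {
        return;
    }
    SAMLObjectBuilder<NameIDPolicy> builder =
            (SAMLObjectBuilder<NameIDPolicy>) builderFactory.getBuilder(NameIDPolicy.DEFAULT_ELEMENT_NAME);
    NameIDPolicy nameIDPolicy = builder.buildObject();
    nameIDPolicy.setFormat(options.getNameID());
    nameIDPolicy.setAllowCreate(options.isAllowCreate());
    nameIDPolicy.setSPNameQualifier(getSPNameQualifier());
    request.setNameIDPolicy(nameIDPolicy);
}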
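/**
 * Builds the outbound SAML2 {@code AuthnRequest} for the federated IdP.
 *
 * <p>Behaviour is driven by the authenticator {@code properties}:
 * <ul>
 *   <li>{@code SP_ENTITY_ID} — Issuer value; falls back to {@code "carbonServer"} when unset.</li>
 *   <li>{@code INCLUDE_PROTOCOL_BINDING} — the HTTP-POST ProtocolBinding is set unless this is
 *       explicitly {@code false}.</li>
 *   <li>{@code ATTRIBUTE_CONSUMING_SERVICE_INDEX} — set when numeric; a non-numeric value is logged
 *       and skipped so the request is still built.</li>
 *   <li>{@code INCLUDE_NAME_ID_POLICY} — an unspecified-format, allowCreate NameIDPolicy is added
 *       unless this is explicitly {@code false}.</li>
 * </ul>
 * ForceAuthn comes from {@code isForceAuthenticate(context)}, the RequestedAuthnContext is derived
 * from the inbound AuthnRequest held in the context, and the Extensions element from the servlet
 * request.
 *
 * @param request   inbound servlet request; used only to derive SAML Extensions
 * @param isPassive value for the IsPassive attribute
 * @param idpUrl    destination of the request (the IdP endpoint)
 * @param context   current authentication context
 * @return the populated AuthnRequest, with its ID taken from {@code SSOUtils.createID()}
 * @throws SAMLSSOException propagated from the helpers that inspect the context and request
 */
private AuthnRequest buildAuthnRequest(
        HttpServletRequest request, boolean isPassive, String idpUrl, AuthenticationContext context)
        throws SAMLSSOException {
    AuthnRequest authRequest = new AuthnRequestBuilder()
            .buildObject("urn:oasis:names:tc:SAML:2.0:protocol", "AuthnRequest", "samlp");
    authRequest.setID(SSOUtils.createID());
    authRequest.setVersion(SAMLVersion.VERSION_20);
    authRequest.setIssueInstant(new DateTime());
    authRequest.setIssuer(newSpIssuer());
    authRequest.setDestination(idpUrl);
    authRequest.setForceAuthn(isForceAuthenticate(context));
    authRequest.setIsPassive(isPassive);
    if (isEnabledByDefault(IdentityApplicationConstants.Authenticator.SAML2SSO.INCLUDE_PROTOCOL_BINDING)) {
        authRequest.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI);
    }
    // Responses come back to this server's commonauth endpoint.
    authRequest.setAssertionConsumerServiceURL(IdentityUtil.getServerURL(FrameworkConstants.COMMONAUTH));
    applyAttributeConsumingServiceIndex(authRequest);
    if (isEnabledByDefault(IdentityApplicationConstants.Authenticator.SAML2SSO.INCLUDE_NAME_ID_POLICY)) {
        authRequest.setNameIDPolicy(newUnspecifiedNameIdPolicy());
    }
    // Mirror the inbound request's RequestedAuthnContext, if it yields one.
    RequestedAuthnContext requestedAuthnContext = buildRequestedAuthnContext(getAuthnRequest(context));
    if (requestedAuthnContext != null) {
        authRequest.setRequestedAuthnContext(requestedAuthnContext);
    }
    Extensions extensions = getSAMLExtensions(request);
    if (extensions != null) {
        authRequest.setExtensions(extensions);
    }
    return authRequest;
}

/** Issuer carrying the configured SP entity id, or {@code "carbonServer"} when none is configured. */
private Issuer newSpIssuer() {
    Issuer issuer = new IssuerBuilder()
            .buildObject("urn:oasis:names:tc:SAML:2.0:assertion", "Issuer", "samlp");
    String spEntityId = properties.get(IdentityApplicationConstants.Authenticator.SAML2SSO.SP_ENTITY_ID);
    issuer.setValue(spEntityId != null && !spEntityId.isEmpty() ? spEntityId : "carbonServer");
    return issuer;
}

/** True when the boolean property is absent or empty (default on) or parses as {@code true}. */
private boolean isEnabledByDefault(String propertyName) {
    String value = properties.get(propertyName);
    return StringUtils.isEmpty(value) || Boolean.parseBoolean(value);
}

/**
 * Sets AttributeConsumingServiceIndex from configuration when present. A non-numeric value is
 * logged and ignored so that a misconfigured index does not block authentication.
 */
private void applyAttributeConsumingServiceIndex(AuthnRequest authRequest) {
    String indexProp = properties.get(
            IdentityApplicationConstants.Authenticator.SAML2SSO.ATTRIBUTE_CONSUMING_SERVICE_INDEX);
    if (StringUtils.isEmpty(indexProp)) {
        return;
    }
    try {
        authRequest.setAttributeConsumingServiceIndex(Integer.valueOf(indexProp));
    } catch (NumberFormatException e) {
        log.error("Error while populating SAMLRequest with AttributeConsumingServiceIndex: " + indexProp, e);
    }
}

/** NameIDPolicy with the unspecified format and allowCreate set. */
private NameIDPolicy newUnspecifiedNameIdPolicy() {
    NameIDPolicy nameIdPolicy = new NameIDPolicyBuilder().buildObject();
    nameIdPolicy.setFormat(NameIDType.UNSPECIFIED);
    nameIdPolicy.setAllowCreate(true);
    return nameIdPolicy;
}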
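/**
 * Returns the AuthnRequest SAML message used to demand authentication from the IDP described by
 * idpEntityDescriptor, with the response expected at the assertionConsumer address.
 *
 * <p>When {@code options.getIncludeEidas()} is set, the request additionally carries an eIDAS
 * NameIDPolicy and an {@code Extensions} element holding {@code SPType} and {@code RequestedAttributes}.
 * The RequestedAttributes element is assembled as XML text from {@code options.getEidasAttributes()},
 * parsed with schema validation and unmarshalled; if any of those steps fails, the failure is logged
 * and {@code null} is returned.
 *
 * @param context message context
 * @param options preferences of message creation
 * @param assertionConsumer assertion consumer where the IDP should respond
 * @param bindingService service used to deliver the request
 * @return authnRequest ready to be sent to IDP, or {@code null} when the eIDAS extension could not be built
 * @throws SAMLException error creating the message
 * @throws MetadataProviderException error retrieving metadata
 */
@SuppressWarnings("unchecked") // the cast of builderFactory.getBuilder(...) to a typed builder is unchecked
protected AuthnRequest getAuthnRequest(
        SAMLMessageContext context,
        WebSSOProfileOptions options,
        AssertionConsumerService assertionConsumer,
        SingleSignOnService bindingService)
        throws SAMLException, MetadataProviderException {
    SAMLObjectBuilder<AuthnRequest> builder =
            (SAMLObjectBuilder<AuthnRequest>) builderFactory.getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME);
    AuthnRequest request = builder.buildObject();
    request.setIsPassive(options.getPassive());
    request.setForceAuthn(options.getForceAuthN());
    request.setProviderName(options.getProviderName());
    request.setVersion(SAMLVersion.VERSION_20);

    if (options.getIncludeEidas()) {
        // eIDAS NameIDPolicy. Note that builNameIDPolicy(...) below replaces it when
        // options.getNameID() is set.
        NameIDPolicy nameIDPolicy = new NameIDPolicyBuilder().buildObject();
        nameIDPolicy.setFormat(NAME_POLICY_FORMAT_EIDAS);
        nameIDPolicy.setAllowCreate(true);
        request.setNameIDPolicy(nameIDPolicy);

        // NOTE(review): QName(namespaceURI, localPart) — the two arguments look swapped here;
        // kept as-is because the emitted XML has evidently been accepted so far. Confirm.
        QName eidas = new QName("xmlns:eidas", "http://eidas.europa.eu/saml-extensions");
        request.getNamespaceManager().registerAttributeName(eidas);

        Extensions extEidas = buildEidasExtensions(options);
        if (extEidas == null) {
            return null;
        }
        request.setExtensions(extEidas);
    }
    buildCommonAttributes(context.getLocalEntityId(), request, bindingService);
    buildScoping(request, bindingService, options);
    builNameIDPolicy(request, options);
    buildAuthnContext(request, options);
    buildReturnAddress(request, assertionConsumer);
    return request;
}

/**
 * Builds the eIDAS {@code Extensions} element: an {@code SPType} of {@code EIDAS_PUBLIC} followed by
 * the {@code RequestedAttributes} element built from {@code options.getEidasAttributes()}.
 *
 * @return the populated element, or {@code null} when RequestedAttributes could not be produced
 */
private Extensions buildEidasExtensions(WebSSOProfileOptions options) {
    Extensions extEidas = new ExtensionsBuilder()
            .buildObject("urn:oasis:names:tc:SAML:2.0:protocol", "Extensions", "saml2p");

    // <eidas:SPType>public</eidas:SPType>
    SPType spType = new SPTypeBuilder()
            .buildObject("http://eidas.europa.eu/saml-extensions", "SPType", "eidas");
    spType.setSPType(EIDAS_PUBLIC);
    extEidas.getUnknownXMLObjects().add(spType);

    XMLObject requestedAttributes = parseRequestedAttributes(options.getEidasAttributes());
    if (requestedAttributes == null) {
        return null;
    }
    extEidas.getUnknownXMLObjects().add(requestedAttributes);
    return extEidas;
}

/**
 * Serialises the requested eIDAS attributes to XML text, parses it with schema validation and
 * unmarshals it into an OpenSAML object.
 *
 * <p>The markup is assembled textually, so {@code oneAttribute} is responsible for emitting
 * well-formed, escaped content; the names come from the SP's own options, not from the client.
 *
 * @return the unmarshalled RequestedAttributes element, or {@code null} on any failure (each is logged)
 */
private XMLObject parseRequestedAttributes(Collection<String> attributeNames) {
    StringBuilder xml = new StringBuilder(
            "<eidas:RequestedAttributes xmlns:eidas=\"http://eidas.europa.eu/saml-extensions\">");
    for (String attr : attributeNames) {
        xml.append(oneAttribute(attr));
    }
    xml.append("</eidas:RequestedAttributes>");
    String resAttrs = xml.toString();
    log.debug("resAttrs=" + resAttrs);

    EidasExtensionConfiguration eidasExt = new EidasExtensionConfiguration();
    eidasExt.configureExtension();
    SAMLSchemaBuilder.addExtensionSchema("/schema/saml_eidas_extension.xsd");

    BasicParserPool parserPool = new BasicParserPool();
    parserPool.setNamespaceAware(true);
    try {
        // NOTE(review): the SAML 1.1 schema set is installed for a SAML2/eIDAS fragment — confirm
        // this is the intended validation target.
        parserPool.setSchema(SAMLSchemaBuilder.getSAML11Schema());
    } catch (SAXException ex) {
        log.error("Erreur schema=" + ex, ex);
        return null;
    }

    // Explicit charset: getBytes() without one depends on the platform default encoding.
    InputStream is = new ByteArrayInputStream(
            resAttrs.getBytes(java.nio.charset.Charset.forName("UTF-8")));
    Document domAttrsRaq;
    try {
        domAttrsRaq = parserPool.parse(is);
    } catch (XMLParserException e) {
        log.error("Erreur dom=" + e, e);
        return null;
    }
    if (domAttrsRaq == null) {
        log.error("Erreur dom vide");
        return null;
    }

    try {
        return new RequestedAttributesUnmarshaller().unmarshall(domAttrsRaq.getDocumentElement());
    } catch (UnmarshallingException e) {
        // Fail like the other error paths instead of adding a null element to the extension.
        log.error("Erreur unMarsh error=" + e, e);
        return null;
    }
}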