org.opensaml.saml.saml2.metadata.SingleSignOnService Java Examples

The following examples show how to use org.opensaml.saml.saml2.metadata.SingleSignOnService. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: Saml2SettingsProvider.java    From deprecated-security-advanced-modules with Apache License 2.0 6 votes vote down vote up
private void initIdpEndpoints(IDPSSODescriptor idpSsoDescriptor, HashMap<String, Object> configProperties)
        throws SamlConfigException {
    SingleSignOnService singleSignOnService = this.findSingleSignOnService(idpSsoDescriptor,
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");

    configProperties.put(SettingsBuilder.IDP_SINGLE_SIGN_ON_SERVICE_URL_PROPERTY_KEY,
            singleSignOnService.getLocation());
    configProperties.put(SettingsBuilder.IDP_SINGLE_SIGN_ON_SERVICE_BINDING_PROPERTY_KEY,
            singleSignOnService.getBinding());
    configProperties.put(SettingsBuilder.IDP_ENTITYID_PROPERTY_KEY, this.esSettings.get("idp.entity_id"));

    SingleLogoutService singleLogoutService = this.findSingleLogoutService(idpSsoDescriptor,
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");

    if (singleLogoutService != null) {
        configProperties.put(SettingsBuilder.IDP_SINGLE_LOGOUT_SERVICE_URL_PROPERTY_KEY,
                singleLogoutService.getLocation());
        configProperties.put(SettingsBuilder.IDP_SINGLE_LOGOUT_SERVICE_BINDING_PROPERTY_KEY,
                singleLogoutService.getBinding());
    } else {
        log.warn(
                "The IdP does not provide a Single Logout Service. In order to ensure that users have to re-enter their password after logging out, Open Distro Security will issue all SAML authentication requests with a mandatory password input (ForceAuthn=true)");
    }
}
 
Example #2
Source File: Saml2SettingsProvider.java    From deprecated-security-advanced-modules with Apache License 2.0 5 votes vote down vote up
private SingleSignOnService findSingleSignOnService(IDPSSODescriptor idpSsoDescriptor, String binding)
        throws SamlConfigException {
    for (SingleSignOnService singleSignOnService : idpSsoDescriptor.getSingleSignOnServices()) {
        if (binding.equals(singleSignOnService.getBinding())) {
            return singleSignOnService;
        }
    }

    throw new SamlConfigException("Could not find SingleSignOnService endpoint for binding " + binding
            + "; available services: " + idpSsoDescriptor.getSingleSignOnServices());
}
 
Example #3
Source File: AccessFilter.java    From OpenSAML-ref-project-demo-v3 with Apache License 2.0 5 votes vote down vote up
private Endpoint getIPDEndpoint() {
    SingleSignOnService endpoint = OpenSAMLUtils.buildSAMLObject(SingleSignOnService.class);
    endpoint.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
    endpoint.setLocation(getIPDSSODestination());

    return endpoint;
}
 
Example #4
Source File: SamlClient.java    From saml-client with MIT License 5 votes vote down vote up
private static SingleSignOnService getIdpBinding(
    IDPSSODescriptor idpSsoDescriptor, SamlIdpBinding samlBinding) throws SamlException {
  return idpSsoDescriptor
      .getSingleSignOnServices()
      .stream()
      .filter(
          x
              -> x.getBinding()
                  .equals("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-" + samlBinding.toString()))
      .findAny()
      .orElseThrow(() -> new SamlException("Cannot find HTTP-POST SSO binding in metadata"));
}
 
Example #5
Source File: MockSamlIdpServer.java    From deprecated-security-advanced-modules with Apache License 2.0 4 votes vote down vote up
private String createMetadata() {
    try {
        EntityDescriptor idpEntityDescriptor = createSamlElement(EntityDescriptor.class);
        idpEntityDescriptor.setEntityID(idpEntityId);

        IDPSSODescriptor idpSsoDescriptor = createSamlElement(IDPSSODescriptor.class);
        idpEntityDescriptor.getRoleDescriptors().add(idpSsoDescriptor);

        idpSsoDescriptor.setWantAuthnRequestsSigned(wantAuthnRequestsSigned);
        idpSsoDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);

        SingleLogoutService redirectSingleLogoutService = createSamlElement(SingleLogoutService.class);
        idpSsoDescriptor.getSingleLogoutServices().add(redirectSingleLogoutService);

        redirectSingleLogoutService.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");
        redirectSingleLogoutService.setLocation(getSamlSloUri());

        idpSsoDescriptor.getNameIDFormats()
                .add(createNameIDFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"));

        SingleSignOnService redirectSingleSignOnService = createSamlElement(SingleSignOnService.class);
        idpSsoDescriptor.getSingleSignOnServices().add(redirectSingleSignOnService);

        redirectSingleSignOnService.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");
        redirectSingleSignOnService.setLocation(getSamlSsoUri());

        X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
        keyInfoGeneratorFactory.setEmitEntityCertificate(true);
        KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();

        KeyDescriptor signingKeyDescriptor = createSamlElement(KeyDescriptor.class);
        idpSsoDescriptor.getKeyDescriptors().add(signingKeyDescriptor);

        signingKeyDescriptor.setUse(UsageType.SIGNING);

        signingKeyDescriptor
                .setKeyInfo(keyInfoGenerator.generate(new BasicX509Credential(this.signingCertificate)));

        return marshallSamlXml(idpEntityDescriptor);
    } catch (org.opensaml.security.SecurityException e) {
        throw new RuntimeException(e);
    }
}
 
Example #6
Source File: AuthenticationHandlerSAML2.java    From sling-whiteboard with Apache License 2.0 4 votes vote down vote up
private Endpoint getIPDEndpoint() {
    SingleSignOnService endpoint = Helpers.buildSAMLObject(SingleSignOnService.class);
    endpoint.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
    endpoint.setLocation(saml2ConfigService.getSaml2IDPDestination());
    return endpoint;
}
 
Example #7
Source File: SamlClient.java    From saml-client with MIT License 4 votes vote down vote up
/**
 * Constructs an SAML client using XML metadata obtained from the identity provider. <p> When
 * using Okta as an identity provider, it is possible to pass null to relyingPartyIdentifier and
 * assertionConsumerServiceUrl; they will be inferred from the metadata provider XML.
 *
 * @param relyingPartyIdentifier      the identifier for the relying party.
 * @param assertionConsumerServiceUrl the url where the identity provider will post back the
 *                                    SAML response.
 * @param metadata                    the XML metadata obtained from the identity provider.
 * @param samlBinding                 the HTTP method to use for binding to the IdP.
 * @param certificates                list of certificates.
 * @return The created {@link SamlClient}.
 * @throws SamlException thrown if any error occur while loading the metadata information.
 */
public static SamlClient fromMetadata(
    String relyingPartyIdentifier,
    String assertionConsumerServiceUrl,
    Reader metadata,
    SamlIdpBinding samlBinding,
    List<X509Certificate> certificates)
    throws SamlException {

  ensureOpenSamlIsInitialized();

  DOMMetadataResolver metadataResolver = createMetadataResolver(skipBom(metadata));
  EntityDescriptor entityDescriptor = getEntityDescriptor(metadataResolver);

  IDPSSODescriptor idpSsoDescriptor = getIDPSSODescriptor(entityDescriptor);
  SingleSignOnService idpBinding = null;
  if (idpSsoDescriptor.getSingleSignOnServices() != null
      && !idpSsoDescriptor.getSingleSignOnServices().isEmpty()) {
    idpBinding = getIdpBinding(idpSsoDescriptor, samlBinding);
  }

  List<X509Certificate> x509Certificates = getCertificates(idpSsoDescriptor);
  boolean isOkta = entityDescriptor.getEntityID().contains(".okta.com");

  if (relyingPartyIdentifier == null) {
    // Okta's own toolkit uses the entity ID as a relying party identifier, so if we
    // detect that the IDP is Okta let's tolerate a null value for this parameter.
    if (isOkta) {
      relyingPartyIdentifier = entityDescriptor.getEntityID();
    } else {
      throw new IllegalArgumentException("relyingPartyIdentifier");
    }
  }

  if (idpBinding != null && assertionConsumerServiceUrl == null && isOkta) {
    // Again, Okta's own toolkit uses this value for the assertion consumer url, which
    // kinda makes no sense since this is supposed to be a url pointing to a server
    // outside Okta, but it probably just straight ignores this and use the one from
    // it's own config anyway.
    assertionConsumerServiceUrl = idpBinding.getLocation();
  }

  if (certificates != null) {
    // Adding certificates given to this method
    // because some idp metadata file does not embedded signing certificate
    x509Certificates.addAll(certificates);
  }

  String identityProviderUrl;
  if (idpBinding != null) {
    identityProviderUrl = idpBinding.getLocation();
  } else {
    identityProviderUrl = assertionConsumerServiceUrl;
  }
  String responseIssuer = entityDescriptor.getEntityID();

  return new SamlClient(
      relyingPartyIdentifier,
      assertionConsumerServiceUrl,
      identityProviderUrl,
      responseIssuer,
      x509Certificates,
      samlBinding);
}