org.opensaml.saml.saml2.metadata.SingleLogoutService Java Examples
The following examples show how to use
org.opensaml.saml.saml2.metadata.SingleLogoutService.
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
| Source File: Saml2SettingsProvider.java From deprecated-security-advanced-modules with Apache License 2.0 | 6 votes |
|
private void initIdpEndpoints(IDPSSODescriptor idpSsoDescriptor, HashMap<String, Object> configProperties)
throws SamlConfigException {
SingleSignOnService singleSignOnService = this.findSingleSignOnService(idpSsoDescriptor,
"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");
configProperties.put(SettingsBuilder.IDP_SINGLE_SIGN_ON_SERVICE_URL_PROPERTY_KEY,
singleSignOnService.getLocation());
configProperties.put(SettingsBuilder.IDP_SINGLE_SIGN_ON_SERVICE_BINDING_PROPERTY_KEY,
singleSignOnService.getBinding());
configProperties.put(SettingsBuilder.IDP_ENTITYID_PROPERTY_KEY, this.esSettings.get("idp.entity_id"));
SingleLogoutService singleLogoutService = this.findSingleLogoutService(idpSsoDescriptor,
"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");
if (singleLogoutService != null) {
configProperties.put(SettingsBuilder.IDP_SINGLE_LOGOUT_SERVICE_URL_PROPERTY_KEY,
singleLogoutService.getLocation());
configProperties.put(SettingsBuilder.IDP_SINGLE_LOGOUT_SERVICE_BINDING_PROPERTY_KEY,
singleLogoutService.getBinding());
} else {
log.warn(
"The IdP does not provide a Single Logout Service. In order to ensure that users have to re-enter their password after logging out, Open Distro Security will issue all SAML authentication requests with a mandatory password input (ForceAuthn=true)");
}
}
Example #2
| Source File: Saml2SettingsProvider.java From deprecated-security-advanced-modules with Apache License 2.0 | 5 votes |
|
private SingleLogoutService findSingleLogoutService(IDPSSODescriptor idpSsoDescriptor, String binding)
throws SamlConfigException {
for (SingleLogoutService singleLogoutService : idpSsoDescriptor.getSingleLogoutServices()) {
if (binding.equals(singleLogoutService.getBinding())) {
return singleLogoutService;
}
}
return null;
}
Example #3
| Source File: SamlServiceProviderTest.java From armeria with Apache License 2.0 | 5 votes |
|
@Test
public void shouldRespondMetadataWithoutAuthentication() throws Exception {
final AggregatedHttpResponse resp = client.get("/saml/metadata").aggregate().join();
assertThat(resp.status()).isEqualTo(HttpStatus.OK);
assertThat(resp.contentType()).isEqualTo(CONTENT_TYPE_SAML_METADATA);
final EntityDescriptor metadata =
(EntityDescriptor) deserialize(resp.contentUtf8().getBytes());
assertThat(metadata).isNotNull();
final SPSSODescriptor sp = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
assertThat(sp.isAuthnRequestsSigned()).isTrue();
assertThat(sp.getWantAssertionsSigned()).isTrue();
final List<KeyDescriptor> kd = sp.getKeyDescriptors();
assertThat(kd.get(0).getUse().name()).isEqualToIgnoringCase("signing");
assertThat(kd.get(1).getUse().name()).isEqualToIgnoringCase("encryption");
final List<SingleLogoutService> slo = sp.getSingleLogoutServices();
assertThat(slo.get(0).getLocation())
.isEqualTo("http://" + spHostname + ':' + rule.httpPort() + "/saml/slo/post");
assertThat(slo.get(0).getBinding()).isEqualTo(SAMLConstants.SAML2_POST_BINDING_URI);
assertThat(slo.get(1).getLocation())
.isEqualTo("http://" + spHostname + ':' + rule.httpPort() + "/saml/slo/redirect");
assertThat(slo.get(1).getBinding()).isEqualTo(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
final List<AssertionConsumerService> acs = sp.getAssertionConsumerServices();
// index 0 (default)
assertThat(acs.get(0).getIndex()).isEqualTo(0);
assertThat(acs.get(0).isDefault()).isTrue();
assertThat(acs.get(0).getLocation())
.isEqualTo("http://" + spHostname + ':' + rule.httpPort() + "/saml/acs/post");
assertThat(acs.get(0).getBinding()).isEqualTo(SAMLConstants.SAML2_POST_BINDING_URI);
// index 1
assertThat(acs.get(1).getIndex()).isEqualTo(1);
assertThat(acs.get(1).isDefault()).isFalse();
assertThat(acs.get(1).getLocation())
.isEqualTo("http://" + spHostname + ':' + rule.httpPort() + "/saml/acs/redirect");
assertThat(acs.get(1).getBinding()).isEqualTo(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
}
Example #4
| Source File: MockSamlIdpServer.java From deprecated-security-advanced-modules with Apache License 2.0 | 4 votes |
|
private String createMetadata() {
try {
EntityDescriptor idpEntityDescriptor = createSamlElement(EntityDescriptor.class);
idpEntityDescriptor.setEntityID(idpEntityId);
IDPSSODescriptor idpSsoDescriptor = createSamlElement(IDPSSODescriptor.class);
idpEntityDescriptor.getRoleDescriptors().add(idpSsoDescriptor);
idpSsoDescriptor.setWantAuthnRequestsSigned(wantAuthnRequestsSigned);
idpSsoDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
SingleLogoutService redirectSingleLogoutService = createSamlElement(SingleLogoutService.class);
idpSsoDescriptor.getSingleLogoutServices().add(redirectSingleLogoutService);
redirectSingleLogoutService.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");
redirectSingleLogoutService.setLocation(getSamlSloUri());
idpSsoDescriptor.getNameIDFormats()
.add(createNameIDFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"));
SingleSignOnService redirectSingleSignOnService = createSamlElement(SingleSignOnService.class);
idpSsoDescriptor.getSingleSignOnServices().add(redirectSingleSignOnService);
redirectSingleSignOnService.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");
redirectSingleSignOnService.setLocation(getSamlSsoUri());
X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
keyInfoGeneratorFactory.setEmitEntityCertificate(true);
KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
KeyDescriptor signingKeyDescriptor = createSamlElement(KeyDescriptor.class);
idpSsoDescriptor.getKeyDescriptors().add(signingKeyDescriptor);
signingKeyDescriptor.setUse(UsageType.SIGNING);
signingKeyDescriptor
.setKeyInfo(keyInfoGenerator.generate(new BasicX509Credential(this.signingCertificate)));
return marshallSamlXml(idpEntityDescriptor);
} catch (org.opensaml.security.SecurityException e) {
throw new RuntimeException(e);
}
}
Example #5
| Source File: SamlMetadataServiceFunction.java From armeria with Apache License 2.0 | 4 votes |
|
private EntityDescriptor buildMetadataEntityDescriptorElement(
String defaultHostname, SamlPortConfig portConfig) {
final EntityDescriptor entityDescriptor = build(EntityDescriptor.DEFAULT_ELEMENT_NAME);
entityDescriptor.setEntityID(entityId);
final SPSSODescriptor spSsoDescriptor = build(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
spSsoDescriptor.setAuthnRequestsSigned(true);
spSsoDescriptor.setWantAssertionsSigned(true);
spSsoDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
final List<String> nameIdFormats = idpConfigs.values().stream()
.map(p -> p.nameIdPolicy().format())
.distinct()
.map(SamlNameIdFormat::urn)
.collect(Collectors.toList());
spSsoDescriptor.getNameIDFormats().addAll(buildNameIdFormatElements(nameIdFormats));
final List<SingleLogoutService> sloList = spSsoDescriptor.getSingleLogoutServices();
singleLogoutEndpoints.forEach(endpoint -> {
final SingleLogoutService slo = build(SingleLogoutService.DEFAULT_ELEMENT_NAME);
slo.setBinding(endpoint.bindingProtocol().urn());
slo.setLocation(endpoint.toUriString(portConfig.scheme().uriText(),
defaultHostname,
portConfig.port()));
sloList.add(slo);
});
int acsIndex = 0;
final List<AssertionConsumerService> services = spSsoDescriptor.getAssertionConsumerServices();
for (final SamlAssertionConsumerConfig acs : assertionConsumerConfigs) {
services.add(buildAssertionConsumerServiceElement(acs, portConfig, defaultHostname, acsIndex++));
}
final X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
keyInfoGeneratorFactory.setEmitEntityCertificate(true);
keyInfoGeneratorFactory.setEmitEntityCertificateChain(true);
final KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
try {
spSsoDescriptor.getKeyDescriptors().add(
buildKeyDescriptorElement(UsageType.SIGNING,
keyInfoGenerator.generate(signingCredential)));
spSsoDescriptor.getKeyDescriptors().add(
buildKeyDescriptorElement(UsageType.ENCRYPTION,
keyInfoGenerator.generate(encryptionCredential)));
} catch (SecurityException e) {
throw new SamlException("failed to generate KeyInfo element", e);
}
entityDescriptor.getRoleDescriptors().add(spSsoDescriptor);
return entityDescriptor;
}
Example #6
| Source File: SAML2SPLogic.java From syncope with Apache License 2.0 | 4 votes |
|
@PreAuthorize("isAuthenticated()")
public void getMetadata(final String spEntityID, final String urlContext, final OutputStream os) {
check();
try {
EntityDescriptor spEntityDescriptor = new EntityDescriptorBuilder().buildObject();
spEntityDescriptor.setEntityID(spEntityID);
SPSSODescriptor spSSODescriptor = new SPSSODescriptorBuilder().buildObject();
spSSODescriptor.setWantAssertionsSigned(true);
spSSODescriptor.setAuthnRequestsSigned(true);
spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
keyInfoGeneratorFactory.setEmitEntityCertificate(true);
KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
keyInfoGenerator.generate(loader.getCredential());
KeyDescriptor keyDescriptor = new KeyDescriptorBuilder().buildObject();
keyDescriptor.setKeyInfo(keyInfoGenerator.generate(loader.getCredential()));
spSSODescriptor.getKeyDescriptors().add(keyDescriptor);
NameIDFormat nameIDFormat = new NameIDFormatBuilder().buildObject();
nameIDFormat.setFormat(NameIDType.PERSISTENT);
spSSODescriptor.getNameIDFormats().add(nameIDFormat);
nameIDFormat = new NameIDFormatBuilder().buildObject();
nameIDFormat.setFormat(NameIDType.TRANSIENT);
spSSODescriptor.getNameIDFormats().add(nameIDFormat);
for (SAML2BindingType bindingType : SAML2BindingType.values()) {
AssertionConsumerService assertionConsumerService = new AssertionConsumerServiceBuilder().buildObject();
assertionConsumerService.setIndex(bindingType.ordinal());
assertionConsumerService.setBinding(bindingType.getUri());
assertionConsumerService.setLocation(getAssertionConsumerURL(spEntityID, urlContext));
spSSODescriptor.getAssertionConsumerServices().add(assertionConsumerService);
spEntityDescriptor.getRoleDescriptors().add(spSSODescriptor);
String sloUrl = spEntityID + urlContext + "/logout";
validateUrl(sloUrl);
SingleLogoutService singleLogoutService = new SingleLogoutServiceBuilder().buildObject();
singleLogoutService.setBinding(bindingType.getUri());
singleLogoutService.setLocation(sloUrl);
singleLogoutService.setResponseLocation(sloUrl);
spSSODescriptor.getSingleLogoutServices().add(singleLogoutService);
}
spEntityDescriptor.getRoleDescriptors().add(spSSODescriptor);
saml2rw.sign(spEntityDescriptor);
SAML2ReaderWriter.write(new OutputStreamWriter(os), spEntityDescriptor, true);
} catch (Exception e) {
LOG.error("While getting SP metadata", e);
SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
sce.getElements().add(e.getMessage());
throw sce;
}
}
