2 * Copyright [2007] [University Corporation for Advanced Internet Development, Inc.]
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 package edu.internet2.middleware.shibboleth.idp.profile.saml2;
19 import java.util.Collection;
21 import org.joda.time.DateTime;
23 import org.opensaml.common.SAMLObjectBuilder;
24 import org.opensaml.common.SAMLVersion;
25 import org.opensaml.common.impl.SAMLObjectContentReference;
27 import org.opensaml.saml2.core.Advice;
28 import org.opensaml.saml2.core.Assertion;
29 import org.opensaml.saml2.core.Audience;
30 import org.opensaml.saml2.core.AudienceRestriction;
31 import org.opensaml.saml2.core.Conditions;
32 import org.opensaml.saml2.core.Issuer;
33 import org.opensaml.saml2.core.ProxyRestriction;
34 import org.opensaml.saml2.core.RequestAbstractType;
35 import org.opensaml.saml2.core.Response;
36 import org.opensaml.saml2.core.Status;
37 import org.opensaml.saml2.core.StatusCode;
38 import org.opensaml.saml2.core.StatusMessage;
39 import org.opensaml.saml2.core.StatusResponseType;
40 import org.opensaml.saml2.core.Subject;
42 import org.opensaml.xml.XMLObjectBuilder;
43 import org.opensaml.xml.encryption.EncryptionException;
44 import org.opensaml.xml.security.credential.Credential;
45 import org.opensaml.xml.signature.Signature;
46 import org.opensaml.xml.signature.Signer;
47 import org.opensaml.xml.util.DatatypeHelper;
49 import edu.internet2.middleware.shibboleth.common.relyingparty.RelyingPartyConfiguration;
50 import edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml2.AbstractSAML2ProfileConfiguration;
51 import edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler;
54 * Common implementation details for profile handlers.
56 public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHandler {
58 /** SAML Version for this profile handler. */
59 public static final SAMLVersion SAML_VERSION = SAMLVersion.VERSION_20;
61 /** URI for the SAML 2 protocol. */
62 public static final String SAML20_PROTOCOL_URI = "urn:oasis:names:tc:SAML:2.0:protocol";
64 /** For building response. */
65 private SAMLObjectBuilder<Response> responseBuilder;
67 /** For building status. */
68 private SAMLObjectBuilder<Status> statusBuilder;
70 /** For building statuscode. */
71 private SAMLObjectBuilder<StatusCode> statusCodeBuilder;
73 /** For building StatusMessages. */
74 private SAMLObjectBuilder<StatusMessage> statusMessageBuilder;
76 /** For building assertion. */
77 private SAMLObjectBuilder<Assertion> assertionBuilder;
79 /** For building issuer. */
80 private SAMLObjectBuilder<Issuer> issuerBuilder;
82 /** For building subject. */
83 private SAMLObjectBuilder<Subject> subjectBuilder;
85 /** For building conditions. */
86 private SAMLObjectBuilder<Conditions> conditionsBuilder;
88 /** For building audience restriction. */
89 private SAMLObjectBuilder<AudienceRestriction> audienceRestrictionBuilder;
91 /** For building proxy retrictions. */
92 private SAMLObjectBuilder<ProxyRestriction> proxyRestrictionBuilder;
94 /** For building audience. */
95 private SAMLObjectBuilder<Audience> audienceBuilder;
97 /** For building advice. */
98 private SAMLObjectBuilder<Advice> adviceBuilder;
100 /** For building signature. */
101 private XMLObjectBuilder<Signature> signatureBuilder;
104 @SuppressWarnings("unchecked")
105 protected AbstractSAML2ProfileHandler() {
109 responseBuilder = (SAMLObjectBuilder<Response>) getBuilderFactory().getBuilder(Response.DEFAULT_ELEMENT_NAME);
110 statusBuilder = (SAMLObjectBuilder<Status>) getBuilderFactory().getBuilder(Status.DEFAULT_ELEMENT_NAME);
111 statusCodeBuilder = (SAMLObjectBuilder<StatusCode>) getBuilderFactory().getBuilder(
112 StatusCode.DEFAULT_ELEMENT_NAME);
113 statusMessageBuilder = (SAMLObjectBuilder<StatusMessage>) getBuilderFactory().getBuilder(
114 StatusMessage.DEFAULT_ELEMENT_NAME);
115 issuerBuilder = (SAMLObjectBuilder<Issuer>) getBuilderFactory().getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
116 assertionBuilder = (SAMLObjectBuilder<Assertion>) getBuilderFactory()
117 .getBuilder(Assertion.DEFAULT_ELEMENT_NAME);
118 subjectBuilder = (SAMLObjectBuilder<Subject>) getBuilderFactory().getBuilder(Subject.DEFAULT_ELEMENT_NAME);
119 conditionsBuilder = (SAMLObjectBuilder<Conditions>) getBuilderFactory().getBuilder(
120 Conditions.DEFAULT_ELEMENT_NAME);
121 audienceRestrictionBuilder = (SAMLObjectBuilder<AudienceRestriction>) getBuilderFactory().getBuilder(
122 AudienceRestriction.DEFAULT_ELEMENT_NAME);
123 proxyRestrictionBuilder = (SAMLObjectBuilder<ProxyRestriction>) getBuilderFactory().getBuilder(
124 ProxyRestriction.DEFAULT_ELEMENT_NAME);
125 audienceBuilder = (SAMLObjectBuilder<Audience>) getBuilderFactory().getBuilder(Audience.DEFAULT_ELEMENT_NAME);
126 adviceBuilder = (SAMLObjectBuilder<Advice>) getBuilderFactory().getBuilder(Advice.DEFAULT_ELEMENT_NAME);
127 signatureBuilder = (XMLObjectBuilder<Signature>) getBuilderFactory().getBuilder(Signature.DEFAULT_ELEMENT_NAME);
131 * Convenience method for getting the SAML 2 advice builder.
133 * @return SAML 2 advice builder
135 public SAMLObjectBuilder<Advice> getAdviceBuilder() {
136 return adviceBuilder;
140 * Convenience method for getting the SAML 2 assertion builder.
142 * @return SAML 2 assertion builder
144 public SAMLObjectBuilder<Assertion> getAssertionBuilder() {
145 return assertionBuilder;
149 * Convenience method for getting the SAML 2 audience builder.
151 * @return SAML 2 audience builder
153 public SAMLObjectBuilder<Audience> getAudienceBuilder() {
154 return audienceBuilder;
158 * Convenience method for getting the SAML 2 audience restriction builder.
160 * @return SAML 2 audience restriction builder
162 public SAMLObjectBuilder<AudienceRestriction> getAudienceRestrictionBuilder() {
163 return audienceRestrictionBuilder;
167 * Convenience method for getting the SAML 2 conditions builder.
169 * @return SAML 2 conditions builder
171 public SAMLObjectBuilder<Conditions> getConditionsBuilder() {
172 return conditionsBuilder;
176 * Convenience method for getting the SAML 2 Issuer builder.
178 * @return SAML 2 Issuer builder
180 public SAMLObjectBuilder<Issuer> getIssuerBuilder() {
181 return issuerBuilder;
185 * Convenience method for getting the SAML 2 proxy restriction builder.
187 * @return SAML 2 proxy restriction builder
189 public SAMLObjectBuilder<ProxyRestriction> getProxyRestrictionBuilder() {
190 return proxyRestrictionBuilder;
194 * Convenience method for getting the SAML 2 response builder.
196 * @return SAML 2 response builder
198 public SAMLObjectBuilder<Response> getResponseBuilder() {
199 return responseBuilder;
203 * Convenience method for getting the Signature builder.
205 * @return signature builder
207 public XMLObjectBuilder<Signature> getSignatureBuilder() {
208 return signatureBuilder;
212 * Convenience method for getting the SAML 2 status builder.
214 * @return SAML 2 status builder
216 public SAMLObjectBuilder<Status> getStatusBuilder() {
217 return statusBuilder;
221 * Convenience method for getting the SAML 2 status code builder.
223 * @return SAML 2 status code builder
225 public SAMLObjectBuilder<StatusCode> getStatusCodeBuilder() {
226 return statusCodeBuilder;
230 * Convenience method for getting the SAML 2 status message builder.
232 * @return SAML 2 status message builder
234 public SAMLObjectBuilder<StatusMessage> getStatusMessageBuilder() {
235 return statusMessageBuilder;
239 * Convenience method for getting the SAML 2 subject builder.
241 * @return SAML 2 subject builder
243 public SAMLObjectBuilder<Subject> getSubjectBuilder() {
244 return subjectBuilder;
248 * Populates the response's id, in response to, issue instant, version, and issuer properties.
250 * @param response the response to populate
251 * @param issueInstant timestamp to use as the issue instant for the response
252 * @param request the request that the response is for
253 * @param rpConfig the relying party configuration for the request
255 protected void populateStatusResponse(StatusResponseType response, DateTime issueInstant,
256 RequestAbstractType request, RelyingPartyConfiguration rpConfig) {
258 response.setID(getIdGenerator().generateIdentifier());
259 response.setInResponseTo(request.getID());
260 response.setIssueInstant(issueInstant);
261 response.setVersion(SAMLVersion.VERSION_20);
262 response.setIssuer(buildEntityIssuer(rpConfig));
266 * Build a status message, with an optional second-level failure message.
268 * @param topLevelCode The top-level status code. Should be from saml-core-2.0-os, sec. 3.2.2.2
269 * @param secondLevelCode An optional second-level failure code. Should be from saml-core-2.0-is, sec 3.2.2.2. If
270 * null, no second-level Status element will be set.
271 * @param secondLevelFailureMessage An optional second-level failure message.
273 * @return a Status object.
275 protected Status buildStatus(String topLevelCode, String secondLevelCode, String secondLevelFailureMessage) {
277 Status status = statusBuilder.buildObject();
278 StatusCode statusCode = statusCodeBuilder.buildObject();
280 statusCode.setValue(DatatypeHelper.safeTrimOrNullString(topLevelCode));
281 if (secondLevelCode != null) {
282 StatusCode secondLevelStatusCode = statusCodeBuilder.buildObject();
283 secondLevelStatusCode.setValue(DatatypeHelper.safeTrimOrNullString(secondLevelCode));
284 statusCode.setStatusCode(secondLevelStatusCode);
287 if (secondLevelFailureMessage != null) {
288 StatusMessage msg = statusMessageBuilder.buildObject();
289 msg.setMessage(secondLevelFailureMessage);
290 status.setStatusMessage(msg);
297 * Builds a basic assertion with its id, issue instant, SAML version, issuer, subject, and conditions populated.
299 * @param issueInstant time to use as assertion issue instant
300 * @param rpConfig the relying party configuration
301 * @param profileConfig current profile configuration
303 * @return the built assertion
305 protected Assertion buildAssertion(final DateTime issueInstant, final RelyingPartyConfiguration rpConfig,
306 final AbstractSAML2ProfileConfiguration profileConfig) {
308 Assertion assertion = assertionBuilder.buildObject();
309 assertion.setID(getIdGenerator().generateIdentifier());
310 assertion.setIssueInstant(issueInstant);
311 assertion.setVersion(SAMLVersion.VERSION_20);
312 assertion.setIssuer(buildEntityIssuer(rpConfig));
313 // TODO assertion.setSubject(buildSubject());
315 Conditions conditions = buildConditions(issueInstant, profileConfig);
316 assertion.setConditions(conditions);
322 * Builds an entity type Issuer populated with the correct provider Id for this relying party configuration.
324 * @param rpConfig the relying party configuration
326 * @return the built Issuer
328 protected Issuer buildEntityIssuer(final RelyingPartyConfiguration rpConfig) {
330 Issuer issuer = getIssuerBuilder().buildObject();
331 issuer.setFormat(Issuer.ENTITY);
332 issuer.setValue(rpConfig.getProviderId());
338 * Builds the SAML subject for the user for the service provider.
340 * @return SAML subject for the user for the service provider
342 * @throws EncryptionException thrown if there is a problem encryption the subject's NameID
344 protected Subject buildSubject() throws EncryptionException {
350 * Builds a SAML assertion condition set. The following fields are set; not before, not on or after, audience
351 * restrictions, and proxy restrictions.
353 * @param issueInstant timestamp the assertion was created
354 * @param profileConfig current profile configuration
356 * @return constructed conditions
358 protected Conditions buildConditions(final DateTime issueInstant,
359 final AbstractSAML2ProfileConfiguration profileConfig) {
361 Conditions conditions = conditionsBuilder.buildObject();
362 conditions.setNotBefore(issueInstant);
363 conditions.setNotOnOrAfter(issueInstant.plus(profileConfig.getAssertionLifetime()));
365 Collection<String> audiences;
367 // add audience restrictions
368 audiences = profileConfig.getAssertionAudiences();
369 if (audiences != null && audiences.size() > 0) {
370 AudienceRestriction audienceRestriction = audienceRestrictionBuilder.buildObject();
371 for (String audienceUri : audiences) {
372 Audience audience = audienceBuilder.buildObject();
373 audience.setAudienceURI(audienceUri);
374 audienceRestriction.getAudiences().add(audience);
376 conditions.getAudienceRestrictions().add(audienceRestriction);
379 // add proxy restrictions
380 audiences = profileConfig.getProxyAudiences();
381 if (audiences != null && audiences.size() > 0) {
382 ProxyRestriction proxyRestriction = proxyRestrictionBuilder.buildObject();
384 for (String audienceUri : audiences) {
385 audience = audienceBuilder.buildObject();
386 audience.setAudienceURI(audienceUri);
387 proxyRestriction.getAudiences().add(audience);
390 proxyRestriction.setProxyCount(profileConfig.getProxyCount());
391 conditions.getConditions().add(proxyRestriction);
398 * Signs the given assertion if either the current profile configuration or the relying party configuration contains
399 * signing credentials.
401 * @param assertion assertion to sign
402 * @param rpConfig relying party configuration
403 * @param profileConfig current profile configuration
405 protected void signAssertion(Assertion assertion, RelyingPartyConfiguration rpConfig,
406 AbstractSAML2ProfileConfiguration profileConfig) {
407 if (!profileConfig.getSignAssertions()) {
411 Credential signatureCredential = profileConfig.getSigningCredential();
412 if (signatureCredential == null) {
413 signatureCredential = rpConfig.getDefaultSigningCredential();
416 if (signatureCredential == null) {
420 SAMLObjectContentReference contentRef = new SAMLObjectContentReference(assertion);
421 Signature signature = signatureBuilder.buildObject(Signature.DEFAULT_ELEMENT_NAME);
422 signature.getContentReferences().add(contentRef);
423 assertion.setSignature(signature);
425 Signer.signObject(signature);
428 // TODO encryption support