Support for conditional encryption and signing based on what the transport and bindin...
authorlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Tue, 8 Jan 2008 12:27:15 +0000 (12:27 +0000)
committerlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Tue, 8 Jan 2008 12:27:15 +0000 (12:27 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@2526 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/edu/internet2/middleware/shibboleth/idp/profile/AbstractSAMLProfileHandler.java
src/edu/internet2/middleware/shibboleth/idp/profile/saml1/AbstractSAML1ProfileHandler.java
src/edu/internet2/middleware/shibboleth/idp/profile/saml1/ArtifactResolution.java
src/edu/internet2/middleware/shibboleth/idp/profile/saml1/AttributeQueryProfileHandler.java
src/edu/internet2/middleware/shibboleth/idp/profile/saml1/ShibbolethSSOProfileHandler.java
src/edu/internet2/middleware/shibboleth/idp/profile/saml2/AbstractSAML2ProfileHandler.java
src/edu/internet2/middleware/shibboleth/idp/profile/saml2/ArtifactResolution.java
src/edu/internet2/middleware/shibboleth/idp/profile/saml2/AttributeQueryProfileHandler.java
src/edu/internet2/middleware/shibboleth/idp/profile/saml2/SSOProfileHandler.java

index 1414702..269144f 100644 (file)
@@ -30,6 +30,7 @@ import org.opensaml.ws.message.encoder.MessageEncodingException;
 import org.opensaml.ws.security.SecurityPolicyResolver;
 import org.opensaml.ws.transport.InTransport;
 import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
+import org.opensaml.xml.security.credential.Credential;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -38,7 +39,9 @@ import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
 import edu.internet2.middleware.shibboleth.common.profile.provider.AbstractShibbolethProfileHandler;
 import edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext;
 import edu.internet2.middleware.shibboleth.common.relyingparty.RelyingPartySecurityPolicyResolver;
+import edu.internet2.middleware.shibboleth.common.relyingparty.provider.CryptoOperationRequirementLevel;
 import edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager;
+import edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml1.AbstractSAML1ProfileConfiguration;
 import edu.internet2.middleware.shibboleth.idp.session.Session;
 
 /**
@@ -67,7 +70,7 @@ public abstract class AbstractSAMLProfileHandler extends
 
     /** SAML message bindings that may be used by outbound messages. */
     private List<String> supportedOutboundBindings;
-    
+
     /** Resolver used to determine active security policy for an incoming request. */
     private SecurityPolicyResolver securityPolicyResolver;
 
@@ -75,21 +78,20 @@ public abstract class AbstractSAMLProfileHandler extends
     protected AbstractSAMLProfileHandler() {
         super();
     }
-    
-    
+
     /**
      * Gets the resolver used to determine active security policy for an incoming request.
      * 
      * @return resolver used to determine active security policy for an incoming request
      */
     public SecurityPolicyResolver getSecurityPolicyResolver() {
-        if(securityPolicyResolver == null){
+        if (securityPolicyResolver == null) {
             setSecurityPolicyResolver(new RelyingPartySecurityPolicyResolver(getRelyingPartyConfigurationManager()));
         }
-        
+
         return securityPolicyResolver;
     }
-    
+
     /**
      * Sets the resolver used to determine active security policy for an incoming request.
      * 
@@ -250,9 +252,11 @@ public abstract class AbstractSAMLProfileHandler extends
      */
     protected void encodeResponse(BaseSAMLProfileRequestContext requestContext) throws ProfileException {
         try {
+
             Endpoint peerEndpoint = requestContext.getPeerEntityEndpoint();
             if (peerEndpoint == null) {
-                log.error("No return endpoint available for relying party {}", requestContext
+                log
+                        .error("No return endpoint available for relying party {}", requestContext
                                 .getInboundMessageIssuer());
                 throw new ProfileException("No peer endpoint available to which to send SAML response");
             }
@@ -264,6 +268,27 @@ public abstract class AbstractSAMLProfileHandler extends
                 throw new ProfileException("No outbound message encoder configured for binding "
                         + requestContext.getPeerEntityEndpoint().getBinding());
             }
+
+            AbstractSAML1ProfileConfiguration profileConfig = (AbstractSAML1ProfileConfiguration) requestContext
+                    .getProfileConfiguration();
+            if (profileConfig.getSignResponses() == CryptoOperationRequirementLevel.always
+                    || (profileConfig.getSignResponses() == CryptoOperationRequirementLevel.conditional && !encoder
+                            .providesMessageIntegrity(requestContext))) {
+                Credential signingCredential = null;
+                if (profileConfig.getSigningCredential() != null) {
+                    signingCredential = profileConfig.getSigningCredential();
+                } else if (requestContext.getRelyingPartyConfiguration().getDefaultSigningCredential() != null) {
+                    signingCredential = requestContext.getRelyingPartyConfiguration().getDefaultSigningCredential();
+                }
+
+                if (signingCredential == null) {
+                    throw new ProfileException(
+                            "Signing of responses is required but no signing credential is available");
+                }
+
+                requestContext.setOutboundSAMLMessageSigningCredential(signingCredential);
+            }
+
             log.debug("Encoding response to SAML request {} from relying party {}", requestContext
                     .getInboundSAMLMessageId(), requestContext.getInboundMessageIssuer());
 
index 79b6ed1..953bbce 100644 (file)
@@ -28,6 +28,7 @@ import org.opensaml.Configuration;
 import org.opensaml.common.SAMLObject;
 import org.opensaml.common.SAMLObjectBuilder;
 import org.opensaml.common.SAMLVersion;
+import org.opensaml.common.binding.encoding.SAMLMessageEncoder;
 import org.opensaml.saml1.core.Assertion;
 import org.opensaml.saml1.core.AttributeQuery;
 import org.opensaml.saml1.core.AttributeStatement;
@@ -52,6 +53,7 @@ import org.opensaml.saml2.metadata.PDPDescriptor;
 import org.opensaml.saml2.metadata.RoleDescriptor;
 import org.opensaml.saml2.metadata.SPSSODescriptor;
 import org.opensaml.saml2.metadata.SSODescriptor;
+import org.opensaml.ws.message.encoder.MessageEncodingException;
 import org.opensaml.xml.XMLObjectBuilder;
 import org.opensaml.xml.io.Marshaller;
 import org.opensaml.xml.io.MarshallingException;
@@ -70,6 +72,7 @@ import edu.internet2.middleware.shibboleth.common.attribute.encoding.AttributeEn
 import edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML1NameIdentifierEncoder;
 import edu.internet2.middleware.shibboleth.common.attribute.provider.SAML1AttributeAuthority;
 import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
+import edu.internet2.middleware.shibboleth.common.relyingparty.provider.CryptoOperationRequirementLevel;
 import edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml1.AbstractSAML1ProfileConfiguration;
 import edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler;
 
@@ -333,7 +336,9 @@ public abstract class AbstractSAML1ProfileHandler extends AbstractSAMLProfileHan
                     if (encoder instanceof SAML1NameIdentifierEncoder) {
                         nameIdEncoder = (SAML1NameIdentifierEncoder) encoder;
                         if (supportedNameFormats.contains(nameIdEncoder.getNameFormat())) {
-                            log.debug("Using attribute {} suppoting name format {} to create the NameIdentifier for principal",
+                            log
+                                    .debug(
+                                            "Using attribute {} suppoting name format {} to create the NameIdentifier for principal",
                                             attribute.getId(), nameIdEncoder.getNameFormat());
                             return nameIdEncoder.encode(attribute);
                         }
@@ -538,7 +543,7 @@ public abstract class AbstractSAML1ProfileHandler extends AbstractSAMLProfileHan
                         .values());
             }
 
-            if(statment != null){
+            if (statment != null) {
                 Subject statementSubject = buildSubject(requestContext, subjectConfMethod);
                 statment.setSubject(statementSubject);
             }
@@ -597,11 +602,20 @@ public abstract class AbstractSAML1ProfileHandler extends AbstractSAMLProfileHan
         boolean signAssertion = false;
 
         RoleDescriptor relyingPartyRole = requestContext.getPeerEntityRoleMetadata();
+        SAMLMessageEncoder encoder = getMessageEncoders().get(requestContext.getPeerEntityEndpoint().getBinding());
         AbstractSAML1ProfileConfiguration profileConfig = requestContext.getProfileConfiguration();
-        if (profileConfig.getSignAssertions()) {
-            signAssertion = true;
-            log.debug("IdP relying party configuration {} indicates to sign assertions: {}", requestContext
-                    .getRelyingPartyConfiguration().getRelyingPartyId(), signAssertion);
+
+        try {
+            if (profileConfig.getSignAssertions() == CryptoOperationRequirementLevel.always
+                    || (profileConfig.getSignAssertions() == CryptoOperationRequirementLevel.conditional && !encoder
+                            .providesMessageIntegrity(requestContext))) {
+                signAssertion = true;
+                log.debug("IdP relying party configuration {} indicates to sign assertions: {}", requestContext
+                        .getRelyingPartyConfiguration().getRelyingPartyId(), signAssertion);
+            }
+        } catch (MessageEncodingException e) {
+            log.error("Unable to determine if outbound encoding {} can provide integrity", encoder.getBindingURI());
+            throw new ProfileException("Unable to determine if outbound message should be signed");
         }
 
         if (!signAssertion && relyingPartyRole instanceof SPSSODescriptor) {
index 795aafb..ba5de11 100644 (file)
@@ -181,15 +181,7 @@ public class ArtifactResolution extends AbstractSAML1ProfileHandler {
 
             ArtifactResolutionConfiguration profileConfig = (ArtifactResolutionConfiguration) rpConfig
                     .getProfileConfiguration(ArtifactResolutionConfiguration.PROFILE_ID);
-            if (profileConfig != null) {
-                requestContext.setProfileConfiguration(profileConfig);
-                if (profileConfig.getSigningCredential() != null) {
-                    requestContext.setOutboundSAMLMessageSigningCredential(profileConfig.getSigningCredential());
-                } else if (rpConfig.getDefaultSigningCredential() != null) {
-                    requestContext.setOutboundSAMLMessageSigningCredential(rpConfig.getDefaultSigningCredential());
-                }
-            }
-
+            requestContext.setProfileConfiguration(profileConfig);
             requestContext.setPeerEntityEndpoint(selectEndpoint(requestContext));
 
             String assertingPartyId = requestContext.getRelyingPartyConfiguration().getProviderId();
index da25b73..11d8e57 100644 (file)
@@ -197,11 +197,6 @@ public class AttributeQueryProfileHandler extends AbstractSAML1ProfileHandler {
             if (profileConfig != null) {
                 requestContext.setProfileConfiguration(profileConfig);
                 requestContext.setOutboundMessageArtifactType(profileConfig.getOutboundArtifactType());
-                if (profileConfig.getSigningCredential() != null) {
-                    requestContext.setOutboundSAMLMessageSigningCredential(profileConfig.getSigningCredential());
-                } else if (rpConfig.getDefaultSigningCredential() != null) {
-                    requestContext.setOutboundSAMLMessageSigningCredential(rpConfig.getDefaultSigningCredential());
-                }
             }
             requestContext.setPeerEntityEndpoint(selectEndpoint(requestContext));
 
index b8f892a..348c21e 100644 (file)
@@ -335,12 +335,6 @@ public class ShibbolethSSOProfileHandler extends AbstractSAML1ProfileHandler {
                 .getProfileConfiguration(ShibbolethSSOConfiguration.PROFILE_ID);
         requestContext.setProfileConfiguration(profileConfig);
         requestContext.setOutboundMessageArtifactType(profileConfig.getOutboundArtifactType());
-        if (profileConfig.getSigningCredential() != null) {
-            requestContext.setOutboundSAMLMessageSigningCredential(profileConfig.getSigningCredential());
-        } else if (rpConfig.getDefaultSigningCredential() != null) {
-            requestContext.setOutboundSAMLMessageSigningCredential(rpConfig.getDefaultSigningCredential());
-        }
-
         requestContext.setPeerEntityEndpoint(selectEndpoint(requestContext));
 
         String assertingPartyId = rpConfig.getProviderId();
index 14c4bdd..d25adce 100644 (file)
@@ -25,6 +25,7 @@ import org.joda.time.DateTime;
 import org.opensaml.Configuration;
 import org.opensaml.common.SAMLObjectBuilder;
 import org.opensaml.common.SAMLVersion;
+import org.opensaml.common.binding.encoding.SAMLMessageEncoder;
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.core.Assertion;
 import org.opensaml.saml2.core.AttributeQuery;
@@ -57,6 +58,7 @@ import org.opensaml.saml2.metadata.SPSSODescriptor;
 import org.opensaml.saml2.metadata.SSODescriptor;
 import org.opensaml.security.MetadataCredentialResolver;
 import org.opensaml.security.MetadataCriteria;
+import org.opensaml.ws.message.encoder.MessageEncodingException;
 import org.opensaml.ws.transport.http.HTTPInTransport;
 import org.opensaml.xml.XMLObjectBuilder;
 import org.opensaml.xml.encryption.EncryptionException;
@@ -85,6 +87,7 @@ import edu.internet2.middleware.shibboleth.common.attribute.encoding.AttributeEn
 import edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder;
 import edu.internet2.middleware.shibboleth.common.attribute.provider.SAML2AttributeAuthority;
 import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
+import edu.internet2.middleware.shibboleth.common.relyingparty.provider.CryptoOperationRequirementLevel;
 import edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml2.AbstractSAML2ProfileConfiguration;
 import edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler;
 
@@ -221,24 +224,34 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
         // sign the assertion if it should be signed
         signAssertion(requestContext, assertion);
 
-        if (requestContext.getProfileConfiguration().getEncryptAssertion()) {
-            log.debug("Attempting to encrypt assertion to relying party {}", requestContext.getInboundMessageIssuer());
-            try {
-                Encrypter encrypter = getEncrypter(requestContext.getInboundMessageIssuer());
-                samlResponse.getEncryptedAssertions().add(encrypter.encrypt(assertion));
-            } catch (SecurityException e) {
-                log.error("Unable to construct encrypter", e);
-                requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, null,
-                        "Unable to encrypt assertion"));
-                throw new ProfileException("Unable to construct encrypter", e);
-            } catch (EncryptionException e) {
-                log.error("Unable to encrypt assertion", e);
-                requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, null,
-                        "Unable to encrypt assertion"));
-                throw new ProfileException("Unable to encrypt assertion", e);
+        SAMLMessageEncoder encoder = getMessageEncoders().get(requestContext.getPeerEntityEndpoint().getBinding());
+        try {
+            if (requestContext.getProfileConfiguration().getEncryptAssertion() == CryptoOperationRequirementLevel.always
+                    || (requestContext.getProfileConfiguration().getEncryptAssertion() == CryptoOperationRequirementLevel.conditional && !encoder
+                            .providesMessageConfidentiality(requestContext))) {
+                log.debug("Attempting to encrypt assertion to relying party {}", requestContext
+                        .getInboundMessageIssuer());
+                try {
+                    Encrypter encrypter = getEncrypter(requestContext.getInboundMessageIssuer());
+                    samlResponse.getEncryptedAssertions().add(encrypter.encrypt(assertion));
+                } catch (SecurityException e) {
+                    log.error("Unable to construct encrypter", e);
+                    requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, null,
+                            "Unable to encrypt assertion"));
+                    throw new ProfileException("Unable to construct encrypter", e);
+                } catch (EncryptionException e) {
+                    log.error("Unable to encrypt assertion", e);
+                    requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, null,
+                            "Unable to encrypt assertion"));
+                    throw new ProfileException("Unable to encrypt assertion", e);
+                }
+            } else {
+                samlResponse.getAssertions().add(assertion);
             }
-        } else {
-            samlResponse.getAssertions().add(assertion);
+        } catch (MessageEncodingException e) {
+            log.error("Unable to determine if outbound encoding {} can provide confidentiality", encoder
+                    .getBindingURI());
+            throw new ProfileException("Unable to determine if assertions should be encrypted");
         }
 
         Status status = buildStatus(StatusCode.SUCCESS_URI, null, null);
@@ -303,7 +316,7 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
 
         // add audience restrictions
         AudienceRestriction audienceRestriction = audienceRestrictionBuilder.buildObject();
-        //TODO we should only do this for certain outgoing bindings, not globally
+        // TODO we should only do this for certain outgoing bindings, not globally
         Audience audience = audienceBuilder.buildObject();
         audience.setAudienceURI(requestContext.getInboundMessageIssuer());
         audienceRestriction.getAudiences().add(audience);
@@ -462,11 +475,20 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
 
         boolean signAssertion = false;
 
+        SAMLMessageEncoder encoder = getMessageEncoders().get(requestContext.getPeerEntityEndpoint().getBinding());
         AbstractSAML2ProfileConfiguration profileConfig = requestContext.getProfileConfiguration();
-        if (profileConfig.getSignAssertions()) {
-            signAssertion = true;
-            log.debug("IdP relying party configuration {} indicates to sign assertions: {}", requestContext
-                    .getRelyingPartyConfiguration().getRelyingPartyId(), signAssertion);
+        try {
+            if (profileConfig.getSignAssertions() == CryptoOperationRequirementLevel.always
+                    || (profileConfig.getSignAssertions() == CryptoOperationRequirementLevel.conditional && !encoder
+                            .providesMessageIntegrity(requestContext))) {
+                signAssertion = true;
+                log.debug("IdP relying party configuration {} indicates to sign assertions: {}", requestContext
+                        .getRelyingPartyConfiguration().getRelyingPartyId(), signAssertion);
+            }
+        } catch (MessageEncodingException e) {
+            log.error("Unable to determine if outbound encoding {} can provide integrity protection", encoder
+                    .getBindingURI());
+            throw new ProfileException("Unable to determine if outbound message should be signed");
         }
 
         if (!signAssertion && requestContext.getPeerEntityRoleMetadata() instanceof SPSSODescriptor) {
@@ -590,25 +612,33 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
 
         Subject subject = subjectBuilder.buildObject();
         subject.getSubjectConfirmations().add(subjectConfirmation);
-
-        if (requestContext.getProfileConfiguration().getEncryptNameID()) {
-            log.debug("Attempting to encrypt NameID to relying party {}", requestContext.getInboundMessageIssuer());
-            try {
-                Encrypter encrypter = getEncrypter(requestContext.getInboundMessageIssuer());
-                subject.setEncryptedID(encrypter.encrypt(nameID));
-            } catch (SecurityException e) {
-                log.error("Unable to construct encrypter", e);
-                requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, null,
-                        "Unable to construct NameID"));
-                throw new ProfileException("Unable to construct encrypter", e);
-            } catch (EncryptionException e) {
-                log.error("Unable to encrypt NameID", e);
-                requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, null,
-                        "Unable to construct NameID"));
-                throw new ProfileException("Unable to encrypt NameID", e);
+        SAMLMessageEncoder encoder = getMessageEncoders().get(requestContext.getPeerEntityEndpoint().getBinding());
+        try {
+            if (requestContext.getProfileConfiguration().getEncryptNameID() == CryptoOperationRequirementLevel.always
+                    || (requestContext.getProfileConfiguration().getEncryptNameID() == CryptoOperationRequirementLevel.conditional && !encoder
+                            .providesMessageConfidentiality(requestContext))) {
+                log.debug("Attempting to encrypt NameID to relying party {}", requestContext.getInboundMessageIssuer());
+                try {
+                    Encrypter encrypter = getEncrypter(requestContext.getInboundMessageIssuer());
+                    subject.setEncryptedID(encrypter.encrypt(nameID));
+                } catch (SecurityException e) {
+                    log.error("Unable to construct encrypter", e);
+                    requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, null,
+                            "Unable to construct NameID"));
+                    throw new ProfileException("Unable to construct encrypter", e);
+                } catch (EncryptionException e) {
+                    log.error("Unable to encrypt NameID", e);
+                    requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, null,
+                            "Unable to construct NameID"));
+                    throw new ProfileException("Unable to encrypt NameID", e);
+                }
+            } else {
+                subject.setNameID(nameID);
             }
-        } else {
-            subject.setNameID(nameID);
+        } catch (MessageEncodingException e) {
+            log.error("Unable to determine if outbound encoding {} can provide confidentiality", encoder
+                    .getBindingURI());
+            throw new ProfileException("Unable to determine if assertions should be encrypted");
         }
 
         return subject;
@@ -631,7 +661,7 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
     protected NameID buildNameId(BaseSAML2ProfileRequestContext<?, ?, ?> requestContext) throws ProfileException {
         log.debug("Building assertion NameID for principal/relying party:{}/{}", requestContext.getPrincipalName(),
                 requestContext.getInboundMessageIssuer());
-        
+
         Map<String, BaseAttribute> principalAttributes = requestContext.getPrincipalAttributes();
         if (principalAttributes == null || principalAttributes.isEmpty()) {
             log.error("No attributes for principal {}, unable to construct of NameID", requestContext
@@ -640,15 +670,15 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
                     "Unable to construct NameID"));
             throw new ProfileException("No principal attributes support NameID construction");
         }
-        
-        List<String> supportedNameFormats = getNameFormats(requestContext);        
+
+        List<String> supportedNameFormats = getNameFormats(requestContext);
         if (supportedNameFormats == null || supportedNameFormats.isEmpty()) {
             log.error("No common NameID formats supported by SP {} and IdP", requestContext.getInboundMessageIssuer());
             requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, StatusCode.INVALID_NAMEID_POLICY_URI,
                     "Unable to construct NameID"));
             throw new ProfileException("No principal attributes support NameID construction");
         }
-        
+
         log.debug("Supported NameID formats: {}", supportedNameFormats);
         try {
             SAML2NameIDEncoder nameIdEncoder;
index 61b80d1..bc948a3 100644 (file)
@@ -156,7 +156,7 @@ public class ArtifactResolution extends AbstractSAML2ProfileHandler {
     protected ArtifactResolutionRequestContext decodeRequest(HTTPInTransport inTransport, HTTPOutTransport outTransport)
             throws ProfileException {
         log.debug("Decoding message with decoder binding {}", getInboundBinding());
-        
+
         MetadataProvider metadataProvider = getMetadataProvider();
 
         ArtifactResolutionRequestContext requestContext = new ArtifactResolutionRequestContext();
@@ -201,15 +201,7 @@ public class ArtifactResolution extends AbstractSAML2ProfileHandler {
 
             ArtifactResolutionConfiguration profileConfig = (ArtifactResolutionConfiguration) rpConfig
                     .getProfileConfiguration(ArtifactResolutionConfiguration.PROFILE_ID);
-            if (profileConfig != null) {
-                requestContext.setProfileConfiguration(profileConfig);
-                if (profileConfig.getSigningCredential() != null) {
-                    requestContext.setOutboundSAMLMessageSigningCredential(profileConfig.getSigningCredential());
-                } else if (rpConfig.getDefaultSigningCredential() != null) {
-                    requestContext.setOutboundSAMLMessageSigningCredential(rpConfig.getDefaultSigningCredential());
-                }
-            }
-
+            requestContext.setProfileConfiguration(profileConfig);
             requestContext.setPeerEntityEndpoint(selectEndpoint(requestContext));
 
             String assertingPartyId = requestContext.getRelyingPartyConfiguration().getProviderId();
index 8c9fcef..00fa3b3 100644 (file)
@@ -193,11 +193,6 @@ public class AttributeQueryProfileHandler extends AbstractSAML2ProfileHandler {
             if (profileConfig != null) {
                 requestContext.setProfileConfiguration(profileConfig);
                 requestContext.setOutboundMessageArtifactType(profileConfig.getOutboundArtifactType());
-                if (profileConfig.getSigningCredential() != null) {
-                    requestContext.setOutboundSAMLMessageSigningCredential(profileConfig.getSigningCredential());
-                } else if (rpConfig.getDefaultSigningCredential() != null) {
-                    requestContext.setOutboundSAMLMessageSigningCredential(rpConfig.getDefaultSigningCredential());
-                }
             }
 
             requestContext.setPeerEntityEndpoint(selectEndpoint(requestContext));
index 4a0eb55..05f1e0e 100644 (file)
@@ -132,7 +132,8 @@ public class SSOProfileHandler extends AbstractSAML2ProfileHandler {
             log.debug("User session does not contain a login context, processing as first leg of request");
             performAuthentication(inTransport, outTransport);
         } else if (!loginContext.isPrincipalAuthenticated() && !loginContext.getAuthenticationAttempted()) {
-            log.debug("User session contained a login context but user was not authenticated, processing as first leg of request");
+            log
+                    .debug("User session contained a login context but user was not authenticated, processing as first leg of request");
             performAuthentication(inTransport, outTransport);
         } else {
             log.debug("User session contains a login context, processing as second leg of request");
@@ -221,21 +222,24 @@ public class SSOProfileHandler extends AbstractSAML2ProfileHandler {
             if (loginContext.getPrincipalName() == null) {
                 log.error("User's login context did not contain a principal, user considered unauthenticiated.");
                 if (loginContext.getPassiveAuth()) {
-                    requestContext
-                        .setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, StatusCode.NO_PASSIVE_URI, null));
+                    requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, StatusCode.NO_PASSIVE_URI,
+                            null));
                 } else {
-                    requestContext
-                        .setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, StatusCode.AUTHN_FAILED_URI, null));
+                    requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, StatusCode.AUTHN_FAILED_URI,
+                            null));
                 }
                 throw new ProfileException("User failed authentication");
             }
 
             if (requestContext.getSubjectNameIdentifier() != null) {
-                log.debug("Authentication request contained a subject with a name identifier, resolving principal from NameID");
+                log
+                        .debug("Authentication request contained a subject with a name identifier, resolving principal from NameID");
                 resolvePrincipal(requestContext);
                 String requestedPrincipalName = requestContext.getPrincipalName();
                 if (!DatatypeHelper.safeEquals(loginContext.getPrincipalName(), requestedPrincipalName)) {
-                    log.error("Authentication request identified principal {} but authentication mechanism identified principal {}",
+                    log
+                            .error(
+                                    "Authentication request identified principal {} but authentication mechanism identified principal {}",
                                     requestedPrincipalName, loginContext.getPrincipalName());
                     requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, StatusCode.AUTHN_FAILED_URI,
                             null));
@@ -297,7 +301,7 @@ public class SSOProfileHandler extends AbstractSAML2ProfileHandler {
             requestContext.setMessageDecoder(decoder);
             decoder.decode(requestContext);
             log.debug("Decoded request");
-            
+
             if (!(requestContext.getInboundMessage() instanceof AuthnRequest)) {
                 log.error("Incomming message was not a AuthnRequest, it was a {}", requestContext.getInboundMessage()
                         .getClass().getName());
@@ -305,7 +309,7 @@ public class SSOProfileHandler extends AbstractSAML2ProfileHandler {
                         "Invalid SAML AuthnRequest message."));
                 throw new ProfileException("Invalid SAML AuthnRequest message.");
             }
-            
+
             return requestContext;
         } catch (MessageDecodingException e) {
             log.error("Error decoding authentication request message", e);
@@ -394,11 +398,6 @@ public class SSOProfileHandler extends AbstractSAML2ProfileHandler {
                 .getProfileConfiguration(SSOConfiguration.PROFILE_ID);
         requestContext.setProfileConfiguration(profileConfig);
         requestContext.setOutboundMessageArtifactType(profileConfig.getOutboundArtifactType());
-        if (profileConfig.getSigningCredential() != null) {
-            requestContext.setOutboundSAMLMessageSigningCredential(profileConfig.getSigningCredential());
-        } else if (rpConfig.getDefaultSigningCredential() != null) {
-            requestContext.setOutboundSAMLMessageSigningCredential(rpConfig.getDefaultSigningCredential());
-        }
         requestContext.setPeerEntityEndpoint(selectEndpoint(requestContext));
 
         String assertingPartyId = rpConfig.getProviderId();