import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
+import java.util.List;
import java.util.Vector;
import javax.servlet.RequestDispatcher;
import org.opensaml.SAMLSubject;
import org.opensaml.SAMLSubjectStatement;
import org.opensaml.XML;
+import org.opensaml.saml2.metadata.AssertionConsumerService;
+import org.opensaml.saml2.metadata.Endpoint;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
import edu.internet2.middleware.shibboleth.idp.InvalidClientDataException;
-import edu.internet2.middleware.shibboleth.metadata.Endpoint;
-import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
-import edu.internet2.middleware.shibboleth.metadata.SPSSODescriptor;
/**
* <code>ProtocolHandler</code> implementation that responds to ADFS SSO flows as specified in "WS-Federation: Passive
RelyingParty relyingParty = support.getServiceProviderMapper().getRelyingParty(remoteProviderId);
// Grab the metadata for the provider
- EntityDescriptor descriptor = support.lookup(relyingParty.getProviderId());
+ EntityDescriptor descriptor = support.getEntityDescriptor(relyingParty.getProviderId());
if (descriptor == null) {
log.info("No metadata found for provider: (" + relyingParty.getProviderId() + ").");
throw new InvalidClientDataException(
} else {
Endpoint endpoint = sp.getAssertionConsumerServiceManager().getEndpointByBinding(
ADFS_SSOHandler.WS_FED_PROTOCOL_ENUM);
+
+
if (endpoint == null || endpoint.getLocation() == null) {
log.error("No Assertion consumer service URL is available for provider ("
+ relyingParty.getProviderId() + ") via request the SSO request or the metadata.");
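Review bot: The new `support.getEntityDescriptor(relyingParty.getProviderId())` call is made with no handling for `MetadataProviderException`, whereas the artifact and SSO handlers in this same change wrap the identical call in try/catch; if the enclosing method (which starts outside this hunk) does not declare that exception this will not compile, and if it does, a metadata-provider fault escapes as an exception instead of being logged and turned into the "No metadata found" client error. The unchanged context line `sp.getAssertionConsumerServiceManager().getEndpointByBinding(ADFS_SSOHandler.WS_FED_PROTOCOL_ENUM)` still uses the old Shibboleth metadata API rather than the `org.opensaml.saml2.metadata.SPSSODescriptor` now imported, and the two blank lines added right after it look like the replacement was never written; the `endpoint == null || endpoint.getLocation() == null` guard below it is good and should be kept whatever the replacement is. The same unguarded lookup appears in the attribute-query handler's `support.getEntityDescriptor(assertedId)` line later in this change.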
private static boolean isValidAssertionConsumerURL(SPSSODescriptor descriptor, String shireURL)
throws InvalidClientDataException {
- Iterator endpoints = descriptor.getAssertionConsumerServiceManager().getEndpoints();
- while (endpoints.hasNext()) {
- if (shireURL.equals(((Endpoint) endpoints.next()).getLocation())) { return true; }
+ List<AssertionConsumerService> endpoints = descriptor.getAssertionConsumerServices();
+ for (AssertionConsumerService acs : endpoints) {
+ if (shireURL.equals(acs.getLocation())) { return true; }
}
+
log.info("Supplied consumer URL not found in metadata.");
return false;
}
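Review bot: `shireURL.equals(acs.getLocation())` in the rewritten loop still dereferences `shireURL` before anything else, so a request that supplies no consumer URL produces a NullPointerException rather than the logged `false` the method is written to return; a guard `if (shireURL == null) return false;` before the loop, or `acs.getLocation() != null && acs.getLocation().equals(shireURL)` inside it, closes that. The method also deserves a Javadoc comment stating that the match is an exact, case-sensitive comparison of the supplied consumer URL against every AssertionConsumerService location in the SP's metadata and that no match means the response must not be sent, since this check is what stops an assertion being posted to a location the SP never registered. The declared `throws InvalidClientDataException` is never thrown inside the body and can be dropped or documented. The same loop is duplicated verbatim in the SSO handler (the `for (AssertionConsumerService endpoint : endpoints)` block at the end of this change) and the two could share one helper.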
import org.opensaml.SAMLResponse;
import org.opensaml.XML;
import org.opensaml.artifact.Artifact;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.w3c.dom.Element;
import edu.internet2.middleware.shibboleth.artifact.ArtifactMapping;
import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
-import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
-import edu.internet2.middleware.shibboleth.metadata.RoleDescriptor;
/**
* @author Walter Hoehn
// Pull credential from request
X509Certificate[] chain = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
- if (chain == null || chain.length == 0 || chain[0].getSubjectX500Principal().getName(X500Principal.RFC2253).equals("")) {
+ if (chain == null || chain.length == 0
+ || chain[0].getSubjectX500Principal().getName(X500Principal.RFC2253).equals("")) {
// The spec says that mutual authentication is required for the
// artifact profile
if (samlRequest.isSigned()) {
log.info("Request is signed, will authenticate it later.");
- }
- else {
+ } else {
log.info("Request is from an unauthenticated serviceprovider.");
throw new SAMLException(SAMLException.REQUESTER,
"SAML Artifacts cannot be dereferenced for unauthenticated requesters.");
}
- }
- else {
- log.info("Request contains TLS credential: (" + chain[0].getSubjectX500Principal().getName(X500Principal.RFC2253)
- + ").");
+ } else {
+ log.info("Request contains TLS credential: ("
+ + chain[0].getSubjectX500Principal().getName(X500Principal.RFC2253) + ").");
}
ArrayList<SAMLAssertion> assertions = new ArrayList<SAMLAssertion>();
Iterator artifacts = samlRequest.getArtifacts();
} else {
SAMLAssertion assertion = mapping.getAssertion();
// See if we have metadata for this provider
- EntityDescriptor provider = support.lookup(mapping.getServiceProviderId());
+ EntityDescriptor provider = null;
+ try {
+ provider = support.getEntityDescriptor(mapping.getServiceProviderId());
+ } catch (MetadataProviderException e) {
+ log.error("Metadata lookup for provider (" + mapping.getServiceProviderId()
+ + ") encountered an error: " + e);
+ }
if (provider == null) {
log.info("No metadata found for provider: (" + mapping.getServiceProviderId() + ").");
throw new SAMLException(SAMLException.REQUESTER, "Invalid service provider.");
}
- RoleDescriptor role = provider.getSPSSODescriptor(XML.SAML11_PROTOCOL_ENUM);
+ SPSSODescriptor role = provider.getSPSSODescriptor(XML.SAML11_PROTOCOL_ENUM);
if (role == null) {
- log.info("SPSSO role not found in metadata for provider: (" + mapping.getServiceProviderId()
- + ").");
+ log
+ .info("SPSSO role not found in metadata for provider: (" + mapping.getServiceProviderId()
+ + ").");
throw new SAMLException(SAMLException.REQUESTER, "Invalid service provider role.");
}
boolean authenticated = false;
-
+
// Make sure that the suppplied credential is valid for the provider to which the artifact was issued
if (chain != null && chain.length > 0) {
if (!support.getTrust().validate(chain[0], chain, role)) {
if (samlRequest.isSigned()) {
if (!support.getTrust().validate(samlRequest, role)) {
log.error("Signed SAML request message did NOT contain a valid signature from provider ("
- + mapping.getServiceProviderId()
- + "), to whom this artifact was issued.");
+ + mapping.getServiceProviderId() + "), to whom this artifact was issued.");
throw new SAMLException(SAMLException.REQUESTER, "Invalid signature.");
}
authenticated = true;
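Review bot: The new catch of `MetadataProviderException` logs the exception by string concatenation (`+ e`), which discards the stack trace, and then leaves `provider` null so the request drops into the "No metadata found" branch and is rejected as `SAMLException.REQUESTER` "Invalid service provider." — an IdP-side metadata failure is reported to the requester as its own fault, and the operator log cannot distinguish the two cases. It does fail closed, which is right; but prefer `log.error("Metadata lookup for provider (" + mapping.getServiceProviderId() + ") encountered an error.", e);` and a distinct responder-side SAMLException thrown from the catch block. The same pattern is introduced in the SSO handler's `catch (MetadataProviderException e1)` and should be fixed the same way. Whether `support.getTrust().validate(chain[0], chain, role)` accepts the `org.opensaml.saml2.metadata.SPSSODescriptor` that `role` now is cannot be seen from this hunk, and the `log` / `.info(` split is a formatter artifact worth rejoining.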
import org.opensaml.SAMLStatement;
import org.opensaml.SAMLSubject;
import org.opensaml.XML;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.w3c.dom.Element;
import edu.internet2.middleware.shibboleth.aa.AAException;
import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
-import edu.internet2.middleware.shibboleth.metadata.AttributeRequesterDescriptor;
-import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
-import edu.internet2.middleware.shibboleth.metadata.RoleDescriptor;
-import edu.internet2.middleware.shibboleth.metadata.SPSSODescriptor;
/**
* @author Walter Hoehn
throws InvalidProviderCredentialException {
// See if we have metadata for this provider
- EntityDescriptor provider = support.lookup(assertedId);
+ EntityDescriptor provider = support.getEntityDescriptor(assertedId);
if (provider == null) {
log.info("No metadata found for providerId: (" + assertedId + ").");
return null;
} else {
log.info("Metadata found for providerId: (" + assertedId + ").");
}
+ //TODO this is a shib-specific thing... need to figure out what to do
RoleDescriptor ar_role = provider.getAttributeRequesterDescriptor(XML.SAML11_PROTOCOL_ENUM);
- RoleDescriptor sp_role = provider.getSPSSODescriptor(XML.SAML11_PROTOCOL_ENUM);
+ SPSSODescriptor sp_role = provider.getSPSSODescriptor(XML.SAML11_PROTOCOL_ENUM);
if (ar_role == null && sp_role == null) {
log.info("SPSSO and Stand-Alone Requester roles not found in metadata for provider: (" + assertedId + ").");
return null;
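Review bot: The `//TODO` added above `provider.getAttributeRequesterDescriptor(XML.SAML11_PROTOCOL_ENUM)` leaves a Shibboleth-specific role lookup on what is now an `org.opensaml.saml2.metadata.EntityDescriptor`, and this file's import hunk removed `edu.internet2.middleware.shibboleth.metadata.RoleDescriptor` without adding anything that resolves the `RoleDescriptor ar_role` declaration, so as far as this hunk shows the file will not compile until that is settled; the `ar_role == null && sp_role == null` rejection below depends on the answer and should be migrated in the same commit rather than left half-done. `support.getEntityDescriptor(assertedId)` is also called here without the `MetadataProviderException` handling the artifact and SSO handlers add, so behaviour on a metadata-provider fault differs between handlers for no stated reason. The enclosing method starts outside this hunk (only its `throws InvalidProviderCredentialException` clause is visible).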
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
-import java.util.Iterator;
+import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.log4j.Logger;
import org.opensaml.SAMLException;
import org.opensaml.SAMLNameIdentifier;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.NameIDFormat;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.w3c.dom.Element;
import edu.internet2.middleware.shibboleth.common.LocalPrincipal;
import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
import edu.internet2.middleware.shibboleth.idp.InvalidClientDataException;
-import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
-import edu.internet2.middleware.shibboleth.metadata.SPSSODescriptor;
/**
* @author Walter Hoehn
// If we have preferred Name Identifier formats from the metadata, see if the we can find one that is configured
// for this relying party
SPSSODescriptor role;
- if (descriptor != null
- && (role = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM)) != null) {
- Iterator spPreferredFormats = role.getNameIDFormats();
- while (spPreferredFormats.hasNext()) {
-
- String preferredFormat = (String) spPreferredFormats.next();
+ if (descriptor != null && (role = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM)) != null) {
+ List<NameIDFormat> spPreferredFormats = role.getNameIDFormats();
+ for (NameIDFormat preferredFormat : spPreferredFormats) {
for (int i = 0; availableMappings != null && i < availableMappings.length; i++) {
NameIdentifierMapping mapping = mapper.getNameIdentifierMappingById(availableMappings[i]);
- if (mapping != null && preferredFormat.equals(mapping.getNameIdentifierFormat().toString())) {
+ if (mapping != null
+ && preferredFormat.getFormat().equals(mapping.getNameIdentifierFormat().toString())) {
log.debug("Found a supported name identifier format that "
+ "matches the metadata for the relying party: ("
+ mapping.getNameIdentifierFormat().toString() + ").");
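Review bot: `preferredFormat.getFormat().equals(mapping.getNameIdentifierFormat().toString())` now dereferences the text of each `<NameIDFormat>` element in the SP's metadata, so an empty element yields a NullPointerException instead of simply not matching; writing the comparison from the side the surrounding code already treats as non-null, `&& mapping.getNameIdentifierFormat().toString().equals(preferredFormat.getFormat())`, keeps the old behaviour (no match) for such entries. The inner `for (int i = 0; ...)` loop and the enclosing method both continue past the end of this hunk. The assignment inside the `if` condition (`(role = descriptor.getSPSSODescriptor(...)) != null`) predates this change but is easy to misread now that the line has been rejoined; a separate `role = ...;` statement before the `if` would read better.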
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
+import java.util.List;
import java.util.Vector;
import javax.servlet.RequestDispatcher;
import org.opensaml.SAMLSubject;
import org.opensaml.SAMLSubjectStatement;
import org.opensaml.artifact.Artifact;
+import org.opensaml.saml2.metadata.AssertionConsumerService;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.w3c.dom.Element;
import edu.internet2.middleware.shibboleth.aa.AAException;
import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
import edu.internet2.middleware.shibboleth.idp.InvalidClientDataException;
-import edu.internet2.middleware.shibboleth.metadata.Endpoint;
-import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
-import edu.internet2.middleware.shibboleth.metadata.SPSSODescriptor;
/**
* <code>ProtocolHandler</code> implementation that responds to SSO flows as specified in "Shibboleth Architecture:
}
// Grab the metadata for the provider
- EntityDescriptor descriptor = support.lookup(relyingParty.getProviderId());
+ EntityDescriptor descriptor = null;
+ try {
+ descriptor = support.getEntityDescriptor(relyingParty.getProviderId());
+ } catch (MetadataProviderException e1) {
+ log.error("Metadata lookup for provider (" + relyingParty.getProviderId() + ") encountered an error: "
+ + e1);
+ }
// Make sure that the selected relying party configuration is appropriate for this
// acceptance URL
if (descriptor != null) {
SPSSODescriptor sp = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
if (sp != null) {
- if (sp.getWantAssertionsSigned()) {
+ if (sp.wantAssertionsSigned().getValue()) {
metaDataIndicatesSignAssertions = true;
}
}
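Review bot: `sp.wantAssertionsSigned().getValue()` is evaluated for every SP that has an SPSSODescriptor, but `WantAssertionsSigned` is an optional attribute in SAML metadata; if `wantAssertionsSigned()` (or its `getValue()`) returns null when the attribute is absent, any SP whose metadata omits it will hit a NullPointerException in the SSO flow. A null-tolerant form such as `if (sp.wantAssertionsSigned() != null && Boolean.TRUE.equals(sp.wantAssertionsSigned().getValue())) {` keeps the default of not requiring signed assertions for such SPs. The identical block appears again immediately below (the second `if (descriptor != null)` ... `metaDataIndicatesSignAssertions = true;` block) and needs the same change; since the two are byte-identical, a small private helper would remove the duplication. The enclosing method starts outside this hunk.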
if (descriptor != null) {
SPSSODescriptor sp = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
if (sp != null) {
- if (sp.getWantAssertionsSigned()) {
+ if (sp.wantAssertionsSigned().getValue()) {
metaDataIndicatesSignAssertions = true;
}
}
if (sp != null) {
// See if this is the default endpoint location.
- Endpoint defaultEndpoint = sp.getAssertionConsumerServiceManager().getDefaultEndpoint();
- if (defaultEndpoint.getLocation().equals(acceptanceURL)) {
-
+ AssertionConsumerService defaultEndpoint = sp.getDefaultAssertionConsumerService();
+ if (defaultEndpoint != null && defaultEndpoint.getLocation().equals(acceptanceURL)) {
// If we recognize the default binding, this is the one to use.
if (defaultEndpoint.getBinding().equals(SAMLBrowserProfile.PROFILE_POST_URI)) return false;
else if (defaultEndpoint.getBinding().equals(SAMLBrowserProfile.PROFILE_ARTIFACT_URI)) return true;
}
-
- Iterator endpoints = sp.getAssertionConsumerServiceManager().getEndpoints();
- while (endpoints.hasNext()) {
- Endpoint ep = (Endpoint) endpoints.next();
+ // If not, look through everything we have
+ List<AssertionConsumerService> endpoints = sp.getAssertionConsumerServices();
+ for (AssertionConsumerService ep : endpoints) {
if (acceptanceURL.equals(ep.getLocation())
&& SAMLBrowserProfile.PROFILE_POST_URI.equals(ep.getBinding())) {
log.debug("Metadata indicates support for POST profile.");
continue;
}
}
- endpoints = sp.getAssertionConsumerServiceManager().getEndpoints();
- while (endpoints.hasNext()) {
- Endpoint ep = (Endpoint) endpoints.next();
+
+ endpoints = sp.getAssertionConsumerServices();
+ for (AssertionConsumerService ep : endpoints) {
if (acceptanceURL.equals(ep.getLocation())
&& SAMLBrowserProfile.PROFILE_ARTIFACT_URI.equals(ep.getBinding())) {
log.debug("Metadata indicates support for Artifact profile.");
return false;
}
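Review bot: The added `defaultEndpoint != null` check is right but stops short: `defaultEndpoint.getLocation().equals(acceptanceURL)` and the two `defaultEndpoint.getBinding().equals(...)` calls still dereference attributes that metadata may leave unset. Reversing them to the operand that is already assumed non-null elsewhere in this method — `if (defaultEndpoint != null && acceptanceURL.equals(defaultEndpoint.getLocation())) {`, `if (SAMLBrowserProfile.PROFILE_POST_URI.equals(defaultEndpoint.getBinding())) return false;`, `else if (SAMLBrowserProfile.PROFILE_ARTIFACT_URI.equals(defaultEndpoint.getBinding())) return true;` — removes the remaining NPEs. Separately, the first rewritten loop logs "Metadata indicates support for POST profile." and then only `continue`s, so it has no effect on the result, while the artifact loop returns `false` for the same binding that the default-endpoint branch returns `true` for; if that asymmetry is intentional, a one-line comment on what the return value means would spare the next reader the puzzle. The enclosing method continues past the end of this hunk.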
- Iterator endpoints = sp.getAssertionConsumerServiceManager().getEndpoints();
- while (endpoints.hasNext()) {
- if (shireURL.equals(((Endpoint) endpoints.next()).getLocation())) { return true; }
+ List<AssertionConsumerService> endpoints = sp.getAssertionConsumerServices();
+ for (AssertionConsumerService endpoint : endpoints) {
+ if (shireURL.equals(endpoint.getLocation())) { return true; }
}
log.info("Supplied consumer URL not found in metadata.");
return false;