Repository: syncope Updated Branches: refs/heads/master 5da5326ac -> 883911633
Take the valid SAML Assertion from the validator response instead. Project: http://git-wip-us.apache.org/repos/asf/syncope/repo Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/88391163 Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/88391163 Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/88391163 Branch: refs/heads/master Commit: 88391163320f5d73ca51e4c03b0edc5371ab6e1e Parents: d8d5fe5 Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Fri Aug 11 12:51:22 2017 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Fri Aug 11 13:15:07 2017 +0100 ---------------------------------------------------------------------- .../apache/syncope/core/logic/SAML2SPLogic.java | 65 ++++++++++---------- .../core/logic/saml2/SAML2ReaderWriter.java | 8 ++- 2 files changed, 39 insertions(+), 34 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/syncope/blob/88391163/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java ----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
index 31ef8c4..03576ab 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
@@ -37,6 +37,7 @@ import org.apache.commons.lang3.tuple.Pair;
 import org.apache.commons.lang3.tuple.Triple;
 import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
+import org.apache.cxf.rs.security.saml.sso.SSOValidatorResponse;
 import org.apache.syncope.common.lib.AbstractBaseBean;
 import org.apache.syncope.common.lib.SyncopeClientException;
 import org.apache.syncope.common.lib.to.AttrTO;
@@ -371,8 +372,10 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
 if (idp.getConnObjectKeyItem() == null) {
 throw new IllegalArgumentException("No mapping provided for SAML 2.0 IdP '" + idp.getId() + "'");
 }
+
+ SSOValidatorResponse validatorResponse = null;
 try {
- saml2rw.validate(
+ validatorResponse = saml2rw.validate(
 samlResponse,
 idp,
 getAssertionConsumerURL(response.getSpEntityID(), response.getUrlContext()),
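Review bot: `validatorResponse` is declared as `null` outside the `try` and only assigned inside it, so whether it is non-null afterwards is decided by the `catch` that follows this hunk, which is not visible here, while the next hunk (`@@ -390,47 +393,45 @@`) dereferences it unconditionally with `validatorResponse.getOpensamlAssertion()`. If that catch rethrows (the `SyncopeClientException` import on this file suggests it may), the `= null` initialiser is dead and should be dropped so the compiler's definite-assignment check proves the point; if it only logs, every rejected SAML response ends in a NullPointerException instead of a clean rejection. Either way a one-line comment such as `// non-null here: validate() either returns or the catch below rethrows` would record the contract the assertion-processing code relies on. The enclosing method starts before and ends after this hunk.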
@@ -390,47 +393,45 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> { responseTO.setIdp(idp.getId()); responseTO.setSloSupported(idp.getSLOLocation(idp.getBindingType()) != null); - NameID nameID = null; + Assertion assertion = validatorResponse.getOpensamlAssertion(); + NameID nameID = assertion.getSubject().getNameID(); String keyValue = null; - for (Assertion assertion : samlResponse.getAssertions()) { - nameID = assertion.getSubject().getNameID(); - if (StringUtils.isNotBlank(nameID.getValue()) - && idp.getConnObjectKeyItem().getExtAttrName().equals("NameID")) { + if (StringUtils.isNotBlank(nameID.getValue()) + && idp.getConnObjectKeyItem().getExtAttrName().equals("NameID")) { - keyValue = nameID.getValue(); - } + keyValue = nameID.getValue(); + } - if (assertion.getConditions().getNotOnOrAfter() != null) { - responseTO.setNotOnOrAfter(assertion.getConditions().getNotOnOrAfter().toDate()); - } - for (AuthnStatement authnStmt : assertion.getAuthnStatements()) { - responseTO.setSessionIndex(authnStmt.getSessionIndex()); + if (assertion.getConditions().getNotOnOrAfter() != null) { + responseTO.setNotOnOrAfter(assertion.getConditions().getNotOnOrAfter().toDate()); + } + for (AuthnStatement authnStmt : assertion.getAuthnStatements()) { + responseTO.setSessionIndex(authnStmt.getSessionIndex()); - responseTO.setAuthInstant(authnStmt.getAuthnInstant().toDate()); - if (authnStmt.getSessionNotOnOrAfter() != null) { - responseTO.setNotOnOrAfter(authnStmt.getSessionNotOnOrAfter().toDate()); - } + responseTO.setAuthInstant(authnStmt.getAuthnInstant().toDate()); + if (authnStmt.getSessionNotOnOrAfter() != null) { + responseTO.setNotOnOrAfter(authnStmt.getSessionNotOnOrAfter().toDate()); } + } - for (AttributeStatement attrStmt : assertion.getAttributeStatements()) { - for (Attribute attr : attrStmt.getAttributes()) { - if (!attr.getAttributeValues().isEmpty()) { - String attrName = attr.getFriendlyName() == null ? 
attr.getName() : attr.getFriendlyName(); - if (attrName.equals(idp.getConnObjectKeyItem().getExtAttrName()) - && attr.getAttributeValues().get(0) instanceof XSString) { + for (AttributeStatement attrStmt : assertion.getAttributeStatements()) { + for (Attribute attr : attrStmt.getAttributes()) { + if (!attr.getAttributeValues().isEmpty()) { + String attrName = attr.getFriendlyName() == null ? attr.getName() : attr.getFriendlyName(); + if (attrName.equals(idp.getConnObjectKeyItem().getExtAttrName()) + && attr.getAttributeValues().get(0) instanceof XSString) { - keyValue = ((XSString) attr.getAttributeValues().get(0)).getValue(); - } + keyValue = ((XSString) attr.getAttributeValues().get(0)).getValue(); + } - AttrTO attrTO = new AttrTO(); - attrTO.setSchema(attrName); - for (XMLObject value : attr.getAttributeValues()) { - if (value.getDOM() != null) { - attrTO.getValues().add(value.getDOM().getTextContent()); - } + AttrTO attrTO = new AttrTO(); + attrTO.setSchema(attrName); + for (XMLObject value : attr.getAttributeValues()) { + if (value.getDOM() != null) { + attrTO.getValues().add(value.getDOM().getTextContent()); } - responseTO.getAttrs().add(attrTO); } + responseTO.getAttrs().add(attrTO); } } } http://git-wip-us.apache.org/repos/asf/syncope/blob/88391163/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java ---------------------------------------------------------------------- diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java index fa48e77..3c2d547 100644 --- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java +++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java 
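Review bot: `assertion.getSubject().getNameID()`, `nameID.getValue()` and `assertion.getConditions().getNotOnOrAfter()` are dereferenced without null checks on the single validated assertion; in the SAML 2.0 schema `Subject` and `Conditions` are optional elements, so unless the CXF validator is known to reject assertions lacking them (not confirmable from this hunk) a schema-valid but incomplete assertion surfaces as a NullPointerException rather than a clean rejection. The same unguarded calls existed in the removed per-assertion loop, but this is now the only path, so a guard consistent with the `IllegalArgumentException` already thrown earlier in the method for a missing mapping, `if (assertion.getSubject() == null || assertion.getSubject().getNameID() == null) { throw new IllegalArgumentException("Validated SAML assertion carries no Subject/NameID"); }`, plus a `!= null` test on `getConditions()` before reading `getNotOnOrAfter()`, would make the expectation explicit. The enclosing method starts before this hunk.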
@@ -44,6 +44,7 @@ import javax.xml.transform.stream.StreamResult;
 import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder;
 import org.apache.cxf.rs.security.saml.sso.SAMLProtocolResponseValidator;
 import org.apache.cxf.rs.security.saml.sso.SAMLSSOResponseValidator;
+import org.apache.cxf.rs.security.saml.sso.SSOValidatorResponse;
 import org.apache.cxf.staxutils.StaxUtils;
 import org.apache.syncope.common.lib.SSOConstants;
 import org.apache.syncope.common.lib.types.SAML2BindingType;
@@ -203,7 +204,7 @@ public class SAML2ReaderWriter {
 return Base64.getEncoder().encodeToString(deflatedBytes);
 }
- public void validate(
+ public SSOValidatorResponse validate(
 final Response samlResponse,
 final SAML2IdPEntity idp,
 final String assertionConsumerURL,
@@ -225,7 +226,8 @@ public class SAML2ReaderWriter {
 ssoResponseValidator.setIssuerIDP(idp.getId());
 ssoResponseValidator.setRequestId(requestId);
 ssoResponseValidator.setSpIdentifier(spEntityID);
- ssoResponseValidator.validateSamlResponse(samlResponse, idp.getBindingType() == SAML2BindingType.POST);
+ SSOValidatorResponse validatorResponse =
+ ssoResponseValidator.validateSamlResponse(samlResponse, idp.getBindingType() == SAML2BindingType.POST);
 if (LOG.isDebugEnabled()) {
 try {
@@ -238,5 +240,7 @@ public class SAML2ReaderWriter {
 LOG.error("Could not log the SAML response with decrypted assertions", e);
 }
 }
+
+ return validatorResponse;
 }
 }
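Review bot: The `validate` method in the second hunk (`@@ -203,7 +204,7 @@`) changes from `void` to returning `SSOValidatorResponse` without any Javadoc, although that return value is now the caller's only legitimate source of assertion data. Suggest a Javadoc above the new signature stating that the method validates {@code samlResponse} for the given IdP and returns the validator's result, that callers must read the assertion from the returned object rather than from {@code samlResponse} because only that assertion has passed validation, and an `@return` saying whether it can be null (the fourth hunk returns `validatorResponse` unconditionally, so it is only as non-null as `validateSamlResponse` guarantees, which is not visible here). The method's parameter list and body run beyond the visible hunks.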