From 47ca9c6c93447788376ba53e394ed3116d5a3dcc Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 2 Jul 2018 18:10:21 +0200 Subject: add requested attributes to PVP S-profile --- .../api/IPVPAuthnRequestBuilderConfiguruation.java | 29 +++++++++++++++++ .../pvp2/sp/impl/PVPAuthnRequestBuilder.java | 38 +++++++++++++++++++--- 2 files changed, 63 insertions(+), 4 deletions(-) (limited to 'eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz') diff --git a/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/api/IPVPAuthnRequestBuilderConfiguruation.java b/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/api/IPVPAuthnRequestBuilderConfiguruation.java index b0439775..7ddf05bd 100644 --- a/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/api/IPVPAuthnRequestBuilderConfiguruation.java +++ b/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/api/IPVPAuthnRequestBuilderConfiguruation.java @@ -2,11 +2,15 @@ *******************************************************************************/ package at.gv.egiz.eaaf.modules.pvp2.sp.api; +import java.util.List; + import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.xml.security.credential.Credential; import org.w3c.dom.Element; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute; + /** * @author tlenz * @@ -139,4 +143,29 @@ public interface IPVPAuthnRequestBuilderConfiguruation { public Element getSubjectConformationDate(); + /** + * Get the EntityId of the SP in case of a SAML2 proxy use-case + * + * @return + */ + public String getScopeRequesterId(); + + + /** + * Get a FriendlyName for the SP that sends the request + * + * @return + */ + public String getProviderName(); + + + /** + * Get a Set of SAML2 attributes that are requested by using SAML2 requested attributes + *
+ * Info: Attributes are requested by using eIDAS SAML2 extension for requested attributes + * + * @return + */ + public List getRequestedAttributes(); + } diff --git a/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/impl/PVPAuthnRequestBuilder.java b/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/impl/PVPAuthnRequestBuilder.java index 9b02dc77..087504e6 100644 --- a/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/impl/PVPAuthnRequestBuilder.java +++ b/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/impl/PVPAuthnRequestBuilder.java @@ -3,6 +3,7 @@ package at.gv.egiz.eaaf.modules.pvp2.sp.impl; import java.security.NoSuchAlgorithmException; +import java.util.List; import javax.servlet.http.HttpServletResponse; @@ -10,6 +11,7 @@ import org.apache.commons.lang3.StringUtils; import org.joda.time.DateTime; import org.opensaml.common.impl.SecureRandomIdentifierGenerator; import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.common.Extensions; import org.opensaml.saml2.core.AuthnContextClassRef; import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; import org.opensaml.saml2.core.AuthnRequest; @@ -18,6 +20,8 @@ import org.opensaml.saml2.core.NameID; import org.opensaml.saml2.core.NameIDPolicy; import org.opensaml.saml2.core.NameIDType; import org.opensaml.saml2.core.RequestedAuthnContext; +import org.opensaml.saml2.core.RequesterID; +import org.opensaml.saml2.core.Scoping; import org.opensaml.saml2.core.Subject; import org.opensaml.saml2.core.SubjectConfirmation; import org.opensaml.saml2.core.SubjectConfirmationData; 
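Review bot: The three new accessors on IPVPAuthnRequestBuilderConfiguruation leave every `@return` tag empty, so an implementer cannot tell whether null or an empty value is permitted, even though the builder hunk in PVPAuthnRequestBuilder treats null/empty as "do not add the element" (StringUtils.isNotEmpty for the two strings, `!= null` for the list). Document that contract here: for getScopeRequesterId `@return entityID of the requesting SP, or {@code null}/empty if no Scoping element is to be added`; for getProviderName `@return ProviderName for the AuthnRequest, or {@code null}/empty to omit it`; for getRequestedAttributes `@return the requested attributes, or {@code null} if no RequestedAttributes extension is to be added`. The summary line of getRequestedAttributes says "Get a Set" while the method returns a List; "Get the list of SAML2 attributes" matches the signature. The declaration shows up here as a raw `List`; the accompanying import of EAAFRequestedAttribute suggests the type argument `List<EAAFRequestedAttribute>` was lost in rendering rather than omitted, but it is worth confirming in the file, since a raw type would turn the builder's `addAll` into an unchecked call.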
@@ -33,9 +37,12 @@ import org.springframework.stereotype.Service; import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.modules.pvp2.api.binding.IEncoder; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttributes; import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception; import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding; import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EAAFRequestExtensionBuilder; import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils; import at.gv.egiz.eaaf.modules.pvp2.sp.api.IPVPAuthnRequestBuilderConfiguruation; import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnRequestBuildException; @@ -44,7 +51,7 @@ import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnRequestBuildException; * @author tlenz * */ -@Service("PVPAuthnRequestBuilder") +@Service("pvpAuthnRequestBuilder") public class PVPAuthnRequestBuilder { private static final Logger log = LoggerFactory.getLogger(PVPAuthnRequestBuilder.class); 
@@ -182,8 +189,31 @@ public class PVPAuthnRequestBuilder { } - //TODO: implement requested attributes - //maybe: config.getRequestedAttributes(); + + //set ProviderName + if (StringUtils.isNotEmpty(config.getProviderName())) + authReq.setProviderName(config.getProviderName()); + + //set RequesterId in case of proxy mode + if (StringUtils.isNotEmpty(config.getScopeRequesterId())) { + Scoping scope = SAML2Utils.createSAMLObject(Scoping.class); + RequesterID requesterId = SAML2Utils.createSAMLObject(RequesterID.class); + requesterId.setRequesterID(config.getScopeRequesterId()); + scope.getRequesterIDs().add(requesterId ); + authReq.setScoping(scope ); + + } + + //add optional requested attributes + if (config.getRequestedAttributes() != null) { + List reqAttr = config.getRequestedAttributes(); + Extensions extenstions = new EAAFRequestExtensionBuilder().buildObject(); + EAAFRequestedAttributes reqAttributs = SAML2Utils.createSAMLObject(EAAFRequestedAttributes.class); + reqAttributs.getAttributes().addAll(reqAttr); + extenstions.getUnknownXMLObjects().add(reqAttributs); + authReq.setExtensions(extenstions ); + + } //select message encoder IEncoder binding = null; @@ -201,5 +231,5 @@ public class PVPAuthnRequestBuilder { binding.encodeRequest(null, httpResp, authReq, endpoint.getLocation(), pendingReq.getPendingRequestId(), config.getAuthnRequestSigningCredential(), pendingReq); } - + } -- cgit v1.2.3
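Review bot: `if (config.getRequestedAttributes() != null)` still emits an Extensions element holding an empty RequestedAttributes container when the configured list is empty, because only null is excluded; change the guard to `if (config.getRequestedAttributes() != null && !config.getRequestedAttributes().isEmpty()) {` so the extension is added only when something is actually requested. `authReq.setExtensions(extenstions )` also replaces whatever Extensions object the request may already carry; the enclosing method starts before this hunk, so if an earlier step populates extensions, reuse `authReq.getExtensions()` when it is non-null instead of building a fresh one. The unbraced `if (StringUtils.isNotEmpty(config.getProviderName()))` evaluates the getter twice and differs from the braced style of the Scoping block right below it; read the value into a local once and brace the body. The misspelled locals `extenstions` and `reqAttributs` and the stray spaces in `add(requesterId )` and `setScoping(scope )` should be tidied before merge.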