From 7f1a1d200e647fce391f674994b908ef2c799f4d Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 15 Apr 2014 13:29:57 +0200 Subject: add SPSSODescriptor for MOA-ID interfederation --- .../moa/id/protocols/pvp2x/MetadataAction.java | 304 ++++++++++++++------- 1 file changed, 206 insertions(+), 98 deletions(-) (limited to 'id') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index a29728245..fd501fde7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -23,6 +23,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x; import java.io.StringWriter; +import java.security.KeyStore; import java.util.List; import javax.servlet.http.HttpServletRequest; @@ -38,18 +39,27 @@ import org.joda.time.DateTime; import org.opensaml.Configuration; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.core.NameIDType; +import org.opensaml.saml2.metadata.AssertionConsumerService; +import org.opensaml.saml2.metadata.AttributeConsumingService; import org.opensaml.saml2.metadata.ContactPerson; import org.opensaml.saml2.metadata.EntitiesDescriptor; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.KeyDescriptor; +import org.opensaml.saml2.metadata.LocalizedString; import org.opensaml.saml2.metadata.NameIDFormat; +import org.opensaml.saml2.metadata.RoleDescriptor; +import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml2.metadata.ServiceName; import org.opensaml.saml2.metadata.SingleSignOnService; import org.opensaml.xml.io.Marshaller; +import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.SecurityHelper; import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.credential.UsageType; import org.opensaml.xml.security.keyinfo.KeyInfoGenerator; +import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter; +import org.opensaml.xml.security.x509.X509Credential; import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; import org.opensaml.xml.signature.Signature; import org.opensaml.xml.signature.Signer; @@ -57,14 +67,17 @@ import org.w3c.dom.Document; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; public class MetadataAction implements IAction { @@ -111,6 +124,7 @@ public class MetadataAction implements IAction { //keyInfoFactory.setEmitPublicKeyValue(true); keyInfoFactory.setEmitEntityIDAsKeyName(true); keyInfoFactory.setEmitEntityCertificate(true); + KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance(); Credential metadataSigningCredential = CredentialProvider.getIDPMetaDataSigningCredential(); @@ -121,106 +135,12 @@ public class MetadataAction implements IAction { SecurityHelper.prepareSignatureParams(signature, metadataSigningCredential, null, null); idpEntitiesDescriptor.setSignature(signature); - -// //set SignatureMethode -// signature.setSignatureAlgorithm(PVPConstants.DEFAULT_SIGNING_METHODE); -// -// //set DigestMethode -// List contentList = signature.getContentReferences(); -// for (ContentReference content : contentList) { -// -// if (content instanceof SAMLObjectContentReference) { -// -// SAMLObjectContentReference el = (SAMLObjectContentReference) content; -// el.setDigestAlgorithm(PVPConstants.DEFAULT_DIGESTMETHODE); -// -// } -// } - - -// KeyInfoBuilder metadataKeyInfoBuilder = new KeyInfoBuilder(); -// KeyInfo metadataKeyInfo = metadataKeyInfoBuilder.buildObject(); -// //KeyInfoHelper.addCertificate(metadataKeyInfo, metadataSigningCredential.); -// signature.setKeyInfo(metadataKeyInfo ); - - - IDPSSODescriptor idpSSODescriptor = SAML2Utils - .createSAMLObject(IDPSSODescriptor.class); - - idpSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); - - idpSSODescriptor.setWantAuthnRequestsSigned(true); - - if (PVPConfiguration.getInstance().getIDPSSOPostService() != null) { - SingleSignOnService postSingleSignOnService = SAML2Utils - .createSAMLObject(SingleSignOnService.class); - - postSingleSignOnService.setLocation(PVPConfiguration - .getInstance().getIDPSSOPostService()); - postSingleSignOnService - .setBinding(SAMLConstants.SAML2_POST_BINDING_URI); - - idpSSODescriptor.getSingleSignOnServices().add( - postSingleSignOnService); - } - - if (PVPConfiguration.getInstance().getIDPSSORedirectService() != null) { - SingleSignOnService redirectSingleSignOnService = SAML2Utils - .createSAMLObject(SingleSignOnService.class); - - redirectSingleSignOnService.setLocation(PVPConfiguration - .getInstance().getIDPSSORedirectService()); - redirectSingleSignOnService - .setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); - - idpSSODescriptor.getSingleSignOnServices().add( - redirectSingleSignOnService); - } - - /*if (PVPConfiguration.getInstance().getIDPResolveSOAPService() != null) { - ArtifactResolutionService artifactResolutionService = SAML2Utils - .createSAMLObject(ArtifactResolutionService.class); - - artifactResolutionService - .setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI); - artifactResolutionService.setLocation(PVPConfiguration - .getInstance().getIDPResolveSOAPService()); - - artifactResolutionService.setIndex(0); - - idpSSODescriptor.getArtifactResolutionServices().add( - artifactResolutionService); - }*/ - - //set assertion signing key - Credential assertionSigingCredential = CredentialProvider - .getIDPAssertionSigningCredential(); - - KeyDescriptor signKeyDescriptor = SAML2Utils - .createSAMLObject(KeyDescriptor.class); - signKeyDescriptor.setUse(UsageType.SIGNING); - signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(assertionSigingCredential)); - idpSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); - - idpSSODescriptor.getAttributes().addAll(PVPAttributeBuilder.buildSupportedEmptyAttributes()); - - NameIDFormat persistenNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); - persistenNameIDFormat.setFormat(NameIDType.PERSISTENT); + //set IDP metadata + idpEntityDescriptor.getRoleDescriptors().add(generateIDPMetadata(keyInfoGenerator)); - idpSSODescriptor.getNameIDFormats().add(persistenNameIDFormat); - - NameIDFormat transientNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); - transientNameIDFormat.setFormat(NameIDType.TRANSIENT); - - idpSSODescriptor.getNameIDFormats().add(transientNameIDFormat); - - NameIDFormat unspecifiedNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); - unspecifiedNameIDFormat.setFormat(NameIDType.UNSPECIFIED); - - idpSSODescriptor.getNameIDFormats().add(unspecifiedNameIDFormat); - - idpEntityDescriptor.getRoleDescriptors().add(idpSSODescriptor); + //set SP metadata for interfederation + idpEntityDescriptor.getRoleDescriptors().add(generateSPMetadata(keyInfoGenerator)); DocumentBuilder builder; DocumentBuilderFactory factory = DocumentBuilderFactory @@ -269,4 +189,192 @@ public class MetadataAction implements IAction { return (PVP2XProtocol.METADATA); } + private RoleDescriptor generateSPMetadata(KeyInfoGenerator keyInfoGenerator) throws CredentialsNotAvailableException, SecurityException, ConfigurationException { + + Logger.debug("Set SP Metadata key information"); + + SPSSODescriptor spSSODescriptor = SAML2Utils + .createSAMLObject(SPSSODescriptor.class); + + spSSODescriptor.setAuthnRequestsSigned(true); + spSSODescriptor.setWantAssertionsSigned(true); + + + //Set AuthRequest Signing certificate + X509Credential authcredential = CredentialProvider.getIDPAssertionSigningCredential(); + + KeyDescriptor signKeyDescriptor = SAML2Utils + .createSAMLObject(KeyDescriptor.class); + signKeyDescriptor.setUse(UsageType.SIGNING); + signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authcredential)); + spSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); + + + //set AuthRequest encryption certificate + + X509Credential authEncCredential = CredentialProvider.getIDPAssertionEncryptionCredential(); + + if (authEncCredential != null) { + KeyDescriptor encryKeyDescriptor = SAML2Utils + .createSAMLObject(KeyDescriptor.class); + encryKeyDescriptor.setUse(UsageType.ENCRYPTION); + encryKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authEncCredential)); + spSSODescriptor.getKeyDescriptors().add(encryKeyDescriptor); + + } else { + Logger.warn("No Assertion Encryption-Key defined. This setting is not recommended!"); + + } + + NameIDFormat persistentnameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); + persistentnameIDFormat.setFormat(NameIDType.PERSISTENT); + + spSSODescriptor.getNameIDFormats().add(persistentnameIDFormat); + + NameIDFormat transientnameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); + transientnameIDFormat.setFormat(NameIDType.TRANSIENT); + + spSSODescriptor.getNameIDFormats().add(transientnameIDFormat); + + NameIDFormat unspecifiednameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); + unspecifiednameIDFormat.setFormat(NameIDType.UNSPECIFIED); + + spSSODescriptor.getNameIDFormats().add(unspecifiednameIDFormat); + + AssertionConsumerService postassertionConsumerService = + SAML2Utils.createSAMLObject(AssertionConsumerService.class); + postassertionConsumerService.setIndex(0); + postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); + postassertionConsumerService.setLocation(PVPConfiguration + .getInstance().getIDPSSOPostService()); + postassertionConsumerService.setIsDefault(true); + spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService); + + + AssertionConsumerService redirectassertionConsumerService = + SAML2Utils.createSAMLObject(AssertionConsumerService.class); + redirectassertionConsumerService.setIndex(1); + redirectassertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); + redirectassertionConsumerService.setLocation(PVPConfiguration + .getInstance().getIDPSSORedirectService()); + spSSODescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService); + + spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); + + AttributeConsumingService attributeService = + SAML2Utils.createSAMLObject(AttributeConsumingService.class); + + attributeService.setIndex(0); + attributeService.setIsDefault(true); + ServiceName serviceName = SAML2Utils.createSAMLObject(ServiceName.class); + serviceName.setName(new LocalizedString("Default Service", "de")); + attributeService.getNames().add(serviceName); + + return spSSODescriptor; + } + + private IDPSSODescriptor generateIDPMetadata(KeyInfoGenerator keyInfoGenerator) throws ConfigurationException, CredentialsNotAvailableException, SecurityException { + + +// //set SignatureMethode +// signature.setSignatureAlgorithm(PVPConstants.DEFAULT_SIGNING_METHODE); +// +// //set DigestMethode +// List contentList = signature.getContentReferences(); +// for (ContentReference content : contentList) { +// +// if (content instanceof SAMLObjectContentReference) { +// +// SAMLObjectContentReference el = (SAMLObjectContentReference) content; +// el.setDigestAlgorithm(PVPConstants.DEFAULT_DIGESTMETHODE); +// +// } +// } + + +// KeyInfoBuilder metadataKeyInfoBuilder = new KeyInfoBuilder(); +// KeyInfo metadataKeyInfo = metadataKeyInfoBuilder.buildObject(); +// //KeyInfoHelper.addCertificate(metadataKeyInfo, metadataSigningCredential.); +// signature.setKeyInfo(metadataKeyInfo ); + + + IDPSSODescriptor idpSSODescriptor = SAML2Utils + .createSAMLObject(IDPSSODescriptor.class); + + idpSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); + + idpSSODescriptor.setWantAuthnRequestsSigned(true); + + if (PVPConfiguration.getInstance().getIDPSSOPostService() != null) { + SingleSignOnService postSingleSignOnService = SAML2Utils + .createSAMLObject(SingleSignOnService.class); + + postSingleSignOnService.setLocation(PVPConfiguration + .getInstance().getIDPSSOPostService()); + postSingleSignOnService + .setBinding(SAMLConstants.SAML2_POST_BINDING_URI); + + idpSSODescriptor.getSingleSignOnServices().add( + postSingleSignOnService); + } + + if (PVPConfiguration.getInstance().getIDPSSORedirectService() != null) { + SingleSignOnService redirectSingleSignOnService = SAML2Utils + .createSAMLObject(SingleSignOnService.class); + + redirectSingleSignOnService.setLocation(PVPConfiguration + .getInstance().getIDPSSORedirectService()); + redirectSingleSignOnService + .setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); + + idpSSODescriptor.getSingleSignOnServices().add( + redirectSingleSignOnService); + } + + /*if (PVPConfiguration.getInstance().getIDPResolveSOAPService() != null) { + ArtifactResolutionService artifactResolutionService = SAML2Utils + .createSAMLObject(ArtifactResolutionService.class); + + artifactResolutionService + .setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI); + artifactResolutionService.setLocation(PVPConfiguration + .getInstance().getIDPResolveSOAPService()); + + artifactResolutionService.setIndex(0); + + idpSSODescriptor.getArtifactResolutionServices().add( + artifactResolutionService); + }*/ + + //set assertion signing key + Credential assertionSigingCredential = CredentialProvider + .getIDPAssertionSigningCredential(); + + KeyDescriptor signKeyDescriptor = SAML2Utils + .createSAMLObject(KeyDescriptor.class); + signKeyDescriptor.setUse(UsageType.SIGNING); + signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(assertionSigingCredential)); + idpSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); + + idpSSODescriptor.getAttributes().addAll(PVPAttributeBuilder.buildSupportedEmptyAttributes()); + + NameIDFormat persistenNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); + persistenNameIDFormat.setFormat(NameIDType.PERSISTENT); + + idpSSODescriptor.getNameIDFormats().add(persistenNameIDFormat); + + NameIDFormat transientNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); + transientNameIDFormat.setFormat(NameIDType.TRANSIENT); + + idpSSODescriptor.getNameIDFormats().add(transientNameIDFormat); + + NameIDFormat unspecifiedNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); + unspecifiedNameIDFormat.setFormat(NameIDType.UNSPECIFIED); + + idpSSODescriptor.getNameIDFormats().add(unspecifiedNameIDFormat); + + return idpSSODescriptor; + + } + } -- cgit v1.2.3