Monday, December 30, 2013

How to create a valid SAML 2.0 Assertion with OpenSAML for JAVA

Recently I had to implement SAML 2.0 for a client project for a Single Sign On (SSO) process.
For this purpose our system needed to create a SAML Assertion containing all the information of the user who is currently logging in.
I was using the OpenSAML classes for JAVA.
Initially I had some issues because I couldn’t find good documentation / examples about what how such an Assertion is to be created using OpenSAML.
I had to do lots of googling and trial & error and finally I got it working.
The following sites were useful and led to my solution.
http://blogs.sun.com/JoachimAndres/entry/creating_a_saml_assertion_with1
http://www.capcourse.com/Library/OpenSAML/index.html
http://ekschi.com/technology/2009/09/01/creating-a-saml-assertion-with-opensaml-part-2/
Though I had to make modifications to some of the solutions above.
To save you this pain, I am posting my final example here. The class below is only for demonstration purposes of this blog entry, and I have stripped out lots of other stuff (e.g. error handling, client specific stuff, encryption via EncryptedAssertion). The only purpose is to give you some kind of template and idea how to start.
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
 
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.AttributeValue;
import org.opensaml.saml2.core.AuthnContext;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Condition;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.OneTimeUse;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml2.core.impl.AssertionMarshaller;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.XMLObjectBuilder;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.schema.XSString;
import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.Element;
 
/**
 * This is a demo class which creates a valid SAML 2.0 Assertion.
 */
public class SAMLWriter
{
 
 public static void main(String[] args) {
     try {
   SAMLInputContainer input = new SAMLInputContainer();
   input.strIssuer = "http://synesty.com";
   input.strNameID = "UserJohnSmith";
   input.strNameQualifier = "My Website";
   input.sessionId = "abcdedf1234567";
 
   Map customAttributes = new HashMap();
   customAttributes.put("FirstName", "John");
   customAttributes.put("LastName", "Smith");
 
   input.attributes = customAttributes;
 
   Assertion assertion = SAMLWriter.buildDefaultAssertion(input);
   AssertionMarshaller marshaller = new AssertionMarshaller();
   Element plaintextElement = marshaller.marshall(assertion);
   String originalAssertionString = XMLHelper.nodeToString(plaintextElement);
 
   System.out.println("Assertion String: " + originalAssertionString);
 
   // TODO: now you can also add encryption....
 
  } catch (MarshallingException e) {
   // TODO Auto-generated catch block
   e.printStackTrace();
  }
 
 }
 
 private static XMLObjectBuilderFactory builderFactory;
 
 public static XMLObjectBuilderFactory getSAMLBuilder() throws ConfigurationException{
 
  if(builderFactory == null){
   // OpenSAML 2.3
    DefaultBootstrap.bootstrap();
          builderFactory = Configuration.getBuilderFactory();
  }
 
  return builderFactory;
 }
 
 /**
  * Builds a SAML Attribute of type String
  * @param name
  * @param value
  * @param builderFactory
  * @return
  * @throws ConfigurationException
  */
 public static Attribute buildStringAttribute(String name, String value, XMLObjectBuilderFactory builderFactory) throws ConfigurationException
 {
  SAMLObjectBuilder attrBuilder = (SAMLObjectBuilder) getSAMLBuilder().getBuilder(Attribute.DEFAULT_ELEMENT_NAME);
   Attribute attrFirstName = (Attribute) attrBuilder.buildObject();
   attrFirstName.setName(name);
 
   // Set custom Attributes
   XMLObjectBuilder stringBuilder = getSAMLBuilder().getBuilder(XSString.TYPE_NAME);
   XSString attrValueFirstName = (XSString) stringBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSString.TYPE_NAME);
   attrValueFirstName.setValue(value);
 
   attrFirstName.getAttributeValues().add(attrValueFirstName);
  return attrFirstName;
 }
 
 /**
  * Helper method which includes some basic SAML fields which are part of almost every SAML Assertion.
  *
  * @param input
  * @return
  */
 public static Assertion buildDefaultAssertion(SAMLInputContainer input)
 {
  try
  {
          // Create the NameIdentifier
          SAMLObjectBuilder nameIdBuilder = (SAMLObjectBuilder) SAMLWriter.getSAMLBuilder().getBuilder(NameID.DEFAULT_ELEMENT_NAME);
          NameID nameId = (NameID) nameIdBuilder.buildObject();
          nameId.setValue(input.getStrNameID());
          nameId.setNameQualifier(input.getStrNameQualifier());
          nameId.setFormat(NameID.UNSPECIFIED);
 
          // Create the SubjectConfirmation
 
          SAMLObjectBuilder confirmationMethodBuilder = (SAMLObjectBuilder)  SAMLWriter.getSAMLBuilder().getBuilder(SubjectConfirmationData.DEFAULT_ELEMENT_NAME);
          SubjectConfirmationData confirmationMethod = (SubjectConfirmationData) confirmationMethodBuilder.buildObject();
          DateTime now = new DateTime();
          confirmationMethod.setNotBefore(now);
          confirmationMethod.setNotOnOrAfter(now.plusMinutes(2));
 
          SAMLObjectBuilder subjectConfirmationBuilder = (SAMLObjectBuilder) SAMLWriter.getSAMLBuilder().getBuilder(SubjectConfirmation.DEFAULT_ELEMENT_NAME);
          SubjectConfirmation subjectConfirmation = (SubjectConfirmation) subjectConfirmationBuilder.buildObject();
          subjectConfirmation.setSubjectConfirmationData(confirmationMethod);
 
          // Create the Subject
          SAMLObjectBuilder subjectBuilder = (SAMLObjectBuilder) SAMLWriter.getSAMLBuilder().getBuilder(Subject.DEFAULT_ELEMENT_NAME);
          Subject subject = (Subject) subjectBuilder.buildObject();
 
          subject.setNameID(nameId);
          subject.getSubjectConfirmations().add(subjectConfirmation);
 
          // Create Authentication Statement
          SAMLObjectBuilder authStatementBuilder = (SAMLObjectBuilder) SAMLWriter.getSAMLBuilder().getBuilder(AuthnStatement.DEFAULT_ELEMENT_NAME);
          AuthnStatement authnStatement = (AuthnStatement) authStatementBuilder.buildObject();
          //authnStatement.setSubject(subject);
          //authnStatement.setAuthenticationMethod(strAuthMethod);
          DateTime now2 = new DateTime();
          authnStatement.setAuthnInstant(now2);
          authnStatement.setSessionIndex(input.getSessionId());
          authnStatement.setSessionNotOnOrAfter(now2.plus(input.getMaxSessionTimeoutInMinutes()));
 
          SAMLObjectBuilder authContextBuilder = (SAMLObjectBuilder) SAMLWriter.getSAMLBuilder().getBuilder(AuthnContext.DEFAULT_ELEMENT_NAME);
          AuthnContext authnContext = (AuthnContext) authContextBuilder.buildObject();
 
          SAMLObjectBuilder authContextClassRefBuilder = (SAMLObjectBuilder) SAMLWriter.getSAMLBuilder().getBuilder(AuthnContextClassRef.DEFAULT_ELEMENT_NAME);
          AuthnContextClassRef authnContextClassRef = (AuthnContextClassRef) authContextClassRefBuilder.buildObject();
          authnContextClassRef.setAuthnContextClassRef("urn:oasis:names:tc:SAML:2.0:ac:classes:Password"); // TODO not sure exactly about this
 
   authnContext.setAuthnContextClassRef(authnContextClassRef);
         authnStatement.setAuthnContext(authnContext);
 
         // Builder Attributes
          SAMLObjectBuilder attrStatementBuilder = (SAMLObjectBuilder) SAMLWriter.getSAMLBuilder().getBuilder(AttributeStatement.DEFAULT_ELEMENT_NAME);
          AttributeStatement attrStatement = (AttributeStatement) attrStatementBuilder.buildObject();
 
       // Create the attribute statement
          Map attributes = input.getAttributes();
          if(attributes != null){
           Set keySet = attributes.keySet();
           for (String key : keySet)
    {
            Attribute attrFirstName = buildStringAttribute(key, attributes.get(key), getSAMLBuilder());
            attrStatement.getAttributes().add(attrFirstName);
    }
          }
 
          // Create the do-not-cache condition
          SAMLObjectBuilder doNotCacheConditionBuilder = (SAMLObjectBuilder) SAMLWriter.getSAMLBuilder().getBuilder(OneTimeUse.DEFAULT_ELEMENT_NAME);
          Condition condition = (Condition) doNotCacheConditionBuilder.buildObject();
 
          SAMLObjectBuilder conditionsBuilder = (SAMLObjectBuilder) SAMLWriter.getSAMLBuilder().getBuilder(Conditions.DEFAULT_ELEMENT_NAME);
          Conditions conditions = (Conditions) conditionsBuilder.buildObject();
          conditions.getConditions().add(condition);
 
          // Create Issuer
          SAMLObjectBuilder issuerBuilder = (SAMLObjectBuilder) SAMLWriter.getSAMLBuilder().getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
          Issuer issuer = (Issuer) issuerBuilder.buildObject();
          issuer.setValue(input.getStrIssuer());
 
          // Create the assertion
          SAMLObjectBuilder assertionBuilder = (SAMLObjectBuilder) SAMLWriter.getSAMLBuilder().getBuilder(Assertion.DEFAULT_ELEMENT_NAME);
          Assertion assertion = (Assertion) assertionBuilder.buildObject();
          assertion.setIssuer(issuer);
          assertion.setIssueInstant(now);
          assertion.setVersion(SAMLVersion.VERSION_20);
 
          assertion.getAuthnStatements().add(authnStatement);
          assertion.getAttributeStatements().add(attrStatement);
          assertion.setConditions(conditions);
 
   return assertion;
  }
  catch (Exception e)
  {
   e.printStackTrace();
  }
  return null;
 }
 
 public static class SAMLInputContainer
 {
 
  private String strIssuer;
  private String strNameID;
  private String strNameQualifier;
  private String sessionId;
  private int maxSessionTimeoutInMinutes = 15; // default is 15 minutes
 
  private Map attributes;
 
  /**
   * Returns the strIssuer.
   *
   * @return the strIssuer
   */
  public String getStrIssuer()
  {
   return strIssuer;
  }
 
  /**
   * Sets the strIssuer.
   *
   * @param strIssuer
   *            the strIssuer to set
   */
  public void setStrIssuer(String strIssuer)
  {
   this.strIssuer = strIssuer;
  }
 
  /**
   * Returns the strNameID.
   *
   * @return the strNameID
   */
  public String getStrNameID()
  {
   return strNameID;
  }
 
  /**
   * Sets the strNameID.
   *
   * @param strNameID
   *            the strNameID to set
   */
  public void setStrNameID(String strNameID)
  {
   this.strNameID = strNameID;
  }
 
  /**
   * Returns the strNameQualifier.
   *
   * @return the strNameQualifier
   */
  public String getStrNameQualifier()
  {
   return strNameQualifier;
  }
 
  /**
   * Sets the strNameQualifier.
   *
   * @param strNameQualifier
   *            the strNameQualifier to set
   */
  public void setStrNameQualifier(String strNameQualifier)
  {
   this.strNameQualifier = strNameQualifier;
  }
 
  /**
   * Sets the attributes.
   *
   * @param attributes
   *            the attributes to set
   */
  public void setAttributes(Map attributes)
  {
   this.attributes = attributes;
  }
 
  /**
   * Returns the attributes.
   *
   * @return the attributes
   */
  public Map getAttributes()
  {
   return attributes;
  }
 
  /**
   * Sets the sessionId.
   * @param sessionId the sessionId to set
   */
  public void setSessionId(String sessionId)
  {
   this.sessionId = sessionId;
  }
 
  /**
   * Returns the sessionId.
   * @return the sessionId
   */
  public String getSessionId()
  {
   return sessionId;
  }
 
  /**
   * Sets the maxSessionTimeoutInMinutes.
   * @param maxSessionTimeoutInMinutes the maxSessionTimeoutInMinutes to set
   */
  public void setMaxSessionTimeoutInMinutes(int maxSessionTimeoutInMinutes)
  {
   this.maxSessionTimeoutInMinutes = maxSessionTimeoutInMinutes;
  }
 
  /**
   * Returns the maxSessionTimeoutInMinutes.
   * @return the maxSessionTimeoutInMinutes
   */
  public int getMaxSessionTimeoutInMinutes()
  {
   return maxSessionTimeoutInMinutes;
  }
 
 }
 
}
Dieser Beitrag wurde unter Software-Development abgelegt und mit verschlagwortet. Setze ein Lesezeichen auf den Permalink.

7 comments:

oakleyses said...

louis vuitton handbags, oakley sunglasses, louboutin, longchamp outlet, nike shoes, louis vuitton outlet stores, chanel handbags, burberry outlet, prada outlet, jordan shoes, tiffany and co, michael kors outlet, tory burch outlet, louis vuitton outlet, longchamp handbags, nike free, true religion jeans, michael kors outlet, kate spade outlet, polo ralph lauren outlet, tiffany and co, prada handbags, polo ralph lauren outlet, michael kors outlet, michael kors outlet, longchamp handbags, oakley sunglasses, ray ban sunglasses, kate spade handbags, burberry outlet, louis vuitton outlet, louboutin outlet, louboutin, coach factory outlet, air max, air max, coach outlet, gucci outlet, christian louboutin shoes, michael kors outlet, coach purses, ray ban sunglasses, michael kors outlet, louis vuitton, coach outlet store online, true religion jeans, oakley sunglasses cheap

oakleyses said...

ralph lauren, lululemon, air max, hollister, north face, nike air max, polo lacoste, vanessa bruno, timberland, vans pas cher, louboutin, louis vuitton, oakley pas cher, air max pas cher, nike roshe run, air max, true religion outlet, barbour, sac longchamp, air force, hollister, sac louis vuitton, nike free, polo ralph lauren, nike trainers, louis vuitton uk, nike roshe, sac hermes, longchamp, michael kors, sac burberry, sac guess, mulberry, new balance pas cher, converse pas cher, sac louis vuitton, hogan outlet, nike tn, north face, true religion outlet, ray ban pas cher, michael kors, air jordan, nike blazer, nike free pas cher, michael kors pas cher, abercrombie and fitch, ray ban sunglasses

oakleyses said...

mac cosmetics, mont blanc, marc jacobs, canada goose outlet, nike huarache, vans shoes, soccer jerseys, hollister, giuseppe zanotti, beats by dre, abercrombie and fitch, longchamp, insanity workout, celine handbags, bottega veneta, ghd, nfl jerseys, north face outlet, chi flat iron, ugg boots, birkin bag, ugg australia, canada goose, herve leger, ugg pas cher, rolex watches, valentino shoes, canada goose uk, canada goose, ferragamo shoes, canada goose, ugg boots, uggs outlet, north face jackets, soccer shoes, asics running shoes, new balance shoes, p90x, lululemon outlet, canada goose jackets, mcm handbags, instyler, babyliss pro, ugg, wedding dresses, jimmy choo outlet, reebok outlet, nike roshe run

oakleyses said...

parajumpers, karen millen, air max, converse, pandora charms, moncler, louboutin, moncler, links of london, lancel, juicy couture outlet, oakley, hollister, pandora charms, supra shoes, thomas sabo, canada goose, gucci, wedding dresses, timberland boots, swarovski crystal, air max, coach outlet store online, moncler, ray ban, canada goose, moncler, ugg, louis vuitton, swarovski, hollister, montre homme, moncler, hollister clothing store, ralph lauren, rolex watches, moncler outlet, moncler, iphone 6 cases, baseball bats, juicy couture outlet, toms shoes, vans, pandora jewelry, ugg, converse shoes

Anna said...

Great and Useful Article.

Online Java Course

Java Online Training

Java Course Online

Best Recommended books for Spring framework

Java Interview Questions












Java Training Institutes in Chennai

Java Training in Chennai

J2EE Training in Chennai

java j2ee training institutes in chennai

Java Course in Chennai

Zheng junxai5 said...

zhengjx20160721
michael kors outlet clearance
jordan retro 4
kobe 8
coach factory outlet online
rolex watches
nike free uk
coach factory outlet
air max
kate spade handbags
louis vuitton outlet stores
cheap ray ban sunglasses
kd 8
ralph lauren polo
air jordan 4
jordan 6s
air jordan homme
michael kors outlet clearance
rolex watches
louis vuitton handbags
designer handbags
coach outlet online
cheap basketball shoes
oakley canada
kate spade outlet
louis vuitton bags
cheap jordans
toms wedges
longchamp handbags
ralph lauren home
coach outlet
louis vuitton outlet
michael kors outlet
kate spade outlet
nike air max uk
michael kors outlet
louis vuitton outlet stores
montblanc pen
true religion outlet

raybanoutlet001 said...

adidas tubular x
true religion jeans
ray ban sunglasses outlet
tiffany and co jewelry
tiffany and co uk
mlb jerseys shop
chrome hearts online store
yeezy
chrome hearts online
yeezy boost 350
http://www.chromehearts.com.co
adidas yeezy uk
louboutin shoes
michael kors outlet
cheap oakley sunglasses
http://www.nikedunks.us.org
retro jordans
ralph lauren uk
michael jordan shoes
toms outlet store
yeezy boost
tiffany and co uk