Class SAMLUtils

java.lang.Object
org.apache.rahas.impl.util.SAMLUtils

public class SAMLUtils extends Object
Utility class for SAML 1 assertions. Responsible for manipulating all SAML1 specific objects like Assertion, ConfirmationMethod etc ...
  • Constructor Summary

    Constructors
    Constructor
    Description
    SAMLUtils()
  • Method Summary

    Modifier and Type
    Method
    Description
    static org.opensaml.saml.saml1.core.Assertion
    buildAssertion(Element assertionElement)
    Builds an assertion from an XML element.
    static org.opensaml.saml.saml1.core.Assertion
    createAssertion(String issuerName, Instant notBefore, Instant notOnOrAfter, List<org.opensaml.saml.saml1.core.Statement> statements)
    This method creates the final SAML assertion.
    static org.opensaml.saml.saml1.core.Attribute
    createAttribute(String name, String namespace, String value)
    Creates a SAML attribute similar to following,
    static org.opensaml.saml.saml1.core.AttributeStatement
    createAttributeStatement(org.opensaml.saml.saml1.core.Subject subject, List<org.opensaml.saml.saml1.core.Attribute> attributeList)
    Creates an attribute statement.
    static org.opensaml.saml.saml1.core.AuthenticationStatement
    createAuthenticationStatement(org.opensaml.saml.saml1.core.Subject subject, String authenticationMethod, Instant authenticationInstant)
    Creates an AuthenticationStatement.
    static org.opensaml.saml.saml1.core.Conditions
    createConditions(Instant notBefore, Instant notOnOrAfter)
    Creates Conditions object.
    static org.opensaml.xmlsec.signature.KeyInfo
    createKeyInfo()
    Creates a KeyInfo object.
    static org.opensaml.xmlsec.signature.KeyInfo
    createKeyInfo(org.opensaml.xmlsec.encryption.EncryptedKey encryptedKey)
    Creates a KeyInfo element given EncryptedKey.
    static org.opensaml.xmlsec.signature.KeyInfo
    createKeyInfo(org.opensaml.xmlsec.signature.X509Data x509Data)
    Creates a KeyInfo element given X509Data.
    static org.opensaml.saml.saml1.core.NameIdentifier
    createNamedIdentifier(String principalName, String format)
    Create named identifier.
    static org.opensaml.saml.saml1.core.Subject
    createSubject(org.opensaml.saml.saml1.core.NameIdentifier nameIdentifier, String confirmationMethod, org.opensaml.xmlsec.signature.KeyInfo keyInfoContent)
    Creates an opensaml Subject representation.
    static org.opensaml.saml.saml1.core.SubjectConfirmation
    createSubjectConfirmation(String confirmationMethod, org.opensaml.xmlsec.signature.KeyInfo keyInfoContent)
    Creates opensaml SubjectConfirmation representation.
    static org.opensaml.saml.saml1.core.ConfirmationMethod
    createSubjectConfirmationMethod(String confirmationMethod)
    Creates the subject confirmation method.
    static String
    getSAML11SubjectConfirmationMethod(org.opensaml.saml.saml1.core.Assertion assertion)
    Get subject confirmation method of the given SAML 1.1 Assertion.
    static void
    signAssertion(org.opensaml.saml.saml1.core.Assertion assertion, org.apache.wss4j.common.crypto.Crypto crypto, String issuerKeyAlias, String issuerKeyPassword)
    Signs the SAML assertion.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • SAMLUtils

      public SAMLUtils()
  • Method Details

    • getCertChainCollection

      public static Collection<X509Certificate> getCertChainCollection(X509Certificate[] issuerCerts)
    • buildAssertion

      public static org.opensaml.saml.saml1.core.Assertion buildAssertion(Element assertionElement)
      Builds an assertion from an XML element.
      Parameters:
      assertionElement - The XML element.
      Returns:
      An Assertion object.
    • signAssertion

      public static void signAssertion(org.opensaml.saml.saml1.core.Assertion assertion, org.apache.wss4j.common.crypto.Crypto crypto, String issuerKeyAlias, String issuerKeyPassword) throws TrustException
      Signs the SAML assertion. The steps to sign a SAML assertion are as follows:
      1. Get certificate for issuer alias
      2. Extract private key
      3. Create Credential object
      4. Create Signature object
      5. Set Signature object in Assertion
      6. Prepare signing environment - SecurityHelper.prepareSignatureParams
      7. Perform signing action - Signer.signObject
      Parameters:
      assertion - The assertion to be signed.
      crypto - Crypto object holding the issuer's certificate and private key.
      issuerKeyAlias - Alias of the issuer key in the Crypto store.
      issuerKeyPassword - Password of the issuer key.
      Throws:
      TrustException - If an error occurred while signing the assertion.
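      As an added example (not Rahas code) of the issuer-side flow that ends in signAssertion: it composes the SAMLUtils builders documented on this page into a bearer assertion, signs it (steps 1-7 above run inside signAssertion), and reads the result back before releasing it. It assumes OpenSAML is bootstrapped and a wss4j Merlin keystore; the keystore path, alias and passwords are placeholders.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.List;
import java.util.Properties;
import org.apache.rahas.TrustException;
import org.apache.rahas.impl.util.SAMLUtils;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.opensaml.core.config.InitializationService;
import org.opensaml.saml.saml1.core.Assertion;
import org.opensaml.saml.saml1.core.AuthenticationStatement;
import org.opensaml.saml.saml1.core.NameIdentifier;
import org.opensaml.saml.saml1.core.Subject;

public class BearerAssertionIssuerExample {
    // URIs taken from the XML samples on this page.
    static final String NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
    static final String CM_BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer";
    static final String AM_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password";

    public static Assertion issueSignedBearerAssertion(String issuer, String userEmail,
            Crypto crypto, String keyAlias, String keyPassword) throws TrustException {
        Instant now = Instant.now();
        // Subject: bearer confirmation carries no key, so KeyInfo is null (allowed by SAML 1.1).
        NameIdentifier nameId = SAMLUtils.createNamedIdentifier(userEmail, NAMEID_EMAIL);
        Subject subject = SAMLUtils.createSubject(nameId, CM_BEARER, null);
        AuthenticationStatement authn =
                SAMLUtils.createAuthenticationStatement(subject, AM_PASSWORD, now);
        // createAssertion builds the Conditions element from the two instants. A bearer
        // assertion is usable by anyone holding it until NotOnOrAfter, so keep the window short.
        Assertion assertion = SAMLUtils.createAssertion(
                issuer, now, now.plus(Duration.ofMinutes(5)), List.of(authn));
        SAMLUtils.signAssertion(assertion, crypto, keyAlias, keyPassword);
        // Read back what a relying party will see before the assertion leaves the issuer.
        if (assertion.getSignature() == null
                || !CM_BEARER.equals(SAMLUtils.getSAML11SubjectConfirmationMethod(assertion))) {
            throw new IllegalStateException("assertion not signed or wrong confirmation method");
        }
        return assertion;
    }

    public static void main(String[] args) throws Exception {
        InitializationService.initialize(); // assumption: OpenSAML bootstrapped once per JVM
        // Assumption: issuer keystore described by standard wss4j Merlin properties (placeholders).
        Properties props = new Properties();
        props.setProperty("org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin");
        props.setProperty("org.apache.wss4j.crypto.merlin.keystore.file", "<path/to/issuer.jks>");
        props.setProperty("org.apache.wss4j.crypto.merlin.keystore.password", "<keystore-password>");
        Crypto crypto = CryptoFactory.getInstance(props);
        Assertion a = issueSignedBearerAssertion("www.example.com", "scott@example.org",
                crypto, "<issuer-key-alias>", "<issuer-key-password>");
        System.out.println("Issued signed assertion " + a.getID());
    }
}
```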
    • getSAML11SubjectConfirmationMethod

      public static String getSAML11SubjectConfirmationMethod(org.opensaml.saml.saml1.core.Assertion assertion)
      Get subject confirmation method of the given SAML 1.1 Assertion. This is used in rampart-core.
      Parameters:
      assertion - SAML 1.1 Assertion
      Returns:
      subject confirmation method
    • createNamedIdentifier

      public static org.opensaml.saml.saml1.core.NameIdentifier createNamedIdentifier(String principalName, String format) throws TrustException
      Create named identifier.
      Parameters:
      principalName - Name of the subject.
      format - Format of the subject, whether it is an email, uid etc ...
      Returns:
      The NamedIdentifier object.
      Throws:
      TrustException - If unable to find the builder.
    • createSubjectConfirmationMethod

      public static org.opensaml.saml.saml1.core.ConfirmationMethod createSubjectConfirmationMethod(String confirmationMethod) throws TrustException
      Creates the subject confirmation method. The relevant XML element looks as follows:
        <saml:ConfirmationMethod>
             urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
        </saml:ConfirmationMethod>
      Parameters:
      confirmationMethod - Name of the actual confirmation method. Could be holder-of-key - "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key", sender-vouches - "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches", or bearer - TODO
      Returns:
      Returns the opensaml representation of the ConfirmationMethod.
      Throws:
      TrustException - If unable to find appropriate XMLObject builder for confirmation QName.
    • createSubjectConfirmation

      public static org.opensaml.saml.saml1.core.SubjectConfirmation createSubjectConfirmation(String confirmationMethod, org.opensaml.xmlsec.signature.KeyInfo keyInfoContent) throws TrustException
      Creates the OpenSAML SubjectConfirmation representation. The relevant XML looks as follows:
         <saml:SubjectConfirmation>
             <saml:ConfirmationMethod>
                 urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
             </saml:ConfirmationMethod>
         </saml:SubjectConfirmation>
      Parameters:
      confirmationMethod - The subject confirmation method. Bearer, Sender-Vouches or Holder-Of-Key.
      keyInfoContent - The KeyInfo content. According to the SAML 1.1 specification this may be null.
      Returns:
      OpenSAML representation of SubjectConfirmation.
      Throws:
      TrustException - If unable to find any of the XML builders.
    • createSubject

      public static org.opensaml.saml.saml1.core.Subject createSubject(org.opensaml.saml.saml1.core.NameIdentifier nameIdentifier, String confirmationMethod, org.opensaml.xmlsec.signature.KeyInfo keyInfoContent) throws TrustException
      Creates an OpenSAML Subject representation. The relevant XML looks as follows:
         <saml:Subject>
             <saml:NameIdentifier
             NameQualifier="www.example.com"
             Format="...">
             uid=joe,ou=people,ou=saml-demo,o=baltimore.com
             </saml:NameIdentifier>
             <saml:SubjectConfirmation>
                 <saml:ConfirmationMethod>
                 urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
                 </saml:ConfirmationMethod>
             <ds:KeyInfo>
                 <ds:KeyValue>...</ds:KeyValue>
             </ds:KeyInfo>
             </saml:SubjectConfirmation>
         </saml:Subject>
      Parameters:
      nameIdentifier - Represents the "NameIdentifier" XML element above.
      confirmationMethod - Represents bearer, holder-of-key or sender-vouches.
      keyInfoContent - The KeyInfo content. This may be null.
      Returns:
      OpenSAML representation of the Subject.
      Throws:
      TrustException - If a relevant XML builder cannot be found.
    • createAuthenticationStatement

      public static org.opensaml.saml.saml1.core.AuthenticationStatement createAuthenticationStatement(org.opensaml.saml.saml1.core.Subject subject, String authenticationMethod, Instant authenticationInstant) throws TrustException
      Creates an AuthenticationStatement. The relevant XML element looks as follows,
         <AuthenticationStatement
             AuthenticationInstant="2003-04-17T00:46:00Z"
             AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
             <Subject>
                 <NameIdentifier
                 Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
                 scott@example.org</NameIdentifier>
                     <SubjectConfirmation>
                         <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod>
                     </SubjectConfirmation>
             </Subject>
             <SubjectLocality IPAddress="127.0.0.1"/>
         </AuthenticationStatement>
      Parameters:
      subject - OpenSAML Subject implementation.
      authenticationMethod - How the subject was authenticated, i.e. by using a password, Kerberos, a certificate etc. The method is identified by a URI defined in the SAML specification.
      authenticationInstant - Time at which the authentication took place.
      Returns:
      opensaml AuthenticationStatement object.
      Throws:
      TrustException - If unable to find the builder.
    • createAttributeStatement

      public static org.opensaml.saml.saml1.core.AttributeStatement createAttributeStatement(org.opensaml.saml.saml1.core.Subject subject, List<org.opensaml.saml.saml1.core.Attribute> attributeList) throws TrustException
      Creates an attribute statement. A sample attribute statement looks as follows:
         <saml:AttributeStatement>
             <saml:Subject>
                 <saml:NameIdentifier
                     NameQualifier="www.example.com"
                     Format="...">
                     uid=joe,ou=people,ou=saml-demo,o=baltimore.com
                 </saml:NameIdentifier>
                 <saml:SubjectConfirmation>
                     <saml:ConfirmationMethod>
                     urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
                     </saml:ConfirmationMethod>
                     <ds:KeyInfo>
                       <ds:KeyValue>...</ds:KeyValue>
                     </ds:KeyInfo>
                 </saml:SubjectConfirmation>
             </saml:Subject>
             <saml:Attribute
                 AttributeName="MemberLevel"
                 AttributeNamespace="http://www.oasis.open.org/Catalyst2002/attributes">
                 <saml:AttributeValue>gold</saml:AttributeValue>
             </saml:Attribute>
             <saml:Attribute
                 AttributeName="E-mail"
                 AttributeNamespace="http://www.oasis.open.org/Catalyst2002/attributes">
                 <saml:AttributeValue>joe@yahoo.com</saml:AttributeValue>
             </saml:Attribute>
         </saml:AttributeStatement>
      Parameters:
      subject - The OpenSAML representation of the Subject.
      attributeList - List of attribute values to include within the message.
      Returns:
      OpenSAML representation of AttributeStatement.
      Throws:
      TrustException - If unable to find the appropriate builder.
    • createConditions

      public static org.opensaml.saml.saml1.core.Conditions createConditions(Instant notBefore, Instant notOnOrAfter) throws TrustException
      Creates a Conditions object. The analogous XML element is as follows:
      <saml:Conditions
             NotBefore="2002-06-19T16:53:33.173Z"
             NotOnOrAfter="2002-06-19T17:08:33.173Z"/>
      Parameters:
      notBefore - The validity of the Assertion starts at this instant.
      notOnOrAfter - The validity of the Assertion ends at this instant.
      Returns:
      OpenSAML Conditions object.
      Throws:
      TrustException - If unable to find appropriate builder.
    • createAssertion

      public static org.opensaml.saml.saml1.core.Assertion createAssertion(String issuerName, Instant notBefore, Instant notOnOrAfter, List<org.opensaml.saml.saml1.core.Statement> statements) throws TrustException
      This method creates the final SAML assertion. The final SAML assertion looks as follows:
         <saml:Assertion AssertionID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc"
                         IssueInstant="2003-04-17T00:46:02Z"
                         Issuer="www.opensaml.org"
                         MajorVersion="1"
                         MinorVersion="1"
                         xmlns="urn:oasis:names:tc:SAML:1.0:assertion">
             <saml:Conditions
                 NotBefore="2002-06-19T16:53:33.173Z"
                 NotOnOrAfter="2002-06-19T17:08:33.173Z"/>
             <saml:AttributeStatement>
                 <saml:Subject>
                     <saml:NameIdentifier
                             NameQualifier="www.example.com"
                             Format="...">
                             uid=joe,ou=people,ou=saml-demo,o=baltimore.com
                     </saml:NameIdentifier>
                     <saml:SubjectConfirmation>
                         <saml:ConfirmationMethod>
                             urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
                         </saml:ConfirmationMethod>
                         <ds:KeyInfo>
                             <ds:KeyValue>...</ds:KeyValue>
                         </ds:KeyInfo>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Attribute
                     AttributeName="MemberLevel"
                     AttributeNamespace="http://www.oasis.open.org/Catalyst2002/attributes">
                     <saml:AttributeValue>gold</saml:AttributeValue>
                 </saml:Attribute>
                 <saml:Attribute
                     AttributeName="E-mail" AttributeNamespace="http://www.oasis.open.org/Catalyst2002/attributes">
                     <saml:AttributeValue>joe@yahoo.com</saml:AttributeValue>
                 </saml:Attribute>
             </saml:AttributeStatement>
             <ds:Signature>...</ds:Signature>
         </saml:Assertion>
      Parameters:
      issuerName - Represents the "Issuer" in Assertion.
      notBefore - The Condition's NotBefore value
      notOnOrAfter - The Condition's NotOnOrAfter value
      statements - The statements to include in the assertion.
      Returns:
      An opensaml Assertion object.
      Throws:
      TrustException - If unable to find the appropriate builder.
    • createAttribute

      public static org.opensaml.saml.saml1.core.Attribute createAttribute(String name, String namespace, String value) throws TrustException
      Creates a SAML attribute similar to following,
         <saml:Attribute
             AttributeName="MemberLevel"
             AttributeNamespace="http://www.oasis.open.org/Catalyst2002/attributes">
             <saml:AttributeValue>gold</saml:AttributeValue>
         </saml:Attribute>
      Parameters:
      name - attribute name
      namespace - attribute namespace.
      value - attribute value.
      Returns:
      OpenSAML representation of the attribute.
      Throws:
      TrustException - If unable to find the appropriate builder.
    • createKeyInfo

      public static org.opensaml.xmlsec.signature.KeyInfo createKeyInfo() throws TrustException
      Creates a KeyInfo object
      Returns:
      OpenSAML KeyInfo representation.
      Throws:
      TrustException - If an error occurred while creating KeyInfo.
    • createKeyInfo

      public static org.opensaml.xmlsec.signature.KeyInfo createKeyInfo(org.opensaml.xmlsec.encryption.EncryptedKey encryptedKey) throws TrustException
      Creates a KeyInfo element given an EncryptedKey. The relevant XML looks as follows:
         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
           <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                 ....
           </xenc:EncryptedKey>
         </KeyInfo>
      Parameters:
      encryptedKey - The OpenSAML representation of the encrypted key.
      Returns:
      The appropriate opensaml representation of the KeyInfo.
      Throws:
      TrustException - If unable to find the builder.
    • createKeyInfo

      public static org.opensaml.xmlsec.signature.KeyInfo createKeyInfo(org.opensaml.xmlsec.signature.X509Data x509Data) throws TrustException
      Creates a KeyInfo element given X509Data. The relevant XML looks as follows:
         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
           <X509Data>
                 ....
           </X509Data>
         </KeyInfo>
      Parameters:
      x509Data - The OpenSAML representation of X509Data.
      Returns:
      The appropriate opensaml representation of the KeyInfo.
      Throws:
      TrustException - If unable to find the builder.