2 * The Shibboleth License, Version 1.
4 * University Corporation for Advanced Internet Development, Inc.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions are met:
11 * Redistributions of source code must retain the above copyright notice, this
12 * list of conditions and the following disclaimer.
14 * Redistributions in binary form must reproduce the above copyright notice,
15 * this list of conditions and the following disclaimer in the documentation
16 * and/or other materials provided with the distribution, if any, must include
17 * the following acknowledgment: "This product includes software developed by
18 * the University Corporation for Advanced Internet Development
19 * <http://www.ucaid.edu>Internet2 Project. Alternately, this acknowledegement
20 * may appear in the software itself, if and wherever such third-party
21 * acknowledgments normally appear.
23 * Neither the name of Shibboleth nor the names of its contributors, nor
24 * Internet2, nor the University Corporation for Advanced Internet Development,
25 * Inc., nor UCAID may be used to endorse or promote products derived from this
26 * software without specific prior written permission. For written permission,
27 * please contact shibboleth@shibboleth.org
29 * Products derived from this software may not be called Shibboleth, Internet2,
30 * UCAID, or the University Corporation for Advanced Internet Development, nor
31 * may Shibboleth appear in their name, without prior written permission of the
32 * University Corporation for Advanced Internet Development.
35 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
36 * AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
37 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
38 * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK
39 * OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE.
40 * IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
41 * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT,
42 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
43 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
44 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
45 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
46 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
47 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
50 /* ArtifactMapper.cpp - a ShibTarget-aware SAML artifact->binding mapper
61 using namespace log4cpp;
63 using namespace shibboleth;
64 using namespace shibtarget;
66 SAMLResponse* STArtifactMapper::resolve(SAMLRequest* request)
68 Category& log=Category::getInstance("shibtarget.ArtifactMapper");
70 // First do a search for the issuer.
71 SAMLArtifact* artifact=request->getArtifacts().next();
72 Metadata m(m_app->getMetadataProviders());
73 const IEntityDescriptor* entity=m.lookup(artifact);
76 "metadata lookup failed, unable to determine issuer of artifact (0x%s)",
77 SAMLArtifact::toHex(artifact->getBytes()).c_str()
79 throw MetadataException("Metadata lookup failed, unable to determine artifact issuer");
82 auto_ptr_char issuer(entity->getId());
83 log.info("lookup succeeded, artifact issued by (%s)", issuer.get());
86 const IPropertySet* credUse=m_app->getCredentialUse(entity);
87 pair<bool,bool> signRequest=credUse ? credUse->getBool("signRequest") : make_pair(false,false);
88 pair<bool,bool> signedResponse=credUse ? credUse->getBool("signedResponse") : make_pair(false,false);
89 pair<bool,const char*> signingCred=credUse ? credUse->getString("Signing") : pair<bool,const char*>(false,NULL);
90 if (signRequest.first && signRequest.second && signingCred.first) {
91 Credentials creds(ShibTargetConfig::getConfig().getINI()->getCredentialsProviders());
92 const ICredResolver* cr=creds.lookup(signingCred.second);
94 request->sign(cr->getKey(),cr->getCertificates());
96 log.error("unable to sign artifact request, specified credential (%) was not found",signingCred.second);
99 SAMLResponse* response = NULL;
100 bool authenticated = false;
102 // Depends on type of artifact.
103 const SAMLArtifactType0001* type1=dynamic_cast<const SAMLArtifactType0001*>(artifact);
105 // With type 01, any endpoint will do.
106 const IIDPSSODescriptor* idp=entity->getIDPSSODescriptor(
107 request->getMinorVersion()==1 ? saml::XML::SAML11_PROTOCOL_ENUM : saml::XML::SAML10_PROTOCOL_ENUM
110 ShibHTTPHook::ShibHTTPHookCallContext callCtx(credUse ? credUse->getString("TLS").second : NULL,idp);
111 const IEndpointManager* mgr=idp->getArtifactResolutionServiceManager();
112 Iterator<const IEndpoint*> eps=mgr ? mgr->getEndpoints() : EMPTY(const IEndpoint*);
113 while (!response && eps.hasNext()) {
114 const IEndpoint* ep=eps.next();
115 const SAMLBinding* binding = m_app->getBinding(ep->getBinding());
117 auto_ptr_char prot(ep->getBinding());
118 log.warn("skipping binding on unsupported protocol (%s)", prot.get());
121 auto_ptr_char loc(ep->getLocation());
123 response = binding->send(ep->getLocation(),*request,&callCtx);
124 if (log.isDebugEnabled())
125 log.debugStream() << "SAML response from artifact request:\n" << *response << CategoryStream::ENDLINE;
127 if (!response->getAssertions().hasNext()) {
129 throw FatalProfileException("No SAML assertions returned in response to artifact profile request.");
131 authenticated = callCtx.isAuthenticated();
133 catch (SAMLException& ex) {
134 annotateException(&ex,idp); // rethrows it
140 const SAMLArtifactType0002* type2=dynamic_cast<const SAMLArtifactType0002*>(artifact);
142 // With type 02, we have to find the matching location.
143 const IIDPSSODescriptor* idp=entity->getIDPSSODescriptor(
144 request->getMinorVersion()==1 ? saml::XML::SAML11_PROTOCOL_ENUM : saml::XML::SAML10_PROTOCOL_ENUM
147 ShibHTTPHook::ShibHTTPHookCallContext callCtx(credUse ? credUse->getString("TLS").second : NULL,idp);
148 const IEndpointManager* mgr=idp->getArtifactResolutionServiceManager();
149 Iterator<const IEndpoint*> eps=mgr ? mgr->getEndpoints() : EMPTY(const IEndpoint*);
150 while (eps.hasNext()) {
151 const IEndpoint* ep=eps.next();
152 auto_ptr_char loc(ep->getLocation());
153 if (strcmp(loc.get(),type2->getSourceLocation()))
155 const SAMLBinding* binding = m_app->getBinding(ep->getBinding());
157 auto_ptr_char prot(ep->getBinding());
158 log.warn("skipping binding on unsupported protocol (%s)", prot.get());
162 response = binding->send(ep->getLocation(),*request,&callCtx);
163 if (log.isDebugEnabled())
164 log.debugStream() << "SAML response from artifact request:\n" << *response << CategoryStream::ENDLINE;
166 if (!response->getAssertions().hasNext()) {
168 throw FatalProfileException("No SAML assertions returned in response to artifact profile request.");
170 authenticated = callCtx.isAuthenticated();
172 catch (SAMLException& ex) {
173 annotateException(&ex,idp); // rethrows it
179 log.error("unrecognized artifact type (0x%s)", SAMLArtifact::toHex(artifact->getTypeCode()).c_str());
180 throw UnsupportedExtensionException(
181 string("Received unrecognized artifact type (0x") + SAMLArtifact::toHex(artifact->getTypeCode()) + ")"
187 log.error("unable to locate acceptable binding/endpoint to resolve artifact");
188 MetadataException ex("Unable to locate acceptable binding/endpoint to resolve artifact.");
189 annotateException(&ex,entity); // throws it
191 else if (!response->isSigned()) {
192 if (!authenticated || (signedResponse.first && signedResponse.second)) {
193 log.error("unsigned response obtained, but it must be signed.");
194 TrustException ex("Unable to obtain a signed response from artifact request.");
195 annotateException(&ex,entity); // throws it