2 * Copyright 2001-2009 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
20 * Specialized SOAPClient for SAML 2.0 SOAP binding.
24 #include "exceptions.h"
25 #include "binding/SecurityPolicy.h"
26 #include "binding/SOAPClient.h"
27 #include "saml2/binding/SAML2SOAPClient.h"
28 #include "saml2/core/Protocols.h"
29 #include "saml2/metadata/Metadata.h"
30 #include "saml2/metadata/MetadataProvider.h"
32 #include <xmltooling/logging.h>
33 #include <xmltooling/soap/SOAP.h>
35 using namespace opensaml::saml2;
36 using namespace opensaml::saml2p;
37 using namespace opensaml::saml2md;
38 using namespace opensaml;
39 using namespace soap11;
40 using namespace xmltooling::logging;
41 using namespace xmltooling;
44 SAML2SOAPClient::SAML2SOAPClient(opensaml::SOAPClient& soaper, bool fatalSAMLErrors)
45 : m_soaper(soaper), m_fatal(fatalSAMLErrors), m_correlate(NULL)
49 SAML2SOAPClient::~SAML2SOAPClient()
51 XMLString::release(&m_correlate);
54 void SAML2SOAPClient::sendSAML(RequestAbstractType* request, const char* from, MetadataCredentialCriteria& to, const char* endpoint)
56 auto_ptr<Envelope> env(EnvelopeBuilder::buildEnvelope());
57 Body* body = BodyBuilder::buildBody();
59 body->getUnknownXMLObjects().push_back(request);
60 m_soaper.send(*env.get(), from, to, endpoint);
61 m_correlate = XMLString::replicate(request->getID());
64 StatusResponseType* SAML2SOAPClient::receiveSAML()
66 auto_ptr<Envelope> env(m_soaper.receive());
68 Body* body = env->getBody();
69 if (body && body->hasChildren()) {
70 // Check for SAML Response.
71 StatusResponseType* response = dynamic_cast<StatusResponseType*>(body->getUnknownXMLObjects().front());
73 // Check InResponseTo.
74 if (m_correlate && response->getInResponseTo() && !XMLString::equals(m_correlate, response->getInResponseTo()))
75 throw SecurityPolicyException("InResponseTo attribute did not correlate with the Request ID.");
77 SecurityPolicy& policy = m_soaper.getPolicy();
80 // Extract Response details.
81 policy.setMessageID(response->getID());
82 policy.setIssueInstant(response->getIssueInstantEpoch());
84 // Extract and re-verify Issuer if present.
85 const Issuer* issuer = response->getIssuer();
87 policy.setIssuer(issuer); // This will throw if it conflicts with the known peer identity.
89 // Now run the policy.
90 policy.evaluate(*response);
93 Status* status = response->getStatus();
95 const XMLCh* code = status->getStatusCode() ? status->getStatusCode()->getValue() : NULL;
96 if (code && !XMLString::equals(code,StatusCode::SUCCESS) && handleError(*status)) {
97 BindingException ex("SAML response contained an error.");
98 annotateException(&ex, policy.getIssuerMetadata(), status); // throws it
103 body->detach(); // frees Envelope
104 response->detach(); // frees Body
109 BindingException ex("SOAP Envelope did not contain a SAML Response or a Fault.");
110 if (m_soaper.getPolicy().getIssuerMetadata())
111 annotateException(&ex, m_soaper.getPolicy().getIssuerMetadata()); // throws it
118 bool SAML2SOAPClient::handleError(const Status& status)
120 auto_ptr_char code((status.getStatusCode() ? status.getStatusCode()->getValue() : NULL));
121 auto_ptr_char str((status.getStatusMessage() ? status.getStatusMessage()->getMessage() : NULL));
122 Category::getInstance(SAML_LOGCAT".SOAPClient").error(
123 "SOAP client detected a SAML error: (%s) (%s)",
124 (code.get() ? code.get() : "no code"),
125 (str.get() ? str.get() : "no message")