2 * Copyright 2001-2007 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * ArtifactResolver.cpp
20 * SAML artifact resolver for SP use.
24 #include "Application.h"
25 #include "exceptions.h"
26 #include "binding/ArtifactResolver.h"
27 #include "binding/SOAPClient.h"
28 #include "security/SecurityPolicy.h"
30 #include <saml/saml1/core/Protocols.h>
31 #include <saml/saml1/binding/SAML1SOAPClient.h>
32 #include <saml/saml2/core/Protocols.h>
33 #include <saml/saml2/binding/SAML2Artifact.h>
34 #include <saml/saml2/binding/SAML2SOAPClient.h>
35 #include <saml/saml2/metadata/MetadataCredentialCriteria.h>
36 #include <saml/util/SAMLConstants.h>
38 using namespace shibsp;
39 using namespace opensaml::saml1p;
40 using namespace opensaml::saml2;
41 using namespace opensaml::saml2p;
42 using namespace opensaml::saml2md;
43 using namespace opensaml;
44 using namespace xmltooling;
47 saml1p::Response* ArtifactResolver::resolve(
48 const vector<SAMLArtifact*>& artifacts,
49 const IDPSSODescriptor& idpDescriptor,
50 opensaml::SecurityPolicy& policy
53 MetadataCredentialCriteria mcc(idpDescriptor);
54 shibsp::SecurityPolicy& sppolicy = dynamic_cast<shibsp::SecurityPolicy&>(policy);
55 shibsp::SOAPClient soaper(sppolicy);
57 bool foundEndpoint = false;
58 auto_ptr_XMLCh binding(samlconstants::SAML1_BINDING_SOAP);
59 saml1p::Response* response=NULL;
60 const vector<ArtifactResolutionService*>& endpoints=idpDescriptor.getArtifactResolutionServices();
61 for (vector<ArtifactResolutionService*>::const_iterator ep=endpoints.begin(); !response && ep!=endpoints.end(); ++ep) {
63 if (!XMLString::equals((*ep)->getBinding(),binding.get()))
66 auto_ptr_char loc((*ep)->getLocation());
67 saml1p::Request* request = saml1p::RequestBuilder::buildRequest();
68 request->setMinorVersion(idpDescriptor.hasSupport(samlconstants::SAML11_PROTOCOL_ENUM) ? 1 : 0);
69 for (vector<SAMLArtifact*>::const_iterator a = artifacts.begin(); a!=artifacts.end(); ++a) {
70 auto_ptr_XMLCh artbuf((*a)->encode().c_str());
71 AssertionArtifact* aa = AssertionArtifactBuilder::buildAssertionArtifact();
72 aa->setArtifact(artbuf.get());
73 request->getAssertionArtifacts().push_back(aa);
76 SAML1SOAPClient client(soaper, false);
77 client.sendSAML(request, sppolicy.getApplication().getId(), mcc, loc.get());
78 response = client.receiveSAML();
80 catch (exception& ex) {
81 Category::getInstance(SHIBSP_LOGCAT".ArtifactResolver").error("exception resolving SAML 1.x artifact(s): %s", ex.what());
87 throw MetadataException("No compatible endpoint found in issuer's metadata.");
89 throw BindingException("Unable to resolve artifact(s) into a SAML response.");
90 const xmltooling::QName* code = (response->getStatus() && response->getStatus()->getStatusCode()) ? response->getStatus()->getStatusCode()->getValue() : NULL;
91 if (!code || *code != saml1p::StatusCode::SUCCESS) {
93 throw BindingException("Identity provider returned a SAML error in response to artifact(s).");
96 // The SOAP client handles policy evaluation against the SOAP and Response layer,
97 // but no security checking is done here.
101 ArtifactResponse* ArtifactResolver::resolve(
102 const SAML2Artifact& artifact,
103 const SSODescriptorType& ssoDescriptor,
104 opensaml::SecurityPolicy& policy
107 MetadataCredentialCriteria mcc(ssoDescriptor);
108 shibsp::SecurityPolicy& sppolicy = dynamic_cast<shibsp::SecurityPolicy&>(policy);
109 shibsp::SOAPClient soaper(sppolicy);
111 bool foundEndpoint = false;
112 auto_ptr_XMLCh binding(samlconstants::SAML20_BINDING_SOAP);
113 ArtifactResponse* response=NULL;
114 const vector<ArtifactResolutionService*>& endpoints=ssoDescriptor.getArtifactResolutionServices();
115 for (vector<ArtifactResolutionService*>::const_iterator ep=endpoints.begin(); !response && ep!=endpoints.end(); ++ep) {
117 if (!XMLString::equals((*ep)->getBinding(),binding.get()))
119 foundEndpoint = true;
120 auto_ptr_char loc((*ep)->getLocation());
121 ArtifactResolve* request = ArtifactResolveBuilder::buildArtifactResolve();
122 Issuer* iss = IssuerBuilder::buildIssuer();
123 request->setIssuer(iss);
124 iss->setName(sppolicy.getApplication().getRelyingParty(dynamic_cast<EntityDescriptor*>(ssoDescriptor.getParent()))->getXMLString("entityID").second);
125 auto_ptr_XMLCh artbuf(artifact.encode().c_str());
126 Artifact* a = ArtifactBuilder::buildArtifact();
127 a->setArtifact(artbuf.get());
128 request->setArtifact(a);
130 SAML2SOAPClient client(soaper, false);
131 client.sendSAML(request, sppolicy.getApplication().getId(), mcc, loc.get());
132 StatusResponseType* srt = client.receiveSAML();
133 if (!(response = dynamic_cast<ArtifactResponse*>(srt))) {
138 catch (exception& ex) {
139 Category::getInstance(SHIBSP_LOGCAT".ArtifactResolver").error("exception resolving SAML 2.0 artifact: %s", ex.what());
145 throw MetadataException("No compatible endpoint found in issuer's metadata.");
147 throw BindingException("Unable to resolve artifact(s) into a SAML response.");
148 else if (!response->getStatus() || !response->getStatus()->getStatusCode() ||
149 !XMLString::equals(response->getStatus()->getStatusCode()->getValue(), saml2p::StatusCode::SUCCESS)) {
150 auto_ptr<ArtifactResponse> wrapper(response);
151 BindingException ex("Identity provider returned a SAML error in response to artifact.");
152 annotateException(&ex, &ssoDescriptor, response->getStatus()); // rethrow
155 // The SOAP client handles policy evaluation against the SOAP and Response layer,
156 // but no security checking is done here.