2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
22 * ArtifactResolver.cpp
24 * SAML artifact resolver for SP use.
28 #include "Application.h"
29 #include "binding/ArtifactResolver.h"
30 #include "binding/SOAPClient.h"
31 #include "security/SecurityPolicy.h"
33 #include <saml/exceptions.h>
34 #include <saml/saml1/core/Protocols.h>
35 #include <saml/saml1/binding/SAML1SOAPClient.h>
36 #include <saml/saml2/core/Protocols.h>
37 #include <saml/saml2/binding/SAML2Artifact.h>
38 #include <saml/saml2/binding/SAML2SOAPClient.h>
39 #include <saml/saml2/metadata/Metadata.h>
40 #include <saml/saml2/metadata/MetadataCredentialCriteria.h>
41 #include <saml/util/SAMLConstants.h>
43 using namespace shibsp;
44 using namespace opensaml::saml1p;
45 using namespace opensaml::saml2;
46 using namespace opensaml::saml2p;
47 using namespace opensaml::saml2md;
48 using namespace opensaml;
49 using namespace xmltooling;
52 ArtifactResolver::ArtifactResolver()
56 ArtifactResolver::~ArtifactResolver()
60 saml1p::Response* ArtifactResolver::resolve(
61 const vector<SAMLArtifact*>& artifacts,
62 const IDPSSODescriptor& idpDescriptor,
63 opensaml::SecurityPolicy& policy
66 MetadataCredentialCriteria mcc(idpDescriptor);
67 shibsp::SecurityPolicy& sppolicy = dynamic_cast<shibsp::SecurityPolicy&>(policy);
68 shibsp::SOAPClient soaper(sppolicy);
70 bool foundEndpoint = false;
71 auto_ptr_XMLCh binding(samlconstants::SAML1_BINDING_SOAP);
72 saml1p::Response* response=nullptr;
73 const vector<ArtifactResolutionService*>& endpoints=idpDescriptor.getArtifactResolutionServices();
74 for (vector<ArtifactResolutionService*>::const_iterator ep=endpoints.begin(); !response && ep!=endpoints.end(); ++ep) {
76 if (!XMLString::equals((*ep)->getBinding(),binding.get()))
79 auto_ptr_char loc((*ep)->getLocation());
80 saml1p::Request* request = saml1p::RequestBuilder::buildRequest();
81 request->setMinorVersion(idpDescriptor.hasSupport(samlconstants::SAML11_PROTOCOL_ENUM) ? 1 : 0);
82 for (vector<SAMLArtifact*>::const_iterator a = artifacts.begin(); a!=artifacts.end(); ++a) {
83 auto_ptr_XMLCh artbuf((*a)->encode().c_str());
84 AssertionArtifact* aa = AssertionArtifactBuilder::buildAssertionArtifact();
85 aa->setArtifact(artbuf.get());
86 request->getAssertionArtifacts().push_back(aa);
89 SAML1SOAPClient client(soaper, false);
90 client.sendSAML(request, sppolicy.getApplication().getId(), mcc, loc.get());
91 response = client.receiveSAML();
93 catch (exception& ex) {
94 Category::getInstance(SHIBSP_LOGCAT".ArtifactResolver").error("exception resolving SAML 1.x artifact(s): %s", ex.what());
100 throw MetadataException("No compatible endpoint found in issuer's metadata.");
102 throw BindingException("Unable to resolve artifact(s) into a SAML response.");
103 const xmltooling::QName* code = (response->getStatus() && response->getStatus()->getStatusCode()) ? response->getStatus()->getStatusCode()->getValue() : nullptr;
104 if (!code || *code != saml1p::StatusCode::SUCCESS) {
105 auto_ptr<saml1p::Response> wrapper(response);
106 BindingException ex("Identity provider returned a SAML error in response to artifact.");
107 annotateException(&ex, &idpDescriptor, response->getStatus()); // rethrow
110 // The SOAP client handles policy evaluation against the SOAP and Response layer,
111 // but no security checking is done here.
115 ArtifactResponse* ArtifactResolver::resolve(
116 const SAML2Artifact& artifact,
117 const SSODescriptorType& ssoDescriptor,
118 opensaml::SecurityPolicy& policy
121 MetadataCredentialCriteria mcc(ssoDescriptor);
122 shibsp::SecurityPolicy& sppolicy = dynamic_cast<shibsp::SecurityPolicy&>(policy);
123 shibsp::SOAPClient soaper(sppolicy);
125 bool foundEndpoint = false;
126 auto_ptr_XMLCh binding(samlconstants::SAML20_BINDING_SOAP);
127 ArtifactResponse* response=nullptr;
128 const vector<ArtifactResolutionService*>& endpoints=ssoDescriptor.getArtifactResolutionServices();
129 for (vector<ArtifactResolutionService*>::const_iterator ep=endpoints.begin(); !response && ep!=endpoints.end(); ++ep) {
131 if (!XMLString::equals((*ep)->getBinding(),binding.get()))
133 foundEndpoint = true;
134 auto_ptr_char loc((*ep)->getLocation());
135 ArtifactResolve* request = ArtifactResolveBuilder::buildArtifactResolve();
136 Issuer* iss = IssuerBuilder::buildIssuer();
137 request->setIssuer(iss);
138 iss->setName(sppolicy.getApplication().getRelyingParty(dynamic_cast<EntityDescriptor*>(ssoDescriptor.getParent()))->getXMLString("entityID").second);
139 auto_ptr_XMLCh artbuf(artifact.encode().c_str());
140 Artifact* a = ArtifactBuilder::buildArtifact();
141 a->setArtifact(artbuf.get());
142 request->setArtifact(a);
144 SAML2SOAPClient client(soaper, false);
145 client.sendSAML(request, sppolicy.getApplication().getId(), mcc, loc.get());
146 StatusResponseType* srt = client.receiveSAML();
147 if (!(response = dynamic_cast<ArtifactResponse*>(srt))) {
152 catch (exception& ex) {
153 Category::getInstance(SHIBSP_LOGCAT".ArtifactResolver").error("exception resolving SAML 2.0 artifact: %s", ex.what());
159 throw MetadataException("No compatible endpoint found in issuer's metadata.");
161 throw BindingException("Unable to resolve artifact(s) into a SAML response.");
162 else if (!response->getStatus() || !response->getStatus()->getStatusCode() ||
163 !XMLString::equals(response->getStatus()->getStatusCode()->getValue(), saml2p::StatusCode::SUCCESS)) {
164 auto_ptr<ArtifactResponse> wrapper(response);
165 BindingException ex("Identity provider returned a SAML error in response to artifact.");
166 annotateException(&ex, &ssoDescriptor, response->getStatus()); // rethrow
169 // The SOAP client handles policy evaluation against the SOAP and Response layer,
170 // but no security checking is done here.