2 * Copyright 2001-2007 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * ArtifactResolver.cpp
20 * SAML artifact resolver for SP use.
24 #include "Application.h"
25 #include "exceptions.h"
26 #include "binding/ArtifactResolver.h"
27 #include "binding/SOAPClient.h"
28 #include "security/SecurityPolicy.h"
30 #include <saml/saml1/core/Protocols.h>
31 #include <saml/saml1/binding/SAML1SOAPClient.h>
32 #include <saml/saml2/core/Protocols.h>
33 #include <saml/saml2/binding/SAML2Artifact.h>
34 #include <saml/saml2/binding/SAML2SOAPClient.h>
35 #include <saml/saml2/metadata/MetadataCredentialCriteria.h>
36 #include <saml/util/SAMLConstants.h>
38 #include <log4cpp/Category.hh>
40 using namespace shibsp;
41 using namespace opensaml::saml1p;
42 using namespace opensaml::saml2;
43 using namespace opensaml::saml2p;
44 using namespace opensaml::saml2md;
45 using namespace opensaml;
46 using namespace log4cpp;
47 using namespace xmltooling;
50 saml1p::Response* ArtifactResolver::resolve(
51 const vector<SAMLArtifact*>& artifacts,
52 const IDPSSODescriptor& idpDescriptor,
53 opensaml::SecurityPolicy& policy
56 MetadataCredentialCriteria mcc(idpDescriptor);
57 shibsp::SOAPClient soaper(dynamic_cast<shibsp::SecurityPolicy&>(policy));
59 auto_ptr_XMLCh binding(samlconstants::SAML1_BINDING_SOAP);
60 saml1p::Response* response=NULL;
61 const vector<ArtifactResolutionService*>& endpoints=idpDescriptor.getArtifactResolutionServices();
62 for (vector<ArtifactResolutionService*>::const_iterator ep=endpoints.begin(); !response && ep!=endpoints.end(); ++ep) {
64 if (!XMLString::equals((*ep)->getBinding(),binding.get()))
66 auto_ptr_char loc((*ep)->getLocation());
67 saml1p::Request* request = saml1p::RequestBuilder::buildRequest();
68 request->setMinorVersion(idpDescriptor.hasSupport(samlconstants::SAML11_PROTOCOL_ENUM) ? 1 : 0);
69 for (vector<SAMLArtifact*>::const_iterator a = artifacts.begin(); a!=artifacts.end(); ++a) {
70 auto_ptr_XMLCh artbuf((*a)->encode().c_str());
71 AssertionArtifact* aa = AssertionArtifactBuilder::buildAssertionArtifact();
72 aa->setArtifact(artbuf.get());
73 request->getAssertionArtifacts().push_back(aa);
76 SAML1SOAPClient client(soaper, false);
77 client.sendSAML(request, mcc, loc.get());
78 response = client.receiveSAML();
80 catch (exception& ex) {
81 Category::getInstance(SHIBSP_LOGCAT".ArtifactResolver").error("exception resolving SAML 1.x artifact(s): %s", ex.what());
87 throw BindingException("Unable to resolve artifact(s) into a SAML response.");
88 const QName* code = (response->getStatus() && response->getStatus()->getStatusCode()) ? response->getStatus()->getStatusCode()->getValue() : NULL;
89 if (!code || *code != saml1p::StatusCode::SUCCESS) {
91 throw BindingException("Identity provider returned a SAML error in response to artifact(s).");
97 ArtifactResponse* ArtifactResolver::resolve(
98 const SAML2Artifact& artifact,
99 const SSODescriptorType& ssoDescriptor,
100 opensaml::SecurityPolicy& policy
103 MetadataCredentialCriteria mcc(ssoDescriptor);
104 shibsp::SecurityPolicy& sppolicy = dynamic_cast<shibsp::SecurityPolicy&>(policy);
105 shibsp::SOAPClient soaper(sppolicy);
107 auto_ptr_XMLCh binding(samlconstants::SAML20_BINDING_SOAP);
108 ArtifactResponse* response=NULL;
109 const vector<ArtifactResolutionService*>& endpoints=ssoDescriptor.getArtifactResolutionServices();
110 for (vector<ArtifactResolutionService*>::const_iterator ep=endpoints.begin(); !response && ep!=endpoints.end(); ++ep) {
112 if (!XMLString::equals((*ep)->getBinding(),binding.get()))
114 auto_ptr_char loc((*ep)->getLocation());
115 auto_ptr_XMLCh issuer(sppolicy.getApplication().getString("entityID").second);
116 ArtifactResolve* request = ArtifactResolveBuilder::buildArtifactResolve();
117 Issuer* iss = IssuerBuilder::buildIssuer();
118 request->setIssuer(iss);
119 iss->setName(issuer.get());
120 auto_ptr_XMLCh artbuf(artifact.encode().c_str());
121 Artifact* a = ArtifactBuilder::buildArtifact();
122 a->setArtifact(artbuf.get());
123 request->setArtifact(a);
125 SAML2SOAPClient client(soaper, false);
126 client.sendSAML(request, mcc, loc.get());
127 StatusResponseType* srt = client.receiveSAML();
128 if (!(response = dynamic_cast<ArtifactResponse*>(srt))) {
133 catch (exception& ex) {
134 Category::getInstance(SHIBSP_LOGCAT".ArtifactResolver").error("exception resolving SAML 2.0 artifact: %s", ex.what());
140 throw BindingException("Unable to resolve artifact(s) into a SAML response.");
141 if (!response->getStatus() || !response->getStatus()->getStatusCode() ||
142 !XMLString::equals(response->getStatus()->getStatusCode()->getValue(), saml2p::StatusCode::SUCCESS)) {
144 throw BindingException("Identity provider returned a SAML error in response to artifact.");