2 * Copyright 2001-2010 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * ArtifactResolver.cpp
20 * SAML artifact resolver for SP use.
24 #include "Application.h"
25 #include "binding/ArtifactResolver.h"
26 #include "binding/SOAPClient.h"
27 #include "security/SecurityPolicy.h"
29 #include <saml/exceptions.h>
30 #include <saml/saml1/core/Protocols.h>
31 #include <saml/saml1/binding/SAML1SOAPClient.h>
32 #include <saml/saml2/core/Protocols.h>
33 #include <saml/saml2/binding/SAML2Artifact.h>
34 #include <saml/saml2/binding/SAML2SOAPClient.h>
35 #include <saml/saml2/metadata/Metadata.h>
36 #include <saml/saml2/metadata/MetadataCredentialCriteria.h>
37 #include <saml/util/SAMLConstants.h>
39 using namespace shibsp;
40 using namespace opensaml::saml1p;
41 using namespace opensaml::saml2;
42 using namespace opensaml::saml2p;
43 using namespace opensaml::saml2md;
44 using namespace opensaml;
45 using namespace xmltooling;
48 ArtifactResolver::ArtifactResolver()
52 ArtifactResolver::~ArtifactResolver()
56 saml1p::Response* ArtifactResolver::resolve(
57 const vector<SAMLArtifact*>& artifacts,
58 const IDPSSODescriptor& idpDescriptor,
59 opensaml::SecurityPolicy& policy
62 MetadataCredentialCriteria mcc(idpDescriptor);
63 shibsp::SecurityPolicy& sppolicy = dynamic_cast<shibsp::SecurityPolicy&>(policy);
64 shibsp::SOAPClient soaper(sppolicy);
66 bool foundEndpoint = false;
67 auto_ptr_XMLCh binding(samlconstants::SAML1_BINDING_SOAP);
68 saml1p::Response* response=nullptr;
69 const vector<ArtifactResolutionService*>& endpoints=idpDescriptor.getArtifactResolutionServices();
70 for (vector<ArtifactResolutionService*>::const_iterator ep=endpoints.begin(); !response && ep!=endpoints.end(); ++ep) {
72 if (!XMLString::equals((*ep)->getBinding(),binding.get()))
75 auto_ptr_char loc((*ep)->getLocation());
76 saml1p::Request* request = saml1p::RequestBuilder::buildRequest();
77 request->setMinorVersion(idpDescriptor.hasSupport(samlconstants::SAML11_PROTOCOL_ENUM) ? 1 : 0);
78 for (vector<SAMLArtifact*>::const_iterator a = artifacts.begin(); a!=artifacts.end(); ++a) {
79 auto_ptr_XMLCh artbuf((*a)->encode().c_str());
80 AssertionArtifact* aa = AssertionArtifactBuilder::buildAssertionArtifact();
81 aa->setArtifact(artbuf.get());
82 request->getAssertionArtifacts().push_back(aa);
85 SAML1SOAPClient client(soaper, false);
86 client.sendSAML(request, sppolicy.getApplication().getId(), mcc, loc.get());
87 response = client.receiveSAML();
89 catch (exception& ex) {
90 Category::getInstance(SHIBSP_LOGCAT".ArtifactResolver").error("exception resolving SAML 1.x artifact(s): %s", ex.what());
96 throw MetadataException("No compatible endpoint found in issuer's metadata.");
98 throw BindingException("Unable to resolve artifact(s) into a SAML response.");
99 const xmltooling::QName* code = (response->getStatus() && response->getStatus()->getStatusCode()) ? response->getStatus()->getStatusCode()->getValue() : nullptr;
100 if (!code || *code != saml1p::StatusCode::SUCCESS) {
102 throw BindingException("Identity provider returned a SAML error in response to artifact(s).");
105 // The SOAP client handles policy evaluation against the SOAP and Response layer,
106 // but no security checking is done here.
110 ArtifactResponse* ArtifactResolver::resolve(
111 const SAML2Artifact& artifact,
112 const SSODescriptorType& ssoDescriptor,
113 opensaml::SecurityPolicy& policy
116 MetadataCredentialCriteria mcc(ssoDescriptor);
117 shibsp::SecurityPolicy& sppolicy = dynamic_cast<shibsp::SecurityPolicy&>(policy);
118 shibsp::SOAPClient soaper(sppolicy);
120 bool foundEndpoint = false;
121 auto_ptr_XMLCh binding(samlconstants::SAML20_BINDING_SOAP);
122 ArtifactResponse* response=nullptr;
123 const vector<ArtifactResolutionService*>& endpoints=ssoDescriptor.getArtifactResolutionServices();
124 for (vector<ArtifactResolutionService*>::const_iterator ep=endpoints.begin(); !response && ep!=endpoints.end(); ++ep) {
126 if (!XMLString::equals((*ep)->getBinding(),binding.get()))
128 foundEndpoint = true;
129 auto_ptr_char loc((*ep)->getLocation());
130 ArtifactResolve* request = ArtifactResolveBuilder::buildArtifactResolve();
131 Issuer* iss = IssuerBuilder::buildIssuer();
132 request->setIssuer(iss);
133 iss->setName(sppolicy.getApplication().getRelyingParty(dynamic_cast<EntityDescriptor*>(ssoDescriptor.getParent()))->getXMLString("entityID").second);
134 auto_ptr_XMLCh artbuf(artifact.encode().c_str());
135 Artifact* a = ArtifactBuilder::buildArtifact();
136 a->setArtifact(artbuf.get());
137 request->setArtifact(a);
139 SAML2SOAPClient client(soaper, false);
140 client.sendSAML(request, sppolicy.getApplication().getId(), mcc, loc.get());
141 StatusResponseType* srt = client.receiveSAML();
142 if (!(response = dynamic_cast<ArtifactResponse*>(srt))) {
147 catch (exception& ex) {
148 Category::getInstance(SHIBSP_LOGCAT".ArtifactResolver").error("exception resolving SAML 2.0 artifact: %s", ex.what());
154 throw MetadataException("No compatible endpoint found in issuer's metadata.");
156 throw BindingException("Unable to resolve artifact(s) into a SAML response.");
157 else if (!response->getStatus() || !response->getStatus()->getStatusCode() ||
158 !XMLString::equals(response->getStatus()->getStatusCode()->getValue(), saml2p::StatusCode::SUCCESS)) {
159 auto_ptr<ArtifactResponse> wrapper(response);
160 BindingException ex("Identity provider returned a SAML error in response to artifact.");
161 annotateException(&ex, &ssoDescriptor, response->getStatus()); // rethrow
164 // The SOAP client handles policy evaluation against the SOAP and Response layer,
165 // but no security checking is done here.