justinbleach / saml-client
A dead simple SAML 2.0 client.
License: MIT License
The cause appears to be the one discussed in this OpenSAML thread https://groups.google.com/d/msg/opensaml-users/gpXvwaZ53NA/qA5XcJHkYCgJ
We have applied the described fix to a local fork that already included the original PR for handling encrypted messages. We've got some time set aside in our next sprint to work on a test case and should be able to submit a PR fixing the issue soon.
Hi All,
How should I solve this problem? Thank you so much. I used Okta SSO.
com.coveo.saml.SamlException: The assertion cannot be used after 2021-09-29T03:13:30.979Z
at com.coveo.saml.ValidatorUtils.enforceConditions(ValidatorUtils.java:133)
at com.coveo.saml.ValidatorUtils.validateAssertion(ValidatorUtils.java:110)
at com.coveo.saml.ValidatorUtils.validate(ValidatorUtils.java:215)
at com.coveo.saml.SamlClient.decodeAndValidateSamlResponse(SamlClient.java:281)
at com.coveo.saml.SamlClient.processPostFromIdentityProvider(SamlClient.java:316)
at com.oktasaml.demo.MyController.index(MyController.java:95)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:197)
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:141)
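The message in this trace is raised when the service provider's current time is at or past the assertion's Conditions NotOnOrAfter, which in practice means either the SP clock has drifted or an old response was posted again. The following is an added example, not the library's ValidatorUtils, of the window check with a small, bounded clock-skew allowance; the class and method names are hypothetical.

```java
import java.time.Duration;
import java.time.Instant;

/** Condition-window check with bounded clock skew (illustrative; not the library's ValidatorUtils). */
public final class AssertionTimeWindow {

    /** Validation failure in the style of the library's SamlException (placeholder class). */
    public static final class ConditionException extends Exception {
        ConditionException(String msg) { super(msg); }
    }

    /**
     * Accepts the assertion only while NotBefore <= now < NotOnOrAfter, allowing up to {@code skew}
     * of clock difference between IdP and SP. Either bound may be null when the assertion omits it.
     */
    public static void enforceConditions(Instant notBefore, Instant notOnOrAfter, Instant now, Duration skew)
            throws ConditionException {
        // Keep the tolerance small: a large skew silently widens the replay window.
        if (skew.isNegative() || skew.compareTo(Duration.ofMinutes(5)) > 0) {
            throw new IllegalArgumentException("skew must be between 0 and 5 minutes");
        }
        if (notBefore != null && now.plus(skew).isBefore(notBefore)) {
            throw new ConditionException("The assertion cannot be used before " + notBefore);
        }
        // NotOnOrAfter is exclusive: the assertion is already invalid at exactly that instant.
        if (notOnOrAfter != null && !now.minus(skew).isBefore(notOnOrAfter)) {
            throw new ConditionException("The assertion cannot be used after " + notOnOrAfter);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed values; the NotOnOrAfter instant is the one quoted in the stack trace above.
        Instant notOnOrAfter = Instant.parse("2021-09-29T03:13:30.979Z");
        Instant notBefore = notOnOrAfter.minus(Duration.ofMinutes(5));
        Duration skew = Duration.ofSeconds(30);

        // 10 seconds past the bound but inside the skew allowance: accepted.
        enforceConditions(notBefore, notOnOrAfter, notOnOrAfter.plusSeconds(10), skew);
        System.out.println("accepted: 10 s late, within skew");

        // 10 minutes past the bound: rejected with the same message the issue reports.
        try {
            enforceConditions(notBefore, notOnOrAfter, notOnOrAfter.plus(Duration.ofMinutes(10)), skew);
        } catch (ConditionException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

If the rejection persists for fresh logins, compare the SP host clock against the IdP (NTP) before loosening the window.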
We are integrating SAML into an existing Java 'Spring MVC' web app (war) that is not using springboot or maven.
Our IDE is Netbeans.
How would we configure an endpoint to receive the SAML Response callback from the idp?
https://www.billgoobs.com/myapp/saml/SSO?SAMLResponse=ghgadhgkjadhgkjahkga
I'm not asking about how to extract the value from the SAMLResponse query string.
My question is how to set up a post endpoint or listener in our java web app that will be hit when the idp makes the https://www.billgoobs.com/myapp/saml/SSO?SAMLResponse=ghgadhgkjadhgkjahkga callback.
Using saml-client version 4.0.3 with maven-enforcer-plugin enabled throws the dependency convergence error:
[ERROR]
Dependency convergence error for org.slf4j:slf4j-api:1.7.7 paths to dependency are:
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-core:3.4.6
+-io.dropwizard.metrics:metrics-core:3.1.5
+-org.slf4j:slf4j-api:1.7.7
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-core:3.4.6
+-net.shibboleth.utilities:java-support:7.5.2
+-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-core:3.4.6
+-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-api:3.4.6
+-org.opensaml:opensaml-xmlsec-api:3.4.6
+-org.opensaml:opensaml-security-api:3.4.6
+-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-api:3.4.6
+-org.opensaml:opensaml-xmlsec-api:3.4.6
+-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-api:3.4.6
+-org.opensaml:opensaml-soap-api:3.4.6
+-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-api:3.4.6
+-org.opensaml:opensaml-messaging-api:3.4.6
+-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-api:3.4.6
+-org.opensaml:opensaml-profile-api:3.4.6
+-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-api:3.4.6
+-org.opensaml:opensaml-storage-api:3.4.6
+-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-api:3.4.6
+-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-impl:3.4.6
+-org.opensaml:opensaml-security-impl:3.4.6
+-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-impl:3.4.6
+-org.opensaml:opensaml-xmlsec-impl:3.4.6
+-org.apache.santuario:xmlsec:2.0.10
+-org.slf4j:slf4j-api:1.7.25
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-impl:3.4.6
+-org.opensaml:opensaml-xmlsec-impl:3.4.6
+-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-impl:3.4.6
+-org.opensaml:opensaml-soap-impl:3.4.6
+-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-impl:3.4.6
+-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.slf4j:slf4j-api:1.7.30
[ERROR]
Dependency convergence error for commons-codec:commons-codec:1.10 paths to dependency are:
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-core:3.4.6
+-net.shibboleth.utilities:java-support:7.5.2
+-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-core:3.4.6
+-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-api:3.4.6
+-org.opensaml:opensaml-xmlsec-api:3.4.6
+-org.opensaml:opensaml-security-api:3.4.6
+-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-api:3.4.6
+-org.opensaml:opensaml-xmlsec-api:3.4.6
+-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-api:3.4.6
+-org.opensaml:opensaml-soap-api:3.4.6
+-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-api:3.4.6
+-org.opensaml:opensaml-messaging-api:3.4.6
+-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-api:3.4.6
+-org.opensaml:opensaml-profile-api:3.4.6
+-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-api:3.4.6
+-org.opensaml:opensaml-storage-api:3.4.6
+-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-api:3.4.6
+-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-impl:3.4.6
+-org.opensaml:opensaml-security-impl:3.4.6
+-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-impl:3.4.6
+-org.opensaml:opensaml-xmlsec-impl:3.4.6
+-org.apache.santuario:xmlsec:2.0.10
+-commons-codec:commons-codec:1.11
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-impl:3.4.6
+-org.opensaml:opensaml-xmlsec-impl:3.4.6
+-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-impl:3.4.6
+-org.opensaml:opensaml-soap-impl:3.4.6
+-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-impl:3.4.6
+-org.apache.httpcomponents:httpclient:4.5.13
+-commons-codec:commons-codec:1.11
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-impl:3.4.6
+-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-commons-codec:commons-codec:1.14
[ERROR]
Dependency convergence error for com.fasterxml.woodstox:woodstox-core:5.0.3 paths to dependency are:
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-impl:3.4.6
+-org.opensaml:opensaml-xmlsec-impl:3.4.6
+-org.apache.santuario:xmlsec:2.0.10
+-com.fasterxml.woodstox:woodstox-core:5.0.3
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-com.fasterxml.woodstox:woodstox-core:5.3.0
[ERROR]
Dependency convergence error for org.bouncycastle:bcprov-jdk15on:1.59 paths to dependency are:
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-api:3.4.6
+-org.opensaml:opensaml-xmlsec-api:3.4.6
+-org.opensaml:opensaml-security-api:3.4.6
+-org.bouncycastle:bcprov-jdk15on:1.59
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-impl:3.4.6
+-org.opensaml:opensaml-xmlsec-impl:3.4.6
+-org.cryptacular:cryptacular:1.1.4
+-org.bouncycastle:bcprov-jdk15on:1.59
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.bouncycastle:bcprov-jdk15on:1.67
[ERROR]
Dependency convergence error for commons-collections:commons-collections:3.2.1 paths to dependency are:
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-org.opensaml:opensaml-saml-impl:3.4.6
+-org.apache.velocity:velocity:1.7
+-commons-collections:commons-collections:3.2.1
and
+-org.example:testing:1.0-SNAPSHOT
+-com.coveo:saml-client:4.0.3
+-commons-collections:commons-collections:3.2.2
Here's my pom.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>testing</artifactId>
  <version>1.0-SNAPSHOT</version>
  <properties>
    <maven.compiler.source>17</maven.compiler.source>
    <maven.compiler.target>17</maven.compiler.target>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.coveo</groupId>
      <artifactId>saml-client</artifactId>
      <version>4.0.3</version>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>1.0.1</version>
        <executions>
          <execution>
            <id>enforce</id>
            <configuration>
              <rules>
                <DependencyConvergence/>
              </rules>
            </configuration>
            <goals>
              <goal>enforce</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
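One way to satisfy the enforcer's DependencyConvergence rule with the pom above is to pin each diverging artifact in a dependencyManagement section, so that every transitive path resolves to a single version. This is an added fragment, not something the project ships; it pins each artifact to the highest version that appears in the convergence report above.

```xml
<dependencyManagement>
  <dependencies>
    <!-- Each version is the highest one listed for that artifact in the convergence report. -->
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.30</version>
    </dependency>
    <dependency>
      <groupId>commons-codec</groupId>
      <artifactId>commons-codec</artifactId>
      <version>1.14</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.woodstox</groupId>
      <artifactId>woodstox-core</artifactId>
      <version>5.3.0</version>
    </dependency>
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk15on</artifactId>
      <version>1.67</version>
    </dependency>
    <dependency>
      <!-- 3.2.2 is the release that added the deserialization safeguards absent from 3.2.1. -->
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>3.2.2</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Place it inside the project element next to the existing dependencies block, then rebuild to confirm the enforcer passes and the OpenSAML code still works against the pinned versions.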
If my IdP url is https://www.idpurl.com/ and my SP url is https://www.spurl.com/, then is this correct?
SamlClient client = SamlClient.fromMetadata("SPIdentifier", "https://www.idpurl.com/", "<your.IDP.metadata.xml>");
What is a good metadata xml that is related to these urls? I always get an Unmarshalling exception. How do I generate the best metadata for this library? Any tool you recommend? Thanks in advance.
Hello.
I have seen that when the logout request is made, it does not contain the attribute "Destination". Is there any way to add it? The IdP gives me an error for that reason.
Thanks.
When creating a SamlClient from metadata, it sets identityProviderUrl to the SingleSignOnService location, but nothing ever pulls out the SingleLogoutService. So later if you call one of the logout helpers, it will send a LogoutRequest to the SingleSignOnService instead of the SingleLogoutService.
To work around this I wrote this code where I hard coded the URL of the SingleLogoutService:
final String logoutRequest = samlClient.getLogoutRequest(userIdentity);
Map<String, String> values = new HashMap<>();
values.put("SAMLRequest", logoutRequest);
if (relayState != null) {
values.put("RelayState", relayState);
}
BrowserUtils.postUsingBrowser(singleLogoutUrl, response, values);
The IDP responded with a 400 "Error processing LogoutRequest. Single Logout Response Service location not found"
I compared the request with a LogoutRequest from a different application that uses spring-security-saml and succeeded, and the main difference I can see is the request that succeeded had a Destination attribute on the root element.
Currently SamlClient only sets that on the login request:
https://github.com/coveooss/saml-client/blob/master/src/main/java/com/coveo/saml/SamlClient.java#L779
But doesn't set that on the logout request:
https://github.com/coveooss/saml-client/blob/master/src/main/java/com/coveo/saml/SamlClient.java#L803
Hi
Is there a specific reason to use several Decrypters rather than just one?
Currently, SamlClient.fromMetadata takes a single samlBinding and uses it to both resolve the IDP endpoint and to populate the ProtocolBinding parameter in the AuthnRequest. But I should be able to set these up independently.
Title sums it up. The 4.1.0, 4.1.1, and 4.1.2 releases don't have corresponding tags or github release notation.
Hi, can you please explain how we can convert a federationmetadata.xml file to *.md file format? In my application they are not using any xml file; we have only a *.md file. Now it's time to update that file, as the provider's signatures changed, so I have to update the metadata info in my code. This is not an issue, but I am not getting help anywhere. Looking into my code, whoever wrote it previously just copy-pasted your samlclient.java code, but they used a *.md file for metadata, which is not in your code, and there are no guidelines on how to create it either.
Please help me on this. Thanks
Hello, with this client is it possible to generate a logout request and send it to the IdP so that it also closes the session there? If possible, what would such an implementation look like?
Thanks.
Please delete.
It's currently possible to modify the AuthnRequest string and replace the name id format, but this does not work when using client request signing.
It would be nice to have a function exposed to set the format of the name id policy, to be used when composing an AuthnRequest.
Hi.
When I have "Logout URL" configured in Azure SAML, then I'll get a request from Azure containing a SAMLResponse which contains a LogoutResponse.
But the client bails out when parsing the response.
The response seems to be signed.
Hi,
I'm curious to know if you are looking to publish a new tag with what's in master now. I'm looking to use this library and get attributes from XML response, but 3.0.2 doesn't have some handy methods like getAttributes
Thanks,
Jimmy
When running on Java 11, I get a NoClassDefFound error for javax.xml.bind.ValidationException. This is because JAXB was deprecated in Java 9, and removed entirely from Java 11. Two possible fixes:
I have tried and tested the first way, and it works in 3.0.1 and 4.0.0 snapshot. I can create a pull request for that. Some people might prefer the second way, which I have not tried yet. Is there a preference?
Hi there, I am new to SAML and SSO. I was trying to instantiate SamlClient and copied my idp Metadata.xml as an argument. The metadata I am using does have a ds:X509Certificate tag in it, but I am getting a "certificate" exception. Can you please let me know why this is happening, or is there any workaround that I could try? Thank you!
SAML puzzled me for many days, and this client solved it in the simplest way! Thanks a lot.
// On the assertion consumer endpoint: decode and validate the POSTed SAMLResponse, then read the subject
String encodedResponse = servletRequest.getParameter("SAMLResponse");
SamlResponse response = client.decodeAndValidateSamlResponse(encodedResponse);
String authenticatedUser = response.getNameID();
// Starting a login: send the browser to the identity provider (the second argument is the RelayState, null here)
client.redirectToIdentityProvider(servletResponse, null);
// One-call form of the decode-and-validate step, reading the SAMLResponse parameter from the request itself
SamlResponse response1 = client.processPostFromIdentityProvider(servletRequest);
I've written in support for retrieving the HTTP-Redirect information from IdP Metadata and will submit a Pull Request for it. At least the CAS SSO server supports this method for logging into SAML SSO IdPs.
Hi,
I would like to connect to a SAML2 SSO IDP with java. Is this the library to do it or should I use Spring?
Cheers
Al
We found that saml-client is vulnerable to XSW2 attacks. I have not been able to establish if the cause lays in this library, or the underlying OpenSaml library.
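As an added example (not the library's own validation), these are the structural checks a service provider should run after cryptographic signature verification, so that the element whose signature was verified is the only element whose contents are consumed. It assumes the IdP signs the assertion itself and that the response was parsed namespace-aware; the class and method names are hypothetical.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Structural checks that refuse a wrapped response before any assertion content is trusted. */
public final class WrappingGuard {
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";

    /**
     * Returns the single assertion that is safe to consume, or throws. Signature verification
     * proves that some element is authentic; this proves it is the element the SP will read.
     */
    public static Element selectAssertion(Document doc) {
        Element response = doc.getDocumentElement();
        if (!SAMLP.equals(response.getNamespaceURI()) || !"Response".equals(response.getLocalName())) {
            throw new IllegalStateException("root element is not samlp:Response");
        }
        // Exactly one assertion anywhere in the document, and it must sit directly under the root.
        NodeList all = doc.getElementsByTagNameNS(SAML, "Assertion");
        if (all.getLength() != 1) {
            throw new IllegalStateException("expected exactly one saml:Assertion, found " + all.getLength());
        }
        Element assertion = (Element) all.item(0);
        if (assertion.getParentNode() != response) {
            throw new IllegalStateException("saml:Assertion is not a direct child of samlp:Response");
        }
        // The ID the signature refers to must be unique, otherwise an ID lookup can land elsewhere.
        String id = assertion.getAttribute("ID");
        if (id.isEmpty() || countElementsWithId(response, id) != 1) {
            throw new IllegalStateException("assertion ID missing or not unique in the document");
        }
        // The enveloped signature must be a child of this assertion and reference this assertion's ID.
        Element sig = directChild(assertion, DS, "Signature");
        if (sig == null) throw new IllegalStateException("assertion is not signed");
        NodeList refs = sig.getElementsByTagNameNS(DS, "Reference");
        if (refs.getLength() != 1 || !("#" + id).equals(((Element) refs.item(0)).getAttribute("URI"))) {
            throw new IllegalStateException("signature Reference does not point at the consumed assertion");
        }
        return assertion;
    }

    static Element directChild(Element parent, String ns, String local) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE && ns.equals(n.getNamespaceURI()) && local.equals(n.getLocalName())) {
                return (Element) n;
            }
        }
        return null;
    }

    static int countElementsWithId(Element e, String id) {
        int count = id.equals(e.getAttribute("ID")) ? 1 : 0;
        for (Node n = e.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE) count += countElementsWithId((Element) n, id);
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        // Constructed well-formed case: one signed assertion directly under the root (signature body elided).
        String ok = "<samlp:Response xmlns:samlp=\"" + SAMLP + "\" xmlns:saml=\"" + SAML + "\" xmlns:ds=\"" + DS + "\" ID=\"_r\">"
                + "<saml:Assertion ID=\"_a1\"><ds:Signature><ds:SignedInfo><ds:Reference URI=\"#_a1\"/>"
                + "</ds:SignedInfo></ds:Signature></saml:Assertion></samlp:Response>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(ok)));
        System.out.println("consuming assertion " + selectAssertion(doc).getAttribute("ID"));
    }
}
```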
Hello,
I'm having the following issues when trying to decodeAndValidateSamlResponse:
java.lang.ClassCastException: org.opensaml.saml2.core.impl.AssertionImpl cannot be cast to org.opensaml.saml2.core.Response
that occurs in the following part.
(Response) Configuration.getUnmarshallerFactory()
.getUnmarshaller(parser.getDocument().getDocumentElement())
.unmarshall(parser.getDocument().getDocumentElement());
Does anyone have any suggestions?
Hi
Should I close the Reader passed to SamlClient.fromMetadata ?
Thanks
Eric
SamlClient.decodeAndValidateSamlResponse() fails if the response doesn't contain NameID. It seems like the field used to be required, but isn't anymore at the moment.
Although most IDPs probably do send it, or should be configurable to, we currently have no way of accepting responses without NameID, and no way of convincing IDPs outside of our control to change this (since they are apparently sending out a compliant response).
Could the requirement be dropped, perhaps in favor of a warning, or otherwise have some option of disabling the requirement?
See also this thread: SAML-Toolkits/python-saml#112
I have the following setup that works perfectly in my test cases:
InputStream inputStream = ClassLoader.getSystemResourceAsStream("misc/idp_meta.xml");
Reader metadata = new InputStreamReader(inputStream);
// Create the client
SamlClient client = SamlClient.fromMetadata(
"https://...",
"https://.../#/login",
metadata,
SamlClient.SamlIdpBinding.POST);
This works exactly as expected. However when I build the project using maven-shade-plugin and run the identical method I get the following error:
java.lang.NullPointerException: [org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver.initMetadataResolver(DOMMetadataResolver.java:68), org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver.doInitialize(AbstractMetadataResolver.java:287), net.shibboleth.utilities.java.support.component.AbstractInitializableComponent.initialize(AbstractInitializableComponent.java:61), com.coveo.saml.SamlClient.createMetadataResolver(SamlClient.java:574), com.coveo.saml.SamlClient.fromMetadata(SamlClient.java:390), com.coveo.saml.SamlClient.fromMetadata(SamlClient.java:362)
Any ideas on why this might be happening?
I'm trying to use this saml-client tool, but when I include it as a maven dependency at version 3.0.2, it differs from the newest code on GitHub. Did you update the maven repository?
We're considering SAML for providing SSO for our app but don't want to waste a bunch of time if it's not going to work! :)
I am getting the following error while doing maven install. Can someone please look into this.
[ERROR] COMPILATION ERROR :
[INFO] -------------------------------------------------------------
[ERROR] error: error reading /Users/xxx/.m2/repository/org/opensaml/opensaml/2.6.4/opensaml-2.6.4.jar; invalid LOC header (bad signature)
[ERROR] error: error reading /Users/xxx/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.51/bcprov-jdk15on-1.51.jar; invalid CEN header (bad signature)
[INFO] 2 errors
I'm trying to use the client for identity provider redirection, and force authentication in the provider.
What I need is to add ForceAuthn="true" to the saml2p:AuthnRequest tag, but I don't see any way to do it in the client. I'm using the client as follows:
SamlClient client = new SamlClient(relyingPartyIdentifier, assertionConsumerService, identityProviderUrl, responseIssuer, certs, SamlClient.SamlIdpBinding.POST);
client.getSamlRequest();
client.redirectToIdentityProvider(response, customerId);
And I can see the ForceAuthn attribute exists in the lib code, but I didn't find how to use it.
Hello. I was testing the client with an ADFS identity provider. When sending a logout request to it, an error returns me indicating the following message "SAML logout request and logout response messages must be signed when using SAML HTTP Redirect or HTTP POST binding". How could I fix this issue?
Thanks.
Hi,
is this client affected by the SAML vulnerability https://www.kb.cert.org/vuls/id/475445 ?
Thanks!
Klaus
In Redirect binding, SAML Request should be compressed and then base64-encoded. But the current (1.5.0) code doesn't compress. That makes some IDPs (OpenAM) unhappy.
The method in SamlClient that processes a POST containing the SAML logout request always expects a NameID, but in my case I'm not getting a NameID as an additional parameter from the IDP.
The method I'm using is: https://github.com/coveooss/saml-client/blob/7d334b40558aaa02d3931e0db21c8d39dde5f640/src/main/java/com/coveo/saml/SamlClient.java#L871
There should be an overloaded method that validates the LogoutRequest but without NameID.
Like below:
/**
 * Processes a POST containing the SAML logout request.
 *
 * @param request the {@link HttpServletRequest}.
 * @return A {@link LogoutRequest} object containing information decoded from the SAML Logout
 *     Request.
 * @throws SamlException thrown if an unexpected error occurs.
 */
public LogoutRequest processLogoutRequestPostFromIdentityProvider(HttpServletRequest request)
    throws SamlException {
  String encodedResponse = request.getParameter(HTTP_REQ_SAML_PARAM);
  return decodeSamlLogoutRequest(encodedResponse, request.getMethod());
}
Unable to use SLO; how do I direct the request to the SLO URL?
public String sendSAMLRequest(String loggedinUser) throws SamlException, FileNotFoundException {
  String publicKeyPath = "cert.x509.pem";
  String privateKeyPath = "private.pk8";
  final String fileSeparator = System.getProperty("file.separator");
  final File file = PathUtils.getTempFile(getServerPath(), "metadata", ".xml");
  final File directory = FileUtils.getFile(getServerPath(), "WEB-INF" + fileSeparator + "classes");
  final File metadatafile = new File(directory + fileSeparator + SamlReportAuditFactory.FILE_NAME);
  FileReader fileReader = new FileReader(metadatafile);
  SamlClient client = SamlClient.fromMetadata("http://www.okta.com/jlsdjflsjdflsjjlfjlsj", "https://localhost:8443/myapp/rest/sp/consumer", fileReader);
  final File privateKeyFile = new File(directory + fileSeparator + privateKeyPath);
  final File publicKeyFile = new File(directory + fileSeparator + publicKeyPath);
  client.setSPKeys(publicKeyFile.getAbsolutePath(), privateKeyFile.getAbsolutePath());
  String encodedRequest = client.getLogoutRequest(loggedinUser);
  return encodedRequest;
}
This library looks very useful. Given that OpenSAML 2.x has been EOL'd since July 2016, are there any plans to upgrade to use OpenSAML 3.x?
At the current time, 3.3.0 is the latest version
So the LogoutRequest works for Azure SAML.
But for Okta I'm getting a 400 Bad Request.
Well, I'm not sure where to send the request in the first place, but I assume it's where the LoginRequest goes to.
Though Azure has a separate URL for that.
Processing SAML response XML is susceptible to XXE injection.
Potential solutions include disallowing doc-type at all and/or disabling external entity processing as described in
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
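An added example, not the library's code, of a DocumentBuilderFactory configured along the lines of the OWASP cheat sheet linked above: DOCTYPE declarations are rejected outright and external entity loading is disabled, so the constructed DOCTYPE-bearing input is refused before any entity could be resolved. The class and method names are hypothetical.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** XXE-hardened parsing for decoded SAML messages (illustrative, not the library's parser). */
public final class SafeSamlXmlParser {

    /** Factory with DOCTYPE forbidden and every external-entity path switched off. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // SAML processing needs namespaces (samlp:, saml:, ds: prefixes).
        f.setNamespaceAware(true);
        // A SAML message never needs a DOCTYPE; rejecting it removes entity declarations entirely.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    /** Parses an already base64-decoded SAML message; throws SAXException if it carries a DOCTYPE. */
    public static Document parse(String samlXml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        // Last line of defence: if anything still asks for an external entity, hand back an empty one.
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return b.parse(new InputSource(new StringReader(samlXml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a benign response root, and one that declares an external entity.
        String benign = "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_r1\" Version=\"2.0\"/>";
        String withDoctype = "<!DOCTYPE x [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
                + "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"&ext;\" Version=\"2.0\"/>";

        System.out.println("benign root: " + parse(benign).getDocumentElement().getLocalName());
        try {
            parse(withDoctype);
            throw new IllegalStateException("DOCTYPE should have been rejected");
        } catch (SAXException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```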
Attempting to use saml-client version 4.1.0 fails to build:
[ERROR] Failed to execute goal on project testing: Could not resolve dependencies for project org.example:testing:jar:1.0-SNAPSHOT: The following artifacts could not be resolved: org.opensaml:opensaml-core:jar:4.2.0, org.opensaml:opensaml-saml-api:jar:4.2.0, org.opensaml:opensaml-saml-impl:jar:4.2.0: Could not find artifact org.opensaml:opensaml-core:jar:4.2.0 in artifactory ...
I believe this is because maven central does not have version 4.2.0 yet: https://mvnrepository.com/artifact/org.opensaml/opensaml-core
The latest version in maven central seems to be 4.0.1
I am trying to hookup SAML with PingFederate.
The metadata.xml file generated by their system does NOT include any md:SingleSignOnService... data.
It would be nice for my users if they could just export the metadata.xml and use it as is in my system instead of having to manually add an entry for md:SingleSignOnService
I would like to build up a PR to make getIdpBinding() return NULL if there was no md:SingleSignOnService at all, vs there were some, but none matched. Then downstream, I will make the places using the result of it handle null by defaulting to the value from assertionConsumerServiceUrl, sort of like the opposite of what you do if it's Okta.
Hi I notice that there isn't a deflate compression before base64 encode, any plans to add that?
Thanks
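The HTTP-Redirect encoding that this post and the earlier one about OpenAM ask for, as an added example that is not the library's code: raw DEFLATE (no zlib header), then base64, then URL-encoding of the query value, together with the inverse so the round trip can be checked. The class, method names and IdP URL are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import java.util.zip.Inflater;
import java.util.zip.InflaterInputStream;

/** SAMLRequest encoding for the HTTP-Redirect binding: DEFLATE, base64, URL-encode. */
public final class RedirectBindingCodec {

    /** Raw DEFLATE (nowrap = true, so no zlib header or trailer) followed by base64. */
    public static String deflateAndEncode(String samlXml) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
        try (DeflaterOutputStream out = new DeflaterOutputStream(buf, deflater)) {
            out.write(samlXml.getBytes(StandardCharsets.UTF_8));
        } finally {
            deflater.end();
        }
        return Base64.getEncoder().encodeToString(buf.toByteArray());
    }

    /** The inverse, as the IdP performs it on receipt (after URL-decoding the query value). */
    public static String decodeAndInflate(String encoded) throws IOException {
        byte[] compressed = Base64.getDecoder().decode(encoded);
        Inflater inflater = new Inflater(true);
        try (InflaterInputStream in = new InflaterInputStream(new ByteArrayInputStream(compressed), inflater)) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        } finally {
            inflater.end();
        }
    }

    /** Builds the redirect URL. The base64 text contains '+', '/' and '=' and must be URL-encoded. */
    public static String buildRedirectUrl(String idpSsoUrl, String samlXml, String relayState) throws IOException {
        StringBuilder url = new StringBuilder(idpSsoUrl);
        url.append(idpSsoUrl.contains("?") ? '&' : '?');
        url.append("SAMLRequest=").append(URLEncoder.encode(deflateAndEncode(samlXml), StandardCharsets.UTF_8));
        if (relayState != null) {
            url.append("&RelayState=").append(URLEncoder.encode(relayState, StandardCharsets.UTF_8));
        }
        // If the request is signed, SigAlg and Signature are appended here over the query string,
        // which is why this encoding has to be fixed before signing.
        return url.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed minimal AuthnRequest; not a message produced by this library.
        String xml = "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
                + " ID=\"_example\" Version=\"2.0\" IssueInstant=\"2021-01-01T00:00:00Z\"/>";
        String url = buildRedirectUrl("https://idp.example.test/sso", xml, "state-123");
        System.out.println(url);

        // Round trip exactly as the IdP would: pull the query value, URL-decode, base64-decode, inflate.
        int start = url.indexOf("SAMLRequest=") + "SAMLRequest=".length();
        int end = url.indexOf("&RelayState=");
        String roundTrip = decodeAndInflate(URLDecoder.decode(url.substring(start, end), StandardCharsets.UTF_8));
        if (!xml.equals(roundTrip)) {
            throw new IllegalStateException("round trip failed");
        }
        System.out.println("round trip ok");
    }
}
```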
Any plan to add logout request?
Hi
I would like to link a SAML request to its response. After reading some stuff on the internet it seems that the RelayState is meant to be used.
Is it the same as defined in the redirectToIdentityProvider method?
And by the way, do you know how to get it from a SamlResponse?
Regards
Eric (again)
We are trying to use this client for Ping ID. How can we use it for Ping ID? If it already works, could you please share some examples.
Thank you
When redirecting to Okta, I'm receiving a 400 Bad Request error on the Okta side. I'm using the metadata that they provided and all of the URLs appear to match up between my side and the Okta side. Is there a particular Reader I should be using to serialize the metadata.xml? I've used a FileReader, BufferedReader, and InputStreamReader, but all have failed. I suspect that the bad SAML is a problem with the serialization or encoding of the request.
I am getting an invalid signature request when signing with X509 and AuthnRequestsSigned="true" WantAssertionsSigned="true"
Please see the datb-com fork of this for a 3-line modification to decodeEncryptedAssertion() that uses SimpleRetrievalMethodEncryptedKeyResolver to add support where an IDP (in this case Liferay 7.4) provides encrypted assertions and specifies the EncryptionKey outside of the EncryptedData, referenced using RetrievalMethod. There is already a pull request open from a previous change (and I'm not a GitHub expert), so please contact me for further info.
I am able to login via ADFS and also successfully redirected to the desired page but on the ADFS Event Viewer there is an error-
Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified SPNameQualifier: . Actual NameID properties: null. at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context) at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler) at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Also when I am trying to decode the response via SamlClient.decodeAndValidateSamlResponse(), it fails in validateResponse(). This is the error while decoding the SAMLResponse:
Exception in thread "main" com.coveo.saml.SamlException: Invalid status code: urn:oasis:names:tc:SAML:2.0:status:Requester at com.coveo.saml.SamlClient.validateResponse(SamlClient.java:457) at com.coveo.saml.SamlClient.decodeAndValidateSamlResponse(SamlClient.java:284) at com.coveo.saml.Main.decodeAndValidateResponse(Main.java:41) at com.coveo.saml.Main.main(Main.java:48)
What other things do I need to do?