Consume SAMLResponse Token

2019-01-24 05:36发布

问题:

SAML sp-based authentication has following short workflow.

  • User wants to access application at sp.
  • sp sends SAMLRequest token to idp.
  • idp consume it and generate SAMLResponse token.
  • idp sends this SAMLResponse token to AC-URL given by sp.

My Question is how sp consume this SAMLResponse token. What is the logic? If I can get some JAVA code help it will be beneficial.

回答1:

The next recipe is working for me:

  1. Get the SAMLResponse token and decode it and inflate:

    // Base64 decode
    Base64 base64Decoder = new Base64();
    byte[] xmlBytes = encodedXmlString.getBytes("UTF-8");
    byte[] base64DecodedByteArray = base64Decoder.decode(xmlBytes);
    
    // Inflate (uncompress) the AuthnRequest data
    // First attempt to unzip the byte array according to DEFLATE (rfc 1951)
    
    Inflater inflater = new Inflater(true);
    inflater.setInput(base64DecodedByteArray);
    // since we are decompressing, it's impossible to know how much space we
    // might need; hopefully this number is suitably big
    byte[] xmlMessageBytes = new byte[5000];
    int resultLength = inflater.inflate(xmlMessageBytes);
    
    if (!inflater.finished()) {
        throw new RuntimeException("didn't allocate enough space to hold "
                + "decompressed data");
    }
    
    inflater.end();
    
    String decodedResponse = new String(xmlMessageBytes, 0, resultLength,
            "UTF-8");
    
    return decodedResponse;
    
  2. Parse the resulting XML. Here you can get the info that you need and for example, create a POJO with it (this is a sample code for parsing LogoutRequest's but would be analogous for responses):

    // Parse the XML. SAX approach, we just need the ID attribute
    SAXParserFactory saxParserFactory = SAXParserFactory.newInstance();
    
    // If we want to validate the doc we need to load the DTD
    // saxParserFactory.setValidating(true);
    
    // Get a SAXParser instance
    SAXParser saxParser = saxParserFactory.newSAXParser();
    
    // Parse it
    XMLhandler xmLhandler = new XMLhandler();
    saxParser.parse(new ByteArrayInputStream(xmlLogoutRequest.getBytes()),
            xmLhandler);
    
    // Return the SamlVO
    return xmLhandler.getSamlVO();
    

For my use case I am interesting in only a few elements, so I am using SAX:

public class XMLhandler extends DefaultHandler {

    private SamlVO samlVO;

    public XMLhandler() {
        samlVO = new SamlVO();
    }

    @Override
    public void startElement(String uri, String localName, String qName,
        Attributes attributes) throws SAXException {

        // Managing a LogoutRequest means that we are going to build a LogoutResponse
        if (qName.equals("samlp:LogoutRequest")) {
            // The ID value of a request will be the LogoutResponse's InReponseTo attribute 
            samlVO.setInResponseTo(attributes.getValue("ID"));
            // From the destination we can get the Issuer element
            String destination = attributes.getValue("Destination");
            if (destination != null) {
                URL destinationUrl = null;
                try {
                    destinationUrl = new URL(destination);
                } catch (MalformedURLException e) {
                     // TODO: We could set the server hostname (take it from a property), but this URL SHOULD be well formed!
                     e.printStackTrace();
                }
                samlVO.setIssuer(destinationUrl.getHost());
            }
        }   
    }

    public SamlVO getSamlVO() {
        return samlVO;
    }

}

Hope it helps,

Luis

PS: you also can use a library like OpenSAML

DefaultBootstrap.bootstrap();

HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder(new BasicParserPool());
BasicSAMLMessageContext<LogoutRequest, ?, ?> messageContext = new BasicSAMLMessageContext<LogoutRequest, SAMLObject, SAMLObject>();
messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request));
decode.decode(messageContext);
XMLObjectBuilderFactory builderFactory = org.opensaml.Configuration.getBuilderFactory();
LogoutRequestBuilder logoutRequestBuilder = (LogoutRequestBuilder) builderFactory.getBuilder(LogoutRequest.DEFAULT_ELEMENT_NAME);
LogoutRequest logoutRequest = logoutRequestBuilder.buildObject();
logoutRequest = (LogoutRequest) messageContext.getInboundMessage();

But be prepared to include a few libraries in your CLASSPATH!!!



回答2:

Asking for code is a bit much, but the basic processing is that the SP validates the SAMLResponse, including for well-formedness, presence of required values, correct protocol, and any other SP-specific validation (time constraints, data correspondence, etc.), maps user identified in token to user on SP (could involve creating user), and transfers user to requested resource.



回答3:

Here is how I do it in Java. I use XMLBeans to parse the SAMLResponse, then decrypt it (if it's encrypted) and then verify the signature:

WebBrowserSSOAuthConsumerService