org.opensaml.saml.saml2.metadata.IDPSSODescriptor Java Examples

Example #1
Source File: Saml2SettingsProvider.java    From deprecated-security-advanced-modules with Apache License 2.0
/**
 * Copies the IdP's HTTP-Redirect single sign-on endpoint, and its single logout endpoint when
 * the IdP publishes one, from the metadata role descriptor into {@code configProperties},
 * together with the IdP entity id taken from the plugin settings.
 *
 * @param idpSsoDescriptor the SAML 2.0 IdP role descriptor resolved from metadata
 * @param configProperties settings map populated in place under the {@link SettingsBuilder} keys
 * @throws SamlConfigException if the IdP publishes no HTTP-Redirect SingleSignOnService
 */
private void initIdpEndpoints(IDPSSODescriptor idpSsoDescriptor, HashMap<String, Object> configProperties)
        throws SamlConfigException {
    final String redirectBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";

    // findSingleSignOnService throws instead of returning null, so no null check is needed here.
    SingleSignOnService sso = this.findSingleSignOnService(idpSsoDescriptor, redirectBinding);
    configProperties.put(SettingsBuilder.IDP_SINGLE_SIGN_ON_SERVICE_URL_PROPERTY_KEY, sso.getLocation());
    configProperties.put(SettingsBuilder.IDP_SINGLE_SIGN_ON_SERVICE_BINDING_PROPERTY_KEY, sso.getBinding());
    configProperties.put(SettingsBuilder.IDP_ENTITYID_PROPERTY_KEY, this.esSettings.get("idp.entity_id"));

    // Single logout is optional in IdP metadata; findSingleLogoutService returns null when absent.
    SingleLogoutService slo = this.findSingleLogoutService(idpSsoDescriptor, redirectBinding);
    if (slo == null) {
        log.warn(
                "The IdP does not provide a Single Logout Service. In order to ensure that users have to re-enter their password after logging out, Open Distro Security will issue all SAML authentication requests with a mandatory password input (ForceAuthn=true)");
        return;
    }
    configProperties.put(SettingsBuilder.IDP_SINGLE_LOGOUT_SERVICE_URL_PROPERTY_KEY, slo.getLocation());
    configProperties.put(SettingsBuilder.IDP_SINGLE_LOGOUT_SERVICE_BINDING_PROPERTY_KEY, slo.getBinding());
}
 
Example #2
Source File: SamlClient.java    From saml-client with MIT License
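/**
 * Collects the IdP's signing certificates from the key descriptors in its metadata.
 * <p>
 * A {@code KeyDescriptor} whose {@code use} attribute is omitted applies to both signing and
 * encryption in SAML 2.0 metadata, so keys reported as {@code UNSPECIFIED} are accepted as
 * signing keys alongside those explicitly marked {@code SIGNING}. Encryption-only keys are
 * skipped so they never become trust anchors for response signatures.
 *
 * @param idpSsoDescriptor the IdP role descriptor resolved from metadata
 * @return a mutable list of signing certificates; {@code fromMetadata} appends caller-supplied
 *         certificates to it
 * @throws SamlException if any key descriptor cannot be turned into a certificate
 */
private static List<X509Certificate> getCertificates(IDPSSODescriptor idpSsoDescriptor)
    throws SamlException {
  try {
    // Collectors.toList() rather than Stream.toList(): the result must stay mutable because
    // fromMetadata calls addAll on it.
    return idpSsoDescriptor
        .getKeyDescriptors()
        .stream()
        .filter(x -> x.getUse() == UsageType.SIGNING || x.getUse() == UsageType.UNSPECIFIED)
        .flatMap(SamlClient::getDatasWithCertificates)
        .map(SamlClient::getFirstCertificate)
        .collect(Collectors.toList());
  } catch (Exception e) {
    // Broad catch kept on purpose: the helpers surface certificate-parsing failures of several
    // types, and all of them mean the metadata cannot be trusted for signature validation.
    throw new SamlException("Exception in getCertificates", e);
  }
}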
 
Example #3
Source File: MockMetadataAggregatorServer.java    From verify-service-provider with MIT License
/**
 * Builds signed metadata XML for a stub country IdP whose only key descriptor carries the
 * stub country's primary signing certificate.
 *
 * @param countryEntityId the entityID placed on the generated EntityDescriptor
 * @return the single-entity metadata document as a string
 * @throws Exception propagated from the metadata and credential builders
 */
private String buildTestCountryEntityDescriptor(String countryEntityId) throws Exception {
    KeyDescriptor countrySigningKey = KeyDescriptorBuilder.aKeyDescriptor()
        .withX509ForSigning(STUB_COUNTRY_PUBLIC_PRIMARY_CERT)
        .build();

    IDPSSODescriptor idpRole = IdpSsoDescriptorBuilder.anIdpSsoDescriptor()
        .withoutDefaultSigningKey()
        .addKeyDescriptor(countrySigningKey)
        .build();

    // The metadata document itself is signed with the "A" metadata signing key, which is
    // distinct from the country signing key advertised inside the descriptor.
    TestCredentialFactory metadataSigner =
        new TestCredentialFactory(METADATA_SIGNING_A_PUBLIC_CERT, METADATA_SIGNING_A_PRIVATE_KEY);
    Signature metadataSignature = SignatureBuilder.aSignature()
        .withSigningCredential(metadataSigner.getSigningCredential())
        .withX509Data(METADATA_SIGNING_A_PUBLIC_CERT)
        .build();

    EntityDescriptor countryEntity = EntityDescriptorBuilder.anEntityDescriptor()
        .withEntityId(countryEntityId)
        .withIdpSsoDescriptor(idpRole)
        .setAddDefaultSpServiceDescriptor(false)
        .withValidUntil(DateTime.now().plusWeeks(2))
        .withSignature(metadataSignature)
        .build();

    return new MetadataFactory().singleEntityMetadata(countryEntity);
}
 
Example #4
Source File: VerifyAssertionTranslatorTest.java    From verify-service-provider with MIT License
/** An IdP assertion whose Issuer element is absent entirely must be rejected. */
@Test
public void shouldThrowExceptionIfIssuerMissingWhenValidatingIdpAssertion() {
    exception.expect(SamlResponseValidationException.class);
    exception.expectMessage("Assertion with id mds-assertion has missing or blank Issuer.");

    Assertion issuerlessAssertion =
            aMatchingDatasetAssertionWithSignature(emptyList(), anIdpSignature(), "requestId").buildUnencrypted();
    issuerlessAssertion.setIssuer(null);

    verifyAssertionService.validateIdpAssertion(issuerlessAssertion, "not-used", IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
}
 
Example #5
Source File: SamlClient.java    From saml-client with MIT License
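/**
 * Picks the IdP SingleSignOnService endpoint for the requested SAML binding.
 *
 * @param idpSsoDescriptor the IdP role descriptor resolved from metadata
 * @param samlBinding      the HTTP binding; its {@code toString()} is the URN suffix (e.g. POST)
 * @return an SSO endpoint whose Binding attribute equals the URN built from {@code samlBinding}
 * @throws SamlException if the metadata publishes no SSO endpoint for that binding
 */
private static SingleSignOnService getIdpBinding(
    IDPSSODescriptor idpSsoDescriptor, SamlIdpBinding samlBinding) throws SamlException {
  String bindingUrn = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-" + samlBinding.toString();
  return idpSsoDescriptor
      .getSingleSignOnServices()
      .stream()
      // Constant on the left so an endpoint with no Binding attribute is skipped, not an NPE.
      .filter(x -> bindingUrn.equals(x.getBinding()))
      .findAny()
      // The message names the binding actually requested; it used to say HTTP-POST even when
      // the caller asked for HTTP-Redirect.
      .orElseThrow(
          () -> new SamlException("Cannot find HTTP-" + samlBinding + " SSO binding in metadata"));
}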
 
Example #6
Source File: SamlClient.java    From saml-client with MIT License
/**
 * Extracts the SAML 2.0 IdP role from an entity descriptor.
 *
 * @param entityDescriptor the IdP entity descriptor resolved from metadata
 * @return the IDPSSODescriptor that supports the SAML 2.0 protocol
 * @throws SamlException if the entity publishes no such role
 */
private static IDPSSODescriptor getIDPSSODescriptor(EntityDescriptor entityDescriptor)
    throws SamlException {
  final String saml20Protocol = "urn:oasis:names:tc:SAML:2.0:protocol";
  IDPSSODescriptor idpRole = entityDescriptor.getIDPSSODescriptor(saml20Protocol);
  if (idpRole != null) {
    return idpRole;
  }
  throw new SamlException("Cannot retrieve IDP SSO descriptor");
}
 
Example #7
Source File: VerifyAssertionTranslatorTest.java    From verify-service-provider with MIT License
/** An assertion declaring SAML version 1.0 must be rejected with the illegal-Version message. */
@Test
public void shouldThrowExceptionIfAssertionVersionInvalidWhenValidatingIdpAssertion() {
    exception.expect(SamlResponseValidationException.class);
    exception.expectMessage("Assertion with id mds-assertion declared an illegal Version attribute value.");

    Assertion saml10Assertion =
            aMatchingDatasetAssertionWithSignature(emptyList(), anIdpSignature(), "requestId").buildUnencrypted();
    saml10Assertion.setVersion(SAMLVersion.VERSION_10);

    verifyAssertionService.validateIdpAssertion(saml10Assertion, "not-used", IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
}
 
Example #8
Source File: VerifyAssertionTranslatorTest.java    From verify-service-provider with MIT License
/** An assertion with no Version attribute at all must be rejected. */
@Test
public void shouldThrowExceptionIfMissingAssertionVersionWhenValidatingIdpAssertion() {
    exception.expect(SamlResponseValidationException.class);
    exception.expectMessage("Assertion with id mds-assertion has missing Version.");

    Assertion versionlessAssertion =
            aMatchingDatasetAssertionWithSignature(emptyList(), anIdpSignature(), "requestId").buildUnencrypted();
    versionlessAssertion.setVersion(null);

    verifyAssertionService.validateIdpAssertion(versionlessAssertion, "not-used", IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
}
 
Example #9
Source File: VerifyAssertionTranslatorTest.java    From verify-service-provider with MIT License
/** An Issuer element that is present but carries an empty value must be rejected. */
@Test
public void shouldThrowExceptionIfIssuerValueIsBlankWhenValidatingIdpAssertion() {
    exception.expect(SamlResponseValidationException.class);
    exception.expectMessage("Assertion with id mds-assertion has missing or blank Issuer.");

    Assertion blankIssuerAssertion =
            aMatchingDatasetAssertionWithSignature(emptyList(), anIdpSignature(), "requestId").buildUnencrypted();
    blankIssuerAssertion.setIssuer(anIssuer().withIssuerId("").build());

    verifyAssertionService.validateIdpAssertion(blankIssuerAssertion, "not-used", IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
}
 
Example #10
Source File: VerifyAssertionTranslatorTest.java    From verify-service-provider with MIT License
/** An Issuer element that is present but carries a null value must be rejected. */
@Test
public void shouldThrowExceptionIfIssuerValueMissingWhenValidatingIdpAssertion() {
    exception.expect(SamlResponseValidationException.class);
    exception.expectMessage("Assertion with id mds-assertion has missing or blank Issuer.");

    Assertion nullIssuerValueAssertion =
            aMatchingDatasetAssertionWithSignature(emptyList(), anIdpSignature(), "requestId").buildUnencrypted();
    nullIssuerValueAssertion.setIssuer(anIssuer().withIssuerId(null).build());

    verifyAssertionService.validateIdpAssertion(nullIssuerValueAssertion, "not-used", IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
}
 
Example #11
Source File: Saml2SettingsProvider.java    From deprecated-security-advanced-modules with Apache License 2.0
/**
 * Resolves the configured IdP's metadata and assembles the complete {@link Saml2Settings}:
 * IdP endpoints and certificates from the resolved IDPSSODescriptor, SP endpoints and
 * miscellaneous values from configuration, and finally the raw {@code esSettings} values,
 * which are fed to the builder after the metadata-derived ones.
 *
 * @return the built settings
 * @throws SamlConfigException if the entity, or its SAML 2.0 IdP role, is not in the metadata
 * @throws AuthenticatorUnavailableException if the metadata resolver itself fails
 */
Saml2Settings get() throws SamlConfigException {
    try {
        EntityDescriptor entityDescriptor = this.metadataResolver
                .resolveSingle(new CriteriaSet(new EntityIdCriterion(this.idpEntityId)));
        if (entityDescriptor == null) {
            throw new SamlConfigException("Could not find entity descriptor for " + this.idpEntityId);
        }

        IDPSSODescriptor idpSsoDescriptor = entityDescriptor
                .getIDPSSODescriptor("urn:oasis:names:tc:SAML:2.0:protocol");
        if (idpSsoDescriptor == null) {
            throw new SamlConfigException("Could not find IDPSSODescriptor supporting SAML 2.0 in "
                    + this.idpEntityId + "; role descriptors: " + entityDescriptor.getRoleDescriptors());
        }

        HashMap<String, Object> properties = new HashMap<>();
        initIdpEndpoints(idpSsoDescriptor, properties);
        initIdpCerts(idpSsoDescriptor, properties);
        initSpEndpoints(properties);
        initMisc(properties);

        // TODO allow overriding of IdP metadata?
        SettingsBuilder builder = new SettingsBuilder();
        builder.fromValues(properties);
        builder.fromValues(new SamlSettingsMap(this.esSettings));
        return builder.build();
    } catch (ResolverException e) {
        throw new AuthenticatorUnavailableException(e);
    }
}
 
Example #12
Source File: VerifyAssertionTranslatorTest.java    From verify-service-provider with MIT License
/** An assertion whose ID attribute is the empty string must be rejected. */
@Test
public void shouldThrowExceptionIfAssertionIdIsBlankWhenValidatingIdpAssertion() {
    exception.expect(SamlResponseValidationException.class);
    exception.expectMessage("Assertion Id is missing or blank.");

    Assertion blankIdAssertion =
            aMatchingDatasetAssertionWithSignature(emptyList(), anIdpSignature(), "requestId").buildUnencrypted();
    blankIdAssertion.setID("");

    verifyAssertionService.validateIdpAssertion(blankIdAssertion, "not-used", IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
}
 
Example #13
Source File: VerifyAssertionTranslatorTest.java    From verify-service-provider with MIT License
/** An assertion with no ID attribute must be rejected. */
@Test
public void shouldThrowExceptionIfAssertionIdIsMissingWhenValidatingIdpAssertion() {
    exception.expect(SamlResponseValidationException.class);
    exception.expectMessage("Assertion Id is missing or blank.");

    Assertion idlessAssertion =
            aMatchingDatasetAssertionWithSignature(emptyList(), anIdpSignature(), "requestId").buildUnencrypted();
    idlessAssertion.setID(null);

    verifyAssertionService.validateIdpAssertion(idlessAssertion, "not-used", IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
}
 
Example #14
Source File: VerifyAssertionTranslatorTest.java    From verify-service-provider with MIT License
/** An assertion with no IssueInstant attribute must be rejected. */
@Test
public void shouldThrowExceptionIfIssueInstantMissingWhenValidatingIdpAssertion() {
    exception.expect(SamlResponseValidationException.class);
    exception.expectMessage("Assertion IssueInstant is missing.");

    Assertion undatedAssertion =
            aMatchingDatasetAssertionWithSignature(emptyList(), anIdpSignature(), "requestId").buildUnencrypted();
    undatedAssertion.setIssueInstant(null);

    verifyAssertionService.validateIdpAssertion(undatedAssertion, "not-used", IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
}
 
Example #15
Source File: MatchingAssertionTranslator.java    From verify-service-provider with MIT License
/**
 * Translates a successful matching-service SAML response into a response body.
 * <p>
 * Order matters here: the first assertion's content and the signatures of all assertions
 * (verified against the IdP role) are validated before any value is read out of the assertion,
 * and the level of assurance is checked against the expected one before the NameID and
 * attributes are handed back.
 *
 * @param assertions               assertions from the SAML response; only the first is translated
 * @param expectedInResponseTo     the request id the assertion must answer
 * @param expectedLevelOfAssurance the level of assurance the caller expects
 * @param entityId                 the entity id the assertion is validated against
 * @return an account-creation body carrying translated attributes when the assertion's
 *         attribute statements indicate user account creation, otherwise a success-match body
 *         with no attributes
 */
@Override
public TranslatedResponseBody translateSuccessResponse(
        List<Assertion> assertions,
        String expectedInResponseTo,
        LevelOfAssurance expectedLevelOfAssurance,
        String entityId
) {
    //  1. check saml has assertions (guards the get(0) below)
    checkSamlhasAssertions(assertions);
    //  2. validate assertions: content first, then every signature against the IdP role
    Assertion assertion = assertions.get(0);
    assertionValidator.validate(assertion, expectedInResponseTo, entityId);
    assertionsSignatureValidator.validate(assertions, IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
    //  3. validate levelOfAssurance
    // NOTE(review): assumes a validated assertion always carries an AuthnStatement; get(0)
    // would throw IndexOutOfBoundsException otherwise — confirm assertionValidator checks this.
    AuthnStatement authnStatement = assertion.getAuthnStatements().get(0);
    LevelOfAssurance levelOfAssurance = extractLevelOfAssurance(authnStatement);
    levelOfAssuranceValidator.validate(levelOfAssurance, expectedLevelOfAssurance);
    //  4. translateAssertions — only reached once validation has passed
    String nameID = assertion.getSubject().getNameID().getValue();
    List<AttributeStatement> attributeStatements = assertion.getAttributeStatements();
    if (isUserAccountCreation(attributeStatements)) {
        return new TranslatedMatchingResponseBody(
            ACCOUNT_CREATION,
            nameID,
            levelOfAssurance,
            AttributeTranslator.translateAttributes(attributeStatements.get(0))
        );

    }
    return new TranslatedMatchingResponseBody(SUCCESS_MATCH, nameID, levelOfAssurance, null);

}
 
Example #16
Source File: VerifyAssertionTranslator.java    From verify-service-provider with MIT License
/**
 * Validates the authentication and matching-dataset assertions of a Verify response as a pair:
 * each must pass the IdP assertion checks for {@code requestId}, the asserted level of
 * assurance is checked against the expected one, and the two assertions must agree on their
 * Issuer value and on the subject's NameID (the PID).
 *
 * @param authnAssertion           the authentication assertion
 * @param mdsAssertion             the matching-dataset assertion
 * @param requestId                the request id both assertions must answer
 * @param expectedLevelOfAssurance the level of assurance the caller expects
 * @param levelOfAssurance         the level of assurance asserted by the IdP
 * @throws SamlResponseValidationException with {@code MISMATCHED_ISSUERS} or {@code MISMATCHED_PIDS}
 *         when the two assertions disagree, or as raised by the individual assertion checks
 */
public void validate(Assertion authnAssertion, Assertion mdsAssertion, String requestId, LevelOfAssurance expectedLevelOfAssurance, LevelOfAssurance levelOfAssurance) {
    validateIdpAssertion(authnAssertion, requestId, IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
    validateIdpAssertion(mdsAssertion, requestId, IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
    levelOfAssuranceValidator.validate(levelOfAssurance, expectedLevelOfAssurance);

    String mdsIssuer = mdsAssertion.getIssuer().getValue();
    String authnIssuer = authnAssertion.getIssuer().getValue();
    if (!mdsIssuer.equals(authnIssuer)) {
        throw new SamlResponseValidationException(MISMATCHED_ISSUERS);
    }

    String mdsPid = mdsAssertion.getSubject().getNameID().getValue();
    String authnPid = authnAssertion.getSubject().getNameID().getValue();
    if (!mdsPid.equals(authnPid)) {
        throw new SamlResponseValidationException(MISMATCHED_PIDS);
    }
}
 
Example #17
Source File: EidasAssertionTranslator.java    From verify-service-provider with MIT License
/**
 * Verifies the assertion's XML signature with the trust engine registered for the issuer's
 * metadata; the assertion is checked as signed by the issuer's IdP role.
 *
 * @param assertion      the eIDAS assertion whose signature is verified
 * @param issuerEntityId entity id of the issuing country node, used to look up its metadata
 * @throws SamlResponseValidationException if no metadata resolver is registered for the issuer
 */
@Override
protected void validateSignature(Assertion assertion, String issuerEntityId) {
    String noResolverMessage = "Unable to find metadata resolver for entity Id " + issuerEntityId;
    metadataResolverRepository.getSignatureTrustEngine(issuerEntityId)
            .map(trustEngine -> signatureValidatorFactory.getSignatureValidator(trustEngine))
            .orElseThrow(() -> new SamlResponseValidationException(noResolverMessage))
            .validate(singletonList(assertion), IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
}
 
Example #18
Source File: Saml2SettingsProvider.java    From deprecated-security-advanced-modules with Apache License 2.0
/**
 * Looks up the first SingleLogoutService endpoint the IdP publishes for {@code binding}.
 *
 * @param idpSsoDescriptor the IdP role descriptor resolved from metadata
 * @param binding          the SAML binding URN that the endpoint's Binding attribute must equal
 * @return the matching endpoint, or {@code null} when the IdP publishes none (SLO is optional)
 * @throws SamlConfigException declared by the signature, but not thrown by this lookup
 */
private SingleLogoutService findSingleLogoutService(IDPSSODescriptor idpSsoDescriptor, String binding)
        throws SamlConfigException {
    return idpSsoDescriptor.getSingleLogoutServices().stream()
            .filter(service -> binding.equals(service.getBinding()))
            .findFirst()
            .orElse(null);
}
 
Example #19
Source File: Saml2SettingsProvider.java    From deprecated-security-advanced-modules with Apache License 2.0
/**
 * Looks up the first SingleSignOnService endpoint the IdP publishes for {@code binding}.
 *
 * @param idpSsoDescriptor the IdP role descriptor resolved from metadata
 * @param binding          the SAML binding URN that the endpoint's Binding attribute must equal
 * @return the matching endpoint
 * @throws SamlConfigException if no endpoint uses that binding; the message lists the
 *         endpoints the IdP does publish
 */
private SingleSignOnService findSingleSignOnService(IDPSSODescriptor idpSsoDescriptor, String binding)
        throws SamlConfigException {
    return idpSsoDescriptor.getSingleSignOnServices().stream()
            .filter(service -> binding.equals(service.getBinding()))
            .findFirst()
            .orElseThrow(() -> new SamlConfigException("Could not find SingleSignOnService endpoint for binding " + binding
                    + "; available services: " + idpSsoDescriptor.getSingleSignOnServices()));
}
 
Example #20
Source File: Saml2SettingsProvider.java    From deprecated-security-advanced-modules with Apache License 2.0
/**
 * Copies every certificate the IdP publishes for signing into {@code configProperties}, one
 * entry per certificate under {@code IDP_X509CERTMULTI_PROPERTY_KEY + "." + index}.
 * <p>
 * Key descriptors marked {@code SIGNING} or {@code UNSPECIFIED} are used (an unspecified use
 * covers signing); encryption-only keys are never added, so they cannot become trust anchors.
 *
 * @param idpSsoDescriptor the IdP role descriptor resolved from metadata
 * @param configProperties settings map populated in place
 */
private void initIdpCerts(IDPSSODescriptor idpSsoDescriptor, HashMap<String, Object> configProperties) {
    int certIndex = 0;

    for (KeyDescriptor keyDescriptor : idpSsoDescriptor.getKeyDescriptors()) {
        UsageType use = keyDescriptor.getUse();
        boolean usableForSigning = UsageType.SIGNING.equals(use) || UsageType.UNSPECIFIED.equals(use);
        if (!usableForSigning) {
            continue;
        }
        for (X509Data x509Data : keyDescriptor.getKeyInfo().getX509Datas()) {
            for (X509Certificate certificate : x509Data.getX509Certificates()) {
                String propertyKey = SettingsBuilder.IDP_X509CERTMULTI_PROPERTY_KEY + "." + certIndex;
                configProperties.put(propertyKey, certificate.getValue());
                certIndex++;
            }
        }
    }
}
 
Example #21
Source File: MockSamlIdpServer.java    From deprecated-security-advanced-modules with Apache License 2.0
/**
 * Builds this mock IdP's SAML 2.0 metadata: one EntityDescriptor carrying an IDPSSODescriptor
 * with HTTP-Redirect SLO and SSO endpoints, the "unspecified" NameID format, and a SIGNING key
 * descriptor whose KeyInfo embeds the mock's signing certificate.
 *
 * @return the marshalled metadata XML
 * @throws RuntimeException wrapping the OpenSAML SecurityException raised by KeyInfo generation
 */
private String createMetadata() {
    final String redirectBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";
    try {
        EntityDescriptor entity = createSamlElement(EntityDescriptor.class);
        entity.setEntityID(idpEntityId);

        IDPSSODescriptor idpRole = createSamlElement(IDPSSODescriptor.class);
        entity.getRoleDescriptors().add(idpRole);
        idpRole.setWantAuthnRequestsSigned(wantAuthnRequestsSigned);
        idpRole.addSupportedProtocol(SAMLConstants.SAML20P_NS);

        SingleLogoutService slo = createSamlElement(SingleLogoutService.class);
        idpRole.getSingleLogoutServices().add(slo);
        slo.setBinding(redirectBinding);
        slo.setLocation(getSamlSloUri());

        idpRole.getNameIDFormats()
                .add(createNameIDFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"));

        SingleSignOnService sso = createSamlElement(SingleSignOnService.class);
        idpRole.getSingleSignOnServices().add(sso);
        sso.setBinding(redirectBinding);
        sso.setLocation(getSamlSsoUri());

        // The generator is told to emit the entity certificate itself inside KeyInfo.
        X509KeyInfoGeneratorFactory keyInfoFactory = new X509KeyInfoGeneratorFactory();
        keyInfoFactory.setEmitEntityCertificate(true);
        KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance();

        KeyDescriptor signingKey = createSamlElement(KeyDescriptor.class);
        idpRole.getKeyDescriptors().add(signingKey);
        signingKey.setUse(UsageType.SIGNING);
        signingKey.setKeyInfo(keyInfoGenerator.generate(new BasicX509Credential(this.signingCertificate)));

        return marshallSamlXml(entity);
    } catch (org.opensaml.security.SecurityException e) {
        throw new RuntimeException(e);
    }
}
 
Example #22
Source File: SamlClient.java    From saml-client with MIT License
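/**
 * Constructs an SAML client using XML metadata obtained from the identity provider. <p> When
 * using Okta as an identity provider, it is possible to pass null to relyingPartyIdentifier and
 * assertionConsumerServiceUrl; they will be inferred from the metadata provider XML.
 * <p>
 * Signing certificates are taken from the metadata's key descriptors; any {@code certificates}
 * passed in are added to that trust set, so they must come from a source the caller trusts as
 * much as the metadata itself.
 *
 * @param relyingPartyIdentifier      the identifier for the relying party.
 * @param assertionConsumerServiceUrl the url where the identity provider will post back the
 *                                    SAML response.
 * @param metadata                    the XML metadata obtained from the identity provider.
 * @param samlBinding                 the HTTP method to use for binding to the IdP.
 * @param certificates                list of certificates, or null.
 * @return The created {@link SamlClient}.
 * @throws SamlException thrown if any error occur while loading the metadata information.
 * @throws IllegalArgumentException if relyingPartyIdentifier is null and the IdP is not Okta.
 */
public static SamlClient fromMetadata(
    String relyingPartyIdentifier,
    String assertionConsumerServiceUrl,
    Reader metadata,
    SamlIdpBinding samlBinding,
    List<X509Certificate> certificates)
    throws SamlException {

  ensureOpenSamlIsInitialized();

  DOMMetadataResolver metadataResolver = createMetadataResolver(skipBom(metadata));
  EntityDescriptor entityDescriptor = getEntityDescriptor(metadataResolver);
  IDPSSODescriptor idpSsoDescriptor = getIDPSSODescriptor(entityDescriptor);

  // Metadata without any SSO endpoint is tolerated; idpBinding then stays null and the
  // fallback below applies.
  SingleSignOnService idpBinding = null;
  List<SingleSignOnService> ssoServices = idpSsoDescriptor.getSingleSignOnServices();
  if (ssoServices != null && !ssoServices.isEmpty()) {
    idpBinding = getIdpBinding(idpSsoDescriptor, samlBinding);
  }

  List<X509Certificate> x509Certificates = getCertificates(idpSsoDescriptor);

  // Okta detection is a substring heuristic on the entityID. A missing entityID used to
  // fail here with a NullPointerException; it now simply means "not Okta". The flag only
  // relaxes the argument checks below, it grants no additional trust.
  String entityId = entityDescriptor.getEntityID();
  boolean isOkta = entityId != null && entityId.contains(".okta.com");

  if (relyingPartyIdentifier == null) {
    // Okta's own toolkit uses the entity ID as a relying party identifier, so if we
    // detect that the IDP is Okta let's tolerate a null value for this parameter.
    if (!isOkta) {
      throw new IllegalArgumentException("relyingPartyIdentifier");
    }
    relyingPartyIdentifier = entityId;
  }

  if (idpBinding != null && assertionConsumerServiceUrl == null && isOkta) {
    // Again, Okta's own toolkit uses this value for the assertion consumer url, which
    // kinda makes no sense since this is supposed to be a url pointing to a server
    // outside Okta, but it probably just straight ignores this and use the one from
    // it's own config anyway.
    assertionConsumerServiceUrl = idpBinding.getLocation();
  }

  if (certificates != null) {
    // Adding certificates given to this method
    // because some idp metadata file does not embedded signing certificate.
    // getCertificates returns a mutable list precisely so this addAll works.
    x509Certificates.addAll(certificates);
  }

  // Pre-existing behaviour: with no SSO endpoint in the metadata, the ACS url stands in as
  // the identity provider url.
  String identityProviderUrl =
      idpBinding != null ? idpBinding.getLocation() : assertionConsumerServiceUrl;
  String responseIssuer = entityId;

  return new SamlClient(
      relyingPartyIdentifier,
      assertionConsumerServiceUrl,
      identityProviderUrl,
      responseIssuer,
      x509Certificates,
      samlBinding);
}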
 
Example #23
Source File: ClientEntityDescriptor.java    From shibboleth-oidc with Apache License 2.0
/**
 * Always returns {@code null}: this client entity descriptor exposes no IdP role for any
 * protocol, so callers doing metadata-driven SSO lookups on it must be prepared for the
 * absence of an IDPSSODescriptor.
 *
 * @param supportedProtocol ignored
 * @return {@code null}, unconditionally
 */
@Override
public IDPSSODescriptor getIDPSSODescriptor(final String supportedProtocol) {
    return null;
}
 
Example #24
Source File: SAML2IdPLogic.java    From syncope with Apache License 2.0
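/**
 * Parses a SAML 2.0 metadata document — either a single EntityDescriptor, or an
 * EntitiesDescriptor whose EntityDescriptor children carry an IDPSSODescriptor — registers each
 * IdP found in the cache, and returns one transfer object per IdP in document order.
 * <p>
 * Each EntityDescriptor is imported at most once, even when it declares several
 * IDPSSODescriptor children (the previous loop added it once per such child).
 *
 * @param input the metadata XML, read as UTF-8
 * @return one {@link SAML2IdPTO} per imported IdP
 * @throws IllegalArgumentException if an IdP publishes neither a POST nor a REDIRECT SSO endpoint
 * @throws Exception on XML parsing or metadata serialization failures
 */
private List<SAML2IdPTO> importIdPs(final InputStream input) throws Exception {
    // NOTE(review): this parses operator-supplied XML; it relies on OpenSAMLUtil's shared parser
    // pool being configured with DTDs and external entities disabled — confirm that there.
    // UTF-8 is given explicitly: a Reader overrides the document's encoding declaration, so
    // the charset must not depend on the JVM's platform default.
    Element root = OpenSAMLUtil.getParserPool()
            .parse(new InputStreamReader(input, java.nio.charset.StandardCharsets.UTF_8))
            .getDocumentElement();

    List<EntityDescriptor> idpEntityDescriptors = new ArrayList<>();
    if (isSaml20MdElement(root, EntityDescriptor.DEFAULT_ELEMENT_LOCAL_NAME)) {
        idpEntityDescriptors.add((EntityDescriptor) OpenSAMLUtil.fromDom(root));
    } else if (isSaml20MdElement(root, EntitiesDescriptor.DEFAULT_ELEMENT_LOCAL_NAME)) {
        NodeList children = root.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node child = children.item(i);
            if (isSaml20MdElement(child, EntityDescriptor.DEFAULT_ELEMENT_LOCAL_NAME) && hasIdpRole(child)) {
                idpEntityDescriptors.add((EntityDescriptor) OpenSAMLUtil.fromDom((Element) child));
            }
        }
    }

    List<SAML2IdPTO> result = new ArrayList<>(idpEntityDescriptors.size());
    for (EntityDescriptor idpEntityDescriptor : idpEntityDescriptors) {
        SAML2IdPTO idpTO = new SAML2IdPTO();
        idpTO.setEntityID(idpEntityDescriptor.getEntityID());
        idpTO.setName(idpEntityDescriptor.getEntityID());
        idpTO.setUseDeflateEncoding(false);

        // Serialized as UTF-8 explicitly so the stored base64 payload does not vary with the
        // platform charset.
        try (ByteArrayOutputStream baos = new ByteArrayOutputStream()) {
            SAML2ReaderWriter.write(
                    new OutputStreamWriter(baos, java.nio.charset.StandardCharsets.UTF_8),
                    idpEntityDescriptor,
                    false);
            idpTO.setMetadata(Base64.getEncoder().encodeToString(baos.toByteArray()));
        }

        ItemTO connObjectKeyItem = new ItemTO();
        connObjectKeyItem.setIntAttrName("username");
        connObjectKeyItem.setExtAttrName(NameID.DEFAULT_ELEMENT_LOCAL_NAME);
        idpTO.setConnObjectKeyItem(connObjectKeyItem);

        // POST is preferred over REDIRECT when the IdP offers both.
        SAML2IdPEntity idp = cache.put(idpEntityDescriptor, idpTO);
        if (idp.getSSOLocation(SAML2BindingType.POST) != null) {
            idpTO.setBindingType(SAML2BindingType.POST);
        } else if (idp.getSSOLocation(SAML2BindingType.REDIRECT) != null) {
            idpTO.setBindingType(SAML2BindingType.REDIRECT);
        } else {
            throw new IllegalArgumentException("Neither POST nor REDIRECT artifacts supported by " + idp.getId());
        }

        result.add(idpTO);
    }

    return result;
}

/** True when {@code node} is an element named {@code localName} in the SAML 2.0 metadata namespace. */
private static boolean isSaml20MdElement(final Node node, final String localName) {
    return SAMLConstants.SAML20MD_NS.equals(node.getNamespaceURI()) && localName.equals(node.getLocalName());
}

/** True when the given EntityDescriptor element has at least one IDPSSODescriptor child. */
private static boolean hasIdpRole(final Node entityDescriptorElement) {
    NodeList descendants = entityDescriptorElement.getChildNodes();
    for (int j = 0; j < descendants.getLength(); j++) {
        if (isSaml20MdElement(descendants.item(j), IDPSSODescriptor.DEFAULT_ELEMENT_LOCAL_NAME)) {
            return true;
        }
    }
    return false;
}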