
#29 allow metadata.xml files without SingleSignOnService bindings to …
…support PingFederate (#30)
claylehman authored and malaporte committed May 20, 2019
1 parent a1b3704 commit a29929f
Showing 3 changed files with 47 additions and 5 deletions.
17 changes: 13 additions & 4 deletions src/main/java/com/coveo/saml/SamlClient.java
Expand Up @@ -394,8 +394,12 @@ public static SamlClient fromMetadata(
DOMMetadataResolver metadataResolver = createMetadataResolver(metadata);
EntityDescriptor entityDescriptor = getEntityDescriptor(metadataResolver);

IDPSSODescriptor idpSsoDescriptor = getIDPSSODescriptor(entityDescriptor);
SingleSignOnService idpBinding = getIdpBinding(idpSsoDescriptor, samlBinding);
IDPSSODescriptor idpSsoDescriptor = getIDPSSODescriptor(entityDescriptor);
SingleSignOnService idpBinding = null;
if(idpSsoDescriptor.getSingleSignOnServices()!=null && !idpSsoDescriptor.getSingleSignOnServices().isEmpty()) {
idpBinding = getIdpBinding(idpSsoDescriptor, samlBinding);
}

List<X509Certificate> x509Certificates = getCertificates(idpSsoDescriptor);
boolean isOkta = entityDescriptor.getEntityID().contains(".okta.com");

Expand All @@ -409,7 +413,7 @@ public static SamlClient fromMetadata(
}
}

if (assertionConsumerServiceUrl == null && isOkta) {
if (idpBinding!=null && assertionConsumerServiceUrl == null && isOkta) {
// Again, Okta's own toolkit uses this value for the assertion consumer url, which
// kinda makes no sense since this is supposed to be a url pointing to a server
// outside Okta, but it probably just straight ignores this and use the one from
Expand All @@ -423,7 +427,12 @@ public static SamlClient fromMetadata(
x509Certificates.addAll(certificates);
}

String identityProviderUrl = idpBinding.getLocation();
String identityProviderUrl;
if(idpBinding!=null) {
identityProviderUrl = idpBinding.getLocation();
}else {
identityProviderUrl = assertionConsumerServiceUrl;
}
String responseIssuer = entityDescriptor.getEntityID();

return new SamlClient(
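Review bot: The `}else {` branch of the `identityProviderUrl` assignment substitutes `assertionConsumerServiceUrl`, which is the SP's own endpoint, for the IdP location, and when that argument is also null (the Okta path above accepts null) `identityProviderUrl` is silently null; how the returned client uses this URL is outside the hunk, but a value that is either an SP URL or null is not a usable IdP SSO location, and the commit message gives no reason PingFederate flows should be sent to the ACS URL. Unless that substitution is intended, keep the IdP URL honest with `String identityProviderUrl = idpBinding != null ? idpBinding.getLocation() : null;` and fail with a clear message wherever a redirect is later built from it. In the first hunk `idpSsoDescriptor.getSingleSignOnServices()` is called twice; binding it once to a local such as `List<SingleSignOnService> ssoServices = idpSsoDescriptor.getSingleSignOnServices();` reads better, and `if(idpBinding!=null)` / `}else {` do not follow the `if (x == y)` spacing the file uses on the Okta check. fromMetadata begins and ends outside these hunks.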
6 changes: 5 additions & 1 deletion src/test/java/com/coveo/saml/SamlClientTest.java
Expand Up @@ -62,7 +62,11 @@ public void metadataXMLFromHubCanBeLoaded() throws Throwable {
SamlClient.SamlIdpBinding.POST,
certificates);
}

@Test
public void metadataXMLFromPingFederateCanBeLoaded() throws Throwable {
SamlClient.fromMetadata(
"myidentifier", "http://some/url", getXml("ping.xml"), SamlClient.SamlIdpBinding.POST);
}
@Test
public void relyingPartyIdentifierAndAssertionConsumerServiceUrlCanBeOmittedForOkta()
throws Throwable {
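Review bot: `metadataXMLFromPingFederateCanBeLoaded` discards the value returned by `fromMetadata`, so it only proves the call does not throw; the behaviour the commit introduces, a metadata file with no SingleSignOnService leaving `idpBinding` null, is never asserted. Capturing the result, `SamlClient client = SamlClient.fromMetadata(...);` followed by `assertNotNull(client);` and, if the class exposes the identity-provider URL, a check of which URL was chosen, would pin the new path and catch a regression in the fallback. The blank line that separated the preceding test's closing brace from the next `@Test` appears to have been dropped, and there is none between the new method and the following `@Test` either, while the rest of the class keeps one blank line between methods. The enclosing test class continues outside the hunk.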
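--- a/src/test/resources/com/coveo/saml/ping.xml
+++ b/src/test/resources/com/coveo/saml/ping.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="KZQ51hv.F4GbTQtJnn9OBtbWHmB" cacheDuration="PT1439M" entityID="evaluation">
+<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<ds:SignedInfo>
+<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
+<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
+<ds:Reference URI="#KZQ51hv.F4GbTQtJnn9OBtbWHmB">
+<ds:Transforms>
+<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
+<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
+</ds:Transforms>
+<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
+<ds:DigestValue>lIaSJ9XPEnfGgkIHBdn5c0LHL7Rascc+dygu11bVdTE=</ds:DigestValue>
+</ds:Reference>
+</ds:SignedInfo>
+<ds:SignatureValue>FylX4iXBB38TKqN5iOVeE5AM83NfV9Tx/WWuRudy2n91jEFi+7mj2D+4vT38Eb0y9LQNhn7aQtmu9IPaUlmCKV3/PzZuTHnUCUDGMe8HXQHOaiB6K6ON178iPWd+UU7zjY0UT7RvijMFvDceuuhd95AgLP1PpsNnnRZ65bOjyWGWDPyF5se4M7Yw7mcIjOwVL5wZdMAmvonA6vcnNyiS45DrGzhjNUijnlQCI8iW/y1lMbWw+o1JjGJaSxmg4TlNINwNadF7m0g5lTIJtwmUJ51IGOE9Bq5QQdwPJvtAXGiqRK+xSPciemIms5sHi4GxC+4f3uos/g4t2rcCCQ1Ptg==</ds:SignatureValue>
+</ds:Signature>
+<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false">
+<md:KeyDescriptor use="signing">
+<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<ds:X509Data>
+<ds:X509Certificate>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</ds:X509Certificate>
+</ds:X509Data>
+</ds:KeyInfo>
+</md:KeyDescriptor>
+<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</md:NameIDFormat>
+</md:IDPSSODescriptor>
+<md:ContactPerson contactType="administrative" />
+</md:EntityDescriptor>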