Resolve an artifact with OpenSAML

In my case, after the sign-on at the IdP is completed, the user is redirected to my Assertion Consumer Service URL defined in the SP metadata. The IdP sends an artifact back as a request parameter (`SAMLart` in the HTTP-Artifact binding). The artifact is only a reference to the actual user data/login information (the assertion) held at the IdP; the assertion itself never passes through the user's browser, which keeps it out of browser history, proxy logs and the user's own hands. Instead the consumer servlet sends an ArtifactResolve request over a SOAP back channel to fetch it. That back channel is now where the assertion travels, so it has to be protected: use an https endpoint with server-certificate validation (ideally mutual TLS or a signed ArtifactResolve, so the IdP also knows who is asking), resolve each artifact only once, and treat the returned ArtifactResponse as untrusted until its `InResponseTo`, Issuer, Status, signature(s) and the assertion's conditions have been checked. Note that the example metadata below points at a plain `http://...:80` resolution endpoint, which is only acceptable against a local test IdP.

Here is an example of servlet code building and sending an ArtifactResolve request and receiving the ArtifactResponse. The code only constructs and transmits the request; validating the response (InResponseTo, Issuer, Status, signatures, conditions) is left to the caller.

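/**
 * Sends an ArtifactResolve to the IdP over the SAML 2.0 SOAP binding and returns the
 * SOAP envelope that came back (expected to carry an ArtifactResponse).
 *
 * <p>The endpoint is taken from the IdP metadata: the ArtifactResolutionService whose
 * binding is SAML 2.0 SOAP 1.1. If several are listed, the last one wins (unchanged
 * from the original loop).
 *
 * <p>Security notes:
 * <ul>
 *   <li>The assertion travels over this back channel, so the metadata location should
 *       be an https URL and the HTTP client must validate the IdP's server certificate.
 *       An http:// endpoint (as in the example metadata on this page) is only acceptable
 *       against a local test IdP. Whether {@code HttpClientBuilder} defaults to strict
 *       certificate validation is not visible here — confirm in your configuration.</li>
 *   <li>Nothing in this method validates the reply. The caller must check the
 *       ArtifactResponse {@code InResponseTo} against the ID of the request just sent,
 *       the Issuer, the Status, any signatures, and the embedded Response/Assertion
 *       conditions before trusting the contents.</li>
 *   <li>Whether {@code SAMLUtil.wrapInSOAPEnvelope} signs the request cannot be told
 *       from here; if the IdP requires signed ArtifactResolve messages, verify it does.</li>
 * </ul>
 *
 * @param artifactResolve the request to send; must already carry ID, Issuer and Artifact
 * @return the inbound SOAP envelope
 * @throws IllegalStateException if the IdP metadata lists no SOAP ArtifactResolutionService
 *         or the IdP returned no SOAP envelope
 */
private Envelope sendArtifactResolve(final ArtifactResolve artifactResolve) throws SOAPException, SecurityException, CertificateEncodingException,
  MarshallingException, SignatureException, IllegalAccessException {
  Envelope envelope = SAMLUtil.wrapInSOAPEnvelope(artifactResolve);

  BasicSOAPMessageContext soapContext = new BasicSOAPMessageContext();
  soapContext.setOutboundMessage(envelope);
  HttpClientBuilder clientBuilder = new HttpClientBuilder();
  HttpSOAPClient soapClient = new HttpSOAPClient(clientBuilder.buildClient(), new BasicParserPool());

  // Pick the SOAP 1.1 ArtifactResolutionService from the IdP metadata. The constant is
  // on the left so a service with a missing Binding cannot NPE the loop.
  String artifactResolutionServiceURL = null;
  for (ArtifactResolutionService ars : SAMLMetaData.getIdpEntityDescriptor().getIDPSSODescriptor(SAMLConstants.SAML20P_NS)
      .getArtifactResolutionServices()) {
    if (SAMLConstants.SAML2_SOAP11_BINDING_URI.equals(ars.getBinding())) {
      artifactResolutionServiceURL = ars.getLocation();
    }
  }
  // Fail loudly instead of handing a null endpoint to the SOAP client.
  if (artifactResolutionServiceURL == null || artifactResolutionServiceURL.isEmpty()) {
    throw new IllegalStateException(
        "IdP metadata has no ArtifactResolutionService with the SAML 2.0 SOAP 1.1 binding");
  }

  soapClient.send(artifactResolutionServiceURL, soapContext);

  // The inbound message is still unvalidated at this point; see the class comment.
  Envelope inbound = (Envelope) soapContext.getInboundMessage();
  if (inbound == null) {
    throw new IllegalStateException("No SOAP envelope received from " + artifactResolutionServiceURL);
  }
  return inbound;
}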
22 
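/**
 * Builds the ArtifactResolve message for the artifact received at the Assertion Consumer
 * Service: fresh random ID, this SP as Issuer, the IdP's SOAP ArtifactResolutionService
 * as Destination, and the artifact string itself.
 *
 * <p>The generated ID is stored in the {@code artifactResolveId} field so the caller can
 * compare it with the ArtifactResponse {@code InResponseTo}. NOTE(review): if this field
 * lives on a servlet instance, concurrent logins will overwrite each other's ID and a
 * reply could be matched against the wrong request — keep it per request (local
 * variable or request attribute) in production.
 *
 * <p>This method reads the IdP descriptor via the {@code metaData} instance while the
 * sending method uses the static {@code SAMLMetaData}; presumably both resolve to the
 * same metadata — confirm.
 *
 * @param artifactString the artifact taken from the incoming request parameter; it is
 *        untrusted user input and is only forwarded to the IdP, never interpreted here
 * @return the populated, unsigned ArtifactResolve
 * @throws IllegalArgumentException if the artifact is null or empty
 * @throws IllegalStateException if the IdP metadata lists no SOAP ArtifactResolutionService
 */
private ArtifactResolve generateArtifactResolve(final String artifactString) throws CertificateEncodingException, MarshallingException, SignatureException, IllegalArgumentException,  java.lang.SecurityException, IllegalAccessException {
  // Reject an absent/empty artifact before building a request the IdP will only refuse.
  if (artifactString == null || artifactString.isEmpty()) {
    throw new IllegalArgumentException("SAML artifact must not be null or empty");
  }

  ArtifactResolve artifactResolve = SAMLUtil.buildSAMLObjectWithDefaultName(ArtifactResolve.class);

  Issuer issuer = SAMLUtil.buildSAMLObjectWithDefaultName(Issuer.class);
  issuer.setValue(EvoteProperties.getProperty("SPEntityId"));
  artifactResolve.setIssuer(issuer);
  artifactResolve.setIssueInstant(new DateTime());

  // Unpredictable ID: it is what the IdP echoes back in InResponseTo.
  artifactResolveId = SAMLUtil.getSecureRandomIdentifier();
  artifactResolve.setID(artifactResolveId);

  // Destination = the SOAP 1.1 ArtifactResolutionService; last match wins, as before.
  // Constant on the left so a service without a Binding does not NPE.
  String destination = null;
  for (ArtifactResolutionService ars : metaData.getIdpEntityDescriptor().getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getArtifactResolutionServices()) {
    if (SAMLConstants.SAML2_SOAP11_BINDING_URI.equals(ars.getBinding())) {
      destination = ars.getLocation();
    }
  }
  if (destination == null || destination.isEmpty()) {
    throw new IllegalStateException(
        "IdP metadata has no ArtifactResolutionService with the SAML 2.0 SOAP 1.1 binding");
  }
  artifactResolve.setDestination(destination);

  Artifact artifact = SAMLUtil.buildSAMLObjectWithDefaultName(Artifact.class);
  artifact.setArtifact(artifactString);
  artifactResolve.setArtifact(artifact);

  return artifactResolve;
}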
ArtifactResolve request sent (note the plain-http Destination; a production IdP endpoint should be https):
<saml2p:ArtifactResolve
        Destination="http://myIDP.test.com:80/opensso/ArtifactResolver/metaAlias/idp1"
        ID="_586f2345b514f6214b511f389e30ef60"
        IssueInstant="2011-01-24T08:47:52.895Z"
        Version="2.0"
        xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        my-alias
    </saml2:Issuer>
    <saml2p:Artifact>
        AAQAAKHWNqF94IiJ1SjFRLxjyBBxq3RIkRN7/tJdnT2sFDU1tUtBRKJQMDE=
    </saml2p:Artifact>
</saml2p:ArtifactResolve>
This is the resulting ArtifactResponse in my case (element and attribute names appear lowercased here; the real messages use `ArtifactResponse`, `InResponseTo`, `IssueInstant`, etc., and SAML XML is case-sensitive). Before the assertion is used, check that the ArtifactResponse `InResponseTo` equals the ID of the ArtifactResolve just sent, that the `Issuer` is the expected IdP entity, that both `StatusCode` values are Success, that the assertion's `Audience` and `Recipient` name this SP, that `NotBefore`/`NotOnOrAfter` hold with some clock skew allowance, and that the inner `InResponseTo` matches the AuthnRequest this browser session actually issued. The dump below shows no `ds:Signature` on either the Response or the Assertion; if they really are unsigned (rather than stripped from the dump), the TLS server authentication of the back channel is the only thing binding these attributes to the IdP — which is another reason the resolution endpoint must not be plain http.
 1<samlp:artifactresponse 
 2        destination="https://myIDP.test.com/saml/consumer" 
 3        id="s2df8548d497d8c779a1abddfad72adda2f06eefdd" 
 4        inresponseto="_586f2345b514f6214b511f389e30ef60" 
 5        issueinstant="2011-01-24T08:47:53Z" 
 6        version="2.0" 
 7        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
 8    <saml:issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 9        IDP-alias
10    </saml:issuer>
11    <samlp:status>
12        <samlp:statuscode value="urn:oasis:names:tc:SAML:2.0:status:Success">
13        </samlp:statuscode>
14    </samlp:status>
15    <samlp:response 
16            destination="https://myIDP.test.com/saml/consumer" 
17            id="s23a356af812e879b3bfbbded4b62f000c7c8c27bb" 
18            inresponseto="_bba7e8a2f7a7c51e339d614b2c2d1178" 
19            issueinstant="2011-01-24T08:47:50Z" 
20            version="2.0">
21        <saml:issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
22            IDP-alias
23        </saml:issuer>
24        <samlp:status>
25            <samlp:statuscode value="urn:oasis:names:tc:SAML:2.0:status:Success">
26            </samlp:statuscode>
27        </samlp:status>
28        <saml:assertion 
29                id="s2365479533bf942f8eaaa2c267f9bd4ff679ebc1f" 
30                issueinstant="2011-01-24T08:47:50Z" 
31                version="2.0" 
32                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
33            <saml:issuer>
34                IDP-alias
35            </saml:issuer>
36            <saml:subject>
37                <saml:nameid 
38                        format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" 
39                        namequalifier="IDP-alias" 
40                        spnamequalifier="my-alias">
41                    5VkzP/MZ1PMJ62o45/7DdFms9y7K
42                </saml:nameid>
43                <saml:subjectconfirmation method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
44                    <saml:subjectconfirmationdata 
45                            inresponseto="_bba7e8a2f7a7c51e339d614b2c2d1178" 
46                            notonorafter="2011-01-24T08:57:50Z" 
47                            recipient="https://myIDP.test.com/saml/consumer">
48                    </saml:subjectconfirmationdata>
49                </saml:subjectconfirmation>
50            </saml:subject>
51            <saml:conditions 
52                    notbefore="2011-01-24T08:37:50Z" 
53                    notonorafter="2011-01-24T08:57:50Z">
54                <saml:audiencerestriction>
55                    <saml:audience>
56                        my-alias
57                    </saml:audience>
58                </saml:audiencerestriction>
59            </saml:conditions>
60            <saml:authnstatement 
61                    authninstant="2011-01-24T08:47:50Z"
62                    sessionindex="s212cd7811734a92405b6ef8308a1b1a98e32e6f01">
63                <saml:authncontext>
64                    <saml:authncontextclassref>
65                        urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
66                    </saml:authncontextclassref>
67                </saml:authncontext>
68            </saml:authnstatement>
69            <saml:attributestatement>
70                <saml:attribute name="uid">
71                    <saml:attributevalue 
72                            xmlns:xs="http://www.w3.org/2001/XMLSchema" 
73                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
74                            xsi:type="xs:string">
75                        03011700143
76                    </saml:attributevalue>
77                </saml:attribute>
78                <saml:attribute name="mail">    
79                    <saml:attributevalue 
80                            xmlns:xs="http://www.w3.org/2001/XMLSchema" 
81                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
82                            xsi:type="xs:string">
83                        something@test.com
84                    </saml:attributevalue>
85                </saml:attribute>
86                <saml:attribute name="telephone">
87                    <saml:attributevalue 
88                            xmlns:xs="http://www.w3.org/2001/XMLSchema" 
89                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
90                            xsi:type="xs:string">
91                        546848134886
92                    </saml:attributevalue>
93                </saml:attribute>
94            </saml:attributestatement>
95        </saml:assertion>
96    </samlp:response>
97</samlp:artifactresponse>