
Resolve an artifact with OpenSAML

In my case, after the sign-on at the IdP is completed, the user is redirected to my Assertion Consumer Service URL defined in the metadata. The IdP sends an artifact back as a parameter. The artifact is a label pointing to the actual user data/login information (the assertion) at the IdP. The user data is not sent in the HTTP request for security reasons. Instead, the consumer servlet sends an ArtifactResolve request over a SOAP back channel to get the data.

Here is an example of a servlet sending an ArtifactResolve request and receiving an ArtifactResponse.

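/**
 * Sends an ArtifactResolve request to the IdP over the SAML SOAP back channel and returns the
 * SOAP envelope the IdP answered with.
 *
 * <p>The endpoint is read from the IdP metadata: the ArtifactResolutionService whose binding is
 * the SAML 2.0 SOAP 1.1 binding. If the metadata lists several such endpoints the last one wins
 * (original behaviour, kept).
 *
 * <p>NOTE(review): HttpClientBuilder is used with its defaults here; confirm the resolution
 * endpoint is HTTPS and that the client's trust configuration validates the IdP certificate. The
 * artifact itself arrives from the browser and is untrusted until the IdP has answered, and this
 * method does not verify any signature on the returned envelope -- the caller must do that.
 *
 * @param artifactResolve the request to wrap in a SOAP envelope and send
 * @return the inbound SOAP envelope; the caller unwraps and validates the ArtifactResponse in it
 * @throws IllegalStateException if the IdP metadata lists no SOAP 1.1 ArtifactResolutionService
 * @throws SOAPException if the SOAP exchange fails
 */
private Envelope sendArtifactResolve(final ArtifactResolve artifactResolve) throws SOAPException, SecurityException, CertificateEncodingException,
  MarshallingException, SignatureException, IllegalAccessException {
  Envelope envelope = SAMLUtil.wrapInSOAPEnvelope(artifactResolve);

  BasicSOAPMessageContext soapContext = new BasicSOAPMessageContext();
  soapContext.setOutboundMessage(envelope);
  HttpClientBuilder clientBuilder = new HttpClientBuilder();
  HttpSOAPClient soapClient = new HttpSOAPClient(clientBuilder.buildClient(), new BasicParserPool());

  String artifactResolutionServiceURL = null;
  for (ArtifactResolutionService ars : SAMLMetaData.getIdpEntityDescriptor().getIDPSSODescriptor(SAMLConstants.SAML20P_NS)
      .getArtifactResolutionServices()) {
    // Constant-first compare: an endpoint with no binding attribute must not NPE the loop.
    if (SAMLConstants.SAML2_SOAP11_BINDING_URI.equals(ars.getBinding())) {
      artifactResolutionServiceURL = ars.getLocation();
    }
  }

  // Fail loudly here rather than hand a null endpoint to the SOAP client.
  if (artifactResolutionServiceURL == null) {
    throw new IllegalStateException(
        "IdP metadata lists no ArtifactResolutionService with binding " + SAMLConstants.SAML2_SOAP11_BINDING_URI);
  }

  soapClient.send(artifactResolutionServiceURL, soapContext);

  return (Envelope) soapContext.getInboundMessage();
}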
22 
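/**
 * Builds the ArtifactResolve request for an artifact received from the browser.
 *
 * <p>The request gets this SP's entity id as Issuer, the current time as IssueInstant, a fresh
 * secure-random ID, and, when the IdP metadata lists a SOAP 1.1 ArtifactResolutionService, that
 * endpoint's location as Destination (the last matching endpoint wins, as before). The generated
 * ID is also stored in the {@code artifactResolveId} field -- presumably so the caller can check
 * the InResponseTo of the ArtifactResponse against it; confirm against the caller.
 *
 * @param artifactString the artifact value exactly as received on the ACS URL
 * @return the populated, not yet signed, ArtifactResolve
 * @throws IllegalArgumentException if {@code artifactString} is null or blank -- an empty
 *     artifact would otherwise be sent to the IdP as a syntactically valid request
 */
private ArtifactResolve generateArtifactResolve(final String artifactString) throws CertificateEncodingException, MarshallingException, SignatureException, IllegalArgumentException,  java.lang.SecurityException, IllegalAccessException {
  if (artifactString == null || artifactString.trim().isEmpty()) {
    throw new IllegalArgumentException("artifact must not be null or blank");
  }

  ArtifactResolve artifactResolve = SAMLUtil.buildSAMLObjectWithDefaultName(ArtifactResolve.class);

  Issuer issuer = SAMLUtil.buildSAMLObjectWithDefaultName(Issuer.class);
  issuer.setValue(EvoteProperties.getProperty("SPEntityId"));
  artifactResolve.setIssuer(issuer);
  artifactResolve.setIssueInstant(new DateTime());

  // Kept in a field so the response's InResponseTo can later be matched against it.
  artifactResolveId = SAMLUtil.getSecureRandomIdentifier();
  artifactResolve.setID(artifactResolveId);

  for (ArtifactResolutionService sss : metaData.getIdpEntityDescriptor().getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getArtifactResolutionServices()) {
    // Constant-first compare so an endpoint without a binding attribute cannot NPE.
    if (SAMLConstants.SAML2_SOAP11_BINDING_URI.equals(sss.getBinding())) {
      artifactResolve.setDestination(sss.getLocation());
    }
  }

  Artifact artifact = SAMLUtil.buildSAMLObjectWithDefaultName(Artifact.class);
  artifact.setArtifact(artifactString);
  artifactResolve.setArtifact(artifact);

  return artifactResolve;
}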
ArtifactResolveRequest sent:
 1<saml2p:artifactresolve
 2        destination="http://myIDP.test.com:80/opensso/ArtifactResolver/metaAlias/idp1" 
 3        id="_586f2345b514f6214b511f389e30ef60" 
 4        issueinstant="2011-01-24T08:47:52.895Z" 
 5        version="2.0" 
 6        xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
 7    <saml2:issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
 8        my-alias
 9    </saml2:issuer>
10    <saml2p:artifact>
11        AAQAAKHWNqF94IiJ1SjFRLxjyBBxq3RIkRN7/tJdnT2sFDU1tUtBRKJQMDE=
12    </saml2p:artifact>
13</saml2p:artifactresolve>
This is the resulting ArtifactResponse in my case:
 1<samlp:artifactresponse 
 2        destination="https://myIDP.test.com/saml/consumer" 
 3        id="s2df8548d497d8c779a1abddfad72adda2f06eefdd" 
 4        inresponseto="_586f2345b514f6214b511f389e30ef60" 
 5        issueinstant="2011-01-24T08:47:53Z" 
 6        version="2.0" 
 7        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
 8    <saml:issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 9        IDP-alias
10    </saml:issuer>
11    <samlp:status>
12        <samlp:statuscode value="urn:oasis:names:tc:SAML:2.0:status:Success">
13        </samlp:statuscode>
14    </samlp:status>
15    <samlp:response 
16            destination="https://myIDP.test.com/saml/consumer" 
17            id="s23a356af812e879b3bfbbded4b62f000c7c8c27bb" 
18            inresponseto="_bba7e8a2f7a7c51e339d614b2c2d1178" 
19            issueinstant="2011-01-24T08:47:50Z" 
20            version="2.0">
21        <saml:issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
22            IDP-alias
23        </saml:issuer>
24        <samlp:status>
25            <samlp:statuscode value="urn:oasis:names:tc:SAML:2.0:status:Success">
26            </samlp:statuscode>
27        </samlp:status>
28        <saml:assertion 
29                id="s2365479533bf942f8eaaa2c267f9bd4ff679ebc1f" 
30                issueinstant="2011-01-24T08:47:50Z" 
31                version="2.0" 
32                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
33            <saml:issuer>
34                IDP-alias
35            </saml:issuer>
36            <saml:subject>
37                <saml:nameid 
38                        format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" 
39                        namequalifier="IDP-alias" 
40                        spnamequalifier="my-alias">
41                    5VkzP/MZ1PMJ62o45/7DdFms9y7K
42                </saml:nameid>
43                <saml:subjectconfirmation method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
44                    <saml:subjectconfirmationdata 
45                            inresponseto="_bba7e8a2f7a7c51e339d614b2c2d1178" 
46                            notonorafter="2011-01-24T08:57:50Z" 
47                            recipient="https://myIDP.test.com/saml/consumer">
48                    </saml:subjectconfirmationdata>
49                </saml:subjectconfirmation>
50            </saml:subject>
51            <saml:conditions 
52                    notbefore="2011-01-24T08:37:50Z" 
53                    notonorafter="2011-01-24T08:57:50Z">
54                <saml:audiencerestriction>
55                    <saml:audience>
56                        my-alias
57                    </saml:audience>
58                </saml:audiencerestriction>
59            </saml:conditions>
60            <saml:authnstatement 
61                    authninstant="2011-01-24T08:47:50Z"
62                    sessionindex="s212cd7811734a92405b6ef8308a1b1a98e32e6f01">
63                <saml:authncontext>
64                    <saml:authncontextclassref>
65                        urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
66                    </saml:authncontextclassref>
67                </saml:authncontext>
68            </saml:authnstatement>
69            <saml:attributestatement>
70                <saml:attribute name="uid">
71                    <saml:attributevalue 
72                            xmlns:xs="http://www.w3.org/2001/XMLSchema" 
73                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
74                            xsi:type="xs:string">
75                        03011700143
76                    </saml:attributevalue>
77                </saml:attribute>
78                <saml:attribute name="mail">    
79                    <saml:attributevalue 
80                            xmlns:xs="http://www.w3.org/2001/XMLSchema" 
81                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
82                            xsi:type="xs:string">
83                        something@test.com
84                    </saml:attributevalue>
85                </saml:attribute>
86                <saml:attribute name="telephone">
87                    <saml:attributevalue 
88                            xmlns:xs="http://www.w3.org/2001/XMLSchema" 
89                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
90                            xsi:type="xs:string">
91                        546848134886
92                    </saml:attributevalue>
93                </saml:attribute>
94            </saml:attributestatement>
95        </saml:assertion>
96    </samlp:response>
97</samlp:artifactresponse>