Advertisement
Wilgeno

SAMLAssertionValidation

Oct 17th, 2016
624
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <!--- SAML Assertion Validation --->
  2.  
  3. <cfscript>
  4.     isValid = 0;
  5.  
  6.     try {
  7.         if (!len(trim(rawdata.content))) {
  8.             throw("No content in response body","custom");
  9.         }
  10.         rawdata.content = rawdata.content.split("=")[2];
  11.         rawdata.content = urlDecode(rawdata.content);
  12.  
  13.         xmlResponse = CharsetEncode(BinaryDecode(rawdata.content,"base64" ),"utf-8" );
  14.         if (isXML(xmlResponse)) {
  15.             docElement = XMLParse(XMLResponse).getDocumentElement();
  16.         } else {
  17.             throw("Not Valid XML","custom");
  18.         }
  19.  
  20.         CreateObject("Java", "org.apache.xml.security.Init").Init().init();
  21.  
  22.         //IdP is signing the SAML Response using a "non standard" ID attribute, which is only supported in DOM3 and XMLBeans does not support DOM3
  23.         //the Assertion ID must be registerd before Signature Validation
  24.         idResolver = CreateObject("Java", "org.apache.xml.security.utils.IdResolver");
  25.         assertionElement = docElement.getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "Assertion").item(0);
  26.         attrStore = assertionElement.getAttributes();
  27.         idAttr = CreateObject("Java","org.w3c.dom.Attr");
  28.         idAttr = attrStore.getNamedItem("ID");
  29.         idResolver.registerElementById(assertionElement, idAttr);
  30.         // end compensating for "non standard" ID
  31.  
  32.         SignatureConstants = CreateObject("Java", "org.apache.xml.security.utils.Constants");
  33.         SignatureSpecNS = SignatureConstants.SignatureSpecNS;
  34.  
  35.         XMLSignatureClass = CreateObject("Java","org.apache.xml.security.signature.XMLSignature");
  36.         xmlSignature = XMLSignatureClass.init(docElement.getElementsByTagNameNS(SignatureSpecNS,"Signature").item(1),"");
  37.         keyInfo = xmlSignature.getKeyInfo();
  38.  
  39.         // get x509 cert from Keystore - you must import into keystore first
  40.         keyResolver = createObject("component", "com.Keystore").init("C:\Java\jdk1.7.0_55\jre\lib\security\cacerts","changeit","uat-wahbexchange");
  41.         x509cert = keyResolver.getX509Certificate();
  42.  
  43.         isValid = xmlSignature.checkSignatureValue(x509cert);
  44.  
  45.         if (isValid) {
  46.             //Extract conditions
  47.             SAMLConditions = {};
  48.             conditionElement = docElement.getElementsByTagName("saml:Conditions").item(0);
  49.             conditions = conditionElement.getAttributes();
  50.             SAMLConditions.before = conditions.getNamedItem("NotBefore").getNodeValue();
  51.             SAMLConditions.after = conditions.getNamedItem("NotOnOrAfter").getNodeValue();
  52.  
  53.             // Extract SAML Attribute Data
  54.             attributesElement = docElement.getElementsByTagName("saml:AttributeStatement").item(0);
  55.             attributes = attributesElement.getAttributes();
  56.  
  57.             SAMLAttributes = StructNew();
  58.             for (attNo = 0; attNo LT attributesElement.getLength(); attNo = (attNo + 1)){
  59.                 name = attributesElement.item(attNo).getAttributes().getNamedItem('Name').getTextContent();
  60.                 value = attributesElement.item(attNo).item(0).getTextContent();
  61.                 SAMLAttributes[name] = value;
  62.             }
  63.  
  64.         } else {
  65.             throw("Signatures do not match","custom")
  66.         }
  67.  
  68.  
  69.     }
  70.     catch (custom e) {
  71.         writeDump(e.message);
  72.         abort;
  73.     }
  74.     catch (any e) {
  75.         writeOutput(e.message);
  76.         abort;
  77.     }
  78.  
  79. </cfscript>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement