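<!--- SAML Assertion Validation --->
<!---
    Validates a SAML 2.0 Response posted by the IdP. Input is rawdata.content, the raw
    form-encoded request body ("SAMLResponse=<base64>[&RelayState=...]").
    On success it sets:
        isValid        - 1 when the Assertion signature verified and its Conditions hold
        SAMLConditions - struct {before, after} copied from <saml:Conditions>
        SAMLAttributes - struct of attribute Name -> text of the first <saml:AttributeValue>
    On any failure the detail is logged server-side, a generic message is written to the
    client and the request is aborted (isValid stays 0).
--->
<cfscript>
isValid = 0;
SAMLConditions = {};
SAMLAttributes = StructNew();
samlNS = "urn:oasis:names:tc:SAML:2.0:assertion";
// Clock difference tolerated between the IdP and this host when checking Conditions.
clockSkewMs = 60000;
try {
    if (!len(trim(rawdata.content))) {
        throw("No content in response body","custom");
    }

    // Locate the SAMLResponse parameter in the form-encoded body. Taking "whatever
    // follows the first '='" would glue a trailing RelayState parameter onto the blob.
    encodedResponse = "";
    bodyParams = listToArray(rawdata.content, "&");
    for (p = 1; p LTE arrayLen(bodyParams); p = p + 1) {
        if (find("=", bodyParams[p]) AND listFirst(bodyParams[p], "=") EQ "SAMLResponse") {
            eqPos = find("=", bodyParams[p]);
            encodedResponse = mid(bodyParams[p], eqPos + 1, len(bodyParams[p]) - eqPos);
            break;
        }
    }
    if (!len(encodedResponse)) {
        throw("No SAMLResponse parameter in response body","custom");
    }

    xmlResponse = CharsetEncode(BinaryDecode(urlDecode(encodedResponse),"base64" ),"utf-8" );

    // SAML messages must not carry a DTD; rejecting one up front keeps isXML/XmlParse
    // from ever seeing external-entity declarations in attacker-supplied XML.
    // NOTE(review): confirm this ColdFusion release does not resolve external entities
    // in XmlParse regardless (XXE) — this guard is defence in depth, not a substitute.
    if (findNoCase("<!DOCTYPE", xmlResponse)) {
        throw("DOCTYPE not allowed in SAML response","custom");
    }
    if (!isXML(xmlResponse)) {
        throw("Not Valid XML","custom");
    }
    docElement = XMLParse(xmlResponse).getDocumentElement();

    CreateObject("Java", "org.apache.xml.security.Init").Init().init();

    // Exactly one Assertion is accepted. A second Assertion is the usual XML Signature
    // Wrapping shape: the genuinely signed one is kept intact while a forged one is
    // placed where the consumer happens to look.
    assertionNodes = docElement.getElementsByTagNameNS(samlNS, "Assertion");
    if (assertionNodes.getLength() NEQ 1) {
        throw("Expected exactly one Assertion, found " & assertionNodes.getLength(),"custom");
    }
    assertionElement = assertionNodes.item(0);
    if (!assertionElement.hasAttribute("ID")) {
        throw("Assertion has no ID attribute","custom");
    }
    assertionId = assertionElement.getAttribute("ID");

    // IdP is signing the SAML Response using a "non standard" ID attribute, which is only
    // supported in DOM3 and XMLBeans does not support DOM3: the Assertion ID must be
    // registered before Signature Validation so the Reference URI can be resolved.
    idResolver = CreateObject("Java", "org.apache.xml.security.utils.IdResolver");
    idResolver.registerElementById(assertionElement, assertionElement.getAttributeNode("ID"));
    // end compensating for "non standard" ID

    SignatureConstants = CreateObject("Java", "org.apache.xml.security.utils.Constants");
    SignatureSpecNS = SignatureConstants.SignatureSpecNS;

    // Use the ds:Signature that is a direct child of *this* Assertion, never "the Nth
    // Signature in document order": the sender controls how many Signature elements the
    // document contains and where they sit.
    signatureElement = "";
    sigNodes = assertionElement.getElementsByTagNameNS(SignatureSpecNS, "Signature");
    for (s = 0; s LT sigNodes.getLength(); s = s + 1) {
        if (sigNodes.item(s).getParentNode().equals(assertionElement)) {
            if (isObject(signatureElement)) {
                throw("Assertion carries more than one Signature","custom");
            }
            signatureElement = sigNodes.item(s);
        }
    }
    if (!isObject(signatureElement)) {
        throw("Assertion is not signed","custom");
    }

    XMLSignatureClass = CreateObject("Java","org.apache.xml.security.signature.XMLSignature");
    xmlSignature = XMLSignatureClass.init(signatureElement, "");

    // The signature must cover the Assertion itself: a single Reference whose URI is
    // "#<Assertion ID>". IDs are case-sensitive, so compare() rather than EQ/NEQ.
    signedInfo = xmlSignature.getSignedInfo();
    if (signedInfo.getLength() NEQ 1) {
        throw("Signature must contain exactly one Reference","custom");
    }
    refUri = signedInfo.item(0).getURI();
    if (!isDefined("refUri") OR compare(refUri, "##" & assertionId) NEQ 0) {
        throw("Signature Reference does not point at the Assertion","custom");
    }

    // The signing certificate comes from our own keystore - you must import it into the
    // keystore first. The KeyInfo embedded in the response is deliberately not trusted.
    // TODO(review): move the keystore path and password out of source into configuration.
    keyResolver = createObject("component", "com.Keystore").init("C:\Java\jdk1.7.0_55\jre\lib\security\cacerts","changeit","uat-wahbexchange");
    x509cert = keyResolver.getX509Certificate();
    // NOTE(review): checkSignatureValue only verifies the bytes; consider also restricting
    // signedInfo.getSignatureMethodURI() to an allow-list of acceptable algorithms.
    if (!xmlSignature.checkSignatureValue(x509cert)) {
        throw("Signatures do not match","custom");
    }

    // From here on, read only from assertionElement (the element whose signature
    // verified), never from the document root, and look elements up by namespace so a
    // different prefix cannot sidestep the lookup.
    conditionNodes = assertionElement.getElementsByTagNameNS(samlNS, "Conditions");
    if (conditionNodes.getLength() NEQ 1) {
        throw("Expected exactly one Conditions element","custom");
    }
    conditionElement = conditionNodes.item(0);
    nowMs = createObject("java", "java.lang.System").currentTimeMillis();
    dtFactory = createObject("java", "javax.xml.datatype.DatatypeFactory").newInstance();
    SAMLConditions.before = "";
    SAMLConditions.after = "";
    // Validity window is enforced, not just extracted. Both attributes are optional in
    // the schema, so each is checked only when present.
    if (conditionElement.hasAttribute("NotBefore")) {
        SAMLConditions.before = conditionElement.getAttribute("NotBefore");
        notBeforeMs = dtFactory.newXMLGregorianCalendar(SAMLConditions.before).toGregorianCalendar().getTimeInMillis();
        if (nowMs + clockSkewMs LT notBeforeMs) {
            throw("Assertion is not yet valid (NotBefore)","custom");
        }
    }
    if (conditionElement.hasAttribute("NotOnOrAfter")) {
        SAMLConditions.after = conditionElement.getAttribute("NotOnOrAfter");
        notOnOrAfterMs = dtFactory.newXMLGregorianCalendar(SAMLConditions.after).toGregorianCalendar().getTimeInMillis();
        if (nowMs - clockSkewMs GTE notOnOrAfterMs) {
            throw("Assertion has expired (NotOnOrAfter)","custom");
        }
    }
    // TODO(review): also enforce AudienceRestriction against this SP's entityID, check
    // Issuer, and reject replayed Assertion IDs until NotOnOrAfter; the expected values
    // are not known in this script.

    // Extract SAML Attribute Data: Name -> text of the first AttributeValue.
    // (Element has no item()/getLength(); iterate the Attribute elements instead.)
    attrStmtNodes = assertionElement.getElementsByTagNameNS(samlNS, "AttributeStatement");
    if (attrStmtNodes.getLength() GT 0) {
        attrNodes = attrStmtNodes.item(0).getElementsByTagNameNS(samlNS, "Attribute");
        for (a = 0; a LT attrNodes.getLength(); a = a + 1) {
            attrEl = attrNodes.item(a);
            valueNodes = attrEl.getElementsByTagNameNS(samlNS, "AttributeValue");
            if (attrEl.hasAttribute("Name") AND valueNodes.getLength() GT 0) {
                // Struct keys are case-insensitive; multi-valued attributes keep the first value only.
                SAMLAttributes[attrEl.getAttribute("Name")] = valueNodes.item(0).getTextContent();
            }
        }
    }
    isValid = 1;
}
catch (custom e) {
    // Detail goes to the server log; the client only learns that validation failed.
    writeLog(type="error", file="saml", text="SAML validation failed: " & e.message);
    writeOutput("SAML validation failed");
    abort;
}
catch (any e) {
    writeLog(type="error", file="saml", text="SAML validation error: " & e.message & " " & e.detail);
    writeOutput("SAML validation failed");
    abort;
}
</cfscript>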