syncope-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ilgro...@apache.org
Subject [07/15] syncope git commit: [SYNCOPE-1041] SAML 2.0 SP extension: core components
Date Fri, 31 Mar 2017 13:27:03 GMT
http://git-wip-us.apache.org/repos/asf/syncope/blob/d9079e13/ext/saml2sp/common-lib/src/main/java/org/apache/syncope/common/lib/to/SAML2LoginResponseTO.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/common-lib/src/main/java/org/apache/syncope/common/lib/to/SAML2LoginResponseTO.java b/ext/saml2sp/common-lib/src/main/java/org/apache/syncope/common/lib/to/SAML2LoginResponseTO.java
new file mode 100644
index 0000000..b6ece53
--- /dev/null
+++ b/ext/saml2sp/common-lib/src/main/java/org/apache/syncope/common/lib/to/SAML2LoginResponseTO.java
@@ -0,0 +1,120 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.common.lib.to;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.Set;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlElementWrapper;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+import org.apache.syncope.common.lib.AbstractBaseBean;
+
+@XmlRootElement(name = "saml2LoginResponse")
+@XmlType
+public class SAML2LoginResponseTO extends AbstractBaseBean {
+
+    private static final long serialVersionUID = 794772343787258010L;
+
+    private String nameID;
+
+    private String sessionIndex;
+
+    private Date authInstant;
+
+    private Date notOnOrAfter;
+
+    private String accessToken;
+
+    private String username;
+
+    private final Set<AttrTO> attrs = new HashSet<>();
+
+    public String getNameID() {
+        return nameID;
+    }
+
+    public void setNameID(final String nameID) {
+        this.nameID = nameID;
+    }
+
+    public String getSessionIndex() {
+        return sessionIndex;
+    }
+
+    public void setSessionIndex(final String sessionIndex) {
+        this.sessionIndex = sessionIndex;
+    }
+
+    public Date getAuthInstant() {
+        if (authInstant != null) {
+            return new Date(authInstant.getTime());
+        }
+        return null;
+    }
+
+    public void setAuthInstant(final Date authInstant) {
+        if (authInstant != null) {
+            this.authInstant = new Date(authInstant.getTime());
+        } else {
+            this.authInstant = null;
+        }
+    }
+
+    public Date getNotOnOrAfter() {
+        if (notOnOrAfter != null) {
+            return new Date(notOnOrAfter.getTime());
+        }
+        return null;
+    }
+
+    public void setNotOnOrAfter(final Date notOnOrAfter) {
+        if (notOnOrAfter != null) {
+            this.notOnOrAfter = new Date(notOnOrAfter.getTime());
+        } else {
+            this.notOnOrAfter = null;
+        }
+    }
+
+    public String getAccessToken() {
+        return accessToken;
+    }
+
+    public void setAccessToken(final String accessToken) {
+        this.accessToken = accessToken;
+    }
+
+    public String getUsername() {
+        return username;
+    }
+
+    public void setUsername(final String username) {
+        this.username = username;
+    }
+
+    @XmlElementWrapper(name = "attrs")
+    @XmlElement(name = "attr")
+    @JsonProperty("attrs")
+    public Set<AttrTO> getAttrs() {
+        return attrs;
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/syncope/blob/d9079e13/ext/saml2sp/common-lib/src/main/java/org/apache/syncope/common/lib/to/SAML2RequestTO.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/common-lib/src/main/java/org/apache/syncope/common/lib/to/SAML2RequestTO.java b/ext/saml2sp/common-lib/src/main/java/org/apache/syncope/common/lib/to/SAML2RequestTO.java
new file mode 100644
index 0000000..136b58e
--- /dev/null
+++ b/ext/saml2sp/common-lib/src/main/java/org/apache/syncope/common/lib/to/SAML2RequestTO.java
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.common.lib.to;
+
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+import org.apache.syncope.common.lib.AbstractBaseBean;
+
+@XmlRootElement(name = "saml2request")
+@XmlType
+public class SAML2RequestTO extends AbstractBaseBean {
+
+    private static final long serialVersionUID = -2454209295007372086L;
+
+    private String idpServiceAddress;
+
+    private String content;
+
+    private String relayState;
+
+    public String getIdpServiceAddress() {
+        return idpServiceAddress;
+    }
+
+    public void setIdpServiceAddress(final String idpServiceAddress) {
+        this.idpServiceAddress = idpServiceAddress;
+    }
+
+    public String getContent() {
+        return content;
+    }
+
+    public void setContent(final String content) {
+        this.content = content;
+    }
+
+    public String getRelayState() {
+        return relayState;
+    }
+
+    public void setRelayState(final String relayState) {
+        this.relayState = relayState;
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/syncope/blob/d9079e13/ext/saml2sp/common-lib/src/main/java/org/apache/syncope/common/lib/types/SAML2SPEntitlement.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/common-lib/src/main/java/org/apache/syncope/common/lib/types/SAML2SPEntitlement.java b/ext/saml2sp/common-lib/src/main/java/org/apache/syncope/common/lib/types/SAML2SPEntitlement.java
new file mode 100644
index 0000000..985bf8b
--- /dev/null
+++ b/ext/saml2sp/common-lib/src/main/java/org/apache/syncope/common/lib/types/SAML2SPEntitlement.java
@@ -0,0 +1,58 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.common.lib.types;
+
+import java.lang.reflect.Field;
+import java.lang.reflect.Modifier;
+import java.util.Collections;
+import java.util.Set;
+import java.util.TreeSet;
+
+public final class SAML2SPEntitlement {
+
+    public static final String IDP_READ = "IDP_READ";
+
+    public static final String IDP_LIST = "IDP_LIST";
+
+    public static final String IDP_IMPORT = "IDP_IMPORT";
+
+    public static final String IDP_UPDATE = "IDP_UPDATE";
+
+    public static final String IDP_DELETE = "IDP_DELETE";
+
+    private static final Set<String> VALUES;
+
+    static {
+        Set<String> values = new TreeSet<>();
+        for (Field field : SAML2SPEntitlement.class.getDeclaredFields()) {
+            if (Modifier.isStatic(field.getModifiers()) && String.class.equals(field.getType())) {
+                values.add(field.getName());
+            }
+        }
+        VALUES = Collections.unmodifiableSet(values);
+    }
+
+    public static Set<String> values() {
+        return VALUES;
+    }
+
+    private SAML2SPEntitlement() {
+        // private constructor for static utility class
+    }
+}

http://git-wip-us.apache.org/repos/asf/syncope/blob/d9079e13/ext/saml2sp/logic/pom.xml
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/pom.xml b/ext/saml2sp/logic/pom.xml
new file mode 100644
index 0000000..b0ffe56
--- /dev/null
+++ b/ext/saml2sp/logic/pom.xml
@@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <groupId>org.apache.syncope.ext</groupId>
+    <artifactId>syncope-ext-saml2sp</artifactId>
+    <version>2.0.3-SNAPSHOT</version>
+  </parent>
+
+  <name>Apache Syncope Extensions: SAML 2.0 SP Logic</name>
+  <description>Apache Syncope Extensions: SAML 2.0 SP Logic</description>
+  <groupId>org.apache.syncope.ext.saml2sp</groupId>
+  <artifactId>syncope-ext-saml2sp-logic</artifactId>
+  <packaging>jar</packaging>
+  
+  <properties>
+    <rootpom.basedir>${basedir}/../../..</rootpom.basedir>
+  </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.apache.syncope.core</groupId>
+      <artifactId>syncope-core-logic</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+    
+    <dependency>
+      <groupId>org.apache.syncope.ext.saml2sp</groupId>
+      <artifactId>syncope-ext-saml2sp-provisioning-java</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+    
+    <dependency>
+      <groupId>org.apache.cxf</groupId>
+      <artifactId>cxf-rt-rs-security-sso-saml</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.wss4j</groupId>
+      <artifactId>wss4j-ws-security-dom</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.opensaml</groupId>
+      <artifactId>opensaml-saml-impl</artifactId>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-checkstyle-plugin</artifactId>
+      </plugin>
+    </plugins>
+  </build>
+</project>

http://git-wip-us.apache.org/repos/asf/syncope/blob/d9079e13/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2IdPLogic.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2IdPLogic.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2IdPLogic.java
new file mode 100644
index 0000000..3f6b4a3
--- /dev/null
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2IdPLogic.java
@@ -0,0 +1,226 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.core.logic;
+
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.OutputStreamWriter;
+import java.lang.reflect.Method;
+import java.util.ArrayList;
+import java.util.List;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.collections4.CollectionUtils;
+import org.apache.commons.collections4.Transformer;
+import org.apache.commons.lang3.ArrayUtils;
+import org.apache.syncope.common.lib.SyncopeClientException;
+import org.apache.syncope.common.lib.to.MappingItemTO;
+import org.apache.syncope.common.lib.to.SAML2IdPTO;
+import org.apache.syncope.common.lib.types.ClientExceptionType;
+import org.apache.syncope.common.lib.types.SAML2SPEntitlement;
+import org.apache.syncope.core.logic.saml2.SAML2ReaderWriter;
+import org.apache.syncope.core.logic.saml2.SAML2IdPCache;
+import org.apache.syncope.core.logic.saml2.SAML2IdPEntity;
+import org.apache.syncope.core.persistence.api.dao.NotFoundException;
+import org.apache.syncope.core.persistence.api.dao.SAML2IdPDAO;
+import org.apache.syncope.core.persistence.api.entity.SAML2IdP;
+import org.apache.syncope.core.provisioning.api.data.SAML2IdPDataBinder;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.opensaml.saml.common.xml.SAMLConstants;
+import org.opensaml.saml.saml2.metadata.EntitiesDescriptor;
+import org.opensaml.saml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.stereotype.Component;
+import org.springframework.transaction.annotation.Transactional;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+
+@Component
+public class SAML2IdPLogic extends AbstractTransactionalLogic<SAML2IdPTO> {
+
+    static {
+        OpenSAMLUtil.initSamlEngine(false);
+    }
+
+    @Autowired
+    private SAML2IdPCache cache;
+
+    @Autowired
+    private SAML2IdPDataBinder binder;
+
+    @Autowired
+    private SAML2IdPDAO idpDAO;
+
+    @Autowired
+    private SAML2ReaderWriter saml2rw;
+
+    @PreAuthorize("hasRole('" + SAML2SPEntitlement.IDP_LIST + "')")
+    @Transactional(readOnly = true)
+    public List<SAML2IdPTO> list() {
+        return CollectionUtils.collect(idpDAO.findAll(), new Transformer<SAML2IdP, SAML2IdPTO>() {
+
+            @Override
+            public SAML2IdPTO transform(final SAML2IdP input) {
+                return binder.getIdPTO(input);
+            }
+        }, new ArrayList<SAML2IdPTO>());
+    }
+
+    @PreAuthorize("hasRole('" + SAML2SPEntitlement.IDP_READ + "')")
+    @Transactional(readOnly = true)
+    public SAML2IdPTO read(final String key) {
+        SAML2IdP idp = idpDAO.find(key);
+        if (idp == null) {
+            throw new NotFoundException("SAML 2.0 IdP '" + key + "'");
+        }
+
+        return binder.getIdPTO(idp);
+    }
+
+    private List<SAML2IdPTO> importIdPs(final InputStream input) throws Exception {
+        List<EntityDescriptor> idpEntityDescriptors = new ArrayList<>();
+
+        Element root = OpenSAMLUtil.getParserPool().parse(new InputStreamReader(input)).getDocumentElement();
+        if (SAMLConstants.SAML20MD_NS.equals(root.getNamespaceURI())
+                && EntityDescriptor.DEFAULT_ELEMENT_LOCAL_NAME.equals(root.getLocalName())) {
+
+            idpEntityDescriptors.add((EntityDescriptor) OpenSAMLUtil.fromDom(root));
+        } else if (SAMLConstants.SAML20MD_NS.equals(root.getNamespaceURI())
+                && EntitiesDescriptor.DEFAULT_ELEMENT_LOCAL_NAME.equals(root.getLocalName())) {
+
+            NodeList children = root.getChildNodes();
+            for (int i = 0; i < children.getLength(); i++) {
+                Node child = children.item(i);
+                if (SAMLConstants.SAML20MD_NS.equals(child.getNamespaceURI())
+                        && EntityDescriptor.DEFAULT_ELEMENT_LOCAL_NAME.equals(child.getLocalName())) {
+
+                    NodeList descendants = child.getChildNodes();
+                    for (int j = 0; j < descendants.getLength(); j++) {
+                        Node descendant = descendants.item(j);
+                        if (SAMLConstants.SAML20MD_NS.equals(descendant.getNamespaceURI())
+                                && IDPSSODescriptor.DEFAULT_ELEMENT_LOCAL_NAME.equals(descendant.getLocalName())) {
+
+                            idpEntityDescriptors.add((EntityDescriptor) OpenSAMLUtil.fromDom((Element) child));
+                        }
+                    }
+                }
+            }
+        }
+
+        List<SAML2IdPTO> result = new ArrayList<>(idpEntityDescriptors.size());
+        for (EntityDescriptor idpEntityDescriptor : idpEntityDescriptors) {
+            SAML2IdPTO idpTO = new SAML2IdPTO();
+            idpTO.setEntityID(idpEntityDescriptor.getEntityID());
+            idpTO.setUseDeflateEncoding(false);
+            try (ByteArrayOutputStream baos = new ByteArrayOutputStream()) {
+                saml2rw.write(new OutputStreamWriter(baos), idpEntityDescriptor, false);
+                idpTO.setMetadata(Base64.encodeBase64String(baos.toByteArray()));
+            }
+            MappingItemTO connObjectKeyItem = new MappingItemTO();
+            connObjectKeyItem.setIntAttrName("username");
+            connObjectKeyItem.setExtAttrName("NameID");
+            idpTO.setConnObjectKeyItem(connObjectKeyItem);
+            result.add(idpTO);
+
+            cache.put(idpEntityDescriptor, connObjectKeyItem, false);
+        }
+
+        return result;
+    }
+
+    @PreAuthorize("hasRole('" + SAML2SPEntitlement.IDP_IMPORT + "')")
+    public List<String> importFromMetadata(final InputStream input) {
+        List<String> imported = new ArrayList<>();
+
+        try {
+            for (SAML2IdPTO idpTO : importIdPs(input)) {
+                SAML2IdP idp = idpDAO.save(binder.create(idpTO));
+                imported.add(idp.getKey());
+            }
+        } catch (SyncopeClientException e) {
+            throw e;
+        } catch (Exception e) {
+            LOG.error("Unexpected error while importing IdP metadata", e);
+            SyncopeClientException ex = SyncopeClientException.build(ClientExceptionType.InvalidEntity);
+            ex.getElements().add(e.getMessage());
+            throw ex;
+        }
+
+        return imported;
+    }
+
+    @PreAuthorize("hasRole('" + SAML2SPEntitlement.IDP_UPDATE + "')")
+    public void update(final SAML2IdPTO saml2IdpTO) {
+        SAML2IdP saml2Idp = idpDAO.find(saml2IdpTO.getKey());
+        if (saml2Idp == null) {
+            throw new NotFoundException("SAML 2.0 IdP '" + saml2IdpTO.getKey() + "'");
+        }
+
+        saml2Idp = idpDAO.save(binder.update(saml2Idp, saml2IdpTO));
+
+        SAML2IdPEntity idpEntity = cache.get(saml2Idp.getEntityID());
+        if (idpEntity != null) {
+            idpEntity.setUseDeflateEncoding(saml2Idp.isUseDeflateEncoding());
+            idpEntity.setConnObjectKeyItem(binder.getIdPTO(saml2Idp).getConnObjectKeyItem());
+        }
+    }
+
+    @PreAuthorize("hasRole('" + SAML2SPEntitlement.IDP_DELETE + "')")
+    public void delete(final String key) {
+        SAML2IdP idp = idpDAO.find(key);
+        if (idp == null) {
+            throw new NotFoundException("SAML 2.0 IdP '" + key + "'");
+        }
+
+        idpDAO.delete(key);
+        cache.remove(idp.getEntityID());
+    }
+
+    @Override
+    protected SAML2IdPTO resolveReference(final Method method, final Object... args)
+            throws UnresolvedReferenceException {
+
+        String key = null;
+
+        if (ArrayUtils.isNotEmpty(args)) {
+            for (int i = 0; key == null && i < args.length; i++) {
+                if (args[i] instanceof String) {
+                    key = (String) args[i];
+                } else if (args[i] instanceof SAML2IdPTO) {
+                    key = ((SAML2IdPTO) args[i]).getKey();
+                }
+            }
+        }
+
+        if (key != null) {
+            try {
+                return binder.getIdPTO(idpDAO.find(key));
+            } catch (Throwable ignore) {
+                LOG.debug("Unresolved reference", ignore);
+                throw new UnresolvedReferenceException(ignore);
+            }
+        }
+
+        throw new UnresolvedReferenceException();
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/syncope/blob/d9079e13/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
new file mode 100644
index 0000000..f452208
--- /dev/null
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
@@ -0,0 +1,689 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.core.logic;
+
+import com.fasterxml.uuid.Generators;
+import com.fasterxml.uuid.impl.RandomBasedGenerator;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.OutputStreamWriter;
+import java.lang.reflect.Method;
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import javax.ws.rs.core.MultivaluedMap;
+import org.apache.commons.collections4.CollectionUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.tuple.Pair;
+import org.apache.commons.lang3.tuple.Triple;
+import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
+import org.apache.cxf.rs.security.saml.sso.SSOConstants;
+import org.apache.syncope.common.lib.AbstractBaseBean;
+import org.apache.syncope.common.lib.SyncopeClientException;
+import org.apache.syncope.common.lib.to.AttrTO;
+import org.apache.syncope.common.lib.to.SAML2RequestTO;
+import org.apache.syncope.common.lib.to.SAML2LoginResponseTO;
+import org.apache.syncope.common.lib.to.MappingItemTO;
+import org.apache.syncope.common.lib.types.AnyTypeKind;
+import org.apache.syncope.common.lib.types.ClientExceptionType;
+import org.apache.syncope.common.lib.types.StandardEntitlement;
+import org.apache.syncope.core.logic.init.SAML2SPLoader;
+import org.apache.syncope.core.logic.saml2.SAML2ReaderWriter;
+import org.apache.syncope.core.logic.saml2.SAML2IdPCache;
+import org.apache.syncope.core.logic.saml2.SAML2IdPEntity;
+import org.apache.syncope.core.logic.saml2.SAML2Signer;
+import org.apache.syncope.core.persistence.api.attrvalue.validation.ParsingValidationException;
+import org.apache.syncope.core.persistence.api.dao.AccessTokenDAO;
+import org.apache.syncope.core.persistence.api.dao.NotFoundException;
+import org.apache.syncope.core.persistence.api.dao.PlainSchemaDAO;
+import org.apache.syncope.core.persistence.api.dao.SAML2IdPDAO;
+import org.apache.syncope.core.persistence.api.dao.UserDAO;
+import org.apache.syncope.core.persistence.api.entity.EntityFactory;
+import org.apache.syncope.core.persistence.api.entity.PlainAttrValue;
+import org.apache.syncope.core.persistence.api.entity.PlainSchema;
+import org.apache.syncope.core.persistence.api.entity.SAML2IdP;
+import org.apache.syncope.core.persistence.api.entity.user.UPlainAttrValue;
+import org.apache.syncope.core.persistence.api.entity.user.User;
+import org.apache.syncope.core.provisioning.api.IntAttrName;
+import org.apache.syncope.core.provisioning.api.data.AccessTokenDataBinder;
+import org.apache.syncope.core.provisioning.api.data.MappingItemTransformer;
+import org.apache.syncope.core.provisioning.api.utils.EntityUtils;
+import org.apache.syncope.core.provisioning.java.IntAttrNameParser;
+import org.apache.syncope.core.provisioning.java.utils.MappingUtils;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.joda.time.DateTime;
+import org.opensaml.core.xml.XMLObject;
+import org.opensaml.core.xml.schema.XSString;
+import org.opensaml.saml.common.SAMLVersion;
+import org.opensaml.saml.common.xml.SAMLConstants;
+import org.opensaml.saml.saml2.core.Assertion;
+import org.opensaml.saml.saml2.core.Attribute;
+import org.opensaml.saml.saml2.core.AttributeStatement;
+import org.opensaml.saml.saml2.core.AuthnContext;
+import org.opensaml.saml.saml2.core.AuthnContextClassRef;
+import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration;
+import org.opensaml.saml.saml2.core.AuthnRequest;
+import org.opensaml.saml.saml2.core.AuthnStatement;
+import org.opensaml.saml.saml2.core.Issuer;
+import org.opensaml.saml.saml2.core.LogoutRequest;
+import org.opensaml.saml.saml2.core.LogoutResponse;
+import org.opensaml.saml.saml2.core.NameID;
+import org.opensaml.saml.saml2.core.NameIDPolicy;
+import org.opensaml.saml.saml2.core.NameIDType;
+import org.opensaml.saml.saml2.core.RequestedAuthnContext;
+import org.opensaml.saml.saml2.core.Response;
+import org.opensaml.saml.saml2.core.SessionIndex;
+import org.opensaml.saml.saml2.core.StatusCode;
+import org.opensaml.saml.saml2.core.impl.AuthnContextClassRefBuilder;
+import org.opensaml.saml.saml2.core.impl.AuthnRequestBuilder;
+import org.opensaml.saml.saml2.core.impl.IssuerBuilder;
+import org.opensaml.saml.saml2.core.impl.LogoutRequestBuilder;
+import org.opensaml.saml.saml2.core.impl.NameIDBuilder;
+import org.opensaml.saml.saml2.core.impl.NameIDPolicyBuilder;
+import org.opensaml.saml.saml2.core.impl.RequestedAuthnContextBuilder;
+import org.opensaml.saml.saml2.core.impl.SessionIndexBuilder;
+import org.opensaml.saml.saml2.metadata.AssertionConsumerService;
+import org.opensaml.saml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml.saml2.metadata.KeyDescriptor;
+import org.opensaml.saml.saml2.metadata.NameIDFormat;
+import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml.saml2.metadata.SingleLogoutService;
+import org.opensaml.saml.saml2.metadata.impl.AssertionConsumerServiceBuilder;
+import org.opensaml.saml.saml2.metadata.impl.EntityDescriptorBuilder;
+import org.opensaml.saml.saml2.metadata.impl.KeyDescriptorBuilder;
+import org.opensaml.saml.saml2.metadata.impl.NameIDFormatBuilder;
+import org.opensaml.saml.saml2.metadata.impl.SPSSODescriptorBuilder;
+import org.opensaml.saml.saml2.metadata.impl.SingleLogoutServiceBuilder;
+import org.opensaml.xmlsec.keyinfo.KeyInfoGenerator;
+import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.stereotype.Component;
+
+@Component
+public class SAML2SPLogic extends AbstractTransactionalLogic<AbstractBaseBean> {
+
+    private static final Integer JWT_RELAY_STATE_DURATION = 5;
+
+    private static final String JWT_CLAIM_IDP_DEFLATE = "IDP_DEFLATE";
+
+    private static final String JWT_CLAIM_IDP_ENTITYID = "IDP_ENTITYID";
+
+    private static final String JWT_CLAIM_NAMEID_FORMAT = "NAMEID_FORMAT";
+
+    private static final String JWT_CLAIM_NAMEID_VALUE = "NAMEID_VALUE";
+
+    private static final String JWT_CLAIM_SESSIONINDEX = "SESSIONINDEX";
+
+    private static final RandomBasedGenerator UUID_GENERATOR = Generators.randomBasedGenerator();
+
+    static {
+        OpenSAMLUtil.initSamlEngine(false);
+    }
+
+    @Autowired
+    private JwsSignatureVerifier jwsSignatureCerifier;
+
+    @Autowired
+    private AccessTokenDataBinder accessTokenDataBinder;
+
+    @Autowired
+    private SAML2SPLoader loader;
+
+    @Autowired
+    private SAML2IdPCache cache;
+
+    @Autowired
+    private UserDAO userDAO;
+
+    @Autowired
+    private SAML2IdPDAO saml2IdPDAO;
+
+    @Autowired
+    private PlainSchemaDAO plainSchemaDAO;
+
+    @Autowired
+    private AccessTokenDAO accessTokenDAO;
+
+    @Autowired
+    private IntAttrNameParser intAttrNameParser;
+
+    @Autowired
+    private EntityFactory entityFactory;
+
+    @Autowired
+    private SAML2ReaderWriter saml2rw;
+
+    @Autowired
+    private SAML2Signer saml2Signer;
+
+    @PreAuthorize("hasRole('" + StandardEntitlement.ANONYMOUS + "')")
+    public void getMetadata(final String spEntityID, final OutputStream os) {
+        try {
+            EntityDescriptor spEntityDescriptor = new EntityDescriptorBuilder().buildObject();
+            spEntityDescriptor.setEntityID(spEntityID);
+
+            SPSSODescriptor spSSODescriptor = new SPSSODescriptorBuilder().buildObject();
+            spSSODescriptor.setWantAssertionsSigned(true);
+            spSSODescriptor.setAuthnRequestsSigned(true);
+
+            X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
+            keyInfoGeneratorFactory.setEmitEntityCertificate(true);
+            KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
+            keyInfoGenerator.generate(loader.getCredential());
+
+            KeyDescriptor keyDescriptor = new KeyDescriptorBuilder().buildObject();
+            keyDescriptor.setKeyInfo(keyInfoGenerator.generate(loader.getCredential()));
+            spSSODescriptor.getKeyDescriptors().add(keyDescriptor);
+
+            SingleLogoutService singleLogoutService = new SingleLogoutServiceBuilder().buildObject();
+            singleLogoutService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
+            singleLogoutService.setLocation(spEntityID + "saml2sp/logout");
+            singleLogoutService.setResponseLocation(spEntityID + "saml2sp/logout");
+            spSSODescriptor.getSingleLogoutServices().add(singleLogoutService);
+
+            NameIDFormat nameIDFormat = new NameIDFormatBuilder().buildObject();
+            nameIDFormat.setFormat(NameIDType.PERSISTENT);
+            spSSODescriptor.getNameIDFormats().add(nameIDFormat);
+            nameIDFormat = new NameIDFormatBuilder().buildObject();
+            nameIDFormat.setFormat(NameIDType.TRANSIENT);
+            spSSODescriptor.getNameIDFormats().add(nameIDFormat);
+
+            AssertionConsumerService assertionConsumerService = new AssertionConsumerServiceBuilder().buildObject();
+            assertionConsumerService.setIndex(0);
+            assertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
+            assertionConsumerService.setLocation(spEntityID + "saml2sp/assertion-consumer");
+
+            spSSODescriptor.getAssertionConsumerServices().add(assertionConsumerService);
+            spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
+
+            spEntityDescriptor.getRoleDescriptors().add(spSSODescriptor);
+
+            saml2rw.write(new OutputStreamWriter(os), spEntityDescriptor, true);
+        } catch (Exception e) {
+            LOG.error("While getting SP metadata", e);
+            SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
+            sce.getElements().add(e.getMessage());
+            throw sce;
+        }
+    }
+
+    private SAML2IdPEntity getIdP(final String entityID) {
+        SAML2IdPEntity idp = null;
+
+        SAML2IdP saml2IdP = saml2IdPDAO.findByEntityID(entityID);
+        if (saml2IdP != null) {
+            try {
+                idp = cache.put(saml2IdP);
+            } catch (Exception e) {
+                LOG.error("Could not build SAML 2.0 IdP with key ", entityID, e);
+                SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
+                sce.getElements().add(e.getMessage());
+                throw sce;
+            }
+        }
+
+        if (idp == null) {
+            throw new NotFoundException("SAML 2.0 IdP '" + entityID + "'");
+        }
+        return idp;
+    }
+
+    @PreAuthorize("hasRole('" + StandardEntitlement.ANONYMOUS + "')")
+    public SAML2RequestTO createLoginRequest(
+            final String spEntityID, final String idpEntityID) {
+
+        // 1. look for IdP
+        SAML2IdPEntity idp = StringUtils.isBlank(idpEntityID) ? cache.getFirst() : cache.get(idpEntityID);
+        if (idp == null) {
+            if (StringUtils.isBlank(idpEntityID)) {
+                List<SAML2IdP> all = saml2IdPDAO.findAll();
+                if (!all.isEmpty()) {
+                    idp = getIdP(all.get(0).getKey());
+                }
+            } else {
+                idp = getIdP(idpEntityID);
+            }
+        }
+        if (idp == null) {
+            throw new NotFoundException(StringUtils.isBlank(idpEntityID)
+                    ? "Any SAML 2.0 IdP"
+                    : "SAML 2.0 IdP '" + idpEntityID + "'");
+        }
+
+        // 2. create AuthnRequest
+        Issuer issuer = new IssuerBuilder().buildObject();
+        issuer.setValue(spEntityID);
+
+        NameIDPolicy nameIDPolicy = new NameIDPolicyBuilder().buildObject();
+        if (idp.supportsNameIDFormat(NameIDType.TRANSIENT)) {
+            nameIDPolicy.setFormat(NameIDType.TRANSIENT);
+        } else if (idp.supportsNameIDFormat(NameIDType.PERSISTENT)) {
+            nameIDPolicy.setFormat(NameIDType.PERSISTENT);
+        } else {
+            throw new IllegalArgumentException("Could not find supported NameIDFormat for IdP " + idpEntityID);
+        }
+        nameIDPolicy.setAllowCreate(true);
+        nameIDPolicy.setSPNameQualifier(spEntityID);
+
+        AuthnContextClassRef authnContextClassRef = new AuthnContextClassRefBuilder().buildObject();
+        authnContextClassRef.setAuthnContextClassRef(AuthnContext.PPT_AUTHN_CTX);
+        RequestedAuthnContext requestedAuthnContext = new RequestedAuthnContextBuilder().buildObject();
+        requestedAuthnContext.setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
+        requestedAuthnContext.getAuthnContextClassRefs().add(authnContextClassRef);
+
+        AuthnRequest authnRequest = new AuthnRequestBuilder().buildObject();
+        authnRequest.setID("_" + UUID_GENERATOR.generate().toString());
+        authnRequest.setAssertionConsumerServiceURL(spEntityID + "saml2sp/assertion-consumer");
+        authnRequest.setForceAuthn(false);
+        authnRequest.setIsPassive(false);
+        authnRequest.setVersion(SAMLVersion.VERSION_20);
+        authnRequest.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI);
+        authnRequest.setIssueInstant(new DateTime());
+        authnRequest.setIssuer(issuer);
+        authnRequest.setNameIDPolicy(nameIDPolicy);
+        authnRequest.setRequestedAuthnContext(requestedAuthnContext);
+        authnRequest.setDestination(idp.getSSOLocation(SAMLConstants.SAML2_POST_BINDING_URI).getLocation());
+
+        SAML2RequestTO requestTO = new SAML2RequestTO();
+        requestTO.setIdpServiceAddress(authnRequest.getDestination());
+        try {
+            // 3. sign and encode AuthnRequest
+            requestTO.setContent(saml2Signer.signAndEncode(authnRequest, idp.isUseDeflateEncoding()));
+
+            // 4. generate relay state as JWT
+            Map<String, Object> claims = new HashMap<>();
+            claims.put(JWT_CLAIM_IDP_DEFLATE, idp.isUseDeflateEncoding());
+            Triple<String, String, Date> relayState =
+                    accessTokenDataBinder.generateJWT(authnRequest.getID(), JWT_RELAY_STATE_DURATION, claims);
+            requestTO.setRelayState(relayState.getMiddle());
+        } catch (Exception e) {
+            LOG.error("While generating AuthnRequest", e);
+            SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
+            sce.getElements().add(e.getMessage());
+            throw sce;
+        }
+
+        return requestTO;
+    }
+
+    private List<String> findMatchingUser(final String keyValue, final MappingItemTO connObjectKeyItem) {
+        List<String> result = new ArrayList<>();
+
+        String transformed = keyValue;
+        for (MappingItemTransformer transformer : MappingUtils.getMappingItemTransformers(connObjectKeyItem)) {
+            List<Object> output = transformer.beforePull(
+                    null,
+                    null,
+                    Collections.<Object>singletonList(transformed));
+            if (output != null && !output.isEmpty()) {
+                transformed = output.get(0).toString();
+            }
+        }
+
+        IntAttrName intAttrName = intAttrNameParser.parse(connObjectKeyItem.getIntAttrName(), AnyTypeKind.USER);
+
+        if (intAttrName.getField() != null) {
+            switch (intAttrName.getField()) {
+                case "key":
+                    User byKey = userDAO.find(transformed);
+                    if (byKey != null) {
+                        result.add(byKey.getKey());
+                    }
+                    break;
+
+                case "username":
+                    User byUsername = userDAO.findByUsername(transformed);
+                    if (byUsername != null) {
+                        result.add(byUsername.getKey());
+                    }
+                    break;
+
+                default:
+            }
+        } else if (intAttrName.getSchemaType() != null) {
+            switch (intAttrName.getSchemaType()) {
+                case PLAIN:
+                    PlainAttrValue value = entityFactory.newEntity(UPlainAttrValue.class);
+
+                    PlainSchema schema = plainSchemaDAO.find(intAttrName.getSchemaName());
+                    if (schema == null) {
+                        value.setStringValue(transformed);
+                    } else {
+                        try {
+                            value.parseValue(schema, transformed);
+                        } catch (ParsingValidationException e) {
+                            LOG.error("While parsing provided key value {}", transformed, e);
+                            value.setStringValue(transformed);
+                        }
+                    }
+
+                    CollectionUtils.collect(userDAO.findByAttrValue(intAttrName.getSchemaName(), value),
+                            EntityUtils.keyTransformer(), result);
+                    break;
+
+                case DERIVED:
+                    CollectionUtils.collect(userDAO.findByDerAttrValue(intAttrName.getSchemaName(), transformed),
+                            EntityUtils.keyTransformer(), result);
+                    break;
+
+                default:
+            }
+        }
+
+        return result;
+    }
+
+    private Pair<String, String> extract(final InputStream response) throws IOException {
+        String strForm = IOUtils.toString(response);
+        MultivaluedMap<String, String> params = JAXRSUtils.getStructuredParams(strForm, "&", false, false);
+
+        String samlResponse = URLDecoder.decode(
+                params.getFirst(SSOConstants.SAML_RESPONSE), StandardCharsets.UTF_8.name());
+        LOG.debug("Received SAML Response: {}", samlResponse);
+
+        String relayState = params.getFirst(SSOConstants.RELAY_STATE);
+        LOG.debug("Received Relay State: {}", relayState);
+
+        return Pair.of(samlResponse, relayState);
+    }
+
+    @PreAuthorize("hasRole('" + StandardEntitlement.ANONYMOUS + "')")
+    public SAML2LoginResponseTO validateLoginResponse(final InputStream response) {
+        // 1. extract raw SAML response and relay state
+        Pair<String, String> extracted;
+        try {
+            extracted = extract(response);
+        } catch (Exception e) {
+            LOG.error("While reading AuthnResponse", e);
+            SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
+            sce.getElements().add(e.getMessage());
+            throw sce;
+        }
+
+        // 2. first checks for the provided relay state
+        JwsJwtCompactConsumer relayState = new JwsJwtCompactConsumer(extracted.getRight());
+        if (!relayState.verifySignatureWith(jwsSignatureCerifier)) {
+            throw new IllegalArgumentException("Invalid signature found in Relay State");
+        }
+        Boolean useDeflateEncoding = Boolean.valueOf(
+                relayState.getJwtClaims().getClaim(JWT_CLAIM_IDP_DEFLATE).toString());
+
+        // 3. parse the provided SAML response
+        Response samlResponse;
+        try {
+            XMLObject responseObject = saml2rw.read(true, useDeflateEncoding, extracted.getLeft());
+            if (!(responseObject instanceof Response)) {
+                throw new IllegalArgumentException("Expected " + Response.class.getName()
+                        + ", got " + responseObject.getClass().getName());
+            }
+            samlResponse = (Response) responseObject;
+        } catch (Exception e) {
+            LOG.error("While parsing AuthnResponse", e);
+            SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
+            sce.getElements().add(e.getMessage());
+            throw sce;
+        }
+
+        // 4. further checks:
+        //   4a. the SAML Reponse's InResponseTo
+        if (!relayState.getJwtClaims().getSubject().equals(samlResponse.getInResponseTo())) {
+            throw new IllegalArgumentException("Unmatching request ID: " + samlResponse.getInResponseTo());
+        }
+        //   4b. the SAML Response status
+        if (!StatusCode.SUCCESS.equals(samlResponse.getStatus().getStatusCode().getValue())) {
+            throw new BadCredentialsException("The SAML IdP replied with "
+                    + samlResponse.getStatus().getStatusCode().getValue());
+        }
+
+        // 5. validate the SAML response and, if needed, decrypt the provided assertion(s)
+        SAML2IdPEntity idp = getIdP(samlResponse.getIssuer().getValue());
+        if (idp.getConnObjectKeyItem() == null) {
+            throw new IllegalArgumentException("No mapping provided for SAML 2.0 IdP '" + idp.getId() + "'");
+        }
+        try {
+            saml2rw.validate(samlResponse, idp.getTrustStore());
+        } catch (Exception e) {
+            LOG.error("While validating AuthnResponse", e);
+            SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
+            sce.getElements().add(e.getMessage());
+            throw sce;
+        }
+
+        // 6. prepare the result: find matching user (if any) and return the received attributes
+        SAML2LoginResponseTO responseTO = new SAML2LoginResponseTO();
+
+        NameID nameID = null;
+        String keyValue = null;
+        for (Assertion assertion : samlResponse.getAssertions()) {
+            nameID = assertion.getSubject().getNameID();
+            if (StringUtils.isNotBlank(nameID.getValue())
+                    && idp.getConnObjectKeyItem().getExtAttrName().equals("NameID")) {
+
+                keyValue = nameID.getValue();
+            }
+
+            if (assertion.getConditions().getNotOnOrAfter() != null) {
+                responseTO.setNotOnOrAfter(assertion.getConditions().getNotOnOrAfter().toDate());
+            }
+            for (AuthnStatement authnStmt : assertion.getAuthnStatements()) {
+                responseTO.setSessionIndex(authnStmt.getSessionIndex());
+
+                responseTO.setAuthInstant(authnStmt.getAuthnInstant().toDate());
+                if (authnStmt.getSessionNotOnOrAfter() != null) {
+                    responseTO.setNotOnOrAfter(authnStmt.getSessionNotOnOrAfter().toDate());
+                }
+            }
+
+            for (AttributeStatement attrStmt : assertion.getAttributeStatements()) {
+                for (Attribute attr : attrStmt.getAttributes()) {
+                    if (!attr.getAttributeValues().isEmpty()) {
+                        String attrName = attr.getFriendlyName() == null ? attr.getName() : attr.getFriendlyName();
+                        if (attrName.equals(idp.getConnObjectKeyItem().getExtAttrName())
+                                && attr.getAttributeValues().get(0) instanceof XSString) {
+
+                            keyValue = ((XSString) attr.getAttributeValues().get(0)).getValue();
+                        }
+
+                        AttrTO attrTO = new AttrTO();
+                        attrTO.setSchema(attrName);
+                        for (XMLObject value : attr.getAttributeValues()) {
+                            if (value.getDOM() != null) {
+                                attrTO.getValues().add(value.getDOM().getTextContent());
+                            }
+                        }
+                        responseTO.getAttrs().add(attrTO);
+                    }
+                }
+            }
+        }
+        if (nameID == null) {
+            throw new IllegalArgumentException("NameID not found");
+        }
+
+        List<String> matchingUsers = keyValue == null
+                ? Collections.<String>emptyList()
+                : findMatchingUser(keyValue, idp.getConnObjectKeyItem());
+        LOG.debug("Found {} matching users for NameID {}", matchingUsers.size(), nameID.getValue());
+
+        if (matchingUsers.isEmpty()) {
+            throw new NotFoundException("User matching the provided NameID value " + nameID.getValue());
+        } else if (matchingUsers.size() > 1) {
+            throw new IllegalArgumentException("Several users match the provided NameID value " + nameID.getValue());
+        }
+        responseTO.setUsername(userDAO.find(matchingUsers.get(0)).getUsername());
+
+        responseTO.setNameID(nameID.getValue());
+        // 7. generate JWT for further access
+        Map<String, Object> claims = new HashMap<>();
+        claims.put(JWT_CLAIM_IDP_ENTITYID, idp.getId());
+        claims.put(JWT_CLAIM_NAMEID_FORMAT, nameID.getFormat());
+        claims.put(JWT_CLAIM_NAMEID_VALUE, nameID.getValue());
+        claims.put(JWT_CLAIM_SESSIONINDEX, responseTO.getSessionIndex());
+        responseTO.setAccessToken(accessTokenDataBinder.create(responseTO.getUsername(), claims, true));
+
+        return responseTO;
+    }
+
+    @PreAuthorize("isAuthenticated() and not(hasRole('" + StandardEntitlement.ANONYMOUS + "'))")
+    public SAML2RequestTO createLogoutRequest(final String accessToken, final String spEntityID) {
+        // 1. fetch the current JWT used for Syncope authentication
+        JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(accessToken);
+        if (!consumer.verifySignatureWith(jwsSignatureCerifier)) {
+            throw new IllegalArgumentException("Invalid signature found in Access Token");
+        }
+
+        // 2. look for IdP
+        String idpEntityID = (String) consumer.getJwtClaims().getClaim(JWT_CLAIM_IDP_ENTITYID);
+        SAML2IdPEntity idp = cache.get(idpEntityID);
+        if (idp == null) {
+            throw new NotFoundException("SAML 2.0 IdP '" + idpEntityID + "'");
+        }
+        if (idp.getSLOLocation(SAMLConstants.SAML2_POST_BINDING_URI) == null) {
+            throw new IllegalArgumentException("No SingleLogoutService available for " + idp.getId());
+        }
+
+        // 3. create LogoutRequest
+        LogoutRequest logoutRequest = new LogoutRequestBuilder().buildObject();
+        logoutRequest.setID("_" + UUID_GENERATOR.generate().toString());
+        logoutRequest.setDestination(idp.getSLOLocation(SAMLConstants.SAML2_POST_BINDING_URI).getLocation());
+
+        DateTime now = new DateTime();
+        logoutRequest.setIssueInstant(now);
+        logoutRequest.setNotOnOrAfter(now.plusMinutes(5));
+
+        Issuer issuer = new IssuerBuilder().buildObject();
+        issuer.setValue(spEntityID);
+        logoutRequest.setIssuer(issuer);
+
+        NameID nameID = new NameIDBuilder().buildObject();
+        nameID.setFormat((String) consumer.getJwtClaims().getClaim(JWT_CLAIM_NAMEID_FORMAT));
+        nameID.setValue((String) consumer.getJwtClaims().getClaim(JWT_CLAIM_NAMEID_VALUE));
+        logoutRequest.setNameID(nameID);
+
+        SessionIndex sessionIndex = new SessionIndexBuilder().buildObject();
+        sessionIndex.setSessionIndex((String) consumer.getJwtClaims().getClaim(JWT_CLAIM_SESSIONINDEX));
+        logoutRequest.getSessionIndexes().add(sessionIndex);
+
+        SAML2RequestTO requestTO = new SAML2RequestTO();
+        requestTO.setIdpServiceAddress(logoutRequest.getDestination());
+        try {
+            // 3. sign and encode LogoutRequest
+            requestTO.setContent(saml2Signer.signAndEncode(logoutRequest, idp.isUseDeflateEncoding()));
+
+            // 4. generate relay state as JWT
+            Map<String, Object> claims = new HashMap<>();
+            claims.put(JWT_CLAIM_IDP_DEFLATE, idp.isUseDeflateEncoding());
+            Triple<String, String, Date> relayState =
+                    accessTokenDataBinder.generateJWT(logoutRequest.getID(), JWT_RELAY_STATE_DURATION, claims);
+            requestTO.setRelayState(relayState.getMiddle());
+        } catch (Exception e) {
+            LOG.error("While generating LogoutRequest", e);
+            SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
+            sce.getElements().add(e.getMessage());
+            throw sce;
+        }
+
+        return requestTO;
+    }
+
+    @PreAuthorize("isAuthenticated() and not(hasRole('" + StandardEntitlement.ANONYMOUS + "'))")
+    public void validateLogoutResponse(final String accessToken, final InputStream response) {
+        // 1. fetch the current JWT used for Syncope authentication
+        JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(accessToken);
+        if (!consumer.verifySignatureWith(jwsSignatureCerifier)) {
+            throw new IllegalArgumentException("Invalid signature found in Access Token");
+        }
+
+        // 2. extract raw SAML response and relay state
+        Pair<String, String> extracted;
+        try {
+            extracted = extract(response);
+        } catch (Exception e) {
+            LOG.error("While reading LogoutResponse", e);
+            SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
+            sce.getElements().add(e.getMessage());
+            throw sce;
+        }
+
+        JwsJwtCompactConsumer relayState = null;
+        Boolean useDeflateEncoding = false;
+        if (StringUtils.isNotBlank(extracted.getRight())) {
+            // first checks for the provided relay state, if available
+            relayState = new JwsJwtCompactConsumer(extracted.getRight());
+            if (!relayState.verifySignatureWith(jwsSignatureCerifier)) {
+                throw new IllegalArgumentException("Invalid signature found in Relay State");
+            }
+            useDeflateEncoding = Boolean.valueOf(
+                    relayState.getJwtClaims().getClaim(JWT_CLAIM_IDP_DEFLATE).toString());
+        }
+
+        // 3. parse the provided SAML response
+        LogoutResponse logoutResponse;
+        try {
+            XMLObject responseObject = saml2rw.read(true, useDeflateEncoding, extracted.getLeft());
+            if (!(responseObject instanceof LogoutResponse)) {
+                throw new IllegalArgumentException("Expected " + LogoutResponse.class.getName()
+                        + ", got " + responseObject.getClass().getName());
+            }
+            logoutResponse = (LogoutResponse) responseObject;
+        } catch (Exception e) {
+            LOG.error("While parsing LogoutResponse", e);
+            SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
+            sce.getElements().add(e.getMessage());
+            throw sce;
+        }
+
+        // 4. if relay state was available, check the SAML Reponse's InResponseTo
+        if (relayState != null && !relayState.getJwtClaims().getSubject().equals(logoutResponse.getInResponseTo())) {
+            throw new IllegalArgumentException("Unmatching request ID: " + logoutResponse.getInResponseTo());
+        }
+
+        // 5. finally check for the logout status
+        if (StatusCode.SUCCESS.equals(logoutResponse.getStatus().getStatusCode().getValue())) {
+            accessTokenDAO.delete(consumer.getJwtClaims().getTokenId());
+        } else {
+            SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
+            if (logoutResponse.getStatus().getStatusMessage() == null) {
+                sce.getElements().add(logoutResponse.getStatus().getStatusCode().getValue());
+            } else {
+                sce.getElements().add(logoutResponse.getStatus().getStatusMessage().getMessage());
+            }
+            throw sce;
+        }
+    }
+
+    @Override
+    protected AbstractBaseBean resolveReference(
+            final Method method, final Object... args) throws UnresolvedReferenceException {
+
+        throw new UnresolvedReferenceException();
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/syncope/blob/d9079e13/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/init/SAML2SPLoader.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/init/SAML2SPLoader.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/init/SAML2SPLoader.java
new file mode 100644
index 0000000..dee85ef
--- /dev/null
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/init/SAML2SPLoader.java
@@ -0,0 +1,140 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.core.logic.init;
+
+import java.io.File;
+import java.io.InputStream;
+import java.security.KeyStore;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Properties;
+import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
+import org.apache.commons.io.FileUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.syncope.core.persistence.api.SyncopeLoader;
+import org.apache.syncope.core.provisioning.api.EntitlementsHolder;
+import org.apache.syncope.common.lib.types.SAML2SPEntitlement;
+import org.apache.syncope.core.spring.ApplicationContextProvider;
+import org.apache.syncope.core.spring.ResourceWithFallbackLoader;
+import org.opensaml.core.criterion.EntityIdCriterion;
+import org.opensaml.security.credential.Credential;
+import org.opensaml.security.credential.impl.KeyStoreCredentialResolver;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Component;
+
+@Component
+public class SAML2SPLoader implements SyncopeLoader {
+
+    private static final Logger LOG = LoggerFactory.getLogger(SAML2SPLoader.class);
+
+    private static final String SAML2SP_LOGIC_PROPERTIES = "saml2sp-logic.properties";
+
+    private static <T> T assertNotNull(final T argument, final String name) {
+        if (argument == null) {
+            throw new IllegalArgumentException("Argument '" + name + "' may not be null.");
+        }
+        return argument;
+    }
+
+    private KeyStore keystore;
+
+    private String keyPass;
+
+    private Credential credential;
+
+    @Override
+    public Integer getPriority() {
+        return 1000;
+    }
+
+    @Override
+    public void load() {
+        EntitlementsHolder.getInstance().init(SAML2SPEntitlement.values());
+
+        String confDirectory = null;
+
+        Properties props = new Properties();
+        try (InputStream is = getClass().getResourceAsStream("/" + SAML2SP_LOGIC_PROPERTIES)) {
+            props.load(is);
+            confDirectory = props.getProperty("conf.directory");
+
+            File confDir = new File(confDirectory);
+            if (confDir.exists() && confDir.canRead() && confDir.isDirectory()) {
+                File confDirProps = FileUtils.getFile(confDir, SAML2SP_LOGIC_PROPERTIES);
+                if (confDirProps.exists() && confDirProps.canRead() && confDirProps.isFile()) {
+                    props.clear();
+                    props.load(FileUtils.openInputStream(confDirProps));
+                    confDirectory = props.getProperty("conf.directory");
+                }
+            }
+        } catch (Exception e) {
+            throw new RuntimeException("Could not read " + SAML2SP_LOGIC_PROPERTIES, e);
+        }
+
+        assertNotNull(confDirectory, "<conf.directory>");
+
+        String name = props.getProperty("keystore.name");
+        assertNotNull(name, "<keystore.name>");
+        String type = props.getProperty("keystore.type");
+        assertNotNull(type, "<keystore.type>");
+        String storePass = props.getProperty("keystore.storepass");
+        assertNotNull(storePass, "<keystore.storepass>");
+        keyPass = props.getProperty("keystore.keypass");
+        assertNotNull(keyPass, "<keystore.keypass>");
+        String certAlias = props.getProperty("sp.cert.alias");
+        assertNotNull(certAlias, "<sp.cert.alias>");
+
+        LOG.debug("Attempting to load the provided keystore...");
+        try {
+            ResourceWithFallbackLoader loader = new ResourceWithFallbackLoader();
+            loader.setResourceLoader(ApplicationContextProvider.getApplicationContext());
+            loader.setPrimary(StringUtils.appendIfMissing("file:" + confDirectory, "/") + name);
+            loader.setFallback("classpath:" + name);
+
+            keystore = KeyStore.getInstance(type);
+            try (InputStream inputStream = loader.getResource().getInputStream()) {
+                keystore.load(inputStream, storePass.toCharArray());
+                LOG.debug("Keystore loaded");
+            }
+
+            Map<String, String> passwordMap = new HashMap<>();
+            passwordMap.put(certAlias, keyPass);
+            KeyStoreCredentialResolver resolver = new KeyStoreCredentialResolver(keystore, passwordMap);
+
+            this.credential = resolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(certAlias)));
+            LOG.debug("SAML 2.0 Service Provider certificate loaded");
+        } catch (Exception e) {
+            throw new RuntimeException("Could not initialize the SAML 2.0 Service Provider certificate", e);
+        }
+    }
+
+    public KeyStore getKeyStore() {
+        return keystore;
+    }
+
+    public String getKeyPass() {
+        return keyPass;
+    }
+
+    public Credential getCredential() {
+        return credential;
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/syncope/blob/d9079e13/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2IdPCache.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2IdPCache.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2IdPCache.java
new file mode 100644
index 0000000..21e185d
--- /dev/null
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2IdPCache.java
@@ -0,0 +1,90 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.core.logic.saml2;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import net.shibboleth.utilities.java.support.xml.XMLParserException;
+import org.apache.syncope.common.lib.to.MappingItemTO;
+import org.apache.syncope.core.logic.init.SAML2SPLoader;
+import org.apache.syncope.core.persistence.api.entity.SAML2IdP;
+import org.apache.syncope.core.provisioning.api.data.SAML2IdPDataBinder;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.opensaml.saml.saml2.metadata.EntityDescriptor;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+import org.springframework.transaction.annotation.Transactional;
+import org.w3c.dom.Element;
+
+/**
+ * Basic in-memory cache for available {@link SAML2IdPEntity} identity providers.
+ */
+@Component
+public class SAML2IdPCache {
+
+    private final Map<String, SAML2IdPEntity> cache =
+            Collections.synchronizedMap(new HashMap<String, SAML2IdPEntity>());
+
+    @Autowired
+    private SAML2SPLoader loader;
+
+    @Autowired
+    private SAML2IdPDataBinder binder;
+
+    public SAML2IdPEntity get(final String entityID) {
+        return cache.get(entityID);
+    }
+
+    public SAML2IdPEntity getFirst() {
+        return cache.isEmpty() ? null : cache.entrySet().iterator().next().getValue();
+    }
+
+    public SAML2IdPEntity put(
+            final EntityDescriptor entityDescriptor,
+            final MappingItemTO connObjectKeyItem,
+            final boolean useDeflateEncoding)
+            throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException {
+
+        return cache.put(entityDescriptor.getEntityID(),
+                new SAML2IdPEntity(entityDescriptor, connObjectKeyItem, useDeflateEncoding, loader.getKeyPass()));
+    }
+
+    @Transactional(readOnly = true)
+    public SAML2IdPEntity put(final SAML2IdP idp)
+            throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException, WSSecurityException,
+            XMLParserException {
+
+        Element element = OpenSAMLUtil.getParserPool().parse(
+                new InputStreamReader(new ByteArrayInputStream(idp.getMetadata()))).getDocumentElement();
+        EntityDescriptor entityDescriptor = (EntityDescriptor) OpenSAMLUtil.fromDom(element);
+        return put(entityDescriptor, binder.getIdPTO(idp).getConnObjectKeyItem(), idp.isUseDeflateEncoding());
+    }
+
+    public SAML2IdPEntity remove(final String entityID) {
+        return cache.remove(entityID);
+    }
+}

http://git-wip-us.apache.org/repos/asf/syncope/blob/d9079e13/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2IdPCallbackHandler.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2IdPCallbackHandler.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2IdPCallbackHandler.java
new file mode 100644
index 0000000..17cf6f0
--- /dev/null
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2IdPCallbackHandler.java
@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.core.logic.saml2;
+
+import java.io.IOException;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import org.apache.wss4j.common.ext.WSPasswordCallback;
+
+public class SAML2IdPCallbackHandler implements CallbackHandler {
+
+    private final String keyPass;
+
+    public SAML2IdPCallbackHandler(final String keyPass) {
+        this.keyPass = keyPass;
+    }
+
+    @Override
+    public void handle(final Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+        for (Callback callback : callbacks) {
+            if (callback instanceof WSPasswordCallback) {
+                WSPasswordCallback wspc = (WSPasswordCallback) callback;
+                wspc.setPassword(keyPass);
+            }
+        }
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/syncope/blob/d9079e13/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2IdPEntity.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2IdPEntity.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2IdPEntity.java
new file mode 100644
index 0000000..35eacaf
--- /dev/null
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2IdPEntity.java
@@ -0,0 +1,155 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.core.logic.saml2;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.syncope.common.lib.to.MappingItemTO;
+import org.opensaml.saml.common.xml.SAMLConstants;
+import org.opensaml.saml.saml2.metadata.Endpoint;
+import org.opensaml.saml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.saml.saml2.metadata.KeyDescriptor;
+import org.opensaml.saml.saml2.metadata.NameIDFormat;
+import org.opensaml.saml.saml2.metadata.SingleLogoutService;
+import org.opensaml.saml.saml2.metadata.SingleSignOnService;
+import org.opensaml.xmlsec.signature.X509Data;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class SAML2IdPEntity {
+
+    private static final Logger LOG = LoggerFactory.getLogger(SAML2IdPEntity.class);
+
+    private final String id;
+
+    private boolean useDeflateEncoding;
+
+    private MappingItemTO connObjectKeyItem;
+
+    private final Map<String, Endpoint> ssoBindings = new HashMap<>();
+
+    private final Map<String, SingleLogoutService> sloBindings = new HashMap<>();
+
+    private final List<String> nameIDFormats = new ArrayList<>();
+
+    private final KeyStore trustStore;
+
+    public SAML2IdPEntity(
+            final EntityDescriptor entityDescriptor,
+            final MappingItemTO connObjectKeyItem,
+            final boolean useDeflateEncoding,
+            final String keyPass)
+            throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException {
+
+        this.id = entityDescriptor.getEntityID();
+        this.connObjectKeyItem = connObjectKeyItem;
+        this.useDeflateEncoding = useDeflateEncoding;
+
+        IDPSSODescriptor idpdescriptor = entityDescriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS);
+
+        for (SingleSignOnService sso : idpdescriptor.getSingleSignOnServices()) {
+            LOG.debug("[{}] Add SSO binding {}({})", id, sso.getBinding(), sso.getLocation());
+            this.ssoBindings.put(sso.getBinding(), sso);
+        }
+
+        for (SingleLogoutService slo : idpdescriptor.getSingleLogoutServices()) {
+            LOG.debug("[{}] Add SLO binding '{}'\n\tLocation: '{}'\n\tResponse Location: '{}'",
+                    id, slo.getBinding(), slo.getLocation(), slo.getResponseLocation());
+            this.sloBindings.put(slo.getBinding(), slo);
+        }
+
+        for (NameIDFormat nameIDFormat : idpdescriptor.getNameIDFormats()) {
+            LOG.debug("[{}] Add NameIDFormat '{}'", id, nameIDFormat.getFormat());
+            nameIDFormats.add(nameIDFormat.getFormat());
+        }
+
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        List<X509Certificate> chain = new ArrayList<>();
+        for (KeyDescriptor key : idpdescriptor.getKeyDescriptors()) {
+            for (X509Data x509Data : key.getKeyInfo().getX509Datas()) {
+                for (org.opensaml.xmlsec.signature.X509Certificate cert : x509Data.getX509Certificates()) {
+                    try (ByteArrayInputStream bais = new ByteArrayInputStream(Base64.decodeBase64(cert.getValue()))) {
+                        chain.add(X509Certificate.class.cast(cf.generateCertificate(bais)));
+                    }
+                }
+            }
+        }
+
+        this.trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
+        this.trustStore.load(null, keyPass.toCharArray());
+        if (!chain.isEmpty()) {
+            for (X509Certificate cert : chain) {
+                LOG.debug("[{}] Add X.509 certificate {}", id, cert.getSubjectX500Principal().getName());
+                this.trustStore.setCertificateEntry(cert.getSubjectX500Principal().getName(), cert);
+            }
+            LOG.debug("[{}] Set default X.509 certificate {}", id, chain.get(0).getSubjectX500Principal().getName());
+            this.trustStore.setCertificateEntry(id, chain.get(0));
+        }
+    }
+
+    public String getId() {
+        return id;
+    }
+
+    public boolean isUseDeflateEncoding() {
+        return useDeflateEncoding;
+    }
+
+    public void setUseDeflateEncoding(final boolean useDeflateEncoding) {
+        this.useDeflateEncoding = useDeflateEncoding;
+    }
+
+    public MappingItemTO getConnObjectKeyItem() {
+        return connObjectKeyItem;
+    }
+
+    public void setConnObjectKeyItem(final MappingItemTO connObjectKeyItem) {
+        this.connObjectKeyItem = connObjectKeyItem;
+    }
+
+    public Endpoint getSSOLocation(final String binding) {
+        return ssoBindings.get(binding);
+    }
+
+    public Endpoint getSLOLocation(final String binding) {
+        return sloBindings.get(binding);
+    }
+
+    public boolean supportsNameIDFormat(final String nameIDFormat) {
+        return nameIDFormats.contains(nameIDFormat);
+    }
+
+    public KeyStore getTrustStore() {
+        return trustStore;
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/syncope/blob/d9079e13/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
new file mode 100644
index 0000000..23b3a38
--- /dev/null
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
@@ -0,0 +1,145 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.core.logic.saml2;
+
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.StringWriter;
+import java.io.UnsupportedEncodingException;
+import java.io.Writer;
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
+import java.security.KeyStore;
+import java.util.zip.DataFormatException;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.dom.DOMSource;
+import javax.xml.transform.stream.StreamResult;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder;
+import org.apache.cxf.rs.security.saml.sso.SAMLProtocolResponseValidator;
+import org.apache.cxf.staxutils.StaxUtils;
+import org.apache.syncope.core.logic.init.SAML2SPLoader;
+import org.apache.wss4j.common.crypto.Merlin;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.opensaml.core.xml.XMLObject;
+import org.opensaml.saml.saml2.core.Response;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+import org.w3c.dom.Document;
+
+@Component
+public class SAML2ReaderWriter implements InitializingBean {
+
+    private static final Logger LOG = LoggerFactory.getLogger(SAML2ReaderWriter.class);
+
+    private static final TransformerFactory TRANSFORMER_FACTORY = TransformerFactory.newInstance();
+
+    static {
+        OpenSAMLUtil.initSamlEngine(false);
+    }
+
+    @Autowired
+    private SAML2SPLoader loader;
+
+    private SAMLProtocolResponseValidator protocolValidator;
+
+    private SAML2IdPCallbackHandler callbackHandler;
+
+    @Override
+    public void afterPropertiesSet() throws Exception {
+        protocolValidator = new SAMLProtocolResponseValidator();
+        protocolValidator.setKeyInfoMustBeAvailable(true);
+
+        callbackHandler = new SAML2IdPCallbackHandler(loader.getKeyPass());
+    }
+
+    public void write(final Writer writer, final XMLObject object, final boolean signObject)
+            throws TransformerConfigurationException, WSSecurityException, TransformerException {
+
+        Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+        StreamResult streamResult = new StreamResult(writer);
+        DOMSource source = new DOMSource(OpenSAMLUtil.toDom(object, null, signObject));
+        transformer.transform(source, streamResult);
+    }
+
+    public XMLObject read(final boolean postBinding, final boolean useDeflateEncoding, final String response)
+            throws DataFormatException, UnsupportedEncodingException, XMLStreamException, WSSecurityException {
+
+        String decodedResponse = response;
+        // URL Decoding only applies for the redirect binding
+        if (!postBinding) {
+            decodedResponse = URLDecoder.decode(response, StandardCharsets.UTF_8.name());
+        }
+
+        InputStream tokenStream;
+        byte[] deflatedToken = Base64.decodeBase64(decodedResponse);
+        tokenStream = !postBinding && useDeflateEncoding
+                ? new DeflateEncoderDecoder().inflateToken(deflatedToken)
+                : new ByteArrayInputStream(deflatedToken);
+
+        // parse the provided SAML response
+        Document responseDoc = StaxUtils.read(new InputStreamReader(tokenStream, StandardCharsets.UTF_8));
+        XMLObject responseObject = OpenSAMLUtil.fromDom(responseDoc.getDocumentElement());
+
+        if (LOG.isDebugEnabled()) {
+            try {
+                StringWriter writer = new StringWriter();
+                write(writer, responseObject, false);
+                writer.close();
+
+                LOG.debug("Parsed SAML response: {}", writer.toString());
+            } catch (Exception e) {
+                LOG.error("Could not log the received SAML response", e);
+            }
+        }
+
+        return responseObject;
+    }
+
+    public void validate(final Response samlResponse, final KeyStore idpTrustStore) throws WSSecurityException {
+        // validate the SAML response and, if needed, decrypt the provided assertion(s)
+        Merlin crypto = new Merlin();
+        crypto.setKeyStore(loader.getKeyStore());
+        crypto.setTrustStore(idpTrustStore);
+
+        protocolValidator.validateSamlResponse(samlResponse, crypto, callbackHandler);
+
+        if (LOG.isDebugEnabled()) {
+            try {
+                StringWriter writer = new StringWriter();
+                write(writer, samlResponse, false);
+                writer.close();
+
+                LOG.debug("SAML response with decrypted assertions: {}", writer.toString());
+            } catch (Exception e) {
+                LOG.error("Could not log the SAML response with decrypted assertions", e);
+            }
+        }
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/syncope/blob/d9079e13/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2Signer.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2Signer.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2Signer.java
new file mode 100644
index 0000000..9a03627
--- /dev/null
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2Signer.java
@@ -0,0 +1,104 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.core.logic.saml2;
+
+import java.io.IOException;
+import java.io.StringWriter;
+import java.nio.charset.StandardCharsets;
+import javax.xml.transform.TransformerException;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder;
+import org.apache.syncope.core.logic.init.SAML2SPLoader;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.opensaml.saml.common.SignableSAMLObject;
+import org.opensaml.saml.saml2.core.RequestAbstractType;
+import org.opensaml.security.SecurityException;
+import org.opensaml.xmlsec.keyinfo.KeyInfoGenerator;
+import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory;
+import org.opensaml.xmlsec.signature.Signature;
+import org.opensaml.xmlsec.signature.support.SignatureConstants;
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+@Component
+public class SAML2Signer implements InitializingBean {
+
+    static {
+        OpenSAMLUtil.initSamlEngine(false);
+    }
+
+    @Autowired
+    private SAML2SPLoader loader;
+
+    @Autowired
+    private SAML2ReaderWriter saml2rw;
+
+    private KeyInfoGenerator keyInfoGenerator;
+
+    private String signatureAlgorithm;
+
+    @Override
+    public void afterPropertiesSet() throws Exception {
+        X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
+        keyInfoGeneratorFactory.setEmitEntityCertificate(true);
+        keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
+
+        signatureAlgorithm = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
+        String pubKeyAlgo = loader.getCredential().getPublicKey().getAlgorithm();
+        if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
+            signatureAlgorithm = SignatureConstants.ALGO_ID_SIGNATURE_DSA_SHA1;
+        }
+    }
+
+    public String signAndEncode(final RequestAbstractType request, final boolean useDeflateEncoding)
+            throws SecurityException, WSSecurityException, TransformerException, IOException {
+
+        // 1. sign request
+        Signature signature = OpenSAMLUtil.buildSignature();
+        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
+        signature.setSignatureAlgorithm(signatureAlgorithm);
+        signature.setSigningCredential(loader.getCredential());
+        signature.setKeyInfo(keyInfoGenerator.generate(loader.getCredential()));
+
+        SignableSAMLObject signableObject = (SignableSAMLObject) request;
+        signableObject.setSignature(signature);
+        signableObject.releaseDOM();
+        signableObject.releaseChildrenDOM(true);
+
+        // 2. serialize and encode request
+        StringWriter writer = new StringWriter();
+        saml2rw.write(writer, request, true);
+        writer.close();
+
+        String requestMessage = writer.toString();
+        byte[] deflatedBytes;
+        // not correct according to the spec but required by some IdPs.
+        if (useDeflateEncoding) {
+            deflatedBytes = new DeflateEncoderDecoder().
+                    deflateToken(requestMessage.getBytes(StandardCharsets.UTF_8));
+        } else {
+            deflatedBytes = requestMessage.getBytes(StandardCharsets.UTF_8);
+        }
+
+        return Base64.encodeBase64String(deflatedBytes);
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/syncope/blob/d9079e13/ext/saml2sp/logic/src/main/resources/saml2sp-logic.properties
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/resources/saml2sp-logic.properties b/ext/saml2sp/logic/src/main/resources/saml2sp-logic.properties
new file mode 100644
index 0000000..2d7e918
--- /dev/null
+++ b/ext/saml2sp/logic/src/main/resources/saml2sp-logic.properties
@@ -0,0 +1,23 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+conf.directory=${conf.directory}
+
+keystore.name=keystore
+keystore.type=jks
+keystore.storepass=changeit
+keystore.keypass=changeit
+sp.cert.alias=sp


Mime
View raw message