Add support for Subjects on AuthNRequests by the new parameter nameIdValueReq

Author: pitbulk

README.md

@@ -393,11 +393,12 @@ We can set a 'returnTo' url parameter to the login function and that will be con
 String targetUrl = 'https://example.com';
 auth.login(returnTo=targetUrl)
 ```
-The login method can receive 4 more optional parameters:
+The login method can receive 5 more optional parameters:
 - *forceAuthn* When true the AuthNRequest will have the 'ForceAuthn' attribute set to 'true'
 - *isPassive* When true the AuthNRequest will have the 'Ispassive' attribute set to 'true'
 - *setNameIdPolicy* When true the AuthNRequest will set a nameIdPolicy element.
 - *stay* Set to true to stay (returns the url string), otherwise set to false to execute a redirection to that url (IdP SSO URL)
+- *nameIdValueReq* Indicates to the IdP the subject that should be authenticated
 
 By default, the login method initiates a redirect to the SAML Identity Provider. You can use the *stay* parameter, to prevent that, and execute the redirection manually. We need to use that if a match on the future SAMLResponse ID and the AuthNRequest ID to be sent is required.  That AuthNRequest ID must be extracted and stored for future validation, so we can't execute the redirection on the login.  Instead, set *stay* to true, then get that ID by
 ```

core/src/main/java/com/onelogin/saml2/authn/AuthnRequest.java

@@ -57,6 +57,10 @@ public class AuthnRequest {
 	 */
 	private final boolean setNameIdPolicy;
 
+	/**
+	 * Indicates to the IdP the subject that should be authenticated
+	 */
+	private final String nameIdValueReq;
 
 	/**
 	 * Time stamp that indicates when the AuthNRequest was created
@@ -84,20 +88,39 @@ public AuthnRequest(Saml2Settings settings) {
 	 *            When true the AuthNReuqest will set the IsPassive='true'
 	 * @param setNameIdPolicy
 	 *            When true the AuthNReuqest will set a nameIdPolicy
+	 * @param nameIdValueReq
+	 *            Indicates to the IdP the subject that should be authenticated
 	 */
-	public AuthnRequest(Saml2Settings settings, boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy) {
+	public AuthnRequest(Saml2Settings settings, boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy, String nameIdValueReq) {
 		this.id = Util.generateUniqueID(settings.getUniqueIDPrefix());
 		issueInstant = Calendar.getInstance();
 		this.isPassive = isPassive;
 		this.settings = settings;
 		this.forceAuthn = forceAuthn;
 		this.setNameIdPolicy = setNameIdPolicy;
+		this.nameIdValueReq = nameIdValueReq;
 
 		StrSubstitutor substitutor = generateSubstitutor(settings);
 		authnRequestString = substitutor.replace(getAuthnRequestTemplate());
 		LOGGER.debug("AuthNRequest --> " + authnRequestString);
 	}
 
+	/**
+	 * Constructs the AuthnRequest object.
+	 *
+	 * @param settings
+	 *            OneLogin_Saml2_Settings
+	 * @param forceAuthn
+	 *            When true the AuthNReuqest will set the ForceAuthn='true'
+	 * @param isPassive
+	 *            When true the AuthNReuqest will set the IsPassive='true'
+	 * @param setNameIdPolicy
+	 *            When true the AuthNReuqest will set a nameIdPolicy
+	 */
+	public AuthnRequest(Saml2Settings settings, boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy) {
+		this(settings, forceAuthn, isPassive, setNameIdPolicy, null);
+	}
+
 	/**
 	 * @return the base64 encoded unsigned AuthnRequest (deflated or not)
 	 *
@@ -167,6 +190,16 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
 		}
 		valueMap.put("destinationStr", destinationStr);
 
+		String subjectStr = "";
+		if (nameIdValueReq != null && !nameIdValueReq.isEmpty()) {
+			String nameIDFormat = settings.getSpNameIDFormat();
+			subjectStr = "<saml:Subject>";
+			subjectStr += "<saml:NameID Format=\"" + nameIDFormat + "\">" + nameIdValueReq + "</saml:NameID>";
+			subjectStr += "<saml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"></saml:SubjectConfirmation>";
+			subjectStr += "</saml:Subject>";
+        }
+        valueMap.put("subjectStr", subjectStr);
+
 		String nameIDPolicyStr = "";
 		if (setNameIdPolicy) {
 			String nameIDPolicyFormat = settings.getSpNameIDFormat();
@@ -216,7 +249,7 @@ private static StringBuilder getAuthnRequestTemplate() {
 		StringBuilder template = new StringBuilder();
 		template.append("<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"${id}\" Version=\"2.0\" IssueInstant=\"${issueInstant}\"${providerStr}${forceAuthnStr}${isPassiveStr}${destinationStr} ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" AssertionConsumerServiceURL=\"${assertionConsumerServiceURL}\">");
 		template.append("<saml:Issuer>${spEntityid}</saml:Issuer>");
-		template.append("${nameIDPolicyStr}${requestedAuthnContextStr}</samlp:AuthnRequest>");
+		template.append("${subjectStr}${nameIDPolicyStr}${requestedAuthnContextStr}</samlp:AuthnRequest>");
 		return template;
 	}
 

core/src/test/java/com/onelogin/saml2/test/authn/AuthnRequestTest.java

@@ -272,6 +272,42 @@ public void testAuthNContext() throws Exception {
 		assertThat(authnRequestStr, containsString("<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>"));
 	}
 
+	/**
+	 * Tests the AuthnRequest Constructor
+	 * The creation of a deflated SAML Request with and without Subject
+	 *
+	 * @throws Exception
+	 *
+	 * @see com.onelogin.saml2.authn.AuthnRequest
+	 */
+	@Test
+	public void testSubject() throws Exception {
+		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.min.properties").build();
+
+		AuthnRequest authnRequest = new AuthnRequest(settings);
+		String authnRequestStringBase64 = authnRequest.getEncodedAuthnRequest();
+		String authnRequestStr = Util.base64decodedInflated(authnRequestStringBase64);
+		assertThat(authnRequestStr, containsString("<samlp:AuthnRequest"));
+		assertThat(authnRequestStr, not(containsString("<saml:Subject")));
+
+		authnRequest = new AuthnRequest(settings, false, false, false, "testuser@example.com");
+		authnRequestStringBase64 = authnRequest.getEncodedAuthnRequest();
+		authnRequestStr = Util.base64decodedInflated(authnRequestStringBase64);
+		assertThat(authnRequestStr, containsString("<samlp:AuthnRequest"));
+		assertThat(authnRequestStr, containsString("<saml:Subject"));
+		assertThat(authnRequestStr, containsString("Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\">testuser@example.com</saml:NameID>"));
+		assertThat(authnRequestStr, containsString("<saml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\">"));
+
+		settings = new SettingsBuilder().fromFile("config/config.emailaddressformat.properties").build();
+		authnRequest = new AuthnRequest(settings, false, false, false, "testuser@example.com");
+		authnRequestStringBase64 = authnRequest.getEncodedAuthnRequest();
+		authnRequestStr = Util.base64decodedInflated(authnRequestStringBase64);
+		assertThat(authnRequestStr, containsString("<samlp:AuthnRequest"));
+		assertThat(authnRequestStr, containsString("<saml:Subject"));
+		assertThat(authnRequestStr, containsString("Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">testuser@example.com</saml:NameID>"));
+		assertThat(authnRequestStr, containsString("<saml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\">"));
+	}
+
 	/**
 	 * Tests the getId method of AuthnRequest
 	 *

toolkit/src/main/java/com/onelogin/saml2/Auth.java

@@ -261,16 +261,18 @@ public void setStrict(Boolean value)
 	 *            When true the AuthNRequest will set a nameIdPolicy
 	 * @param stay
 	 *            True if we want to stay (returns the url string) False to execute redirection
+	 * @param nameIdValueReq
+	 *            Indicates to the IdP the subject that should be authenticated
 	 *
 	 * @return the SSO URL with the AuthNRequest if stay = True
 	 *
 	 * @throws IOException
 	 * @throws SettingsException
 	 */
-	public String login(String returnTo, Boolean forceAuthn, Boolean isPassive, Boolean setNameIdPolicy, Boolean stay) throws IOException, SettingsException {
+	public String login(String returnTo, Boolean forceAuthn, Boolean isPassive, Boolean setNameIdPolicy, Boolean stay, String nameIdValueReq) throws IOException, SettingsException {
 		Map<String, String> parameters = new HashMap<String, String>();
 
-		AuthnRequest authnRequest = new AuthnRequest(settings, forceAuthn, isPassive, setNameIdPolicy);
+		AuthnRequest authnRequest = new AuthnRequest(settings, forceAuthn, isPassive, setNameIdPolicy, nameIdValueReq);
 
 		String samlRequest = authnRequest.getEncodedAuthnRequest();
 
@@ -305,6 +307,30 @@ public String login(String returnTo, Boolean forceAuthn, Boolean isPassive, Bool
 		return ServletUtils.sendRedirect(response, ssoUrl, parameters, stay);
 	}
 
+	/**
+	 * Initiates the SSO process.
+	 *
+	 * @param returnTo
+	 *				The target URL the user should be returned to after login (relayState).
+	 *				Will be a self-routed URL when null, or not be appended at all when an empty string is provided
+	 * @param forceAuthn
+	 *				When true the AuthNRequest will set the ForceAuthn='true'
+	 * @param isPassive
+	 *				When true the AuthNRequest will set the IsPassive='true'
+	 * @param setNameIdPolicy
+	 *            When true the AuthNRequest will set a nameIdPolicy
+	 * @param stay
+	 *            True if we want to stay (returns the url string) False to execute redirection
+	 *
+	 * @return the SSO URL with the AuthNRequest if stay = True
+	 *
+	 * @throws IOException
+	 * @throws SettingsException
+	 */
+	public String login(String returnTo, Boolean forceAuthn, Boolean isPassive, Boolean setNameIdPolicy, Boolean stay) throws IOException, SettingsException {
+		return login(returnTo ,forceAuthn, isPassive, setNameIdPolicy, stay, null);
+	}
+
 	/**
 	 * Initiates the SSO process.
 	 *

toolkit/src/test/java/com/onelogin/saml2/test/AuthTest.java

@@ -19,7 +19,10 @@
 import static org.mockito.Mockito.when;
 
 import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.net.URI;
 import java.net.URISyntaxException;
+import java.net.URLDecoder;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
@@ -51,6 +54,20 @@ public class AuthTest {
 	@Rule
 	public ExpectedException expectedEx = ExpectedException.none();
 
+	private String getSAMLRequestFromURL(String url) throws URISyntaxException, UnsupportedEncodingException {
+		String xml = "";
+		URI uri = new URI(url);
+		String query = uri.getQuery();
+		String[] pairs = query.split("&");
+		for (String pair : pairs) {
+	        int idx = pair.indexOf("=");
+	        if (pair.substring(0, idx).equals("SAMLRequest")) {
+	        	xml = Util.base64decodedInflated(pair.substring(idx + 1));
+	        }
+	    }
+		return xml;
+	}
+
 	/**
 	 * Tests the constructor of Auth
 	 * Case: No parameters
@@ -1161,7 +1178,56 @@ public void testLoginStay() throws IOException, SettingsException, URISyntaxExce
 		assertThat(target, startsWith("https://pitbulk.no-ip.org/simplesaml/saml2/idp/SSOService.php?SAMLRequest="));
 		assertThat(target, containsString("&RelayState=http%3A%2F%2Flocalhost%3A8080%2Fexpected.jsp"));		
 	}
-	
+
+	/**
+	 * Tests the login method of Auth
+	 * Case: Login with Subject enabled
+	 *
+	 * @throws SettingsException
+	 * @throws IOException
+	 * @throws URISyntaxException
+	 * @throws Error
+	 *
+	 * @see com.onelogin.saml2.Auth#login
+	 */
+	@Test
+	public void testLoginSubject() throws IOException, SettingsException, URISyntaxException, Error {
+		HttpServletRequest request = mock(HttpServletRequest.class);
+		HttpServletResponse response = mock(HttpServletResponse.class);
+		when(request.getScheme()).thenReturn("http");
+		when(request.getServerPort()).thenReturn(8080);
+		when(request.getServerName()).thenReturn("localhost");
+		when(request.getRequestURI()).thenReturn("/initial.jsp");
+
+		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.min.properties").build();
+
+		Auth auth = new Auth(settings, request, response);
+		String target = auth.login("", false, false, false, true);
+		assertThat(target, startsWith("http://idp.example.com/simplesaml/saml2/idp/SSOService.php?SAMLRequest="));
+		String authNRequestStr = getSAMLRequestFromURL(target);
+		assertThat(authNRequestStr, containsString("<samlp:AuthnRequest"));
+		assertThat(authNRequestStr, not(containsString("<saml:Subject")));
+
+		target = auth.login("", false, false, false, true, "testuser@example.com");
+		assertThat(target, startsWith("http://idp.example.com/simplesaml/saml2/idp/SSOService.php?SAMLRequest="));
+		authNRequestStr = getSAMLRequestFromURL(target);
+		assertThat(authNRequestStr, containsString("<samlp:AuthnRequest"));
+		assertThat(authNRequestStr, containsString("<saml:Subject"));
+		assertThat(authNRequestStr, containsString("Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\">testuser@example.com</saml:NameID>"));
+		assertThat(authNRequestStr, containsString("<saml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\">"));
+
+		settings = new SettingsBuilder().fromFile("config/config.emailaddressformat.properties").build();
+		auth = new Auth(settings, request, response);
+		target = auth.login("", false, false, false, true, "testuser@example.com");
+		assertThat(target, startsWith("http://idp.example.com/simplesaml/saml2/idp/SSOService.php?SAMLRequest="));
+		authNRequestStr = getSAMLRequestFromURL(target);
+		assertThat(authNRequestStr, containsString("<samlp:AuthnRequest"));
+		assertThat(authNRequestStr, containsString("<saml:Subject"));
+		assertThat(authNRequestStr, containsString("Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">testuser@example.com</saml:NameID>"));
+		assertThat(authNRequestStr, containsString("<saml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\">"));
+
+	}
+
 	/**
 	 * Tests the login method of Auth
 	 * Case: Signed Login but no sp key