Add support for multiple Attribute Consuming Services

Attribute Consuming Services can now be configured in settings. They
will then be parsed and added to the generated metadata. On SSO
initiation a selector mechanism can be used to select the desired ACS,
producing the proper AttributeConsumingServiceIndex attribute in the
AuthnRequest.

Author: mauromol

README.md

@@ -247,6 +247,9 @@ onelogin.saml2.sp.x509certNew =
 # If you have     PKCS#1   BEGIN RSA PRIVATE KEY  convert it by   openssl pkcs8 -topk8 -inform pem -nocrypt -in sp.rsa_key -outform pem -out sp.pem
 onelogin.saml2.sp.privatekey =
 
+# Attribute Consuming Services
+# SEE BELOW
+
 ## Identity Provider Data that we want connect with our SP ##
 
 # Identifier of the IdP entity  (must be a URI)
@@ -492,9 +495,88 @@ The getSPMetadata will return the metadata signed or not based on the security p
 
 Before the XML metadata is exposed, a check takes place to ensure that the info to be provided is valid.
 
-##### Attribute Consumer Service(ACS)
-This code handles the SAML response that the IdP forwards to the SP through the user's client.
+##### Attribute Consuming Service (ACS)
+The SP may optionally specify one or more Attribute Consuming Services in its metadata. These can be configured in the settings.
+
+If just one ACS is required:
+
+```properties
+# Attribute Consuming Service name when just one ACS should be declared by the SP.
+# Comment out or set to empty if no ACS should be declared, or if multiple ones should (see below). 
+# The service name is mandatory.
+onelogin.saml2.sp.attribute_consuming_service.name = My service
+
+# Attribute Consuming Service description when just one ACS should be declared by the SP.
+# Ignored if the previous property is commented or empty. 
+# The service description is optional.
+onelogin.saml2.sp.attribute_consuming_service.description = My service description
+
+# Language used for Attribute Consuming Service name and description when just one ACS should be declared by the SP.
+# Ignored if the name property is commented or empty. 
+# The language is optional and default to "en" (English).
+onelogin.saml2.sp.attribute_consuming_service.lang = en
+
+# Requested attributes to be included in the Attribute Consuming Service when just one ACS should be declared by the SP.
+# At least one requested attribute must be specified, otherwise schema validation will fail.
+# Attribute properties are indexed properties, starting from 0. The index is used only to enumerate and sort attributes, but it's required.
+# The following properties allow to define each requested attribute:
+# - name: mandatory
+# - name_format: optional; if omitted, defaults to urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
+# - friendly_name: optional; if omitted, it won't appear in SP metadata
+# - required: optional; if omitted or empty, defaults to false
+# - value[x]: an attribute value; the [x] is only used only to enumerate and sort values, but it's required
+# Please note that only simple values are currently supported and treated internally as strings. Hence no structured values
+# and no ability to specify an xsi:type attribute. 
+# Attribute values are optional and most often they are simply omitted.
+onelogin.saml2.sp.attribute_consuming_service.attribute[0].name = Email
+onelogin.saml2.sp.attribute_consuming_service.attribute[0].name_format = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+onelogin.saml2.sp.attribute_consuming_service.attribute[0].friendly_name = E-mail address
+onelogin.saml2.sp.attribute_consuming_service.attribute[0].required = true
+onelogin.saml2.sp.attribute_consuming_service.attribute[0].value[0] = foo@example.org
+onelogin.saml2.sp.attribute_consuming_service.attribute[0].value[1] = bar@example.org
+```
+
+If multiple ACSs are required, they can be specified in a similar way, but using indexes: these indexes are used to enumerate and
+identify attribute consuming services within the SP metadata and can be subsequently used in the auth process to specify which
+attribute set should be requested to the IdP. The "default" property can also be set to designate the default ACS. Here is an example:
+
+```properties
+onelogin.saml2.sp.attribute_consuming_service[0].name = Just e-mail
+onelogin.saml2.sp.attribute_consuming_service[0].attribute[0].name = Email
+onelogin.saml2.sp.attribute_consuming_service[0].attribute[0].name_format = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+onelogin.saml2.sp.attribute_consuming_service[0].attribute[0].friendly_name = E-mail address
+onelogin.saml2.sp.attribute_consuming_service[0].attribute[0].required = true
+onelogin.saml2.sp.attribute_consuming_service[0].attribute[0].value[0] = foo@example.org
+onelogin.saml2.sp.attribute_consuming_service[0].attribute[0].value[1] = bar@example.org
+onelogin.saml2.sp.attribute_consuming_service[1].name = Anagrafica
+onelogin.saml2.sp.attribute_consuming_service[1].description = Set completo
+onelogin.saml2.sp.attribute_consuming_service[1].lang = it
+onelogin.saml2.sp.attribute_consuming_service[1].default = true
+onelogin.saml2.sp.attribute_consuming_service[1].attribute[0].name = FirstName
+onelogin.saml2.sp.attribute_consuming_service[1].attribute[1].name = LastName
+onelogin.saml2.sp.attribute_consuming_service[1].attribute[1].required = true
+```
+
+Please note that if you specify (multiple) indexed Attribute Consuming Services, the non-indexed properties will be ignored.
+
+As said, to request a specific attribute set when initiating SSO, a selection mechanism is available:
+
+```java
+import static com.onelogin.saml2.authn.AttributeConsumingServiceSelector.*;
+Auth auth = new Auth(request, response);
+// select by index 1
+auth.login(new AuthnRequestParams(false, false, true, byIndex(1));
+// or select by ACS name
+auth.login(new AuthnRequestParams(false, false, true, byServiceName(auth.getSettings(), "Anagrafica"));
+// or see AttributeConsumingServiceSelector interface implementations for more options
 ```
+
+If no selector is specified, `AttributeConsumingServiceSelector.useDefault()` will be used, which will simply omit any
+`AttributeConsumingServiceIndex` from the request, hence leaving the IdP choose the default attribute set agreed upon.
+
+Then, the following code handles the SAML response that the IdP forwards to the SP through the user's client:
+
+```java
 Auth auth = new Auth(request, response);
 auth.processResponse();
 if (!auth.isAuthenticated()) {

core/src/main/java/com/onelogin/saml2/authn/AttributeConsumingServiceSelector.java

@@ -0,0 +1,75 @@
+package com.onelogin.saml2.authn;
+
+import java.util.List;
+
+import com.onelogin.saml2.model.AttributeConsumingService;
+import com.onelogin.saml2.settings.Saml2Settings;
+
+/**
+ * Interfaced used to select the Attribute Consuming Service to be specified in
+ * an authentication request. An instance of this interface can be passed as an
+ * input parameter in a {@link AuthnRequestParams} to be used when initiating a
+ * login operation.
+ * <p>
+ * A set of predefined implementations are provided: they should cover the most
+ * common cases.
+ */
+@FunctionalInterface
+public interface AttributeConsumingServiceSelector {
+
+	/**
+	 * @return a selector of the default Attribute Consuming Service
+	 */
+	static AttributeConsumingServiceSelector useDefault() {
+		return () -> null;
+	}
+
+	/**
+	 * @param attributeConsumingService
+	 *              the Attribute Consuming Service to select
+	 * @return a selector the chooses the specified Attribute Consuming Service;
+	 *         indeed, its index is used
+	 */
+	static AttributeConsumingServiceSelector use(final AttributeConsumingService attributeConsumingService) {
+		return byIndex(attributeConsumingService.getIndex());
+	}
+
+	/**
+	 * @param index
+	 *              the index of the Attribute Consuming Service to select
+	 * @return a selector that chooses the Attribute Consuming Service with the
+	 *         given index
+	 */
+	static AttributeConsumingServiceSelector byIndex(final int index) {
+		return () -> index;
+	}
+
+	/**
+	 * @param settings
+	 *              the SAML settings, containing the list of the available
+	 *              Attribute Consuming Services (see
+	 *              {@link Saml2Settings#getSpAttributeConsumingServices()})
+	 * @param serviceName
+	 *              the name of the Attribute Consuming Service to select
+	 * @return a selector that chooses the Attribute Consuming Service with the
+	 *         given name; please note that this selector will select the default
+	 *         service if no one is found with the given name
+	 */
+	static AttributeConsumingServiceSelector byServiceName(final Saml2Settings settings, final String serviceName) {
+		return () -> {
+			final List<AttributeConsumingService> services = settings.getSpAttributeConsumingServices();
+			if (services != null)
+				return services.stream().filter(service -> service.getServiceName().equals(serviceName))
+				            .findFirst().map(AttributeConsumingService::getIndex).orElse(null);
+			else
+				return null;
+		};
+	}
+
+	/**
+	 * Returns the index of the selected Attribute Consuming Service.
+	 * 
+	 * @return the service index, or <code>null</code> if the default one should be selected
+	 */
+	Integer getAttributeConsumingServiceIndex();
+}

core/src/main/java/com/onelogin/saml2/authn/AuthnRequest.java

@@ -262,6 +262,12 @@ private StrSubstitutor generateSubstitutor(AuthnRequestParams params, Saml2Setti
 		}
 
 		valueMap.put("requestedAuthnContextStr", requestedAuthnContextStr);
+		
+		String attributeConsumingServiceIndexStr = "";
+		final Integer acsIndex = params.getAttributeConsumingServiceSelector().getAttributeConsumingServiceIndex();
+		if (acsIndex != null)
+			attributeConsumingServiceIndexStr = " AttributeConsumingServiceIndex=\"" + acsIndex + "\"";
+		valueMap.put("attributeConsumingServiceIndexStr", attributeConsumingServiceIndexStr);
 
 		return new StrSubstitutor(valueMap);
 	}
@@ -271,7 +277,7 @@ private StrSubstitutor generateSubstitutor(AuthnRequestParams params, Saml2Setti
 	 */
 	private static StringBuilder getAuthnRequestTemplate() {
 		StringBuilder template = new StringBuilder();
-		template.append("<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"${id}\" Version=\"2.0\" IssueInstant=\"${issueInstant}\"${providerStr}${forceAuthnStr}${isPassiveStr}${destinationStr} ProtocolBinding=\"${protocolBinding}\" AssertionConsumerServiceURL=\"${assertionConsumerServiceURL}\">");
+		template.append("<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"${id}\" Version=\"2.0\" IssueInstant=\"${issueInstant}\"${providerStr}${forceAuthnStr}${isPassiveStr}${destinationStr} ProtocolBinding=\"${protocolBinding}\" AssertionConsumerServiceURL=\"${assertionConsumerServiceURL}${attributeConsumingServiceIndexStr}\">");
 		template.append("<saml:Issuer>${spEntityid}</saml:Issuer>");
 		template.append("${subjectStr}${nameIDPolicyStr}${requestedAuthnContextStr}</samlp:AuthnRequest>");
 		return template;

core/src/main/java/com/onelogin/saml2/authn/AuthnRequestParams.java

@@ -22,8 +22,15 @@ public class AuthnRequestParams {
 	 */
 	private final String nameIdValueReq;
 
+	/*
+	 * / Selector to use to specify the Attribute Consuming Service index
+	 */
+	private AttributeConsumingServiceSelector attributeConsumingServiceSelector;
+
 	/**
-	 * Create a set of authentication request input parameters.
+	 * Create a set of authentication request input parameters. The
+	 * {@link AttributeConsumingServiceSelector#useDefault()} selector is used to
+	 * select the Attribute Consuming Service.
 	 *
 	 * @param forceAuthn
 	 *              whether the <code>ForceAuthn</code> attribute should be set to
@@ -35,11 +42,13 @@ public class AuthnRequestParams {
 	 *              whether a <code>NameIDPolicy</code> should be set
 	 */
 	public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy) {
-		this(forceAuthn, isPassive, setNameIdPolicy, null);
+		this(forceAuthn, isPassive, setNameIdPolicy, null, null);
 	}
 
 	/**
-	 * Create a set of authentication request input parameters.
+	 * Create a set of authentication request input parameters. The
+	 * {@link AttributeConsumingServiceSelector#useDefault()} selector is used to
+	 * select the Attribute Consuming Service.
 	 *
 	 * @param forceAuthn
 	 *              whether the <code>ForceAuthn</code> attribute should be set to
@@ -53,10 +62,57 @@ public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setName
 	 *              the subject that should be authenticated
 	 */
 	public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy, String nameIdValueReq) {
+		this(forceAuthn, isPassive, setNameIdPolicy, nameIdValueReq, null);
+	}
+
+	/**
+	 * Create a set of authentication request input parameters.
+	 *
+	 * @param forceAuthn
+	 *              whether the <code>ForceAuthn</code> attribute should be set to
+	 *              <code>true</code>
+	 * @param isPassive
+	 *              whether the <code>isPassive</code> attribute should be set to
+	 *              <code>true</code>
+	 * @param setNameIdPolicy
+	 *              whether a <code>NameIDPolicy</code> should be set
+	 * @param attributeConsumingServiceSelector
+	 *              the selector to use to specify the Attribute Consuming Service
+	 *              index; if <code>null</code>,
+	 *              {@link AttributeConsumingServiceSelector#useDefault()} is used
+	 */
+	public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy,
+	            AttributeConsumingServiceSelector attributeConsumingServiceSelector) {
+		this(forceAuthn, isPassive, setNameIdPolicy, null, attributeConsumingServiceSelector);
+	}
+
+	/**
+	 * Create a set of authentication request input parameters.
+	 *
+	 * @param forceAuthn
+	 *              whether the <code>ForceAuthn</code> attribute should be set to
+	 *              <code>true</code>
+	 * @param isPassive
+	 *              whether the <code>isPassive</code> attribute should be set to
+	 *              <code>true</code>
+	 * @param setNameIdPolicy
+	 *              whether a <code>NameIDPolicy</code> should be set
+	 * @param nameIdValueReq
+	 *              the subject that should be authenticated
+	 * @param attributeConsumingServiceSelector
+	 *              the selector to use to specify the Attribute Consuming Service
+	 *              index; if <code>null</code>,
+	 *              {@link AttributeConsumingServiceSelector#useDefault()} is used
+	 */
+	public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy, String nameIdValueReq,
+	            AttributeConsumingServiceSelector attributeConsumingServiceSelector) {
 		this.forceAuthn = forceAuthn;
 		this.isPassive = isPassive;
 		this.setNameIdPolicy = setNameIdPolicy;
 		this.nameIdValueReq = nameIdValueReq;
+		this.attributeConsumingServiceSelector = attributeConsumingServiceSelector != null
+		            ? attributeConsumingServiceSelector
+		            : AttributeConsumingServiceSelector.useDefault();
 	}
 
 	/**
@@ -71,6 +127,7 @@ protected AuthnRequestParams(AuthnRequestParams source) {
 		this.isPassive = source.isPassive();
 		this.setNameIdPolicy = source.isSetNameIdPolicy();
 		this.nameIdValueReq = source.getNameIdValueReq();
+		this.attributeConsumingServiceSelector = source.getAttributeConsumingServiceSelector();
 	}
 
 	/**
@@ -102,4 +159,11 @@ protected boolean isSetNameIdPolicy() {
 	protected String getNameIdValueReq() {
 		return nameIdValueReq;
 	}
+
+	/**
+	 * @return the selector to use to specify the Attribute Consuming Service index
+	 */
+	public AttributeConsumingServiceSelector getAttributeConsumingServiceSelector() {
+		return attributeConsumingServiceSelector;
+	}
 }