Wilgeno

SAMLAssertionValidation

Oct 17th, 2016
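  <!--- SAML Assertion Validation --->

  <cfscript>
      // Validates the XML Signature on the SAML 2.0 Assertion contained in an IdP
      // response and, only if the signature verifies against the configured
      // certificate, exposes:
      //   isValid        - true/false result of the signature check
      //   SAMLConditions - struct: .before (NotBefore) / .after (NotOnOrAfter), raw xs:dateTime strings
      //   SAMLAttributes - struct keyed by saml:Attribute Name -> text of the first AttributeValue
      // Input: rawdata.content holds the posted body ("SAMLResponse=<url-encoded base64>").
      // Every failure is reported through the catch blocks below and the request is aborted.
      isValid = 0;
      assertionNS = "urn:oasis:names:tc:SAML:2.0:assertion";
      // Tolerated clock difference (seconds) between this host and the IdP when
      // enforcing the NotBefore / NotOnOrAfter window.
      clockSkewSeconds = 180;

      try {
          if (!len(trim(rawdata.content))) {
              throw("No content in response body","custom");
          }
          // Keep only the value of the first "name=value" pair; a limit of 2 keeps any
          // '=' padding that belongs to the base64 value, and anything after '&'
          // (e.g. RelayState) is dropped.
          rawdata.content = rawdata.content.split("=", 2)[2];
          rawdata.content = listFirst(rawdata.content, "&");
          rawdata.content = urlDecode(rawdata.content);

          xmlResponse = CharsetEncode(BinaryDecode(rawdata.content,"base64" ),"utf-8" );
          if (!isXML(xmlResponse)) {
              throw("Not Valid XML","custom");
          }
          // NOTE(review): XMLParse receives IdP-supplied XML; external entity / DTD
          // processing must be disabled at the parser or server level — confirm.
          docElement = XMLParse(xmlResponse).getDocumentElement();

          CreateObject("Java", "org.apache.xml.security.Init").Init().init();

          // IdP is signing the SAML Response using a "non standard" ID attribute, which is only
          // supported in DOM3 and XMLBeans does not support DOM3; the Assertion ID must be
          // registered before Signature Validation.
          assertionNodes = docElement.getElementsByTagNameNS(assertionNS, "Assertion");
          if (assertionNodes.getLength() EQ 0) {
              throw("No Assertion element in response","custom");
          }
          // All data below is read from this one element, so that only content covered
          // by the verified signature is ever trusted.
          assertionElement = assertionNodes.item(0);
          idAttr = assertionElement.getAttributes().getNamedItem("ID");
          if (isNull(idAttr)) {
              throw("Assertion has no ID attribute","custom");
          }
          assertionId = idAttr.getNodeValue();
          idResolver = CreateObject("Java", "org.apache.xml.security.utils.IdResolver");
          idResolver.registerElementById(assertionElement, idAttr);
          // end compensating for "non standard" ID

          SignatureConstants = CreateObject("Java", "org.apache.xml.security.utils.Constants");
          SignatureSpecNS = SignatureConstants.SignatureSpecNS;

          // Verify the Signature that belongs to the Assertion itself (not one found by
          // document-wide position), and require that its single Reference points at the
          // Assertion's own ID so the verified bytes are the element we read from.
          // NOTE(review): assumes the registered ID is unique among elements — confirm.
          signatureNodes = assertionElement.getElementsByTagNameNS(SignatureSpecNS, "Signature");
          if (signatureNodes.getLength() EQ 0) {
              throw("Assertion is not signed","custom");
          }
          XMLSignatureClass = CreateObject("Java","org.apache.xml.security.signature.XMLSignature");
          xmlSignature = XMLSignatureClass.init(signatureNodes.item(0), "");
          signedInfo = xmlSignature.getSignedInfo();
          if (signedInfo.getLength() NEQ 1 || signedInfo.item(0).getURI() NEQ ("##" & assertionId)) {
              throw("Signature does not reference the Assertion","custom");
          }

          // get x509 cert from Keystore - you must import into keystore first
          // NOTE(review): keystore path, password and alias are hard-coded; they should be
          // read from configuration rather than committed with the page.
          keyResolver = createObject("component", "com.Keystore").init("C:\Java\jdk1.7.0_55\jre\lib\security\cacerts","changeit","uat-wahbexchange");
          x509cert = keyResolver.getX509Certificate();

          isValid = xmlSignature.checkSignatureValue(x509cert);
          if (!isValid) {
              throw("Signatures do not match","custom");
          }

          // Extract conditions (from the signed Assertion only)
          SAMLConditions = {};
          conditionNodes = assertionElement.getElementsByTagNameNS(assertionNS, "Conditions");
          if (conditionNodes.getLength() EQ 0) {
              throw("Assertion has no Conditions element","custom");
          }
          conditions = conditionNodes.item(0).getAttributes();
          notBeforeAttr = conditions.getNamedItem("NotBefore");
          notOnOrAfterAttr = conditions.getNamedItem("NotOnOrAfter");
          if (isNull(notBeforeAttr) || isNull(notOnOrAfterAttr)) {
              throw("Conditions is missing NotBefore or NotOnOrAfter","custom");
          }
          SAMLConditions.before = notBeforeAttr.getNodeValue();
          SAMLConditions.after = notOnOrAfterAttr.getNodeValue();

          // Enforce the validity window: an assertion is only accepted while
          // NotBefore - skew <= now < NotOnOrAfter + skew.
          dtConverter = CreateObject("Java", "javax.xml.bind.DatatypeConverter");
          nowMillis = CreateObject("Java", "java.lang.System").currentTimeMillis();
          notBeforeMillis = dtConverter.parseDateTime(SAMLConditions.before).getTimeInMillis();
          notOnOrAfterMillis = dtConverter.parseDateTime(SAMLConditions.after).getTimeInMillis();
          skewMillis = clockSkewSeconds * 1000;
          if ((nowMillis + skewMillis) LT notBeforeMillis || (nowMillis - skewMillis) GTE notOnOrAfterMillis) {
              throw("Assertion is outside its validity window","custom");
          }

          // Extract SAML Attribute Data: Name -> first AttributeValue text.
          // An Assertion without an AttributeStatement yields an empty struct.
          SAMLAttributes = StructNew();
          statementNodes = assertionElement.getElementsByTagNameNS(assertionNS, "AttributeStatement");
          if (statementNodes.getLength() GT 0) {
              attributeNodes = statementNodes.item(0).getElementsByTagNameNS(assertionNS, "Attribute");
              for (attNo = 0; attNo LT attributeNodes.getLength(); attNo = attNo + 1) {
                  attributeNode = attributeNodes.item(attNo);
                  nameAttr = attributeNode.getAttributes().getNamedItem("Name");
                  if (isNull(nameAttr)) {
                      continue;
                  }
                  name = nameAttr.getTextContent();
                  valueNodes = attributeNode.getElementsByTagNameNS(assertionNS, "AttributeValue");
                  value = (valueNodes.getLength() GT 0) ? valueNodes.item(0).getTextContent() : "";
                  SAMLAttributes[name] = value;
              }
          }
      }
      catch (custom e) {
          writeDump(e.message);
          abort;
      }
      catch (any e) {
          // NOTE(review): this echoes internal exception text to the client; consider
          // logging e and emitting a generic message instead.
          writeOutput(e.message);
          abort;
      }
  </cfscript>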