I'm trying to retrieve the RoleDescriptor node from a Service Provider metadata file (SAML 2.0) using the following code and the OpenSAML libraries:
```java
import java.util.List;

import org.opensaml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.RoleDescriptor;

EntitiesDescriptor entityDescriptors = getConfiguration(providerId);
EntityDescriptor ed = entityDescriptors.getEntityDescriptors().get(0);
// getRoleDescriptors() already returns List<RoleDescriptor>, so no cast is needed
List<RoleDescriptor> roleDescriptors = ed.getRoleDescriptors();
if (roleDescriptors != null && !roleDescriptors.isEmpty()) {
    RoleDescriptor r = roleDescriptors.get(0);
    return r.getErrorURL();
}
```
My issue is that the variable r ends up being of type org.opensaml.saml2.metadata.impl.SPSSODescriptorImpl and not org.opensaml.saml2.metadata.impl.RoleDescriptorImpl.
This is the metadata xml file I'm using:
```xml
<EntityDescriptor entityID="http://mysp.com/resource">
  <RoleDescriptor errorURL="http://localhost:8080/dummy-sp/error.jsp">
  </RoleDescriptor>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256">
      </EncryptionMethod>
    </KeyDescriptor>
    <AssertionConsumerService index="1"
        isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8080/dummy-sp/dummysp" />
  </SPSSODescriptor>
  <Organization>
    <OrganizationName xml:lang="en">Your Service</OrganizationName>
    <OrganizationDisplayName xml:lang="en">Your Service</OrganizationDisplayName>
    <OrganizationURL xml:lang="en">http://sp.example.org/</OrganizationURL>
  </Organization>
  <ContactPerson contactType="technical">
    <GivenName>Your</GivenName>
    <SurName>Admin</SurName>
    <EmailAddress>admin@example.org</EmailAddress>
  </ContactPerson>
</EntityDescriptor>
```
And finally here is a screenshot of my Eclipse debugging screen:
I tried to validate your metadata XML using the method described here: https://wiki.surfnet.nl/display/OpenConext/Validating+SAML2+metadata

After adding the metadata namespace, it reports this for the RoleDescriptor element:

Schemas validity error : Element '{urn:oasis:names:tc:SAML:2.0:metadata}RoleDescriptor': The type definition is abstract.
As the SAML metadata spec says:

"The RoleDescriptor element is an abstract extension point that contains common descriptive information intended to provide processing commonality across different roles. New roles can be defined by extending its abstract RoleDescriptorType complex type."

So you cannot have a RoleDescriptor element in your metadata XML. Either you have to use a concrete role described in the spec (SSO Identity Provider, SSO Service Provider, Authentication Authority, Attribute Authority, Policy Decision Point, Affiliation) or extend the abstract RoleDescriptor.
For the same reason, org.opensaml.saml2.metadata.impl.RoleDescriptorImpl is an abstract class in OpenSAML, and the implementations of the concrete roles extend this abstract class.
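The concrete-role approach from the answer above, as an added worked example that is not part of the question or the answer: the errorURL attribute is defined on RoleDescriptorType, so every concrete role (including SPSSODescriptor) inherits it, and the abstract RoleDescriptor element can simply be dropped. The metadata string below is constructed for this example (it declares the metadata namespace and moves errorURL onto SPSSODescriptor); the class name SpErrorUrlReader and the helper methods unmarshal and spErrorUrl are this example's own names, not OpenSAML API. The OpenSAML 2.x calls used (DefaultBootstrap.bootstrap, BasicParserPool, Configuration.getUnmarshallerFactory, EntityDescriptor.getSPSSODescriptor, RoleDescriptor.getErrorURL) are the library's own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.RoleDescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.parse.BasicParserPool;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class SpErrorUrlReader {

    // Constructed metadata for this example (not the asker's file): the abstract
    // <RoleDescriptor> element is gone and its errorURL attribute now sits on the
    // concrete SPSSODescriptor role, which inherits it from RoleDescriptorType.
    // The SAML 2.0 metadata namespace is declared as the default namespace.
    static final String METADATA =
        "<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\""
      + " entityID=\"http://mysp.com/resource\">"
      + "  <SPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\""
      + "      errorURL=\"http://localhost:8080/dummy-sp/error.jsp\">"
      + "    <AssertionConsumerService index=\"1\" isDefault=\"true\""
      + "        Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\""
      + "        Location=\"http://localhost:8080/dummy-sp/dummysp\"/>"
      + "  </SPSSODescriptor>"
      + "</EntityDescriptor>";

    /** Parses one EntityDescriptor document and unmarshals it into OpenSAML objects. */
    static EntityDescriptor unmarshal(String xml) throws Exception {
        DefaultBootstrap.bootstrap();                 // registers the SAML 2 object providers
        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);                 // metadata elements are namespace-qualified
        Document doc = pool.parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Element root = doc.getDocumentElement();
        Unmarshaller um = Configuration.getUnmarshallerFactory().getUnmarshaller(root);
        return (EntityDescriptor) um.unmarshall(root);
    }

    /**
     * Returns the errorURL of the SP role, or null when the entity carries no SP role
     * for the SAML 2.0 protocol. The typed accessor is used instead of get(0) on
     * getRoleDescriptors(), so the result does not depend on element order in the file.
     */
    static String spErrorUrl(EntityDescriptor ed) {
        SPSSODescriptor sp = ed.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
        return sp == null ? null : sp.getErrorURL();
    }

    public static void main(String[] args) throws Exception {
        EntityDescriptor ed = unmarshal(METADATA);

        // Every entry in getRoleDescriptors() is a concrete role; RoleDescriptorImpl itself
        // is abstract, so instanceof is how you find out which role you are holding.
        for (RoleDescriptor r : ed.getRoleDescriptors()) {
            System.out.println(r.getElementQName().getLocalPart() + " -> "
                + r.getClass().getName()
                + (r instanceof SPSSODescriptor ? " (SP role)" : ""));
        }
        System.out.println("errorURL = " + spErrorUrl(ed));
    }
}
```

Run with the OpenSAML 2.x jars (and their xmltooling/openws dependencies) on the classpath. In a real deployment the metadata should be fetched from a trusted source or signature-checked before any value in it, errorURL and AssertionConsumerService Location included, is used to build redirects.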