break out saml1 response building from views

docs/cas-server-documentation/configuration/Configuration-Properties.md

@@ -4185,7 +4185,7 @@ The signing and encryption keys [are both JWKs](Configuration-Properties-Common.
 
 #### Spring Webflow Client-Side Session
 
-The encryption key must be randomly-generated string of size f`16`. The signing key [is a JWK](Configuration-Properties-Common.html#signing--encryption) of size `512`.
+The encryption key must be randomly-generated string of size `16`. The signing key [is a JWK](Configuration-Properties-Common.html#signing--encryption) of size `512`.
 
 Signing & encryption settings for this feature are available [here](Configuration-Properties-Common.html#signing--encryption) under the configuration key `cas.webflow`.
 

docs/cas-server-documentation/protocol/SAML-Protocol.md

@@ -36,7 +36,15 @@ Support is enabled by including the following dependency in the WAR overlay:
 </dependency>
 ```
 
-## Sample Request
+### Administrative Endpoints
+
+The following endpoints are provided by CAS:
+
+| Endpoint          | Description
+|-------------------|---------------------------------------------------------------------------------------------------
+| `samlValidate`    | Obtain a SAML 1.1 validation payload by supplying a `username`, `password` and `service` as parameters.
+
+### Sample Request
 
 ```xml
 POST /cas/samlValidate?ticket=
@@ -58,7 +66,7 @@ Content-Type: text/xml
 </SOAP-ENV:Envelope>
 ```
 
-## Sample Response
+### Sample Response
 
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>

docs/cas-server-documentation/webflow/Webflow-Customization-Interrupt.md

@@ -112,7 +112,7 @@ The following parameters are passed to the script:
 | Parameter             | Description
 |------------------------------------------------------------------------------------------------------------------------
 | `uid`                 | Authenticated principal id.
-| `attributes`          | A map of type `Map<String, Objec>` that contains both principal and authentication attributes. 
+| `attributes`          | A map of type `Map<String, Object>` that contains both principal and authentication attributes. 
 | `service`             | The identifier (i.e. URL) of the requesting application.
 | `logger`              | The object responsible for issuing log messages such as `logger.info(...)`.
 

gradle/dependencies.gradle

@@ -1508,11 +1508,6 @@ ext.libraries = [
                     exclude(module: "commons-io")
                     force = true
                 },
-                dependencies.create("com.unboundid:unboundid-ldapsdk:$unboundidVersion") {
-                    exclude(group: "org.slf4j", module: "slf4j-api")
-                    exclude(group: "commons-cli", module: "commons-cli")
-                    force = true
-                },
                 dependencies.create("org.mockito:mockito-core:$mockitoVersion") {
                     exclude(group: "org.hamcrest", module: "hamcrest-core")
                     exclude(group: "org.objenesis", module: "objenesis")
@@ -1625,6 +1620,11 @@ ext.libraries = [
                     exclude(group: "commons-cli", module: "commons-cli")
                     exclude(group: "com.unboundid", module: "unboundid-ldapsdk")
                     force = true
+                },
+                dependencies.create("com.unboundid:unboundid-ldapsdk:$unboundidVersion") {
+                    exclude(group: "org.slf4j", module: "slf4j-api")
+                    exclude(group: "commons-cli", module: "commons-cli")
+                    force = true
                 }
         ],
         log4j                   : [

gradle/webapp.gradle

@@ -50,7 +50,7 @@ dependencies {
     implementation project(":support:cas-server-support-reports")
     implementation project(":support:cas-server-support-throttle")
     implementation project(":support:cas-server-support-validation")
-
+    
     implementation project(":webapp:cas-server-webapp-config")
     implementation project(":webapp:cas-server-webapp-init")
 

support/cas-server-support-saml-core-api/src/main/java/org/apereo/cas/support/saml/util/AbstractSamlObjectBuilder.java

@@ -347,7 +347,7 @@ protected void addAttributeValuesToSamlAttribute(final String attributeName,
             return;
         }
 
-        LOGGER.debug("Attempting to generate SAML attribute [{}] with value(s) [{}]", attributeName, attributeValue);
+        LOGGER.trace("Attempting to generate SAML attribute [{}] with value(s) [{}]", attributeName, attributeValue);
         if (attributeValue instanceof Collection<?>) {
             val c = (Collection<?>) attributeValue;
             LOGGER.debug("Generating multi-valued SAML attribute [{}] with values [{}]", attributeName, c);

support/cas-server-support-saml/src/main/java/org/apereo/cas/config/SamlConfiguration.java

@@ -4,14 +4,18 @@
 import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan;
 import org.apereo.cas.authentication.AuthenticationSystemSupport;
 import org.apereo.cas.authentication.ProtocolAttributeEncoder;
+import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
 import org.apereo.cas.authentication.principal.ResponseBuilder;
+import org.apereo.cas.authentication.principal.ServiceFactory;
+import org.apereo.cas.authentication.principal.WebApplicationService;
 import org.apereo.cas.configuration.CasConfigurationProperties;
 import org.apereo.cas.services.ServicesManager;
 import org.apereo.cas.support.saml.OpenSamlConfigBean;
 import org.apereo.cas.support.saml.authentication.SamlResponseBuilder;
 import org.apereo.cas.support.saml.authentication.principal.SamlServiceResponseBuilder;
 import org.apereo.cas.support.saml.util.Saml10ObjectBuilder;
 import org.apereo.cas.support.saml.web.SamlValidateController;
+import org.apereo.cas.support.saml.web.SamlValidateEndpoint;
 import org.apereo.cas.support.saml.web.view.Saml10FailureResponseView;
 import org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView;
 import org.apereo.cas.ticket.proxy.ProxyHandler;
@@ -26,6 +30,7 @@
 import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.boot.actuate.autoconfigure.endpoint.condition.ConditionalOnEnabledEndpoint;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.cloud.context.config.annotation.RefreshScope;
@@ -52,6 +57,10 @@ public class SamlConfiguration {
     @Autowired
     private CasConfigurationProperties casProperties;
 
+    @Autowired
+    @Qualifier("webApplicationServiceFactory")
+    private ObjectProvider<ServiceFactory<WebApplicationService>> webApplicationServiceFactory;
+
     @Autowired
     @Qualifier("casAttributeEncoder")
     private ObjectProvider<ProtocolAttributeEncoder> protocolAttributeEncoder;
@@ -70,7 +79,7 @@ public class SamlConfiguration {
 
     @Autowired
     @Qualifier("shibboleth.OpenSAMLConfig")
-    private ObjectProvider<OpenSamlConfigBean> configBean;
+    private ObjectProvider<OpenSamlConfigBean> openSamlConfigBean;
 
     @Autowired
     @Qualifier("servicesManager")
@@ -151,7 +160,7 @@ public ResponseBuilder samlServiceResponseBuilder() {
     @ConditionalOnMissingBean(name = "saml10ObjectBuilder")
     @Bean
     public Saml10ObjectBuilder saml10ObjectBuilder() {
-        return new Saml10ObjectBuilder(this.configBean.getIfAvailable());
+        return new Saml10ObjectBuilder(this.openSamlConfigBean.getIfAvailable());
     }
 
     @Bean
@@ -170,4 +179,15 @@ public SamlValidateController samlValidateController() {
             validationAuthorizers.getIfAvailable(),
             casProperties.getSso().isRenewAuthnEnabled());
     }
+
+    @Bean
+    @ConditionalOnEnabledEndpoint
+    public SamlValidateEndpoint samlValidateEndpoint() {
+        return new SamlValidateEndpoint(casProperties, servicesManager.getIfAvailable(),
+            authenticationSystemSupport.getIfAvailable(),
+            webApplicationServiceFactory.getIfAvailable(),
+            PrincipalFactoryUtils.newPrincipalFactory(),
+            samlResponseBuilder(),
+            openSamlConfigBean.getIfAvailable());
+    }
 }

support/cas-server-support-saml/src/main/java/org/apereo/cas/support/saml/authentication/SamlResponseBuilder.java

@@ -41,6 +41,13 @@ public class SamlResponseBuilder {
     private final ProtocolAttributeEncoder protocolAttributeEncoder;
     private final ServicesManager servicesManager;
 
+    /**
+     * Create response.
+     *
+     * @param serviceId the service id
+     * @param service   the service
+     * @return the response
+     */
     public Response createResponse(final String serviceId, final WebApplicationService service) {
         return this.samlObjectBuilder.newResponse(
             this.samlObjectBuilder.generateSecureRandomId(),

support/cas-server-support-saml/src/main/java/org/apereo/cas/support/saml/web/SamlValidateEndpoint.java

@@ -9,15 +9,14 @@
 import org.apereo.cas.authentication.principal.WebApplicationService;
 import org.apereo.cas.configuration.CasConfigurationProperties;
 import org.apereo.cas.services.ServicesManager;
+import org.apereo.cas.support.saml.OpenSamlConfigBean;
+import org.apereo.cas.support.saml.SamlUtils;
 import org.apereo.cas.support.saml.authentication.SamlResponseBuilder;
-import org.apereo.cas.util.CollectionUtils;
-import org.apereo.cas.validation.DefaultAssertionBuilder;
 import org.apereo.cas.web.BaseCasMvcEndpoint;
 
 import lombok.val;
 import org.springframework.boot.actuate.endpoint.annotation.Endpoint;
 import org.springframework.boot.actuate.endpoint.annotation.ReadOperation;
-import org.springframework.web.servlet.View;
 
 import java.util.LinkedHashMap;
 import java.util.Map;
@@ -35,21 +34,32 @@ public class SamlValidateEndpoint extends BaseCasMvcEndpoint {
     private final ServiceFactory<WebApplicationService> serviceFactory;
     private final PrincipalFactory principalFactory;
     private final SamlResponseBuilder samlResponseBuilder;
+    private final OpenSamlConfigBean openSamlConfigBean;
 
     public SamlValidateEndpoint(final CasConfigurationProperties casProperties,
                                 final ServicesManager servicesManager,
                                 final AuthenticationSystemSupport authenticationSystemSupport,
                                 final ServiceFactory<WebApplicationService> serviceFactory,
                                 final PrincipalFactory principalFactory,
-                                final SamlResponseBuilder samlResponseBuilder) {
+                                final SamlResponseBuilder samlResponseBuilder,
+                                final OpenSamlConfigBean openSamlConfigBean) {
         super(casProperties);
         this.servicesManager = servicesManager;
         this.authenticationSystemSupport = authenticationSystemSupport;
         this.serviceFactory = serviceFactory;
         this.principalFactory = principalFactory;
         this.samlResponseBuilder = samlResponseBuilder;
+        this.openSamlConfigBean = openSamlConfigBean;
     }
 
+    /**
+     * Handle validation request and produce saml1 payload.
+     *
+     * @param username the username
+     * @param password the password
+     * @param service  the service
+     * @return the map
+     */
     @ReadOperation
     public Map<String, Object> handle(final String username,
                                       final String password,
@@ -75,7 +85,8 @@ public Map<String, Object> handle(final String username,
             finalAuthentication.getAttributes(), principal.getAttributes());
 
         val resValidation = new LinkedHashMap<String, Object>();
-        resValidation.put(CasViewConstants.MODEL_ATTRIBUTE_NAME_ASSERTION, samlResponse);
+        val encoded = SamlUtils.transformSamlObject(this.openSamlConfigBean, samlResponse).toString();
+        resValidation.put(CasViewConstants.MODEL_ATTRIBUTE_NAME_ASSERTION, encoded);
         resValidation.put(CasViewConstants.MODEL_ATTRIBUTE_NAME_SERVICE, selectedService);
         resValidation.put("registeredService", registeredService);