From 499350065f6b24f1c083d4ea518a83e0ea02017d Mon Sep 17 00:00:00 2001 From: Ray Lee Date: Fri, 17 Nov 2023 15:01:47 -0500 Subject: [PATCH] Add decryption-x509-credentials to SAML relying party config. --- .../services/common/security/SecurityConfig.java | 16 ++++++++++++++++ .../config/src/main/resources/service-config.xsd | 9 +++++++++ 2 files changed, 25 insertions(+) diff --git a/services/common/src/main/java/org/collectionspace/services/common/security/SecurityConfig.java b/services/common/src/main/java/org/collectionspace/services/common/security/SecurityConfig.java index 46ac92944..d2858b44d 100644 --- a/services/common/src/main/java/org/collectionspace/services/common/security/SecurityConfig.java +++ b/services/common/src/main/java/org/collectionspace/services/common/security/SecurityConfig.java @@ -923,6 +923,22 @@ public class SecurityConfig { }); } + if (relyingPartyConfig.getDecryptionX509Credentials() != null) { + registrationBuilder.decryptionX509Credentials(new Consumer>() { + @Override + public void accept(Collection credentials) { + for (X509CredentialType credentialConfig : relyingPartyConfig.getDecryptionX509Credentials().getX509Credential()) { + PrivateKey privateKey = privateKeyFromUrl(credentialConfig.getPrivateKey().getLocation()); + X509Certificate certificate = certificateFromConfig(credentialConfig.getX509Certificate()); + + if (certificate != null) { + credentials.add(Saml2X509Credential.decryption(privateKey, certificate)); + } + } + } + }); + } + registrations.add(registrationBuilder.build()); } } diff --git a/services/config/src/main/resources/service-config.xsd b/services/config/src/main/resources/service-config.xsd index 9598ba0fd..7161e0c01 100644 --- a/services/config/src/main/resources/service-config.xsd +++ b/services/config/src/main/resources/service-config.xsd @@ -261,6 +261,15 @@ + + + + The credentials used to encrypt/decrypt responses from the IdP. Required if + the IdP requires assertions to be signed. + + + + -- 2.47.3
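Review bot: A decryption credential whose certificate fails to load is dropped silently in the added `if (certificate != null)` branch, so a misconfigured certificate leaves the relying party with no decryption key and the problem only surfaces later as an undecryptable assertion from the IdP; log it or fail startup there, e.g. `log.warn("Skipping SAML decryption credential: certificate at {} could not be loaded", credentialConfig.getPrivateKey().getLocation());` (or throw, if the file's other credential loaders do). The private key is not guarded the same way: the result of `privateKeyFromUrl` is passed straight to `Saml2X509Credential.decryption`, which in Spring Security presumably rejects a null key with an exception at build time, so the two halves of one credential fail in different ways for the same kind of misconfiguration — pick one behaviour and apply it to both. The enclosing method and the loop that calls `registrations.add` start before this hunk.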
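Review bot: The annotation text added in this hunk ties decryption credentials to the wrong IdP setting: "Required if the IdP requires assertions to be signed" describes signature verification, which uses the IdP's verification certificate, whereas these credentials are only needed when the IdP encrypts assertions to the SP. Suggest `The SP key pair used to decrypt assertions from the IdP; the certificate is published in SP metadata so the IdP can encrypt to it. Required if the IdP encrypts assertions.`. Following the current wording, an operator could configure a decryption key that is never used, or omit one that is needed, and only find out when logins fail. The element and type definitions around the annotation are not visible in this rendering, so the structural part of the change is not reviewed here.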