Add support for multiple Assertion Consumer Services (ACS)

The approach is very similar to the one adopted to implement support for
multiple Attribute Consuming Services and it is 100% backward compatible
with the old way of specifying just one ACS, both from a configuration
and from an API point of view. The generated metadata and AuthnRequest
XMLs are also exactly the same as before when just one ACS is specified
with non-indexed properties.

Author: mauromol

README.md

@@ -214,6 +214,18 @@ onelogin.saml2.sp.assertion_consumer_service.url = http://localhost:8080/java-sa
 # HTTP-POST binding only
 onelogin.saml2.sp.assertion_consumer_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
 
+# The above two settings declare just one Assertion Consumer Service (ACS). As an alternative, it's also
+# possible to specify multiple Assertion Consumer Services by providing indexed properties: the index
+# is used as the ACS index as well and one of the defined services may be marked as the default one.
+# Please note that, when indexed ACS properties are present, the non-indexed ones are ignored.
+# Here is a complete example, but remember that Onelogin Toolkit still actually supports HTTP-POST binding 
+# only for response processing:
+#onelogin.saml2.sp.assertion_consumer_service[0].url = http://localhost:8081/java-saml-jspsample/acs1.jsp
+#onelogin.saml2.sp.assertion_consumer_service[0].binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
+#onelogin.saml2.sp.assertion_consumer_service[1].url = http://localhost:8081/java-saml-jspsample/acs2.jsp
+#onelogin.saml2.sp.assertion_consumer_service[1].binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
+#onelogin.saml2.sp.assertion_consumer_service[1].default = true
+
 # Specifies info about where and how the <Logout Response> message MUST be
 # returned to the requester, in this case our SP.
 onelogin.saml2.sp.single_logout_service.url = http://localhost:8080/java-saml-tookit-jspsample/sls.jsp

core/src/main/java/com/onelogin/saml2/authn/AssertionConsumerServiceSelector.java

@@ -0,0 +1,116 @@
+package com.onelogin.saml2.authn;
+
+import java.net.URL;
+
+import com.onelogin.saml2.model.AssertionConsumerService;
+
+/**
+ * Interfaced used to select the Assertion Consumer Service (ACS) to be
+ * specified in an authentication request. An instance of this interface can be
+ * passed as an input parameter in a {@link AuthnRequestParams} to be used when
+ * initiating a login operation.
+ * <p>
+ * A set of predefined implementations are provided: they should cover the most
+ * common cases.
+ */
+@FunctionalInterface
+public interface AssertionConsumerServiceSelector {
+
+	/**
+	 * Simple class holding data used to select an Assertion Consumer Service (ACS)
+	 * within an authentication request.
+	 * <p>
+	 * The index, if specified, has priority over the pair URL/protocol binding.
+	 */
+	static class AssertionConsumerServiceSelection {
+		/** Assertion Consumer Service index. */
+		public final Integer index;
+		/** Assertion Consumer Service URL. */
+		public final URL url;
+		/** Assertion Consumer Service protocol binding. */
+		public final String protocolBinding;
+
+		/**
+		 * Creates an Assertion Consumer Service selection by index.
+		 * 
+		 * @param index
+		 *              the ACS index
+		 */
+		public AssertionConsumerServiceSelection(final int index) {
+			this.index = index;
+			this.url = null;
+			this.protocolBinding = null;
+		}
+
+		/**
+		 * Creates an Assertion Consumer Service selection by URL and protocol binding.
+		 * 
+		 * @param url
+		 *              the ACS URL
+		 * @param protocolBinding
+		 *              the ACS protocol binding
+		 */
+		public AssertionConsumerServiceSelection(final URL url, final String protocolBinding) {
+			this.index = null;
+			this.url = url;
+			this.protocolBinding = protocolBinding;
+		}
+	}
+
+	/**
+	 * @return a selector of the default Assertion Consumer Service
+	 */
+	static AssertionConsumerServiceSelector useDefault() {
+		return () -> null;
+	}
+
+	/**
+	 * @param assertionConsumerService
+	 *              the Assertion Consumer Service to select
+	 * @return a selector the chooses the specified Assertion Consumer Service by
+	 *         index
+	 */
+	static AssertionConsumerServiceSelector byIndex(final AssertionConsumerService assertionConsumerService) {
+		return byIndex(assertionConsumerService.getIndex());
+	}
+
+	/**
+	 * @param assertionConsumerService
+	 *              the Assertion Consumer Service to select
+	 * @return a selector the chooses the specified Assertion Consumer Service by location URL and protocol
+	 *         binding
+	 */
+	static AssertionConsumerServiceSelector byUrlAndBinding(final AssertionConsumerService assertionConsumerService) {
+		return () -> new AssertionConsumerServiceSelection(assertionConsumerService.getLocation(), assertionConsumerService.getBinding());
+	}
+
+	/**
+	 * @param index
+	 *              the index of the Assertion Consumer Service to select
+	 * @return a selector that chooses the Assertion Consumer Service with the given
+	 *         index
+	 */
+	static AssertionConsumerServiceSelector byIndex(final int index) {
+		return () -> new AssertionConsumerServiceSelection(index);
+	}
+
+	/**
+	 * @param url
+	 *              the URL of the Assertion Consumer Service to select
+	 * @param protocolBinding
+	 *              the protocol binding of the Assertion Consumer Service to select
+	 * @return a selector that chooses the Assertion Consumer Service with the given
+	 *         URL and protocol binding
+	 */
+	static AssertionConsumerServiceSelector byUrlAndBinding(final URL url, final String protocolBinding) {
+		return () -> new AssertionConsumerServiceSelection(url, protocolBinding);
+	}
+
+	/**
+	 * Returns a description of the selected Assertion Consumer Service.
+	 * 
+	 * @return the service index, or <code>null</code> if the default one should be
+	 *         selected
+	 */
+	AssertionConsumerServiceSelection getAssertionConsumerServiceSelection();
+}

core/src/main/java/com/onelogin/saml2/authn/AuthnRequest.java

@@ -12,6 +12,8 @@
 import org.slf4j.LoggerFactory;
 
 import com.onelogin.saml2.settings.Saml2Settings;
+import com.onelogin.saml2.authn.AssertionConsumerServiceSelector.AssertionConsumerServiceSelection;
+import com.onelogin.saml2.model.AssertionConsumerService;
 import com.onelogin.saml2.model.Organization;
 import com.onelogin.saml2.util.Constants;
 import com.onelogin.saml2.util.Util;
@@ -241,8 +243,6 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
 		String issueInstantString = Util.formatDateTime(issueInstant.getTimeInMillis());
 		valueMap.put("issueInstant", issueInstantString);
 		valueMap.put("id", Util.toXml(String.valueOf(id)));
-		valueMap.put("assertionConsumerServiceURL", Util.toXml(String.valueOf(settings.getSpAssertionConsumerServiceUrl())));
-		valueMap.put("protocolBinding", Util.toXml(settings.getSpAssertionConsumerServiceBinding()));
 		valueMap.put("spEntityid", Util.toXml(settings.getSpEntityId()));
 
 		String requestedAuthnContextStr = "";
@@ -258,10 +258,37 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
 
 		valueMap.put("requestedAuthnContextStr", requestedAuthnContextStr);
 
+		String assertionConsumerServiceSelectionStr = "";
+		AssertionConsumerServiceSelection acsSelection = getAssertionConsumerServiceSelector()
+		            .getAssertionConsumerServiceSelection();
+		List<AssertionConsumerService> spAssertionConsumerServices = settings.getSpAssertionConsumerServices();
+		if (spAssertionConsumerServices.size() == 1) {
+			/*
+			 * For backward compatibility: when just one single ACS is defined in the
+			 * settings and it has index 1 (which was the default index used before
+			 * introducing multi ACS support), then select the ACS by using the URL and
+			 * binding of that ACS: indeed, the old way to specify the ACS in the
+			 * AuhtnRequest was just this.
+			 */
+			final AssertionConsumerService acs = spAssertionConsumerServices.get(0);
+			if (acsSelection == null && acs.getIndex() == 1)
+				acsSelection = AssertionConsumerServiceSelector.byUrlAndBinding(acs)
+				            .getAssertionConsumerServiceSelection();
+		}
+		if (acsSelection != null) {
+			if (acsSelection.index != null)
+				assertionConsumerServiceSelectionStr = " AssertionConsumerServiceIndex=\"" + acsSelection.index
+				            + "\"";
+			else
+				assertionConsumerServiceSelectionStr = " ProtocolBinding=\"" + Util.toXml(acsSelection.protocolBinding)
+				            + "\" AssertionConsumerServiceURL=\"" + Util.toXml(String.valueOf(acsSelection.url)) + "\"";
+		}
+		valueMap.put("assertionConsumerServiceSelection", assertionConsumerServiceSelectionStr);
+		
 		String attributeConsumingServiceIndexStr = "";
-		final Integer acsIndex = getAttributeConsumingServiceSelector().getAttributeConsumingServiceIndex();
-		if (acsIndex != null)
-			attributeConsumingServiceIndexStr = " AttributeConsumingServiceIndex=\"" + acsIndex + "\"";
+		final Integer attributeConsumingServiceIndex = getAttributeConsumingServiceSelector().getAttributeConsumingServiceIndex();
+		if (attributeConsumingServiceIndex != null)
+			attributeConsumingServiceIndexStr = " AttributeConsumingServiceIndex=\"" + attributeConsumingServiceIndex + "\"";
 		valueMap.put("attributeConsumingServiceIndexStr", attributeConsumingServiceIndexStr);
 
 		return new StrSubstitutor(valueMap);
@@ -272,7 +299,7 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
 	 */
 	private static StringBuilder getAuthnRequestTemplate() {
 		StringBuilder template = new StringBuilder();
-		template.append("<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"${id}\" Version=\"2.0\" IssueInstant=\"${issueInstant}\"${providerStr}${forceAuthnStr}${isPassiveStr}${destinationStr} ProtocolBinding=\"${protocolBinding}\" AssertionConsumerServiceURL=\"${assertionConsumerServiceURL}${attributeConsumingServiceIndexStr}\">");
+		template.append("<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"${id}\" Version=\"2.0\" IssueInstant=\"${issueInstant}\"${providerStr}${forceAuthnStr}${isPassiveStr}${destinationStr}${assertionConsumerServiceSelection}${attributeConsumingServiceIndexStr}\">");
 		template.append("<saml:Issuer>${spEntityid}</saml:Issuer>");
 		template.append("${subjectStr}${nameIDPolicyStr}${requestedAuthnContextStr}</samlp:AuthnRequest>");
 		return template;

core/src/main/java/com/onelogin/saml2/authn/AuthnRequestParams.java

@@ -23,9 +23,15 @@ public class AuthnRequestParams {
 	private final String nameIdValueReq;
 
 	/*
-	 * / Selector to use to specify the Attribute Consuming Service index
+	 * Selector to use to specify the Assertion Consumer Service that will consume
+	 * the response
 	 */
-	private AttributeConsumingServiceSelector attributeConsumingServiceSelector;
+	private final AssertionConsumerServiceSelector assertionConsumerServiceSelector;
+
+	/*
+	 * Selector to use to specify the Attribute Consuming Service index
+	 */
+	private final AttributeConsumingServiceSelector attributeConsumingServiceSelector;
 
 	/**
 	 * Create a set of authentication request input parameters. The
@@ -42,7 +48,7 @@ public class AuthnRequestParams {
 	 *              whether a <code>NameIDPolicy</code> should be set
 	 */
 	public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy) {
-		this(forceAuthn, isPassive, setNameIdPolicy, null, null);
+		this(forceAuthn, isPassive, setNameIdPolicy, null, null, null);
 	}
 
 	/**
@@ -62,7 +68,28 @@ public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setName
 	 *              the subject that should be authenticated
 	 */
 	public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy, String nameIdValueReq) {
-		this(forceAuthn, isPassive, setNameIdPolicy, nameIdValueReq, null);
+		this(forceAuthn, isPassive, setNameIdPolicy, nameIdValueReq, null, null);
+	}
+
+	/**
+	 * Create a set of authentication request input parameters.
+	 *
+	 * @param forceAuthn
+	 *              whether the <code>ForceAuthn</code> attribute should be set to
+	 *              <code>true</code>
+	 * @param isPassive
+	 *              whether the <code>isPassive</code> attribute should be set to
+	 *              <code>true</code>
+	 * @param setNameIdPolicy
+	 *              whether a <code>NameIDPolicy</code> should be set
+	 * @param assertionConsumerServiceSelector
+	 *              the selector to use to specify the Assertion Consumer Service
+	 *              that will consume the response; if <code>null</code>,
+	 *              {@link AssertionConsumerServiceSelector#useDefault()} is used
+	 */
+	public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy,
+	            AssertionConsumerServiceSelector assertionConsumerServiceSelector) {
+		this(forceAuthn, isPassive, setNameIdPolicy, null, assertionConsumerServiceSelector);
 	}
 
 	/**
@@ -99,17 +126,71 @@ public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setName
 	 *              whether a <code>NameIDPolicy</code> should be set
 	 * @param nameIdValueReq
 	 *              the subject that should be authenticated
+	 * @param assertionConsumerServiceSelector
+	 *              the selector to use to specify the Assertion Consumer Service
+	 *              that will consume the response; if <code>null</code>,
+	 *              {@link AssertionConsumerServiceSelector#useDefault()} is used
+	 */
+	public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy, String nameIdValueReq,
+	            AssertionConsumerServiceSelector assertionConsumerServiceSelector) {
+		this(forceAuthn, isPassive, setNameIdPolicy, nameIdValueReq, assertionConsumerServiceSelector, null);
+	}
+
+	/**
+	 * Create a set of authentication request input parameters.
+	 *
+	 * @param forceAuthn
+	 *              whether the <code>ForceAuthn</code> attribute should be set to
+	 *              <code>true</code>
+	 * @param isPassive
+	 *              whether the <code>isPassive</code> attribute should be set to
+	 *              <code>true</code>
+	 * @param setNameIdPolicy
+	 *              whether a <code>NameIDPolicy</code> should be set
+	 * @param nameIdValueReq
+	 *              the subject that should be authenticated
+	 * @param attributeConsumingServiceSelector
+	 *              the selector to use to specify the Attribute Consuming Service
+	 *              index; if <code>null</code>,
+	 *              {@link AttributeConsumingServiceSelector#useDefault()} is used
+	 */
+	public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy, String nameIdValueReq,
+	            AttributeConsumingServiceSelector attributeConsumingServiceSelector) {
+		this(forceAuthn, isPassive, setNameIdPolicy, nameIdValueReq, null, attributeConsumingServiceSelector);
+	}
+
+	/**
+	 * Create a set of authentication request input parameters.
+	 *
+	 * @param forceAuthn
+	 *              whether the <code>ForceAuthn</code> attribute should be set to
+	 *              <code>true</code>
+	 * @param isPassive
+	 *              whether the <code>isPassive</code> attribute should be set to
+	 *              <code>true</code>
+	 * @param setNameIdPolicy
+	 *              whether a <code>NameIDPolicy</code> should be set
+	 * @param nameIdValueReq
+	 *              the subject that should be authenticated
+	 * @param assertionConsumerServiceSelector
+	 *              the selector to use to specify the Assertion Consumer Service
+	 *              that will consume the response; if <code>null</code>,
+	 *              {@link AssertionConsumerServiceSelector#useDefault()} is used
 	 * @param attributeConsumingServiceSelector
 	 *              the selector to use to specify the Attribute Consuming Service
 	 *              index; if <code>null</code>,
 	 *              {@link AttributeConsumingServiceSelector#useDefault()} is used
 	 */
 	public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy, String nameIdValueReq,
+	            AssertionConsumerServiceSelector assertionConsumerServiceSelector,
 	            AttributeConsumingServiceSelector attributeConsumingServiceSelector) {
 		this.forceAuthn = forceAuthn;
 		this.isPassive = isPassive;
 		this.setNameIdPolicy = setNameIdPolicy;
 		this.nameIdValueReq = nameIdValueReq;
+		this.assertionConsumerServiceSelector = assertionConsumerServiceSelector != null
+		            ? assertionConsumerServiceSelector
+		            : AssertionConsumerServiceSelector.useDefault();
 		this.attributeConsumingServiceSelector = attributeConsumingServiceSelector != null
 		            ? attributeConsumingServiceSelector
 		            : AttributeConsumingServiceSelector.useDefault();
@@ -127,6 +208,7 @@ protected AuthnRequestParams(AuthnRequestParams source) {
 		this.isPassive = source.isPassive();
 		this.setNameIdPolicy = source.isSetNameIdPolicy();
 		this.nameIdValueReq = source.getNameIdValueReq();
+		this.assertionConsumerServiceSelector = source.getAssertionConsumerServiceSelector();
 		this.attributeConsumingServiceSelector = source.getAttributeConsumingServiceSelector();
 	}
 
@@ -166,4 +248,12 @@ protected String getNameIdValueReq() {
 	protected AttributeConsumingServiceSelector getAttributeConsumingServiceSelector() {
 		return attributeConsumingServiceSelector;
 	}
+
+	/**
+	 * @return the selector to use to specify the Assertion Consumer Service that
+	 *         will consume the response
+	 */
+	protected AssertionConsumerServiceSelector getAssertionConsumerServiceSelector() {
+		return assertionConsumerServiceSelector;
+	}
 }