Add option to add Key Descriptors to the SP metadata.

Author: robotdan

build.savant

@@ -15,7 +15,7 @@
  */
 savantVersion = "1.0.0"
 
-project(group: "io.fusionauth", name: "fusionauth-samlv2", version: "0.5.2", licenses: ["ApacheV2_0"]) {
+project(group: "io.fusionauth", name: "fusionauth-samlv2", version: "0.5.3", licenses: ["ApacheV2_0"]) {
   workflow {
     standard()
   }

src/main/java/io/fusionauth/samlv2/domain/MetaData.java

@@ -45,6 +45,8 @@ public static class SPMetaData {
 
     public boolean authnRequestsSigned;
 
+    public List<Certificate> certificates = new ArrayList<>();
+
     public NameIDFormat nameIDFormat;
 
     public boolean wantAssertionsSigned;

src/main/java/io/fusionauth/samlv2/service/DefaultSAMLv2Service.java

@@ -119,6 +119,7 @@
 import io.fusionauth.samlv2.domain.jaxb.oasis.metadata.KeyTypes;
 import io.fusionauth.samlv2.domain.jaxb.oasis.metadata.RoleDescriptorType;
 import io.fusionauth.samlv2.domain.jaxb.oasis.metadata.SPSSODescriptorType;
+import io.fusionauth.samlv2.domain.jaxb.oasis.metadata.SSODescriptorType;
 import io.fusionauth.samlv2.domain.jaxb.oasis.protocol.AuthnRequestType;
 import io.fusionauth.samlv2.domain.jaxb.oasis.protocol.NameIDPolicyType;
 import io.fusionauth.samlv2.domain.jaxb.oasis.protocol.ObjectFactory;
@@ -357,23 +358,8 @@ public String buildMetadataResponse(MetaData metaData) throws SAMLException {
         idp.getSingleLogoutService().add(logOut);
       });
 
-      metaData.idp.certificates.forEach(cert -> {
-        KeyDescriptorType key = new KeyDescriptorType();
-        key.setUse(KeyTypes.SIGNING);
-        KeyInfoType info = new KeyInfoType();
-        key.setKeyInfo(info);
-        X509DataType data = new X509DataType();
-        info.getContent().add(DSIG_OBJECT_FACTORY.createX509Data(data));
-
-        try {
-          JAXBElement<byte[]> certElement = DSIG_OBJECT_FACTORY.createX509DataTypeX509Certificate(cert.getEncoded());
-          data.getX509IssuerSerialOrX509SKIOrX509SubjectName().add(certElement);
-          idp.getKeyDescriptor().add(key);
-        } catch (Exception e) {
-          // Rethrow
-          throw new IllegalArgumentException(e);
-        }
-      });
+      // Add certificates
+      addKeyDescriptors(idp, metaData.idp.certificates);
 
       root.getRoleDescriptorOrIDPSSODescriptorOrSPSSODescriptor().add(idp);
     }
@@ -395,6 +381,9 @@ public String buildMetadataResponse(MetaData metaData) throws SAMLException {
         sp.getNameIDFormat().add(metaData.sp.nameIDFormat.toSAMLFormat());
       }
 
+      // Add certificates
+      addKeyDescriptors(sp, metaData.sp.certificates);
+
       root.getRoleDescriptorOrIDPSSODescriptorOrSPSSODescriptor().add(sp);
     }
 
@@ -637,6 +626,26 @@ public AuthenticationResponse parseResponse(String encodedResponse, boolean veri
     return response;
   }
 
+  private void addKeyDescriptors(SSODescriptorType descriptor, List<Certificate> certificates) {
+    certificates.forEach(cert -> {
+      KeyDescriptorType key = new KeyDescriptorType();
+      key.setUse(KeyTypes.SIGNING);
+      KeyInfoType info = new KeyInfoType();
+      key.setKeyInfo(info);
+      X509DataType data = new X509DataType();
+      info.getContent().add(DSIG_OBJECT_FACTORY.createX509Data(data));
+
+      try {
+        JAXBElement<byte[]> certElement = DSIG_OBJECT_FACTORY.createX509DataTypeX509Certificate(cert.getEncoded());
+        data.getX509IssuerSerialOrX509SKIOrX509SubjectName().add(certElement);
+        descriptor.getKeyDescriptor().add(key);
+      } catch (Exception e) {
+        // Rethrow
+        throw new IllegalArgumentException(e);
+      }
+    });
+  }
+
   private String attributeToString(Object attribute) {
     if (attribute == null) {
       return null;