SAML-Toolkits
diff --git a/‎.java-version‎
Lines changed: 1 addition & 1 deletion b/‎.java-version‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.nvd-suppressions.xml‎
Lines changed: 4 additions & 0 deletions b/‎.nvd-suppressions.xml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.travis.yml‎
Lines changed: 15 additions & 5 deletions b/‎.travis.yml‎
Lines changed: 15 additions & 5 deletions
diff --git a/‎README.md‎
Lines changed: 40 additions & 6 deletions b/‎README.md‎
Lines changed: 40 additions & 6 deletions
diff --git a/‎core/pom.xml‎
Lines changed: 9 additions & 9 deletions b/‎core/pom.xml‎
Lines changed: 9 additions & 9 deletions
diff --git a/‎core/src/main/java/com/onelogin/saml2/authn/AuthnRequest.java‎
Lines changed: 37 additions & 3 deletions b/‎core/src/main/java/com/onelogin/saml2/authn/AuthnRequest.java‎
Lines changed: 37 additions & 3 deletions
@@ -1 +1 @@
-1.7
+1.8
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
+
+</suppressions>
@@ -1,8 +1,18 @@
 language: java
-jdk:
-  - openjdk7
-  - openjdk8
-#  - oraclejdk7 #It seems oraclejdk7 temp fail on Travis
+
+matrix:
+  include:
+  - os: linux
+    dist: trusty
+    jdk: openjdk8
+  - os: linux
+    dist: trusty
+    jdk: oraclejdk8
+  - os: linux
+    dist: xenial
+    jdk: openjdk9
+
+
 install: true
 after_success:
-  - mvn clean test org.jacoco:jacoco-maven-plugin:report org.eluder.coveralls:coveralls-maven-plugin:report
+  - mvn clean verify org.jacoco:jacoco-maven-plugin:report org.eluder.coveralls:coveralls-maven-plugin:report
@@ -5,7 +5,12 @@
 Add SAML support to your Java applications using this library.
 Forget those complicated libraries and use that open source library provided and supported by OneLogin Inc.
 
-Version 2.X.X, compatible with java7 / java8.
+Version >= 2.5.0 compatible with java8 / java9. Not compatible with java7
+2.5.0 sets the 'strict' setting parameter to true.
+2.5.0 uses xmlsec 2.1.4 which fixes [CVE-2019-12400](https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESANTUARIO-460281)
+
+
+Version 2.0.0 - 2.4.0, compatible with java7 / java8.
 
 We [introduced some incompatibilities](https://github.com/onelogin/java-saml/issues/90), that could be fixed and make it compatible with java6.
 
@@ -82,7 +87,7 @@ Install it as a maven dependency:
   <dependency>
       <groupId>com.onelogin</groupId>
       <artifactId>java-saml</artifactId>
-      <version>2.4.0</version>
+      <version>2.5.0</version>
   </dependency>
 ```
 
@@ -105,8 +110,8 @@ java-saml (com.onelogin:java-saml-toolkit) has the following dependencies:
 * For CI:
   * org.jacoco:jacoco-maven-plugin
 
-also the [Java Cryptography Extension (JCE)](https://en.wikipedia.org/wiki/Java_Cryptography_Extension) is required. If you don't have it, download the version of [jce-6](http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html), [jce-7](http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html) or [jce-8](http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html), unzip it, and drop its content at
-*${java.home}/jre/lib/security/*
+also the [Java Cryptography Extension (JCE)](https://en.wikipedia.org/wiki/Java_Cryptography_Extension) is required. If you don't have it, download the version of [jce-8](http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html), unzip it, and drop its content at
+*${java.home}/jre/lib/security/*. JDK 9 and later offer the stronger cryptographic algorithms by default.
 
 *toolkit:*
 * com.onelogin:java-saml-core
@@ -118,7 +123,7 @@ also the [Java Cryptography Extension (JCE)](https://en.wikipedia.org/wiki/Java_
 * org.apache.maven.plugins:maven-enforcer-plugin
 
 For more info, open and read the different pom.xml files:
-[core/pom.xml](https://github.com/onelogin/java-saml/blob/v2.2.0/core/pom.xml), [toolkit/pom.xml](https://github.com/onelogin/java-saml/blob/v2.2.0/toolkit/pom.xml)
+[core/pom.xml](https://github.com/onelogin/java-saml/blob/v2.5.0/core/pom.xml), [toolkit/pom.xml](https://github.com/onelogin/java-saml/blob/v2.5.0/toolkit/pom.xml)
 
 ## Working with the github repository code and Eclipse.
 ### Get the toolkit.
@@ -228,6 +233,9 @@ onelogin.saml2.sp.nameidformat = urn:oasis:names:tc:SAML:1.1:nameid-format:unspe
 
 onelogin.saml2.sp.x509cert =
 
+# Future SP certificate, to be used during SP Key roll over
+onelogin.saml2.sp.x509certNew =
+
 # Requires Format PKCS#8   BEGIN PRIVATE KEY       
 # If you have     PKCS#1   BEGIN RSA PRIVATE KEY  convert it by   openssl pkcs8 -topk8 -inform pem -nocrypt -in sp.rsa_key -outform pem -out sp.pem
 onelogin.saml2.sp.privatekey =
@@ -321,6 +329,9 @@ onelogin.saml2.security.requested_authncontext = urn:oasis:names:tc:SAML:2.0:ac:
 # Allows the authn comparison parameter to be set, defaults to 'exact'
 onelogin.saml2.security.requested_authncontextcomparison = exact
 
+# Allows duplicated names in the attribute statement
+onelogin.saml2.security.allow_duplicated_attribute_name = false
+
 # Indicates if the SP will validate all received xmls.
 # (In order to validate the xml, 'strict' and 'wantXMLValidation' must be true).
 onelogin.saml2.security.want_xml_validation = true
@@ -351,6 +362,28 @@ onelogin.saml2.contacts.support.email_address = support@example.com
 # onelogin.saml2.unique_id_prefix = _
 ```
 
+##### KeyStores
+
+The Auth constructor supports the ability to read SP public cert/private key from a KeyStore. A KeyStoreSettings object must be provided with the KeyStore, the Alias and the KeyEntry password.
+
+```java
+import java.io.FileInputStream;
+import java.security.KeyStore;
+import com.onelogin.saml2.Auth
+import com.onelogin.saml2.model.KeyStoreSettings
+
+String keyStoreFile = "oneloginTestKeystore.jks";
+String alias = "keywithpassword";
+String storePass = "changeit";
+String keyPassword = "keypassword";
+
+KeyStore ks = KeyStore.getInstance("JKS");
+ks.load(new FileInputStream(keyStoreFile), storePass.toCharArray());
+
+KeyStoreSettings keyStoreSettings =  new keyStoreSettings(ks, alias, keyPassword);
+Auth auth = new Auth(KeyStoreSettings keyStoreSetting);
+```
+
 ##### Dynamic Settings
 It is possible to build settings programmatically. You can load your values from different sources such as files, databases, or generated values.
 
@@ -393,11 +426,12 @@ We can set a 'returnTo' url parameter to the login function and that will be con
 String targetUrl = 'https://example.com';
 auth.login(returnTo=targetUrl)
 ```
-The login method can receive 4 more optional parameters:
+The login method can receive 5 more optional parameters:
 - *forceAuthn* When true the AuthNRequest will have the 'ForceAuthn' attribute set to 'true'
 - *isPassive* When true the AuthNRequest will have the 'Ispassive' attribute set to 'true'
 - *setNameIdPolicy* When true the AuthNRequest will set a nameIdPolicy element.
 - *stay* Set to true to stay (returns the url string), otherwise set to false to execute a redirection to that url (IdP SSO URL)
+- *nameIdValueReq* Indicates to the IdP the subject that should be authenticated
 
 By default, the login method initiates a redirect to the SAML Identity Provider. You can use the *stay* parameter, to prevent that, and execute the redirection manually. We need to use that if a match on the future SAMLResponse ID and the AuthNRequest ID to be sent is required.  That AuthNRequest ID must be extracted and stored for future validation, so we can't execute the redirection on the login.  Instead, set *stay* to true, then get that ID by
 ```
 
@@ -3,7 +3,7 @@
 	<parent>
 		<groupId>com.onelogin</groupId>
 		<artifactId>java-saml-toolkit</artifactId>
-		<version>2.4.1-SNAPSHOT</version>
+		<version>2.5.1-SNAPSHOT</version>
 	</parent>
 
 	<packaging>jar</packaging>
@@ -48,7 +48,7 @@
 		<dependency>
 			<groupId>joda-time</groupId>
 			<artifactId>joda-time</artifactId>
-			<version>2.9.4</version>
+			<version>2.10.6</version>
 		</dependency>
 
 		<!-- commons -->
@@ -60,12 +60,12 @@
 		<dependency>
 			<groupId>org.apache.santuario</groupId>
 			<artifactId>xmlsec</artifactId>
-			<version>2.0.7</version>
+			<version>2.2.0</version>
 		</dependency>
 		<dependency>
 			<groupId>commons-codec</groupId>
 			<artifactId>commons-codec</artifactId>
-			<version>1.10</version>
+			<version>1.15</version>
 		</dependency>
 	</dependencies>
 
@@ -74,7 +74,7 @@
 			<plugin>
 				<groupId>org.jacoco</groupId>
 				<artifactId>jacoco-maven-plugin</artifactId>
-				<version>0.8.2</version>
+				<version>0.8.6</version>
 				<configuration>
 					<propertyName>jacoco.agent.argLine</propertyName>
 				</configuration>
@@ -90,7 +90,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-jar-plugin</artifactId>
-				<version>2.4</version>
+				<version>3.2.0</version>
 				<executions>
 					<execution>
 						<goals>
@@ -102,22 +102,22 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-surefire-plugin</artifactId>
-				<version>2.12</version>
+				<version>2.22.2</version>
 				<configuration>
 					<argLine>${jacoco.agent.argLine}</argLine>
 				</configuration>
 			</plugin>
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-enforcer-plugin</artifactId>
-				<version>1.1.1</version>
+				<version>1.4.1</version>
 				<executions>
 					<execution>
 						<id>enforce</id>
 						<configuration>
 							<rules>
 								<evaluateBeanshell>
-									<condition>javax.crypto.Cipher.getMaxAllowedKeyLength("AES") &gt; 128</condition>
+									<condition>javax.crypto.Cipher.getMaxAllowedKeyLength("AES") > 128</condition>
 								</evaluateBeanshell>
 							</rules>
 						</configuration>
 
@@ -57,6 +57,10 @@ public class AuthnRequest {
 	 */
 	private final boolean setNameIdPolicy;
 
+	/**
+	 * Indicates to the IdP the subject that should be authenticated
+	 */
+	private final String nameIdValueReq;
 
 	/**
 	 * Time stamp that indicates when the AuthNRequest was created
@@ -84,20 +88,39 @@ public AuthnRequest(Saml2Settings settings) {
 	 *            When true the AuthNReuqest will set the IsPassive='true'
 	 * @param setNameIdPolicy
 	 *            When true the AuthNReuqest will set a nameIdPolicy
+	 * @param nameIdValueReq
+	 *            Indicates to the IdP the subject that should be authenticated
 	 */
-	public AuthnRequest(Saml2Settings settings, boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy) {
+	public AuthnRequest(Saml2Settings settings, boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy, String nameIdValueReq) {
 		this.id = Util.generateUniqueID(settings.getUniqueIDPrefix());
 		issueInstant = Calendar.getInstance();
 		this.isPassive = isPassive;
 		this.settings = settings;
 		this.forceAuthn = forceAuthn;
 		this.setNameIdPolicy = setNameIdPolicy;
+		this.nameIdValueReq = nameIdValueReq;
 
 		StrSubstitutor substitutor = generateSubstitutor(settings);
 		authnRequestString = substitutor.replace(getAuthnRequestTemplate());
 		LOGGER.debug("AuthNRequest --> " + authnRequestString);
 	}
 
+	/**
+	 * Constructs the AuthnRequest object.
+	 *
+	 * @param settings
+	 *            OneLogin_Saml2_Settings
+	 * @param forceAuthn
+	 *            When true the AuthNReuqest will set the ForceAuthn='true'
+	 * @param isPassive
+	 *            When true the AuthNReuqest will set the IsPassive='true'
+	 * @param setNameIdPolicy
+	 *            When true the AuthNReuqest will set a nameIdPolicy
+	 */
+	public AuthnRequest(Saml2Settings settings, boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy) {
+		this(settings, forceAuthn, isPassive, setNameIdPolicy, null);
+	}
+
 	/**
 	 * @return the base64 encoded unsigned AuthnRequest (deflated or not)
 	 *
@@ -167,6 +190,16 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
 		}
 		valueMap.put("destinationStr", destinationStr);
 
+		String subjectStr = "";
+		if (nameIdValueReq != null && !nameIdValueReq.isEmpty()) {
+			String nameIDFormat = settings.getSpNameIDFormat();
+			subjectStr = "<saml:Subject>";
+			subjectStr += "<saml:NameID Format=\"" + nameIDFormat + "\">" + nameIdValueReq + "</saml:NameID>";
+			subjectStr += "<saml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"></saml:SubjectConfirmation>";
+			subjectStr += "</saml:Subject>";
+        }
+        valueMap.put("subjectStr", subjectStr);
+
 		String nameIDPolicyStr = "";
 		if (setNameIdPolicy) {
 			String nameIDPolicyFormat = settings.getSpNameIDFormat();
@@ -191,6 +224,7 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
 		valueMap.put("issueInstant", issueInstantString);
 		valueMap.put("id", String.valueOf(id));
 		valueMap.put("assertionConsumerServiceURL", String.valueOf(settings.getSpAssertionConsumerServiceUrl()));
+		valueMap.put("protocolBinding", settings.getSpAssertionConsumerServiceBinding());
 		valueMap.put("spEntityid", settings.getSpEntityId());
 
 		String requestedAuthnContextStr = "";
@@ -214,9 +248,9 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
 	 */
 	private static StringBuilder getAuthnRequestTemplate() {
 		StringBuilder template = new StringBuilder();
-		template.append("<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"${id}\" Version=\"2.0\" IssueInstant=\"${issueInstant}\"${providerStr}${forceAuthnStr}${isPassiveStr}${destinationStr} ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" AssertionConsumerServiceURL=\"${assertionConsumerServiceURL}\">");
+		template.append("<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"${id}\" Version=\"2.0\" IssueInstant=\"${issueInstant}\"${providerStr}${forceAuthnStr}${isPassiveStr}${destinationStr} ProtocolBinding=\"${protocolBinding}\" AssertionConsumerServiceURL=\"${assertionConsumerServiceURL}\">");
 		template.append("<saml:Issuer>${spEntityid}</saml:Issuer>");
-		template.append("${nameIDPolicyStr}${requestedAuthnContextStr}</samlp:AuthnRequest>");
+		template.append("${subjectStr}${nameIDPolicyStr}${requestedAuthnContextStr}</samlp:AuthnRequest>");
 		return template;
 	}