
Example 6 with FSAccountFedInfo

use of com.sun.identity.federation.accountmgmt.FSAccountFedInfo in project OpenAM by OpenRock.

the class FSSSOAndFedHandler method doSingleSignOn.

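/**
 * Looks up the caller's federation record for the requesting provider (or
 * its affiliation) and, when a usable name identifier exists, continues
 * with the four-argument {@code doSingleSignOn} overload.
 * <p>
 * Records written by the 6.2 release were qualified by the hosted entity id;
 * such a record is re-keyed under the security domain before use.
 *
 * @param ssoToken session token of the authenticated user, resolved to a
 *     principal name through the configured {@code SessionProvider}
 * @param inResponseTo passed through unchanged to the four-argument overload
 * @return {@code true} when the overload completed the SSO; {@code false}
 *     when no federation record, no name identifier, or any exception was hit
 */
protected boolean doSingleSignOn(Object ssoToken, String inResponseTo) {
    FSUtils.debug.message("FSSSOAndFedHandler.doSingleSignOn(2):  Called");
    try {
        // The federation record is keyed by the requesting provider, or by
        // the affiliation when the AuthnRequest names one.
        String securityDomain = authnRequest.getProviderId();
        String affiliationID = authnRequest.getAffiliationID();
        if (affiliationID != null) {
            securityDomain = affiliationID;
        }
        SessionProvider sessionProvider = SessionManager.getProvider();
        String userID = sessionProvider.getPrincipalName(ssoToken);
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOAndFedHandler.doSingleSignOn: " + "Initiating SSO for user with ID: " + userID);
        }
        FSAccountFedInfo accountInfo = accountManager.readAccountFedInfo(userID, securityDomain);
        if (accountInfo == null) {
            FSUtils.debug.error("FSSSOAndFedHandler.doSingleSignOn: Account Federation " + "Information not found for user with ID: " + userID);
            noFedStatus = new Status(new StatusCode("samlp:Responder", new StatusCode("lib:FederationDoesNotExist", null)), FSUtils.bundle.getString("AuthnRequestProcessingFailed"), null);
            String[] data = { userID };
            LogUtil.error(Level.INFO, LogUtil.USER_ACCOUNT_FEDERATION_INFO_NOT_FOUND, data, ssoToken);
            return false;
        }
        // accountInfo is non-null from here on; the former second null check was dead.
        NameIdentifier storedLocalNI = accountInfo.getLocalNameIdentifier();
        if (accountInfo.isFedStatusActive() && storedLocalNI != null) {
            // Check if this is 6.2: a record qualified by the hosted entity id
            // is rewritten under the security domain and the old key dropped.
            String qualifier = storedLocalNI.getNameQualifier();
            if (qualifier != null && qualifier.equals(hostedEntityId)) {
                NameIdentifier localNI = new NameIdentifier(storedLocalNI.getName(), securityDomain);
                NameIdentifier remoteNI = accountInfo.getRemoteNameIdentifier();
                if (remoteNI != null) {
                    remoteNI = new NameIdentifier(remoteNI.getName(), securityDomain);
                }
                FSAccountFedInfoKey newFedKey = new FSAccountFedInfoKey(securityDomain, localNI.getName());
                accountInfo = new FSAccountFedInfo(securityDomain, localNI, remoteNI, false);
                accountManager.writeAccountFedInfo(userID, newFedKey, accountInfo);
                FSAccountFedInfoKey oldFedKey = new FSAccountFedInfoKey(hostedEntityId, localNI.getName());
                accountManager.removeAccountFedInfoKey(userID, oldFedKey);
            }
        }
        // The IDP-side handle is preferred; fall back to the SP-side one.
        NameIdentifier idpNI = accountInfo.getLocalNameIdentifier();
        if (idpNI == null) {
            idpNI = accountInfo.getRemoteNameIdentifier();
            if (idpNI == null) {
                FSUtils.debug.error("FSSSOAndFedHandler.doSingleSignOn: " + "NameIdentifier not found");
                return false;
            }
        } else if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOAndFedHandler.doSingleSignOn: " + "IDP generated opaque handle: " + idpNI.getName());
        }
        NameIdentifier spNI = accountInfo.getRemoteNameIdentifier();
        if (spNI == null) {
            spNI = idpNI;
        } else if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOAndFedHandler.doSingleSignOn: " + "SP generated opaque handle: " + spNI.getName());
        }
        return doSingleSignOn(ssoToken, inResponseTo, spNI, idpNI);
    } catch (Exception e) {
        FSUtils.debug.error("FSSSOAndFedHandler.doSingleSignOn: " + "Exception during Single Sign-On:", e);
        return false;
    }
}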

Example 7 with FSAccountFedInfo

use of com.sun.identity.federation.accountmgmt.FSAccountFedInfo in project OpenAM by OpenRock.

the class FSSingleLogoutHandler method doSoapProfile.

/**
 * Initiates SOAP profile logout.
 * @param providerId the first provider with SOAP as logout profile
 */
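/**
 * Runs the SOAP single logout profile against one remote provider.
 * <p>
 * A logout request is built for the user's current working account,
 * signed when signing is enabled, posted to the provider's SOAP endpoint,
 * and the returned status is mapped to an {@link FSLogoutStatus}. When
 * signing is enabled the response signature is verified before its status
 * is trusted.
 *
 * @param providerId the first provider with SOAP as logout profile
 * @return {@code SAML_SUCCESS} when the provider reports success or no
 *     account remains to log out; {@code SAML_REQUESTER} when the response
 *     signature does not verify; the provider's own status value on a
 *     reported failure; {@code SAML_RESPONDER} for every other failure
 */
private FSLogoutStatus doSoapProfile(String providerId) {
    FSUtils.debug.message("Entered IDP's doSoapProfile");
    try {
        FSSessionManager sMgr = FSSessionManager.getInstance(metaAlias);
        FSSession session = sMgr.getSession(ssoToken);
        FSAccountFedInfo currentAccount = null;
        if (session != null) {
            currentAccount = session.getAccountFedInfo();
        }
        // session may be null here; the stored working account is consulted
        // unless the session is explicitly a one-time one.
        if (currentAccount == null && (session == null || !session.getOneTime())) {
            currentAccount = FSLogoutUtil.getCurrentWorkingAccount(userID, providerId, metaAlias);
        }
        if (currentAccount == null) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSSingleLogoutHandler. User's " + "account may have been terminated.");
            }
            return new FSLogoutStatus(IFSConstants.SAML_SUCCESS);
        }
        FSLogoutNotification reqLogout = createSingleLogoutRequest(currentAccount, sessionIndex);
        if (reqLogout == null) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("Unable to create logout request" + " Current Provider cannot be processed");
            }
            return new FSLogoutStatus(IFSConstants.SAML_RESPONDER);
        }
        // Only touch the request once it is known to exist.
        reqLogout.setMinorVersion(getMinorVersion(remoteDescriptor));
        FSSOAPService instSOAP = FSSOAPService.getInstance();
        if (instSOAP != null) {
            FSUtils.debug.message("Signing suceeded. To call bindLogoutRequest");
            reqLogout.setID(IFSConstants.LOGOUTID);
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("logout request before sign: " + reqLogout.toXMLString(true, true));
            }
            SOAPMessage msgLogout = instSOAP.bind(reqLogout.toXMLString(true, true));
            if (msgLogout != null) {
                SOAPMessage retSOAPMessage = null;
                try {
                    if (FSServiceUtils.isSigningOn()) {
                        // The signed reference attribute differs between the
                        // 1.1 and 1.2 protocol minor versions.
                        int minorVersion = reqLogout.getMinorVersion();
                        switch (minorVersion) {
                            case IFSConstants.FF_11_PROTOCOL_MINOR_VERSION:
                                msgLogout = signLogoutRequest(msgLogout, IFSConstants.ID, reqLogout.getID());
                                break;
                            case IFSConstants.FF_12_PROTOCOL_MINOR_VERSION:
                                msgLogout = signLogoutRequest(msgLogout, IFSConstants.REQUEST_ID, reqLogout.getRequestID());
                                break;
                            default:
                                FSUtils.debug.message("invalid minor version.");
                                break;
                        }
                    }
                    retSOAPMessage = instSOAP.sendMessage(msgLogout, remoteDescriptor.getSoapEndpoint());
                } catch (Exception e) {
                    FSUtils.debug.error("FSSOAPException in doSOAPProfile" + " Cannot send request", e);
                    return new FSLogoutStatus(IFSConstants.SAML_RESPONDER);
                }
                if (retSOAPMessage != null) {
                    Element elt = instSOAP.parseSOAPMessage(retSOAPMessage);
                    // With signing on, the status of an unverified response is never trusted.
                    if (FSServiceUtils.isSigningOn() && !verifyResponseSignature(retSOAPMessage)) {
                        if (FSUtils.debug.messageEnabled()) {
                            FSUtils.debug.message("Response " + "signature verification failed");
                        }
                        FSServiceUtils.returnLocallyAfterOperation(response, LOGOUT_DONE_URL, false, IFSConstants.LOGOUT_SUCCESS, IFSConstants.LOGOUT_FAILURE);
                        return new FSLogoutStatus(IFSConstants.SAML_REQUESTER);
                    }
                    this.requestLogout = reqLogout;
                    respObj = new FSLogoutResponse(elt);
                    // Call SP Adapter preSingleLogout for SP/SOAP
                    if (hostedRole != null && hostedRole.equalsIgnoreCase(IFSConstants.SP)) {
                        FederationSPAdapter spAdapter = FSServiceUtils.getSPAdapter(hostedEntityId, hostedConfig);
                        if (spAdapter != null) {
                            if (FSUtils.debug.messageEnabled()) {
                                FSUtils.debug.message("FSSLOHandler." + "preSingleLogoutProcess, SP/SOAP");
                            }
                            try {
                                spAdapter.preSingleLogoutProcess(hostedEntityId, request, response, userID, reqLogout, respObj, IFSConstants.LOGOUT_SP_SOAP_PROFILE);
                            } catch (Exception e) {
                                // ignore adapter error: a plug-in failure must not abort the logout
                                FSUtils.debug.error("spAdapter." + "preSingleLogoutProcess, SP/SOAP:", e);
                            }
                        }
                    }
                    // A response without a top-level status code cannot be mapped.
                    Status status = respObj.getStatus();
                    StatusCode statusCode = (status == null) ? null : status.getStatusCode();
                    String statusString = (statusCode == null) ? null : statusCode.getValue();
                    if (statusString == null) {
                        FSUtils.debug.error("FSSingleLogoutHandler: doSoapProfile response carries no status code");
                        return new FSLogoutStatus(IFSConstants.SAML_RESPONDER);
                    }
                    if (statusString.equalsIgnoreCase(IFSConstants.SAML_SUCCESS)) {
                        if (FSUtils.debug.messageEnabled()) {
                            FSUtils.debug.message("FSSingleLogoutHandler: " + " doSoapProfile returning success");
                        }
                        return new FSLogoutStatus(IFSConstants.SAML_SUCCESS);
                    }
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSSingleLogoutHandler: " + "SOAP Profile failure " + statusString);
                    }
                    return new FSLogoutStatus(statusString);
                }
            }
        }
        // Reached when there is no SOAP service, no bound message or no reply.
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("Unable to bindLogoutRequest." + "Current Provider cannot be processed");
        }
    } catch (Exception e) {
        FSUtils.debug.error("In IOException of doSOAPProfile : ", e);
    }
    return new FSLogoutStatus(IFSConstants.SAML_RESPONDER);
}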

Example 8 with FSAccountFedInfo

use of com.sun.identity.federation.accountmgmt.FSAccountFedInfo in project OpenAM by OpenRock.

the class FSSingleLogoutHandler method getMultiLogoutRequest.

/**
     * Prepares the IMG tags that correspond to Single logout requests that
     * will all be shown in a single page when HTTP GET profile is used.
     * @param providerMap contains information about all the providers
     *  for whom GET is the logout profile
     * @return String that has the IMG tags for each provider to be notified
     */
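private String getMultiLogoutRequest(HashMap providerMap) {
    try {
        // providerMap carries a Vector of provider ids and a HashMap of
        // provider id -> session index (the latter may be absent).
        Vector providerList = (Vector) providerMap.get(IFSConstants.PROVIDER);
        HashMap sessionList = (HashMap) providerMap.get(IFSConstants.SESSION_INDEX);
        if (providerList != null) {
            // The signing alias belongs to the hosted provider, so it is the
            // same for every entry; look it up once.
            String certAlias = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostedConfig, IFSConstants.SIGNING_CERT_ALIAS);
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("certalias  : " + certAlias);
            }
            StringBuilder imgString = new StringBuilder();
            for (int i = 0; i < providerList.size(); i++) {
                String providerId = (String) providerList.elementAt(i);
                FSAccountFedInfo currentAccount = FSLogoutUtil.getCurrentWorkingAccount(userID, providerId, metaAlias);
                String providerSessionIndex = (sessionList == null) ? null : (String) sessionList.get(providerId);
                FSLogoutNotification reqLogout = createSingleLogoutRequest(currentAccount, providerSessionIndex);
                ProviderDescriptorType descriptor = metaManager.getSPDescriptor(realm, providerId);
                if (reqLogout == null || descriptor == null) {
                    // A NullPointerException here would escape the catch
                    // clauses below; skip the provider instead.
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSSingleLogoutHandler" + " getMultiLogoutRequest: no request or descriptor for " + providerId);
                    }
                    continue;
                }
                reqLogout.setMinorVersion(getMinorVersion(descriptor));
                String urlEncodedRequest = reqLogout.toURLEncodedQueryString();
                // Sign the request querystring
                if (certAlias == null || certAlias.length() == 0) {
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSSingleLogoutHandler" + " getMultiLogoutRequest: couldn't obtain " + "this site's cert alias.");
                    }
                    continue;
                }
                urlEncodedRequest = FSSignatureUtil.signAndReturnQueryString(urlEncodedRequest, certAlias);
                String retURL = descriptor.getSingleLogoutServiceURL();
                if (retURL == null) {
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSSingleLogoutHandler" + " getMultiLogoutRequest: no single logout URL for " + providerId);
                    }
                    continue;
                }
                StringBuilder redirectURL = new StringBuilder(retURL);
                if (retURL.indexOf(QUESTION_MARK) == -1) {
                    redirectURL.append(QUESTION_MARK);
                } else {
                    redirectURL.append(AMPERSAND);
                }
                redirectURL.append(urlEncodedRequest);
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSSingleLogoutHandler::" + "doHttpRedirect URL is " + redirectURL.toString());
                }
                // The URL is placed verbatim into an HTML attribute; it is built
                // from provider metadata plus our own signed, URL-encoded query
                // string rather than from the incoming request, and "&" is not
                // rewritten as "&amp;" — verify before this is emitted into a
                // page that also renders caller-supplied values.
                imgString.append("<IMG SRC=\"").append(redirectURL).append("\" />");
            }
            return imgString.toString();
        }
    } catch (FSMsgException e) {
        FSUtils.debug.error("FSSingleLogoutHandler::getMultiLogoutRequest" + " FSMsgException", e);
    } catch (IDFFMetaException e) {
        FSUtils.debug.error("FSSingleLogoutHandler::getMultiLogoutRequest" + "  IDFFMetaException", e);
    }
    FSUtils.debug.error("Returning null from getMultiLogoutRequest");
    return null;
}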

Example 9 with FSAccountFedInfo

use of com.sun.identity.federation.accountmgmt.FSAccountFedInfo in project OpenAM by OpenRock.

the class FSLogoutUtil method getCurrentWorkingAccount.

/**
     * Returns the <code>FSAccountFedInfo</code> object for the given 
     * principal and provider Id.
     * @param userID principal whose working account we want to retrieve
     * @param entityID the provider Id to whom logout notification needs to 
     *  be sent
     * @param metaAlias hosted provider's meta alias
     * @return account object for the given user, provider
     */
protected static FSAccountFedInfo getCurrentWorkingAccount(String userID, String entityID, String metaAlias) {
    try {
        FSAccountManager accountInst = FSAccountManager.getInstance(metaAlias);
        if (metaManager == null) {
            return null;
        }
        // First preference: an active federation held through one of the
        // provider's affiliations. Lookup problems only downgrade to the
        // direct lookup below.
        try {
            String realm = IDFFMetaUtils.getRealmByMetaAlias(metaAlias);
            Set affiliates = metaManager.getAffiliateEntity(realm, entityID);
            if (affiliates == null || affiliates.isEmpty()) {
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSLogoutUtil.getCurrent" + "WorkingAccount: No affiliations");
                }
            } else {
                for (Object member : affiliates) {
                    AffiliationDescriptorType desc = (AffiliationDescriptorType) member;
                    String affiliationID = desc.getAffiliationID();
                    FSAccountFedInfo viaAffiliation = accountInst.readAccountFedInfo(userID, affiliationID);
                    if (viaAffiliation != null && viaAffiliation.isFedStatusActive()) {
                        return viaAffiliation;
                    }
                }
            }
        } catch (Exception ex) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSLogoutUtil.getCurrentWorking" + "Account. No Affiliation for:" + entityID, ex);
            }
        }
        // Second preference: the record keyed directly by the provider id.
        FSAccountFedInfo direct = accountInst.readAccountFedInfo(userID, entityID);
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSLogoutUtil::" + "getCurrentWorkingAccount after readAccountFedInfo");
        }
        return direct;
    } catch (Exception e) {
        FSUtils.debug.error("FSLogoutUtil::getCurrentWorkingAccount" + " readAccountFedInfo failed", e);
    }
    return null;
}

Example 10 with FSAccountFedInfo

use of com.sun.identity.federation.accountmgmt.FSAccountFedInfo in project OpenAM by OpenRock.

the class FSServiceManager method getFedTerminationHandler.

/**
 * Returns federation termination handler. This method is invoked at the
 * end where the termination is initiated. The handler is responsible
 * for doing account defederation locally and then invoking termination at
 * remote provider end.
 * @param remoteEntityId provider with whom termination needs to be done
 * @param remoteProviderRole role of remote provider
 * @param userID user who is terminating federation with remote provider
 * @param realm the realm under which the entity resides
 * @param hostEntityId hosted provider's entity id
 * @param metaAlias hosted provider's meta alias
 * @return <code>FSFedTerminationHandler</code> object
 */
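public FSFedTerminationHandler getFedTerminationHandler(String remoteEntityId, String remoteProviderRole, String userID, String realm, String hostEntityId, String metaAlias) {
    try {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("Entered FSServicemanager::" + " getFedTerminationHandler");
        }
        // check for null
        IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
        FSAccountManager managerInst = FSAccountManager.getInstance(metaAlias);
        if (metaManager == null || managerInst == null) {
            FSUtils.debug.message("Error in retrieving meta, account manager");
            return null;
        }
        // Without an existing federation there is nothing to terminate.
        FSAccountFedInfo acctInfo = managerInst.readAccountFedInfo(userID, remoteEntityId);
        if (acctInfo == null) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("Account federation with provider " + remoteEntityId + " does not exist");
            }
            return null;
        }
        if (remoteProviderRole == null) {
            // Formerly a NullPointerException swallowed by the catch below.
            FSUtils.debug.message("FSServiceManager.getFedTerminationHandler: remote provider role is null");
            return null;
        }
        // Pass USERDN TO HANDLER to AVOID SEARCH AGAIN
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSServiceManager.getFedTermination" + "Handler: remoteEntityID = " + remoteEntityId + " remoteProviderRole = " + remoteProviderRole);
        }
        // `new` never yields null, so the former null check on the handler was dead.
        FSFedTerminationHandler handlerTermination = new FSFedTerminationHandler();
        ProviderDescriptorType remoteDesc;
        if (remoteProviderRole.equalsIgnoreCase(IFSConstants.IDP)) {
            remoteDesc = metaManager.getIDPDescriptor(realm, remoteEntityId);
        } else {
            remoteDesc = metaManager.getSPDescriptor(realm, remoteEntityId);
        }
        handlerTermination.setRemoteDescriptor(remoteDesc);
        handlerTermination.setRemoteEntityId(remoteEntityId);
        handlerTermination.setUserID(userID);
        handlerTermination.setAccountInfo(acctInfo);
        return handlerTermination;
    } catch (Exception e) {
        // Keep the cause; the original log line dropped it.
        FSUtils.debug.error("FSServiceManager::getFedTerminationHandler " + "failed to get termination handler", e);
    }
    return null;
}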
