Example 16 with FSAccountFedInfo

Use of com.sun.identity.federation.accountmgmt.FSAccountFedInfo in project OpenAM by OpenRock.

Class IDFFNameIdentifierMapper, method getNameIdentifier.

import java.security.Key;

import com.sun.identity.federation.accountmgmt.FSAccountFedInfo;
import com.sun.identity.federation.accountmgmt.FSAccountManager;
import com.sun.identity.federation.accountmgmt.FSAccountMgmtException;
import com.sun.identity.federation.common.FSException;
import com.sun.identity.federation.message.common.EncryptedNameIdentifier;
import com.sun.identity.federation.meta.IDFFMetaException;
import com.sun.identity.federation.meta.IDFFMetaManager;
import com.sun.identity.liberty.ws.util.ProviderManager;
import com.sun.identity.saml.assertion.NameIdentifier;

/**
 * Returns the mapped <code>NameIdentifier</code> for the specified user.
 * This is used by the Discovery Service to generate the correct
 * <code>NameIdentifier</code> when creating credentials for a remote
 * service provider. A <code>NameIdentifier</code> in encrypted format
 * is returned if the mapped <code>NameIdentifier</code> differs from
 * the original <code>NameIdentifier</code>; this prevents the
 * <code>NameIdentifier</code> from being revealed to a proxy service
 * provider.
 * @param spProviderID Provider ID of the service provider to which
 *     the <code>NameIdentifier</code> needs to be mapped.
 * @param idpProviderID Provider ID of the identity provider.
 * @param nameId The <code>NameIdentifier</code> to be mapped.
 * @param userID The user whose mapped <code>NameIdentifier</code> will
 *     be returned. The value is the universal identifier of the user.
 * @return the mapped <code>NameIdentifier</code> for the specified user;
 *     null if unable to map the <code>NameIdentifier</code>;
 *     the original name identifier if there is no need to map it.
 */
public NameIdentifier getNameIdentifier(String spProviderID, String idpProviderID, NameIdentifier nameId, String userID) {
    try {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("IDFFNameIdentifierMapper, enter " + "spProviderID=" + spProviderID + ", idpProviderID=" + idpProviderID + ", userID=" + userID);
            if (nameId != null) {
                FSUtils.debug.message("IDFFNameIdentifierMapper, enter " + "name identifier=" + nameId.toString());
            }
        }
        // All three identifiers are needed to look up the federation record.
        if ((spProviderID == null) || (idpProviderID == null) || (userID == null)) {
            return null;
        }
        if (spProviderID.equals(idpProviderID)) {
            // same entity, this is for the case of discovery service as IDP
            return nameId;
        }
        if (nameId != null) {
            String nameQualifier = nameId.getNameQualifier();
            if ((nameQualifier != null) && nameQualifier.equals(spProviderID)) {
                // current name id is already intended for the spProviderID
                return nameId;
            }
        }
        // Look up the federation record this IDP holds for the user and SP.
        IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
        String metaAlias = metaManager.getIDPDescriptorConfig("/", idpProviderID).getMetaAlias();
        FSAccountManager fsaccountmgr = FSAccountManager.getInstance(metaAlias);
        FSAccountFedInfo accountinfo = fsaccountmgr.readAccountFedInfo(userID, spProviderID);
        if (accountinfo != null) {
            NameIdentifier ni = accountinfo.getLocalNameIdentifier();
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("IDFFNameIdentifierMapper : new Ni");
            }
            ProviderManager pm = ProviderUtil.getProviderManager();
            if (pm != null) {
                Key encKey = pm.getEncryptionKey(spProviderID);
                if (encKey != null) {
                    // passed down through a proxy WSC: encrypt the mapped
                    // identifier with the SP's key so the proxy cannot read it
                    return EncryptedNameIdentifier.getEncryptedNameIdentifier(ni, spProviderID, encKey, pm.getEncryptionKeyAlgorithm(spProviderID), pm.getEncryptionKeyStrength(spProviderID));
                } else {
                    // no encryption key configured for the SP: return it in clear
                    return ni;
                }
            } else {
                return ni;
            }
        } else {
            // no federation record: nothing to map, hand back the original
            return nameId;
        }
    } catch (FSAccountMgmtException e) {
        // the federation info might not be there, just ignore
        FSUtils.debug.message("IDFFNameIdentifierMapper, account error", e);
    } catch (FSException e) {
        // encryption of the name identifier failed, just ignore
        FSUtils.debug.message("IDFFNameIdentifierMapper, encrypt error", e);
    } catch (IDFFMetaException e) {
        // the provider might not be an IDFF provider, just ignore
        FSUtils.debug.message("IDFFNameIdentifierMapper, meta error", e);
    }
    return null;
}

Example 17 with FSAccountFedInfo

Use of com.sun.identity.federation.accountmgmt.FSAccountFedInfo in project OpenAM by OpenRock.

Class FSSSOAndFedHandler, method doAccountFederation.

import com.sun.identity.federation.accountmgmt.FSAccountFedInfo;
import com.sun.identity.federation.accountmgmt.FSAccountFedInfoKey;
import com.sun.identity.federation.services.util.FSNameIdentifierHelper;
import com.sun.identity.plugin.session.SessionProvider;
import com.sun.identity.saml.assertion.NameIdentifier;

/**
 * Federates the authenticated user with the requesting service provider (or
 * its affiliation), reusing an existing active federation when one exists.
 * @param ssoToken the local session of the authenticated user
 * @param authnRequest the incoming <code>FSAuthnRequest</code>
 * @param session the IDFF session that records one-time federations
 * @return the federation info, or null if federation could not be done
 */
protected FSAccountFedInfo doAccountFederation(Object ssoToken, FSAuthnRequest authnRequest, FSSession session) {
    FSUtils.debug.message("FSSSOAndFedHandler.doAccountFederation: Called");
    String nameIDPolicy = authnRequest.getNameIDPolicy();
    String affiliationID = authnRequest.getAffiliationID();
    boolean isAffiliationFed = false;
    if (affiliationID != null) {
        try {
            // Federate with the affiliation only if the hosted entity is a member of it.
            isAffiliationFed = metaManager.isAffiliateMember(realm, hostedEntityId, affiliationID);
        } catch (Exception e) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSSSOAndFedHandler.doAccount" + "Federation:Error in checking for the affiliation:", e);
            }
        }
    }
    try {
        SessionProvider sessionProvider = SessionManager.getProvider();
        String userID = sessionProvider.getPrincipalName(ssoToken);
        FSAccountFedInfo existActInfo = null;
        if (isAffiliationFed) {
            existActInfo = accountManager.readAccountFedInfo(userID, affiliationID);
            if (existActInfo != null && existActInfo.isFedStatusActive()) {
                return existActInfo;
            }
        }
        // Check if there is an existing fed info
        String nameQualifier = authnRequest.getProviderId();
        existActInfo = accountManager.readAccountFedInfo(userID, nameQualifier);
        if (existActInfo != null && existActInfo.isFedStatusActive()) {
            return existActInfo;
        }
        // No active federation: mint a fresh opaque handle for this pairing.
        FSNameIdentifierHelper nameHelper = new FSNameIdentifierHelper(hostedConfig);
        String opaqueHandle = nameHelper.createNameIdentifier();
        if (opaqueHandle == null) {
            FSUtils.debug.error("FSSSOAndFedHandler.doAccountFederation: " + "Could not generate handle");
            return null;
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOAndFedHandler.doAccountFederation: " + "Generated handle: " + opaqueHandle);
        }
        if (isAffiliationFed) {
            nameQualifier = affiliationID;
        }
        NameIdentifier ni = new NameIdentifier(opaqueHandle, nameQualifier);
        if (authnRequest.getMinorVersion() == IFSConstants.FF_12_PROTOCOL_MINOR_VERSION) {
            // ID-FF 1.2 carries an explicit format: federated or one-time.
            if (nameIDPolicy == null || !nameIDPolicy.equals(IFSConstants.NAME_ID_POLICY_ONETIME)) {
                ni.setFormat(IFSConstants.NI_FEDERATED_FORMAT_URI);
            } else {
                ni.setFormat(IFSConstants.NI_ONETIME_FORMAT_URI);
            }
        }
        FSAccountFedInfo accountInfo = new FSAccountFedInfo(authnRequest.getProviderId(), ni, null, false);
        FSAccountFedInfoKey fedKey = null;
        if (isAffiliationFed) {
            fedKey = new FSAccountFedInfoKey(affiliationID, opaqueHandle);
            accountInfo.setAffiliation(true);
        } else {
            fedKey = new FSAccountFedInfoKey(authnRequest.getProviderId(), opaqueHandle);
        }
        // Same one-time check as above, using the constant instead of a bare literal.
        if (nameIDPolicy == null || !nameIDPolicy.equals(IFSConstants.NAME_ID_POLICY_ONETIME)) {
            // Persistent federation: store the record in the user's profile.
            accountManager.writeAccountFedInfo(userID, fedKey, accountInfo);
        } else {
            // One-time federation: keep it only for the life of the session.
            session.setOneTime(true);
            session.setAccountFedInfo(accountInfo);
            session.setUserID(userID);
        }
        return accountInfo;
    } catch (Exception ex) {
        FSUtils.debug.error("FSSSOAndFedHandler.doAccountFederation: " + "Exception when doing account federation", ex);
        return null;
    }
}

Example 18 with FSAccountFedInfo

Use of com.sun.identity.federation.accountmgmt.FSAccountFedInfo in project OpenAM by OpenRock.

Class FSSSOAndFedHandler, method processPostAuthnSSO.

import com.sun.identity.federation.accountmgmt.FSAccountFedInfo;
import com.sun.identity.federation.services.FSSession;
import com.sun.identity.federation.services.FSSessionManager;
import com.sun.identity.federation.services.FSSessionPartner;
import com.sun.identity.plugin.session.SessionException;
import com.sun.identity.plugin.session.SessionProvider;
import com.sun.identity.saml.assertion.NameIdentifier;

/**
 * Handles the authentication request after local login.
 * @param authnRequest <code>FSAuthnRequest</code> object
 * @return <code>true</code> if the request is handled successfully;
 *  <code>false</code> otherwise.
 */
public boolean processPostAuthnSSO(FSAuthnRequest authnRequest) {
    FSUtils.debug.message("FSSSOAndFedHandler.processPostAuthnSSO: Called");
    SessionProvider sessionProvider = null;
    try {
        sessionProvider = SessionManager.getProvider();
        if (ssoToken == null) {
            ssoToken = sessionProvider.getSession(request);
        }
        // Refuse to issue SSO for a missing or invalid local session.
        if ((ssoToken == null) || (!sessionProvider.isValid(ssoToken))) {
            FSUtils.debug.error("FSSSOAndFedHandler.processPostAuthnSSO: " + "session is not valid.");
            return false;
        } else {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSSSOAndFedHandler.processPostAuthnSSO: " + "session is valid.");
            }
        }
    } catch (SessionException se) {
        FSUtils.debug.error("FSSSOAndFedHandler.processPostAuthnSSO: ", se);
        return false;
    }
    // save session
    String userID = null;
    String sessionID = null;
    try {
        userID = sessionProvider.getPrincipalName(ssoToken);
        sessionID = sessionProvider.getSessionID(ssoToken);
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOAndFedHandler.processPostAuthnSSO: " + "UserID of the principal in the session: " + userID + ", sessionID of the session: " + sessionID);
        }
    } catch (SessionException ex) {
        FSUtils.debug.error("FSSSOAndFedHandler.processPostAuthnSSO: " + "SessionException occurred. " + "Principal information not found in the session: ", ex);
        return false;
    }
    FSSessionManager sessionManager = FSSessionManager.getInstance(metaAlias);
    FSSession session = sessionManager.getSession(userID, sessionID);
    if (session != null) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOAndFedHandler.processPostAuthnSSO: " + "An existing SSO session found with ID:" + session.getSessionID());
        }
        // Record the SP as a partner of the existing session (needed for single logout).
        session.addSessionPartner(new FSSessionPartner(spEntityId, false));
        sessionManager.addSession(userID, session);
    } else {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOAndFedHandler.processPostAuthnSSO: " + "No existing SSO session found. " + "Entering a new session to the session manager with ID: " + sessionID);
        }
        session = new FSSession(sessionID);
        String sessionIndex = SAMLUtils.generateID();
        session.setSessionIndex(sessionIndex);
        session.addSessionPartner(new FSSessionPartner(spEntityId, false));
        sessionManager.addSession(userID, session);
    }
    // check for federation: either the SP asked for it or auto-federation is on
    String autoFedStr = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostedConfig, IFSConstants.ENABLE_AUTO_FEDERATION);
    if (authnRequest.getFederate() || (autoFedStr != null && autoFedStr.equalsIgnoreCase("true"))) {
        FSAccountFedInfo fedInfo = doAccountFederation(ssoToken, authnRequest, session);
        NameIdentifier spNI = null;
        NameIdentifier idpNI = null;
        if (fedInfo == null) {
            FSUtils.debug.error("FSSSOAndFedHandler.processPostAuthnSSO: " + "Account federation failed");
            return false;
        } else {
            spNI = fedInfo.getRemoteNameIdentifier();
            idpNI = fedInfo.getLocalNameIdentifier();
            if (idpNI == null) {
                // Fall back to the remote handle; without any handle SSO cannot proceed.
                idpNI = fedInfo.getRemoteNameIdentifier();
                if (idpNI == null) {
                    FSUtils.debug.error("FSSSOAndFedHandler.processPost" + "AuthnSSO: Opaque handle not found");
                    return false;
                }
            }
            if (spNI == null) {
                spNI = idpNI;
            }
        }
        return doSingleSignOn(ssoToken, authnRequest.getRequestID(), spNI, idpNI);
    } else {
        return doSingleSignOn(ssoToken, authnRequest.getRequestID());
    }
}

Example 19 with FSAccountFedInfo

Use of com.sun.identity.federation.accountmgmt.FSAccountFedInfo in project OpenAM by OpenRock.

Class FSServiceUtils, method isRegisProfileSOAP.

import com.sun.identity.federation.accountmgmt.FSAccountFedInfo;
import com.sun.identity.federation.accountmgmt.FSAccountMgmtException;

/**
 * Determines whether the registration profile is SOAP or not.
 * @param userID id of the user subject to registration
 * @param remoteEntityId remote provider's entity ID
 * @param remoteDescriptor remote provider's meta descriptor
 * @param metaAlias hosted provider's meta alias
 * @param hostedDescriptor hosted provider's meta descriptor
 * @return <code>true</code> if the registration profile is SOAP;
 *  <code>false</code> otherwise.
 */
public static boolean isRegisProfileSOAP(String userID, String remoteEntityId, SPDescriptorType remoteDescriptor, String metaAlias, IDPDescriptorType hostedDescriptor) {
    FSAccountFedInfo acctInfo = null;
    try {
        acctInfo = FSAccountManager.getInstance(metaAlias).readAccountFedInfo(userID, remoteEntityId);
    } catch (FSAccountMgmtException e) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("in exception:", e);
        }
        // Cannot read the federation record: default to the SOAP profile.
        return true;
    }
    // readAccountFedInfo returns null when no federation record exists for this
    // user and remote provider; treat that like the exception path above rather
    // than dereferencing null below.
    if (acctInfo == null) {
        return true;
    }
    String hostedProfile = FSServiceUtils.getFirstProtocolProfile(hostedDescriptor.getRegisterNameIdentifierProtocolProfile());
    String remoteProfile = FSServiceUtils.getFirstProtocolProfile(remoteDescriptor.getRegisterNameIdentifierProtocolProfile());
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("host profile is:" + hostedProfile + "\nremote profile is " + remoteProfile);
    }
    // The side acting as IDP in this federation decides which profile applies.
    if (acctInfo.isRoleIDP()) {
        if (hostedProfile.equalsIgnoreCase(IFSConstants.REGISTRATION_SP_SOAP_PROFILE) || hostedProfile.equalsIgnoreCase(IFSConstants.REGISTRATION_IDP_SOAP_PROFILE)) {
            return true;
        } else if (hostedProfile.equalsIgnoreCase(IFSConstants.REGISTRATION_SP_HTTP_PROFILE) || hostedProfile.equalsIgnoreCase(IFSConstants.REGISTRATION_IDP_HTTP_PROFILE)) {
            return false;
        } else {
            FSUtils.debug.error("FSServiceUtils.isRegisProfileSOAP:" + "Invalid registration profile.");
            return true;
        }
    } else {
        if (remoteProfile.equalsIgnoreCase(IFSConstants.REGISTRATION_SP_SOAP_PROFILE) || remoteProfile.equalsIgnoreCase(IFSConstants.REGISTRATION_IDP_SOAP_PROFILE)) {
            return true;
        } else if (remoteProfile.equalsIgnoreCase(IFSConstants.REGISTRATION_SP_HTTP_PROFILE) || remoteProfile.equalsIgnoreCase(IFSConstants.REGISTRATION_IDP_HTTP_PROFILE)) {
            return false;
        } else {
            FSUtils.debug.error("FSServiceUtils.isRegisProfileSOAP:" + "Invalid registration profile.");
            return true;
        }
    }
}

Example 20 with FSAccountFedInfo

Use of com.sun.identity.federation.accountmgmt.FSAccountFedInfo in project OpenAM by OpenRock.

Class BulkFederation, method idffFederateUser.

import java.io.BufferedWriter;
import java.io.IOException;
import java.text.MessageFormat;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.cli.CLIException;
import com.sun.identity.cli.IOutput;
import com.sun.identity.federation.accountmgmt.FSAccountFedInfo;
import com.sun.identity.federation.accountmgmt.FSAccountFedInfoKey;
import com.sun.identity.federation.accountmgmt.FSAccountMgmtException;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.saml.assertion.NameIdentifier;
import com.sun.identity.saml.common.SAMLException;

/**
 * Federates one local user with a remote user by writing an IDFF federation
 * record directly into the user's profile and emitting the
 * "remoteUserId|nameId" pair for the remote side to import.
 */
private void idffFederateUser(String localUserId, String remoteUserId, BufferedWriter out) throws CLIException {
    SSOToken adminSSOToken = getAdminSSOToken();
    try {
        AMIdentity amid = IdUtils.getIdentity(adminSSOToken, localUserId);
        String nameId = createNameIdentifier();
        // The key is qualified by the remote entity when we are the IDP,
        // by the local entity when we are the SP.
        FSAccountFedInfoKey key = (isIDP) ? new FSAccountFedInfoKey(remoteEntityId, nameId) : new FSAccountFedInfoKey(localEntityId, nameId);
        FSAccountFedInfo info = null;
        if (isIDP) {
            info = new FSAccountFedInfo(remoteEntityId, new NameIdentifier(nameId, remoteEntityId, IFSConstants.NI_FEDERATED_FORMAT_URI), IFSConstants.LOCAL_NAME_IDENTIFIER, true);
        } else {
            info = new FSAccountFedInfo(remoteEntityId, new NameIdentifier(nameId, localEntityId, IFSConstants.NI_FEDERATED_FORMAT_URI), IFSConstants.REMOTE_NAME_IDENTIFIER, true);
        }
        // AMIdentity exposes raw Map/Set collections; attribute values are Sets of Strings.
        Map attributes = amid.getAttributes(idffUserAttributesFed);
        Set setInfoKey = (Set) attributes.get(FSAccountUtils.USER_FED_INFO_KEY_ATTR);
        if ((setInfoKey == null) || setInfoKey.isEmpty()) {
            setInfoKey = new HashSet(2);
            attributes.put(FSAccountUtils.USER_FED_INFO_KEY_ATTR, setInfoKey);
        }
        setInfoKey.add(FSAccountUtils.objectToKeyString(key));
        Set setInfo = (Set) attributes.get(FSAccountUtils.USER_FED_INFO_ATTR);
        if ((setInfo == null) || setInfo.isEmpty()) {
            setInfo = new HashSet(2);
            attributes.put(FSAccountUtils.USER_FED_INFO_ATTR, setInfo);
        }
        setInfo.add(FSAccountUtils.objectToInfoString(info));
        amid.setAttributes(attributes);
        amid.store();
        out.write(remoteUserId + "|" + nameId);
        out.newLine();
    } catch (FSAccountMgmtException | SAMLException | IOException e) {
        // Serialising the record or writing the output file failed: abort this
        // user with a CLI error (the three cases were identical catch blocks).
        debugError("BulkFederation.idffFederateUser", e);
        Object[] param = { localUserId };
        throw new CLIException(MessageFormat.format(getResourceString("bulk-federation-cannot-federate"), param), ExitCodes.REQUEST_CANNOT_BE_PROCESSED);
    } catch (IdRepoException | SSOException e) {
        // Identity store or admin token problem: report it and continue.
        debugError("BulkFederation.idffFederateUser", e);
        IOutput outputWriter = getOutputWriter();
        outputWriter.printlnError(e.getMessage());
    }
}
