Search in sources :

Example 1 with FSSubject

use of com.sun.identity.federation.message.FSSubject in project OpenAM by OpenRock.

the class FSAssertionManager method createFSAssertion.

/**
     * Creates an assertion artifact.
     * @param id session ID
     * @param artifact assertion artifact
     * @param realm the realm under which the entity resides.
     * @param spEntityID service provider's entity ID
     * @param spHandle service provider issued <code>NameIdentifier</code>
     * @param idpHandle identity provider issued <code>NameIdentifier</code>
     * @param inResponseTo value to InResponseTo attribute. It's the request ID.
     * @param assertionMinorVersion minor version the assertion should use
     * @exception FSException,SAMLException if error occurrs
     */
public FSAssertion createFSAssertion(String id, AssertionArtifact artifact, String realm, String spEntityID, NameIdentifier spHandle, NameIdentifier idpHandle, String inResponseTo, int assertionMinorVersion) throws FSException, SAMLException {
    FSUtils.debug.message("FSAssertionManager.createFSAssertion(id): Called");
    // check input
    if ((id == null) || (spEntityID == null)) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager: null input for" + " method createFSAssertion.");
        }
        throw new FSException("nullInput", null);
    }
    String destID = spEntityID;
    String authMethod = null;
    String authnContextStatementRef = null;
    String authnContextClassRef = null;
    Date authInstant = null;
    String securityDomain = null;
    Object token = null;
    String univId = null;
    SubjectLocality authLocality = null;
    FSSessionManager sessionManager = FSSessionManager.getInstance(metaAlias);
    IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
    Map attributes = new HashMap();
    if (metaManager != null) {
        BaseConfigType idpConfig = null;
        try {
            idpConfig = metaManager.getIDPDescriptorConfig(realm, hostEntityId);
        } catch (IDFFMetaException e) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionManager.createFSAssertion: exception while" + " obtaining idp extended meta:", e);
            }
            idpConfig = null;
        }
        if (idpConfig != null) {
            attributes = IDFFMetaUtils.getAttributes(idpConfig);
        }
    }
    try {
        SessionProvider sessionProvider = SessionManager.getProvider();
        token = sessionProvider.getSession(id);
        String[] strAuthInst = null;
        try {
            strAuthInst = sessionProvider.getProperty(token, SessionProvider.AUTH_INSTANT);
        } catch (UnsupportedOperationException ue) {
            if (FSUtils.debug.warningEnabled()) {
                FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", ue);
            }
        } catch (SessionException se) {
            if (FSUtils.debug.warningEnabled()) {
                FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", se);
            }
        }
        if ((strAuthInst != null) && (strAuthInst.length >= 1)) {
            try {
                authInstant = DateUtils.stringToDate(strAuthInst[0]);
            } catch (ParseException ex) {
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSAssertionManager." + "createFSAssertion(id): AuthInstant not found" + "in the Token");
                }
            }
        } else {
            authInstant = new java.util.Date();
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager.createFSAssertion(id):AuthInstant = " + authInstant);
        }
        try {
            String[] strAuthMethod = sessionProvider.getProperty(token, SessionProvider.AUTH_METHOD);
            if ((strAuthMethod != null) && (strAuthMethod.length >= 1)) {
                authMethod = strAuthMethod[0];
            }
        } catch (UnsupportedOperationException ue) {
            if (FSUtils.debug.warningEnabled()) {
                FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", ue);
            }
        } catch (SessionException se) {
            if (FSUtils.debug.warningEnabled()) {
                FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", se);
            }
        }
        String assertionIssuer = IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.ASSERTION_ISSUER);
        if (assertionIssuer == null) {
            assertionIssuer = SystemConfigurationUtil.getProperty("com.iplanet.am.server.host");
        }
        try {
            String ipAddress = InetAddress.getByName(assertionIssuer).getHostAddress();
            authLocality = new SubjectLocality(ipAddress, assertionIssuer);
        } catch (UnknownHostException uhe) {
            FSUtils.debug.error("FSAssertionManager.constructor: couldn't" + " obtain the localhost's ipaddress:", uhe);
        }
        try {
            FSSession session = sessionManager.getSession(token);
            authnContextClassRef = session.getAuthnContext();
            authnContextStatementRef = authnContextClassRef;
        } catch (Exception ex) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionManager.createFSAssertion" + "(id): AuthnContextStatement for the token is null" + " Assertion will not contain any " + " AuthenticationStatement");
            }
            authnContextStatementRef = null;
        }
        if (authnContextStatementRef != null) {
            if (assertionMinorVersion == IFSConstants.FF_11_ASSERTION_MINOR_VERSION) {
                authMethod = IFSConstants.AC_XML_NS;
            } else {
                authMethod = IFSConstants.AC_12_XML_NS;
            }
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager.createFSAssertion(id):" + "AuthnContextStatement used for authenticating the user: " + authnContextStatementRef);
        }
        univId = sessionProvider.getPrincipalName(token);
        securityDomain = hostEntityId;
    } catch (Exception e) {
        FSUtils.debug.error("FSAssertionManager.createAssertion(id):" + " exception retrieving info from the session: ", e);
        throw new FSException("alliance_manager_no_local_descriptor", null, e);
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Creating Authentication Assertion for user with" + "opaqueHandle= " + spHandle.getName() + " And SecurityDomain= " + securityDomain);
    }
    SubjectConfirmation subConfirmation = null;
    String artString = null;
    if (artifact != null) {
        artString = artifact.getAssertionArtifact();
        if (assertionMinorVersion == IFSConstants.FF_11_ASSERTION_MINOR_VERSION) {
            subConfirmation = new SubjectConfirmation(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT);
        } else {
            subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT);
        }
        subConfirmation.setSubjectConfirmationData(artString);
    } else {
        // set to bearer for POST profile
        subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_BEARER);
    }
    IDPProvidedNameIdentifier idpNi = null;
    if (assertionMinorVersion == IFSConstants.FF_12_POST_ASSERTION_MINOR_VERSION || assertionMinorVersion == IFSConstants.FF_12_ART_ASSERTION_MINOR_VERSION) {
        idpNi = new IDPProvidedNameIdentifier(idpHandle.getName(), idpHandle.getNameQualifier(), spHandle.getFormat());
        idpNi.setMinorVersion(IFSConstants.FF_12_PROTOCOL_MINOR_VERSION);
    } else {
        idpNi = new IDPProvidedNameIdentifier(idpHandle.getNameQualifier(), idpHandle.getName());
    }
    FSSubject sub = new FSSubject(spHandle, subConfirmation, idpNi);
    AuthnContext authnContext = new AuthnContext(authnContextClassRef, authnContextStatementRef);
    authnContext.setMinorVersion(assertionMinorVersion);
    FSAuthenticationStatement statement = new FSAuthenticationStatement(authMethod, authInstant, sub, authLocality, null, authnContext);
    FSSession session = sessionManager.getSession(univId, id);
    if (session == null) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager.createAssertion(id): " + "AssertionManager could not find a valid Session for" + "userId: " + univId + " SessionID: " + id);
        }
        return null;
    }
    String sessionIndex = session.getSessionIndex();
    if (sessionIndex == null) {
        sessionIndex = SAMLUtils.generateID();
        session.setSessionIndex(sessionIndex);
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id): SessionIndex: " + sessionIndex);
    }
    statement.setSessionIndex(sessionIndex);
    //setReauthenticateOnOrAfter date
    Date issueInstant = new Date();
    // get this period from the config
    FSUtils.debug.message("here before date");
    Date notAfter;
    if (artifact != null) {
        notAfter = new Date(issueInstant.getTime() + artifactTimeout);
    } else {
        notAfter = new Date(issueInstant.getTime() + assertionTimeout);
    }
    FSUtils.debug.message("here after date");
    statement.setReauthenticateOnOrAfter(notAfter);
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Authentication Statement: " + statement.toXMLString());
    }
    Conditions cond = new Conditions(null, notAfter);
    if ((destID != null) && (destID.length() != 0)) {
        List targets = new ArrayList();
        targets.add(destID);
        cond.addAudienceRestrictionCondition(new AudienceRestrictionCondition(targets));
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Authentication Statement: " + statement.toXMLString());
    }
    /**
         * This is added to create an attribute statement for the bootstrap
         * information.
         */
    AttributeStatement attribStatement = null;
    Advice advice = null;
    String generateBootstrapping = IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.GENERATE_BOOTSTRAPPING);
    if (assertionMinorVersion != IFSConstants.FF_11_ASSERTION_MINOR_VERSION && (generateBootstrapping != null && generateBootstrapping.equals("true"))) {
        AuthnContext authContext = new AuthnContext(null, authnContextStatementRef);
        authContext.setMinorVersion(IFSConstants.FF_12_PROTOCOL_MINOR_VERSION);
        try {
            FSDiscoveryBootStrap bootStrap = new FSDiscoveryBootStrap(token, authContext, sub, univId, destID, realm);
            attribStatement = bootStrap.getBootStrapStatement();
            if (bootStrap.hasCredentials()) {
                advice = bootStrap.getCredentials();
            }
        } catch (Exception e) {
            FSUtils.debug.error("FSAssertionManager.createAssertion(id):" + "exception when generating bootstrapping resource " + "offering:", e);
        }
    }
    AssertionIDReference aID = new AssertionIDReference();
    Set statements = new HashSet();
    statements.add(statement);
    if (attribStatement != null) {
        statements.add(attribStatement);
    }
    String attributePluginImpl = IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.ATTRIBUTE_PLUGIN);
    if ((attributePluginImpl != null) && (attributePluginImpl.length() != 0)) {
        try {
            Object pluginClass = Thread.currentThread().getContextClassLoader().loadClass(attributePluginImpl).newInstance();
            List attribStatements = null;
            if (pluginClass instanceof FSRealmAttributePlugin) {
                FSRealmAttributePlugin attributePlugin = (FSRealmAttributePlugin) pluginClass;
                attribStatements = attributePlugin.getAttributeStatements(realm, hostEntityId, destID, sub, token);
            } else if (pluginClass instanceof FSAttributePlugin) {
                FSAttributePlugin attributePlugin = (FSAttributePlugin) pluginClass;
                attribStatements = attributePlugin.getAttributeStatements(hostEntityId, destID, sub, token);
            }
            if ((attribStatements != null) && (attribStatements.size() != 0)) {
                Iterator iter = attribStatements.iterator();
                while (iter.hasNext()) {
                    statements.add((AttributeStatement) iter.next());
                }
            }
        } catch (Exception ex) {
            FSUtils.debug.error("FSAssertion.createAssertion(id):getAttributePlugin:", ex);
        }
    }
    if (IDFFMetaUtils.isAutoFedEnabled(attributes)) {
        AttributeStatement autoFedStatement = FSAttributeStatementHelper.getAutoFedAttributeStatement(realm, hostEntityId, sub, token);
        statements.add(autoFedStatement);
    }
    FSAssertion assertion = new FSAssertion(aID.getAssertionIDReference(), hostEntityId, issueInstant, cond, advice, statements, inResponseTo);
    assertion.setMinorVersion(assertionMinorVersion);
    assertion.setID(aID.getAssertionIDReference());
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Assertion created successfully: " + assertion.toXMLString());
    }
    String aIDString = assertion.getAssertionID();
    Entry entry = new Entry(assertion, destID, artString, token);
    Integer maxNumber = null;
    try {
        int temp = Integer.parseInt(IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.ASSERTION_LIMIT));
        maxNumber = new Integer(temp);
    } catch (Exception ex) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Assertion MAX number configuration not found in " + "FSConfig. Using Default");
        }
        maxNumber = null;
    }
    if (maxNumber == null) {
        maxNumber = new Integer(IFSConstants.ASSERTION_MAX_NUMBER_DEFAULT);
    }
    int maxValue = maxNumber.intValue();
    if ((maxValue != 0) && (idEntryMap.size() > maxValue)) {
        FSUtils.debug.error("FSAssertionManager.createAssertion: " + "reached maxNumber of assertions.");
        throw new FSException("errorCreateAssertion", null);
    }
    Object oldEntry = null;
    try {
        synchronized (idEntryMap) {
            oldEntry = idEntryMap.put(aIDString, entry);
        }
        if ((agent != null) && agent.isRunning() && (idffSvc != null)) {
            idffSvc.setAssertions((long) idEntryMap.size());
        }
    } catch (Exception e) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager: couldn't add " + "to idEntryMap.", e);
        }
        throw new FSException("errorCreateAssertion", null);
    }
    if (LogUtil.isAccessLoggable(Level.FINER)) {
        String[] data = { assertion.toString() };
        LogUtil.access(Level.FINER, LogUtil.CREATE_ASSERTION, data, token);
    } else {
        String[] data = { assertion.getAssertionID() };
        LogUtil.access(Level.INFO, LogUtil.CREATE_ASSERTION, data, token);
    }
    if (artString != null) {
        try {
            synchronized (artIdMap) {
                oldEntry = artIdMap.put(artString, aIDString);
            }
            if ((agent != null) && agent.isRunning() && (idffSvc != null)) {
                idffSvc.setArtifacts((long) artIdMap.size());
            }
        } catch (Exception e) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionManager: couldn't add " + "artifact to the artIdMap.", e);
            }
            throw new FSException("errorCreateArtifact", null);
        }
        if (oldEntry != null) {
            artifactTimeoutRunnable.removeElement(aIDString);
        }
        artifactTimeoutRunnable.addElement(aIDString);
    } else {
        if (oldEntry != null) {
            assertionTimeoutRunnable.removeElement(aIDString);
        }
        assertionTimeoutRunnable.addElement(aIDString);
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Returning Assertion: " + assertion.toXMLString());
    }
    return assertion;
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) HashMap(java.util.HashMap) FSSubject(com.sun.identity.federation.message.FSSubject) Date(java.util.Date) ArrayList(java.util.ArrayList) SessionException(com.sun.identity.plugin.session.SessionException) SubjectLocality(com.sun.identity.saml.assertion.SubjectLocality) Conditions(com.sun.identity.saml.assertion.Conditions) AuthnContext(com.sun.identity.federation.message.common.AuthnContext) BaseConfigType(com.sun.identity.federation.jaxb.entityconfig.BaseConfigType) SubjectConfirmation(com.sun.identity.saml.assertion.SubjectConfirmation) FSAssertion(com.sun.identity.federation.message.FSAssertion) FSException(com.sun.identity.federation.common.FSException) Iterator(java.util.Iterator) List(java.util.List) ArrayList(java.util.ArrayList) AudienceRestrictionCondition(com.sun.identity.saml.assertion.AudienceRestrictionCondition) SessionProvider(com.sun.identity.plugin.session.SessionProvider) HashSet(java.util.HashSet) UnknownHostException(java.net.UnknownHostException) FSAuthenticationStatement(com.sun.identity.federation.message.FSAuthenticationStatement) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) Date(java.util.Date) SessionException(com.sun.identity.plugin.session.SessionException) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) ParseException(java.text.ParseException) SAMLException(com.sun.identity.saml.common.SAMLException) FSException(com.sun.identity.federation.common.FSException) UnknownHostException(java.net.UnknownHostException) IDFFMetaManager(com.sun.identity.federation.meta.IDFFMetaManager) AttributeStatement(com.sun.identity.saml.assertion.AttributeStatement) ParseException(java.text.ParseException) Advice(com.sun.identity.saml.assertion.Advice) IDPProvidedNameIdentifier(com.sun.identity.federation.message.common.IDPProvidedNameIdentifier) AssertionIDReference(com.sun.identity.saml.assertion.AssertionIDReference) Map(java.util.Map) HashMap(java.util.HashMap)

Example 2 with FSSubject

use of com.sun.identity.federation.message.FSSubject in project OpenAM by OpenRock.

the class FSBrowserArtifactConsumerHandler method processSAMLResponse.

private void processSAMLResponse(FSResponse samlResponse) {
    FSUtils.debug.message("FSBrowserArtifactConsumerHandler.processSAMLResponse: Called");
    String baseURL = FSServiceUtils.getBaseURL(request);
    String framedPageURL = FSServiceUtils.getCommonLoginPageURL(hostMetaAlias, relayState, null, request, baseURL);
    try {
        if (samlResponse == null) {
            FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLResponse: null input " + FSUtils.bundle.getString("missingResponse"));
            String[] data = { FSUtils.bundle.getString("missingResponse") };
            LogUtil.error(Level.INFO, LogUtil.MISSING_RESPONSE, data);
            FSUtils.forwardRequest(request, response, framedPageURL);
            return;
        }
        FederationSPAdapter spAdapter = FSServiceUtils.getSPAdapter(hostEntityId, hostConfig);
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSBrowserArtifactConsumerHandler." + "processSAMLResponse: Received " + samlResponse.toXMLString());
        }
        boolean valid = verifyResponseStatus(samlResponse);
        if (!valid) {
            FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLResponse: verify Status failed " + FSUtils.bundle.getString("invalidResponse"));
            String[] data = { samlResponse.toXMLString() };
            LogUtil.error(Level.INFO, LogUtil.INVALID_RESPONSE, data);
            if (spAdapter == null || !spAdapter.postSSOFederationFailure(hostEntityId, request, response, authnRequest, null, samlResponse, FederationSPAdapter.INVALID_RESPONSE)) {
                FSUtils.forwardRequest(request, response, framedPageURL);
            }
            return;
        }
        // check Assertion
        List assertions = samlResponse.getAssertion();
        if ((assertions == null) || !(assertions.size() > 0)) {
            FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLResponse" + FSUtils.bundle.getString("invalidResponse") + ": No assertion found inside the AuthnResponse");
            String[] data = { samlResponse.toXMLString() };
            LogUtil.error(Level.INFO, LogUtil.INVALID_RESPONSE, data);
            FSUtils.forwardRequest(request, response, framedPageURL);
            return;
        }
        Iterator iter = assertions.iterator();
        FSAssertion assertion = (FSAssertion) iter.next();
        FSAuthnRequest authnRequestRef = getInResponseToRequest(assertion.getInResponseTo());
        if (authnRequestRef == null) {
            FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLResponse: " + FSUtils.bundle.getString("invalidResponse") + ": Assertion does not correspond to any AuthnRequest");
            String[] data = { samlResponse.toXMLString() };
            LogUtil.error(Level.INFO, LogUtil.INVALID_RESPONSE, data);
            FSUtils.forwardRequest(request, response, framedPageURL);
            return;
        }
        this.authnRequest = authnRequestRef;
        this.relayState = authnRequest.getRelayState();
        if ((this.relayState == null) || (this.relayState.trim().length() == 0)) {
            this.relayState = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostConfig, IFSConstants.PROVIDER_HOME_PAGE_URL);
            if ((this.relayState == null) || (this.relayState.trim().length() == 0)) {
                this.relayState = baseURL + IFSConstants.SP_DEFAULT_RELAY_STATE;
            }
        }
        this.doFederate = authnRequest.getFederate();
        this.nameIDPolicy = authnRequest.getNameIDPolicy();
        // Call SP preSSOFederationProcess for Artifact case
        if (spAdapter != null) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSBrowserArtifactConsumerHandler, " + "Artifact, Invoke spAdapter.preSSOFederationProcess");
            }
            try {
                spAdapter.preSSOFederationProcess(hostEntityId, request, response, authnRequest, null, (FSResponse) samlResponse);
            } catch (Exception e) {
                // log run time exception in Adapter
                // implementation, continue
                FSUtils.debug.error("FSAssertionArtifactHandler" + " SPAdapter.preSSOFederationSuccess", e);
            }
        }
        framedPageURL = FSServiceUtils.getCommonLoginPageURL(hostMetaAlias, authnRequest.getRelayState(), null, request, baseURL);
        String idpEntityIdRef = getProvider(assertion.getInResponseTo());
        if ((idpEntityIdRef == null) || !(idpEntityIdRef.equals(idpEntityId))) {
            FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLResponse: " + FSUtils.bundle.getString("invalidAssertion") + ": Assertion does not correspond to any IDP");
            String[] data = { FSUtils.bundle.getString("invalidAssertion") };
            LogUtil.error(Level.INFO, LogUtil.INVALID_ASSERTION, data);
            FSUtils.forwardRequest(request, response, framedPageURL);
            return;
        }
        FSSubject validSubject = (FSSubject) validateAssertions(assertions);
        if (validSubject == null) {
            FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLResponse: validateAssertions failed: " + FSUtils.bundle.getString("invalidAssertion"));
            String[] data = { FSUtils.bundle.getString("invalidAssertion") };
            LogUtil.error(Level.INFO, LogUtil.INVALID_ASSERTION, data);
            if (spAdapter == null || !spAdapter.postSSOFederationFailure(hostEntityId, request, response, authnRequest, null, samlResponse, FederationSPAdapter.INVALID_RESPONSE)) {
                FSUtils.forwardRequest(request, response, framedPageURL);
            }
            return;
        }
        if (doFederate) {
            NameIdentifier ni = validSubject.getIDPProvidedNameIdentifier();
            if (ni == null) {
                ni = validSubject.getNameIdentifier();
            }
            if (ni != null) {
                int returnCode = doAccountFederation(ni);
                if (returnCode == FederationSPAdapter.SUCCESS) {
                    // remove it from session manager table
                    FSSessionManager sessionManager = FSSessionManager.getInstance(hostMetaAlias);
                    sessionManager.removeAuthnRequest(assertion.getInResponseTo());
                    return;
                } else {
                    FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLResponse: " + FSUtils.bundle.getString("AccountFederationFailed"));
                    String[] data = { FSUtils.bundle.getString("AccountFederationFailed") };
                    LogUtil.error(Level.INFO, LogUtil.ACCOUNT_FEDERATION_FAILED, data);
                    if (spAdapter == null || !spAdapter.postSSOFederationFailure(hostEntityId, request, response, authnRequest, authnResponse, samlResponse, returnCode)) {
                        FSUtils.forwardRequest(request, response, framedPageURL);
                    }
                }
            } else {
                FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLResponse: Single Sign-On failed. " + "NameIdentifier of the subject is null: ");
                String[] data = { FSUtils.bundle.getString("SingleSignOnFailed") };
                LogUtil.error(Level.INFO, LogUtil.SINGLE_SIGNON_FAILED, data);
                throw new FSException("missingNIofSubject", null);
            }
        } else {
            // remove it from session manager table
            FSSessionManager sessionManager = FSSessionManager.getInstance(hostMetaAlias);
            sessionManager.removeAuthnRequest(assertion.getInResponseTo());
            NameIdentifier niIdp = validSubject.getIDPProvidedNameIdentifier();
            NameIdentifier ni = validSubject.getNameIdentifier();
            if (niIdp == null) {
                niIdp = ni;
            }
            if ((niIdp == null) || (ni == null)) {
                String[] data = { FSUtils.bundle.getString("invalidResponse") };
                LogUtil.error(Level.INFO, LogUtil.INVALID_RESPONSE, data);
                FSUtils.forwardRequest(request, response, framedPageURL);
                return;
            }
            String idpHandle = niIdp.getName();
            String spHandle = ni.getName();
            int handleType;
            if ((idpHandle == null) || (spHandle == null)) {
                String[] data = { FSUtils.bundle.getString("invalidResponse") };
                LogUtil.error(Level.INFO, LogUtil.INVALID_RESPONSE, data);
                FSUtils.forwardRequest(request, response, framedPageURL);
                return;
            }
            if (idpHandle.equals(spHandle)) {
                ni = niIdp;
                handleType = IFSConstants.REMOTE_OPAQUE_HANDLE;
            } else {
                handleType = IFSConstants.LOCAL_OPAQUE_HANDLE;
            }
            if (ni != null) {
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSBrowserArtifactConsumerHandler." + "processSAMLResponse: NameIdentifier=" + ni.getName() + " securityDomain=" + ni.getNameQualifier());
                }
                Map env = new HashMap();
                env.put(IFSConstants.FS_USER_PROVIDER_ENV_FSRESPONSE_KEY, samlResponse);
                int returnCode = doSingleSignOn(ni, handleType, niIdp, env);
                if (returnCode == FederationSPAdapter.SUCCESS) {
                    String requestID = assertion.getInResponseTo();
                    if (isIDPProxyEnabled(requestID)) {
                        sendProxyResponse(requestID);
                        return;
                    }
                    String[] data = { this.relayState };
                    LogUtil.access(Level.INFO, LogUtil.ACCESS_GRANTED_REDIRECT_TO, data, ssoToken);
                    // Call SP Adapter
                    if (spAdapter != null) {
                        FSUtils.debug.message("Invoke spAdapter");
                        try {
                            if (spAdapter.postSSOFederationSuccess(hostEntityId, request, response, ssoToken, authnRequest, null, samlResponse)) {
                                return;
                            }
                        } catch (Exception e) {
                            // log run time exception in Adapter
                            // implementation, continue
                            FSUtils.debug.error("FSAssertionArtifactHandler" + " SPAdapter.postSSOFederationSuccess:", e);
                        }
                    }
                    redirectToResource(this.relayState);
                    return;
                } else {
                    FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLResponse: SingleSignOnFailed, ni=" + ni.getName() + "[" + ni.getNameQualifier() + "]");
                    String[] data = { ni.getName() };
                    LogUtil.error(Level.INFO, LogUtil.SINGLE_SIGNON_FAILED, data);
                    if (spAdapter == null || !spAdapter.postSSOFederationFailure(hostEntityId, request, response, authnRequest, null, samlResponse, returnCode)) {
                        FSUtils.forwardRequest(request, response, framedPageURL);
                    }
                    return;
                }
            } else {
                FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLResponse: SingleSignOnFailed (null)");
                String[] data = { FSUtils.bundle.getString("SingleSignOnFailed") };
                LogUtil.error(Level.INFO, LogUtil.SINGLE_SIGNON_FAILED, data);
                throw new FSException("missingNIofSubject", null);
            }
        }
    } catch (Exception e) {
        FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLResponse: Exception occured: ", e);
        return;
    }
}
Also used : FSSubject(com.sun.identity.federation.message.FSSubject) NameIdentifier(com.sun.identity.saml.assertion.NameIdentifier) HashMap(java.util.HashMap) FSAuthnRequest(com.sun.identity.federation.message.FSAuthnRequest) SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException) SAMLException(com.sun.identity.saml.common.SAMLException) FSException(com.sun.identity.federation.common.FSException) FSAssertion(com.sun.identity.federation.message.FSAssertion) Iterator(java.util.Iterator) FSException(com.sun.identity.federation.common.FSException) List(java.util.List) FSSessionManager(com.sun.identity.federation.services.FSSessionManager) FederationSPAdapter(com.sun.identity.federation.plugins.FederationSPAdapter) HashMap(java.util.HashMap) Map(java.util.Map)

Example 3 with FSSubject

use of com.sun.identity.federation.message.FSSubject in project OpenAM by OpenRock.

the class CDCServlet method createAssertion.

private FSAssertion createAssertion(String destID, String sourceID, String tokenID, String authType, String strAuthInst, String userDN, String inResponseTo) throws FSException, SAMLException {
    debug.message("Entering CDCServlet.createAssertion Method");
    if ((destID == null) || (sourceID == null) || (tokenID == null) || (authType == null) || (userDN == null) || (inResponseTo == null)) {
        debug.message("CDCServlet,createAssertion: null input");
        throw new FSException(FSUtils.bundle.getString("nullInput"));
    }
    String securityDomain = sourceID;
    NameIdentifier idpHandle = new NameIdentifier(URLEncDec.encode(tokenID), sourceID);
    NameIdentifier spHandle = idpHandle;
    String authMethod = authType;
    Date authInstant = convertAuthInstanceToDate(strAuthInst);
    if (debug.messageEnabled()) {
        debug.message("CDCServlet.createAssertion " + "Creating Authentication Assertion for user with opaqueHandle =" + spHandle.getName() + " and SecurityDomain = " + securityDomain);
    }
    SubjectConfirmation subConfirmation = new SubjectConfirmation(IFSConstants.CONFIRMATION_METHOD_BEARER);
    IDPProvidedNameIdentifier idpNi = new IDPProvidedNameIdentifier(idpHandle.getNameQualifier(), idpHandle.getName());
    FSSubject sub = new FSSubject(spHandle, subConfirmation, idpNi);
    SubjectLocality authLocality = new SubjectLocality(IPAddress, DNSAddress);
    AuthnContext authnContextStmt = new AuthnContext(null, null);
    FSAuthenticationStatement statement = new FSAuthenticationStatement(authMethod, authInstant, sub, authLocality, null, authnContextStmt);
    //setReauthenticateOnOrAfter date
    Date issueInstant = new Date();
    // get this period from the config
    Integer assertionTimeout = new Integer(IFSConstants.ASSERTION_TIMEOUT_DEFAULT);
    long period = (assertionTimeout.intValue()) * 1000;
    if (period < IFSConstants.ASSERTION_TIMEOUT_ALLOWED_DIFFERENCE) {
        period = IFSConstants.ASSERTION_TIMEOUT_ALLOWED_DIFFERENCE;
    }
    Date notAfter = new Date(issueInstant.getTime() + period);
    statement.setReauthenticateOnOrAfter(notAfter);
    if (debug.messageEnabled()) {
        debug.message("CDCServlet.createAssertion: " + "Authentication Statement: " + statement.toXMLString());
    }
    Conditions cond = new Conditions(issueInstant, notAfter);
    if ((destID != null) && (destID.length() != 0)) {
        List targets = new ArrayList(1);
        targets.add(destID);
        cond.addAudienceRestrictionCondition(new AudienceRestrictionCondition(targets));
    }
    if (debug.messageEnabled()) {
        debug.message("CDCServlet.createAssertion: " + "Condition: " + cond.toString());
    }
    AssertionIDReference aID = new AssertionIDReference();
    Set statements = new HashSet(2);
    statements.add(statement);
    FSAssertion assertion = new FSAssertion(aID.getAssertionIDReference(), sourceID, issueInstant, cond, statements, inResponseTo);
    assertion.setID(aID.getAssertionIDReference());
    String[] params = { FSUtils.bundle.getString("assertionCreated") + ":" + assertion.toString() };
    LogUtil.access(Level.INFO, "CREATE_ASSERTION", params);
    if (debug.messageEnabled()) {
        debug.message("CDCServlet.createAssertion:" + " Returning Assertion: " + assertion.toXMLString());
    }
    return assertion;
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) NameIdentifier(com.sun.identity.saml.assertion.NameIdentifier) IDPProvidedNameIdentifier(com.sun.identity.federation.message.common.IDPProvidedNameIdentifier) FSSubject(com.sun.identity.federation.message.FSSubject) FSAuthenticationStatement(com.sun.identity.federation.message.FSAuthenticationStatement) ArrayList(java.util.ArrayList) Date(java.util.Date) SubjectLocality(com.sun.identity.saml.assertion.SubjectLocality) Conditions(com.sun.identity.saml.assertion.Conditions) AuthnContext(com.sun.identity.federation.message.common.AuthnContext) SubjectConfirmation(com.sun.identity.saml.assertion.SubjectConfirmation) FSAssertion(com.sun.identity.federation.message.FSAssertion) FSException(com.sun.identity.federation.common.FSException) List(java.util.List) ArrayList(java.util.ArrayList) AudienceRestrictionCondition(com.sun.identity.saml.assertion.AudienceRestrictionCondition) IDPProvidedNameIdentifier(com.sun.identity.federation.message.common.IDPProvidedNameIdentifier) AssertionIDReference(com.sun.identity.saml.assertion.AssertionIDReference) HashSet(java.util.HashSet)

Example 4 with FSSubject

use of com.sun.identity.federation.message.FSSubject in project OpenAM by OpenRock.

the class FSDefaultSPAdapter method postSSOFederationSuccess.

/**
     * Invokes this method after the successful Single Sign-On or Federation.
     * @param hostedEntityID provider ID for the hosted SP
     * @param request servlet request
     * @param response servlet response
     * @param ssoToken user's SSO token
     * @param authnRequest the original authentication request sent from SP 
     * @param authnResponse response from IDP if Browser POST or LECP profile
     *        is used for the request, value will be null if Browser Artifact
     *        profile is used. 
     * @param samlResponse response from IDP if Browser Artifact profile is used
     *        for the request, value will be null if Browser POST or LECP 
     *        profile is used.
     * @exception FederationException if user want to fail the process.
     * @return true if browser redirection happened, false otherwise.
     */
public boolean postSSOFederationSuccess(String hostedEntityID, HttpServletRequest request, HttpServletResponse response, Object ssoToken, FSAuthnRequest authnRequest, FSAuthnResponse authnResponse, FSResponse samlResponse) throws FederationException {
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSDefaultSPAdapter.postFedSuccess, " + "process " + hostedEntityID);
    }
    // find out if this is a federation request
    boolean isFederation = false;
    if (authnRequest == null) {
        FSUtils.debug.error("FSDefaultSPAdapter.postFedSuccess null");
    } else {
        String nameIDPolicy = authnRequest.getNameIDPolicy();
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSDefaultSPAdapter.postSuccess " + nameIDPolicy);
        }
        if (nameIDPolicy.equals(IFSConstants.NAME_ID_POLICY_FEDERATED)) {
            isFederation = true;
        }
    }
    SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    if (isFederation && adminToken != null) {
        try {
            // get name Identifier
            String nameId = null;
            List assertions = null;
            String idpEntityId = null;
            if (authnResponse != null) {
                // POST profile
                assertions = authnResponse.getAssertion();
                idpEntityId = authnResponse.getProviderId();
            } else {
                // Artifact profile
                assertions = samlResponse.getAssertion();
            }
            FSAssertion assertion = (FSAssertion) assertions.iterator().next();
            if (idpEntityId == null) {
                idpEntityId = assertion.getIssuer();
            }
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAdapter.postSuccess: idp=" + idpEntityId);
            }
            Iterator stmtIter = assertion.getStatement().iterator();
            while (stmtIter.hasNext()) {
                Statement statement = (Statement) stmtIter.next();
                int stmtType = statement.getStatementType();
                if (stmtType == Statement.AUTHENTICATION_STATEMENT) {
                    FSAuthenticationStatement authStatement = (FSAuthenticationStatement) statement;
                    FSSubject subject = (FSSubject) authStatement.getSubject();
                    NameIdentifier ni = subject.getIDPProvidedNameIdentifier();
                    if (ni == null) {
                        ni = subject.getNameIdentifier();
                    }
                    if (ni != null) {
                        nameId = ni.getName();
                    }
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSAdapter.postSuccess: " + "found name id =" + nameId);
                    }
                    break;
                }
            }
            if (nameId == null) {
                FSUtils.debug.warning("FSAdapter.postSuc : null nameID");
                return false;
            }
            Map map = new HashMap();
            Set set = new HashSet();
            set.add("|" + hostedEntityID + "|" + nameId + "|");
            map.put("iplanet-am-user-federation-info-key", set);
            AMIdentityRepository idRepo = new AMIdentityRepository(adminToken, ((SSOToken) ssoToken).getProperty(ISAuthConstants.ORGANIZATION));
            IdSearchControl searchControl = new IdSearchControl();
            searchControl.setTimeOut(0);
            searchControl.setMaxResults(0);
            searchControl.setAllReturnAttributes(false);
            searchControl.setSearchModifiers(IdSearchOpModifier.AND, map);
            IdSearchResults searchResults = idRepo.searchIdentities(IdType.USER, "*", searchControl);
            Set amIdSet = searchResults.getSearchResults();
            if (amIdSet.size() > 1) {
                String univId = ((SSOToken) ssoToken).getProperty(Constants.UNIVERSAL_IDENTIFIER);
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSAdapter.postSuccess: found " + amIdSet.size() + " federation with same ID as " + univId);
                }
                String metaAlias = null;
                try {
                    IDFFMetaManager metaManager = new IDFFMetaManager(ssoToken);
                    if (metaManager != null) {
                        SPDescriptorConfigElement spConfig = metaManager.getSPDescriptorConfig(realm, hostedEntityID);
                        if (spConfig != null) {
                            metaAlias = spConfig.getMetaAlias();
                        }
                    }
                } catch (IDFFMetaException ie) {
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSAdapter.postSuccess: " + "couldn't find meta alias:", ie);
                    }
                }
                FSAccountManager accManager = FSAccountManager.getInstance(metaAlias);
                FSAccountFedInfoKey fedInfoKey = new FSAccountFedInfoKey(hostedEntityID, nameId);
                // previous federation exists with different users
                Iterator it = amIdSet.iterator();
                while (it.hasNext()) {
                    AMIdentity amId = (AMIdentity) it.next();
                    // compare with the SSO token
                    String tmpUnivId = IdUtils.getUniversalId(amId);
                    if (univId.equalsIgnoreCase(tmpUnivId)) {
                        continue;
                    }
                    // remove federation information for this user
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSAdapter.postSucces, " + "remove fed info for user " + tmpUnivId);
                    }
                    accManager.removeAccountFedInfo(tmpUnivId, fedInfoKey, idpEntityId);
                }
            }
        } catch (FSAccountMgmtException f) {
            FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", f);
        } catch (IdRepoException i) {
            FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", i);
        } catch (SSOException e) {
            FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", e);
        }
    }
    return false;
}
Also used : SSOToken(com.iplanet.sso.SSOToken) Set(java.util.Set) HashSet(java.util.HashSet) FSSubject(com.sun.identity.federation.message.FSSubject) NameIdentifier(com.sun.identity.saml.assertion.NameIdentifier) HashMap(java.util.HashMap) IdSearchResults(com.sun.identity.idm.IdSearchResults) SPDescriptorConfigElement(com.sun.identity.federation.jaxb.entityconfig.SPDescriptorConfigElement) SSOException(com.iplanet.sso.SSOException) FSAccountFedInfoKey(com.sun.identity.federation.accountmgmt.FSAccountFedInfoKey) FSAccountManager(com.sun.identity.federation.accountmgmt.FSAccountManager) FSAssertion(com.sun.identity.federation.message.FSAssertion) Iterator(java.util.Iterator) IdSearchControl(com.sun.identity.idm.IdSearchControl) List(java.util.List) HashSet(java.util.HashSet) FSAuthenticationStatement(com.sun.identity.federation.message.FSAuthenticationStatement) Statement(com.sun.identity.saml.assertion.Statement) FSAuthenticationStatement(com.sun.identity.federation.message.FSAuthenticationStatement) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) IdRepoException(com.sun.identity.idm.IdRepoException) IDFFMetaManager(com.sun.identity.federation.meta.IDFFMetaManager) AMIdentity(com.sun.identity.idm.AMIdentity) AMIdentityRepository(com.sun.identity.idm.AMIdentityRepository) FSAccountMgmtException(com.sun.identity.federation.accountmgmt.FSAccountMgmtException) Map(java.util.Map) HashMap(java.util.HashMap)

Example 5 with FSSubject

use of com.sun.identity.federation.message.FSSubject in project OpenAM by OpenRock.

the class FSAssertionArtifactHandler method validateAssertions.

protected Subject validateAssertions(List assertions) {
    FSUtils.debug.message("FSAssertionArtifactHandler.validateAssertions: Called");
    // loop to check assertions
    FSSubject subject = null;
    Iterator iter = assertions.iterator();
    FSAssertion assertion = null;
    String aIDString = null;
    String issuer = null;
    Iterator stmtIter = null;
    Statement statement = null;
    int stmtType = Statement.NOT_SUPPORTED;
    SubjectConfirmation subConf = null;
    Set confMethods = null;
    String confMethod = null;
    Date date = null;
    long time = System.currentTimeMillis() + 180000;
    while (iter.hasNext()) {
        assertion = (FSAssertion) iter.next();
        if (!authnRequest.getRequestID().equals(assertion.getInResponseTo())) {
            FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion:" + " assertion does not correspond to any valid request");
            return null;
        }
        if (FSServiceUtils.isSigningOn()) {
            if (!verifyAssertionSignature(assertion)) {
                FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion:" + " assertion signature verification failed");
                return null;
            }
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: Assertion signature verified");
        }
        aIDString = assertion.getAssertionID();
        // make sure it's not being used            
        if (idTimeMap.containsKey(aIDString)) {
            FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion: Assertion: " + aIDString + " is used");
            return null;
        }
        // check issuer of the assertions
        issuer = assertion.getIssuer();
        try {
            if (idpEntityId != null) {
                if (!idpEntityId.equals(issuer)) {
                    FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "Assertion issuer is not the entity where " + "AuthnRequest was sent originally.");
                    return null;
                }
            } else {
                FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "Assertion issuer is: " + issuer);
                IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
                IDPDescriptorType idpDesc = metaManager.getIDPDescriptor(realm, issuer);
                if (idpDesc == null) {
                    FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion:" + " Assertion issuer is not on the trust list");
                    return null;
                }
                setProviderDescriptor(idpDesc);
                setProviderEntityId(issuer);
            }
        } catch (Exception ex) {
            FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "Assertion issuer is not on the trust list");
            return null;
        }
        // must be valid(timewise)
        if (!assertion.isTimeValid()) {
            FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion:" + " Assertion's time is not valid.");
            return null;
        }
        // TODO: IssuerInstant of the assertion is within a few minutes
        // This is a MAY in spec. Which number to use for the few minutes?
        // if present, target of the assertions must == local server IP
        Conditions conds = assertion.getConditions();
        if (!forThisServer(conds)) {
            FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "assertion is not issued for this site.");
            return null;
        }
        //for each assertion, loop to check each statement
        boolean authnStatementFound = false;
        if (assertion.getStatement() != null) {
            stmtIter = assertion.getStatement().iterator();
            while (stmtIter.hasNext()) {
                statement = (Statement) stmtIter.next();
                stmtType = statement.getStatementType();
                if (stmtType == Statement.AUTHENTICATION_STATEMENT) {
                    FSAuthenticationStatement authStatement = (FSAuthenticationStatement) statement;
                    authnStatementFound = true;
                    try {
                        if (FSUtils.debug.messageEnabled()) {
                            FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: " + "validating AuthenticationStatement:" + authStatement.toXMLString());
                        }
                    } catch (FSException e) {
                        FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: Exception. " + "Invalid AuthenticationStatement: ", e);
                        return null;
                    }
                    //check ReauthenticateOnOrAfter
                    reAuthnOnOrAfterDate = authStatement.getReauthenticateOnOrAfter();
                    //process SessionIndex
                    idpSessionIndex = authStatement.getSessionIndex();
                    authnContextStmt = authStatement.getAuthnContext();
                    subject = (FSSubject) authStatement.getSubject();
                    if (subject == null) {
                        FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: Subject is null");
                        return null;
                    } else {
                        try {
                            if (FSUtils.debug.messageEnabled()) {
                                FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: " + "found Authentication Statement. " + "Subject = " + subject.toXMLString());
                            }
                        } catch (FSException e) {
                            FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + " Exception. Invalid subject: ", e);
                            continue;
                        }
                    }
                    //bearer
                    if (((subConf = subject.getSubjectConfirmation()) == null) || ((confMethods = subConf.getConfirmationMethod()) == null) || (confMethods.size() != 1)) {
                        FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "missing or extra ConfirmationMethod.");
                        return null;
                    }
                    if (((confMethod = (String) confMethods.iterator().next()) == null) || !((confMethod.equals(SAMLConstants.CONFIRMATION_METHOD_BEARER)) || (confMethod.equals(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT)) || (confMethod.equals(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT)))) {
                        FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: wrong " + "ConfirmationMethod");
                        return null;
                    }
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: Confirmation method: " + confMethod);
                    }
                } else if (stmtType == Statement.ATTRIBUTE_STATEMENT) {
                    AttributeStatement attrStatement = (AttributeStatement) statement;
                    if (!checkForAttributeStatement(attrStatement)) {
                        attrStatements.add(attrStatement);
                    }
                }
            }
        }
        if (!authnStatementFound) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: " + "No Authentication statement found in the Assertion. " + "User is not authenticated by the IDP");
            }
            return null;
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: Adding " + aIDString + " to idTimeMap.");
        }
        // add the assertion to idTimeMap
        if ((date = conds.getNotOnorAfter()) != null) {
            cGoThrough.addElement(aIDString);
            idTimeMap.put(aIDString, new Long(date.getTime()));
        } else {
            cPeriodic.addElement(aIDString);
            // it doesn't matter what we store for the value.
            idTimeMap.put(aIDString, aIDString);
        }
        securityAssertions = assertion.getDiscoveryCredential();
    }
    if (subject == null) {
        FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion:" + " couldn't find Subject.");
        return null;
    }
    return subject;
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) FSSubject(com.sun.identity.federation.message.FSSubject) FSAuthenticationStatement(com.sun.identity.federation.message.FSAuthenticationStatement) Statement(com.sun.identity.saml.assertion.Statement) AttributeStatement(com.sun.identity.saml.assertion.AttributeStatement) FSAuthenticationStatement(com.sun.identity.federation.message.FSAuthenticationStatement) Date(java.util.Date) SessionException(com.sun.identity.plugin.session.SessionException) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) FSAccountMgmtException(com.sun.identity.federation.accountmgmt.FSAccountMgmtException) SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException) SAMLException(com.sun.identity.saml.common.SAMLException) FSException(com.sun.identity.federation.common.FSException) IOException(java.io.IOException) Conditions(com.sun.identity.saml.assertion.Conditions) IDPDescriptorType(com.sun.identity.liberty.ws.meta.jaxb.IDPDescriptorType) SubjectConfirmation(com.sun.identity.saml.assertion.SubjectConfirmation) IDFFMetaManager(com.sun.identity.federation.meta.IDFFMetaManager) AttributeStatement(com.sun.identity.saml.assertion.AttributeStatement) FSAssertion(com.sun.identity.federation.message.FSAssertion) Iterator(java.util.Iterator) FSException(com.sun.identity.federation.common.FSException)

Aggregations

FSSubject (com.sun.identity.federation.message.FSSubject)6 FSException (com.sun.identity.federation.common.FSException)5 FSAssertion (com.sun.identity.federation.message.FSAssertion)5 List (java.util.List)5 FSAuthenticationStatement (com.sun.identity.federation.message.FSAuthenticationStatement)4 IDFFMetaException (com.sun.identity.federation.meta.IDFFMetaException)4 NameIdentifier (com.sun.identity.saml.assertion.NameIdentifier)4 SAMLException (com.sun.identity.saml.common.SAMLException)4 HashMap (java.util.HashMap)4 HashSet (java.util.HashSet)4 Iterator (java.util.Iterator)4 Map (java.util.Map)4 Set (java.util.Set)4 FSAccountMgmtException (com.sun.identity.federation.accountmgmt.FSAccountMgmtException)3 IDFFMetaManager (com.sun.identity.federation.meta.IDFFMetaManager)3 SessionException (com.sun.identity.plugin.session.SessionException)3 Conditions (com.sun.identity.saml.assertion.Conditions)3 SubjectConfirmation (com.sun.identity.saml.assertion.SubjectConfirmation)3 ArrayList (java.util.ArrayList)3 Date (java.util.Date)3