Search in sources :

Example 6 with FSSessionPartner

use of com.sun.identity.federation.services.FSSessionPartner in project OpenAM by OpenRock.

the class FSPreLogoutHandler method handleSingleLogout.

/**
     * Initiates logout at this provider when the user has clicked on the
     * logout option.
     * @param request <code>HttPServletRequest</code> object from the user agent
     * @param response <code>HttPServletRsponse</code> to be sent back to the
     *  user agent
     * @param ssoToken used to identify the principal who wants to logout
     * @param sourceCheck where the logout coming from
     * @return <code>true</code> if the logout is successful; <code>false</code>
     *  otherwise.
     */
public FSLogoutStatus handleSingleLogout(HttpServletRequest request, HttpServletResponse response, Object ssoToken, String sourceCheck) {
    this.request = request;
    setLogoutURL();
    FSUtils.debug.message("Entered FSPreLogoutHandler::handleSingleLogout");
    try {
        this.response = response;
        this.ssoToken = ssoToken;
        this.userID = SessionManager.getProvider().getPrincipalName(ssoToken);
        String acceptString = request.getHeader("Accept");
        if ((acceptString != null) && (acceptString.indexOf("text/vnd.wap.wml") != -1)) {
            isWMLAgent = true;
        }
        FSSessionManager sMgr = FSSessionManager.getInstance(metaAlias);
        FSSession session = sMgr.getSession(ssoToken);
        String sessionIndex = null;
        List partners = null;
        if (session != null) {
            sessionIndex = session.getSessionIndex();
            partners = session.getSessionPartners();
        }
        if (FSUtils.debug.messageEnabled()) {
            if (partners != null && partners.size() != 0) {
                Iterator iter = partners.iterator();
                while (iter.hasNext()) {
                    FSSessionPartner partner = (FSSessionPartner) iter.next();
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("PARTNER:" + partner.getPartner());
                    }
                }
            }
        }
        if (FSLogoutUtil.liveConnectionsExist(userID, metaAlias)) {
            HashMap providerMap = FSLogoutUtil.getCurrentProvider(userID, metaAlias, ssoToken);
            if (providerMap != null) {
                FSSessionPartner currentSessionProvider = (FSSessionPartner) providerMap.get(IFSConstants.PARTNER_SESSION);
                sessionIndex = (String) providerMap.get(IFSConstants.SESSION_INDEX);
                if (currentSessionProvider != null) {
                    // this is IDP initiated based single logout
                    // HTTP or SOAP is based on metadata
                    FSUtils.debug.message("creating IDP handler");
                    FSSingleLogoutHandler handlerObj = new FSSingleLogoutHandler();
                    handlerObj.setHostedDescriptor(hostedDescriptor);
                    handlerObj.setHostedDescriptorConfig(hostedConfig);
                    handlerObj.setRealm(realm);
                    handlerObj.setHostedEntityId(hostedEntityId);
                    handlerObj.setHostedProviderRole(hostedRole);
                    handlerObj.setMetaAlias(metaAlias);
                    handlerObj.setRelayState(relayState);
                    return handlerObj.handleSingleLogout(response, request, currentSessionProvider, userID, sessionIndex, isWMLAgent, ssoToken);
                }
            }
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("No more providers, nothing to broadcast " + "\ndestroy user session call destroyPrincipalSession");
            }
            FSLogoutUtil.destroyPrincipalSession(userID, metaAlias, sessionIndex, request, response);
            // control could come here when local login has happened
            // In this FSSessionmap will not have anything and so we destroy
            // the session based on ssoToken
            FSLogoutUtil.destroyLocalSession(ssoToken, request, response);
            returnToPostLogout(IFSConstants.SAML_SUCCESS);
            return new FSLogoutStatus(IFSConstants.SAML_SUCCESS);
        } else {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("No live connections, destroy user" + " session call destroyPrincipalSession. source=" + sourceCheck);
            }
            FSLogoutResponse logoutResponse = null;
            FederationSPAdapter spAdapter = null;
            // Call SP Adapter preSingleLogoutProcess for SP/HTTP
            if (hostedRole != null && hostedRole.equalsIgnoreCase(IFSConstants.SP) && sourceCheck.equals("remote")) {
                spAdapter = FSServiceUtils.getSPAdapter(hostedEntityId, hostedConfig);
                if (spAdapter != null) {
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSPreLogoutHandler, " + "call preSingleLogoutProcess, SP/HTTP");
                    }
                    try {
                        logoutResponse = FSLogoutResponse.parseURLEncodedRequest(request);
                        relayState = logoutResponse.getRelayState();
                        // unabled to access logoutRequest here
                        spAdapter.preSingleLogoutProcess(hostedEntityId, request, response, userID, null, logoutResponse, IFSConstants.LOGOUT_SP_REDIRECT_PROFILE);
                    } catch (Exception e) {
                        // ignore adapter error
                        FSUtils.debug.error("preSingleLogoutProcess.SP/HTTP", e);
                    }
                }
            }
            FSLogoutUtil.destroyPrincipalSession(userID, metaAlias, sessionIndex, request, response);
            // the session based on ssoToken
            if (SessionManager.getProvider().isValid(ssoToken)) {
                FSLogoutUtil.destroyLocalSession(ssoToken, request, response);
            }
            // Call SP Adapter postSingleLogoutProcess for SP/HTTP
            if (hostedRole != null && hostedRole.equalsIgnoreCase(IFSConstants.SP) && sourceCheck.equals("remote")) {
                if (spAdapter != null) {
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSPreLogoutHandler, " + "call postSingleLogoutProcess, SP/HTTP");
                    }
                    try {
                        spAdapter.postSingleLogoutSuccess(hostedEntityId, request, response, userID, null, logoutResponse, IFSConstants.LOGOUT_SP_REDIRECT_PROFILE);
                    } catch (Exception e) {
                        // ignore adapter exception
                        FSUtils.debug.error("postSingleLogoutSuccess.SP/HTTP:", e);
                    }
                }
            }
            returnToPostLogout(IFSConstants.SAML_SUCCESS);
            return new FSLogoutStatus(IFSConstants.SAML_SUCCESS);
        }
    } catch (SessionException e) {
        FSUtils.debug.error("SessionException in liveConnectionsExist" + " So destroy self and exit");
        FSLogoutUtil.destroyPrincipalSession(userID, metaAlias, null, request, response);
        // cannot call FSLogoutUtil.destroyLocalSession(ssoToken)
        // since session exception has occurred
        returnToPostLogout(IFSConstants.SAML_SUCCESS);
        return new FSLogoutStatus(IFSConstants.SAML_SUCCESS);
    }
}
Also used : HashMap(java.util.HashMap) FSSession(com.sun.identity.federation.services.FSSession) SessionException(com.sun.identity.plugin.session.SessionException) FSLogoutResponse(com.sun.identity.federation.message.FSLogoutResponse) SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException) SessionException(com.sun.identity.plugin.session.SessionException) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) IOException(java.io.IOException) FSSessionPartner(com.sun.identity.federation.services.FSSessionPartner) Iterator(java.util.Iterator) List(java.util.List) FSSessionManager(com.sun.identity.federation.services.FSSessionManager) FederationSPAdapter(com.sun.identity.federation.plugins.FederationSPAdapter)

Example 7 with FSSessionPartner

use of com.sun.identity.federation.services.FSSessionPartner in project OpenAM by OpenRock.

the class FSLogoutUtil method getLogoutGETProviders.

/**
     * Returns the list of all providers who want to be
     * notified of logout using HTTP GET profile.
     * @param userID principal who needs to be logged out
     * @param entityId current provider who uses HTTP GET profile for logout
     * @param sessionIndex for the current provider
     * @param realm the realm in which the provider resides
     * @param metaAlias the hosted provider performing logout
     * @return HashMap list of providers who indicate preference to be notified 
     * of logout using GET profile
     */
protected static HashMap getLogoutGETProviders(String userID, String entityId, String sessionIndex, String realm, String metaAlias) {
    try {
        FSUtils.debug.message("Entered FSLogoutUtil::getLogoutGETProviders");
        HashMap retMap = new HashMap();
        Vector providerVector = new Vector();
        HashMap sessionProvider = new HashMap();
        providerVector.addElement(entityId);
        sessionProvider.put(entityId, sessionIndex);
        FSSessionManager sessionMgr = FSSessionManager.getInstance(metaAlias);
        synchronized (sessionMgr) {
            FSUtils.debug.message("About to call getSessionList");
            List sessionList = sessionMgr.getSessionList(userID);
            if (sessionList != null && !sessionList.isEmpty()) {
                FSUtils.debug.message("Session List is not empty");
                Iterator iSessionIter = sessionList.iterator();
                FSSession sessionObj;
                while (iSessionIter.hasNext()) {
                    sessionObj = (FSSession) iSessionIter.next();
                    if ((sessionObj.getSessionPartners()).isEmpty()) {
                        continue;
                    } else {
                        String nSessionIndex = sessionObj.getSessionIndex();
                        List sessionPartners = sessionObj.getSessionPartners();
                        Iterator iPartnerIter = sessionPartners.iterator();
                        FSSessionPartner sessionPartner;
                        while (iPartnerIter.hasNext()) {
                            sessionPartner = (FSSessionPartner) iPartnerIter.next();
                            // Only SP can specify GET profile for logout
                            if (!sessionPartner.getIsRoleIDP()) {
                                String curEntityId = sessionPartner.getPartner();
                                ProviderDescriptorType curDesc = metaManager.getSPDescriptor(realm, curEntityId);
                                if (curDesc != null) {
                                    List profiles = curDesc.getSingleLogoutProtocolProfile();
                                    if (profiles != null && !profiles.isEmpty()) {
                                        if (((String) profiles.iterator().next()).equals(IFSConstants.LOGOUT_IDP_GET_PROFILE)) {
                                            if (FSUtils.debug.messageEnabled()) {
                                                FSUtils.debug.message("provider " + curEntityId + " Added for GET");
                                            }
                                            providerVector.addElement(curEntityId);
                                            sessionProvider.put(curEntityId, nSessionIndex);
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            } else {
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("Session List is  empty, returning " + "current provider from getLogoutGETProviders");
                }
            }
            retMap.put(IFSConstants.PROVIDER, providerVector);
            retMap.put(IFSConstants.SESSION_INDEX, sessionProvider);
            return retMap;
        }
    } catch (IDFFMetaException e) {
        FSUtils.debug.error("IDFFMetaException in function " + " getLogoutGETProviders", e);
        return null;
    }
}
Also used : FSSessionPartner(com.sun.identity.federation.services.FSSessionPartner) HashMap(java.util.HashMap) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) ProviderDescriptorType(com.sun.identity.liberty.ws.meta.jaxb.ProviderDescriptorType) Iterator(java.util.Iterator) FSSession(com.sun.identity.federation.services.FSSession) List(java.util.List) FSSessionManager(com.sun.identity.federation.services.FSSessionManager) Vector(java.util.Vector)

Example 8 with FSSessionPartner

use of com.sun.identity.federation.services.FSSessionPartner in project OpenAM by OpenRock.

the class FSAssertionArtifactHandler method doAccountFederation.

protected int doAccountFederation(NameIdentifier ni) {
    FSUtils.debug.message("FSAssertionArtifactHandler.doAccountFederation:Called");
    if (ni == null) {
        FSUtils.debug.error("FSAssertionArtifactHandler.doAccountFederation:" + FSUtils.bundle.getString("invalidInput"));
        return FederationSPAdapter.FEDERATION_FAILED;
    }
    Object ssoToken = null;
    SessionProvider sessionProvider = null;
    try {
        sessionProvider = SessionManager.getProvider();
    } catch (SessionException se) {
        FSUtils.debug.error("FSAssertionArtifactHandler.doAccountFederation: " + "Couldn't obtain session provider:", se);
        String[] data = { FSUtils.bundle.getString("failGenerateSSOToken") };
        LogUtil.error(Level.INFO, LogUtil.FAILED_SSO_TOKEN_GENERATION, data);
        return FederationSPAdapter.FEDERATION_FAILED_SSO_TOKEN_GENERATION;
    }
    try {
        ssoToken = sessionProvider.getSession(request);
        if ((ssoToken == null) || (!sessionProvider.isValid(ssoToken))) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionArtifactHandler." + "doAccountFederation: couldn't obtain session from " + "cookie");
            }
            ssoToken = null;
        }
    } catch (SessionException se) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionArtifactHandler." + "doAccountFederation: exception when getting session " + "from cookie:");
        }
        ssoToken = null;
    }
    // try URL rewriting
    FSSessionManager sessionManager = null;
    if (ssoToken == null && nameIDPolicy != null && nameIDPolicy.equals(IFSConstants.NAME_ID_POLICY_ONETIME)) {
        try {
            ssoToken = generateAnonymousToken(response);
        } catch (SessionException se) {
            int failureCode = se.getErrCode();
            if (failureCode == SessionException.AUTH_USER_INACTIVE) {
                failureCode = FederationSPAdapter.FEDERATION_FAILED_ANON_AUTH_USER_INACTIVE;
            } else if (failureCode == SessionException.AUTH_USER_LOCKED) {
                failureCode = FederationSPAdapter.FEDERATION_FAILED_ANON_AUTH_USER_LOCKED;
            } else if (failureCode == SessionException.AUTH_ACCOUNT_EXPIRED) {
                failureCode = FederationSPAdapter.FEDERATION_FAILED_ANON_AUTH_ACCOUNT_EXPIRED;
            } else {
                failureCode = FederationSPAdapter.FEDERATION_FAILED_ANON_TOKEN_GENERATION;
            }
            return failureCode;
        }
    }
    if (ssoToken == null) {
        FSUtils.debug.error("FSAssertionArtifactHandler.doAccountFederation:" + "Account federation failed. Invalid session");
        return FederationSPAdapter.FEDERATION_FAILED_ANON_TOKEN_GENERATION;
    }
    try {
        String opaqueHandle = ni.getName();
        String userID = sessionProvider.getPrincipalName(ssoToken);
        String securityDomain = ni.getNameQualifier();
        if ((securityDomain == null) || (securityDomain.length() == 0)) {
            securityDomain = hostEntityId;
        }
        FSAccountFedInfo accountInfo = new FSAccountFedInfo(idpEntityId, null, ni, true);
        FSAccountManager accountManager = FSAccountManager.getInstance(hostMetaAlias);
        FSAccountFedInfoKey fedKey = null;
        String affiliationID = authnRequest.getAffiliationID();
        if (affiliationID != null) {
            fedKey = new FSAccountFedInfoKey(affiliationID, opaqueHandle);
            accountInfo.setAffiliation(true);
        } else {
            fedKey = new FSAccountFedInfoKey(securityDomain, opaqueHandle);
        }
        if (nameIDPolicy == null || !nameIDPolicy.equals(IFSConstants.NAME_ID_POLICY_ONETIME)) {
            accountManager.writeAccountFedInfo(userID, fedKey, accountInfo);
        }
        //keep local session ref
        if (sessionManager == null) {
            sessionManager = FSSessionManager.getInstance(hostMetaAlias);
        }
        String sessionID = sessionProvider.getSessionID(ssoToken);
        FSSession session = sessionManager.getSession(userID, sessionID);
        if (session != null) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionArtifactHandler." + "doAccountFederation: No existing session found " + " for userID:" + userID + " And SessionID: " + sessionID + " Creating a new Session");
            }
            session.addSessionPartner(new FSSessionPartner(idpEntityId, true));
            session.setSessionIndex(idpSessionIndex);
        } else {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionArtifactHandler." + "doAccountFederation: An Existing session found" + "for userID:" + userID + " And SessionID: " + sessionID + " Adding partner to the Session");
            }
            session = new FSSession(sessionID);
            session.addSessionPartner(new FSSessionPartner(idpEntityId, true));
            if (idpSessionIndex != null) {
                session.setSessionIndex(idpSessionIndex);
            }
        }
        if (nameIDPolicy != null && nameIDPolicy.equals(IFSConstants.NAME_ID_POLICY_ONETIME)) {
            session.setOneTime(true);
            session.setUserID(userID);
        }
        String authnContextClassRef = null;
        if (authnContextStmt != null) {
            authnContextClassRef = authnContextStmt.getAuthnContextClassRef();
        }
        if ((authnContextClassRef == null) || (authnContextClassRef.length() == 0)) {
            authnContextClassRef = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostConfig, IFSConstants.DEFAULT_AUTHNCONTEXT);
        }
        if (authnContextClassRef != null) {
            session.setAuthnContext(authnContextClassRef);
        }
        session.setAccountFedInfo(accountInfo);
        if (bootStrapStatement != null) {
            session.setBootStrapAttributeStatement(bootStrapStatement);
        }
        if (attrStatements.size() != 0) {
            Map attributeMap = null;
            setAttributeMapper();
            if (realmAttributeMapper != null) {
                attributeMap = realmAttributeMapper.getAttributes(attrStatements, realm, hostEntityId, idpEntityId, ssoToken);
            } else if (attributeMapper != null) {
                attributeMap = attributeMapper.getAttributes(attrStatements, hostEntityId, idpEntityId, ssoToken);
            }
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionArtifactHandler." + "generateToken: Attribute map :" + attributeMap);
            }
            if (attributeMap != null) {
                setAttributeMap(ssoToken, attributeMap);
            }
        }
        if (securityAssertions != null) {
            session.setBootStrapCredential(securityAssertions);
        }
        sessionManager.addSession(userID, session);
    } catch (Exception ex) {
        FSUtils.debug.error("FSAssertionArtifactHandler.doAccountFederation:" + FSUtils.bundle.getString("ExceptionOccured"), ex);
        return FederationSPAdapter.FEDERATION_FAILED_WRITING_ACCOUNT_INFO;
    }
    String[] data = { this.relayState };
    LogUtil.access(Level.INFO, LogUtil.ACCESS_GRANTED_REDIRECT_TO, data, ssoToken);
    //Set fed cookie
    if (nameIDPolicy == null || !nameIDPolicy.equals(IFSConstants.NAME_ID_POLICY_ONETIME)) {
        String fedCookieName = SystemConfigurationUtil.getProperty(IFSConstants.FEDERATE_COOKIE_NAME);
        String fedCookieValue = "yes";
        for (String domain : SystemConfigurationUtil.getCookieDomainsForRequest(request)) {
            CookieUtils.addCookieToResponse(response, CookieUtils.newCookie(fedCookieName, fedCookieValue, IFSConstants.PERSISTENT_COOKIE_AGE, "/", domain));
        }
    }
    //Name registration        
    // comment it out for now as the spec doesn't mendate this.
    /*
        try {
            // get if need name registration from sp extended meta
            String indicator = IDFFMetaUtils.getFirstAttributeValueFromConfig(
                hostConfig, IFSConstants.ENABLE_REGISTRATION_AFTER_SSO);
            if (indicator != null && indicator.equalsIgnoreCase("true")) {
                FSServiceManager serviceManager = 
                    FSServiceManager.getInstance();
                FSNameRegistrationHandler handlerObj = 
                    serviceManager.getNameRegistrationHandler(
                        realm,
                        idpEntityId,
                        IFSConstants.IDP);
                if (handlerObj != null) {
                    handlerObj.setHostedDescriptor(hostDesc);
                    handlerObj.setHostedDescriptorConfig(hostConfig);
                    handlerObj.setHostedEntityId(hostEntityId);
                    handlerObj.setMetaAlias(hostMetaAlias);
                    handlerObj.setAccountInfo(accountInfo);
                    handlerObj.handleRegistrationAfterFederation(
                        this.relayState, response);
                }
                if (!FSServieUtils.isRegisProfileSOAP(
                    sessionProvider.getPrincipalName(ssoToken),
                    idpEntityId,
                    idpDescriptor,
                    hostMetaAlias,
                    hostDesc)) 
                {
                    return FederationSPAdapter.SUCCESS;
                }
            }
        } catch (SessionException se) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("doAccountFederation: exception:", se);
            }
        }
        */
    // Call SP adapter
    FederationSPAdapter spAdapter = FSServiceUtils.getSPAdapter(hostEntityId, hostConfig);
    if (spAdapter != null) {
        FSUtils.debug.message("Invoke spAdapter");
        try {
            if (spAdapter.postSSOFederationSuccess(hostEntityId, request, response, ssoToken, authnRequest, authnResponse, (FSResponse) samlResponse)) {
                // return true if service provider SPI redirection happened
                return FederationSPAdapter.SUCCESS;
            }
        } catch (Exception e) {
            // log run time exception in Adapter
            // implementation, continue
            FSUtils.debug.error("FSAssertionArtifactHandler" + " SPAdapter.postSSOFederationSuccess", e);
        }
    }
    try {
        redirectToResource(this.relayState);
        return FederationSPAdapter.SUCCESS;
    } catch (Exception e) {
        return FederationSPAdapter.FEDERATION_FAILED;
    }
}
Also used : FSAccountFedInfo(com.sun.identity.federation.accountmgmt.FSAccountFedInfo) FSSession(com.sun.identity.federation.services.FSSession) SessionException(com.sun.identity.plugin.session.SessionException) FSAccountFedInfoKey(com.sun.identity.federation.accountmgmt.FSAccountFedInfoKey) FSAccountManager(com.sun.identity.federation.accountmgmt.FSAccountManager) SessionException(com.sun.identity.plugin.session.SessionException) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) FSAccountMgmtException(com.sun.identity.federation.accountmgmt.FSAccountMgmtException) SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException) SAMLException(com.sun.identity.saml.common.SAMLException) FSException(com.sun.identity.federation.common.FSException) IOException(java.io.IOException) FSSessionPartner(com.sun.identity.federation.services.FSSessionPartner) FSSessionManager(com.sun.identity.federation.services.FSSessionManager) Map(java.util.Map) HashMap(java.util.HashMap) FederationSPAdapter(com.sun.identity.federation.plugins.FederationSPAdapter) SessionProvider(com.sun.identity.plugin.session.SessionProvider)

Example 9 with FSSessionPartner

use of com.sun.identity.federation.services.FSSessionPartner in project OpenAM by OpenRock.

the class FSAssertionArtifactHandler method generateToken.

protected int generateToken(NameIdentifier ni, int handleType, NameIdentifier niIdp, Map env) {
    FSUtils.debug.message("FSAssertionArtifactHandler.generateToken: Called");
    if ((ni == null)) {
        FSUtils.debug.error("FSAssertionArtifactHandler." + "generateToken: Invalid userDN input");
        return FederationSPAdapter.SSO_FAILED;
    }
    try {
        String name = ni.getName();
        String nameSpace = ni.getNameQualifier();
        if ((nameSpace == null) || (nameSpace.length() == 0)) {
            nameSpace = hostEntityId;
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionArtifactHandler." + "generateToken: Trying to get userDN for opaqueHandle= " + name + " ,securityDomain= " + nameSpace + " And HandleType=" + handleType);
        }
        String affiliationID = authnRequest.getAffiliationID();
        FSAccountFedInfoKey fedKey = new FSAccountFedInfoKey(nameSpace, name);
        FSAccountManager accountManager = FSAccountManager.getInstance(hostMetaAlias);
        String userID = accountManager.getUserID(fedKey, realm, env);
        FSAccountFedInfo fedInfo = null;
        if (userID == null) {
            if (niIdp != null && nameSpace.equals(affiliationID)) {
                fedKey = new FSAccountFedInfoKey(affiliationID, niIdp.getName());
                userID = accountManager.getUserID(fedKey, realm, env);
                if (userID != null) {
                    FSAccountFedInfo oldInfo = accountManager.readAccountFedInfo(userID, affiliationID);
                    if (oldInfo != null) {
                        accountManager.removeAccountFedInfo(userID, oldInfo);
                    }
                    fedInfo = new FSAccountFedInfo(idpEntityId, ni, niIdp, true);
                    fedInfo.setAffiliation(true);
                    fedKey = new FSAccountFedInfoKey(nameSpace, name);
                    accountManager.writeAccountFedInfo(userID, fedKey, fedInfo);
                } else {
                    FSUtils.debug.error("FSAssertionArtifactHandler.generateToken: " + "Can't dereference handle. fedKey=" + fedKey.toString());
                    return FederationSPAdapter.SSO_FAILED_FEDERATION_DOESNOT_EXIST;
                }
            } else {
                // Check if there is any 6.2 format? 
                FSAccountFedInfoKey oldKey = new FSAccountFedInfoKey(idpEntityId, name);
                if (oldKey != null) {
                    userID = accountManager.getUserID(oldKey, realm, env);
                    if (userID != null) {
                        fedInfo = accountManager.readAccountFedInfo(userID, idpEntityId);
                        if (fedInfo != null && fedInfo.isFedStatusActive()) {
                            // rewrite it.
                            NameIdentifier localNI = fedInfo.getLocalNameIdentifier();
                            if (localNI != null) {
                                localNI.setNameQualifier(hostEntityId);
                            }
                            accountManager.removeAccountFedInfo(userID, fedInfo);
                            NameIdentifier remoteNI = fedInfo.getRemoteNameIdentifier();
                            if (remoteNI != null) {
                                remoteNI.setNameQualifier(hostEntityId);
                            }
                            fedInfo = new FSAccountFedInfo(idpEntityId, localNI, remoteNI, true);
                            accountManager.removeAccountFedInfoKey(userID, oldKey);
                            FSAccountFedInfoKey newKey = new FSAccountFedInfoKey(hostEntityId, name);
                            accountManager.writeAccountFedInfo(userID, newKey, fedInfo);
                        } else {
                            FSUtils.debug.error("FSAssertionArtifactHandler." + "generateToken: Can't dereference handle.");
                            return FederationSPAdapter.SSO_FAILED_FEDERATION_DOESNOT_EXIST;
                        }
                    } else {
                        String enabledStr = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostConfig, IFSConstants.ENABLE_AUTO_FEDERATION);
                        if (enabledStr != null && enabledStr.equalsIgnoreCase("true") && _autoFedStatement != null) {
                            userID = accountManager.getUserID(autoFedSearchMap, realm, null);
                            if (userID != null) {
                                FSAccountFedInfoKey newKey = new FSAccountFedInfoKey(hostEntityId, name);
                                fedInfo = new FSAccountFedInfo(idpEntityId, null, ni, true);
                                accountManager.writeAccountFedInfo(userID, newKey, fedInfo);
                            } else {
                                FSUtils.debug.error("FSAssertionArtifactHandler. " + "generateToken:" + "Can't dereference handle.");
                                return FederationSPAdapter.SSO_FAILED_AUTO_FED;
                            }
                        } else {
                            FSUtils.debug.error("FSAssertionArtifactHandler." + "generateToken: Can't dereference handle.");
                            return FederationSPAdapter.SSO_FAILED_FEDERATION_DOESNOT_EXIST;
                        }
                    }
                } else {
                    FSUtils.debug.error("FSAssertionArtifactHandler." + "generateToken: Can't dereference handle.");
                    return FederationSPAdapter.SSO_FAILED_FEDERATION_DOESNOT_EXIST;
                }
            }
        } else {
            if (affiliationID != null) {
                fedInfo = accountManager.readAccountFedInfo(userID, affiliationID);
            } else {
                fedInfo = accountManager.readAccountFedInfo(userID, idpEntityId, name);
            }
            if (fedInfo == null) {
                FSUtils.debug.error("FSAssertionArtifactHandler.generateToken: " + "User's account is not federated, id=" + userID);
                return FederationSPAdapter.SSO_FAILED_FEDERATION_DOESNOT_EXIST;
            }
        }
        //get AuthnLevel from authnContext
        String authnContextClassRef = null;
        int authnLevel = 0;
        Map authnContextInfoMap = FSServiceUtils.getSPAuthContextInfo(hostConfig);
        if (authnContextStmt != null && authnContextStmt.getAuthnContextClassRef() != null && authnContextStmt.getAuthnContextClassRef().length() != 0) {
            authnContextClassRef = authnContextStmt.getAuthnContextClassRef();
            if (authnContextClassRef != null && authnContextClassRef.length() != 0) {
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSAssertionArtifactHandler." + "generateToken: AuthnContextClassRef " + "found in AuthenticationStatement:" + authnContextClassRef);
                }
                FSSPAuthenticationContextInfo authnContextInfo = (FSSPAuthenticationContextInfo) authnContextInfoMap.get(authnContextClassRef);
                if (authnContextInfo != null) {
                    authnLevel = authnContextInfo.getAuthenticationLevel();
                } else {
                    FSUtils.debug.error("FSAssertionArtifactHandler." + "generateToken: Could not find " + "AuthnContextClassInfo for authnContextClassRef: " + authnContextClassRef + "Using default authnContextClass");
                    authnContextClassRef = null;
                }
            }
        } else {
            FSUtils.debug.warning("FSAssertionArtifactHandler.generateToken: " + "Could not find AuthnContextClassRef in the " + "AuthenticationStatement. Using default authnContextClass");
        }
        if (authnContextClassRef == null || authnContextClassRef.length() == 0) {
            authnContextClassRef = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostConfig, IFSConstants.DEFAULT_AUTHNCONTEXT);
            FSSPAuthenticationContextInfo authnContextInfo = (FSSPAuthenticationContextInfo) authnContextInfoMap.get(authnContextClassRef);
            if (authnContextInfo != null) {
                authnLevel = authnContextInfo.getAuthenticationLevel();
            } else {
                FSUtils.debug.error("FSAssertionArtifactHandler." + "generateToken: Could not find authentication level " + "for default authentication context class");
                return FederationSPAdapter.SSO_FAILED;
            }
        }
        Map valueMap = new HashMap();
        valueMap.put(SessionProvider.PRINCIPAL_NAME, userID);
        valueMap.put(SessionProvider.REALM, realm);
        valueMap.put(SessionProvider.AUTH_LEVEL, String.valueOf(authnLevel));
        valueMap.put(SessionProvider.AUTH_INSTANT, getAuthInstant());
        valueMap.put("idpEntityID", idpEntityId);
        //valueMap.put("resourceOffering",            
        //valueMap.put("securityToken",
        SessionProvider sessionProvider = SessionManager.getProvider();
        Object ssoSession;
        try {
            ssoSession = sessionProvider.createSession(valueMap, request, response, new StringBuffer(this.relayState));
        } catch (SessionException se) {
            FSUtils.debug.error("FSAssertionArtifactHandler.generateToken:" + "cannot generate token:", se);
            int failureCode = se.getErrCode();
            if (failureCode == SessionException.AUTH_USER_INACTIVE) {
                failureCode = FederationSPAdapter.SSO_FAILED_AUTH_USER_INACTIVE;
            } else if (failureCode == SessionException.AUTH_USER_LOCKED) {
                failureCode = FederationSPAdapter.SSO_FAILED_AUTH_USER_LOCKED;
            } else if (failureCode == SessionException.AUTH_ACCOUNT_EXPIRED) {
                failureCode = FederationSPAdapter.SSO_FAILED_AUTH_ACCOUNT_EXPIRED;
            } else {
                failureCode = FederationSPAdapter.SSO_FAILED_TOKEN_GENERATION;
            }
            return failureCode;
        }
        try {
            sessionProvider.addListener(ssoSession, new FSTokenListener(hostMetaAlias));
        } catch (Exception e) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionArtifactHandler.generateToken:" + "Couldn't add listener to session:", e);
            }
        }
        String value = sessionProvider.getSessionID(ssoSession);
        ssoToken = ssoSession;
        Iterator iter = null;
        //Set fed cookie
        String fedCookieName = SystemConfigurationUtil.getProperty(IFSConstants.FEDERATE_COOKIE_NAME);
        String fedCookieValue = "yes";
        for (String domain : SystemConfigurationUtil.getCookieDomainsForRequest(request)) {
            CookieUtils.addCookieToResponse(response, CookieUtils.newCookie(fedCookieName, fedCookieValue, IFSConstants.PERSISTENT_COOKIE_AGE, "/", domain));
        }
        //keep local session ref
        FSSessionManager sessionManager = FSSessionManager.getInstance(hostMetaAlias);
        FSSession session = sessionManager.getSession(userID, value);
        if (session != null) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionArtifactHandler." + "generateToken: An Existing session found for userID:" + userID + " And SessionID: " + value + " Adding partner to the Session");
            }
            session.addSessionPartner(new FSSessionPartner(idpEntityId, true));
            session.setSessionIndex(idpSessionIndex);
            sessionManager.addSession(userID, session);
        } else {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionArtifactHandler." + "generateToken: No existing session found for userID:" + userID + " And SessionID: " + value + " Creating a new Session");
            }
            session = new FSSession(value);
            session.addSessionPartner(new FSSessionPartner(idpEntityId, true));
            if (idpSessionIndex != null) {
                session.setSessionIndex(idpSessionIndex);
            }
            sessionManager.addSession(userID, session);
        }
        // keep authncontext in FSSession.
        if (authnContextClassRef != null) {
            session.setAuthnContext(authnContextClassRef);
        }
        if (fedInfo != null) {
            session.setAccountFedInfo(fedInfo);
        }
        // keep the attr statement in FSSession.
        if (bootStrapStatement != null) {
            session.setBootStrapAttributeStatement(bootStrapStatement);
        }
        if (_autoFedStatement != null) {
            session.setAutoFedStatement(_autoFedStatement);
        }
        if (attrStatements.size() != 0) {
            session.setAttributeStatements(attrStatements);
            Map attributeMap = null;
            setAttributeMapper();
            if (realmAttributeMapper != null) {
                attributeMap = realmAttributeMapper.getAttributes(attrStatements, realm, hostEntityId, idpEntityId, ssoToken);
            } else if (attributeMapper != null) {
                attributeMap = attributeMapper.getAttributes(attrStatements, hostEntityId, idpEntityId, ssoToken);
            }
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionArtifactHandler." + "generateToken: Attribute map :" + attributeMap);
            }
            if (attributeMap != null) {
                setAttributeMap(ssoToken, attributeMap);
            }
        }
        if (securityAssertions != null) {
            session.setBootStrapCredential(securityAssertions);
        }
        return FederationSPAdapter.SUCCESS;
    } catch (Exception e) {
        FSUtils.debug.error("FSAssertionArtifactHandler.generateToken: " + "Exception Occured ", e);
        return FederationSPAdapter.SSO_FAILED;
    }
}
Also used : FSAccountFedInfo(com.sun.identity.federation.accountmgmt.FSAccountFedInfo) NameIdentifier(com.sun.identity.saml.assertion.NameIdentifier) HashMap(java.util.HashMap) FSSession(com.sun.identity.federation.services.FSSession) SessionException(com.sun.identity.plugin.session.SessionException) FSAccountFedInfoKey(com.sun.identity.federation.accountmgmt.FSAccountFedInfoKey) FSAccountManager(com.sun.identity.federation.accountmgmt.FSAccountManager) SessionException(com.sun.identity.plugin.session.SessionException) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) FSAccountMgmtException(com.sun.identity.federation.accountmgmt.FSAccountMgmtException) SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException) SAMLException(com.sun.identity.saml.common.SAMLException) FSException(com.sun.identity.federation.common.FSException) IOException(java.io.IOException) FSSessionPartner(com.sun.identity.federation.services.FSSessionPartner) Iterator(java.util.Iterator) FSTokenListener(com.sun.identity.federation.services.logout.FSTokenListener) FSSessionManager(com.sun.identity.federation.services.FSSessionManager) Map(java.util.Map) HashMap(java.util.HashMap) FSSPAuthenticationContextInfo(com.sun.identity.federation.services.FSSPAuthenticationContextInfo) SessionProvider(com.sun.identity.plugin.session.SessionProvider)

Example 10 with FSSessionPartner

use of com.sun.identity.federation.services.FSSessionPartner in project OpenAM by OpenRock.

the class FSSingleLogoutHandler method continueLogout.

/**
     * Invoked in the case of Single Logout using SOAP profile.
     * Only in the case of SOAP do we have control to initiate logout for the
     * next-in-line provider. In the case of HTTP GET/Redirect we send the
     * message to one provider and lose control. Here in SOAP profile 
     * <code>continueLogout</code> continues the logout process.
     * @param isSuccess if true, means logout preformed successfully so far;
     *     if false, means logout failed in one or more providers.
     */
private void continueLogout(boolean isSuccess) {
    FSUtils.debug.message("Entered FSSingleLogoutHandler::continueLogout");
    if (FSLogoutUtil.liveConnectionsExist(userID, metaAlias)) {
        FSUtils.debug.message("More liveConnectionsExist");
        HashMap providerMap = FSLogoutUtil.getCurrentProvider(userID, metaAlias, ssoToken);
        if (providerMap != null) {
            FSSessionPartner currentSessionProvider = (FSSessionPartner) providerMap.get(IFSConstants.PARTNER_SESSION);
            this.sessionIndex = (String) providerMap.get(IFSConstants.SESSION_INDEX);
            if (currentSessionProvider != null) {
                String currentEntityId = currentSessionProvider.getPartner();
                isCurrentProviderIDPRole = currentSessionProvider.getIsRoleIDP();
                ProviderDescriptorType currentDesc = null;
                try {
                    if (isCurrentProviderIDPRole) {
                        currentDesc = metaManager.getIDPDescriptor(realm, currentEntityId);
                    } else {
                        currentDesc = metaManager.getSPDescriptor(realm, currentEntityId);
                    }
                } catch (Exception e) {
                    FSUtils.debug.error("FSSingleLogoutHandler:cannot get meta:", e);
                }
                setRemoteDescriptor(currentDesc);
                // Clean session Map
                FSSessionManager sessionManager = FSSessionManager.getInstance(metaAlias);
                FSSession session = sessionManager.getSession(sessionManager.getSessionList(userID), sessionIndex);
                if (!supportSOAPProfile(remoteDescriptor)) {
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("Single Logout Profile cannot" + " be processed. Verify profile in metadata");
                    }
                    String[] data = { IFSConstants.LOGOUT_IDP_SOAP_PROFILE };
                    LogUtil.error(Level.INFO, LogUtil.LOGOUT_PROFILE_NOT_SUPPORTED, data, ssoToken);
                    return;
                }
                FSUtils.debug.message("FSSLOHandler, SOAP in case 2");
                // this is IDP
                if ((doIDPSoapProfile(currentEntityId)).getStatus().equalsIgnoreCase(IFSConstants.SAML_SUCCESS) || !isCurrentProviderIDPRole) {
                    FSLogoutUtil.removeCurrentSessionPartner(metaAlias, currentEntityId, ssoToken, userID);
                    FSUtils.debug.message("SOAP partner removed, case 3");
                }
                return;
            } else {
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("Reached else part " + " currentSessionProvider " + "is null. nothing more to broadcast" + "\nNo more providers, destroy user" + "session call destroyPrincipalSession");
                }
                FSLogoutUtil.destroyPrincipalSession(userID, metaAlias, sessionIndex, request, response);
                if (response != null) {
                    returnAfterCompletion();
                }
                return;
            }
        } else {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("GetCurrentProvider returns null HashMap" + " Clean session and return" + "\nNo live connections, destroy user" + "  session call destroyPrincipalSession");
            }
            FSLogoutUtil.destroyPrincipalSession(userID, metaAlias, sessionIndex, request, response);
            if (response != null) {
                returnAfterCompletion();
            }
            return;
        }
    } else {
        FSUtils.debug.message("Reached else part in continuelogout");
        // for SP does not logout local session in case IDP logout failed.
        if (isSuccess || !isCurrentProviderIDPRole) {
            FSUtils.debug.message("No live connections, destroy session");
            FSLogoutUtil.destroyPrincipalSession(userID, metaAlias, sessionIndex, request, response);
        }
        // Call SP Adapter postSingleLogoutSuccess for SP/SOAP
        callPostSingleLogoutSuccess(respObj, IFSConstants.LOGOUT_SP_SOAP_PROFILE);
        if (response != null) {
            returnAfterCompletion();
        }
        return;
    }
}
Also used : FSSessionPartner(com.sun.identity.federation.services.FSSessionPartner) HashMap(java.util.HashMap) ProviderDescriptorType(com.sun.identity.liberty.ws.meta.jaxb.ProviderDescriptorType) FSSession(com.sun.identity.federation.services.FSSession) FSSessionManager(com.sun.identity.federation.services.FSSessionManager) ServletException(javax.servlet.ServletException) SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException) SessionException(com.sun.identity.plugin.session.SessionException) SAMLException(com.sun.identity.saml.common.SAMLException) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) IOException(java.io.IOException) FSMsgException(com.sun.identity.federation.message.common.FSMsgException)

Aggregations

FSSessionManager (com.sun.identity.federation.services.FSSessionManager)13 FSSessionPartner (com.sun.identity.federation.services.FSSessionPartner)13 FSSession (com.sun.identity.federation.services.FSSession)12 SessionException (com.sun.identity.plugin.session.SessionException)10 IDFFMetaException (com.sun.identity.federation.meta.IDFFMetaException)9 HashMap (java.util.HashMap)9 SAMLResponderException (com.sun.identity.saml.common.SAMLResponderException)7 IOException (java.io.IOException)7 SAMLException (com.sun.identity.saml.common.SAMLException)6 Iterator (java.util.Iterator)6 FSAccountMgmtException (com.sun.identity.federation.accountmgmt.FSAccountMgmtException)5 List (java.util.List)5 BaseConfigType (com.sun.identity.federation.jaxb.entityconfig.BaseConfigType)4 ProviderDescriptorType (com.sun.identity.liberty.ws.meta.jaxb.ProviderDescriptorType)4 FSAccountFedInfo (com.sun.identity.federation.accountmgmt.FSAccountFedInfo)3 FSException (com.sun.identity.federation.common.FSException)3 FSMsgException (com.sun.identity.federation.message.common.FSMsgException)3 SessionProvider (com.sun.identity.plugin.session.SessionProvider)3 NameIdentifier (com.sun.identity.saml.assertion.NameIdentifier)3 FSAccountFedInfoKey (com.sun.identity.federation.accountmgmt.FSAccountFedInfoKey)2