use of com.sun.identity.federation.services.FSSessionPartner in project OpenAM by OpenRock.
the class FSPreLogoutHandler method handleSingleLogout.
/**
* Initiates logout at this provider when the user has clicked on the
* logout option.
* @param request <code>HttPServletRequest</code> object from the user agent
* @param response <code>HttPServletRsponse</code> to be sent back to the
* user agent
* @param ssoToken used to identify the principal who wants to logout
* @param sourceCheck where the logout coming from
* @return <code>true</code> if the logout is successful; <code>false</code>
* otherwise.
*/
public FSLogoutStatus handleSingleLogout(HttpServletRequest request, HttpServletResponse response, Object ssoToken, String sourceCheck) {
this.request = request;
setLogoutURL();
FSUtils.debug.message("Entered FSPreLogoutHandler::handleSingleLogout");
try {
this.response = response;
this.ssoToken = ssoToken;
this.userID = SessionManager.getProvider().getPrincipalName(ssoToken);
String acceptString = request.getHeader("Accept");
if ((acceptString != null) && (acceptString.indexOf("text/vnd.wap.wml") != -1)) {
isWMLAgent = true;
}
FSSessionManager sMgr = FSSessionManager.getInstance(metaAlias);
FSSession session = sMgr.getSession(ssoToken);
String sessionIndex = null;
List partners = null;
if (session != null) {
sessionIndex = session.getSessionIndex();
partners = session.getSessionPartners();
}
if (FSUtils.debug.messageEnabled()) {
if (partners != null && partners.size() != 0) {
Iterator iter = partners.iterator();
while (iter.hasNext()) {
FSSessionPartner partner = (FSSessionPartner) iter.next();
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("PARTNER:" + partner.getPartner());
}
}
}
}
if (FSLogoutUtil.liveConnectionsExist(userID, metaAlias)) {
HashMap providerMap = FSLogoutUtil.getCurrentProvider(userID, metaAlias, ssoToken);
if (providerMap != null) {
FSSessionPartner currentSessionProvider = (FSSessionPartner) providerMap.get(IFSConstants.PARTNER_SESSION);
sessionIndex = (String) providerMap.get(IFSConstants.SESSION_INDEX);
if (currentSessionProvider != null) {
// this is IDP initiated based single logout
// HTTP or SOAP is based on metadata
FSUtils.debug.message("creating IDP handler");
FSSingleLogoutHandler handlerObj = new FSSingleLogoutHandler();
handlerObj.setHostedDescriptor(hostedDescriptor);
handlerObj.setHostedDescriptorConfig(hostedConfig);
handlerObj.setRealm(realm);
handlerObj.setHostedEntityId(hostedEntityId);
handlerObj.setHostedProviderRole(hostedRole);
handlerObj.setMetaAlias(metaAlias);
handlerObj.setRelayState(relayState);
return handlerObj.handleSingleLogout(response, request, currentSessionProvider, userID, sessionIndex, isWMLAgent, ssoToken);
}
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("No more providers, nothing to broadcast " + "\ndestroy user session call destroyPrincipalSession");
}
FSLogoutUtil.destroyPrincipalSession(userID, metaAlias, sessionIndex, request, response);
// control could come here when local login has happened
// In this FSSessionmap will not have anything and so we destroy
// the session based on ssoToken
FSLogoutUtil.destroyLocalSession(ssoToken, request, response);
returnToPostLogout(IFSConstants.SAML_SUCCESS);
return new FSLogoutStatus(IFSConstants.SAML_SUCCESS);
} else {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("No live connections, destroy user" + " session call destroyPrincipalSession. source=" + sourceCheck);
}
FSLogoutResponse logoutResponse = null;
FederationSPAdapter spAdapter = null;
// Call SP Adapter preSingleLogoutProcess for SP/HTTP
if (hostedRole != null && hostedRole.equalsIgnoreCase(IFSConstants.SP) && sourceCheck.equals("remote")) {
spAdapter = FSServiceUtils.getSPAdapter(hostedEntityId, hostedConfig);
if (spAdapter != null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSPreLogoutHandler, " + "call preSingleLogoutProcess, SP/HTTP");
}
try {
logoutResponse = FSLogoutResponse.parseURLEncodedRequest(request);
relayState = logoutResponse.getRelayState();
// unabled to access logoutRequest here
spAdapter.preSingleLogoutProcess(hostedEntityId, request, response, userID, null, logoutResponse, IFSConstants.LOGOUT_SP_REDIRECT_PROFILE);
} catch (Exception e) {
// ignore adapter error
FSUtils.debug.error("preSingleLogoutProcess.SP/HTTP", e);
}
}
}
FSLogoutUtil.destroyPrincipalSession(userID, metaAlias, sessionIndex, request, response);
// the session based on ssoToken
if (SessionManager.getProvider().isValid(ssoToken)) {
FSLogoutUtil.destroyLocalSession(ssoToken, request, response);
}
// Call SP Adapter postSingleLogoutProcess for SP/HTTP
if (hostedRole != null && hostedRole.equalsIgnoreCase(IFSConstants.SP) && sourceCheck.equals("remote")) {
if (spAdapter != null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSPreLogoutHandler, " + "call postSingleLogoutProcess, SP/HTTP");
}
try {
spAdapter.postSingleLogoutSuccess(hostedEntityId, request, response, userID, null, logoutResponse, IFSConstants.LOGOUT_SP_REDIRECT_PROFILE);
} catch (Exception e) {
// ignore adapter exception
FSUtils.debug.error("postSingleLogoutSuccess.SP/HTTP:", e);
}
}
}
returnToPostLogout(IFSConstants.SAML_SUCCESS);
return new FSLogoutStatus(IFSConstants.SAML_SUCCESS);
}
} catch (SessionException e) {
FSUtils.debug.error("SessionException in liveConnectionsExist" + " So destroy self and exit");
FSLogoutUtil.destroyPrincipalSession(userID, metaAlias, null, request, response);
// cannot call FSLogoutUtil.destroyLocalSession(ssoToken)
// since session exception has occurred
returnToPostLogout(IFSConstants.SAML_SUCCESS);
return new FSLogoutStatus(IFSConstants.SAML_SUCCESS);
}
}
use of com.sun.identity.federation.services.FSSessionPartner in project OpenAM by OpenRock.
the class FSLogoutUtil method getLogoutGETProviders.
/**
* Returns the list of all providers who want to be
* notified of logout using HTTP GET profile.
* @param userID principal who needs to be logged out
* @param entityId current provider who uses HTTP GET profile for logout
* @param sessionIndex for the current provider
* @param realm the realm in which the provider resides
* @param metaAlias the hosted provider performing logout
* @return HashMap list of providers who indicate preference to be notified
* of logout using GET profile
*/
protected static HashMap getLogoutGETProviders(String userID, String entityId, String sessionIndex, String realm, String metaAlias) {
try {
FSUtils.debug.message("Entered FSLogoutUtil::getLogoutGETProviders");
HashMap retMap = new HashMap();
Vector providerVector = new Vector();
HashMap sessionProvider = new HashMap();
providerVector.addElement(entityId);
sessionProvider.put(entityId, sessionIndex);
FSSessionManager sessionMgr = FSSessionManager.getInstance(metaAlias);
synchronized (sessionMgr) {
FSUtils.debug.message("About to call getSessionList");
List sessionList = sessionMgr.getSessionList(userID);
if (sessionList != null && !sessionList.isEmpty()) {
FSUtils.debug.message("Session List is not empty");
Iterator iSessionIter = sessionList.iterator();
FSSession sessionObj;
while (iSessionIter.hasNext()) {
sessionObj = (FSSession) iSessionIter.next();
if ((sessionObj.getSessionPartners()).isEmpty()) {
continue;
} else {
String nSessionIndex = sessionObj.getSessionIndex();
List sessionPartners = sessionObj.getSessionPartners();
Iterator iPartnerIter = sessionPartners.iterator();
FSSessionPartner sessionPartner;
while (iPartnerIter.hasNext()) {
sessionPartner = (FSSessionPartner) iPartnerIter.next();
// Only SP can specify GET profile for logout
if (!sessionPartner.getIsRoleIDP()) {
String curEntityId = sessionPartner.getPartner();
ProviderDescriptorType curDesc = metaManager.getSPDescriptor(realm, curEntityId);
if (curDesc != null) {
List profiles = curDesc.getSingleLogoutProtocolProfile();
if (profiles != null && !profiles.isEmpty()) {
if (((String) profiles.iterator().next()).equals(IFSConstants.LOGOUT_IDP_GET_PROFILE)) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("provider " + curEntityId + " Added for GET");
}
providerVector.addElement(curEntityId);
sessionProvider.put(curEntityId, nSessionIndex);
}
}
}
}
}
}
}
} else {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("Session List is empty, returning " + "current provider from getLogoutGETProviders");
}
}
retMap.put(IFSConstants.PROVIDER, providerVector);
retMap.put(IFSConstants.SESSION_INDEX, sessionProvider);
return retMap;
}
} catch (IDFFMetaException e) {
FSUtils.debug.error("IDFFMetaException in function " + " getLogoutGETProviders", e);
return null;
}
}
use of com.sun.identity.federation.services.FSSessionPartner in project OpenAM by OpenRock.
the class FSAssertionArtifactHandler method doAccountFederation.
protected int doAccountFederation(NameIdentifier ni) {
FSUtils.debug.message("FSAssertionArtifactHandler.doAccountFederation:Called");
if (ni == null) {
FSUtils.debug.error("FSAssertionArtifactHandler.doAccountFederation:" + FSUtils.bundle.getString("invalidInput"));
return FederationSPAdapter.FEDERATION_FAILED;
}
Object ssoToken = null;
SessionProvider sessionProvider = null;
try {
sessionProvider = SessionManager.getProvider();
} catch (SessionException se) {
FSUtils.debug.error("FSAssertionArtifactHandler.doAccountFederation: " + "Couldn't obtain session provider:", se);
String[] data = { FSUtils.bundle.getString("failGenerateSSOToken") };
LogUtil.error(Level.INFO, LogUtil.FAILED_SSO_TOKEN_GENERATION, data);
return FederationSPAdapter.FEDERATION_FAILED_SSO_TOKEN_GENERATION;
}
try {
ssoToken = sessionProvider.getSession(request);
if ((ssoToken == null) || (!sessionProvider.isValid(ssoToken))) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "doAccountFederation: couldn't obtain session from " + "cookie");
}
ssoToken = null;
}
} catch (SessionException se) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "doAccountFederation: exception when getting session " + "from cookie:");
}
ssoToken = null;
}
// try URL rewriting
FSSessionManager sessionManager = null;
if (ssoToken == null && nameIDPolicy != null && nameIDPolicy.equals(IFSConstants.NAME_ID_POLICY_ONETIME)) {
try {
ssoToken = generateAnonymousToken(response);
} catch (SessionException se) {
int failureCode = se.getErrCode();
if (failureCode == SessionException.AUTH_USER_INACTIVE) {
failureCode = FederationSPAdapter.FEDERATION_FAILED_ANON_AUTH_USER_INACTIVE;
} else if (failureCode == SessionException.AUTH_USER_LOCKED) {
failureCode = FederationSPAdapter.FEDERATION_FAILED_ANON_AUTH_USER_LOCKED;
} else if (failureCode == SessionException.AUTH_ACCOUNT_EXPIRED) {
failureCode = FederationSPAdapter.FEDERATION_FAILED_ANON_AUTH_ACCOUNT_EXPIRED;
} else {
failureCode = FederationSPAdapter.FEDERATION_FAILED_ANON_TOKEN_GENERATION;
}
return failureCode;
}
}
if (ssoToken == null) {
FSUtils.debug.error("FSAssertionArtifactHandler.doAccountFederation:" + "Account federation failed. Invalid session");
return FederationSPAdapter.FEDERATION_FAILED_ANON_TOKEN_GENERATION;
}
try {
String opaqueHandle = ni.getName();
String userID = sessionProvider.getPrincipalName(ssoToken);
String securityDomain = ni.getNameQualifier();
if ((securityDomain == null) || (securityDomain.length() == 0)) {
securityDomain = hostEntityId;
}
FSAccountFedInfo accountInfo = new FSAccountFedInfo(idpEntityId, null, ni, true);
FSAccountManager accountManager = FSAccountManager.getInstance(hostMetaAlias);
FSAccountFedInfoKey fedKey = null;
String affiliationID = authnRequest.getAffiliationID();
if (affiliationID != null) {
fedKey = new FSAccountFedInfoKey(affiliationID, opaqueHandle);
accountInfo.setAffiliation(true);
} else {
fedKey = new FSAccountFedInfoKey(securityDomain, opaqueHandle);
}
if (nameIDPolicy == null || !nameIDPolicy.equals(IFSConstants.NAME_ID_POLICY_ONETIME)) {
accountManager.writeAccountFedInfo(userID, fedKey, accountInfo);
}
//keep local session ref
if (sessionManager == null) {
sessionManager = FSSessionManager.getInstance(hostMetaAlias);
}
String sessionID = sessionProvider.getSessionID(ssoToken);
FSSession session = sessionManager.getSession(userID, sessionID);
if (session != null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "doAccountFederation: No existing session found " + " for userID:" + userID + " And SessionID: " + sessionID + " Creating a new Session");
}
session.addSessionPartner(new FSSessionPartner(idpEntityId, true));
session.setSessionIndex(idpSessionIndex);
} else {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "doAccountFederation: An Existing session found" + "for userID:" + userID + " And SessionID: " + sessionID + " Adding partner to the Session");
}
session = new FSSession(sessionID);
session.addSessionPartner(new FSSessionPartner(idpEntityId, true));
if (idpSessionIndex != null) {
session.setSessionIndex(idpSessionIndex);
}
}
if (nameIDPolicy != null && nameIDPolicy.equals(IFSConstants.NAME_ID_POLICY_ONETIME)) {
session.setOneTime(true);
session.setUserID(userID);
}
String authnContextClassRef = null;
if (authnContextStmt != null) {
authnContextClassRef = authnContextStmt.getAuthnContextClassRef();
}
if ((authnContextClassRef == null) || (authnContextClassRef.length() == 0)) {
authnContextClassRef = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostConfig, IFSConstants.DEFAULT_AUTHNCONTEXT);
}
if (authnContextClassRef != null) {
session.setAuthnContext(authnContextClassRef);
}
session.setAccountFedInfo(accountInfo);
if (bootStrapStatement != null) {
session.setBootStrapAttributeStatement(bootStrapStatement);
}
if (attrStatements.size() != 0) {
Map attributeMap = null;
setAttributeMapper();
if (realmAttributeMapper != null) {
attributeMap = realmAttributeMapper.getAttributes(attrStatements, realm, hostEntityId, idpEntityId, ssoToken);
} else if (attributeMapper != null) {
attributeMap = attributeMapper.getAttributes(attrStatements, hostEntityId, idpEntityId, ssoToken);
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "generateToken: Attribute map :" + attributeMap);
}
if (attributeMap != null) {
setAttributeMap(ssoToken, attributeMap);
}
}
if (securityAssertions != null) {
session.setBootStrapCredential(securityAssertions);
}
sessionManager.addSession(userID, session);
} catch (Exception ex) {
FSUtils.debug.error("FSAssertionArtifactHandler.doAccountFederation:" + FSUtils.bundle.getString("ExceptionOccured"), ex);
return FederationSPAdapter.FEDERATION_FAILED_WRITING_ACCOUNT_INFO;
}
String[] data = { this.relayState };
LogUtil.access(Level.INFO, LogUtil.ACCESS_GRANTED_REDIRECT_TO, data, ssoToken);
//Set fed cookie
if (nameIDPolicy == null || !nameIDPolicy.equals(IFSConstants.NAME_ID_POLICY_ONETIME)) {
String fedCookieName = SystemConfigurationUtil.getProperty(IFSConstants.FEDERATE_COOKIE_NAME);
String fedCookieValue = "yes";
for (String domain : SystemConfigurationUtil.getCookieDomainsForRequest(request)) {
CookieUtils.addCookieToResponse(response, CookieUtils.newCookie(fedCookieName, fedCookieValue, IFSConstants.PERSISTENT_COOKIE_AGE, "/", domain));
}
}
//Name registration
// comment it out for now as the spec doesn't mendate this.
/*
try {
// get if need name registration from sp extended meta
String indicator = IDFFMetaUtils.getFirstAttributeValueFromConfig(
hostConfig, IFSConstants.ENABLE_REGISTRATION_AFTER_SSO);
if (indicator != null && indicator.equalsIgnoreCase("true")) {
FSServiceManager serviceManager =
FSServiceManager.getInstance();
FSNameRegistrationHandler handlerObj =
serviceManager.getNameRegistrationHandler(
realm,
idpEntityId,
IFSConstants.IDP);
if (handlerObj != null) {
handlerObj.setHostedDescriptor(hostDesc);
handlerObj.setHostedDescriptorConfig(hostConfig);
handlerObj.setHostedEntityId(hostEntityId);
handlerObj.setMetaAlias(hostMetaAlias);
handlerObj.setAccountInfo(accountInfo);
handlerObj.handleRegistrationAfterFederation(
this.relayState, response);
}
if (!FSServieUtils.isRegisProfileSOAP(
sessionProvider.getPrincipalName(ssoToken),
idpEntityId,
idpDescriptor,
hostMetaAlias,
hostDesc))
{
return FederationSPAdapter.SUCCESS;
}
}
} catch (SessionException se) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("doAccountFederation: exception:", se);
}
}
*/
// Call SP adapter
FederationSPAdapter spAdapter = FSServiceUtils.getSPAdapter(hostEntityId, hostConfig);
if (spAdapter != null) {
FSUtils.debug.message("Invoke spAdapter");
try {
if (spAdapter.postSSOFederationSuccess(hostEntityId, request, response, ssoToken, authnRequest, authnResponse, (FSResponse) samlResponse)) {
// return true if service provider SPI redirection happened
return FederationSPAdapter.SUCCESS;
}
} catch (Exception e) {
// log run time exception in Adapter
// implementation, continue
FSUtils.debug.error("FSAssertionArtifactHandler" + " SPAdapter.postSSOFederationSuccess", e);
}
}
try {
redirectToResource(this.relayState);
return FederationSPAdapter.SUCCESS;
} catch (Exception e) {
return FederationSPAdapter.FEDERATION_FAILED;
}
}
use of com.sun.identity.federation.services.FSSessionPartner in project OpenAM by OpenRock.
the class FSAssertionArtifactHandler method generateToken.
protected int generateToken(NameIdentifier ni, int handleType, NameIdentifier niIdp, Map env) {
FSUtils.debug.message("FSAssertionArtifactHandler.generateToken: Called");
if ((ni == null)) {
FSUtils.debug.error("FSAssertionArtifactHandler." + "generateToken: Invalid userDN input");
return FederationSPAdapter.SSO_FAILED;
}
try {
String name = ni.getName();
String nameSpace = ni.getNameQualifier();
if ((nameSpace == null) || (nameSpace.length() == 0)) {
nameSpace = hostEntityId;
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "generateToken: Trying to get userDN for opaqueHandle= " + name + " ,securityDomain= " + nameSpace + " And HandleType=" + handleType);
}
String affiliationID = authnRequest.getAffiliationID();
FSAccountFedInfoKey fedKey = new FSAccountFedInfoKey(nameSpace, name);
FSAccountManager accountManager = FSAccountManager.getInstance(hostMetaAlias);
String userID = accountManager.getUserID(fedKey, realm, env);
FSAccountFedInfo fedInfo = null;
if (userID == null) {
if (niIdp != null && nameSpace.equals(affiliationID)) {
fedKey = new FSAccountFedInfoKey(affiliationID, niIdp.getName());
userID = accountManager.getUserID(fedKey, realm, env);
if (userID != null) {
FSAccountFedInfo oldInfo = accountManager.readAccountFedInfo(userID, affiliationID);
if (oldInfo != null) {
accountManager.removeAccountFedInfo(userID, oldInfo);
}
fedInfo = new FSAccountFedInfo(idpEntityId, ni, niIdp, true);
fedInfo.setAffiliation(true);
fedKey = new FSAccountFedInfoKey(nameSpace, name);
accountManager.writeAccountFedInfo(userID, fedKey, fedInfo);
} else {
FSUtils.debug.error("FSAssertionArtifactHandler.generateToken: " + "Can't dereference handle. fedKey=" + fedKey.toString());
return FederationSPAdapter.SSO_FAILED_FEDERATION_DOESNOT_EXIST;
}
} else {
// Check if there is any 6.2 format?
FSAccountFedInfoKey oldKey = new FSAccountFedInfoKey(idpEntityId, name);
if (oldKey != null) {
userID = accountManager.getUserID(oldKey, realm, env);
if (userID != null) {
fedInfo = accountManager.readAccountFedInfo(userID, idpEntityId);
if (fedInfo != null && fedInfo.isFedStatusActive()) {
// rewrite it.
NameIdentifier localNI = fedInfo.getLocalNameIdentifier();
if (localNI != null) {
localNI.setNameQualifier(hostEntityId);
}
accountManager.removeAccountFedInfo(userID, fedInfo);
NameIdentifier remoteNI = fedInfo.getRemoteNameIdentifier();
if (remoteNI != null) {
remoteNI.setNameQualifier(hostEntityId);
}
fedInfo = new FSAccountFedInfo(idpEntityId, localNI, remoteNI, true);
accountManager.removeAccountFedInfoKey(userID, oldKey);
FSAccountFedInfoKey newKey = new FSAccountFedInfoKey(hostEntityId, name);
accountManager.writeAccountFedInfo(userID, newKey, fedInfo);
} else {
FSUtils.debug.error("FSAssertionArtifactHandler." + "generateToken: Can't dereference handle.");
return FederationSPAdapter.SSO_FAILED_FEDERATION_DOESNOT_EXIST;
}
} else {
String enabledStr = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostConfig, IFSConstants.ENABLE_AUTO_FEDERATION);
if (enabledStr != null && enabledStr.equalsIgnoreCase("true") && _autoFedStatement != null) {
userID = accountManager.getUserID(autoFedSearchMap, realm, null);
if (userID != null) {
FSAccountFedInfoKey newKey = new FSAccountFedInfoKey(hostEntityId, name);
fedInfo = new FSAccountFedInfo(idpEntityId, null, ni, true);
accountManager.writeAccountFedInfo(userID, newKey, fedInfo);
} else {
FSUtils.debug.error("FSAssertionArtifactHandler. " + "generateToken:" + "Can't dereference handle.");
return FederationSPAdapter.SSO_FAILED_AUTO_FED;
}
} else {
FSUtils.debug.error("FSAssertionArtifactHandler." + "generateToken: Can't dereference handle.");
return FederationSPAdapter.SSO_FAILED_FEDERATION_DOESNOT_EXIST;
}
}
} else {
FSUtils.debug.error("FSAssertionArtifactHandler." + "generateToken: Can't dereference handle.");
return FederationSPAdapter.SSO_FAILED_FEDERATION_DOESNOT_EXIST;
}
}
} else {
if (affiliationID != null) {
fedInfo = accountManager.readAccountFedInfo(userID, affiliationID);
} else {
fedInfo = accountManager.readAccountFedInfo(userID, idpEntityId, name);
}
if (fedInfo == null) {
FSUtils.debug.error("FSAssertionArtifactHandler.generateToken: " + "User's account is not federated, id=" + userID);
return FederationSPAdapter.SSO_FAILED_FEDERATION_DOESNOT_EXIST;
}
}
//get AuthnLevel from authnContext
String authnContextClassRef = null;
int authnLevel = 0;
Map authnContextInfoMap = FSServiceUtils.getSPAuthContextInfo(hostConfig);
if (authnContextStmt != null && authnContextStmt.getAuthnContextClassRef() != null && authnContextStmt.getAuthnContextClassRef().length() != 0) {
authnContextClassRef = authnContextStmt.getAuthnContextClassRef();
if (authnContextClassRef != null && authnContextClassRef.length() != 0) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "generateToken: AuthnContextClassRef " + "found in AuthenticationStatement:" + authnContextClassRef);
}
FSSPAuthenticationContextInfo authnContextInfo = (FSSPAuthenticationContextInfo) authnContextInfoMap.get(authnContextClassRef);
if (authnContextInfo != null) {
authnLevel = authnContextInfo.getAuthenticationLevel();
} else {
FSUtils.debug.error("FSAssertionArtifactHandler." + "generateToken: Could not find " + "AuthnContextClassInfo for authnContextClassRef: " + authnContextClassRef + "Using default authnContextClass");
authnContextClassRef = null;
}
}
} else {
FSUtils.debug.warning("FSAssertionArtifactHandler.generateToken: " + "Could not find AuthnContextClassRef in the " + "AuthenticationStatement. Using default authnContextClass");
}
if (authnContextClassRef == null || authnContextClassRef.length() == 0) {
authnContextClassRef = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostConfig, IFSConstants.DEFAULT_AUTHNCONTEXT);
FSSPAuthenticationContextInfo authnContextInfo = (FSSPAuthenticationContextInfo) authnContextInfoMap.get(authnContextClassRef);
if (authnContextInfo != null) {
authnLevel = authnContextInfo.getAuthenticationLevel();
} else {
FSUtils.debug.error("FSAssertionArtifactHandler." + "generateToken: Could not find authentication level " + "for default authentication context class");
return FederationSPAdapter.SSO_FAILED;
}
}
Map valueMap = new HashMap();
valueMap.put(SessionProvider.PRINCIPAL_NAME, userID);
valueMap.put(SessionProvider.REALM, realm);
valueMap.put(SessionProvider.AUTH_LEVEL, String.valueOf(authnLevel));
valueMap.put(SessionProvider.AUTH_INSTANT, getAuthInstant());
valueMap.put("idpEntityID", idpEntityId);
//valueMap.put("resourceOffering",
//valueMap.put("securityToken",
SessionProvider sessionProvider = SessionManager.getProvider();
Object ssoSession;
try {
ssoSession = sessionProvider.createSession(valueMap, request, response, new StringBuffer(this.relayState));
} catch (SessionException se) {
FSUtils.debug.error("FSAssertionArtifactHandler.generateToken:" + "cannot generate token:", se);
int failureCode = se.getErrCode();
if (failureCode == SessionException.AUTH_USER_INACTIVE) {
failureCode = FederationSPAdapter.SSO_FAILED_AUTH_USER_INACTIVE;
} else if (failureCode == SessionException.AUTH_USER_LOCKED) {
failureCode = FederationSPAdapter.SSO_FAILED_AUTH_USER_LOCKED;
} else if (failureCode == SessionException.AUTH_ACCOUNT_EXPIRED) {
failureCode = FederationSPAdapter.SSO_FAILED_AUTH_ACCOUNT_EXPIRED;
} else {
failureCode = FederationSPAdapter.SSO_FAILED_TOKEN_GENERATION;
}
return failureCode;
}
try {
sessionProvider.addListener(ssoSession, new FSTokenListener(hostMetaAlias));
} catch (Exception e) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler.generateToken:" + "Couldn't add listener to session:", e);
}
}
String value = sessionProvider.getSessionID(ssoSession);
ssoToken = ssoSession;
Iterator iter = null;
//Set fed cookie
String fedCookieName = SystemConfigurationUtil.getProperty(IFSConstants.FEDERATE_COOKIE_NAME);
String fedCookieValue = "yes";
for (String domain : SystemConfigurationUtil.getCookieDomainsForRequest(request)) {
CookieUtils.addCookieToResponse(response, CookieUtils.newCookie(fedCookieName, fedCookieValue, IFSConstants.PERSISTENT_COOKIE_AGE, "/", domain));
}
//keep local session ref
FSSessionManager sessionManager = FSSessionManager.getInstance(hostMetaAlias);
FSSession session = sessionManager.getSession(userID, value);
if (session != null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "generateToken: An Existing session found for userID:" + userID + " And SessionID: " + value + " Adding partner to the Session");
}
session.addSessionPartner(new FSSessionPartner(idpEntityId, true));
session.setSessionIndex(idpSessionIndex);
sessionManager.addSession(userID, session);
} else {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "generateToken: No existing session found for userID:" + userID + " And SessionID: " + value + " Creating a new Session");
}
session = new FSSession(value);
session.addSessionPartner(new FSSessionPartner(idpEntityId, true));
if (idpSessionIndex != null) {
session.setSessionIndex(idpSessionIndex);
}
sessionManager.addSession(userID, session);
}
// keep authncontext in FSSession.
if (authnContextClassRef != null) {
session.setAuthnContext(authnContextClassRef);
}
if (fedInfo != null) {
session.setAccountFedInfo(fedInfo);
}
// keep the attr statement in FSSession.
if (bootStrapStatement != null) {
session.setBootStrapAttributeStatement(bootStrapStatement);
}
if (_autoFedStatement != null) {
session.setAutoFedStatement(_autoFedStatement);
}
if (attrStatements.size() != 0) {
session.setAttributeStatements(attrStatements);
Map attributeMap = null;
setAttributeMapper();
if (realmAttributeMapper != null) {
attributeMap = realmAttributeMapper.getAttributes(attrStatements, realm, hostEntityId, idpEntityId, ssoToken);
} else if (attributeMapper != null) {
attributeMap = attributeMapper.getAttributes(attrStatements, hostEntityId, idpEntityId, ssoToken);
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAssertionArtifactHandler." + "generateToken: Attribute map :" + attributeMap);
}
if (attributeMap != null) {
setAttributeMap(ssoToken, attributeMap);
}
}
if (securityAssertions != null) {
session.setBootStrapCredential(securityAssertions);
}
return FederationSPAdapter.SUCCESS;
} catch (Exception e) {
FSUtils.debug.error("FSAssertionArtifactHandler.generateToken: " + "Exception Occured ", e);
return FederationSPAdapter.SSO_FAILED;
}
}
use of com.sun.identity.federation.services.FSSessionPartner in project OpenAM by OpenRock.
the class FSSingleLogoutHandler method continueLogout.
/**
* Invoked in the case of Single Logout using SOAP profile.
* Only in the case of SOAP do we have control to initiate logout for the
* next-in-line provider. In the case of HTTP GET/Redirect we send the
* message to one provider and lose control. Here in SOAP profile
* <code>continueLogout</code> continues the logout process.
* @param isSuccess if true, means logout preformed successfully so far;
* if false, means logout failed in one or more providers.
*/
private void continueLogout(boolean isSuccess) {
FSUtils.debug.message("Entered FSSingleLogoutHandler::continueLogout");
if (FSLogoutUtil.liveConnectionsExist(userID, metaAlias)) {
FSUtils.debug.message("More liveConnectionsExist");
HashMap providerMap = FSLogoutUtil.getCurrentProvider(userID, metaAlias, ssoToken);
if (providerMap != null) {
FSSessionPartner currentSessionProvider = (FSSessionPartner) providerMap.get(IFSConstants.PARTNER_SESSION);
this.sessionIndex = (String) providerMap.get(IFSConstants.SESSION_INDEX);
if (currentSessionProvider != null) {
String currentEntityId = currentSessionProvider.getPartner();
isCurrentProviderIDPRole = currentSessionProvider.getIsRoleIDP();
ProviderDescriptorType currentDesc = null;
try {
if (isCurrentProviderIDPRole) {
currentDesc = metaManager.getIDPDescriptor(realm, currentEntityId);
} else {
currentDesc = metaManager.getSPDescriptor(realm, currentEntityId);
}
} catch (Exception e) {
FSUtils.debug.error("FSSingleLogoutHandler:cannot get meta:", e);
}
setRemoteDescriptor(currentDesc);
// Clean session Map
FSSessionManager sessionManager = FSSessionManager.getInstance(metaAlias);
FSSession session = sessionManager.getSession(sessionManager.getSessionList(userID), sessionIndex);
if (!supportSOAPProfile(remoteDescriptor)) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("Single Logout Profile cannot" + " be processed. Verify profile in metadata");
}
String[] data = { IFSConstants.LOGOUT_IDP_SOAP_PROFILE };
LogUtil.error(Level.INFO, LogUtil.LOGOUT_PROFILE_NOT_SUPPORTED, data, ssoToken);
return;
}
FSUtils.debug.message("FSSLOHandler, SOAP in case 2");
// this is IDP
if ((doIDPSoapProfile(currentEntityId)).getStatus().equalsIgnoreCase(IFSConstants.SAML_SUCCESS) || !isCurrentProviderIDPRole) {
FSLogoutUtil.removeCurrentSessionPartner(metaAlias, currentEntityId, ssoToken, userID);
FSUtils.debug.message("SOAP partner removed, case 3");
}
return;
} else {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("Reached else part " + " currentSessionProvider " + "is null. nothing more to broadcast" + "\nNo more providers, destroy user" + "session call destroyPrincipalSession");
}
FSLogoutUtil.destroyPrincipalSession(userID, metaAlias, sessionIndex, request, response);
if (response != null) {
returnAfterCompletion();
}
return;
}
} else {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("GetCurrentProvider returns null HashMap" + " Clean session and return" + "\nNo live connections, destroy user" + " session call destroyPrincipalSession");
}
FSLogoutUtil.destroyPrincipalSession(userID, metaAlias, sessionIndex, request, response);
if (response != null) {
returnAfterCompletion();
}
return;
}
} else {
FSUtils.debug.message("Reached else part in continuelogout");
// for SP does not logout local session in case IDP logout failed.
if (isSuccess || !isCurrentProviderIDPRole) {
FSUtils.debug.message("No live connections, destroy session");
FSLogoutUtil.destroyPrincipalSession(userID, metaAlias, sessionIndex, request, response);
}
// Call SP Adapter postSingleLogoutSuccess for SP/SOAP
callPostSingleLogoutSuccess(respObj, IFSConstants.LOGOUT_SP_SOAP_PROFILE);
if (response != null) {
returnAfterCompletion();
}
return;
}
}
Aggregations