use of com.sun.identity.idm.IdSearchControl in project OpenAM by OpenRock.
Class FSDefaultSPAdapter, method postSSOFederationSuccess.
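/**
 * Invokes this method after the successful Single Sign-On or Federation.
 * <p>
 * For a federation request (NameIDPolicy {@code federated}) the name
 * identifier is read from the first authentication statement of the first
 * assertion, and every local user other than the one behind
 * {@code ssoToken} that still carries the federation key
 * {@code |hostedEntityID|nameId|} has that federation record removed, so the
 * identifier maps to a single local account afterwards. Non-federation
 * requests and any failure along the way are logged and leave the SSO
 * outcome untouched.
 *
 * @param hostedEntityID provider ID for the hosted SP
 * @param request servlet request
 * @param response servlet response
 * @param ssoToken user's SSO token
 * @param authnRequest the original authentication request sent from SP
 * @param authnResponse response from IDP if Browser POST or LECP profile
 *        is used for the request, value will be null if Browser Artifact
 *        profile is used.
 * @param samlResponse response from IDP if Browser Artifact profile is used
 *        for the request, value will be null if Browser POST or LECP
 *        profile is used.
 * @exception FederationException if user want to fail the process.
 * @return true if browser redirection happened, false otherwise. This
 *         implementation never redirects, so it always returns false.
 */
public boolean postSSOFederationSuccess(String hostedEntityID,
        HttpServletRequest request, HttpServletResponse response,
        Object ssoToken, FSAuthnRequest authnRequest,
        FSAuthnResponse authnResponse, FSResponse samlResponse)
        throws FederationException {
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSDefaultSPAdapter.postFedSuccess, " + "process " + hostedEntityID);
    }
    // find out if this is a federation request
    boolean isFederation = false;
    if (authnRequest == null) {
        FSUtils.debug.error("FSDefaultSPAdapter.postFedSuccess null");
    } else {
        String nameIDPolicy = authnRequest.getNameIDPolicy();
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSDefaultSPAdapter.postSuccess " + nameIDPolicy);
        }
        // constant on the left: a request without a NameIDPolicy must not
        // abort an otherwise successful SSO with a NullPointerException
        isFederation = IFSConstants.NAME_ID_POLICY_FEDERATED.equals(nameIDPolicy);
    }
    SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    if (!isFederation || adminToken == null) {
        return false;
    }
    try {
        // POST/LECP profile carries the assertions in authnResponse, the
        // Artifact profile in samlResponse; one of the two is expected
        List assertions = null;
        String idpEntityId = null;
        if (authnResponse != null) {
            assertions = authnResponse.getAssertion();
            idpEntityId = authnResponse.getProviderId();
        } else if (samlResponse != null) {
            assertions = samlResponse.getAssertion();
        }
        if (assertions == null || assertions.isEmpty()) {
            // previously an unchecked NoSuchElementException/NPE escaped here
            FSUtils.debug.warning("FSAdapter.postSuc : no assertion in response");
            return false;
        }
        FSAssertion assertion = (FSAssertion) assertions.iterator().next();
        if (idpEntityId == null) {
            idpEntityId = assertion.getIssuer();
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAdapter.postSuccess: idp=" + idpEntityId);
        }
        String nameId = findNameId(assertion);
        if (nameId == null) {
            FSUtils.debug.warning("FSAdapter.postSuc : null nameID");
            return false;
        }
        // find every local user whose federation-info key already
        // references this SP / name-identifier pair
        Set set = new HashSet();
        set.add("|" + hostedEntityID + "|" + nameId + "|");
        Map map = new HashMap();
        map.put("iplanet-am-user-federation-info-key", set);
        AMIdentityRepository idRepo = new AMIdentityRepository(adminToken,
                ((SSOToken) ssoToken).getProperty(ISAuthConstants.ORGANIZATION));
        IdSearchControl searchControl = new IdSearchControl();
        searchControl.setTimeOut(0);
        searchControl.setMaxResults(0);
        searchControl.setAllReturnAttributes(false);
        searchControl.setSearchModifiers(IdSearchOpModifier.AND, map);
        IdSearchResults searchResults = idRepo.searchIdentities(IdType.USER, "*", searchControl);
        Set amIdSet = searchResults.getSearchResults();
        if (amIdSet == null || amIdSet.size() <= 1) {
            // zero or one matching user: nothing to clean up
            return false;
        }
        String univId = ((SSOToken) ssoToken).getProperty(Constants.UNIVERSAL_IDENTIFIER);
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAdapter.postSuccess: found " + amIdSet.size()
                    + " federation with same ID as " + univId);
        }
        if (univId == null) {
            // without the caller's own identifier the loop below could not
            // tell the current user apart from the stale federations
            FSUtils.debug.warning("FSAdapter.postSuc : null universal id in token");
            return false;
        }
        FSAccountManager accManager = FSAccountManager.getInstance(findSPMetaAlias(ssoToken, hostedEntityID));
        FSAccountFedInfoKey fedInfoKey = new FSAccountFedInfoKey(hostedEntityID, nameId);
        // previous federation exists with different users
        Iterator it = amIdSet.iterator();
        while (it.hasNext()) {
            AMIdentity amId = (AMIdentity) it.next();
            String tmpUnivId = IdUtils.getUniversalId(amId);
            // the user behind the SSO token keeps the federation
            if (univId.equalsIgnoreCase(tmpUnivId)) {
                continue;
            }
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAdapter.postSucces, " + "remove fed info for user " + tmpUnivId);
            }
            accManager.removeAccountFedInfo(tmpUnivId, fedInfoKey, idpEntityId);
        }
    } catch (FSAccountMgmtException f) {
        FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", f);
    } catch (IdRepoException i) {
        FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", i);
    } catch (SSOException e) {
        FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", e);
    }
    return false;
}

/**
 * Returns the name identifier from the first authentication statement of
 * {@code assertion}, preferring the IdP-provided identifier over the
 * subject's plain name identifier.
 *
 * @param assertion assertion taken from the IdP response
 * @return the name, or null if the assertion has no authentication
 *         statement or that statement carries no name identifier
 */
private static String findNameId(FSAssertion assertion) {
    List statements = assertion.getStatement();
    if (statements == null) {
        return null;
    }
    Iterator stmtIter = statements.iterator();
    while (stmtIter.hasNext()) {
        Statement statement = (Statement) stmtIter.next();
        if (statement.getStatementType() != Statement.AUTHENTICATION_STATEMENT) {
            continue;
        }
        FSAuthenticationStatement authStatement = (FSAuthenticationStatement) statement;
        FSSubject subject = (FSSubject) authStatement.getSubject();
        NameIdentifier ni = subject.getIDPProvidedNameIdentifier();
        if (ni == null) {
            ni = subject.getNameIdentifier();
        }
        String nameId = (ni == null) ? null : ni.getName();
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAdapter.postSuccess: " + "found name id =" + nameId);
        }
        // only the first authentication statement is consulted
        return nameId;
    }
    return null;
}

/**
 * Returns the meta alias of the hosted SP {@code hostedEntityID} in this
 * adapter's realm ({@code realm} is a field of the adapter, set outside
 * this method).
 *
 * @param ssoToken token used to open the IDFF meta manager
 * @param hostedEntityID provider ID for the hosted SP
 * @return the meta alias, or null if the SP configuration is missing or
 *         cannot be read (the failure is only logged at debug level)
 */
private String findSPMetaAlias(Object ssoToken, String hostedEntityID) {
    try {
        IDFFMetaManager metaManager = new IDFFMetaManager(ssoToken);
        SPDescriptorConfigElement spConfig = metaManager.getSPDescriptorConfig(realm, hostedEntityID);
        return (spConfig == null) ? null : spConfig.getMetaAlias();
    } catch (IDFFMetaException ie) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAdapter.postSuccess: " + "couldn't find meta alias:", ie);
        }
        return null;
    }
}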
use of com.sun.identity.idm.IdSearchControl in project OpenAM by OpenRock.
Class CramMD5MechanismHandler, method getUserPassword.
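/**
 * Looks up the stored password of the single user named {@code userName}
 * in the root realm, for CRAM-MD5 verification.
 * <p>
 * Returns null (after a debug message) whenever the lookup cannot yield
 * exactly one credential: no user or more than one user matches, the user
 * has no {@code userPassword} value or more than one, or the repository
 * lookup fails. A {@code {CLEAR}} prefix is stripped; any other value is
 * returned as stored.
 *
 * @param userName user name to look up (presumably taken from the client's
 *        CRAM-MD5 response, so treated as untrusted)
 * @return the user's clear-text password, or null if it cannot be determined
 */
private static String getUserPassword(String userName) {
    // the second argument of searchIdentities is a search pattern, not a
    // literal name (other callers pass "*"); a wildcard in the supplied
    // name could otherwise select a user other than the one named
    if (userName == null || userName.indexOf('*') >= 0) {
        if (debug.messageEnabled()) {
            debug.message("CramMD5MechanismHandler.getUserPassword: " + "invalid user name");
        }
        return null;
    }
    try {
        SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
        AMIdentityRepository idRepo = new AMIdentityRepository(adminToken, SMSEntry.getRootSuffix());
        IdSearchControl searchControl = new IdSearchControl();
        searchControl.setTimeOut(0);
        searchControl.setMaxResults(0);
        searchControl.setAllReturnAttributes(false);
        IdSearchResults searchResults = idRepo.searchIdentities(IdType.USER, userName, searchControl);
        Set users = searchResults.getSearchResults();
        if (users == null || users.isEmpty()) {
            if (debug.messageEnabled()) {
                debug.message("CramMD5MechanismHandler.getUserPassword: " + "no user found");
            }
            return null;
        }
        if (users.size() > 1) {
            // ambiguous match: never guess which account to authenticate
            if (debug.messageEnabled()) {
                debug.message("CramMD5MechanismHandler.getUserPassword: " + "more than 1 user found");
            }
            return null;
        }
        AMIdentity user = (AMIdentity) users.iterator().next();
        Set passwords = user.getAttribute("userPassword");
        if (passwords == null || passwords.isEmpty()) {
            if (debug.messageEnabled()) {
                debug.message("CramMD5MechanismHandler.getUserPassword: " + "user has no password");
            }
            return null;
        }
        if (passwords.size() > 1) {
            if (debug.messageEnabled()) {
                debug.message("CramMD5MechanismHandler.getUserPassword: " + "user has more than 1 passwords");
            }
            return null;
        }
        String password = (String) passwords.iterator().next();
        // CRAM-MD5 needs the clear value; strip the storage-scheme tag
        if (password.startsWith("{CLEAR}")) {
            password = password.substring("{CLEAR}".length());
        }
        return password;
    } catch (Exception ex) {
        // broad catch kept deliberately: any lookup failure must degrade to
        // "no credential" rather than abort the mechanism with an exception
        AuthnSvcUtils.debug.error("CramMD5MechanismHandler.getUserPassword: ", ex);
        return null;
    }
}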
use of com.sun.identity.idm.IdSearchControl in project OpenAM by OpenRock.
Class IdRepoDataStoreProvider, method getIdSearchControl.
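/**
 * Returns <code>IdSearchControl</code> object.
 * @param avPairs Attribute key/value pairs that is used to construct
 *        search control. Key is the attribute name, value
 *        is a Set containing attribute value(s).
 * @param modifier Search modification, could be one of:
 *        <code>IdSearchOpModifier.OR</code>
 *        <code>IdSearchOpModifier.AND</code>. A null modifier
 *        falls back to <code>IdSearchOpModifier.AND</code>.
 * @return <code>IdSearchControl</code> object, null if the
 *         passing map is null or empty.
 */
private static IdSearchControl getIdSearchControl(Map avPairs, IdSearchOpModifier modifier) {
    if ((avPairs == null) || avPairs.isEmpty()) {
        return null;
    }
    IdSearchControl searchControl = new IdSearchControl();
    // 0 presumably means no time limit / no result cap — TODO confirm
    // against IdSearchControl; callers decide how many hits are acceptable
    searchControl.setTimeOut(0);
    searchControl.setMaxResults(0);
    searchControl.setAllReturnAttributes(false);
    // honour the requested modifier; previously AND was applied regardless
    // of the argument, silently turning an OR search into an AND search
    IdSearchOpModifier effective = (modifier == null) ? IdSearchOpModifier.AND : modifier;
    searchControl.setSearchModifiers(effective, avPairs);
    return searchControl;
}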
use of com.sun.identity.idm.IdSearchControl in project OpenAM by OpenRock.
Class IdRepoDataStoreProvider, method getUserID.
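/**
 * Returns user matching the search criteria.
 * <p>
 * Every attribute/value pair must match (AND search); exactly one user
 * may match. Repository and token failures are logged and rethrown wrapped
 * in <code>DataStoreProviderException</code>.
 *
 * @param orgDN The realm to search the user. If null,
 *        searches the root realm.
 * @param avPairs Attribute key/value pairs that will be used for
 *        searching the user. Key is the attribute name, value
 *        is a Set containing attribute value(s).
 * @return Universal identifier of the matching user, null if
 *         the matching user could not be found.
 * @throws DataStoreProviderException if error occurs during search or
 *         multiple matching users found, or if avPairs is null or empty.
 */
public String getUserID(String orgDN, Map<String, Set<String>> avPairs) throws DataStoreProviderException {
    if (orgDN == null) {
        orgDN = SMSEntry.getRootSuffix();
    }
    if (avPairs == null || avPairs.isEmpty()) {
        throw new DataStoreProviderException(bundle.getString("nullAvPair"));
    }
    Set amIdSet = null;
    try {
        IdSearchControl searchControl = getIdSearchControl(avPairs, IdSearchOpModifier.AND);
        AMIdentityRepository idRepo = getAMIdentityRepository(orgDN);
        // "*" is the name pattern: the attribute map alone narrows the search
        IdSearchResults searchResults = idRepo.searchIdentities(IdType.USER, "*", searchControl);
        amIdSet = searchResults.getSearchResults();
    } catch (IdRepoException ame) {
        debug.error("IdRepoDataStoreProvider.getUserID(): IdRepoException", ame);
        throw new DataStoreProviderException(ame);
    } catch (SSOException ssoe) {
        debug.error("IdRepoDataStoreProvider.getUserID() : SSOException", ssoe);
        throw new DataStoreProviderException(ssoe);
    }
    // debug messages are guarded like the one below, so the message
    // strings are not built on every lookup when debugging is off
    if (amIdSet == null || amIdSet.isEmpty()) {
        if (debug.messageEnabled()) {
            debug.message("IdRepoDataStoreProvider.getUserID : user not found");
        }
        return null;
    }
    if (amIdSet.size() > 1) {
        // ambiguous match is an error, never a guess
        if (debug.messageEnabled()) {
            debug.message("IdRepoDataStoreProvider.getUserID : multiple match");
        }
        throw new DataStoreProviderException(bundle.getString("multipleMatches"));
    }
    // single user found.
    final AMIdentity amId = (AMIdentity) amIdSet.iterator().next();
    final String universalId = IdUtils.getUniversalId(amId);
    if (debug.messageEnabled()) {
        debug.message("IdRepoDataStoreProvider.getUserID()" + " Name=: " + amId.getName() + " DN=: " + amId.getDN() + " univId=: " + universalId);
    }
    return universalId;
}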
use of com.sun.identity.idm.IdSearchControl in project OpenAM by OpenRock.
Class DeviceIdSave, method getIdentity.
/**
 * Gets the identity of the user.
 * <p>
 * Searches the request's realm for the user named by the {@code userName}
 * field. Exactly one match is wrapped and returned; no match, several
 * matches or a repository/token failure are logged as errors and yield
 * null.
 *
 * @return The user's identity, or null if it could not be resolved.
 */
private AMIdentityWrapper getIdentity() {
    AMIdentityRepository repo = getAMIdentityRepository(getRequestOrg());
    IdSearchControl control = new IdSearchControl();
    // the wrapper is handed the full attribute set of the matched user
    control.setAllReturnAttributes(true);
    AMIdentityWrapper found = null;
    try {
        control.setMaxResults(0);
        IdSearchResults searchResults = repo.searchIdentities(IdType.USER, userName, control);
        Set<AMIdentity> matches;
        if (searchResults == null) {
            matches = Collections.emptySet();
        } else {
            matches = searchResults.getSearchResults();
        }
        int count = matches.size();
        if (count == 1) {
            found = new AMIdentityWrapper(matches.iterator().next());
        } else if (count == 0) {
            DEBUG.error("DeviceIdSave.getIdentity : User " + userName + " is not found");
        } else {
            DEBUG.error("DeviceIdSave.getIdentity : More than one user found for the userName " + userName);
        }
    } catch (IdRepoException e) {
        DEBUG.error("DeviceIdSave.getIdentity : Error searching Identities with username : " + userName, e);
    } catch (SSOException e) {
        DEBUG.error("DeviceIdSave.getIdentity : Module exception : ", e);
    }
    return found;
}