use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.
the class DoManageNameID method processManageNameIDResponse.
/**
* Parses the request parameters and builds the Authentication
* Request to sent to the IDP.
*
* @param request the HttpServletRequest.
* @param response the HttpServletResponse.
* @param paramsMap Map of all other parameters.
* @return return true if the processing is successful.
* @throws SAML2Exception if error initiating request to IDP.
*/
public static boolean processManageNameIDResponse(HttpServletRequest request, HttpServletResponse response, Map paramsMap) throws SAML2Exception {
String method = "processManageNameIDResponse: ";
boolean success = false;
String requestURL = request.getRequestURI();
String metaAlias = SAML2MetaUtils.getMetaAliasByUri(requestURL);
if (metaAlias == null) {
logError("MetaAliasNotFound", LogUtil.MISSING_META_ALIAS, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("MetaAliasNotFound"));
}
String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
String hostEntityID = metaManager.getEntityByMetaAlias(metaAlias);
String hostRole = SAML2Utils.getHostEntityRole(paramsMap);
boolean isSupported = false;
if (SAML2Constants.IDP_ROLE.equals(hostRole)) {
isSupported = SAML2Utils.isIDPProfileBindingSupported(realm, hostEntityID, SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_REDIRECT);
} else {
isSupported = SAML2Utils.isSPProfileBindingSupported(realm, hostEntityID, SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_REDIRECT);
}
if (!isSupported) {
debug.error(method + "MNI binding: Redirect is not supported for " + hostEntityID);
String[] data = { hostEntityID, SAML2Constants.HTTP_REDIRECT };
LogUtil.error(Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
}
String relayState = request.getParameter(SAML2Constants.RELAY_STATE);
String mniRes = request.getParameter(SAML2Constants.SAML_RESPONSE);
String mniResStr = SAML2Utils.decodeFromRedirect(mniRes);
if (mniResStr == null) {
logError("nullDecodedStrFromSamlResponse", LogUtil.CANNOT_DECODE_RESPONSE, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse"));
}
if (debug.messageEnabled()) {
debug.message(method + "Meta Alias is : " + metaAlias);
debug.message(method + "Host role is : " + hostRole);
debug.message(method + "Relay state is : " + relayState);
debug.message(method + "MNI Response : " + mniResStr);
}
// Validate the RelayState URL.
SAML2Utils.validateRelayStateURL(realm, hostEntityID, relayState, hostRole);
ManageNameIDResponse mniResponse = null;
try {
mniResponse = pf.createManageNameIDResponse(mniResStr);
String remoteEntityID = mniResponse.getIssuer().getValue();
Issuer resIssuer = mniResponse.getIssuer();
String requestId = mniResponse.getInResponseTo();
SAML2Utils.verifyResponseIssuer(realm, hostEntityID, resIssuer, requestId);
boolean needToVerify = SAML2Utils.getWantMNIResponseSigned(realm, hostEntityID, hostRole);
if (needToVerify) {
String queryString = request.getQueryString();
boolean valid = SAML2Utils.verifyQueryString(queryString, realm, hostRole, remoteEntityID);
if (!valid) {
logError("invalidSignInResponse", LogUtil.MNI_RESPONSE_INVALID_SIGNATURE, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignInResponse"));
}
}
StringBuffer mniUserId = new StringBuffer();
success = checkMNIResponse(mniResponse, realm, hostEntityID, hostRole, mniUserId);
if (success && (hostRole != null) && hostRole.equals(SAML2Constants.SP_ROLE)) {
// invoke SPAdapter for termination success
postTerminationSuccess(hostEntityID, realm, request, response, mniUserId.toString(), null, mniResponse, SAML2Constants.HTTP_REDIRECT);
}
} catch (SessionException e) {
logError("invalidSSOToken", LogUtil.INVALID_SSOTOKEN, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
}
if (debug.messageEnabled()) {
debug.message(method + "Request success : " + success);
}
return success;
}
use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.
the class SPSingleLogout method initiateLogoutRequest.
/**
* Parses the request parameters and initiates the Logout
* Request to be sent to the IDP.
*
* @param request the HttpServletRequest.
* @param response the HttpServletResponse.
* @param out The print writer for writing out presentation.
* @param binding binding used for this request.
* @param paramsMap Map of all other parameters.
* Following parameters names with their respective
* String values are allowed in this paramsMap.
* "RelayState" - the target URL on successful Single Logout
* "Destination" - A URI Reference indicating the address to
* which the request has been sent.
* "Consent" - Specifies a URI a SAML defined identifier
* known as Consent Identifiers.
* "Extension" - Specifies a list of Extensions as list of
* String objects.
* @param origLogoutRequest original LogoutRequest
* @param msg SOAPMessage
* @param newSession Session object for IDP Proxy
* @param audit the auditor for logging SAML2 Events - may be null
* @throws SAML2Exception if error initiating request to IDP.
*/
public static void initiateLogoutRequest(HttpServletRequest request, HttpServletResponse response, PrintWriter out, String binding, Map paramsMap, LogoutRequest origLogoutRequest, SOAPMessage msg, Object newSession, SAML2EventLogger audit) throws SAML2Exception {
if (debug.messageEnabled()) {
debug.message("SPSingleLogout:initiateLogoutRequest");
debug.message("binding : " + binding);
debug.message("paramsMap : " + paramsMap);
}
String metaAlias = (String) paramsMap.get(SAML2Constants.SP_METAALIAS);
try {
Object session = null;
if (newSession != null) {
session = newSession;
} else {
session = sessionProvider.getSession(request);
}
if (null != audit) {
audit.setSSOTokenId(session);
}
if (!SPCache.isFedlet) {
if (session == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("nullSSOToken"));
}
}
if (metaAlias == null) {
if (!SPCache.isFedlet) {
String[] values = sessionProvider.getProperty(session, SAML2Constants.SP_METAALIAS);
if (values != null && values.length > 0) {
metaAlias = values[0];
}
} else {
List spMetaAliases = sm.getAllHostedServiceProviderMetaAliases("/");
if ((spMetaAliases != null) && !spMetaAliases.isEmpty()) {
// get first one
metaAlias = (String) spMetaAliases.get(0);
}
}
}
if (metaAlias == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("nullSPMetaAlias"));
}
paramsMap.put(SAML2Constants.METAALIAS, metaAlias);
String realm = SAML2Utils.getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
debug.message("realm : " + realm);
String spEntityID = sm.getEntityByMetaAlias(metaAlias);
if (spEntityID == null) {
debug.error("Service Provider ID is missing");
String[] data = { spEntityID };
LogUtil.error(Level.INFO, LogUtil.INVALID_SP, data, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("nullSPEntityID"));
}
debug.message("spEntityID : " + spEntityID);
// clean up session index
String tokenID = sessionProvider.getSessionID(session);
String infoKeyString = null;
if (SPCache.isFedlet) {
infoKeyString = SAML2Utils.getParameter(paramsMap, SAML2Constants.INFO_KEY);
} else {
try {
String[] values = sessionProvider.getProperty(session, AccountUtils.getNameIDInfoKeyAttribute());
if (values != null && values.length > 0) {
infoKeyString = values[0];
}
} catch (SessionException se) {
debug.error("Unable to get infoKeyString from " + "session.", se);
throw new SAML2Exception(SAML2Utils.bundle.getString("errorInfoKeyString"));
}
}
if (debug.messageEnabled()) {
debug.message("tokenID : " + tokenID);
debug.message("infoKeyString : " + infoKeyString);
}
// get SPSSODescriptor
SPSSODescriptorElement spsso = sm.getSPSSODescriptor(realm, spEntityID);
if (spsso == null) {
String[] data = { spEntityID };
LogUtil.error(Level.INFO, LogUtil.SP_METADATA_ERROR, data, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
List extensionsList = LogoutUtil.getExtensionsList(paramsMap);
String relayState = SAML2Utils.getParameter(paramsMap, SAML2Constants.RELAY_STATE);
if (relayState == null || relayState.equals("")) {
relayState = SAML2Utils.getAttributeValueFromSSOConfig(realm, spEntityID, SAML2Constants.SP_ROLE, SAML2Constants.DEFAULT_RELAY_STATE);
}
// Validate the RelayState URL.
SAML2Utils.validateRelayStateURL(realm, spEntityID, relayState, SAML2Constants.SP_ROLE);
if (infoKeyString == null) {
// termination case, do local logout only and send to
// relay state if any
debug.warning("SPSingleLogout.initiateLogoutRequest : Unable to get infoKeyString from session.");
sessionProvider.invalidateSession(session, request, response);
if ((relayState != null) && !relayState.equals("")) {
try {
response.sendRedirect(relayState);
} catch (IOException e) {
debug.error("SPSingleLogout.initiateLogoutRequest: " + "Error in send redirect to " + relayState, e);
}
} else {
RequestDispatcher dispatcher = request.getRequestDispatcher("saml2/jsp/default.jsp?message=spSloSuccess");
try {
dispatcher.forward(request, response);
} catch (IOException e) {
debug.error("SPSingleLogout.initiateLogoutRequest: " + "Error in forwarding to default.jsp", e);
} catch (ServletException e) {
debug.error("SPSingleLogout.initiateLogoutRequest: " + "Error in forwarding to default.jsp", e);
}
}
return;
}
StringTokenizer st = new StringTokenizer(infoKeyString, SAML2Constants.SECOND_DELIM);
String requestID = null;
while (st.hasMoreTokens()) {
String tmpInfoKeyString = st.nextToken();
NameIDInfoKey nameIdInfoKey = NameIDInfoKey.parse(tmpInfoKeyString);
//logout request to the other SP instance, invalidating the session for both SPs.
if (nameIdInfoKey.getHostEntityID().equals(spEntityID)) {
requestID = prepareForLogout(realm, tokenID, metaAlias, extensionsList, binding, relayState, request, response, paramsMap, tmpInfoKeyString, origLogoutRequest, msg);
}
}
// IDP Proxy
SOAPMessage soapMsg = (SOAPMessage) IDPCache.SOAPMessageByLogoutRequestID.get(requestID);
if (soapMsg != null) {
IDPProxyUtil.sendProxyLogoutResponseBySOAP(soapMsg, response, out);
}
// when SAML Response reached the SP side.
if (binding.equals(SAML2Constants.SOAP) || (requestID == null)) {
sessionProvider.invalidateSession(session, request, response);
}
} catch (SAML2MetaException sme) {
debug.error("Error retreiving metadata", sme);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
} catch (SessionException ssoe) {
debug.error("Session exception: ", ssoe);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
}
use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.
the class IPRPSignoutRequest method process.
/**
* Processes the sign-out request, returning a response via the
* HttpServletResponse passed to the constructor.
*/
public void process() throws IOException, WSFederationException {
String classMethod = "IPRPSignoutRequest.process: ";
String metaAlias = WSFederationMetaUtils.getMetaAliasByUri(request.getRequestURI());
if ((metaAlias == null) || (metaAlias.trim().length() == 0)) {
debug.error(classMethod + "Unable to get meta alias from request");
throw new WSFederationException(WSFederationUtils.bundle.getString("MetaAliasNotFound"));
}
String realm = WSFederationMetaUtils.getRealmByMetaAlias(metaAlias);
if ((realm == null) || (realm.trim().length() == 0)) {
debug.error(classMethod + "Unable to get realm from request");
throw new WSFederationException(WSFederationUtils.bundle.getString("nullRealm"));
}
WSFederationMetaManager metaManager = WSFederationUtils.getMetaManager();
// retrieve entity id from meta alias
String entityId = metaManager.getEntityByMetaAlias(metaAlias);
if ((entityId == null) || (entityId.trim().length() == 0)) {
debug.error(classMethod + "Unable to get Entity ID from metaAlias" + metaAlias);
throw new WSFederationException(WSFederationUtils.bundle.getString("nullEntityID"));
}
Object session = null;
try {
session = WSFederationUtils.sessionProvider.getSession(request);
} catch (SessionException se) {
if (debug.messageEnabled()) {
debug.message(classMethod + "Session exception" + se.getLocalizedMessage());
}
// Don't care too much about session exceptions here - usual cause
// is trying to log out after the session has expired
}
try {
// Strategy here is to do logouts in parallel via iframes, provide a
// link to wreply, if any
BaseConfigType config = metaManager.getBaseConfig(realm, entityId);
String displayName = WSFederationMetaUtils.getAttribute(config, WSFederationConstants.DISPLAY_NAME);
if (displayName == null || displayName.length() == 0) {
displayName = entityId;
}
request.setAttribute(WSFederationConstants.LOGOUT_DISPLAY_NAME, displayName);
request.setAttribute(WSFederationConstants.LOGOUT_WREPLY, wreply);
request.setAttribute(WSFederationConstants.REALM_PARAM, realm);
request.setAttribute(WSFederationConstants.ENTITYID_PARAM, entityId);
LinkedHashMap<String, String> providerList = new LinkedHashMap<String, String>();
if (session != null) {
String[] idpList = WSFederationUtils.sessionProvider.getProperty(session, WSFederationConstants.SESSION_IDP);
if (idpList != null && idpList.length > 0 && idpList[0] != null && idpList[0].length() > 0) {
FederationElement fed = metaManager.getEntityDescriptor(realm, idpList[0]);
String endpoint = metaManager.getTokenIssuerEndpoint(fed);
String url = endpoint + "?wa=" + WSFederationConstants.WSIGNOUT10;
config = metaManager.getBaseConfig(realm, idpList[0]);
displayName = WSFederationMetaUtils.getAttribute(config, WSFederationConstants.DISPLAY_NAME);
if (displayName == null) {
displayName = idpList[0];
}
if (debug.messageEnabled()) {
debug.message(classMethod + "sending signout to " + url);
}
providerList.put(url, displayName);
}
String[] spList = WSFederationUtils.sessionProvider.getProperty(session, WSFederationConstants.SESSION_SP_LIST);
if (spList != null && spList.length > 0 && spList[0] != null && spList[0].length() > 0) {
for (int i = 0; i < spList.length; i++) {
config = metaManager.getBaseConfig(realm, spList[i]);
displayName = WSFederationMetaUtils.getAttribute(config, WSFederationConstants.DISPLAY_NAME);
if (displayName == null) {
displayName = spList[i];
}
FederationElement fed = metaManager.getEntityDescriptor(realm, spList[i]);
String endpoint = metaManager.getTokenIssuerEndpoint(fed);
String url = endpoint + "?wa=" + WSFederationConstants.WSIGNOUT10;
if (debug.messageEnabled()) {
debug.message(classMethod + "sending signout to " + url);
}
providerList.put(url, displayName);
}
// Can't remove a session property, so just set it to
// an empty string
String[] empty = { "" };
WSFederationUtils.sessionProvider.setProperty(session, WSFederationConstants.SESSION_SP_LIST, empty);
}
if (debug.messageEnabled()) {
debug.message(classMethod + "destroying session " + session);
}
MultiProtocolUtils.invalidateSession(session, request, response, SingleLogoutManager.WS_FED);
}
request.setAttribute(WSFederationConstants.LOGOUT_PROVIDER_LIST, providerList);
request.getRequestDispatcher("/wsfederation/jsp/logout.jsp").forward(request, response);
} catch (ServletException se) {
if (debug.messageEnabled()) {
debug.message(classMethod + "Servlet exception" + se.getLocalizedMessage());
}
throw new WSFederationException(se);
} catch (SessionException se) {
if (debug.messageEnabled()) {
debug.message(classMethod + "Session exception" + se.getLocalizedMessage());
}
throw new WSFederationException(se);
}
// Can't pass session, since we just invalidated it!
String[] data = { wreply };
LogUtil.access(Level.INFO, LogUtil.SLO_SUCCESSFUL, data, null);
}
use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.
the class IPSigninRequest method sendResponse.
/**
* Sends <code>RequestSecurityTokenResponse</code> containing an
* <code>Assertion</code> back to the requesting service provider
*/
private void sendResponse(Object session, String idpEntityId, String spEntityId, String idpMetaAlias, String realm) throws WSFederationException, IOException {
String classMethod = "IDPSSOFederate.sendResponse: ";
/*
String nameIDFormat = null;
NameIDPolicy policy = authnReq.getNameIDPolicy();
if (policy != null) {
nameIDFormat = policy.getFormat();
}
*/
String acsURL = IDPSSOUtil.getACSurl(spEntityId, realm, wreply);
if ((acsURL == null) || (acsURL.trim().length() == 0)) {
debug.error(classMethod + "no ACS URL found.");
String[] data = { realm, spEntityId, wreply };
LogUtil.error(Level.INFO, LogUtil.NO_ACS_URL, data, null);
throw new WSFederationException(WSFederationUtils.bundle.getString("unableTofindACSURL"));
}
WSFederationMetaManager metaManager = WSFederationUtils.getMetaManager();
IDPSSOConfigElement idpConfig = metaManager.getIDPSSOConfig(realm, idpEntityId);
if (idpConfig == null) {
debug.error(classMethod + "cannot find configuration for IdP " + idpEntityId);
throw new WSFederationException(WSFederationUtils.bundle.getString("unableToFindIDPConfiguration"));
}
SPSSOConfigElement spConfig = metaManager.getSPSSOConfig(realm, spEntityId);
if (spConfig == null) {
debug.error(classMethod + "cannot find configuration for SP " + spEntityId);
throw new WSFederationException(WSFederationUtils.bundle.getString("unableToFindSPConfiguration"));
}
String authMethod = null;
String authSSOInstant = null;
String userid = null;
try {
authMethod = WSFederationUtils.sessionProvider.getProperty(session, SessionProvider.AUTH_METHOD)[0];
authSSOInstant = WSFederationUtils.sessionProvider.getProperty(session, SessionProvider.AUTH_INSTANT)[0];
userid = WSFederationUtils.sessionProvider.getProperty(session, "UserId")[// ISAuthConstants.USER_ID
0];
} catch (SessionException se) {
throw new WSFederationException(se);
}
IDPAttributeMapper attrMapper = getIDPAttributeMapper(WSFederationMetaUtils.getAttributes(idpConfig));
IDPAccountMapper accountMapper = getIDPAccountMapper(WSFederationMetaUtils.getAttributes(idpConfig));
List attributes = attrMapper.getAttributes(session, idpEntityId, spEntityId, realm);
Date authInstant = null;
if (authSSOInstant == null || authSSOInstant.equals("")) {
authInstant = new Date();
} else {
try {
authInstant = DateUtils.stringToDate(authSSOInstant);
} catch (ParseException pe) {
throw new WSFederationException(pe);
}
}
NameIdentifier ni = accountMapper.getNameID(session, realm, idpEntityId, spEntityId);
int notBeforeSkew = SAML2Constants.NOTBEFORE_ASSERTION_SKEW_DEFAULT;
String notBeforeSkewStr = WSFederationMetaUtils.getAttribute(idpConfig, SAML2Constants.ASSERTION_NOTBEFORE_SKEW_ATTRIBUTE);
if (notBeforeSkewStr != null) {
try {
notBeforeSkew = Integer.parseInt(notBeforeSkewStr);
if (debug.messageEnabled()) {
debug.message(classMethod + "got not before skew from config:" + notBeforeSkew);
}
} catch (NumberFormatException nfe) {
debug.error(classMethod + "Failed to get not before skew from IDP SSO config: ", nfe);
throw new WSFederationException(nfe);
}
}
int effectiveTime = SAML2Constants.ASSERTION_EFFECTIVE_TIME;
String effectiveTimeStr = WSFederationMetaUtils.getAttribute(idpConfig, SAML2Constants.ASSERTION_EFFECTIVE_TIME_ATTRIBUTE);
if (effectiveTimeStr != null) {
try {
effectiveTime = Integer.parseInt(effectiveTimeStr);
if (debug.messageEnabled()) {
debug.message(classMethod + "got effective time from config:" + effectiveTime);
}
} catch (NumberFormatException nfe) {
debug.error(classMethod + "Failed to get assertion effective time from " + "IDP SSO config: ", nfe);
throw new WSFederationException(nfe);
}
}
String strWantAssertionSigned = WSFederationMetaUtils.getAttribute(spConfig, WSFederationConstants.WANT_ASSERTION_SIGNED);
// By default, we want to sign assertions
boolean wantAssertionSigned = (strWantAssertionSigned != null) ? Boolean.parseBoolean(strWantAssertionSigned) : true;
String certAlias = WSFederationMetaUtils.getAttribute(idpConfig, SAML2Constants.SIGNING_CERT_ALIAS);
if (wantAssertionSigned && certAlias == null) {
// SP wants us to sign the assertion, but we don't have a signing
// cert
debug.error(classMethod + "SP wants signed assertion, but no signing cert is " + "configured");
throw new WSFederationException(WSFederationUtils.bundle.getString("noIdPCertAlias"));
}
if (!wantAssertionSigned) {
// SP doesn't want us to sign the assertion, so pass null certAlias
// to indicate no assertion signature required
certAlias = null;
}
// generate a response for the authn request
RequestSecurityTokenResponse rstr = new RequestSecurityTokenResponse(new SAML11RequestedSecurityToken(realm, spEntityId, idpEntityId, notBeforeSkew, effectiveTime, certAlias, authMethod, authInstant, ni, attributes), wtrealm);
if (rstr == null) {
debug.error(classMethod + "response is null");
String errorMsg = WSFederationUtils.bundle.getString("UnableToCreateAssertion");
/*
res = IDPSSOUtil.getErrorResponse(authnReq,
SAML2Constants.RESPONDER, errorMsg, idpEntityID);
*/
return;
} else {
try {
String[] values = { idpMetaAlias };
// Add SP to SP list in session
String[] spList = WSFederationUtils.sessionProvider.getProperty(session, WSFederationConstants.SESSION_SP_LIST);
ArrayList<String> newSpList = (spList != null) ? new ArrayList<String>(Arrays.asList(spList)) : new ArrayList<String>();
if (!newSpList.contains(spEntityId)) {
newSpList.add(spEntityId);
WSFederationUtils.sessionProvider.setProperty(session, WSFederationConstants.SESSION_SP_LIST, newSpList.toArray(new String[0]));
}
} catch (SessionException e) {
debug.error(classMethod + "error setting idpMetaAlias into the session: ", e);
}
try {
postToTarget(rstr, acsURL);
} catch (ServletException se) {
throw new WSFederationException(se);
}
}
}
use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.
the class UtilProxySAMLAuthenticatorLookup method retrieveAuthenticationFromCache.
@Override
public void retrieveAuthenticationFromCache() throws SessionException, ServerFaultException, ClientFaultException {
final String classMethod = "UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache: ";
// the second visit, the user has already authenticated
// retrieve the cache authn request and relay state
// We need the session to pass it to the IDP Adapter preSendResponse
SessionProvider sessionProvider = SessionManager.getProvider();
try {
data.setSession(sessionProvider.getSession(request));
data.getEventAuditor().setSSOTokenId(data.getSession());
} catch (SessionException se) {
SAML2Utils.debug.error("An error occurred while retrieving the session: " + se.getMessage());
data.setSession(null);
}
// Get the cached Authentication Request and Relay State before
// invoking the IDP Adapter
CacheObject cacheObj;
synchronized (IDPCache.authnRequestCache) {
cacheObj = (CacheObject) IDPCache.authnRequestCache.get(data.getRequestID());
}
if (cacheObj != null) {
data.setAuthnRequest((AuthnRequest) cacheObj.getObject());
}
data.setRelayState((String) IDPCache.relayStateCache.get(data.getRequestID()));
if (!isSessionValid(sessionProvider)) {
return;
}
// Invoke the IDP Adapter after the user has been authenticated
if (preSendResponse(request, response, data)) {
return;
}
synchronized (IDPCache.authnRequestCache) {
cacheObj = (CacheObject) IDPCache.authnRequestCache.remove(data.getRequestID());
}
if (cacheObj != null) {
data.setAuthnRequest((AuthnRequest) cacheObj.getObject());
}
synchronized (IDPCache.idpAuthnContextCache) {
cacheObj = (CacheObject) IDPCache.idpAuthnContextCache.remove(data.getRequestID());
}
if (cacheObj != null) {
data.setMatchingAuthnContext((AuthnContext) cacheObj.getObject());
}
data.setRelayState((String) IDPCache.relayStateCache.remove(data.getRequestID()));
if (data.getAuthnRequest() == null) {
authNotAvailable();
return;
}
SAML2Utils.debug.message("{} RequestID= {}", classMethod, data.getRequestID());
boolean isSessionUpgrade = false;
if (CollectionUtils.isNotEmpty(IDPCache.isSessionUpgradeCache)) {
isSessionUpgrade = IDPCache.isSessionUpgradeCache.contains(data.getRequestID());
}
if (isSessionUpgrade) {
IDPSession oldSess = (IDPSession) IDPCache.oldIDPSessionCache.remove(data.getRequestID());
String sessionIndex = IDPSSOUtil.getSessionIndex(data.getSession());
if (StringUtils.isNotEmpty(sessionIndex)) {
IDPCache.idpSessionsByIndices.put(sessionIndex, oldSess);
final FedMonAgent agent = MonitorManager.getAgent();
if (agent != null && agent.isRunning()) {
final FedMonSAML2Svc saml2Svc = MonitorManager.getSAML2Svc();
if (saml2Svc != null) {
saml2Svc.setIdpSessionCount(IDPCache.idpSessionsByIndices.size());
}
}
}
}
if (data.getSession() != null) {
// call multi-federation protocol to set the protocol
MultiProtocolUtils.addFederationProtocol(data.getSession(), SingleLogoutManager.SAML2);
}
// generate assertion response
data.setSpEntityID(data.getAuthnRequest().getIssuer().getValue());
NameIDPolicy policy = data.getAuthnRequest().getNameIDPolicy();
String nameIDFormat = (policy == null) ? null : policy.getFormat();
try {
IDPSSOUtil.sendResponseToACS(request, response, out, data.getSession(), data.getAuthnRequest(), data.getSpEntityID(), data.getIdpEntityID(), data.getIdpMetaAlias(), data.getRealm(), nameIDFormat, data.getRelayState(), data.getMatchingAuthnContext());
} catch (SAML2Exception se) {
SAML2Utils.debug.error(classMethod + "Unable to do sso or federation.", se);
throw new ServerFaultException(data.getIdpAdapter(), SSO_OR_FEDERATION_ERROR, se.getMessage());
}
}
Aggregations