Search in sources :

Example 6 with SessionException

use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.

the class FSServiceUtils method getLocale.

/**
     * Retrieves locale of a http request.
     * @param request <code>HttpServletRequest</code> object
     * @return locale of the request; or <code>null</code> if locale cannot
     *  be retrieved.
     */
public static String getLocale(HttpServletRequest request) {
    if (request == null) {
        FSUtils.debug.error("FSServiceUtil.getLocale: Request param is " + "null, returning null");
        return null;
    }
    try {
        SessionProvider sessionProvider = SessionManager.getProvider();
        Object ISSSOToken = sessionProvider.getSession(request);
        String[] returnStr = sessionProvider.getProperty(ISSSOToken, "Locale");
        if ((returnStr != null) && (returnStr.length > 0)) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSServiceUtil.getLocale returning locale from token " + returnStr[0]);
            }
            return returnStr[0];
        }
    } catch (SessionException ssoe) {
        FSUtils.debug.error("FSServiceUtil::getLocale():SessionException:", ssoe);
    } catch (UnsupportedOperationException ex) {
        FSUtils.debug.error("FSServiceUtil::getLocale():Exception:", ex);
    }
    Locale locale = request.getLocale();
    if (locale != null) {
        String returnStr = locale.toString();
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSServiceUtil.getLocale returning :locale from request:" + returnStr);
        }
        return returnStr;
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSServiceUtil.getLocale Not able to get " + "locale from request either from token or header. returning " + "null ");
    }
    return null;
}
Also used : Locale(java.util.Locale) SessionException(com.sun.identity.plugin.session.SessionException) SessionProvider(com.sun.identity.plugin.session.SessionProvider)

Example 7 with SessionException

use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.

the class FSRegistrationInitiationServlet method getValidToken.

/**
     * Retrieves the session from HTTPRequest object.
     * @param request HTTP request object
     * @return valid session from the request object;
     *  <code>null</code> otherwise.
     */
private Object getValidToken(HttpServletRequest request) {
    FSUtils.debug.message("Entered FSRegistrationInitiationServlet::getValidToken");
    try {
        SessionProvider sessionProvider = SessionManager.getProvider();
        Object ssoToken = sessionProvider.getSession(request);
        if ((ssoToken == null) || (!sessionProvider.isValid(ssoToken))) {
            FSUtils.debug.error("Session is not valid redirecting for authentication");
            return null;
        }
        return ssoToken;
    } catch (SessionException e) {
        FSUtils.debug.error("SessionException caught: ", e);
        return null;
    }
}
Also used : SessionException(com.sun.identity.plugin.session.SessionException) SessionProvider(com.sun.identity.plugin.session.SessionProvider)

Example 8 with SessionException

use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.

the class DefaultIDPAccountMapper method getNameID.

@Override
public NameID getNameID(Object session, String hostEntityID, String remoteEntityID, String realm, String nameIDFormat) throws SAML2Exception {
    String userID;
    try {
        SessionProvider sessionProv = SessionManager.getProvider();
        userID = sessionProv.getPrincipalName(session);
    } catch (SessionException se) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
    }
    String nameIDValue = null;
    if (nameIDFormat.equals(SAML2Constants.NAMEID_TRANSIENT_FORMAT)) {
        String sessionIndex = IDPSSOUtil.getSessionIndex(session);
        if (sessionIndex != null) {
            IDPSession idpSession = IDPCache.idpSessionsByIndices.get(sessionIndex);
            if (idpSession != null) {
                List<NameIDandSPpair> list = idpSession.getNameIDandSPpairs();
                if (list != null) {
                    for (NameIDandSPpair pair : list) {
                        if (pair.getSPEntityID().equals(remoteEntityID)) {
                            nameIDValue = pair.getNameID().getValue();
                            break;
                        }
                    }
                }
            }
        }
        if (nameIDValue == null) {
            nameIDValue = getNameIDValueFromUserProfile(realm, hostEntityID, userID, nameIDFormat);
            if (nameIDValue == null) {
                nameIDValue = SAML2Utils.createNameIdentifier();
            }
        }
    } else {
        nameIDValue = getNameIDValueFromUserProfile(realm, hostEntityID, userID, nameIDFormat);
        if (nameIDValue == null) {
            if (nameIDFormat.equals(SAML2Constants.PERSISTENT)) {
                nameIDValue = SAML2Utils.createNameIdentifier();
            } else {
                throw new SAML2Exception(bundle.getString("unableToGenerateNameIDValue"));
            }
        }
    }
    NameID nameID = AssertionFactory.getInstance().createNameID();
    nameID.setValue(nameIDValue);
    nameID.setFormat(nameIDFormat);
    nameID.setNameQualifier(hostEntityID);
    nameID.setSPNameQualifier(remoteEntityID);
    nameID.setSPProvidedID(null);
    return nameID;
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) NameIDandSPpair(com.sun.identity.saml2.profile.NameIDandSPpair) IDPSession(com.sun.identity.saml2.profile.IDPSession) NameID(com.sun.identity.saml2.assertion.NameID) SessionException(com.sun.identity.plugin.session.SessionException) SessionProvider(com.sun.identity.plugin.session.SessionProvider)

Example 9 with SessionException

use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.

the class LibertyManager method getMappedNameIdentifier.

/**
     * Returns <code>NameIdentifier</code> between the IDP and
     * the other SP for the same principal. This method should
     * be used by the code on the hosted SP, where the user
     * has logged in, and has an account linking with the IDP.
     * Futhermore, the same principal has an account linking
     * between his/her other (remote) SP account and the IDP
     * account.
     *
     * @param hostedSPMetaAlias The <code>metaAlias</code> of
     * the local service provider.
     * @param ssoToken The session token of the logged-
     * in user on the local service provider.
     * @param remoteSPEntityID The entity ID of the remote
     * service provider. In other words, it is the targeted
     * name space for the returned name identifier.
     * @return <code>NameIdentifier</code> of the same principal
     * but original established between the remote SP and
     * the IDP
     */
public static NameIdentifier getMappedNameIdentifier(String hostedSPMetaAlias, Object ssoToken, String remoteSPEntityID) {
    String classMethod = "LibertyManager.getMappedNameIdentifier: ";
    String hostedEntityID = getEntityID(hostedSPMetaAlias);
    String realm = IDFFMetaUtils.getRealmByMetaAlias(hostedSPMetaAlias);
    if (debug.messageEnabled()) {
        debug.message("NameMappingRequester: hostedEntityID=" + hostedEntityID);
    }
    SPDescriptorType hostedDescriptor = null;
    BaseConfigType hostedConfig = null;
    try {
        hostedDescriptor = metaManager.getSPDescriptor(realm, hostedEntityID);
        hostedConfig = metaManager.getSPDescriptorConfig(realm, hostedEntityID);
    } catch (IDFFMetaException ie) {
        debug.error(classMethod + "couldn't obtain hosted meta:", ie);
        return null;
    }
    String userID = null;
    try {
        userID = SessionManager.getProvider().getPrincipalName(ssoToken);
    } catch (SessionException ssoe) {
        debug.error("SessionException caught when trying to " + "get user DN from session token:", ssoe);
        return null;
    }
    if (debug.messageEnabled()) {
        debug.message(classMethod + "userID=" + userID);
    }
    FSNameMappingHandler handler = new FSNameMappingHandler(hostedEntityID, hostedDescriptor, hostedConfig, hostedSPMetaAlias);
    NameIdentifier ni = null;
    if (debug.messageEnabled()) {
        debug.message(classMethod + "targetNamespace (remoteSPEntityID)=" + remoteSPEntityID);
    }
    FSSessionManager sMgr = FSSessionManager.getInstance(hostedSPMetaAlias);
    FSSession sess = null;
    if (sMgr != null) {
        sess = sMgr.getSession(ssoToken);
    }
    FSSessionPartner partner = null;
    if (sess != null) {
        partner = sess.getCurrentSessionPartner();
    } else {
        debug.error(classMethod + "session is null");
        return null;
    }
    String remoteIDPEntityID = null;
    if (partner != null) {
        remoteIDPEntityID = partner.getPartner();
    }
    if (debug.messageEnabled()) {
        debug.message(classMethod + "Remote IDP EntityID = " + remoteIDPEntityID);
    }
    try {
        ni = handler.getNameIdentifier(userID, remoteIDPEntityID, true);
    } catch (Exception e) {
        debug.error(classMethod + "Exception caught when trying to get Name " + "Identifier between local SP and remote IDP: ", e);
        return null;
    }
    if (debug.messageEnabled()) {
        debug.message(classMethod + "Name Identifier between local SP and " + " remote IDP: " + ni.toString());
    }
    FSNameIdentifierMappingRequest mappingRequest = null;
    try {
        mappingRequest = new FSNameIdentifierMappingRequest(hostedEntityID, ni, remoteSPEntityID);
    } catch (com.sun.identity.federation.message.common.FSMsgException fe) {
        debug.error(classMethod, fe);
        return null;
    }
    if (FSServiceUtils.isSigningOn()) {
        try {
            mappingRequest.signXML(IDFFMetaUtils.getFirstAttributeValueFromConfig(hostedConfig, IFSConstants.SIGNING_CERT_ALIAS));
        } catch (SAMLException se) {
            debug.error(classMethod, se);
            return null;
        }
    }
    IDPDescriptorType remoteProviderDesc = null;
    try {
        remoteProviderDesc = metaManager.getIDPDescriptor(realm, remoteIDPEntityID);
    } catch (IDFFMetaException fme1) {
        debug.error(classMethod, fme1);
        return null;
    }
    String remoteSOAPEndPoint = remoteProviderDesc.getSoapEndpoint();
    if (debug.messageEnabled()) {
        debug.message(classMethod + "IDP's soap end point=" + remoteSOAPEndPoint);
    }
    FSSOAPService soapService = FSSOAPService.getInstance();
    SOAPMessage returnMsg = null;
    try {
        SOAPMessage msg = soapService.bind(mappingRequest.toXMLString(true, true));
        returnMsg = soapService.sendMessage(msg, remoteSOAPEndPoint);
    } catch (FSMsgException mex) {
        debug.error(classMethod, mex);
        return null;
    } catch (java.io.IOException ioe) {
        debug.error(classMethod, ioe);
        return null;
    } catch (javax.xml.soap.SOAPException soape) {
        debug.error(classMethod, soape);
        return null;
    }
    Element elt = soapService.parseSOAPMessage(returnMsg);
    FSNameIdentifierMappingResponse mappingResponse = null;
    try {
        mappingResponse = new FSNameIdentifierMappingResponse(elt);
    } catch (FSMsgException fme2) {
        debug.error(classMethod, fme2);
        return null;
    }
    if (debug.messageEnabled()) {
        String resStr = null;
        try {
            resStr = mappingResponse.toXMLString();
        } catch (FSMsgException fme3) {
            debug.error(classMethod, fme3);
            return null;
        }
        debug.message(classMethod + "NameIdentifierMappingResponse: " + resStr);
    }
    if (FSServiceUtils.isSigningOn()) {
        if (FSNameMappingHandler.verifyNameIdMappingResponseSignature(elt, returnMsg, realm)) {
            if (debug.messageEnabled()) {
                debug.message(classMethod + "Success in verifying Name Identifier Mapping" + " Response Signature");
            }
        } else {
            debug.error(classMethod + "Failed verifying Name Identifier Mapping " + "Response");
            return null;
        }
    }
    return mappingResponse.getNameIdentifier();
}
Also used : NameIdentifier(com.sun.identity.saml.assertion.NameIdentifier) FSSession(com.sun.identity.federation.services.FSSession) SessionException(com.sun.identity.plugin.session.SessionException) FSSOAPService(com.sun.identity.federation.services.FSSOAPService) SAMLException(com.sun.identity.saml.common.SAMLException) SOAPMessage(javax.xml.soap.SOAPMessage) BaseConfigType(com.sun.identity.federation.jaxb.entityconfig.BaseConfigType) FSSessionPartner(com.sun.identity.federation.services.FSSessionPartner) FSSessionManager(com.sun.identity.federation.services.FSSessionManager) FSMsgException(com.sun.identity.federation.message.common.FSMsgException) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) FSNameIdentifierMappingResponse(com.sun.identity.federation.message.FSNameIdentifierMappingResponse) SPDescriptorType(com.sun.identity.liberty.ws.meta.jaxb.SPDescriptorType) COTException(com.sun.identity.cot.COTException) SessionException(com.sun.identity.plugin.session.SessionException) SAMLException(com.sun.identity.saml.common.SAMLException) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) FSLoginHelperException(com.sun.identity.federation.services.FSLoginHelperException) FSAccountMgmtException(com.sun.identity.federation.accountmgmt.FSAccountMgmtException) FSMsgException(com.sun.identity.federation.message.common.FSMsgException) IDPDescriptorType(com.sun.identity.liberty.ws.meta.jaxb.IDPDescriptorType) FSNameMappingHandler(com.sun.identity.federation.services.namemapping.FSNameMappingHandler) FSNameIdentifierMappingRequest(com.sun.identity.federation.message.FSNameIdentifierMappingRequest) FSMsgException(com.sun.identity.federation.message.common.FSMsgException)

Example 10 with SessionException

use of com.sun.identity.plugin.session.SessionException in project OpenAM by OpenRock.

the class UtilProxySAMLAuthenticator method authenticate.

@Override
public void authenticate() throws FederatedSSOException, IOException {
    final String classMethod = "UtilProxySAMLAuthenticator.authenticate: ";
    SPSSODescriptorElement spSSODescriptor = null;
    String preferredIDP;
    // There is no reqID, this is the first time that we pass here.
    String binding = SAML2Constants.HTTP_REDIRECT;
    if (request.getMethod().equals("POST")) {
        binding = SAML2Constants.HTTP_POST;
    }
    data.setAuthnRequest(getAuthnRequest(request, isFromECP, binding));
    if (data.getAuthnRequest() == null) {
        throw new ClientFaultException(data.getIdpAdapter(), INVALID_SAML_REQUEST);
    }
    data.getEventAuditor().setRequestId(data.getRequestID());
    data.setSpEntityID(data.getAuthnRequest().getIssuer().getValue());
    try {
        logAccess(isFromECP ? LogUtil.RECEIVED_AUTHN_REQUEST_ECP : LogUtil.RECEIVED_AUTHN_REQUEST, Level.INFO, data.getSpEntityID(), data.getIdpMetaAlias(), data.getAuthnRequest().toXMLString());
    } catch (SAML2Exception saml2ex) {
        SAML2Utils.debug.error(classMethod, saml2ex);
        throw new ClientFaultException(data.getIdpAdapter(), INVALID_SAML_REQUEST, saml2ex.getMessage());
    }
    if (!SAML2Utils.isSourceSiteValid(data.getAuthnRequest().getIssuer(), data.getRealm(), data.getIdpEntityID())) {
        SAML2Utils.debug.warning("{} Issuer in Request is not valid.", classMethod);
        throw new ClientFaultException(data.getIdpAdapter(), INVALID_SAML_REQUEST);
    }
    // verify the signature of the query string if applicable
    IDPSSODescriptorElement idpSSODescriptor;
    try {
        idpSSODescriptor = IDPSSOUtil.metaManager.getIDPSSODescriptor(data.getRealm(), data.getIdpEntityID());
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error(classMethod + "Unable to get IDP SSO Descriptor from meta.");
        throw new ServerFaultException(data.getIdpAdapter(), METADATA_ERROR);
    }
    try {
        spSSODescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(data.getRealm(), data.getSpEntityID());
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error(classMethod + "Unable to get SP SSO Descriptor from meta.");
        SAML2Utils.debug.error(classMethod, sme);
    }
    if (isFromECP || idpSSODescriptor.isWantAuthnRequestsSigned() || (spSSODescriptor != null && spSSODescriptor.isAuthnRequestsSigned())) {
        // need to verify the query string containing authnRequest
        if (StringUtils.isBlank(data.getSpEntityID())) {
            throw new ClientFaultException(data.getIdpAdapter(), INVALID_SAML_REQUEST);
        }
        if (spSSODescriptor == null) {
            SAML2Utils.debug.error(classMethod + "Unable to get SP SSO Descriptor from meta.");
            throw new ServerFaultException(data.getIdpAdapter(), METADATA_ERROR);
        }
        Set<X509Certificate> certificates = KeyUtil.getVerificationCerts(spSSODescriptor, data.getSpEntityID(), SAML2Constants.SP_ROLE);
        try {
            boolean isSignatureOK;
            if (isFromECP) {
                isSignatureOK = data.getAuthnRequest().isSignatureValid(certificates);
            } else {
                if ("POST".equals(request.getMethod())) {
                    isSignatureOK = data.getAuthnRequest().isSignatureValid(certificates);
                } else {
                    isSignatureOK = QuerySignatureUtil.verify(request.getQueryString(), certificates);
                }
            }
            if (!isSignatureOK) {
                SAML2Utils.debug.error(classMethod + "authn request verification failed.");
                throw new ClientFaultException(data.getIdpAdapter(), "invalidSignInRequest");
            }
            // In ECP profile, sp doesn't know idp.
            if (!isFromECP) {
                // verify Destination
                List ssoServiceList = idpSSODescriptor.getSingleSignOnService();
                String ssoURL = SPSSOFederate.getSSOURL(ssoServiceList, binding);
                if (!SAML2Utils.verifyDestination(data.getAuthnRequest().getDestination(), ssoURL)) {
                    SAML2Utils.debug.error(classMethod + "authn request destination verification failed.");
                    throw new ClientFaultException(data.getIdpAdapter(), "invalidDestination");
                }
            }
        } catch (SAML2Exception se) {
            SAML2Utils.debug.error(classMethod + "authn request verification failed.", se);
            throw new ClientFaultException(data.getIdpAdapter(), "invalidSignInRequest");
        }
        SAML2Utils.debug.message("{} authn request signature verification is successful.", classMethod);
    }
    SAML2Utils.debug.message("{} request id= {}", classMethod, data.getRequestID());
    if (data.getRequestID() == null) {
        SAML2Utils.debug.error(classMethod + "Request id is null");
        throw new ClientFaultException(data.getIdpAdapter(), "InvalidSAMLRequestID");
    }
    if (isFromECP) {
        try {
            IDPECPSessionMapper idpECPSessonMapper = IDPSSOUtil.getIDPECPSessionMapper(data.getRealm(), data.getIdpEntityID());
            data.setSession(idpECPSessonMapper.getSession(request, response));
        } catch (SAML2Exception se) {
            SAML2Utils.debug.message("Unable to retrieve user session.", classMethod);
        }
    } else {
        // get the user sso session from the request
        try {
            data.setSession(SessionManager.getProvider().getSession(request));
        } catch (SessionException se) {
            SAML2Utils.debug.message("{} Unable to retrieve user session.", classMethod);
        }
    }
    if (null != data.getSession()) {
        data.getEventAuditor().setAuthTokenId(data.getSession());
    }
    // will not trigger this adapter call
    if (preSingleSignOn(request, response, data)) {
        return;
    }
    // End of adapter invocation
    IDPAuthnContextMapper idpAuthnContextMapper = null;
    try {
        idpAuthnContextMapper = IDPSSOUtil.getIDPAuthnContextMapper(data.getRealm(), data.getIdpEntityID());
    } catch (SAML2Exception sme) {
        SAML2Utils.debug.error(classMethod, sme);
    }
    if (idpAuthnContextMapper == null) {
        SAML2Utils.debug.error(classMethod + "Unable to get IDPAuthnContextMapper from meta.");
        throw new ServerFaultException(data.getIdpAdapter(), METADATA_ERROR);
    }
    IDPAuthnContextInfo idpAuthnContextInfo = null;
    try {
        idpAuthnContextInfo = idpAuthnContextMapper.getIDPAuthnContextInfo(data.getAuthnRequest(), data.getIdpEntityID(), data.getRealm());
    } catch (SAML2Exception sme) {
        SAML2Utils.debug.error(classMethod, sme);
    }
    if (idpAuthnContextInfo == null) {
        SAML2Utils.debug.message("{} Unable to find valid AuthnContext. Sending error Response.", classMethod);
        try {
            Response res = SAML2Utils.getErrorResponse(data.getAuthnRequest(), SAML2Constants.REQUESTER, SAML2Constants.NO_AUTHN_CONTEXT, null, data.getIdpEntityID());
            StringBuffer returnedBinding = new StringBuffer();
            String acsURL = IDPSSOUtil.getACSurl(data.getSpEntityID(), data.getRealm(), data.getAuthnRequest(), request, returnedBinding);
            String acsBinding = returnedBinding.toString();
            IDPSSOUtil.sendResponse(request, response, out, acsBinding, data.getSpEntityID(), data.getIdpEntityID(), data.getIdpMetaAlias(), data.getRealm(), data.getRelayState(), acsURL, res, data.getSession());
        } catch (SAML2Exception sme) {
            SAML2Utils.debug.error(classMethod, sme);
            throw new ServerFaultException(data.getIdpAdapter(), METADATA_ERROR);
        }
        return;
    }
    // get the relay state query parameter from the request
    data.setRelayState(request.getParameter(SAML2Constants.RELAY_STATE));
    data.setMatchingAuthnContext(idpAuthnContextInfo.getAuthnContext());
    if (data.getSession() == null) {
        // the user has not logged in yet, redirect to auth
        redirectToAuth(spSSODescriptor, binding, idpAuthnContextInfo, data);
    } else {
        SAML2Utils.debug.message("{} There is an existing session", classMethod);
        // Let's verify that the realm is the same for the user and the IdP
        boolean isValidSessionInRealm = IDPSSOUtil.isValidSessionInRealm(data.getRealm(), data.getSession());
        String sessionIndex = IDPSSOUtil.getSessionIndex(data.getSession());
        boolean sessionUpgrade = false;
        if (isValidSessionInRealm) {
            sessionUpgrade = isSessionUpgrade(idpAuthnContextInfo, data.getSession());
            SAML2Utils.debug.message("{} IDP Session Upgrade is : {}", classMethod, sessionUpgrade);
        }
        // Holder for any exception encountered while redirecting for authentication:
        FederatedSSOException redirectException = null;
        if (sessionUpgrade || !isValidSessionInRealm || ((Boolean.TRUE.equals(data.getAuthnRequest().isForceAuthn())) && (!Boolean.TRUE.equals(data.getAuthnRequest().isPassive())))) {
            // sessionIndex
            if (sessionIndex != null && sessionIndex.length() != 0) {
                // Save the original IDP Session
                IDPSession oldIDPSession = IDPCache.idpSessionsByIndices.get(sessionIndex);
                if (oldIDPSession != null) {
                    IDPCache.oldIDPSessionCache.put(data.getRequestID(), oldIDPSession);
                } else {
                    SAML2Utils.debug.error(classMethod + "The old SAML2 session  was not found in the idp session " + "by indices cache");
                }
            }
            // Save the new requestId and AuthnRequest
            IDPCache.authnRequestCache.put(data.getRequestID(), new CacheObject(data.getAuthnRequest()));
            // Save the new requestId and AuthnContext
            IDPCache.idpAuthnContextCache.put(data.getRequestID(), new CacheObject(data.getMatchingAuthnContext()));
            // save if the request was an Session Upgrade case.
            IDPCache.isSessionUpgradeCache.add(data.getRequestID());
            // authenticates
            if (StringUtils.isNotBlank(data.getRelayState())) {
                IDPCache.relayStateCache.put(data.getRequestID(), data.getRelayState());
            }
            // Session upgrade could be requested by asking a greater AuthnContext
            if (isValidSessionInRealm) {
                try {
                    boolean isProxy = IDPProxyUtil.isIDPProxyEnabled(data.getAuthnRequest(), data.getRealm());
                    if (isProxy) {
                        preferredIDP = IDPProxyUtil.getPreferredIDP(data.getAuthnRequest(), data.getIdpEntityID(), data.getRealm(), request, response);
                        if (preferredIDP != null) {
                            if ((SPCache.reqParamHash != null) && (!(SPCache.reqParamHash.containsKey(preferredIDP)))) {
                                // IDP Proxy with configured proxy list
                                SAML2Utils.debug.message("{} IDP to be proxied {}", classMethod, preferredIDP);
                                IDPProxyUtil.sendProxyAuthnRequest(data.getAuthnRequest(), preferredIDP, spSSODescriptor, data.getIdpEntityID(), request, response, data.getRealm(), data.getRelayState(), binding);
                                return;
                            } else {
                                // IDP proxy with introduction cookie
                                Map paramsMap = (Map) SPCache.reqParamHash.get(preferredIDP);
                                paramsMap.put("authnReq", data.getAuthnRequest());
                                paramsMap.put("spSSODescriptor", spSSODescriptor);
                                paramsMap.put("idpEntityID", data.getIdpEntityID());
                                paramsMap.put("realm", data.getRealm());
                                paramsMap.put("relayState", data.getRelayState());
                                paramsMap.put("binding", binding);
                                SPCache.reqParamHash.put(preferredIDP, paramsMap);
                                return;
                            }
                        }
                    }
                //else continue for the local authentication.
                } catch (SAML2Exception re) {
                    SAML2Utils.debug.message("{} Redirecting for the proxy handling error: {}", classMethod, re.getMessage());
                    redirectException = new ServerFaultException(data.getIdpAdapter(), "UnableToRedirectToPreferredIDP", re.getMessage());
                }
            // End of IDP Proxy: Initiate proxying when session upgrade is requested
            }
            // Invoke the IDP Adapter before redirecting to authn
            if (preAuthenticationAdapter(request, response, data)) {
                return;
            }
            //we don't have a session
            try {
                //and they want to authenticate
                if (!Boolean.TRUE.equals(data.getAuthnRequest().isPassive())) {
                    redirectAuthentication(request, response, idpAuthnContextInfo, data, true);
                    return;
                } else {
                    try {
                        //and they want to get into the system with passive auth - response no passive
                        IDPSSOUtil.sendNoPassiveResponse(request, response, out, data.getIdpMetaAlias(), data.getIdpEntityID(), data.getRealm(), data.getAuthnRequest(), data.getRelayState(), data.getSpEntityID());
                    } catch (SAML2Exception sme) {
                        SAML2Utils.debug.error(classMethod, sme);
                        redirectException = new ServerFaultException(data.getIdpAdapter(), METADATA_ERROR);
                    }
                }
            } catch (IOException | SAML2Exception e) {
                SAML2Utils.debug.error(classMethod + "Unable to redirect to authentication.", e);
                sessionUpgrade = false;
                cleanUpCache(data.getRequestID());
                redirectException = new ServerFaultException(data.getIdpAdapter(), "UnableToRedirectToAuth", e.getMessage());
            }
        }
        // generate assertion response
        if (!sessionUpgrade && isValidSessionInRealm) {
            generateAssertionResponse(data);
        }
        if (redirectException != null) {
            throw redirectException;
        }
    }
}
Also used : IDPAuthnContextInfo(com.sun.identity.saml2.plugins.IDPAuthnContextInfo) IDPAuthnContextMapper(com.sun.identity.saml2.plugins.IDPAuthnContextMapper) IDPSession(com.sun.identity.saml2.profile.IDPSession) ServerFaultException(com.sun.identity.saml2.profile.ServerFaultException) SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) SessionException(com.sun.identity.plugin.session.SessionException) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) IDPECPSessionMapper(com.sun.identity.saml2.plugins.IDPECPSessionMapper) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) Response(com.sun.identity.saml2.protocol.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) ClientFaultException(com.sun.identity.saml2.profile.ClientFaultException) List(java.util.List) CacheObject(com.sun.identity.saml2.profile.CacheObject) FederatedSSOException(com.sun.identity.saml2.profile.FederatedSSOException) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) Map(java.util.Map) IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)

Aggregations

SessionException (com.sun.identity.plugin.session.SessionException)121 SessionProvider (com.sun.identity.plugin.session.SessionProvider)55 List (java.util.List)40 SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)35 IOException (java.io.IOException)28 ArrayList (java.util.ArrayList)28 Set (java.util.Set)24 SAMLException (com.sun.identity.saml.common.SAMLException)23 Iterator (java.util.Iterator)20 HashMap (java.util.HashMap)18 HashSet (java.util.HashSet)18 Map (java.util.Map)18 FSSession (com.sun.identity.federation.services.FSSession)17 SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)17 FSSessionManager (com.sun.identity.federation.services.FSSessionManager)15 FSException (com.sun.identity.federation.common.FSException)13 IDFFMetaException (com.sun.identity.federation.meta.IDFFMetaException)12 SAML2TokenRepositoryException (org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)11 ServletException (javax.servlet.ServletException)10 DataStoreProviderException (com.sun.identity.plugin.datastore.DataStoreProviderException)9