
Example 51 with SessionProvider

use of com.sun.identity.plugin.session.SessionProvider in project OpenAM by OpenRock.

Class SAML2SDKUtils, method getDiscoveryBootStrapResourceOffering.

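/**
 * Gets the Discovery bootstrap resource offering in an attribute
 * statement. After a single sign-on with an Identity Provider, a service
 * provider may get Discovery service Resource Offerings through a SAML2
 * assertion. This API helps in retrieving the resource offerings
 * if the user has been authenticated through the SAML2 SSO. It will
 * need to have a valid single sign on token (generated through the
 * SAML2 SSO).
 *
 * @param request <code>HttpServletRequest</code> associated with a user
 *        session.
 * @return <code>ResourceOffering</code> Discovery Resource Offering,
 *         null if there is any failure or if there is not one
 */
public static ResourceOffering getDiscoveryBootStrapResourceOffering(HttpServletRequest request) {
    if (request == null) {
        if (debug.messageEnabled()) {
            debug.message("SAML2Utils.getDiscoveryBootStrapResource" + "Offerings: null Input params");
        }
        return null;
    }
    try {
        SessionProvider sessionProvider = SessionManager.getProvider();
        Object session = sessionProvider.getSession(request);
        // The offering is kept as a session property; only the first value is used.
        String[] roStr = sessionProvider.getProperty(session, SAML2Constants.DISCOVERY_BOOTSTRAP_ATTRIBUTE_NAME);
        if ((roStr == null) || (roStr.length == 0)) {
            return null;
        }
        // Check the parse result explicitly instead of letting the catch-all below
        // turn a failed parse into a logged NullPointerException
        // (assumes XMLUtils.toDOMDocument returns null on parse failure -- TODO confirm).
        org.w3c.dom.Document doc = XMLUtils.toDOMDocument(roStr[0], debug);
        if (doc == null) {
            debug.error("SAML2Utils.getDiscoveryBootStrapResourceOfferings: " + "unable to parse discovery boot strap info.");
            return null;
        }
        return new ResourceOffering(doc.getDocumentElement());
    } catch (Exception ex) {
        // Any session or parsing failure is reported here and mapped to null, as the
        // Javadoc promises to callers.
        debug.error("SAML2Utils.getDiscoveryBootStrapResourceOfferings: " + " Exception while retrieving discovery boot strap info.", ex);
        return null;
    }
}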

Example 52 with SessionProvider

use of com.sun.identity.plugin.session.SessionProvider in project OpenAM by OpenRock.

Class UtilProxySAMLAuthenticatorLookup, method retrieveAuthenticationFromCache.

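/**
 * Completes an IdP-initiated SSO flow on the user's second visit, after local
 * authentication has finished.
 * <p>
 * The user's session is looked up through the {@code SessionProvider} and
 * stored on {@code data}; the cached {@code AuthnRequest} and relay state for
 * {@code data.getRequestID()} are read (without removal) so that the IdP
 * adapter's {@code preSendResponse} can see them. Only after the session check
 * and the adapter have both allowed the flow to continue are the cache entries
 * removed and the assertion response sent to the SP's assertion consumer
 * service.
 *
 * @throws SessionException     if the session provider cannot be obtained
 *                              (the per-session lookup failure itself is
 *                              logged and leaves {@code data} with a null session)
 * @throws ServerFaultException if the SSO response cannot be built or sent
 * @throws ClientFaultException declared for the helpers called here
 *                              ({@code isSessionValid}, {@code preSendResponse},
 *                              {@code authNotAvailable}); which of them raises it
 *                              is not visible in this method
 */
@Override
public void retrieveAuthenticationFromCache() throws SessionException, ServerFaultException, ClientFaultException {
    final String classMethod = "UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache: ";
    // the second visit, the user has already authenticated
    // retrieve the cache authn request and relay state
    // We need the session to pass it to the IDP Adapter preSendResponse
    SessionProvider sessionProvider = SessionManager.getProvider();
    try {
        data.setSession(sessionProvider.getSession(request));
        data.getEventAuditor().setSSOTokenId(data.getSession());
    } catch (SessionException se) {
        // Log the exception itself, not only its message, so the stack trace is
        // kept; the flow carries on with a null session and isSessionValid decides.
        SAML2Utils.debug.error("An error occurred while retrieving the session: ", se);
        data.setSession(null);
    }
    // Get the cached Authentication Request and Relay State before
    // invoking the IDP Adapter. These are plain reads: the entries are only
    // removed further down, once the adapter has run.
    CacheObject cacheObj;
    synchronized (IDPCache.authnRequestCache) {
        cacheObj = (CacheObject) IDPCache.authnRequestCache.get(data.getRequestID());
    }
    if (cacheObj != null) {
        data.setAuthnRequest((AuthnRequest) cacheObj.getObject());
    }
    data.setRelayState((String) IDPCache.relayStateCache.get(data.getRequestID()));
    if (!isSessionValid(sessionProvider)) {
        return;
    }
    // Invoke the IDP Adapter after the user has been authenticated
    if (preSendResponse(request, response, data)) {
        return;
    }
    // Consume the cached request state for this request ID.
    synchronized (IDPCache.authnRequestCache) {
        cacheObj = (CacheObject) IDPCache.authnRequestCache.remove(data.getRequestID());
    }
    if (cacheObj != null) {
        data.setAuthnRequest((AuthnRequest) cacheObj.getObject());
    }
    synchronized (IDPCache.idpAuthnContextCache) {
        cacheObj = (CacheObject) IDPCache.idpAuthnContextCache.remove(data.getRequestID());
    }
    if (cacheObj != null) {
        data.setMatchingAuthnContext((AuthnContext) cacheObj.getObject());
    }
    data.setRelayState((String) IDPCache.relayStateCache.remove(data.getRequestID()));
    if (data.getAuthnRequest() == null) {
        authNotAvailable();
        return;
    }
    SAML2Utils.debug.message("{} RequestID= {}", classMethod, data.getRequestID());
    boolean isSessionUpgrade = false;
    if (CollectionUtils.isNotEmpty(IDPCache.isSessionUpgradeCache)) {
        isSessionUpgrade = IDPCache.isSessionUpgradeCache.contains(data.getRequestID());
    }
    if (isSessionUpgrade) {
        // Looks like the previous IDP session is re-registered under the new
        // session index and the monitoring session count refreshed -- confirm.
        IDPSession oldSess = (IDPSession) IDPCache.oldIDPSessionCache.remove(data.getRequestID());
        String sessionIndex = IDPSSOUtil.getSessionIndex(data.getSession());
        if (StringUtils.isNotEmpty(sessionIndex)) {
            IDPCache.idpSessionsByIndices.put(sessionIndex, oldSess);
            final FedMonAgent agent = MonitorManager.getAgent();
            if (agent != null && agent.isRunning()) {
                final FedMonSAML2Svc saml2Svc = MonitorManager.getSAML2Svc();
                if (saml2Svc != null) {
                    saml2Svc.setIdpSessionCount(IDPCache.idpSessionsByIndices.size());
                }
            }
        }
    }
    if (data.getSession() != null) {
        // call multi-federation protocol to set the protocol
        MultiProtocolUtils.addFederationProtocol(data.getSession(), SingleLogoutManager.SAML2);
    }
    // generate assertion response
    data.setSpEntityID(data.getAuthnRequest().getIssuer().getValue());
    NameIDPolicy policy = data.getAuthnRequest().getNameIDPolicy();
    String nameIDFormat = (policy == null) ? null : policy.getFormat();
    try {
        IDPSSOUtil.sendResponseToACS(request, response, out, data.getSession(), data.getAuthnRequest(), data.getSpEntityID(), data.getIdpEntityID(), data.getIdpMetaAlias(), data.getRealm(), nameIDFormat, data.getRelayState(), data.getMatchingAuthnContext());
    } catch (SAML2Exception se) {
        SAML2Utils.debug.error(classMethod + "Unable to do sso or federation.", se);
        throw new ServerFaultException(data.getIdpAdapter(), SSO_OR_FEDERATION_ERROR, se.getMessage());
    }
}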

Example 53 with SessionProvider

use of com.sun.identity.plugin.session.SessionProvider in project OpenAM by OpenRock.

Class FSSSOAndFedHandler, method doAccountFederation.

/**
 * Establishes, or reuses, the account federation between the local user and
 * the requesting provider.
 * <p>
 * An existing active federation (affiliation-scoped first, then
 * provider-scoped) is returned unchanged. Otherwise a new opaque handle is
 * generated and wrapped in a {@code NameIdentifier}; the resulting
 * {@code FSAccountFedInfo} is either persisted through the account manager
 * or, for a one-time name identifier policy, attached to the
 * {@code FSSession} only.
 *
 * @param ssoToken     session token used to resolve the principal name
 * @param authnRequest the incoming authentication request
 * @param session      session that receives one-time federation state
 * @return the active or newly created federation info, or {@code null} when
 *         no handle could be generated or any step throws
 */
protected FSAccountFedInfo doAccountFederation(Object ssoToken, FSAuthnRequest authnRequest, FSSession session) {
    FSUtils.debug.message("FSSSOAndFedHandler.doAccountFederation: Called");
    final String nameIDPolicy = authnRequest.getNameIDPolicy();
    final String affiliationID = authnRequest.getAffiliationID();
    final boolean affiliationFed = (affiliationID != null) && affiliateMembershipOrFalse(affiliationID);
    try {
        final SessionProvider provider = SessionManager.getProvider();
        final String userID = provider.getPrincipalName(ssoToken);
        if (affiliationFed) {
            FSAccountFedInfo affiliateInfo = accountManager.readAccountFedInfo(userID, affiliationID);
            if (affiliateInfo != null && affiliateInfo.isFedStatusActive()) {
                return affiliateInfo;
            }
        }
        // Check if there is an existing fed info
        final String providerID = authnRequest.getProviderId();
        FSAccountFedInfo providerInfo = accountManager.readAccountFedInfo(userID, providerID);
        if (providerInfo != null && providerInfo.isFedStatusActive()) {
            return providerInfo;
        }
        final FSNameIdentifierHelper nameHelper = new FSNameIdentifierHelper(hostedConfig);
        final String opaqueHandle = nameHelper.createNameIdentifier();
        if (opaqueHandle == null) {
            FSUtils.debug.error("FSSSOAndFedHandler.doAccountFederation: " + "Could not generate handle");
            return null;
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOAndFedHandler.doAccountFederation: " + "Generated handle: " + opaqueHandle);
        }
        final String qualifier = affiliationFed ? affiliationID : providerID;
        final NameIdentifier nameId = new NameIdentifier(opaqueHandle, qualifier);
        if (authnRequest.getMinorVersion() == IFSConstants.FF_12_PROTOCOL_MINOR_VERSION) {
            final boolean oneTimeByConstant = (nameIDPolicy != null) && nameIDPolicy.equals(IFSConstants.NAME_ID_POLICY_ONETIME);
            nameId.setFormat(oneTimeByConstant ? IFSConstants.NI_ONETIME_FORMAT_URI : IFSConstants.NI_FEDERATED_FORMAT_URI);
        }
        final FSAccountFedInfo accountInfo = new FSAccountFedInfo(providerID, nameId, null, false);
        final FSAccountFedInfoKey fedKey;
        if (affiliationFed) {
            fedKey = new FSAccountFedInfoKey(affiliationID, opaqueHandle);
            accountInfo.setAffiliation(true);
        } else {
            fedKey = new FSAccountFedInfoKey(providerID, opaqueHandle);
        }
        // NOTE(review): this check compares against the literal "onetime" while the
        // format selection above uses IFSConstants.NAME_ID_POLICY_ONETIME; kept as-is,
        // confirm the two agree.
        if ("onetime".equals(nameIDPolicy)) {
            session.setOneTime(true);
            session.setAccountFedInfo(accountInfo);
            session.setUserID(userID);
        } else {
            accountManager.writeAccountFedInfo(userID, fedKey, accountInfo);
        }
        return accountInfo;
    } catch (Exception ex) {
        FSUtils.debug.error("FSSSOAndFedHandler.doAccountFederation: " + "Exception when doing account federation", ex);
        return null;
    }
}

/**
 * Best-effort affiliation membership check: any failure is logged at debug
 * level and treated as "not a member".
 *
 * @param affiliationID the affiliation to check the hosted entity against
 * @return {@code true} only when the meta manager confirms membership
 */
private boolean affiliateMembershipOrFalse(String affiliationID) {
    try {
        return metaManager.isAffiliateMember(realm, hostedEntityId, affiliationID);
    } catch (Exception e) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOAndFedHandler.doAccount" + "Federation:Error in checking for the affiliation:", e);
        }
        return false;
    }
}

Example 54 with SessionProvider

use of com.sun.identity.plugin.session.SessionProvider in project OpenAM by OpenRock.

Class FSSSOAndFedHandler, method processPostAuthnSSO.

/**
 * Handles authentication request after local login.
 * <p>
 * Resolves the SSO token (the {@code ssoToken} field if already set,
 * otherwise the session of the current request) and rejects the request
 * when the session provider does not consider it valid. The requesting SP
 * is then registered as a session partner on the user's {@code FSSession}
 * (a new one with a fresh session index is created when none exists),
 * after which the flow either federates the account first -- when the
 * request asks for it or auto federation is enabled in the hosted config --
 * or goes straight to single sign-on.
 *
 * @param authnRequest <code>FSAuthnRequest</code> object
 * @return <code>true</code> if the request is handled successfully;
 *  <code>false</code> otherwise.
 */
public boolean processPostAuthnSSO(FSAuthnRequest authnRequest) {
    FSUtils.debug.message("FSSSOAndFedHandler.processPostAuthnSSO: Called");
    SessionProvider provider;
    try {
        provider = SessionManager.getProvider();
        if (ssoToken == null) {
            ssoToken = provider.getSession(request);
        }
        final boolean tokenUsable = (ssoToken != null) && provider.isValid(ssoToken);
        if (!tokenUsable) {
            FSUtils.debug.error("FSSSOAndFedHandler.processPostAuthnSSO: " + "session is not valid.");
            return false;
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOAndFedHandler.processPostAuthnSSO: " + "session is valid.");
        }
    } catch (SessionException se) {
        FSUtils.debug.error("FSSSOAndFedHandler.processPostAuthnSSO: ", se);
        return false;
    }
    //save session
    final String principal;
    final String sessionId;
    try {
        principal = provider.getPrincipalName(ssoToken);
        sessionId = provider.getSessionID(ssoToken);
        if (FSUtils.debug.messageEnabled()) {
            // NOTE(review): the session identifier ends up in the debug log here;
            // debug output therefore needs the same handling as other session data.
            FSUtils.debug.message("FSSSOAndFedHandler.processPostAuthnSSO: " + "UserID of the principal in the session: " + principal + "sessionID of the session: " + sessionId);
        }
    } catch (SessionException ex) {
        FSUtils.debug.error("FSSSOAndFedHandler.processPostAuthnSSO: " + "SessionException occured. " + "Principal information not found in the session: ", ex);
        return false;
    }
    final FSSessionManager fsSessionManager = FSSessionManager.getInstance(metaAlias);
    FSSession fsSession = fsSessionManager.getSession(principal, sessionId);
    if (fsSession == null) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOAndFedHandler.processPostAuthnSSO: " + "No existing SSO session found. " + "Entering a new session to the session manager with ID: " + sessionId);
        }
        fsSession = new FSSession(sessionId);
        fsSession.setSessionIndex(SAMLUtils.generateID());
    } else if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSSSOAndFedHandler.processPostAuthnSSO: " + "An existing SSO session found with ID:" + fsSession.getSessionID());
    }
    // Either way the requesting SP becomes a partner of this session.
    fsSession.addSessionPartner(new FSSessionPartner(spEntityId, false));
    fsSessionManager.addSession(principal, fsSession);
    // check for federation
    final String autoFed = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostedConfig, IFSConstants.ENABLE_AUTO_FEDERATION);
    final boolean federate = authnRequest.getFederate() || "true".equalsIgnoreCase(autoFed);
    if (!federate) {
        return doSingleSignOn(ssoToken, authnRequest.getRequestID());
    }
    final FSAccountFedInfo fedInfo = doAccountFederation(ssoToken, authnRequest, fsSession);
    if (fedInfo == null) {
        FSUtils.debug.error("FSSSOAndFedHandler.processPostAuthnSSO: " + "Accountfederation failed");
        return false;
    }
    NameIdentifier spNI = fedInfo.getRemoteNameIdentifier();
    NameIdentifier idpNI = fedInfo.getLocalNameIdentifier();
    if (idpNI == null) {
        // Fall back to the remote identifier for the IdP side as well.
        idpNI = fedInfo.getRemoteNameIdentifier();
        if (idpNI == null) {
            FSUtils.debug.error("FSSSOAndFedHandler.processPost" + "AuthnSSO: Opaque handle not found");
            return false;
        }
    }
    if (spNI == null) {
        spNI = idpNI;
    }
    return doSingleSignOn(ssoToken, authnRequest.getRequestID(), spNI, idpNI);
}

Example 55 with SessionProvider

use of com.sun.identity.plugin.session.SessionProvider in project OpenAM by OpenRock.

Class FSTerminationInitiationServlet, method getValidToken.

/**
 * Retrieves the session token from the <code>HttpServletRequest</code> and
 * hands it back only when the session provider reports it as valid.
 *
 * @param request HTTP request object carrying the user's session
 * @return the valid session token from the request object;
 *  <code>null</code> when there is no token, the token is invalid, or the
 *  session provider throws
 */
private Object getValidToken(HttpServletRequest request) {
    FSUtils.debug.message("Entered FSTerminationInitiationServlet::getValidToken");
    try {
        final SessionProvider provider = SessionManager.getProvider();
        final Object token = provider.getSession(request);
        final boolean usable = (token != null) && provider.isValid(token);
        if (!usable) {
            FSUtils.debug.error("session token is not valid, " + "redirecting for authentication");
            return null;
        }
        return token;
    } catch (SessionException e) {
        FSUtils.debug.error("SessionException caught: ", e);
        return null;
    }
}
