use of com.sun.identity.saml.assertion.NameIdentifier in project OpenAM by OpenRock.
the class FSBrowserArtifactConsumerHandler method processSAMLResponse.
private void processSAMLResponse(FSResponse samlResponse) {
FSUtils.debug.message("FSBrowserArtifactConsumerHandler.processSAMLResponse: Called");
String baseURL = FSServiceUtils.getBaseURL(request);
String framedPageURL = FSServiceUtils.getCommonLoginPageURL(hostMetaAlias, relayState, null, request, baseURL);
try {
if (samlResponse == null) {
FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLResponse: null input " + FSUtils.bundle.getString("missingResponse"));
String[] data = { FSUtils.bundle.getString("missingResponse") };
LogUtil.error(Level.INFO, LogUtil.MISSING_RESPONSE, data);
FSUtils.forwardRequest(request, response, framedPageURL);
return;
}
FederationSPAdapter spAdapter = FSServiceUtils.getSPAdapter(hostEntityId, hostConfig);
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSBrowserArtifactConsumerHandler." + "processSAMLResponse: Received " + samlResponse.toXMLString());
}
boolean valid = verifyResponseStatus(samlResponse);
if (!valid) {
FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLResponse: verify Status failed " + FSUtils.bundle.getString("invalidResponse"));
String[] data = { samlResponse.toXMLString() };
LogUtil.error(Level.INFO, LogUtil.INVALID_RESPONSE, data);
if (spAdapter == null || !spAdapter.postSSOFederationFailure(hostEntityId, request, response, authnRequest, null, samlResponse, FederationSPAdapter.INVALID_RESPONSE)) {
FSUtils.forwardRequest(request, response, framedPageURL);
}
return;
}
// check Assertion
List assertions = samlResponse.getAssertion();
if ((assertions == null) || !(assertions.size() > 0)) {
FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLResponse" + FSUtils.bundle.getString("invalidResponse") + ": No assertion found inside the AuthnResponse");
String[] data = { samlResponse.toXMLString() };
LogUtil.error(Level.INFO, LogUtil.INVALID_RESPONSE, data);
FSUtils.forwardRequest(request, response, framedPageURL);
return;
}
Iterator iter = assertions.iterator();
FSAssertion assertion = (FSAssertion) iter.next();
FSAuthnRequest authnRequestRef = getInResponseToRequest(assertion.getInResponseTo());
if (authnRequestRef == null) {
FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLResponse: " + FSUtils.bundle.getString("invalidResponse") + ": Assertion does not correspond to any AuthnRequest");
String[] data = { samlResponse.toXMLString() };
LogUtil.error(Level.INFO, LogUtil.INVALID_RESPONSE, data);
FSUtils.forwardRequest(request, response, framedPageURL);
return;
}
this.authnRequest = authnRequestRef;
this.relayState = authnRequest.getRelayState();
if ((this.relayState == null) || (this.relayState.trim().length() == 0)) {
this.relayState = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostConfig, IFSConstants.PROVIDER_HOME_PAGE_URL);
if ((this.relayState == null) || (this.relayState.trim().length() == 0)) {
this.relayState = baseURL + IFSConstants.SP_DEFAULT_RELAY_STATE;
}
}
this.doFederate = authnRequest.getFederate();
this.nameIDPolicy = authnRequest.getNameIDPolicy();
// Call SP preSSOFederationProcess for Artifact case
if (spAdapter != null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSBrowserArtifactConsumerHandler, " + "Artifact, Invoke spAdapter.preSSOFederationProcess");
}
try {
spAdapter.preSSOFederationProcess(hostEntityId, request, response, authnRequest, null, (FSResponse) samlResponse);
} catch (Exception e) {
// log run time exception in Adapter
// implementation, continue
FSUtils.debug.error("FSAssertionArtifactHandler" + " SPAdapter.preSSOFederationSuccess", e);
}
}
framedPageURL = FSServiceUtils.getCommonLoginPageURL(hostMetaAlias, authnRequest.getRelayState(), null, request, baseURL);
String idpEntityIdRef = getProvider(assertion.getInResponseTo());
if ((idpEntityIdRef == null) || !(idpEntityIdRef.equals(idpEntityId))) {
FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLResponse: " + FSUtils.bundle.getString("invalidAssertion") + ": Assertion does not correspond to any IDP");
String[] data = { FSUtils.bundle.getString("invalidAssertion") };
LogUtil.error(Level.INFO, LogUtil.INVALID_ASSERTION, data);
FSUtils.forwardRequest(request, response, framedPageURL);
return;
}
FSSubject validSubject = (FSSubject) validateAssertions(assertions);
if (validSubject == null) {
FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLResponse: validateAssertions failed: " + FSUtils.bundle.getString("invalidAssertion"));
String[] data = { FSUtils.bundle.getString("invalidAssertion") };
LogUtil.error(Level.INFO, LogUtil.INVALID_ASSERTION, data);
if (spAdapter == null || !spAdapter.postSSOFederationFailure(hostEntityId, request, response, authnRequest, null, samlResponse, FederationSPAdapter.INVALID_RESPONSE)) {
FSUtils.forwardRequest(request, response, framedPageURL);
}
return;
}
if (doFederate) {
NameIdentifier ni = validSubject.getIDPProvidedNameIdentifier();
if (ni == null) {
ni = validSubject.getNameIdentifier();
}
if (ni != null) {
int returnCode = doAccountFederation(ni);
if (returnCode == FederationSPAdapter.SUCCESS) {
// remove it from session manager table
FSSessionManager sessionManager = FSSessionManager.getInstance(hostMetaAlias);
sessionManager.removeAuthnRequest(assertion.getInResponseTo());
return;
} else {
FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLResponse: " + FSUtils.bundle.getString("AccountFederationFailed"));
String[] data = { FSUtils.bundle.getString("AccountFederationFailed") };
LogUtil.error(Level.INFO, LogUtil.ACCOUNT_FEDERATION_FAILED, data);
if (spAdapter == null || !spAdapter.postSSOFederationFailure(hostEntityId, request, response, authnRequest, authnResponse, samlResponse, returnCode)) {
FSUtils.forwardRequest(request, response, framedPageURL);
}
}
} else {
FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLResponse: Single Sign-On failed. " + "NameIdentifier of the subject is null: ");
String[] data = { FSUtils.bundle.getString("SingleSignOnFailed") };
LogUtil.error(Level.INFO, LogUtil.SINGLE_SIGNON_FAILED, data);
throw new FSException("missingNIofSubject", null);
}
} else {
// remove it from session manager table
FSSessionManager sessionManager = FSSessionManager.getInstance(hostMetaAlias);
sessionManager.removeAuthnRequest(assertion.getInResponseTo());
NameIdentifier niIdp = validSubject.getIDPProvidedNameIdentifier();
NameIdentifier ni = validSubject.getNameIdentifier();
if (niIdp == null) {
niIdp = ni;
}
if ((niIdp == null) || (ni == null)) {
String[] data = { FSUtils.bundle.getString("invalidResponse") };
LogUtil.error(Level.INFO, LogUtil.INVALID_RESPONSE, data);
FSUtils.forwardRequest(request, response, framedPageURL);
return;
}
String idpHandle = niIdp.getName();
String spHandle = ni.getName();
int handleType;
if ((idpHandle == null) || (spHandle == null)) {
String[] data = { FSUtils.bundle.getString("invalidResponse") };
LogUtil.error(Level.INFO, LogUtil.INVALID_RESPONSE, data);
FSUtils.forwardRequest(request, response, framedPageURL);
return;
}
if (idpHandle.equals(spHandle)) {
ni = niIdp;
handleType = IFSConstants.REMOTE_OPAQUE_HANDLE;
} else {
handleType = IFSConstants.LOCAL_OPAQUE_HANDLE;
}
if (ni != null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSBrowserArtifactConsumerHandler." + "processSAMLResponse: NameIdentifier=" + ni.getName() + " securityDomain=" + ni.getNameQualifier());
}
Map env = new HashMap();
env.put(IFSConstants.FS_USER_PROVIDER_ENV_FSRESPONSE_KEY, samlResponse);
int returnCode = doSingleSignOn(ni, handleType, niIdp, env);
if (returnCode == FederationSPAdapter.SUCCESS) {
String requestID = assertion.getInResponseTo();
if (isIDPProxyEnabled(requestID)) {
sendProxyResponse(requestID);
return;
}
String[] data = { this.relayState };
LogUtil.access(Level.INFO, LogUtil.ACCESS_GRANTED_REDIRECT_TO, data, ssoToken);
// Call SP Adapter
if (spAdapter != null) {
FSUtils.debug.message("Invoke spAdapter");
try {
if (spAdapter.postSSOFederationSuccess(hostEntityId, request, response, ssoToken, authnRequest, null, samlResponse)) {
return;
}
} catch (Exception e) {
// log run time exception in Adapter
// implementation, continue
FSUtils.debug.error("FSAssertionArtifactHandler" + " SPAdapter.postSSOFederationSuccess:", e);
}
}
redirectToResource(this.relayState);
return;
} else {
FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLResponse: SingleSignOnFailed, ni=" + ni.getName() + "[" + ni.getNameQualifier() + "]");
String[] data = { ni.getName() };
LogUtil.error(Level.INFO, LogUtil.SINGLE_SIGNON_FAILED, data);
if (spAdapter == null || !spAdapter.postSSOFederationFailure(hostEntityId, request, response, authnRequest, null, samlResponse, returnCode)) {
FSUtils.forwardRequest(request, response, framedPageURL);
}
return;
}
} else {
FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLResponse: SingleSignOnFailed (null)");
String[] data = { FSUtils.bundle.getString("SingleSignOnFailed") };
LogUtil.error(Level.INFO, LogUtil.SINGLE_SIGNON_FAILED, data);
throw new FSException("missingNIofSubject", null);
}
}
} catch (Exception e) {
FSUtils.debug.error("FSBrowserArtifactConsumerHandler." + "processSAMLResponse: Exception occured: ", e);
return;
}
}
use of com.sun.identity.saml.assertion.NameIdentifier in project OpenAM by OpenRock.
the class CDCServlet method createAssertion.
private FSAssertion createAssertion(String destID, String sourceID, String tokenID, String authType, String strAuthInst, String userDN, String inResponseTo) throws FSException, SAMLException {
debug.message("Entering CDCServlet.createAssertion Method");
if ((destID == null) || (sourceID == null) || (tokenID == null) || (authType == null) || (userDN == null) || (inResponseTo == null)) {
debug.message("CDCServlet,createAssertion: null input");
throw new FSException(FSUtils.bundle.getString("nullInput"));
}
String securityDomain = sourceID;
NameIdentifier idpHandle = new NameIdentifier(URLEncDec.encode(tokenID), sourceID);
NameIdentifier spHandle = idpHandle;
String authMethod = authType;
Date authInstant = convertAuthInstanceToDate(strAuthInst);
if (debug.messageEnabled()) {
debug.message("CDCServlet.createAssertion " + "Creating Authentication Assertion for user with opaqueHandle =" + spHandle.getName() + " and SecurityDomain = " + securityDomain);
}
SubjectConfirmation subConfirmation = new SubjectConfirmation(IFSConstants.CONFIRMATION_METHOD_BEARER);
IDPProvidedNameIdentifier idpNi = new IDPProvidedNameIdentifier(idpHandle.getNameQualifier(), idpHandle.getName());
FSSubject sub = new FSSubject(spHandle, subConfirmation, idpNi);
SubjectLocality authLocality = new SubjectLocality(IPAddress, DNSAddress);
AuthnContext authnContextStmt = new AuthnContext(null, null);
FSAuthenticationStatement statement = new FSAuthenticationStatement(authMethod, authInstant, sub, authLocality, null, authnContextStmt);
//setReauthenticateOnOrAfter date
Date issueInstant = new Date();
// get this period from the config
Integer assertionTimeout = new Integer(IFSConstants.ASSERTION_TIMEOUT_DEFAULT);
long period = (assertionTimeout.intValue()) * 1000;
if (period < IFSConstants.ASSERTION_TIMEOUT_ALLOWED_DIFFERENCE) {
period = IFSConstants.ASSERTION_TIMEOUT_ALLOWED_DIFFERENCE;
}
Date notAfter = new Date(issueInstant.getTime() + period);
statement.setReauthenticateOnOrAfter(notAfter);
if (debug.messageEnabled()) {
debug.message("CDCServlet.createAssertion: " + "Authentication Statement: " + statement.toXMLString());
}
Conditions cond = new Conditions(issueInstant, notAfter);
if ((destID != null) && (destID.length() != 0)) {
List targets = new ArrayList(1);
targets.add(destID);
cond.addAudienceRestrictionCondition(new AudienceRestrictionCondition(targets));
}
if (debug.messageEnabled()) {
debug.message("CDCServlet.createAssertion: " + "Condition: " + cond.toString());
}
AssertionIDReference aID = new AssertionIDReference();
Set statements = new HashSet(2);
statements.add(statement);
FSAssertion assertion = new FSAssertion(aID.getAssertionIDReference(), sourceID, issueInstant, cond, statements, inResponseTo);
assertion.setID(aID.getAssertionIDReference());
String[] params = { FSUtils.bundle.getString("assertionCreated") + ":" + assertion.toString() };
LogUtil.access(Level.INFO, "CREATE_ASSERTION", params);
if (debug.messageEnabled()) {
debug.message("CDCServlet.createAssertion:" + " Returning Assertion: " + assertion.toXMLString());
}
return assertion;
}
use of com.sun.identity.saml.assertion.NameIdentifier in project OpenAM by OpenRock.
the class DefaultNameIdentifierMapper method getNameIdentifier.
/**
* Returns name identifier for assertion subject based on user account.
*
* @param session the session of the user performing the operation.
* @param sourceID source ID for the site from which the assertion
* originated.
* @param destID destination ID for the site for which the assertion will be
* created.
* @return a <code>NameIdentifier</code> for assertion subject.
* @exception SAMLException if an error occurs
*/
public NameIdentifier getNameIdentifier(Object session, String sourceID, String destID, String nameIDFormat) throws SAMLException {
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("DefaultNameIdentifierMapper." + "getNameIdentifier: sourceID = " + sourceID + ", destID = " + destID);
}
if (SAMLUtils.debug.messageEnabled()) {
SAMLUtils.debug.message("DefaultNameIdentifierMapper." + "getNameIdentifier: nameIDFormat = " + nameIDFormat);
}
try {
String nameQualifier = XMLUtils.escapeSpecialCharacters((SessionManager.getProvider().getProperty(session, "Organization")[0]));
String userID = SessionManager.getProvider().getPrincipalName(session);
String name = null;
if (nameIDFormat != null) {
Map nameIDFormatAttrMap = (Map) SAMLServiceManager.getAttribute(SAMLConstants.NAME_ID_FORMAT_MAP);
if ((nameIDFormatAttrMap != null) && (!nameIDFormatAttrMap.isEmpty()) && (nameIDFormatAttrMap.keySet().contains(nameIDFormat))) {
String attrName = (String) nameIDFormatAttrMap.get(nameIDFormat);
try {
DataStoreProvider dsProvider = DataStoreProviderManager.getInstance().getDataStoreProvider(SAMLConstants.SAML);
Set attrValues = dsProvider.getAttribute(userID, attrName);
if ((attrValues != null) && (!attrValues.isEmpty())) {
name = (String) attrValues.iterator().next();
}
} catch (DataStoreProviderException dspe) {
if (SAMLUtils.debug.warningEnabled()) {
SAMLUtils.debug.warning("DefaultNameIdentifierMapper." + "getNameIdentifier:", dspe);
}
}
}
}
if (name == null) {
name = XMLUtils.escapeSpecialCharacters(userID);
} else {
name = XMLUtils.escapeSpecialCharacters(name);
}
return new NameIdentifier(name, nameQualifier, nameIDFormat);
} catch (SessionException sx) {
SAMLUtils.debug.error("DefaultNameIdentifierMapper." + "getNameIdentifier: Invalid Session ", sx);
return null;
} catch (Exception ex) {
SAMLUtils.debug.error("DefaultNameIdentifierMapper." + "getNameIdentifier:", ex);
return null;
}
}
use of com.sun.identity.saml.assertion.NameIdentifier in project OpenAM by OpenRock.
the class DefaultIDPAccountMapper method getNameID.
/**
* Returns the user's <code>NameID</code>information that contains
* account federation with the corresponding remote and local entities.
*
* @param session Session object.
* @param realm Realm where user resides.
* @param hostEntityID <code>EntityID</code> of the hosted provider.
* @param remoteEntityID <code>EntityID</code> of the remote provider.
* @return the <code>NameID</code> corresponding to the authenticated user.
* null if the authenticated user does not container account
* federation information.
* @exception WSFederationException if any failure.
*/
public NameIdentifier getNameID(Object session, String realm, String hostEntityID, String remoteEntityID) throws WSFederationException {
String userID = null;
try {
SessionProvider sessionProv = SessionManager.getProvider();
userID = sessionProv.getPrincipalName(session);
} catch (SessionException se) {
throw new WSFederationException(WSFederationUtils.bundle.getString("invalidSSOToken"));
}
IDPSSOConfigElement idpConfig = WSFederationUtils.getMetaManager().getIDPSSOConfig(realm, hostEntityID);
String name2 = null;
String attrName = WSFederationMetaUtils.getAttribute(idpConfig, WSFederationConstants.NAMEID_ATTRIBUTE);
if (attrName == null || attrName.length() == 0) {
attrName = WSFederationConstants.UID;
}
try {
Set attrValues = dsProvider.getAttribute(userID, attrName);
if ((attrValues != null) && (!attrValues.isEmpty())) {
name2 = (String) attrValues.iterator().next();
} else {
String[] args = { attrName, userID };
throw new WSFederationException(WSFederationConstants.BUNDLE_NAME, "missingNameAttribute", args);
}
} catch (DataStoreProviderException dspe) {
throw new WSFederationException(dspe);
}
String nameIdFormat = WSFederationMetaUtils.getAttribute(idpConfig, WSFederationConstants.NAMEID_FORMAT);
if (nameIdFormat == null || nameIdFormat.length() == 0) {
nameIdFormat = WSFederationConstants.NAMED_CLAIM_TYPES[WSFederationConstants.NAMED_CLAIM_UPN];
}
String strNameIncludesDomain = WSFederationMetaUtils.getAttribute(idpConfig, WSFederationConstants.NAME_INCLUDES_DOMAIN);
boolean nameIncludesDomain = Boolean.valueOf(strNameIncludesDomain);
String name = null;
if (nameIdFormat.equals(WSFederationConstants.NAMED_CLAIM_TYPES[WSFederationConstants.NAMED_CLAIM_UPN]) && !nameIncludesDomain) {
// Need to get a domain from somewhere and append it to name2
// Try user profile first
String domainAttribute = WSFederationMetaUtils.getAttribute(idpConfig, WSFederationConstants.DOMAIN_ATTRIBUTE);
String upnDomain = null;
if (domainAttribute != null && domainAttribute.length() > 0) {
Set attrValues;
try {
attrValues = dsProvider.getAttribute(userID, domainAttribute);
} catch (DataStoreProviderException dspe) {
throw new WSFederationException(dspe);
}
if ((attrValues != null) && (!attrValues.isEmpty())) {
upnDomain = (String) attrValues.iterator().next();
}
}
if (upnDomain == null || upnDomain.length() == 0) {
// Nothing on the user profile - get from config
upnDomain = WSFederationMetaUtils.getAttribute(idpConfig, WSFederationConstants.UPN_DOMAIN);
}
if (upnDomain == null || upnDomain.length() == 0) {
// OK - now we have a problem
throw new WSFederationException(WSFederationConstants.BUNDLE_NAME, "noDomainConfigured", null);
}
name = name2 + "@" + upnDomain;
} else {
name = name2;
}
try {
return new NameIdentifier(name, null, nameIdFormat);
} catch (SAMLException se) {
throw new WSFederationException(se);
}
}
use of com.sun.identity.saml.assertion.NameIdentifier in project OpenAM by OpenRock.
the class FSNameMappingHandler method getNameIdentifier.
/**
* Returns <code>NameIdentifier</code> of a provider.
* @param userID user id.
* @param remoteEntityID the provider id whose
* <code>NameIdentifier</code> is to be returned.
* @param local <code>true</code> if <code>remoteProviderID</code> is
* a local provider; <code>false</code> otherwise.
* @return <code>NameIdentifier</code> of an user corresponding to
* <code>remoteProviderID</code>.
* @exception FSAccountMgmtException, SAMLException if an error occurred.
*/
public NameIdentifier getNameIdentifier(String userID, String remoteEntityID, boolean local) throws FSAccountMgmtException, SAMLException {
FSAccountFedInfo accountInfo = accountMgr.readAccountFedInfo(userID, remoteEntityID);
NameIdentifier nameIdentifier = null;
if (local) {
nameIdentifier = accountInfo.getLocalNameIdentifier();
if (nameIdentifier == null) {
NameIdentifier remoteNI = accountInfo.getRemoteNameIdentifier();
if (remoteNI != null) {
nameIdentifier = new NameIdentifier(remoteNI.getName(), hostedEntityID, remoteNI.getFormat());
}
}
} else {
nameIdentifier = accountInfo.getRemoteNameIdentifier();
if (nameIdentifier == null) {
NameIdentifier localNI = accountInfo.getLocalNameIdentifier();
if (localNI != null) {
nameIdentifier = new NameIdentifier(localNI.getName(), remoteEntityID, localNI.getFormat());
}
}
}
if (nameIdentifier != null && (nameIdentifier.getFormat().length() == 0 || nameIdentifier.getFormat() == null)) {
nameIdentifier.setFormat(IFSConstants.NI_FEDERATED_FORMAT_URI);
}
return nameIdentifier;
}
Aggregations