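/**
 * Gets the Certificate from the <code>Assertion</code>.
 * <p>
 * The certificate is read from the <code>KeyInfo</code> of the first subject
 * whose confirmation method set contains the holder-of-key method. Only
 * authentication, resource-access and session-context statements are
 * inspected; for the latter two the proxy subject is preferred over the
 * statement subject. A statement without a usable subject, subject
 * confirmation or confirmation method set is skipped rather than aborting
 * the search, so a later holder-of-key statement is still found.
 *
 * @param assertion the SAML <code>Assertion</code>.
 * @return <code>X509Certificate</code> object, or <code>null</code> when the
 *         assertion is <code>null</code>, has no statements, carries no
 *         holder-of-key confirmation, or extraction fails (the failure is
 *         logged via <code>debug</code>).
 */
public static java.security.cert.Certificate getCertificate(SecurityAssertion assertion) {
    if (assertion == null) {
        debug.error("getCertificate: assertion is null.");
        return null;
    }
    if (debug.messageEnabled()) {
        debug.message("SecurityAssertion = " + assertion.toString());
    }
    try {
        Set statements = assertion.getStatement();
        if (statements == null || statements.isEmpty()) {
            debug.error("Assertion does not contain any Statement.");
            return null;
        }
        for (Object item : statements) {
            Subject subject = confirmingSubject((Statement) item);
            if (subject == null) {
                continue;
            }
            SubjectConfirmation subConfirm = subject.getSubjectConfirmation();
            if (subConfirm == null) {
                // Nothing to confirm the key against; try the next statement.
                continue;
            }
            Set methods = subConfirm.getConfirmationMethod();
            if (methods != null && methods.contains(SAMLConstants.CONFIRMATION_METHOD_HOLDEROFKEY)) {
                Element keyinfo = subConfirm.getKeyInfo();
                return getCertificate(keyinfo);
            }
        }
    } catch (Exception e) {
        // Best effort: callers treat a null certificate as "not available".
        debug.error("getCertificate Exception: ", e);
    }
    return null;
}

/**
 * Returns the subject that a holder-of-key confirmation would apply to,
 * or <code>null</code> for statement types that carry none.
 * Resource-access and session-context statements prefer the proxy subject
 * and fall back to the statement subject.
 *
 * @param statement the SAML statement to inspect.
 * @return the (proxy) subject, or <code>null</code>.
 */
private static Subject confirmingSubject(Statement statement) {
    int stype = statement.getStatementType();
    if (stype == Statement.AUTHENTICATION_STATEMENT) {
        return ((AuthenticationStatement) statement).getSubject();
    }
    if (stype == ResourceAccessStatement.RESOURCEACCESS_STATEMENT) {
        ResourceAccessStatement raStatement = (ResourceAccessStatement) statement;
        Subject proxy = raStatement.getProxySubject();
        return proxy != null ? proxy : raStatement.getSubject();
    }
    if (stype == SessionContextStatement.SESSIONCONTEXT_STATEMENT) {
        SessionContextStatement scStatement = (SessionContextStatement) statement;
        Subject proxy = scStatement.getProxySubject();
        return proxy != null ? proxy : scStatement.getSubject();
    }
    return null;
}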
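/**
 * Determines if there is a valid SSO Assertion
 * inside of SAML Response.
 * <p>
 * Every assertion in the list must pass <code>checkCondition</code> and
 * contain at least one statement. For every statement, the subject must
 * carry a subject confirmation whose first confirmation method matches the
 * assertion version: the artifact method for minor version one, the
 * deprecated artifact method for minor version zero, major version as in
 * <code>SAMLConstants.ASSERTION_MAJOR_VERSION</code>. At least one statement
 * across all assertions must be an <code>AuthenticationStatement</code>.
 * Only the first confirmation method of each subject is examined.
 *
 * @param assertions a List of <code>Assertion</code> objects
 * @return a Subject object, namely the subject of the last statement
 *         examined, or <code>null</code> if the list is <code>null</code>
 *         or any check fails (the reason is logged via <code>debug</code>)
 * @exception IOException IOException
 */
public static com.sun.identity.saml.assertion.Subject examAssertions(List assertions) throws IOException {
    if (assertions == null) {
        return null;
    }
    boolean validation = false;
    com.sun.identity.saml.assertion.Subject subject = null;
    for (Object item : assertions) {
        Assertion assertion = (Assertion) item;
        if (!checkCondition(assertion)) {
            return null;
        }
        if (debug.messageEnabled()) {
            debug.message("Passed checking Conditions!");
        }
        // exam the Statement inside the Assertion
        Set statements = assertion.getStatement();
        if (statements == null || statements.isEmpty()) {
            debug.error(bundle.getString("noStatement"));
            return null;
        }
        for (Object s : statements) {
            Statement statement = (Statement) s;
            subject = ((SubjectStatement) statement).getSubject();
            if (subject == null) {
                debug.error("Subject is null");
                return null;
            }
            SubjectConfirmation sc = subject.getSubjectConfirmation();
            if (sc == null) {
                debug.error("Subject confirmation is null");
                return null;
            }
            Set cm = sc.getConfirmationMethod();
            if (cm == null || cm.isEmpty()) {
                debug.error("Subject confirmation method is null");
                return null;
            }
            String conMethod = (String) cm.iterator().next();
            // the accepted confirmation method depends on the Assertion version number
            if (!isArtifactConfirmation(assertion, conMethod)) {
                debug.error("Wrong Confirmation Method.");
                return null;
            }
            if (debug.messageEnabled()) {
                debug.message("Correct Confirmation method");
            }
            if (statement instanceof AuthenticationStatement) {
                //found an SSO Assertion
                validation = true;
            }
        }
        // end of loop over Statements
    }
    if (!validation) {
        debug.error(bundle.getString("noSSOAssertion"));
        return null;
    }
    return subject;
}

/**
 * Tells whether <code>conMethod</code> is the artifact confirmation method
 * expected for the version of <code>assertion</code>.
 *
 * @param assertion the assertion whose version selects the accepted method.
 * @param conMethod the confirmation method URI found on the subject.
 * @return <code>true</code> if the method matches the assertion version.
 */
private static boolean isArtifactConfirmation(Assertion assertion, String conMethod) {
    if (conMethod == null || assertion.getMajorVersion() != SAMLConstants.ASSERTION_MAJOR_VERSION) {
        return false;
    }
    int minor = assertion.getMinorVersion();
    if (minor == SAMLConstants.ASSERTION_MINOR_VERSION_ONE) {
        return conMethod.equals(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT);
    }
    if (minor == SAMLConstants.ASSERTION_MINOR_VERSION_ZERO) {
        return conMethod.equals(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT);
    }
    return false;
}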
/**
 * Processes SAML Response
 * <p>
 * A signed response must carry a valid signature; an unsigned response is
 * not rejected here and relies on the assertion-level verification done by
 * <code>verifyAssertionAndGetSSMap</code>. The map returned by that check
 * must supply the subject and the partner SOAP entry; the assertion list is
 * taken from it as well.
 *
 * @param samlResponse SAML Response object
 * @param target Target URL
 * @return Attribute Map
 * @exception SAMLException if failed to get Attribute Map.
 */
public static Map processResponse(Response samlResponse, String target) throws SAMLException {
    // verify the signature when one is present
    if (samlResponse.isSigned() && !verifySignature(samlResponse)) {
        throw new SAMLException(bundle.getString("invalidResponse"));
    }
    // check Assertion and get back a Map of relevant data including,
    // Subject, SOAPEntry for the partner and the List of Assertions.
    Map ssMap = verifyAssertionAndGetSSMap(samlResponse);
    if (debug.messageEnabled()) {
        debug.message("processResponse: ssMap = " + ssMap);
    }
    if (ssMap == null) {
        throw new SAMLException(bundle.getString("invalidAssertion"));
    }
    Subject assertionSubject = (com.sun.identity.saml.assertion.Subject) ssMap.get(SAMLConstants.SUBJECT);
    if (assertionSubject == null) {
        throw new SAMLException(bundle.getString("nullSubject"));
    }
    SAMLServiceManager.SOAPEntry partnerdest = (SAMLServiceManager.SOAPEntry) ssMap.get(SAMLConstants.SOURCE_SITE_SOAP_ENTRY);
    if (partnerdest == null) {
        throw new SAMLException(bundle.getString("failedAccountMapping"));
    }
    List assertions = (List) ssMap.get(SAMLConstants.POST_ASSERTION);
    try {
        return getAttributeMap(partnerdest, assertions, assertionSubject, target);
    } catch (Exception se) {
        // any failure while building the attribute map is reported as one error
        debug.error("SAMLUtils.processResponse :", se);
        throw new SAMLException(bundle.getString("failProcessResponse"));
    }
}
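/**
 * Processes SAML Artifact
 * <p>
 * Resolves the artifacts through <code>SAMLClient</code>, validates the
 * returned assertions with <code>examAssertions</code>, looks up the partner
 * entry by the source ID of the first artifact and builds the attribute map.
 * A <code>SAMLException</code> raised during these steps is logged and
 * propagated with its original message; any other failure is logged and
 * reported as <code>failProcessArtifact</code>.
 *
 * @param artifact SAML Artifact
 * @param target Target URL
 * @return Attribute Map, or <code>null</code> if the assertions do not
 *         contain a valid SSO assertion
 * @exception SAMLException if failed to get the Assertions or
 * Attribute Map, or if no artifact was supplied.
 */
public static Map processArtifact(String[] artifact, String target) throws SAMLException {
    if (artifact == null || artifact.length == 0) {
        // artifact[0] is needed below for the source ID lookup
        debug.error("SAMLUtils.processArtifact : no artifact supplied");
        throw new SAMLException(bundle.getString("failProcessArtifact"));
    }
    // Call SAMLClient to do the Single-sign-on
    try {
        List assts = SAMLClient.artifactQueryHandler(artifact, (String) null);
        //exam the SAML response
        Subject assertionSubject = examAssertions(assts);
        if (assertionSubject == null) {
            return null;
        }
        AssertionArtifact firstArtifact = new AssertionArtifact(artifact[0]);
        String sid = firstArtifact.getSourceID();
        Map partner = (Map) SAMLServiceManager.getAttribute(SAMLConstants.PARTNER_URLS);
        if (partner == null) {
            throw new SAMLException(bundle.getString("nullPartnerUrl"));
        }
        SAMLServiceManager.SOAPEntry partnerdest = (SAMLServiceManager.SOAPEntry) partner.get(sid);
        if (partnerdest == null) {
            throw new SAMLException(bundle.getString("failedAccountMapping"));
        }
        return getAttributeMap(partnerdest, assts, assertionSubject, target);
    } catch (SAMLException se) {
        // already carries a specific message; do not replace it with the generic one
        debug.error("SAMLUtils.processArtifact :", se);
        throw se;
    } catch (Exception se) {
        debug.error("SAMLUtils.processArtifact :", se);
        throw new SAMLException(bundle.getString("failProcessArtifact"));
    }
}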
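/**
 * Returns user account in OpenAM to which the
 * subject in the assertion is mapped. This method will be called in POST
 * profile, ARTIFACT profile, AttributeQuery and AuthorizationDecisionQuery.
 * <p>
 * Only the first assertion in the list is examined. The subject used for
 * mapping is taken from the first <code>AuthenticationStatement</code> whose
 * first confirmation method is the artifact, deprecated artifact or bearer
 * method; other statements are skipped.
 *
 * @param assertions a list of authentication assertions returned from
 * partner side, this will contains user's identity in
 * the partner side. The object in the list will be
 * <code>com.sun.identity.saml.assertion.Assertion</code>
 * @param sourceID source ID for the site from which the subject
 * originated.
 * @param targetURL value for TARGET query parameter when the user
 * accessing the SAML aware servlet or post profile
 * servlet
 * @return Map which contains NAME, ORG and ATTRIBUTE keys, value of the
 * NAME key is the user DN, value of the ORG is the user
 * organization DN, value of the ATTRIBUTE is a Map
 * containing key/value pairs which will be set as properties
 * on the OpenAM SSO token, the key is the SSO
 * property name, the value is a String value of the property.
 * Returns empty map if the mapped user could not be obtained
 * from the subject, if <code>assertions</code> is <code>null</code> or
 * empty, or if the first assertion has no statements.
 */
public Map getUser(List assertions, String sourceID, String targetURL) {
    if (SAMLUtils.debug.messageEnabled()) {
        SAMLUtils.debug.message("DefaultPartnerAccountMapper:getUser(" + "List) targetURL = " + targetURL);
    }
    Map map = new HashMap();
    if (assertions == null || assertions.isEmpty()) {
        SAMLUtils.debug.error("DefaultPartnerAccountMapper:getUser: no assertions supplied");
        return map;
    }
    Assertion assertion = (Assertion) assertions.get(0);
    Set statements = assertion.getStatement();
    if (statements == null) {
        SAMLUtils.debug.error("DefaultPartnerAccountMapper:getUser: assertion has no statements");
        return map;
    }
    Subject subject = null;
    for (Object item : statements) {
        Statement statement = (Statement) item;
        if (statement.getStatementType() != Statement.AUTHENTICATION_STATEMENT) {
            continue;
        }
        Subject sub = ((SubjectStatement) statement).getSubject();
        if (sub == null) {
            continue;
        }
        SubjectConfirmation subConf = sub.getSubjectConfirmation();
        if (subConf == null) {
            continue;
        }
        Set cms = subConf.getConfirmationMethod();
        if (cms == null || cms.isEmpty()) {
            continue;
        }
        // only the first confirmation method is considered
        if (isAcceptedConfirmationMethod((String) cms.iterator().next())) {
            subject = sub;
            break;
        }
    }
    if (subject != null) {
        getUser(subject, sourceID, map);
        Map attrMap = new HashMap();
        SAMLUtils.addEnvParamsFromAssertion(attrMap, assertion, subject);
        if (!attrMap.isEmpty()) {
            map.put(ATTRIBUTE, attrMap);
        }
    }
    return map;
}

/**
 * Tells whether a confirmation method is one this mapper accepts for
 * account mapping: artifact, deprecated artifact or bearer.
 *
 * @param cm the confirmation method URI, may be <code>null</code>.
 * @return <code>true</code> for an accepted method.
 */
private static boolean isAcceptedConfirmationMethod(String cm) {
    return cm != null
            && (cm.equals(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT)
                || cm.equals(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT)
                || cm.equals(SAMLConstants.CONFIRMATION_METHOD_BEARER));
}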