
Example 6 with Subject

use of com.sun.identity.saml.assertion.Subject in project OpenAM by OpenRock.

the class SecurityUtils method getCertificate.

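/**
 * Gets the certificate from the <code>Assertion</code>.
 *
 * <p>Walks the assertion's statements and returns the certificate carried in
 * the <code>KeyInfo</code> of the first subject whose
 * <code>SubjectConfirmation</code> lists the holder-of-key method. For
 * resource-access and session-context statements the proxy subject is
 * preferred, falling back to the plain subject when no proxy is present.
 * Subjects without a confirmation, or confirmed by any other method, are
 * skipped rather than aborting the search.
 *
 * @param assertion the SAML <code>Assertion</code>.
 * @return <code>X509Certificate</code> object, or <code>null</code> if the
 *         assertion has no statements, no holder-of-key confirmation is found,
 *         or extracting the certificate fails.
 */
public static java.security.cert.Certificate getCertificate(SecurityAssertion assertion) {
    if (debug.messageEnabled()) {
        // NOTE(review): this writes the whole assertion to the debug log;
        // confirm message-level logging stays off where assertions carry
        // sensitive attributes.
        debug.message("SecurityAssertion = " + assertion.toString());
    }
    try {
        Set statements = assertion.getStatement();
        if (statements == null || statements.isEmpty()) {
            debug.error("Assertion does not contain any Statement.");
            return null;
        }
        Iterator iterator = statements.iterator();
        while (iterator.hasNext()) {
            Statement statement = (Statement) iterator.next();
            Subject subject = subjectForCertificate(statement);
            if (subject == null) {
                continue;
            }
            SubjectConfirmation subConfirm = subject.getSubjectConfirmation();
            // A missing confirmation or method list previously surfaced as a
            // NullPointerException swallowed by the catch below, which ended
            // the search; skip this subject and keep looking instead.
            if (subConfirm == null || subConfirm.getConfirmationMethod() == null) {
                continue;
            }
            if (subConfirm.getConfirmationMethod().contains(SAMLConstants.CONFIRMATION_METHOD_HOLDEROFKEY)) {
                Element keyinfo = subConfirm.getKeyInfo();
                // Delegates to the Element overload to parse the KeyInfo.
                return getCertificate(keyinfo);
            }
        }
    } catch (Exception e) {
        // Best-effort: any failure while reading the assertion yields null.
        debug.error("getCertificate Exception: ", e);
    }
    return null;
}

/**
 * Returns the subject whose confirmation should be examined for the given
 * statement: the subject of an authentication statement, or the proxy
 * subject (falling back to the subject) of a resource-access or
 * session-context statement.
 *
 * @param statement the statement to inspect.
 * @return the subject to examine, or <code>null</code> for other statement
 *         types or when the statement carries no subject.
 */
private static Subject subjectForCertificate(Statement statement) {
    int stype = statement.getStatementType();
    if (stype == Statement.AUTHENTICATION_STATEMENT) {
        return ((AuthenticationStatement) statement).getSubject();
    }
    if (stype == ResourceAccessStatement.RESOURCEACCESS_STATEMENT) {
        ResourceAccessStatement raStatement = (ResourceAccessStatement) statement;
        Subject proxy = raStatement.getProxySubject();
        return (proxy != null) ? proxy : raStatement.getSubject();
    }
    if (stype == SessionContextStatement.SESSIONCONTEXT_STATEMENT) {
        SessionContextStatement scStatement = (SessionContextStatement) statement;
        Subject proxy = scStatement.getProxySubject();
        return (proxy != null) ? proxy : scStatement.getSubject();
    }
    return null;
}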

Example 7 with Subject

use of com.sun.identity.saml.assertion.Subject in project OpenAM by OpenRock.

the class SAMLUtils method examAssertions.

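/**
 * Determines if there is a valid SSO Assertion
 * inside of SAML Response.
 *
 * <p>Every assertion must pass <code>checkCondition</code> and carry at
 * least one statement, and every statement's subject must be confirmed by
 * the artifact method matching the assertion's minor version (the current
 * artifact method for minor version one, the deprecated one for minor
 * version zero). At least one statement must be an
 * <code>AuthenticationStatement</code> for the response to count as SSO.
 *
 * @param assertions a List of <code>Assertion</code> objects
 * @return a Subject object - the subject of the last statement examined -
 *         or <code>null</code> if <code>assertions</code> is <code>null</code>
 *         or any check fails
 * @exception IOException IOException
 */
public static com.sun.identity.saml.assertion.Subject examAssertions(List assertions) throws IOException {
    if (assertions == null) {
        return null;
    }
    boolean foundSSO = false;
    com.sun.identity.saml.assertion.Subject subject = null;
    Iterator iter = assertions.iterator();
    while (iter.hasNext()) {
        Assertion assertion = (Assertion) iter.next();
        if (!checkCondition(assertion)) {
            return null;
        }
        debug.message("Passed checking Conditions!");
        // exam the Statement inside the Assertion
        Set statements = assertion.getStatement();
        if (statements == null || statements.isEmpty()) {
            debug.error(bundle.getString("noStatement"));
            return null;
        }
        Iterator iterator = statements.iterator();
        while (iterator.hasNext()) {
            Statement statement = (Statement) iterator.next();
            subject = ((SubjectStatement) statement).getSubject();
            // A statement without a subject, or a subject without a
            // confirmation, used to escape as a NullPointerException;
            // reject it explicitly like the other malformed cases.
            if (subject == null) {
                debug.error("Statement does not contain a Subject");
                return null;
            }
            SubjectConfirmation sc = subject.getSubjectConfirmation();
            if (sc == null) {
                debug.error("Subject confirmation is null");
                return null;
            }
            Set cm = sc.getConfirmationMethod();
            if (cm == null || cm.isEmpty()) {
                debug.error("Subject confirmation method is null");
                return null;
            }
            // Only the first listed method is checked; Set iteration order is
            // not guaranteed, so a confirmation carrying several methods may
            // pass or fail depending on which one comes first.
            String conMethod = (String) cm.iterator().next();
            // on Assertion version number
            if (!isArtifactConfirmation(assertion, conMethod)) {
                debug.error("Wrong Confirmation Method.");
                return null;
            }
            if (debug.messageEnabled()) {
                debug.message("Correct Confirmation method");
            }
            if (statement instanceof AuthenticationStatement) {
                //found an SSO Assertion
                foundSSO = true;
            }
        }
    // end of  while (iterator.hasNext()) for Statements
    }
    if (!foundSSO) {
        debug.error(bundle.getString("noSSOAssertion"));
        return null;
    }
    return subject;
}

/**
 * Returns whether <code>conMethod</code> is the artifact confirmation
 * method expected for the assertion's major and minor version.
 *
 * @param assertion the assertion whose version selects the expected method
 * @param conMethod the confirmation method URI, may be <code>null</code>
 * @return <code>true</code> only for the current artifact method on minor
 *         version one, or the deprecated artifact method on minor version zero
 */
private static boolean isArtifactConfirmation(Assertion assertion, String conMethod) {
    if (conMethod == null || assertion.getMajorVersion() != SAMLConstants.ASSERTION_MAJOR_VERSION) {
        return false;
    }
    int minor = assertion.getMinorVersion();
    return ((minor == SAMLConstants.ASSERTION_MINOR_VERSION_ONE) && conMethod.equals(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT))
            || ((minor == SAMLConstants.ASSERTION_MINOR_VERSION_ZERO) && conMethod.equals(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT));
}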

Example 8 with Subject

use of com.sun.identity.saml.assertion.Subject in project OpenAM by OpenRock.

the class SAMLUtils method processResponse.

/**
 * Processes SAML Response
 *
 * <p>A signed response must verify before anything else is looked at; an
 * unsigned response goes straight to assertion verification (signature
 * requirements on the assertions themselves are presumably enforced in
 * <code>verifyAssertionAndGetSSMap</code> - confirm). The verified data map
 * must yield a subject and a partner SOAP entry before the attribute map is
 * built.
 *
 * @param samlResponse SAML Response object
 * @param target Target URL
 * @return Attribute Map
 * @exception SAMLException if failed to get Attribute Map.
 */
public static Map processResponse(Response samlResponse, String target) throws SAMLException {
    // verify the signature when one is present
    if (samlResponse.isSigned() && !verifySignature(samlResponse)) {
        throw new SAMLException(bundle.getString("invalidResponse"));
    }
    // check Assertion and get back a Map of relevant data including,
    // Subject, SOAPEntry for the partner and the List of Assertions.
    Map verified = verifyAssertionAndGetSSMap(samlResponse);
    if (debug.messageEnabled()) {
        debug.message("processResponse: ssMap = " + verified);
    }
    if (verified == null) {
        throw new SAMLException(bundle.getString("invalidAssertion"));
    }
    Subject assertionSubject = (com.sun.identity.saml.assertion.Subject) verified.get(SAMLConstants.SUBJECT);
    if (assertionSubject == null) {
        throw new SAMLException(bundle.getString("nullSubject"));
    }
    SAMLServiceManager.SOAPEntry partnerdest = (SAMLServiceManager.SOAPEntry) verified.get(SAMLConstants.SOURCE_SITE_SOAP_ENTRY);
    if (partnerdest == null) {
        throw new SAMLException(bundle.getString("failedAccountMapping"));
    }
    List assertions = (List) verified.get(SAMLConstants.POST_ASSERTION);
    try {
        return getAttributeMap(partnerdest, assertions, assertionSubject, target);
    } catch (Exception se) {
        // Any failure in attribute mapping is logged and reported generically.
        debug.error("SAMLUtils.processResponse :", se);
        throw new SAMLException(bundle.getString("failProcessResponse"));
    }
}

Example 9 with Subject

use of com.sun.identity.saml.assertion.Subject in project OpenAM by OpenRock.

the class SAMLUtils method processArtifact.

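/**
 * Processes SAML Artifact
 *
 * <p>Resolves the artifacts through <code>SAMLClient</code>, validates the
 * returned assertions with <code>examAssertions</code>, looks up the partner
 * by the source ID encoded in the first artifact, and builds the attribute
 * map for that partner. A <code>SAMLException</code> raised during
 * processing is propagated with its original message; any other failure is
 * reported as <code>failProcessArtifact</code>.
 *
 * @param artifact SAML Artifact
 * @param target Target URL
 * @return Attribute Map, or <code>null</code> if the assertions do not
 *         contain a valid SSO assertion
 * @exception SAMLException if failed to get the Assertions or
 *     Attribute Map.
 */
public static Map processArtifact(String[] artifact, String target) throws SAMLException {
    // Call SAMLClient to do the Single-sign-on
    try {
        List assts = SAMLClient.artifactQueryHandler(artifact, (String) null);
        //exam the SAML response
        Subject assertionSubject = examAssertions(assts);
        if (assertionSubject == null) {
            return null;
        }
        AssertionArtifact firstArtifact = new AssertionArtifact(artifact[0]);
        String sid = firstArtifact.getSourceID();
        Map partner = (Map) SAMLServiceManager.getAttribute(SAMLConstants.PARTNER_URLS);
        if (partner == null) {
            throw new SAMLException(bundle.getString("nullPartnerUrl"));
        }
        // The partner is selected by the source ID carried in the artifact,
        // so an artifact from an unregistered site fails here.
        SAMLServiceManager.SOAPEntry partnerdest = (SAMLServiceManager.SOAPEntry) partner.get(sid);
        if (partnerdest == null) {
            throw new SAMLException(bundle.getString("failedAccountMapping"));
        }
        return getAttributeMap(partnerdest, assts, assertionSubject, target);
    } catch (SAMLException se) {
        // Previously caught by the generic handler below, which replaced the
        // specific message ("nullPartnerUrl", "failedAccountMapping", ...)
        // with "failProcessArtifact"; processResponse lets these through, so
        // do the same here.
        debug.error("SAMLUtils.processArtifact :", se);
        throw se;
    } catch (Exception se) {
        debug.error("SAMLUtils.processArtifact :", se);
        throw new SAMLException(bundle.getString("failProcessArtifact"));
    }
}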

Example 10 with Subject

use of com.sun.identity.saml.assertion.Subject in project OpenAM by OpenRock.

the class DefaultPartnerAccountMapper method getUser.

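/**
 * Returns user account in OpenAM to which the
 * subject in the assertion is mapped. This method will be called in POST
 * profile, ARTIFACT profile, AttributeQuery and AuthorizationDecisionQuery.
 *
 * <p>Only the first assertion in the list is consulted. Its first
 * authentication statement whose (first listed) confirmation method is the
 * artifact method, the deprecated artifact method, or the bearer method
 * supplies the subject that is mapped to a local account.
 *
 * @param assertions a list of authentication assertions returned from
 *                   partner side, this will contains user's identity in
 *                   the partner side. The object in the list will be
 *                   <code>com.sun.identity.saml.assertion.Assertion</code>
 * @param sourceID source ID for the site from which the subject
 *                 originated.
 * @param targetURL value for TARGET query parameter when the user
 *                  accessing the SAML aware servlet or post profile
 *                  servlet
 * @return Map which contains NAME, ORG and ATTRIBUTE keys, value of the
 *             NAME key is the user DN, value of the ORG is the user
 *             organization  DN, value of the ATTRIBUTE is a Map
 *             containing key/value pairs which will be set as properties
 *             on the OpenAM SSO token, the key is the SSO
 *             property name, the value is a String value of the property.
 *             Returns empty map if the mapped user could not be obtained
 *             from the subject, or if <code>assertions</code> is
 *             <code>null</code> or empty.
 */
public Map getUser(List assertions, String sourceID, String targetURL) {
    if (SAMLUtils.debug.messageEnabled()) {
        SAMLUtils.debug.message("DefaultPartnerAccountMapper:getUser(" + "List) targetURL = " + targetURL);
    }
    Map map = new HashMap();
    // An empty list used to fail with an IndexOutOfBoundsException instead
    // of the empty map the contract documents.
    if (assertions == null || assertions.isEmpty()) {
        SAMLUtils.debug.error("DefaultPartnerAccountMapper:getUser: no assertion to map");
        return map;
    }
    Assertion assertion = (Assertion) assertions.get(0);
    Set statements = assertion.getStatement();
    if (statements == null) {
        return map;
    }
    Subject subject = findMappableSubject(statements);
    if (subject != null) {
        getUser(subject, sourceID, map);
        Map attrMap = new HashMap();
        SAMLUtils.addEnvParamsFromAssertion(attrMap, assertion, subject);
        if (!attrMap.isEmpty()) {
            map.put(ATTRIBUTE, attrMap);
        }
    }
    return map;
}

/**
 * Returns the subject of the first authentication statement in
 * <code>statements</code> whose first listed confirmation method is the
 * artifact, deprecated artifact, or bearer method.
 *
 * @param statements the statements of an assertion, never <code>null</code>
 * @return the qualifying subject, or <code>null</code> if none qualifies
 */
private static Subject findMappableSubject(Set statements) {
    Iterator iter = statements.iterator();
    while (iter.hasNext()) {
        Statement statement = (Statement) iter.next();
        if (statement.getStatementType() != Statement.AUTHENTICATION_STATEMENT) {
            continue;
        }
        Subject sub = ((SubjectStatement) statement).getSubject();
        // Statements without a subject or confirmation cannot be mapped.
        if (sub == null) {
            continue;
        }
        SubjectConfirmation subConf = sub.getSubjectConfirmation();
        if (subConf == null) {
            continue;
        }
        Set cms = subConf.getConfirmationMethod();
        if (cms == null || cms.isEmpty()) {
            continue;
        }
        // Only the first listed method is examined; any other method in that
        // position (holder-of-key, for instance) skips the statement.
        String cm = (String) cms.iterator().next();
        if (cm != null && (cm.equals(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT) || cm.equals(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT) || cm.equals(SAMLConstants.CONFIRMATION_METHOD_BEARER))) {
            return sub;
        }
    }
    return null;
}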
