use of com.sun.identity.saml.assertion.SubjectConfirmation in project OpenAM by OpenRock.
the class CDCServlet method createAssertion.
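/**
 * Builds the bearer-confirmed {@link FSAssertion} handed out by the cross-domain SSO (CDC) flow.
 *
 * <p>The assertion carries one {@link FSAuthenticationStatement}. Its subject name identifier is
 * the URL-encoded {@code tokenID} qualified by {@code sourceID}, and the same identifier is reused
 * as the IdP-provided name identifier. The statement's reauthenticate-on-or-after instant and the
 * assertion's conditions both expire after the default assertion timeout, clamped to at least
 * {@code IFSConstants.ASSERTION_TIMEOUT_ALLOWED_DIFFERENCE}; {@code destID} is added as an
 * audience restriction when it is non-empty.
 *
 * <p>Because the encoded session token is embedded in the subject, the message-level log lines
 * that serialise the statement and the assertion, and the access-log entry built from
 * {@code assertion.toString()}, carry that token handle; message-level logging should remain
 * disabled outside debugging sessions.
 *
 * @param destID        destination provider id; becomes the audience restriction when non-empty
 * @param sourceID      this provider's id; used as issuer, name qualifier and security domain
 * @param tokenID       session token id; URL-encoded into the subject's name identifier
 * @param authType      authentication method recorded in the authentication statement
 * @param strAuthInst   authentication instant in the form accepted by
 *                      {@code convertAuthInstanceToDate}
 * @param userDN        user DN; only checked for null here, not otherwise used by this method
 * @param inResponseTo  id of the request this assertion answers
 * @return the assembled assertion, whose ID is set to a freshly generated assertion-ID reference
 * @throws FSException   if any argument is {@code null}
 * @throws SAMLException propagated from the SAML component constructors
 */
private FSAssertion createAssertion(String destID, String sourceID, String tokenID, String authType, String strAuthInst, String userDN, String inResponseTo) throws FSException, SAMLException {
    debug.message("Entering CDCServlet.createAssertion Method");
    if ((destID == null) || (sourceID == null) || (tokenID == null) || (authType == null) || (userDN == null) || (inResponseTo == null)) {
        debug.message("CDCServlet,createAssertion: null input");
        throw new FSException(FSUtils.bundle.getString("nullInput"));
    }
    // The SP-side handle is the very same identifier as the IdP-side one.
    NameIdentifier idpHandle = new NameIdentifier(URLEncDec.encode(tokenID), sourceID);
    NameIdentifier spHandle = idpHandle;
    Date authInstant = convertAuthInstanceToDate(strAuthInst);
    if (debug.messageEnabled()) {
        debug.message("CDCServlet.createAssertion " + "Creating Authentication Assertion for user with opaqueHandle =" + spHandle.getName() + " and SecurityDomain = " + sourceID);
    }
    SubjectConfirmation subConfirmation = new SubjectConfirmation(IFSConstants.CONFIRMATION_METHOD_BEARER);
    IDPProvidedNameIdentifier idpNi = new IDPProvidedNameIdentifier(idpHandle.getNameQualifier(), idpHandle.getName());
    FSSubject sub = new FSSubject(spHandle, subConfirmation, idpNi);
    SubjectLocality authLocality = new SubjectLocality(IPAddress, DNSAddress);
    AuthnContext authnContextStmt = new AuthnContext(null, null);
    FSAuthenticationStatement statement = new FSAuthenticationStatement(authType, authInstant, sub, authLocality, null, authnContextStmt);
    // Both the reauthentication window and the condition validity run from now.
    Date issueInstant = new Date();
    // TODO(original): the timeout is meant to come from configuration; the default constant is used.
    // The value is in seconds; convert in long arithmetic so the multiplication cannot overflow
    // int before widening, and never go below the allowed clock-skew difference.
    long period = Integer.valueOf(IFSConstants.ASSERTION_TIMEOUT_DEFAULT).longValue() * 1000L;
    if (period < IFSConstants.ASSERTION_TIMEOUT_ALLOWED_DIFFERENCE) {
        period = IFSConstants.ASSERTION_TIMEOUT_ALLOWED_DIFFERENCE;
    }
    Date notAfter = new Date(issueInstant.getTime() + period);
    statement.setReauthenticateOnOrAfter(notAfter);
    if (debug.messageEnabled()) {
        debug.message("CDCServlet.createAssertion: " + "Authentication Statement: " + statement.toXMLString());
    }
    Conditions cond = new Conditions(issueInstant, notAfter);
    // destID was already rejected when null above; only an empty destination is skipped here.
    if (destID.length() != 0) {
        List targets = new ArrayList(1);
        targets.add(destID);
        cond.addAudienceRestrictionCondition(new AudienceRestrictionCondition(targets));
    }
    if (debug.messageEnabled()) {
        debug.message("CDCServlet.createAssertion: " + "Condition: " + cond.toString());
    }
    // A fresh assertion-ID reference serves as both the constructor argument and the assertion ID.
    AssertionIDReference aID = new AssertionIDReference();
    Set statements = new HashSet(2);
    statements.add(statement);
    FSAssertion assertion = new FSAssertion(aID.getAssertionIDReference(), sourceID, issueInstant, cond, statements, inResponseTo);
    assertion.setID(aID.getAssertionIDReference());
    String[] params = { FSUtils.bundle.getString("assertionCreated") + ":" + assertion.toString() };
    LogUtil.access(Level.INFO, "CREATE_ASSERTION", params);
    if (debug.messageEnabled()) {
        debug.message("CDCServlet.createAssertion:" + " Returning Assertion: " + assertion.toXMLString());
    }
    return assertion;
}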
use of com.sun.identity.saml.assertion.SubjectConfirmation in project OpenAM by OpenRock.
the class DefaultAttributeMapper method getSSOAssertion.
/**
 * Examines the SubjectConfirmationData of the Subject in the AttributeQuery and returns the
 * first child element that parses as an {@link Assertion} holding at least one
 * AuthenticationStatement (as judged by {@code SAMLUtils.isAuthNAssertion}).
 *
 * <p>Child elements that fail to parse as an assertion are skipped and logged at message level;
 * any other failure while walking the child nodes is logged as an error. Neither the signature
 * nor the conditions of the returned assertion are checked here. Returns {@code null} when the
 * query, its subject confirmation or the confirmation data is absent, or when no qualifying
 * assertion is found.
 * <p>
 * @see com.sun.identity.saml.plugins.AttributeMapper#getSSOAssertion
 */
public Assertion getSSOAssertion(AttributeQuery query) {
    if (query == null) {
        return null;
    }
    SubjectConfirmation confirmation = query.getSubject().getSubjectConfirmation();
    if (confirmation == null) {
        return null;
    }
    Element confirmationData = confirmation.getSubjectConfirmationData();
    if (confirmationData == null) {
        return null;
    }
    try {
        NodeList children = confirmationData.getChildNodes();
        int childCount = children.getLength();
        for (int idx = 0; idx < childCount; idx++) {
            Node node = children.item(idx);
            if (node.getNodeType() != Node.ELEMENT_NODE) {
                continue;
            }
            try {
                Assertion candidate = new Assertion((Element) node);
                if (SAMLUtils.isAuthNAssertion(candidate)) {
                    return candidate;
                }
            } catch (SAMLException se) {
                // Not an assertion (or a malformed one): move on to the next child.
                if (SAMLUtils.debug.messageEnabled()) {
                    SAMLUtils.debug.message("DefaultAttributeMapper: " + "SAMLException when trying to obtain Assertion:" + se);
                }
            }
        }
    } catch (Exception e) {
        SAMLUtils.debug.error("DefaultAttributeMapper: Exception when " + "parsing the SubjectConfirmationData:", e);
    }
    return null;
}
use of com.sun.identity.saml.assertion.SubjectConfirmation in project OpenAM by OpenRock.
the class SAMLUtils method examAssertions.
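/**
 * Determines if there is a valid SSO Assertion
 * inside of SAML Response.
 *
 * <p>Every assertion in the list must pass {@code checkCondition} and carry at least one
 * statement. For every statement, the subject's first confirmation method must match the
 * assertion version: the artifact method for minor version one, the deprecated artifact method
 * for minor version zero. At least one statement across the list must be an
 * {@link AuthenticationStatement}. Any failure is logged and {@code null} is returned.
 *
 * <p>Note that the subject returned is that of the last statement examined, which is not
 * necessarily the subject of the authentication statement that satisfied the check.
 *
 * @param assertions a List of <code>Assertion</code> objects
 * @return the Subject of the last statement examined, or {@code null} if the list is null or any
 *         check fails
 * @exception IOException IOException
 */
public static com.sun.identity.saml.assertion.Subject examAssertions(List assertions) throws IOException {
    if (assertions == null) {
        return null;
    }
    boolean foundSsoStatement = false;
    com.sun.identity.saml.assertion.Subject subject = null;
    Iterator iter = assertions.iterator();
    while (iter.hasNext()) {
        Assertion assertion = (Assertion) iter.next();
        if (!checkCondition(assertion)) {
            return null;
        }
        debug.message("Passed checking Conditions!");
        // examine the Statements inside the Assertion
        Set statements = assertion.getStatement();
        if (statements == null || statements.isEmpty()) {
            debug.error(bundle.getString("noStatement"));
            return null;
        }
        Iterator iterator = statements.iterator();
        while (iterator.hasNext()) {
            Statement statement = (Statement) iterator.next();
            subject = ((SubjectStatement) statement).getSubject();
            SubjectConfirmation sc = subject.getSubjectConfirmation();
            if (sc == null) {
                // A subject without SubjectConfirmation cannot be confirmed; treat it like a
                // missing confirmation method instead of failing with a NullPointerException.
                debug.error("Subject confirmation method is null");
                return null;
            }
            Set cm = sc.getConfirmationMethod();
            if (cm == null || cm.isEmpty()) {
                debug.error("Subject confirmation method is null");
                return null;
            }
            // Only the first confirmation method is inspected.
            String conMethod = (String) cm.iterator().next();
            // The accepted method depends on the Assertion version number.
            boolean methodMatchesVersion = (conMethod != null)
                    && (assertion.getMajorVersion() == SAMLConstants.ASSERTION_MAJOR_VERSION)
                    && (((assertion.getMinorVersion() == SAMLConstants.ASSERTION_MINOR_VERSION_ONE)
                            && conMethod.equals(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT))
                        || ((assertion.getMinorVersion() == SAMLConstants.ASSERTION_MINOR_VERSION_ZERO)
                            && conMethod.equals(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT)));
            if (!methodMatchesVersion) {
                debug.error("Wrong Confirmation Method.");
                return null;
            }
            if (debug.messageEnabled()) {
                debug.message("Correct Confirmation method");
            }
            if (statement instanceof AuthenticationStatement) {
                //found an SSO Assertion
                foundSsoStatement = true;
            }
        }
        // end of while (iterator.hasNext()) for Statements
    }
    if (!foundSsoStatement) {
        debug.error(bundle.getString("noSSOAssertion"));
        return null;
    }
    return subject;
}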
use of com.sun.identity.saml.assertion.SubjectConfirmation in project OpenAM by OpenRock.
the class DefaultActionMapper method getSSOTokenID.
/**
 * Examines the SubjectConfirmation of the Subject in the
 * AuthorizationDecisionQuery. When the SubjectConfirmation is accepted by
 * {@code SAMLUtils.isCorrectConfirmationMethod} (per the original contract: a
 * single ConfirmationMethod equal to "urn:com:sun:identity"), the text of its
 * SubjectConfirmationData, as flattened by {@code XMLUtils.getElementString},
 * is returned. Otherwise, or when the query or its SubjectConfirmation is
 * absent, the method returns null.
 * <p>
 * @see com.sun.identity.saml.plugins.ActionMapper#getSSOTokenID
 */
public String getSSOTokenID(AuthorizationDecisionQuery query) {
    SubjectConfirmation confirmation = (query == null) ? null : query.getSubject().getSubjectConfirmation();
    if (confirmation == null || !SAMLUtils.isCorrectConfirmationMethod(confirmation)) {
        return null;
    }
    return XMLUtils.getElementString(confirmation.getSubjectConfirmationData());
}
use of com.sun.identity.saml.assertion.SubjectConfirmation in project OpenAM by OpenRock.
the class DefaultPartnerAccountMapper method getUser.
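/**
 * Returns user account in OpenAM to which the
 * subject in the assertion is mapped. This method will be called in POST
 * profile, ARTIFACT profile, AttributeQuery and AuthorizationDecisionQuery.
 *
 * <p>Only the first assertion in the list is consulted. Its first
 * AuthenticationStatement whose subject carries a confirmation method of
 * artifact (current or deprecated form) or bearer supplies the subject that is
 * mapped; only the first confirmation method of each subject is inspected.
 *
 * @param assertions a list of authentication assertions returned from
 * partner side, this will contains user's identity in
 * the partner side. The object in the list will be
 * <code>com.sun.identity.saml.assertion.Assertion</code>
 * @param sourceID source ID for the site from which the subject
 * originated.
 * @param targetURL value for TARGET query parameter when the user
 * accessing the SAML aware servlet or post profile
 * servlet
 * @return Map which contains NAME, ORG and ATTRIBUTE keys, value of the
 * NAME key is the user DN, value of the ORG is the user
 * organization DN, value of the ATTRIBUTE is a Map
 * containing key/value pairs which will be set as properties
 * on the OpenAM SSO token, the key is the SSO
 * property name, the value is a String value of the property.
 * Returns empty map if the mapped user could not be obtained
 * from the subject, or if the assertion list is null or empty.
 */
public Map getUser(List assertions, String sourceID, String targetURL) {
    if (SAMLUtils.debug.messageEnabled()) {
        SAMLUtils.debug.message("DefaultPartnerAccountMapper:getUser(" + "List) targetURL = " + targetURL);
    }
    Map map = new HashMap();
    // Honour the documented contract (empty map) instead of throwing on a null or empty list.
    if (assertions == null || assertions.isEmpty()) {
        return map;
    }
    Assertion assertion = (Assertion) assertions.get(0);
    Set statements = assertion.getStatement();
    if (statements == null) {
        return map;
    }
    Subject subject = null;
    Iterator iter = statements.iterator();
    while (iter.hasNext()) {
        Statement statement = (Statement) iter.next();
        if (statement.getStatementType() != Statement.AUTHENTICATION_STATEMENT) {
            continue;
        }
        Subject sub = ((SubjectStatement) statement).getSubject();
        SubjectConfirmation subConf = sub.getSubjectConfirmation();
        if (subConf == null) {
            continue;
        }
        Set cms = subConf.getConfirmationMethod();
        if (cms == null || cms.isEmpty()) {
            continue;
        }
        // Only the first confirmation method decides whether this subject is usable.
        String cm = (String) cms.iterator().next();
        if (cm != null && (cm.equals(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT) || cm.equals(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT) || cm.equals(SAMLConstants.CONFIRMATION_METHOD_BEARER))) {
            subject = sub;
            break;
        }
    }
    if (subject != null) {
        // NAME/ORG are filled in by the subject-based overload; ATTRIBUTE only when the assertion
        // yields environment parameters.
        getUser(subject, sourceID, map);
        Map attrMap = new HashMap();
        SAMLUtils.addEnvParamsFromAssertion(attrMap, assertion, subject);
        if (!attrMap.isEmpty()) {
            map.put(ATTRIBUTE, attrMap);
        }
    }
    return map;
}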