
Example 1 with SubjectConfirmation

use of com.sun.identity.saml.assertion.SubjectConfirmation in project OpenAM by OpenRock.

Class CDCServlet, method createAssertion.

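/**
 * Builds the ID-FF authentication assertion that the CDC servlet hands back to the
 * requesting provider.
 *
 * <p>The subject is the URL-encoded {@code tokenID} qualified by {@code sourceID}, confirmed
 * with the bearer method, and carries a single authentication statement. The assertion is
 * valid from the issue instant until {@code IFSConstants.ASSERTION_TIMEOUT_DEFAULT} seconds
 * later (but never less than {@code IFSConstants.ASSERTION_TIMEOUT_ALLOWED_DIFFERENCE}
 * milliseconds); the same instant is used for {@code ReauthenticateOnOrAfter}. A non-empty
 * {@code destID} is added as an audience restriction.
 *
 * @param destID       provider ID of the intended audience
 * @param sourceID     this provider's ID; used as issuer and as name qualifier
 * @param tokenID      SSO token ID that becomes the opaque name identifier
 * @param authType     authentication method written into the statement
 * @param strAuthInst  authentication instant as a string, converted by
 *                     {@code convertAuthInstanceToDate}
 * @param userDN       authenticated user's DN; only checked for {@code null} here
 * @param inResponseTo ID of the request this assertion answers
 * @return the populated assertion
 * @throws FSException   if any argument other than {@code strAuthInst} is {@code null}
 * @throws SAMLException if one of the SAML element constructors rejects its input
 */
private FSAssertion createAssertion(String destID, String sourceID, String tokenID, String authType, String strAuthInst, String userDN, String inResponseTo) throws FSException, SAMLException {
    debug.message("Entering CDCServlet.createAssertion Method");
    if ((destID == null) || (sourceID == null) || (tokenID == null) || (authType == null) || (userDN == null) || (inResponseTo == null)) {
        debug.message("CDCServlet,createAssertion: null input");
        throw new FSException(FSUtils.bundle.getString("nullInput"));
    }
    String securityDomain = sourceID;
    // The token ID is URL-encoded before it becomes the name identifier; the same handle is
    // used for both the SP-facing and the IDP-provided identifier.
    NameIdentifier idpHandle = new NameIdentifier(URLEncDec.encode(tokenID), sourceID);
    NameIdentifier spHandle = idpHandle;
    Date authInstant = convertAuthInstanceToDate(strAuthInst);
    if (debug.messageEnabled()) {
        debug.message("CDCServlet.createAssertion " + "Creating Authentication Assertion for user with opaqueHandle =" + spHandle.getName() + " and SecurityDomain = " + securityDomain);
    }
    SubjectConfirmation subConfirmation = new SubjectConfirmation(IFSConstants.CONFIRMATION_METHOD_BEARER);
    IDPProvidedNameIdentifier idpNi = new IDPProvidedNameIdentifier(idpHandle.getNameQualifier(), idpHandle.getName());
    FSSubject sub = new FSSubject(spHandle, subConfirmation, idpNi);
    SubjectLocality authLocality = new SubjectLocality(IPAddress, DNSAddress);
    AuthnContext authnContextStmt = new AuthnContext(null, null);
    FSAuthenticationStatement statement = new FSAuthenticationStatement(authType, authInstant, sub, authLocality, null, authnContextStmt);
    Date issueInstant = new Date();
    // Validity window. The timeout is the compile-time default from IFSConstants, not a
    // configured value. Multiplying with a long literal keeps the seconds-to-millis
    // conversion from overflowing in int arithmetic.
    long period = 1000L * Integer.valueOf(IFSConstants.ASSERTION_TIMEOUT_DEFAULT).intValue();
    if (period < IFSConstants.ASSERTION_TIMEOUT_ALLOWED_DIFFERENCE) {
        period = IFSConstants.ASSERTION_TIMEOUT_ALLOWED_DIFFERENCE;
    }
    Date notAfter = new Date(issueInstant.getTime() + period);
    statement.setReauthenticateOnOrAfter(notAfter);
    if (debug.messageEnabled()) {
        debug.message("CDCServlet.createAssertion: " + "Authentication Statement: " + statement.toXMLString());
    }
    Conditions cond = new Conditions(issueInstant, notAfter);
    // destID was rejected as null above; only the empty string skips the audience restriction.
    if (!destID.isEmpty()) {
        List<String> targets = new ArrayList<String>(1);
        targets.add(destID);
        cond.addAudienceRestrictionCondition(new AudienceRestrictionCondition(targets));
    }
    if (debug.messageEnabled()) {
        debug.message("CDCServlet.createAssertion: " + "Condition: " + cond.toString());
    }
    AssertionIDReference aID = new AssertionIDReference();
    Set statements = new HashSet(2);
    statements.add(statement);
    FSAssertion assertion = new FSAssertion(aID.getAssertionIDReference(), sourceID, issueInstant, cond, statements, inResponseTo);
    assertion.setID(aID.getAssertionIDReference());
    String[] params = { FSUtils.bundle.getString("assertionCreated") + ":" + assertion.toString() };
    LogUtil.access(Level.INFO, "CREATE_ASSERTION", params);
    if (debug.messageEnabled()) {
        debug.message("CDCServlet.createAssertion:" + " Returning Assertion: " + assertion.toXMLString());
    }
    return assertion;
}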

Example 2 with SubjectConfirmation

use of com.sun.identity.saml.assertion.SubjectConfirmation in project OpenAM by OpenRock.

Class DefaultAttributeMapper, method getSSOAssertion.

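/**
 * Examines the SubjectConfirmationData of the Subject in the AttributeQuery and returns the
 * first embedded Assertion that contains at least one AuthenticationStatement.
 *
 * <p>Each element child of the confirmation data is parsed as an {@code Assertion}; a child
 * that fails to parse is logged at debug level and skipped. NOTE(review): a candidate is
 * selected only because it contains an authentication statement; signature and condition
 * validation of the embedded assertion is presumably done by the caller -- confirm.
 *
 * @param query the attribute query; may be {@code null}
 * @return the first qualifying assertion, or {@code null} if the query, its subject, the
 *         subject confirmation or the confirmation data is absent, or no child qualifies
 * @see com.sun.identity.saml.plugins.AttributeMapper#getSSOAssertion
 */
public Assertion getSSOAssertion(AttributeQuery query) {
    if (query == null) {
        return null;
    }
    // A query without a subject cannot carry confirmation data; treat it like a missing
    // confirmation instead of letting the chained call fail.
    com.sun.identity.saml.assertion.Subject subject = query.getSubject();
    if (subject == null) {
        return null;
    }
    SubjectConfirmation sc = subject.getSubjectConfirmation();
    if (sc == null) {
        return null;
    }
    Element scData = sc.getSubjectConfirmationData();
    if (scData == null) {
        return null;
    }
    try {
        NodeList children = scData.getChildNodes();
        for (int i = 0, length = children.getLength(); i < length; i++) {
            Node child = children.item(i);
            if (child.getNodeType() != Node.ELEMENT_NODE) {
                continue;
            }
            try {
                Assertion candidate = new Assertion((Element) child);
                if (SAMLUtils.isAuthNAssertion(candidate)) {
                    return candidate;
                }
            } catch (SAMLException se) {
                // A child that is not a well-formed assertion is skipped, not fatal.
                if (SAMLUtils.debug.messageEnabled()) {
                    SAMLUtils.debug.message("DefaultAttributeMapper: " + "SAMLException when trying to obtain Assertion:" + se);
                }
            }
        }
    } catch (Exception e) {
        // Boundary catch: any other failure while walking the DOM is logged and reported as
        // "no assertion found".
        SAMLUtils.debug.error("DefaultAttributeMapper: Exception when " + "parsing the SubjectConfirmationData:", e);
    }
    return null;
}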

Example 3 with SubjectConfirmation

use of com.sun.identity.saml.assertion.SubjectConfirmation in project OpenAM by OpenRock.

Class SAMLUtils, method examAssertions.

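/**
 * Determines if there is a valid SSO Assertion inside of a SAML Response.
 *
 * <p>Every assertion must pass {@code checkCondition} and carry at least one statement.
 * Every statement must be a {@code SubjectStatement} whose subject is confirmed with the
 * artifact method that matches the assertion's minor version
 * ({@code CONFIRMATION_METHOD_ARTIFACT} for minor version one,
 * {@code DEPRECATED_CONFIRMATION_METHOD_ARTIFACT} for minor version zero); only the first
 * confirmation method of each subject is examined. At least one statement across all
 * assertions must be an {@code AuthenticationStatement}. Any violation is logged and
 * {@code null} is returned.
 *
 * @param assertions a List of <code>Assertion</code> objects
 * @return the Subject of the last statement examined, or {@code null} if the list is
 *         {@code null} or any check fails
 * @exception IOException IOException
 */
public static com.sun.identity.saml.assertion.Subject examAssertions(List assertions) throws IOException {
    if (assertions == null) {
        return null;
    }
    boolean foundAuthnStatement = false;
    com.sun.identity.saml.assertion.Subject subject = null;
    Iterator iter = assertions.iterator();
    while (iter.hasNext()) {
        Assertion assertion = (Assertion) iter.next();
        if (!checkCondition(assertion)) {
            return null;
        }
        debug.message("Passed checking Conditions!");
        // exam the Statement inside the Assertion
        Set statements = assertion.getStatement();
        if (statements == null || statements.isEmpty()) {
            debug.error(bundle.getString("noStatement"));
            return null;
        }
        Iterator iterator = statements.iterator();
        while (iterator.hasNext()) {
            Statement statement = (Statement) iterator.next();
            // A statement without a subject cannot be confirmed; reject instead of failing the cast.
            if (!(statement instanceof SubjectStatement)) {
                debug.error("Wrong Confirmation Method.");
                return null;
            }
            subject = ((SubjectStatement) statement).getSubject();
            SubjectConfirmation sc = (subject == null) ? null : subject.getSubjectConfirmation();
            Set cm = (sc == null) ? null : sc.getConfirmationMethod();
            if (cm == null || cm.isEmpty()) {
                debug.error("Subject confirmation method is null");
                return null;
            }
            String conMethod = (String) cm.iterator().next();
            // The accepted artifact method depends on the Assertion minor version number.
            boolean correctMethod = (conMethod != null) && (assertion.getMajorVersion() == SAMLConstants.ASSERTION_MAJOR_VERSION) && (((assertion.getMinorVersion() == SAMLConstants.ASSERTION_MINOR_VERSION_ONE) && conMethod.equals(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT)) || ((assertion.getMinorVersion() == SAMLConstants.ASSERTION_MINOR_VERSION_ZERO) && conMethod.equals(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT)));
            if (!correctMethod) {
                debug.error("Wrong Confirmation Method.");
                return null;
            }
            if (debug.messageEnabled()) {
                debug.message("Correct Confirmation method");
            }
            if (statement instanceof AuthenticationStatement) {
                // found an SSO Assertion
                foundAuthnStatement = true;
            }
        }
    }
    if (!foundAuthnStatement) {
        debug.error(bundle.getString("noSSOAssertion"));
        return null;
    }
    return subject;
}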

Example 4 with SubjectConfirmation

use of com.sun.identity.saml.assertion.SubjectConfirmation in project OpenAM by OpenRock.

Class DefaultActionMapper, method getSSOTokenID.

/**
 * Extracts the SSO token ID from the Subject of an AuthorizationDecisionQuery.
 *
 * <p>The SubjectConfirmation is accepted only when
 * {@code SAMLUtils.isCorrectConfirmationMethod} approves it (per the original
 * documentation: exactly one ConfirmationMethod, equal to "urn:com:sun:identity").
 * The SubjectConfirmationData is then flattened by {@code XMLUtils.getElementString},
 * which per the original documentation concatenates its TEXT nodes.
 *
 * @param query the authorization decision query; may be {@code null}
 * @return the token ID string, or {@code null} if the query is {@code null}, the subject
 *         has no confirmation, or the confirmation method is not accepted
 * @see com.sun.identity.saml.plugins.ActionMapper#getSSOTokenID
 */
public String getSSOTokenID(AuthorizationDecisionQuery query) {
    if (query == null) {
        return null;
    }
    SubjectConfirmation confirmation = query.getSubject().getSubjectConfirmation();
    // Short-circuit keeps the method check from ever seeing a null confirmation.
    if (confirmation == null || !SAMLUtils.isCorrectConfirmationMethod(confirmation)) {
        return null;
    }
    return XMLUtils.getElementString(confirmation.getSubjectConfirmationData());
}

Example 5 with SubjectConfirmation

use of com.sun.identity.saml.assertion.SubjectConfirmation in project OpenAM by OpenRock.

Class DefaultPartnerAccountMapper, method getUser.

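/**
 * Returns the user account in OpenAM to which the subject in the assertion is mapped. This
 * method will be called in POST profile, ARTIFACT profile, AttributeQuery and
 * AuthorizationDecisionQuery.
 *
 * <p>Only the first assertion in the list is inspected. The subject is taken from the first
 * authentication statement whose subject confirmation's first method is the artifact,
 * deprecated artifact or bearer method. NAME and ORG are filled in by the
 * {@code getUser(Subject, String, Map)} overload; ATTRIBUTE is added only when
 * {@code SAMLUtils.addEnvParamsFromAssertion} produces at least one entry.
 *
 * @param assertions a list of authentication assertions returned from the partner side;
 *                   this contains the user's identity on the partner side. The objects in
 *                   the list are <code>com.sun.identity.saml.assertion.Assertion</code>
 * @param sourceID source ID for the site from which the subject originated.
 * @param targetURL value of the TARGET query parameter when the user accesses the SAML
 *                  aware servlet or post profile servlet
 * @return Map which contains NAME, ORG and ATTRIBUTE keys; the value of the NAME key is
 *             the user DN, the value of ORG is the user organization DN, the value of
 *             ATTRIBUTE is a Map containing key/value pairs which will be set as
 *             properties on the OpenAM SSO token (the key is the SSO property name, the
 *             value a String value of the property). Returns an empty map if the list is
 *             {@code null} or empty, or if the mapped user could not be obtained from the
 *             subject.
 */
public Map getUser(List assertions, String sourceID, String targetURL) {
    if (SAMLUtils.debug.messageEnabled()) {
        SAMLUtils.debug.message("DefaultPartnerAccountMapper:getUser(" + "List) targetURL = " + targetURL);
    }
    Map map = new HashMap();
    // Documented contract is an empty map when no user can be mapped, so an absent or empty
    // list returns empty instead of failing on assertions.get(0).
    if (assertions == null || assertions.isEmpty()) {
        return map;
    }
    Assertion assertion = (Assertion) assertions.get(0);
    Set statements = assertion.getStatement();
    if (statements == null) {
        return map;
    }
    Subject subject = null;
    Iterator iter = statements.iterator();
    while (iter.hasNext()) {
        Statement statement = (Statement) iter.next();
        if (statement.getStatementType() != Statement.AUTHENTICATION_STATEMENT) {
            continue;
        }
        Subject sub = ((SubjectStatement) statement).getSubject();
        SubjectConfirmation subConf = (sub == null) ? null : sub.getSubjectConfirmation();
        if (subConf == null) {
            continue;
        }
        Set cms = subConf.getConfirmationMethod();
        if (cms == null || cms.isEmpty()) {
            continue;
        }
        // Only the first confirmation method is consulted.
        String cm = (String) cms.iterator().next();
        if (cm != null && (cm.equals(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT) || cm.equals(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT) || cm.equals(SAMLConstants.CONFIRMATION_METHOD_BEARER))) {
            subject = sub;
            break;
        }
    }
    if (subject != null) {
        getUser(subject, sourceID, map);
        Map attrMap = new HashMap();
        SAMLUtils.addEnvParamsFromAssertion(attrMap, assertion, subject);
        if (!attrMap.isEmpty()) {
            map.put(ATTRIBUTE, attrMap);
        }
    }
    return map;
}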
