use of com.sun.identity.saml.common.SAMLException in project OpenAM by OpenRock.
the class LibertyManager method getMappedNameIdentifier.
/**
* Returns <code>NameIdentifier</code> between the IDP and
* the other SP for the same principal. This method should
* be used by the code on the hosted SP, where the user
* has logged in, and has an account linking with the IDP.
* Futhermore, the same principal has an account linking
* between his/her other (remote) SP account and the IDP
* account.
*
* @param hostedSPMetaAlias The <code>metaAlias</code> of
* the local service provider.
* @param ssoToken The session token of the logged-
* in user on the local service provider.
* @param remoteSPEntityID The entity ID of the remote
* service provider. In other words, it is the targeted
* name space for the returned name identifier.
* @return <code>NameIdentifier</code> of the same principal
* but original established between the remote SP and
* the IDP
*/
public static NameIdentifier getMappedNameIdentifier(String hostedSPMetaAlias, Object ssoToken, String remoteSPEntityID) {
String classMethod = "LibertyManager.getMappedNameIdentifier: ";
String hostedEntityID = getEntityID(hostedSPMetaAlias);
String realm = IDFFMetaUtils.getRealmByMetaAlias(hostedSPMetaAlias);
if (debug.messageEnabled()) {
debug.message("NameMappingRequester: hostedEntityID=" + hostedEntityID);
}
SPDescriptorType hostedDescriptor = null;
BaseConfigType hostedConfig = null;
try {
hostedDescriptor = metaManager.getSPDescriptor(realm, hostedEntityID);
hostedConfig = metaManager.getSPDescriptorConfig(realm, hostedEntityID);
} catch (IDFFMetaException ie) {
debug.error(classMethod + "couldn't obtain hosted meta:", ie);
return null;
}
String userID = null;
try {
userID = SessionManager.getProvider().getPrincipalName(ssoToken);
} catch (SessionException ssoe) {
debug.error("SessionException caught when trying to " + "get user DN from session token:", ssoe);
return null;
}
if (debug.messageEnabled()) {
debug.message(classMethod + "userID=" + userID);
}
FSNameMappingHandler handler = new FSNameMappingHandler(hostedEntityID, hostedDescriptor, hostedConfig, hostedSPMetaAlias);
NameIdentifier ni = null;
if (debug.messageEnabled()) {
debug.message(classMethod + "targetNamespace (remoteSPEntityID)=" + remoteSPEntityID);
}
FSSessionManager sMgr = FSSessionManager.getInstance(hostedSPMetaAlias);
FSSession sess = null;
if (sMgr != null) {
sess = sMgr.getSession(ssoToken);
}
FSSessionPartner partner = null;
if (sess != null) {
partner = sess.getCurrentSessionPartner();
} else {
debug.error(classMethod + "session is null");
return null;
}
String remoteIDPEntityID = null;
if (partner != null) {
remoteIDPEntityID = partner.getPartner();
}
if (debug.messageEnabled()) {
debug.message(classMethod + "Remote IDP EntityID = " + remoteIDPEntityID);
}
try {
ni = handler.getNameIdentifier(userID, remoteIDPEntityID, true);
} catch (Exception e) {
debug.error(classMethod + "Exception caught when trying to get Name " + "Identifier between local SP and remote IDP: ", e);
return null;
}
if (debug.messageEnabled()) {
debug.message(classMethod + "Name Identifier between local SP and " + " remote IDP: " + ni.toString());
}
FSNameIdentifierMappingRequest mappingRequest = null;
try {
mappingRequest = new FSNameIdentifierMappingRequest(hostedEntityID, ni, remoteSPEntityID);
} catch (com.sun.identity.federation.message.common.FSMsgException fe) {
debug.error(classMethod, fe);
return null;
}
if (FSServiceUtils.isSigningOn()) {
try {
mappingRequest.signXML(IDFFMetaUtils.getFirstAttributeValueFromConfig(hostedConfig, IFSConstants.SIGNING_CERT_ALIAS));
} catch (SAMLException se) {
debug.error(classMethod, se);
return null;
}
}
IDPDescriptorType remoteProviderDesc = null;
try {
remoteProviderDesc = metaManager.getIDPDescriptor(realm, remoteIDPEntityID);
} catch (IDFFMetaException fme1) {
debug.error(classMethod, fme1);
return null;
}
String remoteSOAPEndPoint = remoteProviderDesc.getSoapEndpoint();
if (debug.messageEnabled()) {
debug.message(classMethod + "IDP's soap end point=" + remoteSOAPEndPoint);
}
FSSOAPService soapService = FSSOAPService.getInstance();
SOAPMessage returnMsg = null;
try {
SOAPMessage msg = soapService.bind(mappingRequest.toXMLString(true, true));
returnMsg = soapService.sendMessage(msg, remoteSOAPEndPoint);
} catch (FSMsgException mex) {
debug.error(classMethod, mex);
return null;
} catch (java.io.IOException ioe) {
debug.error(classMethod, ioe);
return null;
} catch (javax.xml.soap.SOAPException soape) {
debug.error(classMethod, soape);
return null;
}
Element elt = soapService.parseSOAPMessage(returnMsg);
FSNameIdentifierMappingResponse mappingResponse = null;
try {
mappingResponse = new FSNameIdentifierMappingResponse(elt);
} catch (FSMsgException fme2) {
debug.error(classMethod, fme2);
return null;
}
if (debug.messageEnabled()) {
String resStr = null;
try {
resStr = mappingResponse.toXMLString();
} catch (FSMsgException fme3) {
debug.error(classMethod, fme3);
return null;
}
debug.message(classMethod + "NameIdentifierMappingResponse: " + resStr);
}
if (FSServiceUtils.isSigningOn()) {
if (FSNameMappingHandler.verifyNameIdMappingResponseSignature(elt, returnMsg, realm)) {
if (debug.messageEnabled()) {
debug.message(classMethod + "Success in verifying Name Identifier Mapping" + " Response Signature");
}
} else {
debug.error(classMethod + "Failed verifying Name Identifier Mapping " + "Response");
return null;
}
}
return mappingResponse.getNameIdentifier();
}
use of com.sun.identity.saml.common.SAMLException in project OpenAM by OpenRock.
the class FSProcessLogoutServlet method doRequestProcessing.
/**
* Initiates logout request processing. It is called when a logout request
* is received from a remote provider.
* @param request <code>HTTPServletRequest</code> object received via a
* HTTP Redirect
* @param response <code>HTTPServletResponse</code> object to be sent back
* to user agent
* @param hostedDescriptor the provider for whom request is received
* @param hostedConfig hosted provider's extended meta config
* @param hostedRole hosted provider's role
* @param realm the realm in which the entity resides
* @param hostedEntityId hosted provider's entity id
* @param metaAlias hosted provider's meta alias
* @param reqLogout the single logout request
* @param commonErrorPage where to go if an error occurred
* @param userID user id
* @param ssoToken user session object
*/
private void doRequestProcessing(HttpServletRequest request, HttpServletResponse response, ProviderDescriptorType hostedDescriptor, BaseConfigType hostedConfig, String hostedRole, String realm, String hostedEntityId, String metaAlias, FSLogoutNotification reqLogout, String commonErrorPage, String userID, Object ssoToken) {
FSUtils.debug.message("Entered FSProcessLogoutServlet::doRequestProcessing");
int minorVersion = reqLogout.getMinorVersion();
String remoteEntityId = reqLogout.getProviderId();
ProviderDescriptorType remoteDesc = null;
boolean isIDP = false;
try {
if (hostedRole != null) {
if (hostedRole.equalsIgnoreCase(IFSConstants.IDP)) {
remoteDesc = metaManager.getSPDescriptor(realm, remoteEntityId);
} else if (hostedRole.equalsIgnoreCase(IFSConstants.SP)) {
remoteDesc = metaManager.getIDPDescriptor(realm, remoteEntityId);
isIDP = true;
}
}
if (remoteDesc == null) {
throw new IDFFMetaException((String) null);
}
} catch (IDFFMetaException e) {
FSUtils.debug.error("Remote provider metadata not found.");
String[] data = { remoteEntityId, realm };
LogUtil.error(Level.INFO, LogUtil.INVALID_PROVIDER, data, ssoToken);
FSLogoutUtil.returnToSource(response, remoteDesc, IFSConstants.SAML_RESPONDER, commonErrorPage, minorVersion, hostedConfig, hostedEntityId, userID);
return;
}
boolean bVerify = true;
if (FSServiceUtils.isSigningOn()) {
try {
FSUtils.debug.message("Calling verifyLogoutSignature");
bVerify = verifyLogoutSignature(request, remoteDesc, remoteEntityId, isIDP);
} catch (FSException e) {
FSUtils.debug.error("FSProcessLogoutServlet::doRequestProcessing " + "Signature on Logout request is invalid" + "Cannot proceed federation Logout");
String[] data = { userID };
LogUtil.error(Level.INFO, LogUtil.INVALID_SIGNATURE, data, ssoToken);
FSLogoutUtil.returnToSource(response, remoteDesc, IFSConstants.SAML_REQUESTER, commonErrorPage, minorVersion, hostedConfig, hostedEntityId, userID);
return;
} catch (SAMLException e) {
FSUtils.debug.error("FSProcessLogoutServlet::doRequestProcessing(SAML) " + "Signature on Logout request is invalid" + "Cannot proceed federation Logout");
String[] data = { userID };
LogUtil.error(Level.INFO, LogUtil.INVALID_SIGNATURE, data, ssoToken);
FSLogoutUtil.returnToSource(response, remoteDesc, IFSConstants.SAML_REQUESTER, commonErrorPage, minorVersion, hostedConfig, hostedEntityId, userID);
return;
}
}
String errorStatus = IFSConstants.SAML_RESPONDER;
if (bVerify) {
// Check if trusted provider
if (metaManager.isTrustedProvider(realm, hostedEntityId, remoteEntityId)) {
//Object ssoToken = getValidToken(request);
if (ssoToken != null) {
// session is valid, start single logout
// Invoke Messaging APIs to get providerid from request
FSServiceManager instSManager = FSServiceManager.getInstance();
if (instSManager != null) {
FSUtils.debug.message("FSServiceManager Instance not null");
// Call SP Adapter preSingleLogoutProcess
// for IDP/HTTP case
callPreSingleLogoutProcess(request, response, hostedRole, hostedConfig, hostedEntityId, userID, reqLogout);
FSPreLogoutHandler handlerObj = instSManager.getPreLogoutHandler();
if (handlerObj != null) {
handlerObj.setLogoutRequest(reqLogout);
handlerObj.setHostedDescriptor(hostedDescriptor);
handlerObj.setHostedDescriptorConfig(hostedConfig);
handlerObj.setRealm(realm);
handlerObj.setHostedEntityId(hostedEntityId);
handlerObj.setHostedProviderRole(hostedRole);
handlerObj.setMetaAlias(metaAlias);
handlerObj.setRemoteEntityId(remoteEntityId);
handlerObj.setRemoteDescriptor(remoteDesc);
handlerObj.processHttpSingleLogoutRequest(request, response, ssoToken);
return;
}
} else {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSServiceManager Instance null. Cannot" + " continue logout");
}
String[] data = { userID };
LogUtil.error(Level.INFO, LogUtil.LOGOUT_FAILED, data, ssoToken);
FSLogoutUtil.returnToSource(response, remoteDesc, IFSConstants.SAML_RESPONDER, commonErrorPage, minorVersion, hostedConfig, hostedEntityId, userID);
return;
}
} else {
// ssoToken is null
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("Invalid session in request processing. " + "Nothing to logout");
}
//Verify request,getUserDNcall destroyPrincipalSession
userID = FSLogoutUtil.getUserFromRequest(reqLogout, realm, hostedEntityId, hostedRole, hostedConfig, metaAlias);
if (userID != null) {
FSLogoutUtil.destroyPrincipalSession(userID, metaAlias, reqLogout.getSessionIndex(), request, response);
// Here we need to send back to source
// provider's return URL
FSLogoutUtil.returnToSource(response, remoteDesc, IFSConstants.SAML_RESPONDER, commonErrorPage, minorVersion, hostedConfig, hostedEntityId, userID);
return;
}
}
} else {
FSUtils.debug.error("Remote provider not in trusted list");
}
} else {
FSUtils.debug.error("FSProcessLogoutServlet::doRequestProcesing " + "Signature on Logout request is invalid" + "Cannot proceed federation Logout");
String[] data = { userID };
LogUtil.error(Level.INFO, LogUtil.INVALID_SIGNATURE, data, ssoToken);
errorStatus = IFSConstants.SAML_REQUESTER;
}
FSLogoutUtil.returnToSource(response, remoteDesc, errorStatus, commonErrorPage, minorVersion, hostedConfig, hostedEntityId, userID);
return;
}
use of com.sun.identity.saml.common.SAMLException in project OpenAM by OpenRock.
the class FSReturnLogoutServlet method doGetPost.
/**
* Processes logout response.
* @param request an <code>HttpServletRequest</code> object that contains
* the request the client has made of the servlet.
* @param response an <code>HttpServletResponse</code> object that contains
* the response the servlet sends to the client.
* @exception ServletException if an input or output error is detected when
* the servlet handles the request
* @exception IOException if the request could not be handled
*/
private void doGetPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
FSUtils.debug.message("FSReturnLogoutServlet doGetPost...");
// Alias processing
String providerAlias = request.getParameter(IFSConstants.META_ALIAS);
if (providerAlias == null || providerAlias.length() < 1) {
providerAlias = FSServiceUtils.getMetaAlias(request);
}
if (providerAlias == null || providerAlias.length() < 1) {
FSUtils.debug.message("Unable to retrieve alias, Hosted" + " Provider. Cannot process request");
response.sendError(response.SC_INTERNAL_SERVER_ERROR, FSUtils.bundle.getString("aliasNotFound"));
return;
}
Object ssoToken = null;
try {
SessionProvider sessionProvider = SessionManager.getProvider();
ssoToken = sessionProvider.getSession(request);
if ((ssoToken == null) || (!sessionProvider.isValid(ssoToken))) {
FSUtils.debug.message("FSReturnLogoutRequest: Unable to get principal");
response.sendError(response.SC_INTERNAL_SERVER_ERROR, FSUtils.bundle.getString("nullSSOToken"));
return;
}
univId = sessionProvider.getPrincipalName(ssoToken);
} catch (SessionException ssoExp) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSReturnLogoutRequest: Unable to get principal", ssoExp);
}
response.sendError(response.SC_INTERNAL_SERVER_ERROR, FSUtils.bundle.getString("nullSSOToken"));
return;
}
if (metaManager == null) {
FSUtils.debug.error("Failed to get meta manager");
response.sendError(response.SC_INTERNAL_SERVER_ERROR, FSUtils.bundle.getString(IFSConstants.FEDERATION_FAILED_META_INSTANCE));
return;
}
String realm = IDFFMetaUtils.getRealmByMetaAlias(providerAlias);
String hostedRole = null;
String hostedEntityId = null;
BaseConfigType hostedConfig = null;
try {
hostedRole = metaManager.getProviderRoleByMetaAlias(providerAlias);
hostedEntityId = metaManager.getEntityIDByMetaAlias(providerAlias);
if (hostedRole != null) {
if (hostedRole.equalsIgnoreCase(IFSConstants.IDP)) {
hostedConfig = metaManager.getIDPDescriptorConfig(realm, hostedEntityId);
} else if (hostedRole.equalsIgnoreCase(IFSConstants.SP)) {
hostedConfig = metaManager.getSPDescriptorConfig(realm, hostedEntityId);
}
}
if (hostedConfig == null) {
throw new IDFFMetaException((String) null);
}
} catch (IDFFMetaException e) {
FSUtils.debug.error("Failed to get Hosted Provider");
response.sendError(response.SC_INTERNAL_SERVER_ERROR, FSUtils.bundle.getString(IFSConstants.FAILED_HOSTED_DESCRIPTOR));
return;
}
setLogoutURL(request, hostedConfig, providerAlias);
// Here we will need to
// 1. verify response signature
// 2. verify response status
// 3. retrieve registration request Id from Map
// 4. if status success then do locally else not do locally and
// 5. show status page or LRURL if found in MAP (eg intersiteTransfer)
FSLogoutResponse logoutResponse = null;
try {
logoutResponse = FSLogoutResponse.parseURLEncodedRequest(request);
} catch (FSMsgException e) {
FSServiceUtils.showErrorPage(response, COMMON_ERROR_PAGE, IFSConstants.LOGOUT_REQUEST_IMPROPER, IFSConstants.LOGOUT_FAILED);
return;
} catch (SAMLException e) {
FSServiceUtils.showErrorPage(response, COMMON_ERROR_PAGE, IFSConstants.LOGOUT_REQUEST_IMPROPER, IFSConstants.LOGOUT_FAILED);
return;
}
String remoteEntityId = logoutResponse.getProviderId();
ProviderDescriptorType remoteDesc = null;
boolean isRemoteIDP = false;
try {
if (hostedRole.equalsIgnoreCase(IFSConstants.IDP)) {
remoteDesc = metaManager.getSPDescriptor(realm, remoteEntityId);
} else if (hostedRole.equalsIgnoreCase(IFSConstants.SP)) {
remoteDesc = metaManager.getIDPDescriptor(realm, remoteEntityId);
isRemoteIDP = true;
}
} catch (IDFFMetaException e) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSLogoutReturnServlet.doGetPost:", e);
}
}
if (remoteDesc == null) {
FSServiceUtils.showErrorPage(response, COMMON_ERROR_PAGE, IFSConstants.LOGOUT_REQUEST_IMPROPER, IFSConstants.LOGOUT_FAILED);
return;
}
boolean bVerify = true;
if (FSServiceUtils.isSigningOn()) {
try {
bVerify = verifyResponseSignature(request, remoteDesc, remoteEntityId, isRemoteIDP);
} catch (SAMLException e) {
bVerify = false;
} catch (FSException e) {
bVerify = false;
}
}
Status status = logoutResponse.getStatus();
String logoutStatus = status.getStatusCode().getValue();
// remove session partner in case of logout success or this is IDP
if (logoutStatus.equalsIgnoreCase(IFSConstants.SAML_SUCCESS) || !isRemoteIDP) {
FSLogoutUtil.removeCurrentSessionPartner(providerAlias, remoteEntityId, ssoToken, univId);
}
if (bVerify) {
// in ReturnSessionManager only if it is failure
if (!logoutStatus.equalsIgnoreCase(IFSConstants.SAML_SUCCESS)) {
FSReturnSessionManager localManager = FSReturnSessionManager.getInstance(providerAlias);
if (localManager != null) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("update status of logout to failure " + " in session manager");
}
localManager.setLogoutStatus(logoutStatus, univId);
} else {
FSUtils.debug.message("Cannot get FSReturnSessionManager");
}
FSUtils.debug.error("FSReturnLogoutServlet, failed logout response " + logoutStatus);
String[] data = { univId };
LogUtil.error(Level.INFO, LogUtil.LOGOUT_FAILED, data, ssoToken);
FSLogoutUtil.sendErrorPage(request, response, providerAlias);
return;
}
} else {
FSUtils.debug.error("FSReturnLogoutServlet " + "Signature on logout response is invalid" + "Cannot proceed logout");
String[] data = { univId };
LogUtil.error(Level.INFO, LogUtil.INVALID_SIGNATURE, data, ssoToken);
FSServiceUtils.showErrorPage(response, COMMON_ERROR_PAGE, IFSConstants.LOGOUT_REQUEST_IMPROPER, IFSConstants.LOGOUT_FAILED);
return;
}
StringBuffer processLogout = new StringBuffer();
request.setAttribute("logoutSource", "remote");
processLogout.append(IFSConstants.SLO_VALUE).append("/").append(IFSConstants.META_ALIAS).append(providerAlias);
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("About to get RequestDispatcher for " + processLogout.toString());
}
RequestDispatcher dispatcher = getServletConfig().getServletContext().getRequestDispatcher(processLogout.toString());
if (dispatcher == null) {
FSUtils.debug.message("RequestDispatcher is null");
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("Unable to find " + processLogout + "\ncalling sendErrorPage ");
}
FSLogoutUtil.sendErrorPage(request, response, providerAlias);
return;
}
dispatcher.forward(request, response);
return;
}
use of com.sun.identity.saml.common.SAMLException in project OpenAM by OpenRock.
the class FSSSOAndFedHandler method createAuthnResponse.
protected FSAuthnResponse createAuthnResponse(Object ssoToken, String inResponseTo, NameIdentifier userHandle, NameIdentifier idpHandle) {
FSUtils.debug.message("FSSSOAndFedHandler.createAuthnResponse: Called");
FSAuthnResponse authnResponse = null;
try {
String requestID = authnRequest.getRequestID();
FSAssertionManager am = FSAssertionManager.getInstance(metaAlias);
FSAssertion assertion = null;
SessionProvider sessionProvider = SessionManager.getProvider();
assertion = am.createFSAssertion(sessionProvider.getSessionID(ssoToken), null, realm, spEntityId, userHandle, idpHandle, inResponseTo, authnRequest.getMinorVersion());
StatusCode statusCode = new StatusCode(IFSConstants.STATUS_CODE_SUCCESS);
Status status = new Status(statusCode);
List contents = new ArrayList();
contents.add(assertion);
authnResponse = new FSAuthnResponse(null, requestID, status, contents, relayState);
authnResponse.setMinorVersion(authnRequest.getMinorVersion());
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSSSOAndFedHandler.createAuthnResponse: " + "CHECK1: " + hostedEntityId);
}
authnResponse.setProviderId(hostedEntityId);
} catch (FSException se) {
FSUtils.debug.error("FSSSOAndFedHandler.createAuthnResponse: FSException: ", se);
return null;
} catch (SAMLException se) {
FSUtils.debug.error("FSSSOAndFedHandler.createAuthnResponse: " + "SAMLException: ", se);
return null;
} catch (SessionException se) {
FSUtils.debug.error("FSSSOAndFedHandler.createAuthnResponse: " + "SessionException: ", se);
return null;
}
// sign AuthnResponse
return authnResponse;
}
use of com.sun.identity.saml.common.SAMLException in project OpenAM by OpenRock.
the class FSBrowserArtifactConsumerHandler method signSAMLRequest.
protected FSRequest signSAMLRequest(FSRequest samlRequest) throws SAMLException {
FSUtils.debug.message("FSBrowserArtifactConsumerHandler.signSAMLRequest: Called");
if (samlRequest.isSigned()) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSBrowserArtifactConsumerHandler." + "signSAMLRequest: the request is already signed.");
}
throw new SAMLException(FSUtils.bundle.getString("alreadySigned"));
}
String certAlias = IDFFMetaUtils.getFirstAttributeValueFromConfig(hostConfig, IFSConstants.SIGNING_CERT_ALIAS);
if (certAlias == null || certAlias.length() == 0) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSBrowserArtifactConsumerHandler." + "signSAMLRequest: couldn't obtain this site's cert alias.");
}
throw new SAMLResponderException(FSUtils.bundle.getString("cannotFindCertAlias"));
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSBrowserArtifactConsumerHandler." + "signSAMLRequest: Provider's certAlias is found: " + certAlias);
}
XMLSignatureManager manager = XMLSignatureManager.getInstance();
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSBrowserArtifactConsumerHandler." + "signSAMLRequest: XMLString to be signed: " + samlRequest.toString(true, true));
}
String signatureString = manager.signXML(samlRequest.toString(true, true), certAlias);
Element signature = XMLUtils.toDOMDocument(signatureString, FSUtils.debug).getDocumentElement();
samlRequest.setSignature(signature);
return samlRequest;
}
Aggregations