Search in sources :

Example 56 with Assertion

use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.

the class AssertionIDRequestUtil method sendAssertionIDRequest.

/**
     * Sends the <code>AssertionIDRequest</code> to specifiied Assertion ID
     * Request Service and returns <code>Response</code> coming from the
     * Assertion ID Request Service.
     *
     * @param assertionIDRequest the <code>AssertionIDRequest</code> object
     * @param samlAuthorityEntityID entity ID of SAML authority
     * @param role SAML authority role, for example,
     * <code>SAML2Constants.ATTR_AUTH_ROLE</code>, 
     * <code>SAML2Constants.AUTHN_AUTH_ROLE</code> or
     * <code>SAML2Constants.IDP_ROLE</code>
     * @param realm the realm of hosted entity
     * @param binding the binding
     *
     * @return the <code>Response</code> object
     * @exception SAML2Exception if the operation is not successful
     *
     * @supported.api
     */
public static Response sendAssertionIDRequest(AssertionIDRequest assertionIDRequest, String samlAuthorityEntityID, String role, String realm, String binding) throws SAML2Exception {
    StringBuffer location = new StringBuffer();
    RoleDescriptorType roled = getRoleDescriptorAndLocation(samlAuthorityEntityID, role, realm, binding, location);
    if (binding.equalsIgnoreCase(SAML2Constants.SOAP)) {
        signAssertionIDRequest(assertionIDRequest, realm, false);
        return sendAssertionIDRequestBySOAP(assertionIDRequest, location.toString(), realm, samlAuthorityEntityID, role, roled);
    } else {
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) RoleDescriptorType(com.sun.identity.saml2.jaxb.metadata.RoleDescriptorType)

Example 57 with Assertion

use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.

the class AssertionIDRequestUtil method processAssertionIDRequest.

/**
     * This method processes the <code>AssertionIDRequest</code> coming
     * from a requester.
     *
     * @param assertionIDRequest the <code>AssertionIDRequest</code> object
     * @param request the <code>HttpServletRequest</code> object
     * @param response the <code>HttpServletResponse</code> object
     * @param samlAuthorityEntityID entity ID of SAML authority
     * @param role the role of SAML authority
     * @param realm the realm of SAML authority
     * @return the <code>Response</code> object
     * @exception SAML2Exception if the operation is not successful
     */
public static Response processAssertionIDRequest(AssertionIDRequest assertionIDRequest, HttpServletRequest request, HttpServletResponse response, String samlAuthorityEntityID, String role, String realm) throws SAML2Exception {
    try {
        verifyAssertionIDRequest(assertionIDRequest, samlAuthorityEntityID, role, realm);
    } catch (SAML2Exception se) {
        SAML2Utils.debug.error("AssertionIDRequestUtil." + "processAssertionIDRequest:", se);
        return SAML2Utils.getErrorResponse(assertionIDRequest, SAML2Constants.REQUESTER, null, se.getMessage(), samlAuthorityEntityID);
    }
    Issuer issuer = assertionIDRequest.getIssuer();
    String spEntityID = issuer.getValue();
    RoleDescriptorType roled = null;
    try {
        if (SAML2Constants.IDP_ROLE.equals(role)) {
            roled = metaManager.getIDPSSODescriptor(realm, samlAuthorityEntityID);
        } else if (SAML2Constants.AUTHN_AUTH_ROLE.equals(role)) {
            roled = metaManager.getAuthnAuthorityDescriptor(realm, samlAuthorityEntityID);
        } else if (SAML2Constants.ATTR_AUTH_ROLE.equals(role)) {
            roled = metaManager.getAttributeAuthorityDescriptor(realm, samlAuthorityEntityID);
        }
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error("AssertionIDRequestUtil." + "processAssertionIDRequest:", sme);
        return SAML2Utils.getErrorResponse(assertionIDRequest, SAML2Constants.RESPONDER, null, sme.getMessage(), samlAuthorityEntityID);
    }
    if (roled == null) {
        return SAML2Utils.getErrorResponse(assertionIDRequest, SAML2Constants.REQUESTER, null, SAML2Utils.bundle.getString("samlAuthorityNotFound"), samlAuthorityEntityID);
    }
    List returnAssertions = null;
    List assertionIDRefs = assertionIDRequest.getAssertionIDRefs();
    for (Iterator iter = assertionIDRefs.iterator(); iter.hasNext(); ) {
        AssertionIDRef assertionIDRef = (AssertionIDRef) iter.next();
        String assertionID = assertionIDRef.getValue();
        Assertion assertion = (Assertion) IDPCache.assertionByIDCache.get(assertionID);
        if ((assertion == null) && (SAML2FailoverUtils.isSAML2FailoverEnabled())) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("AssertionIDRequestUtil.processAssertionIDRequest: " + "reading assertion from the SAML2 Token Repository using assertionID:" + assertionID);
            }
            String assertionStr = null;
            try {
                assertionStr = (String) SAML2FailoverUtils.retrieveSAML2Token(assertionID);
            } catch (SAML2TokenRepositoryException se) {
                SAML2Utils.debug.error("AssertionIDRequestUtil.processAssertionIDRequest: " + "There was a problem reading assertion from the SAML2 Token Repository using assertionID:" + assertionID, se);
            }
            if (assertionStr != null) {
                assertion = AssertionFactory.getInstance().createAssertion(assertionStr);
            }
        }
        if ((assertion != null) && (assertion.isTimeValid())) {
            if (returnAssertions == null) {
                returnAssertions = new ArrayList();
            }
            returnAssertions.add(assertion);
        }
    }
    ProtocolFactory protocolFactory = ProtocolFactory.getInstance();
    Response samlResp = protocolFactory.createResponse();
    samlResp.setAssertion(returnAssertions);
    samlResp.setID(SAML2Utils.generateID());
    samlResp.setInResponseTo(assertionIDRequest.getID());
    samlResp.setVersion(SAML2Constants.VERSION_2_0);
    samlResp.setIssueInstant(new Date());
    Status status = protocolFactory.createStatus();
    StatusCode statusCode = protocolFactory.createStatusCode();
    statusCode.setValue(SAML2Constants.SUCCESS);
    status.setStatusCode(statusCode);
    samlResp.setStatus(status);
    Issuer respIssuer = AssertionFactory.getInstance().createIssuer();
    respIssuer.setValue(samlAuthorityEntityID);
    samlResp.setIssuer(respIssuer);
    signResponse(samlResp, samlAuthorityEntityID, role, realm, false);
    return samlResp;
}
Also used : Status(com.sun.identity.saml2.protocol.Status) Issuer(com.sun.identity.saml2.assertion.Issuer) AssertionIDRef(com.sun.identity.saml2.assertion.AssertionIDRef) Assertion(com.sun.identity.saml2.assertion.Assertion) ArrayList(java.util.ArrayList) StatusCode(com.sun.identity.saml2.protocol.StatusCode) Date(java.util.Date) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) ProtocolFactory(com.sun.identity.saml2.protocol.ProtocolFactory) Response(com.sun.identity.saml2.protocol.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) RoleDescriptorType(com.sun.identity.saml2.jaxb.metadata.RoleDescriptorType) Iterator(java.util.Iterator) List(java.util.List) ArrayList(java.util.ArrayList) SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)

Example 58 with Assertion

use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.

the class AssertionIDRequestUtil method processAssertionIDRequestURI.

/**
     * Gets assertion ID from URI and returns assertion if found.
     *
     * @param request the <code>HttpServletRequest</code> object
     * @param response the <code>HttpServletResponse</code> object
     * @param samlAuthorityEntityID entity ID of SAML authority
     * @param role SAML authority role
     * @param realm the realm of hosted entity
     *
     * @exception IOException if response can't be sent
     */
public static void processAssertionIDRequestURI(HttpServletRequest request, HttpServletResponse response, String samlAuthorityEntityID, String role, String realm) throws IOException {
    String assertionID = request.getParameter("ID");
    if (assertionID == null) {
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST, "nullAssertionID", SAML2Utils.bundle.getString("nullAssertionID"));
        return;
    }
    AssertionIDRequestMapper aidReqMapper = null;
    try {
        aidReqMapper = getAssertionIDRequestMapper(realm, samlAuthorityEntityID, role);
    } catch (SAML2Exception ex) {
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "failedToGetAssertionIDRequestMapper", ex.getMessage());
        return;
    }
    try {
        aidReqMapper.authenticateRequesterURI(request, response, samlAuthorityEntityID, role, realm);
    } catch (SAML2Exception ex) {
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_FORBIDDEN, "failedToAuthenticateRequesterURI", ex.getMessage());
        return;
    }
    Assertion assertion = (Assertion) IDPCache.assertionByIDCache.get(assertionID);
    if ((assertion == null) || (!assertion.isTimeValid())) {
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_NOT_FOUND, "invalidAssertionID", SAML2Utils.bundle.getString("invalidAssertionID"));
        return;
    }
    response.setContentType(MIME_TYPE_ASSERTION);
    response.addHeader("Cache-Control", "no-cache, no-store");
    response.addHeader("Pragma", "no-cache");
    String content = null;
    try {
        content = assertion.toXMLString(true, true);
    } catch (SAML2Exception ex) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AssertionIDRequestUtil." + "processAssertionIDRequestURI:", ex);
        }
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "invalidAssertion", ex.getMessage());
        return;
    }
    byte[] bytes = null;
    try {
        bytes = content.getBytes("UTF-8");
    } catch (UnsupportedEncodingException ueex) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AssertionIDRequestUtil." + "processAssertionIDRequestURI:", ueex);
        }
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "unsupportedEncoding", ueex.getMessage());
        return;
    }
    response.setContentLength(bytes.length);
    BufferedOutputStream bos = null;
    try {
        bos = new BufferedOutputStream(response.getOutputStream());
        bos.write(bytes, 0, bytes.length);
    } catch (IOException ioex) {
        SAML2Utils.debug.error("AssertionIDRequestUtil." + "processAssertionIDRequestURI:", ioex);
    } finally {
        if (bos != null) {
            try {
                bos.close();
            } catch (IOException ioex) {
                SAML2Utils.debug.error("AssertionIDRequestUtil." + "processAssertionIDRequestURI:", ioex);
            }
        }
    }
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) AssertionIDRequestMapper(com.sun.identity.saml2.plugins.AssertionIDRequestMapper) Assertion(com.sun.identity.saml2.assertion.Assertion) UnsupportedEncodingException(java.io.UnsupportedEncodingException) IOException(java.io.IOException) BufferedOutputStream(java.io.BufferedOutputStream)

Example 59 with Assertion

use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.

the class DefaultLibraryIDPAttributeMapper method getAttributes.

/**
     * Returns list of SAML <code>Attribute</code> objects for the 
     * IDP framework to insert into the generated <code>Assertion</code>.
     * 
     * @param session Single sign-on session.
     * @param hostEntityID <code>EntityID</code> of the hosted entity.
     * @param remoteEntityID <code>EntityID</code> of the remote entity.
     * @param realm name of the realm.
     * @exception SAML2Exception if any failure.
     */
public List getAttributes(Object session, String hostEntityID, String remoteEntityID, String realm) throws SAML2Exception {
    if (hostEntityID == null) {
        throw new SAML2Exception(bundle.getString("nullHostEntityID"));
    }
    if (realm == null) {
        throw new SAML2Exception(bundle.getString("nullHostEntityID"));
    }
    if (session == null) {
        throw new SAML2Exception(bundle.getString("nullSSOToken"));
    }
    try {
        if (!SessionManager.getProvider().isValid(session)) {
            if (debug.warningEnabled()) {
                debug.warning("DefaultLibraryIDPAttributeMapper." + "getAttributes: Invalid session");
            }
            return null;
        }
        Map<String, String> configMap = getConfigAttributeMap(realm, remoteEntityID, SP);
        if (debug.messageEnabled()) {
            debug.message("DefaultLibraryIDPAttributeMapper." + "getAttributes: remote SP attribute map = " + configMap);
        }
        if (configMap == null || configMap.isEmpty()) {
            configMap = getConfigAttributeMap(realm, hostEntityID, IDP);
            if (configMap == null || configMap.isEmpty()) {
                if (debug.messageEnabled()) {
                    debug.message("DefaultLibraryIDPAttributeMapper." + "getAttributes: Configuration map is not defined.");
                }
                return null;
            }
            if (debug.messageEnabled()) {
                debug.message("DefaultLibraryIDPAttributeMapper." + "getAttributes: hosted IDP attribute map=" + configMap);
            }
        }
        List<Attribute> attributes = new ArrayList<Attribute>();
        Map<String, Set<String>> stringValueMap = null;
        Map<String, byte[][]> binaryValueMap = null;
        if (!isDynamicalOrIgnoredProfile(realm)) {
            try {
                // Resolve attributes to be read from the datastore.
                Set<String> stringAttributes = new HashSet<String>(configMap.size());
                Set<String> binaryAttributes = new HashSet<String>(configMap.size());
                for (String localAttribute : configMap.values()) {
                    if (isStaticAttributeValue(localAttribute)) {
                    // skip over, handled directly in next step
                    } else if (isBinaryAttributeValue(localAttribute)) {
                        // add it to the list of attributes to treat as being binary
                        binaryAttributes.add(removeBinaryFlag(localAttribute));
                    } else {
                        stringAttributes.add(localAttribute);
                    }
                }
                if (!stringAttributes.isEmpty()) {
                    stringValueMap = dsProvider.getAttributes(SessionManager.getProvider().getPrincipalName(session), stringAttributes);
                }
                if (!binaryAttributes.isEmpty()) {
                    binaryValueMap = dsProvider.getBinaryAttributes(SessionManager.getProvider().getPrincipalName(session), binaryAttributes);
                }
            } catch (DataStoreProviderException dse) {
                if (debug.warningEnabled()) {
                    debug.warning("DefaultLibraryIDPAttributeMapper." + "getAttributes:", dse);
                }
            //continue to check in ssotoken.
            }
        }
        for (Map.Entry<String, String> entry : configMap.entrySet()) {
            String samlAttribute = entry.getKey();
            String localAttribute = entry.getValue();
            String nameFormat = null;
            // check if samlAttribute has format nameFormat|samlAttribute
            StringTokenizer tokenizer = new StringTokenizer(samlAttribute, "|");
            if (tokenizer.countTokens() > 1) {
                nameFormat = tokenizer.nextToken();
                samlAttribute = tokenizer.nextToken();
            }
            Set<String> attributeValues = null;
            if (isStaticAttributeValue(localAttribute)) {
                localAttribute = removeStaticFlag(localAttribute);
                // Remove the static flag before using it as the static value
                attributeValues = CollectionUtils.asSet(localAttribute);
                if (debug.messageEnabled()) {
                    debug.message("DefaultLibraryIDPAttributeMapper." + "getAttribute: adding static " + "value " + localAttribute + " for attribute named " + samlAttribute);
                }
            } else {
                if (isBinaryAttributeValue(localAttribute)) {
                    // Remove the flag as not used for lookup
                    localAttribute = removeBinaryFlag(localAttribute);
                    attributeValues = getBinaryAttributeValues(samlAttribute, localAttribute, binaryValueMap);
                } else {
                    if (stringValueMap != null && !stringValueMap.isEmpty()) {
                        attributeValues = stringValueMap.get(localAttribute);
                    } else {
                        if (debug.messageEnabled()) {
                            debug.message("DefaultLibraryIDPAttributeMapper." + "getAttribute: " + localAttribute + " string value map was empty or null");
                        }
                    }
                }
                // If all else fails, try to get the value from the users ssoToken
                if (attributeValues == null || attributeValues.isEmpty()) {
                    if (debug.messageEnabled()) {
                        debug.message("DefaultLibraryIDPAttributeMapper." + "getAttribute: user profile does not have " + "value for " + localAttribute + ", checking SSOToken");
                    }
                    attributeValues = CollectionUtils.asSet(SessionManager.getProvider().getProperty(session, localAttribute));
                }
            }
            if (attributeValues == null || attributeValues.isEmpty()) {
                if (debug.messageEnabled()) {
                    debug.message("DefaultLibraryIDPAttributeMapper.getAttribute: " + "user profile does not have a value for " + localAttribute);
                }
            } else {
                attributes.add(getSAMLAttribute(samlAttribute, nameFormat, attributeValues, hostEntityID, remoteEntityID, realm));
            }
        }
        return attributes;
    } catch (SessionException se) {
        debug.error("DefaultLibraryIDPAttribute.getAttributes: ", se);
        throw new SAML2Exception(se);
    }
}
Also used : DataStoreProviderException(com.sun.identity.plugin.datastore.DataStoreProviderException) Set(java.util.Set) HashSet(java.util.HashSet) Attribute(com.sun.identity.saml2.assertion.Attribute) ArrayList(java.util.ArrayList) SessionException(com.sun.identity.plugin.session.SessionException) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) StringTokenizer(java.util.StringTokenizer) Map(java.util.Map) HashSet(java.util.HashSet)

Example 60 with Assertion

use of com.sun.identity.saml2.assertion.Assertion in project OpenAM by OpenRock.

the class DefaultLibrarySPAccountMapper method getIdentity.

/**
     * Returns the user's distinguished name or the universal ID for the corresponding <code>SAML Assertion</code>. This
     * method will be invoked by the <code>SAML</code> framework while processing the <code>Assertion</code> and
     * retrieves the identity information.
     * The implementation of this method first checks if the NameID-Format is transient and returns the transient user.
     * Otherwise it checks for the user for the corresponding name identifier in the assertion.
     * If not found, then it will check if this is an auto federation case. 
     *
     * @param assertion <code>SAML Assertion</code> that needs to be mapped to the user.
     * @param hostEntityID <code>EntityID</code> of the hosted provider.
     * @param realm Realm or the organization name that may be used to find the user information.
     * @return User's distinguished name or the universal ID.
     * @throws SAML2Exception If there was any failure.
     */
@Override
public String getIdentity(Assertion assertion, String hostEntityID, String realm) throws SAML2Exception {
    if (assertion == null) {
        throw new SAML2Exception(bundle.getString("nullAssertion"));
    }
    if (hostEntityID == null) {
        throw new SAML2Exception(bundle.getString("nullHostEntityID"));
    }
    if (realm == null) {
        throw new SAML2Exception(bundle.getString("nullRealm"));
    }
    NameID nameID;
    EncryptedID encryptedID = assertion.getSubject().getEncryptedID();
    Set<PrivateKey> decryptionKeys = null;
    if (encryptedID != null) {
        decryptionKeys = KeyUtil.getDecryptionKeys(getSSOConfig(realm, hostEntityID));
        nameID = encryptedID.decrypt(decryptionKeys);
    } else {
        nameID = assertion.getSubject().getNameID();
    }
    String userID = null;
    String format = nameID.getFormat();
    boolean isTransient = SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(format);
    if (isTransient) {
        userID = getTransientUser(realm, hostEntityID);
    }
    if (StringUtils.isNotEmpty(userID)) {
        return userID;
    }
    // Check if this is an auto federation case.
    userID = getAutoFedUser(realm, hostEntityID, assertion, nameID.getValue(), decryptionKeys);
    if (StringUtils.isNotEmpty(userID)) {
        return userID;
    } else {
        if (useNameIDAsSPUserID(realm, hostEntityID) && !isAutoFedEnabled(realm, hostEntityID)) {
            if (debug.messageEnabled()) {
                debug.message("DefaultLibrarySPAccountMapper.getIdentity: use NameID value as userID: " + nameID.getValue());
            }
            return nameID.getValue();
        } else {
            return null;
        }
    }
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) PrivateKey(java.security.PrivateKey) NameID(com.sun.identity.saml2.assertion.NameID) EncryptedID(com.sun.identity.saml2.assertion.EncryptedID)

Aggregations

SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)53 ArrayList (java.util.ArrayList)42 List (java.util.List)42 Assertion (com.sun.identity.saml2.assertion.Assertion)30 SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)24 Date (java.util.Date)24 EncryptedAssertion (com.sun.identity.saml2.assertion.EncryptedAssertion)20 Issuer (com.sun.identity.saml2.assertion.Issuer)16 SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)16 Response (com.sun.identity.saml2.protocol.Response)16 Iterator (java.util.Iterator)15 HttpServletResponse (javax.servlet.http.HttpServletResponse)13 SessionException (com.sun.identity.plugin.session.SessionException)12 IOException (java.io.IOException)12 SAML2TokenRepositoryException (org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)11 NameID (com.sun.identity.saml2.assertion.NameID)10 PrivateKey (java.security.PrivateKey)10 AttributeStatement (com.sun.identity.saml2.assertion.AttributeStatement)8 Subject (com.sun.identity.saml2.assertion.Subject)8 SAML2MetaManager (com.sun.identity.saml2.meta.SAML2MetaManager)8