/**
 * Sends an <code>AssertionIDRequest</code> to the Assertion ID Request
 * Service of the given SAML authority and returns the <code>Response</code>
 * the service answers with.
 *
 * The request is signed with the hosted entity's key before it leaves
 * (presumably so the responder can authenticate the requester; the
 * inbound counterpart <code>processAssertionIDRequest</code> runs
 * <code>verifyAssertionIDRequest</code> on what it receives). Only the SOAP
 * binding is supported; any other binding is rejected with a
 * <code>SAML2Exception</code> after the endpoint has been resolved. A
 * <code>null</code> binding ends in a <code>NullPointerException</code>
 * unless <code>getRoleDescriptorAndLocation</code> rejects it first.
 *
 * @param assertionIDRequest the <code>AssertionIDRequest</code> object
 * @param samlAuthorityEntityID entity ID of SAML authority
 * @param role SAML authority role, for example,
 * <code>SAML2Constants.ATTR_AUTH_ROLE</code>,
 * <code>SAML2Constants.AUTHN_AUTH_ROLE</code> or
 * <code>SAML2Constants.IDP_ROLE</code>
 * @param realm the realm of hosted entity
 * @param binding the binding; must be <code>SAML2Constants.SOAP</code>
 *
 * @return the <code>Response</code> object
 * @exception SAML2Exception if the binding is unsupported, the endpoint
 * cannot be resolved, or the exchange fails
 *
 * @supported.api
 */
public static Response sendAssertionIDRequest(AssertionIDRequest assertionIDRequest, String samlAuthorityEntityID, String role, String realm, String binding) throws SAML2Exception {
    // Resolve the authority's descriptor and endpoint before the binding is
    // checked, so metadata problems are reported ahead of binding problems.
    StringBuffer endpoint = new StringBuffer();
    RoleDescriptorType descriptor = getRoleDescriptorAndLocation(samlAuthorityEntityID, role, realm, binding, endpoint);
    if (!binding.equalsIgnoreCase(SAML2Constants.SOAP)) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    // Sign the outbound request with the hosted entity's key, then send it.
    signAssertionIDRequest(assertionIDRequest, realm, false);
    return sendAssertionIDRequestBySOAP(assertionIDRequest, endpoint.toString(), realm, samlAuthorityEntityID, role, descriptor);
}
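/**
 * Processes an <code>AssertionIDRequest</code> received from a requester and
 * builds the <code>Response</code> carrying the referenced assertions.
 *
 * Flow:
 * <ol>
 * <li>the request is checked with <code>verifyAssertionIDRequest</code>;
 * a failure is reported to the requester as a <code>Requester</code> status
 * response rather than thrown;</li>
 * <li>the hosted SAML authority's role descriptor is looked up in metadata
 * for the given role (IDP, AuthnAuthority or AttributeAuthority); an unknown
 * role or missing descriptor yields a <code>samlAuthorityNotFound</code>
 * error response;</li>
 * <li>each referenced assertion ID is resolved from
 * <code>IDPCache.assertionByIDCache</code>, falling back to the SAML2 token
 * repository when failover is enabled; only assertions that are still time
 * valid are returned;</li>
 * <li>a <code>Success</code> response is assembled and signed.</li>
 * </ol>
 *
 * NOTE(review): the requester's identity (the request <code>Issuer</code>)
 * is not consulted in this method. Any decision about whether this
 * requester is entitled to the assertions it asks for must be made inside
 * <code>verifyAssertionIDRequest</code> -- confirm that it does, since the
 * assertions returned here may carry user attributes.
 *
 * @param assertionIDRequest the <code>AssertionIDRequest</code> object
 * @param request the <code>HttpServletRequest</code> object (not used here;
 * kept for API compatibility)
 * @param response the <code>HttpServletResponse</code> object (not used
 * here; kept for API compatibility)
 * @param samlAuthorityEntityID entity ID of SAML authority
 * @param role the role of SAML authority
 * @param realm the realm of SAML authority
 * @return the <code>Response</code> object; an error response (never
 * <code>null</code>) when verification or the metadata lookup fails
 * @exception SAML2Exception if a stored assertion cannot be parsed or the
 * response cannot be signed
 */
public static Response processAssertionIDRequest(AssertionIDRequest assertionIDRequest, HttpServletRequest request, HttpServletResponse response, String samlAuthorityEntityID, String role, String realm) throws SAML2Exception {
    // 1. Verify the inbound request. Failures are answered with a Requester
    //    status response instead of being thrown, so the caller still has a
    //    SAML Response to send back.
    try {
        verifyAssertionIDRequest(assertionIDRequest, samlAuthorityEntityID, role, realm);
    } catch (SAML2Exception se) {
        SAML2Utils.debug.error("AssertionIDRequestUtil." + "processAssertionIDRequest:", se);
        return SAML2Utils.getErrorResponse(assertionIDRequest, SAML2Constants.REQUESTER, null, se.getMessage(), samlAuthorityEntityID);
    }
    // 2. Make sure the hosted entity actually acts in the requested role.
    //    The descriptor itself is not needed beyond this existence check.
    //    (The former unused Issuer/spEntityID locals were dropped; they only
    //    added a NullPointerException path for a request without an Issuer.)
    RoleDescriptorType descriptor;
    try {
        descriptor = resolveAuthorityDescriptor(samlAuthorityEntityID, role, realm);
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error("AssertionIDRequestUtil." + "processAssertionIDRequest:", sme);
        return SAML2Utils.getErrorResponse(assertionIDRequest, SAML2Constants.RESPONDER, null, sme.getMessage(), samlAuthorityEntityID);
    }
    if (descriptor == null) {
        return SAML2Utils.getErrorResponse(assertionIDRequest, SAML2Constants.REQUESTER, null, SAML2Utils.bundle.getString("samlAuthorityNotFound"), samlAuthorityEntityID);
    }
    // 3. Resolve each referenced assertion. Expired assertions are silently
    //    omitted. The list stays null (not empty) when nothing qualifies so
    //    that Response.setAssertion receives the same value as before.
    List<Assertion> returnAssertions = null;
    for (Object ref : assertionIDRequest.getAssertionIDRefs()) {
        String assertionID = ((AssertionIDRef) ref).getValue();
        Assertion assertion = findAssertionByID(assertionID);
        if (assertion != null && assertion.isTimeValid()) {
            if (returnAssertions == null) {
                returnAssertions = new ArrayList<Assertion>();
            }
            returnAssertions.add(assertion);
        }
    }
    // 4. Build and sign the Success response.
    ProtocolFactory protocolFactory = ProtocolFactory.getInstance();
    Response samlResp = protocolFactory.createResponse();
    samlResp.setAssertion(returnAssertions);
    samlResp.setID(SAML2Utils.generateID());
    samlResp.setInResponseTo(assertionIDRequest.getID());
    samlResp.setVersion(SAML2Constants.VERSION_2_0);
    samlResp.setIssueInstant(new Date());
    Status status = protocolFactory.createStatus();
    StatusCode statusCode = protocolFactory.createStatusCode();
    statusCode.setValue(SAML2Constants.SUCCESS);
    status.setStatusCode(statusCode);
    samlResp.setStatus(status);
    Issuer respIssuer = AssertionFactory.getInstance().createIssuer();
    respIssuer.setValue(samlAuthorityEntityID);
    samlResp.setIssuer(respIssuer);
    signResponse(samlResp, samlAuthorityEntityID, role, realm, false);
    return samlResp;
}

/**
 * Looks up the hosted entity's metadata descriptor for the given SAML
 * authority role.
 *
 * @param samlAuthorityEntityID entity ID of the SAML authority
 * @param role one of <code>SAML2Constants.IDP_ROLE</code>,
 * <code>AUTHN_AUTH_ROLE</code> or <code>ATTR_AUTH_ROLE</code>
 * @param realm the realm of the SAML authority
 * @return the descriptor, or <code>null</code> when the role is not one of
 * the three supported roles or the entity does not hold that role
 * @throws SAML2MetaException if the metadata lookup fails
 */
private static RoleDescriptorType resolveAuthorityDescriptor(String samlAuthorityEntityID, String role, String realm) throws SAML2MetaException {
    if (SAML2Constants.IDP_ROLE.equals(role)) {
        return metaManager.getIDPSSODescriptor(realm, samlAuthorityEntityID);
    }
    if (SAML2Constants.AUTHN_AUTH_ROLE.equals(role)) {
        return metaManager.getAuthnAuthorityDescriptor(realm, samlAuthorityEntityID);
    }
    if (SAML2Constants.ATTR_AUTH_ROLE.equals(role)) {
        return metaManager.getAttributeAuthorityDescriptor(realm, samlAuthorityEntityID);
    }
    return null;
}

/**
 * Finds an issued assertion by ID: first in the local
 * <code>IDPCache.assertionByIDCache</code>, then -- only when SAML2 failover
 * is enabled -- in the SAML2 token repository, where it is held as XML and
 * re-parsed here.
 *
 * @param assertionID the assertion ID referenced by the request
 * @return the assertion, or <code>null</code> if it is unknown (a repository
 * read failure is logged and treated as not found)
 * @throws SAML2Exception if the stored XML cannot be parsed as an Assertion
 */
private static Assertion findAssertionByID(String assertionID) throws SAML2Exception {
    Assertion assertion = (Assertion) IDPCache.assertionByIDCache.get(assertionID);
    if (assertion != null || !SAML2FailoverUtils.isSAML2FailoverEnabled()) {
        return assertion;
    }
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("AssertionIDRequestUtil.processAssertionIDRequest: " + "reading assertion from the SAML2 Token Repository using assertionID:" + assertionID);
    }
    String assertionStr = null;
    try {
        assertionStr = (String) SAML2FailoverUtils.retrieveSAML2Token(assertionID);
    } catch (SAML2TokenRepositoryException se) {
        SAML2Utils.debug.error("AssertionIDRequestUtil.processAssertionIDRequest: " + "There was a problem reading assertion from the SAML2 Token Repository using assertionID:" + assertionID, se);
    }
    if (assertionStr == null) {
        return null;
    }
    return AssertionFactory.getInstance().createAssertion(assertionStr);
}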
/**
 * Serves the URI binding of the Assertion ID Request profile: reads the
 * assertion ID from the <code>ID</code> query parameter and writes the
 * matching assertion, as XML, to the response.
 *
 * The requester is authenticated by the configured
 * <code>AssertionIDRequestMapper</code> before any lookup is made, so an
 * unauthenticated caller is answered with 403 and never learns whether the
 * ID exists. A missing or no longer time-valid assertion is reported as 404.
 * The assertion is sent with <code>Cache-Control: no-cache, no-store</code>
 * and <code>Pragma: no-cache</code> so intermediaries do not retain it.
 *
 * Unlike <code>processAssertionIDRequest</code>, this path consults only
 * <code>IDPCache.assertionByIDCache</code> and does not fall back to the
 * SAML2 token repository when failover is enabled. NOTE(review): confirm this
 * is intended; an assertion issued on another node of a cluster would be
 * reported as not found here.
 *
 * @param request the <code>HttpServletRequest</code> object
 * @param response the <code>HttpServletResponse</code> object
 * @param samlAuthorityEntityID entity ID of SAML authority
 * @param role SAML authority role
 * @param realm the realm of hosted entity
 *
 * @exception IOException if an error response can't be sent
 */
public static void processAssertionIDRequestURI(HttpServletRequest request, HttpServletResponse response, String samlAuthorityEntityID, String role, String realm) throws IOException {
    String assertionID = request.getParameter("ID");
    if (assertionID == null) {
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST, "nullAssertionID", SAML2Utils.bundle.getString("nullAssertionID"));
        return;
    }
    // Authenticate the caller first; the lookup below happens only for
    // requesters the mapper accepts.
    AssertionIDRequestMapper mapper;
    try {
        mapper = getAssertionIDRequestMapper(realm, samlAuthorityEntityID, role);
    } catch (SAML2Exception ex) {
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "failedToGetAssertionIDRequestMapper", ex.getMessage());
        return;
    }
    try {
        mapper.authenticateRequesterURI(request, response, samlAuthorityEntityID, role, realm);
    } catch (SAML2Exception ex) {
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_FORBIDDEN, "failedToAuthenticateRequesterURI", ex.getMessage());
        return;
    }
    Assertion assertion = (Assertion) IDPCache.assertionByIDCache.get(assertionID);
    if (assertion == null || !assertion.isTimeValid()) {
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_NOT_FOUND, "invalidAssertionID", SAML2Utils.bundle.getString("invalidAssertionID"));
        return;
    }
    // Headers go out before the body; the assertion must not be cached.
    response.setContentType(MIME_TYPE_ASSERTION);
    response.addHeader("Cache-Control", "no-cache, no-store");
    response.addHeader("Pragma", "no-cache");
    String xml;
    try {
        xml = assertion.toXMLString(true, true);
    } catch (SAML2Exception ex) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AssertionIDRequestUtil.processAssertionIDRequestURI:", ex);
        }
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "invalidAssertion", ex.getMessage());
        return;
    }
    byte[] payload;
    try {
        payload = xml.getBytes("UTF-8");
    } catch (UnsupportedEncodingException ueex) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AssertionIDRequestUtil.processAssertionIDRequestURI:", ueex);
        }
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "unsupportedEncoding", ueex.getMessage());
        return;
    }
    response.setContentLength(payload.length);
    writeAssertionBody(response, payload);
}

/**
 * Writes the encoded assertion to the servlet response. Write and close
 * failures are logged, not propagated, because the status line and headers
 * have already been committed at this point.
 *
 * @param response the response to write to
 * @param payload the UTF-8 encoded assertion XML
 */
private static void writeAssertionBody(HttpServletResponse response, byte[] payload) {
    BufferedOutputStream out = null;
    try {
        out = new BufferedOutputStream(response.getOutputStream());
        out.write(payload, 0, payload.length);
    } catch (IOException ioex) {
        SAML2Utils.debug.error("AssertionIDRequestUtil.processAssertionIDRequestURI:", ioex);
    } finally {
        if (out != null) {
            try {
                out.close();
            } catch (IOException ioex) {
                SAML2Utils.debug.error("AssertionIDRequestUtil.processAssertionIDRequestURI:", ioex);
            }
        }
    }
}
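/**
 * Returns the list of SAML <code>Attribute</code> objects for the IDP
 * framework to insert into the generated <code>Assertion</code>.
 *
 * The attribute map is taken from the remote SP's configuration first and
 * from the hosted IDP's configuration when the SP defines none. Each map
 * entry is <code>[nameFormat|]samlAttribute -&gt; localAttribute</code>,
 * where <code>localAttribute</code> may be flagged as a static value or as a
 * binary datastore attribute. Values are resolved, in order, from the static
 * flag, the user's datastore profile (skipped entirely for dynamic/ignored
 * user profiles), and finally the session's properties.
 *
 * Security note: the names that reach the session-property fallback come
 * only from administrator-configured metadata, so a mapping entry effectively
 * decides which session properties are disclosed to the remote SP. Review
 * attribute maps with that in mind.
 *
 * @param session Single sign-on session.
 * @param hostEntityID <code>EntityID</code> of the hosted entity.
 * @param remoteEntityID <code>EntityID</code> of the remote entity.
 * @param realm name of the realm.
 * @return the attributes to assert, or <code>null</code> when the session is
 * invalid or no attribute map is configured.
 * @exception SAML2Exception if a required argument is <code>null</code>, the
 * session provider fails, or attribute construction fails.
 */
public List getAttributes(Object session, String hostEntityID, String remoteEntityID, String realm) throws SAML2Exception {
    if (hostEntityID == null) {
        throw new SAML2Exception(bundle.getString("nullHostEntityID"));
    }
    if (realm == null) {
        // Previously reported "nullHostEntityID" for a null realm (copy/paste
        // slip); "nullRealm" is the key DefaultLibrarySPAccountMapper uses
        // for the same condition.
        throw new SAML2Exception(bundle.getString("nullRealm"));
    }
    if (session == null) {
        throw new SAML2Exception(bundle.getString("nullSSOToken"));
    }
    try {
        if (!SessionManager.getProvider().isValid(session)) {
            if (debug.warningEnabled()) {
                debug.warning("DefaultLibraryIDPAttributeMapper." + "getAttributes: Invalid session");
            }
            return null;
        }
        // The remote SP's attribute map wins; the hosted IDP's is the fallback.
        Map<String, String> configMap = getConfigAttributeMap(realm, remoteEntityID, SP);
        if (debug.messageEnabled()) {
            debug.message("DefaultLibraryIDPAttributeMapper." + "getAttributes: remote SP attribute map = " + configMap);
        }
        if (configMap == null || configMap.isEmpty()) {
            configMap = getConfigAttributeMap(realm, hostEntityID, IDP);
            if (configMap == null || configMap.isEmpty()) {
                if (debug.messageEnabled()) {
                    debug.message("DefaultLibraryIDPAttributeMapper." + "getAttributes: Configuration map is not defined.");
                }
                return null;
            }
            if (debug.messageEnabled()) {
                debug.message("DefaultLibraryIDPAttributeMapper." + "getAttributes: hosted IDP attribute map=" + configMap);
            }
        }
        List<Attribute> attributes = new ArrayList<Attribute>();
        Map<String, Set<String>> stringValueMap = null;
        Map<String, byte[][]> binaryValueMap = null;
        if (!isDynamicalOrIgnoredProfile(realm)) {
            // Batch the datastore reads: one call for string attributes, one
            // for binary ones. A datastore failure is logged and resolution
            // continues with session properties only.
            try {
                Set<String> stringAttributes = new HashSet<String>(configMap.size());
                Set<String> binaryAttributes = new HashSet<String>(configMap.size());
                for (String localAttribute : configMap.values()) {
                    if (isStaticAttributeValue(localAttribute)) {
                        continue; // static values never touch the datastore
                    }
                    if (isBinaryAttributeValue(localAttribute)) {
                        binaryAttributes.add(removeBinaryFlag(localAttribute));
                    } else {
                        stringAttributes.add(localAttribute);
                    }
                }
                if (!stringAttributes.isEmpty()) {
                    stringValueMap = dsProvider.getAttributes(SessionManager.getProvider().getPrincipalName(session), stringAttributes);
                }
                if (!binaryAttributes.isEmpty()) {
                    binaryValueMap = dsProvider.getBinaryAttributes(SessionManager.getProvider().getPrincipalName(session), binaryAttributes);
                }
            } catch (DataStoreProviderException dse) {
                if (debug.warningEnabled()) {
                    debug.warning("DefaultLibraryIDPAttributeMapper." + "getAttributes:", dse);
                }
                // fall through: values may still come from the session
            }
        }
        for (Map.Entry<String, String> entry : configMap.entrySet()) {
            String samlAttribute = entry.getKey();
            String localAttribute = entry.getValue();
            String nameFormat = null;
            // Keys may be written as nameFormat|samlAttribute.
            StringTokenizer tokenizer = new StringTokenizer(samlAttribute, "|");
            if (tokenizer.countTokens() > 1) {
                nameFormat = tokenizer.nextToken();
                samlAttribute = tokenizer.nextToken();
            }
            Set<String> attributeValues = null;
            if (isStaticAttributeValue(localAttribute)) {
                // The flag is stripped and the remainder used as the literal value.
                localAttribute = removeStaticFlag(localAttribute);
                attributeValues = CollectionUtils.asSet(localAttribute);
                if (debug.messageEnabled()) {
                    debug.message("DefaultLibraryIDPAttributeMapper." + "getAttribute: adding static " + "value " + localAttribute + " for attribute named " + samlAttribute);
                }
            } else {
                if (isBinaryAttributeValue(localAttribute)) {
                    // Strip the flag; the datastore knows the plain name.
                    localAttribute = removeBinaryFlag(localAttribute);
                    attributeValues = getBinaryAttributeValues(samlAttribute, localAttribute, binaryValueMap);
                } else if (stringValueMap != null && !stringValueMap.isEmpty()) {
                    attributeValues = stringValueMap.get(localAttribute);
                } else if (debug.messageEnabled()) {
                    debug.message("DefaultLibraryIDPAttributeMapper." + "getAttribute: " + localAttribute + " string value map was empty or null");
                }
                // Last resort: the session property of the same name. Only
                // names from the configured map get here, so the map decides
                // which session properties may be disclosed to the SP.
                if (attributeValues == null || attributeValues.isEmpty()) {
                    if (debug.messageEnabled()) {
                        debug.message("DefaultLibraryIDPAttributeMapper." + "getAttribute: user profile does not have " + "value for " + localAttribute + ", checking SSOToken");
                    }
                    attributeValues = CollectionUtils.asSet(SessionManager.getProvider().getProperty(session, localAttribute));
                }
            }
            if (attributeValues == null || attributeValues.isEmpty()) {
                if (debug.messageEnabled()) {
                    debug.message("DefaultLibraryIDPAttributeMapper.getAttribute: " + "user profile does not have a value for " + localAttribute);
                }
            } else {
                attributes.add(getSAMLAttribute(samlAttribute, nameFormat, attributeValues, hostEntityID, remoteEntityID, realm));
            }
        }
        return attributes;
    } catch (SessionException se) {
        debug.error("DefaultLibraryIDPAttribute.getAttributes: ", se);
        throw new SAML2Exception(se);
    }
}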
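/**
 * Returns the user's distinguished name or the universal ID for the
 * corresponding <code>SAML Assertion</code>. This method is invoked by the
 * <code>SAML</code> framework while processing the <code>Assertion</code>
 * and retrieves the identity information.
 *
 * Resolution order:
 * <ol>
 * <li>the Subject's <code>NameID</code> is taken directly, or decrypted from
 * its <code>EncryptedID</code> with the hosted SP's decryption keys;</li>
 * <li>a transient-format NameID maps to the configured transient user;</li>
 * <li>otherwise (or if no transient user is configured) auto-federation is
 * attempted via <code>getAutoFedUser</code>;</li>
 * <li>finally, if the SP is configured to use the NameID as the user ID and
 * auto-federation is disabled, the raw NameID value is returned.</li>
 * </ol>
 *
 * Security note: step 4 turns the IdP-asserted NameID into the local user
 * identity without any lookup, so it must only be enabled for IdPs trusted to
 * assert identities for this realm. Note also that a transient NameID falls
 * through to steps 3 and 4 like any other format when no transient user is
 * configured.
 *
 * @param assertion <code>SAML Assertion</code> that needs to be mapped to the user.
 * @param hostEntityID <code>EntityID</code> of the hosted provider.
 * @param realm Realm or the organization name that may be used to find the user information.
 * @return User's distinguished name or the universal ID, or <code>null</code>
 * when no mapping applies.
 * @throws SAML2Exception If an argument is <code>null</code>, the assertion
 * has no Subject, the Subject carries neither a NameID nor an EncryptedID,
 * decryption fails, or a lookup fails.
 */
@Override
public String getIdentity(Assertion assertion, String hostEntityID, String realm) throws SAML2Exception {
    if (assertion == null) {
        throw new SAML2Exception(bundle.getString("nullAssertion"));
    }
    if (hostEntityID == null) {
        throw new SAML2Exception(bundle.getString("nullHostEntityID"));
    }
    if (realm == null) {
        throw new SAML2Exception(bundle.getString("nullRealm"));
    }
    // Subject is optional in the SAML 2.0 assertion schema; without this
    // guard a Subject-less assertion surfaced as a NullPointerException
    // instead of a SAML2Exception the caller can handle. No bundle key for
    // this condition is visible from here, hence the literal message.
    if (assertion.getSubject() == null) {
        throw new SAML2Exception("Assertion has no Subject; cannot map it to a user");
    }
    NameID nameID;
    EncryptedID encryptedID = assertion.getSubject().getEncryptedID();
    Set<PrivateKey> decryptionKeys = null;
    if (encryptedID != null) {
        // Keys are kept so getAutoFedUser can also decrypt encrypted attributes.
        decryptionKeys = KeyUtil.getDecryptionKeys(getSSOConfig(realm, hostEntityID));
        nameID = encryptedID.decrypt(decryptionKeys);
    } else {
        nameID = assertion.getSubject().getNameID();
    }
    if (nameID == null) {
        throw new SAML2Exception("Assertion Subject carries neither a NameID nor an EncryptedID");
    }
    String userID = null;
    String format = nameID.getFormat();
    boolean isTransient = SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(format);
    if (isTransient) {
        userID = getTransientUser(realm, hostEntityID);
    }
    if (StringUtils.isNotEmpty(userID)) {
        return userID;
    }
    // Check if this is an auto federation case.
    userID = getAutoFedUser(realm, hostEntityID, assertion, nameID.getValue(), decryptionKeys);
    if (StringUtils.isNotEmpty(userID)) {
        return userID;
    }
    // Trust-the-IdP mode: the asserted NameID value is the local user ID.
    if (useNameIDAsSPUserID(realm, hostEntityID) && !isAutoFedEnabled(realm, hostEntityID)) {
        if (debug.messageEnabled()) {
            debug.message("DefaultLibrarySPAccountMapper.getIdentity: use NameID value as userID: " + nameID.getValue());
        }
        return nameID.getValue();
    }
    return null;
}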