use of com.sun.identity.saml2.assertion.Attribute in project OpenAM by OpenRock.
the class SPSingleLogout method processLogoutRequest.
/**
 * Processes a single <code>LogoutRequest</code> received from an IDP and
 * builds the <code>LogoutResponse</code> to send back.
 *
 * Flow: the request issuer is checked against the realm's metadata, the
 * NameID is extracted, the SP federation sessions for that NameID are looked
 * up in <code>SPCache</code> (and, for a load-balanced deployment, forwarded
 * to peer servers), and then either all of them or only those matching the
 * request's SessionIndex list are removed and the backing sessions
 * invalidated. Fedlet deployments delegate the actual logout to the configured
 * <code>FedletAdapter</code> instead.
 *
 * Every error path sets <code>status</code> and falls through to the response
 * generation at the bottom, so a <code>LogoutResponse</code> is returned
 * for both success and failure.
 *
 * @param logoutReq <code>LogoutRequest</code> from IDP
 * @param spEntityID name of host entity ID.
 * @param realm name of host entity.
 * @param request HTTP servlet request.
 * @param response HTTP servlet response.
 * @param isLBReq true if the request is for load balancing.
 * @param destroySession true to invalidate the backing SP session(s); when
 *        false the federation-session bookkeeping and application logout
 *        still happen but <code>sessionProvider.invalidateSession</code> is
 *        not called.
 * @param binding value of <code>SAML2Constants.HTTP_REDIRECT</code> or
 * <code>SAML2Constants.SOAP</code>.
 * @param isVerified true if the request is verified already (its signature
 *        is then not re-checked here).
 * @return the <code>LogoutResponse</code> carrying the resulting status:
 *         success, partial logout, or a Responder error.
 */
public static LogoutResponse processLogoutRequest(LogoutRequest logoutReq, String spEntityID, String realm, HttpServletRequest request, HttpServletResponse response, boolean isLBReq, boolean destroySession, String binding, boolean isVerified) {
final String method = "processLogoutRequest : ";
NameID nameID = null;
Status status = null;
Issuer issuer = null;
// NOTE(review): the issuer is dereferenced before any validation; a request
// without an <Issuer> would NPE here instead of producing a Responder status.
String idpEntity = logoutReq.getIssuer().getValue();
String userId = null;
try {
// do { ... } while (false) is used as a break-able block: each terminal
// condition assigns 'status' and breaks out to the response generation.
do {
// TODO: check the NotOnOrAfter attribute of LogoutRequest
// NOTE(review): nothing in this method enforces NotOnOrAfter, so request
// freshness is not checked here; only the issuer check and (on some paths)
// the signature check stand between a replayed LogoutRequest and a logout.
issuer = logoutReq.getIssuer();
String requestId = logoutReq.getID();
// Presumably rejects issuers that are not a trusted IDP for this SP in
// this realm by throwing SAML2Exception - confirm in SAML2Utils.
SAML2Utils.verifyRequestIssuer(realm, spEntityID, issuer, requestId);
// From here on 'issuer' is this SP's own Issuer, used for the response.
issuer = SAML2Utils.createIssuer(spEntityID);
// get SessionIndex and NameID form LogoutRequest
List siList = logoutReq.getSessionIndex();
int numSI = 0;
if (siList != null) {
numSI = siList.size();
if (debug.messageEnabled()) {
debug.message(method + "Number of session indices in the logout request is " + numSI);
}
}
// Resolves the (possibly encrypted) NameID of the request for the SP role.
nameID = LogoutUtil.getNameIDFromSLORequest(logoutReq, realm, spEntityID, SAML2Constants.SP_ROLE);
if (nameID == null) {
// NOTE(review): on this path nameID stays null; see the spEntityID
// fallback after the try block, which would dereference it.
debug.error(method + "LogoutRequest does not contain Name ID");
status = SAML2Utils.generateStatus(SAML2Constants.RESPONDER, SAML2Utils.bundle.getString("missing_name_identifier"));
break;
}
// Cache key for the federation sessions of this NameID between this SP and the IDP.
String infoKeyString = null;
infoKeyString = (new NameIDInfoKey(nameID.getValue(), spEntityID, idpEntity)).toValueString();
if (debug.messageEnabled()) {
debug.message(method + "infokey=" + infoKeyString);
}
if (SPCache.isFedlet) {
// verify request
// Fedlet path: the signature is verified here unless the caller already did.
if (!isVerified && !LogoutUtil.verifySLORequest(logoutReq, realm, idpEntity, spEntityID, SAML2Constants.SP_ROLE)) {
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignInRequest"));
}
// obtain fedlet adapter
FedletAdapter fedletAdapter = SAML2Utils.getFedletAdapterClass(spEntityID, realm);
boolean result = false;
if (fedletAdapter != null) {
// call adapter to do real logout
result = fedletAdapter.doFedletSLO(request, response, logoutReq, spEntityID, idpEntity, siList, nameID.getValue(), binding);
}
// No adapter configured counts as a failed application logout.
if (result) {
status = SUCCESS_STATUS;
} else {
status = SAML2Utils.generateStatus(SAML2Constants.RESPONDER, SAML2Utils.bundle.getString("appLogoutFailed"));
}
break;
}
List list = (List) SPCache.fedSessionListsByNameIDInfoKey.get(infoKeyString);
if (debug.messageEnabled()) {
debug.message(method + "SPFedsessions=" + list);
}
if ((list == null) || list.isEmpty()) {
// Second lookup: when the NameID carries no SPNameQualifier, key the
// cache on its NameQualifier instead of the issuer's entity ID.
String spQ = nameID.getSPNameQualifier();
if ((spQ == null) || (spQ.length() == 0)) {
infoKeyString = (new NameIDInfoKey(nameID.getValue(), spEntityID, nameID.getNameQualifier())).toValueString();
list = (List) SPCache.fedSessionListsByNameIDInfoKey.get(infoKeyString);
}
}
boolean foundPeer = false;
List remoteServiceURLs = null;
if (isLBReq) {
// In a load-balanced deployment the session may live on another server.
remoteServiceURLs = FSUtils.getRemoteServiceURLs(request);
foundPeer = remoteServiceURLs != null && !remoteServiceURLs.isEmpty();
}
if (debug.messageEnabled()) {
debug.message(method + "isLBReq = " + isLBReq + ", foundPeer = " + foundPeer);
}
if (list == null || list.isEmpty()) {
// No federation session for this NameID on this server.
// NOTE(review): the signature is NOT verified on this path (the
// !isVerified check only runs in the else-branch below and in the Fedlet
// branch). When isVerified is false, an unverified requester therefore gets
// a different status for a NameID without a session ("invalid_name_identifier")
// than for one with a session - confirm that callers pass isVerified=true
// for every binding where the signature was not already checked upstream.
if (foundPeer) {
boolean peerError = false;
for (Iterator iter = remoteServiceURLs.iterator(); iter.hasNext(); ) {
String remoteLogoutURL = getRemoteLogoutURL((String) iter.next(), request);
LogoutResponse logoutRes = LogoutUtil.forwardToRemoteServer(logoutReq, remoteLogoutURL);
// A peer that does not know the NameID is skipped; a peer that
// knows it either succeeds (possibly leaving some indices open)
// or is recorded as an error.
if ((logoutRes != null) && !isNameNotFound(logoutRes)) {
if (isSuccess(logoutRes)) {
if (numSI > 0) {
siList = LogoutUtil.getSessionIndex(logoutRes);
if (siList == null || siList.isEmpty()) {
// Every requested index handled: an earlier peer error is cleared.
peerError = false;
break;
}
}
} else {
peerError = true;
}
}
}
if (peerError || (siList != null && siList.size() > 0)) {
status = PARTIAL_LOGOUT_STATUS;
} else {
status = SUCCESS_STATUS;
}
} else {
debug.error(method + "invalid Name ID received");
status = SAML2Utils.generateStatus(SAML2Constants.RESPONDER, SAML2Utils.bundle.getString("invalid_name_identifier"));
}
break;
} else {
// find the session, do signature validation
// Signature check for the non-Fedlet path, skipped when the caller
// already verified the request. logoutReq.getIssuer().getValue() here
// is the same value as idpEntity above.
if (!isVerified && !LogoutUtil.verifySLORequest(logoutReq, realm, logoutReq.getIssuer().getValue(), spEntityID, SAML2Constants.SP_ROLE)) {
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignInRequest"));
}
// invoke SPAdapter for preSingleLogoutProcess
// The user name handed to the adapter is resolved from the first
// federation session's token; a SessionException only leaves userId null.
try {
String tokenId = ((SPFedSession) list.iterator().next()).spTokenID;
Object token = sessionProvider.getSession(tokenId);
userId = sessionProvider.getPrincipalName(token);
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("SPSingleLogout." + "processLogoutRequest, user = " + userId);
}
} catch (SessionException ex) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("SPSingleLogout." + "processLogoutRequest", ex);
}
}
userId = preSingleLogoutProcess(spEntityID, realm, request, response, userId, logoutReq, null, binding);
}
// get application logout URL
// Optional external application logout endpoint from the SP's extended config;
// only the first configured value is used.
BaseConfigType spConfig = SAML2Utils.getSAML2MetaManager().getSPSSOConfig(realm, spEntityID);
List appLogoutURL = (List) SAML2MetaUtils.getAttributes(spConfig).get(SAML2Constants.APP_LOGOUT_URL);
if (debug.messageEnabled()) {
debug.message("IDPLogoutUtil.processLogoutRequest: " + "external app logout URL= " + appLogoutURL);
}
if (numSI == 0) {
// logout all fed sessions for this user
// between this SP and the IDP
// Step 1: detach every federation session from the cache while holding
// the list's monitor, collecting the SP token IDs to destroy afterwards.
List tokenIDsToBeDestroyed = new ArrayList();
synchronized (list) {
Iterator iter = list.listIterator();
while (iter.hasNext()) {
SPFedSession fedSession = (SPFedSession) iter.next();
tokenIDsToBeDestroyed.add(fedSession.spTokenID);
iter.remove();
if ((agent != null) && agent.isRunning() && (saml2Svc != null)) {
saml2Svc.setFedSessionCount((long) SPCache.fedSessionListsByNameIDInfoKey.size());
}
}
}
// Step 2: outside the lock, notify the application and invalidate each
// session. A token that cannot be resolved any more is logged and skipped.
for (Iterator iter = tokenIDsToBeDestroyed.listIterator(); iter.hasNext(); ) {
String tokenID = (String) iter.next();
Object token = null;
try {
token = sessionProvider.getSession(tokenID);
} catch (SessionException se) {
debug.error(method + "Could not create session from token ID = " + tokenID);
continue;
}
if (debug.messageEnabled()) {
debug.message(method + "destroy token " + tokenID);
}
// handle external application logout if configured
if ((appLogoutURL != null) && (appLogoutURL.size() != 0)) {
SAML2Utils.postToAppLogout(request, (String) appLogoutURL.get(0), token);
}
if (destroySession) {
sessionProvider.invalidateSession(token, request, response);
}
}
if (foundPeer) {
// Propagate the "logout everything" request to each peer; only a
// success or name-not-found reply from every peer yields SUCCESS.
boolean peerError = false;
for (Iterator iter = remoteServiceURLs.iterator(); iter.hasNext(); ) {
String remoteLogoutURL = getRemoteLogoutURL((String) iter.next(), request);
LogoutResponse logoutRes = LogoutUtil.forwardToRemoteServer(logoutReq, remoteLogoutURL);
if ((logoutRes == null) || !(isSuccess(logoutRes) || isNameNotFound(logoutRes))) {
peerError = true;
}
}
if (peerError) {
status = PARTIAL_LOGOUT_STATUS;
} else {
status = SUCCESS_STATUS;
}
}
// NOTE(review): when numSI == 0 and there is no peer, status is left as
// it was (null unless set earlier); generateResponse below receives it as is.
} else {
// logout only those fed sessions specified
// in logout request session list
String sessionIndex = null;
// Indices from the request that matched no local federation session.
List siNotFound = new ArrayList();
for (int i = 0; i < numSI; i++) {
sessionIndex = (String) siList.get(i);
String tokenIDToBeDestroyed = null;
synchronized (list) {
// Only the first federation session with a matching IDP session
// index is removed per requested index.
Iterator iter = list.listIterator();
while (iter.hasNext()) {
SPFedSession fedSession = (SPFedSession) iter.next();
if (sessionIndex.equals(fedSession.idpSessionIndex)) {
if (debug.messageEnabled()) {
debug.message(method + " found si + " + sessionIndex);
}
tokenIDToBeDestroyed = fedSession.spTokenID;
iter.remove();
if ((agent != null) && agent.isRunning() && (saml2Svc != null)) {
saml2Svc.setFedSessionCount((long) SPCache.fedSessionListsByNameIDInfoKey.size());
}
break;
}
}
}
if (tokenIDToBeDestroyed != null) {
try {
Object token = sessionProvider.getSession(tokenIDToBeDestroyed);
if (debug.messageEnabled()) {
debug.message(method + "destroy token (2) " + tokenIDToBeDestroyed);
}
// handle external application logout
if ((appLogoutURL != null) && (appLogoutURL.size() != 0)) {
SAML2Utils.postToAppLogout(request, (String) appLogoutURL.get(0), token);
}
if (destroySession) {
sessionProvider.invalidateSession(token, request, response);
}
} catch (SessionException se) {
// The session is already gone; the index is still treated as handled.
debug.error(method + "Could not create " + "session from token ID = " + tokenIDToBeDestroyed);
}
} else {
siNotFound.add(sessionIndex);
}
}
if (isLBReq) {
if (foundPeer && !siNotFound.isEmpty()) {
// Forward only the still-unresolved indices to the peers, narrowing
// the list with each successful reply until nothing is left.
boolean peerError = false;
LogoutRequest lReq = copyAndMakeMutable(logoutReq);
for (Iterator iter = remoteServiceURLs.iterator(); iter.hasNext(); ) {
lReq.setSessionIndex(siNotFound);
String remoteLogoutURL = getRemoteLogoutURL((String) iter.next(), request);
LogoutResponse logoutRes = LogoutUtil.forwardToRemoteServer(lReq, remoteLogoutURL);
if ((logoutRes != null) && !isNameNotFound(logoutRes)) {
if (isSuccess(logoutRes)) {
siNotFound = LogoutUtil.getSessionIndex(logoutRes);
} else {
peerError = true;
}
}
if (debug.messageEnabled()) {
debug.message(method + "siNotFound = " + siNotFound);
}
if (siNotFound == null || siNotFound.isEmpty()) {
peerError = false;
break;
}
}
if (peerError || (siNotFound != null && !siNotFound.isEmpty())) {
status = PARTIAL_LOGOUT_STATUS;
} else {
status = SUCCESS_STATUS;
}
} else {
status = SUCCESS_STATUS;
}
} else {
if (siNotFound.isEmpty()) {
status = SUCCESS_STATUS;
} else {
// Non-LB deployment: report success but attach the unmatched
// indices to the status so the IDP can see what was not found.
status = SAML2Utils.generateStatus(SAML2Constants.SUCCESS, SAML2Utils.bundle.getString("requestSuccess"));
LogoutUtil.setSessionIndex(status, siNotFound);
}
}
}
} while (false);
} catch (SessionException se) {
debug.error("processLogoutRequest: ", se);
status = SAML2Utils.generateStatus(SAML2Constants.RESPONDER, se.toString());
} catch (SAML2Exception e) {
// NOTE(review): the exception's toString() becomes the StatusMessage
// returned to the remote IDP; consider whether internal detail should
// cross the trust boundary that way.
debug.error("processLogoutRequest: " + "failed to create response", e);
status = SAML2Utils.generateStatus(SAML2Constants.RESPONDER, e.toString());
}
// create LogoutResponse
// NOTE(review): nameID is still null when the request carried no NameID,
// so this fallback NPEs if spEntityID is also null - apparently unreachable
// as long as callers always pass spEntityID; verify.
if (spEntityID == null) {
spEntityID = nameID.getSPNameQualifier();
}
// NOTE(review): if an exception was thrown before 'issuer' was replaced by
// the SP's own Issuer, this appears to build the response with the IDP's
// Issuer object (or null) - confirm generateResponse tolerates that.
LogoutResponse logResponse = LogoutUtil.generateResponse(status, logoutReq.getID(), issuer, realm, SAML2Constants.SP_ROLE, idpEntity);
if (isSuccess(logResponse)) {
// invoke SPAdapter for postSingleLogoutSuccess
postSingleLogoutSuccess(spEntityID, realm, request, response, userId, logoutReq, logResponse, binding);
}
return logResponse;
}
use of com.sun.identity.saml2.assertion.Attribute in project OpenAM by OpenRock.
the class AttributeQueryUtil method getAttributeAuthorityMapper.
/**
 * Resolves the <code>AttributeAuthorityMapper</code> configured for an
 * attribute authority and query profile.
 *
 * The implementation class name is read from the attribute authority's
 * configuration under <code>&lt;profileAlias&gt;_&lt;ATTRIBUTE_AUTHORITY_MAPPER&gt;</code>;
 * when absent, the built-in default mapper class is used. Instances are
 * cached per class name, so each mapper class is instantiated once and the
 * same instance is handed to every caller.
 *
 * @param realm the realm name
 * @param attrAuthorityEntityID the entity id of the attribute authority
 * @param attrQueryProfileAlias attribute profile alias
 *
 * @return the <code>AttributeAuthorityMapper</code>
 * @exception SAML2Exception if the configuration lookup, class loading,
 *            instantiation or cast fails (the cause is wrapped)
 */
static AttributeAuthorityMapper getAttributeAuthorityMapper(String realm, String attrAuthorityEntityID, String attrQueryProfileAlias) throws SAML2Exception {
    try {
        String mapperClassName = getAttributeValueFromAttrAuthorityConfig(realm, attrAuthorityEntityID, attrQueryProfileAlias + "_" + SAML2Constants.ATTRIBUTE_AUTHORITY_MAPPER);
        if (mapperClassName == null) {
            mapperClassName = SAML2Constants.DEFAULT_ATTRIBUTE_AUTHORITY_MAPPER_CLASS;
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("AttributeQueryUtil.getAttributeAuthorityMapper: use " + mapperClassName);
            }
        }
        AttributeAuthorityMapper cachedMapper = (AttributeAuthorityMapper) attrAuthorityMapperCache.get(mapperClassName);
        if (cachedMapper != null) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("AttributeQueryUtil.getAttributeAuthorityMapper: " + "got the AttributeAuthorityMapper from cache");
            }
            return cachedMapper;
        }
        // NOTE(review): the class is loaded and instantiated by name taken from
        // configuration; whoever can edit the attribute authority config can
        // therefore pick any class on the classpath with a no-arg constructor.
        AttributeAuthorityMapper newMapper = (AttributeAuthorityMapper) Class.forName(mapperClassName).newInstance();
        attrAuthorityMapperCache.put(mapperClassName, newMapper);
        return newMapper;
    } catch (Exception ex) {
        SAML2Utils.debug.error("AttributeQueryUtil.getAttributeAuthorityMapper: " + "Unable to get IDP Attribute Mapper.", ex);
        throw new SAML2Exception(ex);
    }
}
use of com.sun.identity.saml2.assertion.Attribute in project OpenAM by OpenRock.
the class AttributeQueryUtil method constructAttrQueryForFedlet.
/**
 * Builds the <code>AttributeQuery</code> a Fedlet sends to an IDP's
 * attribute authority to fetch attribute values for one subject.
 *
 * The query is issued by the hosted entity behind <code>attrqMetaAlias</code>,
 * asks for each name in <code>attrsList</code> using the basic name format,
 * and identifies the subject by a NameID whose format depends on the
 * profile alias: a transient NameID carrying <code>nameIDValue</code> for the
 * default profile, or an X.509 subject name carrying <code>subjectDN</code>
 * for the X.509 subject profile. The NameID is optionally encrypted with the
 * attribute authority's encryption key before being placed in the subject.
 *
 * @param spEntityID SP entity ID, used as the NameID's SPNameQualifier
 * @param idpEntityID IDP entity ID, used as the NameID's NameQualifier and
 *        to look up the attribute authority's encryption key
 * @param nameIDValue NameID value used with the default profile
 * @param attrsList names of the attributes to request
 * @param attrqMetaAlias meta alias of the hosted attribute query entity
 * @param attrProfileNameAlias attribute query profile alias; if it matches
 *        neither known alias the NameID is left without format and value
 * @param subjectDN subject DN used with the X.509 subject profile
 * @param wantNameIDEncrypted true to send an <code>EncryptedID</code>
 *        instead of a plain <code>NameID</code>
 * @return the constructed <code>AttributeQuery</code>
 *
 * @exception SAML2Exception if the operation is not successful
 *
 * @supported.api
 */
private static AttributeQuery constructAttrQueryForFedlet(String spEntityID, String idpEntityID, String nameIDValue, List<String> attrsList, String attrqMetaAlias, String attrProfileNameAlias, String subjectDN, boolean wantNameIDEncrypted) throws SAML2Exception {
    String queryIssuerEntityID = SAML2Utils.getSAML2MetaManager().getEntityByMetaAlias(attrqMetaAlias);
    ProtocolFactory protoFactory = ProtocolFactory.getInstance();
    AssertionFactory assertFactory = AssertionFactory.getInstance();

    // Envelope: issuer, fresh ID, version and issue instant.
    AttributeQuery query = protoFactory.createAttributeQuery();
    Issuer queryIssuer = assertFactory.createIssuer();
    queryIssuer.setValue(queryIssuerEntityID);
    query.setIssuer(queryIssuer);
    query.setID(SAML2Utils.generateID());
    query.setVersion(SAML2Constants.VERSION_2_0);
    query.setIssueInstant(new Date());

    // Requested attributes, one element per name, all in the basic name format.
    List<Attribute> requested = new ArrayList<Attribute>();
    for (String attributeName : attrsList) {
        Attribute requestedAttr = assertFactory.createAttribute();
        requestedAttr.setName(attributeName);
        requestedAttr.setNameFormat(SAML2Constants.BASIC_NAME_FORMAT);
        requested.add(requestedAttr);
    }
    query.setAttributes(requested);

    // Subject NameID; format and value are chosen by the profile alias.
    NameID subjectNameID = assertFactory.createNameID();
    subjectNameID.setNameQualifier(idpEntityID);
    subjectNameID.setSPNameQualifier(spEntityID);
    if (attrProfileNameAlias.equals(SAML2Constants.DEFAULT_ATTR_QUERY_PROFILE_ALIAS)) {
        subjectNameID.setFormat(SAML2Constants.NAMEID_TRANSIENT_FORMAT);
        subjectNameID.setValue(nameIDValue);
    }
    if (attrProfileNameAlias.equals(SAML2Constants.X509_SUBJECT_ATTR_QUERY_PROFILE_ALIAS)) {
        subjectNameID.setFormat(SAML2Constants.X509_SUBJECT_NAME);
        subjectNameID.setValue(subjectDN);
    }

    Subject subject = assertFactory.createSubject();
    if (wantNameIDEncrypted) {
        // The encryption key is taken from the IDP's attribute authority
        // descriptor in the root realm ("/"); presumably Fedlets only ever
        // run in the root realm - confirm before reusing elsewhere.
        AttributeAuthorityDescriptorElement authorityDesc = metaManager.getAttributeAuthorityDescriptor("/", idpEntityID);
        EncInfo encInfo = KeyUtil.getEncInfo(authorityDesc, idpEntityID, SAML2Constants.ATTR_AUTH_ROLE);
        EncryptedID encryptedID = subjectNameID.encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), idpEntityID);
        subject.setEncryptedID(encryptedID);
    } else {
        subject.setNameID(subjectNameID);
    }
    query.setSubject(subject);
    return query;
}
use of com.sun.identity.saml2.assertion.Attribute in project OpenAM by OpenRock.
the class AttributeQueryUtil method isValueValid.
/**
 * Checks whether every value requested for an attribute is among the values
 * the attribute authority declares it supports.
 *
 * The check is permissive in two cases: when the request names no specific
 * values, and when the supported-attribute metadata lists no values (no
 * restriction is configured). Otherwise all requested values must appear in
 * the union of the supported <code>AttributeValue</code> contents.
 *
 * @param desiredAttr the attribute from the incoming query
 * @param supportedAttr the matching attribute from the authority's metadata
 * @return true if the requested values are acceptable, false otherwise
 */
private static boolean isValueValid(Attribute desiredAttr, AttributeElement supportedAttr) {
    List requestedValues = desiredAttr.getAttributeValueString();
    if (requestedValues == null || requestedValues.isEmpty()) {
        return true;
    }
    List supportedValueElems = supportedAttr.getAttributeValue();
    if (supportedValueElems == null || supportedValueElems.isEmpty()) {
        // No values declared in metadata: nothing to restrict against.
        return true;
    }
    // Flatten the content of every supported AttributeValue into one list.
    List allowedValues = new ArrayList();
    for (Object elem : supportedValueElems) {
        allowedValues.addAll(((AttributeValueElement) elem).getContent());
    }
    try {
        return allowedValues.containsAll(requestedValues);
    } catch (Exception ex) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AttributeQueryUtil.isValueValid:", ex);
        }
        return false;
    }
}
use of com.sun.identity.saml2.assertion.Attribute in project OpenAM by OpenRock.
the class AttributeQueryUtil method sendAttributeQuery.
/**
 * Sends the <code>AttributeQuery</code> to the specified attribute
 * authority by redirecting the user's browser to it.
 *
 * Only the HTTP-POST binding is implemented: the query is signed, encoded
 * and auto-posted to the authority's endpoint as the <code>SAMLRequest</code>
 * form field. Any other binding is rejected with "unsupportedBinding". The
 * authority's <code>Response</code> therefore arrives asynchronously at the
 * hosted entity's endpoint rather than being returned by this method.
 *
 * @param attrQuery the <code>AttributeQuery</code> object
 * @param request the HTTP Request
 * @param response the HTTP Response
 * @param attrAuthorityEntityID entity ID of attribute authority
 * @param realm the realm of hosted entity
 * @param attrQueryProfile the attribute query profile or null to ignore
 * @param attrProfile the attribute profile
 * @param binding the binding
 *
 * @exception SAML2Exception if the metadata cannot be read, the authority
 *            or a matching endpoint is not found, or the binding is not
 *            HTTP-POST
 *
 * @supported.api
 */
public static void sendAttributeQuery(AttributeQuery attrQuery, HttpServletRequest request, HttpServletResponse response, String attrAuthorityEntityID, String realm, String attrQueryProfile, String attrProfile, String binding) throws SAML2Exception {
    final AttributeAuthorityDescriptorElement authorityDesc;
    try {
        authorityDesc = metaManager.getAttributeAuthorityDescriptor(realm, attrAuthorityEntityID);
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error("AttributeQueryUtil.sendAttributeQuery:", sme);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    if (authorityDesc == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("attrAuthorityNotFound"));
    }
    if (binding == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    // The endpoint comes from the authority's metadata for this binding/profile,
    // so the query is only ever posted to a location the trusted metadata lists.
    String endpoint = findLocation(authorityDesc, binding, attrQueryProfile, attrProfile);
    if (endpoint == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("attrAuthorityNotFound"));
    }
    if (!SAML2Constants.HTTP_POST.equalsIgnoreCase(binding)) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    // Sign first so the signature covers the final XML, then encode the
    // serialised document for the SAMLRequest form field.
    signAttributeQuery(attrQuery, realm, false);
    String samlRequest = SAML2Utils.encodeForPOST(attrQuery.toXMLString(true, true));
    SAML2Utils.postToTarget(request, response, "SAMLRequest", samlRequest, null, null, endpoint);
}