
Example 11 with Attribute

use of com.sun.identity.saml2.assertion.Attribute in project OpenAM by OpenRock.

the class AttributeQueryUtil method sendAttributeQuery.

/**
 * Sends an <code>AttributeQuery</code> to the attribute authority identified by
 * <code>attrAuthorityEntityID</code> and returns the <code>Response</code> it produced.
 * <p>
 * Only the SOAP binding is supported: a <code>null</code> or non-SOAP binding is rejected
 * with the <code>unsupportedBinding</code> message. The query is passed through
 * <code>signAttributeQuery</code> before it is sent.
 *
 * @param attrQuery the <code>AttributeQuery</code> to send
 * @param attrAuthorityEntityID entity ID of the attribute authority
 * @param realm realm of the hosted entity
 * @param attrQueryProfile attribute query profile, or <code>null</code> to ignore it
 * @param attrProfile attribute profile used when selecting the endpoint
 * @param binding protocol binding; must be SOAP
 *
 * @return the <code>Response</code> returned by the attribute authority
 * @exception SAML2Exception if the authority metadata cannot be read or is missing,
 *            no endpoint matches the requested profiles, or the binding is unsupported
 *
 * @supported.api
 */
public static Response sendAttributeQuery(AttributeQuery attrQuery, String attrAuthorityEntityID, String realm, String attrQueryProfile, String attrProfile, String binding) throws SAML2Exception {
    AttributeAuthorityDescriptorElement authority = lookupAttributeAuthority(realm, attrAuthorityEntityID);
    if (binding == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    String endpoint = findLocation(authority, binding, attrQueryProfile, attrProfile);
    if (endpoint == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("attrAuthorityNotFound"));
    }
    if (!binding.equalsIgnoreCase(SAML2Constants.SOAP)) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    // The query is signed before transmission; the meaning of the boolean argument is
    // defined by signAttributeQuery (it is always false on this path).
    signAttributeQuery(attrQuery, realm, false);
    return sendAttributeQuerySOAP(attrQuery, endpoint, attrAuthorityEntityID, authority);
}

/**
 * Loads the attribute authority descriptor for <code>entityID</code> in <code>realm</code>.
 *
 * @param realm realm of the hosted entity
 * @param entityID entity ID of the attribute authority
 * @return the descriptor, never <code>null</code>
 * @exception SAML2Exception with <code>metaDataError</code> if the metadata lookup fails,
 *            or <code>attrAuthorityNotFound</code> if no descriptor exists
 */
private static AttributeAuthorityDescriptorElement lookupAttributeAuthority(String realm, String entityID) throws SAML2Exception {
    AttributeAuthorityDescriptorElement descriptor;
    try {
        descriptor = metaManager.getAttributeAuthorityDescriptor(realm, entityID);
    } catch (SAML2MetaException sme) {
        // The underlying cause is only logged; callers see the localized message.
        SAML2Utils.debug.error("AttributeQueryUtil.sendAttributeQuery:", sme);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    if (descriptor == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("attrAuthorityNotFound"));
    }
    return descriptor;
}

Example 12 with Attribute

use of com.sun.identity.saml2.assertion.Attribute in project OpenAM by OpenRock.

the class DefaultLibraryIDPAttributeMapper method getSAMLAttribute.

/**
 * Builds a SAML <code>Attribute</code> with the given name, optional name format and values.
 * <p>
 * Values are XML-escaped via <code>XMLUtils.escapeSpecialCharacters</code> only when
 * <code>needToEscapeXMLSpecialCharacters(hostEntityID, remoteEntityID, realm)</code> reports
 * that escaping is required; otherwise they are copied verbatim. An empty or
 * <code>null</code> value set produces an attribute without values.
 *
 * @param name attribute name; must not be <code>null</code>.
 * @param nameFormat name format of the attribute, or <code>null</code> to leave it unset.
 * @param values attribute values, may be <code>null</code> or empty.
 * @param hostEntityID Entity ID for hosted provider.
 * @param remoteEntityID Entity ID for remote provider.
 * @param realm the realm the providers are in.
 * @return the populated SAML <code>Attribute</code> element.
 * @exception SAML2Exception with <code>nullInput</code> if <code>name</code> is <code>null</code>,
 *            or on any failure in the assertion factory.
 */
protected Attribute getSAMLAttribute(String name, String nameFormat, Set<String> values, String hostEntityID, String remoteEntityID, String realm) throws SAML2Exception {
    if (name == null) {
        throw new SAML2Exception(bundle.getString("nullInput"));
    }
    Attribute samlAttribute = AssertionFactory.getInstance().createAttribute();
    samlAttribute.setName(name);
    if (nameFormat != null) {
        samlAttribute.setNameFormat(nameFormat);
    }
    if (values == null || values.isEmpty()) {
        return samlAttribute;
    }
    // Escaping policy is decided once per attribute, not per value.
    List<String> attributeValues = new ArrayList<>(values.size());
    if (needToEscapeXMLSpecialCharacters(hostEntityID, remoteEntityID, realm)) {
        for (String value : values) {
            attributeValues.add(XMLUtils.escapeSpecialCharacters(value));
        }
    } else {
        attributeValues.addAll(values);
    }
    samlAttribute.setAttributeValueString(attributeValues);
    return samlAttribute;
}

Example 13 with Attribute

use of com.sun.identity.saml2.assertion.Attribute in project OpenAM by OpenRock.

the class DefaultLibrarySPAccountMapper method getAutoFedUser.

/**
 * Returns the local user for the auto-federation attribute carried in the assertion.
 * <p>
 * Lookup order: the configured auto-federation attribute is searched across the
 * assertion's attribute statements (encrypted attributes are decrypted with
 * {@code decryptionKeys}); the first statement yielding a non-empty value set wins.
 * If no value is found and "use NameID as SP user ID" is enabled, {@code decryptedNameID}
 * is used instead. The value set is then keyed by the SP attribute-map name (falling back
 * to the attribute name itself) and looked up in the datastore. When the datastore has
 * no match and the realm uses a dynamic or ignored profile, the first attribute value is
 * returned as the user ID.
 *
 * @param realm Realm name.
 * @param entityID Hosted <code>EntityID</code>.
 * @param assertion <code>Assertion</code> from the identity provider.
 * @param decryptedNameID the assertion's decrypted NameID value; only consulted when the
 *        auto-federation attribute is absent and NameID-as-SP-user-ID is enabled.
 * @param decryptionKeys keys used to decrypt <code>EncryptedAttribute</code> elements.
 * @return Auto federation mapped user from the assertion auto federation <code>AttributeStatement</code>. If the
 * statement does not have the auto federation attribute then the NameID value will be used if use NameID as SP user
 * ID is enabled, otherwise null.
 * @throws SAML2Exception declared for the configuration and mapping helpers called here;
 *         which of them actually raise it is not visible in this method — TODO confirm.
 */
protected String getAutoFedUser(String realm, String entityID, Assertion assertion, String decryptedNameID, Set<PrivateKey> decryptionKeys) throws SAML2Exception {
    // Nothing to do unless auto-federation is switched on for this SP.
    if (!isAutoFedEnabled(realm, entityID)) {
        if (debug.messageEnabled()) {
            debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Auto federation is disabled.");
        }
        return null;
    }
    // Name of the SAML attribute whose value identifies the local user.
    String autoFedAttribute = getAttribute(realm, entityID, SAML2Constants.AUTO_FED_ATTRIBUTE);
    if (autoFedAttribute == null || autoFedAttribute.isEmpty()) {
        debug.error("DefaultLibrarySPAccountMapper.getAutoFedUser: " + "Auto federation is enabled but the auto federation attribute is not configured.");
        return null;
    }
    if (debug.messageEnabled()) {
        debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Auto federation attribute is set to: " + autoFedAttribute);
    }
    Set<String> autoFedAttributeValue = null;
    List<AttributeStatement> attributeStatements = assertion.getAttributeStatements();
    if (attributeStatements == null || attributeStatements.isEmpty()) {
        if (debug.messageEnabled()) {
            debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: " + "Assertion does not have any attribute statements.");
        }
    } else {
        // Scan statements in order; stop at the first one with a non-empty value set.
        for (AttributeStatement statement : attributeStatements) {
            autoFedAttributeValue = getAttribute(statement, autoFedAttribute, decryptionKeys);
            if (autoFedAttributeValue != null && !autoFedAttributeValue.isEmpty()) {
                if (debug.messageEnabled()) {
                    debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: " + "Found auto federation attribute value in Assertion: " + autoFedAttributeValue);
                }
                break;
            }
        }
    }
    if (autoFedAttributeValue == null || autoFedAttributeValue.isEmpty()) {
        if (debug.messageEnabled()) {
            debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Auto federation attribute is not specified" + " as an attribute.");
        }
        // Fallback to the NameID is opt-in; without it the attribute's absence ends the lookup.
        if (!useNameIDAsSPUserID(realm, entityID)) {
            if (debug.messageEnabled()) {
                debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: NameID as SP UserID was not enabled " + " and auto federation attribute " + autoFedAttribute + " was not found in the Assertion");
            }
            return null;
        } else {
            if (debug.messageEnabled()) {
                debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Trying now to autofederate with nameID" + ", nameID =" + decryptedNameID);
            }
            // NOTE(review): decryptedNameID is wrapped without a null check here, so a null
            // NameID would reach the datastore lookup below — confirm callers guarantee non-null.
            autoFedAttributeValue = CollectionUtils.asSet(decryptedNameID);
        }
    }
    // Translate the SAML attribute name into the local datastore attribute via the SP attribute map.
    String autoFedMapAttribute = null;
    DefaultSPAttributeMapper attributeMapper = new DefaultSPAttributeMapper();
    Map<String, String> attributeMap = attributeMapper.getConfigAttributeMap(realm, entityID, SP);
    if (attributeMap == null || attributeMap.isEmpty()) {
        if (debug.messageEnabled()) {
            debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: attribute map is not configured.");
        }
    } else {
        autoFedMapAttribute = attributeMap.get(autoFedAttribute);
    }
    if (autoFedMapAttribute == null) {
        if (debug.messageEnabled()) {
            debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: " + "Auto federation attribute map is not specified in config.");
        }
        // No mapping configured: assume the local attribute has the same name as the SAML attribute.
        autoFedMapAttribute = autoFedAttribute;
    }
    try {
        // Single-entry search filter: local attribute name -> all candidate values from the assertion.
        Map<String, Set<String>> map = new HashMap<>(1);
        map.put(autoFedMapAttribute, autoFedAttributeValue);
        if (debug.messageEnabled()) {
            debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Search map: " + map);
        }
        String userId = dsProvider.getUserID(realm, map);
        if (userId != null && !userId.isEmpty()) {
            return userId;
        } else {
            // No existing user matched: with a dynamic or ignored profile the assertion-supplied
            // attribute value itself becomes the local user ID.
            if (isDynamicalOrIgnoredProfile(realm)) {
                if (debug.messageEnabled()) {
                    debug.message("DefaultLibrarySPAccountMapper: dynamical user creation or ignore profile " + "enabled : uid=" + autoFedAttributeValue);
                }
                // Return the first value as uid; with several values the Set's iteration order decides which one.
                return autoFedAttributeValue.iterator().next();
            }
        }
    } catch (DataStoreProviderException dse) {
        // Datastore failure is downgraded to a warning and treated as "no user found".
        if (debug.warningEnabled()) {
            debug.warning("DefaultLibrarySPAccountMapper.getAutoFedUser: Datastore provider exception", dse);
        }
    }
    return null;
}

Example 14 with Attribute

use of com.sun.identity.saml2.assertion.Attribute in project OpenAM by OpenRock.

the class DefaultLibrarySPAccountMapper method getAttribute.

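/**
 * Returns the values of the named attribute from an attribute statement, or {@code null}.
 * <p>
 * Clear-text attributes are considered first, then every {@code EncryptedAttribute} is
 * decrypted with {@code decryptionKeys} and appended. Attribute names are compared
 * case-insensitively. A decryption failure of any encrypted attribute aborts the lookup
 * and yields {@code null} rather than falling back to the clear-text attributes only.
 * The original fell through to a {@code for} loop over {@code statement.getAttribute()}
 * even when it was {@code null} and there were no encrypted attributes; this version
 * always iterates a non-null list.
 *
 * @param statement the attribute statement to search
 * @param attributeName name of the attribute to look up; matched ignoring case
 * @param decryptionKeys keys used to decrypt {@code EncryptedAttribute} elements
 * @return the attribute's values as a new {@code Set}, or {@code null} when the attribute
 *         is absent, has no values, or an encrypted attribute could not be decrypted
 */
private Set<String> getAttribute(AttributeStatement statement, String attributeName, Set<PrivateKey> decryptionKeys) {
    if (debug.messageEnabled()) {
        debug.message("DefaultLibrarySPAccountMapper.getAttribute: attribute Name =" + attributeName);
    }
    List<Attribute> clearAttributes = statement.getAttribute();
    List<EncryptedAttribute> encryptedAttributes = statement.getEncryptedAttribute();
    // Union of clear and decrypted attributes, in that order; never null so the scan below is safe.
    List<Attribute> candidates = new ArrayList<>();
    if (clearAttributes != null) {
        candidates.addAll(clearAttributes);
    }
    if (encryptedAttributes != null) {
        for (EncryptedAttribute encryptedAttribute : encryptedAttributes) {
            try {
                candidates.add(encryptedAttribute.decrypt(decryptionKeys));
            } catch (SAML2Exception se) {
                debug.error("Decryption error:", se);
                return null;
            }
        }
    }
    for (Attribute attribute : candidates) {
        if (!attributeName.equalsIgnoreCase(attribute.getName())) {
            continue;
        }
        List<String> values = attribute.getAttributeValueString();
        // First name match decides the outcome, even if it carries no values.
        if (values == null || values.isEmpty()) {
            return null;
        }
        return new HashSet<>(values);
    }
    return null;
}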

Example 15 with Attribute

use of com.sun.identity.saml2.assertion.Attribute in project OpenAM by OpenRock.

the class DefaultSPAuthnContextMapper method getAuthnCtxFromSPConfig.

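/**
 * Parses the SP's configured AuthnContext class reference entries into a lookup map.
 * <p>
 * Each configured value is tokenized on {@code '|'}: the first token is the class
 * reference, the second (if present) the auth level; a value ending in
 * {@code "|" + DEFAULT} marks the default entry. The map holds, in configuration order,
 * the prefixed class reference mapped to its {@code Integer} auth level. The first default
 * entry additionally registers {@code DEFAULT -> authLevel} (when a level was parsed) and
 * {@code DEFAULT_CLASS_REF -> prefixed class reference}.
 *
 * @param realm realm of the hosted SP
 * @param hostEntityID entity ID of the hosted SP
 * @return an unmodifiable map of class reference (plus the DEFAULT and DEFAULT_CLASS_REF
 *         keys) to auth level or class reference; empty when nothing is configured
 */
private static Map getAuthnCtxFromSPConfig(String realm, String hostEntityID) {
    List authContextClassRefConfig = SAML2Utils.getAllAttributeValueFromSSOConfig(realm, hostEntityID, SAML2Constants.SP_ROLE, SAML2Constants.SP_AUTH_CONTEXT_CLASS_REF_ATTR);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("DefaultSPAuthnContextMapper: List:" + authContextClassRefConfig);
    }
    // LinkedHashMap preserves configuration order. Values are Integer auth levels except
    // for DEFAULT_CLASS_REF, whose value is the class reference String, hence Object.
    Map<String, Object> authRefMap = new LinkedHashMap<>();
    if (authContextClassRefConfig == null || authContextClassRefConfig.isEmpty()) {
        return Collections.unmodifiableMap(authRefMap);
    }
    for (Object configValue : authContextClassRefConfig) {
        String authRefVal = (String) configValue;
        boolean isDefault = false;
        if (authRefVal.endsWith("|" + DEFAULT)) {
            // Strip the DEFAULT marker; the '|' left at the end is ignored by the tokenizer.
            authRefVal = authRefVal.substring(0, authRefVal.length() - DEFAULT.length());
            isDefault = true;
        }
        StringTokenizer st = new StringTokenizer(authRefVal, "|");
        // Test for a token instead of catching the NoSuchElementException the old code relied on.
        String authClass = null;
        if (st.hasMoreTokens()) {
            authClass = st.nextToken();
        } else if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AuthnContextClassRef not found");
        }
        if (st.hasMoreTokens()) {
            Integer authLevel = null;
            try {
                // Integer.valueOf replaces the deprecated Integer(String) constructor.
                authLevel = Integer.valueOf(st.nextToken());
            } catch (NumberFormatException nfe) {
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("DefaultSPAuthnContextMapper.getAuthnCtxFromSPConfig:", nfe);
                }
            }
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("DefaultSPAuthnContextMapper.getAuthnCtxFromSPConfig: AuthLevel is " + authLevel);
            }
            if (authLevel != null) {
                // Only the first default entry defines the DEFAULT level.
                if (isDefault && !authRefMap.containsKey(DEFAULT)) {
                    authRefMap.put(DEFAULT, authLevel);
                }
                if (authClass != null) {
                    authRefMap.put(prefixIfRequired(authClass), authLevel);
                }
            }
        }
        // Likewise only the first default entry defines the DEFAULT class reference.
        if (isDefault && authClass != null && !authRefMap.containsKey(DEFAULT_CLASS_REF)) {
            authRefMap.put(DEFAULT_CLASS_REF, prefixIfRequired(authClass));
        }
    }
    return Collections.unmodifiableMap(authRefMap);
}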
