Examples with AuthnContext com.sun.identity.saml2.assertion.AuthnContext used on opensource projects

Example 11 with AuthnContext

use of com.sun.identity.saml2.assertion.AuthnContext in project OpenAM by OpenRock.

the class SAML2Utils method getSPAuthnContextMapper.

/**
     * Returns the Service Provider AuthnContext Mapper Object.
     *
     * @param authnCtxClassName Service Provider AuthnContext Mapper Class Name.
     * @return SPAuthnContextMapper Object.
     */
public static SPAuthnContextMapper getSPAuthnContextMapper(String realm, String hostEntityID, String authnCtxClassName) {
    SPAuthnContextMapper spAuthnCtx = (SPAuthnContextMapper) SPCache.authCtxObjHash.get(hostEntityID + "|" + realm);
    if (debug.messageEnabled()) {
        debug.message("AuthContext Class Name is :" + authnCtxClassName);
    }
    if ((spAuthnCtx == null) && ((authnCtxClassName != null) && (authnCtxClassName.length() != 0))) {
        try {
            spAuthnCtx = (SPAuthnContextMapper) Class.forName(authnCtxClassName).newInstance();
            SPCache.authCtxObjHash.put(hostEntityID + "|" + realm, spAuthnCtx);
        } catch (ClassNotFoundException ce) {
            if (debug.messageEnabled()) {
                debug.message("SAML2Utils: Mapper not configured" + " using Default AuthnContext Mapper");
            }
        } catch (InstantiationException ie) {
            if (debug.messageEnabled()) {
                debug.message("SAML2Utils: Instantiation ");
                debug.message("SAML2Utils:Error instantiating : " + " using Default AuthnContext Mapper");
            }
        } catch (IllegalAccessException iae) {
            if (debug.messageEnabled()) {
                debug.message("SAML2Utils: illegalaccess");
                debug.message("SAML2Utils:Error : " + " using Default AuthnContext Mapper");
            }
        } catch (Exception e) {
            if (debug.messageEnabled()) {
                debug.message("SAML2Utils:Error : " + " using Default AuthnContext Mapper");
            }
        }
    }
    if (spAuthnCtx == null) {
        spAuthnCtx = new DefaultSPAuthnContextMapper();
        SPCache.authCtxObjHash.put(hostEntityID + "|" + realm, spAuthnCtx);
    }
    return spAuthnCtx;
}

Example 12 with AuthnContext

use of com.sun.identity.saml2.assertion.AuthnContext in project OpenAM by OpenRock.

the class IDPSSOUtil method getAuthnStatement.

/**
     * Returns a <code>SAML AuthnStatement</code> object.
     *
     * @param request The HTTP request.
     * @param session The user's session.
     * @param isNewSessionIndex A returned flag from which the caller knows if the session index in the returned
     *                          <code>AuthnStatement</code> is a new session index.
     * @param authnReq The <code>AuthnRequest</code> object.
     * @param idpEntityID The entity ID of the identity provider.
     * @param realm The realm name.
     * @param matchingAuthnContext The <code>AuthnContext</code> used to find authentication type and scheme.
     * @return The <code>SAML AuthnStatement</code> object.
     * @throws SAML2Exception If the operation is not successful.
     */
private static AuthnStatement getAuthnStatement(HttpServletRequest request, Object session, NewBoolean isNewSessionIndex, AuthnRequest authnReq, String idpEntityID, String realm, AuthnContext matchingAuthnContext) throws SAML2Exception {
    String classMethod = "IDPSSOUtil.getAuthnStatement: ";
    AuthnStatement authnStatement = AssertionFactory.getInstance().createAuthnStatement();
    Date authInstant = null;
    // will be used when we add SubjectLocality to the statement
    try {
        String[] values = sessionProvider.getProperty(session, SessionProvider.AUTH_INSTANT);
        if (values != null && values.length != 0 && values[0] != null && values[0].length() != 0) {
            authInstant = DateUtils.stringToDate(values[0]);
        }
    } catch (Exception e) {
        SAML2Utils.debug.error(classMethod + "exception retrieving info from the session: ", e);
        throw new SAML2Exception(SAML2Utils.bundle.getString("errorGettingAuthnStatement"));
    }
    if (authInstant == null) {
        authInstant = new Date();
    }
    authnStatement.setAuthnInstant(authInstant);
    AuthnContext authnContext = matchingAuthnContext;
    if (authnContext == null) {
        String authLevel = null;
        try {
            String[] values = sessionProvider.getProperty(session, SessionProvider.AUTH_LEVEL);
            if (values != null && values.length != 0 && values[0] != null && values[0].length() != 0) {
                authLevel = values[0];
            }
        } catch (Exception e) {
            SAML2Utils.debug.error(classMethod + "exception retrieving auth level info from the session: ", e);
            throw new SAML2Exception(SAML2Utils.bundle.getString("errorGettingAuthnStatement"));
        }
        IDPAuthnContextMapper idpAuthnContextMapper = getIDPAuthnContextMapper(realm, idpEntityID);
        authnContext = idpAuthnContextMapper.getAuthnContextFromAuthLevel(authLevel, realm, idpEntityID);
    }
    final Response idpResponse = (Response) request.getAttribute(SAML2Constants.SAML_PROXY_IDP_RESPONSE_KEY);
    if (idpResponse != null) {
        // IdP proxy case: we already received an assertion from the remote IdP and now the IdP proxy is generating
        // a new SAML response for the SP.
        Set<String> authenticatingAuthorities = new LinkedHashSet<String>();
        final List<Assertion> assertions = idpResponse.getAssertion();
        for (Assertion assertion : assertions) {
            authenticatingAuthorities.addAll(extractAuthenticatingAuthorities(assertion));
        }
        // According to SAML profile 4.1.4.2 each assertion within the SAML Response MUST have the same issuer, so
        // this should suffice. We should have at least one assertion, since the IdP proxy's SP already accepted it.
        authenticatingAuthorities.add(assertions.iterator().next().getIssuer().getValue());
        authnContext.setAuthenticatingAuthority(new ArrayList<String>(authenticatingAuthorities));
    }
    authnStatement.setAuthnContext(authnContext);
    String sessionIndex = getSessionIndex(session);
    if (sessionIndex == null) {
        // new sessionIndex
        sessionIndex = SAML2Utils.generateIDWithServerID();
        try {
            String[] values = { sessionIndex };
            sessionProvider.setProperty(session, SAML2Constants.IDP_SESSION_INDEX, values);
        } catch (SessionException e) {
            SAML2Utils.debug.error(classMethod + "error setting session index into the session: ", e);
            throw new SAML2Exception(SAML2Utils.bundle.getString("errorGettingAuthnStatement"));
        }
        isNewSessionIndex.setValue(true);
    } else {
        isNewSessionIndex.setValue(false);
    }
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(classMethod + "SessionIndex (in AuthnStatement) =" + sessionIndex);
    }
    if (sessionIndex != null) {
        Set authContextSet = (HashSet) IDPCache.authnContextCache.get(sessionIndex);
        if (authContextSet == null || authContextSet.isEmpty()) {
            authContextSet = new HashSet();
        }
        authContextSet.add(authnContext);
        // cache the AuthContext to use in the case of session upgrade.
        IDPCache.authnContextCache.put(sessionIndex, authContextSet);
        authnStatement.setSessionIndex(sessionIndex);
    }
    return authnStatement;
}

Example 13 with AuthnContext

use of com.sun.identity.saml2.assertion.AuthnContext in project OpenAM by OpenRock.

the class DiscoveryBootstrap method getResourceOffering.

/**
     * Gets the discovery bootstrap resource offering for the user.
     * @return Discovery Resource Offering String
     * @exception  SAML2Exception if there's any failure.
     */
private String getResourceOffering(String authnContextClassRef, Subject subject, String wscID, String realm) throws SAML2Exception {
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("DiscoveryBootstrap.getResourceOffering:Init");
    }
    DiscoEntryElement discoEntry = DiscoServiceManager.getBootstrappingDiscoEntry();
    if (discoEntry == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingUnivID"));
    }
    String[] values = null;
    try {
        values = SessionManager.getProvider().getProperty(session, Constants.UNIVERSAL_IDENTIFIER);
    } catch (SessionException se) {
        throw new SAML2Exception(se);
    }
    if ((values == null) || (values.length == 0)) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingDiscoOffering"));
    }
    String univID = values[0];
    try {
        ResourceOfferingType offering = discoEntry.getResourceOffering();
        ServiceInstanceType serviceInstance = offering.getServiceInstance();
        String providerID = serviceInstance.getProviderID();
        if (!DiscoServiceManager.useImpliedResource()) {
            ResourceIDMapper idMapper = DiscoServiceManager.getResourceIDMapper(providerID);
            if (idMapper == null) {
                idMapper = DiscoServiceManager.getDefaultResourceIDMapper();
            }
            ObjectFactory fac = new ObjectFactory();
            ResourceIDType resourceID = fac.createResourceIDType();
            String resourceIDValue = idMapper.getResourceID(providerID, univID);
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("DiscoveryBootstrap.getResourceOffering: " + "ResourceID Value:" + resourceIDValue);
            }
            resourceID.setValue(resourceIDValue);
            offering.setResourceID(resourceID);
        } else {
            ObjectFactory fac = new com.sun.identity.liberty.ws.disco.jaxb.ObjectFactory();
            ResourceIDType resourceID = fac.createResourceIDType();
            resourceID.setValue(DiscoConstants.IMPLIED_RESOURCE);
            offering.setResourceID(resourceID);
        }
        List discoEntryList = new ArrayList();
        discoEntryList.add(discoEntry);
        SessionSubject sessionSubject = null;
        if (DiscoServiceManager.encryptNIinSessionContext()) {
            IDPSSODescriptorElement idpSSODesc = SAML2Utils.getSAML2MetaManager().getIDPSSODescriptor(realm, providerID);
            EncInfo encInfo = KeyUtil.getEncInfo(idpSSODesc, wscID, SAML2Constants.IDP_ROLE);
            NameIdentifier ni = EncryptedNameIdentifier.getEncryptedNameIdentifier(convertSPNameID(subject.getNameID()), providerID, encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength());
            sessionSubject = new SessionSubject(ni, convertSC(subject.getSubjectConfirmation()), convertIDPNameID(subject.getNameID()));
        } else {
            sessionSubject = new SessionSubject(convertSPNameID(subject.getNameID()), convertSC(subject.getSubjectConfirmation()), convertIDPNameID(subject.getNameID()));
        }
        AuthnContext authnContext = new AuthnContext(authnContextClassRef, null);
        authnContext.setMinorVersion(IFSConstants.FF_12_PROTOCOL_MINOR_VERSION);
        SessionContext invocatorSession = new SessionContext(sessionSubject, authnContext, providerID);
        Map map = DiscoUtils.checkPolicyAndHandleDirectives(univID, null, discoEntryList, null, invocatorSession, wscID, session);
        List offerings = (List) map.get(DiscoUtils.OFFERINGS);
        if (offerings.isEmpty()) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("DiscoveryBootstrap.getResourceOffering:" + "no ResourceOffering");
            }
            throw new SAML2Exception(SAML2Utils.bundle.getString("missingDiscoOffering"));
        }
        ResourceOffering resourceOffering = (ResourceOffering) offerings.get(0);
        assertions = (List) map.get(DiscoUtils.CREDENTIALS);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("DiscoveryBootstrap.getResourceOffering: " + "Resource Offering:" + resourceOffering);
        }
        return resourceOffering.toString();
    } catch (Exception ex) {
        SAML2Utils.debug.error("DiscoveryBootstrap.getResourceOffering:" + "Exception while creating resource offering.", ex);
        throw new SAML2Exception(ex);
    }
}

Example 14 with AuthnContext

use of com.sun.identity.saml2.assertion.AuthnContext in project OpenAM by OpenRock.

the class IDPProxyUtil method sendProxyResponse.

/**
     * Sends the proxy authentication response to the proxying service
     * provider which has originally requested for the authentication.
     * @param request HttpServletRequest 
     * @param response HttpServletResponse
     * @param out the print writer for writing out presentation
     * @param requestID request ID 
     * @param idpMetaAlias meta Alias 
     * @param newSession Session object
     * @throws SAML2Exception for any SAML2 failure.
     */
private static void sendProxyResponse(HttpServletRequest request, HttpServletResponse response, PrintWriter out, String requestID, String idpMetaAlias, Object newSession, String nameIDFormat) throws SAML2Exception {
    String classMethod = "IDPProxyUtil.sendProxyResponse: ";
    AuthnRequest origRequest = null;
    origRequest = (AuthnRequest) IDPCache.proxySPAuthnReqCache.get(requestID);
    if (SAML2Utils.debug.messageEnabled()) {
        try {
            SAML2Utils.debug.message(classMethod + origRequest.toXMLString());
        } catch (Exception ex) {
            SAML2Utils.debug.error(classMethod + "toString(): Failed.", ex);
        }
    }
    IDPCache.proxySPAuthnReqCache.remove(requestID);
    String proxySPEntityId = origRequest.getIssuer().getValue();
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(classMethod + ":Original requesting service provider id:" + proxySPEntityId);
    }
    // Save the SP provider id based on the token id
    IDPCache.spSessionPartnerBySessionID.put(sessionProvider.getSessionID(newSession), proxySPEntityId);
    //TODO: set AuthnContext
    /*AuthnContext authnContextStm;
        if (authnContextStmt != null) {
            String authnContext = authnContextStmt.getAuthnContextClassRef();
            session.setAuthnContext(authnContext);
        }*/
    String relayState = (String) IDPCache.relayStateCache.get(origRequest.getID());
    IDPSSOUtil.doSSOFederate(request, response, out, origRequest, origRequest.getIssuer().getValue(), idpMetaAlias, nameIDFormat, relayState, newSession, null);
}

Example 15 with AuthnContext

use of com.sun.identity.saml2.assertion.AuthnContext in project OpenAM by OpenRock.

the class AuthnQueryUtil method processAuthnQuery.

/**
     * This method processes the <code>AuthnQuery</code> coming
     * from a requester.
     *
     * @param authnQuery the <code>AuthnQuery</code> object
     * @param request the <code>HttpServletRequest</code> object
     * @param response the <code>HttpServletResponse</code> object
     * @param authnAuthorityEntityID entity ID of authentication authority
     * @param realm the realm of hosted entity
     *
     * @return the <code>Response</code> object
     * @exception SAML2Exception if the operation is not successful
     */
public static Response processAuthnQuery(AuthnQuery authnQuery, HttpServletRequest request, HttpServletResponse response, String authnAuthorityEntityID, String realm) throws SAML2Exception {
    try {
        verifyAuthnQuery(authnQuery, authnAuthorityEntityID, realm);
    } catch (SAML2Exception se) {
        SAML2Utils.debug.error("AuthnQueryUtil.processAuthnQuery:", se);
        return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER, null, se.getMessage(), null);
    }
    Issuer issuer = authnQuery.getIssuer();
    String spEntityID = issuer.getValue();
    AuthnAuthorityDescriptorElement aad = null;
    SAML2MetaManager metaManager = SAML2Utils.getSAML2MetaManager();
    try {
        aad = metaManager.getAuthnAuthorityDescriptor(realm, authnAuthorityEntityID);
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error("AuthnQueryUtil.processAuthnQuery:", sme);
        return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.RESPONDER, null, SAML2Utils.bundle.getString("metaDataError"), null);
    }
    if (aad == null) {
        return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER, null, SAML2Utils.bundle.getString("authnAuthorityNotFound"), null);
    }
    NameID nameID = getNameID(authnQuery.getSubject(), realm, authnAuthorityEntityID);
    if (nameID == null) {
        return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER, SAML2Constants.UNKNOWN_PRINCIPAL, null, null);
    }
    IDPAccountMapper idpAcctMapper = SAML2Utils.getIDPAccountMapper(realm, authnAuthorityEntityID);
    String userID = idpAcctMapper.getIdentity(nameID, authnAuthorityEntityID, spEntityID, realm);
    if (userID == null) {
        return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER, SAML2Constants.UNKNOWN_PRINCIPAL, null, null);
    }
    IDPAuthnContextMapper idpAuthnContextMapper = IDPSSOUtil.getIDPAuthnContextMapper(realm, authnAuthorityEntityID);
    // get assertion for matching authncontext using session
    List returnAssertions = new ArrayList();
    String qSessionIndex = authnQuery.getSessionIndex();
    RequestedAuthnContext requestedAC = authnQuery.getRequestedAuthnContext();
    List assertions = null;
    String cacheKey = userID.toLowerCase();
    AssertionFactory assertionFactory = AssertionFactory.getInstance();
    if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AuthnQueryUtil.processAuthnQuery: " + "getting user assertions from DB. user = " + cacheKey);
        }
        List list = null;
        try {
            list = SAML2FailoverUtils.retrieveSAML2TokensWithSecondaryKey(cacheKey);
        } catch (SAML2TokenRepositoryException se) {
            SAML2Utils.debug.error("AuthnQueryUtil.processAuthnQuery: " + "Unable to obtain user assertions from CTS Repository. user = " + cacheKey, se);
        }
        if (list != null && !list.isEmpty()) {
            assertions = new ArrayList();
            for (Iterator iter = list.iterator(); iter.hasNext(); ) {
                String assertionStr = (String) iter.next();
                assertions.add(assertionFactory.createAssertion(assertionStr));
            }
        }
    } else {
        assertions = (List) IDPCache.assertionCache.get(cacheKey);
    }
    if ((assertions != null) && (!assertions.isEmpty())) {
        synchronized (assertions) {
            for (Iterator aIter = assertions.iterator(); aIter.hasNext(); ) {
                Assertion assertion = (Assertion) aIter.next();
                if (!assertion.isTimeValid()) {
                    if (SAML2Utils.debug.messageEnabled()) {
                        SAML2Utils.debug.message("AuthnQueryUtil.processAuthnQuery: " + " assertion " + assertion.getID() + " expired.");
                    }
                    continue;
                }
                List authnStmts = assertion.getAuthnStatements();
                for (Iterator asIter = authnStmts.iterator(); asIter.hasNext(); ) {
                    AuthnStatement authnStmt = (AuthnStatement) asIter.next();
                    AuthnContext authnStmtAC = authnStmt.getAuthnContext();
                    String sessionIndex = authnStmt.getSessionIndex();
                    String authnStmtACClassRef = authnStmtAC.getAuthnContextClassRef();
                    if (SAML2Utils.debug.messageEnabled()) {
                        SAML2Utils.debug.message("AuthnQueryUtil.processAuthnQuery: " + "authnStmtACClassRef is " + authnStmtACClassRef + ", sessionIndex = " + sessionIndex);
                    }
                    if ((qSessionIndex != null) && (qSessionIndex.length() != 0) && (!qSessionIndex.equals(sessionIndex))) {
                        continue;
                    }
                    if (requestedAC != null) {
                        List requestedACClassRefs = requestedAC.getAuthnContextClassRef();
                        String comparison = requestedAC.getComparison();
                        if (idpAuthnContextMapper.isAuthnContextMatching(requestedACClassRefs, authnStmtACClassRef, comparison, realm, authnAuthorityEntityID)) {
                            returnAssertions.add(assertion);
                            break;
                        }
                    } else {
                        returnAssertions.add(assertion);
                        break;
                    }
                }
            }
        }
    // end assertion iterator while.
    }
    ProtocolFactory protocolFactory = ProtocolFactory.getInstance();
    Response samlResp = protocolFactory.createResponse();
    if (!returnAssertions.isEmpty()) {
        samlResp.setAssertion(returnAssertions);
    }
    samlResp.setID(SAML2Utils.generateID());
    samlResp.setInResponseTo(authnQuery.getID());
    samlResp.setVersion(SAML2Constants.VERSION_2_0);
    samlResp.setIssueInstant(new Date());
    Status status = protocolFactory.createStatus();
    StatusCode statusCode = protocolFactory.createStatusCode();
    statusCode.setValue(SAML2Constants.SUCCESS);
    status.setStatusCode(statusCode);
    samlResp.setStatus(status);
    Issuer respIssuer = assertionFactory.createIssuer();
    respIssuer.setValue(authnAuthorityEntityID);
    samlResp.setIssuer(respIssuer);
    signResponse(samlResp, authnAuthorityEntityID, realm, false);
    return samlResp;
}