Search in sources :

Example 6 with AuthnStatement

use of com.sun.identity.saml2.assertion.AuthnStatement in project OpenAM by OpenRock.

the class IDPSSOUtil method extractAuthenticatingAuthorities.

private static List<String> extractAuthenticatingAuthorities(Assertion assertion) {
    final List<String> authenticatingAuthorities = new ArrayList<String>();
    final List<AuthnStatement> authnStatements = assertion.getAuthnStatements();
    if (authnStatements != null) {
        for (AuthnStatement authnStatement : authnStatements) {
            final List<String> authorities = authnStatement.getAuthnContext().getAuthenticatingAuthority();
            if (authorities != null) {
                authenticatingAuthorities.addAll(authorities);
            }
        }
    }
    return authenticatingAuthorities;
}
Also used : ArrayList(java.util.ArrayList) AuthnStatement(com.sun.identity.saml2.assertion.AuthnStatement)

Example 7 with AuthnStatement

use of com.sun.identity.saml2.assertion.AuthnStatement in project OpenAM by OpenRock.

the class AssertionImpl method makeImmutable.

/**
    * Makes the object immutable
    */
@Override
public void makeImmutable() {
    if (isMutable) {
        if (authnStatements != null) {
            int length = authnStatements.size();
            for (int i = 0; i < length; i++) {
                AuthnStatement authn = (AuthnStatement) authnStatements.get(i);
                authn.makeImmutable();
            }
            authnStatements = Collections.unmodifiableList(authnStatements);
        }
        if (authzDecisionStatements != null) {
            int length = authzDecisionStatements.size();
            for (int i = 0; i < length; i++) {
                AuthzDecisionStatement authz = (AuthzDecisionStatement) authzDecisionStatements.get(i);
                authz.makeImmutable();
            }
            authzDecisionStatements = Collections.unmodifiableList(authzDecisionStatements);
        }
        if (attributeStatements != null) {
            int length = attributeStatements.size();
            for (int i = 0; i < length; i++) {
                AttributeStatement attr = (AttributeStatement) attributeStatements.get(i);
                attr.makeImmutable();
            }
            attributeStatements = Collections.unmodifiableList(attributeStatements);
        }
        if (statements != null) {
            statements = Collections.unmodifiableList(statements);
        }
        if (conditions != null) {
            conditions.makeImmutable();
        }
        if (issuer != null) {
            issuer.makeImmutable();
        }
        if (subject != null) {
            subject.makeImmutable();
        }
        if (advice != null) {
            advice.makeImmutable();
        }
        isMutable = false;
    }
}
Also used : AttributeStatement(com.sun.identity.saml2.assertion.AttributeStatement) AuthzDecisionStatement(com.sun.identity.saml2.assertion.AuthzDecisionStatement) AuthnStatement(com.sun.identity.saml2.assertion.AuthnStatement)

Example 8 with AuthnStatement

use of com.sun.identity.saml2.assertion.AuthnStatement in project OpenAM by OpenRock.

the class AuthnStatementImpl method parseElement.

// used by the constructors.
private void parseElement(Element element) throws SAML2Exception {
    // make sure that the input xml block is not null
    if (element == null) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("AuthnStatementImpl.parseElement: " + "Input is null.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
    }
    // Make sure this is an AuthnStatement.
    if (!SAML2SDKUtils.checkStatement(element, "AuthnStatement")) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("AuthnStatementImpl.parseElement: " + "not AuthnStatement.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("wrongInput"));
    }
    // handle the attributes of <AuthnStatement> element
    NamedNodeMap atts = ((Node) element).getAttributes();
    if (atts != null) {
        Node att = atts.getNamedItem("AuthnInstant");
        if (att != null) {
            try {
                authnInstant = DateUtils.stringToDate(((Attr) att).getValue().trim());
            } catch (ParseException pe) {
                throw new SAML2Exception(pe.getMessage());
            }
        }
        att = atts.getNamedItem("SessionIndex");
        if (att != null) {
            sessionIndex = ((Attr) att).getValue().trim();
        }
        att = atts.getNamedItem("SessionNotOnOrAfter");
        if (att != null) {
            try {
                sessionNotOnOrAfter = DateUtils.stringToDate(((Attr) att).getValue().trim());
            } catch (ParseException pe) {
                throw new SAML2Exception(pe.getMessage());
            }
        }
    }
    // handle the sub elementsof the AuthnStatment
    NodeList nl = element.getChildNodes();
    Node child;
    String childName;
    int length = nl.getLength();
    for (int i = 0; i < length; i++) {
        child = nl.item(i);
        if ((childName = child.getLocalName()) != null) {
            if (childName.equals("SubjectLocality")) {
                if (subjectLocality != null) {
                    if (SAML2SDKUtils.debug.messageEnabled()) {
                        SAML2SDKUtils.debug.message("AuthnStatementImpl." + "parseElement: included more than one Subject" + "Locality.");
                    }
                    throw new SAML2Exception(SAML2SDKUtils.bundle.getString("moreElement"));
                }
                if (authnContext != null) {
                    if (SAML2SDKUtils.debug.messageEnabled()) {
                        SAML2SDKUtils.debug.message("AuthnStatementImpl." + "parseElement: SubjectLocality is out of " + "sequence.");
                    }
                    throw new SAML2Exception(SAML2SDKUtils.bundle.getString("schemaViolation"));
                }
                subjectLocality = AssertionFactory.getInstance().createSubjectLocality((Element) child);
            } else if (childName.equals("AuthnContext")) {
                if (authnContext != null) {
                    if (SAML2SDKUtils.debug.messageEnabled()) {
                        SAML2SDKUtils.debug.message("AuthnStatementImpl." + "parseElement: included more than one " + "AuthnContext.");
                    }
                    throw new SAML2Exception(SAML2SDKUtils.bundle.getString("moreElement"));
                }
                authnContext = AssertionFactory.getInstance().createAuthnContext((Element) child);
            } else {
                if (SAML2SDKUtils.debug.messageEnabled()) {
                    SAML2SDKUtils.debug.message("AuthnStatementImpl.parse" + "Element: Invalid element:" + childName);
                }
                throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidElement"));
            }
        }
    }
    validateData();
    mutable = false;
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) NamedNodeMap(org.w3c.dom.NamedNodeMap) Node(org.w3c.dom.Node) NodeList(org.w3c.dom.NodeList) Element(org.w3c.dom.Element) ParseException(java.text.ParseException) Attr(org.w3c.dom.Attr)

Example 9 with AuthnStatement

use of com.sun.identity.saml2.assertion.AuthnStatement in project OpenAM by OpenRock.

the class IDPSSOUtil method getAuthnStatement.

/**
     * Returns a <code>SAML AuthnStatement</code> object.
     *
     * @param request The HTTP request.
     * @param session The user's session.
     * @param isNewSessionIndex A returned flag from which the caller knows if the session index in the returned
     *                          <code>AuthnStatement</code> is a new session index.
     * @param authnReq The <code>AuthnRequest</code> object.
     * @param idpEntityID The entity ID of the identity provider.
     * @param realm The realm name.
     * @param matchingAuthnContext The <code>AuthnContext</code> used to find authentication type and scheme.
     * @return The <code>SAML AuthnStatement</code> object.
     * @throws SAML2Exception If the operation is not successful.
     */
private static AuthnStatement getAuthnStatement(HttpServletRequest request, Object session, NewBoolean isNewSessionIndex, AuthnRequest authnReq, String idpEntityID, String realm, AuthnContext matchingAuthnContext) throws SAML2Exception {
    String classMethod = "IDPSSOUtil.getAuthnStatement: ";
    AuthnStatement authnStatement = AssertionFactory.getInstance().createAuthnStatement();
    Date authInstant = null;
    // will be used when we add SubjectLocality to the statement
    try {
        String[] values = sessionProvider.getProperty(session, SessionProvider.AUTH_INSTANT);
        if (values != null && values.length != 0 && values[0] != null && values[0].length() != 0) {
            authInstant = DateUtils.stringToDate(values[0]);
        }
    } catch (Exception e) {
        SAML2Utils.debug.error(classMethod + "exception retrieving info from the session: ", e);
        throw new SAML2Exception(SAML2Utils.bundle.getString("errorGettingAuthnStatement"));
    }
    if (authInstant == null) {
        authInstant = new Date();
    }
    authnStatement.setAuthnInstant(authInstant);
    AuthnContext authnContext = matchingAuthnContext;
    if (authnContext == null) {
        String authLevel = null;
        try {
            String[] values = sessionProvider.getProperty(session, SessionProvider.AUTH_LEVEL);
            if (values != null && values.length != 0 && values[0] != null && values[0].length() != 0) {
                authLevel = values[0];
            }
        } catch (Exception e) {
            SAML2Utils.debug.error(classMethod + "exception retrieving auth level info from the session: ", e);
            throw new SAML2Exception(SAML2Utils.bundle.getString("errorGettingAuthnStatement"));
        }
        IDPAuthnContextMapper idpAuthnContextMapper = getIDPAuthnContextMapper(realm, idpEntityID);
        authnContext = idpAuthnContextMapper.getAuthnContextFromAuthLevel(authLevel, realm, idpEntityID);
    }
    final Response idpResponse = (Response) request.getAttribute(SAML2Constants.SAML_PROXY_IDP_RESPONSE_KEY);
    if (idpResponse != null) {
        // IdP proxy case: we already received an assertion from the remote IdP and now the IdP proxy is generating
        // a new SAML response for the SP.
        Set<String> authenticatingAuthorities = new LinkedHashSet<String>();
        final List<Assertion> assertions = idpResponse.getAssertion();
        for (Assertion assertion : assertions) {
            authenticatingAuthorities.addAll(extractAuthenticatingAuthorities(assertion));
        }
        // According to SAML profile 4.1.4.2 each assertion within the SAML Response MUST have the same issuer, so
        // this should suffice. We should have at least one assertion, since the IdP proxy's SP already accepted it.
        authenticatingAuthorities.add(assertions.iterator().next().getIssuer().getValue());
        authnContext.setAuthenticatingAuthority(new ArrayList<String>(authenticatingAuthorities));
    }
    authnStatement.setAuthnContext(authnContext);
    String sessionIndex = getSessionIndex(session);
    if (sessionIndex == null) {
        // new sessionIndex
        sessionIndex = SAML2Utils.generateIDWithServerID();
        try {
            String[] values = { sessionIndex };
            sessionProvider.setProperty(session, SAML2Constants.IDP_SESSION_INDEX, values);
        } catch (SessionException e) {
            SAML2Utils.debug.error(classMethod + "error setting session index into the session: ", e);
            throw new SAML2Exception(SAML2Utils.bundle.getString("errorGettingAuthnStatement"));
        }
        isNewSessionIndex.setValue(true);
    } else {
        isNewSessionIndex.setValue(false);
    }
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(classMethod + "SessionIndex (in AuthnStatement) =" + sessionIndex);
    }
    if (sessionIndex != null) {
        Set authContextSet = (HashSet) IDPCache.authnContextCache.get(sessionIndex);
        if (authContextSet == null || authContextSet.isEmpty()) {
            authContextSet = new HashSet();
        }
        authContextSet.add(authnContext);
        // cache the AuthContext to use in the case of session upgrade.
        IDPCache.authnContextCache.put(sessionIndex, authContextSet);
        authnStatement.setSessionIndex(sessionIndex);
    }
    return authnStatement;
}
Also used : LinkedHashSet(java.util.LinkedHashSet) IDPAuthnContextMapper(com.sun.identity.saml2.plugins.IDPAuthnContextMapper) Set(java.util.Set) HashSet(java.util.HashSet) LinkedHashSet(java.util.LinkedHashSet) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) Assertion(com.sun.identity.saml2.assertion.Assertion) SessionException(com.sun.identity.plugin.session.SessionException) Date(java.util.Date) SAML2InvalidNameIDPolicyException(com.sun.identity.saml2.common.SAML2InvalidNameIDPolicyException) SessionException(com.sun.identity.plugin.session.SessionException) COTException(com.sun.identity.cot.COTException) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException) IOException(java.io.IOException) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) AuthnContext(com.sun.identity.saml2.assertion.AuthnContext) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) ECPResponse(com.sun.identity.saml2.ecp.ECPResponse) Response(com.sun.identity.saml2.protocol.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) AuthnStatement(com.sun.identity.saml2.assertion.AuthnStatement) HashSet(java.util.HashSet) LinkedHashSet(java.util.LinkedHashSet)

Example 10 with AuthnStatement

use of com.sun.identity.saml2.assertion.AuthnStatement in project OpenAM by OpenRock.

the class AuthnQueryUtil method processAuthnQuery.

/**
     * This method processes the <code>AuthnQuery</code> coming
     * from a requester.
     *
     * @param authnQuery the <code>AuthnQuery</code> object
     * @param request the <code>HttpServletRequest</code> object
     * @param response the <code>HttpServletResponse</code> object
     * @param authnAuthorityEntityID entity ID of authentication authority
     * @param realm the realm of hosted entity
     *
     * @return the <code>Response</code> object
     * @exception SAML2Exception if the operation is not successful
     */
public static Response processAuthnQuery(AuthnQuery authnQuery, HttpServletRequest request, HttpServletResponse response, String authnAuthorityEntityID, String realm) throws SAML2Exception {
    try {
        verifyAuthnQuery(authnQuery, authnAuthorityEntityID, realm);
    } catch (SAML2Exception se) {
        SAML2Utils.debug.error("AuthnQueryUtil.processAuthnQuery:", se);
        return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER, null, se.getMessage(), null);
    }
    Issuer issuer = authnQuery.getIssuer();
    String spEntityID = issuer.getValue();
    AuthnAuthorityDescriptorElement aad = null;
    SAML2MetaManager metaManager = SAML2Utils.getSAML2MetaManager();
    try {
        aad = metaManager.getAuthnAuthorityDescriptor(realm, authnAuthorityEntityID);
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error("AuthnQueryUtil.processAuthnQuery:", sme);
        return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.RESPONDER, null, SAML2Utils.bundle.getString("metaDataError"), null);
    }
    if (aad == null) {
        return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER, null, SAML2Utils.bundle.getString("authnAuthorityNotFound"), null);
    }
    NameID nameID = getNameID(authnQuery.getSubject(), realm, authnAuthorityEntityID);
    if (nameID == null) {
        return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER, SAML2Constants.UNKNOWN_PRINCIPAL, null, null);
    }
    IDPAccountMapper idpAcctMapper = SAML2Utils.getIDPAccountMapper(realm, authnAuthorityEntityID);
    String userID = idpAcctMapper.getIdentity(nameID, authnAuthorityEntityID, spEntityID, realm);
    if (userID == null) {
        return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER, SAML2Constants.UNKNOWN_PRINCIPAL, null, null);
    }
    IDPAuthnContextMapper idpAuthnContextMapper = IDPSSOUtil.getIDPAuthnContextMapper(realm, authnAuthorityEntityID);
    // get assertion for matching authncontext using session
    List returnAssertions = new ArrayList();
    String qSessionIndex = authnQuery.getSessionIndex();
    RequestedAuthnContext requestedAC = authnQuery.getRequestedAuthnContext();
    List assertions = null;
    String cacheKey = userID.toLowerCase();
    AssertionFactory assertionFactory = AssertionFactory.getInstance();
    if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AuthnQueryUtil.processAuthnQuery: " + "getting user assertions from DB. user = " + cacheKey);
        }
        List list = null;
        try {
            list = SAML2FailoverUtils.retrieveSAML2TokensWithSecondaryKey(cacheKey);
        } catch (SAML2TokenRepositoryException se) {
            SAML2Utils.debug.error("AuthnQueryUtil.processAuthnQuery: " + "Unable to obtain user assertions from CTS Repository. user = " + cacheKey, se);
        }
        if (list != null && !list.isEmpty()) {
            assertions = new ArrayList();
            for (Iterator iter = list.iterator(); iter.hasNext(); ) {
                String assertionStr = (String) iter.next();
                assertions.add(assertionFactory.createAssertion(assertionStr));
            }
        }
    } else {
        assertions = (List) IDPCache.assertionCache.get(cacheKey);
    }
    if ((assertions != null) && (!assertions.isEmpty())) {
        synchronized (assertions) {
            for (Iterator aIter = assertions.iterator(); aIter.hasNext(); ) {
                Assertion assertion = (Assertion) aIter.next();
                if (!assertion.isTimeValid()) {
                    if (SAML2Utils.debug.messageEnabled()) {
                        SAML2Utils.debug.message("AuthnQueryUtil.processAuthnQuery: " + " assertion " + assertion.getID() + " expired.");
                    }
                    continue;
                }
                List authnStmts = assertion.getAuthnStatements();
                for (Iterator asIter = authnStmts.iterator(); asIter.hasNext(); ) {
                    AuthnStatement authnStmt = (AuthnStatement) asIter.next();
                    AuthnContext authnStmtAC = authnStmt.getAuthnContext();
                    String sessionIndex = authnStmt.getSessionIndex();
                    String authnStmtACClassRef = authnStmtAC.getAuthnContextClassRef();
                    if (SAML2Utils.debug.messageEnabled()) {
                        SAML2Utils.debug.message("AuthnQueryUtil.processAuthnQuery: " + "authnStmtACClassRef is " + authnStmtACClassRef + ", sessionIndex = " + sessionIndex);
                    }
                    if ((qSessionIndex != null) && (qSessionIndex.length() != 0) && (!qSessionIndex.equals(sessionIndex))) {
                        continue;
                    }
                    if (requestedAC != null) {
                        List requestedACClassRefs = requestedAC.getAuthnContextClassRef();
                        String comparison = requestedAC.getComparison();
                        if (idpAuthnContextMapper.isAuthnContextMatching(requestedACClassRefs, authnStmtACClassRef, comparison, realm, authnAuthorityEntityID)) {
                            returnAssertions.add(assertion);
                            break;
                        }
                    } else {
                        returnAssertions.add(assertion);
                        break;
                    }
                }
            }
        }
    // end assertion iterator while.
    }
    ProtocolFactory protocolFactory = ProtocolFactory.getInstance();
    Response samlResp = protocolFactory.createResponse();
    if (!returnAssertions.isEmpty()) {
        samlResp.setAssertion(returnAssertions);
    }
    samlResp.setID(SAML2Utils.generateID());
    samlResp.setInResponseTo(authnQuery.getID());
    samlResp.setVersion(SAML2Constants.VERSION_2_0);
    samlResp.setIssueInstant(new Date());
    Status status = protocolFactory.createStatus();
    StatusCode statusCode = protocolFactory.createStatusCode();
    statusCode.setValue(SAML2Constants.SUCCESS);
    status.setStatusCode(statusCode);
    samlResp.setStatus(status);
    Issuer respIssuer = assertionFactory.createIssuer();
    respIssuer.setValue(authnAuthorityEntityID);
    samlResp.setIssuer(respIssuer);
    signResponse(samlResp, authnAuthorityEntityID, realm, false);
    return samlResp;
}
Also used : Status(com.sun.identity.saml2.protocol.Status) AuthnAuthorityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement) IDPAccountMapper(com.sun.identity.saml2.plugins.IDPAccountMapper) IDPAuthnContextMapper(com.sun.identity.saml2.plugins.IDPAuthnContextMapper) Issuer(com.sun.identity.saml2.assertion.Issuer) NameID(com.sun.identity.saml2.assertion.NameID) ArrayList(java.util.ArrayList) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) Assertion(com.sun.identity.saml2.assertion.Assertion) SAML2MetaManager(com.sun.identity.saml2.meta.SAML2MetaManager) StatusCode(com.sun.identity.saml2.protocol.StatusCode) Date(java.util.Date) RequestedAuthnContext(com.sun.identity.saml2.protocol.RequestedAuthnContext) AuthnContext(com.sun.identity.saml2.assertion.AuthnContext) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) ProtocolFactory(com.sun.identity.saml2.protocol.ProtocolFactory) Response(com.sun.identity.saml2.protocol.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) RequestedAuthnContext(com.sun.identity.saml2.protocol.RequestedAuthnContext) AssertionFactory(com.sun.identity.saml2.assertion.AssertionFactory) Iterator(java.util.Iterator) AuthnStatement(com.sun.identity.saml2.assertion.AuthnStatement) ArrayList(java.util.ArrayList) List(java.util.List) SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)

Aggregations

AuthnStatement (com.sun.identity.saml2.assertion.AuthnStatement)8 SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)7 Date (java.util.Date)6 ArrayList (java.util.ArrayList)5 Assertion (com.sun.identity.saml2.assertion.Assertion)3 AttributeStatement (com.sun.identity.saml2.assertion.AttributeStatement)3 AuthnContext (com.sun.identity.saml2.assertion.AuthnContext)3 EncryptedAssertion (com.sun.identity.saml2.assertion.EncryptedAssertion)3 List (java.util.List)3 SAML2TokenRepositoryException (org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)3 SessionException (com.sun.identity.plugin.session.SessionException)2 AuthzDecisionStatement (com.sun.identity.saml2.assertion.AuthzDecisionStatement)2 Issuer (com.sun.identity.saml2.assertion.Issuer)2 SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)2 IDPAuthnContextMapper (com.sun.identity.saml2.plugins.IDPAuthnContextMapper)2 RequestedAuthnContext (com.sun.identity.saml2.protocol.RequestedAuthnContext)2 Response (com.sun.identity.saml2.protocol.Response)2 HttpServletResponse (javax.servlet.http.HttpServletResponse)2 COTException (com.sun.identity.cot.COTException)1 AssertionFactory (com.sun.identity.saml2.assertion.AssertionFactory)1