Use of com.sun.identity.saml2.assertion.EncryptedAssertion in project OpenAM by OpenRock.
The class KeyInfoConfirmationDataImpl, method parseElement.
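/**
 * Populates this object from a {@code <KeyInfoConfirmationData>} DOM element.
 * <p>
 * The element is rejected when it is {@code null} or when its local name is
 * not {@code elementName}; otherwise its attributes, content and
 * {@code KeyInfo} children are handed to the dedicated parse helpers.
 *
 * @param element the DOM element to parse
 * @throws SAML2Exception if {@code element} is {@code null} ("nullInput") or
 *         is not a {@code KeyInfoConfirmationData} element ("wrongInput")
 */
private void parseElement(Element element) throws SAML2Exception {
    final String classMethod = "KeyInfoConfirmationDataImpl.parseElement: ";

    // Reject a null input block before touching it.
    if (element == null) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message(classMethod + "Input is null.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
    }

    // Make sure this is a KeyInfoConfirmationData element. The local name is
    // compared so that the namespace prefix used by the sender does not matter.
    String tag = element.getLocalName();
    if (tag == null || !tag.equals(elementName)) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            // Name the element this parser expects (the old message referred to
            // an unrelated element type).
            SAML2SDKUtils.debug.message(classMethod + "not KeyInfoConfirmationData.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("wrongInput"));
    }

    // Handle the attributes of the <KeyInfoConfirmationData> element, then
    // its textual content and its KeyInfo children.
    NamedNodeMap attrs = element.getAttributes();
    parseAttributes(attrs);
    parseContent(element);
    parseKeyInfo(element);
}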
Use of com.sun.identity.saml2.assertion.EncryptedAssertion in project OpenAM by OpenRock.
The class AttributeQueryUtil, method validateSAMLResponseForFedlet.
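/**
 * Validates the SAML response obtained from the Attribute Authority.
 * <p>
 * The response is accepted only when it is non-null, reports itself as
 * signed, carries an assertion list, and every assertion that could be
 * obtained from that list (decrypted first when
 * {@code wantNameIDEncrypted} is set) has at most one
 * {@code AudienceRestriction} and at most one {@code AttributeStatement}.
 * Assertions that decrypt to {@code null} are skipped.
 * <p>
 * NOTE(review): {@code isSigned()} only reports that a signature is
 * present; cryptographic verification of the signature and a check that
 * the audience matches {@code spEntityID} are not performed here. Confirm
 * that the caller or the transport layer does this.
 *
 * @param samlResp saml response
 * @param spEntityID SP entity ID, used to decrypt encrypted assertions
 * @param wantNameIDEncrypted whether the response is expected to carry
 *        {@code EncryptedAssertion} elements instead of plain assertions
 *
 * @return {@code true} if the response passes the checks above
 * @exception SAML2Exception if the operation is not successful
 *
 * @supported.api
 */
private static boolean validateSAMLResponseForFedlet(Response samlResp, String spEntityID, boolean wantNameIDEncrypted) throws SAML2Exception {
    if (samlResp == null || !samlResp.isSigned()) {
        return false;
    }
    List<?> assertions = wantNameIDEncrypted
            ? samlResp.getEncryptedAssertion()
            : samlResp.getAssertion();
    if (assertions == null) {
        return false;
    }
    for (Object current : assertions) {
        Assertion assertion = wantNameIDEncrypted
                ? getDecryptedAssertion((EncryptedAssertion) current, spEntityID)
                : (Assertion) current;
        // An assertion that could not be decrypted is ignored rather than
        // failing the whole response.
        if (assertion != null && !hasSingleRestrictionAndStatement(assertion)) {
            return false;
        }
    }
    return true;
}

/**
 * Checks the per-assertion shape rules used by
 * {@link #validateSAMLResponseForFedlet}: at most one
 * {@code AudienceRestriction} and at most one {@code AttributeStatement}.
 * A missing (null) list is treated like an empty one instead of throwing.
 *
 * @param assertion the (already decrypted) assertion, never {@code null}
 * @return {@code true} if the assertion satisfies both rules
 */
private static boolean hasSingleRestrictionAndStatement(Assertion assertion) {
    Conditions conditions = assertion.getConditions();
    if (conditions != null) {
        List<?> audienceRes = conditions.getAudienceRestrictions();
        if (audienceRes != null && audienceRes.size() > 1) {
            return false;
        }
    }
    List<?> statements = assertion.getAttributeStatements();
    return statements == null || statements.size() <= 1;
}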
Use of com.sun.identity.saml2.assertion.EncryptedAssertion in project OpenAM by OpenRock.
The class AttributeQueryUtil, method getAttributesForFedlet.
/**
 * Sends the AttributeQuery to the specified attribute authority on behalf
 * of a Fedlet, validates the response and returns the received attributes
 * as a <code>Map<String, Set<String>></code>.
 * <p>
 * The attribute query configuration and its MetaAlias are looked up for
 * <code>spEntityID</code> in the root realm ("/"); if either is missing
 * the method returns <code>null</code>. If the response does not pass
 * {@link #validateSAMLResponseForFedlet} an empty map is returned.
 *
 * @param spEntityID SP entity ID
 * @param idpEntityID IDP entity ID
 * @param nameIDValue NameID value
 * @param attrsList The list of attributes whose values need to be
 *        fetched from IDP
 * @param attrQueryProfileAlias Attribute Query Profile Alias; only the
 *        default and the X.509 subject aliases map to a profile URI, any
 *        other alias is sent with a <code>null</code> profile
 * @param subjectDN Attribute name which contains X.509 subject DN
 *
 * @return the <code>Map</code> of attribute names to value sets, or
 *         <code>null</code> when no attribute query configuration exists
 * @exception SAML2Exception if the operation is not successful
 *
 * @supported.api
 */
public static Map<String, Set<String>> getAttributesForFedlet(String spEntityID, String idpEntityID, String nameIDValue, List<String> attrsList, String attrQueryProfileAlias, String subjectDN) throws SAML2Exception {
    final String classMethod = "AttributeQueryUtil.getAttributesForFedlet: ";

    AttributeQueryConfigElement attrQueryConfig = metaManager.getAttributeQueryConfig("/", spEntityID);
    if (attrQueryConfig == null) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "Attribute Query Config is null");
        }
        return null;
    }
    String attrqMetaAlias = attrQueryConfig.getMetaAlias();
    if (attrqMetaAlias == null) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "Attribute Query MetaAlias is null");
        }
        return null;
    }

    boolean wantNameIDEncrypted = SAML2Utils.getWantNameIDEncrypted("/", spEntityID, SAML2Constants.ATTR_QUERY_ROLE);
    AttributeQuery attrQuery = constructAttrQueryForFedlet(spEntityID, idpEntityID, nameIDValue, attrsList, attrqMetaAlias, attrQueryProfileAlias, subjectDN, wantNameIDEncrypted);

    // Resolve the alias to the profile URI that is sent on the wire.
    String attrQueryProfile;
    if (attrQueryProfileAlias.equals(SAML2Constants.DEFAULT_ATTR_QUERY_PROFILE_ALIAS)) {
        attrQueryProfile = SAML2Constants.DEFAULT_ATTR_QUERY_PROFILE;
    } else if (attrQueryProfileAlias.equals(SAML2Constants.X509_SUBJECT_ATTR_QUERY_PROFILE_ALIAS)) {
        attrQueryProfile = SAML2Constants.X509_SUBJECT_ATTR_QUERY_PROFILE;
    } else {
        attrQueryProfile = null;
    }

    Response samlResp = sendAttributeQuery(attrQuery, idpEntityID, "/", attrQueryProfile, SAML2Constants.BASIC_ATTRIBUTE_PROFILE, SAML2Constants.SOAP);

    Map<String, Set<String>> attrMap = new HashMap<String, Set<String>>();
    if (!validateSAMLResponseForFedlet(samlResp, spEntityID, wantNameIDEncrypted)) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "Invalid response obtained from Attribute Authority");
        }
        return attrMap;
    }
    if (samlResp == null) {
        // validateSAMLResponseForFedlet already rejects a null response;
        // this guard is retained for safety.
        return attrMap;
    }

    List<?> assertions = wantNameIDEncrypted
            ? samlResp.getEncryptedAssertion()
            : samlResp.getAssertion();
    for (Object item : assertions) {
        Assertion assertion = wantNameIDEncrypted
                ? getDecryptedAssertion((EncryptedAssertion) item, spEntityID)
                : (Assertion) item;
        if (assertion == null) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "Empty Assertion present in SAML response");
            }
            continue;
        }
        List<AttributeStatement> statements = assertion.getAttributeStatements();
        if (statements == null || statements.isEmpty()) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "Empty Statement present in SAML response");
            }
            continue;
        }
        for (AttributeStatement statement : statements) {
            // putAll: a later statement overwrites an earlier entry that
            // carries the same attribute name.
            attrMap.putAll(mapAttributes("/", spEntityID, idpEntityID, nameIDValue, statement.getAttribute()));
        }
    }
    if (SAML2Utils.debug.messageEnabled()) {
        // This debug line writes attribute values, not only names, to the log.
        SAML2Utils.debug.message(classMethod + "attributes received from Attribute Query: " + attrMap);
    }
    return attrMap;
}
Use of com.sun.identity.saml2.assertion.EncryptedAssertion in project OpenAM by OpenRock.
The class AttributeQueryUtil, method processAttributeQuery.
/**
 * Processes the <code>AttributeQuery</code> coming
 * from a requester.
 * <p>
 * The steps run in this order, and each failing step is turned into a
 * SAML error <code>Response</code> instead of an exception: authenticate
 * the requester, validate the query, look up the attribute authority
 * descriptor, resolve the identity, verify and filter the requested
 * attributes, build an assertion (signed, and encrypted when the query
 * subject is an <code>EncryptedID</code>), then sign the response.
 *
 * @param attrQuery the <code>AttributeQuery</code> object
 * @param request the <code>HttpServletRequest</code> object
 * @param response the <code>HttpServletResponse</code> object
 * @param attrAuthorityEntityID entity ID of attribute authority
 * @param realm the realm of hosted entity
 * @param attrQueryProfileAlias the attribute query profile alias
 *
 * @return the <code>Response</code> object
 * @exception SAML2Exception if the operation is not successful
 */
public static Response processAttributeQuery(AttributeQuery attrQuery, HttpServletRequest request, HttpServletResponse response, String attrAuthorityEntityID, String realm, String attrQueryProfileAlias) throws SAML2Exception {
    AttributeAuthorityMapper attrAuthorityMapper = getAttributeAuthorityMapper(realm, attrAuthorityEntityID, attrQueryProfileAlias);
    String attrQueryProfile = AttributeQueryUtil.getAttributeQueryProfile(attrQueryProfileAlias);
    // Authenticate the requester before any data is looked up. The mapper's
    // exception message is echoed back to the requester in the error
    // response; NOTE(review): confirm these messages carry nothing sensitive.
    try {
        attrAuthorityMapper.authenticateRequester(request, response, attrQuery, attrAuthorityEntityID, realm);
    } catch (SAML2Exception se) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AttributeQueryUtil." + "processAttributeQuery: ", se);
        }
        return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.REQUESTER, null, se.getMessage(), null);
    }
    // Structural/policy validation of the query itself.
    try {
        attrAuthorityMapper.validateAttributeQuery(request, response, attrQuery, attrAuthorityEntityID, realm);
    } catch (SAML2Exception se) {
        SAML2Utils.debug.error("AttributeQueryUtil.processAttributeQuery:", se);
        return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.REQUESTER, null, se.getMessage(), null);
    }
    // NOTE(review): assumes the query carries an Issuer; a query without one
    // would throw NullPointerException here. Presumably validateAttributeQuery
    // rejects such queries — confirm against the mapper implementation.
    Issuer issuer = attrQuery.getIssuer();
    String requesterEntityID = issuer.getValue();
    AttributeAuthorityDescriptorElement aad = null;
    try {
        aad = metaManager.getAttributeAuthorityDescriptor(realm, attrAuthorityEntityID);
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error("AttributeQueryUtil.processAttributeQuery:", sme);
        return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.RESPONDER, null, SAML2Utils.bundle.getString("metaDataError"), null);
    }
    if (aad == null) {
        return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.REQUESTER, null, SAML2Utils.bundle.getString("attrAuthorityNotFound"), null);
    }
    // Resolve the subject of the query to a local identity; both a mapper
    // failure and a null result are reported as UNKNOWN_PRINCIPAL.
    Object identity = null;
    try {
        identity = attrAuthorityMapper.getIdentity(request, response, attrQuery, attrAuthorityEntityID, realm);
    } catch (SAML2Exception se) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AttributeQueryUtil." + "processAttributeQuery: ", se);
        }
        return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.REQUESTER, SAML2Constants.UNKNOWN_PRINCIPAL, se.getMessage(), null);
    }
    if (identity == null) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AttributeQueryUtil." + "processAttributeQuery: unable to find identity.");
        }
        return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.REQUESTER, SAML2Constants.UNKNOWN_PRINCIPAL, null, null);
    }
    // Addition to support changing of desired attributes list: a servlet
    // request attribute set earlier in the pipeline overrides the list of
    // attributes named in the query.
    List desiredAttrs = (List) request.getAttribute("AttributeQueryUtil-desiredAttrs");
    if (desiredAttrs == null) {
        desiredAttrs = attrQuery.getAttributes();
    }
    // Only attributes declared in the authority's metadata may be requested.
    try {
        desiredAttrs = verifyDesiredAttributes(aad.getAttribute(), desiredAttrs);
    } catch (SAML2Exception se) {
        return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.REQUESTER, SAML2Constants.INVALID_ATTR_NAME_OR_VALUE, null, null);
    }
    // Fetch every attribute for the identity, optionally stash the unfiltered
    // list on the request for the caller, then narrow to the desired ones.
    List attributes = attrAuthorityMapper.getAttributes(identity, attrQuery, attrAuthorityEntityID, realm);
    if (request.getAttribute("AttributeQueryUtil-storeAllAttributes") != null) {
        request.setAttribute("AttributeQueryUtil-allAttributes", attributes);
    }
    attributes = filterAttributes(attributes, desiredAttrs);
    ProtocolFactory protocolFactory = ProtocolFactory.getInstance();
    Response samlResp = protocolFactory.createResponse();
    List assertionList = new ArrayList();
    Assertion assertion = null;
    try {
        assertion = getAssertion(attrQuery, attrAuthorityEntityID, requesterEntityID, realm, attrQueryProfileAlias, attributes);
    } catch (SAML2Exception se) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AttributeQueryUtil.processAttributeQuery:", se);
        }
        return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.RESPONDER, null, se.getMessage(), null);
    }
    // NOTE(review): assumes the query carries a Subject (null would throw
    // NullPointerException here) — confirm validateAttributeQuery checks it.
    EncryptedID encryptedID = attrQuery.getSubject().getEncryptedID();
    if (encryptedID != null) {
        // The subject was encrypted, so the assertion is signed first and then
        // encrypted for the requester (sign-then-encrypt).
        EncryptedAssertion encryptedAssertion = null;
        try {
            signAssertion(assertion, realm, attrAuthorityEntityID, false);
            encryptedAssertion = encryptAssertion(assertion, encryptedID, attrAuthorityEntityID, requesterEntityID, realm, attrQueryProfileAlias);
        } catch (SAML2Exception se) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("AttributeQueryUtil.processAttributeQuery:", se);
            }
            return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.RESPONDER, null, se.getMessage(), null);
        }
        assertionList.add(encryptedAssertion);
        samlResp.setEncryptedAssertion(assertionList);
    } else {
        // Plain subject: the unsigned assertion is carried as-is; integrity
        // then rests on the response signature applied below.
        assertionList.add(assertion);
        samlResp.setAssertion(assertionList);
    }
    samlResp.setID(SAML2Utils.generateID());
    samlResp.setInResponseTo(attrQuery.getID());
    samlResp.setVersion(SAML2Constants.VERSION_2_0);
    samlResp.setIssueInstant(new Date());
    Status status = protocolFactory.createStatus();
    StatusCode statusCode = protocolFactory.createStatusCode();
    statusCode.setValue(SAML2Constants.SUCCESS);
    status.setStatusCode(statusCode);
    samlResp.setStatus(status);
    Issuer respIssuer = AssertionFactory.getInstance().createIssuer();
    respIssuer.setValue(attrAuthorityEntityID);
    samlResp.setIssuer(respIssuer);
    // Sign the complete response last, after all fields have been set.
    signResponse(samlResp, attrAuthorityEntityID, realm, false);
    return samlResp;
}
Use of com.sun.identity.saml2.assertion.EncryptedAssertion in project OpenAM by OpenRock.
The class ManageNameIDRequestImpl, method parseElement.
/**
 * Initialises this request from a {@code <ManageNameIDRequest>} DOM element.
 * <p>
 * The element's ID, Version and IssueInstant attributes are validated, the
 * Destination and Consent attributes copied, and each recognised child
 * element (Issuer, Signature, Extensions, NameID, EncryptedID, NewID,
 * NewEncryptedID, Terminate) is converted into the matching field.
 * Unrecognised children and children without a local name are ignored.
 * <p>
 * A {@code Signature} child only sets {@code isSigned} and stores the
 * element text; the signature is not verified by this method.
 *
 * @param element the DOM element to parse
 * @throws SAML2Exception if {@code element} is {@code null} ("nullInput"),
 *         is not a {@code ManageNameIDRequest} element ("wrongInput"), or
 *         one of the ID/Version/IssueInstant validations fails
 */
private void parseElement(Element element) throws SAML2Exception {
    AssertionFactory assertionFactory = AssertionFactory.getInstance();
    ProtocolFactory protocolFactory = ProtocolFactory.getInstance();

    // A null input block cannot be parsed.
    if (element == null) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("ManageNameIDRequestImpl.parseElement: Input is null.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
    }

    // Make sure this is a ManageNameIDRequest element (local name, so the
    // sender's namespace prefix does not matter).
    String localName = element.getLocalName();
    if (localName == null || !localName.equals(elementName)) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("ManageNameIDRequestImpl.parseElement:not ManageNameIDRequest.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("wrongInput"));
    }

    // Mandatory attributes are validated as they are read.
    requestId = element.getAttribute("ID");
    validateID(requestId);
    version = element.getAttribute(SAML2Constants.VERSION);
    validateVersion(version);
    validateIssueInstant(element.getAttribute("IssueInstant"));
    destinationURI = element.getAttribute("Destination");
    consent = element.getAttribute("Consent");

    NodeList children = element.getChildNodes();
    if (children == null) {
        return;
    }
    for (int idx = 0; idx < children.getLength(); idx++) {
        Node child = children.item(idx);
        String childName = child.getLocalName();
        if (childName == null) {
            // Text nodes and the like carry no local name.
            continue;
        }
        if (childName.equals("Issuer")) {
            nameID = assertionFactory.createIssuer((Element) child);
        } else if (childName.equals("Signature")) {
            signatureString = XMLUtils.getElementString((Element) child);
            isSigned = true;
        } else if (childName.equals("Extensions")) {
            extensions = protocolFactory.createExtensions((Element) child);
        } else if (childName.equals("NameID")) {
            nameid = assertionFactory.createNameID((Element) child);
        } else if (childName.equals("EncryptedID")) {
            encryptedID = assertionFactory.createEncryptedID((Element) child);
        } else if (childName.equals("NewID")) {
            newID = protocolFactory.createNewID((Element) child);
        } else if (childName.equals("NewEncryptedID")) {
            newEncryptedID = protocolFactory.createNewEncryptedID((Element) child);
        } else if (childName.equals("Terminate")) {
            terminate = true;
        }
    }
}