
Example 11 with EncryptedID

use of com.sun.identity.saml2.assertion.EncryptedID in project OpenAM by OpenRock.

the class SubjectImpl method processElement.

/**
 * Populates this subject from a DOM {@code <Subject>} element.
 *
 * The first child element may be a {@code <BaseID>}, {@code <NameID>}, {@code <EncryptedID>} or a
 * {@code <SubjectConfirmation>}; every further child element must be a {@code <SubjectConfirmation>}.
 * Non-element child nodes (whitespace text, comments) are skipped throughout.
 *
 * @param element the {@code <Subject>} element to parse
 * @throws SAML2Exception if the element is null, has no local name, is not a {@code <Subject>},
 *         has no child elements, or contains an unexpected child element
 */
private void processElement(Element element) throws SAML2Exception {
    if (element == null) {
        SAML2SDKUtils.debug.error("SubjectImpl.processElement(): invalid root element");
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalid_element"));
    }
    final String rootName = element.getLocalName();
    if (rootName == null) {
        SAML2SDKUtils.debug.error("SubjectImpl.processElement(): local name missing");
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("missing_local_name"));
    }
    if (!rootName.equals(SUBJECT_ELEMENT)) {
        SAML2SDKUtils.debug.error("SubjectImpl.processElement(): invalid local name " + rootName);
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalid_local_name"));
    }
    final NodeList children = element.getChildNodes();
    final int count = children.getLength();
    if (count < 1) {
        SAML2SDKUtils.debug.error("SubjectImpl.processElement(): subject has no subelements");
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("missing_subelements"));
    }
    // Advance past leading non-element nodes to the first child element.
    int pos = 0;
    Node first = children.item(pos);
    while (first.getNodeType() != Node.ELEMENT_NODE) {
        pos++;
        if (pos >= count) {
            SAML2SDKUtils.debug.error("SubjectImpl.processElement(): subject has no subelements");
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("missing_subelements"));
        }
        first = children.item(pos);
    }
    // NOTE(review): dispatch is on the local name only; the child's namespace URI is not compared here.
    final String firstName = first.getLocalName();
    if (firstName != null) {
        if (firstName.equals(SUBJECT_CONFIRMATION_ELEMENT)) {
            subjectConfirmations.add(AssertionFactory.getInstance().createSubjectConfirmation((Element) first));
        } else if (firstName.equals(BASE_ID_ELEMENT)) {
            baseId = AssertionFactory.getInstance().createBaseID((Element) first);
        } else if (firstName.equals(NAME_ID_ELEMENT)) {
            nameId = AssertionFactory.getInstance().createNameID((Element) first);
        } else if (firstName.equals(ENCRYPTED_ID_ELEMENT)) {
            encryptedId = AssertionFactory.getInstance().createEncryptedID((Element) first);
        } else {
            SAML2SDKUtils.debug.error("SubjectImpl.processElement(): unexpected subelement " + firstName);
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("unexpected_subelement"));
        }
    }
    // Everything after the first child element must be a <SubjectConfirmation>; element nodes
    // without a local name are passed over like non-element nodes.
    for (int i = pos + 1; i < count; i++) {
        final Node next = children.item(i);
        if (next.getNodeType() != Node.ELEMENT_NODE) {
            continue;
        }
        final String nextName = next.getLocalName();
        if (nextName == null) {
            continue;
        }
        if (!nextName.equals(SUBJECT_CONFIRMATION_ELEMENT)) {
            SAML2SDKUtils.debug.error("SubjectImpl.processElement(): unexpected subelement " + nextName);
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("unexpected_subelement"));
        }
        subjectConfirmations.add(AssertionFactory.getInstance().createSubjectConfirmation((Element) next));
    }
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) NodeList(org.w3c.dom.NodeList) Node(org.w3c.dom.Node) Element(org.w3c.dom.Element)

Example 12 with EncryptedID

use of com.sun.identity.saml2.assertion.EncryptedID in project OpenAM by OpenRock.

the class SubjectImpl method toXMLString.

/**
 * Serializes this subject to its XML form.
 *
 * At most one of {@code BaseID}, {@code NameID} and {@code EncryptedID} may be set, and a subject
 * with none of them must carry at least one {@code SubjectConfirmation}; both rules are enforced
 * here, at serialization time.
 *
 * @param includeNSPrefix whether the assertion namespace prefix is prepended to the element names
 * @param declareNS whether the assertion namespace declaration is emitted on the root element
 * @return the {@code <Subject>} element as a String
 * @throws SAML2Exception if more than one identifier type is set, or if neither an identifier
 *         nor a subject confirmation is present
 */
public String toXMLString(boolean includeNSPrefix, boolean declareNS) throws SAML2Exception {
    final String prefix = includeNSPrefix ? SAML2Constants.ASSERTION_PREFIX : "";
    final String nsDecl = declareNS ? SAML2Constants.ASSERTION_DECLARE_STR : "";
    final StringBuilder xml = new StringBuilder(2000);
    xml.append('<').append(prefix).append(SUBJECT_ELEMENT).append(nsDecl).append(">\n");
    // Counts the identifier forms emitted so far; anything beyond the first is an error.
    int idCount = 0;
    if (baseId != null) {
        xml.append(baseId.toXMLString(includeNSPrefix, false));
        idCount++;
    }
    if (nameId != null) {
        if (idCount > 0) {
            SAML2SDKUtils.debug.error("SubjectImpl.toXMLString(): " + "more than one types of id specified");
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("too_many_ids_specified"));
        }
        xml.append(nameId.toXMLString(includeNSPrefix, false));
        idCount++;
    }
    if (encryptedId != null) {
        if (idCount > 0) {
            SAML2SDKUtils.debug.error("SubjectImpl.toXMLString(): " + "more than one types of id specified");
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("too_many_ids_specified"));
        }
        xml.append(encryptedId.toXMLString(includeNSPrefix, false));
        idCount++;
    }
    if (subjectConfirmations.isEmpty()) {
        if (idCount == 0) {
            SAML2SDKUtils.debug.error("SubjectImpl.toXMLString(): Need at " + "least one id or one subject confirmation in a subject");
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("need_at_least_one_id_or_on_SubjectConfirmation"));
        }
    } else {
        for (Object confirmation : subjectConfirmations) {
            xml.append(((SubjectConfirmation) confirmation).toXMLString(includeNSPrefix, false));
        }
    }
    xml.append("</").append(prefix).append(SUBJECT_ELEMENT).append('>');
    return xml.toString();
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) SubjectConfirmation(com.sun.identity.saml2.assertion.SubjectConfirmation)

Example 13 with EncryptedID

use of com.sun.identity.saml2.assertion.EncryptedID in project OpenAM by OpenRock.

the class AttributeQueryUtil method processAttributeQuery.

/**
 * Processes the <code>AttributeQuery</code> coming
 * from a requester.
 *
 * The requester is first authenticated and the query validated through the configured
 * {@code AttributeAuthorityMapper}; any failure short-circuits into a SAML error
 * {@code Response}. On success the mapped identity's attributes are filtered to the
 * requested (and permitted) set and returned in a signed <code>Response</code>.
 *
 * @param attrQuery the <code>AttributeQuery</code> object
 * @param request the <code>HttpServletRequest</code> object
 * @param response the <code>HttpServletResponse</code> object
 * @param attrAuthorityEntityID entity ID of attribute authority
 * @param realm the realm of hosted entity
 * @param attrQueryProfileAlias the attribute query profile alias
 *
 * @return the <code>Response</code> object; either a success response carrying the
 *         (possibly encrypted) assertion, or an error response describing the failure
 * @exception SAML2Exception if the operation is not successful
 */
public static Response processAttributeQuery(AttributeQuery attrQuery, HttpServletRequest request, HttpServletResponse response, String attrAuthorityEntityID, String realm, String attrQueryProfileAlias) throws SAML2Exception {
    AttributeAuthorityMapper attrAuthorityMapper = getAttributeAuthorityMapper(realm, attrAuthorityEntityID, attrQueryProfileAlias);
    String attrQueryProfile = AttributeQueryUtil.getAttributeQueryProfile(attrQueryProfileAlias);
    // Requester authentication failure is reported back as a REQUESTER error and only logged
    // at message level.
    try {
        attrAuthorityMapper.authenticateRequester(request, response, attrQuery, attrAuthorityEntityID, realm);
    } catch (SAML2Exception se) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AttributeQueryUtil." + "processAttributeQuery: ", se);
        }
        // NOTE(review): se.getMessage() is echoed to the requester in the status message here and
        // in the later catch blocks — confirm these messages carry no internal detail.
        return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.REQUESTER, null, se.getMessage(), null);
    }
    try {
        attrAuthorityMapper.validateAttributeQuery(request, response, attrQuery, attrAuthorityEntityID, realm);
    } catch (SAML2Exception se) {
        SAML2Utils.debug.error("AttributeQueryUtil.processAttributeQuery:", se);
        return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.REQUESTER, null, se.getMessage(), null);
    }
    // The query's Issuer identifies the requesting entity for the rest of the processing.
    // NOTE(review): issuer is dereferenced without a null check; presumably validateAttributeQuery
    // guarantees its presence — confirm.
    Issuer issuer = attrQuery.getIssuer();
    String requesterEntityID = issuer.getValue();
    AttributeAuthorityDescriptorElement aad = null;
    try {
        aad = metaManager.getAttributeAuthorityDescriptor(realm, attrAuthorityEntityID);
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error("AttributeQueryUtil.processAttributeQuery:", sme);
        return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.RESPONDER, null, SAML2Utils.bundle.getString("metaDataError"), null);
    }
    if (aad == null) {
        return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.REQUESTER, null, SAML2Utils.bundle.getString("attrAuthorityNotFound"), null);
    }
    // Resolve the subject of the query to a local identity; an unresolvable subject is an
    // UNKNOWN_PRINCIPAL error, whether the mapper threw or returned null.
    Object identity = null;
    try {
        identity = attrAuthorityMapper.getIdentity(request, response, attrQuery, attrAuthorityEntityID, realm);
    } catch (SAML2Exception se) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AttributeQueryUtil." + "processAttributeQuery: ", se);
        }
        return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.REQUESTER, SAML2Constants.UNKNOWN_PRINCIPAL, se.getMessage(), null);
    }
    if (identity == null) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AttributeQueryUtil." + "processAttributeQuery: unable to find identity.");
        }
        return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.REQUESTER, SAML2Constants.UNKNOWN_PRINCIPAL, null, null);
    }
    // Addition to support changing of desired attributes list: a server-side request attribute
    // set by an earlier component may replace the attribute list carried in the query itself.
    List desiredAttrs = (List) request.getAttribute("AttributeQueryUtil-desiredAttrs");
    if (desiredAttrs == null) {
        desiredAttrs = attrQuery.getAttributes();
    }
    // The requested attributes are checked against the ones the authority publishes in its
    // metadata; the failure reason is not logged, only reported as INVALID_ATTR_NAME_OR_VALUE.
    try {
        desiredAttrs = verifyDesiredAttributes(aad.getAttribute(), desiredAttrs);
    } catch (SAML2Exception se) {
        return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.REQUESTER, SAML2Constants.INVALID_ATTR_NAME_OR_VALUE, null, null);
    }
    List attributes = attrAuthorityMapper.getAttributes(identity, attrQuery, attrAuthorityEntityID, realm);
    // Optionally expose the unfiltered attribute list to later server-side components.
    if (request.getAttribute("AttributeQueryUtil-storeAllAttributes") != null) {
        request.setAttribute("AttributeQueryUtil-allAttributes", attributes);
    }
    attributes = filterAttributes(attributes, desiredAttrs);
    ProtocolFactory protocolFactory = ProtocolFactory.getInstance();
    Response samlResp = protocolFactory.createResponse();
    List assertionList = new ArrayList();
    Assertion assertion = null;
    try {
        assertion = getAssertion(attrQuery, attrAuthorityEntityID, requesterEntityID, realm, attrQueryProfileAlias, attributes);
    } catch (SAML2Exception se) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AttributeQueryUtil.processAttributeQuery:", se);
        }
        return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.RESPONDER, null, se.getMessage(), null);
    }
    // If the query's Subject carried an EncryptedID, the assertion is signed and then encrypted;
    // otherwise the plaintext assertion is returned as-is and only the enclosing Response is
    // signed (see signResponse below).
    EncryptedID encryptedID = attrQuery.getSubject().getEncryptedID();
    if (encryptedID != null) {
        EncryptedAssertion encryptedAssertion = null;
        try {
            signAssertion(assertion, realm, attrAuthorityEntityID, false);
            encryptedAssertion = encryptAssertion(assertion, encryptedID, attrAuthorityEntityID, requesterEntityID, realm, attrQueryProfileAlias);
        } catch (SAML2Exception se) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("AttributeQueryUtil.processAttributeQuery:", se);
            }
            return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.RESPONDER, null, se.getMessage(), null);
        }
        assertionList.add(encryptedAssertion);
        samlResp.setEncryptedAssertion(assertionList);
    } else {
        assertionList.add(assertion);
        samlResp.setAssertion(assertionList);
    }
    // Standard success envelope: fresh ID, correlation to the query, version, timestamp, status.
    samlResp.setID(SAML2Utils.generateID());
    samlResp.setInResponseTo(attrQuery.getID());
    samlResp.setVersion(SAML2Constants.VERSION_2_0);
    samlResp.setIssueInstant(new Date());
    Status status = protocolFactory.createStatus();
    StatusCode statusCode = protocolFactory.createStatusCode();
    statusCode.setValue(SAML2Constants.SUCCESS);
    status.setStatusCode(statusCode);
    samlResp.setStatus(status);
    Issuer respIssuer = AssertionFactory.getInstance().createIssuer();
    respIssuer.setValue(attrAuthorityEntityID);
    samlResp.setIssuer(respIssuer);
    signResponse(samlResp, attrAuthorityEntityID, realm, false);
    return samlResp;
}
Also used : Status(com.sun.identity.saml2.protocol.Status) Issuer(com.sun.identity.saml2.assertion.Issuer) AttributeAuthorityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.AttributeAuthorityDescriptorElement) ArrayList(java.util.ArrayList) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) Assertion(com.sun.identity.saml2.assertion.Assertion) EncryptedID(com.sun.identity.saml2.assertion.EncryptedID) StatusCode(com.sun.identity.saml2.protocol.StatusCode) Date(java.util.Date) AttributeAuthorityMapper(com.sun.identity.saml2.plugins.AttributeAuthorityMapper) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) ProtocolFactory(com.sun.identity.saml2.protocol.ProtocolFactory) Response(com.sun.identity.saml2.protocol.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) List(java.util.List) ArrayList(java.util.ArrayList) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)

Example 14 with EncryptedID

use of com.sun.identity.saml2.assertion.EncryptedID in project OpenAM by OpenRock.

the class DoManageNameID method saveMNIRequestInfo.

/**
 * Caches the outgoing {@code ManageNameIDRequest} under its ID so the matching response can be
 * correlated later, in the SP or IDP cache depending on {@code hostEntityRole}.
 *
 * When the request carries an {@code EncryptedID}, the cached copy is rebuilt from XML with the
 * encrypted identifiers stripped (so it holds the plain {@code NameID}/{@code NewID} values), and the
 * original request is then restored to carry only the encrypted forms.
 *
 * @param request the current servlet request
 * @param response the current servlet response
 * @param paramsMap request parameters stored alongside the request; the session is added under
 *        {@code SAML2Constants.SESSION}
 * @param mniRequest the request to cache; temporarily mutated when it carries an EncryptedID
 * @param relayState the relay state to remember for the response
 * @param hostEntityRole role of the hosted entity; compared case-insensitively against SP_ROLE,
 *        anything else selects the IDP cache
 * @param session the session object associated with the request
 * @throws SAML2Exception if re-creating the request from its XML form fails
 */
private static void saveMNIRequestInfo(HttpServletRequest request, HttpServletResponse response, Map paramsMap, ManageNameIDRequest mniRequest, String relayState, String hostEntityRole, Object session) throws SAML2Exception {
    final String method = "saveMNIRequestInfo: ";
    if (debug.messageEnabled()) {
        debug.message(method + "hostEntityRole : " + hostEntityRole);
    }
    final NameID nameID = mniRequest.getNameID();
    final EncryptedID encryptedID = mniRequest.getEncryptedID();
    ManageNameIDRequest requestToStore;
    if (encryptedID == null) {
        requestToStore = mniRequest;
    } else {
        final NewEncryptedID newEncryptedID = mniRequest.getNewEncryptedID();
        // Serialize without the encrypted identifiers to obtain a cacheable plain copy ...
        mniRequest.setEncryptedID(null);
        mniRequest.setNewEncryptedID(null);
        requestToStore = (ManageNameIDRequest) pf.createManageNameIDRequest(mniRequest.toXMLString(true, true));
        // ... then leave the original carrying only the encrypted forms.
        mniRequest.setNameID(null);
        mniRequest.setNewID(null);
        mniRequest.setEncryptedID(encryptedID);
        mniRequest.setNewEncryptedID(newEncryptedID);
    }
    paramsMap.put(SAML2Constants.SESSION, session);
    final ManageNameIDRequestInfo reqInfo = new ManageNameIDRequestInfo(request, response, requestToStore, relayState, paramsMap, session);
    reqInfo.setNameID(nameID);
    final boolean hostedAsSP = hostEntityRole.equalsIgnoreCase(SAML2Constants.SP_ROLE);
    if (hostedAsSP) {
        SPCache.mniRequestHash.put(mniRequest.getID(), reqInfo);
    } else {
        IDPCache.mniRequestHash.put(mniRequest.getID(), reqInfo);
    }
}
Also used : NewEncryptedID(com.sun.identity.saml2.protocol.NewEncryptedID) ManageNameIDRequest(com.sun.identity.saml2.protocol.ManageNameIDRequest) NameID(com.sun.identity.saml2.assertion.NameID) NewEncryptedID(com.sun.identity.saml2.protocol.NewEncryptedID) EncryptedID(com.sun.identity.saml2.assertion.EncryptedID)

Example 15 with EncryptedID

use of com.sun.identity.saml2.assertion.EncryptedID in project OpenAM by OpenRock.

the class SPACSUtils method getPrincipalWithoutLogin.

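/**
 * Returns the username if there was one from the Assertion we were able to map into a local user account. Returns
 * null if not. Should only be used from the SP side. Should only be called in conjuncture with the Auth Module.
 * In addition, it performs what attribute federation it can.
 *
 * This method is a picked apart version of the "processResponse" function.
 *
 * @param assertionSubject the assertion's {@code Subject}; an {@code EncryptedID}, when present, is decrypted with
 *        the SP's decryption keys and takes precedence over a plain {@code NameID}
 * @param authnAssertion the authentication assertion handed to the account mapper
 * @param realm the realm of the hosted SP
 * @param spEntityId entity ID of the hosted SP
 * @param metaManager metadata manager used to read the SP's configuration and descriptor
 * @param idpEntityId entity ID of the IdP that issued the assertion
 * @param storageKey key under which federation data is written for a newly linked persistent account
 * @return the mapped local username, or {@code null} if no account could be mapped
 * @throws SAML2Exception if the SP requires an encrypted NameID but none is present, if the SP descriptor cannot be
 *         read, or if the NameID format is not one the SP's metadata accepts
 */
public static String getPrincipalWithoutLogin(Subject assertionSubject, Assertion authnAssertion, String realm, String spEntityId, SAML2MetaManager metaManager, String idpEntityId, String storageKey) throws SAML2Exception {
    final EncryptedID encId = assertionSubject.getEncryptedID();
    final SPSSOConfigElement spssoconfig = metaManager.getSPSSOConfig(realm, spEntityId);
    final Set<PrivateKey> decryptionKeys = KeyUtil.getDecryptionKeys(spssoconfig);
    final SPAccountMapper acctMapper = SAML2Utils.getSPAccountMapper(realm, spEntityId);
    boolean needNameIDEncrypted = false;
    NameID nameId = assertionSubject.getNameID();
    // An encrypted NameID is only demanded when the SP does not already expect the whole assertion to be encrypted.
    String assertionEncryptedAttr = SAML2Utils.getAttributeValueFromSPSSOConfig(spssoconfig, SAML2Constants.WANT_ASSERTION_ENCRYPTED);
    if (assertionEncryptedAttr == null || !Boolean.parseBoolean(assertionEncryptedAttr)) {
        String idEncryptedStr = SAML2Utils.getAttributeValueFromSPSSOConfig(spssoconfig, SAML2Constants.WANT_NAMEID_ENCRYPTED);
        if (idEncryptedStr != null && Boolean.parseBoolean(idEncryptedStr)) {
            needNameIDEncrypted = true;
        }
    }
    if (needNameIDEncrypted && encId == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("nameIDNotEncrypted"));
    }
    // The decrypted identifier replaces any plain NameID carried alongside it.
    if (encId != null) {
        nameId = encId.decrypt(decryptionKeys);
    }
    SPSSODescriptorElement spDesc = null;
    try {
        spDesc = metaManager.getSPSSODescriptor(realm, spEntityId);
    } catch (SAML2MetaException ex) {
        SAML2Utils.debug.error("Unable to read SPSSODescription", ex);
    }
    if (spDesc == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    // NOTE(review): nameId is dereferenced without a null check; a subject with neither a NameID nor an
    // EncryptedID would fail with a NullPointerException here rather than a SAML2Exception — confirm callers
    // validate the subject first.
    final String nameIDFormat = nameId.getFormat();
    // Reject formats the SP's metadata explicitly lists as unsupported; an empty list accepts any format.
    if (nameIDFormat != null) {
        List spNameIDFormatList = spDesc.getNameIDFormat();
        if (CollectionUtils.isNotEmpty(spNameIDFormatList) && !spNameIDFormatList.contains(nameIDFormat)) {
            Object[] args = { nameIDFormat };
            throw new SAML2Exception(SAML2Utils.BUNDLE_NAME, "unsupportedNameIDFormatSP", args);
        }
    }
    final boolean isTransient = SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(nameIDFormat);
    final boolean isPersistent = SAML2Constants.PERSISTENT.equals(nameIDFormat);
    final boolean ignoreProfile = SAML2PluginsUtils.isIgnoredProfile(realm);
    // Persistent identifiers are always looked up; other non-transient formats only when the account mapper asks for it.
    final boolean shouldPersistNameID = isPersistent || (!isTransient && !ignoreProfile && acctMapper.shouldPersistNameIDFormat(realm, spEntityId, idpEntityId, nameIDFormat));
    String userName = null;
    boolean isNewAccountLink = false;
    try {
        if (shouldPersistNameID) {
            try {
                userName = SAML2Utils.getDataStoreProvider().getUserID(realm, SAML2Utils.getNameIDKeyMap(nameId, spEntityId, idpEntityId, realm, SAML2Constants.SP_ROLE));
            } catch (DataStoreProviderException dse) {
                // A data store failure is an infrastructure problem, not a mapping miss; record it before it is
                // folded into the "no user" outcome below (the rethrown SAML2Exception does not carry the cause).
                SAML2Utils.debug.error("SPACSUtils.getPrincipalWithoutLogin: data store lookup failed", dse);
                throw new SAML2Exception(dse.getMessage());
            }
        }
        //if we can't get an already linked account, see if we'll be generating a new one based on federated data
        if (userName == null) {
            userName = acctMapper.getIdentity(authnAssertion, spEntityId, realm);
            //we'll use this later to inform us
            isNewAccountLink = true;
        }
    } catch (SAML2Exception se) {
        // Returning null on a mapping failure is the documented contract, but the reason should not vanish.
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("SPACSUtils.getPrincipalWithoutLogin: unable to map assertion to a local user", se);
        }
        return null;
    }
    //if we're new and we're persistent, store the federation data in the user pref
    if (isNewAccountLink && isPersistent) {
        try {
            writeFedData(nameId, spEntityId, realm, metaManager, idpEntityId, userName, storageKey);
        } catch (SAML2Exception se) {
            // The user is still returned, but the persistent link was not stored; log so the missing
            // federation record can be traced later.
            SAML2Utils.debug.error("SPACSUtils.getPrincipalWithoutLogin: failed to write federation data for " + spEntityId, se);
            return userName;
        }
    }
    return userName;
}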
Also used : DataStoreProviderException(com.sun.identity.plugin.datastore.DataStoreProviderException) PrivateKey(java.security.PrivateKey) NameID(com.sun.identity.saml2.assertion.NameID) SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) SPSSOConfigElement(com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement) EncryptedID(com.sun.identity.saml2.assertion.EncryptedID) SPAccountMapper(com.sun.identity.saml2.plugins.SPAccountMapper) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) List(java.util.List) ArrayList(java.util.ArrayList) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)

Aggregations

EncryptedID (com.sun.identity.saml2.assertion.EncryptedID)19 SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)19 NameID (com.sun.identity.saml2.assertion.NameID)13 ArrayList (java.util.ArrayList)7 Element (org.w3c.dom.Element)7 Subject (com.sun.identity.saml2.assertion.Subject)6 EncInfo (com.sun.identity.saml2.key.EncInfo)6 List (java.util.List)6 DataStoreProviderException (com.sun.identity.plugin.datastore.DataStoreProviderException)5 AssertionFactory (com.sun.identity.saml2.assertion.AssertionFactory)5 SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)5 ProtocolFactory (com.sun.identity.saml2.protocol.ProtocolFactory)5 Node (org.w3c.dom.Node)5 NodeList (org.w3c.dom.NodeList)5 SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)4 NewEncryptedID (com.sun.identity.saml2.protocol.NewEncryptedID)4 PrivateKey (java.security.PrivateKey)4 Assertion (com.sun.identity.saml2.assertion.Assertion)3 IDPSSOConfigElement (com.sun.identity.saml2.jaxb.entityconfig.IDPSSOConfigElement)3 SPSSOConfigElement (com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement)3