use of com.sun.identity.saml2.assertion.EncryptedID in project OpenAM by OpenRock.
the class DefaultLibrarySPAccountMapper method getIdentity.
/**
* Returns the user's distinguished name or the universal ID for the corresponding <code>SAML Assertion</code>. This
* method will be invoked by the <code>SAML</code> framework while processing the <code>Assertion</code> and
* retrieves the identity information.
* The implementation of this method first checks if the NameID-Format is transient and returns the transient user.
* Otherwise it checks for the user for the corresponding name identifier in the assertion.
* If not found, then it will check if this is an auto federation case.
*
* @param assertion <code>SAML Assertion</code> that needs to be mapped to the user.
* @param hostEntityID <code>EntityID</code> of the hosted provider.
* @param realm Realm or the organization name that may be used to find the user information.
* @return User's distinguished name or the universal ID.
* @throws SAML2Exception If there was any failure.
*/
@Override
public String getIdentity(Assertion assertion, String hostEntityID, String realm) throws SAML2Exception {
if (assertion == null) {
throw new SAML2Exception(bundle.getString("nullAssertion"));
}
if (hostEntityID == null) {
throw new SAML2Exception(bundle.getString("nullHostEntityID"));
}
if (realm == null) {
throw new SAML2Exception(bundle.getString("nullRealm"));
}
NameID nameID;
EncryptedID encryptedID = assertion.getSubject().getEncryptedID();
Set<PrivateKey> decryptionKeys = null;
if (encryptedID != null) {
decryptionKeys = KeyUtil.getDecryptionKeys(getSSOConfig(realm, hostEntityID));
nameID = encryptedID.decrypt(decryptionKeys);
} else {
nameID = assertion.getSubject().getNameID();
}
String userID = null;
String format = nameID.getFormat();
boolean isTransient = SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(format);
if (isTransient) {
userID = getTransientUser(realm, hostEntityID);
}
if (StringUtils.isNotEmpty(userID)) {
return userID;
}
// Check if this is an auto federation case.
userID = getAutoFedUser(realm, hostEntityID, assertion, nameID.getValue(), decryptionKeys);
if (StringUtils.isNotEmpty(userID)) {
return userID;
} else {
if (useNameIDAsSPUserID(realm, hostEntityID) && !isAutoFedEnabled(realm, hostEntityID)) {
if (debug.messageEnabled()) {
debug.message("DefaultLibrarySPAccountMapper.getIdentity: use NameID value as userID: " + nameID.getValue());
}
return nameID.getValue();
} else {
return null;
}
}
}
use of com.sun.identity.saml2.assertion.EncryptedID in project OpenAM by OpenRock.
the class AttributeQueryUtil method getIdentityFromDataStoreX509Subject.
public static String getIdentityFromDataStoreX509Subject(AttributeQuery attrQuery, String attrAuthorityEntityID, String realm) throws SAML2Exception {
Subject subject = attrQuery.getSubject();
NameID nameID = null;
EncryptedID encryptedID = subject.getEncryptedID();
if (encryptedID != null) {
nameID = encryptedID.decrypt(KeyUtil.getDecryptionKeys(realm, attrAuthorityEntityID, SAML2Constants.ATTR_AUTH_ROLE));
} else {
nameID = subject.getNameID();
}
if (!SAML2Constants.X509_SUBJECT_NAME.equals(nameID.getFormat())) {
throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedAttrQuerySubjectNameID"));
}
String mappingAttrName = getAttributeValueFromAttrAuthorityConfig(realm, attrAuthorityEntityID, SAML2Constants.X509_SUBJECT_DATA_STORE_ATTR_NAME);
if ((mappingAttrName == null) || (mappingAttrName.length() == 0)) {
throw new SAML2Exception(SAML2Utils.bundle.getString("x509SubjectMappingNotConfigured"));
}
String x509SubjectDN = nameID.getValue();
Map attrMap = new HashMap();
Set values = new HashSet();
values.add(x509SubjectDN);
attrMap.put(mappingAttrName, values);
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("AttributeQueryUtil.getIdentityFromDataStoreX509Subject: " + "mappingAttrName = " + mappingAttrName + ", X509 subject DN = " + x509SubjectDN);
}
try {
return dsProvider.getUserID(realm, attrMap);
} catch (DataStoreProviderException dse) {
SAML2Utils.debug.error("AttributeQueryUtil.getIdentityFromDataStoreX509Subject:", dse);
throw new SAML2Exception(dse.getMessage());
}
}
use of com.sun.identity.saml2.assertion.EncryptedID in project OpenAM by OpenRock.
the class AttributeQueryUtil method getIdentity.
public static String getIdentity(AttributeQuery attrQuery, String attrAuthorityEntityID, String realm) throws SAML2Exception {
Subject subject = attrQuery.getSubject();
NameID nameID = null;
EncryptedID encryptedID = subject.getEncryptedID();
if (encryptedID != null) {
nameID = encryptedID.decrypt(KeyUtil.getDecryptionKeys(realm, attrAuthorityEntityID, SAML2Constants.ATTR_AUTH_ROLE));
} else {
nameID = subject.getNameID();
}
String nameIDFormat = nameID.getFormat();
// NameIDFormat is "transient"
if (SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(nameIDFormat)) {
return (String) IDPCache.userIDByTransientNameIDValue.get(nameID.getValue());
} else // NameIDFormat is "unspecified"
if (SAML2Constants.UNSPECIFIED.equals(nameIDFormat)) {
Map userIDsSearchMap = new HashMap();
Set userIDValuesSet = new HashSet();
userIDValuesSet.add(nameID.getValue());
String userId = "uid";
IDPSSOConfigElement config = SAML2Utils.getSAML2MetaManager().getIDPSSOConfig(realm, attrAuthorityEntityID);
Map attrs = SAML2MetaUtils.getAttributes(config);
List nimAttrs = (List) attrs.get(SAML2Constants.NAME_ID_FORMAT_MAP);
for (Iterator i = nimAttrs.iterator(); i.hasNext(); ) {
String attrName = (String) i.next();
if (attrName != null && attrName.length() > 2 && attrName.startsWith(nameIDFormat)) {
int eqPos = attrName.indexOf('=');
if (eqPos != -1 && eqPos < attrName.length() - 2) {
userId = attrName.substring(eqPos + 1);
SAML2Utils.debug.message("AttributeQueryUtil.getIdentity: NameID attribute from map: " + userId);
break;
}
}
}
userIDsSearchMap.put(userId, userIDValuesSet);
try {
return dsProvider.getUserID(realm, userIDsSearchMap);
} catch (DataStoreProviderException dse) {
SAML2Utils.debug.error("AttributeQueryUtil.getIdentityFromDataStore1:", dse);
throw new SAML2Exception(dse.getMessage());
}
} else {
String requestedEntityID = attrQuery.getIssuer().getValue();
try {
return dsProvider.getUserID(realm, SAML2Utils.getNameIDKeyMap(nameID, attrAuthorityEntityID, requestedEntityID, realm, SAML2Constants.IDP_ROLE));
} catch (DataStoreProviderException dse) {
SAML2Utils.debug.error("AttributeQueryUtil.getIdentityFromDataStore:", dse);
throw new SAML2Exception(dse.getMessage());
}
}
}
use of com.sun.identity.saml2.assertion.EncryptedID in project OpenAM by OpenRock.
the class LogoutUtil method setNameIDForSLORequest.
public static void setNameIDForSLORequest(LogoutRequest request, NameID nameID, String realm, String hostEntity, String hostEntityRole, String remoteEntity) throws SAML2Exception, SessionException {
String method = "setNameIDForSLORequest: ";
boolean needEncryptIt = false;
if (hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
needEncryptIt = SAML2Utils.getWantNameIDEncrypted(realm, remoteEntity, SAML2Constants.SP_ROLE);
} else {
needEncryptIt = SAML2Utils.getWantNameIDEncrypted(realm, remoteEntity, SAML2Constants.IDP_ROLE);
}
if (needEncryptIt == false) {
if (debug.messageEnabled()) {
debug.message(method + "NamID doesn't need to be encrypted.");
}
request.setNameID(nameID);
return;
}
EncInfo encryptInfo = null;
KeyDescriptorType keyDescriptor = null;
if (hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
SPSSODescriptorElement spSSODesc = metaManager.getSPSSODescriptor(realm, remoteEntity);
keyDescriptor = KeyUtil.getKeyDescriptor(spSSODesc, "encryption");
encryptInfo = KeyUtil.getEncInfo(spSSODesc, remoteEntity, SAML2Constants.SP_ROLE);
} else {
IDPSSODescriptorElement idpSSODesc = metaManager.getIDPSSODescriptor(realm, remoteEntity);
keyDescriptor = KeyUtil.getKeyDescriptor(idpSSODesc, "encryption");
encryptInfo = KeyUtil.getEncInfo(idpSSODesc, remoteEntity, SAML2Constants.IDP_ROLE);
}
if (debug.messageEnabled()) {
debug.message(method + "realm is : " + realm);
debug.message(method + "hostEntity is : " + hostEntity);
debug.message(method + "Host Entity role is : " + hostEntityRole);
debug.message(method + "remoteEntity is : " + remoteEntity);
}
if (encryptInfo == null) {
debug.error("NO meta data for encrypt Info.");
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
X509Certificate certificate = KeyUtil.getCert(keyDescriptor);
PublicKey recipientPublicKey = certificate.getPublicKey();
EncryptedID encryptedID = nameID.encrypt(recipientPublicKey, encryptInfo.getDataEncAlgorithm(), encryptInfo.getDataEncStrength(), remoteEntity);
request.setEncryptedID(encryptedID);
}
use of com.sun.identity.saml2.assertion.EncryptedID in project OpenAM by OpenRock.
the class NameIDMapping method setNameIDForNIMRequest.
private static void setNameIDForNIMRequest(NameIDMappingRequest nimRequest, String realm, String spEntityID, String idpEntityID, String targetSPEntityID, String targetNameIDFormat, String userID) throws SAML2Exception {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("NameIDMapping.setNameIDForNIMRequest: " + "user ID = " + userID);
}
NameID nameID = AssertionFactory.getInstance().createNameID();
NameIDInfo info = AccountUtils.getAccountFederation(userID, spEntityID, idpEntityID);
nameID.setValue(info.getNameIDValue());
nameID.setFormat(info.getFormat());
nameID.setNameQualifier(idpEntityID);
nameID.setSPNameQualifier(spEntityID);
NameIDPolicy nameIDPolicy = ProtocolFactory.getInstance().createNameIDPolicy();
nameIDPolicy.setSPNameQualifier(targetSPEntityID);
nameIDPolicy.setFormat(targetNameIDFormat);
nimRequest.setNameIDPolicy(nameIDPolicy);
boolean needEncryptIt = SAML2Utils.getWantNameIDEncrypted(realm, idpEntityID, SAML2Constants.IDP_ROLE);
if (!needEncryptIt) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("NameIDMapping.setNameIDForNIMRequest: " + "NamID doesn't need to be encrypted.");
}
nimRequest.setNameID(nameID);
return;
}
EncryptedID encryptedID = getEncryptedID(nameID, realm, idpEntityID, SAML2Constants.IDP_ROLE);
nimRequest.setEncryptedID(encryptedID);
}
Aggregations