
Example 51 with Issuer

use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.

Class AttributeQueryUtil, method verifyResponse:

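/**
 * Validates a Response received from an attribute authority in answer to
 * an AttributeQuery.
 * <p>
 * Checks, in order: InResponseTo matches the query's ID (when the query has
 * one); the Issuer, when present, is the attribute authority we queried; the
 * response is signed; and the signature verifies against the certificates
 * published in the authority's metadata. Certificate lookup is keyed on the
 * expected {@code attrAuthorityEntityID}, never on a value taken from the
 * message, so a missing Issuer does not weaken the signature check.
 * <p>
 * The previous version of this method returned early when the Issuer was
 * absent, which skipped the signed / signature-valid checks entirely; an
 * unsigned response without an Issuer is now rejected like any other.
 *
 * @param response              the Response to verify (untrusted input).
 * @param attrQuery             the AttributeQuery this response should answer.
 * @param attrAuthorityEntityID entity ID of the attribute authority that was queried.
 * @param aad                   attribute authority metadata used to look up signing certificates.
 * @throws SAML2Exception if any of the checks above fails.
 */
private static void verifyResponse(Response response, AttributeQuery attrQuery, String attrAuthorityEntityID, AttributeAuthorityDescriptorElement aad) throws SAML2Exception {
    // Correlation: the response must answer the query we actually sent.
    String attrQueryID = attrQuery.getID();
    if ((attrQueryID != null) && (!attrQueryID.equals(response.getInResponseTo()))) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidInResponseToAttrQuery"));
    }
    // Issuer is tolerated as absent (as before), but when present it must be
    // the authority we queried. A null Issuer value also counts as a mismatch.
    Issuer respIssuer = response.getIssuer();
    if ((respIssuer != null) && !attrAuthorityEntityID.equals(respIssuer.getValue())) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("responseIssuerMismatch"));
    }
    // The response must be signed regardless of whether an Issuer was supplied.
    if (!response.isSigned()) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("responseNotSigned"));
    }
    // Fail closed: without a configured verification certificate there is no
    // trusted key to check the signature against.
    Set<X509Certificate> signingCerts = KeyUtil.getVerificationCerts(aad, attrAuthorityEntityID, SAML2Constants.ATTR_AUTH_ROLE);
    if (signingCerts.isEmpty()) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
    }
    boolean valid = response.isSignatureValid(signingCerts);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("AttributeQueryUtil.verifyResponse: " + "Signature validity is : " + valid);
    }
    if (!valid) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignatureOnResponse"));
    }
}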

Example 52 with Issuer

use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.

Class SPACSUtils, method getResponseFromSOAP:

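/**
 * Obtains the <code>SAML Response</code> carried inside an ArtifactResponse
 * in the <code>SOAPBody</code>. Used by the Artifact profile.
 * <p>
 * Validation order: the ArtifactResponse element is parsed; when the hosted
 * SP's WANT_ARTIFACT_RESPONSE_SIGNED setting is "true" its signature is
 * verified against the IDP's metadata certificates; InResponseTo must equal
 * the ID of our ArtifactResolve; the Issuer must be {@code idpEntityID}; the
 * status must be Success. Only then is the embedded Response extracted.
 * On every failure an HTTP 500 error page is written via
 * {@code SAMLUtils.sendError} and a SAML2Exception is thrown.
 * <p>
 * NOTE(review): the ArtifactResponse's IssueInstant is not validated here
 * (see the "check time?" marker below), and when the SP config does not
 * require a signed ArtifactResponse no signature check is performed on the
 * outer message at all. The embedded Response is returned unverified and is
 * expected to be validated by the caller - confirm against the ACS flow.
 *
 * @param resMsg       SOAP reply from the IDP's artifact resolution service (untrusted).
 * @param resolve      the ArtifactResolve we sent; its ID is matched against InResponseTo.
 * @param request      the servlet request, used for error reporting.
 * @param response     the servlet response, used for error reporting.
 * @param idpEntityID  entity ID of the IDP that must have issued the ArtifactResponse.
 * @param idp          IDP metadata used to look up signature verification certificates.
 * @param orgName      realm of the hosted SP.
 * @param hostEntityId entity ID of the hosted SP.
 * @param sm           metadata manager used to read the SP's extended config.
 * @return the Response extracted from the ArtifactResponse.
 * @throws SAML2Exception if parsing or any validation step fails.
 * @throws IOException    if the error page cannot be written.
 */
private static Response getResponseFromSOAP(SOAPMessage resMsg, ArtifactResolve resolve, HttpServletRequest request, HttpServletResponse response, String idpEntityID, IDPSSODescriptorElement idp, String orgName, String hostEntityId, SAML2MetaManager sm) throws SAML2Exception, IOException {
    String method = "SPACSUtils.getResponseFromSOAP:";
    Element resElem = null;
    try {
        resElem = SOAPCommunicator.getInstance().getSamlpElement(resMsg, "ArtifactResponse");
    } catch (SAML2Exception se) {
        String[] data = { idpEntityID };
        LogUtil.error(Level.INFO, LogUtil.SOAP_ERROR, data, null);
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "soapError", se.getMessage());
        throw se;
    }
    ArtifactResponse artiResp = null;
    try {
        artiResp = ProtocolFactory.getInstance().createArtifactResponse(resElem);
    } catch (SAML2Exception se) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(method + "Couldn't create " + "ArtifactResponse:", se);
        }
        String[] data = { idpEntityID };
        LogUtil.error(Level.INFO, LogUtil.CANNOT_INSTANTIATE_ARTIFACT_RESPONSE, data, null);
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "failedToCreateArtifactResponse", se.getMessage());
        throw se;
    }
    if (artiResp == null) {
        String[] data = { idpEntityID };
        LogUtil.error(Level.INFO, LogUtil.MISSING_ARTIFACT_RESPONSE, data, null);
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "missingArtifactResponse", SAML2Utils.bundle.getString("missingArtifactResponse"));
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingArtifactResponse"));
    } else {
        // Debug level only, but this writes the complete ArtifactResponse XML
        // (which may embed the Response and its assertions) to the log.
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(method + "Received ArtifactResponse:" + artiResp.toXMLString(true, true));
        }
    }
    // verify ArtifactResponse
    String wantArtiRespSigned = getAttributeValueFromSPSSOConfig(orgName, hostEntityId, sm, SAML2Constants.WANT_ARTIFACT_RESPONSE_SIGNED);
    if (wantArtiRespSigned != null && wantArtiRespSigned.equals("true")) {
        Set<X509Certificate> verificationCerts = KeyUtil.getVerificationCerts(idp, idpEntityID, SAML2Constants.IDP_ROLE);
        // Fail closed when the IDP metadata yields no verification certificate:
        // a signature that cannot be checked against a trusted key must not be
        // accepted (same policy as AttributeQueryUtil.verifyResponse).
        if (verificationCerts.isEmpty() || !artiResp.isSigned() || !artiResp.isSignatureValid(verificationCerts)) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(method + "ArtifactResponse's signature is invalid.");
            }
            String[] data = { idpEntityID };
            LogUtil.error(Level.INFO, LogUtil.ARTIFACT_RESPONSE_INVALID_SIGNATURE, data, null);
            SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "invalidSignature", SAML2Utils.bundle.getString("invalidSignature"));
            throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignature"));
        }
    }
    // Correlation: the ArtifactResponse must answer the ArtifactResolve we sent.
    String inResponseTo = artiResp.getInResponseTo();
    if (inResponseTo == null || !inResponseTo.equals(resolve.getID())) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(method + "ArtifactResponse's InResponseTo is invalid.");
        }
        String[] data = { idpEntityID };
        LogUtil.error(Level.INFO, LogUtil.ARTIFACT_RESPONSE_INVALID_INRESPONSETO, data, null);
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "invalidInResponseTo", SAML2Utils.bundle.getString("invalidInResponseTo"));
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidInResponseTo"));
    }
    // The Issuer must be present and must be the IDP we resolved the artifact with.
    // An Issuer element with a null value is rejected rather than dereferenced.
    Issuer idpIssuer = artiResp.getIssuer();
    if (idpIssuer == null || idpIssuer.getValue() == null || !idpIssuer.getValue().equals(idpEntityID)) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(method + "ArtifactResponse's Issuer is invalid.");
        }
        String[] data = { idpEntityID };
        LogUtil.error(Level.INFO, LogUtil.ARTIFACT_RESPONSE_INVALID_ISSUER, data, null);
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "invalidIssuer", SAML2Utils.bundle.getString("invalidIssuer"));
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidIssuer"));
    }
    // check time? -- NOTE(review): IssueInstant is not validated here.
    Status status = artiResp.getStatus();
    // A missing Status or StatusCode is reported as a non-success status
    // instead of surfacing as a NullPointerException on untrusted input.
    String statusCode = (status == null || status.getStatusCode() == null) ? "" : status.getStatusCode().getValue();
    if (!SAML2Constants.SUCCESS.equals(statusCode)) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(method + "ArtifactResponse's status code is not success." + statusCode);
        }
        String[] data = { idpEntityID, "" };
        // The status code itself only goes to the error log at FINE.
        if (LogUtil.isErrorLoggable(Level.FINE)) {
            data[1] = statusCode;
        }
        LogUtil.error(Level.INFO, LogUtil.ARTIFACT_RESPONSE_INVALID_STATUS_CODE, data, null);
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "invalidStatusCode", SAML2Utils.bundle.getString("invalidStatusCode"));
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidStatusCode"));
    }
    try {
        // The embedded Response is returned as-is; its own checks happen in the caller.
        return ProtocolFactory.getInstance().createResponse(artiResp.getAny());
    } catch (SAML2Exception se) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(method + "couldn't instantiate Response:", se);
        }
        String[] data = { idpEntityID };
        LogUtil.error(Level.INFO, LogUtil.CANNOT_INSTANTIATE_RESPONSE_ARTIFACT, data, null);
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "failedToCreateResponse", se.getMessage());
        throw se;
    }
}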

Example 53 with Issuer

use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.

Class LogoutUtil, method generateResponse:

/**
 * Builds the <code>LogoutResponse</code> that the hosted entity returns to
 * the remote entity (for example the SP's answer to an IDP LogoutRequest).
 * <p>
 * The response is given a freshly generated ID, SAML version 2.0, the
 * current time as IssueInstant, the supplied {@code inResponseTo} and
 * {@code issuer}, and {@code status} - or a generic Success status carrying
 * the "requestSuccess" message when {@code status} is null.
 * <p>
 * If populating the response throws a SAML2Exception the error is logged
 * and the partially populated response is returned; callers are not told.
 *
 * @param status       status of the response; null means Success.
 * @param inResponseTo ID of the LogoutRequest being answered.
 * @param issuer       issuer of the response (the hosted entity).
 * @param realm        realm of the hosted entity; not used by this method.
 * @param hostRole     role of the hosted entity; not used by this method.
 * @param remoteEntity entity that will receive this response; not used by this method.
 *
 * @return <code>LogoutResponse</code>
 */
public static LogoutResponse generateResponse(Status status, String inResponseTo, Issuer issuer, String realm, String hostRole, String remoteEntity) {
    Status responseStatus = status;
    if (responseStatus == null) {
        // No explicit status supplied: report success.
        responseStatus = SAML2Utils.generateStatus(SAML2Constants.SUCCESS, SAML2Utils.bundle.getString("requestSuccess"));
    }
    LogoutResponse result = ProtocolFactory.getInstance().createLogoutResponse();
    String freshId = SAMLUtils.generateID();
    try {
        result.setStatus(responseStatus);
        result.setID(freshId);
        result.setInResponseTo(inResponseTo);
        result.setVersion(SAML2Constants.VERSION_2_0);
        result.setIssueInstant(new Date());
        result.setIssuer(issuer);
    } catch (SAML2Exception e) {
        // Best effort: log and hand back whatever has been populated so far.
        debug.error("Error in generating LogoutResponse.", e);
    }
    return result;
}

Example 54 with Issuer

use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.

Class NameIDMapping, method doNIMBySOAP:

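/**
 * Sends a NameIDMappingRequest to the IDP over SOAP and returns the verified
 * NameIDMappingResponse.
 * <p>
 * The reply is untrusted input. After the NameIDMappingResponse element is
 * extracted from the SOAP body, the Issuer must be present; the issuer and
 * InResponseTo are then checked by {@code SAML2Utils.verifyResponseIssuer}
 * and the response by {@code verifyNIMResponse}. A response without an
 * Issuer is now rejected with a SAML2Exception instead of failing with a
 * NullPointerException while reading its value.
 * Note: at debug level the full request and response XML are written to the log.
 *
 * @param nimRequestXMLString the NameIDMappingRequest to send, as XML.
 * @param nimURL              the IDP's NameIDMappingService endpoint.
 * @param realm               realm of the hosted SP.
 * @param spEntityID          entity ID of the hosted SP.
 * @return the verified NameIDMappingResponse.
 * @throws SAML2Exception if the SOAP exchange fails, the response has no
 *                        Issuer, or issuer / InResponseTo / response verification fails.
 */
private static NameIDMappingResponse doNIMBySOAP(String nimRequestXMLString, String nimURL, String realm, String spEntityID) throws SAML2Exception {
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("NameIDMapping.doNIMBySOAP: " + "NIMRequestXMLString : " + nimRequestXMLString);
        SAML2Utils.debug.message("NameIDMapping.doNIMBySOAP: " + "NIMRedirectURL : " + nimURL);
    }
    SOAPMessage resMsg = null;
    try {
        resMsg = SOAPCommunicator.getInstance().sendSOAPMessage(nimRequestXMLString, nimURL, true);
    } catch (SOAPException se) {
        SAML2Utils.debug.error("NameIDMapping.doNIMBySOAP: ", se);
        // Resource-bundle key kept verbatim (it must match the bundle as-is).
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSOAPMessge"));
    }
    Element nimRespElem = SOAPCommunicator.getInstance().getSamlpElement(resMsg, SAML2Constants.NAME_ID_MAPPING_RESPONSE);
    NameIDMappingResponse nimResponse = pf.createNameIDMappingResponse(nimRespElem);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("NameIDMapping.doNIMBySOAP: " + "NameIDMappingResponse without SOAP envelope:\n" + nimResponse.toXMLString(true, true));
    }
    // A response without an Issuer cannot be attributed to any IDP: reject it
    // explicitly rather than dereferencing null below.
    Issuer resIssuer = nimResponse.getIssuer();
    if (resIssuer == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidIssuer"));
    }
    String idpEntityID = resIssuer.getValue();
    String requestId = nimResponse.getInResponseTo();
    // Issuer must be a trusted IDP for this SP/realm and InResponseTo must match our request.
    SAML2Utils.verifyResponseIssuer(realm, spEntityID, resIssuer, requestId);
    if (!verifyNIMResponse(nimResponse, realm, idpEntityID)) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignInResponse"));
    }
    return nimResponse;
}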

Example 55 with Issuer

use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.

Class IDPSSOUtil, method doSSOFederate:

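/**
 * Does SSO with existing federation or new federation.
 * <p>
 * Flow: pick up the session (the IDP-proxy session when {@code newSession}
 * is supplied, otherwise the session on this request), log the received
 * AuthnRequest, resolve the IDP entity ID and realm from the meta alias,
 * validate the requesting SP (IDP-initiated case only) and the RelayState
 * URL, redirect to authentication when an IDP-initiated request has no valid
 * session in the realm, let the IDP adapter's preSendResponse take over if it
 * wants to, and finally send the response to the SP's ACS.
 * <p>
 * Security notes (review): the remote SP is checked with
 * {@code SAML2Utils.isSourceSiteValid} only when {@code authnReq} is null;
 * on the SP-initiated path the AuthnRequest is presumably validated by the
 * caller - confirm. A SAML2Exception from the IDP adapter's preSendResponse
 * is logged and processing continues to sendResponseToACS. The auditor is
 * documented as nullable and is now null-checked at every use (it was
 * dereferenced unconditionally in two places before).
 *
 * @param request      the <code>HttpServletRequest</code> object
 * @param response     the <code>HttpServletResponse</code> object
 * @param out          the print writer for writing out presentation
 * @param authnReq     the <code>AuthnRequest</code> object; null for IDP-initiated SSO
 * @param spEntityID   the entity id of the service provider
 * @param idpMetaAlias the meta alias of the identity provider
 * @param nameIDFormat the <code>NameIDFormat</code>
 * @param relayState   the relay state
 * @param newSession   Session used in IDP Proxy Case
 * @param auditor      the auditor for logging SAML2 Events - may be null
 * @throws SAML2Exception if the operation is not successful
 */
public static void doSSOFederate(HttpServletRequest request, HttpServletResponse response, PrintWriter out, AuthnRequest authnReq, String spEntityID, String idpMetaAlias, String nameIDFormat, String relayState, Object newSession, SAML2EventLogger auditor) throws SAML2Exception {
    String classMethod = "IDPSSOUtil.doSSOFederate: ";
    Object session = null;
    if (newSession != null) {
        session = newSession;
        // auditor may be null (see Javadoc); guard every use of it.
        if (auditor != null) {
            auditor.setSSOTokenId(session);
        }
    } else {
        try {
            session = sessionProvider.getSession(request);
            if (null != auditor) {
                auditor.setAuthTokenId(session);
            }
        } catch (SessionException se) {
            // No session is not an error here: the IDP-initiated path below may redirect to login.
            if (SAML2Utils.debug.warningEnabled()) {
                SAML2Utils.debug.warning(classMethod + "No session yet.");
            }
        }
    }
    // log the authnRequest
    String authnRequestStr = null;
    if (authnReq != null) {
        authnRequestStr = authnReq.toXMLString();
        if (auditor != null) {
            auditor.setRequestId(authnReq.getID());
        }
    }
    String[] logdata = { spEntityID, idpMetaAlias, authnRequestStr };
    LogUtil.access(Level.INFO, LogUtil.RECEIVED_AUTHN_REQUEST, logdata, session);
    // retrieve IDP entity id from meta alias
    String idpEntityID = null;
    String realm = null;
    try {
        if (metaManager == null) {
            SAML2Utils.debug.error(classMethod + "Unable to get meta manager.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("errorMetaManager"));
        }
        idpEntityID = metaManager.getEntityByMetaAlias(idpMetaAlias);
        if ((idpEntityID == null) || (idpEntityID.trim().length() == 0)) {
            SAML2Utils.debug.error(classMethod + "Unable to get IDP Entity ID from meta.");
            String[] data = { idpEntityID };
            LogUtil.error(Level.INFO, LogUtil.INVALID_IDP, data, session);
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }
        realm = SAML2MetaUtils.getRealmByMetaAlias(idpMetaAlias);
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error(classMethod + "Unable to get IDP Entity ID from meta.");
        String[] data = { idpMetaAlias };
        LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, session);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    // check if the remote provider is valid (IDP-initiated case: there is no
    // AuthnRequest, so the SP named in the URL is checked against metadata here)
    if (authnReq == null) {
        Issuer issuer = AssertionFactory.getInstance().createIssuer();
        issuer.setValue(spEntityID);
        if (!SAML2Utils.isSourceSiteValid(issuer, realm, idpEntityID)) {
            if (SAML2Utils.debug.warningEnabled()) {
                SAML2Utils.debug.warning(classMethod + "The remote provider is not valid.");
            }
            throw new SAML2Exception(SAML2Utils.bundle.getString("invalidReceiver"));
        }
    }
    // Validate the RelayState URL (open-redirect guard; throws on an unacceptable value).
    SAML2Utils.validateRelayStateURL(realm, idpEntityID, relayState, SAML2Constants.IDP_ROLE);
    if (authnReq == null && (session == null || !isValidSessionInRealm(realm, session))) {
        // idp initiated and not logged in yet, need to authenticate
        try {
            if (Boolean.parseBoolean(request.getParameter(REDIRECTED))) {
                // We already went through authentication once; do not redirect again (loop guard).
                if (session == null) {
                    String[] data = { idpEntityID };
                    SAML2Utils.debug.error(classMethod + "The IdP was not able to create a session");
                    LogUtil.error(Level.INFO, LogUtil.SSO_NOT_FOUND, data, session, null);
                } else {
                    try {
                        String ipAddress = ClientUtils.getClientIPAddress(request);
                        String sessionRealm = SAML2Utils.getSingleValuedSessionProperty(session, SAML2Constants.ORGANIZATION);
                        String[] data = { sessionRealm, realm, spEntityID, ipAddress, null };
                        SAML2Utils.debug.error(classMethod + "The realm of the session (" + sessionRealm + ") does not correspond to that of the IdP (" + realm + ")");
                        LogUtil.error(Level.INFO, LogUtil.INVALID_REALM_FOR_SESSION, data, session, null);
                    } catch (SessionException se) {
                        SAML2Utils.debug.error(classMethod + "Failed to retrieve realm from session", se);
                    }
                }
                String rbKey = "UnableToDOSSOOrFederation";
                SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, rbKey, SAML2Utils.bundle.getString(rbKey));
            } else {
                redirectAuthentication(request, response, authnReq, null, realm, idpEntityID, spEntityID);
            }
        } catch (IOException ioe) {
            SAML2Utils.debug.error(classMethod + "Unable to redirect to authentication.", ioe);
            SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "UnableToRedirectToAuth", SAML2Utils.bundle.getString("UnableToRedirectToAuth"));
        }
        return;
    }
    // Invoke the IDP Adapter
    try {
        SAML2Utils.debug.message(classMethod + " Invoking the " + "IDP Adapter");
        SAML2IdentityProviderAdapter idpAdapter = IDPSSOUtil.getIDPAdapterClass(realm, idpEntityID);
        if (idpAdapter != null) {
            // If the preSendResponse returns true we end here
            if (idpAdapter.preSendResponse(authnReq, idpEntityID, realm, request, response, session, null, relayState)) {
                return;
            }
        // else we continue with the logic. Beware of loops
        }
    } catch (SAML2Exception se2) {
        // Adapter failures are logged only; the response is still sent below.
        SAML2Utils.debug.error(classMethod + " There was a problem when invoking" + "the preSendResponse of the IDP Adapter: ", se2);
    }
    // End of invocation
    sendResponseToACS(request, response, out, session, authnReq, spEntityID, idpEntityID, idpMetaAlias, realm, nameIDFormat, relayState, null);
}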
