Example 31 with Issuer
use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.
the class DoManageNameID method processMNIResponsePOST.
public static boolean processMNIResponsePOST(HttpServletRequest request, HttpServletResponse response, Map paramsMap) throws SAML2Exception {
String method = "processMNIResponsePOST: ";
boolean success = false;
String requestURL = request.getRequestURI();
String metaAlias = SAML2MetaUtils.getMetaAliasByUri(requestURL);
if (metaAlias == null) {
logError("MetaAliasNotFound", LogUtil.MISSING_META_ALIAS, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("MetaAliasNotFound"));
}
String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
String hostEntityID = metaManager.getEntityByMetaAlias(metaAlias);
String hostRole = SAML2Utils.getHostEntityRole(paramsMap);
boolean isSupported = false;
if (SAML2Constants.IDP_ROLE.equals(hostRole)) {
isSupported = SAML2Utils.isIDPProfileBindingSupported(realm, hostEntityID, SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_POST);
} else {
isSupported = SAML2Utils.isSPProfileBindingSupported(realm, hostEntityID, SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_POST);
}
if (!isSupported) {
debug.error(method + "MNI binding: POST is not supported for " + hostEntityID);
String[] data = { hostEntityID, SAML2Constants.HTTP_POST };
LogUtil.error(Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
}
String relayState = request.getParameter(SAML2Constants.RELAY_STATE);
String mniRes = request.getParameter(SAML2Constants.SAML_RESPONSE);
String mniResStr = getMNIResponseFromPost(mniRes, response);
if (mniResStr == null) {
logError("nullDecodedStrFromSamlResponse", LogUtil.CANNOT_DECODE_RESPONSE, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse"));
}
if (debug.messageEnabled()) {
debug.message("DoManageNameID.processMNIResponsePOST: " + "Meta Alias is : " + metaAlias);
debug.message("DoManageNameID.processMNIResponsePOST: " + "Host role is : " + hostRole);
debug.message("DoManageNameID.processMNIResponsePOST: " + "Relay state is : " + relayState);
debug.message("DoManageNameID.processMNIResponsePOST: " + "MNI Response : " + mniResStr);
}
// Validate the RelayState URL.
SAML2Utils.validateRelayStateURL(realm, hostEntityID, relayState, hostRole);
ManageNameIDResponse mniResponse = null;
try {
mniResponse = pf.createManageNameIDResponse(mniResStr);
String remoteEntityID = mniResponse.getIssuer().getValue();
Issuer resIssuer = mniResponse.getIssuer();
String requestId = mniResponse.getInResponseTo();
SAML2Utils.verifyResponseIssuer(realm, hostEntityID, resIssuer, requestId);
boolean needToVerify = SAML2Utils.getWantMNIResponseSigned(realm, hostEntityID, hostRole);
if (needToVerify) {
boolean valid = verifyMNIResponse(mniResponse, realm, remoteEntityID, hostEntityID, hostRole, mniResponse.getDestination());
if (!valid) {
logError("invalidSignInResponse", LogUtil.MNI_RESPONSE_INVALID_SIGNATURE, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignInResponse"));
}
}
success = checkMNIResponse(mniResponse, realm, hostEntityID, hostRole, new StringBuffer());
} catch (SessionException e) {
logError("invalidSSOToken", LogUtil.INVALID_SSOTOKEN, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
}
if (debug.messageEnabled()) {
debug.message("DoManageNameID.processMNIResponsePOST: " + "Request success : " + success);
}
return success;
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
Issuer(com.sun.identity.saml2.assertion.Issuer)
SessionException(com.sun.identity.plugin.session.SessionException)
ManageNameIDResponse(com.sun.identity.saml2.protocol.ManageNameIDResponse)
Example 32 with Issuer
use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.
the class AttributeQueryUtil method getAssertion.
private static Assertion getAssertion(AttributeQuery attrQuery, String attrAuthorityEntityID, String requesterEntityID, String realm, String attrQueryProfileAlias, List attributes) throws SAML2Exception {
AssertionFactory assertionFactory = AssertionFactory.getInstance();
Assertion assertion = assertionFactory.createAssertion();
assertion.setID(SAML2Utils.generateID());
assertion.setVersion(SAML2Constants.VERSION_2_0);
assertion.setIssueInstant(new Date());
Issuer issuer = assertionFactory.createIssuer();
issuer.setValue(attrAuthorityEntityID);
assertion.setIssuer(issuer);
Subject subjectQ = attrQuery.getSubject();
Subject subject = assertionFactory.createSubject();
subject.setEncryptedID(subjectQ.getEncryptedID());
subject.setNameID(subjectQ.getNameID());
subject.setBaseID(subjectQ.getBaseID());
subject.setSubjectConfirmation(subjectQ.getSubjectConfirmation());
assertion.setSubject(subject);
if ((attributes != null) && (!attributes.isEmpty())) {
AttributeStatement attrStatement = assertionFactory.createAttributeStatement();
attrStatement.setAttribute(attributes);
List attrStatementList = new ArrayList();
attrStatementList.add(attrStatement);
assertion.setAttributeStatements(attrStatementList);
}
int effectiveTime = IDPSSOUtil.getEffectiveTime(realm, attrAuthorityEntityID);
int notBeforeSkewTime = IDPSSOUtil.getNotBeforeSkewTime(realm, attrAuthorityEntityID);
Conditions conditions = IDPSSOUtil.getConditions(requesterEntityID, notBeforeSkewTime, effectiveTime);
assertion.setConditions(conditions);
return assertion;
}
Also used :
AssertionFactory(com.sun.identity.saml2.assertion.AssertionFactory)
Issuer(com.sun.identity.saml2.assertion.Issuer)
AttributeStatement(com.sun.identity.saml2.assertion.AttributeStatement)
EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion)
Assertion(com.sun.identity.saml2.assertion.Assertion)
ArrayList(java.util.ArrayList)
List(java.util.List)
ArrayList(java.util.ArrayList)
Date(java.util.Date)
Subject(com.sun.identity.saml2.assertion.Subject)
Conditions(com.sun.identity.saml2.assertion.Conditions)
Example 33 with Issuer
use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.
the class AttributeQueryUtil method validateEntityRequester.
public static void validateEntityRequester(AttributeQuery attrQuery, String attrAuthorityEntityID, String realm) throws SAML2Exception {
Issuer issuer = attrQuery.getIssuer();
String format = issuer.getFormat();
if ((format == null) || (format.length() == 0) || (format.equals(SAML2Constants.UNSPECIFIED)) || (format.equals(SAML2Constants.ENTITY))) {
String requestedEntityID = issuer.getValue();
if (!SAML2Utils.isSourceSiteValid(issuer, realm, attrAuthorityEntityID)) {
throw new SAML2Exception(SAML2Utils.bundle.getString("attrQueryIssuerInvalid"));
}
} else {
throw new SAML2Exception(SAML2Utils.bundle.getString("attrQueryIssuerInvalid"));
}
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
Issuer(com.sun.identity.saml2.assertion.Issuer)
Example 34 with Issuer
use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.
the class AttributeQueryUtil method processAttributeQuery.
/**
* Processes the <code>AttributeQuery</code> coming
* from a requester.
*
* @param attrQuery the <code>AttributeQuery</code> object
* @param request the <code>HttpServletRequest</code> object
* @param response the <code>HttpServletResponse</code> object
* @param attrAuthorityEntityID entity ID of attribute authority
* @param realm the realm of hosted entity
* @param attrQueryProfileAlias the attribute query profile alias
*
* @return the <code>Response</code> object
* @exception SAML2Exception if the operation is not successful
*/
public static Response processAttributeQuery(AttributeQuery attrQuery, HttpServletRequest request, HttpServletResponse response, String attrAuthorityEntityID, String realm, String attrQueryProfileAlias) throws SAML2Exception {
AttributeAuthorityMapper attrAuthorityMapper = getAttributeAuthorityMapper(realm, attrAuthorityEntityID, attrQueryProfileAlias);
String attrQueryProfile = AttributeQueryUtil.getAttributeQueryProfile(attrQueryProfileAlias);
try {
attrAuthorityMapper.authenticateRequester(request, response, attrQuery, attrAuthorityEntityID, realm);
} catch (SAML2Exception se) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("AttributeQueryUtil." + "processAttributeQuery: ", se);
}
return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.REQUESTER, null, se.getMessage(), null);
}
try {
attrAuthorityMapper.validateAttributeQuery(request, response, attrQuery, attrAuthorityEntityID, realm);
} catch (SAML2Exception se) {
SAML2Utils.debug.error("AttributeQueryUtil.processAttributeQuery:", se);
return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.REQUESTER, null, se.getMessage(), null);
}
Issuer issuer = attrQuery.getIssuer();
String requesterEntityID = issuer.getValue();
AttributeAuthorityDescriptorElement aad = null;
try {
aad = metaManager.getAttributeAuthorityDescriptor(realm, attrAuthorityEntityID);
} catch (SAML2MetaException sme) {
SAML2Utils.debug.error("AttributeQueryUtil.processAttributeQuery:", sme);
return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.RESPONDER, null, SAML2Utils.bundle.getString("metaDataError"), null);
}
if (aad == null) {
return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.REQUESTER, null, SAML2Utils.bundle.getString("attrAuthorityNotFound"), null);
}
Object identity = null;
try {
identity = attrAuthorityMapper.getIdentity(request, response, attrQuery, attrAuthorityEntityID, realm);
} catch (SAML2Exception se) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("AttributeQueryUtil." + "processAttributeQuery: ", se);
}
return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.REQUESTER, SAML2Constants.UNKNOWN_PRINCIPAL, se.getMessage(), null);
}
if (identity == null) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("AttributeQueryUtil." + "processAttributeQuery: unable to find identity.");
}
return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.REQUESTER, SAML2Constants.UNKNOWN_PRINCIPAL, null, null);
}
// Addition to support changing of desired attributes list
List desiredAttrs = (List) request.getAttribute("AttributeQueryUtil-desiredAttrs");
if (desiredAttrs == null) {
desiredAttrs = attrQuery.getAttributes();
}
try {
desiredAttrs = verifyDesiredAttributes(aad.getAttribute(), desiredAttrs);
} catch (SAML2Exception se) {
return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.REQUESTER, SAML2Constants.INVALID_ATTR_NAME_OR_VALUE, null, null);
}
List attributes = attrAuthorityMapper.getAttributes(identity, attrQuery, attrAuthorityEntityID, realm);
if (request.getAttribute("AttributeQueryUtil-storeAllAttributes") != null) {
request.setAttribute("AttributeQueryUtil-allAttributes", attributes);
}
attributes = filterAttributes(attributes, desiredAttrs);
ProtocolFactory protocolFactory = ProtocolFactory.getInstance();
Response samlResp = protocolFactory.createResponse();
List assertionList = new ArrayList();
Assertion assertion = null;
try {
assertion = getAssertion(attrQuery, attrAuthorityEntityID, requesterEntityID, realm, attrQueryProfileAlias, attributes);
} catch (SAML2Exception se) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("AttributeQueryUtil.processAttributeQuery:", se);
}
return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.RESPONDER, null, se.getMessage(), null);
}
EncryptedID encryptedID = attrQuery.getSubject().getEncryptedID();
if (encryptedID != null) {
EncryptedAssertion encryptedAssertion = null;
try {
signAssertion(assertion, realm, attrAuthorityEntityID, false);
encryptedAssertion = encryptAssertion(assertion, encryptedID, attrAuthorityEntityID, requesterEntityID, realm, attrQueryProfileAlias);
} catch (SAML2Exception se) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("AttributeQueryUtil.processAttributeQuery:", se);
}
return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.RESPONDER, null, se.getMessage(), null);
}
assertionList.add(encryptedAssertion);
samlResp.setEncryptedAssertion(assertionList);
} else {
assertionList.add(assertion);
samlResp.setAssertion(assertionList);
}
samlResp.setID(SAML2Utils.generateID());
samlResp.setInResponseTo(attrQuery.getID());
samlResp.setVersion(SAML2Constants.VERSION_2_0);
samlResp.setIssueInstant(new Date());
Status status = protocolFactory.createStatus();
StatusCode statusCode = protocolFactory.createStatusCode();
statusCode.setValue(SAML2Constants.SUCCESS);
status.setStatusCode(statusCode);
samlResp.setStatus(status);
Issuer respIssuer = AssertionFactory.getInstance().createIssuer();
respIssuer.setValue(attrAuthorityEntityID);
samlResp.setIssuer(respIssuer);
signResponse(samlResp, attrAuthorityEntityID, realm, false);
return samlResp;
}
Also used :
Status(com.sun.identity.saml2.protocol.Status)
Issuer(com.sun.identity.saml2.assertion.Issuer)
AttributeAuthorityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.AttributeAuthorityDescriptorElement)
ArrayList(java.util.ArrayList)
EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion)
Assertion(com.sun.identity.saml2.assertion.Assertion)
EncryptedID(com.sun.identity.saml2.assertion.EncryptedID)
StatusCode(com.sun.identity.saml2.protocol.StatusCode)
Date(java.util.Date)
AttributeAuthorityMapper(com.sun.identity.saml2.plugins.AttributeAuthorityMapper)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
ProtocolFactory(com.sun.identity.saml2.protocol.ProtocolFactory)
Response(com.sun.identity.saml2.protocol.Response)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion)
List(java.util.List)
ArrayList(java.util.ArrayList)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
Example 35 with Issuer
use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.
the class IDPSSOUtil method getAuthnStatement.
/**
* Returns a <code>SAML AuthnStatement</code> object.
*
* @param request The HTTP request.
* @param session The user's session.
* @param isNewSessionIndex A returned flag from which the caller knows if the session index in the returned
* <code>AuthnStatement</code> is a new session index.
* @param authnReq The <code>AuthnRequest</code> object.
* @param idpEntityID The entity ID of the identity provider.
* @param realm The realm name.
* @param matchingAuthnContext The <code>AuthnContext</code> used to find authentication type and scheme.
* @return The <code>SAML AuthnStatement</code> object.
* @throws SAML2Exception If the operation is not successful.
*/
private static AuthnStatement getAuthnStatement(HttpServletRequest request, Object session, NewBoolean isNewSessionIndex, AuthnRequest authnReq, String idpEntityID, String realm, AuthnContext matchingAuthnContext) throws SAML2Exception {
String classMethod = "IDPSSOUtil.getAuthnStatement: ";
AuthnStatement authnStatement = AssertionFactory.getInstance().createAuthnStatement();
Date authInstant = null;
// will be used when we add SubjectLocality to the statement
try {
String[] values = sessionProvider.getProperty(session, SessionProvider.AUTH_INSTANT);
if (values != null && values.length != 0 && values[0] != null && values[0].length() != 0) {
authInstant = DateUtils.stringToDate(values[0]);
}
} catch (Exception e) {
SAML2Utils.debug.error(classMethod + "exception retrieving info from the session: ", e);
throw new SAML2Exception(SAML2Utils.bundle.getString("errorGettingAuthnStatement"));
}
if (authInstant == null) {
authInstant = new Date();
}
authnStatement.setAuthnInstant(authInstant);
AuthnContext authnContext = matchingAuthnContext;
if (authnContext == null) {
String authLevel = null;
try {
String[] values = sessionProvider.getProperty(session, SessionProvider.AUTH_LEVEL);
if (values != null && values.length != 0 && values[0] != null && values[0].length() != 0) {
authLevel = values[0];
}
} catch (Exception e) {
SAML2Utils.debug.error(classMethod + "exception retrieving auth level info from the session: ", e);
throw new SAML2Exception(SAML2Utils.bundle.getString("errorGettingAuthnStatement"));
}
IDPAuthnContextMapper idpAuthnContextMapper = getIDPAuthnContextMapper(realm, idpEntityID);
authnContext = idpAuthnContextMapper.getAuthnContextFromAuthLevel(authLevel, realm, idpEntityID);
}
final Response idpResponse = (Response) request.getAttribute(SAML2Constants.SAML_PROXY_IDP_RESPONSE_KEY);
if (idpResponse != null) {
// IdP proxy case: we already received an assertion from the remote IdP and now the IdP proxy is generating
// a new SAML response for the SP.
Set<String> authenticatingAuthorities = new LinkedHashSet<String>();
final List<Assertion> assertions = idpResponse.getAssertion();
for (Assertion assertion : assertions) {
authenticatingAuthorities.addAll(extractAuthenticatingAuthorities(assertion));
}
// According to SAML profile 4.1.4.2 each assertion within the SAML Response MUST have the same issuer, so
// this should suffice. We should have at least one assertion, since the IdP proxy's SP already accepted it.
authenticatingAuthorities.add(assertions.iterator().next().getIssuer().getValue());
authnContext.setAuthenticatingAuthority(new ArrayList<String>(authenticatingAuthorities));
}
authnStatement.setAuthnContext(authnContext);
String sessionIndex = getSessionIndex(session);
if (sessionIndex == null) {
// new sessionIndex
sessionIndex = SAML2Utils.generateIDWithServerID();
try {
String[] values = { sessionIndex };
sessionProvider.setProperty(session, SAML2Constants.IDP_SESSION_INDEX, values);
} catch (SessionException e) {
SAML2Utils.debug.error(classMethod + "error setting session index into the session: ", e);
throw new SAML2Exception(SAML2Utils.bundle.getString("errorGettingAuthnStatement"));
}
isNewSessionIndex.setValue(true);
} else {
isNewSessionIndex.setValue(false);
}
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "SessionIndex (in AuthnStatement) =" + sessionIndex);
}
if (sessionIndex != null) {
Set authContextSet = (HashSet) IDPCache.authnContextCache.get(sessionIndex);
if (authContextSet == null || authContextSet.isEmpty()) {
authContextSet = new HashSet();
}
authContextSet.add(authnContext);
// cache the AuthContext to use in the case of session upgrade.
IDPCache.authnContextCache.put(sessionIndex, authContextSet);
authnStatement.setSessionIndex(sessionIndex);
}
return authnStatement;
}
Also used :
LinkedHashSet(java.util.LinkedHashSet)
IDPAuthnContextMapper(com.sun.identity.saml2.plugins.IDPAuthnContextMapper)
Set(java.util.Set)
HashSet(java.util.HashSet)
LinkedHashSet(java.util.LinkedHashSet)
EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion)
Assertion(com.sun.identity.saml2.assertion.Assertion)
SessionException(com.sun.identity.plugin.session.SessionException)
Date(java.util.Date)
SAML2InvalidNameIDPolicyException(com.sun.identity.saml2.common.SAML2InvalidNameIDPolicyException)
SessionException(com.sun.identity.plugin.session.SessionException)
COTException(com.sun.identity.cot.COTException)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)
IOException(java.io.IOException)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
AuthnContext(com.sun.identity.saml2.assertion.AuthnContext)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
ECPResponse(com.sun.identity.saml2.ecp.ECPResponse)
Response(com.sun.identity.saml2.protocol.Response)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
AuthnStatement(com.sun.identity.saml2.assertion.AuthnStatement)
HashSet(java.util.HashSet)
LinkedHashSet(java.util.LinkedHashSet)
Aggregations
SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)48
Issuer (com.sun.identity.saml2.assertion.Issuer)42
Date (java.util.Date)24
List (java.util.List)20
ArrayList (java.util.ArrayList)19
SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)15
Element (org.w3c.dom.Element)15
Assertion (com.sun.identity.saml2.assertion.Assertion)13
Response (com.sun.identity.saml2.protocol.Response)13
SessionException (com.sun.identity.plugin.session.SessionException)12
X509Certificate (java.security.cert.X509Certificate)12
EncryptedAssertion (com.sun.identity.saml2.assertion.EncryptedAssertion)11
SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)11
HttpServletResponse (javax.servlet.http.HttpServletResponse)11
Node (org.w3c.dom.Node)10
NodeList (org.w3c.dom.NodeList)10
AssertionFactory (com.sun.identity.saml2.assertion.AssertionFactory)8
IDPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)8
ProtocolFactory (com.sun.identity.saml2.protocol.ProtocolFactory)8
Status (com.sun.identity.saml2.protocol.Status)8
