use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.
The class IDPProxyUtil, method getNewAuthnRequest.
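/**
 * Builds the authentication request that the proxying IDP forwards to the
 * remote IDP, copying the relevant settings from the request the service
 * provider originally sent.
 *
 * <p>Consent, passive/force flags, ACS and attribute-consuming indexes,
 * protocol binding, NameIDPolicy, RequestedAuthnContext and Extensions are
 * copied from {@code origRequest}; the ID, IssueInstant, Issuer and
 * AssertionConsumerServiceURL are those of the hosted (proxying) entity.
 * When the original request carries a {@code Scoping} element its ProxyCount
 * is decremented by one; otherwise the proxy count and IDP list are taken from
 * the remote SP's extended metadata.
 *
 * @param hostedEntityId hosted provider ID
 * @param destination the destination the new AuthnRequest will be sent to
 * @param realm realm of the hosted provider
 * @param origRequest original AuthnRequest received from the service provider
 * @return the newly constructed AuthnRequest
 * @throws SAML2Exception if a request ID cannot be generated; any other
 *         exception raised while building the request (missing ACS URL,
 *         non-numeric proxy count, metadata errors) is logged and wrapped
 *         in a SAML2Exception
 */
private static AuthnRequest getNewAuthnRequest(String hostedEntityId, String destination, String realm,
        AuthnRequest origRequest) throws SAML2Exception {
    String classMethod = "IDPProxyUtil.getNewAuthnRequest: ";
    // The new request is only ever a single sign-on request, so it is built
    // field by field rather than cloned from the original.
    try {
        ProtocolFactory protocolFactory = ProtocolFactory.getInstance();
        AuthnRequest newRequest = protocolFactory.createAuthnRequest();
        String requestID = SAML2Utils.generateID();
        if (requestID == null || requestID.isEmpty()) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("cannotGenerateID"));
        }
        newRequest.setID(requestID);
        SPSSODescriptorElement localDescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(realm, hostedEntityId);
        // The destination ends up as an XML attribute value, hence the escaping.
        newRequest.setDestination(XMLUtils.escapeSpecialCharacters(destination));
        newRequest.setConsent(origRequest.getConsent());
        newRequest.setIsPassive(origRequest.isPassive());
        newRequest.setForceAuthn(origRequest.isForceAuthn());
        newRequest.setAttributeConsumingServiceIndex(origRequest.getAttributeConsumingServiceIndex());
        newRequest.setAssertionConsumerServiceIndex(origRequest.getAssertionConsumerServiceIndex());
        String protocolBinding = origRequest.getProtocolBinding();
        newRequest.setProtocolBinding(protocolBinding);
        // First ACS URL the hosted SP role advertises for this binding. If the
        // hosted metadata has none, get(0) fails and is wrapped by the catch below.
        OrderedSet acsSet = SPSSOFederate.getACSUrl(localDescriptor, protocolBinding);
        String acsURL = (String) acsSet.get(0);
        newRequest.setAssertionConsumerServiceURL(acsURL);
        Issuer issuer = AssertionFactory.getInstance().createIssuer();
        issuer.setValue(hostedEntityId);
        newRequest.setIssuer(issuer);
        NameIDPolicy origNameIDPolicy = origRequest.getNameIDPolicy();
        if (origNameIDPolicy != null) {
            NameIDPolicy newNameIDPolicy = protocolFactory.createNameIDPolicy();
            newNameIDPolicy.setFormat(origNameIDPolicy.getFormat());
            // The SPNameQualifier must name the proxying entity, not the original SP.
            newNameIDPolicy.setSPNameQualifier(hostedEntityId);
            newNameIDPolicy.setAllowCreate(origNameIDPolicy.isAllowCreate());
            newRequest.setNameIDPolicy(newNameIDPolicy);
        }
        newRequest.setRequestedAuthnContext(origRequest.getRequestedAuthnContext());
        newRequest.setExtensions(origRequest.getExtensions());
        newRequest.setIssueInstant(new Date());
        newRequest.setVersion(SAML2Constants.VERSION_2_0);
        Scoping scoping = origRequest.getScoping();
        if (scoping != null) {
            Scoping newScoping = protocolFactory.createScoping();
            Integer proxyCountInt = scoping.getProxyCount();
            if (proxyCountInt != null) {
                // This IDP consumes one proxy hop. NOTE(review): a ProxyCount of 0
                // (proxying not permitted) is presumably rejected by the caller
                // before reaching here — verify, as this would forward -1.
                newScoping.setProxyCount(Integer.valueOf(proxyCountInt.intValue() - 1));
            }
            newScoping.setIDPList(scoping.getIDPList());
            newRequest.setScoping(newScoping);
        } else {
            // alwaysIdpProxy case: the incoming request carried no Scoping, so the
            // proxy count and IDP list come from the remote SP's extended metadata.
            SPSSOConfigElement spConfig = getSPSSOConfigByAuthnRequest(realm, origRequest);
            Map<String, List<String>> spConfigAttrMap = SAML2MetaUtils.getAttributes(spConfig);
            scoping = protocolFactory.createScoping();
            String proxyCountParam = SPSSOFederate.getParameter(spConfigAttrMap, SAML2Constants.IDP_PROXY_COUNT);
            if (proxyCountParam != null && !proxyCountParam.isEmpty()) {
                // A non-numeric value raises NumberFormatException, wrapped below.
                int proxyCount = Integer.parseInt(proxyCountParam);
                // Decrement by one for the hop this IDP represents; never go below zero.
                scoping.setProxyCount(proxyCount <= 0 ? 0 : proxyCount - 1);
            }
            List<String> proxyIdPs = spConfigAttrMap.get(SAML2Constants.IDP_PROXY_LIST);
            if (proxyIdPs != null && !proxyIdPs.isEmpty()) {
                List<IDPEntry> list = new ArrayList<IDPEntry>(proxyIdPs.size());
                for (String proxyIdP : proxyIdPs) {
                    IDPEntry entry = protocolFactory.createIDPEntry();
                    entry.setProviderID(proxyIdP);
                    list.add(entry);
                }
                IDPList idpList = protocolFactory.createIDPList();
                idpList.setIDPEntries(list);
                scoping.setIDPList(idpList);
                // As in the original code, the Scoping is only attached when an IDP
                // list is configured; a proxy count without a list is not sent.
                newRequest.setScoping(scoping);
            }
        }
        return newRequest;
    } catch (Exception ex) {
        SAML2Utils.debug.error(classMethod + "Error in creating new authn request.", ex);
        throw new SAML2Exception(ex);
    }
}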
use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.
The class AuthnQueryUtil, method verifyAuthnQuery.
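/**
 * Verifies that an incoming {@code AuthnQuery} is signed, comes from an issuer
 * that is a valid source site for this authentication authority, and carries a
 * signature that validates against the issuer's SP signing certificates.
 *
 * <p>Checks run cheapest first: presence of a signature, issuer validity and
 * metadata lookup precede the cryptographic verification.
 *
 * @param authnQuery the query to verify
 * @param authnAuthorityEntityID entity ID of the hosted authentication authority
 * @param realm realm of the hosted entity
 * @throws SAML2Exception if the query is unsigned, the issuer is missing or
 *         invalid, the issuer's SP metadata or signing certificates cannot be
 *         found, or the signature does not validate
 */
private static void verifyAuthnQuery(AuthnQuery authnQuery, String authnAuthorityEntityID, String realm)
        throws SAML2Exception {
    if (!authnQuery.isSigned()) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("authnQueryNotSigned"));
    }
    Issuer issuer = authnQuery.getIssuer();
    // A query without an Issuer cannot be attributed to any SP; reject it
    // explicitly instead of failing with a NullPointerException further down.
    if (issuer == null || !SAML2Utils.isSourceSiteValid(issuer, realm, authnAuthorityEntityID)) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("authnQueryIssuerInvalid"));
    }
    String spEntityID = issuer.getValue();
    SPSSODescriptorElement spSSODesc = SAML2Utils.getSAML2MetaManager().getSPSSODescriptor(realm, spEntityID);
    if (spSSODesc == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("authnQueryIssuerNotFound"));
    }
    Set<X509Certificate> signingCerts = KeyUtil.getVerificationCerts(spSSODesc, spEntityID, SAML2Constants.SP_ROLE);
    if (signingCerts == null || signingCerts.isEmpty()) {
        // Without a trusted certificate the signature cannot be checked, so the
        // query is rejected rather than accepted unverified.
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
    }
    boolean valid = authnQuery.isSignatureValid(signingCerts);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("AuthnQueryUtil.verifyAuthnQuery: " + "Signature validity is : " + valid);
    }
    if (!valid) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignatureAuthnQuery"));
    }
}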
use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.
The class AuthnQueryUtil, method processAuthnQuery.
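/**
 * Processes an {@code AuthnQuery} from a requester and builds the SAML
 * {@code Response}.
 *
 * <p>The query is first verified (signature, issuer, metadata); verification
 * failures and metadata errors are returned as error responses rather than
 * thrown. The subject is then mapped to a local user and the user's cached
 * assertions (from the token repository when SAML2 failover is enabled,
 * otherwise from {@code IDPCache.assertionCache}) are scanned for those whose
 * authentication statements match the requested session index and
 * authentication context. The matches are returned in a signed success
 * response; no match still yields a success status with no assertions.
 *
 * @param authnQuery the <code>AuthnQuery</code> object
 * @param request the <code>HttpServletRequest</code> object (not read here)
 * @param response the <code>HttpServletResponse</code> object (not read here)
 * @param authnAuthorityEntityID entity ID of authentication authority
 * @param realm the realm of hosted entity
 * @return the <code>Response</code> object: a success response carrying the
 *         matching assertions, or an error response
 * @throws SAML2Exception if a stored assertion cannot be reconstructed, a
 *         response ID cannot be generated, or the response cannot be signed
 */
public static Response processAuthnQuery(AuthnQuery authnQuery, HttpServletRequest request,
        HttpServletResponse response, String authnAuthorityEntityID, String realm) throws SAML2Exception {
    try {
        verifyAuthnQuery(authnQuery, authnAuthorityEntityID, realm);
    } catch (SAML2Exception se) {
        SAML2Utils.debug.error("AuthnQueryUtil.processAuthnQuery:", se);
        return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER, null, se.getMessage(), null);
    }
    // verifyAuthnQuery has already validated the issuer as a source site.
    Issuer issuer = authnQuery.getIssuer();
    String spEntityID = issuer.getValue();
    AuthnAuthorityDescriptorElement aad = null;
    SAML2MetaManager metaManager = SAML2Utils.getSAML2MetaManager();
    try {
        aad = metaManager.getAuthnAuthorityDescriptor(realm, authnAuthorityEntityID);
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error("AuthnQueryUtil.processAuthnQuery:", sme);
        return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.RESPONDER, null,
                SAML2Utils.bundle.getString("metaDataError"), null);
    }
    if (aad == null) {
        return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER, null,
                SAML2Utils.bundle.getString("authnAuthorityNotFound"), null);
    }
    NameID nameID = getNameID(authnQuery.getSubject(), realm, authnAuthorityEntityID);
    if (nameID == null) {
        return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER,
                SAML2Constants.UNKNOWN_PRINCIPAL, null, null);
    }
    IDPAccountMapper idpAcctMapper = SAML2Utils.getIDPAccountMapper(realm, authnAuthorityEntityID);
    String userID = idpAcctMapper.getIdentity(nameID, authnAuthorityEntityID, spEntityID, realm);
    if (userID == null) {
        return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER,
                SAML2Constants.UNKNOWN_PRINCIPAL, null, null);
    }
    IDPAuthnContextMapper idpAuthnContextMapper = IDPSSOUtil.getIDPAuthnContextMapper(realm, authnAuthorityEntityID);
    AssertionFactory assertionFactory = AssertionFactory.getInstance();
    // Assertions are cached under the lower-cased user ID.
    String cacheKey = userID.toLowerCase();
    List<Assertion> assertions = loadCachedAssertions(cacheKey, assertionFactory);
    List<Assertion> returnAssertions = selectMatchingAssertions(assertions, authnQuery.getSessionIndex(),
            authnQuery.getRequestedAuthnContext(), idpAuthnContextMapper, realm, authnAuthorityEntityID);
    ProtocolFactory protocolFactory = ProtocolFactory.getInstance();
    Response samlResp = protocolFactory.createResponse();
    if (!returnAssertions.isEmpty()) {
        samlResp.setAssertion(returnAssertions);
    }
    String responseID = SAML2Utils.generateID();
    if (responseID == null || responseID.isEmpty()) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("cannotGenerateID"));
    }
    samlResp.setID(responseID);
    samlResp.setInResponseTo(authnQuery.getID());
    samlResp.setVersion(SAML2Constants.VERSION_2_0);
    samlResp.setIssueInstant(new Date());
    Status status = protocolFactory.createStatus();
    StatusCode statusCode = protocolFactory.createStatusCode();
    statusCode.setValue(SAML2Constants.SUCCESS);
    status.setStatusCode(statusCode);
    samlResp.setStatus(status);
    Issuer respIssuer = assertionFactory.createIssuer();
    respIssuer.setValue(authnAuthorityEntityID);
    samlResp.setIssuer(respIssuer);
    signResponse(samlResp, authnAuthorityEntityID, realm, false);
    return samlResp;
}

/**
 * Loads the cached assertions of a user: from the token repository when SAML2
 * failover is enabled, from the in-memory {@code IDPCache.assertionCache}
 * otherwise.
 *
 * @param cacheKey lower-cased user ID used as the cache key
 * @param assertionFactory factory used to rebuild assertions from their stored XML
 * @return the user's assertions, or {@code null} when none are cached; a
 *         repository failure is logged and treated as "none cached"
 * @throws SAML2Exception if a stored assertion cannot be parsed
 */
@SuppressWarnings("unchecked")
private static List<Assertion> loadCachedAssertions(String cacheKey, AssertionFactory assertionFactory)
        throws SAML2Exception {
    if (!SAML2FailoverUtils.isSAML2FailoverEnabled()) {
        return (List<Assertion>) IDPCache.assertionCache.get(cacheKey);
    }
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("AuthnQueryUtil.processAuthnQuery: " + "getting user assertions from DB. user = " + cacheKey);
    }
    List<?> stored = null;
    try {
        stored = SAML2FailoverUtils.retrieveSAML2TokensWithSecondaryKey(cacheKey);
    } catch (SAML2TokenRepositoryException se) {
        // Best effort: a repository failure means no assertions, not an error response.
        SAML2Utils.debug.error("AuthnQueryUtil.processAuthnQuery: " + "Unable to obtain user assertions from CTS Repository. user = " + cacheKey, se);
    }
    if (stored == null || stored.isEmpty()) {
        return null;
    }
    List<Assertion> assertions = new ArrayList<Assertion>(stored.size());
    for (Object assertionStr : stored) {
        assertions.add(assertionFactory.createAssertion((String) assertionStr));
    }
    return assertions;
}

/**
 * Selects the time-valid assertions that have at least one authentication
 * statement matching the query's session index (when given) and requested
 * authentication context (when given).
 *
 * @param assertions candidate assertions, may be {@code null} or empty
 * @param qSessionIndex session index from the query; empty or null means "any"
 * @param requestedAC requested authentication context from the query; null means "any"
 * @param idpAuthnContextMapper mapper deciding whether a class reference matches
 * @param realm realm of the hosted entity
 * @param authnAuthorityEntityID entity ID of the authentication authority
 * @return the matching assertions, never {@code null}
 * @throws SAML2Exception if the context mapper reports an error
 */
private static List<Assertion> selectMatchingAssertions(List<Assertion> assertions, String qSessionIndex,
        RequestedAuthnContext requestedAC, IDPAuthnContextMapper idpAuthnContextMapper, String realm,
        String authnAuthorityEntityID) throws SAML2Exception {
    List<Assertion> matching = new ArrayList<Assertion>();
    if (assertions == null || assertions.isEmpty()) {
        return matching;
    }
    boolean filterBySessionIndex = qSessionIndex != null && qSessionIndex.length() != 0;
    // The in-memory cache list may be shared with other threads, so iterate under its lock.
    synchronized (assertions) {
        for (Assertion assertion : assertions) {
            if (!assertion.isTimeValid()) {
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("AuthnQueryUtil.processAuthnQuery: " + " assertion " + assertion.getID() + " expired.");
                }
                continue;
            }
            List<?> authnStmts = assertion.getAuthnStatements();
            for (Object stmt : authnStmts) {
                AuthnStatement authnStmt = (AuthnStatement) stmt;
                AuthnContext authnStmtAC = authnStmt.getAuthnContext();
                String sessionIndex = authnStmt.getSessionIndex();
                String authnStmtACClassRef = authnStmtAC.getAuthnContextClassRef();
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("AuthnQueryUtil.processAuthnQuery: " + "authnStmtACClassRef is " + authnStmtACClassRef + ", sessionIndex = " + sessionIndex);
                }
                if (filterBySessionIndex && !qSessionIndex.equals(sessionIndex)) {
                    continue;
                }
                // Without a RequestedAuthnContext any statement matches.
                if (requestedAC == null || idpAuthnContextMapper.isAuthnContextMatching(
                        requestedAC.getAuthnContextClassRef(), authnStmtACClassRef,
                        requestedAC.getComparison(), realm, authnAuthorityEntityID)) {
                    matching.add(assertion);
                    // One matching statement is enough for this assertion.
                    break;
                }
            }
        }
    }
    return matching;
}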
use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.
The class DoManageNameID, method processManageNameIDResponse.
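/**
 * Processes a {@code ManageNameIDResponse} received over the HTTP-Redirect
 * binding at the hosted entity's MNI service endpoint.
 *
 * <p>The hosted entity and realm are derived from the request URI's meta
 * alias; the Redirect binding is checked to be supported for the hosted role;
 * the RelayState is validated; the response issuer is verified against the
 * request it answers and, when the hosted entity requires signed MNI
 * responses, the query-string signature is verified; finally the response is
 * applied by {@code checkMNIResponse}. For a hosted SP a successful
 * termination is reported to the SP adapter.
 *
 * @param request the HttpServletRequest carrying the redirected response.
 * @param response the HttpServletResponse.
 * @param paramsMap Map of all other parameters; used to determine the hosted role.
 * @return true if the response was processed successfully.
 * @throws SAML2Exception if the meta alias cannot be resolved, the Redirect
 *         binding is not supported, the response cannot be decoded, the issuer
 *         or signature is invalid, or the session token is invalid.
 */
public static boolean processManageNameIDResponse(HttpServletRequest request, HttpServletResponse response,
        Map paramsMap) throws SAML2Exception {
    String method = "processManageNameIDResponse: ";
    boolean success = false;
    String requestURL = request.getRequestURI();
    String metaAlias = SAML2MetaUtils.getMetaAliasByUri(requestURL);
    if (metaAlias == null) {
        logError("MetaAliasNotFound", LogUtil.MISSING_META_ALIAS, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("MetaAliasNotFound"));
    }
    String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
    String hostEntityID = metaManager.getEntityByMetaAlias(metaAlias);
    String hostRole = SAML2Utils.getHostEntityRole(paramsMap);
    boolean isSupported = SAML2Constants.IDP_ROLE.equals(hostRole)
            ? SAML2Utils.isIDPProfileBindingSupported(realm, hostEntityID, SAML2Constants.MNI_SERVICE,
                    SAML2Constants.HTTP_REDIRECT)
            : SAML2Utils.isSPProfileBindingSupported(realm, hostEntityID, SAML2Constants.MNI_SERVICE,
                    SAML2Constants.HTTP_REDIRECT);
    if (!isSupported) {
        debug.error(method + "MNI binding: Redirect is not supported for " + hostEntityID);
        String[] data = { hostEntityID, SAML2Constants.HTTP_REDIRECT };
        LogUtil.error(Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    String relayState = request.getParameter(SAML2Constants.RELAY_STATE);
    String mniRes = request.getParameter(SAML2Constants.SAML_RESPONSE);
    // A missing SAMLResponse parameter is reported like an undecodable one.
    String mniResStr = (mniRes == null) ? null : SAML2Utils.decodeFromRedirect(mniRes);
    if (mniResStr == null) {
        logError("nullDecodedStrFromSamlResponse", LogUtil.CANNOT_DECODE_RESPONSE, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse"));
    }
    if (debug.messageEnabled()) {
        debug.message(method + "Meta Alias is : " + metaAlias);
        debug.message(method + "Host role is : " + hostRole);
        debug.message(method + "Relay state is : " + relayState);
        debug.message(method + "MNI Response : " + mniResStr);
    }
    // Validate the RelayState URL before anything can redirect to it.
    SAML2Utils.validateRelayStateURL(realm, hostEntityID, relayState, hostRole);
    try {
        ManageNameIDResponse mniResponse = pf.createManageNameIDResponse(mniResStr);
        Issuer resIssuer = mniResponse.getIssuer();
        String requestId = mniResponse.getInResponseTo();
        // Bind the response to a request this host issued and to a trusted issuer
        // before the issuer value is used for anything else.
        SAML2Utils.verifyResponseIssuer(realm, hostEntityID, resIssuer, requestId);
        String remoteEntityID = resIssuer.getValue();
        boolean needToVerify = SAML2Utils.getWantMNIResponseSigned(realm, hostEntityID, hostRole);
        if (needToVerify) {
            // With HTTP-Redirect the signature covers the query string, not the XML.
            String queryString = request.getQueryString();
            boolean valid = SAML2Utils.verifyQueryString(queryString, realm, hostRole, remoteEntityID);
            if (!valid) {
                logError("invalidSignInResponse", LogUtil.MNI_RESPONSE_INVALID_SIGNATURE, null);
                throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignInResponse"));
            }
        }
        // checkMNIResponse reports the affected user ID through this buffer.
        StringBuffer mniUserId = new StringBuffer();
        success = checkMNIResponse(mniResponse, realm, hostEntityID, hostRole, mniUserId);
        if (success && SAML2Constants.SP_ROLE.equals(hostRole)) {
            // invoke SPAdapter for termination success
            postTerminationSuccess(hostEntityID, realm, request, response, mniUserId.toString(), null,
                    mniResponse, SAML2Constants.HTTP_REDIRECT);
        }
    } catch (SessionException e) {
        // Keep the underlying cause in the debug log; the thrown exception only carries the message.
        debug.error(method + "invalid SSO token", e);
        logError("invalidSSOToken", LogUtil.INVALID_SSOTOKEN, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
    }
    if (debug.messageEnabled()) {
        debug.message(method + "Request success : " + success);
    }
    return success;
}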
use of com.sun.identity.saml2.assertion.Issuer in project OpenAM by OpenRock.
The class ArtifactResolveImpl, method parseElement.
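/**
 * Populates this object from an {@code <ArtifactResolve>} DOM element.
 *
 * <p>Attributes ({@code ID}, {@code Version}, {@code IssueInstant},
 * {@code Destination}, {@code Consent}) are read first, then the child
 * elements in the schema order Issuer, Signature, Extensions, Artifact. Each
 * child may appear at most once and only in that order; any other child
 * element is rejected. Finally {@code validateData()} checks the collected
 * values.
 *
 * @param element the {@code ArtifactResolve} element to parse
 * @throws SAML2Exception if the element is null, is not an ArtifactResolve,
 *         has an unparsable IssueInstant, repeats or mis-orders a child
 *         element, contains an unknown child, or fails validation
 */
private void parseElement(Element element) throws SAML2Exception {
    if (element == null) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("ArtifactResolveImpl.parseElement: " + "element input is null.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
    }
    String tag = element.getLocalName();
    if (tag == null || !tag.equals("ArtifactResolve")) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("ArtifactResolveImpl.parseElement: " + "not ArtifactResolve.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("wrongInput"));
    }
    parseArtifactResolveAttributes(element);
    parseArtifactResolveChildren(element);
    validateData();
}

/**
 * Copies the recognised attributes of the {@code ArtifactResolve} element into
 * the corresponding fields; unknown attributes are ignored.
 *
 * @param element the ArtifactResolve element
 * @throws SAML2Exception if {@code IssueInstant} cannot be parsed as a date
 */
private void parseArtifactResolveAttributes(Element element) throws SAML2Exception {
    NamedNodeMap atts = element.getAttributes();
    if (atts == null) {
        return;
    }
    int length = atts.getLength();
    for (int i = 0; i < length; i++) {
        Attr attr = (Attr) atts.item(i);
        String attrName = attr.getName();
        String attrValue = attr.getValue().trim();
        if (attrName.equals("ID")) {
            requestId = attrValue;
        } else if (attrName.equals("Version")) {
            version = attrValue;
        } else if (attrName.equals("IssueInstant")) {
            try {
                issueInstant = DateUtils.stringToDate(attrValue);
            } catch (ParseException pe) {
                throw new SAML2Exception(pe.getMessage());
            }
        } else if (attrName.equals("Destination")) {
            destinationURI = attrValue;
        } else if (attrName.equals("Consent")) {
            consent = attrValue;
        }
    }
}

/**
 * Reads the child elements, enforcing that each appears at most once and in
 * the schema order Issuer, Signature, Extensions, Artifact.
 *
 * @param element the ArtifactResolve element
 * @throws SAML2Exception on a repeated, mis-ordered or unknown child element
 */
private void parseArtifactResolveChildren(Element element) throws SAML2Exception {
    NodeList nl = element.getChildNodes();
    int length = nl.getLength();
    for (int i = 0; i < length; i++) {
        Node child = nl.item(i);
        // Text, comment and other non-element nodes are skipped, as are
        // elements without a local name.
        if (child.getNodeType() != Node.ELEMENT_NODE) {
            continue;
        }
        String childName = child.getLocalName();
        if (childName == null) {
            continue;
        }
        if (childName.equals("Issuer")) {
            if (nameID != null) {
                rejectChild("ArtifactResolveImpl.parseElement: included more than one Issuer.", "moreElement");
            }
            if (signatureString != null || extensions != null || artifact != null) {
                rejectChild("ArtifactResolveImpl.parseElement:wrong sequence.", "schemaViolation");
            }
            nameID = AssertionFactory.getInstance().createIssuer((Element) child);
        } else if (childName.equals("Signature")) {
            if (signatureString != null) {
                rejectChild("ArtifactResolveImpl.parseElement:included more than one Signature.", "moreElement");
            }
            if (extensions != null || artifact != null) {
                rejectChild("ArtifactResolveImpl.parseElement:wrong sequence.", "schemaViolation");
            }
            // Keep the signature element's exact serialization for later verification.
            signatureString = XMLUtils.print((Element) child);
            isSigned = true;
        } else if (childName.equals("Extensions")) {
            if (extensions != null) {
                rejectChild("ArtifactResolveImpl.parseElement:included more than one Extensions.", "moreElement");
            }
            if (artifact != null) {
                rejectChild("ArtifactResolveImpl.parseElement:wrong sequence.", "schemaViolation");
            }
            extensions = ProtocolFactory.getInstance().createExtensions((Element) child);
        } else if (childName.equals("Artifact")) {
            if (artifact != null) {
                rejectChild("ArtifactResolveImpl.parseElement: included more than one Artifact.", "moreElement");
            }
            artifact = ProtocolFactory.getInstance().createArtifact((Element) child);
        } else {
            rejectChild("ArtifactResolveImpl.parseElement: Invalid element:" + childName, "invalidElement");
        }
    }
}

/**
 * Logs a debug message (when enabled) and throws the SAML2Exception for the
 * given resource-bundle key. Always throws.
 *
 * @param debugMessage message written to the debug log
 * @param bundleKey key of the localized error message
 * @throws SAML2Exception always
 */
private static void rejectChild(String debugMessage, String bundleKey) throws SAML2Exception {
    if (SAML2SDKUtils.debug.messageEnabled()) {
        SAML2SDKUtils.debug.message(debugMessage);
    }
    throw new SAML2Exception(SAML2SDKUtils.bundle.getString(bundleKey));
}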