
Example 61 with NameID

use of com.sun.identity.saml2.assertion.NameID in project OpenAM by OpenRock.

the class IDPSessionListener method sessionInvalidated.

/**
 * Callback for SessionListener.
 * It is used for cleaning up the IDP session cache.
 *
 * <p>As written, the callback reads the SAML2 session index stored on the
 * session; for the cached IDPSession with that index it initiates a SOAP
 * single logout to each federated SP when the IDP's session-sync option is
 * enabled and drops the transient NameID mappings; it then removes the index
 * and session ID from the IDP caches and best-effort deletes the failover
 * token. All failures are logged and swallowed, since there is no caller to
 * report them to.
 *
 * @param session The session object
 */
public void sessionInvalidated(Object session) {
    String classMethod = "IDPSessionListener.sessionInvalidated: ";
    // Handed to initiateIDPSingleLogout; only ROLE is populated here.
    HashMap paramsMap = new HashMap();
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(classMethod + "Entering ...");
    }
    if (session == null) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "Session is null.");
        }
        return;
    }
    try {
        SessionProvider sessionProvider = SessionManager.getProvider();
        // The session index is the key into the IDP caches; without it there is nothing to clean.
        String[] values = sessionProvider.getProperty(session, SAML2Constants.IDP_SESSION_INDEX);
        if (values == null || values.length == 0) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "No sessionIndex stored in session.");
            }
            return;
        }
        String sessionIndex = values[0];
        if (sessionIndex == null || sessionIndex.length() == 0) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "No sessionIndex stored in session.");
            }
            return;
        }
        IDPSession idpSession = (IDPSession) IDPCache.idpSessionsByIndices.get(sessionIndex);
        if (idpSession != null) {
            paramsMap.put(SAML2Constants.ROLE, SAML2Constants.IDP_ROLE);
            String metaAlias = idpSession.getMetaAlias();
            String realm = SAML2Utils.getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
            // sm is a field of the enclosing class (not visible here); presumably the SAML2 meta manager.
            String idpEntityID = sm.getEntityByMetaAlias(metaAlias);
            try {
                // One NameIDandSPpair per SP this IDP session was federated with.
                List list = (List) idpSession.getNameIDandSPpairs();
                for (Iterator iter = list.iterator(); iter.hasNext(); ) {
                    NameIDandSPpair pair = (NameIDandSPpair) iter.next();
                    String spEntityID = pair.getSPEntityID();
                    NameID nameID = pair.getNameID();
                    // NOTE(review): this lookup does not depend on the pair, so it is loop-invariant.
                    BaseConfigType idpConfig = sm.getIDPSSOConfig(realm, idpEntityID);
                    if (idpConfig != null) {
                        List idpSessionSyncList = (List) SAML2MetaUtils.getAttributes(idpConfig).get(SAML2Constants.IDP_SESSION_SYNC_ENABLED);
                        if ((idpEntityID != null && spEntityID != null && idpSessionSyncList != null && idpSessionSyncList.size() != 0)) {
                            // Only the first value of the multi-valued attribute is consulted.
                            boolean idpSessionSyncEnabled = ((String) idpSessionSyncList.get(0)).equals(SAML2Constants.TRUE) ? true : false;
                            // Sync flag is enabled
                            if (idpSessionSyncEnabled) {
                                if (SAML2Utils.debug.messageEnabled()) {
                                    SAML2Utils.debug.message(classMethod + "IDP Session Synchronization flag " + "is enabled, initiating SLO to SP");
                                }
                                // Back-channel (SOAP) logout so the SP's session does not outlive the IDP session.
                                initiateIDPSingleLogout(sessionIndex, metaAlias, realm, SAML2Constants.SOAP, nameID, spEntityID, paramsMap);
                            }
                        }
                    } else {
                        if (SAML2Utils.debug.messageEnabled()) {
                            SAML2Utils.debug.message(classMethod + "Unable to retrieve the IDP " + "config data, idpConfig is null");
                        }
                    }
                }
            } catch (SAML2MetaException sme) {
                SAML2Utils.debug.error("IDPSessionListener.sessionInvalidated:", sme);
            } catch (SAML2Exception se) {
                SAML2Utils.debug.error("IDPSessionListener.sessionInvalidated:", se);
            } catch (SessionException s) {
                // A failed SLO to one SP must not stop the cache cleanup below.
                SAML2Utils.debug.error("IDPSessionListener.sessionInvalidated:", s);
            }
            // Transient NameID values are only meaningful for the life of this session;
            // drop their user-ID mapping so the value cannot be resolved afterwards.
            // The lock on idpSessionsByIndices is presumably the convention for these
            // caches — confirm against the other writers.
            synchronized (IDPCache.idpSessionsByIndices) {
                List list = (List) idpSession.getNameIDandSPpairs();
                for (Iterator iter = list.iterator(); iter.hasNext(); ) {
                    NameIDandSPpair pair = (NameIDandSPpair) iter.next();
                    NameID nameID = pair.getNameID();
                    if (SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(nameID.getFormat())) {
                        IDPCache.userIDByTransientNameIDValue.remove(nameID.getValue());
                    }
                }
            }
        } else {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "IDP Session with session index " + sessionIndex + " already removed.");
            }
        }
        // NOTE(review): these removals run outside the synchronized block above.
        IDPCache.idpSessionsByIndices.remove(sessionIndex);
        IDPCache.authnContextCache.remove(sessionIndex);
        String sessID = sessionProvider.getSessionID(session);
        if (IDPCache.idpSessionsBySessionID.get(sessID) != null) {
            IDPCache.idpSessionsBySessionID.remove(sessID);
            // agent and saml2Svc are fields of the enclosing class; this looks like a
            // monitoring hook publishing the live IDP session count — confirm.
            if ((agent != null) && agent.isRunning() && (saml2Svc != null)) {
                saml2Svc.setIdpSessionCount((long) IDPCache.idpSessionsBySessionID.size());
            }
        }
        if (IDPCache.spSessionPartnerBySessionID.get(sessID) != null) {
            IDPCache.spSessionPartnerBySessionID.remove(sessID);
        }
        // This failing should not cause the whole process to fail
        try {
            if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
                SAML2FailoverUtils.deleteSAML2Token(sessionIndex);
            }
        } catch (SAML2TokenRepositoryException se) {
            SAML2Utils.debug.error(classMethod + "SAML2 Token Repository error, sessionIndex:" + sessionIndex, se);
        }
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "cleaned up the IDP session cache for a session expiring or being destroyed: sessionIndex=" + sessionIndex);
        }
    } catch (SessionException e) {
        // Thrown by the session provider calls (getProperty / getSessionID); logged at warning level only.
        if (SAML2Utils.debug.warningEnabled()) {
            SAML2Utils.debug.warning(classMethod + "invalid or expired session.", e);
        }
    } catch (SAML2MetaException samlme) {
        // Thrown by the meta-alias lookups before the per-SP loop.
        if (SAML2Utils.debug.warningEnabled()) {
            SAML2Utils.debug.warning(classMethod + "unable to retrieve idp entity id.", samlme);
        }
    }
}

Example 62 with NameID

use of com.sun.identity.saml2.assertion.NameID in project OpenAM by OpenRock.

the class LogoutUtil method setNameIDForSLORequest.

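/**
 * Sets the subject NameID on a LogoutRequest, encrypting it when the remote
 * entity's metadata asks for encrypted NameIDs.
 *
 * <p>When encryption is not wanted the plain {@code nameID} is set on the
 * request. Otherwise the remote entity's "encryption" KeyDescriptor and
 * EncInfo are read from its metadata, the NameID is encrypted to the public
 * key of the certificate in that descriptor, and the result is set as an
 * EncryptedID.
 *
 * @param request        the LogoutRequest to populate
 * @param nameID         the NameID to set, in the clear or encrypted
 * @param realm          realm of the hosted entity
 * @param hostEntity     hosted entity ID (only logged here)
 * @param hostEntityRole role of the hosted entity, IDP_ROLE or SP_ROLE
 * @param remoteEntity   entity ID of the logout partner whose metadata is consulted
 * @throws SAML2Exception   if encryption is required but the remote entity's
 *                          metadata yields no encryption key info or no certificate
 * @throws SessionException as declared by the original signature
 */
public static void setNameIDForSLORequest(LogoutRequest request, NameID nameID, String realm, String hostEntity, String hostEntityRole, String remoteEntity) throws SAML2Exception, SessionException {
    String method = "setNameIDForSLORequest: ";
    // The remote entity plays the opposite role to the hosted one.
    boolean hostIsIDP = hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE);
    String remoteRole = hostIsIDP ? SAML2Constants.SP_ROLE : SAML2Constants.IDP_ROLE;
    boolean needEncryptIt = SAML2Utils.getWantNameIDEncrypted(realm, remoteEntity, remoteRole);
    if (!needEncryptIt) {
        if (debug.messageEnabled()) {
            debug.message(method + "NamID doesn't need to be encrypted.");
        }
        request.setNameID(nameID);
        return;
    }
    EncInfo encryptInfo = null;
    KeyDescriptorType keyDescriptor = null;
    if (hostIsIDP) {
        SPSSODescriptorElement spSSODesc = metaManager.getSPSSODescriptor(realm, remoteEntity);
        keyDescriptor = KeyUtil.getKeyDescriptor(spSSODesc, "encryption");
        encryptInfo = KeyUtil.getEncInfo(spSSODesc, remoteEntity, SAML2Constants.SP_ROLE);
    } else {
        IDPSSODescriptorElement idpSSODesc = metaManager.getIDPSSODescriptor(realm, remoteEntity);
        keyDescriptor = KeyUtil.getKeyDescriptor(idpSSODesc, "encryption");
        encryptInfo = KeyUtil.getEncInfo(idpSSODesc, remoteEntity, SAML2Constants.IDP_ROLE);
    }
    if (debug.messageEnabled()) {
        debug.message(method + "realm is : " + realm);
        debug.message(method + "hostEntity is : " + hostEntity);
        debug.message(method + "Host Entity role is : " + hostEntityRole);
        debug.message(method + "remoteEntity is : " + remoteEntity);
    }
    if (encryptInfo == null) {
        debug.error("NO meta data for encrypt Info.");
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    // A missing "encryption" KeyDescriptor or certificate previously surfaced as a
    // NullPointerException at getPublicKey(); report it as a metadata error instead.
    X509Certificate certificate = (keyDescriptor == null) ? null : KeyUtil.getCert(keyDescriptor);
    if (certificate == null) {
        debug.error("NO encryption certificate in meta data for " + remoteEntity + ".");
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    PublicKey recipientPublicKey = certificate.getPublicKey();
    EncryptedID encryptedID = nameID.encrypt(recipientPublicKey, encryptInfo.getDataEncAlgorithm(), encryptInfo.getDataEncStrength(), remoteEntity);
    request.setEncryptedID(encryptedID);
}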

Example 63 with NameID

use of com.sun.identity.saml2.assertion.NameID in project OpenAM by OpenRock.

the class NameIDMapping method setNameIDForNIMRequest.

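/**
 * Populates a NameIDMappingRequest with the user's federated NameID for the
 * source SP and the NameIDPolicy naming the target SP.
 *
 * <p>The NameID is built from the user's account federation with
 * {@code spEntityID}/{@code idpEntityID}; it is sent encrypted when the IDP's
 * metadata asks for encrypted NameIDs, otherwise in the clear.
 *
 * @param nimRequest         the request to populate
 * @param realm              realm of the hosted SP
 * @param spEntityID         entity ID of the requesting (hosted) SP
 * @param idpEntityID        entity ID of the IDP the request is sent to
 * @param targetSPEntityID   SP whose NameID for the user is being asked for
 * @param targetNameIDFormat NameID format requested for the target SP
 * @param userID             local user ID whose federation is looked up
 * @throws SAML2Exception if the user has no account federation with the
 *                        given SP/IDP pair, or if encryption is required and fails
 */
private static void setNameIDForNIMRequest(NameIDMappingRequest nimRequest, String realm, String spEntityID, String idpEntityID, String targetSPEntityID, String targetNameIDFormat, String userID) throws SAML2Exception {
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("NameIDMapping.setNameIDForNIMRequest: " + "user ID = " + userID);
    }
    NameIDInfo info = AccountUtils.getAccountFederation(userID, spEntityID, idpEntityID);
    // processNameIDMappingRequest null-checks the same lookup; treat a missing
    // federation as an error here rather than dereferencing null below.
    if (info == null) {
        throw new SAML2Exception("NameIDMapping.setNameIDForNIMRequest: no account federation found between " + spEntityID + " and " + idpEntityID);
    }
    NameID nameID = AssertionFactory.getInstance().createNameID();
    nameID.setValue(info.getNameIDValue());
    nameID.setFormat(info.getFormat());
    nameID.setNameQualifier(idpEntityID);
    nameID.setSPNameQualifier(spEntityID);
    // The policy tells the IDP which SP's NameID (and format) to map to.
    NameIDPolicy nameIDPolicy = ProtocolFactory.getInstance().createNameIDPolicy();
    nameIDPolicy.setSPNameQualifier(targetSPEntityID);
    nameIDPolicy.setFormat(targetNameIDFormat);
    nimRequest.setNameIDPolicy(nameIDPolicy);
    boolean needEncryptIt = SAML2Utils.getWantNameIDEncrypted(realm, idpEntityID, SAML2Constants.IDP_ROLE);
    if (!needEncryptIt) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("NameIDMapping.setNameIDForNIMRequest: " + "NamID doesn't need to be encrypted.");
        }
        nimRequest.setNameID(nameID);
        return;
    }
    EncryptedID encryptedID = getEncryptedID(nameID, realm, idpEntityID, SAML2Constants.IDP_ROLE);
    nimRequest.setEncryptedID(encryptedID);
}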

Example 64 with NameID

use of com.sun.identity.saml2.assertion.NameID in project OpenAM by OpenRock.

the class NameIDMapping method getEncryptedID.

/**
 * Encrypts a NameID for {@code entityID} using the encryption key info
 * published in that entity's metadata.
 *
 * @param nameID   the NameID to encrypt
 * @param realm    realm in which the entity's metadata is looked up
 * @param entityID entity whose metadata supplies the wrapping key
 * @param role     SP_ROLE selects the SP descriptor; anything else the IDP descriptor
 * @return the EncryptedID
 * @throws SAML2Exception if the metadata carries no encryption key info
 */
static EncryptedID getEncryptedID(NameID nameID, String realm, String entityID, String role) throws SAML2Exception {
    final RoleDescriptorType descriptor;
    if (role.equals(SAML2Constants.SP_ROLE)) {
        descriptor = metaManager.getSPSSODescriptor(realm, entityID);
    } else {
        descriptor = metaManager.getIDPSSODescriptor(realm, entityID);
    }
    EncInfo encInfo = KeyUtil.getEncInfo(descriptor, entityID, role);
    if (encInfo == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("UnableToFindEncryptKeyInfo"));
    }
    return nameID.encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), entityID);
}

Example 65 with NameID

use of com.sun.identity.saml2.assertion.NameID in project OpenAM by OpenRock.

the class NameIDMapping method processNameIDMappingRequest.

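/**
 * Builds the IDP-side response to a NameIDMappingRequest.
 *
 * <p>The requesting SP's issuer is verified against metadata first. The
 * request is then answered with INVALID_NAME_ID_POLICY (echoing the request's
 * NameID/EncryptedID) when the requested format is neither persistent nor
 * unspecified, when no distinct target SP is named, or when the user has no
 * federation with the target SP; otherwise the target SP's NameID is returned
 * encrypted for the requesting SP with a SUCCESS status. The response is
 * signed before being returned.
 *
 * @param nimRequest  the incoming request from the SP
 * @param realm       realm of the hosted IDP
 * @param idpEntityID entity ID of the hosted IDP
 * @return the signed NameIDMappingResponse
 * @throws SAML2Exception if the request carries no issuer / SP entity ID,
 *                        if issuer verification fails, or if encryption or signing fails
 */
public static NameIDMappingResponse processNameIDMappingRequest(NameIDMappingRequest nimRequest, String realm, String idpEntityID) throws SAML2Exception {
    // The request comes from a remote SP; a missing issuer previously surfaced as a NullPointerException.
    if (nimRequest.getIssuer() == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullSPEntityID"));
    }
    String spEntityID = nimRequest.getIssuer().getValue();
    if (spEntityID == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullSPEntityID"));
    }
    String responseID = SAML2Utils.generateID();
    if (responseID == null) {
        // Logged only, as before; the response is still built with a null ID.
        SAML2Utils.debug.error(SAML2Utils.bundle.getString("failedToGenResponseID"));
    }
    NameIDMappingResponse nimResponse = pf.createNameIDMappingResponse();
    nimResponse.setID(responseID);
    nimResponse.setInResponseTo(nimRequest.getID());
    nimResponse.setVersion(SAML2Constants.VERSION_2_0);
    nimResponse.setIssueInstant(new Date());
    nimResponse.setIssuer(SAML2Utils.createIssuer(idpEntityID));
    // Authenticates the requesting SP against metadata before any mapping is attempted.
    SAML2Utils.verifyRequestIssuer(realm, idpEntityID, nimRequest.getIssuer(), nimRequest.getID());
    // A request without a NameIDPolicy names no target; it falls into the
    // "no change" branch below instead of being dereferenced.
    NameIDPolicy nameIDPolicy = nimRequest.getNameIDPolicy();
    String targetSPEntityID = (nameIDPolicy == null) ? null : nameIDPolicy.getSPNameQualifier();
    String format = (nameIDPolicy == null) ? null : nameIDPolicy.getFormat();
    Status status;
    if ((format != null) && (format.length() != 0) && (!format.equals(SAML2Constants.PERSISTENT)) && (!format.equals(SAML2Constants.UNSPECIFIED))) {
        copyRequestSubject(nimRequest, nimResponse);
        status = SAML2Utils.generateStatus(SAML2Constants.INVALID_NAME_ID_POLICY, SAML2Utils.bundle.getString("targetNameIDFormatUnsupported"));
    } else if ((targetSPEntityID == null) || (targetSPEntityID.length() == 0) || targetSPEntityID.equals(spEntityID)) {
        copyRequestSubject(nimRequest, nimResponse);
        status = SAML2Utils.generateStatus(SAML2Constants.INVALID_NAME_ID_POLICY, SAML2Utils.bundle.getString("targetNameIDNoChange"));
    } else {
        // check if source SP has account fed
        // if yes then get nameid of targetSP
        IDPAccountMapper idpAcctMapper = SAML2Utils.getIDPAccountMapper(realm, idpEntityID);
        NameID nameID = getNameID(nimRequest, realm, idpEntityID);
        String userID = idpAcctMapper.getIdentity(nameID, idpEntityID, spEntityID, realm);
        NameIDInfo targetNameIDInfo = null;
        if (userID != null) {
            targetNameIDInfo = AccountUtils.getAccountFederation(userID, idpEntityID, targetSPEntityID);
        }
        if (targetNameIDInfo == null) {
            copyRequestSubject(nimRequest, nimResponse);
            status = SAML2Utils.generateStatus(SAML2Constants.INVALID_NAME_ID_POLICY, SAML2Utils.bundle.getString("targetNameIDNotFound"));
        } else {
            NameID targetSPNameID = targetNameIDInfo.getNameID();
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("NameIDMapping.processNameIDMappingRequest: " + "User ID = " + userID + ", name ID = " + targetSPNameID.toXMLString(true, true));
            }
            // The mapped NameID is always encrypted for the requesting SP.
            nimResponse.setEncryptedID(getEncryptedID(targetSPNameID, realm, spEntityID, SAML2Constants.SP_ROLE));
            status = SAML2Utils.generateStatus(SAML2Constants.SUCCESS, null);
        }
    }
    nimResponse.setStatus(status);
    signNIMResponse(nimResponse, realm, idpEntityID, false);
    return nimResponse;
}

/**
 * Echoes the request's NameID and EncryptedID into the response, as the
 * error branches of {@link #processNameIDMappingRequest} do.
 *
 * @param nimRequest  the request whose subject identifiers are copied
 * @param nimResponse the response to populate
 */
private static void copyRequestSubject(NameIDMappingRequest nimRequest, NameIDMappingResponse nimResponse) throws SAML2Exception {
    nimResponse.setNameID(nimRequest.getNameID());
    nimResponse.setEncryptedID(nimRequest.getEncryptedID());
}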
