Example 11 with NameID
use of com.sun.identity.saml2.assertion.NameID in project OpenAM by OpenRock.
the class DefaultLibrarySPAccountMapper method getAutoFedUser.
/**
* Returns user for the auto federate attribute.
*
* @param realm Realm name.
* @param entityID Hosted <code>EntityID</code>.
* @param assertion <code>Assertion</code> from the identity provider.
* @return Auto federation mapped user from the assertion auto federation <code>AttributeStatement</code>. if the
* statement does not have the auto federation attribute then the NameID value will be used if use NameID as SP user
* ID is enabled, otherwise null.
*/
protected String getAutoFedUser(String realm, String entityID, Assertion assertion, String decryptedNameID, Set<PrivateKey> decryptionKeys) throws SAML2Exception {
if (!isAutoFedEnabled(realm, entityID)) {
if (debug.messageEnabled()) {
debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Auto federation is disabled.");
}
return null;
}
String autoFedAttribute = getAttribute(realm, entityID, SAML2Constants.AUTO_FED_ATTRIBUTE);
if (autoFedAttribute == null || autoFedAttribute.isEmpty()) {
debug.error("DefaultLibrarySPAccountMapper.getAutoFedUser: " + "Auto federation is enabled but the auto federation attribute is not configured.");
return null;
}
if (debug.messageEnabled()) {
debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Auto federation attribute is set to: " + autoFedAttribute);
}
Set<String> autoFedAttributeValue = null;
List<AttributeStatement> attributeStatements = assertion.getAttributeStatements();
if (attributeStatements == null || attributeStatements.isEmpty()) {
if (debug.messageEnabled()) {
debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: " + "Assertion does not have any attribute statements.");
}
} else {
for (AttributeStatement statement : attributeStatements) {
autoFedAttributeValue = getAttribute(statement, autoFedAttribute, decryptionKeys);
if (autoFedAttributeValue != null && !autoFedAttributeValue.isEmpty()) {
if (debug.messageEnabled()) {
debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: " + "Found auto federation attribute value in Assertion: " + autoFedAttributeValue);
}
break;
}
}
}
if (autoFedAttributeValue == null || autoFedAttributeValue.isEmpty()) {
if (debug.messageEnabled()) {
debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Auto federation attribute is not specified" + " as an attribute.");
}
if (!useNameIDAsSPUserID(realm, entityID)) {
if (debug.messageEnabled()) {
debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: NameID as SP UserID was not enabled " + " and auto federation attribute " + autoFedAttribute + " was not found in the Assertion");
}
return null;
} else {
if (debug.messageEnabled()) {
debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Trying now to autofederate with nameID" + ", nameID =" + decryptedNameID);
}
autoFedAttributeValue = CollectionUtils.asSet(decryptedNameID);
}
}
String autoFedMapAttribute = null;
DefaultSPAttributeMapper attributeMapper = new DefaultSPAttributeMapper();
Map<String, String> attributeMap = attributeMapper.getConfigAttributeMap(realm, entityID, SP);
if (attributeMap == null || attributeMap.isEmpty()) {
if (debug.messageEnabled()) {
debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: attribute map is not configured.");
}
} else {
autoFedMapAttribute = attributeMap.get(autoFedAttribute);
}
if (autoFedMapAttribute == null) {
if (debug.messageEnabled()) {
debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: " + "Auto federation attribute map is not specified in config.");
}
// assume it is the same as the auto fed attribute name
autoFedMapAttribute = autoFedAttribute;
}
try {
Map<String, Set<String>> map = new HashMap<>(1);
map.put(autoFedMapAttribute, autoFedAttributeValue);
if (debug.messageEnabled()) {
debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Search map: " + map);
}
String userId = dsProvider.getUserID(realm, map);
if (userId != null && !userId.isEmpty()) {
return userId;
} else {
// return auto-federation attribute value as uid
if (isDynamicalOrIgnoredProfile(realm)) {
if (debug.messageEnabled()) {
debug.message("DefaultLibrarySPAccountMapper: dynamical user creation or ignore profile " + "enabled : uid=" + autoFedAttributeValue);
}
// return the first value as uid
return autoFedAttributeValue.iterator().next();
}
}
} catch (DataStoreProviderException dse) {
if (debug.warningEnabled()) {
debug.warning("DefaultLibrarySPAccountMapper.getAutoFedUser: Datastore provider exception", dse);
}
}
return null;
}
Also used :
DataStoreProviderException(com.sun.identity.plugin.datastore.DataStoreProviderException)
Set(java.util.Set)
HashSet(java.util.HashSet)
HashMap(java.util.HashMap)
AttributeStatement(com.sun.identity.saml2.assertion.AttributeStatement)
Example 12 with NameID
use of com.sun.identity.saml2.assertion.NameID in project OpenAM by OpenRock.
the class DoManageNameID method setNameIDForMNIRequest.
private static void setNameIDForMNIRequest(ManageNameIDRequest mniRequest, NameID nameID, boolean changeID, String realm, String hostEntity, String hostEntityRole, String remoteEntity) throws SAML2Exception {
String method = "DoManageNameID.setNameIDForMNIRequest: ";
boolean needEncryptIt = false;
if (hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
needEncryptIt = SAML2Utils.getWantNameIDEncrypted(realm, remoteEntity, SAML2Constants.SP_ROLE);
} else {
needEncryptIt = SAML2Utils.getWantNameIDEncrypted(realm, remoteEntity, SAML2Constants.IDP_ROLE);
}
NewID newID = null;
if (changeID) {
String newIDValue = SAML2Utils.createNameIdentifier();
newID = ProtocolFactory.getInstance().createNewID(newIDValue);
mniRequest.setNewID(newID);
}
mniRequest.setNameID(nameID);
if (!needEncryptIt) {
if (debug.messageEnabled()) {
debug.message(method + "NamID doesn't need to be encrypted.");
}
return;
}
EncInfo encInfo = null;
if (hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
SPSSODescriptorElement spSSODesc = metaManager.getSPSSODescriptor(realm, remoteEntity);
encInfo = KeyUtil.getEncInfo(spSSODesc, remoteEntity, SAML2Constants.SP_ROLE);
} else {
IDPSSODescriptorElement idpSSODesc = metaManager.getIDPSSODescriptor(realm, remoteEntity);
encInfo = KeyUtil.getEncInfo(idpSSODesc, remoteEntity, SAML2Constants.IDP_ROLE);
}
if (debug.messageEnabled()) {
debug.message(method + "realm is : " + realm);
debug.message(method + "hostEntity is : " + hostEntity);
debug.message(method + "Host Entity role is : " + hostEntityRole);
debug.message(method + "remoteEntity is : " + remoteEntity);
}
if (encInfo == null) {
logError("UnableToFindEncryptKeyInfo", LogUtil.METADATA_ERROR, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("UnableToFindEncryptKeyInfo"));
}
EncryptedID encryptedID = nameID.encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), remoteEntity);
// This non-encrypted NameID will be removed just
// after saveMNIRequestInfo and just before it send to
mniRequest.setEncryptedID(encryptedID);
if (newID != null) {
NewEncryptedID newEncID = newID.encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), remoteEntity);
// This non-encrypted newID will be removed just
// after saveMNIRequestInfo and just before it send to
mniRequest.setNewEncryptedID(newEncID);
}
}
Also used :
EncInfo(com.sun.identity.saml2.key.EncInfo)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
NewID(com.sun.identity.saml2.protocol.NewID)
NewEncryptedID(com.sun.identity.saml2.protocol.NewEncryptedID)
SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)
NewEncryptedID(com.sun.identity.saml2.protocol.NewEncryptedID)
EncryptedID(com.sun.identity.saml2.assertion.EncryptedID)
IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)
Example 13 with NameID
use of com.sun.identity.saml2.assertion.NameID in project OpenAM by OpenRock.
the class DoManageNameID method getNameIDFromMNIRequest.
private static NameID getNameIDFromMNIRequest(ManageNameIDRequest request, String realm, String hostEntity, String hostEntityRole) throws SAML2Exception {
String method = "DoManageNameID.getNameIDFromMNIRequest: ";
boolean needDecryptIt = SAML2Utils.getWantNameIDEncrypted(realm, hostEntity, hostEntityRole);
if (!needDecryptIt) {
if (debug.messageEnabled()) {
debug.message(method + "NamID doesn't need to be decrypted.");
}
return request.getNameID();
}
if (debug.messageEnabled()) {
debug.message(method + "realm is : " + realm);
debug.message(method + "hostEntity is : " + hostEntity);
debug.message(method + "Host Entity role is : " + hostEntityRole);
}
EncryptedID encryptedID = request.getEncryptedID();
return encryptedID.decrypt(KeyUtil.getDecryptionKeys(realm, hostEntity, hostEntityRole));
}
Also used :
NewEncryptedID(com.sun.identity.saml2.protocol.NewEncryptedID)
EncryptedID(com.sun.identity.saml2.assertion.EncryptedID)
Example 14 with NameID
use of com.sun.identity.saml2.assertion.NameID in project OpenAM by OpenRock.
the class ConfigureGoogleApps method updateSPMeta.
private void updateSPMeta(String realm, String cot, String domainId) throws WorkflowException {
String metadata = "<EntityDescriptor entityID=\"google.com/a/" + domainId + "\"" + " xmlns=\"urn" + ":oasis:names:tc:SAML:2.0:metadata\">" + "<SPSSODescriptor protocolSupportEnumeration=\"urn:oasis:nam" + "es:tc:SAML:2.0:protocol\"> <NameIDFormat>urn:oasis:names:t" + "c:SAML:1.1:nameid-format:unspecified</NameIDFormat>" + "<AssertionConsumerService index=\"1\" Binding=\"urn:oasis:na" + "mes:tc:SAML:2.0:bindings:HTTP-POST\"" + " Location=\"https://www.google.com/a/" + domainId + "/acs\" />" + "</SPSSODescriptor></EntityDescriptor>";
String extendedMeta = null;
try {
EntityDescriptorElement e = SAML2MetaUtils.getEntityDescriptorElement(metadata);
String eId = e.getEntityID();
String metaAlias = generateMetaAliasForSP(realm);
Map map = new HashMap();
map.put(MetaTemplateParameters.P_SP, metaAlias);
extendedMeta = CreateSAML2HostedProviderTemplate.createExtendedDataTemplate(eId, map, null, false);
} catch (SAML2MetaException ex) {
throw new WorkflowException(ex.getMessage());
} catch (JAXBException ex) {
throw new WorkflowException(ex.getMessage());
}
String[] results = ImportSAML2MetaData.importData(realm, metadata, extendedMeta);
String entityId = results[1];
if ((cot != null) && (cot.length() > 0)) {
try {
AddProviderToCOT.addToCOT(realm, cot, entityId);
} catch (COTException e) {
throw new WorkflowException(e.getMessage());
}
}
}
Also used :
HashMap(java.util.HashMap)
JAXBException(javax.xml.bind.JAXBException)
COTException(com.sun.identity.cot.COTException)
EntityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.EntityDescriptorElement)
HashMap(java.util.HashMap)
Map(java.util.Map)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
Example 15 with NameID
use of com.sun.identity.saml2.assertion.NameID in project OpenAM by OpenRock.
the class RequestAbstractImpl method parseDOMChileElements.
/**
* Parses child elements of the Docuemnt Element for this object.
*
* @param iter the child elements iterator.
* @throws SAML2Exception if error parsing the Document Element.
*/
protected void parseDOMChileElements(ListIterator iter) throws SAML2Exception {
AssertionFactory assertionFactory = AssertionFactory.getInstance();
ProtocolFactory protoFactory = ProtocolFactory.getInstance();
while (iter.hasNext()) {
Element childElement = (Element) iter.next();
String localName = childElement.getLocalName();
if (SAML2Constants.ISSUER.equals(localName)) {
validateIssuer();
nameID = assertionFactory.createIssuer(childElement);
} else if (SAML2Constants.SIGNATURE.equals(localName)) {
validateSignature();
signatureString = XMLUtils.print(childElement);
isSigned = true;
} else if (SAML2Constants.EXTENSIONS.equals(localName)) {
validateExtensions();
extensions = protoFactory.createExtensions(childElement);
} else {
iter.previous();
break;
}
}
}
Also used :
ProtocolFactory(com.sun.identity.saml2.protocol.ProtocolFactory)
AssertionFactory(com.sun.identity.saml2.assertion.AssertionFactory)
Element(org.w3c.dom.Element)
Aggregations
SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)46
NameID (com.sun.identity.saml2.assertion.NameID)33
List (java.util.List)25
ArrayList (java.util.ArrayList)22
EncryptedID (com.sun.identity.saml2.assertion.EncryptedID)18
SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)15
HashMap (java.util.HashMap)14
SessionException (com.sun.identity.plugin.session.SessionException)12
NameIDInfo (com.sun.identity.saml2.common.NameIDInfo)12
Map (java.util.Map)11
Subject (com.sun.identity.saml2.assertion.Subject)10
SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)10
Element (org.w3c.dom.Element)10
Date (java.util.Date)9
Iterator (java.util.Iterator)9
AssertionFactory (com.sun.identity.saml2.assertion.AssertionFactory)8
SAML2MetaManager (com.sun.identity.saml2.meta.SAML2MetaManager)8
Assertion (com.sun.identity.saml2.assertion.Assertion)7
Issuer (com.sun.identity.saml2.assertion.Issuer)7
IDPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)7
