Example 41 with NameID
use of com.sun.identity.saml2.assertion.NameID in project OpenAM by OpenRock.
the class AttributeQueryUtil method getAttributesForFedlet.
/**
* Sends the AttributeQuery to specified attribute authority,
* validates the response and returns the attribute map
* <code>Map<String, Set<String>></code> to the Fedlet
*
* @param spEntityID SP entity ID
* @param idpEntityID IDP entity ID
* @param nameIDValue NameID value
* @param attrsList The list of attributes whose values need to be
* fetched from IDP
* @param attrQueryProfileAlias Attribute Query Profile Alias
* @param subjectDN Attribute name which contains X.509 subject DN
*
* @return the <code>Map</code> object
* @exception SAML2Exception if the operation is not successful
*
* @supported.api
*/
public static Map<String, Set<String>> getAttributesForFedlet(String spEntityID, String idpEntityID, String nameIDValue, List<String> attrsList, String attrQueryProfileAlias, String subjectDN) throws SAML2Exception {
final String classMethod = "AttributeQueryUtil.getAttributesForFedlet: ";
AttributeQueryConfigElement attrQueryConfig = metaManager.getAttributeQueryConfig("/", spEntityID);
if (attrQueryConfig == null) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "Attribute Query Config is null");
}
return null;
}
String attrqMetaAlias = attrQueryConfig.getMetaAlias();
if (attrqMetaAlias == null) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "Attribute Query MetaAlias is null");
}
return null;
}
boolean wantNameIDEncrypted = SAML2Utils.getWantNameIDEncrypted("/", spEntityID, SAML2Constants.ATTR_QUERY_ROLE);
AttributeQuery attrQuery = constructAttrQueryForFedlet(spEntityID, idpEntityID, nameIDValue, attrsList, attrqMetaAlias, attrQueryProfileAlias, subjectDN, wantNameIDEncrypted);
String attrQueryProfile = null;
if (attrQueryProfileAlias.equals(SAML2Constants.DEFAULT_ATTR_QUERY_PROFILE_ALIAS)) {
attrQueryProfile = SAML2Constants.DEFAULT_ATTR_QUERY_PROFILE;
} else if (attrQueryProfileAlias.equals(SAML2Constants.X509_SUBJECT_ATTR_QUERY_PROFILE_ALIAS)) {
attrQueryProfile = SAML2Constants.X509_SUBJECT_ATTR_QUERY_PROFILE;
}
Response samlResp = sendAttributeQuery(attrQuery, idpEntityID, "/", attrQueryProfile, SAML2Constants.BASIC_ATTRIBUTE_PROFILE, SAML2Constants.SOAP);
// Validate the response
boolean validResp = validateSAMLResponseForFedlet(samlResp, spEntityID, wantNameIDEncrypted);
Map<String, Set<String>> attrMap = new HashMap<String, Set<String>>();
if (validResp) {
// Return back the AttributeMap
if (samlResp != null) {
List<Object> assertions;
if (wantNameIDEncrypted) {
assertions = samlResp.getEncryptedAssertion();
} else {
assertions = samlResp.getAssertion();
}
for (Object currentAssertion : assertions) {
Assertion assertion;
if (wantNameIDEncrypted) {
assertion = getDecryptedAssertion((EncryptedAssertion) currentAssertion, spEntityID);
} else {
assertion = (Assertion) currentAssertion;
}
if (assertion != null) {
List<AttributeStatement> statements = assertion.getAttributeStatements();
if (statements != null && statements.size() > 0) {
for (AttributeStatement statement : statements) {
List<Attribute> attributes = statement.getAttribute();
attrMap.putAll(mapAttributes("/", spEntityID, idpEntityID, nameIDValue, attributes));
}
} else {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "Empty Statement present in SAML response");
}
}
} else {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "Empty Assertion present in SAML response");
}
}
}
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "attributes received from Attribute Query: " + attrMap);
}
}
} else {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "Invalid response obtained from Attribute Authority");
}
}
// Return the attribute map and to the fedlet
return attrMap;
}
Also used :
Set(java.util.Set)
HashSet(java.util.HashSet)
HashMap(java.util.HashMap)
Attribute(com.sun.identity.saml2.assertion.Attribute)
EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion)
Assertion(com.sun.identity.saml2.assertion.Assertion)
AttributeQueryConfigElement(com.sun.identity.saml2.jaxb.entityconfig.AttributeQueryConfigElement)
Response(com.sun.identity.saml2.protocol.Response)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
AttributeQuery(com.sun.identity.saml2.protocol.AttributeQuery)
EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion)
AttributeStatement(com.sun.identity.saml2.assertion.AttributeStatement)
Example 42 with NameID
use of com.sun.identity.saml2.assertion.NameID in project OpenAM by OpenRock.
the class AuthnQueryUtil method processAuthnQuery.
/**
* This method processes the <code>AuthnQuery</code> coming
* from a requester.
*
* @param authnQuery the <code>AuthnQuery</code> object
* @param request the <code>HttpServletRequest</code> object
* @param response the <code>HttpServletResponse</code> object
* @param authnAuthorityEntityID entity ID of authentication authority
* @param realm the realm of hosted entity
*
* @return the <code>Response</code> object
* @exception SAML2Exception if the operation is not successful
*/
public static Response processAuthnQuery(AuthnQuery authnQuery, HttpServletRequest request, HttpServletResponse response, String authnAuthorityEntityID, String realm) throws SAML2Exception {
try {
verifyAuthnQuery(authnQuery, authnAuthorityEntityID, realm);
} catch (SAML2Exception se) {
SAML2Utils.debug.error("AuthnQueryUtil.processAuthnQuery:", se);
return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER, null, se.getMessage(), null);
}
Issuer issuer = authnQuery.getIssuer();
String spEntityID = issuer.getValue();
AuthnAuthorityDescriptorElement aad = null;
SAML2MetaManager metaManager = SAML2Utils.getSAML2MetaManager();
try {
aad = metaManager.getAuthnAuthorityDescriptor(realm, authnAuthorityEntityID);
} catch (SAML2MetaException sme) {
SAML2Utils.debug.error("AuthnQueryUtil.processAuthnQuery:", sme);
return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.RESPONDER, null, SAML2Utils.bundle.getString("metaDataError"), null);
}
if (aad == null) {
return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER, null, SAML2Utils.bundle.getString("authnAuthorityNotFound"), null);
}
NameID nameID = getNameID(authnQuery.getSubject(), realm, authnAuthorityEntityID);
if (nameID == null) {
return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER, SAML2Constants.UNKNOWN_PRINCIPAL, null, null);
}
IDPAccountMapper idpAcctMapper = SAML2Utils.getIDPAccountMapper(realm, authnAuthorityEntityID);
String userID = idpAcctMapper.getIdentity(nameID, authnAuthorityEntityID, spEntityID, realm);
if (userID == null) {
return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER, SAML2Constants.UNKNOWN_PRINCIPAL, null, null);
}
IDPAuthnContextMapper idpAuthnContextMapper = IDPSSOUtil.getIDPAuthnContextMapper(realm, authnAuthorityEntityID);
// get assertion for matching authncontext using session
List returnAssertions = new ArrayList();
String qSessionIndex = authnQuery.getSessionIndex();
RequestedAuthnContext requestedAC = authnQuery.getRequestedAuthnContext();
List assertions = null;
String cacheKey = userID.toLowerCase();
AssertionFactory assertionFactory = AssertionFactory.getInstance();
if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("AuthnQueryUtil.processAuthnQuery: " + "getting user assertions from DB. user = " + cacheKey);
}
List list = null;
try {
list = SAML2FailoverUtils.retrieveSAML2TokensWithSecondaryKey(cacheKey);
} catch (SAML2TokenRepositoryException se) {
SAML2Utils.debug.error("AuthnQueryUtil.processAuthnQuery: " + "Unable to obtain user assertions from CTS Repository. user = " + cacheKey, se);
}
if (list != null && !list.isEmpty()) {
assertions = new ArrayList();
for (Iterator iter = list.iterator(); iter.hasNext(); ) {
String assertionStr = (String) iter.next();
assertions.add(assertionFactory.createAssertion(assertionStr));
}
}
} else {
assertions = (List) IDPCache.assertionCache.get(cacheKey);
}
if ((assertions != null) && (!assertions.isEmpty())) {
synchronized (assertions) {
for (Iterator aIter = assertions.iterator(); aIter.hasNext(); ) {
Assertion assertion = (Assertion) aIter.next();
if (!assertion.isTimeValid()) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("AuthnQueryUtil.processAuthnQuery: " + " assertion " + assertion.getID() + " expired.");
}
continue;
}
List authnStmts = assertion.getAuthnStatements();
for (Iterator asIter = authnStmts.iterator(); asIter.hasNext(); ) {
AuthnStatement authnStmt = (AuthnStatement) asIter.next();
AuthnContext authnStmtAC = authnStmt.getAuthnContext();
String sessionIndex = authnStmt.getSessionIndex();
String authnStmtACClassRef = authnStmtAC.getAuthnContextClassRef();
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("AuthnQueryUtil.processAuthnQuery: " + "authnStmtACClassRef is " + authnStmtACClassRef + ", sessionIndex = " + sessionIndex);
}
if ((qSessionIndex != null) && (qSessionIndex.length() != 0) && (!qSessionIndex.equals(sessionIndex))) {
continue;
}
if (requestedAC != null) {
List requestedACClassRefs = requestedAC.getAuthnContextClassRef();
String comparison = requestedAC.getComparison();
if (idpAuthnContextMapper.isAuthnContextMatching(requestedACClassRefs, authnStmtACClassRef, comparison, realm, authnAuthorityEntityID)) {
returnAssertions.add(assertion);
break;
}
} else {
returnAssertions.add(assertion);
break;
}
}
}
}
// end assertion iterator while.
}
ProtocolFactory protocolFactory = ProtocolFactory.getInstance();
Response samlResp = protocolFactory.createResponse();
if (!returnAssertions.isEmpty()) {
samlResp.setAssertion(returnAssertions);
}
samlResp.setID(SAML2Utils.generateID());
samlResp.setInResponseTo(authnQuery.getID());
samlResp.setVersion(SAML2Constants.VERSION_2_0);
samlResp.setIssueInstant(new Date());
Status status = protocolFactory.createStatus();
StatusCode statusCode = protocolFactory.createStatusCode();
statusCode.setValue(SAML2Constants.SUCCESS);
status.setStatusCode(statusCode);
samlResp.setStatus(status);
Issuer respIssuer = assertionFactory.createIssuer();
respIssuer.setValue(authnAuthorityEntityID);
samlResp.setIssuer(respIssuer);
signResponse(samlResp, authnAuthorityEntityID, realm, false);
return samlResp;
}
Also used :
Status(com.sun.identity.saml2.protocol.Status)
AuthnAuthorityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement)
IDPAccountMapper(com.sun.identity.saml2.plugins.IDPAccountMapper)
IDPAuthnContextMapper(com.sun.identity.saml2.plugins.IDPAuthnContextMapper)
Issuer(com.sun.identity.saml2.assertion.Issuer)
NameID(com.sun.identity.saml2.assertion.NameID)
ArrayList(java.util.ArrayList)
EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion)
Assertion(com.sun.identity.saml2.assertion.Assertion)
SAML2MetaManager(com.sun.identity.saml2.meta.SAML2MetaManager)
StatusCode(com.sun.identity.saml2.protocol.StatusCode)
Date(java.util.Date)
RequestedAuthnContext(com.sun.identity.saml2.protocol.RequestedAuthnContext)
AuthnContext(com.sun.identity.saml2.assertion.AuthnContext)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
ProtocolFactory(com.sun.identity.saml2.protocol.ProtocolFactory)
Response(com.sun.identity.saml2.protocol.Response)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
RequestedAuthnContext(com.sun.identity.saml2.protocol.RequestedAuthnContext)
AssertionFactory(com.sun.identity.saml2.assertion.AssertionFactory)
Iterator(java.util.Iterator)
AuthnStatement(com.sun.identity.saml2.assertion.AuthnStatement)
ArrayList(java.util.ArrayList)
List(java.util.List)
SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
Example 43 with NameID
use of com.sun.identity.saml2.assertion.NameID in project OpenAM by OpenRock.
the class DoManageNameID method createManageNameIDRequest.
private static ManageNameIDRequest createManageNameIDRequest(Object session, String realm, String hostEntityID, String hostEntityRole, String remoteEntityID, String destination, boolean changeID, String affiliationID) throws SAML2Exception {
String method = "DoManageNameID.createManageNameIDRequest: ";
NameID nameID = null;
String userID = null;
try {
userID = sessionProvider.getPrincipalName(session);
nameID = getNameID(userID, hostEntityID, remoteEntityID, hostEntityRole, affiliationID, realm);
} catch (SessionException e) {
logError("invalidSSOToken", LogUtil.INVALID_SSOTOKEN, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
}
if (debug.messageEnabled()) {
debug.message(method + "User ID : " + userID);
debug.message(method + "NameID : " + nameID.toXMLString());
}
ManageNameIDRequest mniRequest = pf.createManageNameIDRequest();
mniRequest.setID(SAML2Utils.generateID());
mniRequest.setVersion(SAML2Constants.VERSION_2_0);
mniRequest.setDestination(XMLUtils.escapeSpecialCharacters(destination));
mniRequest.setIssuer(SAML2Utils.createIssuer(hostEntityID));
mniRequest.setIssueInstant(new Date());
setNameIDForMNIRequest(mniRequest, nameID, changeID, realm, hostEntityID, hostEntityRole, remoteEntityID);
if (!changeID) {
mniRequest.setTerminate(true);
}
return mniRequest;
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
NameID(com.sun.identity.saml2.assertion.NameID)
ManageNameIDRequest(com.sun.identity.saml2.protocol.ManageNameIDRequest)
SessionException(com.sun.identity.plugin.session.SessionException)
Date(java.util.Date)
Example 44 with NameID
use of com.sun.identity.saml2.assertion.NameID in project OpenAM by OpenRock.
the class DoManageNameID method saveMNIRequestInfo.
private static void saveMNIRequestInfo(HttpServletRequest request, HttpServletResponse response, Map paramsMap, ManageNameIDRequest mniRequest, String relayState, String hostEntityRole, Object session) throws SAML2Exception {
String method = "saveMNIRequestInfo: ";
if (debug.messageEnabled()) {
debug.message(method + "hostEntityRole : " + hostEntityRole);
}
ManageNameIDRequest reqForSave = mniRequest;
NameID nameID = mniRequest.getNameID();
EncryptedID encryptedID = mniRequest.getEncryptedID();
if (encryptedID != null) {
NewEncryptedID newEncryptedID = mniRequest.getNewEncryptedID();
mniRequest.setEncryptedID(null);
mniRequest.setNewEncryptedID(null);
reqForSave = (ManageNameIDRequest) pf.createManageNameIDRequest(mniRequest.toXMLString(true, true));
mniRequest.setNameID(null);
mniRequest.setNewID(null);
mniRequest.setEncryptedID(encryptedID);
mniRequest.setNewEncryptedID(newEncryptedID);
}
paramsMap.put(SAML2Constants.SESSION, session);
ManageNameIDRequestInfo reqInfo = new ManageNameIDRequestInfo(request, response, reqForSave, relayState, paramsMap, session);
reqInfo.setNameID(nameID);
if (hostEntityRole.equalsIgnoreCase(SAML2Constants.SP_ROLE)) {
SPCache.mniRequestHash.put(mniRequest.getID(), reqInfo);
} else {
IDPCache.mniRequestHash.put(mniRequest.getID(), reqInfo);
}
}
Also used :
NewEncryptedID(com.sun.identity.saml2.protocol.NewEncryptedID)
ManageNameIDRequest(com.sun.identity.saml2.protocol.ManageNameIDRequest)
NameID(com.sun.identity.saml2.assertion.NameID)
NewEncryptedID(com.sun.identity.saml2.protocol.NewEncryptedID)
EncryptedID(com.sun.identity.saml2.assertion.EncryptedID)
Example 45 with NameID
use of com.sun.identity.saml2.assertion.NameID in project OpenAM by OpenRock.
the class SPACSUtils method getPrincipalWithoutLogin.
/**
* Returns the username if there was one from the Assertion we were able to map into a local user account. Returns
* null if not. Should only be used from the SP side. Should only be called in conjuncture with the Auth Module.
* In addition, it performs what attribute federation it can.
*
* This method is a picked apart version of the "processResponse" function.
*/
public static String getPrincipalWithoutLogin(Subject assertionSubject, Assertion authnAssertion, String realm, String spEntityId, SAML2MetaManager metaManager, String idpEntityId, String storageKey) throws SAML2Exception {
final EncryptedID encId = assertionSubject.getEncryptedID();
final SPSSOConfigElement spssoconfig = metaManager.getSPSSOConfig(realm, spEntityId);
final Set<PrivateKey> decryptionKeys = KeyUtil.getDecryptionKeys(spssoconfig);
final SPAccountMapper acctMapper = SAML2Utils.getSPAccountMapper(realm, spEntityId);
boolean needNameIDEncrypted = false;
NameID nameId = assertionSubject.getNameID();
String assertionEncryptedAttr = SAML2Utils.getAttributeValueFromSPSSOConfig(spssoconfig, SAML2Constants.WANT_ASSERTION_ENCRYPTED);
if (assertionEncryptedAttr == null || !Boolean.parseBoolean(assertionEncryptedAttr)) {
String idEncryptedStr = SAML2Utils.getAttributeValueFromSPSSOConfig(spssoconfig, SAML2Constants.WANT_NAMEID_ENCRYPTED);
if (idEncryptedStr != null && Boolean.parseBoolean(idEncryptedStr)) {
needNameIDEncrypted = true;
}
}
if (needNameIDEncrypted && encId == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("nameIDNotEncrypted"));
}
if (encId != null) {
nameId = encId.decrypt(decryptionKeys);
}
SPSSODescriptorElement spDesc = null;
try {
spDesc = metaManager.getSPSSODescriptor(realm, spEntityId);
} catch (SAML2MetaException ex) {
SAML2Utils.debug.error("Unable to read SPSSODescription", ex);
}
if (spDesc == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
final String nameIDFormat = nameId.getFormat();
if (nameIDFormat != null) {
List spNameIDFormatList = spDesc.getNameIDFormat();
if (CollectionUtils.isNotEmpty(spNameIDFormatList) && !spNameIDFormatList.contains(nameIDFormat)) {
Object[] args = { nameIDFormat };
throw new SAML2Exception(SAML2Utils.BUNDLE_NAME, "unsupportedNameIDFormatSP", args);
}
}
final boolean isTransient = SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(nameIDFormat);
final boolean isPersistent = SAML2Constants.PERSISTENT.equals(nameIDFormat);
final boolean ignoreProfile = SAML2PluginsUtils.isIgnoredProfile(realm);
final boolean shouldPersistNameID = isPersistent || (!isTransient && !ignoreProfile && acctMapper.shouldPersistNameIDFormat(realm, spEntityId, idpEntityId, nameIDFormat));
String userName = null;
boolean isNewAccountLink = false;
try {
if (shouldPersistNameID) {
try {
userName = SAML2Utils.getDataStoreProvider().getUserID(realm, SAML2Utils.getNameIDKeyMap(nameId, spEntityId, idpEntityId, realm, SAML2Constants.SP_ROLE));
} catch (DataStoreProviderException dse) {
throw new SAML2Exception(dse.getMessage());
}
}
//if we can't get an already linked account, see if we'll be generating a new one based on federated data
if (userName == null) {
userName = acctMapper.getIdentity(authnAssertion, spEntityId, realm);
//we'll use this later to inform us
isNewAccountLink = true;
}
} catch (SAML2Exception se) {
return null;
}
//if we're new and we're persistent, store the federation data in the user pref
if (isNewAccountLink && isPersistent) {
try {
writeFedData(nameId, spEntityId, realm, metaManager, idpEntityId, userName, storageKey);
} catch (SAML2Exception se) {
return userName;
}
}
return userName;
}
Also used :
DataStoreProviderException(com.sun.identity.plugin.datastore.DataStoreProviderException)
PrivateKey(java.security.PrivateKey)
NameID(com.sun.identity.saml2.assertion.NameID)
SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)
SPSSOConfigElement(com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement)
EncryptedID(com.sun.identity.saml2.assertion.EncryptedID)
SPAccountMapper(com.sun.identity.saml2.plugins.SPAccountMapper)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
List(java.util.List)
ArrayList(java.util.ArrayList)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
Aggregations
SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)46
NameID (com.sun.identity.saml2.assertion.NameID)33
List (java.util.List)25
ArrayList (java.util.ArrayList)22
EncryptedID (com.sun.identity.saml2.assertion.EncryptedID)18
SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)15
HashMap (java.util.HashMap)14
SessionException (com.sun.identity.plugin.session.SessionException)12
NameIDInfo (com.sun.identity.saml2.common.NameIDInfo)12
Map (java.util.Map)11
Subject (com.sun.identity.saml2.assertion.Subject)10
SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)10
Element (org.w3c.dom.Element)10
Date (java.util.Date)9
Iterator (java.util.Iterator)9
AssertionFactory (com.sun.identity.saml2.assertion.AssertionFactory)8
SAML2MetaManager (com.sun.identity.saml2.meta.SAML2MetaManager)8
Assertion (com.sun.identity.saml2.assertion.Assertion)7
Issuer (com.sun.identity.saml2.assertion.Issuer)7
IDPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)7
