
Example 1 with SubjectConfirmation

use of com.sun.identity.saml2.assertion.SubjectConfirmation in project OpenAM by OpenRock.

the class DiscoveryBootstrap method convertSC.

/**
 * Converts a list of SAML 2.0 {@code SubjectConfirmation} objects into a single
 * SAML 1.x {@code SubjectConfirmation}.
 * <p>
 * Only the first entry of the list is converted; any further SAML 2.0
 * confirmations are dropped. The confirmation method is copied as-is, and the
 * first content item of the SAML 2.0 {@code SubjectConfirmationData} (if any)
 * becomes the SAML 1.x subject confirmation data.
 *
 * @param subjectConfirmations the SAML 2.0 confirmations; may be {@code null} or empty
 * @return the converted SAML 1.x confirmation, or {@code null} when the input is
 *         {@code null} or empty
 * @throws SAMLException if the SAML 1.x object cannot be constructed
 */
private static com.sun.identity.saml.assertion.SubjectConfirmation convertSC(List subjectConfirmations) throws SAMLException {
    // Nothing to convert: callers get null rather than an empty SAML 1.x confirmation.
    if (subjectConfirmations == null || subjectConfirmations.isEmpty()) {
        return null;
    }
    // Only the first SAML 2.0 confirmation is carried over; the rest are ignored.
    SubjectConfirmation source = (SubjectConfirmation) subjectConfirmations.get(0);
    com.sun.identity.saml.assertion.SubjectConfirmation target =
            new com.sun.identity.saml.assertion.SubjectConfirmation(source.getMethod());
    SubjectConfirmationData data = source.getSubjectConfirmationData();
    if (data == null) {
        return target;
    }
    List content = data.getContent();
    if (content != null && !content.isEmpty()) {
        // The first content item is expected to be a String; a different type would fail the cast.
        target.setSubjectConfirmationData((String) content.get(0));
    }
    return target;
}

Example 2 with SubjectConfirmation

use of com.sun.identity.saml2.assertion.SubjectConfirmation in project OpenAM by OpenRock.

the class IDPSSOUtil method getSubjectConfirmation.

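/**
 * Returns a <code>SAML SubjectConfirmation</code> object using the bearer
 * confirmation method.
 * <p>
 * The confirmation data carries the XML-escaped ACS URL as <code>Recipient</code>,
 * the request id as <code>InResponseTo</code> when one is supplied, and a
 * <code>NotOnOrAfter</code> of now plus <code>effectiveTime</code> seconds.
 *
 * @param inResponseTo  the request id of the <code>AuthnRequest</code>; may be
 *                      <code>null</code> for IDP-initiated SSO, in which case no
 *                      <code>InResponseTo</code> is set
 * @param acsURL        the <code>ACS</code> service <code>url</code>
 * @param effectiveTime the effective time of the assertion, in seconds
 * @return the <code>SAML SubjectConfirmation</code> object
 * @throws SAML2Exception if the operation is not successful
 */
private static SubjectConfirmation getSubjectConfirmation(String inResponseTo, String acsURL, int effectiveTime) throws SAML2Exception {
    SubjectConfirmation sc = AssertionFactory.getInstance().createSubjectConfirmation();
    sc.setMethod(SAML2Constants.SUBJECT_CONFIRMATION_METHOD_BEARER);
    SubjectConfirmationData scd = AssertionFactory.getInstance().createSubjectConfirmationData();
    // The recipient URL is XML-escaped before it is placed into the assertion.
    scd.setRecipient(XMLUtils.escapeSpecialCharacters(acsURL));
    if (inResponseTo != null) {
        scd.setInResponseTo(inResponseTo);
    }
    // Scale in long arithmetic: effectiveTime * 1000 evaluated as int overflows for
    // any validity period above 2,147,483 seconds (~24.8 days) and would produce a
    // NotOnOrAfter in the past, i.e. an assertion that is already expired.
    long notOnOrAfterMillis = System.currentTimeMillis() + effectiveTime * 1000L;
    scd.setNotOnOrAfter(new Date(notOnOrAfterMillis));
    sc.setSubjectConfirmationData(scd);
    return sc;
}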

Example 3 with SubjectConfirmation

use of com.sun.identity.saml2.assertion.SubjectConfirmation in project OpenAM by OpenRock.

the class IDPSSOUtil method getSubject.

/**
     * Returns a <code>SAML Subject</code> object
     * <p>
     * Besides building the subject, this method changes persistent and cached state:
     * a stored account federation whose NameID format no longer matches the negotiated
     * format is removed together with its IDP federation session; a newly created
     * NameID that should be persisted is written as a new account federation; and for
     * transient NameIDs the value-to-user mapping is put into
     * <code>IDPCache.userIDByTransientNameIDValue</code>.
     *
     * @param session           the user's session
     * @param authnReq          the <code>AuthnRequest</code> object; <code>null</code> for IDP initiated SSO
     * @param acsURL            the <code>ACS</code> service <code>url</code>
     * @param nameIDFormat      the <code>NameIDFormat</code>
     * @param realm             The realm name
     * @param idpEntityID       the entity id of the identity provider
     * @param recipientEntityID the entity id of the response recipient
     * @param effectiveTime     the effective time of the assertion
     * @param affiliationID     affiliationID for IDP initiated SSO
     * @return the <code>SAML Subject</code> object
     * @throws SAML2Exception if the operation is not successful: invalid session,
     *                        unknown affiliation or requester not an affiliation member,
     *                        missing SP or IDP metadata, or no subject confirmation
     * @throws SAML2InvalidNameIDPolicyException if a persistent NameID is requested with
     *                        <code>AllowCreate</code> false and no federation exists yet
     */
private static Subject getSubject(Object session, AuthnRequest authnReq, String acsURL, String nameIDFormat, String realm, String idpEntityID, String recipientEntityID, int effectiveTime, String affiliationID) throws SAML2Exception {
    String classMethod = "IDPSSOUtil.getSubject: ";
    Subject subject = AssertionFactory.getInstance().createSubject();
    boolean ignoreProfile = false;
    String userName = null;
    // Resolve the principal up front; a session that cannot be read is rejected as an invalid token.
    try {
        userName = sessionProvider.getPrincipalName(session);
        ignoreProfile = SAML2Utils.isIgnoreProfileSet(session);
    } catch (SessionException se) {
        SAML2Utils.debug.error(classMethod + "There was a problem with the session.", se);
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
    }
    // allow create is the default
    boolean allowCreate = true;
    String remoteEntityID = null;
    String spNameQualifier = null;
    boolean isAffiliation = false;
    if (authnReq != null) {
        // SP initiated SSO: the requester is the issuer of the AuthnRequest.
        // NOTE(review): assumes the AuthnRequest carries an Issuer; a missing one would NPE here — confirm upstream validation.
        remoteEntityID = authnReq.getIssuer().getValue();
        NameIDPolicy nameIDPolicy = authnReq.getNameIDPolicy();
        if (nameIDPolicy != null) {
            // this will take care of affiliation
            allowCreate = nameIDPolicy.isAllowCreate();
            spNameQualifier = nameIDPolicy.getSPNameQualifier();
            if (spNameQualifier != null && !spNameQualifier.isEmpty()) {
                // An SPNameQualifier naming a known affiliation is only honoured when the
                // requesting SP is a listed member; otherwise the request is rejected.
                AffiliationDescriptorType affiDesc = metaManager.getAffiliationDescriptor(realm, spNameQualifier);
                if (affiDesc != null) {
                    if (affiDesc.getAffiliateMember().contains(remoteEntityID)) {
                        isAffiliation = true;
                        remoteEntityID = spNameQualifier;
                    } else {
                        throw new SAML2Exception(SAML2Utils.bundle.getString("spNotAffiliationMember"));
                    }
                }
            } else {
                spNameQualifier = recipientEntityID;
            }
        }
    } else {
        // IDP initiated SSO
        if (affiliationID != null) {
            // The affiliation must exist and the recipient must be one of its members.
            AffiliationDescriptorType affiDesc = metaManager.getAffiliationDescriptor(realm, affiliationID);
            if (affiDesc == null) {
                throw new SAML2Exception(SAML2Utils.bundle.getString("affiliationNotFound"));
            }
            if (affiDesc.getAffiliateMember().contains(recipientEntityID)) {
                isAffiliation = true;
                remoteEntityID = affiliationID;
                spNameQualifier = affiliationID;
            } else {
                throw new SAML2Exception(SAML2Utils.bundle.getString("spNotAffiliationMember"));
            }
        } else {
            remoteEntityID = recipientEntityID;
            spNameQualifier = recipientEntityID;
        }
    }
    // Both sides' metadata must be present before the NameID format can be settled.
    SPSSODescriptorElement spsso = getSPSSODescriptor(realm, recipientEntityID, classMethod);
    if (spsso == null) {
        String[] data = { recipientEntityID };
        LogUtil.error(Level.INFO, LogUtil.SP_METADATA_ERROR, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    IDPSSODescriptorElement idpsso = metaManager.getIDPSSODescriptor(realm, idpEntityID);
    if (idpsso == null) {
        String[] data = { idpEntityID };
        LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    // The format actually used is the one verified against SP and IDP metadata, not the raw input.
    nameIDFormat = SAML2Utils.verifyNameIDFormat(nameIDFormat, spsso, idpsso);
    boolean isTransient = SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(nameIDFormat);
    boolean isPersistent = SAML2Constants.PERSISTENT.equals(nameIDFormat);
    NameIDInfo nameIDInfo;
    NameID nameID = null;
    IDPAccountMapper idpAccountMapper = SAML2Utils.getIDPAccountMapper(realm, idpEntityID);
    //Use-cases for NameID persistence:
    //* persistent NameID -> The NameID MUST be stored
    //* transient NameID -> The NameID MUST NOT be stored
    //* ignored user profile mode -> The NameID CANNOT be stored
    //* for any other cases -> The NameID MAY be stored based on customizable logic
    boolean shouldPersistNameID = isPersistent || (!isTransient && !ignoreProfile && idpAccountMapper.shouldPersistNameIDFormat(realm, idpEntityID, remoteEntityID, nameIDFormat));
    if (!isTransient) {
        // Non-transient formats may reuse an existing federation for this user / remote entity pair.
        String userID;
        try {
            // NOTE(review): repeats the getPrincipalName call made above; userName already holds this value.
            userID = sessionProvider.getPrincipalName(session);
        } catch (SessionException se) {
            SAML2Utils.debug.error(classMethod + "Unable to get principal name from the session.", se);
            throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
        }
        if (isPersistent || shouldPersistNameID) {
            nameIDInfo = AccountUtils.getAccountFederation(userID, idpEntityID, remoteEntityID);
            if (nameIDInfo != null) {
                nameID = nameIDInfo.getNameID();
                // A stored federation in a different format is stale: drop it (and its
                // IDP federation session) so a fresh NameID is minted below.
                if (!nameIDFormat.equals(nameID.getFormat())) {
                    AccountUtils.removeAccountFederation(nameIDInfo, userID);
                    DoManageNameID.removeIDPFedSession(remoteEntityID, nameID.getValue());
                    nameID = null;
                }
            }
        }
    }
    if (nameID == null) {
        // A persistent NameID may only be created when the requester allowed it.
        if (!allowCreate && isPersistent) {
            throw new SAML2InvalidNameIDPolicyException(SAML2Utils.bundle.getString("cannotCreateNameID"));
        }
        nameID = idpAccountMapper.getNameID(session, idpEntityID, spNameQualifier, realm, nameIDFormat);
        SAML2Utils.debug.message(classMethod + " shouldPersistNameID = " + shouldPersistNameID);
        if (shouldPersistNameID && allowCreate) {
            // write federation info into the persistent datastore
            if (SAML2Utils.isDualRole(idpEntityID, realm)) {
                nameIDInfo = new NameIDInfo(idpEntityID, remoteEntityID, nameID, SAML2Constants.DUAL_ROLE, false);
            } else {
                nameIDInfo = new NameIDInfo(idpEntityID, remoteEntityID, nameID, SAML2Constants.IDP_ROLE, isAffiliation);
            }
            AccountUtils.setAccountFederation(nameIDInfo, userName);
        }
    }
    subject.setNameID(nameID);
    if (isTransient) {
        // Transient NameIDs are never stored, so the value -> user mapping lives only in the in-memory cache.
        IDPCache.userIDByTransientNameIDValue.put(nameID.getValue(), userName);
    }
    // InResponseTo is only set for SP initiated SSO (IDP initiated has no request id).
    String inResponseTo = null;
    if (authnReq != null) {
        inResponseTo = authnReq.getID();
    }
    SubjectConfirmation sc = getSubjectConfirmation(inResponseTo, acsURL, effectiveTime);
    if (sc == null) {
        SAML2Utils.debug.error(classMethod + "Unable to get subject confirmation");
        throw new SAML2Exception(SAML2Utils.bundle.getString("noSubjectConfirmation"));
    }
    List list = new ArrayList();
    list.add(sc);
    subject.setSubjectConfirmation(list);
    return subject;
}

Example 4 with SubjectConfirmation

use of com.sun.identity.saml2.assertion.SubjectConfirmation in project OpenAM by OpenRock.

the class SubjectImpl method makeImmutable.

/**
 * Makes the object immutable.
 * <p>
 * Each contained <code>SubjectConfirmation</code> is made immutable and the
 * list itself is replaced by an unmodifiable view; <code>baseId</code> and
 * <code>nameId</code> are made immutable when present. Calling this on an
 * already immutable subject is a no-op.
 */
public void makeImmutable() {
    if (!isMutable) {
        return;
    }
    if (subjectConfirmations != null) {
        for (Object entry : subjectConfirmations) {
            ((SubjectConfirmation) entry).makeImmutable();
        }
        // Freeze the list so no further confirmations can be added or removed.
        subjectConfirmations = Collections.unmodifiableList(subjectConfirmations);
    }
    if (baseId != null) {
        baseId.makeImmutable();
    }
    if (nameId != null) {
        nameId.makeImmutable();
    }
    isMutable = false;
}

Example 5 with SubjectConfirmation

use of com.sun.identity.saml2.assertion.SubjectConfirmation in project OpenAM by OpenRock.

the class SubjectImpl method processElement.

/**
 * Populates this subject from a DOM <code>Subject</code> element.
 * <p>
 * The first element child may be a <code>BaseID</code>, <code>NameID</code>,
 * <code>EncryptedID</code> or <code>SubjectConfirmation</code>; every element
 * child after it must be a <code>SubjectConfirmation</code>, so at most one
 * identifier is accepted. Non-element nodes (text, comments) are skipped, as are
 * element children without a local name.
 *
 * @param element the <code>Subject</code> DOM element
 * @throws SAML2Exception if the element is <code>null</code>, has no or a wrong
 *                        local name, has no element children, or contains an
 *                        unexpected subelement
 */
private void processElement(Element element) throws SAML2Exception {
    if (element == null) {
        SAML2SDKUtils.debug.error("SubjectImpl.processElement(): invalid root element");
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalid_element"));
    }
    String elemName = element.getLocalName();
    if (elemName == null) {
        SAML2SDKUtils.debug.error("SubjectImpl.processElement(): local name missing");
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("missing_local_name"));
    }
    if (!elemName.equals(SUBJECT_ELEMENT)) {
        SAML2SDKUtils.debug.error("SubjectImpl.processElement(): invalid local name " + elemName);
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalid_local_name"));
    }
    NodeList children = element.getChildNodes();
    int count = children.getLength();
    if (count < 1) {
        SAML2SDKUtils.debug.error("SubjectImpl.processElement(): subject has no subelements");
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("missing_subelements"));
    }
    // Skip leading non-element nodes (whitespace, comments) to reach the first real child.
    int pos = 0;
    Node first = children.item(pos);
    while (first.getNodeType() != Node.ELEMENT_NODE) {
        pos++;
        if (pos >= count) {
            SAML2SDKUtils.debug.error("SubjectImpl.processElement(): subject has no subelements");
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("missing_subelements"));
        }
        first = children.item(pos);
    }
    // The first element child is the only place an identifier may appear.
    String firstName = first.getLocalName();
    if (firstName != null) {
        if (firstName.equals(SUBJECT_CONFIRMATION_ELEMENT)) {
            subjectConfirmations.add(AssertionFactory.getInstance().createSubjectConfirmation((Element) first));
        } else if (firstName.equals(BASE_ID_ELEMENT)) {
            baseId = AssertionFactory.getInstance().createBaseID((Element) first);
        } else if (firstName.equals(NAME_ID_ELEMENT)) {
            nameId = AssertionFactory.getInstance().createNameID((Element) first);
        } else if (firstName.equals(ENCRYPTED_ID_ELEMENT)) {
            encryptedId = AssertionFactory.getInstance().createEncryptedID((Element) first);
        } else {
            SAML2SDKUtils.debug.error("SubjectImpl.processElement(): unexpected subelement " + firstName);
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("unexpected_subelement"));
        }
    }
    // Everything after the first element child must be a <SubjectConfirmation>.
    for (int i = pos + 1; i < count; i++) {
        Node next = children.item(i);
        if (next.getNodeType() != Node.ELEMENT_NODE) {
            continue;
        }
        String nextName = next.getLocalName();
        if (nextName == null) {
            continue;
        }
        if (!nextName.equals(SUBJECT_CONFIRMATION_ELEMENT)) {
            SAML2SDKUtils.debug.error("SubjectImpl.processElement(): unexpected subelement " + nextName);
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("unexpected_subelement"));
        }
        subjectConfirmations.add(AssertionFactory.getInstance().createSubjectConfirmation((Element) next));
    }
}
