Example 1 with SubjectConfirmation
use of com.sun.identity.saml2.assertion.SubjectConfirmation in project OpenAM by OpenRock.
the class DiscoveryBootstrap method convertSC.
private static com.sun.identity.saml.assertion.SubjectConfirmation convertSC(List subjectConfirmations) throws SAMLException {
if ((subjectConfirmations == null) || subjectConfirmations.isEmpty()) {
return null;
}
SubjectConfirmation subjectConfirmation = (SubjectConfirmation) subjectConfirmations.get(0);
com.sun.identity.saml.assertion.SubjectConfirmation samlSC = new com.sun.identity.saml.assertion.SubjectConfirmation(subjectConfirmation.getMethod());
SubjectConfirmationData scData = subjectConfirmation.getSubjectConfirmationData();
if (scData != null) {
List content = scData.getContent();
if ((content != null) && (!content.isEmpty())) {
samlSC.setSubjectConfirmationData((String) content.get(0));
}
}
return samlSC;
}
Also used :
SubjectConfirmation(com.sun.identity.saml2.assertion.SubjectConfirmation)
ArrayList(java.util.ArrayList)
List(java.util.List)
SubjectConfirmationData(com.sun.identity.saml2.assertion.SubjectConfirmationData)
Example 2 with SubjectConfirmation
use of com.sun.identity.saml2.assertion.SubjectConfirmation in project OpenAM by OpenRock.
the class IDPSSOUtil method getSubjectConfirmation.
/**
* Returns a <code>SAML SubjectConfirmation</code> object
*
* @param inResponseTo the request id of the <code>AuthnRequest</code>
* @param acsURL the <code>ACS</code> service <code>url</code>
* @param effectiveTime the effective time of the assertion
* @return the <code>SAML SubjectConfirmation</code> object
* @throws SAML2Exception if the operation is not successful
*/
private static SubjectConfirmation getSubjectConfirmation(String inResponseTo, String acsURL, int effectiveTime) throws SAML2Exception {
SubjectConfirmation sc = AssertionFactory.getInstance().createSubjectConfirmation();
sc.setMethod(SAML2Constants.SUBJECT_CONFIRMATION_METHOD_BEARER);
SubjectConfirmationData scd = AssertionFactory.getInstance().createSubjectConfirmationData();
scd.setRecipient(XMLUtils.escapeSpecialCharacters(acsURL));
if (inResponseTo != null) {
scd.setInResponseTo(inResponseTo);
}
Date date = new Date();
date.setTime(date.getTime() + effectiveTime * 1000);
scd.setNotOnOrAfter(date);
sc.setSubjectConfirmationData(scd);
return sc;
}
Also used :
SubjectConfirmation(com.sun.identity.saml2.assertion.SubjectConfirmation)
SubjectConfirmationData(com.sun.identity.saml2.assertion.SubjectConfirmationData)
Date(java.util.Date)
Example 3 with SubjectConfirmation
use of com.sun.identity.saml2.assertion.SubjectConfirmation in project OpenAM by OpenRock.
the class IDPSSOUtil method getSubject.
/**
* Returns a <code>SAML Subject</code> object
*
* @param session the user's session
* @param authnReq the <code>AuthnRequest</code> object
* @param acsURL the <code>ACS</code> service <code>url</code>
* @param nameIDFormat the <code>NameIDFormat</code>
* @param realm The realm name
* @param idpEntityID the entity id of the identity provider
* @param recipientEntityID the entity id of the response recipient
* @param effectiveTime the effective time of the assertion
* @param affiliationID affiliationID for IDP initiated SSO
* @return the <code>SAML Subject</code> object
* @throws SAML2Exception if the operation is not successful
*/
private static Subject getSubject(Object session, AuthnRequest authnReq, String acsURL, String nameIDFormat, String realm, String idpEntityID, String recipientEntityID, int effectiveTime, String affiliationID) throws SAML2Exception {
String classMethod = "IDPSSOUtil.getSubject: ";
Subject subject = AssertionFactory.getInstance().createSubject();
boolean ignoreProfile = false;
String userName = null;
try {
userName = sessionProvider.getPrincipalName(session);
ignoreProfile = SAML2Utils.isIgnoreProfileSet(session);
} catch (SessionException se) {
SAML2Utils.debug.error(classMethod + "There was a problem with the session.", se);
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
}
// allow create is the default
boolean allowCreate = true;
String remoteEntityID = null;
String spNameQualifier = null;
boolean isAffiliation = false;
if (authnReq != null) {
remoteEntityID = authnReq.getIssuer().getValue();
NameIDPolicy nameIDPolicy = authnReq.getNameIDPolicy();
if (nameIDPolicy != null) {
// this will take care of affiliation
allowCreate = nameIDPolicy.isAllowCreate();
spNameQualifier = nameIDPolicy.getSPNameQualifier();
if (spNameQualifier != null && !spNameQualifier.isEmpty()) {
AffiliationDescriptorType affiDesc = metaManager.getAffiliationDescriptor(realm, spNameQualifier);
if (affiDesc != null) {
if (affiDesc.getAffiliateMember().contains(remoteEntityID)) {
isAffiliation = true;
remoteEntityID = spNameQualifier;
} else {
throw new SAML2Exception(SAML2Utils.bundle.getString("spNotAffiliationMember"));
}
}
} else {
spNameQualifier = recipientEntityID;
}
}
} else {
// IDP initialted SSO
if (affiliationID != null) {
AffiliationDescriptorType affiDesc = metaManager.getAffiliationDescriptor(realm, affiliationID);
if (affiDesc == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("affiliationNotFound"));
}
if (affiDesc.getAffiliateMember().contains(recipientEntityID)) {
isAffiliation = true;
remoteEntityID = affiliationID;
spNameQualifier = affiliationID;
} else {
throw new SAML2Exception(SAML2Utils.bundle.getString("spNotAffiliationMember"));
}
} else {
remoteEntityID = recipientEntityID;
spNameQualifier = recipientEntityID;
}
}
SPSSODescriptorElement spsso = getSPSSODescriptor(realm, recipientEntityID, classMethod);
if (spsso == null) {
String[] data = { recipientEntityID };
LogUtil.error(Level.INFO, LogUtil.SP_METADATA_ERROR, data, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
IDPSSODescriptorElement idpsso = metaManager.getIDPSSODescriptor(realm, idpEntityID);
if (idpsso == null) {
String[] data = { idpEntityID };
LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
nameIDFormat = SAML2Utils.verifyNameIDFormat(nameIDFormat, spsso, idpsso);
boolean isTransient = SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(nameIDFormat);
boolean isPersistent = SAML2Constants.PERSISTENT.equals(nameIDFormat);
NameIDInfo nameIDInfo;
NameID nameID = null;
IDPAccountMapper idpAccountMapper = SAML2Utils.getIDPAccountMapper(realm, idpEntityID);
//Use-cases for NameID persistence:
//* persistent NameID -> The NameID MUST be stored
//* transient NameID -> The NameID MUST NOT be stored
//* ignored user profile mode -> The NameID CANNOT be stored
//* for any other cases -> The NameID MAY be stored based on customizable logic
boolean shouldPersistNameID = isPersistent || (!isTransient && !ignoreProfile && idpAccountMapper.shouldPersistNameIDFormat(realm, idpEntityID, remoteEntityID, nameIDFormat));
if (!isTransient) {
String userID;
try {
userID = sessionProvider.getPrincipalName(session);
} catch (SessionException se) {
SAML2Utils.debug.error(classMethod + "Unable to get principal name from the session.", se);
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
}
if (isPersistent || shouldPersistNameID) {
nameIDInfo = AccountUtils.getAccountFederation(userID, idpEntityID, remoteEntityID);
if (nameIDInfo != null) {
nameID = nameIDInfo.getNameID();
if (!nameIDFormat.equals(nameID.getFormat())) {
AccountUtils.removeAccountFederation(nameIDInfo, userID);
DoManageNameID.removeIDPFedSession(remoteEntityID, nameID.getValue());
nameID = null;
}
}
}
}
if (nameID == null) {
if (!allowCreate && isPersistent) {
throw new SAML2InvalidNameIDPolicyException(SAML2Utils.bundle.getString("cannotCreateNameID"));
}
nameID = idpAccountMapper.getNameID(session, idpEntityID, spNameQualifier, realm, nameIDFormat);
SAML2Utils.debug.message(classMethod + " shouldPersistNameID = " + shouldPersistNameID);
if (shouldPersistNameID && allowCreate) {
// write federation info into the persistent datastore
if (SAML2Utils.isDualRole(idpEntityID, realm)) {
nameIDInfo = new NameIDInfo(idpEntityID, remoteEntityID, nameID, SAML2Constants.DUAL_ROLE, false);
} else {
nameIDInfo = new NameIDInfo(idpEntityID, remoteEntityID, nameID, SAML2Constants.IDP_ROLE, isAffiliation);
}
AccountUtils.setAccountFederation(nameIDInfo, userName);
}
}
subject.setNameID(nameID);
if (isTransient) {
IDPCache.userIDByTransientNameIDValue.put(nameID.getValue(), userName);
}
String inResponseTo = null;
if (authnReq != null) {
inResponseTo = authnReq.getID();
}
SubjectConfirmation sc = getSubjectConfirmation(inResponseTo, acsURL, effectiveTime);
if (sc == null) {
SAML2Utils.debug.error(classMethod + "Unable to get subject confirmation");
throw new SAML2Exception(SAML2Utils.bundle.getString("noSubjectConfirmation"));
}
List list = new ArrayList();
list.add(sc);
subject.setSubjectConfirmation(list);
return subject;
}
Also used :
NameIDInfo(com.sun.identity.saml2.common.NameIDInfo)
IDPAccountMapper(com.sun.identity.saml2.plugins.IDPAccountMapper)
NameIDPolicy(com.sun.identity.saml2.protocol.NameIDPolicy)
NameID(com.sun.identity.saml2.assertion.NameID)
SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)
ArrayList(java.util.ArrayList)
SessionException(com.sun.identity.plugin.session.SessionException)
AffiliationDescriptorType(com.sun.identity.saml2.jaxb.metadata.AffiliationDescriptorType)
Subject(com.sun.identity.saml2.assertion.Subject)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
SubjectConfirmation(com.sun.identity.saml2.assertion.SubjectConfirmation)
List(java.util.List)
ArrayList(java.util.ArrayList)
SAML2InvalidNameIDPolicyException(com.sun.identity.saml2.common.SAML2InvalidNameIDPolicyException)
IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)
Example 4 with SubjectConfirmation
use of com.sun.identity.saml2.assertion.SubjectConfirmation in project OpenAM by OpenRock.
the class SubjectImpl method makeImmutable.
/**
* Makes the object immutable
*/
public void makeImmutable() {
if (isMutable) {
if (subjectConfirmations != null) {
int length = subjectConfirmations.size();
for (int i = 0; i < length; i++) {
SubjectConfirmation subjectConfirmation = (SubjectConfirmation) subjectConfirmations.get(i);
subjectConfirmation.makeImmutable();
}
subjectConfirmations = Collections.unmodifiableList(subjectConfirmations);
}
if (baseId != null) {
baseId.makeImmutable();
}
if (nameId != null) {
nameId.makeImmutable();
}
isMutable = false;
}
}
Also used :
SubjectConfirmation(com.sun.identity.saml2.assertion.SubjectConfirmation)
Example 5 with SubjectConfirmation
use of com.sun.identity.saml2.assertion.SubjectConfirmation in project OpenAM by OpenRock.
the class SubjectImpl method processElement.
private void processElement(Element element) throws SAML2Exception {
if (element == null) {
SAML2SDKUtils.debug.error("SubjectImpl.processElement(): invalid root element");
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalid_element"));
}
String elemName = element.getLocalName();
if (elemName == null) {
SAML2SDKUtils.debug.error("SubjectImpl.processElement(): local name missing");
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("missing_local_name"));
}
if (!elemName.equals(SUBJECT_ELEMENT)) {
SAML2SDKUtils.debug.error("SubjectImpl.processElement(): invalid local name " + elemName);
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalid_local_name"));
}
// starts processing subelements
NodeList nodes = element.getChildNodes();
int numOfNodes = nodes.getLength();
if (numOfNodes < 1) {
SAML2SDKUtils.debug.error("SubjectImpl.processElement(): subject has no subelements");
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("missing_subelements"));
}
int nextElem = 0;
Node child = (Node) nodes.item(nextElem);
while (child.getNodeType() != Node.ELEMENT_NODE) {
if (++nextElem >= numOfNodes) {
SAML2SDKUtils.debug.error("SubjectImpl.processElement():" + " subject has no subelements");
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("missing_subelements"));
}
child = (Node) nodes.item(nextElem);
}
String childName = child.getLocalName();
if (childName != null) {
if (childName.equals(SUBJECT_CONFIRMATION_ELEMENT)) {
subjectConfirmations.add(AssertionFactory.getInstance().createSubjectConfirmation((Element) child));
} else if (childName.equals(BASE_ID_ELEMENT)) {
baseId = AssertionFactory.getInstance().createBaseID((Element) child);
} else if (childName.equals(NAME_ID_ELEMENT)) {
nameId = AssertionFactory.getInstance().createNameID((Element) child);
} else if (childName.equals(ENCRYPTED_ID_ELEMENT)) {
encryptedId = AssertionFactory.getInstance().createEncryptedID((Element) child);
} else {
SAML2SDKUtils.debug.error("SubjectImpl.processElement(): " + "unexpected subelement " + childName);
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("unexpected_subelement"));
}
}
if (++nextElem >= numOfNodes) {
return;
}
// The next subelements are all <SubjectConfirmation>
while (nextElem < numOfNodes) {
child = (Node) nodes.item(nextElem);
if (child.getNodeType() == Node.ELEMENT_NODE) {
childName = child.getLocalName();
if (childName != null) {
if (childName.equals(SUBJECT_CONFIRMATION_ELEMENT)) {
subjectConfirmations.add(AssertionFactory.getInstance().createSubjectConfirmation((Element) child));
} else {
SAML2SDKUtils.debug.error("SubjectImpl." + "processElement(): unexpected subelement " + childName);
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("unexpected_subelement"));
}
}
}
nextElem++;
}
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
NodeList(org.w3c.dom.NodeList)
Node(org.w3c.dom.Node)
Element(org.w3c.dom.Element)
Aggregations
SubjectConfirmation (com.sun.identity.saml2.assertion.SubjectConfirmation)10
SubjectConfirmationData (com.sun.identity.saml2.assertion.SubjectConfirmationData)8
Date (java.util.Date)8
SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)7
ArrayList (java.util.ArrayList)6
Subject (com.sun.identity.saml2.assertion.Subject)5
List (java.util.List)3
TokenCreationException (org.forgerock.openam.sts.TokenCreationException)3
SAML2SubjectConfirmation (org.forgerock.openam.sts.token.SAML2SubjectConfirmation)3
AudienceRestriction (com.sun.identity.saml2.assertion.AudienceRestriction)2
Conditions (com.sun.identity.saml2.assertion.Conditions)2
KeyInfoFactory (org.forgerock.openam.sts.tokengeneration.saml2.xmlsig.KeyInfoFactory)2
Test (org.testng.annotations.Test)2
Element (org.w3c.dom.Element)2
SessionException (com.sun.identity.plugin.session.SessionException)1
Issuer (com.sun.identity.saml2.assertion.Issuer)1
NameID (com.sun.identity.saml2.assertion.NameID)1
NameIDInfo (com.sun.identity.saml2.common.NameIDInfo)1
SAML2InvalidNameIDPolicyException (com.sun.identity.saml2.common.SAML2InvalidNameIDPolicyException)1
AffiliationDescriptorType (com.sun.identity.saml2.jaxb.metadata.AffiliationDescriptorType)1
