Search in sources :

Example 6 with SAML2Exception

use of com.sun.identity.saml2.common.SAML2Exception in project OpenAM by OpenRock.

the class DefaultIDPAuthnContextMapper method getIDPAuthnContextInfo.

/** 
    * Returns an <code>IDPAuthnContextInfo</code> object.
    *
    * @param authnRequest the <code>AuthnRequest</code> from the 
    * Service Provider
    * @param idpEntityID the Entity ID of the Identity Provider    
    * @param realm the realm to which the Identity Provider belongs
    * 
    * @return an <code>IDPAuthnContextInfo</code> object
    * @throws SAML2Exception if an error occurs.
    */
public IDPAuthnContextInfo getIDPAuthnContextInfo(AuthnRequest authnRequest, String idpEntityID, String realm) throws SAML2Exception {
    String classMethod = "DefaultIDPAuthnContextMapper.getIDPAuthnContextInfo: ";
    // Get the ClassRef to AuthnType and Value Map
    Map classRefSchemesMap = null;
    if (IDPCache.classRefSchemesHash != null) {
        classRefSchemesMap = (Map) IDPCache.classRefSchemesHash.get(idpEntityID + "|" + realm);
    }
    // Get the ClassRef to AuthN Level Map
    Map classRefLevelMap = null;
    if (IDPCache.classRefLevelHash != null) {
        classRefLevelMap = (Map) IDPCache.classRefLevelHash.get(idpEntityID + "|" + realm);
    }
    // If one of the Maps above was empty populate them
    if (classRefSchemesMap == null || classRefSchemesMap.isEmpty() || classRefLevelMap == null || classRefLevelMap.isEmpty()) {
        updateAuthnContextMapping(realm, idpEntityID);
        classRefSchemesMap = (Map) IDPCache.classRefSchemesHash.get(idpEntityID + "|" + realm);
        if (classRefSchemesMap == null) {
            classRefSchemesMap = new LinkedHashMap();
        }
        classRefLevelMap = (Map) IDPCache.classRefLevelHash.get(idpEntityID + "|" + realm);
        if (classRefLevelMap == null) {
            classRefLevelMap = new LinkedHashMap();
        }
    }
    // Look now for the Authn Class Ref that fulfills the request
    String classRef = null;
    Set authTypeAndValues = null;
    Integer authnLevel = null;
    RequestedAuthnContext requestedAuthnContext = null;
    if (authnRequest != null) {
        requestedAuthnContext = authnRequest.getRequestedAuthnContext();
    }
    if (requestedAuthnContext != null) {
        List requestedClassRefs = requestedAuthnContext.getAuthnContextClassRef();
        String comparison = requestedAuthnContext.getComparison();
        for (Iterator iter1 = requestedClassRefs.iterator(); iter1.hasNext(); ) {
            List singleClassRef = new ArrayList();
            singleClassRef.add((String) iter1.next());
            for (Iterator iter = classRefSchemesMap.keySet().iterator(); iter.hasNext(); ) {
                String tmpClassRef = (String) iter.next();
                if (isAuthnContextMatching(singleClassRef, tmpClassRef, comparison, realm, idpEntityID)) {
                    authTypeAndValues = (Set) classRefSchemesMap.get(tmpClassRef);
                    classRef = tmpClassRef;
                    authnLevel = (Integer) classRefLevelMap.get(tmpClassRef);
                    break;
                }
            }
            if (classRef != null) {
                break;
            }
        }
        if (classRef == null) {
            return null;
        }
    } else {
        authTypeAndValues = (Set) classRefSchemesMap.get(DEFAULT);
        classRef = (String) IDPCache.defaultClassRefHash.get(idpEntityID + "|" + realm);
        authnLevel = (Integer) classRefLevelMap.get(classRef);
        if (classRef == null) {
            classRef = SAML2Constants.CLASSREF_PASSWORD_PROTECTED_TRANSPORT;
        }
    }
    AuthnContext authnContext = AssertionFactory.getInstance().createAuthnContext();
    authnContext.setAuthnContextClassRef(classRef);
    IDPAuthnContextInfo info = new IDPAuthnContextInfo(authnContext, authTypeAndValues, authnLevel);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(classMethod + "\nreturned AuthnContextClassRef=" + classRef + "\nauthTypeAndValues=" + authTypeAndValues + "\nauthnLevel=" + authnLevel);
    }
    return info;
}
Also used : RequestedAuthnContext(com.sun.identity.saml2.protocol.RequestedAuthnContext) Set(java.util.Set) HashSet(java.util.HashSet) Iterator(java.util.Iterator) ArrayList(java.util.ArrayList) ArrayList(java.util.ArrayList) List(java.util.List) HashMap(java.util.HashMap) LinkedHashMap(java.util.LinkedHashMap) Map(java.util.Map) LinkedHashMap(java.util.LinkedHashMap) AuthnContext(com.sun.identity.saml2.assertion.AuthnContext) RequestedAuthnContext(com.sun.identity.saml2.protocol.RequestedAuthnContext)

Example 7 with SAML2Exception

use of com.sun.identity.saml2.common.SAML2Exception in project OpenAM by OpenRock.

the class ECPRequestImpl method parseElement.

/* Parses the NameIDPolicy Element */
private void parseElement(Element element) throws SAML2Exception {
    if (element == null) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("ECPRequestImpl.parseElement:" + " Input is null.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
    }
    String localName = element.getLocalName();
    if (!REQUEST.equals(localName)) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("ECPRequestImpl.parseElement:" + " element local name should be " + REQUEST);
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidECPRequest"));
    }
    String namespaceURI = element.getNamespaceURI();
    if (!SAML2Constants.ECP_NAMESPACE.equals(namespaceURI)) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("ECPRequestImpl.parseElement:" + " element namespace should be " + SAML2Constants.ECP_NAMESPACE);
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidECPNamesapce"));
    }
    String str = XMLUtils.getNodeAttributeValueNS(element, SAML2Constants.SOAP_ENV_NAMESPACE, SAML2Constants.MUST_UNDERSTAND);
    mustUnderstand = SAML2SDKUtils.StringToBoolean(str);
    actor = XMLUtils.getNodeAttributeValueNS(element, SAML2Constants.SOAP_ENV_NAMESPACE, SAML2Constants.ACTOR);
    providerName = XMLUtils.getNodeAttributeValue(element, SAML2Constants.PROVIDER_NAME);
    str = XMLUtils.getNodeAttributeValue(element, SAML2Constants.ISPASSIVE);
    isPassive = SAML2SDKUtils.StringToBoolean(str);
    NodeList nList = element.getChildNodes();
    if ((nList != null) && (nList.getLength() > 0)) {
        for (int i = 0; i < nList.getLength(); i++) {
            Node childNode = nList.item(i);
            if (childNode.getNodeType() != Node.ELEMENT_NODE) {
                continue;
            }
            String cName = childNode.getLocalName();
            if (cName.equals(SAML2Constants.ISSUER)) {
                validateIssuer();
                issuer = AssertionFactory.getInstance().createIssuer((Element) childNode);
            } else if (cName.equals(SAML2Constants.IDPLIST)) {
                validateIDPList();
                idpList = ProtocolFactory.getInstance().createIDPList((Element) childNode);
            } else {
                if (SAML2SDKUtils.debug.messageEnabled()) {
                    SAML2SDKUtils.debug.message("ECPRequestImpl.parseElement: " + "ECP Request has invalid child element");
                }
                throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidElementECPReq"));
            }
        }
    }
    validateData();
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) NodeList(org.w3c.dom.NodeList) Node(org.w3c.dom.Node) Element(org.w3c.dom.Element)

Example 8 with SAML2Exception

use of com.sun.identity.saml2.common.SAML2Exception in project OpenAM by OpenRock.

the class DefaultFedletAdapter method doFedletSLO.

/**
     * Invokes after Fedlet receives SLO request from IDP. It does the work
     * of logout the user.
     * @param request servlet request
     * @param response servlet response
     * @param hostedEntityID entity ID for the fedlet
     * @param idpEntityID entity id for the IDP to which the request is
     *          received from.
     * @param siList List of SessionIndex whose session to be logged out
     * @param nameIDValue nameID value whose session to be logged out
     * @param binding Single Logout binding used,
     *      one of following values:
     *          <code>SAML2Constants.SOAP</code>,
     *          <code>SAML2Constants.HTTP_POST</code>,
     *          <code>SAML2Constants.HTTP_REDIRECT</code>
     * @return <code>true</code> if user is logged out successfully;
     *          <code>false</code> otherwise.
     * @exception SAML2Exception if user want to fail the process.
     */
public boolean doFedletSLO(HttpServletRequest request, HttpServletResponse response, LogoutRequest logoutReq, String hostedEntityID, String idpEntityID, List siList, String nameIDValue, String binding) throws SAML2Exception {
    boolean status = true;
    String method = "DefaultFedletAdapter:doFedletSLO:";
    try {
        if (logoutUrl == null) {
            BaseConfigType spConfig = SAML2Utils.getSAML2MetaManager().getSPSSOConfig("/", hostedEntityID);
            List appLogoutURL = (List) SAML2MetaUtils.getAttributes(spConfig).get(SAML2Constants.APP_LOGOUT_URL);
            if ((appLogoutURL != null) && !appLogoutURL.isEmpty()) {
                logoutUrl = (String) appLogoutURL.get(0);
            }
        }
        if (logoutUrl == null) {
            String deployuri = request.getRequestURI();
            int slashLoc = deployuri.indexOf("/", 1);
            if (slashLoc != -1) {
                deployuri = deployuri.substring(0, slashLoc);
            }
            if (deployuri != null) {
                String url = request.getRequestURL().toString();
                int loc = url.indexOf(deployuri + "/");
                if (loc != -1) {
                    logoutUrl = url.substring(0, loc + deployuri.length()) + "/logout";
                }
            }
        }
        if (logoutUrl == null) {
            return status;
        }
        URL url = new URL(logoutUrl);
        HttpURLConnection conn = HttpURLConnectionManager.getConnection(url);
        conn.setDoOutput(true);
        conn.setRequestMethod("POST");
        conn.setFollowRedirects(false);
        conn.setInstanceFollowRedirects(false);
        // replay cookies
        String strCookies = SAML2Utils.getCookiesString(request);
        if (strCookies != null) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(method + "Sending cookies : " + strCookies);
            }
            conn.setRequestProperty("Cookie", strCookies);
        }
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.setRequestProperty("IDP", URLEncDec.encode(idpEntityID));
        conn.setRequestProperty("SP", URLEncDec.encode(hostedEntityID));
        conn.setRequestProperty("NameIDValue", URLEncDec.encode(nameIDValue));
        if (siList != null && !siList.isEmpty()) {
            Iterator iter = siList.iterator();
            StringBuffer siValue = new StringBuffer();
            siValue.append((String) iter.next());
            while (iter.hasNext()) {
                siValue.append(",").append((String) iter.next());
            }
            conn.setRequestProperty("SessionIndex", URLEncDec.encode(siValue.toString()));
        }
        conn.setRequestProperty("Binding", binding);
        OutputStream outputStream = conn.getOutputStream();
        // Write the request to the HTTP server.
        outputStream.write("".getBytes());
        outputStream.flush();
        outputStream.close();
        // Check response code
        if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(method + "Response code OK");
            }
            status = true;
        } else {
            SAML2Utils.debug.error(method + "Response code NOT OK: " + conn.getResponseCode());
            status = false;
        }
    } catch (Exception e) {
        status = false;
    }
    return status;
}
Also used : BaseConfigType(com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType) HttpURLConnection(java.net.HttpURLConnection) OutputStream(java.io.OutputStream) Iterator(java.util.Iterator) List(java.util.List) URL(java.net.URL) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)

Example 9 with SAML2Exception

use of com.sun.identity.saml2.common.SAML2Exception in project OpenAM by OpenRock.

the class UtilProxySAMLAuthenticator method getAuthnRequest.

/**
     * Returns the <code>AuthnRequest</code> from saml request string
     */
private static AuthnRequest getAuthnRequest(String compressedReq) {
    AuthnRequest authnReq = null;
    String outputString = SAML2Utils.decodeFromRedirect(compressedReq);
    if (outputString != null) {
        try {
            authnReq = ProtocolFactory.getInstance().createAuthnRequest(outputString);
        } catch (SAML2Exception se) {
            SAML2Utils.debug.error("IDPSSOFederate.getAuthnRequest(): cannot construct a AuthnRequest object from " + "the SAMLRequest value:", se);
        }
    }
    return authnReq;
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) AuthnRequest(com.sun.identity.saml2.protocol.AuthnRequest)

Example 10 with SAML2Exception

use of com.sun.identity.saml2.common.SAML2Exception in project OpenAM by OpenRock.

the class UtilProxySAMLAuthenticator method authenticate.

@Override
public void authenticate() throws FederatedSSOException, IOException {
    final String classMethod = "UtilProxySAMLAuthenticator.authenticate: ";
    SPSSODescriptorElement spSSODescriptor = null;
    String preferredIDP;
    // There is no reqID, this is the first time that we pass here.
    String binding = SAML2Constants.HTTP_REDIRECT;
    if (request.getMethod().equals("POST")) {
        binding = SAML2Constants.HTTP_POST;
    }
    data.setAuthnRequest(getAuthnRequest(request, isFromECP, binding));
    if (data.getAuthnRequest() == null) {
        throw new ClientFaultException(data.getIdpAdapter(), INVALID_SAML_REQUEST);
    }
    data.getEventAuditor().setRequestId(data.getRequestID());
    data.setSpEntityID(data.getAuthnRequest().getIssuer().getValue());
    try {
        logAccess(isFromECP ? LogUtil.RECEIVED_AUTHN_REQUEST_ECP : LogUtil.RECEIVED_AUTHN_REQUEST, Level.INFO, data.getSpEntityID(), data.getIdpMetaAlias(), data.getAuthnRequest().toXMLString());
    } catch (SAML2Exception saml2ex) {
        SAML2Utils.debug.error(classMethod, saml2ex);
        throw new ClientFaultException(data.getIdpAdapter(), INVALID_SAML_REQUEST, saml2ex.getMessage());
    }
    if (!SAML2Utils.isSourceSiteValid(data.getAuthnRequest().getIssuer(), data.getRealm(), data.getIdpEntityID())) {
        SAML2Utils.debug.warning("{} Issuer in Request is not valid.", classMethod);
        throw new ClientFaultException(data.getIdpAdapter(), INVALID_SAML_REQUEST);
    }
    // verify the signature of the query string if applicable
    IDPSSODescriptorElement idpSSODescriptor;
    try {
        idpSSODescriptor = IDPSSOUtil.metaManager.getIDPSSODescriptor(data.getRealm(), data.getIdpEntityID());
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error(classMethod + "Unable to get IDP SSO Descriptor from meta.");
        throw new ServerFaultException(data.getIdpAdapter(), METADATA_ERROR);
    }
    try {
        spSSODescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(data.getRealm(), data.getSpEntityID());
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error(classMethod + "Unable to get SP SSO Descriptor from meta.");
        SAML2Utils.debug.error(classMethod, sme);
    }
    if (isFromECP || idpSSODescriptor.isWantAuthnRequestsSigned() || (spSSODescriptor != null && spSSODescriptor.isAuthnRequestsSigned())) {
        // need to verify the query string containing authnRequest
        if (StringUtils.isBlank(data.getSpEntityID())) {
            throw new ClientFaultException(data.getIdpAdapter(), INVALID_SAML_REQUEST);
        }
        if (spSSODescriptor == null) {
            SAML2Utils.debug.error(classMethod + "Unable to get SP SSO Descriptor from meta.");
            throw new ServerFaultException(data.getIdpAdapter(), METADATA_ERROR);
        }
        Set<X509Certificate> certificates = KeyUtil.getVerificationCerts(spSSODescriptor, data.getSpEntityID(), SAML2Constants.SP_ROLE);
        try {
            boolean isSignatureOK;
            if (isFromECP) {
                isSignatureOK = data.getAuthnRequest().isSignatureValid(certificates);
            } else {
                if ("POST".equals(request.getMethod())) {
                    isSignatureOK = data.getAuthnRequest().isSignatureValid(certificates);
                } else {
                    isSignatureOK = QuerySignatureUtil.verify(request.getQueryString(), certificates);
                }
            }
            if (!isSignatureOK) {
                SAML2Utils.debug.error(classMethod + "authn request verification failed.");
                throw new ClientFaultException(data.getIdpAdapter(), "invalidSignInRequest");
            }
            // In ECP profile, sp doesn't know idp.
            if (!isFromECP) {
                // verify Destination
                List ssoServiceList = idpSSODescriptor.getSingleSignOnService();
                String ssoURL = SPSSOFederate.getSSOURL(ssoServiceList, binding);
                if (!SAML2Utils.verifyDestination(data.getAuthnRequest().getDestination(), ssoURL)) {
                    SAML2Utils.debug.error(classMethod + "authn request destination verification failed.");
                    throw new ClientFaultException(data.getIdpAdapter(), "invalidDestination");
                }
            }
        } catch (SAML2Exception se) {
            SAML2Utils.debug.error(classMethod + "authn request verification failed.", se);
            throw new ClientFaultException(data.getIdpAdapter(), "invalidSignInRequest");
        }
        SAML2Utils.debug.message("{} authn request signature verification is successful.", classMethod);
    }
    SAML2Utils.debug.message("{} request id= {}", classMethod, data.getRequestID());
    if (data.getRequestID() == null) {
        SAML2Utils.debug.error(classMethod + "Request id is null");
        throw new ClientFaultException(data.getIdpAdapter(), "InvalidSAMLRequestID");
    }
    if (isFromECP) {
        try {
            IDPECPSessionMapper idpECPSessonMapper = IDPSSOUtil.getIDPECPSessionMapper(data.getRealm(), data.getIdpEntityID());
            data.setSession(idpECPSessonMapper.getSession(request, response));
        } catch (SAML2Exception se) {
            SAML2Utils.debug.message("Unable to retrieve user session.", classMethod);
        }
    } else {
        // get the user sso session from the request
        try {
            data.setSession(SessionManager.getProvider().getSession(request));
        } catch (SessionException se) {
            SAML2Utils.debug.message("{} Unable to retrieve user session.", classMethod);
        }
    }
    if (null != data.getSession()) {
        data.getEventAuditor().setAuthTokenId(data.getSession());
    }
    // will not trigger this adapter call
    if (preSingleSignOn(request, response, data)) {
        return;
    }
    // End of adapter invocation
    IDPAuthnContextMapper idpAuthnContextMapper = null;
    try {
        idpAuthnContextMapper = IDPSSOUtil.getIDPAuthnContextMapper(data.getRealm(), data.getIdpEntityID());
    } catch (SAML2Exception sme) {
        SAML2Utils.debug.error(classMethod, sme);
    }
    if (idpAuthnContextMapper == null) {
        SAML2Utils.debug.error(classMethod + "Unable to get IDPAuthnContextMapper from meta.");
        throw new ServerFaultException(data.getIdpAdapter(), METADATA_ERROR);
    }
    IDPAuthnContextInfo idpAuthnContextInfo = null;
    try {
        idpAuthnContextInfo = idpAuthnContextMapper.getIDPAuthnContextInfo(data.getAuthnRequest(), data.getIdpEntityID(), data.getRealm());
    } catch (SAML2Exception sme) {
        SAML2Utils.debug.error(classMethod, sme);
    }
    if (idpAuthnContextInfo == null) {
        SAML2Utils.debug.message("{} Unable to find valid AuthnContext. Sending error Response.", classMethod);
        try {
            Response res = SAML2Utils.getErrorResponse(data.getAuthnRequest(), SAML2Constants.REQUESTER, SAML2Constants.NO_AUTHN_CONTEXT, null, data.getIdpEntityID());
            StringBuffer returnedBinding = new StringBuffer();
            String acsURL = IDPSSOUtil.getACSurl(data.getSpEntityID(), data.getRealm(), data.getAuthnRequest(), request, returnedBinding);
            String acsBinding = returnedBinding.toString();
            IDPSSOUtil.sendResponse(request, response, out, acsBinding, data.getSpEntityID(), data.getIdpEntityID(), data.getIdpMetaAlias(), data.getRealm(), data.getRelayState(), acsURL, res, data.getSession());
        } catch (SAML2Exception sme) {
            SAML2Utils.debug.error(classMethod, sme);
            throw new ServerFaultException(data.getIdpAdapter(), METADATA_ERROR);
        }
        return;
    }
    // get the relay state query parameter from the request
    data.setRelayState(request.getParameter(SAML2Constants.RELAY_STATE));
    data.setMatchingAuthnContext(idpAuthnContextInfo.getAuthnContext());
    if (data.getSession() == null) {
        // the user has not logged in yet, redirect to auth
        redirectToAuth(spSSODescriptor, binding, idpAuthnContextInfo, data);
    } else {
        SAML2Utils.debug.message("{} There is an existing session", classMethod);
        // Let's verify that the realm is the same for the user and the IdP
        boolean isValidSessionInRealm = IDPSSOUtil.isValidSessionInRealm(data.getRealm(), data.getSession());
        String sessionIndex = IDPSSOUtil.getSessionIndex(data.getSession());
        boolean sessionUpgrade = false;
        if (isValidSessionInRealm) {
            sessionUpgrade = isSessionUpgrade(idpAuthnContextInfo, data.getSession());
            SAML2Utils.debug.message("{} IDP Session Upgrade is : {}", classMethod, sessionUpgrade);
        }
        // Holder for any exception encountered while redirecting for authentication:
        FederatedSSOException redirectException = null;
        if (sessionUpgrade || !isValidSessionInRealm || ((Boolean.TRUE.equals(data.getAuthnRequest().isForceAuthn())) && (!Boolean.TRUE.equals(data.getAuthnRequest().isPassive())))) {
            // sessionIndex
            if (sessionIndex != null && sessionIndex.length() != 0) {
                // Save the original IDP Session
                IDPSession oldIDPSession = IDPCache.idpSessionsByIndices.get(sessionIndex);
                if (oldIDPSession != null) {
                    IDPCache.oldIDPSessionCache.put(data.getRequestID(), oldIDPSession);
                } else {
                    SAML2Utils.debug.error(classMethod + "The old SAML2 session  was not found in the idp session " + "by indices cache");
                }
            }
            // Save the new requestId and AuthnRequest
            IDPCache.authnRequestCache.put(data.getRequestID(), new CacheObject(data.getAuthnRequest()));
            // Save the new requestId and AuthnContext
            IDPCache.idpAuthnContextCache.put(data.getRequestID(), new CacheObject(data.getMatchingAuthnContext()));
            // save if the request was an Session Upgrade case.
            IDPCache.isSessionUpgradeCache.add(data.getRequestID());
            // authenticates
            if (StringUtils.isNotBlank(data.getRelayState())) {
                IDPCache.relayStateCache.put(data.getRequestID(), data.getRelayState());
            }
            // Session upgrade could be requested by asking a greater AuthnContext
            if (isValidSessionInRealm) {
                try {
                    boolean isProxy = IDPProxyUtil.isIDPProxyEnabled(data.getAuthnRequest(), data.getRealm());
                    if (isProxy) {
                        preferredIDP = IDPProxyUtil.getPreferredIDP(data.getAuthnRequest(), data.getIdpEntityID(), data.getRealm(), request, response);
                        if (preferredIDP != null) {
                            if ((SPCache.reqParamHash != null) && (!(SPCache.reqParamHash.containsKey(preferredIDP)))) {
                                // IDP Proxy with configured proxy list
                                SAML2Utils.debug.message("{} IDP to be proxied {}", classMethod, preferredIDP);
                                IDPProxyUtil.sendProxyAuthnRequest(data.getAuthnRequest(), preferredIDP, spSSODescriptor, data.getIdpEntityID(), request, response, data.getRealm(), data.getRelayState(), binding);
                                return;
                            } else {
                                // IDP proxy with introduction cookie
                                Map paramsMap = (Map) SPCache.reqParamHash.get(preferredIDP);
                                paramsMap.put("authnReq", data.getAuthnRequest());
                                paramsMap.put("spSSODescriptor", spSSODescriptor);
                                paramsMap.put("idpEntityID", data.getIdpEntityID());
                                paramsMap.put("realm", data.getRealm());
                                paramsMap.put("relayState", data.getRelayState());
                                paramsMap.put("binding", binding);
                                SPCache.reqParamHash.put(preferredIDP, paramsMap);
                                return;
                            }
                        }
                    }
                //else continue for the local authentication.
                } catch (SAML2Exception re) {
                    SAML2Utils.debug.message("{} Redirecting for the proxy handling error: {}", classMethod, re.getMessage());
                    redirectException = new ServerFaultException(data.getIdpAdapter(), "UnableToRedirectToPreferredIDP", re.getMessage());
                }
            // End of IDP Proxy: Initiate proxying when session upgrade is requested
            }
            // Invoke the IDP Adapter before redirecting to authn
            if (preAuthenticationAdapter(request, response, data)) {
                return;
            }
            //we don't have a session
            try {
                //and they want to authenticate
                if (!Boolean.TRUE.equals(data.getAuthnRequest().isPassive())) {
                    redirectAuthentication(request, response, idpAuthnContextInfo, data, true);
                    return;
                } else {
                    try {
                        //and they want to get into the system with passive auth - response no passive
                        IDPSSOUtil.sendNoPassiveResponse(request, response, out, data.getIdpMetaAlias(), data.getIdpEntityID(), data.getRealm(), data.getAuthnRequest(), data.getRelayState(), data.getSpEntityID());
                    } catch (SAML2Exception sme) {
                        SAML2Utils.debug.error(classMethod, sme);
                        redirectException = new ServerFaultException(data.getIdpAdapter(), METADATA_ERROR);
                    }
                }
            } catch (IOException | SAML2Exception e) {
                SAML2Utils.debug.error(classMethod + "Unable to redirect to authentication.", e);
                sessionUpgrade = false;
                cleanUpCache(data.getRequestID());
                redirectException = new ServerFaultException(data.getIdpAdapter(), "UnableToRedirectToAuth", e.getMessage());
            }
        }
        // generate assertion response
        if (!sessionUpgrade && isValidSessionInRealm) {
            generateAssertionResponse(data);
        }
        if (redirectException != null) {
            throw redirectException;
        }
    }
}
Also used : IDPAuthnContextInfo(com.sun.identity.saml2.plugins.IDPAuthnContextInfo) IDPAuthnContextMapper(com.sun.identity.saml2.plugins.IDPAuthnContextMapper) IDPSession(com.sun.identity.saml2.profile.IDPSession) ServerFaultException(com.sun.identity.saml2.profile.ServerFaultException) SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) SessionException(com.sun.identity.plugin.session.SessionException) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) IDPECPSessionMapper(com.sun.identity.saml2.plugins.IDPECPSessionMapper) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) Response(com.sun.identity.saml2.protocol.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) ClientFaultException(com.sun.identity.saml2.profile.ClientFaultException) List(java.util.List) CacheObject(com.sun.identity.saml2.profile.CacheObject) FederatedSSOException(com.sun.identity.saml2.profile.FederatedSSOException) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) Map(java.util.Map) IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)

Aggregations

SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)275 ArrayList (java.util.ArrayList)92 List (java.util.List)86 SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)72 Element (org.w3c.dom.Element)64 SessionException (com.sun.identity.plugin.session.SessionException)56 IOException (java.io.IOException)51 SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)44 Map (java.util.Map)44 HashMap (java.util.HashMap)43 Iterator (java.util.Iterator)43 Issuer (com.sun.identity.saml2.assertion.Issuer)42 Date (java.util.Date)40 SOAPException (javax.xml.soap.SOAPException)39 SAML2TokenRepositoryException (org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)39 X509Certificate (java.security.cert.X509Certificate)36 NodeList (org.w3c.dom.NodeList)36 IDPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)35 Node (org.w3c.dom.Node)34 Response (com.sun.identity.saml2.protocol.Response)30