
Example 26 with SAML2Exception

use of com.sun.identity.saml2.common.SAML2Exception in project OpenAM by OpenRock.

the class SPSessionListener method sessionInvalidated.

/**
     *  Callback for SessionListener.
     *  It is used for cleaning up the SP session cache.
     *  
     *  @param session The session object
     */
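public void sessionInvalidated(Object session) {
    String classMethod = "SPSessionListener.sessionInvalidated: ";
    HashMap paramsMap = new HashMap();
    NameIDInfoKey nameIdInfoKey = null;
    // Without a session, a NameID info key and a tracked session ID there is nothing to clean up.
    if (session == null || infoKeyString == null || sessionID == null) {
        return;
    }
    SessionProvider sessionProvider = null;
    SPFedSession fedSession = null;
    try {
        sessionProvider = SessionManager.getProvider();
    } catch (SessionException se) {
        // NOTE(review): this path returns without logging and without touching the cache,
        // so the federated session entry stays in SPCache; confirm that is intended.
        return;
    }
    // Only react to the invalidation of the session this listener was registered for.
    if (!sessionID.equals(sessionProvider.getSessionID(session))) {
        return;
    }
    List fedSessionList = (List) SPCache.fedSessionListsByNameIDInfoKey.get(infoKeyString);
    if (fedSessionList == null) {
        return;
    }
    // The removal pass below mutates this list while holding its monitor, so take the
    // snapshot under the same monitor instead of iterating the live list unlocked.
    // The lock is released before any single-logout call is made.
    Object[] snapshot;
    synchronized (fedSessionList) {
        snapshot = fedSessionList.toArray();
    }
    try {
        for (int i = 0; i < snapshot.length; i++) {
            fedSession = (SPFedSession) snapshot[i];
            // sessionID is known to be non-null here; comparing in this direction
            // tolerates an entry whose spTokenID is null.
            if (sessionID.equals(fedSession.spTokenID)) {
                paramsMap.put(SAML2Constants.ROLE, SAML2Constants.SP_ROLE);
                String metaAlias = fedSession.metaAlias;
                nameIdInfoKey = NameIDInfoKey.parse(infoKeyString);
                String spEntityID = sm.getEntityByMetaAlias(metaAlias);
                String realm = SAML2Utils.getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
                BaseConfigType spConfig = sm.getSPSSOConfig(realm, spEntityID);
                if (spConfig != null) {
                    List spSessionSyncList = (List) SAML2MetaUtils.getAttributes(spConfig).get(SAML2Constants.SP_SESSION_SYNC_ENABLED);
                    if (spEntityID != null && spSessionSyncList != null && (spSessionSyncList.size() != 0)) {
                        boolean spSessionSyncEnabled = ((String) spSessionSyncList.get(0)).equals(SAML2Constants.TRUE);
                        // Propagate the local logout to the IDP only when the SP is configured for session sync.
                        if (spSessionSyncEnabled) {
                            if (SAML2Utils.debug.messageEnabled()) {
                                SAML2Utils.debug.message(classMethod + "SP Session Synchronization flag " + "is enabled, initiating SLO to IDP");
                            }
                            initiateSPSingleLogout(metaAlias, realm, SAML2Constants.SOAP, nameIdInfoKey, fedSession, paramsMap);
                        }
                    }
                } else {
                    if (SAML2Utils.debug.messageEnabled()) {
                        SAML2Utils.debug.message(classMethod + "Unable to retrieve the SP config" + " data, spConfig is null");
                    }
                }
            }
        }
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error("SPSessionListener.sessionInvalidated:", sme);
    } catch (SAML2Exception se) {
        SAML2Utils.debug.error("SPSessionListener.sessionInvalidated:", se);
    } catch (SessionException s) {
        // The prefix previously named IDPSessionListener, which pointed log readers at the wrong class.
        SAML2Utils.debug.error("SPSessionListener.sessionInvalidated:", s);
    }
    // Local cleanup runs even when the single-logout attempt above failed with one of the
    // caught exceptions, so the invalidated session does not stay in the SP cache.
    synchronized (fedSessionList) {
        Iterator iter = fedSessionList.iterator();
        while (iter.hasNext()) {
            fedSession = (SPFedSession) iter.next();
            if (sessionID.equals(fedSession.spTokenID)) {
                iter.remove();
                if ((agent != null) && agent.isRunning() && (saml2Svc != null)) {
                    saml2Svc.setFedSessionCount((long) SPCache.fedSessionListsByNameIDInfoKey.size());
                }
            }
        }
        if (fedSessionList.isEmpty()) {
            SPCache.fedSessionListsByNameIDInfoKey.remove(infoKeyString);
        }
    }
}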
Also used : BaseConfigType(com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) HashMap(java.util.HashMap) Iterator(java.util.Iterator) SessionException(com.sun.identity.plugin.session.SessionException) List(java.util.List) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) NameIDInfoKey(com.sun.identity.saml2.common.NameIDInfoKey) SessionProvider(com.sun.identity.plugin.session.SessionProvider)

Example 27 with SAML2Exception

use of com.sun.identity.saml2.common.SAML2Exception in project OpenAM by OpenRock.

the class SPSSOFederate method createIssuer.

/* Create Issuer */
private static Issuer createIssuer(String spEntityID) throws SAML2Exception {
    // Build an empty Issuer through the assertion factory and set the SP entity ID as its value.
    final Issuer spIssuer = AssertionFactory.getInstance().createIssuer();
    spIssuer.setValue(spEntityID);
    return spIssuer;
}
Also used : Issuer(com.sun.identity.saml2.assertion.Issuer)

Example 28 with SAML2Exception

use of com.sun.identity.saml2.common.SAML2Exception in project OpenAM by OpenRock.

the class SPSSOFederate method createReqAuthnContext.

/* Creates RequestedAuthnContext Object */
private static RequestedAuthnContext createReqAuthnContext(String realmName, String spEntityID, Map paramsMap, Map spConfigMap) {
    // Resolve the configured mapper class name, if the SP config carries one.
    String mapperClassName = null;
    if (spConfigMap != null && !spConfigMap.isEmpty()) {
        List configured = (List) spConfigMap.get(SAML2Constants.SP_AUTHCONTEXT_MAPPER);
        if (configured != null && !configured.isEmpty()) {
            mapperClassName = ((String) configured.get(0)).trim();
        }
    }
    SPAuthnContextMapper mapper = SAML2Utils.getSPAuthnContextMapper(realmName, spEntityID, mapperClassName);
    try {
        return mapper.getRequestedAuthnContext(realmName, spEntityID, paramsMap);
    } catch (SAML2Exception e) {
        // NOTE(review): a mapper failure is reported only at message (debug) level and the
        // method returns null, so the caller receives no RequestedAuthnContext. Confirm the
        // caller does not then send an AuthnRequest that omits the intended authentication
        // context requirement.
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("SPSSOFederate:Error creating " + "RequestedAuthnContext", e);
        }
        return null;
    }
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) RequestedAuthnContext(com.sun.identity.saml2.protocol.RequestedAuthnContext) List(java.util.List) IDPList(com.sun.identity.saml2.protocol.IDPList) ArrayList(java.util.ArrayList) SPAuthnContextMapper(com.sun.identity.saml2.plugins.SPAuthnContextMapper)

Example 29 with SAML2Exception

use of com.sun.identity.saml2.common.SAML2Exception in project OpenAM by OpenRock.

the class SPSSOFederate method createNameIDPolicy.

/* Create NameIDPolicy Element */
private static NameIDPolicy createNameIDPolicy(String spEntityID, String format, boolean allowCreate, SPSSODescriptorElement spsso, IDPSSODescriptorElement idpsso, String realm, Map paramsMap) throws SAML2Exception {
    // The requested format is passed through verifyNameIDFormat with both descriptors
    // before it is placed on the policy.
    final String verifiedFormat = SAML2Utils.verifyNameIDFormat(format, spsso, idpsso);
    final NameIDPolicy policy = ProtocolFactory.getInstance().createNameIDPolicy();
    final String affiliationID = getParameter(paramsMap, SAML2Constants.AFFILIATION_ID);

    // Default qualifier is the SP itself; an affiliation ID replaces it only after the
    // affiliation is found in metadata and lists this SP as a member.
    String spNameQualifier = spEntityID;
    if (affiliationID != null) {
        AffiliationDescriptorType descriptor = sm.getAffiliationDescriptor(realm, affiliationID);
        if (descriptor == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("affiliationNotFound"));
        }
        boolean isMember = descriptor.getAffiliateMember().contains(spEntityID);
        if (!isMember) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("spNotAffiliationMember"));
        }
        spNameQualifier = affiliationID;
    }

    policy.setSPNameQualifier(spNameQualifier);
    policy.setAllowCreate(allowCreate);
    policy.setFormat(verifiedFormat);
    return policy;
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) NameIDPolicy(com.sun.identity.saml2.protocol.NameIDPolicy) AffiliationDescriptorType(com.sun.identity.saml2.jaxb.metadata.AffiliationDescriptorType)

Example 30 with SAML2Exception

use of com.sun.identity.saml2.common.SAML2Exception in project OpenAM by OpenRock.

the class SPSSOFederate method initiateECPRequest.

/**
     * Parses the request parameters and builds the ECP Request to send to the IDP.
     *
     * @param request the HttpServletRequest.
     * @param response the HttpServletResponse.
     *
     * @throws SAML2Exception if error creating AuthnRequest.
     * @throws IOException if error sending AuthnRequest to ECP.
     */
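public static void initiateECPRequest(HttpServletRequest request, HttpServletResponse response) throws SAML2Exception, IOException {
    // Reject anything that is not an ECP request before reading any parameter.
    if (!isFromECP(request)) {
        SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest: " + "invalid HTTP request from ECP.");
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST, "invalidHttpRequestFromECP", SAML2Utils.bundle.getString("invalidHttpRequestFromECP"));
        return;
    }
    // The metadata manager is dereferenced immediately below, so check it first;
    // previously this check sat after the first use and could never fire.
    if (sm == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("errorMetaManager"));
    }
    // metaAlias is taken directly from the request.
    // NOTE(review): no null or format check is visible here; confirm the metadata lookups
    // below handle a missing or unknown alias.
    String metaAlias = request.getParameter("metaAlias");
    Map paramsMap = SAML2Utils.getParamsMap(request);
    // get the sp entity ID from the metaAlias
    String spEntityID = sm.getEntityByMetaAlias(metaAlias);
    String realm = getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("SPSSOFederate.initiateECPRequest: " + "spEntityID is " + spEntityID + ", realm is " + realm);
    }
    try {
        // Retrieve MetaData
        SPSSOConfigElement spEntityCfg = sm.getSPSSOConfig(realm, spEntityID);
        Map spConfigAttrsMap = null;
        if (spEntityCfg != null) {
            spConfigAttrsMap = SAML2MetaUtils.getAttributes(spEntityCfg);
        }
        // get SPSSODescriptor
        SPSSODescriptorElement spsso = sm.getSPSSODescriptor(realm, spEntityID);
        if (spsso == null) {
            String[] data = { spEntityID };
            LogUtil.error(Level.INFO, LogUtil.SP_METADATA_ERROR, data, null);
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }
        String[] data = { spEntityID, realm };
        LogUtil.access(Level.INFO, LogUtil.RECEIVED_HTTP_REQUEST_ECP, data, null);
        List extensionsList = getExtensionsList(spEntityID, realm);
        // create AuthnRequest
        AuthnRequest authnRequest = createAuthnRequest(realm, spEntityID, paramsMap, spConfigAttrsMap, extensionsList, spsso, null, null, true);
        // invoke SP Adapter class if registered
        SAML2ServiceProviderAdapter spAdapter = SAML2Utils.getSPAdapterClass(spEntityID, realm);
        if (spAdapter != null) {
            spAdapter.preSingleSignOnRequest(spEntityID, realm, null, request, response, authnRequest);
        }
        // The ECP AuthnRequest is always signed; without a signing key the request is
        // refused rather than sent unsigned.
        String alias = SAML2Utils.getSigningCertAlias(realm, spEntityID, SAML2Constants.SP_ROLE);
        PrivateKey signingKey = KeyUtil.getKeyProviderInstance().getPrivateKey(alias);
        if (signingKey != null) {
            authnRequest.sign(signingKey, null);
        } else {
            SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest: " + "Unable to find signing key.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }
        ECPFactory ecpFactory = ECPFactory.getInstance();
        // Default URL if relayState not present? in providerConfig?
        // TODO get Default URL from metadata
        String relayState = getParameter(paramsMap, SAML2Constants.RELAY_STATE);
        String ecpRelayStateXmlStr = "";
        if (relayState != null && relayState.length() > 0) {
            // The header carries the ID returned by getRelayStateID, not the
            // caller-supplied relay state value itself.
            String relayStateID = getRelayStateID(relayState, authnRequest.getID());
            ECPRelayState ecpRelayState = ecpFactory.createECPRelayState();
            ecpRelayState.setValue(relayStateID);
            ecpRelayState.setMustUnderstand(Boolean.TRUE);
            ecpRelayState.setActor(SAML2Constants.SOAP_ACTOR_NEXT);
            ecpRelayStateXmlStr = ecpRelayState.toXMLString(true, true);
        }
        ECPRequest ecpRequest = ecpFactory.createECPRequest();
        ecpRequest.setIssuer(createIssuer(spEntityID));
        ecpRequest.setMustUnderstand(Boolean.TRUE);
        ecpRequest.setActor(SAML2Constants.SOAP_ACTOR_NEXT);
        ecpRequest.setIsPassive(authnRequest.isPassive());
        // Optionally advertise the preferred IDPs; only IDPs with a descriptor in this
        // realm's metadata are listed.
        SAML2IDPFinder ecpIDPFinder = SAML2Utils.getECPIDPFinder(realm, spEntityID);
        if (ecpIDPFinder != null) {
            List idps = ecpIDPFinder.getPreferredIDP(authnRequest, spEntityID, realm, request, response);
            if ((idps != null) && (!idps.isEmpty())) {
                SAML2MetaManager saml2MetaManager = SAML2Utils.getSAML2MetaManager();
                List idpEntries = null;
                for (Iterator iter = idps.iterator(); iter.hasNext(); ) {
                    String idpEntityID = (String) iter.next();
                    IDPSSODescriptorElement idpDesc = saml2MetaManager.getIDPSSODescriptor(realm, idpEntityID);
                    if (idpDesc != null) {
                        IDPEntry idpEntry = ProtocolFactory.getInstance().createIDPEntry();
                        idpEntry.setProviderID(idpEntityID);
                        String description = SAML2Utils.getAttributeValueFromSSOConfig(realm, idpEntityID, SAML2Constants.IDP_ROLE, SAML2Constants.ENTITY_DESCRIPTION);
                        idpEntry.setName(description);
                        List ssoServiceList = idpDesc.getSingleSignOnService();
                        String ssoURL = getSSOURL(ssoServiceList, SAML2Constants.SOAP);
                        idpEntry.setLoc(ssoURL);
                        if (idpEntries == null) {
                            idpEntries = new ArrayList();
                        }
                        idpEntries.add(idpEntry);
                    }
                }
                if (idpEntries != null) {
                    IDPList idpList = ProtocolFactory.getInstance().createIDPList();
                    idpList.setIDPEntries(idpEntries);
                    ecpRequest.setIDPList(idpList);
                    // Reuse the attribute map read above; spEntityCfg may be null, in which
                    // case there is no GetComplete value to add.
                    List values = (spConfigAttrsMap == null) ? null : (List) spConfigAttrsMap.get(SAML2Constants.ECP_REQUEST_IDP_LIST_GET_COMPLETE);
                    if ((values != null) && (!values.isEmpty())) {
                        GetComplete getComplete = ProtocolFactory.getInstance().createGetComplete();
                        getComplete.setValue((String) values.get(0));
                        idpList.setGetComplete(getComplete);
                    }
                }
            }
        }
        String paosRequestXmlStr = "";
        try {
            PAOSRequest paosRequest = new PAOSRequest(authnRequest.getAssertionConsumerServiceURL(), SAML2Constants.PAOS_ECP_SERVICE, null, Boolean.TRUE, SAML2Constants.SOAP_ACTOR_NEXT);
            paosRequestXmlStr = paosRequest.toXMLString(true, true);
        } catch (PAOSException paosex) {
            SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest:", paosex);
            throw new SAML2Exception(paosex.getMessage());
        }
        // SOAP header blocks: PAOS request, ECP request, then the optional ECP relay state.
        String header = paosRequestXmlStr + ecpRequest.toXMLString(true, true) + ecpRelayStateXmlStr;
        String body = authnRequest.toXMLString(true, true);
        try {
            SOAPMessage reply = SOAPCommunicator.getInstance().createSOAPMessage(header, body, false);
            String[] data2 = { spEntityID, realm, "" };
            // The full SOAP message is written to the access log only at FINE level.
            if (LogUtil.isAccessLoggable(Level.FINE)) {
                data2[2] = SOAPCommunicator.getInstance().soapMessageToString(reply);
            }
            LogUtil.access(Level.INFO, LogUtil.SEND_ECP_PAOS_REQUEST, data2, null);
            // Save pending changes before the MIME headers are copied to the HTTP
            // response; the headers are generated as part of the save.
            if (reply.saveRequired()) {
                reply.saveChanges();
            }
            response.setStatus(HttpServletResponse.SC_OK);
            SAML2Utils.putHeaders(reply.getMimeHeaders(), response);
            response.setContentType(PAOSConstants.PAOS_MIME_TYPE);
            // Write out the message on the response stream
            OutputStream os = response.getOutputStream();
            reply.writeTo(os);
            os.flush();
        } catch (SOAPException soapex) {
            SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest", soapex);
            String[] data3 = { spEntityID, realm };
            LogUtil.error(Level.INFO, LogUtil.SEND_ECP_PAOS_REQUEST_FAILED, data3, null);
            // NOTE(review): the SOAP exception message is passed to sendError and may reach
            // the client; confirm it cannot carry internal detail.
            SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "soapError", soapex.getMessage());
            return;
        }
        // Cache the request under its ID (presumably so the later response can be matched
        // to it; the lookup side is not visible here).
        AuthnRequestInfo reqInfo = new AuthnRequestInfo(request, response, realm, spEntityID, null, authnRequest, relayState, paramsMap);
        synchronized (SPCache.requestHash) {
            SPCache.requestHash.put(authnRequest.getID(), reqInfo);
        }
        if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
            // sessionExpireTime is counted in seconds
            long sessionExpireTime = System.currentTimeMillis() / 1000 + SPCache.interval;
            String key = authnRequest.getID();
            try {
                SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(key, new AuthnRequestInfoCopy(reqInfo), sessionExpireTime);
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("SPSSOFederate.initiateECPRequest:" + " SAVE AuthnRequestInfoCopy for requestID " + key);
                }
            } catch (SAML2TokenRepositoryException e) {
                // A failed failover save is logged but does not fail the request; the
                // in-memory entry above is already in place.
                SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest: There was a problem saving the " + "AuthnRequestInfoCopy in the SAML2 Token Repository for requestID " + key, e);
            }
        }
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error("SPSSOFederate:Error retrieving metadata", sme);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
}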
Also used : PrivateKey(java.security.PrivateKey) SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) GetComplete(com.sun.identity.saml2.protocol.GetComplete) OutputStream(java.io.OutputStream) ArrayList(java.util.ArrayList) PAOSException(com.sun.identity.liberty.ws.paos.PAOSException) SOAPMessage(javax.xml.soap.SOAPMessage) ECPFactory(com.sun.identity.saml2.ecp.ECPFactory) SOAPException(javax.xml.soap.SOAPException) ECPRelayState(com.sun.identity.saml2.ecp.ECPRelayState) Iterator(java.util.Iterator) List(java.util.List) IDPList(com.sun.identity.saml2.protocol.IDPList) ArrayList(java.util.ArrayList) SAML2ServiceProviderAdapter(com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter) SAML2IDPFinder(com.sun.identity.saml2.plugins.SAML2IDPFinder) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) ECPRequest(com.sun.identity.saml2.ecp.ECPRequest) SPSSOConfigElement(com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement) IDPList(com.sun.identity.saml2.protocol.IDPList) SAML2MetaManager(com.sun.identity.saml2.meta.SAML2MetaManager) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) AuthnRequest(com.sun.identity.saml2.protocol.AuthnRequest) SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException) IDPEntry(com.sun.identity.saml2.protocol.IDPEntry) Map(java.util.Map) PAOSRequest(com.sun.identity.liberty.ws.paos.PAOSRequest) IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)

Aggregations

SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)275 ArrayList (java.util.ArrayList)92 List (java.util.List)86 SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)72 Element (org.w3c.dom.Element)64 SessionException (com.sun.identity.plugin.session.SessionException)56 IOException (java.io.IOException)51 SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)44 Map (java.util.Map)44 HashMap (java.util.HashMap)43 Iterator (java.util.Iterator)43 Issuer (com.sun.identity.saml2.assertion.Issuer)42 Date (java.util.Date)40 SOAPException (javax.xml.soap.SOAPException)39 SAML2TokenRepositoryException (org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)39 X509Certificate (java.security.cert.X509Certificate)36 NodeList (org.w3c.dom.NodeList)36 IDPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)35 Node (org.w3c.dom.Node)34 Response (com.sun.identity.saml2.protocol.Response)30