use of com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.
the class SAML2Utils method isBearerSubjectConfirmation.
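/**
 * Finds the bearer SubjectConfirmation of an assertion and validates its SubjectConfirmationData
 * against this SP's metadata and the Response the assertion arrived in. Non-bearer confirmations
 * are ignored and only the first bearer confirmation is validated.
 *
 * <p>All of the following must hold, otherwise the assertion is rejected with a SAML2Exception
 * (each failure is also written to the SAML2 audit log):
 * <ul>
 *   <li>SubjectConfirmationData is present;</li>
 *   <li>Recipient is present and is exactly one of this SP's AssertionConsumerService locations;</li>
 *   <li>NotOnOrAfter is present and, allowing the configured clock skew, has not passed;</li>
 *   <li>NotBefore, if present, is older than the clock skew window (see the note inline);</li>
 *   <li>InResponseTo is either present and equal to the Response's InResponseTo, or absent on
 *       both the assertion and the Response (unsolicited response).</li>
 * </ul>
 *
 * @param subjectConfirms  SubjectConfirmation elements of the assertion's Subject
 * @param inRespToResponse InResponseTo of the enclosing Response; null or empty when unsolicited
 * @param spDesc           this SP's SSO descriptor, supplies the ACS locations
 * @param spConfig         this SP's extended configuration, supplies the assertion time skew
 * @param assertionID      assertion ID, used only for logging
 * @return map holding {@code IS_BEARER} (Boolean) and, when a bearer confirmation validated,
 *         {@code NOTONORAFTER} (Date) and {@code NOTBEFORE} (Date, may be null)
 * @throws SAML2Exception if a bearer confirmation fails any check above
 */
private static Map isBearerSubjectConfirmation(final List subjectConfirms, final String inRespToResponse, final SPSSODescriptorElement spDesc, final SPSSOConfigElement spConfig, final String assertionID) throws SAML2Exception {
    final String method = "SAML2Utils.isBearerSubjectConfirmation:";
    final Map retMap = new HashMap();
    boolean hasBearer = false;
    for (Object element : subjectConfirms) {
        SubjectConfirmation subjectConfirm = (SubjectConfirmation) element;
        if (subjectConfirm == null || subjectConfirm.getMethod() == null
                || !subjectConfirm.getMethod().equals(SAML2Constants.SUBJECT_CONFIRMATION_METHOD_BEARER)) {
            continue;
        }
        // This is a bearer confirmation: every check below must pass.
        SubjectConfirmationData subjectConfData = subjectConfirm.getSubjectConfirmationData();
        if (subjectConfData == null) {
            if (debug.messageEnabled()) {
                debug.message(method + "missing SubjectConfirmationData.");
            }
            String[] data = { assertionID };
            LogUtil.error(Level.INFO, LogUtil.MISSING_SUBJECT_COMFIRMATION_DATA, data, null);
            throw new SAML2Exception(bundle.getString("missingSubjectConfirmationData"));
        }

        // Recipient must be one of our own ACS locations (exact string match, no normalisation).
        String recipient = subjectConfData.getRecipient();
        if (recipient == null || recipient.length() == 0) {
            if (debug.messageEnabled()) {
                debug.message(method + "missing Recipient in Assertion.");
            }
            String[] data = { assertionID };
            LogUtil.error(Level.INFO, LogUtil.MISSING_RECIPIENT, data, null);
            throw new SAML2Exception(bundle.getString("missingRecipient"));
        }
        boolean recipientIsOurs = false;
        for (Object acsElement : spDesc.getAssertionConsumerService()) {
            AssertionConsumerServiceElement acs = (AssertionConsumerServiceElement) acsElement;
            if (recipient.equals(acs.getLocation())) {
                recipientIsOurs = true;
                break;
            }
        }
        if (!recipientIsOurs) {
            if (debug.messageEnabled()) {
                debug.message(method + "this sp is not the intended " + "recipient.");
            }
            String[] data = { assertionID, recipient };
            LogUtil.error(Level.INFO, LogUtil.WRONG_RECIPIENT, data, null);
            throw new SAML2Exception(bundle.getString("wrongRecipient"));
        }

        // Allowed clock skew in seconds. A malformed or negative configured value falls back to
        // the default (negative values already did); it is never taken from the assertion.
        int timeskew = SAML2Constants.ASSERTION_TIME_SKEW_DEFAULT;
        String timeskewStr = getAttributeValueFromSPSSOConfig(spConfig, SAML2Constants.ASSERTION_TIME_SKEW);
        if (timeskewStr != null && timeskewStr.trim().length() > 0) {
            try {
                timeskew = Integer.parseInt(timeskewStr.trim());
            } catch (NumberFormatException nfe) {
                debug.error(method + "invalid " + SAML2Constants.ASSERTION_TIME_SKEW
                        + " value in SP configuration, using the default", nfe);
            }
            if (timeskew < 0) {
                timeskew = SAML2Constants.ASSERTION_TIME_SKEW_DEFAULT;
            }
        }
        if (debug.messageEnabled()) {
            debug.message(method + "timeskew = " + timeskew);
        }
        // Long arithmetic: an int multiply would overflow for skews above ~24 days.
        final long skewMillis = timeskew * 1000L;
        // One time snapshot so both window checks see the same "now".
        final long now = System.currentTimeMillis();

        Date notOnOrAfter = subjectConfData.getNotOnOrAfter();
        if (notOnOrAfter == null || notOnOrAfter.getTime() + skewMillis < now) {
            if (debug.messageEnabled()) {
                debug.message(method + "Time in SubjectConfirmationData of " + "Assertion:" + assertionID + " is invalid.");
            }
            String[] data = { assertionID };
            LogUtil.error(Level.INFO, LogUtil.INVALID_TIME_SUBJECT_CONFIRMATION_DATA, data, null);
            throw new SAML2Exception(bundle.getString("invalidTimeOnSubjectConfirmationData"));
        }
        retMap.put(SAML2Constants.NOTONORAFTER, notOnOrAfter);

        // NOTE(review): the skew is added here rather than subtracted, so any NotBefore less than
        // timeskew seconds in the past is rejected; together with the "containedNotBefore" log key
        // this reads as "NotBefore is not expected on a bearer confirmation". Kept as is because
        // relaxing it would widen the acceptance window - confirm intent before changing.
        Date notBefore = subjectConfData.getNotBefore();
        if (notBefore != null && notBefore.getTime() + skewMillis > now) {
            if (debug.messageEnabled()) {
                debug.message(method + "SubjectConfirmationData included " + "NotBefore.");
            }
            String[] data = { assertionID };
            LogUtil.error(Level.INFO, LogUtil.CONTAINED_NOT_BEFORE, data, null);
            throw new SAML2Exception(bundle.getString("containedNotBefore"));
        }
        retMap.put(SAML2Constants.NOTBEFORE, notBefore);

        // InResponseTo must agree with the Response: equal when the assertion carries one, and
        // absent on the assertion only when the Response carries none either.
        String inRespTo = subjectConfData.getInResponseTo();
        boolean assertionHasInRespTo = inRespTo != null && inRespTo.length() != 0;
        boolean responseHasInRespTo = inRespToResponse != null && inRespToResponse.length() != 0;
        if (assertionHasInRespTo) {
            if (!inRespTo.equals(inRespToResponse)) {
                if (debug.messageEnabled()) {
                    debug.message(method + "InResponseTo in Assertion is " + "different from the one in Response.");
                }
                String[] data = { assertionID };
                LogUtil.error(Level.INFO, LogUtil.WRONG_INRESPONSETO_ASSERTION, data, null);
                throw new SAML2Exception(bundle.getString("wrongInResponseToInAssertion"));
            }
        } else if (responseHasInRespTo) {
            if (debug.messageEnabled()) {
                debug.message(method + "Assertion doesn't contain " + "InResponseTo, but Response does.");
            }
            String[] data = { assertionID };
            LogUtil.error(Level.INFO, LogUtil.WRONG_INRESPONSETO_ASSERTION, data, null);
            throw new SAML2Exception(bundle.getString("wrongInResponseToInAssertion"));
        }

        hasBearer = true;
        break;
    }
    retMap.put(SAML2Constants.IS_BEARER, Boolean.valueOf(hasBearer));
    return retMap;
}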
use of com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.
the class IDPProxyUtil method getNewAuthnRequest.
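/**
 * Constructs the AuthnRequest that the proxying IDP sends on to the remote IDP, built from the
 * AuthnRequest it received from the service provider.
 *
 * <p>The new request is always a fresh single sign-on request: it gets a newly generated ID, a
 * new IssueInstant, the hosted SP entity as Issuer and the hosted SP's first
 * AssertionConsumerService URL for the original request's protocol binding. Consent, IsPassive,
 * ForceAuthn, both service indexes, RequestedAuthnContext and Extensions are copied from the
 * original request unchanged (Extensions are forwarded verbatim, nothing filters them here);
 * NameIDPolicy is copied with SPNameQualifier set to the hosted entity.
 *
 * <p>Scoping: when the original request carries Scoping, its IDPList is forwarded and its
 * ProxyCount, if present, is decremented by one for this hop. Otherwise (the "always IdP proxy"
 * case) the ProxyCount and IDPList come from the requesting SP's extended configuration.
 *
 * @param hostedEntityId hosted SP entity ID this IDP uses towards the remote IDP
 * @param destination    where the new AuthnRequest will be sent
 * @param realm          realm of the hosted entity
 * @param origRequest    the AuthnRequest received from the service provider
 * @return the new AuthnRequest
 * @throws SAML2Exception if an ID cannot be generated, the hosted SP metadata is missing or has
 *                        no ACS URL for the binding, or any other failure occurs while building
 */
private static AuthnRequest getNewAuthnRequest(String hostedEntityId, String destination, String realm, AuthnRequest origRequest) throws SAML2Exception {
    String classMethod = "IDPProxyUtil.getNewAuthnRequest: ";
    // New Authentication request should only be a single sign-on request.
    try {
        AuthnRequest newRequest = ProtocolFactory.getInstance().createAuthnRequest();
        String requestID = SAML2Utils.generateID();
        if (requestID == null || requestID.isEmpty()) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("cannotGenerateID"));
        }
        newRequest.setID(requestID);

        SPSSODescriptorElement localDescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(realm, hostedEntityId);
        if (localDescriptor == null) {
            // Fail with the metadata error instead of an NPE inside getACSUrl.
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }
        newRequest.setDestination(XMLUtils.escapeSpecialCharacters(destination));
        newRequest.setConsent(origRequest.getConsent());
        newRequest.setIsPassive(origRequest.isPassive());
        newRequest.setForceAuthn(origRequest.isForceAuthn());
        newRequest.setAttributeConsumingServiceIndex(origRequest.getAttributeConsumingServiceIndex());
        newRequest.setAssertionConsumerServiceIndex(origRequest.getAssertionConsumerServiceIndex());

        String protocolBinding = origRequest.getProtocolBinding();
        newRequest.setProtocolBinding(protocolBinding);
        OrderedSet acsSet = SPSSOFederate.getACSUrl(localDescriptor, protocolBinding);
        if (acsSet == null || acsSet.isEmpty()) {
            // No ACS for this binding in the hosted SP metadata: say so rather than letting
            // get(0) throw an IndexOutOfBoundsException that is then wrapped generically.
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }
        newRequest.setAssertionConsumerServiceURL((String) acsSet.get(0));

        Issuer issuer = AssertionFactory.getInstance().createIssuer();
        issuer.setValue(hostedEntityId);
        newRequest.setIssuer(issuer);

        NameIDPolicy origNameIDPolicy = origRequest.getNameIDPolicy();
        if (origNameIDPolicy != null) {
            NameIDPolicy newNameIDPolicy = ProtocolFactory.getInstance().createNameIDPolicy();
            newNameIDPolicy.setFormat(origNameIDPolicy.getFormat());
            newNameIDPolicy.setSPNameQualifier(hostedEntityId);
            newNameIDPolicy.setAllowCreate(origNameIDPolicy.isAllowCreate());
            newRequest.setNameIDPolicy(newNameIDPolicy);
        }
        newRequest.setRequestedAuthnContext(origRequest.getRequestedAuthnContext());
        // Forwarded as received from the SP; the remote IDP sees whatever the SP put here.
        newRequest.setExtensions(origRequest.getExtensions());
        newRequest.setIssueInstant(new Date());
        newRequest.setVersion(SAML2Constants.VERSION_2_0);

        Scoping scoping = origRequest.getScoping();
        if (scoping != null) {
            Scoping newScoping = ProtocolFactory.getInstance().createScoping();
            Integer proxyCountInt = scoping.getProxyCount();
            if (proxyCountInt != null) {
                // This hop consumes one proxy. Clamp at zero, as the configured-count branch
                // below already does: ProxyCount is a nonNegativeInteger in the schema.
                newScoping.setProxyCount(Integer.valueOf(Math.max(0, proxyCountInt.intValue() - 1)));
            }
            newScoping.setIDPList(scoping.getIDPList());
            newRequest.setScoping(newScoping);
        } else {
            // alwaysIdpProxy case: the incoming request had no Scoping, so build one from the
            // requesting SP's extended configuration.
            SPSSOConfigElement spConfig = getSPSSOConfigByAuthnRequest(realm, origRequest);
            Map<String, List<String>> spConfigAttrMap = SAML2MetaUtils.getAttributes(spConfig);
            scoping = ProtocolFactory.getInstance().createScoping();
            String proxyCountParam = SPSSOFederate.getParameter(spConfigAttrMap, SAML2Constants.IDP_PROXY_COUNT);
            if (proxyCountParam != null && (!proxyCountParam.equals(""))) {
                int proxyCount = Integer.parseInt(proxyCountParam);
                // Remote SP configuration: this hop consumes one proxy, never go below zero.
                scoping.setProxyCount(proxyCount <= 0 ? 0 : proxyCount - 1);
            }
            List<String> proxyIdPs = spConfigAttrMap.get(SAML2Constants.IDP_PROXY_LIST);
            if (proxyIdPs != null && !proxyIdPs.isEmpty()) {
                List<IDPEntry> list = new ArrayList<IDPEntry>();
                for (String proxyIdP : proxyIdPs) {
                    IDPEntry entry = ProtocolFactory.getInstance().createIDPEntry();
                    entry.setProviderID(proxyIdP);
                    list.add(entry);
                }
                IDPList idpList = ProtocolFactory.getInstance().createIDPList();
                idpList.setIDPEntries(list);
                scoping.setIDPList(idpList);
                newRequest.setScoping(scoping);
            }
            // NOTE(review): without a configured IDP proxy list the Scoping built above, and
            // with it any configured ProxyCount, is never attached to the request, so the
            // remote IDP receives no ProxyCount at all. Kept as is - confirm this is intended.
        }
        return newRequest;
    } catch (SAML2Exception se) {
        // Keep the original (localised) failure instead of wrapping it in a generic one.
        SAML2Utils.debug.error(classMethod + "Error in creating new authn request.", se);
        throw se;
    } catch (Exception ex) {
        SAML2Utils.debug.error(classMethod + "Error in creating new authn request.", ex);
        throw new SAML2Exception(ex);
    }
}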
use of com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.
the class IDPProxyUtil method isIDPProxyEnabled.
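/**
 * Checks whether this identity provider should proxy the given authentication request to
 * another IDP on behalf of the requesting service provider.
 *
 * <p>Two cases, both decided from the SP's extended configuration:
 * <ul>
 *   <li>No Scoping in the request: proxy only if both "always IdP proxy" and "IdP proxy
 *       enabled" are set for the SP resolved from the request.</li>
 *   <li>Scoping present: a ProxyCount of zero or less forbids proxying and a missing ProxyCount
 *       places no limit; otherwise proxy only if "IdP proxy enabled" is set for the SP named by
 *       the request's Issuer.</li>
 * </ul>
 * Whatever cannot be resolved (no Issuer, no SP configuration, attribute unset) answers
 * {@code false}, i.e. no proxying.
 *
 * @param authnRequest the authentication request received from the SP
 * @param realm        realm of the hosted IDP
 * @return {@code true} if the IDP is configured to proxy this request
 * @throws SAML2Exception on failure to read the SP configuration
 */
public static boolean isIDPProxyEnabled(AuthnRequest authnRequest, String realm) throws SAML2Exception {
    Scoping scoping = authnRequest.getScoping();
    if (scoping == null) {
        // Always-IdP-proxy case: both flags must be present and true.
        SPSSOConfigElement spConfig = getSPSSOConfigByAuthnRequest(realm, authnRequest);
        if (spConfig == null) {
            return false;
        }
        Map spConfigAttrsMap = SAML2MetaUtils.getAttributes(spConfig);
        Boolean alwaysEnabled = SPSSOFederate.getAttrValueFromMap(spConfigAttrsMap, SAML2Constants.ALWAYS_IDP_PROXY);
        Boolean proxyEnabled = SPSSOFederate.getAttrValueFromMap(spConfigAttrsMap, SAML2Constants.ENABLE_IDP_PROXY);
        return Boolean.TRUE.equals(alwaysEnabled) && Boolean.TRUE.equals(proxyEnabled);
    }

    // A missing ProxyCount means the SP places no limit on proxying; zero or less forbids it.
    Integer proxyCountInt = scoping.getProxyCount();
    int proxyCount = (proxyCountInt == null) ? 1 : proxyCountInt.intValue();
    if (proxyCount <= 0) {
        return false;
    }

    // Without an Issuer the requesting SP cannot be identified, so nothing can allow proxying.
    Issuer issuer = authnRequest.getIssuer();
    if (issuer == null || issuer.getValue() == null) {
        return false;
    }
    // NOTE(review): this branch resolves the SP by Issuer while the branch above uses
    // getSPSSOConfigByAuthnRequest - confirm both resolve the same entity.
    SPSSOConfigElement spConfig = IDPSSOUtil.metaManager.getSPSSOConfig(realm, issuer.getValue());
    Map spConfigAttrsMap = null;
    if (spConfig != null) {
        spConfigAttrsMap = SAML2MetaUtils.getAttributes(spConfig);
    }
    Boolean enabled = SPSSOFederate.getAttrValueFromMap(spConfigAttrsMap, SAML2Constants.ENABLE_IDP_PROXY);
    return Boolean.TRUE.equals(enabled);
}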
use of com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.
the class SPACSUtils method getPrincipalWithoutLogin.
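/**
 * Maps the Subject of an assertion to a local user name without logging the user in, and
 * performs what attribute federation it can. Returns {@code null} when no local account can be
 * found or mapped. SP side only; intended to be called together with the SAML2 auth module.
 *
 * <p>Steps, in order:
 * <ol>
 *   <li>If the SP configuration requires an encrypted NameID (WANT_NAMEID_ENCRYPTED, unless
 *       WANT_ASSERTION_ENCRYPTED already covers it) and the Subject carries none, fail.</li>
 *   <li>Decrypt an EncryptedID, if present, with the SP's decryption keys.</li>
 *   <li>Reject a NameID format the SP metadata does not list (when it lists any).</li>
 *   <li>For persistent, or otherwise persisted, formats look up an existing federation link;
 *       if there is none (or the format is not persisted) ask the SP account mapper.</li>
 *   <li>For a newly linked persistent NameID, store the federation data.</li>
 * </ol>
 *
 * <p>This is a picked-apart version of {@code processResponse}: it performs no signature,
 * Conditions or SubjectConfirmation validation of its own, so the assertion must already
 * have been validated by the caller.
 *
 * @param assertionSubject Subject of the assertion (NameID or EncryptedID)
 * @param authnAssertion   the authentication assertion, handed to the account mapper
 * @param realm            SP realm
 * @param spEntityId       hosted SP entity ID
 * @param metaManager      metadata manager used to read the SP configuration and descriptor
 * @param idpEntityId      entity ID of the asserting IDP
 * @param storageKey       key under which federation data is stored for a new persistent link
 * @return the mapped local user name, or {@code null} if none could be determined
 * @throws SAML2Exception if an encrypted NameID is required but absent, decryption fails, the
 *                        SP descriptor cannot be read, or the NameID format is not supported
 */
public static String getPrincipalWithoutLogin(Subject assertionSubject, Assertion authnAssertion, String realm, String spEntityId, SAML2MetaManager metaManager, String idpEntityId, String storageKey) throws SAML2Exception {
    final String classMethod = "SPACSUtils.getPrincipalWithoutLogin: ";
    final EncryptedID encId = assertionSubject.getEncryptedID();
    final SPSSOConfigElement spssoconfig = metaManager.getSPSSOConfig(realm, spEntityId);
    final SPAccountMapper acctMapper = SAML2Utils.getSPAccountMapper(realm, spEntityId);

    // An encrypted NameID is only demanded when the whole assertion was not already required to
    // be encrypted. Boolean.parseBoolean(null) is false, so unset attributes count as "no".
    final boolean wantAssertionEncrypted = Boolean.parseBoolean(
            SAML2Utils.getAttributeValueFromSPSSOConfig(spssoconfig, SAML2Constants.WANT_ASSERTION_ENCRYPTED));
    final boolean needNameIDEncrypted = !wantAssertionEncrypted && Boolean.parseBoolean(
            SAML2Utils.getAttributeValueFromSPSSOConfig(spssoconfig, SAML2Constants.WANT_NAMEID_ENCRYPTED));
    if (needNameIDEncrypted && encId == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("nameIDNotEncrypted"));
    }

    NameID nameId = assertionSubject.getNameID();
    if (encId != null) {
        // Only load the SP's private keys when there is actually something to decrypt.
        final Set<PrivateKey> decryptionKeys = KeyUtil.getDecryptionKeys(spssoconfig);
        nameId = encId.decrypt(decryptionKeys);
    }
    // NOTE(review): a Subject with neither NameID nor EncryptedID leaves nameId null and fails
    // below with a NullPointerException rather than a SAML2Exception.

    SPSSODescriptorElement spDesc = null;
    try {
        spDesc = metaManager.getSPSSODescriptor(realm, spEntityId);
    } catch (SAML2MetaException ex) {
        SAML2Utils.debug.error("Unable to read SPSSODescription", ex);
    }
    if (spDesc == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }

    // An SP that lists NameIDFormats accepts only those; an SP that lists none accepts any.
    final String nameIDFormat = nameId.getFormat();
    if (nameIDFormat != null) {
        List spNameIDFormatList = spDesc.getNameIDFormat();
        if (CollectionUtils.isNotEmpty(spNameIDFormatList) && !spNameIDFormatList.contains(nameIDFormat)) {
            Object[] args = { nameIDFormat };
            throw new SAML2Exception(SAML2Utils.BUNDLE_NAME, "unsupportedNameIDFormatSP", args);
        }
    }

    final boolean isTransient = SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(nameIDFormat);
    final boolean isPersistent = SAML2Constants.PERSISTENT.equals(nameIDFormat);
    final boolean ignoreProfile = SAML2PluginsUtils.isIgnoredProfile(realm);
    // Persistent NameIDs are always looked up; other non-transient formats only when the
    // realm keeps profiles and the account mapper asks for it.
    final boolean shouldPersistNameID = isPersistent
            || (!isTransient && !ignoreProfile && acctMapper.shouldPersistNameIDFormat(realm, spEntityId, idpEntityId, nameIDFormat));

    String userName = null;
    boolean isNewAccountLink = false;
    try {
        if (shouldPersistNameID) {
            try {
                userName = SAML2Utils.getDataStoreProvider().getUserID(realm,
                        SAML2Utils.getNameIDKeyMap(nameId, spEntityId, idpEntityId, realm, SAML2Constants.SP_ROLE));
            } catch (DataStoreProviderException dse) {
                throw new SAML2Exception(dse.getMessage());
            }
        }
        // No existing link: see if the account mapper derives a user from the federated data.
        if (userName == null) {
            userName = acctMapper.getIdentity(authnAssertion, spEntityId, realm);
            isNewAccountLink = true;
        }
    } catch (SAML2Exception se) {
        // Best effort by contract (null means "no local user"), but leave a trace of why.
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "unable to map the subject to a local user", se);
        }
        return null;
    }

    // New link for a persistent NameID: store the federation data on the user.
    if (isNewAccountLink && isPersistent) {
        try {
            writeFedData(nameId, spEntityId, realm, metaManager, idpEntityId, userName, storageKey);
        } catch (SAML2Exception se) {
            // The user is still returned; only the link was not persisted, which is worth noting.
            SAML2Utils.debug.error(classMethod + "unable to store federation data for " + userName, se);
            return userName;
        }
    }
    return userName;
}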
use of com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.
the class SAMLv2ModelImpl method setSPExtAttributeValues.
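/**
 * Saves the extended (OpenAM-specific) attribute values for a Service Provider.
 *
 * <p>Reads the entity's extended configuration (creating it first for a remote entity that has
 * none), applies the values to the SP's SSO configuration and writes the whole entity
 * configuration back. The attempt, its success and any failure are audited via {@code logEvent}.
 * A failure is reported to the caller as an {@link AMConsoleException}; it used to be logged
 * only, which let the console treat a save that did not happen as successful.
 *
 * @param realm       realm to which the entity belongs
 * @param entityName  entity ID
 * @param spExtValues extended attribute values to apply (attribute name to values)
 * @param location    whether the entity is remote or hosted
 * @throws AMConsoleException if reading, updating or writing the configuration fails
 */
public void setSPExtAttributeValues(String realm, String entityName, Map spExtValues, String location) throws AMConsoleException {
    String[] params = { realm, entityName, "SAMLv2", "SP-Extended" };
    logEvent("ATTEMPT_MODIFY_ENTITY_DESCRIPTOR", params);
    String role = EntityModel.SERVICE_PROVIDER;
    try {
        SAML2MetaManager samlManager = getSAML2MetaManager();
        // entityConfig is the extended entity configuration object
        EntityConfigElement entityConfig = samlManager.getEntityConfig(realm, entityName);
        // remote entities may have no extended configuration yet
        if (entityConfig == null) {
            createExtendedObject(realm, entityName, location, role);
            entityConfig = samlManager.getEntityConfig(realm, entityName);
        }
        SPSSOConfigElement spssoConfig = samlManager.getSPSSOConfig(realm, entityName);
        if (spssoConfig != null) {
            // presumably the same in-memory object entityConfig refers to, so the update is
            // carried by setEntityConfig below - verify against SAML2MetaManager
            updateBaseConfig(spssoConfig, spExtValues, role);
        }
        // saves the attributes by passing the new entityConfig object
        samlManager.setEntityConfig(realm, entityConfig);
        logEvent("SUCCEED_MODIFY_ENTITY_DESCRIPTOR", params);
    } catch (SAML2MetaException e) {
        throw spExtSaveFailure(realm, entityName, e);
    } catch (JAXBException e) {
        throw spExtSaveFailure(realm, entityName, e);
    } catch (AMConsoleException e) {
        throw spExtSaveFailure(realm, entityName, e);
    }
}

/**
 * Logs and audits a failure of {@link #setSPExtAttributeValues} and builds the exception that
 * surfaces it to the caller.
 *
 * @param realm      realm of the entity being modified
 * @param entityName entity ID being modified
 * @param e          the failure
 * @return the exception to throw, carrying the console error string for {@code e}
 */
private AMConsoleException spExtSaveFailure(String realm, String entityName, Exception e) {
    debug.error("SAMLv2ModelImpl.setSPExtAttributeValues:", e);
    String strError = getErrorString(e);
    String[] paramsEx = { realm, entityName, "SAMLv2", "SP Ext", strError };
    logEvent("FEDERATION_EXCEPTION_MODIFY_ENTITY_DESCRIPTOR", paramsEx);
    return new AMConsoleException(strError);
}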