
Example 36 with SPSSOConfigElement

use of com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.

the class SAML2Utils method isBearerSubjectConfirmation.

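/**
 * Validates the bearer {@code SubjectConfirmation} of an assertion received by this SP.
 *
 * <p>Only the first confirmation whose method equals
 * {@code SAML2Constants.SUBJECT_CONFIRMATION_METHOD_BEARER} is examined. For that confirmation
 * every check below must pass; otherwise the failure is logged with the assertion ID and a
 * {@code SAML2Exception} is thrown:
 * <ul>
 *   <li>{@code SubjectConfirmationData} is present;</li>
 *   <li>{@code Recipient} is non-empty and equals the location of one of the
 *       AssertionConsumerService entries of {@code spDesc};</li>
 *   <li>{@code NotOnOrAfter} is present and, with the configured time skew added, is not in
 *       the past;</li>
 *   <li>{@code NotBefore}, when present, with the time skew added, is not in the future;</li>
 *   <li>{@code InResponseTo} is either empty on both the assertion and the Response, or equal
 *       on both.</li>
 * </ul>
 *
 * @param subjectConfirms the {@code SubjectConfirmation} objects of the assertion
 * @param inRespToResponse the {@code InResponseTo} value of the enclosing Response, may be null
 * @param spDesc descriptor of this SP, source of the accepted AssertionConsumerService locations
 * @param spConfig extended configuration of this SP, source of the time-skew setting
 * @param assertionID ID of the assertion, used in log records
 * @return a map holding {@code SAML2Constants.IS_BEARER} (a {@code Boolean}) and, when a bearer
 *         confirmation was accepted, {@code SAML2Constants.NOTONORAFTER} and
 *         {@code SAML2Constants.NOTBEFORE} (the latter may map to null)
 * @throws SAML2Exception if a bearer confirmation is present but fails any check
 */
private static Map isBearerSubjectConfirmation(final List subjectConfirms, final String inRespToResponse, final SPSSODescriptorElement spDesc, final SPSSOConfigElement spConfig, final String assertionID) throws SAML2Exception {
    String method = "SAML2Utils.isBearerSubjectConfirmation:";
    Map retMap = new HashMap();
    boolean hasBearer = false;
    for (Iterator it = subjectConfirms.iterator(); it.hasNext(); ) {
        SubjectConfirmation subjectConfirm = (SubjectConfirmation) it.next();
        if (subjectConfirm == null || subjectConfirm.getMethod() == null || !subjectConfirm.getMethod().equals(SAML2Constants.SUBJECT_CONFIRMATION_METHOD_BEARER)) {
            continue;
        }
        // since this is bearer SC, all below must be true
        SubjectConfirmationData subjectConfData = subjectConfirm.getSubjectConfirmationData();
        if (subjectConfData == null) {
            if (debug.messageEnabled()) {
                debug.message(method + "missing SubjectConfirmationData.");
            }
            String[] data = { assertionID };
            LogUtil.error(Level.INFO, LogUtil.MISSING_SUBJECT_COMFIRMATION_DATA, data, null);
            throw new SAML2Exception(bundle.getString("missingSubjectConfirmationData"));
        }

        // Recipient must name one of this SP's own ACS endpoints, so an assertion issued for a
        // different endpoint is not accepted here.
        String recipient = subjectConfData.getRecipient();
        if (recipient == null || recipient.length() == 0) {
            if (debug.messageEnabled()) {
                debug.message(method + "missing Recipient in Assertion.");
            }
            String[] data = { assertionID };
            LogUtil.error(Level.INFO, LogUtil.MISSING_RECIPIENT, data, null);
            throw new SAML2Exception(bundle.getString("missingRecipient"));
        }
        boolean foundMatch = false;
        Iterator acsIter = spDesc.getAssertionConsumerService().iterator();
        while (acsIter.hasNext()) {
            AssertionConsumerServiceElement acs = (AssertionConsumerServiceElement) acsIter.next();
            if (recipient.equals(acs.getLocation())) {
                foundMatch = true;
                break;
            }
        }
        if (!foundMatch) {
            if (debug.messageEnabled()) {
                debug.message(method + "this sp is not the intended recipient.");
            }
            String[] data = { assertionID, recipient };
            LogUtil.error(Level.INFO, LogUtil.WRONG_RECIPIENT, data, null);
            throw new SAML2Exception(bundle.getString("wrongRecipient"));
        }

        // Time skew is configured in seconds. A blank, negative or unparsable setting falls back
        // to the default instead of letting a NumberFormatException escape assertion validation.
        // NOTE(review): no upper bound is applied; a large configured skew widens the window in
        // which an expired assertion is still accepted.
        int timeskew = SAML2Constants.ASSERTION_TIME_SKEW_DEFAULT;
        String timeskewStr = getAttributeValueFromSPSSOConfig(spConfig, SAML2Constants.ASSERTION_TIME_SKEW);
        if (timeskewStr != null && timeskewStr.trim().length() > 0) {
            try {
                // Parse the trimmed value: the emptiness test above already ignores padding.
                timeskew = Integer.parseInt(timeskewStr.trim());
            } catch (NumberFormatException nfe) {
                debug.error(method + "invalid time skew setting, using the default.", nfe);
                timeskew = SAML2Constants.ASSERTION_TIME_SKEW_DEFAULT;
            }
            if (timeskew < 0) {
                timeskew = SAML2Constants.ASSERTION_TIME_SKEW_DEFAULT;
            }
        }
        if (debug.messageEnabled()) {
            debug.message(method + "timeskew = " + timeskew);
        }
        // Multiply as long: the int product overflows for skews above roughly 2.1 million seconds.
        final long skewMillis = timeskew * 1000L;
        final long now = System.currentTimeMillis();

        Date notOnOrAfter = subjectConfData.getNotOnOrAfter();
        if (notOnOrAfter == null || (notOnOrAfter.getTime() + skewMillis) < now) {
            if (debug.messageEnabled()) {
                debug.message(method + "Time in SubjectConfirmationData of Assertion:" + assertionID + " is invalid.");
            }
            String[] data = { assertionID };
            LogUtil.error(Level.INFO, LogUtil.INVALID_TIME_SUBJECT_CONFIRMATION_DATA, data, null);
            throw new SAML2Exception(bundle.getString("invalidTimeOnSubjectConfirmationData"));
        }
        retMap.put(SAML2Constants.NOTONORAFTER, notOnOrAfter);

        // NOTE(review): the skew is added to NotBefore, which makes this check stricter than the
        // raw timestamp rather than tolerant of clock drift. The log key CONTAINED_NOT_BEFORE
        // suggests the intent may be to reject NotBefore on bearer confirmations altogether;
        // confirm the intended rule before changing the comparison.
        Date notBefore = subjectConfData.getNotBefore();
        if (notBefore != null && (notBefore.getTime() + skewMillis) > now) {
            if (debug.messageEnabled()) {
                debug.message(method + "SubjectConfirmationData included NotBefore.");
            }
            String[] data = { assertionID };
            LogUtil.error(Level.INFO, LogUtil.CONTAINED_NOT_BEFORE, data, null);
            throw new SAML2Exception(bundle.getString("containedNotBefore"));
        }
        retMap.put(SAML2Constants.NOTBEFORE, notBefore);

        // InResponseTo ties the assertion to the request the Response answers: both values must
        // be empty, or both must be equal.
        String inRespTo = subjectConfData.getInResponseTo();
        if (inRespTo != null && inRespTo.length() != 0) {
            if (!inRespTo.equals(inRespToResponse)) {
                if (debug.messageEnabled()) {
                    debug.message(method + "InResponseTo in Assertion is different from the one in Response.");
                }
                String[] data = { assertionID };
                LogUtil.error(Level.INFO, LogUtil.WRONG_INRESPONSETO_ASSERTION, data, null);
                throw new SAML2Exception(bundle.getString("wrongInResponseToInAssertion"));
            }
        } else if (inRespToResponse != null && inRespToResponse.length() != 0) {
            if (debug.messageEnabled()) {
                debug.message(method + "Assertion doesn't contain InResponseTo, but Response does.");
            }
            String[] data = { assertionID };
            LogUtil.error(Level.INFO, LogUtil.WRONG_INRESPONSETO_ASSERTION, data, null);
            throw new SAML2Exception(bundle.getString("wrongInResponseToInAssertion"));
        }
        hasBearer = true;
        break;
    }
    retMap.put(SAML2Constants.IS_BEARER, Boolean.valueOf(hasBearer));
    return retMap;
}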
Also used : SubjectConfirmation(com.sun.identity.saml2.assertion.SubjectConfirmation) HashMap(java.util.HashMap) Iterator(java.util.Iterator) AssertionConsumerServiceElement(com.sun.identity.saml2.jaxb.metadata.AssertionConsumerServiceElement) SubjectConfirmationData(com.sun.identity.saml2.assertion.SubjectConfirmationData) Map(java.util.Map) HashMap(java.util.HashMap) Date(java.util.Date)

Example 37 with SPSSOConfigElement

use of com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.

the class IDPProxyUtil method getNewAuthnRequest.

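/**
 * Constructs the authentication request that the proxying IDP sends onward, based on the
 * original request received from the service provider.
 *
 * <p>Consent, IsPassive, ForceAuthn, the service indexes, the protocol binding, the requested
 * authentication context and the extensions are copied from the original request. The issuer
 * and the NameIDPolicy SPNameQualifier are set to the hosted entity, and the
 * AssertionConsumerServiceURL is the first ACS URL of the hosted entity for the copied binding.
 *
 * @param hostedEntityId hosted provider ID
 * @param destination the destination where the new AuthnRequest will be sent to
 * @param realm realm of the hosted provider
 * @param origRequest original AuthnRequest received from the service provider
 * @return the new AuthnRequest
 * @exception SAML2Exception for any failure in creating the new request; every exception raised
 *            inside the method is logged and wrapped
 */
private static AuthnRequest getNewAuthnRequest(String hostedEntityId, String destination, String realm, AuthnRequest origRequest) throws SAML2Exception {
    String classMethod = "IDPProxyUtil.getNewAuthnRequest: ";
    // New Authentication request should only be a single sign-on request.
    try {
        AuthnRequest newRequest = ProtocolFactory.getInstance().createAuthnRequest();
        String requestID = SAML2Utils.generateID();
        if (requestID == null || requestID.isEmpty()) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("cannotGenerateID"));
        }
        newRequest.setID(requestID);
        SPSSODescriptorElement localDescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(realm, hostedEntityId);
        newRequest.setDestination(XMLUtils.escapeSpecialCharacters(destination));
        newRequest.setConsent(origRequest.getConsent());
        newRequest.setIsPassive(origRequest.isPassive());
        newRequest.setForceAuthn(origRequest.isForceAuthn());
        newRequest.setAttributeConsumingServiceIndex(origRequest.getAttributeConsumingServiceIndex());
        newRequest.setAssertionConsumerServiceIndex(origRequest.getAssertionConsumerServiceIndex());
        String protocolBinding = origRequest.getProtocolBinding();
        newRequest.setProtocolBinding(protocolBinding);
        // The response must come back to the proxy itself, so the ACS URL is taken from the
        // hosted entity's descriptor and never from the original request.
        OrderedSet acsSet = SPSSOFederate.getACSUrl(localDescriptor, protocolBinding);
        String acsURL = (String) acsSet.get(0);
        newRequest.setAssertionConsumerServiceURL(acsURL);
        Issuer issuer = AssertionFactory.getInstance().createIssuer();
        issuer.setValue(hostedEntityId);
        newRequest.setIssuer(issuer);
        NameIDPolicy origNameIDPolicy = origRequest.getNameIDPolicy();
        if (origNameIDPolicy != null) {
            NameIDPolicy newNameIDPolicy = ProtocolFactory.getInstance().createNameIDPolicy();
            newNameIDPolicy.setFormat(origNameIDPolicy.getFormat());
            newNameIDPolicy.setSPNameQualifier(hostedEntityId);
            newNameIDPolicy.setAllowCreate(origNameIDPolicy.isAllowCreate());
            newRequest.setNameIDPolicy(newNameIDPolicy);
        }
        // NOTE(review): the authentication context and the extensions are passed through from
        // the requesting SP unchanged; confirm that forwarding them to the next IDP is intended.
        newRequest.setRequestedAuthnContext(origRequest.getRequestedAuthnContext());
        newRequest.setExtensions(origRequest.getExtensions());
        newRequest.setIssueInstant(new Date());
        newRequest.setVersion(SAML2Constants.VERSION_2_0);
        Scoping scoping = origRequest.getScoping();
        if (scoping != null) {
            Scoping newScoping = ProtocolFactory.getInstance().createScoping();
            Integer proxyCountInt = scoping.getProxyCount();
            if (proxyCountInt != null) {
                // One hop is consumed by this proxy. Clamp at zero so that an incoming count of
                // 0 cannot produce a negative ProxyCount, matching the configured-count branch
                // below.
                newScoping.setProxyCount(Integer.valueOf(Math.max(0, proxyCountInt.intValue() - 1)));
            }
            newScoping.setIDPList(scoping.getIDPList());
            newRequest.setScoping(newScoping);
        } else {
            //handling the alwaysIdpProxy case -> the incoming request
            //did not contain a Scoping field
            // NOTE(review): spConfig is not checked for null before it is passed on; whether
            // SAML2MetaUtils.getAttributes accepts null is not visible here.
            SPSSOConfigElement spConfig = getSPSSOConfigByAuthnRequest(realm, origRequest);
            Map<String, List<String>> spConfigAttrMap = SAML2MetaUtils.getAttributes(spConfig);
            scoping = ProtocolFactory.getInstance().createScoping();
            String proxyCountParam = SPSSOFederate.getParameter(spConfigAttrMap, SAML2Constants.IDP_PROXY_COUNT);
            if (proxyCountParam != null && (!proxyCountParam.equals(""))) {
                int proxyCount = Integer.valueOf(proxyCountParam);
                if (proxyCount <= 0) {
                    scoping.setProxyCount(0);
                } else {
                    //since this is a remote SP configuration, we should
                    //decrement the proxycount by one
                    scoping.setProxyCount(proxyCount - 1);
                }
            }
            List<String> proxyIdPs = spConfigAttrMap.get(SAML2Constants.IDP_PROXY_LIST);
            if (proxyIdPs != null && !proxyIdPs.isEmpty()) {
                List<IDPEntry> list = new ArrayList<IDPEntry>();
                for (String proxyIdP : proxyIdPs) {
                    IDPEntry entry = ProtocolFactory.getInstance().createIDPEntry();
                    entry.setProviderID(proxyIdP);
                    list.add(entry);
                }
                IDPList idpList = ProtocolFactory.getInstance().createIDPList();
                idpList.setIDPEntries(list);
                scoping.setIDPList(idpList);
                // NOTE(review): Scoping is attached only when an IDP list is configured, so a
                // configured proxy count on its own is never sent and the next IDP sees no
                // ProxyCount limit. Confirm whether that is intended.
                newRequest.setScoping(scoping);
            }
        }
        return newRequest;
    } catch (Exception ex) {
        // Also catches the SAML2Exception thrown above and the NumberFormatException from a
        // non-numeric proxy count setting; all of them reach the caller as SAML2Exception.
        SAML2Utils.debug.error(classMethod + "Error in creating new authn request.", ex);
        throw new SAML2Exception(ex);
    }
}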
Also used : OrderedSet(com.sun.identity.shared.datastruct.OrderedSet) Issuer(com.sun.identity.saml2.assertion.Issuer) NameIDPolicy(com.sun.identity.saml2.protocol.NameIDPolicy) SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) SPSSOConfigElement(com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement) ArrayList(java.util.ArrayList) IDPList(com.sun.identity.saml2.protocol.IDPList) Date(java.util.Date) SOAPException(javax.xml.soap.SOAPException) SessionException(com.sun.identity.plugin.session.SessionException) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException) IOException(java.io.IOException) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) AuthnRequest(com.sun.identity.saml2.protocol.AuthnRequest) Scoping(com.sun.identity.saml2.protocol.Scoping) List(java.util.List) IDPList(com.sun.identity.saml2.protocol.IDPList) ArrayList(java.util.ArrayList) IDPEntry(com.sun.identity.saml2.protocol.IDPEntry)

Example 38 with SPSSOConfigElement

use of com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.

the class IDPProxyUtil method isIDPProxyEnabled.

/**
 * Decides whether this identity provider should proxy the given authentication request on
 * behalf of the requesting service provider.
 *
 * <p>Without a {@code Scoping} element in the request, proxying applies only when the SP's
 * configuration sets both {@code SAML2Constants.ALWAYS_IDP_PROXY} and
 * {@code SAML2Constants.ENABLE_IDP_PROXY} to true. With a {@code Scoping} element, its
 * {@code ProxyCount} must be absent or positive and the configuration of the request's issuer
 * must set {@code SAML2Constants.ENABLE_IDP_PROXY} to true.
 *
 * @param authnRequest the authentication request received from the service provider
 * @param realm realm in which the SP configuration is looked up
 * @return {@code true} if the IDP is configured for proxying this request
 * @exception SAML2Exception for any failure
 */
public static boolean isIDPProxyEnabled(AuthnRequest authnRequest, String realm) throws SAML2Exception {
    final Scoping requestScoping = authnRequest.getScoping();

    if (requestScoping == null) {
        // No Scoping in the request: proxy only if "always proxy" and proxying itself are both
        // switched on for this SP.
        final SPSSOConfigElement unscopedConfig = getSPSSOConfigByAuthnRequest(realm, authnRequest);
        if (unscopedConfig == null) {
            return false;
        }
        final Map unscopedAttrs = SAML2MetaUtils.getAttributes(unscopedConfig);
        final Boolean alwaysProxy = SPSSOFederate.getAttrValueFromMap(unscopedAttrs, SAML2Constants.ALWAYS_IDP_PROXY);
        final Boolean proxyOn = SPSSOFederate.getAttrValueFromMap(unscopedAttrs, SAML2Constants.ENABLE_IDP_PROXY);
        return Boolean.TRUE.equals(alwaysProxy) && Boolean.TRUE.equals(proxyOn);
    }

    // A request without ProxyCount places no limit on proxying, so it is treated as a count of 1.
    final Integer declaredCount = requestScoping.getProxyCount();
    final int remainingHops = (declaredCount == null) ? 1 : declaredCount.intValue();
    if (remainingHops <= 0) {
        // The requester has exhausted (or forbidden) further proxying.
        return false;
    }

    final SPSSOConfigElement issuerConfig = IDPSSOUtil.metaManager.getSPSSOConfig(realm, authnRequest.getIssuer().getValue());
    // The attribute map stays null when the issuer has no SP configuration; it is handed to the
    // lookup below as is.
    final Map issuerAttrs = (issuerConfig == null) ? null : SAML2MetaUtils.getAttributes(issuerConfig);
    final Boolean proxyEnabled = SPSSOFederate.getAttrValueFromMap(issuerAttrs, SAML2Constants.ENABLE_IDP_PROXY);
    return proxyEnabled != null && proxyEnabled.booleanValue();
}
Also used : Scoping(com.sun.identity.saml2.protocol.Scoping) SPSSOConfigElement(com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement) Map(java.util.Map) HashMap(java.util.HashMap)

Example 39 with SPSSOConfigElement

use of com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.

the class SPACSUtils method getPrincipalWithoutLogin.

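/**
 * Returns the local user name the subject of the assertion maps to, or null if no mapping could
 * be made. Should only be used from the SP side, and only in conjunction with the Auth Module.
 * In addition, it performs what attribute federation it can: for a newly linked account with a
 * persistent NameID the federation data is written to the user.
 *
 * <p>This method is a picked apart version of the "processResponse" function.
 *
 * @param assertionSubject subject of the assertion, carrying a NameID or an EncryptedID
 * @param authnAssertion the authentication assertion, handed to the account mapper
 * @param realm realm of the hosted SP
 * @param spEntityId entity ID of the hosted SP
 * @param metaManager source of the SP descriptor and SP configuration
 * @param idpEntityId entity ID of the asserting IDP
 * @param storageKey key passed through to the federation data store
 * @return the mapped user name, or null when the lookup or the account mapper fails
 * @throws SAML2Exception if an encrypted NameID is required but absent, the SP metadata cannot
 *         be read, or the NameID format is not one the SP supports
 */
public static String getPrincipalWithoutLogin(Subject assertionSubject, Assertion authnAssertion, String realm, String spEntityId, SAML2MetaManager metaManager, String idpEntityId, String storageKey) throws SAML2Exception {
    final EncryptedID encId = assertionSubject.getEncryptedID();
    final SPSSOConfigElement spssoconfig = metaManager.getSPSSOConfig(realm, spEntityId);
    final Set<PrivateKey> decryptionKeys = KeyUtil.getDecryptionKeys(spssoconfig);
    final SPAccountMapper acctMapper = SAML2Utils.getSPAccountMapper(realm, spEntityId);
    boolean needNameIDEncrypted = false;
    NameID nameId = assertionSubject.getNameID();
    // NameID encryption is enforced here only when whole-assertion encryption is not required.
    String assertionEncryptedAttr = SAML2Utils.getAttributeValueFromSPSSOConfig(spssoconfig, SAML2Constants.WANT_ASSERTION_ENCRYPTED);
    if (assertionEncryptedAttr == null || !Boolean.parseBoolean(assertionEncryptedAttr)) {
        String idEncryptedStr = SAML2Utils.getAttributeValueFromSPSSOConfig(spssoconfig, SAML2Constants.WANT_NAMEID_ENCRYPTED);
        if (idEncryptedStr != null && Boolean.parseBoolean(idEncryptedStr)) {
            needNameIDEncrypted = true;
        }
    }
    if (needNameIDEncrypted && encId == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("nameIDNotEncrypted"));
    }
    if (encId != null) {
        nameId = encId.decrypt(decryptionKeys);
    }
    SPSSODescriptorElement spDesc = null;
    try {
        spDesc = metaManager.getSPSSODescriptor(realm, spEntityId);
    } catch (SAML2MetaException ex) {
        SAML2Utils.debug.error("Unable to read SPSSODescription", ex);
    }
    if (spDesc == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    // NOTE(review): nameId is dereferenced without a null check; a subject that carries neither
    // a NameID nor an EncryptedID would fail here with a NullPointerException rather than a
    // SAML2Exception. Confirm whether callers guarantee one of the two is present.
    final String nameIDFormat = nameId.getFormat();
    if (nameIDFormat != null) {
        List spNameIDFormatList = spDesc.getNameIDFormat();
        if (CollectionUtils.isNotEmpty(spNameIDFormatList) && !spNameIDFormatList.contains(nameIDFormat)) {
            Object[] args = { nameIDFormat };
            throw new SAML2Exception(SAML2Utils.BUNDLE_NAME, "unsupportedNameIDFormatSP", args);
        }
    }
    final boolean isTransient = SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(nameIDFormat);
    final boolean isPersistent = SAML2Constants.PERSISTENT.equals(nameIDFormat);
    final boolean ignoreProfile = SAML2PluginsUtils.isIgnoredProfile(realm);
    final boolean shouldPersistNameID = isPersistent || (!isTransient && !ignoreProfile && acctMapper.shouldPersistNameIDFormat(realm, spEntityId, idpEntityId, nameIDFormat));
    String userName = null;
    boolean isNewAccountLink = false;
    try {
        if (shouldPersistNameID) {
            userName = SAML2Utils.getDataStoreProvider().getUserID(realm, SAML2Utils.getNameIDKeyMap(nameId, spEntityId, idpEntityId, realm, SAML2Constants.SP_ROLE));
        }
        //if we can't get an already linked account, see if we'll be generating a new one based on federated data
        if (userName == null) {
            userName = acctMapper.getIdentity(authnAssertion, spEntityId, realm);
            //we'll use this later to inform us
            isNewAccountLink = true;
        }
    } catch (DataStoreProviderException dse) {
        // Still reported to the caller as "no principal", but the cause is no longer discarded
        // without a trace.
        SAML2Utils.debug.error("SPACSUtils.getPrincipalWithoutLogin: data store lookup of the linked account failed.", dse);
        return null;
    } catch (SAML2Exception se) {
        SAML2Utils.debug.error("SPACSUtils.getPrincipalWithoutLogin: unable to map the assertion to a local user.", se);
        return null;
    }
    //if we're new and we're persistent, store the federation data in the user pref
    if (isNewAccountLink && isPersistent) {
        try {
            writeFedData(nameId, spEntityId, realm, metaManager, idpEntityId, userName, storageKey);
        } catch (SAML2Exception se) {
            // Best effort: the user name is still returned, but the failed write is recorded
            // because the account link was not persisted.
            SAML2Utils.debug.error("SPACSUtils.getPrincipalWithoutLogin: unable to store federation data.", se);
            return userName;
        }
    }
    return userName;
}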
Also used : DataStoreProviderException(com.sun.identity.plugin.datastore.DataStoreProviderException) PrivateKey(java.security.PrivateKey) NameID(com.sun.identity.saml2.assertion.NameID) SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) SPSSOConfigElement(com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement) EncryptedID(com.sun.identity.saml2.assertion.EncryptedID) SPAccountMapper(com.sun.identity.saml2.plugins.SPAccountMapper) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) List(java.util.List) ArrayList(java.util.ArrayList) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)

Example 40 with SPSSOConfigElement

use of com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.

the class SAML2Test method importEntity.

/**
 * Imports the "meta" and "extended" files through the {@code import-entity} CLI command and
 * then checks that every descriptor and configuration element of {@code NAME_IDP} can be read
 * back from the root realm.
 */
@Test(groups = { "samlv2", "samlv2op" }, dependsOnMethods = { "createMetaTemplate" })
public void importEntity() throws CLIException, SAML2MetaException {
    entering("importEntity", null);

    // One option/value pair per line, in the order the command is issued.
    String[] cliArgs = {
        "import-entity",
        CLIConstants.PREFIX_ARGUMENT_LONG + FedCLIConstants.ARGUMENT_METADATA, "meta",
        CLIConstants.PREFIX_ARGUMENT_LONG + FedCLIConstants.ARGUMENT_EXTENDED_DATA, "extended",
        CLIConstants.PREFIX_ARGUMENT_LONG + FedCLIConstants.ARGUMENT_COT, NAME_COT,
        CLIConstants.PREFIX_ARGUMENT_LONG + FedCLIConstants.SPECIFICATION_VERSION, FedCLIConstants.SAML2_SPECIFICATION
    };
    cmdManager.addToRequestQueue(new CLIRequest(null, cliArgs, getAdminSSOToken()));
    cmdManager.serviceRequestQueue();

    final String rootRealm = "/";
    SAML2MetaManager metaManager = new SAML2MetaManager();

    // Standard metadata descriptors. Each lookup is kept outside its assert so that it runs
    // even when assertions are disabled.
    EntityDescriptorElement entityDescriptor = metaManager.getEntityDescriptor(rootRealm, NAME_IDP);
    assert entityDescriptor != null;
    SPSSODescriptorElement spDescriptor = metaManager.getSPSSODescriptor(rootRealm, NAME_IDP);
    assert spDescriptor != null;
    IDPSSODescriptorElement idpDescriptor = metaManager.getIDPSSODescriptor(rootRealm, NAME_IDP);
    assert idpDescriptor != null;
    XACMLPDPDescriptorElement pdpDescriptor = metaManager.getPolicyDecisionPointDescriptor(rootRealm, NAME_IDP);
    assert pdpDescriptor != null;
    XACMLAuthzDecisionQueryDescriptorElement pepDescriptor = metaManager.getPolicyEnforcementPointDescriptor(rootRealm, NAME_IDP);
    assert pepDescriptor != null;

    // Extended configuration elements.
    IDPSSOConfigElement idpSsoConfig = metaManager.getIDPSSOConfig(rootRealm, NAME_IDP);
    assert idpSsoConfig != null;
    SPSSOConfigElement spSsoConfig = metaManager.getSPSSOConfig(rootRealm, NAME_IDP);
    assert spSsoConfig != null;
    XACMLPDPConfigElement pdpSsoConfig = metaManager.getPolicyDecisionPointConfig(rootRealm, NAME_IDP);
    assert pdpSsoConfig != null;
    XACMLAuthzDecisionQueryConfigElement pepSsoConfig = metaManager.getPolicyEnforcementPointConfig(rootRealm, NAME_IDP);
    assert pepSsoConfig != null;

    exiting("importEntity");
}
Also used : SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) XACMLPDPDescriptorElement(com.sun.identity.saml2.jaxb.metadata.XACMLPDPDescriptorElement) SPSSOConfigElement(com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement) CLIRequest(com.sun.identity.cli.CLIRequest) XACMLPDPConfigElement(com.sun.identity.saml2.jaxb.entityconfig.XACMLPDPConfigElement) IDPSSOConfigElement(com.sun.identity.saml2.jaxb.entityconfig.IDPSSOConfigElement) SAML2MetaManager(com.sun.identity.saml2.meta.SAML2MetaManager) EntityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.EntityDescriptorElement) XACMLAuthzDecisionQueryConfigElement(com.sun.identity.saml2.jaxb.entityconfig.XACMLAuthzDecisionQueryConfigElement) XACMLAuthzDecisionQueryDescriptorElement(com.sun.identity.saml2.jaxb.metadata.XACMLAuthzDecisionQueryDescriptorElement) IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement) Test(org.testng.annotations.Test) BeforeTest(org.testng.annotations.BeforeTest)
