Search in sources :

Example 1 with AuthnAuthorityDescriptorElement

use of com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement in project OpenAM by OpenRock.

the class SAML2COTUtils method updateEntityConfig.

/**
     * Updates the entity config to add the circle of turst name to the
     * <code>cotlist</code> attribute. The Service Provider and Identity
     * Provider Configuration are updated.
     *
     * @param realm the realm name where the entity configuration is.
     * @param name the circle of trust name.
     * @param entityId the name of the Entity identifier.
     * @throws SAML2MetaException if there is a configuration error when
     *         updating the configuration.
     * @throws JAXBException is there is an error updating the entity
     *          configuration.
     */
public void updateEntityConfig(String realm, String name, String entityId) throws SAML2MetaException, JAXBException {
    String classMethod = "SAML2COTUtils.updateEntityConfig: ";
    SAML2MetaManager metaManager = null;
    if (callerSession == null) {
        metaManager = new SAML2MetaManager();
    } else {
        metaManager = new SAML2MetaManager(callerSession);
    }
    ObjectFactory objFactory = new ObjectFactory();
    // Check whether the entity id existed in the DS
    EntityDescriptorElement edes = metaManager.getEntityDescriptor(realm, entityId);
    if (edes == null) {
        debug.error(classMethod + "No such entity: " + entityId);
        String[] data = { realm, entityId };
        throw new SAML2MetaException("entityid_invalid", data);
    }
    boolean isAffiliation = false;
    if (metaManager.getAffiliationDescriptor(realm, entityId) != null) {
        isAffiliation = true;
    }
    if (debug.messageEnabled()) {
        debug.message(classMethod + "is " + entityId + " in realm " + realm + " an affiliation? " + isAffiliation);
    }
    EntityConfigElement eConfig = metaManager.getEntityConfig(realm, entityId);
    if (eConfig == null) {
        BaseConfigType bctype = null;
        AttributeType atype = objFactory.createAttributeType();
        atype.setName(SAML2Constants.COT_LIST);
        atype.getValue().add(name);
        // add to eConfig
        EntityConfigElement ele = objFactory.createEntityConfigElement();
        ele.setEntityID(entityId);
        ele.setHosted(false);
        if (isAffiliation) {
            // handle affiliation case
            bctype = objFactory.createAffiliationConfigElement();
            bctype.getAttribute().add(atype);
            ele.setAffiliationConfig(bctype);
        } else {
            List ll = ele.getIDPSSOConfigOrSPSSOConfigOrAuthnAuthorityConfig();
            // Decide which role EntityDescriptorElement includes
            List list = edes.getRoleDescriptorOrIDPSSODescriptorOrSPSSODescriptor();
            for (Iterator iter = list.iterator(); iter.hasNext(); ) {
                Object obj = iter.next();
                if (obj instanceof SPSSODescriptorElement) {
                    bctype = objFactory.createSPSSOConfigElement();
                    bctype.getAttribute().add(atype);
                    ll.add(bctype);
                } else if (obj instanceof IDPSSODescriptorElement) {
                    bctype = objFactory.createIDPSSOConfigElement();
                    bctype.getAttribute().add(atype);
                    ll.add(bctype);
                } else if (obj instanceof XACMLPDPDescriptorElement) {
                    bctype = objFactory.createXACMLPDPConfigElement();
                    bctype.getAttribute().add(atype);
                    ll.add(bctype);
                } else if (obj instanceof XACMLAuthzDecisionQueryDescriptorElement) {
                    bctype = objFactory.createXACMLAuthzDecisionQueryConfigElement();
                    bctype.getAttribute().add(atype);
                    ll.add(bctype);
                } else if (obj instanceof AttributeAuthorityDescriptorElement) {
                    bctype = objFactory.createAttributeAuthorityConfigElement();
                    bctype.getAttribute().add(atype);
                    ll.add(bctype);
                } else if (obj instanceof AttributeQueryDescriptorElement) {
                    bctype = objFactory.createAttributeQueryConfigElement();
                    bctype.getAttribute().add(atype);
                    ll.add(bctype);
                } else if (obj instanceof AuthnAuthorityDescriptorElement) {
                    bctype = objFactory.createAuthnAuthorityConfigElement();
                    bctype.getAttribute().add(atype);
                    ll.add(bctype);
                }
            }
        }
        metaManager.setEntityConfig(realm, ele);
    } else {
        boolean needToSave = true;
        List elist = null;
        if (isAffiliation) {
            AffiliationConfigElement affiliationCfgElm = metaManager.getAffiliationConfig(realm, entityId);
            elist = new ArrayList();
            elist.add(affiliationCfgElm);
        } else {
            elist = eConfig.getIDPSSOConfigOrSPSSOConfigOrAuthnAuthorityConfig();
        }
        for (Iterator iter = elist.iterator(); iter.hasNext(); ) {
            boolean foundCOT = false;
            BaseConfigType bConfig = (BaseConfigType) iter.next();
            List list = bConfig.getAttribute();
            for (Iterator iter2 = list.iterator(); iter2.hasNext(); ) {
                AttributeType avp = (AttributeType) iter2.next();
                if (avp.getName().trim().equalsIgnoreCase(SAML2Constants.COT_LIST)) {
                    foundCOT = true;
                    List avpl = avp.getValue();
                    if (avpl.isEmpty() || !containsValue(avpl, name)) {
                        avpl.add(name);
                        needToSave = true;
                        break;
                    }
                }
            }
            // no cot_list in the original entity config
            if (!foundCOT) {
                AttributeType atype = objFactory.createAttributeType();
                atype.setName(SAML2Constants.COT_LIST);
                atype.getValue().add(name);
                list.add(atype);
                needToSave = true;
            }
        }
        if (needToSave) {
            metaManager.setEntityConfig(realm, eConfig);
        }
    }
}
Also used : AuthnAuthorityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement) SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) XACMLPDPDescriptorElement(com.sun.identity.saml2.jaxb.metadata.XACMLPDPDescriptorElement) AttributeAuthorityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.AttributeAuthorityDescriptorElement) ArrayList(java.util.ArrayList) AttributeQueryDescriptorElement(com.sun.identity.saml2.jaxb.metadataextquery.AttributeQueryDescriptorElement) EntityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.EntityDescriptorElement) BaseConfigType(com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType) AffiliationConfigElement(com.sun.identity.saml2.jaxb.entityconfig.AffiliationConfigElement) ObjectFactory(com.sun.identity.saml2.jaxb.entityconfig.ObjectFactory) AttributeType(com.sun.identity.saml2.jaxb.entityconfig.AttributeType) Iterator(java.util.Iterator) ArrayList(java.util.ArrayList) List(java.util.List) XACMLAuthzDecisionQueryDescriptorElement(com.sun.identity.saml2.jaxb.metadata.XACMLAuthzDecisionQueryDescriptorElement) EntityConfigElement(com.sun.identity.saml2.jaxb.entityconfig.EntityConfigElement) IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)

Example 2 with AuthnAuthorityDescriptorElement

use of com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement in project OpenAM by OpenRock.

the class AuthnQueryUtil method verifyResponse.

private static void verifyResponse(Response response, AuthnQuery authnQuery, String authnAuthorityEntityID, String realm, AuthnAuthorityDescriptorElement aad) throws SAML2Exception {
    String authnQueryID = authnQuery.getID();
    if ((authnQueryID != null) && (!authnQueryID.equals(response.getInResponseTo()))) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidInResponseToAuthnQuery"));
    }
    Issuer respIssuer = response.getIssuer();
    if (respIssuer == null) {
        return;
    }
    if (!authnAuthorityEntityID.equals(respIssuer.getValue())) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("responseIssuerMismatch"));
    }
    if (!response.isSigned()) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("responseNotSigned"));
    }
    Set<X509Certificate> signingCerts = KeyUtil.getVerificationCerts(aad, authnAuthorityEntityID, SAML2Constants.AUTHN_AUTH_ROLE);
    if (signingCerts.isEmpty()) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
    }
    boolean valid = response.isSignatureValid(signingCerts);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("AuthnQueryUtil.verifyResponse: " + "Signature validity is : " + valid);
    }
    if (!valid) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignatureOnResponse"));
    }
    String spEntityID = authnQuery.getIssuer().getValue();
    List<Assertion> assertions = response.getAssertion();
    if (assertions == null) {
        List<EncryptedAssertion> encAssertions = response.getEncryptedAssertion();
        if (encAssertions != null && !encAssertions.isEmpty()) {
            Set<PrivateKey> privateKeys = KeyUtil.getDecryptionKeys(realm, spEntityID, SAML2Constants.SP_ROLE);
            for (EncryptedAssertion eAssertion : encAssertions) {
                Assertion assertion = eAssertion.decrypt(privateKeys);
                if (assertions == null) {
                    assertions = new ArrayList<>();
                }
                assertions.add(assertion);
            }
        }
    }
    if ((assertions == null) || (assertions.isEmpty())) {
        return;
    }
    signingCerts = KeyUtil.getVerificationCerts(aad, authnAuthorityEntityID, SAML2Constants.IDP_ROLE);
    for (Iterator iter = assertions.iterator(); iter.hasNext(); ) {
        Assertion assertion = (Assertion) iter.next();
        if (assertion.isSigned()) {
            if (signingCerts.isEmpty()) {
                throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
            }
            valid = assertion.isSignatureValid(signingCerts);
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("AuthnQueryUtil.verifyResponse: " + "Signature validity is : " + valid);
            }
            if (!valid) {
                throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignatureOnAssertion"));
            }
        }
    }
}
Also used : PrivateKey(java.security.PrivateKey) Issuer(com.sun.identity.saml2.assertion.Issuer) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) Assertion(com.sun.identity.saml2.assertion.Assertion) X509Certificate(java.security.cert.X509Certificate) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) Iterator(java.util.Iterator)

Example 3 with AuthnAuthorityDescriptorElement

use of com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement in project OpenAM by OpenRock.

the class AuthnQueryUtil method sendAuthnQuerySOAP.

private static Response sendAuthnQuerySOAP(AuthnQuery authnQuery, String authnServiceURL, String authnAuthorityEntityID, String realm, AuthnAuthorityDescriptorElement aad) throws SAML2Exception {
    String authnQueryXMLString = authnQuery.toXMLString(true, true);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("AuthnQueryUtil.sendAuthnQuerySOAP: " + "authnQueryXMLString = " + authnQueryXMLString);
        SAML2Utils.debug.message("AuthnQueryUtil.sendAuthnQuerySOAP: " + "authnServiceURL= " + authnServiceURL);
    }
    AuthnAuthorityConfigElement config = metaManager.getAuthnAuthorityConfig(realm, authnAuthorityEntityID);
    authnServiceURL = SAML2Utils.fillInBasicAuthInfo(config, authnServiceURL);
    SOAPMessage resMsg = null;
    try {
        resMsg = SOAPCommunicator.getInstance().sendSOAPMessage(authnQueryXMLString, authnServiceURL, true);
    } catch (SOAPException se) {
        SAML2Utils.debug.error("AuthnQueryUtil.sendAuthnQuerySOAP: ", se);
        throw new SAML2Exception(SAML2Utils.bundle.getString("errorSendingAuthnQuery"));
    }
    Element respElem = SOAPCommunicator.getInstance().getSamlpElement(resMsg, "Response");
    Response response = ProtocolFactory.getInstance().createResponse(respElem);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("AuthnQueryUtil.sendAuthnQuerySOAP: " + "response = " + response.toXMLString(true, true));
    }
    verifyResponse(response, authnQuery, authnAuthorityEntityID, realm, aad);
    return response;
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) Response(com.sun.identity.saml2.protocol.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) SOAPException(javax.xml.soap.SOAPException) AuthnAuthorityConfigElement(com.sun.identity.saml2.jaxb.entityconfig.AuthnAuthorityConfigElement) AuthnQueryServiceElement(com.sun.identity.saml2.jaxb.metadata.AuthnQueryServiceElement) AuthnAuthorityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement) SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) Element(org.w3c.dom.Element) AuthnAuthorityConfigElement(com.sun.identity.saml2.jaxb.entityconfig.AuthnAuthorityConfigElement) SOAPMessage(javax.xml.soap.SOAPMessage)

Example 4 with AuthnAuthorityDescriptorElement

use of com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement in project OpenAM by OpenRock.

the class AuthnQueryUtil method sendAuthnQuery.

/**
     * This method sends the <code>AuthnQuery</code> to specifiied
     * authentication authority and returns <code>Response</code> coming
     * from the authentication authority.
     *
     * @param authnQuery the <code>AuthnQuery</code> object
     * @param authnAuthorityEntityID entity ID of authentication authority
     * @param realm the realm of hosted entity
     * @param binding the binding
     *
     * @return the <code>Response</code> object
     * @exception SAML2Exception if the operation is not successful
     *
     * @supported.api
     */
public static Response sendAuthnQuery(AuthnQuery authnQuery, String authnAuthorityEntityID, String realm, String binding) throws SAML2Exception {
    SAML2MetaManager metaManager = SAML2Utils.getSAML2MetaManager();
    AuthnAuthorityDescriptorElement aad = null;
    try {
        aad = metaManager.getAuthnAuthorityDescriptor(realm, authnAuthorityEntityID);
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error("AttributeService.sendAuthnQuery:", sme);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    if (aad == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("authnAuthorityNotFound"));
    }
    if (binding == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    String location = null;
    List authnService = aad.getAuthnQueryService();
    for (Iterator iter = authnService.iterator(); iter.hasNext(); ) {
        AuthnQueryServiceElement authnService1 = (AuthnQueryServiceElement) iter.next();
        if (binding.equalsIgnoreCase(authnService1.getBinding())) {
            location = authnService1.getLocation();
            break;
        }
    }
    if (location == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    if (binding.equalsIgnoreCase(SAML2Constants.SOAP)) {
        signAuthnQuery(authnQuery, realm, false);
        return sendAuthnQuerySOAP(authnQuery, location, authnAuthorityEntityID, realm, aad);
    } else {
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) AuthnAuthorityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement) Iterator(java.util.Iterator) ArrayList(java.util.ArrayList) List(java.util.List) AuthnQueryServiceElement(com.sun.identity.saml2.jaxb.metadata.AuthnQueryServiceElement) SAML2MetaManager(com.sun.identity.saml2.meta.SAML2MetaManager) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)

Example 5 with AuthnAuthorityDescriptorElement

use of com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement in project OpenAM by OpenRock.

the class AssertionIDRequestUtil method getRoleDescriptorAndLocation.

private static RoleDescriptorType getRoleDescriptorAndLocation(String samlAuthorityEntityID, String role, String realm, String binding, StringBuffer location) throws SAML2Exception {
    List aIDReqServices = null;
    RoleDescriptorType roled = null;
    try {
        if (role == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedRole"));
        } else if (role.equals(SAML2Constants.IDP_ROLE)) {
            IDPSSODescriptorElement idpd = metaManager.getIDPSSODescriptor(realm, samlAuthorityEntityID);
            if (idpd == null) {
                throw new SAML2Exception(SAML2Utils.bundle.getString("idpNotFound"));
            }
            aIDReqServices = idpd.getAssertionIDRequestService();
            roled = idpd;
        } else if (role.equals(SAML2Constants.AUTHN_AUTH_ROLE)) {
            AuthnAuthorityDescriptorElement attrd = metaManager.getAuthnAuthorityDescriptor(realm, samlAuthorityEntityID);
            if (attrd == null) {
                throw new SAML2Exception(SAML2Utils.bundle.getString("authnAuthorityNotFound"));
            }
            aIDReqServices = attrd.getAssertionIDRequestService();
            roled = attrd;
        } else if (role.equals(SAML2Constants.ATTR_AUTH_ROLE)) {
            AttributeAuthorityDescriptorElement aad = metaManager.getAttributeAuthorityDescriptor(realm, samlAuthorityEntityID);
            if (aad == null) {
                throw new SAML2Exception(SAML2Utils.bundle.getString("attrAuthorityNotFound"));
            }
            aIDReqServices = aad.getAssertionIDRequestService();
            roled = aad;
        } else {
            throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedRole"));
        }
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error("AssertionIDRequest.getRoleDescriptorAndLocation:", sme);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    if (binding == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    if ((aIDReqServices == null) || (aIDReqServices.isEmpty())) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("aIDReqServiceNotFound"));
    }
    for (Iterator iter = aIDReqServices.iterator(); iter.hasNext(); ) {
        AssertionIDRequestServiceElement aIDReqService = (AssertionIDRequestServiceElement) iter.next();
        if (binding.equalsIgnoreCase(aIDReqService.getBinding())) {
            location.append(aIDReqService.getLocation());
            break;
        }
    }
    if (location.length() == 0) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    return roled;
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) AuthnAuthorityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement) AssertionIDRequestServiceElement(com.sun.identity.saml2.jaxb.metadata.AssertionIDRequestServiceElement) RoleDescriptorType(com.sun.identity.saml2.jaxb.metadata.RoleDescriptorType) AttributeAuthorityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.AttributeAuthorityDescriptorElement) Iterator(java.util.Iterator) List(java.util.List) ArrayList(java.util.ArrayList) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)

Aggregations

AuthnAuthorityDescriptorElement (com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement)8 ArrayList (java.util.ArrayList)7 List (java.util.List)7 SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)5 SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)5 SAML2MetaManager (com.sun.identity.saml2.meta.SAML2MetaManager)5 Iterator (java.util.Iterator)5 AuthnQueryServiceElement (com.sun.identity.saml2.jaxb.metadata.AuthnQueryServiceElement)4 ObjectFactory (com.sun.identity.saml2.jaxb.entityconfig.ObjectFactory)3 AssertionIDRequestServiceElement (com.sun.identity.saml2.jaxb.metadata.AssertionIDRequestServiceElement)3 AttributeAuthorityDescriptorElement (com.sun.identity.saml2.jaxb.metadata.AttributeAuthorityDescriptorElement)3 EntityDescriptorElement (com.sun.identity.saml2.jaxb.metadata.EntityDescriptorElement)3 IDPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)3 SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)3 AMConsoleException (com.sun.identity.console.base.model.AMConsoleException)2 Assertion (com.sun.identity.saml2.assertion.Assertion)2 EncryptedAssertion (com.sun.identity.saml2.assertion.EncryptedAssertion)2 Issuer (com.sun.identity.saml2.assertion.Issuer)2 BaseConfigType (com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType)2 EntityConfigElement (com.sun.identity.saml2.jaxb.entityconfig.EntityConfigElement)2