Use of com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement in project OpenAM by OpenRock.
Class SAML2COTUtils, method updateEntityConfig.
/**
 * Adds a circle of trust name to the {@code cotlist} attribute of an entity's
 * configuration. When the entity has no configuration yet, one is created with a
 * config element per role found in its metadata (or a single affiliation config);
 * otherwise every existing role config gets the name appended to its
 * {@code cotlist}, creating the attribute where it is missing.
 *
 * @param realm the realm holding the entity configuration.
 * @param name the circle of trust name to add.
 * @param entityId the entity identifier.
 * @throws SAML2MetaException if the entity does not exist or the configuration
 *         cannot be read or written.
 * @throws JAXBException if the configuration elements cannot be built.
 */
public void updateEntityConfig(String realm, String name, String entityId) throws SAML2MetaException, JAXBException {
    final String classMethod = "SAML2COTUtils.updateEntityConfig: ";
    SAML2MetaManager metaManager = (callerSession == null)
            ? new SAML2MetaManager()
            : new SAML2MetaManager(callerSession);
    ObjectFactory objFactory = new ObjectFactory();

    // Standard metadata must exist before any extended config can be attached to it.
    EntityDescriptorElement descriptor = metaManager.getEntityDescriptor(realm, entityId);
    if (descriptor == null) {
        debug.error(classMethod + "No such entity: " + entityId);
        throw new SAML2MetaException("entityid_invalid", new String[] { realm, entityId });
    }

    boolean isAffiliation = metaManager.getAffiliationDescriptor(realm, entityId) != null;
    if (debug.messageEnabled()) {
        debug.message(classMethod + "is " + entityId + " in realm " + realm + " an affiliation? " + isAffiliation);
    }

    EntityConfigElement existingConfig = metaManager.getEntityConfig(realm, entityId);
    if (existingConfig == null) {
        // First configuration for this entity: one cotlist attribute, shared by all role configs.
        AttributeType cotAttr = objFactory.createAttributeType();
        cotAttr.setName(SAML2Constants.COT_LIST);
        cotAttr.getValue().add(name);

        EntityConfigElement newConfig = objFactory.createEntityConfigElement();
        newConfig.setEntityID(entityId);
        newConfig.setHosted(false);

        if (isAffiliation) {
            BaseConfigType affiliationCfg = objFactory.createAffiliationConfigElement();
            affiliationCfg.getAttribute().add(cotAttr);
            newConfig.setAffiliationConfig(affiliationCfg);
        } else {
            List roleConfigs = newConfig.getIDPSSOConfigOrSPSSOConfigOrAuthnAuthorityConfig();
            // Create a config element for each role descriptor the metadata declares;
            // role types without a config counterpart are skipped.
            for (Object roleDesc : descriptor.getRoleDescriptorOrIDPSSODescriptorOrSPSSODescriptor()) {
                BaseConfigType roleCfg;
                if (roleDesc instanceof SPSSODescriptorElement) {
                    roleCfg = objFactory.createSPSSOConfigElement();
                } else if (roleDesc instanceof IDPSSODescriptorElement) {
                    roleCfg = objFactory.createIDPSSOConfigElement();
                } else if (roleDesc instanceof XACMLPDPDescriptorElement) {
                    roleCfg = objFactory.createXACMLPDPConfigElement();
                } else if (roleDesc instanceof XACMLAuthzDecisionQueryDescriptorElement) {
                    roleCfg = objFactory.createXACMLAuthzDecisionQueryConfigElement();
                } else if (roleDesc instanceof AttributeAuthorityDescriptorElement) {
                    roleCfg = objFactory.createAttributeAuthorityConfigElement();
                } else if (roleDesc instanceof AttributeQueryDescriptorElement) {
                    roleCfg = objFactory.createAttributeQueryConfigElement();
                } else if (roleDesc instanceof AuthnAuthorityDescriptorElement) {
                    roleCfg = objFactory.createAuthnAuthorityConfigElement();
                } else {
                    continue;
                }
                roleCfg.getAttribute().add(cotAttr);
                roleConfigs.add(roleCfg);
            }
        }
        metaManager.setEntityConfig(realm, newConfig);
        return;
    }

    // Existing configuration: the affiliation config stands alone, otherwise walk every role config.
    List configsToUpdate;
    if (isAffiliation) {
        configsToUpdate = new ArrayList();
        configsToUpdate.add(metaManager.getAffiliationConfig(realm, entityId));
    } else {
        configsToUpdate = existingConfig.getIDPSSOConfigOrSPSSOConfigOrAuthnAuthorityConfig();
    }
    // The flag starts out true, so the config is written back even when nothing changed.
    boolean needToSave = true;
    for (Object cfg : configsToUpdate) {
        List attributes = ((BaseConfigType) cfg).getAttribute();
        boolean foundCOT = false;
        for (Object attr : attributes) {
            AttributeType avp = (AttributeType) attr;
            if (!avp.getName().trim().equalsIgnoreCase(SAML2Constants.COT_LIST)) {
                continue;
            }
            foundCOT = true;
            List values = avp.getValue();
            // Only the first cotlist attribute lacking the name is extended.
            if (values.isEmpty() || !containsValue(values, name)) {
                values.add(name);
                needToSave = true;
                break;
            }
        }
        if (!foundCOT) {
            // No cotlist attribute at all on this role config: create it.
            AttributeType cotAttr = objFactory.createAttributeType();
            cotAttr.setName(SAML2Constants.COT_LIST);
            cotAttr.getValue().add(name);
            attributes.add(cotAttr);
            needToSave = true;
        }
    }
    if (needToSave) {
        metaManager.setEntityConfig(realm, existingConfig);
    }
}
Use of com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement in project OpenAM by OpenRock.
Class AuthnQueryUtil, method verifyResponse.
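/**
 * Validates a {@code Response} returned by an authentication authority for an
 * {@code AuthnQuery}: the InResponseTo value, the issuer, the response signature,
 * and the signature of every signed assertion it carries (decrypting encrypted
 * assertions with the hosted SP's keys when no plaintext assertion is present).
 *
 * @param response the response to validate
 * @param authnQuery the query the response answers
 * @param authnAuthorityEntityID entity ID of the authentication authority
 * @param realm realm of the hosted entity that issued the query
 * @param aad metadata of the authentication authority, used for certificate lookup
 * @throws SAML2Exception if any check fails, or if an encrypted assertion cannot be decrypted
 */
private static void verifyResponse(Response response, AuthnQuery authnQuery, String authnAuthorityEntityID, String realm, AuthnAuthorityDescriptorElement aad) throws SAML2Exception {
    String authnQueryID = authnQuery.getID();
    if ((authnQueryID != null) && (!authnQueryID.equals(response.getInResponseTo()))) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidInResponseToAuthnQuery"));
    }

    Issuer respIssuer = response.getIssuer();
    if (respIssuer == null) {
        // NOTE(review): a response without an Issuer skips every check below, including the
        // signature checks. Kept because existing callers may depend on it — confirm this is intended.
        return;
    }
    if (!authnAuthorityEntityID.equals(respIssuer.getValue())) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("responseIssuerMismatch"));
    }
    if (!response.isSigned()) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("responseNotSigned"));
    }

    Set<X509Certificate> responseCerts = KeyUtil.getVerificationCerts(aad, authnAuthorityEntityID, SAML2Constants.AUTHN_AUTH_ROLE);
    if (responseCerts.isEmpty()) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
    }
    boolean valid = response.isSignatureValid(responseCerts);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("AuthnQueryUtil.verifyResponse: " + "Signature validity is : " + valid);
    }
    if (!valid) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignatureOnResponse"));
    }

    String spEntityID = authnQuery.getIssuer().getValue();
    List<Assertion> assertions = response.getAssertion();
    // An absent plaintext assertion list may be null or empty; both cases fall back to the
    // encrypted assertions (previously only null did, so an empty list let encrypted
    // assertions bypass the signature checks below). Decrypted assertions are collected in a
    // fresh list so the response's own list is never mutated.
    if (assertions == null || assertions.isEmpty()) {
        List<EncryptedAssertion> encAssertions = response.getEncryptedAssertion();
        if (encAssertions != null && !encAssertions.isEmpty()) {
            Set<PrivateKey> privateKeys = KeyUtil.getDecryptionKeys(realm, spEntityID, SAML2Constants.SP_ROLE);
            List<Assertion> decrypted = new ArrayList<>(encAssertions.size());
            for (EncryptedAssertion eAssertion : encAssertions) {
                decrypted.add(eAssertion.decrypt(privateKeys));
            }
            assertions = decrypted;
        }
    }
    if ((assertions == null) || (assertions.isEmpty())) {
        return;
    }

    // NOTE(review): assertion certificates are looked up under IDP_ROLE while the response
    // used AUTHN_AUTH_ROLE — confirm that is the intended key for this authority.
    Set<X509Certificate> assertionCerts = KeyUtil.getVerificationCerts(aad, authnAuthorityEntityID, SAML2Constants.IDP_ROLE);
    for (Assertion assertion : assertions) {
        if (!assertion.isSigned()) {
            // Unsigned assertions are accepted here; they are covered by the response signature verified above.
            continue;
        }
        if (assertionCerts.isEmpty()) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
        }
        valid = assertion.isSignatureValid(assertionCerts);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AuthnQueryUtil.verifyResponse: " + "Signature validity is : " + valid);
        }
        if (!valid) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignatureOnAssertion"));
        }
    }
}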
Use of com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement in project OpenAM by OpenRock.
Class AuthnQueryUtil, method sendAuthnQuerySOAP.
/**
 * Sends an {@code AuthnQuery} to an authentication authority over the SOAP binding
 * and returns the {@code Response}, after it has passed {@code verifyResponse}.
 *
 * @param authnQuery the query to send
 * @param authnServiceURL the authority's AuthnQueryService SOAP endpoint
 * @param authnAuthorityEntityID entity ID of the authentication authority
 * @param realm realm of the hosted entity
 * @param aad metadata of the authentication authority
 * @return the verified response
 * @throws SAML2Exception if the SOAP exchange fails or the response does not verify
 */
private static Response sendAuthnQuerySOAP(AuthnQuery authnQuery, String authnServiceURL, String authnAuthorityEntityID, String realm, AuthnAuthorityDescriptorElement aad) throws SAML2Exception {
    final String method = "AuthnQueryUtil.sendAuthnQuerySOAP: ";
    String queryXml = authnQuery.toXMLString(true, true);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(method + "authnQueryXMLString = " + queryXml);
        SAML2Utils.debug.message(method + "authnServiceURL= " + authnServiceURL);
    }

    // Basic-auth credentials from the authority's config (if any) are merged into the URL
    // only after the plain URL has been logged above.
    AuthnAuthorityConfigElement config = metaManager.getAuthnAuthorityConfig(realm, authnAuthorityEntityID);
    String targetURL = SAML2Utils.fillInBasicAuthInfo(config, authnServiceURL);

    SOAPMessage reply;
    try {
        reply = SOAPCommunicator.getInstance().sendSOAPMessage(queryXml, targetURL, true);
    } catch (SOAPException se) {
        SAML2Utils.debug.error(method, se);
        throw new SAML2Exception(SAML2Utils.bundle.getString("errorSendingAuthnQuery"));
    }

    Element responseElement = SOAPCommunicator.getInstance().getSamlpElement(reply, "Response");
    Response response = ProtocolFactory.getInstance().createResponse(responseElement);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(method + "response = " + response.toXMLString(true, true));
    }
    verifyResponse(response, authnQuery, authnAuthorityEntityID, realm, aad);
    return response;
}
Use of com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement in project OpenAM by OpenRock.
Class AuthnQueryUtil, method sendAuthnQuery.
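/**
 * This method sends the <code>AuthnQuery</code> to the specified
 * authentication authority and returns the <code>Response</code> coming
 * from the authentication authority. The query is signed before it is sent;
 * only the SOAP binding is supported.
 *
 * @param authnQuery the <code>AuthnQuery</code> object
 * @param authnAuthorityEntityID entity ID of authentication authority
 * @param realm the realm of hosted entity
 * @param binding the binding; must match one of the authority's
 *        AuthnQueryService bindings and be SOAP
 *
 * @return the <code>Response</code> object
 * @exception SAML2Exception if the authority is unknown, the binding is
 *            null or unsupported, or the exchange fails
 *
 * @supported.api
 */
public static Response sendAuthnQuery(AuthnQuery authnQuery, String authnAuthorityEntityID, String realm, String binding) throws SAML2Exception {
    SAML2MetaManager metaManager = SAML2Utils.getSAML2MetaManager();
    AuthnAuthorityDescriptorElement aad;
    try {
        aad = metaManager.getAuthnAuthorityDescriptor(realm, authnAuthorityEntityID);
    } catch (SAML2MetaException sme) {
        // Log prefix corrected: this method belongs to AuthnQueryUtil, not AttributeService.
        SAML2Utils.debug.error("AuthnQueryUtil.sendAuthnQuery:", sme);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    if (aad == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("authnAuthorityNotFound"));
    }
    if (binding == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }

    // Pick the first AuthnQueryService endpoint advertised for the requested binding.
    String location = null;
    for (Object svc : aad.getAuthnQueryService()) {
        AuthnQueryServiceElement service = (AuthnQueryServiceElement) svc;
        if (binding.equalsIgnoreCase(service.getBinding())) {
            location = service.getLocation();
            break;
        }
    }
    if (location == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    if (!binding.equalsIgnoreCase(SAML2Constants.SOAP)) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    signAuthnQuery(authnQuery, realm, false);
    return sendAuthnQuerySOAP(authnQuery, location, authnAuthorityEntityID, realm, aad);
}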
Use of com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement in project OpenAM by OpenRock.
Class AssertionIDRequestUtil, method getRoleDescriptorAndLocation.
/**
 * Looks up the role descriptor of a SAML authority and the AssertionIDRequestService
 * endpoint it advertises for the given binding.
 *
 * @param samlAuthorityEntityID entity ID of the SAML authority
 * @param role the authority's role: IDP, authentication authority or attribute authority
 * @param realm realm of the hosted entity
 * @param binding the requested binding
 * @param location output buffer; the matching endpoint URL is appended to it.
 *        The "no endpoint" check is {@code location.length() == 0}, so callers
 *        are expected to pass an empty buffer.
 * @return the descriptor for the requested role
 * @throws SAML2Exception if the role or binding is null or unsupported, the
 *         descriptor is missing, no AssertionIDRequestService is declared, or
 *         metadata cannot be read
 */
private static RoleDescriptorType getRoleDescriptorAndLocation(String samlAuthorityEntityID, String role, String realm, String binding, StringBuffer location) throws SAML2Exception {
    RoleDescriptorType descriptor = null;
    List services = null;
    try {
        if (role == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedRole"));
        }
        if (role.equals(SAML2Constants.IDP_ROLE)) {
            IDPSSODescriptorElement idp = metaManager.getIDPSSODescriptor(realm, samlAuthorityEntityID);
            if (idp == null) {
                throw new SAML2Exception(SAML2Utils.bundle.getString("idpNotFound"));
            }
            descriptor = idp;
            services = idp.getAssertionIDRequestService();
        } else if (role.equals(SAML2Constants.AUTHN_AUTH_ROLE)) {
            AuthnAuthorityDescriptorElement authnAuthority = metaManager.getAuthnAuthorityDescriptor(realm, samlAuthorityEntityID);
            if (authnAuthority == null) {
                throw new SAML2Exception(SAML2Utils.bundle.getString("authnAuthorityNotFound"));
            }
            descriptor = authnAuthority;
            services = authnAuthority.getAssertionIDRequestService();
        } else if (role.equals(SAML2Constants.ATTR_AUTH_ROLE)) {
            AttributeAuthorityDescriptorElement attrAuthority = metaManager.getAttributeAuthorityDescriptor(realm, samlAuthorityEntityID);
            if (attrAuthority == null) {
                throw new SAML2Exception(SAML2Utils.bundle.getString("attrAuthorityNotFound"));
            }
            descriptor = attrAuthority;
            services = attrAuthority.getAssertionIDRequestService();
        } else {
            throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedRole"));
        }
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error("AssertionIDRequest.getRoleDescriptorAndLocation:", sme);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }

    if (binding == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    if (services == null || services.isEmpty()) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("aIDReqServiceNotFound"));
    }

    // First endpoint whose binding matches wins.
    for (Object svc : services) {
        AssertionIDRequestServiceElement service = (AssertionIDRequestServiceElement) svc;
        if (binding.equalsIgnoreCase(service.getBinding())) {
            location.append(service.getLocation());
            break;
        }
    }
    if (location.length() == 0) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    return descriptor;
}