
Example 1 with EndpointType

use of com.sun.identity.saml2.jaxb.metadata.EndpointType in project OpenAM by OpenRock.

the class LogoutUtil method doLogout.

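/**
 * Builds a SAML2 {@code LogoutRequest} on behalf of the hosted entity identified by
 * {@code metaAlias} and sends it to the recipient's single logout endpoint, using whichever
 * binding that endpoint declares (HTTP-Redirect, SOAP or HTTP-POST).
 *
 * <p>The request is stored in {@code SPCache.logoutRequestIDHash} under its ID only when it
 * was actually dispatched, so that the matching response can be correlated later.
 *
 * @param metaAlias         meta alias of the hosted (requesting) entity
 * @param recipientEntityID entity ID of the remote party that receives the request
 * @param extensionsList    extension elements to add to the request, may be {@code null}
 * @param logoutEndpoint    the recipient's single logout service endpoint; required
 * @param relayState        RelayState to carry with the request, may be {@code null}
 * @param sessionIndex      session index to log out, may be {@code null}
 * @param nameID            NameID of the principal being logged out
 * @param request           current servlet request (handed on to the SOAP and POST senders)
 * @param response          current servlet response (used by all three senders)
 * @param paramsMap         request parameters; {@code DESTINATION} and {@code CONSENT} are read from it
 * @param config            entity configuration used to add basic-auth details to the SOAP location
 * @return the generated request ID, or an empty buffer if the endpoint binding is none of the
 *         three supported bindings
 * @throws SAML2Exception   if the endpoint is missing, no request ID can be generated, the
 *                          request object cannot be created, or the HTTP-Redirect send fails
 * @throws SessionException propagated from the binding-specific senders
 */
public static StringBuffer doLogout(String metaAlias, String recipientEntityID, List extensionsList, EndpointType logoutEndpoint, String relayState, String sessionIndex, NameID nameID, HttpServletRequest request, HttpServletResponse response, Map paramsMap, BaseConfigType config) throws SAML2Exception, SessionException {
    StringBuffer logoutRequestID = new StringBuffer();
    String classMethod = "LogoutUtil.doLogout: ";
    String requesterEntityID = metaManager.getEntityByMetaAlias(metaAlias);
    String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
    String hostEntityRole = SAML2Utils.getHostEntityRole(paramsMap);
    if (logoutEndpoint == null) {
        // No binding is known at this point, so name the recipient rather than a null binding.
        debug.error(classMethod + "Unable to find the single logout service of recipient " + recipientEntityID);
        throw new SAML2Exception(SAML2Utils.bundle.getString("sloServiceNotfound"));
    }
    String location = logoutEndpoint.getLocation();
    String binding = logoutEndpoint.getBinding();
    if (debug.messageEnabled()) {
        debug.message(classMethod + "Entering ..." + "\nrequesterEntityID=" + requesterEntityID + "\nrecipientEntityID=" + recipientEntityID + "\nbinding=" + binding + "\nrelayState=" + relayState + "\nsessionIndex=" + sessionIndex);
    }
    // generate unique request ID
    String requestID = SAML2Utils.generateID();
    if ((requestID == null) || (requestID.length() == 0)) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("cannotGenerateID"));
    }
    // retrieve data from the params map
    // destinationURI required if message is signed.
    String destinationURI = SAML2Utils.getParameter(paramsMap, SAML2Constants.DESTINATION);
    String consent = SAML2Utils.getParameter(paramsMap, SAML2Constants.CONSENT);
    Extensions extensions = createExtensions(extensionsList);
    Issuer issuer = SAML2Utils.createIssuer(requesterEntityID);
    // construct LogoutRequest
    LogoutRequest logoutReq;
    try {
        logoutReq = ProtocolFactory.getInstance().createLogoutRequest();
    } catch (Exception e) {
        debug.error(classMethod + "Unable to create LogoutRequest : ", e);
        throw new SAML2Exception(SAML2Utils.bundle.getString("errorCreatingLogoutRequest"));
    }
    // set required attributes / elements
    logoutReq.setID(requestID);
    logoutReq.setVersion(SAML2Constants.VERSION_2_0);
    logoutReq.setIssueInstant(new Date());
    setNameIDForSLORequest(logoutReq, nameID, realm, requesterEntityID, hostEntityRole, recipientEntityID);
    // set optional attributes / elements; Destination falls back to the endpoint location
    // when the caller did not supply one.
    if (destinationURI == null || destinationURI.isEmpty()) {
        logoutReq.setDestination(XMLUtils.escapeSpecialCharacters(location));
    } else {
        logoutReq.setDestination(XMLUtils.escapeSpecialCharacters(destinationURI));
    }
    logoutReq.setConsent(consent);
    logoutReq.setIssuer(issuer);
    if (SAML2Constants.IDP_ROLE.equals(hostEntityRole)) {
        // An IDP-issued request carries NotOnOrAfter = now + assertion effective time (seconds).
        int effectiveTime = resolveAssertionEffectiveTime(classMethod, realm, requesterEntityID);
        Date notOnOrAfter = new Date();
        // Multiply as long: the int product overflows for effective times above ~24 days.
        notOnOrAfter.setTime(notOnOrAfter.getTime() + effectiveTime * 1000L);
        logoutReq.setNotOnOrAfter(notOnOrAfter);
    }
    if (extensions != null) {
        logoutReq.setExtensions(extensions);
    }
    if (sessionIndex != null) {
        List list = new ArrayList();
        list.add(sessionIndex);
        logoutReq.setSessionIndex(list);
    }
    if (debug.messageEnabled()) {
        debug.message(classMethod + "Recipient's single logout service location = " + location);
        debug.message(classMethod + "SLO Request before signing : ");
        debug.message(logoutReq.toXMLString(true, true));
    }
    // Dispatch on the binding declared by the endpoint. Constant-first equals() keeps a
    // metadata entry without a binding attribute from throwing NullPointerException.
    if (SAML2Constants.HTTP_REDIRECT.equals(binding)) {
        try {
            doSLOByHttpRedirect(logoutReq.toXMLString(true, true), location, relayState, realm, requesterEntityID, hostEntityRole, recipientEntityID, response);
            logoutRequestID.append(requestID);
            String[] data = { location };
            LogUtil.access(Level.INFO, LogUtil.REDIRECT_TO_IDP, data, null);
        } catch (Exception e) {
            debug.error("Exception :", e);
            throw new SAML2Exception(SAML2Utils.bundle.getString("errorRedirectingLogoutRequest"));
        }
    } else if (SAML2Constants.SOAP.equals(binding)) {
        logoutRequestID.append(requestID);
        signSLORequest(logoutReq, realm, requesterEntityID, hostEntityRole, recipientEntityID);
        logSignedSLORequest(classMethod, logoutReq);
        // Basic-auth credentials, if configured for the entity, are folded into the SOAP URL.
        location = SAML2Utils.fillInBasicAuthInfo(config, location);
        doSLOBySOAP(requestID, logoutReq, location, realm, requesterEntityID, hostEntityRole, request, response);
    } else if (SAML2Constants.HTTP_POST.equals(binding)) {
        logoutRequestID.append(requestID);
        signSLORequest(logoutReq, realm, requesterEntityID, hostEntityRole, recipientEntityID);
        logSignedSLORequest(classMethod, logoutReq);
        doSLOByPOST(requestID, logoutReq.toXMLString(true, true), location, relayState, realm, requesterEntityID, hostEntityRole, response, request);
    } else {
        debug.error(classMethod + "Unsupported single logout binding: " + binding);
    }
    // Track only requests that were actually sent; previously an unsupported binding left
    // the request cached under the empty string, which every such call would then share.
    if (logoutRequestID.length() > 0) {
        SPCache.logoutRequestIDHash.put(logoutRequestID.toString(), logoutReq);
    }
    return logoutRequestID;
}

/**
 * Reads the assertion effective time (in seconds) from the IDP SSO configuration of
 * {@code requesterEntityID}, falling back to {@code SAML2Constants.ASSERTION_EFFECTIVE_TIME}
 * when the attribute is absent or not a valid integer.
 *
 * @param classMethod        log prefix of the calling method
 * @param realm              realm of the hosted IDP
 * @param requesterEntityID  entity ID of the hosted IDP
 * @return the effective time in seconds
 * @throws SAML2Exception if the SSO configuration cannot be read
 */
private static int resolveAssertionEffectiveTime(String classMethod, String realm, String requesterEntityID) throws SAML2Exception {
    String effectiveTimeStr = SAML2Utils.getAttributeValueFromSSOConfig(realm, requesterEntityID, SAML2Constants.IDP_ROLE, SAML2Constants.ASSERTION_EFFECTIVE_TIME_ATTRIBUTE);
    if (effectiveTimeStr == null) {
        return SAML2Constants.ASSERTION_EFFECTIVE_TIME;
    }
    try {
        int effectiveTime = Integer.parseInt(effectiveTimeStr);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "got effective time from config:" + effectiveTime);
        }
        return effectiveTime;
    } catch (NumberFormatException nfe) {
        // A malformed value is logged and replaced by the default rather than failing the logout.
        SAML2Utils.debug.error(classMethod + "Failed to get assertion effective time from " + "IDP SSO config: ", nfe);
        return SAML2Constants.ASSERTION_EFFECTIVE_TIME;
    }
}

/**
 * Writes the signed request XML to the debug log when message-level logging is enabled.
 *
 * @param classMethod log prefix of the calling method
 * @param logoutReq   the signed request
 * @throws SAML2Exception if the request cannot be serialized
 */
private static void logSignedSLORequest(String classMethod, LogoutRequest logoutReq) throws SAML2Exception {
    if (debug.messageEnabled()) {
        debug.message(classMethod + "SLO Request after signing : ");
        debug.message(logoutReq.toXMLString(true, true));
    }
}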
Also used : Issuer(com.sun.identity.saml2.assertion.Issuer) ArrayList(java.util.ArrayList) Extensions(com.sun.identity.saml2.protocol.Extensions) SOAPException(javax.xml.soap.SOAPException) SessionException(com.sun.identity.plugin.session.SessionException) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) IOException(java.io.IOException) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) Date(java.util.Date) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) LogoutRequest(com.sun.identity.saml2.protocol.LogoutRequest) List(java.util.List) ArrayList(java.util.ArrayList)

Example 2 with EndpointType

use of com.sun.identity.saml2.jaxb.metadata.EndpointType in project OpenAM by OpenRock.

the class SAML2PostAuthenticationPlugin method setupSingleLogOut.

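/**
 * Prepares an SP-initiated single logout towards the IDP for the session just created,
 * using the HTTP-Redirect binding only: the LogoutRequest is built, stored under its ID (in
 * the SAML2 failover store or the local {@code SAML2Store}) and the redirect URL plus the
 * endpoint location are saved on the session for later use.
 *
 * <p>Any condition that prevents SLO (missing IDP metadata, no HTTP-Redirect SLO endpoint, or
 * a failed token-store write) is logged as a warning and the method returns without throwing.
 *
 * @param ssoToken     the authenticated session; read for RelayState, updated with the SLO properties
 * @param metaAlias    meta alias of the hosted SP
 * @param sessionIndex session index of the IDP session
 * @param spEntityId   entity ID of the hosted SP
 * @param idpEntityId  entity ID of the remote IDP
 * @param nameId       NameID of the authenticated principal
 * @throws SSOException     if a session property cannot be read or written
 * @throws SAML2Exception   if the metadata lookup or request construction fails
 * @throws SessionException propagated from the request construction
 */
private void setupSingleLogOut(SSOToken ssoToken, String metaAlias, String sessionIndex, String spEntityId, String idpEntityId, NameID nameId) throws SSOException, SAML2Exception, SessionException {
    final SAML2MetaManager sm = new SAML2MetaManager();
    final String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
    final String relayState = ssoToken.getProperty(SAML2Constants.RELAY_STATE);
    final String binding = SAML2Constants.HTTP_REDIRECT;
    final IDPSSODescriptorElement idpsso = sm.getIDPSSODescriptor(realm, idpEntityId);
    if (idpsso == null) {
        // Without IDP metadata there is no SLO endpoint to talk to; abort like the other cases.
        DEBUG.warning("No IDP SSO descriptor found for " + idpEntityId + " in realm " + realm + ". Aborting SLO attempt.");
        return;
    }
    EndpointType logoutEndpoint = null;
    for (EndpointType endpoint : idpsso.getSingleLogoutService()) {
        if (binding.equals(endpoint.getBinding())) {
            logoutEndpoint = endpoint;
            break;
        }
    }
    if (logoutEndpoint == null) {
        DEBUG.warning("Unable to determine SLO endpoint. Aborting SLO attempt. Please note this PAP " + "only supports HTTP-Redirect as a valid binding.");
        return;
    }
    final LogoutRequest logoutReq = createLogoutRequest(metaAlias, realm, idpEntityId, logoutEndpoint, nameId, sessionIndex);
    // Expiry of the stored request as an absolute epoch time in seconds: now + SPCache.interval.
    final long sessionExpireTime = System.currentTimeMillis() / 1000 + SPCache.interval;
    final String sloRequestXMLString = logoutReq.toXMLString(true, true);
    final String redirect = getRedirectURL(sloRequestXMLString, relayState, realm, idpEntityId, logoutEndpoint.getLocation(), spEntityId);
    if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
        try {
            SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(logoutReq.getID(), logoutReq, sessionExpireTime);
        } catch (SAML2TokenRepositoryException e) {
            // Keep the cause in the log; a silent abort here is otherwise impossible to diagnose.
            DEBUG.warning("Unable to set SLO redirect location. Aborting SLO attempt.", e);
            return;
        }
    } else {
        SAML2Store.saveTokenWithKey(logoutReq.getID(), logoutReq);
    }
    ssoToken.setProperty(SLO_SESSION_LOCATION, logoutEndpoint.getLocation());
    ssoToken.setProperty(SLO_SESSION_REFERENCE, redirect);
}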
Also used : EndpointType(com.sun.identity.saml2.jaxb.metadata.EndpointType) LogoutRequest(com.sun.identity.saml2.protocol.LogoutRequest) SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException) SAML2MetaManager(com.sun.identity.saml2.meta.SAML2MetaManager) IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)

Example 3 with EndpointType

use of com.sun.identity.saml2.jaxb.metadata.EndpointType in project OpenAM by OpenRock.

the class IDPSessionListener method initiateIDPSingleLogout.

/**
 * Initiates an IDP-initiated single logout against the remote SP identified by
 * {@code spEntityID}, after checking that the SP publishes a SOAP single logout endpoint.
 *
 * <p>NOTE(review): only the existence of the SOAP endpoint is checked here; the binding
 * actually forwarded to {@code LogoutUtil.doLogout} is the {@code binding} parameter.
 * Confirm that callers pass the SOAP binding.
 *
 * @param sessionIndex session index of the IDP session being terminated
 * @param metaAlias    meta alias of the hosted IDP
 * @param realm        realm of the hosted IDP
 * @param binding      binding handed on to the logout utility
 * @param nameID       NameID of the principal being logged out
 * @param spEntityID   entity ID of the remote SP
 * @param paramsMap    parameters map handed on to the logout utility
 * @throws SAML2MetaException if the SP metadata cannot be retrieved
 * @throws SAML2Exception     if the SP has no metadata, or initiating SLO fails
 * @throws SessionException   if there was a problem with the session
 */
private void initiateIDPSingleLogout(String sessionIndex, String metaAlias, String realm, String binding, NameID nameID, String spEntityID, Map paramsMap) throws SAML2MetaException, SAML2Exception, SessionException {
    final SPSSODescriptorElement spDescriptor = sm.getSPSSODescriptor(realm, spEntityID);
    if (spDescriptor == null) {
        LogUtil.error(Level.INFO, LogUtil.SP_METADATA_ERROR, new String[] { spEntityID }, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    final List<EndpointType> sloEndpoints = spDescriptor.getSingleLogoutService();
    final String soapLocation = LogoutUtil.getSLOServiceLocation(sloEndpoints, SAML2Constants.SOAP);
    if (soapLocation == null) {
        // Without a SOAP SLO endpoint the SP session cannot be synchronized; nothing to do.
        if (debug.messageEnabled()) {
            debug.message("IDPSessionListener.initiateIDPSingleLogout(): Unable to synchronize sessions with SP \"" + spEntityID + "\" since the SP does not have SOAP SLO endpoint specified in its metadata");
        }
        return;
    }
    final SPSSOConfigElement spConfig = sm.getSPSSOConfig(realm, spEntityID);
    LogoutUtil.doLogout(metaAlias, spEntityID, sloEndpoints, null, binding, null, sessionIndex, nameID, null, null, paramsMap, spConfig);
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) EndpointType(com.sun.identity.saml2.jaxb.metadata.EndpointType) SPSSOConfigElement(com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement)

Example 4 with EndpointType

use of com.sun.identity.saml2.jaxb.metadata.EndpointType in project OpenAM by OpenRock.

the class SAML2Utils method isIDPProfileBindingSupported.

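/**
 * Checks whether an IDP advertises a given binding for a given profile/service in its
 * metadata.
 *
 * @param realm       Realm the IDP is in.
 * @param idpEntityID IDP entity id.
 * @param profile     name of the profile/service
 * @param binding     binding to be checked on
 * @return {@code true} if the binding is supported; {@code false} otherwise, including when
 *         any argument is {@code null}, the IDP has no metadata in the realm, the profile is
 *         unknown, or the metadata cannot be loaded.
 */
public static boolean isIDPProfileBindingSupported(String realm, String idpEntityID, String profile, String binding) {
    if ((saml2MetaManager == null) || (realm == null) || (idpEntityID == null) || (profile == null) || (binding == null)) {
        return false;
    }
    try {
        IDPSSODescriptorElement idpDescriptor = saml2MetaManager.getIDPSSODescriptor(realm, idpEntityID);
        if (idpDescriptor == null) {
            // No IDP SSO descriptor for this entity in this realm: nothing can be supported.
            return false;
        }
        List<?> services = null;
        if (SAML2Constants.SSO_SERVICE.equals(profile)) {
            services = idpDescriptor.getSingleSignOnService();
        } else if (SAML2Constants.NAMEID_MAPPING_SERVICE.equals(profile)) {
            services = idpDescriptor.getNameIDMappingService();
        } else if (SAML2Constants.ASSERTION_ID_REQUEST_SERVICE.equals(profile)) {
            // NOTE(review): getAuthnAuthorityDescriptor() is not null-checked here; a missing
            // AuthnAuthority descriptor would surface as NullPointerException — confirm its contract.
            services = saml2MetaManager.getAuthnAuthorityDescriptor(realm, idpEntityID).getAssertionIDRequestService();
        } else if (SAML2Constants.ARTIFACT_RESOLUTION_SERVICE.equals(profile)) {
            services = idpDescriptor.getArtifactResolutionService();
        } else if (SAML2Constants.SLO_SERVICE.equals(profile)) {
            services = idpDescriptor.getSingleLogoutService();
        } else if (SAML2Constants.MNI_SERVICE.equals(profile)) {
            services = idpDescriptor.getManageNameIDService();
        }
        if (services != null) {
            for (Object service : services) {
                if (binding.equals(((EndpointType) service).getBinding())) {
                    return true;
                }
            }
        }
    } catch (SAML2MetaException me) {
        debug.error("SAML2Utils.isIDPProfileBindingSupported:", me);
    }
    return false;
}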
Also used : Iterator(java.util.Iterator) EndpointType(com.sun.identity.saml2.jaxb.metadata.EndpointType) ArrayList(java.util.ArrayList) List(java.util.List) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)

Example 5 with EndpointType

use of com.sun.identity.saml2.jaxb.metadata.EndpointType in project OpenAM by OpenRock.

the class SAML2Utils method isSPProfileBindingSupported.

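/**
 * Checks whether an SP advertises a given binding for a given profile/service in its
 * metadata.
 *
 * @param realm      Realm the SP is in.
 * @param spEntityID SP entity id.
 * @param profile    name of the profile/service
 * @param binding    binding to be checked on
 * @return {@code true} if the binding is supported; {@code false} otherwise, including when
 *         any argument is {@code null}, the SP has no metadata in the realm, the profile is
 *         unknown, or the metadata cannot be loaded.
 */
public static boolean isSPProfileBindingSupported(String realm, String spEntityID, String profile, String binding) {
    if ((saml2MetaManager == null) || (realm == null) || (spEntityID == null) || (profile == null) || (binding == null)) {
        return false;
    }
    try {
        SPSSODescriptorElement spDescriptor = saml2MetaManager.getSPSSODescriptor(realm, spEntityID);
        if (spDescriptor == null) {
            // No SP SSO descriptor for this entity in this realm: nothing can be supported.
            return false;
        }
        List<?> services = null;
        if (SAML2Constants.ACS_SERVICE.equals(profile)) {
            services = spDescriptor.getAssertionConsumerService();
        } else if (SAML2Constants.SLO_SERVICE.equals(profile)) {
            services = spDescriptor.getSingleLogoutService();
        } else if (SAML2Constants.MNI_SERVICE.equals(profile)) {
            services = spDescriptor.getManageNameIDService();
        }
        if (services != null) {
            for (Object service : services) {
                if (binding.equals(((EndpointType) service).getBinding())) {
                    return true;
                }
            }
        }
    } catch (SAML2MetaException me) {
        debug.error("SAML2Utils.isSPProfileBindingSupported:", me);
    }
    return false;
}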
Also used : SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) Iterator(java.util.Iterator) EndpointType(com.sun.identity.saml2.jaxb.metadata.EndpointType) ArrayList(java.util.ArrayList) List(java.util.List) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
