Example 16 with IDPSSODescriptorElement
use of com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement in project OpenAM by OpenRock.
the class TaskModelImpl method getConfigureSalesForceAppsURLs.
public Map getConfigureSalesForceAppsURLs(String realm, String entityId, String attrMapping) throws AMConsoleException {
Map map = new HashMap();
String attributeNames = getAttributeNames(attrMapping);
IDPSSODescriptorElement idpssoDescriptor = null;
try {
SAML2MetaManager samlManager = new SAML2MetaManager();
idpssoDescriptor = samlManager.getIDPSSODescriptor(realm, entityId);
String signinPageURL = null;
// get pubkey
Map extValueMap = new HashMap();
IDPSSOConfigElement idpssoConfig = samlManager.getIDPSSOConfig(realm, entityId);
if (idpssoConfig != null) {
BaseConfigType baseConfig = (BaseConfigType) idpssoConfig;
extValueMap = SAML2MetaUtils.getAttributes(baseConfig);
}
List aList = (List) extValueMap.get("signingCertAlias");
String signingCertAlias = null;
if (aList != null) {
signingCertAlias = (String) aList.get(0);
}
String publickey = SAML2MetaSecurityUtils.buildX509Certificate(signingCertAlias);
String str = "-----BEGIN CERTIFICATE-----\n" + publickey + "\n-----END CERTIFICATE-----\n";
map.put("PubKey", returnEmptySetIfValueIsNull(str));
map.put("IssuerID", returnEmptySetIfValueIsNull(entityId));
map.put("AttributeName", returnEmptySetIfValueIsNull(attributeNames));
} catch (SAML2MetaException ex) {
throw new AMConsoleException(ex.getMessage());
}
return map;
}
Also used :
BaseConfigType(com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType)
HashMap(java.util.HashMap)
IDPSSOConfigElement(com.sun.identity.saml2.jaxb.entityconfig.IDPSSOConfigElement)
List(java.util.List)
SAML2MetaManager(com.sun.identity.saml2.meta.SAML2MetaManager)
AMConsoleException(com.sun.identity.console.base.model.AMConsoleException)
HashMap(java.util.HashMap)
Map(java.util.Map)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)
Example 17 with IDPSSODescriptorElement
use of com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement in project OpenAM by OpenRock.
the class IDPSingleLogout method processLogoutResponse.
/**
* Gets and processes the Single <code>LogoutResponse</code> from SP,
* destroys the local session, checks response's issuer
* and inResponseTo.
*
* @param request the HttpServletRequest.
* @param response the HttpServletResponse.
* @param samlResponse <code>LogoutResponse</code> in the
* XML string format.
* @param relayState the target URL on successful
* <code>LogoutResponse</code>.
* @return true if jsp has sendRedirect for relayState, false otherwise
* @throws SAML2Exception if error processing
* <code>LogoutResponse</code>.
* @throws SessionException if error processing
* <code>LogoutResponse</code>.
*/
public static boolean processLogoutResponse(HttpServletRequest request, HttpServletResponse response, String samlResponse, String relayState) throws SAML2Exception, SessionException {
String method = "processLogoutResponse : ";
if (debug.messageEnabled()) {
debug.message(method + "samlResponse : " + samlResponse);
debug.message(method + "relayState : " + relayState);
}
String rmethod = request.getMethod();
String binding = SAML2Constants.HTTP_REDIRECT;
if (rmethod.equals("POST")) {
binding = SAML2Constants.HTTP_POST;
}
String metaAlias = SAML2MetaUtils.getMetaAliasByUri(request.getRequestURI());
String realm = SAML2Utils.getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
String idpEntityID = sm.getEntityByMetaAlias(metaAlias);
if (!SAML2Utils.isIDPProfileBindingSupported(realm, idpEntityID, SAML2Constants.SLO_SERVICE, binding)) {
debug.error("SLO service binding " + binding + " is not supported:" + idpEntityID);
throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
}
LogoutResponse logoutRes = null;
if (rmethod.equals("POST")) {
logoutRes = LogoutUtil.getLogoutResponseFromPost(samlResponse, response);
} else if (rmethod.equals("GET")) {
String decodedStr = SAML2Utils.decodeFromRedirect(samlResponse);
if (decodedStr == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse"));
}
logoutRes = ProtocolFactory.getInstance().createLogoutResponse(decodedStr);
}
if (logoutRes == null) {
if (debug.messageEnabled()) {
debug.message("IDPSingleLogout:processLogoutResponse: logoutRes " + "is null");
}
return false;
}
String spEntityID = logoutRes.getIssuer().getValue();
Issuer resIssuer = logoutRes.getIssuer();
String requestId = logoutRes.getInResponseTo();
SAML2Utils.verifyResponseIssuer(realm, idpEntityID, resIssuer, requestId);
boolean needToVerify = SAML2Utils.getWantLogoutResponseSigned(realm, idpEntityID, SAML2Constants.IDP_ROLE);
if (debug.messageEnabled()) {
debug.message(method + "metaAlias : " + metaAlias);
debug.message(method + "realm : " + realm);
debug.message(method + "idpEntityID : " + idpEntityID);
debug.message(method + "spEntityID : " + spEntityID);
}
if (needToVerify) {
boolean valid = false;
if (rmethod.equals("POST")) {
valid = LogoutUtil.verifySLOResponse(logoutRes, realm, spEntityID, idpEntityID, SAML2Constants.IDP_ROLE);
} else {
String queryString = request.getQueryString();
valid = SAML2Utils.verifyQueryString(queryString, realm, SAML2Constants.IDP_ROLE, spEntityID);
}
if (!valid) {
debug.error("Invalid signature in SLO Response.");
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignInResponse"));
}
IDPSSODescriptorElement idpsso = sm.getIDPSSODescriptor(realm, idpEntityID);
String loc = null;
if (idpsso != null) {
List sloList = idpsso.getSingleLogoutService();
if (sloList != null && !sloList.isEmpty()) {
loc = LogoutUtil.getSLOResponseServiceLocation(sloList, binding);
if (loc == null || (loc.length() == 0)) {
loc = LogoutUtil.getSLOServiceLocation(sloList, binding);
}
}
}
if (!SAML2Utils.verifyDestination(logoutRes.getDestination(), loc)) {
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidDestination"));
}
}
boolean doRelayState = processLogoutResponse(request, response, logoutRes, relayState, metaAlias, idpEntityID, spEntityID, realm, binding);
// IDPProxy
Map logoutResponseMap = (Map) IDPCache.logoutResponseCache.get(requestId);
if ((logoutResponseMap != null) && (!logoutResponseMap.isEmpty())) {
LogoutResponse logoutResp = (LogoutResponse) logoutResponseMap.get("LogoutResponse");
String location = (String) logoutResponseMap.get("Location");
String spEntity = (String) logoutResponseMap.get("spEntityID");
String idpEntity = (String) logoutResponseMap.get("idpEntityID");
if (logoutResp != null && location != null && spEntity != null && idpEntity != null) {
LogoutUtil.sendSLOResponse(response, request, logoutResp, location, relayState, "/", spEntity, SAML2Constants.SP_ROLE, idpEntity, binding);
return true;
}
}
return doRelayState;
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
LogoutResponse(com.sun.identity.saml2.protocol.LogoutResponse)
Issuer(com.sun.identity.saml2.assertion.Issuer)
List(java.util.List)
HashMap(java.util.HashMap)
Map(java.util.Map)
IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)
Example 18 with IDPSSODescriptorElement
use of com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement in project OpenAM by OpenRock.
the class IDPSSOUtil method getSubject.
/**
* Returns a <code>SAML Subject</code> object
*
* @param session the user's session
* @param authnReq the <code>AuthnRequest</code> object
* @param acsURL the <code>ACS</code> service <code>url</code>
* @param nameIDFormat the <code>NameIDFormat</code>
* @param realm The realm name
* @param idpEntityID the entity id of the identity provider
* @param recipientEntityID the entity id of the response recipient
* @param effectiveTime the effective time of the assertion
* @param affiliationID affiliationID for IDP initiated SSO
* @return the <code>SAML Subject</code> object
* @throws SAML2Exception if the operation is not successful
*/
private static Subject getSubject(Object session, AuthnRequest authnReq, String acsURL, String nameIDFormat, String realm, String idpEntityID, String recipientEntityID, int effectiveTime, String affiliationID) throws SAML2Exception {
String classMethod = "IDPSSOUtil.getSubject: ";
Subject subject = AssertionFactory.getInstance().createSubject();
boolean ignoreProfile = false;
String userName = null;
try {
userName = sessionProvider.getPrincipalName(session);
ignoreProfile = SAML2Utils.isIgnoreProfileSet(session);
} catch (SessionException se) {
SAML2Utils.debug.error(classMethod + "There was a problem with the session.", se);
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
}
// allow create is the default
boolean allowCreate = true;
String remoteEntityID = null;
String spNameQualifier = null;
boolean isAffiliation = false;
if (authnReq != null) {
remoteEntityID = authnReq.getIssuer().getValue();
NameIDPolicy nameIDPolicy = authnReq.getNameIDPolicy();
if (nameIDPolicy != null) {
// this will take care of affiliation
allowCreate = nameIDPolicy.isAllowCreate();
spNameQualifier = nameIDPolicy.getSPNameQualifier();
if (spNameQualifier != null && !spNameQualifier.isEmpty()) {
AffiliationDescriptorType affiDesc = metaManager.getAffiliationDescriptor(realm, spNameQualifier);
if (affiDesc != null) {
if (affiDesc.getAffiliateMember().contains(remoteEntityID)) {
isAffiliation = true;
remoteEntityID = spNameQualifier;
} else {
throw new SAML2Exception(SAML2Utils.bundle.getString("spNotAffiliationMember"));
}
}
} else {
spNameQualifier = recipientEntityID;
}
}
} else {
// IDP initialted SSO
if (affiliationID != null) {
AffiliationDescriptorType affiDesc = metaManager.getAffiliationDescriptor(realm, affiliationID);
if (affiDesc == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("affiliationNotFound"));
}
if (affiDesc.getAffiliateMember().contains(recipientEntityID)) {
isAffiliation = true;
remoteEntityID = affiliationID;
spNameQualifier = affiliationID;
} else {
throw new SAML2Exception(SAML2Utils.bundle.getString("spNotAffiliationMember"));
}
} else {
remoteEntityID = recipientEntityID;
spNameQualifier = recipientEntityID;
}
}
SPSSODescriptorElement spsso = getSPSSODescriptor(realm, recipientEntityID, classMethod);
if (spsso == null) {
String[] data = { recipientEntityID };
LogUtil.error(Level.INFO, LogUtil.SP_METADATA_ERROR, data, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
IDPSSODescriptorElement idpsso = metaManager.getIDPSSODescriptor(realm, idpEntityID);
if (idpsso == null) {
String[] data = { idpEntityID };
LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
nameIDFormat = SAML2Utils.verifyNameIDFormat(nameIDFormat, spsso, idpsso);
boolean isTransient = SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(nameIDFormat);
boolean isPersistent = SAML2Constants.PERSISTENT.equals(nameIDFormat);
NameIDInfo nameIDInfo;
NameID nameID = null;
IDPAccountMapper idpAccountMapper = SAML2Utils.getIDPAccountMapper(realm, idpEntityID);
//Use-cases for NameID persistence:
//* persistent NameID -> The NameID MUST be stored
//* transient NameID -> The NameID MUST NOT be stored
//* ignored user profile mode -> The NameID CANNOT be stored
//* for any other cases -> The NameID MAY be stored based on customizable logic
boolean shouldPersistNameID = isPersistent || (!isTransient && !ignoreProfile && idpAccountMapper.shouldPersistNameIDFormat(realm, idpEntityID, remoteEntityID, nameIDFormat));
if (!isTransient) {
String userID;
try {
userID = sessionProvider.getPrincipalName(session);
} catch (SessionException se) {
SAML2Utils.debug.error(classMethod + "Unable to get principal name from the session.", se);
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
}
if (isPersistent || shouldPersistNameID) {
nameIDInfo = AccountUtils.getAccountFederation(userID, idpEntityID, remoteEntityID);
if (nameIDInfo != null) {
nameID = nameIDInfo.getNameID();
if (!nameIDFormat.equals(nameID.getFormat())) {
AccountUtils.removeAccountFederation(nameIDInfo, userID);
DoManageNameID.removeIDPFedSession(remoteEntityID, nameID.getValue());
nameID = null;
}
}
}
}
if (nameID == null) {
if (!allowCreate && isPersistent) {
throw new SAML2InvalidNameIDPolicyException(SAML2Utils.bundle.getString("cannotCreateNameID"));
}
nameID = idpAccountMapper.getNameID(session, idpEntityID, spNameQualifier, realm, nameIDFormat);
SAML2Utils.debug.message(classMethod + " shouldPersistNameID = " + shouldPersistNameID);
if (shouldPersistNameID && allowCreate) {
// write federation info into the persistent datastore
if (SAML2Utils.isDualRole(idpEntityID, realm)) {
nameIDInfo = new NameIDInfo(idpEntityID, remoteEntityID, nameID, SAML2Constants.DUAL_ROLE, false);
} else {
nameIDInfo = new NameIDInfo(idpEntityID, remoteEntityID, nameID, SAML2Constants.IDP_ROLE, isAffiliation);
}
AccountUtils.setAccountFederation(nameIDInfo, userName);
}
}
subject.setNameID(nameID);
if (isTransient) {
IDPCache.userIDByTransientNameIDValue.put(nameID.getValue(), userName);
}
String inResponseTo = null;
if (authnReq != null) {
inResponseTo = authnReq.getID();
}
SubjectConfirmation sc = getSubjectConfirmation(inResponseTo, acsURL, effectiveTime);
if (sc == null) {
SAML2Utils.debug.error(classMethod + "Unable to get subject confirmation");
throw new SAML2Exception(SAML2Utils.bundle.getString("noSubjectConfirmation"));
}
List list = new ArrayList();
list.add(sc);
subject.setSubjectConfirmation(list);
return subject;
}
Also used :
NameIDInfo(com.sun.identity.saml2.common.NameIDInfo)
IDPAccountMapper(com.sun.identity.saml2.plugins.IDPAccountMapper)
NameIDPolicy(com.sun.identity.saml2.protocol.NameIDPolicy)
NameID(com.sun.identity.saml2.assertion.NameID)
SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)
ArrayList(java.util.ArrayList)
SessionException(com.sun.identity.plugin.session.SessionException)
AffiliationDescriptorType(com.sun.identity.saml2.jaxb.metadata.AffiliationDescriptorType)
Subject(com.sun.identity.saml2.assertion.Subject)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
SubjectConfirmation(com.sun.identity.saml2.assertion.SubjectConfirmation)
List(java.util.List)
ArrayList(java.util.ArrayList)
SAML2InvalidNameIDPolicyException(com.sun.identity.saml2.common.SAML2InvalidNameIDPolicyException)
IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)
Example 19 with IDPSSODescriptorElement
use of com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement in project OpenAM by OpenRock.
the class IDPSSOUtil method sendResponseArtifact.
/**
* This method opens a URL connection to the target specified and
* sends artifact response to it using the
* <code>HttpServletResponse</code> object.
*
* @param response the <code>HttpServletResponse</code> object
* @param idpEntityID the entity id of the identity provider
* @param realm the realm name of the identity provider
* @param acsURL the assertion consumer service <code>URL</code>
* @param relayState the value of the <code>RelayState</code>
* @param res the <code>SAML Response</code> object
* @param session user session
* @param props property map including nameIDString for logging
* @throws SAML2Exception if the operation is not successful
*/
public static void sendResponseArtifact(HttpServletRequest request, HttpServletResponse response, String idpEntityID, String spEntityID, String realm, String acsURL, String relayState, Response res, Object session, Map props) throws SAML2Exception {
String classMethod = "IDPSSOUtil.sendResponseArtifact: ";
IDPSSODescriptorElement idpSSODescriptorElement = null;
try {
idpSSODescriptorElement = metaManager.getIDPSSODescriptor(realm, idpEntityID);
if (idpSSODescriptorElement == null) {
SAML2Utils.debug.error(classMethod + "Unable to get IDP SSO Descriptor from meta.");
String[] data = { idpEntityID };
LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, session, props);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
} catch (SAML2MetaException sme) {
SAML2Utils.debug.error(classMethod + "Unable to get IDP SSO Descriptor from meta.");
String[] data = { idpEntityID };
LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, session, props);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
ArtifactResolutionServiceElement ars = (ArtifactResolutionServiceElement) idpSSODescriptorElement.getArtifactResolutionService().get(0);
if (ars == null) {
SAML2Utils.debug.error(classMethod + "Unable to get ArtifactResolutionServiceElement from meta.");
String[] data = { idpEntityID };
LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, session, props);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
Artifact art = null;
try {
art = ProtocolFactory.getInstance().createArtifact(null, ars.getIndex(), SAML2Utils.generateSourceID(idpEntityID), SAML2Utils.generateMessageHandleWithServerID());
} catch (SAML2Exception se) {
SAML2Utils.debug.error(classMethod + "Unable to create artifact: ", se);
String[] data = { idpEntityID };
LogUtil.error(Level.INFO, LogUtil.CANNOT_CREATE_ARTIFACT, data, session, props);
SAMLUtils.sendError(request, response, response.SC_INTERNAL_SERVER_ERROR, "errorCreateArtifact", SAML2Utils.bundle.getString("errorCreateArtifact"));
return;
}
String artStr = art.getArtifactValue();
try {
IDPCache.responsesByArtifacts.put(artStr, res);
if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
try {
long expireTime = getValidTimeofResponse(realm, idpEntityID, res) / 1000;
SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(artStr, res.toXMLString(true, true), expireTime);
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "Saved Response to SAML2 Token Repository using key " + artStr);
}
} catch (SAML2TokenRepositoryException se) {
SAML2Utils.debug.error(classMethod + "Unable to save Response to the SAML2 Token Repository", se);
}
}
String messageEncoding = SAML2Utils.getAttributeValueFromSSOConfig(realm, spEntityID, SAML2Constants.SP_ROLE, SAML2Constants.RESPONSE_ARTIFACT_MESSAGE_ENCODING);
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "messageEncoding = " + messageEncoding);
SAML2Utils.debug.message(classMethod + "artStr = " + artStr);
}
if ((messageEncoding != null) && (messageEncoding.equals(SAML2Constants.FORM_ENCODING))) {
String[] logdata = { idpEntityID, realm, acsURL };
LogUtil.access(Level.INFO, LogUtil.SEND_ARTIFACT, logdata, session, props);
SAML2Utils.postToTarget(request, response, SAML2Constants.SAML_ART, artStr, "RelayState", relayState, acsURL);
} else {
String redirectURL = acsURL + (acsURL.contains("?") ? "&" : "?") + "SAMLart=" + URLEncDec.encode(artStr);
if ((relayState != null) && (relayState.trim().length() != 0)) {
redirectURL += "&RelayState=" + URLEncDec.encode(relayState);
}
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "Redirect URL = " + redirectURL);
}
String[] logdata = { idpEntityID, realm, redirectURL };
LogUtil.access(Level.INFO, LogUtil.SEND_ARTIFACT, logdata, session, props);
response.sendRedirect(redirectURL);
}
} catch (IOException ioe) {
SAML2Utils.debug.error(classMethod + "Unable to send redirect: ", ioe);
}
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)
IOException(java.io.IOException)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
ArtifactResolutionServiceElement(com.sun.identity.saml2.jaxb.metadata.ArtifactResolutionServiceElement)
Artifact(com.sun.identity.saml2.protocol.Artifact)
IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)
Example 20 with IDPSSODescriptorElement
use of com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement in project OpenAM by OpenRock.
the class IDPProxyUtil method sendProxyAuthnRequest.
/**
* Sends a new AuthnRequest to the authenticating provider.
* @param authnRequest original AuthnRequest sent by the service provider.
* @param preferredIDP IDP to be proxied.
* @param spSSODescriptor SPSSO Descriptor Element
* @param hostedEntityId hosted provider ID
* @param request HttpServletRequest
* @param response HttpServletResponse
* @param realm Realm
* @param relayState the Relay State
* @param originalBinding The binding used to send the original AuthnRequest.
* @exception SAML2Exception for any SAML2 failure.
* @exception IOException if there is a failure in redirection.
*/
public static void sendProxyAuthnRequest(AuthnRequest authnRequest, String preferredIDP, SPSSODescriptorElement spSSODescriptor, String hostedEntityId, HttpServletRequest request, HttpServletResponse response, String realm, String relayState, String originalBinding) throws SAML2Exception, IOException {
String classMethod = "IDPProxyUtil.sendProxyAuthnRequest: ";
String destination = null;
SPSSODescriptorElement localDescriptor = null;
SPSSOConfigElement localDescriptorConfig = null;
IDPSSODescriptorElement idpDescriptor = null;
String binding;
try {
idpDescriptor = IDPSSOUtil.metaManager.getIDPSSODescriptor(realm, preferredIDP);
List<SingleSignOnServiceElement> ssoServiceList = idpDescriptor.getSingleSignOnService();
SingleSignOnServiceElement endpoint = getMatchingSSOEndpoint(ssoServiceList, originalBinding);
if (endpoint == null) {
SAML2Utils.debug.error(classMethod + "Single Sign-on service is not found for the proxying IDP.");
throw new SAML2Exception(SAML2Utils.bundle.getString("ssoServiceNotFoundIDPProxy"));
}
binding = endpoint.getBinding();
destination = endpoint.getLocation();
localDescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(realm, hostedEntityId);
localDescriptorConfig = IDPSSOUtil.metaManager.getSPSSOConfig(realm, hostedEntityId);
} catch (SAML2MetaException e) {
SAML2Utils.debug.error(classMethod, e);
throw new SAML2Exception(e.getMessage());
}
AuthnRequest newAuthnRequest = getNewAuthnRequest(hostedEntityId, destination, realm, authnRequest);
// invoke SP Adapter class if registered
SAML2ServiceProviderAdapter spAdapter = SAML2Utils.getSPAdapterClass(hostedEntityId, realm);
if (spAdapter != null) {
spAdapter.preSingleSignOnRequest(hostedEntityId, preferredIDP, realm, request, response, newAuthnRequest);
}
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "New Authentication request:" + newAuthnRequest.toXMLString());
}
String requestID = newAuthnRequest.getID();
// save the AuthnRequest in the IDPCache so that it can be
// retrieved later when the user successfully authenticates
IDPCache.authnRequestCache.put(requestID, newAuthnRequest);
// save the original AuthnRequest
IDPCache.proxySPAuthnReqCache.put(requestID, authnRequest);
boolean signingNeeded = idpDescriptor.isWantAuthnRequestsSigned() || localDescriptor.isAuthnRequestsSigned();
// check if relayState is present and get the unique
// id which will be appended to the SSO URL before
// redirecting
String relayStateID = null;
if (relayState != null && relayState.length() > 0) {
relayStateID = SPSSOFederate.getRelayStateID(relayState, authnRequest.getID());
}
if (binding.equals(SAML2Constants.HTTP_POST)) {
if (signingNeeded) {
String certAlias = SPSSOFederate.getParameter(SAML2MetaUtils.getAttributes(localDescriptorConfig), SAML2Constants.SIGNING_CERT_ALIAS);
SPSSOFederate.signAuthnRequest(certAlias, newAuthnRequest);
}
String authXMLString = newAuthnRequest.toXMLString(true, true);
String encodedReqMsg = SAML2Utils.encodeForPOST(authXMLString);
SAML2Utils.postToTarget(request, response, "SAMLRequest", encodedReqMsg, "RelayState", relayStateID, destination);
} else {
String authReqXMLString = newAuthnRequest.toXMLString(true, true);
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + " AuthnRequest: " + authReqXMLString);
}
String encodedXML = SAML2Utils.encodeForRedirect(authReqXMLString);
StringBuffer queryString = new StringBuffer().append(SAML2Constants.SAML_REQUEST).append(SAML2Constants.EQUAL).append(encodedXML);
//TODO: should it be newAuthnRequest???
if (relayStateID != null && relayStateID.length() > 0) {
queryString.append("&").append(SAML2Constants.RELAY_STATE).append("=").append(URLEncDec.encode(relayStateID));
}
StringBuffer redirectURL = new StringBuffer().append(destination).append(destination.contains("?") ? "&" : "?");
if (signingNeeded) {
String certAlias = SPSSOFederate.getParameter(SAML2MetaUtils.getAttributes(localDescriptorConfig), SAML2Constants.SIGNING_CERT_ALIAS);
String signedQueryStr = SPSSOFederate.signQueryString(queryString.toString(), certAlias);
redirectURL.append(signedQueryStr);
} else {
redirectURL.append(queryString);
}
response.sendRedirect(redirectURL.toString());
}
String[] data = { destination };
LogUtil.access(Level.INFO, LogUtil.REDIRECT_TO_SP, data, null);
AuthnRequestInfo reqInfo = new AuthnRequestInfo(request, response, realm, hostedEntityId, preferredIDP, newAuthnRequest, relayState, null);
synchronized (SPCache.requestHash) {
SPCache.requestHash.put(requestID, reqInfo);
}
if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
try {
// sessionExpireTime is counted in seconds
long sessionExpireTime = System.currentTimeMillis() / 1000 + SPCache.interval;
SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(requestID, new AuthnRequestInfoCopy(reqInfo), sessionExpireTime);
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + " SAVE AuthnRequestInfoCopy for requestID " + requestID);
}
} catch (SAML2TokenRepositoryException se) {
SAML2Utils.debug.error(classMethod + " SAVE AuthnRequestInfoCopy for requestID " + requestID + ", failed!", se);
}
}
}
Also used :
SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)
SPSSOConfigElement(com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement)
SingleSignOnServiceElement(com.sun.identity.saml2.jaxb.metadata.SingleSignOnServiceElement)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
AuthnRequest(com.sun.identity.saml2.protocol.AuthnRequest)
SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)
SAML2ServiceProviderAdapter(com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)
Aggregations
IDPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)42
List (java.util.List)28
SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)27
SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)21
ArrayList (java.util.ArrayList)18
SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)17
X509Certificate (java.security.cert.X509Certificate)11
SAML2MetaManager (com.sun.identity.saml2.meta.SAML2MetaManager)10
Iterator (java.util.Iterator)10
IDPSSOConfigElement (com.sun.identity.saml2.jaxb.entityconfig.IDPSSOConfigElement)9
Map (java.util.Map)9
SAML2TokenRepositoryException (org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)7
SPSSOConfigElement (com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement)6
ArtifactResolutionServiceElement (com.sun.identity.saml2.jaxb.metadata.ArtifactResolutionServiceElement)6
HashMap (java.util.HashMap)5
AMConsoleException (com.sun.identity.console.base.model.AMConsoleException)4
SessionException (com.sun.identity.plugin.session.SessionException)4
Issuer (com.sun.identity.saml2.assertion.Issuer)4
BaseConfigType (com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType)4
EntityDescriptorElement (com.sun.identity.saml2.jaxb.metadata.EntityDescriptorElement)4
