use of com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement in project OpenAM by OpenRock.
the class SPSessionListener method initiateSPSingleLogout.
/**
 * Performs an SP-initiated single logout (SLO) against the remote IdP using the SOAP binding.
 *
 * <p>The remote IdP's SOAP SLO endpoint is looked up in its metadata. When the IdP publishes no
 * SOAP SLO endpoint the situation is logged as a warning and the method returns without doing
 * anything, so the SP and IdP sessions are left out of sync rather than failing the caller.
 *
 * @param metaAlias SP meta alias
 * @param realm realm of the hosted SP
 * @param binding binding, passed through to {@code LogoutUtil.doLogout}
 * @param nameIdInfoKey key whose remote entity ID identifies the IdP
 * @param fedSession SP federated session supplying the IdP session index and NameID
 * @param paramsMap parameters map, passed through to {@code LogoutUtil.doLogout}
 * @throws SAML2MetaException if the IdP metadata could not be retrieved
 * @throws SAML2Exception if the IdP has no IDPSSODescriptor or initiating SLO fails
 * @throws SessionException if there was a problem with the session
 */
private static void initiateSPSingleLogout(String metaAlias, String realm, String binding, NameIDInfoKey nameIdInfoKey, SPFedSession fedSession, Map paramsMap) throws SAML2MetaException, SAML2Exception, SessionException {
    final String idpEntityId = nameIdInfoKey.getRemoteEntityID();
    final IDPSSODescriptorElement idpDescriptor = sm.getIDPSSODescriptor(realm, idpEntityId);
    if (idpDescriptor == null) {
        // No IDPSSODescriptor for this entity: log it and abort, the caller cannot proceed without metadata.
        LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, new String[] { idpEntityId }, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    final List<EndpointType> sloEndpoints = idpDescriptor.getSingleLogoutService();
    final String soapLocation = LogoutUtil.getSLOServiceLocation(sloEndpoints, SAML2Constants.SOAP);
    if (soapLocation == null) {
        // Nothing to call: without a SOAP SLO endpoint the IdP session cannot be synchronized.
        if (debug.warningEnabled()) {
            debug.warning("SPSessionListener.initiateSPSingleLogout(): Unable to synchronize sessions with IdP \""
                    + idpEntityId
                    + "\" since the IdP does not have SOAP SLO endpoint specified in its metadata, possibly this is a misconfiguration of the hosted SP");
        }
        return;
    }
    final IDPSSOConfigElement idpConfig = sm.getIDPSSOConfig(realm, idpEntityId);
    LogoutUtil.doLogout(metaAlias, idpEntityId, sloEndpoints, null, binding, null, fedSession.idpSessionIndex, fedSession.info.getNameID(), null, null, paramsMap, idpConfig);
}
use of com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement in project OpenAM by OpenRock.
the class SAMLv2ModelImpl method setIDPStdAttributeValues.
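/**
 * Saves the standard attribute values for the Identity Provider.
 *
 * <p>Each section of the IDPSSODescriptor (WantAuthnRequestsSigned, Artifact Resolution
 * Service, Single Logout Service, Manage NameID Service, NameID Mapping Service, NameID
 * format, Single Sign-On Service) is rewritten only when its leading key is present in
 * {@code idpStdValues}; other sections are left untouched. The modified entity descriptor
 * is then persisted through the meta manager.
 *
 * @param realm to which the entity belongs.
 * @param entityName is the entity id.
 * @param idpStdValues Map which contains the standard attribute values.
 * @throws AMConsoleException if saving of attribute value fails: the metadata cannot be read
 *         or written ({@code SAML2MetaException}), the JAXB elements cannot be created
 *         ({@code JAXBException}), or the artifact resolution index is not an integer.
 */
public void setIDPStdAttributeValues(String realm, String entityName, Map idpStdValues) throws AMConsoleException {
    String[] params = { realm, entityName, "SAMLv2", "IDP-Standard" };
    logEvent("ATTEMPT_MODIFY_ENTITY_DESCRIPTOR", params);
    com.sun.identity.saml2.jaxb.metadata.ObjectFactory objFact = new com.sun.identity.saml2.jaxb.metadata.ObjectFactory();
    try {
        SAML2MetaManager samlManager = getSAML2MetaManager();
        EntityDescriptorElement entityDescriptor = samlManager.getEntityDescriptor(realm, entityName);
        IDPSSODescriptorElement idpssoDescriptor = samlManager.getIDPSSODescriptor(realm, entityName);
        if (idpssoDescriptor != null) {
            if (idpStdValues.keySet().contains(WANT_AUTHN_REQ_SIGNED)) {
                idpssoDescriptor.setWantAuthnRequestsSigned(setToBoolean(idpStdValues, WANT_AUTHN_REQ_SIGNED));
            }
            if (idpStdValues.keySet().contains(ART_RES_LOCATION)) {
                saveArtifactResolutionService(idpssoDescriptor, idpStdValues, objFact);
            }
            if (idpStdValues.keySet().contains(SINGLE_LOGOUT_HTTP_LOCATION)) {
                saveSingleLogoutServices(idpssoDescriptor, idpStdValues, objFact);
            }
            if (idpStdValues.keySet().contains(MANAGE_NAMEID_HTTP_LOCATION)) {
                saveManageNameIdServices(idpssoDescriptor, idpStdValues, objFact);
            }
            if (idpStdValues.keySet().contains(NAME_ID_MAPPPING)) {
                saveNameIdMappingService(idpssoDescriptor, idpStdValues, objFact);
            }
            if (idpStdValues.keySet().contains(NAMEID_FORMAT)) {
                saveNameIdFormat(idpssoDescriptor, idpStdValues);
            }
            if (idpStdValues.keySet().contains(SINGLE_SIGNON_HTTP_LOCATION)) {
                saveSingleSignOnServices(idpssoDescriptor, idpStdValues, objFact);
            }
            samlManager.setEntityDescriptor(realm, entityDescriptor);
        }
        logEvent("SUCCEED_MODIFY_ENTITY_DESCRIPTOR", params);
    } catch (SAML2MetaException e) {
        throw modifyFailure(realm, entityName, e);
    } catch (JAXBException e) {
        // A JAXB failure means the descriptor was never written; report it to the console
        // like any other failure instead of returning as if the save had succeeded.
        throw modifyFailure(realm, entityName, e);
    }
}

/**
 * Logs a failed descriptor modification and builds the console exception to throw for it.
 *
 * @param realm realm of the entity being modified.
 * @param entityName entity id being modified.
 * @param e the underlying failure.
 * @return the {@code AMConsoleException} carrying the user-facing error string.
 * @throws AMConsoleException if the audit event itself cannot be logged.
 */
private AMConsoleException modifyFailure(String realm, String entityName, Exception e) throws AMConsoleException {
    debug.warning("SAMLv2ModelImpl.setIDPStdAttributeValues:", e);
    String strError = getErrorString(e);
    String[] paramsEx = { realm, entityName, "SAMLv2", "IDP-Standard", strError };
    logEvent("FEDERATION_EXCEPTION_MODIFY_ENTITY_DESCRIPTOR", paramsEx);
    return new AMConsoleException(strError);
}

/**
 * Rewrites the descriptor's (single) ArtifactResolutionService entry from the submitted
 * location, index and default flag. An existing first entry is reused; any further entries
 * are dropped. A missing index defaults to 0.
 *
 * @throws AMConsoleException if the submitted index is not an integer.
 * @throws JAXBException if the service element cannot be created.
 */
private void saveArtifactResolutionService(IDPSSODescriptorElement idpssoDescriptor, Map idpStdValues, com.sun.identity.saml2.jaxb.metadata.ObjectFactory objFact) throws AMConsoleException, JAXBException {
    String artLocation = getResult(idpStdValues, ART_RES_LOCATION);
    String indexValue = getResult(idpStdValues, ART_RES_INDEX);
    if (StringUtils.isEmpty(indexValue)) {
        indexValue = "0";
    }
    int index;
    try {
        index = Integer.parseInt(indexValue);
    } catch (NumberFormatException e) {
        // The index comes from the console form; surface a console error before the
        // descriptor is touched rather than letting an unchecked exception escape.
        debug.warning("SAMLv2ModelImpl.setIDPStdAttributeValues:", e);
        throw new AMConsoleException(getErrorString(e));
    }
    boolean isDefault = setToBoolean(idpStdValues, ART_RES_ISDEFAULT);
    List artList = idpssoDescriptor.getArtifactResolutionService();
    ArtifactResolutionServiceElement elem;
    if (artList.isEmpty()) {
        elem = objFact.createArtifactResolutionServiceElement();
        elem.setBinding(soapBinding);
    } else {
        elem = (ArtifactResolutionServiceElement) artList.get(0);
    }
    elem.setLocation(artLocation);
    elem.setIndex(index);
    elem.setIsDefault(isDefault);
    // Collapse the list to exactly this one entry.
    idpssoDescriptor.getArtifactResolutionService().clear();
    idpssoDescriptor.getArtifactResolutionService().add(elem);
}

/**
 * Resolves the submitted default-binding selection. A {@code null} or "none" selection is
 * replaced by the first binding (Redirect, POST, SOAP order) that has a location configured;
 * any other selection is returned unchanged. When nothing applies the selection is returned
 * as given (possibly {@code null}), and callers then add no service entries.
 */
private String resolveDefaultBinding(String selected, String redirectLocation, String postLocation, String soapLocation) {
    if (selected != null && !selected.contains("none")) {
        return selected;
    }
    if (redirectLocation != null) {
        return httpRedirectBinding;
    }
    if (postLocation != null) {
        return httpPostBinding;
    }
    if (soapLocation != null) {
        return soapBinding;
    }
    return selected;
}

/**
 * Replaces the SingleLogoutService entries, adding them so the selected default binding
 * comes first in the list.
 *
 * @throws JAXBException if a service element cannot be created.
 */
private void saveSingleLogoutServices(IDPSSODescriptorElement idpssoDescriptor, Map idpStdValues, com.sun.identity.saml2.jaxb.metadata.ObjectFactory objFact) throws JAXBException {
    String lohttpLocation = getResult(idpStdValues, SINGLE_LOGOUT_HTTP_LOCATION);
    String lohttpRespLocation = getResult(idpStdValues, SINGLE_LOGOUT_HTTP_RESP_LOCATION);
    String postLocation = getResult(idpStdValues, SLO_POST_LOC);
    String postRespLocation = getResult(idpStdValues, SLO_POST_RESPLOC);
    String losoapLocation = getResult(idpStdValues, SINGLE_LOGOUT_SOAP_LOCATION);
    String priority = resolveDefaultBinding(getResult(idpStdValues, SINGLE_LOGOUT_DEFAULT), lohttpLocation, postLocation, losoapLocation);
    List logList = idpssoDescriptor.getSingleLogoutService();
    logList.clear();
    if (priority != null && priority.contains("HTTP-Redirect")) {
        savehttpRedLogout(lohttpLocation, lohttpRespLocation, logList, objFact);
        savepostLogout(postLocation, postRespLocation, logList, objFact);
        savesoapLogout(losoapLocation, logList, objFact);
    } else if (priority != null && priority.contains("HTTP-POST")) {
        savepostLogout(postLocation, postRespLocation, logList, objFact);
        savehttpRedLogout(lohttpLocation, lohttpRespLocation, logList, objFact);
        savesoapLogout(losoapLocation, logList, objFact);
    } else if (priority != null && priority.contains("SOAP")) {
        savesoapLogout(losoapLocation, logList, objFact);
        savehttpRedLogout(lohttpLocation, lohttpRespLocation, logList, objFact);
        savepostLogout(postLocation, postRespLocation, logList, objFact);
    }
}

/**
 * Replaces the ManageNameIDService entries, adding them so the selected default binding
 * comes first in the list.
 *
 * @throws JAXBException if a service element cannot be created.
 */
private void saveManageNameIdServices(IDPSSODescriptorElement idpssoDescriptor, Map idpStdValues, com.sun.identity.saml2.jaxb.metadata.ObjectFactory objFact) throws JAXBException {
    String mnihttpLocation = getResult(idpStdValues, MANAGE_NAMEID_HTTP_LOCATION);
    String mnihttpRespLocation = getResult(idpStdValues, MANAGE_NAMEID_HTTP_RESP_LOCATION);
    String mnipostLocation = getResult(idpStdValues, MNI_POST_LOC);
    String mnipostRespLocation = getResult(idpStdValues, MNI_POST_RESPLOC);
    String mnisoapLocation = getResult(idpStdValues, MANAGE_NAMEID_SOAP_LOCATION);
    String priority = resolveDefaultBinding(getResult(idpStdValues, SINGLE_MANAGE_NAMEID_DEFAULT), mnihttpLocation, mnipostLocation, mnisoapLocation);
    List manageNameIdList = idpssoDescriptor.getManageNameIDService();
    manageNameIdList.clear();
    if (priority != null && priority.contains("HTTP-Redirect")) {
        savehttpRedMni(mnihttpLocation, mnihttpRespLocation, manageNameIdList, objFact);
        savepostMni(mnipostLocation, mnipostRespLocation, manageNameIdList, objFact);
        savesoapMni(mnisoapLocation, manageNameIdList, objFact);
    } else if (priority != null && priority.contains("HTTP-POST")) {
        savepostMni(mnipostLocation, mnipostRespLocation, manageNameIdList, objFact);
        savehttpRedMni(mnihttpLocation, mnihttpRespLocation, manageNameIdList, objFact);
        savesoapMni(mnisoapLocation, manageNameIdList, objFact);
    } else if (priority != null && priority.contains("SOAP")) {
        savesoapMni(mnisoapLocation, manageNameIdList, objFact);
        savehttpRedMni(mnihttpLocation, mnihttpRespLocation, manageNameIdList, objFact);
        savepostMni(mnipostLocation, mnipostRespLocation, manageNameIdList, objFact);
    }
}

/**
 * Rewrites the descriptor's (single) NameIDMappingService entry with the submitted location.
 * An existing first entry is reused, otherwise a SOAP-bound one is created; any further
 * entries are dropped.
 *
 * @throws JAXBException if the service element cannot be created.
 */
private void saveNameIdMappingService(IDPSSODescriptorElement idpssoDescriptor, Map idpStdValues, com.sun.identity.saml2.jaxb.metadata.ObjectFactory objFact) throws JAXBException {
    String nameIDmappingloc = getResult(idpStdValues, NAME_ID_MAPPPING);
    List nameIDmappingList = idpssoDescriptor.getNameIDMappingService();
    NameIDMappingServiceElement namidElem;
    if (nameIDmappingList.isEmpty()) {
        namidElem = objFact.createNameIDMappingServiceElement();
        namidElem.setBinding(soapBinding);
    } else {
        namidElem = (NameIDMappingServiceElement) nameIDmappingList.get(0);
    }
    namidElem.setLocation(nameIDmappingloc);
    idpssoDescriptor.getNameIDMappingService().clear();
    idpssoDescriptor.getNameIDMappingService().add(namidElem);
}

/**
 * Replaces the SingleSignOnService entries with one entry per binding whose location was
 * submitted (Redirect, POST, SOAP order). Note the historical key pairing: the
 * {@code SINGLE_SIGNON_SOAP_LOCATION} key carries the HTTP-POST location and
 * {@code SSO_SOAPS_LOC} the SOAP location; the pairing matches the form and must be kept.
 *
 * @throws JAXBException if a service element cannot be created.
 */
private void saveSingleSignOnServices(IDPSSODescriptorElement idpssoDescriptor, Map idpStdValues, com.sun.identity.saml2.jaxb.metadata.ObjectFactory objFact) throws JAXBException {
    String ssohttpLocation = getResult(idpStdValues, SINGLE_SIGNON_HTTP_LOCATION);
    String ssopostLocation = getResult(idpStdValues, SINGLE_SIGNON_SOAP_LOCATION);
    String ssoSoapLocation = getResult(idpStdValues, SSO_SOAPS_LOC);
    List signonList = idpssoDescriptor.getSingleSignOnService();
    signonList.clear();
    addSingleSignOnService(signonList, httpRedirectBinding, ssohttpLocation, objFact);
    addSingleSignOnService(signonList, httpPostBinding, ssopostLocation, objFact);
    addSingleSignOnService(signonList, soapBinding, ssoSoapLocation, objFact);
}

/**
 * Appends a SingleSignOnService entry for {@code bindingUri} when {@code location} is
 * non-empty; does nothing otherwise.
 *
 * @throws JAXBException if the service element cannot be created.
 */
private void addSingleSignOnService(List signonList, String bindingUri, String location, com.sun.identity.saml2.jaxb.metadata.ObjectFactory objFact) throws JAXBException {
    if (location == null || location.length() == 0) {
        return;
    }
    SingleSignOnServiceElement ssoElem = objFact.createSingleSignOnServiceElement();
    ssoElem.setBinding(bindingUri);
    ssoElem.setLocation(location);
    signonList.add(ssoElem);
}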
use of com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement in project OpenAM by OpenRock.
the class SPACSUtils method getResponseFromSOAP.
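/**
 * Obtains the SAML <code>Response</code> carried inside the <code>ArtifactResponse</code>
 * of a SOAP artifact-resolution reply. Used by the Artifact profile.
 *
 * <p>Validation performed, in this order, before the inner Response is returned:
 * <ul>
 *   <li>the ArtifactResponse element can be extracted from the SOAP body and parsed;</li>
 *   <li>its signature is present and valid against the IdP's verification certificates -
 *       only when the hosted SP is configured with WantArtifactResponseSigned=true; otherwise
 *       an unsigned ArtifactResponse is accepted;</li>
 *   <li>InResponseTo equals the ID of the ArtifactResolve that was sent;</li>
 *   <li>the Issuer equals the expected IdP entity ID;</li>
 *   <li>the status code is Success.</li>
 * </ul>
 * The IssueInstant of the ArtifactResponse is not checked (pre-existing "check time?" remark).
 *
 * <p>Every failure is logged through {@code LogUtil}, reported to the browser as HTTP 500 via
 * {@code SAMLUtils.sendError}, and then thrown as a {@code SAML2Exception}.
 *
 * @param resMsg SOAP message returned by the IdP's artifact resolution service
 * @param resolve the ArtifactResolve that was sent; its ID must match InResponseTo
 * @param request current HTTP request, used for error reporting
 * @param response current HTTP response, used for error reporting
 * @param idpEntityID entity ID the ArtifactResponse's Issuer must equal
 * @param idp IdP metadata descriptor supplying the verification certificates
 * @param orgName realm of the hosted SP
 * @param hostEntityId entity ID of the hosted SP
 * @param sm meta manager used to read the hosted SP's configuration
 * @return the Response embedded in the ArtifactResponse
 * @throws SAML2Exception if any of the validations above fails
 * @throws IOException if the error page cannot be written
 */
private static Response getResponseFromSOAP(SOAPMessage resMsg, ArtifactResolve resolve, HttpServletRequest request, HttpServletResponse response, String idpEntityID, IDPSSODescriptorElement idp, String orgName, String hostEntityId, SAML2MetaManager sm) throws SAML2Exception, IOException {
    String method = "SPACSUtils.getResponseFromSOAP:";
    Element resElem;
    try {
        resElem = SOAPCommunicator.getInstance().getSamlpElement(resMsg, "ArtifactResponse");
    } catch (SAML2Exception se) {
        reportArtifactError(request, response, idpEntityID, LogUtil.SOAP_ERROR, "soapError", se.getMessage());
        throw se;
    }
    ArtifactResponse artiResp;
    try {
        artiResp = ProtocolFactory.getInstance().createArtifactResponse(resElem);
    } catch (SAML2Exception se) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(method + "Couldn't create ArtifactResponse:", se);
        }
        reportArtifactError(request, response, idpEntityID, LogUtil.CANNOT_INSTANTIATE_ARTIFACT_RESPONSE, "failedToCreateArtifactResponse", se.getMessage());
        throw se;
    }
    if (artiResp == null) {
        reportArtifactError(request, response, idpEntityID, LogUtil.MISSING_ARTIFACT_RESPONSE, "missingArtifactResponse", SAML2Utils.bundle.getString("missingArtifactResponse"));
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingArtifactResponse"));
    }
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(method + "Received ArtifactResponse:" + artiResp.toXMLString(true, true));
    }
    // Signature verification is gated on the hosted SP's WantArtifactResponseSigned setting;
    // when it is off, an unsigned or differently signed ArtifactResponse passes this step.
    String wantArtiRespSigned = getAttributeValueFromSPSSOConfig(orgName, hostEntityId, sm, SAML2Constants.WANT_ARTIFACT_RESPONSE_SIGNED);
    if ("true".equals(wantArtiRespSigned)) {
        Set<X509Certificate> verificationCerts = KeyUtil.getVerificationCerts(idp, idpEntityID, SAML2Constants.IDP_ROLE);
        if (!artiResp.isSigned() || !artiResp.isSignatureValid(verificationCerts)) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(method + "ArtifactResponse's signature is invalid.");
            }
            reportArtifactError(request, response, idpEntityID, LogUtil.ARTIFACT_RESPONSE_INVALID_SIGNATURE, "invalidSignature", SAML2Utils.bundle.getString("invalidSignature"));
            throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignature"));
        }
    }
    // The reply must answer the ArtifactResolve we actually sent.
    String inResponseTo = artiResp.getInResponseTo();
    if (inResponseTo == null || !inResponseTo.equals(resolve.getID())) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(method + "ArtifactResponse's InResponseTo is invalid.");
        }
        reportArtifactError(request, response, idpEntityID, LogUtil.ARTIFACT_RESPONSE_INVALID_INRESPONSETO, "invalidInResponseTo", SAML2Utils.bundle.getString("invalidInResponseTo"));
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidInResponseTo"));
    }
    Issuer idpIssuer = artiResp.getIssuer();
    if (idpIssuer == null || !idpIssuer.getValue().equals(idpEntityID)) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(method + "ArtifactResponse's Issuer is invalid.");
        }
        reportArtifactError(request, response, idpEntityID, LogUtil.ARTIFACT_RESPONSE_INVALID_ISSUER, "invalidIssuer", SAML2Utils.bundle.getString("invalidIssuer"));
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidIssuer"));
    }
    // check time?
    Status status = artiResp.getStatus();
    if (status == null || !SAML2Constants.SUCCESS.equals(status.getStatusCode().getValue())) {
        String statusCode = (status == null) ? "" : status.getStatusCode().getValue();
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(method + "ArtifactResponse's status code is not success." + statusCode);
        }
        // The status code is only written to the audit log at FINE or finer.
        String[] data = { idpEntityID, "" };
        if (LogUtil.isErrorLoggable(Level.FINE)) {
            data[1] = statusCode;
        }
        LogUtil.error(Level.INFO, LogUtil.ARTIFACT_RESPONSE_INVALID_STATUS_CODE, data, null);
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "invalidStatusCode", SAML2Utils.bundle.getString("invalidStatusCode"));
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidStatusCode"));
    }
    try {
        return ProtocolFactory.getInstance().createResponse(artiResp.getAny());
    } catch (SAML2Exception se) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(method + "couldn't instantiate Response:", se);
        }
        reportArtifactError(request, response, idpEntityID, LogUtil.CANNOT_INSTANTIATE_RESPONSE_ARTIFACT, "failedToCreateResponse", se.getMessage());
        throw se;
    }
}

/**
 * Logs an artifact-profile failure for {@code idpEntityID} under {@code logId} and sends an
 * HTTP 500 error page with the given error key and message. The caller throws afterwards;
 * this helper only reports.
 *
 * @param request current HTTP request
 * @param response current HTTP response
 * @param idpEntityID IdP entity ID recorded in the log entry
 * @param logId {@code LogUtil} message identifier
 * @param errorKey error code passed to {@code SAMLUtils.sendError}
 * @param errorMessage error message passed to {@code SAMLUtils.sendError}
 * @throws IOException if the error page cannot be written
 */
private static void reportArtifactError(HttpServletRequest request, HttpServletResponse response, String idpEntityID, String logId, String errorKey, String errorMessage) throws IOException {
    String[] data = { idpEntityID };
    LogUtil.error(Level.INFO, logId, data, null);
    SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, errorKey, errorMessage);
}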
use of com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement in project OpenAM by OpenRock.
the class LogoutUtil method verifySLORequest.
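/**
 * Verifies the XML signature on a LogoutRequest.
 *
 * <p>Verification is driven by the hosted entity's WantLogoutRequestSigned setting. When it is
 * off the request is accepted without inspecting any signature and {@code true} is returned.
 * When it is on, the verification certificates are taken from the remote entity's metadata
 * (the SP descriptor when the hosted entity is an IdP, the IdP descriptor otherwise); if no
 * certificate is configured the method fails closed with a {@code SAML2Exception}.
 *
 * @param sloRequest SLO request to be verified.
 * @param realm realm of host entity.
 * @param remoteEntity entity ID of remote entity.
 * @param hostEntity entity ID of host entity.
 * @param hostEntityRole role of host entity ({@code SAML2Constants.IDP_ROLE} or SP role).
 * @return {@code true} if the signature is valid, or if signing is not required.
 * @throws SAML2Exception if signing is required but no verification certificate is configured,
 *         or if there is an error while verifying the signature.
 * @throws SessionException if error in verifying the signature.
 */
public static boolean verifySLORequest(LogoutRequest sloRequest, String realm, String remoteEntity, String hostEntity, String hostEntityRole) throws SAML2Exception, SessionException {
    String method = "verifySLORequest : ";
    boolean needVerifySignature = SAML2Utils.getWantLogoutRequestSigned(realm, hostEntity, hostEntityRole);
    if (!needVerifySignature) {
        // Not required by configuration: the return value says nothing about whether a signature exists.
        if (debug.messageEnabled()) {
            debug.message(method + "SLORequest doesn't need to be verified.");
        }
        return true;
    }
    if (debug.messageEnabled()) {
        debug.message(method + "realm is : " + realm);
        debug.message(method + "remoteEntity is : " + remoteEntity);
        debug.message(method + "Host Entity role is : " + hostEntityRole);
    }
    Set<X509Certificate> signingCerts;
    if (hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
        // Hosted IdP: the request was sent by the remote SP, so use the SP's signing certificates.
        SPSSODescriptorElement spSSODesc = metaManager.getSPSSODescriptor(realm, remoteEntity);
        signingCerts = KeyUtil.getVerificationCerts(spSSODesc, remoteEntity, SAML2Constants.SP_ROLE);
    } else {
        // Hosted SP: the request was sent by the remote IdP.
        IDPSSODescriptorElement idpSSODesc = metaManager.getIDPSSODescriptor(realm, remoteEntity);
        signingCerts = KeyUtil.getVerificationCerts(idpSSODesc, remoteEntity, SAML2Constants.IDP_ROLE);
    }
    if (signingCerts.isEmpty()) {
        // No certificate to verify against: fail closed rather than accept an unverifiable request.
        debug.error("Incorrect configuration for Signing Certificate.");
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    boolean valid = sloRequest.isSignatureValid(signingCerts);
    if (debug.messageEnabled()) {
        debug.message(method + "Signature is : " + valid);
    }
    return valid;
}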
use of com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement in project OpenAM by OpenRock.
the class IDPSingleLogout method processLogoutRequest.
/**
 * Gets and processes the Single <code>LogoutRequest</code> from SP.
 *
 * <p>Processing order: the binding is derived from the HTTP method (POST, otherwise
 * HTTP-Redirect); the hosted IdP is resolved from the meta alias in the request URI; the
 * binding must be enabled for the IdP's SLO service; the request is decoded from the POST
 * body or the redirect query parameter; only when the hosted IdP is configured with
 * WantLogoutRequestSigned are the signature and the Destination verified. The local session
 * is then looked up - if it cannot be obtained a successful "already logged out" response is
 * sent back. Otherwise the request is handed to the overloaded {@code processLogoutRequest},
 * and the resulting response is delivered to the SP (or a proxy logout is started for IdP
 * proxy partners) unless a multi-protocol logout has already redirected the browser.
 *
 * <p>When WantLogoutRequestSigned is off, neither the signature nor the Destination of the
 * incoming request is checked by this method.
 *
 * @param request the HttpServletRequest.
 * @param response the HttpServletResponse.
 * @param out the print writer for writing out presentation
 * @param samlRequest <code>LogoutRequest</code> in the
 * XML string format (base64 POST form or deflated redirect form).
 * @param relayState the target URL on successful
 * <code>LogoutRequest</code>.
 * @throws SAML2Exception if error processing
 * <code>LogoutRequest</code>: unsupported binding, undecodable request,
 * invalid signature or invalid Destination.
 * @throws SessionException if error processing
 * <code>LogoutRequest</code>.
 */
public static void processLogoutRequest(HttpServletRequest request, HttpServletResponse response, PrintWriter out, String samlRequest, String relayState) throws SAML2Exception, SessionException {
    String classMethod = "IDPSingleLogout.processLogoutRequest : ";
    if (debug.messageEnabled()) {
        debug.message(classMethod + "IDPSingleLogout:processLogoutRequest");
        debug.message(classMethod + "samlRequest : " + samlRequest);
        debug.message(classMethod + "relayState : " + relayState);
    }
    // POST selects the HTTP-POST binding; every other method is treated as HTTP-Redirect.
    String rmethod = request.getMethod();
    String binding = SAML2Constants.HTTP_REDIRECT;
    if (rmethod.equals("POST")) {
        binding = SAML2Constants.HTTP_POST;
    }
    String metaAlias = SAML2MetaUtils.getMetaAliasByUri(request.getRequestURI());
    String realm = SAML2Utils.getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
    String idpEntityID = sm.getEntityByMetaAlias(metaAlias);
    // Reject bindings the hosted IdP has not enabled for its SLO service.
    if (!SAML2Utils.isIDPProfileBindingSupported(realm, idpEntityID, SAML2Constants.SLO_SERVICE, binding)) {
        debug.error(classMethod + "SLO service binding " + binding + " is not supported for " + idpEntityID);
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    LogoutRequest logoutReq = null;
    if (rmethod.equals("POST")) {
        logoutReq = LogoutUtil.getLogoutRequestFromPost(samlRequest, response);
    } else if (rmethod.equals("GET")) {
        String decodedStr = SAML2Utils.decodeFromRedirect(samlRequest);
        if (decodedStr == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("nullDecodedStrFromSamlRequest"));
        }
        logoutReq = ProtocolFactory.getInstance().createLogoutRequest(decodedStr);
    }
    // Methods other than POST/GET, or a POST that failed to parse, leave logoutReq null.
    if (logoutReq == null) {
        if (debug.messageEnabled()) {
            debug.message("IDPSingleLogout:processLogoutRequest: logoutReq " + "is null");
        }
        return;
    }
    // NOTE(review): Issuer is assumed present; a LogoutRequest without an Issuer element
    // would fail here with a NullPointerException rather than a SAML2Exception.
    String spEntityID = logoutReq.getIssuer().getValue();
    boolean needToVerify = SAML2Utils.getWantLogoutRequestSigned(realm, idpEntityID, SAML2Constants.IDP_ROLE);
    if (debug.messageEnabled()) {
        debug.message(classMethod + "metaAlias : " + metaAlias);
        debug.message(classMethod + "realm : " + realm);
        debug.message(classMethod + "idpEntityID : " + idpEntityID);
        debug.message(classMethod + "spEntityID : " + spEntityID);
    }
    if (needToVerify) {
        boolean valid = false;
        if (binding.equals(SAML2Constants.HTTP_REDIRECT)) {
            // Redirect binding signs the query string, not the XML document.
            String queryString = request.getQueryString();
            valid = SAML2Utils.verifyQueryString(queryString, realm, SAML2Constants.IDP_ROLE, spEntityID);
        } else {
            valid = LogoutUtil.verifySLORequest(logoutReq, realm, spEntityID, idpEntityID, SAML2Constants.IDP_ROLE);
        }
        if (!valid) {
            debug.error("Invalid signature in SLO Request.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignInRequest"));
        }
        // Destination must match the hosted IdP's own SLO endpoint for this binding; the
        // ResponseLocation is preferred, falling back to Location. loc stays null when the
        // descriptor or its SLO entries are missing - how verifyDestination treats a null
        // expected location is decided in SAML2Utils, not here.
        IDPSSODescriptorElement idpsso = sm.getIDPSSODescriptor(realm, idpEntityID);
        String loc = null;
        if (idpsso != null) {
            List sloList = idpsso.getSingleLogoutService();
            if ((sloList != null) && (!sloList.isEmpty())) {
                loc = LogoutUtil.getSLOResponseServiceLocation(sloList, binding);
                if ((loc == null) || (loc.length() == 0)) {
                    loc = LogoutUtil.getSLOServiceLocation(sloList, binding);
                }
            }
        }
        if (!SAML2Utils.verifyDestination(logoutReq.getDestination(), loc)) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("invalidDestination"));
        }
    }
    // Get the local session, if it does not exist send a succesful
    // Logout Response with a status message of "Already Logout"
    Object session = null;
    try {
        session = sessionProvider.getSession(request);
    } catch (SessionException ssoe) {
        sendAlreadyLogedOutResp(response, request, logoutReq, relayState, realm, idpEntityID, spEntityID, binding);
        return;
    }
    // then send the request to the original server
    // Without session failover a request that landed on the wrong server is forwarded to
    // the server owning the session and handled there.
    if (session != null && !SAML2FailoverUtils.isSAML2FailoverEnabled() && isMisroutedRequest(request, response, out, session)) {
        return;
    } else {
        if (debug.messageEnabled()) {
            debug.message(classMethod + "SAML2 Failover will be attempted. Be sure SFO is " + "properly configured or the attempt will fail");
        }
    }
    LogoutResponse logoutRes = processLogoutRequest(logoutReq, request, response, binding, relayState, idpEntityID, realm, true);
    if (logoutRes == null) {
        // through HTTP_Redirect, nothing to do here
        return;
    }
    // this is the case where there is no more SP session
    // participant
    SingleLogoutServiceElement endpoint = getLogoutResponseEndpoint(realm, spEntityID, binding);
    binding = endpoint.getBinding();
    String location = getResponseLocation(endpoint);
    logoutRes.setDestination(XMLUtils.escapeSpecialCharacters(location));
    // call multi-federation protocol processing
    // this is SP initiated HTTP based single logout
    boolean isMultiProtocolSession = false;
    int retStatus = SingleLogoutManager.LOGOUT_SUCCEEDED_STATUS;
    try {
        if ((session != null) && (sessionProvider.isValid(session)) && MultiProtocolUtils.isMultipleProtocolSession(session, SingleLogoutManager.SAML2)) {
            isMultiProtocolSession = true;
            // call Multi-Federation protocol SingleLogoutManager
            SingleLogoutManager sloManager = SingleLogoutManager.getInstance();
            Set set = new HashSet();
            set.add(session);
            String uid = sessionProvider.getPrincipalName(session);
            debug.message("IDPSingleLogout.processLogReq: MP/SPinit/Http");
            retStatus = sloManager.doIDPSingleLogout(set, uid, request, response, false, false, SingleLogoutManager.SAML2, realm, idpEntityID, spEntityID, relayState, logoutReq.toString(), logoutRes.toXMLString(), getLogoutStatus(logoutRes));
        }
    } catch (SessionException e) {
        // ignore as session might not be valid
        debug.message("IDPSingleLogout.processLogoutRequest: session", e);
    } catch (Exception e) {
        // Any other multi-protocol failure is recorded only at message level and turned
        // into a failed logout status carried in the LogoutResponse.
        debug.message("IDPSingleLogout.processLogoutRequest: MP2", e);
        retStatus = SingleLogoutManager.LOGOUT_FAILED_STATUS;
    }
    // A multi-protocol logout that redirected the browser owns the rest of the flow;
    // otherwise the response goes to IdP proxy partners, if any, else to the SP.
    if (!isMultiProtocolSession || (retStatus != SingleLogoutManager.LOGOUT_REDIRECTED_STATUS)) {
        logoutRes = updateLogoutResponse(logoutRes, retStatus);
        List partners = IDPProxyUtil.getSessionPartners(request);
        if (partners != null && !partners.isEmpty()) {
            IDPProxyUtil.sendProxyLogoutRequest(request, response, out, logoutReq, partners, binding, relayState);
        } else {
            LogoutUtil.sendSLOResponse(response, request, logoutRes, location, relayState, realm, idpEntityID, SAML2Constants.IDP_ROLE, spEntityID, binding);
        }
    }
}