
Example 36 with SPSSODescriptorElement

use of com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement in project OpenAM by OpenRock.

Class IDPProxyUtil, method getNewAuthnRequest.

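/**
 * Constructs a new authentication request from the original request that the
 * service provider sent to the proxying IDP. The new request is issued by the
 * hosted entity, copies the original Consent, IsPassive, ForceAuthn, service
 * indexes, ProtocolBinding, NameIDPolicy, RequestedAuthnContext and Extensions,
 * and carries a Scoping whose ProxyCount is one less than the incoming one so
 * that a proxy chain cannot grow without bound.
 *
 * @param hostedEntityId hosted provider ID; becomes the Issuer and the SPNameQualifier
 * @param destination    the destination where the new AuthnRequest will be sent to
 * @param realm          realm of the hosted provider
 * @param origRequest    original AuthnRequest received from the service provider
 * @return the new AuthnRequest
 * @throws SAML2Exception if no request ID can be generated, the hosted SP metadata
 *         has no AssertionConsumerService for the requested binding, or any other
 *         error occurs while building the request (the cause is wrapped)
 */
private static AuthnRequest getNewAuthnRequest(String hostedEntityId, String destination, String realm, AuthnRequest origRequest) throws SAML2Exception {
    String classMethod = "IDPProxyUtil.getNewAuthnRequest: ";
    // New Authentication request should only be a single sign-on request.
    try {
        ProtocolFactory protocolFactory = ProtocolFactory.getInstance();
        AuthnRequest newRequest = protocolFactory.createAuthnRequest();
        String requestID = SAML2Utils.generateID();
        if (requestID == null || requestID.isEmpty()) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("cannotGenerateID"));
        }
        newRequest.setID(requestID);
        SPSSODescriptorElement localDescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(realm, hostedEntityId);
        newRequest.setDestination(XMLUtils.escapeSpecialCharacters(destination));
        newRequest.setConsent(origRequest.getConsent());
        newRequest.setIsPassive(origRequest.isPassive());
        newRequest.setForceAuthn(origRequest.isForceAuthn());
        newRequest.setAttributeConsumingServiceIndex(origRequest.getAttributeConsumingServiceIndex());
        newRequest.setAssertionConsumerServiceIndex(origRequest.getAssertionConsumerServiceIndex());
        String protocolBinding = origRequest.getProtocolBinding();
        newRequest.setProtocolBinding(protocolBinding);
        OrderedSet acsSet = SPSSOFederate.getACSUrl(localDescriptor, protocolBinding);
        // Report a missing ACS URL as a SAML2Exception instead of letting get(0) throw an
        // IndexOutOfBoundsException into the catch-all below.
        if (acsSet == null || acsSet.isEmpty()) {
            throw new SAML2Exception(classMethod + "no AssertionConsumerService URL for binding " + protocolBinding);
        }
        newRequest.setAssertionConsumerServiceURL((String) acsSet.get(0));
        Issuer issuer = AssertionFactory.getInstance().createIssuer();
        issuer.setValue(hostedEntityId);
        newRequest.setIssuer(issuer);
        NameIDPolicy origNameIDPolicy = origRequest.getNameIDPolicy();
        if (origNameIDPolicy != null) {
            NameIDPolicy newNameIDPolicy = protocolFactory.createNameIDPolicy();
            newNameIDPolicy.setFormat(origNameIDPolicy.getFormat());
            // From the proxied IDP's point of view the hosted entity is the SP.
            newNameIDPolicy.setSPNameQualifier(hostedEntityId);
            newNameIDPolicy.setAllowCreate(origNameIDPolicy.isAllowCreate());
            newRequest.setNameIDPolicy(newNameIDPolicy);
        }
        newRequest.setRequestedAuthnContext(origRequest.getRequestedAuthnContext());
        newRequest.setExtensions(origRequest.getExtensions());
        newRequest.setIssueInstant(new Date());
        newRequest.setVersion(SAML2Constants.VERSION_2_0);
        Scoping scoping = origRequest.getScoping();
        if (scoping != null) {
            Scoping newScoping = protocolFactory.createScoping();
            Integer proxyCountInt = scoping.getProxyCount();
            if (proxyCountInt != null) {
                // Each proxy hop consumes one. ProxyCount is a non-negative integer in the
                // schema, so clamp at zero rather than emitting -1 for an incoming 0.
                newScoping.setProxyCount(Integer.valueOf(Math.max(proxyCountInt.intValue() - 1, 0)));
            }
            newScoping.setIDPList(scoping.getIDPList());
            newRequest.setScoping(newScoping);
        } else {
            // alwaysIdpProxy case: the incoming request carried no Scoping, so build one from
            // the remote SP's extended configuration (proxy count and IDP list attributes).
            SPSSOConfigElement spConfig = getSPSSOConfigByAuthnRequest(realm, origRequest);
            Map<String, List<String>> spConfigAttrMap = SAML2MetaUtils.getAttributes(spConfig);
            scoping = protocolFactory.createScoping();
            boolean scopingConfigured = false;
            String proxyCountParam = SPSSOFederate.getParameter(spConfigAttrMap, SAML2Constants.IDP_PROXY_COUNT);
            if (proxyCountParam != null && !proxyCountParam.isEmpty()) {
                // A malformed value raises NumberFormatException, which the catch-all below
                // wraps into a SAML2Exception.
                int proxyCount = Integer.parseInt(proxyCountParam);
                // This is a remote SP configuration, so decrement by one, never below zero.
                scoping.setProxyCount(proxyCount <= 0 ? 0 : proxyCount - 1);
                scopingConfigured = true;
            }
            List<String> proxyIdPs = spConfigAttrMap.get(SAML2Constants.IDP_PROXY_LIST);
            if (proxyIdPs != null && !proxyIdPs.isEmpty()) {
                List<IDPEntry> entries = new ArrayList<IDPEntry>(proxyIdPs.size());
                for (String proxyIdP : proxyIdPs) {
                    IDPEntry entry = protocolFactory.createIDPEntry();
                    entry.setProviderID(proxyIdP);
                    entries.add(entry);
                }
                IDPList idpList = protocolFactory.createIDPList();
                idpList.setIDPEntries(entries);
                scoping.setIDPList(idpList);
                scopingConfigured = true;
            }
            // Attach the Scoping whenever either attribute was configured. Previously a
            // configured proxy count was silently dropped when no IDP list was present,
            // so the outgoing request carried no hop limit at all.
            if (scopingConfigured) {
                newRequest.setScoping(scoping);
            }
        }
        return newRequest;
    } catch (Exception ex) {
        SAML2Utils.debug.error(classMethod + "Error in creating new authn request.", ex);
        throw new SAML2Exception(ex);
    }
}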

Example 37 with SPSSODescriptorElement

use of com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement in project OpenAM by OpenRock.

Class IDPSSOFederate, method idpProxyCase.

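/**
 * Having read the requestID, looks up the preferred IDP for this request.
 * If one was selected, sends a proxy authentication request built from the
 * parameters cached in {@code SPCache.reqParamHash} under the requestID and
 * removes that cache entry. Performs no action if the requestID is null.
 *
 * @param requestID Nullable identifier for the request. May be null.
 * @param request   the current HTTP request; the preferred IDP is read from it
 * @param response  the HTTP response the proxy AuthnRequest is sent through
 * @return {@code true} if a proxy authentication request was sent, {@code false} otherwise
 * @throws ServerFaultException If we couldn't send the authentication request, or if the
 *         cached request parameters for the requestID are no longer available.
 */
private boolean idpProxyCase(String requestID, HttpServletRequest request, HttpServletResponse response) throws ServerFaultException {
    final String classMethod = "IDPSSOFederate.idpProxyCase:";
    if (requestID == null) {
        return false;
    }
    String preferredIDP = SAML2Utils.getPreferredIDP(request);
    if (preferredIDP == null) {
        return false;
    }
    SAML2Utils.debug.message("{} IDP to be proxied {}", classMethod, preferredIDP);
    // Look the cache up only once a proxy is actually wanted, and fail explicitly when the
    // entry is gone (expired or already consumed) instead of dereferencing null below.
    final Map<?, ?> paramsMap = (Map<?, ?>) SPCache.reqParamHash.get(requestID);
    if (paramsMap == null) {
        SAML2Utils.debug.message("{} No cached request parameters for requestID {}", classMethod, requestID);
        throw new ServerFaultException("UnableToRedirectToPreferredIDP", "no cached request parameters for requestID " + requestID);
    }
    try {
        IDPProxyUtil.sendProxyAuthnRequest((AuthnRequest) paramsMap.get("authnReq"), preferredIDP, (SPSSODescriptorElement) paramsMap.get("spSSODescriptor"), (String) paramsMap.get("idpEntityID"), request, response, (String) paramsMap.get("realm"), (String) paramsMap.get("relayState"), (String) paramsMap.get("binding"));
        SPCache.reqParamHash.remove(requestID);
        return true;
    } catch (SAML2Exception | IOException e) {
        // The original message prefixed classMethod twice (once concatenated, once as a
        // placeholder argument); the placeholder form alone is used here.
        SAML2Utils.debug.message("{} Redirecting for the proxy handling error: {}", classMethod, e.getMessage());
        throw new ServerFaultException("UnableToRedirectToPreferredIDP", e.getMessage());
    }
}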

Example 38 with SPSSODescriptorElement

use of com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement in project OpenAM by OpenRock.

Class AuthnQueryUtil, method verifyAuthnQuery.

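/**
 * Verifies an incoming AuthnQuery: it must be signed, its Issuer must be a valid
 * source site for this authentication authority in the realm, the issuing SP must
 * have an SPSSODescriptor in the realm, and the signature must verify against the
 * SP's configured signing certificates.
 *
 * @param authnQuery             the AuthnQuery to verify
 * @param authnAuthorityEntityID entity ID of the hosted authentication authority
 * @param realm                  realm of the hosted authentication authority
 * @throws SAML2Exception if the query is unsigned, the Issuer is absent or not a valid
 *         source site, the SP metadata cannot be found, no signing certificate is
 *         configured for the SP, or the signature does not verify
 */
private static void verifyAuthnQuery(AuthnQuery authnQuery, String authnAuthorityEntityID, String realm) throws SAML2Exception {
    if (!authnQuery.isSigned()) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("authnQueryNotSigned"));
    }
    Issuer issuer = authnQuery.getIssuer();
    // A query without an Issuer cannot be attributed to any SP; reject it as an invalid
    // issuer rather than failing with a NullPointerException on issuer.getValue().
    if (issuer == null || !SAML2Utils.isSourceSiteValid(issuer, realm, authnAuthorityEntityID)) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("authnQueryIssuerInvalid"));
    }
    String spEntityID = issuer.getValue();
    SPSSODescriptorElement spSSODesc = SAML2Utils.getSAML2MetaManager().getSPSSODescriptor(realm, spEntityID);
    if (spSSODesc == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("authnQueryIssuerNotFound"));
    }
    Set<X509Certificate> signingCerts = KeyUtil.getVerificationCerts(spSSODesc, spEntityID, SAML2Constants.SP_ROLE);
    // Without any verification certificate the signature cannot be checked; fail closed.
    if (signingCerts.isEmpty()) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
    }
    boolean valid = authnQuery.isSignatureValid(signingCerts);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("AuthnQueryUtil.verifyAuthnQuery: " + "Signature validity is : " + valid);
    }
    if (!valid) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignatureAuthnQuery"));
    }
}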

Example 39 with SPSSODescriptorElement

use of com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement in project OpenAM by OpenRock.

Class DoManageNameID, method getSPManageNameIDConfig.

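/**
 * Returns a ManageNameID service configuration of the SP entity under the realm.
 *
 * @param realm    The realm under which the entity resides.
 * @param entityId ID of the SP entity to be retrieved.
 * @param binding  binding to match (case-insensitive), or null to take the first entry.
 * @return the first <code>ManageNameIDServiceElement</code> when {@code binding} is
 *         null; otherwise the first entry whose binding matches. If no entry matches,
 *         the last entry in the list is returned (existing fallback behaviour that
 *         callers may rely on). Returns null only when the entity has no
 *         SPSSODescriptor or no ManageNameIDService entries.
 * @throws SAML2MetaException if unable to retrieve the entity's SP metadata.
 * @throws SessionException declared for API compatibility; not thrown by this method.
 */
public static ManageNameIDServiceElement getSPManageNameIDConfig(String realm, String entityId, String binding) throws SAML2MetaException, SessionException {
    SPSSODescriptorElement spSSODesc = metaManager.getSPSSODescriptor(realm, entityId);
    if (spSSODesc == null) {
        return null;
    }
    List<?> services = spSSODesc.getManageNameIDService();
    if (services == null || services.isEmpty()) {
        return null;
    }
    if (binding == null) {
        return (ManageNameIDServiceElement) services.get(0);
    }
    ManageNameIDServiceElement mni = null;
    for (Object candidate : services) {
        mni = (ManageNameIDServiceElement) candidate;
        if (binding.equalsIgnoreCase(mni.getBinding())) {
            break;
        }
    }
    // When nothing matched, mni is the last entry examined; that fallback is preserved
    // deliberately because existing callers may depend on it.
    return mni;
}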

Example 40 with SPSSODescriptorElement

use of com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement in project OpenAM by OpenRock.

Class DoManageNameID, method verifyMNIRequest.

/**
 * Verifies the signature on an inbound ManageNameIDRequest when the hosted entity's
 * configuration requires MNI requests to be signed.
 *
 * @param mniRequest     the received ManageNameIDRequest
 * @param realm          realm of the hosted entity
 * @param remoteEntity   entity ID of the peer that sent the request
 * @param hostEntity     entity ID of the hosted entity receiving the request
 * @param hostEntityRole role of the hosted entity; the peer's certificates are read from
 *                       the descriptor of the opposite role (SP when hosted as IDP,
 *                       IDP otherwise)
 * @param destination    request destination; not examined by this method
 * @return {@code true} when no signature check is required, otherwise the result of
 *         the signature verification
 * @throws SAML2Exception if the remote entity has no signing certificate configured
 */
private static boolean verifyMNIRequest(ManageNameIDRequest mniRequest, String realm, String remoteEntity, String hostEntity, String hostEntityRole, String destination) throws SAML2Exception {
    String method = "verifyMNIRequest : ";
    if (debug.messageEnabled()) {
        debug.message(method + "realm is : " + realm);
        debug.message(method + "remoteEntity is : " + remoteEntity);
        debug.message(method + "Host Entity role is : " + hostEntityRole);
    }
    if (!SAML2Utils.getWantMNIRequestSigned(realm, hostEntity, hostEntityRole)) {
        if (debug.messageEnabled()) {
            debug.message(method + "MNIRequest doesn't need to be verified.");
        }
        return true;
    }
    boolean hostedAsIdp = hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE);
    Set<X509Certificate> peerCerts;
    if (hostedAsIdp) {
        SPSSODescriptorElement peerSpDesc = metaManager.getSPSSODescriptor(realm, remoteEntity);
        peerCerts = KeyUtil.getVerificationCerts(peerSpDesc, remoteEntity, SAML2Constants.SP_ROLE);
    } else {
        IDPSSODescriptorElement peerIdpDesc = metaManager.getIDPSSODescriptor(realm, remoteEntity);
        peerCerts = KeyUtil.getVerificationCerts(peerIdpDesc, remoteEntity, SAML2Constants.IDP_ROLE);
    }
    if (peerCerts.isEmpty()) {
        // No certificate to verify against: log and fail closed.
        logError("missingSigningCertAlias.", LogUtil.METADATA_ERROR, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
    }
    boolean signatureOk = mniRequest.isSignatureValid(peerCerts);
    if (debug.messageEnabled()) {
        debug.message(method + "Signature is : " + signatureOk);
    }
    return signatureOk;
}
