Search in sources :

Example 1 with AttributeQueryDescriptorElement

use of com.sun.identity.saml2.jaxb.metadataextquery.AttributeQueryDescriptorElement in project OpenAM by OpenRock.

the class SAML2COTUtils method updateEntityConfig.

/**
     * Updates the entity config to add the circle of turst name to the
     * <code>cotlist</code> attribute. The Service Provider and Identity
     * Provider Configuration are updated.
     *
     * @param realm the realm name where the entity configuration is.
     * @param name the circle of trust name.
     * @param entityId the name of the Entity identifier.
     * @throws SAML2MetaException if there is a configuration error when
     *         updating the configuration.
     * @throws JAXBException is there is an error updating the entity
     *          configuration.
     */
public void updateEntityConfig(String realm, String name, String entityId) throws SAML2MetaException, JAXBException {
    String classMethod = "SAML2COTUtils.updateEntityConfig: ";
    SAML2MetaManager metaManager = null;
    if (callerSession == null) {
        metaManager = new SAML2MetaManager();
    } else {
        metaManager = new SAML2MetaManager(callerSession);
    }
    ObjectFactory objFactory = new ObjectFactory();
    // Check whether the entity id existed in the DS
    EntityDescriptorElement edes = metaManager.getEntityDescriptor(realm, entityId);
    if (edes == null) {
        debug.error(classMethod + "No such entity: " + entityId);
        String[] data = { realm, entityId };
        throw new SAML2MetaException("entityid_invalid", data);
    }
    boolean isAffiliation = false;
    if (metaManager.getAffiliationDescriptor(realm, entityId) != null) {
        isAffiliation = true;
    }
    if (debug.messageEnabled()) {
        debug.message(classMethod + "is " + entityId + " in realm " + realm + " an affiliation? " + isAffiliation);
    }
    EntityConfigElement eConfig = metaManager.getEntityConfig(realm, entityId);
    if (eConfig == null) {
        BaseConfigType bctype = null;
        AttributeType atype = objFactory.createAttributeType();
        atype.setName(SAML2Constants.COT_LIST);
        atype.getValue().add(name);
        // add to eConfig
        EntityConfigElement ele = objFactory.createEntityConfigElement();
        ele.setEntityID(entityId);
        ele.setHosted(false);
        if (isAffiliation) {
            // handle affiliation case
            bctype = objFactory.createAffiliationConfigElement();
            bctype.getAttribute().add(atype);
            ele.setAffiliationConfig(bctype);
        } else {
            List ll = ele.getIDPSSOConfigOrSPSSOConfigOrAuthnAuthorityConfig();
            // Decide which role EntityDescriptorElement includes
            List list = edes.getRoleDescriptorOrIDPSSODescriptorOrSPSSODescriptor();
            for (Iterator iter = list.iterator(); iter.hasNext(); ) {
                Object obj = iter.next();
                if (obj instanceof SPSSODescriptorElement) {
                    bctype = objFactory.createSPSSOConfigElement();
                    bctype.getAttribute().add(atype);
                    ll.add(bctype);
                } else if (obj instanceof IDPSSODescriptorElement) {
                    bctype = objFactory.createIDPSSOConfigElement();
                    bctype.getAttribute().add(atype);
                    ll.add(bctype);
                } else if (obj instanceof XACMLPDPDescriptorElement) {
                    bctype = objFactory.createXACMLPDPConfigElement();
                    bctype.getAttribute().add(atype);
                    ll.add(bctype);
                } else if (obj instanceof XACMLAuthzDecisionQueryDescriptorElement) {
                    bctype = objFactory.createXACMLAuthzDecisionQueryConfigElement();
                    bctype.getAttribute().add(atype);
                    ll.add(bctype);
                } else if (obj instanceof AttributeAuthorityDescriptorElement) {
                    bctype = objFactory.createAttributeAuthorityConfigElement();
                    bctype.getAttribute().add(atype);
                    ll.add(bctype);
                } else if (obj instanceof AttributeQueryDescriptorElement) {
                    bctype = objFactory.createAttributeQueryConfigElement();
                    bctype.getAttribute().add(atype);
                    ll.add(bctype);
                } else if (obj instanceof AuthnAuthorityDescriptorElement) {
                    bctype = objFactory.createAuthnAuthorityConfigElement();
                    bctype.getAttribute().add(atype);
                    ll.add(bctype);
                }
            }
        }
        metaManager.setEntityConfig(realm, ele);
    } else {
        boolean needToSave = true;
        List elist = null;
        if (isAffiliation) {
            AffiliationConfigElement affiliationCfgElm = metaManager.getAffiliationConfig(realm, entityId);
            elist = new ArrayList();
            elist.add(affiliationCfgElm);
        } else {
            elist = eConfig.getIDPSSOConfigOrSPSSOConfigOrAuthnAuthorityConfig();
        }
        for (Iterator iter = elist.iterator(); iter.hasNext(); ) {
            boolean foundCOT = false;
            BaseConfigType bConfig = (BaseConfigType) iter.next();
            List list = bConfig.getAttribute();
            for (Iterator iter2 = list.iterator(); iter2.hasNext(); ) {
                AttributeType avp = (AttributeType) iter2.next();
                if (avp.getName().trim().equalsIgnoreCase(SAML2Constants.COT_LIST)) {
                    foundCOT = true;
                    List avpl = avp.getValue();
                    if (avpl.isEmpty() || !containsValue(avpl, name)) {
                        avpl.add(name);
                        needToSave = true;
                        break;
                    }
                }
            }
            // no cot_list in the original entity config
            if (!foundCOT) {
                AttributeType atype = objFactory.createAttributeType();
                atype.setName(SAML2Constants.COT_LIST);
                atype.getValue().add(name);
                list.add(atype);
                needToSave = true;
            }
        }
        if (needToSave) {
            metaManager.setEntityConfig(realm, eConfig);
        }
    }
}
Also used : AuthnAuthorityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement) SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) XACMLPDPDescriptorElement(com.sun.identity.saml2.jaxb.metadata.XACMLPDPDescriptorElement) AttributeAuthorityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.AttributeAuthorityDescriptorElement) ArrayList(java.util.ArrayList) AttributeQueryDescriptorElement(com.sun.identity.saml2.jaxb.metadataextquery.AttributeQueryDescriptorElement) EntityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.EntityDescriptorElement) BaseConfigType(com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType) AffiliationConfigElement(com.sun.identity.saml2.jaxb.entityconfig.AffiliationConfigElement) ObjectFactory(com.sun.identity.saml2.jaxb.entityconfig.ObjectFactory) AttributeType(com.sun.identity.saml2.jaxb.entityconfig.AttributeType) Iterator(java.util.Iterator) ArrayList(java.util.ArrayList) List(java.util.List) XACMLAuthzDecisionQueryDescriptorElement(com.sun.identity.saml2.jaxb.metadata.XACMLAuthzDecisionQueryDescriptorElement) EntityConfigElement(com.sun.identity.saml2.jaxb.entityconfig.EntityConfigElement) IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)

Example 2 with AttributeQueryDescriptorElement

use of com.sun.identity.saml2.jaxb.metadataextquery.AttributeQueryDescriptorElement in project OpenAM by OpenRock.

the class AttributeQueryUtil method encryptAssertion.

private static EncryptedAssertion encryptAssertion(Assertion assertion, EncryptedID encryptedID, String attrAuthorityEntityID, String requesterEntityID, String realm, String attrQueryProfileAlias) throws SAML2Exception {
    SecretKey secretKey = EncManager.getEncInstance().getSecretKey(encryptedID.toXMLString(true, true), KeyUtil.getDecryptionKeys(realm, attrAuthorityEntityID, SAML2Constants.ATTR_AUTH_ROLE));
    AttributeQueryDescriptorElement aqd = metaManager.getAttributeQueryDescriptor(realm, requesterEntityID);
    EncInfo encInfo = KeyUtil.getEncInfo(aqd, requesterEntityID, SAML2Constants.ATTR_QUERY_ROLE);
    Element el = EncManager.getEncInstance().encrypt(assertion.toXMLString(true, true), encInfo.getWrappingKey(), secretKey, encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), requesterEntityID, "EncryptedAssertion");
    return AssertionFactory.getInstance().createEncryptedAssertion(el);
}
Also used : EncInfo(com.sun.identity.saml2.key.EncInfo) SecretKey(javax.crypto.SecretKey) AttributeServiceElement(com.sun.identity.saml2.jaxb.metadata.AttributeServiceElement) AttributeValueElement(com.sun.identity.saml2.jaxb.assertion.AttributeValueElement) AttributeElement(com.sun.identity.saml2.jaxb.assertion.AttributeElement) IDPSSOConfigElement(com.sun.identity.saml2.jaxb.entityconfig.IDPSSOConfigElement) AttributeAuthorityConfigElement(com.sun.identity.saml2.jaxb.entityconfig.AttributeAuthorityConfigElement) AttributeQueryDescriptorElement(com.sun.identity.saml2.jaxb.metadataextquery.AttributeQueryDescriptorElement) AttributeAuthorityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.AttributeAuthorityDescriptorElement) Element(org.w3c.dom.Element) AttributeQueryConfigElement(com.sun.identity.saml2.jaxb.entityconfig.AttributeQueryConfigElement) AttributeQueryDescriptorElement(com.sun.identity.saml2.jaxb.metadataextquery.AttributeQueryDescriptorElement)

Example 3 with AttributeQueryDescriptorElement

use of com.sun.identity.saml2.jaxb.metadataextquery.AttributeQueryDescriptorElement in project OpenAM by OpenRock.

the class AttributeQueryUtil method verifyAttrQuerySignature.

/**
     * Checks if the attribute query signature is valid.
     *
     * @param attrQuery attribute query
     * @param attrAuthorityEntityID entity ID of attribute authority
     * @param realm the realm of hosted entity
     *
     * @exception SAML2Exception if the attribute query signature is not valid.
     */
public static void verifyAttrQuerySignature(AttributeQuery attrQuery, String attrAuthorityEntityID, String realm) throws SAML2Exception {
    if (!attrQuery.isSigned()) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("attrQueryNotSigned"));
    }
    String requestedEntityID = attrQuery.getIssuer().getValue();
    AttributeQueryDescriptorElement attrqDesc = metaManager.getAttributeQueryDescriptor(realm, requestedEntityID);
    if (attrqDesc == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("attrQueryIssuerNotFound"));
    }
    Set<X509Certificate> signingCerts = KeyUtil.getVerificationCerts(attrqDesc, requestedEntityID, SAML2Constants.ATTR_QUERY_ROLE);
    if (!signingCerts.isEmpty()) {
        boolean valid = attrQuery.isSignatureValid(signingCerts);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AttributeQueryUtil.verifyAttributeQuery: " + "Signature validity is : " + valid);
        }
        if (!valid) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignatureAttrQuery"));
        }
    } else {
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
    }
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) AttributeQueryDescriptorElement(com.sun.identity.saml2.jaxb.metadataextquery.AttributeQueryDescriptorElement) X509Certificate(java.security.cert.X509Certificate)

Example 4 with AttributeQueryDescriptorElement

use of com.sun.identity.saml2.jaxb.metadataextquery.AttributeQueryDescriptorElement in project OpenAM by OpenRock.

the class SAMLv2ModelImpl method createExtendedObject.

/**
     * Creates the extended config object when it does not exist.
     * @param realm the realm to which the entity belongs.
     * @param entityName is the entity id.
     * @param location indicates whether hosted or remote
     * @param role can be SP, IDP or SP/IDP.
     * @throws SAML2MetaException, JAXBException,
     *     AMConsoleException if saving of attribute value fails.
     */
private void createExtendedObject(String realm, String entityName, String location, String role) throws SAML2MetaException, JAXBException, AMConsoleException {
    SAML2MetaManager samlManager = getSAML2MetaManager();
    EntityDescriptorElement entityDescriptor = samlManager.getEntityDescriptor(realm, entityName);
    ObjectFactory objFactory = new ObjectFactory();
    EntityConfigElement entityConfigElement = objFactory.createEntityConfigElement();
    entityConfigElement.setEntityID(entityName);
    if (location.equals("remote")) {
        entityConfigElement.setHosted(false);
    } else {
        entityConfigElement.setHosted(true);
    }
    List configList = entityConfigElement.getIDPSSOConfigOrSPSSOConfigOrAuthnAuthorityConfig();
    BaseConfigType baseConfigIDP = null;
    BaseConfigType baseConfigSP = null;
    BaseConfigType baseConfigAuth = null;
    AttributeAuthorityDescriptorElement attrauthDescriptor = samlManager.getAttributeAuthorityDescriptor(realm, entityName);
    AuthnAuthorityDescriptorElement authnauthDescriptor = samlManager.getAuthnAuthorityDescriptor(realm, entityName);
    AttributeQueryDescriptorElement attrQueryDescriptor = samlManager.getAttributeQueryDescriptor(realm, entityName);
    IDPSSODescriptorElement idpssoDesc = samlManager.getIDPSSODescriptor(realm, entityName);
    SPSSODescriptorElement spssoDesc = samlManager.getSPSSODescriptor(realm, entityName);
    XACMLAuthzDecisionQueryDescriptorElement xacmlAuthzDescriptor = samlManager.getPolicyEnforcementPointDescriptor(realm, entityName);
    XACMLPDPDescriptorElement xacmlPDPDescriptor = samlManager.getPolicyDecisionPointDescriptor(realm, entityName);
    if (isDualRole(entityDescriptor)) {
        baseConfigIDP = objFactory.createIDPSSOConfigElement();
        baseConfigSP = objFactory.createSPSSOConfigElement();
        baseConfigIDP = addAttributeType(extendedMetaIdpMap, baseConfigIDP);
        baseConfigSP = addAttributeType(extendedMetaSpMap, baseConfigSP);
        configList.add(baseConfigIDP);
        configList.add(baseConfigSP);
    } else if (role.equals(EntityModel.IDENTITY_PROVIDER) || (idpssoDesc != null)) {
        baseConfigIDP = objFactory.createIDPSSOConfigElement();
        baseConfigIDP = addAttributeType(extendedMetaIdpMap, baseConfigIDP);
        configList.add(baseConfigIDP);
    } else if (role.equals(EntityModel.SERVICE_PROVIDER) || (spssoDesc != null)) {
        baseConfigSP = objFactory.createSPSSOConfigElement();
        baseConfigSP = addAttributeType(extendedMetaSpMap, baseConfigSP);
        configList.add(baseConfigSP);
    }
    if (role.equals(EntityModel.SAML_ATTRAUTHORITY) || (attrauthDescriptor != null)) {
        baseConfigAuth = objFactory.createAttributeAuthorityConfigElement();
        baseConfigAuth = addAttributeType(extAttrAuthMap, baseConfigAuth);
        configList.add(baseConfigAuth);
    }
    if (role.equals(EntityModel.SAML_AUTHNAUTHORITY) || (authnauthDescriptor != null)) {
        baseConfigAuth = objFactory.createAuthnAuthorityConfigElement();
        baseConfigAuth = addAttributeType(extAuthnAuthMap, baseConfigAuth);
        configList.add(baseConfigAuth);
    }
    if (role.equals(EntityModel.SAML_ATTRQUERY) || (attrQueryDescriptor != null)) {
        baseConfigAuth = objFactory.createAttributeQueryConfigElement();
        baseConfigAuth = addAttributeType(extattrQueryMap, baseConfigAuth);
        configList.add(baseConfigAuth);
    }
    if (role.equals(EntityModel.POLICY_DECISION_POINT_DESCRIPTOR) || (xacmlPDPDescriptor != null)) {
        baseConfigAuth = objFactory.createXACMLPDPConfigElement();
        baseConfigAuth = addAttributeType(xacmlPDPExtendedMeta, baseConfigAuth);
        configList.add(baseConfigAuth);
    }
    if (role.equals(EntityModel.POLICY_ENFORCEMENT_POINT_DESCRIPTOR) || (xacmlAuthzDescriptor != null)) {
        baseConfigAuth = objFactory.createXACMLAuthzDecisionQueryConfigElement();
        baseConfigAuth = addAttributeType(xacmlPEPExtendedMeta, baseConfigAuth);
        configList.add(baseConfigAuth);
    }
    samlManager.setEntityConfig(realm, entityConfigElement);
}
Also used : AuthnAuthorityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement) SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) AttributeAuthorityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.AttributeAuthorityDescriptorElement) XACMLPDPDescriptorElement(com.sun.identity.saml2.jaxb.metadata.XACMLPDPDescriptorElement) AttributeQueryDescriptorElement(com.sun.identity.saml2.jaxb.metadataextquery.AttributeQueryDescriptorElement) SAML2MetaManager(com.sun.identity.saml2.meta.SAML2MetaManager) EntityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.EntityDescriptorElement) BaseConfigType(com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType) ObjectFactory(com.sun.identity.saml2.jaxb.entityconfig.ObjectFactory) List(java.util.List) ArrayList(java.util.ArrayList) XACMLAuthzDecisionQueryDescriptorElement(com.sun.identity.saml2.jaxb.metadata.XACMLAuthzDecisionQueryDescriptorElement) EntityConfigElement(com.sun.identity.saml2.jaxb.entityconfig.EntityConfigElement) IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)

Example 5 with AttributeQueryDescriptorElement

use of com.sun.identity.saml2.jaxb.metadataextquery.AttributeQueryDescriptorElement in project OpenAM by OpenRock.

the class SAMLv2ModelImpl method setStdAttributeQueryValues.

/**
     * Saves the standard attribute values for Attribute Query.
     *
     * @param realm to which the entity belongs.
     * @param entityName is the entity id.
     * @param attrQueryValues Map which contains standard attribute query values.
     * @throws AMConsoleException if saving of attribute value fails.
     */
public void setStdAttributeQueryValues(String realm, String entityName, Map attrQueryValues) throws AMConsoleException {
    String[] params = { realm, entityName, "SAMLv2", "AttribQuery-Std" };
    logEvent("ATTEMPT_MODIFY_ATTR_QUERY_ATTR_VALUES", params);
    AttributeQueryDescriptorElement attrQueryDescriptor = null;
    try {
        SAML2MetaManager samlManager = getSAML2MetaManager();
        EntityDescriptorElement entityDescriptor = samlManager.getEntityDescriptor(realm, entityName);
        attrQueryDescriptor = samlManager.getAttributeQueryDescriptor(realm, entityName);
        if (attrQueryDescriptor != null) {
            //save nameid format
            List NameIdFormatList = attrQueryDescriptor.getNameIDFormat();
            if (!NameIdFormatList.isEmpty()) {
                attrQueryDescriptor.getNameIDFormat().clear();
            }
            List listtoSave = convertSetToList((Set) attrQueryValues.get(ATTR_NAMEID_FORMAT));
            Iterator itt = listtoSave.listIterator();
            while (itt.hasNext()) {
                String name = (String) itt.next();
                attrQueryDescriptor.getNameIDFormat().add(name);
            }
            samlManager.setEntityDescriptor(realm, entityDescriptor);
        }
        logEvent("SUCCEED_MODIFY_ATTR_QUERY_ATTR_VALUES", params);
    } catch (SAML2MetaException e) {
        debug.warning("SAMLv2ModelImpl.setStdAttributeQueryValues:", e);
        String strError = getErrorString(e);
        String[] paramsEx = { realm, entityName, "SAMLv2", "AttribQuery-Std", strError };
        logEvent("FEDERATION_EXCEPTION_MODIFY_ATTR_QUERY_ATTR_VALUES", paramsEx);
        throw new AMConsoleException(strError);
    }
}
Also used : Iterator(java.util.Iterator) AttributeQueryDescriptorElement(com.sun.identity.saml2.jaxb.metadataextquery.AttributeQueryDescriptorElement) List(java.util.List) ArrayList(java.util.ArrayList) SAML2MetaManager(com.sun.identity.saml2.meta.SAML2MetaManager) AMConsoleException(com.sun.identity.console.base.model.AMConsoleException) EntityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.EntityDescriptorElement) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)

Aggregations

AttributeQueryDescriptorElement (com.sun.identity.saml2.jaxb.metadataextquery.AttributeQueryDescriptorElement)6 AttributeAuthorityDescriptorElement (com.sun.identity.saml2.jaxb.metadata.AttributeAuthorityDescriptorElement)3 EntityDescriptorElement (com.sun.identity.saml2.jaxb.metadata.EntityDescriptorElement)3 SAML2MetaManager (com.sun.identity.saml2.meta.SAML2MetaManager)3 ArrayList (java.util.ArrayList)3 List (java.util.List)3 AMConsoleException (com.sun.identity.console.base.model.AMConsoleException)2 BaseConfigType (com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType)2 EntityConfigElement (com.sun.identity.saml2.jaxb.entityconfig.EntityConfigElement)2 ObjectFactory (com.sun.identity.saml2.jaxb.entityconfig.ObjectFactory)2 AuthnAuthorityDescriptorElement (com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement)2 IDPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)2 SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)2 XACMLAuthzDecisionQueryDescriptorElement (com.sun.identity.saml2.jaxb.metadata.XACMLAuthzDecisionQueryDescriptorElement)2 XACMLPDPDescriptorElement (com.sun.identity.saml2.jaxb.metadata.XACMLPDPDescriptorElement)2 SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)2 Iterator (java.util.Iterator)2 SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)1 AttributeElement (com.sun.identity.saml2.jaxb.assertion.AttributeElement)1 AttributeValueElement (com.sun.identity.saml2.jaxb.assertion.AttributeValueElement)1