
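/**
 * Returns whether the given service provider asks for signed assertions, i.e. the
 * value of the {@code WantAssertionsSigned} attribute on its SP SSO descriptor.
 *
 * @param realm      the realm under which the SP entity resides.
 * @param spEntityID the entity ID of the service provider.
 * @return the SP's {@code WantAssertionsSigned} metadata flag.
 * @throws SAML2Exception if the meta manager is unavailable or the SP SSO
 *         descriptor cannot be retrieved (see {@code getSPSSODescriptor}).
 */
private static boolean wantAssertionsSigned(String realm, String spEntityID) throws SAML2Exception {
    String method = "IPDSSOUtil:wantAssertionsSigned : ";
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(method + ": realm - " + realm + "/: spEntityID - " + spEntityID);
    }
    // getSPSSODescriptor is declared as (realm, spEntityID, classMethod). The
    // arguments used to be forwarded as (spEntityID, realm, method), i.e. the
    // realm went where the entity ID is expected, so the metadata lookup would
    // be done against the wrong realm/entity. NOTE(review): if any caller was
    // compensating by swapping its own arguments, it must be corrected as well.
    SPSSODescriptorElement spSSODescriptor = getSPSSODescriptor(realm, spEntityID, method);
    return spSSODescriptor.isWantAssertionsSigned();
}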

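/**
 * Sends a new AuthnRequest to the authenticating (proxied) identity provider on
 * behalf of the hosted proxy entity.
 * <p>
 * The proxied IDP's single sign-on endpoint is selected to match the binding of the
 * original AuthnRequest. The new request is cached under its own ID, together with
 * the original request, so both can be correlated when the user comes back. It is
 * signed when either the proxied IDP wants signed AuthnRequests or the hosted SP
 * metadata declares that it signs them: an XML signature for HTTP-POST, a signed
 * query string (via {@code SPSSOFederate.signQueryString}) for every other binding,
 * which is sent as an HTTP redirect.
 *
 * @param authnRequest    original AuthnRequest sent by the service provider.
 * @param preferredIDP    entity ID of the IDP to be proxied.
 * @param spSSODescriptor SPSSO descriptor element of the requesting SP; kept for
 *                        API compatibility, it is not read by this method.
 * @param hostedEntityId  entity ID of the hosted provider acting as proxy.
 * @param request         HttpServletRequest.
 * @param response        HttpServletResponse.
 * @param realm           realm of the hosted entity.
 * @param relayState      the relay state supplied by the SP; may be null or empty.
 * @param originalBinding the binding used to send the original AuthnRequest.
 * @throws SAML2Exception if the proxied IDP's metadata, its SSO endpoint or the
 *                        hosted SP metadata cannot be resolved, or for any other
 *                        SAML2 failure while building or signing the request.
 * @throws IOException    if the redirect or POST to the proxied IDP fails.
 */
public static void sendProxyAuthnRequest(AuthnRequest authnRequest, String preferredIDP, SPSSODescriptorElement spSSODescriptor, String hostedEntityId, HttpServletRequest request, HttpServletResponse response, String realm, String relayState, String originalBinding) throws SAML2Exception, IOException {
    String classMethod = "IDPProxyUtil.sendProxyAuthnRequest: ";
    String destination = null;
    SPSSODescriptorElement localDescriptor = null;
    SPSSOConfigElement localDescriptorConfig = null;
    IDPSSODescriptorElement idpDescriptor = null;
    String binding;
    try {
        idpDescriptor = IDPSSOUtil.metaManager.getIDPSSODescriptor(realm, preferredIDP);
        if (idpDescriptor == null) {
            // The meta manager may return null for an unknown entity; report it as a
            // metadata error (as the SP-side lookup does) instead of an NPE below.
            SAML2Utils.debug.error(classMethod + "Unable to get IDP SSO Descriptor from metadata for " + preferredIDP);
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }
        List<SingleSignOnServiceElement> ssoServiceList = idpDescriptor.getSingleSignOnService();
        SingleSignOnServiceElement endpoint = getMatchingSSOEndpoint(ssoServiceList, originalBinding);
        if (endpoint == null) {
            SAML2Utils.debug.error(classMethod + "Single Sign-on service is not found for the proxying IDP.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("ssoServiceNotFoundIDPProxy"));
        }
        binding = endpoint.getBinding();
        destination = endpoint.getLocation();
        localDescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(realm, hostedEntityId);
        localDescriptorConfig = IDPSSOUtil.metaManager.getSPSSOConfig(realm, hostedEntityId);
        if (localDescriptor == null) {
            // Needed unconditionally below to decide whether to sign.
            SAML2Utils.debug.error(classMethod + "Unable to get hosted SP SSO Descriptor from metadata for " + hostedEntityId);
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }
    } catch (SAML2MetaException e) {
        // The stack trace goes to the debug log; only the message is propagated.
        SAML2Utils.debug.error(classMethod, e);
        throw new SAML2Exception(e.getMessage());
    }
    AuthnRequest newAuthnRequest = getNewAuthnRequest(hostedEntityId, destination, realm, authnRequest);
    // invoke SP Adapter class if registered
    SAML2ServiceProviderAdapter spAdapter = SAML2Utils.getSPAdapterClass(hostedEntityId, realm);
    if (spAdapter != null) {
        spAdapter.preSingleSignOnRequest(hostedEntityId, preferredIDP, realm, request, response, newAuthnRequest);
    }
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(classMethod + "New Authentication request:" + newAuthnRequest.toXMLString());
    }
    String requestID = newAuthnRequest.getID();
    // Cache the new AuthnRequest so it can be retrieved when the user successfully
    // authenticates at the proxied IDP, and the original AuthnRequest next to it so
    // the final response can be built for the requesting SP.
    IDPCache.authnRequestCache.put(requestID, newAuthnRequest);
    IDPCache.proxySPAuthnReqCache.put(requestID, authnRequest);
    // Sign if either side asks for it.
    boolean signingNeeded = idpDescriptor.isWantAuthnRequestsSigned() || localDescriptor.isAuthnRequestsSigned();
    // The relay state is replaced by a short ID (keyed on the original request ID)
    // which is what gets appended to the SSO URL.
    String relayStateID = null;
    if (relayState != null && relayState.length() > 0) {
        relayStateID = SPSSOFederate.getRelayStateID(relayState, authnRequest.getID());
    }
    // Null-safe: a metadata endpoint without a Binding attribute falls into the
    // redirect branch instead of throwing an NPE.
    if (SAML2Constants.HTTP_POST.equals(binding)) {
        if (signingNeeded) {
            // The XML signature must cover the final request: sign before serializing.
            SPSSOFederate.signAuthnRequest(getProxySigningCertAlias(localDescriptorConfig), newAuthnRequest);
        }
        String authXMLString = newAuthnRequest.toXMLString(true, true);
        String encodedReqMsg = SAML2Utils.encodeForPOST(authXMLString);
        SAML2Utils.postToTarget(request, response, "SAMLRequest", encodedReqMsg, "RelayState", relayStateID, destination);
    } else {
        String authReqXMLString = newAuthnRequest.toXMLString(true, true);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + " AuthnRequest: " + authReqXMLString);
        }
        String encodedXML = SAML2Utils.encodeForRedirect(authReqXMLString);
        StringBuilder queryString = new StringBuilder().append(SAML2Constants.SAML_REQUEST).append(SAML2Constants.EQUAL).append(encodedXML);
        //TODO:  should it be newAuthnRequest??? 
        if (relayStateID != null && relayStateID.length() > 0) {
            queryString.append("&").append(SAML2Constants.RELAY_STATE).append("=").append(URLEncDec.encode(relayStateID));
        }
        StringBuilder redirectURL = new StringBuilder().append(destination).append(destination.contains("?") ? "&" : "?");
        if (signingNeeded) {
            // For the redirect binding the signature covers the query string, not the XML.
            redirectURL.append(SPSSOFederate.signQueryString(queryString.toString(), getProxySigningCertAlias(localDescriptorConfig)));
        } else {
            redirectURL.append(queryString);
        }
        response.sendRedirect(redirectURL.toString());
    }
    String[] data = { destination };
    LogUtil.access(Level.INFO, LogUtil.REDIRECT_TO_SP, data, null);
    AuthnRequestInfo reqInfo = new AuthnRequestInfo(request, response, realm, hostedEntityId, preferredIDP, newAuthnRequest, relayState, null);
    synchronized (SPCache.requestHash) {
        SPCache.requestHash.put(requestID, reqInfo);
    }
    if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
        try {
            // sessionExpireTime is counted in seconds
            long sessionExpireTime = System.currentTimeMillis() / 1000 + SPCache.interval;
            SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(requestID, new AuthnRequestInfoCopy(reqInfo), sessionExpireTime);
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + " SAVE AuthnRequestInfoCopy for requestID " + requestID);
            }
        } catch (SAML2TokenRepositoryException se) {
            // Best effort: the request has already been sent, and the local cache
            // entry above still serves this node, so a failover-store failure is
            // logged rather than propagated.
            SAML2Utils.debug.error(classMethod + " SAVE AuthnRequestInfoCopy for requestID " + requestID + ", failed!", se);
        }
    }
}

/**
 * Returns the signing certificate alias configured on the hosted SP entity, used to
 * sign the proxied AuthnRequest.
 *
 * @param localDescriptorConfig the hosted SP's entity configuration.
 * @return the {@code signingCertAlias} attribute as returned by
 *         {@code SPSSOFederate.getParameter} (may be null if unset).
 * @throws SAML2Exception if no entity configuration is available: a signature was
 *         required and cannot be produced without it.
 */
private static String getProxySigningCertAlias(SPSSOConfigElement localDescriptorConfig) throws SAML2Exception {
    if (localDescriptorConfig == null) {
        SAML2Utils.debug.error("IDPProxyUtil.getProxySigningCertAlias: hosted SP configuration is missing, cannot sign the request.");
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    return SPSSOFederate.getParameter(SAML2MetaUtils.getAttributes(localDescriptorConfig), SAML2Constants.SIGNING_CERT_ALIAS);
}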

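/**
 * Parses the request parameters, builds a ManageNameID request and sends it to the
 * remote entity over the HTTP-Redirect, SOAP or HTTP-POST binding.
 * <p>
 * Without a valid session the user is redirected to the authentication service and
 * nothing else happens. The relay state (taken from the request, else the entity's
 * default relay state) is checked with {@code SAML2Utils.validateRelayStateURL}
 * before it is used, and the request is signed for the SOAP and HTTP-POST bindings
 * (signing for HTTP-Redirect, if any, is left to {@code doMNIByHttpRedirect}).
 *
 * @param request        the HttpServletRequest.
 * @param response       the HttpServletResponse.
 * @param metaAlias      meta alias of the hosted entity; realm and host entity ID
 *                       are derived from it.
 * @param remoteEntityID entity ID of the remote entity.
 * @param paramsMap      Map of all other parameters (binding, requestType,
 *                       affiliation ID, relay state, host entity role).
 * @throws SAML2Exception if the meta manager is unavailable, a required parameter
 *                        is missing, the MNI endpoint or binding cannot be resolved,
 *                        the binding is not supported, or the request cannot be
 *                        built or delivered.
 */
public static void initiateManageNameIDRequest(HttpServletRequest request, HttpServletResponse response, String metaAlias, String remoteEntityID, Map paramsMap) throws SAML2Exception {
    String method = "DoManageNameID.initiateManageNameIDRequest: ";
    if (metaManager == null) {
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("errorMetaManager"));
    }
    if (metaAlias == null) {
        logError("MetaAliasNotFound", LogUtil.MISSING_META_ALIAS, metaAlias);
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullEntityID"));
    }
    if (remoteEntityID == null) {
        logError("nullRemoteEntityID", LogUtil.MISSING_ENTITY, remoteEntityID);
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullRemoteEntityID"));
    }
    Object session = null;
    try {
        session = SessionManager.getProvider().getSession(request);
    } catch (SessionException se) {
        // An unusable session is handled exactly like a missing one below.
        if (debug.messageEnabled()) {
            debug.message(method, se);
        }
    }
    String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
    String hostEntityID = metaManager.getEntityByMetaAlias(metaAlias);
    String hostEntityRole = SAML2Utils.getHostEntityRole(paramsMap);
    if (session == null) {
        if (debug.messageEnabled()) {
            debug.message(method + "Session is missing." + "redirect to the authentication service");
        }
        // redirect to the authentication service
        try {
            SAML2Utils.redirectAuthentication(request, response, realm, hostEntityID, hostEntityRole);
        } catch (IOException ioe) {
            logError("UnableToRedirectToAuth", LogUtil.REDIRECT_TO_AUTH, null);
            throw new SAML2Exception(ioe.toString());
        }
        return;
    }
    if (debug.messageEnabled()) {
        debug.message(method + "Meta Alias is : " + metaAlias);
        debug.message(method + "Remote EntityID is : " + remoteEntityID);
        debug.message(method + "Host EntityID is : " + hostEntityID);
    }
    try {
        String binding = SAML2Utils.getParameter(paramsMap, SAML2Constants.BINDING);
        ManageNameIDServiceElement mniService = getMNIServiceElement(realm, remoteEntityID, hostEntityRole, binding);
        // Check the endpoint before falling back to its binding: with no binding
        // requested and no endpoint found this used to dereference null instead of
        // reporting the missing MNI service.
        String mniURL = (mniService != null) ? mniService.getLocation() : null;
        if (mniURL == null) {
            logError("mniServiceNotFound", LogUtil.METADATA_ERROR, null);
            throw new SAML2Exception(SAML2Utils.bundle.getString("mniServiceNotFound"));
        }
        if (binding == null) {
            binding = mniService.getBinding();
        }
        if (binding == null) {
            logError("UnableTofindBinding", LogUtil.METADATA_ERROR, null);
            throw new SAML2Exception(SAML2Utils.bundle.getString("UnableTofindBinding"));
        }
        boolean useRedirect = binding.equalsIgnoreCase(SAML2Constants.HTTP_REDIRECT);
        boolean useSOAP = binding.equalsIgnoreCase(SAML2Constants.SOAP);
        boolean usePOST = binding.equalsIgnoreCase(SAML2Constants.HTTP_POST);
        if (!useRedirect && !useSOAP && !usePOST) {
            // The binding may come straight from the request parameters. An unknown
            // value used to fall through silently after the request info had been
            // saved, leaving the caller with an empty response; reject it up front.
            logError("UnableTofindBinding", LogUtil.METADATA_ERROR, null);
            throw new SAML2Exception(SAML2Utils.bundle.getString("UnableTofindBinding"));
        }
        String requestType = (String) paramsMap.get("requestType");
        boolean changeID = "NewID".equals(requestType);
        String affiliationID = SAML2Utils.getParameter(paramsMap, SAML2Constants.AFFILIATION_ID);
        ManageNameIDRequest mniRequest = createManageNameIDRequest(session, realm, hostEntityID, hostEntityRole, remoteEntityID, mniURL, changeID, affiliationID);
        String relayState = SAML2Utils.getParameter(paramsMap, SAML2Constants.RELAY_STATE);
        if ((relayState == null) || (relayState.equals(""))) {
            relayState = SAML2Utils.getAttributeValueFromSSOConfig(realm, hostEntityID, hostEntityRole, SAML2Constants.DEFAULT_RELAY_STATE);
        }
        // Validate the RelayState URL (it is caller-supplied) before it is ever sent.
        SAML2Utils.validateRelayStateURL(realm, hostEntityID, relayState, hostEntityRole);
        mniRequest.setDestination(XMLUtils.escapeSpecialCharacters(mniURL));
        saveMNIRequestInfo(request, response, paramsMap, mniRequest, relayState, hostEntityRole, session);
        String mniRequestXMLString = null;
        if (useRedirect) {
            mniRequestXMLString = mniRequest.toXMLString(true, true);
            doMNIByHttpRedirect(mniRequestXMLString, mniURL, relayState, realm, hostEntityID, hostEntityRole, remoteEntityID, response);
        } else if (useSOAP) {
            signMNIRequest(mniRequest, realm, hostEntityID, hostEntityRole, remoteEntityID);
            BaseConfigType config = null;
            if (hostEntityRole.equalsIgnoreCase(SAML2Constants.SP_ROLE)) {
                config = metaManager.getIDPSSOConfig(realm, remoteEntityID);
            } else {
                config = metaManager.getSPSSOConfig(realm, remoteEntityID);
            }
            // SOAP endpoints may require HTTP basic auth taken from the remote config.
            mniURL = SAML2Utils.fillInBasicAuthInfo(config, mniURL);
            if (!doMNIBySOAP(mniRequest, mniURL, metaAlias, hostEntityRole, request, response)) {
                throw new SAML2Exception(SAML2Utils.bundle.getString("mniFailed"));
            }
        } else {
            signMNIRequest(mniRequest, realm, hostEntityID, hostEntityRole, remoteEntityID);
            mniRequestXMLString = mniRequest.toXMLString(true, true);
            doMNIByPOST(mniRequestXMLString, mniURL, relayState, realm, hostEntityID, hostEntityRole, remoteEntityID, response, request);
        }
    } catch (IOException ioe) {
        logError("errorCreatingMNIRequest", LogUtil.CANNOT_INSTANTIATE_MNI_REQUEST, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("errorCreatingMNIRequest"));
    } catch (SAML2MetaException sme) {
        logError("metaDataError", LogUtil.METADATA_ERROR, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    } catch (SessionException ssoe) {
        logError("invalidSSOToken", LogUtil.INVALID_SSOTOKEN, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
    }
}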

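/**
 * Returns the service provider's SSO descriptor for an entity under the realm.
 *
 * @param realm       the realm under which the entity resides.
 * @param spEntityID  ID of the SP entity to be retrieved.
 * @param classMethod the calling class method, used as log prefix.
 * @return the {@code SPSSODescriptorElement} for the entity, never null.
 * @throws SAML2Exception if the meta manager is unavailable ("errorMetaManager"),
 *         or if the metadata lookup fails or yields no descriptor ("metaDataError";
 *         an SP_METADATA_ERROR access-log entry is written as well).
 */
private static SPSSODescriptorElement getSPSSODescriptor(String realm, String spEntityID, String classMethod) throws SAML2Exception {
    if (metaManager == null) {
        SAML2Utils.debug.error(classMethod + "Unable to get meta manager.");
        throw new SAML2Exception(SAML2Utils.bundle.getString("errorMetaManager"));
    }
    SPSSODescriptorElement spSSODescriptor;
    try {
        spSSODescriptor = metaManager.getSPSSODescriptor(realm, spEntityID);
    } catch (SAML2MetaException sme) {
        // Log the actual failure with its stack trace; this path used to reuse the
        // "descriptor is null" message and drop the exception entirely.
        SAML2Utils.debug.error(classMethod + "Unable to get SP SSO Descriptor from metadata for " + spEntityID + ".", sme);
        String[] data = { spEntityID };
        LogUtil.error(Level.INFO, LogUtil.SP_METADATA_ERROR, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    if (spSSODescriptor == null) {
        SAML2Utils.debug.error(classMethod + "Unable to get SP SSO Descriptor from metadata, descriptor is null.");
        String[] data = { spEntityID };
        LogUtil.error(Level.INFO, LogUtil.SP_METADATA_ERROR, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    return spSSODescriptor;
}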

/**
 * Looks up a single-valued attribute in the XACML entity configuration of a
 * policy enforcement point (PEP) or policy decision point (PDP).
 *
 * @param realm      the realm of the entity.
 * @param entityRole role of the entity: {@code SAML2Constants.PEP_ROLE} selects the
 *                   PEP configuration, anything else the PDP configuration.
 * @param entityID   identity of the entity.
 * @param attrName   name of the attribute whose value is to be retrieved.
 * @return the first value of the attribute, or null when the entity configuration
 *         or the attribute is absent, or when the metadata lookup fails (the
 *         failure is only logged at message level, so callers cannot distinguish
 *         "unset" from "lookup failed").
 */
public static String getAttributeValueFromXACMLConfig(String realm, String entityRole, String entityID, String attrName) {
    String method = "SAML2Utils:getAttributeValueFromXACMLConfig : ";
    if (debug.messageEnabled()) {
        debug.message(method + "realm - " + realm);
        debug.message(method + "entityRole - " + entityRole);
        debug.message(method + "EntityId - " + entityID);
        debug.message(method + "attrName - " + attrName);
    }
    String result = null;
    try {
        Map attrs;
        if (entityRole.equalsIgnoreCase(SAML2Constants.PEP_ROLE)) {
            XACMLAuthzDecisionQueryConfigElement pepConfig = saml2MetaManager.getPolicyEnforcementPointConfig(realm, entityID);
            attrs = (pepConfig == null) ? null : SAML2MetaUtils.getAttributes(pepConfig);
        } else {
            XACMLPDPConfigElement pdpConfig = saml2MetaManager.getPolicyDecisionPointConfig(realm, entityID);
            attrs = (pdpConfig == null) ? null : SAML2MetaUtils.getAttributes(pdpConfig);
        }
        // Attributes are multi-valued; only the first value is returned.
        List values = (attrs == null) ? null : (List) attrs.get(attrName);
        if (values != null && !values.isEmpty()) {
            result = (String) values.get(0);
        }
    } catch (SAML2MetaException e) {
        debug.message("Retreiving XACML Config failed:", e);
    }
    if (debug.messageEnabled()) {
        debug.message("Attribute value is : " + result);
    }
    return result;
}