Search in sources :

Example 61 with SAML2MetaException

use of com.sun.identity.saml2.meta.SAML2MetaException in project OpenAM by OpenRock.

the class SAML2Utils method verifyResponse.

/**
     * Verifies single sign on <code>Response</code> and returns information
     * to SAML2 auth module for further processing. This method is used by
     * SAML2 auth module only.
     *
     * @param httpRequest    HttpServletRequest
     * @param httpResponse   HttpServletResponse
     * @param response       Single Sign On <code>Response</code>.
     * @param orgName        name of the realm or organization the provider is in.
     * @param hostEntityId   Entity ID of the hosted provider.
     * @param profileBinding Profile binding used.
     * @return A Map of information extracted from the Response. The keys of
     * map are:
     * <code>SAML2Constants.SUBJECT</code>,
     * <code>SAML2Constants.POST_ASSERTION</code>,
     * <code>SAML2Constants.ASSERTIONS</code>,
     * <code>SAML2Constants.SESSION_INDEX</code>,
     * <code>SAML2Constants.AUTH_LEVEL</code>,
     * <code>SAML2Constants.MAX_SESSION_TIME</code>.
     * @throws SAML2Exception if the Response is not valid according to the
     *                        processing rules.
     */
public static Map verifyResponse(final HttpServletRequest httpRequest, final HttpServletResponse httpResponse, final Response response, final String orgName, final String hostEntityId, final String profileBinding) throws SAML2Exception {
    final String method = "SAML2Utils.verifyResponse:";
    if (response == null || orgName == null || orgName.length() == 0) {
        if (debug.messageEnabled()) {
            debug.message(method + "response or orgName is null.");
        }
        throw new SAML2Exception(bundle.getString("nullInput"));
    }
    String respID = response.getID();
    AuthnRequestInfo reqInfo = null;
    String inRespToResp = response.getInResponseTo();
    if (inRespToResp != null && inRespToResp.length() != 0) {
        reqInfo = (AuthnRequestInfo) SPCache.requestHash.get(inRespToResp);
        if (reqInfo == null) {
            if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
                // Attempt to read AuthnRequestInfoCopy from SAML2 repository
                AuthnRequestInfoCopy reqInfoCopy = null;
                try {
                    reqInfoCopy = (AuthnRequestInfoCopy) SAML2FailoverUtils.retrieveSAML2Token(inRespToResp);
                } catch (SAML2TokenRepositoryException se) {
                    debug.error(method + "AuthnRequestInfoCopy" + " unable to retrieve from SAML2 repository for inResponseTo: " + inRespToResp);
                }
                if (reqInfoCopy != null) {
                    // Get back the AuthnRequestInfo
                    reqInfo = reqInfoCopy.getAuthnRequestInfo(httpRequest, httpResponse);
                    if (debug.messageEnabled()) {
                        debug.message(method + "AuthnRequestInfoCopy" + " retrieved from SAML2 repository for inResponseTo: " + inRespToResp);
                    }
                } else {
                    debug.error(method + "InResponseTo attribute in Response" + " is invalid: " + inRespToResp + ", SAML2 failover is enabled");
                    String[] data = { respID };
                    LogUtil.error(Level.INFO, LogUtil.INVALID_INRESPONSETO_RESPONSE, data, null);
                    throw new SAML2Exception(bundle.getString("invalidInResponseToInResponse"));
                }
            } else {
                AuthnRequestInfoCopy reqInfoCopy = (AuthnRequestInfoCopy) SAML2Store.getTokenFromStore(inRespToResp);
                if (reqInfoCopy != null) {
                    // Get back the AuthnRequestInfo
                    reqInfo = reqInfoCopy.getAuthnRequestInfo(httpRequest, httpResponse);
                    if (debug.messageEnabled()) {
                        debug.message(method + "AuthnRequestInfoCopy" + " retrieved from SAML2 repository for inResponseTo: " + inRespToResp);
                    }
                } else {
                    debug.error(method + "InResponseTo attribute in Response" + " is invalid: " + inRespToResp + ", SAML2 failover is enabled");
                    String[] data = { respID };
                    LogUtil.error(Level.INFO, LogUtil.INVALID_INRESPONSETO_RESPONSE, data, null);
                    throw new SAML2Exception(bundle.getString("invalidInResponseToInResponse"));
                }
            }
        }
    }
    // reqInfo can remain null and will do for IDP initiated SSO requests
    // invoke SP Adapter
    SAML2ServiceProviderAdapter spAdapter = SAML2Utils.getSPAdapterClass(hostEntityId, orgName);
    if (spAdapter != null) {
        AuthnRequest authnRequest = null;
        if (reqInfo != null) {
            authnRequest = reqInfo.getAuthnRequest();
        }
        spAdapter.preSingleSignOnProcess(hostEntityId, orgName, httpRequest, httpResponse, authnRequest, response, profileBinding);
    }
    String idpEntityId = null;
    Issuer respIssuer = response.getIssuer();
    if (respIssuer != null) {
        // optional
        if (!isSourceSiteValid(respIssuer, orgName, hostEntityId)) {
            if (debug.messageEnabled()) {
                debug.message(method + "Issuer in Response is not valid.");
            }
            String[] data = { hostEntityId, orgName, respID };
            LogUtil.error(Level.INFO, LogUtil.INVALID_ISSUER_RESPONSE, data, null);
            throw new SAML2Exception(bundle.getString("invalidIssuerInResponse"));
        } else {
            idpEntityId = respIssuer.getValue();
        }
    }
    Status status = response.getStatus();
    if (status == null || !status.getStatusCode().getValue().equals(SAML2Constants.SUCCESS)) {
        String statusCode = (status == null) ? "" : status.getStatusCode().getValue();
        if (debug.messageEnabled()) {
            debug.message(method + "Response's status code is not success: " + statusCode);
        }
        String[] data = { respID, "" };
        if (LogUtil.isErrorLoggable(Level.FINE)) {
            data[1] = statusCode;
        }
        LogUtil.error(Level.INFO, LogUtil.WRONG_STATUS_CODE, data, null);
        if (SAML2Constants.RESPONDER.equals(statusCode)) {
            //In case of passive authentication the NoPassive response will be sent using two StatusCode nodes:
            //the outer StatusCode will be Responder and the inner StatusCode will contain the NoPassive URN
            StatusCode secondLevelStatusCode = status.getStatusCode().getStatusCode();
            if (secondLevelStatusCode != null && SAML2Constants.NOPASSIVE.equals(secondLevelStatusCode.getValue())) {
                throw new SAML2Exception(SAML2Utils.BUNDLE_NAME, "noPassiveResponse", null);
            }
        } else if (SAML2Constants.REQUESTER.equals(statusCode)) {
            // when is AllowCreate=false mode the auth module gets here with a
            // statusCode of urn:oasis:names:tc:SAML:2.0:status:Requester
            StatusCode secondLevelStatusCode = status.getStatusCode().getStatusCode();
            if (secondLevelStatusCode != null && SAML2Constants.INVALID_NAME_ID_POLICY.equals(secondLevelStatusCode.getValue())) {
                throw new SAML2Exception(SAML2Utils.BUNDLE_NAME, "nameIDMReqInvalidNameIDPolicy", null);
            }
        }
        throw new SAML2Exception(bundle.getString("invalidStatusCodeInResponse"));
    }
    if (saml2MetaManager == null) {
        throw new SAML2Exception(bundle.getString("nullMetaManager"));
    }
    SPSSOConfigElement spConfig = null;
    SPSSODescriptorElement spDesc = null;
    spConfig = saml2MetaManager.getSPSSOConfig(orgName, hostEntityId);
    spDesc = saml2MetaManager.getSPSSODescriptor(orgName, hostEntityId);
    if (debug.messageEnabled()) {
        debug.message(method + "binding is :" + profileBinding);
    }
    // SAML spec processing
    //  4.1.4.3   Verify any signatures present on the assertion(s) or the response
    boolean responseIsSigned = false;
    if (response.isSigned()) {
        IDPSSODescriptorElement idpSSODescriptor = null;
        try {
            idpSSODescriptor = saml2MetaManager.getIDPSSODescriptor(orgName, idpEntityId);
        } catch (SAML2MetaException sme) {
            String[] data = { orgName, idpEntityId };
            LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, null);
            throw new SAML2Exception(sme);
        }
        if (idpSSODescriptor != null) {
            Set<X509Certificate> verificationCerts = KeyUtil.getVerificationCerts(idpSSODescriptor, idpEntityId, SAML2Constants.IDP_ROLE);
            if (CollectionUtils.isEmpty(verificationCerts) || !response.isSignatureValid(verificationCerts)) {
                debug.error(method + "Response is not signed or signature is not valid.");
                String[] data = { orgName, hostEntityId, idpEntityId };
                LogUtil.error(Level.INFO, LogUtil.POST_RESPONSE_INVALID_SIGNATURE, data, null);
                throw new SAML2Exception(bundle.getString("invalidSignInResponse"));
            }
        } else {
            String[] data = { idpEntityId };
            LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, null);
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }
        responseIsSigned = true;
    }
    if (debug.messageEnabled()) {
        debug.message(method + "responseIsSigned is :" + responseIsSigned);
    }
    // assertion encryption check
    boolean needAssertionEncrypted = false;
    String assertionEncryptedAttr = getAttributeValueFromSPSSOConfig(spConfig, SAML2Constants.WANT_ASSERTION_ENCRYPTED);
    needAssertionEncrypted = Boolean.parseBoolean(assertionEncryptedAttr);
    if (debug.messageEnabled()) {
        debug.message(method + "NeedAssertionEncrypted is :" + needAssertionEncrypted);
    }
    List<Assertion> assertions = response.getAssertion();
    if (needAssertionEncrypted && !CollectionUtils.isEmpty(assertions)) {
        String[] data = { respID };
        LogUtil.error(Level.INFO, LogUtil.ASSERTION_NOT_ENCRYPTED, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("assertionNotEncrypted"));
    }
    Set<PrivateKey> decryptionKeys;
    List<EncryptedAssertion> encAssertions = response.getEncryptedAssertion();
    if (encAssertions != null) {
        decryptionKeys = KeyUtil.getDecryptionKeys(spConfig);
        for (EncryptedAssertion encAssertion : encAssertions) {
            Assertion assertion = encAssertion.decrypt(decryptionKeys);
            if (assertions == null) {
                assertions = new ArrayList<>();
            }
            assertions.add(assertion);
        }
    }
    if (CollectionUtils.isEmpty(assertions)) {
        if (debug.messageEnabled()) {
            debug.message(method + "no assertion in the Response.");
        }
        String[] data = { respID };
        LogUtil.error(Level.INFO, LogUtil.MISSING_ASSERTION, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingAssertion"));
    }
    boolean wantAssertionsSigned = spDesc.isWantAssertionsSigned();
    if (debug.messageEnabled()) {
        debug.message(method + "wantAssertionsSigned is :" + wantAssertionsSigned);
    }
    // validate the assertions
    Map smap = null;
    Map bearerMap = null;
    IDPSSODescriptorElement idp = null;
    Set<X509Certificate> verificationCerts = null;
    boolean allAssertionsSigned = true;
    for (Assertion assertion : assertions) {
        String assertionID = assertion.getID();
        Issuer issuer = assertion.getIssuer();
        if (!isSourceSiteValid(issuer, orgName, hostEntityId)) {
            debug.error("assertion's source site is not valid.");
            String[] data = { assertionID };
            LogUtil.error(Level.INFO, LogUtil.INVALID_ISSUER_ASSERTION, data, null);
            throw new SAML2Exception(bundle.getString("invalidIssuerInAssertion"));
        }
        if (idpEntityId == null) {
            idpEntityId = issuer.getValue();
        } else {
            if (!idpEntityId.equals(issuer.getValue())) {
                if (debug.messageEnabled()) {
                    debug.message(method + "Issuer in Assertion doesn't " + "match the Issuer in Response or other " + "Assertions in the Response.");
                }
                String[] data = { assertionID };
                LogUtil.error(Level.INFO, LogUtil.MISMATCH_ISSUER_ASSERTION, data, null);
                throw new SAML2Exception(SAML2Utils.bundle.getString("mismatchIssuer"));
            }
        }
        if (assertion.isSigned()) {
            if (verificationCerts == null) {
                idp = saml2MetaManager.getIDPSSODescriptor(orgName, idpEntityId);
                verificationCerts = KeyUtil.getVerificationCerts(idp, idpEntityId, SAML2Constants.IDP_ROLE);
            }
            if (CollectionUtils.isEmpty(verificationCerts) || !assertion.isSignatureValid(verificationCerts)) {
                debug.error(method + "Assertion is not signed or signature is not valid.");
                String[] data = { assertionID };
                LogUtil.error(Level.INFO, LogUtil.INVALID_SIGNATURE_ASSERTION, data, null);
                throw new SAML2Exception(bundle.getString("invalidSignatureOnAssertion"));
            }
        } else {
            allAssertionsSigned = false;
        }
        List authnStmts = assertion.getAuthnStatements();
        if (authnStmts != null && !authnStmts.isEmpty()) {
            Subject subject = assertion.getSubject();
            if (subject == null) {
                continue;
            }
            List subjectConfirms = subject.getSubjectConfirmation();
            if (subjectConfirms == null || subjectConfirms.isEmpty()) {
                continue;
            }
            bearerMap = isBearerSubjectConfirmation(subjectConfirms, inRespToResp, spDesc, spConfig, assertionID);
            if (!((Boolean) bearerMap.get(SAML2Constants.IS_BEARER))) {
                continue;
            }
            boolean foundAssertion = false;
            if ((SPCache.assertionByIDCache != null) && (SPCache.assertionByIDCache.containsKey(assertionID))) {
                foundAssertion = true;
            }
            if ((!foundAssertion) && SAML2FailoverUtils.isSAML2FailoverEnabled()) {
                try {
                    if (SAML2FailoverUtils.retrieveSAML2Token(assertionID) != null) {
                        foundAssertion = true;
                    }
                } catch (SAML2TokenRepositoryException e) {
                    if (debug.messageEnabled()) {
                        debug.message("Session not found in AMTokenSAML2Repository.", e);
                    }
                }
            }
            if (foundAssertion) {
                debug.error("Bearer Assertion is one time use only!");
                throw new SAML2Exception(bundle.getString("usedBearAssertion"));
            }
            checkAudience(assertion.getConditions(), hostEntityId, assertionID);
            if (smap == null) {
                smap = fillMap(authnStmts, subject, assertion, assertions, reqInfo, inRespToResp, orgName, hostEntityId, idpEntityId, spConfig, (Date) bearerMap.get(SAML2Constants.NOTONORAFTER));
            }
        }
    // end of having authnStmt
    }
    if (smap == null) {
        debug.error("No Authentication Assertion in Response.");
        throw new SAML2Exception(bundle.getString("missingAuthnAssertion"));
    }
    // the enclosing element
    if (wantAssertionsSigned && !(responseIsSigned || allAssertionsSigned)) {
        debug.error(method + "WantAssertionsSigned is true and response or all assertions are not signed");
        String[] data = { orgName, hostEntityId, idpEntityId };
        LogUtil.error(Level.INFO, LogUtil.INVALID_SIGNATURE_ASSERTION, data, null);
        throw new SAML2Exception(bundle.getString("assertionNotSigned"));
    }
    // signing each individual <Assertion> element or by signing the <Response> element.
    if (profileBinding.equals(SAML2Constants.HTTP_POST)) {
        boolean wantPostResponseSigned = SAML2Utils.wantPOSTResponseSigned(orgName, hostEntityId, SAML2Constants.SP_ROLE);
        if (debug.messageEnabled()) {
            debug.message(method + "wantPostResponseSigned is :" + wantPostResponseSigned);
        }
        if (wantPostResponseSigned && !responseIsSigned) {
            debug.error(method + "wantPostResponseSigned is true but response is not signed");
            String[] data = { orgName, hostEntityId, idpEntityId };
            LogUtil.error(Level.INFO, LogUtil.POST_RESPONSE_INVALID_SIGNATURE, data, null);
            throw new SAML2Exception(bundle.getString("responseNotSigned"));
        }
        if (!responseIsSigned && !allAssertionsSigned) {
            debug.error(method + "WantAssertionsSigned is true but some or all assertions are not signed");
            String[] data = { orgName, hostEntityId, idpEntityId };
            LogUtil.error(Level.INFO, LogUtil.INVALID_SIGNATURE_ASSERTION, data, null);
            throw new SAML2Exception(bundle.getString("assertionNotSigned"));
        }
    }
    return smap;
}
Also used : PrivateKey(java.security.PrivateKey) Issuer(com.sun.identity.saml2.assertion.Issuer) AuthnRequestInfo(com.sun.identity.saml2.profile.AuthnRequestInfo) SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) StatusCode(com.sun.identity.saml2.protocol.StatusCode) ArrayList(java.util.ArrayList) List(java.util.List) AuthnRequestInfoCopy(com.sun.identity.saml2.profile.AuthnRequestInfoCopy) SAML2ServiceProviderAdapter(com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) Status(com.sun.identity.saml2.protocol.Status) SPSSOConfigElement(com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) Assertion(com.sun.identity.saml2.assertion.Assertion) X509Certificate(java.security.cert.X509Certificate) Subject(com.sun.identity.saml2.assertion.Subject) Date(java.util.Date) AuthnRequest(com.sun.identity.saml2.protocol.AuthnRequest) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException) Map(java.util.Map) HashMap(java.util.HashMap) IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)

Example 62 with SAML2MetaException

use of com.sun.identity.saml2.meta.SAML2MetaException in project OpenAM by OpenRock.

the class SAML2Utils method isIDPProfileBindingSupported.

/**
     * Checks if a profile binding is suppported by an IDP.
     *
     * @param realm       Realm the IDP is in.
     * @param idpEntityID IDP entity id.
     * @param profile     name of the profile/service
     * @param binding     binding to be checked on
     * @return <code>true</code> if the binding is supported;
     * <code>false</code> otherwise.
     */
public static boolean isIDPProfileBindingSupported(String realm, String idpEntityID, String profile, String binding) {
    if ((saml2MetaManager == null) || (realm == null) || (idpEntityID == null) || (profile == null) || (binding == null)) {
        return false;
    }
    try {
        IDPSSODescriptorElement idpDescriptor = saml2MetaManager.getIDPSSODescriptor(realm, idpEntityID);
        List services = null;
        if (SAML2Constants.SSO_SERVICE.equals(profile)) {
            services = idpDescriptor.getSingleSignOnService();
        } else if (SAML2Constants.NAMEID_MAPPING_SERVICE.equals(profile)) {
            services = idpDescriptor.getNameIDMappingService();
        } else if (SAML2Constants.ASSERTION_ID_REQUEST_SERVICE.equals(profile)) {
            services = saml2MetaManager.getAuthnAuthorityDescriptor(realm, idpEntityID).getAssertionIDRequestService();
        } else if (SAML2Constants.ARTIFACT_RESOLUTION_SERVICE.equals(profile)) {
            services = idpDescriptor.getArtifactResolutionService();
        } else if (SAML2Constants.SLO_SERVICE.equals(profile)) {
            services = idpDescriptor.getSingleLogoutService();
        } else if (SAML2Constants.MNI_SERVICE.equals(profile)) {
            services = idpDescriptor.getManageNameIDService();
        }
        if ((services != null) && (!services.isEmpty())) {
            Iterator iter = services.iterator();
            while (iter.hasNext()) {
                EndpointType endpoint = (EndpointType) iter.next();
                if (binding.equals(endpoint.getBinding())) {
                    return true;
                }
            }
        }
    } catch (SAML2MetaException me) {
        debug.error("SAML2Utils.isIDPProfileBindingSupported:", me);
    }
    return false;
}
Also used : Iterator(java.util.Iterator) EndpointType(com.sun.identity.saml2.jaxb.metadata.EndpointType) ArrayList(java.util.ArrayList) List(java.util.List) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)

Example 63 with SAML2MetaException

use of com.sun.identity.saml2.meta.SAML2MetaException in project OpenAM by OpenRock.

the class SAML2Utils method isSPProfileBindingSupported.

/**
     * Checks if a profile binding is suppported by a SP.
     *
     * @param realm      Realm the SP is in.
     * @param spEntityID SP entity id.
     * @param profile    name of the profile/service
     * @param binding    binding to be checked on
     * @return <code>true</code> if the binding is supported;
     * <code>false</code> otherwise.
     */
public static boolean isSPProfileBindingSupported(String realm, String spEntityID, String profile, String binding) {
    if ((saml2MetaManager == null) || (realm == null) || (spEntityID == null) || (profile == null) || (binding == null)) {
        return false;
    }
    try {
        SPSSODescriptorElement spDescriptor = saml2MetaManager.getSPSSODescriptor(realm, spEntityID);
        List services = null;
        if (SAML2Constants.ACS_SERVICE.equals(profile)) {
            services = spDescriptor.getAssertionConsumerService();
        } else if (SAML2Constants.SLO_SERVICE.equals(profile)) {
            services = spDescriptor.getSingleLogoutService();
        } else if (SAML2Constants.MNI_SERVICE.equals(profile)) {
            services = spDescriptor.getManageNameIDService();
        }
        if ((services != null) && (!services.isEmpty())) {
            Iterator iter = services.iterator();
            while (iter.hasNext()) {
                EndpointType endpoint = (EndpointType) iter.next();
                if (binding.equals(endpoint.getBinding())) {
                    return true;
                }
            }
        }
    } catch (SAML2MetaException me) {
        debug.error("SAML2Utils.isSPProfileBindingSupported:", me);
    }
    return false;
}
Also used : SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) Iterator(java.util.Iterator) EndpointType(com.sun.identity.saml2.jaxb.metadata.EndpointType) ArrayList(java.util.ArrayList) List(java.util.List) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)

Example 64 with SAML2MetaException

use of com.sun.identity.saml2.meta.SAML2MetaException in project OpenAM by OpenRock.

the class QueryClient method getPEPConfig.

/**
     * Returns the extended Policy Enforcement Point Configuration.
     *
     * @param realm the realm of the entity.
     * @param pepEntityId identifier of the PEP.
     * @return the <code>XACMLAuthzDecisionQueryConfigElement</code> object.
     * @exception <code>SAML2Exception</code> if there is an error retreiving
     *            the extended configuration.
     */
private static XACMLAuthzDecisionQueryConfigElement getPEPConfig(String realm, String pepEntityID) throws SAML2Exception {
    XACMLAuthzDecisionQueryConfigElement pepConfig = null;
    String classMethod = "QueryClient:getPEPConfig";
    if (saml2MetaManager != null) {
        try {
            pepConfig = saml2MetaManager.getPolicyEnforcementPointConfig(realm, pepEntityID);
        } catch (SAML2MetaException sme) {
            if (debug.messageEnabled()) {
                debug.message(classMethod + "Error retreiving PEP meta", sme);
            }
            String[] args = { pepEntityID };
            LogUtil.error(Level.INFO, LogUtil.PEP_METADATA_ERROR, args);
            throw new SAML2Exception(SAML2SDKUtils.BUNDLE_NAME, "pepMetaRetreivalError", args);
        }
    }
    return pepConfig;
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) XACMLAuthzDecisionQueryConfigElement(com.sun.identity.saml2.jaxb.entityconfig.XACMLAuthzDecisionQueryConfigElement) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)

Example 65 with SAML2MetaException

use of com.sun.identity.saml2.meta.SAML2MetaException in project OpenAM by OpenRock.

the class QueryClient method getPDPConfig.

/**
     * Returns the extended Policy Decision Point Configuration.
     *
     * @param realm the realm of the entity.
     * @param pdpEntityId identifier of the PDP.
     * @return the <code>XACMLPDPConfigElement</code> object.
     * @exception <code>SAML2Exception</code> if there is an error retreiving
     *            the extended configuration.
     */
private static XACMLPDPConfigElement getPDPConfig(String realm, String pdpEntityID) throws SAML2Exception {
    XACMLPDPConfigElement pdpConfig = null;
    String classMethod = "QueryClient:getPDPConfig";
    if (saml2MetaManager != null) {
        try {
            pdpConfig = saml2MetaManager.getPolicyDecisionPointConfig(realm, pdpEntityID);
        } catch (SAML2MetaException sme) {
            if (debug.messageEnabled()) {
                debug.message(classMethod + "Error retreiving PDP meta", sme);
            }
            String[] args = { pdpEntityID };
            LogUtil.error(Level.INFO, LogUtil.PEP_METADATA_ERROR, args);
            throw new SAML2Exception(SAML2SDKUtils.BUNDLE_NAME, "pdpMetaRetreivalError", args);
        }
    }
    return pdpConfig;
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) XACMLPDPConfigElement(com.sun.identity.saml2.jaxb.entityconfig.XACMLPDPConfigElement) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)

Aggregations

SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)138 List (java.util.List)106 SAML2MetaManager (com.sun.identity.saml2.meta.SAML2MetaManager)90 ArrayList (java.util.ArrayList)80 Iterator (java.util.Iterator)55 Map (java.util.Map)50 AMConsoleException (com.sun.identity.console.base.model.AMConsoleException)47 SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)44 EntityConfigElement (com.sun.identity.saml2.jaxb.entityconfig.EntityConfigElement)43 HashMap (java.util.HashMap)41 SPSSOConfigElement (com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement)30 BaseConfigType (com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType)29 EntityDescriptorElement (com.sun.identity.saml2.jaxb.metadata.EntityDescriptorElement)28 JAXBException (javax.xml.bind.JAXBException)28 SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)26 IDPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)24 IDPSSOConfigElement (com.sun.identity.saml2.jaxb.entityconfig.IDPSSOConfigElement)23 Set (java.util.Set)20 IOException (java.io.IOException)15 HashSet (java.util.HashSet)15