Example 21 with SAML2MetaManager
use of com.sun.identity.saml2.meta.SAML2MetaManager in project OpenAM by OpenRock.
the class SAML2SingleLogoutHandler method doIDPSingleLogout.
/**
* Performs single logout for a specific protocol. This method need to be
* implemented by each federation protocol, and will be invoked by other
* protocol to achieve cross federation protocol single logout. The local
* session shall not be destroyed by the SPI implementation. In cases of
* IDP proxying configuration, the implementation need to do single
* logout for the entity acting as both SP and IDP.
*
* Normally, there are three types of single logout to be supported:
* - logout single session (specified by userSession parameter)
* - logout a list of session (specified by userSession parameter)
* - logout all sessions for a specific user (specified by userID oarameter)
*
* As a single instance of the implementation class will be used internally
* in the SingleLogoutManager class, implementation of the method shall
* not maintain any states.
*
* @param userSession Set of user session objects (java.lang.Object) to be
* logout.
* @param userID Universal identifier of the user to be logout.
* @param request HTTP servlet request object of the request.
* @param response HTTP servlet response object of the request.
* @param isSOAPInitiated True means original single logout request is
* initiated using SOAP binding, false means the original single logout
* request is initiated using HTTP binding.
* @param isIDPInitiated True means this is identity provider initiated
* single logout, false means this is service provider initiated single
* logout.
* @param protocol The protocol of the original single logout.
* Possible values for this parameter:
* <code>SingleLogoutManager.SAML2</code>
* - single logout initiated using SAMLv2 protocol
* <code>SingleLogoutManager.IDFF</code>
* - single logout initiated using ID-FF protocol
* <code>SingleLogoutManager.WS-FED</code>
* - single logout initiated using WS-Federation protocol
* @param realm Realm of the hosted entity.
* @param idpEntityID <code>EntityID</code> of the hosted identity provider
* in the original Single Logout request.
* @param spEntityID <code>EntityID</code> of the remote service provider
* in the original Single Logout request.
* @param relayState A state information to be relayed back in response.
* @param singleLogoutRequestXML Original single logout request in XML
* string.
* @param singleLogoutResponseXML Logout response to be sent back to SP.
* This only apply to the case of SP initiated Single Logout, it will
* be null in case of IDP initiated single logout.
* @param currentStatus Current logout status, this is the accumulative
* single logout status for all protocols processed so far.
* Possible values:
* <code>SingleLogoutManager.LOGOUT_SUCCEEDED_STATUS</code>
* <code>SingleLogoutManager.LOGOUT_FAILED_STATUS</code>
* <code>SingleLogoutManager.LOGOUT_PARTIAL_STATUS</code>
* @return the single logout status for this protocol, possible values:
* <code>SingleLogoutManager.LOGOUT_SUCCEEDED_STATUS</code>
* <code>SingleLogoutManager.LOGOUT_FAILED_STATUS</code>
* <code>SingleLogoutManager.LOGOUT_PARTIAL_STATUS</code>
* <code>SingleLogoutManager.LOGOUT_REDIRECTED_STATUS</code>
* @exception Exception if error occurs when processing the protocol.
*/
public int doIDPSingleLogout(Set userSession, String userID, HttpServletRequest request, HttpServletResponse response, boolean isSOAPInitiated, boolean isIDPInitiated, String protocol, String realm, String idpEntityID, String spEntityID, String relayState, String singleLogoutRequestXML, String singleLogoutResponseXML, int currentStatus) throws Exception {
SingleLogoutManager.getInstance().debug.message("SAML2SingleLogoutHandler.doIDPSingleLogout : start");
if (!isSessionUsedInSAML2(userSession, userID)) {
// no session for this protocol
debug.message("SAML2SingleLogoutHander.doIDPSLO : no action");
return SingleLogoutManager.LOGOUT_NO_ACTION_STATUS;
}
if (isSOAPInitiated) {
SAML2MetaManager saml2Manager = new SAML2MetaManager();
String idpMetaAlias = findIDPMetaAlias(idpEntityID, spEntityID, realm, protocol, saml2Manager);
if (idpMetaAlias == null) {
// no SAML2 IDP found
return SingleLogoutManager.LOGOUT_NO_ACTION_STATUS;
}
if (debug.messageEnabled()) {
debug.message("SAML2SingleLogoutHandler: " + "userID=" + userID + ", session=" + userSession + ", isSOAInited=" + isSOAPInitiated + ", isIDPInited=" + isIDPInitiated + ", protocol=" + protocol + ", relam=" + realm + ", idpEntityID=" + idpEntityID + ", spEntityID=" + spEntityID + ", status=" + currentStatus + "\nlogout Request XML=" + singleLogoutRequestXML + "\nlogout response XML=" + singleLogoutResponseXML);
}
String idpEntityId = saml2Manager.getEntityByMetaAlias(idpMetaAlias);
return handleSOAPInitiatedSingleLogout(userSession, userID, request, response, realm, idpMetaAlias, idpEntityId, relayState, saml2Manager);
} else {
debug.message("SAML2SingleLogoutHandler.doIDPSLO : HTTP initiated SLO");
String redirectURL = MultiProtocolUtils.geServerBaseURL(request) + "/IDPSloInit?" + SAML2Constants.BINDING + "=" + SAML2Constants.HTTP_REDIRECT + "&" + SAML2Constants.RELAY_STATE + "=" + URLEncoder.encode(relayState, "UTF-8");
if (debug.messageEnabled()) {
debug.message("SAML2SingleLogoutHandler.doIDPSLO: HTTP init, redirect to " + redirectURL);
}
response.sendRedirect(redirectURL);
return SingleLogoutManager.LOGOUT_REDIRECTED_STATUS;
}
}
Also used :
SAML2MetaManager(com.sun.identity.saml2.meta.SAML2MetaManager)
Example 22 with SAML2MetaManager
use of com.sun.identity.saml2.meta.SAML2MetaManager in project OpenAM by OpenRock.
the class SAML2PostAuthenticationPlugin method setupSingleLogOut.
private void setupSingleLogOut(SSOToken ssoToken, String metaAlias, String sessionIndex, String spEntityId, String idpEntityId, NameID nameId) throws SSOException, SAML2Exception, SessionException {
final SAML2MetaManager sm = new SAML2MetaManager();
final String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
final String relayState = ssoToken.getProperty(SAML2Constants.RELAY_STATE);
final String binding = SAML2Constants.HTTP_REDIRECT;
final IDPSSODescriptorElement idpsso = sm.getIDPSSODescriptor(realm, idpEntityId);
final List<EndpointType> slosList = idpsso.getSingleLogoutService();
EndpointType logoutEndpoint = null;
for (EndpointType endpoint : slosList) {
if (binding.equals(endpoint.getBinding())) {
logoutEndpoint = endpoint;
break;
}
}
if (logoutEndpoint == null) {
DEBUG.warning("Unable to determine SLO endpoint. Aborting SLO attempt. Please note this PAP " + "only supports HTTP-Redirect as a valid binding.");
return;
}
final LogoutRequest logoutReq = createLogoutRequest(metaAlias, realm, idpEntityId, logoutEndpoint, nameId, sessionIndex);
//survival time is one hours
//counted in seconds
final long sessionExpireTime = System.currentTimeMillis() / 1000 + SPCache.interval;
final String sloRequestXMLString = logoutReq.toXMLString(true, true);
final String redirect = getRedirectURL(sloRequestXMLString, relayState, realm, idpEntityId, logoutEndpoint.getLocation(), spEntityId);
if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
try {
SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(logoutReq.getID(), logoutReq, sessionExpireTime);
} catch (SAML2TokenRepositoryException e) {
DEBUG.warning("Unable to set SLO redirect location. Aborting SLO attempt.");
return;
}
} else {
SAML2Store.saveTokenWithKey(logoutReq.getID(), logoutReq);
}
ssoToken.setProperty(SLO_SESSION_LOCATION, logoutEndpoint.getLocation());
ssoToken.setProperty(SLO_SESSION_REFERENCE, redirect);
}
Also used :
EndpointType(com.sun.identity.saml2.jaxb.metadata.EndpointType)
LogoutRequest(com.sun.identity.saml2.protocol.LogoutRequest)
SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)
SAML2MetaManager(com.sun.identity.saml2.meta.SAML2MetaManager)
IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)
Example 23 with SAML2MetaManager
use of com.sun.identity.saml2.meta.SAML2MetaManager in project OpenAM by OpenRock.
the class SAML2Proxy method getUrl.
private static String getUrl(HttpServletRequest request, HttpServletResponse response) throws IOException {
if (request == null || response == null) {
DEBUG.error("SAML2Proxy: Null request or response");
return getUrlWithError(request, BAD_REQUEST);
}
try {
SAMLUtils.checkHTTPContentLength(request);
} catch (ServletException se) {
DEBUG.error("SAML2Proxy: content length too large");
return getUrlWithError(request, BAD_REQUEST);
}
if (FSUtils.needSetLBCookieAndRedirect(request, response, false)) {
return getUrlWithError(request, MISSING_COOKIE);
}
// get entity id and orgName
String requestURL = request.getRequestURL().toString();
String metaAlias = SAML2MetaUtils.getMetaAliasByUri(requestURL);
SAML2MetaManager metaManager = SAML2Utils.getSAML2MetaManager();
String hostEntityId;
if (metaManager == null) {
DEBUG.error("SAML2Proxy: Unable to obtain metaManager");
return getUrlWithError(request, MISSING_META_MANAGER);
}
try {
hostEntityId = metaManager.getEntityByMetaAlias(metaAlias);
if (hostEntityId == null) {
throw new SAML2MetaException("Caught Instantly");
}
} catch (SAML2MetaException sme) {
DEBUG.warning("SAML2Proxy: unable to find hosted entity with metaAlias: {} Exception: {}", metaAlias, sme.toString());
return getUrlWithError(request, META_DATA_ERROR);
}
String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
if (StringUtils.isEmpty(realm)) {
realm = "/";
}
ResponseInfo respInfo;
try {
respInfo = SPACSUtils.getResponse(request, response, realm, hostEntityId, metaManager);
} catch (SAML2Exception se) {
DEBUG.error("SAML2Proxy: Unable to obtain SAML response", se);
return getUrlWithError(request, SAML_GET_RESPONSE_ERROR, se.getL10NMessage(request.getLocale()));
}
Map smap;
try {
// check Response/Assertion and get back a Map of relevant data
smap = SAML2Utils.verifyResponse(request, response, respInfo.getResponse(), realm, hostEntityId, respInfo.getProfileBinding());
} catch (SAML2Exception se) {
DEBUG.error("SAML2Proxy: An error occurred while verifying the SAML response", se);
return getUrlWithError(request, SAML_VERIFY_RESPONSE_ERROR, se.getL10NMessage(request.getLocale()));
}
String key = generateKey();
//survival time is one hour
SAML2ResponseData data = new SAML2ResponseData((String) smap.get(SAML2Constants.SESSION_INDEX), (Subject) smap.get(SAML2Constants.SUBJECT), (Assertion) smap.get(SAML2Constants.POST_ASSERTION), respInfo);
if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
try {
//counted in seconds
long sessionExpireTime = System.currentTimeMillis() / 1000 + SPCache.interval;
SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(key, data, sessionExpireTime);
} catch (SAML2TokenRepositoryException e) {
DEBUG.error("An error occurred while persisting the SAML token", e);
return getUrlWithError(request, SAML_FAILOVER_DISABLED_ERROR);
}
} else {
SAML2Store.saveTokenWithKey(key, data);
}
return getUrlWithKey(request, key);
}
Also used :
ServletException(javax.servlet.ServletException)
ResponseInfo(com.sun.identity.saml2.profile.ResponseInfo)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)
SAML2MetaManager(com.sun.identity.saml2.meta.SAML2MetaManager)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
Map(java.util.Map)
Example 24 with SAML2MetaManager
use of com.sun.identity.saml2.meta.SAML2MetaManager in project OpenAM by OpenRock.
the class TaskModelImpl method getEntities.
private Set getEntities(String realm, String cotName, boolean bIDP, boolean hosted) throws AMConsoleException {
try {
SAML2MetaManager mgr = new SAML2MetaManager();
Set entities = getEntities(realm, cotName);
Set results = new HashSet();
for (Iterator i = entities.iterator(); i.hasNext(); ) {
String entityId = (String) i.next();
EntityConfigElement elm = mgr.getEntityConfig(realm, entityId);
// elm could be null due to OPENAM-269
if (elm != null && elm.isHosted() == hosted) {
EntityDescriptorElement desc = mgr.getEntityDescriptor(realm, entityId);
if (bIDP) {
if (SAML2MetaUtils.getIDPSSODescriptor(desc) != null) {
results.add(entityId);
}
} else {
if (SAML2MetaUtils.getSPSSODescriptor(desc) != null) {
results.add(entityId);
}
}
}
}
return results;
} catch (SAML2MetaException ex) {
throw new AMConsoleException(ex.getMessage());
}
}
Also used :
TreeSet(java.util.TreeSet)
HashSet(java.util.HashSet)
Set(java.util.Set)
Iterator(java.util.Iterator)
SAML2MetaManager(com.sun.identity.saml2.meta.SAML2MetaManager)
AMConsoleException(com.sun.identity.console.base.model.AMConsoleException)
EntityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.EntityDescriptorElement)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
HashSet(java.util.HashSet)
EntityConfigElement(com.sun.identity.saml2.jaxb.entityconfig.EntityConfigElement)
Example 25 with SAML2MetaManager
use of com.sun.identity.saml2.meta.SAML2MetaManager in project OpenAM by OpenRock.
the class TaskModelImpl method setAcsUrl.
/**
* Saves the Salesforce login url as the Assertion Consumer Service Location
* @param realm Realm
* @param entityId Entity Name
* @param acsUrl assertion consumer service location
* @throws AMConsoleException if value cannot be saved.
*/
public void setAcsUrl(String realm, String entityId, String acsUrl) throws AMConsoleException {
SPSSODescriptorElement spssoDescriptor = null;
try {
SAML2MetaManager samlManager = new SAML2MetaManager();
EntityDescriptorElement entityDescriptor = samlManager.getEntityDescriptor(realm, entityId);
spssoDescriptor = samlManager.getSPSSODescriptor(realm, entityId);
if (spssoDescriptor != null) {
List asconsServiceList = spssoDescriptor.getAssertionConsumerService();
for (Iterator i = asconsServiceList.listIterator(); i.hasNext(); ) {
AssertionConsumerServiceElement acsElem = (AssertionConsumerServiceElement) i.next();
if (acsElem.getBinding().contains("HTTP-POST")) {
acsElem.setLocation(acsUrl);
}
}
samlManager.setEntityDescriptor(realm, entityDescriptor);
}
} catch (SAML2MetaException e) {
debug.warning("SAMLv2ModelImpl.setSPStdAttributeValues:", e);
}
}
Also used :
SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)
Iterator(java.util.Iterator)
AssertionConsumerServiceElement(com.sun.identity.saml2.jaxb.metadata.AssertionConsumerServiceElement)
List(java.util.List)
SAML2MetaManager(com.sun.identity.saml2.meta.SAML2MetaManager)
EntityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.EntityDescriptorElement)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
Aggregations
SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)100
SAML2MetaManager (com.sun.identity.saml2.meta.SAML2MetaManager)93
List (java.util.List)67
ArrayList (java.util.ArrayList)48
AMConsoleException (com.sun.identity.console.base.model.AMConsoleException)46
Map (java.util.Map)33
HashMap (java.util.HashMap)31
Iterator (java.util.Iterator)28
EntityConfigElement (com.sun.identity.saml2.jaxb.entityconfig.EntityConfigElement)27
EntityDescriptorElement (com.sun.identity.saml2.jaxb.metadata.EntityDescriptorElement)23
SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)22
SPSSOConfigElement (com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement)21
JAXBException (javax.xml.bind.JAXBException)20
BaseConfigType (com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType)19
SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)17
IDPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)16
IDPSSOConfigElement (com.sun.identity.saml2.jaxb.entityconfig.IDPSSOConfigElement)15
Set (java.util.Set)10
CLIException (com.sun.identity.cli.CLIException)9
COTException (com.sun.identity.cot.COTException)9
