
Example 1 with DefaultLibrarySPAccountMapper

Use of com.sun.identity.saml2.plugins.DefaultLibrarySPAccountMapper in the OpenAM project by OpenRock.

The getAutoFedUser method of class DefaultLibrarySPAccountMapper (SP-side SAML2 account mapper; the IdP-asserted attribute value is what gets looked up as the local user, so treat it as untrusted input).

/**
 * Resolves the local user that an auto-federated assertion maps to.
 * <p>
 * Resolution order, as implemented below:
 * <ol>
 *   <li>Return {@code null} unless auto federation is enabled for the hosted entity.</li>
 *   <li>Read the configured auto federation attribute name; a missing name is a configuration
 *       error and yields {@code null}.</li>
 *   <li>Take the first non-empty value set of that attribute found in the assertion's
 *       {@code AttributeStatement}s.</li>
 *   <li>If no such value exists, fall back to {@code decryptedNameID} when "use NameID as SP user
 *       ID" is enabled; otherwise return {@code null}.</li>
 *   <li>Translate the attribute name through the SP attribute map (defaulting to the same name)
 *       and search the datastore for a user carrying that value.</li>
 *   <li>If the search finds nobody and the realm uses a dynamic or ignored profile, the
 *       IdP-asserted value itself is returned as the user ID.</li>
 * </ol>
 * NOTE(review): the value used for the datastore search, and on dynamic/ignored profiles returned
 * as the user ID, comes straight from the IdP assertion. Nothing in this method restricts which
 * identities a given IdP may assert or escapes the value for the backing store's query syntax;
 * confirm that the trust boundary (which IdPs may auto-federate, and the datastore provider's
 * own escaping) is enforced elsewhere.
 *
 * @param realm Realm name.
 * @param entityID Hosted <code>EntityID</code>.
 * @param assertion <code>Assertion</code> from the identity provider.
 * @param decryptedNameID NameID value of the assertion; only consulted as the fallback when the
 *        auto federation attribute is absent and NameID-as-SP-user-ID is enabled.
 * @param decryptionKeys Keys handed to {@code getAttribute(statement, ...)} while reading the
 *        attribute statements (presumably for decrypting encrypted attributes — confirm).
 * @return Auto federation mapped user from the assertion auto federation <code>AttributeStatement</code>. if the
 * statement does not have the auto federation attribute then the NameID value will be used if use NameID as SP user
 * ID is enabled, otherwise null.
 * @throws SAML2Exception propagated from the configuration and assertion helpers called here; the
 *         datastore lookup itself never throws out of this method (see the catch below).
 */
protected String getAutoFedUser(String realm, String entityID, Assertion assertion, String decryptedNameID, Set<PrivateKey> decryptionKeys) throws SAML2Exception {
    if (!isAutoFedEnabled(realm, entityID)) {
        if (debug.messageEnabled()) {
            debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Auto federation is disabled.");
        }
        return null;
    }
    // Name of the SAML attribute whose value identifies the local user.
    String autoFedAttribute = getAttribute(realm, entityID, SAML2Constants.AUTO_FED_ATTRIBUTE);
    if (autoFedAttribute == null || autoFedAttribute.isEmpty()) {
        // Misconfiguration rather than a bad assertion, hence logged at error level.
        debug.error("DefaultLibrarySPAccountMapper.getAutoFedUser: " + "Auto federation is enabled but the auto federation attribute is not configured.");
        return null;
    }
    if (debug.messageEnabled()) {
        debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Auto federation attribute is set to: " + autoFedAttribute);
    }
    Set<String> autoFedAttributeValue = null;
    List<AttributeStatement> attributeStatements = assertion.getAttributeStatements();
    if (attributeStatements == null || attributeStatements.isEmpty()) {
        if (debug.messageEnabled()) {
            debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: " + "Assertion does not have any attribute statements.");
        }
    } else {
        // First statement that carries a non-empty value for the attribute wins; later
        // statements are not consulted.
        for (AttributeStatement statement : attributeStatements) {
            autoFedAttributeValue = getAttribute(statement, autoFedAttribute, decryptionKeys);
            if (autoFedAttributeValue != null && !autoFedAttributeValue.isEmpty()) {
                if (debug.messageEnabled()) {
                    // NOTE(review): writes the asserted identity value to the debug log.
                    debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: " + "Found auto federation attribute value in Assertion: " + autoFedAttributeValue);
                }
                break;
            }
        }
    }
    if (autoFedAttributeValue == null || autoFedAttributeValue.isEmpty()) {
        if (debug.messageEnabled()) {
            debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Auto federation attribute is not specified" + " as an attribute.");
        }
        if (!useNameIDAsSPUserID(realm, entityID)) {
            if (debug.messageEnabled()) {
                debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: NameID as SP UserID was not enabled " + " and auto federation attribute " + autoFedAttribute + " was not found in the Assertion");
            }
            return null;
        } else {
            if (debug.messageEnabled()) {
                // NOTE(review): writes the NameID to the debug log.
                debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Trying now to autofederate with nameID" + ", nameID =" + decryptedNameID);
            }
            // Fallback: the NameID stands in for the missing attribute value. What asSet yields
            // for a null decryptedNameID is not visible here — confirm callers never pass null.
            autoFedAttributeValue = CollectionUtils.asSet(decryptedNameID);
        }
    }
    String autoFedMapAttribute = null;
    // The SP attribute map translates the SAML attribute name into the local datastore
    // attribute name that is searched below.
    DefaultSPAttributeMapper attributeMapper = new DefaultSPAttributeMapper();
    Map<String, String> attributeMap = attributeMapper.getConfigAttributeMap(realm, entityID, SP);
    if (attributeMap == null || attributeMap.isEmpty()) {
        if (debug.messageEnabled()) {
            debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: attribute map is not configured.");
        }
    } else {
        autoFedMapAttribute = attributeMap.get(autoFedAttribute);
    }
    if (autoFedMapAttribute == null) {
        if (debug.messageEnabled()) {
            debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: " + "Auto federation attribute map is not specified in config.");
        }
        // No mapping configured: assume the local attribute has the same name as the SAML one.
        autoFedMapAttribute = autoFedAttribute;
    }
    try {
        // Search criteria: local attribute name -> all asserted values. Escaping for the
        // store's query syntax (e.g. an LDAP filter) is left to the provider.
        Map<String, Set<String>> map = new HashMap<>(1);
        map.put(autoFedMapAttribute, autoFedAttributeValue);
        if (debug.messageEnabled()) {
            debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Search map: " + map);
        }
        String userId = dsProvider.getUserID(realm, map);
        if (userId != null && !userId.isEmpty()) {
            return userId;
        } else {
            // Nobody matched in the datastore. With dynamic user creation or an ignored profile
            // the IdP-asserted value itself becomes the user ID.
            if (isDynamicalOrIgnoredProfile(realm)) {
                if (debug.messageEnabled()) {
                    debug.message("DefaultLibrarySPAccountMapper: dynamical user creation or ignore profile " + "enabled : uid=" + autoFedAttributeValue);
                }
                // Return the first value as the uid. If the Set is unordered, "first" is
                // arbitrary for a multi-valued attribute — confirm the attribute is single-valued.
                return autoFedAttributeValue.iterator().next();
            }
        }
    } catch (DataStoreProviderException dse) {
        // A failing datastore is treated as "no mapping" rather than an error to the caller.
        if (debug.warningEnabled()) {
            debug.warning("DefaultLibrarySPAccountMapper.getAutoFedUser: Datastore provider exception", dse);
        }
    }
    return null;
}

Example 2 with DefaultLibrarySPAccountMapper

Use of com.sun.identity.saml2.plugins.DefaultLibrarySPAccountMapper in the OpenAM project by OpenRock.

The shouldPersistNameID method of class SAML2 (note that it also updates the instance's nameIDFormat and isTransient fields as a side effect).

/**
 * Decides whether the NameID negotiated for this authentication request must be persisted on
 * the SP side.
 * <p>
 * Side effects: {@code nameIDFormat} is replaced by the format verified against the hosted SP
 * and remote IdP metadata, and {@code isTransient} is refreshed from that verified format.
 * <p>
 * Outcome: a persistent format always persists; a transient format, or a realm whose profile is
 * ignored, never does; anything else is delegated to
 * {@link DefaultLibrarySPAccountMapper#shouldPersistNameIDFormat}.
 * <p>
 * NOTE(review): metadata is looked up with the hosted entity ID derived from {@code metaAlias},
 * whereas the account mapper is consulted with the {@code spEntityId} parameter. The two are
 * expected to denote the same SP — confirm callers cannot pass a different one.
 *
 * @param spEntityId SP entity ID handed to the account mapper's persistence decision.
 * @return {@code true} if the NameID should be persisted for this SP, {@code false} otherwise.
 * @throws SAML2Exception propagated from the metadata lookups and the NameID format verification.
 */
private boolean shouldPersistNameID(String spEntityId) throws SAML2Exception {
    final DefaultLibrarySPAccountMapper accountMapper = new DefaultLibrarySPAccountMapper();
    final String hostedSpEntityId = SPSSOFederate.getSPEntityId(metaAlias);
    final IDPSSODescriptorElement idpDescriptor = SPSSOFederate.getIDPSSOForAuthnReq(realm, entityName);
    final SPSSODescriptorElement spDescriptor = SPSSOFederate.getSPSSOForAuthnReq(realm, hostedSpEntityId);

    // Normalise the requested format against both parties' metadata and record the result.
    nameIDFormat = SAML2Utils.verifyNameIDFormat(nameIDFormat, spDescriptor, idpDescriptor);
    isTransient = SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(nameIDFormat);

    final boolean persistentFormat = SAML2Constants.PERSISTENT.equals(nameIDFormat);
    final boolean profileIgnored = SAML2PluginsUtils.isIgnoredProfile(realm);

    if (persistentFormat) {
        return true;
    }
    if (isTransient || profileIgnored) {
        return false;
    }
    return accountMapper.shouldPersistNameIDFormat(realm, spEntityId, entityName, nameIDFormat);
}

