Example 1 with IDPAccountMapper
use of com.sun.identity.saml2.plugins.IDPAccountMapper in project OpenAM by OpenRock.
the class IDPSSOUtil method getSubject.
/**
* Returns a <code>SAML Subject</code> object
*
* @param session the user's session
* @param authnReq the <code>AuthnRequest</code> object
* @param acsURL the <code>ACS</code> service <code>url</code>
* @param nameIDFormat the <code>NameIDFormat</code>
* @param realm The realm name
* @param idpEntityID the entity id of the identity provider
* @param recipientEntityID the entity id of the response recipient
* @param effectiveTime the effective time of the assertion
* @param affiliationID affiliationID for IDP initiated SSO
* @return the <code>SAML Subject</code> object
* @throws SAML2Exception if the operation is not successful
*/
private static Subject getSubject(Object session, AuthnRequest authnReq, String acsURL, String nameIDFormat, String realm, String idpEntityID, String recipientEntityID, int effectiveTime, String affiliationID) throws SAML2Exception {
String classMethod = "IDPSSOUtil.getSubject: ";
Subject subject = AssertionFactory.getInstance().createSubject();
boolean ignoreProfile = false;
String userName = null;
try {
userName = sessionProvider.getPrincipalName(session);
ignoreProfile = SAML2Utils.isIgnoreProfileSet(session);
} catch (SessionException se) {
SAML2Utils.debug.error(classMethod + "There was a problem with the session.", se);
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
}
// allow create is the default
boolean allowCreate = true;
String remoteEntityID = null;
String spNameQualifier = null;
boolean isAffiliation = false;
if (authnReq != null) {
remoteEntityID = authnReq.getIssuer().getValue();
NameIDPolicy nameIDPolicy = authnReq.getNameIDPolicy();
if (nameIDPolicy != null) {
// this will take care of affiliation
allowCreate = nameIDPolicy.isAllowCreate();
spNameQualifier = nameIDPolicy.getSPNameQualifier();
if (spNameQualifier != null && !spNameQualifier.isEmpty()) {
AffiliationDescriptorType affiDesc = metaManager.getAffiliationDescriptor(realm, spNameQualifier);
if (affiDesc != null) {
if (affiDesc.getAffiliateMember().contains(remoteEntityID)) {
isAffiliation = true;
remoteEntityID = spNameQualifier;
} else {
throw new SAML2Exception(SAML2Utils.bundle.getString("spNotAffiliationMember"));
}
}
} else {
spNameQualifier = recipientEntityID;
}
}
} else {
// IDP initialted SSO
if (affiliationID != null) {
AffiliationDescriptorType affiDesc = metaManager.getAffiliationDescriptor(realm, affiliationID);
if (affiDesc == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("affiliationNotFound"));
}
if (affiDesc.getAffiliateMember().contains(recipientEntityID)) {
isAffiliation = true;
remoteEntityID = affiliationID;
spNameQualifier = affiliationID;
} else {
throw new SAML2Exception(SAML2Utils.bundle.getString("spNotAffiliationMember"));
}
} else {
remoteEntityID = recipientEntityID;
spNameQualifier = recipientEntityID;
}
}
SPSSODescriptorElement spsso = getSPSSODescriptor(realm, recipientEntityID, classMethod);
if (spsso == null) {
String[] data = { recipientEntityID };
LogUtil.error(Level.INFO, LogUtil.SP_METADATA_ERROR, data, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
IDPSSODescriptorElement idpsso = metaManager.getIDPSSODescriptor(realm, idpEntityID);
if (idpsso == null) {
String[] data = { idpEntityID };
LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
nameIDFormat = SAML2Utils.verifyNameIDFormat(nameIDFormat, spsso, idpsso);
boolean isTransient = SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(nameIDFormat);
boolean isPersistent = SAML2Constants.PERSISTENT.equals(nameIDFormat);
NameIDInfo nameIDInfo;
NameID nameID = null;
IDPAccountMapper idpAccountMapper = SAML2Utils.getIDPAccountMapper(realm, idpEntityID);
//Use-cases for NameID persistence:
//* persistent NameID -> The NameID MUST be stored
//* transient NameID -> The NameID MUST NOT be stored
//* ignored user profile mode -> The NameID CANNOT be stored
//* for any other cases -> The NameID MAY be stored based on customizable logic
boolean shouldPersistNameID = isPersistent || (!isTransient && !ignoreProfile && idpAccountMapper.shouldPersistNameIDFormat(realm, idpEntityID, remoteEntityID, nameIDFormat));
if (!isTransient) {
String userID;
try {
userID = sessionProvider.getPrincipalName(session);
} catch (SessionException se) {
SAML2Utils.debug.error(classMethod + "Unable to get principal name from the session.", se);
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
}
if (isPersistent || shouldPersistNameID) {
nameIDInfo = AccountUtils.getAccountFederation(userID, idpEntityID, remoteEntityID);
if (nameIDInfo != null) {
nameID = nameIDInfo.getNameID();
if (!nameIDFormat.equals(nameID.getFormat())) {
AccountUtils.removeAccountFederation(nameIDInfo, userID);
DoManageNameID.removeIDPFedSession(remoteEntityID, nameID.getValue());
nameID = null;
}
}
}
}
if (nameID == null) {
if (!allowCreate && isPersistent) {
throw new SAML2InvalidNameIDPolicyException(SAML2Utils.bundle.getString("cannotCreateNameID"));
}
nameID = idpAccountMapper.getNameID(session, idpEntityID, spNameQualifier, realm, nameIDFormat);
SAML2Utils.debug.message(classMethod + " shouldPersistNameID = " + shouldPersistNameID);
if (shouldPersistNameID && allowCreate) {
// write federation info into the persistent datastore
if (SAML2Utils.isDualRole(idpEntityID, realm)) {
nameIDInfo = new NameIDInfo(idpEntityID, remoteEntityID, nameID, SAML2Constants.DUAL_ROLE, false);
} else {
nameIDInfo = new NameIDInfo(idpEntityID, remoteEntityID, nameID, SAML2Constants.IDP_ROLE, isAffiliation);
}
AccountUtils.setAccountFederation(nameIDInfo, userName);
}
}
subject.setNameID(nameID);
if (isTransient) {
IDPCache.userIDByTransientNameIDValue.put(nameID.getValue(), userName);
}
String inResponseTo = null;
if (authnReq != null) {
inResponseTo = authnReq.getID();
}
SubjectConfirmation sc = getSubjectConfirmation(inResponseTo, acsURL, effectiveTime);
if (sc == null) {
SAML2Utils.debug.error(classMethod + "Unable to get subject confirmation");
throw new SAML2Exception(SAML2Utils.bundle.getString("noSubjectConfirmation"));
}
List list = new ArrayList();
list.add(sc);
subject.setSubjectConfirmation(list);
return subject;
}
Also used :
NameIDInfo(com.sun.identity.saml2.common.NameIDInfo)
IDPAccountMapper(com.sun.identity.saml2.plugins.IDPAccountMapper)
NameIDPolicy(com.sun.identity.saml2.protocol.NameIDPolicy)
NameID(com.sun.identity.saml2.assertion.NameID)
SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)
ArrayList(java.util.ArrayList)
SessionException(com.sun.identity.plugin.session.SessionException)
AffiliationDescriptorType(com.sun.identity.saml2.jaxb.metadata.AffiliationDescriptorType)
Subject(com.sun.identity.saml2.assertion.Subject)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
SubjectConfirmation(com.sun.identity.saml2.assertion.SubjectConfirmation)
List(java.util.List)
ArrayList(java.util.ArrayList)
SAML2InvalidNameIDPolicyException(com.sun.identity.saml2.common.SAML2InvalidNameIDPolicyException)
IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)
Example 2 with IDPAccountMapper
use of com.sun.identity.saml2.plugins.IDPAccountMapper in project OpenAM by OpenRock.
the class SAML2Utils method getIDPAccountMapper.
/**
* Returns an <code>IDPAccountMapper</code>
*
* @param realm the realm name
* @param idpEntityID the entity id of the identity provider
* @return the <code>IDPAccountMapper</code>
* @throws SAML2Exception if the operation is not successful
*/
public static IDPAccountMapper getIDPAccountMapper(String realm, String idpEntityID) throws SAML2Exception {
String classMethod = "SAML2Utils.getIDPAccountMapper: ";
String idpAccountMapperName = null;
IDPAccountMapper idpAccountMapper = null;
try {
idpAccountMapperName = getAttributeValueFromSSOConfig(realm, idpEntityID, SAML2Constants.IDP_ROLE, SAML2Constants.IDP_ACCOUNT_MAPPER);
if (idpAccountMapperName == null) {
idpAccountMapperName = SAML2Constants.DEFAULT_IDP_ACCOUNT_MAPPER_CLASS;
if (debug.messageEnabled()) {
debug.message(classMethod + "use " + SAML2Constants.DEFAULT_IDP_ACCOUNT_MAPPER_CLASS);
}
}
idpAccountMapper = (IDPAccountMapper) IDPCache.idpAccountMapperCache.get(idpAccountMapperName);
if (idpAccountMapper == null) {
idpAccountMapper = (IDPAccountMapper) Class.forName(idpAccountMapperName).newInstance();
IDPCache.idpAccountMapperCache.put(idpAccountMapperName, idpAccountMapper);
} else {
if (debug.messageEnabled()) {
debug.message(classMethod + "got the IDPAccountMapper from cache");
}
}
} catch (Exception ex) {
debug.error(classMethod + "Unable to get IDP Account Mapper.", ex);
throw new SAML2Exception(ex);
}
return idpAccountMapper;
}
Also used :
IDPAccountMapper(com.sun.identity.saml2.plugins.IDPAccountMapper)
SystemConfigurationException(com.sun.identity.common.SystemConfigurationException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
IOException(java.io.IOException)
ServletException(javax.servlet.ServletException)
SessionException(com.sun.identity.plugin.session.SessionException)
DataStoreProviderException(com.sun.identity.plugin.datastore.DataStoreProviderException)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
COTException(com.sun.identity.cot.COTException)
SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)
Example 3 with IDPAccountMapper
use of com.sun.identity.saml2.plugins.IDPAccountMapper in project OpenAM by OpenRock.
the class NameIDMapping method processNameIDMappingRequest.
public static NameIDMappingResponse processNameIDMappingRequest(NameIDMappingRequest nimRequest, String realm, String idpEntityID) throws SAML2Exception {
NameIDMappingResponse nimResponse = null;
String spEntityID = nimRequest.getIssuer().getValue();
if (spEntityID == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("nullSPEntityID"));
}
String responseID = SAML2Utils.generateID();
if (responseID == null) {
SAML2Utils.debug.error(SAML2Utils.bundle.getString("failedToGenResponseID"));
}
nimResponse = pf.createNameIDMappingResponse();
nimResponse.setID(responseID);
nimResponse.setInResponseTo(nimRequest.getID());
nimResponse.setVersion(SAML2Constants.VERSION_2_0);
nimResponse.setIssueInstant(new Date());
nimResponse.setIssuer(SAML2Utils.createIssuer(idpEntityID));
SAML2Utils.verifyRequestIssuer(realm, idpEntityID, nimRequest.getIssuer(), nimRequest.getID());
NameIDPolicy nameIDPolicy = nimRequest.getNameIDPolicy();
String targetSPEntityID = nameIDPolicy.getSPNameQualifier();
String format = nameIDPolicy.getFormat();
Status status = null;
if ((format != null) && (format.length() != 0) && (!format.equals(SAML2Constants.PERSISTENT)) && (!format.equals(SAML2Constants.UNSPECIFIED))) {
nimResponse.setNameID(nimRequest.getNameID());
nimResponse.setEncryptedID(nimRequest.getEncryptedID());
status = SAML2Utils.generateStatus(SAML2Constants.INVALID_NAME_ID_POLICY, SAML2Utils.bundle.getString("targetNameIDFormatUnsupported"));
} else if ((targetSPEntityID == null) || (targetSPEntityID.length() == 0) || targetSPEntityID.equals(spEntityID)) {
nimResponse.setNameID(nimRequest.getNameID());
nimResponse.setEncryptedID(nimRequest.getEncryptedID());
status = SAML2Utils.generateStatus(SAML2Constants.INVALID_NAME_ID_POLICY, SAML2Utils.bundle.getString("targetNameIDNoChange"));
} else {
// check if source SP has account fed
// if yes then get nameid of targetSP
IDPAccountMapper idpAcctMapper = SAML2Utils.getIDPAccountMapper(realm, idpEntityID);
NameID nameID = getNameID(nimRequest, realm, idpEntityID);
String userID = idpAcctMapper.getIdentity(nameID, idpEntityID, spEntityID, realm);
NameIDInfo targetNameIDInfo = null;
if (userID != null) {
targetNameIDInfo = AccountUtils.getAccountFederation(userID, idpEntityID, targetSPEntityID);
}
if (targetNameIDInfo == null) {
nimResponse.setNameID(nimRequest.getNameID());
nimResponse.setEncryptedID(nimRequest.getEncryptedID());
status = SAML2Utils.generateStatus(SAML2Constants.INVALID_NAME_ID_POLICY, SAML2Utils.bundle.getString("targetNameIDNotFound"));
} else {
NameID targetSPNameID = targetNameIDInfo.getNameID();
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("NameIDMapping.processNameIDMappingRequest: " + "User ID = " + userID + ", name ID = " + targetSPNameID.toXMLString(true, true));
}
nimResponse.setEncryptedID(getEncryptedID(targetSPNameID, realm, spEntityID, SAML2Constants.SP_ROLE));
status = SAML2Utils.generateStatus(SAML2Constants.SUCCESS, null);
}
}
nimResponse.setStatus(status);
signNIMResponse(nimResponse, realm, idpEntityID, false);
return nimResponse;
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
Status(com.sun.identity.saml2.protocol.Status)
IDPAccountMapper(com.sun.identity.saml2.plugins.IDPAccountMapper)
NameIDInfo(com.sun.identity.saml2.common.NameIDInfo)
NameIDPolicy(com.sun.identity.saml2.protocol.NameIDPolicy)
NameID(com.sun.identity.saml2.assertion.NameID)
NameIDMappingResponse(com.sun.identity.saml2.protocol.NameIDMappingResponse)
Date(java.util.Date)
Example 4 with IDPAccountMapper
use of com.sun.identity.saml2.plugins.IDPAccountMapper in project OpenAM by OpenRock.
the class AuthnQueryUtil method processAuthnQuery.
/**
* This method processes the <code>AuthnQuery</code> coming
* from a requester.
*
* @param authnQuery the <code>AuthnQuery</code> object
* @param request the <code>HttpServletRequest</code> object
* @param response the <code>HttpServletResponse</code> object
* @param authnAuthorityEntityID entity ID of authentication authority
* @param realm the realm of hosted entity
*
* @return the <code>Response</code> object
* @exception SAML2Exception if the operation is not successful
*/
public static Response processAuthnQuery(AuthnQuery authnQuery, HttpServletRequest request, HttpServletResponse response, String authnAuthorityEntityID, String realm) throws SAML2Exception {
try {
verifyAuthnQuery(authnQuery, authnAuthorityEntityID, realm);
} catch (SAML2Exception se) {
SAML2Utils.debug.error("AuthnQueryUtil.processAuthnQuery:", se);
return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER, null, se.getMessage(), null);
}
Issuer issuer = authnQuery.getIssuer();
String spEntityID = issuer.getValue();
AuthnAuthorityDescriptorElement aad = null;
SAML2MetaManager metaManager = SAML2Utils.getSAML2MetaManager();
try {
aad = metaManager.getAuthnAuthorityDescriptor(realm, authnAuthorityEntityID);
} catch (SAML2MetaException sme) {
SAML2Utils.debug.error("AuthnQueryUtil.processAuthnQuery:", sme);
return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.RESPONDER, null, SAML2Utils.bundle.getString("metaDataError"), null);
}
if (aad == null) {
return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER, null, SAML2Utils.bundle.getString("authnAuthorityNotFound"), null);
}
NameID nameID = getNameID(authnQuery.getSubject(), realm, authnAuthorityEntityID);
if (nameID == null) {
return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER, SAML2Constants.UNKNOWN_PRINCIPAL, null, null);
}
IDPAccountMapper idpAcctMapper = SAML2Utils.getIDPAccountMapper(realm, authnAuthorityEntityID);
String userID = idpAcctMapper.getIdentity(nameID, authnAuthorityEntityID, spEntityID, realm);
if (userID == null) {
return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER, SAML2Constants.UNKNOWN_PRINCIPAL, null, null);
}
IDPAuthnContextMapper idpAuthnContextMapper = IDPSSOUtil.getIDPAuthnContextMapper(realm, authnAuthorityEntityID);
// get assertion for matching authncontext using session
List returnAssertions = new ArrayList();
String qSessionIndex = authnQuery.getSessionIndex();
RequestedAuthnContext requestedAC = authnQuery.getRequestedAuthnContext();
List assertions = null;
String cacheKey = userID.toLowerCase();
AssertionFactory assertionFactory = AssertionFactory.getInstance();
if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("AuthnQueryUtil.processAuthnQuery: " + "getting user assertions from DB. user = " + cacheKey);
}
List list = null;
try {
list = SAML2FailoverUtils.retrieveSAML2TokensWithSecondaryKey(cacheKey);
} catch (SAML2TokenRepositoryException se) {
SAML2Utils.debug.error("AuthnQueryUtil.processAuthnQuery: " + "Unable to obtain user assertions from CTS Repository. user = " + cacheKey, se);
}
if (list != null && !list.isEmpty()) {
assertions = new ArrayList();
for (Iterator iter = list.iterator(); iter.hasNext(); ) {
String assertionStr = (String) iter.next();
assertions.add(assertionFactory.createAssertion(assertionStr));
}
}
} else {
assertions = (List) IDPCache.assertionCache.get(cacheKey);
}
if ((assertions != null) && (!assertions.isEmpty())) {
synchronized (assertions) {
for (Iterator aIter = assertions.iterator(); aIter.hasNext(); ) {
Assertion assertion = (Assertion) aIter.next();
if (!assertion.isTimeValid()) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("AuthnQueryUtil.processAuthnQuery: " + " assertion " + assertion.getID() + " expired.");
}
continue;
}
List authnStmts = assertion.getAuthnStatements();
for (Iterator asIter = authnStmts.iterator(); asIter.hasNext(); ) {
AuthnStatement authnStmt = (AuthnStatement) asIter.next();
AuthnContext authnStmtAC = authnStmt.getAuthnContext();
String sessionIndex = authnStmt.getSessionIndex();
String authnStmtACClassRef = authnStmtAC.getAuthnContextClassRef();
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("AuthnQueryUtil.processAuthnQuery: " + "authnStmtACClassRef is " + authnStmtACClassRef + ", sessionIndex = " + sessionIndex);
}
if ((qSessionIndex != null) && (qSessionIndex.length() != 0) && (!qSessionIndex.equals(sessionIndex))) {
continue;
}
if (requestedAC != null) {
List requestedACClassRefs = requestedAC.getAuthnContextClassRef();
String comparison = requestedAC.getComparison();
if (idpAuthnContextMapper.isAuthnContextMatching(requestedACClassRefs, authnStmtACClassRef, comparison, realm, authnAuthorityEntityID)) {
returnAssertions.add(assertion);
break;
}
} else {
returnAssertions.add(assertion);
break;
}
}
}
}
// end assertion iterator while.
}
ProtocolFactory protocolFactory = ProtocolFactory.getInstance();
Response samlResp = protocolFactory.createResponse();
if (!returnAssertions.isEmpty()) {
samlResp.setAssertion(returnAssertions);
}
samlResp.setID(SAML2Utils.generateID());
samlResp.setInResponseTo(authnQuery.getID());
samlResp.setVersion(SAML2Constants.VERSION_2_0);
samlResp.setIssueInstant(new Date());
Status status = protocolFactory.createStatus();
StatusCode statusCode = protocolFactory.createStatusCode();
statusCode.setValue(SAML2Constants.SUCCESS);
status.setStatusCode(statusCode);
samlResp.setStatus(status);
Issuer respIssuer = assertionFactory.createIssuer();
respIssuer.setValue(authnAuthorityEntityID);
samlResp.setIssuer(respIssuer);
signResponse(samlResp, authnAuthorityEntityID, realm, false);
return samlResp;
}
Also used :
Status(com.sun.identity.saml2.protocol.Status)
AuthnAuthorityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement)
IDPAccountMapper(com.sun.identity.saml2.plugins.IDPAccountMapper)
IDPAuthnContextMapper(com.sun.identity.saml2.plugins.IDPAuthnContextMapper)
Issuer(com.sun.identity.saml2.assertion.Issuer)
NameID(com.sun.identity.saml2.assertion.NameID)
ArrayList(java.util.ArrayList)
EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion)
Assertion(com.sun.identity.saml2.assertion.Assertion)
SAML2MetaManager(com.sun.identity.saml2.meta.SAML2MetaManager)
StatusCode(com.sun.identity.saml2.protocol.StatusCode)
Date(java.util.Date)
RequestedAuthnContext(com.sun.identity.saml2.protocol.RequestedAuthnContext)
AuthnContext(com.sun.identity.saml2.assertion.AuthnContext)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
ProtocolFactory(com.sun.identity.saml2.protocol.ProtocolFactory)
Response(com.sun.identity.saml2.protocol.Response)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
RequestedAuthnContext(com.sun.identity.saml2.protocol.RequestedAuthnContext)
AssertionFactory(com.sun.identity.saml2.assertion.AssertionFactory)
Iterator(java.util.Iterator)
AuthnStatement(com.sun.identity.saml2.assertion.AuthnStatement)
ArrayList(java.util.ArrayList)
List(java.util.List)
SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
Example 5 with IDPAccountMapper
use of com.sun.identity.saml2.plugins.IDPAccountMapper in project OpenAM by OpenRock.
the class DoManageNameID method processManageNameIDRequest.
private static ManageNameIDResponse processManageNameIDRequest(ManageNameIDRequest mniRequest, String metaAlias, String remoteEntityID, Map paramsMap, String destination, String binding, HttpServletRequest request, HttpServletResponse response) {
String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
String hostEntityID = null;
String hostRole = null;
Status status = null;
String userID = null;
try {
hostEntityID = metaManager.getEntityByMetaAlias(metaAlias);
hostRole = SAML2Utils.getHostEntityRole(paramsMap);
SAML2Utils.verifyRequestIssuer(realm, hostEntityID, mniRequest.getIssuer(), mniRequest.getID());
if (hostRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
IDPAccountMapper idpAcctMapper = SAML2Utils.getIDPAccountMapper(realm, hostEntityID);
userID = idpAcctMapper.getIdentity(mniRequest, hostEntityID, realm);
} else if (hostRole.equalsIgnoreCase(SAML2Constants.SP_ROLE)) {
SPAccountMapper spAcctMapper = SAML2Utils.getSPAccountMapper(realm, hostEntityID);
userID = spAcctMapper.getIdentity(mniRequest, hostEntityID, realm);
}
if (userID == null) {
status = SAML2Utils.generateStatus(SAML2Constants.REQUESTER, SAML2Constants.UNKNOWN_PRINCIPAL, null);
} else {
status = processManageNameIDRequest(mniRequest, realm, hostEntityID, remoteEntityID, hostRole, userID);
}
} catch (Exception e) {
if (debug.messageEnabled()) {
debug.message("DoManageNameID.processManageNameIDRequest:", e);
}
status = SAML2Utils.generateStatus(SAML2Constants.RESPONDER, e.toString());
}
ManageNameIDResponse mniResponse = null;
try {
String responseID = SAML2Utils.generateID();
if (responseID == null) {
debug.error(SAML2Utils.bundle.getString("failedToGenResponseID"));
}
mniResponse = pf.createManageNameIDResponse();
mniResponse.setStatus(status);
mniResponse.setID(responseID);
mniResponse.setInResponseTo(mniRequest.getID());
mniResponse.setVersion(SAML2Constants.VERSION_2_0);
mniResponse.setIssueInstant(new Date());
mniResponse.setIssuer(SAML2Utils.createIssuer(hostEntityID));
if (destination != null && (destination.length() != 0)) {
mniResponse.setDestination(XMLUtils.escapeSpecialCharacters(destination));
}
} catch (SAML2Exception e) {
debug.error("Error : ", e);
}
if (hostRole.equalsIgnoreCase(SAML2Constants.SP_ROLE) && mniResponse.getStatus().getStatusCode().getValue().equals(SAML2Constants.SUCCESS)) {
// invoke SPAdapter for post temination success
postTerminationSuccess(hostEntityID, realm, request, response, userID, mniRequest, mniResponse, binding);
}
return mniResponse;
}
Also used :
Status(com.sun.identity.saml2.protocol.Status)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
IDPAccountMapper(com.sun.identity.saml2.plugins.IDPAccountMapper)
ManageNameIDResponse(com.sun.identity.saml2.protocol.ManageNameIDResponse)
ServletException(javax.servlet.ServletException)
SOAPException(javax.xml.soap.SOAPException)
SessionException(com.sun.identity.plugin.session.SessionException)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
IOException(java.io.IOException)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
Date(java.util.Date)
SPAccountMapper(com.sun.identity.saml2.plugins.SPAccountMapper)
Aggregations
IDPAccountMapper (com.sun.identity.saml2.plugins.IDPAccountMapper)5
SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)4
SessionException (com.sun.identity.plugin.session.SessionException)3
NameID (com.sun.identity.saml2.assertion.NameID)3
SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)3
Status (com.sun.identity.saml2.protocol.Status)3
Date (java.util.Date)3
NameIDInfo (com.sun.identity.saml2.common.NameIDInfo)2
NameIDPolicy (com.sun.identity.saml2.protocol.NameIDPolicy)2
IOException (java.io.IOException)2
ArrayList (java.util.ArrayList)2
List (java.util.List)2
ServletException (javax.servlet.ServletException)2
SAML2TokenRepositoryException (org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)2
SystemConfigurationException (com.sun.identity.common.SystemConfigurationException)1
COTException (com.sun.identity.cot.COTException)1
DataStoreProviderException (com.sun.identity.plugin.datastore.DataStoreProviderException)1
Assertion (com.sun.identity.saml2.assertion.Assertion)1
AssertionFactory (com.sun.identity.saml2.assertion.AssertionFactory)1
AuthnContext (com.sun.identity.saml2.assertion.AuthnContext)1
