Example 1 with SAML2IDPFinder
use of com.sun.identity.saml2.plugins.SAML2IDPFinder in project OpenAM by OpenRock.
the class SPSSOFederate method initiateECPRequest.
/**
* Parses the request parameters and builds ECP Request to sent to the IDP.
*
* @param request the HttpServletRequest.
* @param response the HttpServletResponse.
*
* @throws SAML2Exception if error creating AuthnRequest.
* @throws IOException if error sending AuthnRequest to ECP.
*/
public static void initiateECPRequest(HttpServletRequest request, HttpServletResponse response) throws SAML2Exception, IOException {
if (!isFromECP(request)) {
SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest: " + "invalid HTTP request from ECP.");
SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST, "invalidHttpRequestFromECP", SAML2Utils.bundle.getString("invalidHttpRequestFromECP"));
return;
}
String metaAlias = request.getParameter("metaAlias");
Map paramsMap = SAML2Utils.getParamsMap(request);
// get the sp entity ID from the metaAlias
String spEntityID = sm.getEntityByMetaAlias(metaAlias);
String realm = getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("SPSSOFederate.initiateECPRequest: " + "spEntityID is " + spEntityID + ", realm is " + realm);
}
try {
// Retreive MetaData
if (sm == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("errorMetaManager"));
}
SPSSOConfigElement spEntityCfg = sm.getSPSSOConfig(realm, spEntityID);
Map spConfigAttrsMap = null;
if (spEntityCfg != null) {
spConfigAttrsMap = SAML2MetaUtils.getAttributes(spEntityCfg);
}
// get SPSSODescriptor
SPSSODescriptorElement spsso = sm.getSPSSODescriptor(realm, spEntityID);
if (spsso == null) {
String[] data = { spEntityID };
LogUtil.error(Level.INFO, LogUtil.SP_METADATA_ERROR, data, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
String[] data = { spEntityID, realm };
LogUtil.access(Level.INFO, LogUtil.RECEIVED_HTTP_REQUEST_ECP, data, null);
List extensionsList = getExtensionsList(spEntityID, realm);
// create AuthnRequest
AuthnRequest authnRequest = createAuthnRequest(realm, spEntityID, paramsMap, spConfigAttrsMap, extensionsList, spsso, null, null, true);
// invoke SP Adapter class if registered
SAML2ServiceProviderAdapter spAdapter = SAML2Utils.getSPAdapterClass(spEntityID, realm);
if (spAdapter != null) {
spAdapter.preSingleSignOnRequest(spEntityID, realm, null, request, response, authnRequest);
}
String alias = SAML2Utils.getSigningCertAlias(realm, spEntityID, SAML2Constants.SP_ROLE);
PrivateKey signingKey = KeyUtil.getKeyProviderInstance().getPrivateKey(alias);
if (signingKey != null) {
authnRequest.sign(signingKey, null);
} else {
SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest: " + "Unable to find signing key.");
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
ECPFactory ecpFactory = ECPFactory.getInstance();
// Default URL if relayState not present? in providerConfig?
// TODO get Default URL from metadata
String relayState = getParameter(paramsMap, SAML2Constants.RELAY_STATE);
String ecpRelayStateXmlStr = "";
if (relayState != null && relayState.length() > 0) {
String relayStateID = getRelayStateID(relayState, authnRequest.getID());
ECPRelayState ecpRelayState = ecpFactory.createECPRelayState();
ecpRelayState.setValue(relayStateID);
ecpRelayState.setMustUnderstand(Boolean.TRUE);
ecpRelayState.setActor(SAML2Constants.SOAP_ACTOR_NEXT);
ecpRelayStateXmlStr = ecpRelayState.toXMLString(true, true);
}
ECPRequest ecpRequest = ecpFactory.createECPRequest();
ecpRequest.setIssuer(createIssuer(spEntityID));
ecpRequest.setMustUnderstand(Boolean.TRUE);
ecpRequest.setActor(SAML2Constants.SOAP_ACTOR_NEXT);
ecpRequest.setIsPassive(authnRequest.isPassive());
SAML2IDPFinder ecpIDPFinder = SAML2Utils.getECPIDPFinder(realm, spEntityID);
if (ecpIDPFinder != null) {
List idps = ecpIDPFinder.getPreferredIDP(authnRequest, spEntityID, realm, request, response);
if ((idps != null) && (!idps.isEmpty())) {
SAML2MetaManager saml2MetaManager = SAML2Utils.getSAML2MetaManager();
List idpEntries = null;
for (Iterator iter = idps.iterator(); iter.hasNext(); ) {
String idpEntityID = (String) iter.next();
IDPSSODescriptorElement idpDesc = saml2MetaManager.getIDPSSODescriptor(realm, idpEntityID);
if (idpDesc != null) {
IDPEntry idpEntry = ProtocolFactory.getInstance().createIDPEntry();
idpEntry.setProviderID(idpEntityID);
String description = SAML2Utils.getAttributeValueFromSSOConfig(realm, idpEntityID, SAML2Constants.IDP_ROLE, SAML2Constants.ENTITY_DESCRIPTION);
idpEntry.setName(description);
List ssoServiceList = idpDesc.getSingleSignOnService();
String ssoURL = getSSOURL(ssoServiceList, SAML2Constants.SOAP);
idpEntry.setLoc(ssoURL);
if (idpEntries == null) {
idpEntries = new ArrayList();
}
idpEntries.add(idpEntry);
}
}
if (idpEntries != null) {
IDPList idpList = ProtocolFactory.getInstance().createIDPList();
idpList.setIDPEntries(idpEntries);
ecpRequest.setIDPList(idpList);
Map attrs = SAML2MetaUtils.getAttributes(spEntityCfg);
List values = (List) attrs.get(SAML2Constants.ECP_REQUEST_IDP_LIST_GET_COMPLETE);
if ((values != null) && (!values.isEmpty())) {
GetComplete getComplete = ProtocolFactory.getInstance().createGetComplete();
getComplete.setValue((String) values.get(0));
idpList.setGetComplete(getComplete);
}
}
}
}
String paosRequestXmlStr = "";
try {
PAOSRequest paosRequest = new PAOSRequest(authnRequest.getAssertionConsumerServiceURL(), SAML2Constants.PAOS_ECP_SERVICE, null, Boolean.TRUE, SAML2Constants.SOAP_ACTOR_NEXT);
paosRequestXmlStr = paosRequest.toXMLString(true, true);
} catch (PAOSException paosex) {
SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest:", paosex);
throw new SAML2Exception(paosex.getMessage());
}
String header = paosRequestXmlStr + ecpRequest.toXMLString(true, true) + ecpRelayStateXmlStr;
String body = authnRequest.toXMLString(true, true);
try {
SOAPMessage reply = SOAPCommunicator.getInstance().createSOAPMessage(header, body, false);
String[] data2 = { spEntityID, realm, "" };
if (LogUtil.isAccessLoggable(Level.FINE)) {
data2[2] = SOAPCommunicator.getInstance().soapMessageToString(reply);
}
LogUtil.access(Level.INFO, LogUtil.SEND_ECP_PAOS_REQUEST, data2, null);
// are generated as part of the save.
if (reply.saveRequired()) {
reply.saveChanges();
}
response.setStatus(HttpServletResponse.SC_OK);
SAML2Utils.putHeaders(reply.getMimeHeaders(), response);
response.setContentType(PAOSConstants.PAOS_MIME_TYPE);
// Write out the message on the response stream
OutputStream os = response.getOutputStream();
reply.writeTo(os);
os.flush();
} catch (SOAPException soapex) {
SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest", soapex);
String[] data3 = { spEntityID, realm };
LogUtil.error(Level.INFO, LogUtil.SEND_ECP_PAOS_REQUEST_FAILED, data3, null);
SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "soapError", soapex.getMessage());
return;
}
AuthnRequestInfo reqInfo = new AuthnRequestInfo(request, response, realm, spEntityID, null, authnRequest, relayState, paramsMap);
synchronized (SPCache.requestHash) {
SPCache.requestHash.put(authnRequest.getID(), reqInfo);
}
if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
// sessionExpireTime is counted in seconds
long sessionExpireTime = System.currentTimeMillis() / 1000 + SPCache.interval;
String key = authnRequest.getID();
try {
SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(key, new AuthnRequestInfoCopy(reqInfo), sessionExpireTime);
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("SPSSOFederate.initiateECPRequest:" + " SAVE AuthnRequestInfoCopy for requestID " + key);
}
} catch (SAML2TokenRepositoryException e) {
SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest: There was a problem saving the " + "AuthnRequestInfoCopy in the SAML2 Token Repository for requestID " + key, e);
}
}
} catch (SAML2MetaException sme) {
SAML2Utils.debug.error("SPSSOFederate:Error retrieving metadata", sme);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
}
Also used :
PrivateKey(java.security.PrivateKey)
SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)
GetComplete(com.sun.identity.saml2.protocol.GetComplete)
OutputStream(java.io.OutputStream)
ArrayList(java.util.ArrayList)
PAOSException(com.sun.identity.liberty.ws.paos.PAOSException)
SOAPMessage(javax.xml.soap.SOAPMessage)
ECPFactory(com.sun.identity.saml2.ecp.ECPFactory)
SOAPException(javax.xml.soap.SOAPException)
ECPRelayState(com.sun.identity.saml2.ecp.ECPRelayState)
Iterator(java.util.Iterator)
List(java.util.List)
IDPList(com.sun.identity.saml2.protocol.IDPList)
ArrayList(java.util.ArrayList)
SAML2ServiceProviderAdapter(com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter)
SAML2IDPFinder(com.sun.identity.saml2.plugins.SAML2IDPFinder)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
ECPRequest(com.sun.identity.saml2.ecp.ECPRequest)
SPSSOConfigElement(com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement)
IDPList(com.sun.identity.saml2.protocol.IDPList)
SAML2MetaManager(com.sun.identity.saml2.meta.SAML2MetaManager)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
AuthnRequest(com.sun.identity.saml2.protocol.AuthnRequest)
SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)
IDPEntry(com.sun.identity.saml2.protocol.IDPEntry)
Map(java.util.Map)
PAOSRequest(com.sun.identity.liberty.ws.paos.PAOSRequest)
IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)
Example 2 with SAML2IDPFinder
use of com.sun.identity.saml2.plugins.SAML2IDPFinder in project OpenAM by OpenRock.
the class SAML2Utils method getECPIDPFinder.
/**
* Returns an <code>SAML2IDPFinder</code> which is used to find a list
* of IDP's for ECP Request.
*
* @param realm the realm name
* @param spEntityID the entity id of the service provider
* @return the <code>SAML2IDPFinder</code>
* @throws SAML2Exception if the operation is not successful
*/
public static SAML2IDPFinder getECPIDPFinder(String realm, String spEntityID) throws SAML2Exception {
String classMethod = "SAML2Utils.getECPIDPFinder: ";
String implClassName = null;
SAML2IDPFinder ecpRequestIDPListFinder = null;
try {
implClassName = getAttributeValueFromSSOConfig(realm, spEntityID, SAML2Constants.SP_ROLE, SAML2Constants.ECP_REQUEST_IDP_LIST_FINDER_IMPL);
if (debug.messageEnabled()) {
debug.message(classMethod + "use " + implClassName);
}
if ((implClassName == null) || (implClassName.trim().length() == 0)) {
return null;
}
ecpRequestIDPListFinder = (SAML2IDPFinder) SPCache.ecpRequestIDPListFinderCache.get(implClassName);
if (ecpRequestIDPListFinder == null) {
ecpRequestIDPListFinder = (SAML2IDPFinder) Class.forName(implClassName).newInstance();
SPCache.ecpRequestIDPListFinderCache.put(implClassName, ecpRequestIDPListFinder);
} else {
if (debug.messageEnabled()) {
debug.message(classMethod + "got the ECP Request IDP List Finder from cache");
}
}
} catch (Exception ex) {
if (debug.warningEnabled()) {
debug.warning(classMethod + "Unable to get ECP Request IDP List Finder.", ex);
}
}
return ecpRequestIDPListFinder;
}
Also used :
SAML2IDPFinder(com.sun.identity.saml2.plugins.SAML2IDPFinder)
SystemConfigurationException(com.sun.identity.common.SystemConfigurationException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
IOException(java.io.IOException)
ServletException(javax.servlet.ServletException)
SessionException(com.sun.identity.plugin.session.SessionException)
DataStoreProviderException(com.sun.identity.plugin.datastore.DataStoreProviderException)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
COTException(com.sun.identity.cot.COTException)
SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)
Example 3 with SAML2IDPFinder
use of com.sun.identity.saml2.plugins.SAML2IDPFinder in project OpenAM by OpenRock.
the class IDPProxyUtil method getPreferredIDP.
/**
* Gets the preferred IDP Id to be proxied. This method makes use of an
* SPI to determine the preferred IDP.
* @param authnRequest original Authn Request.
* @param hostedEntityId hosted provider ID
* @param realm Realm
* @param request HttpServletRequest
* @param response HttpServletResponse
* @exception SAML2Exception for any SAML2 failure.
* @return String Provider id of the preferred IDP to be proxied.
*/
public static String getPreferredIDP(AuthnRequest authnRequest, String hostedEntityId, String realm, HttpServletRequest request, HttpServletResponse response) throws SAML2Exception {
SAML2IDPFinder proxyFinder = getIDPProxyFinder(realm, hostedEntityId);
List idpProviderIDs = proxyFinder.getPreferredIDP(authnRequest, hostedEntityId, realm, request, response);
if ((idpProviderIDs == null) || idpProviderIDs.isEmpty()) {
return null;
}
return (String) idpProviderIDs.get(0);
}
Also used :
List(java.util.List)
IDPList(com.sun.identity.saml2.protocol.IDPList)
ArrayList(java.util.ArrayList)
SAML2IDPFinder(com.sun.identity.saml2.plugins.SAML2IDPFinder)
Example 4 with SAML2IDPFinder
use of com.sun.identity.saml2.plugins.SAML2IDPFinder in project OpenAM by OpenRock.
the class IDPProxyUtil method getIDPProxyFinder.
/**
* Returns an <code>IDPProxyFinder</code>
*
* @param realm the realm name
* @param idpEntityID the entity id of the identity provider
*
* @return the <code>IDPProxyFinder</code>
* @exception SAML2Exception if the operation is not successful
*/
static SAML2IDPFinder getIDPProxyFinder(String realm, String idpEntityID) throws SAML2Exception {
String classMethod = "IDPProxyUtil.getIDPProxyFinder: ";
String idpProxyFinderName = null;
SAML2IDPFinder idpProxyFinder = null;
try {
idpProxyFinderName = IDPSSOUtil.getAttributeValueFromIDPSSOConfig(realm, idpEntityID, SAML2Constants.PROXY_IDP_FINDER_CLASS);
if (idpProxyFinderName == null || idpProxyFinderName.isEmpty()) {
idpProxyFinderName = SAML2Constants.DEFAULT_IDP_PROXY_FINDER;
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "use " + SAML2Constants.DEFAULT_IDP_PROXY_FINDER);
}
}
idpProxyFinder = (SAML2IDPFinder) IDPCache.idpProxyFinderCache.get(idpProxyFinderName);
if (idpProxyFinder == null) {
idpProxyFinder = (SAML2IDPFinder) Class.forName(idpProxyFinderName).newInstance();
IDPCache.idpProxyFinderCache.put(idpProxyFinderName, idpProxyFinder);
} else {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "got the IDPProxyFinder from cache");
}
}
} catch (Exception ex) {
SAML2Utils.debug.error(classMethod + "Unable to get IDP Proxy Finder.", ex);
throw new SAML2Exception(ex);
}
return idpProxyFinder;
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
SAML2IDPFinder(com.sun.identity.saml2.plugins.SAML2IDPFinder)
SOAPException(javax.xml.soap.SOAPException)
SessionException(com.sun.identity.plugin.session.SessionException)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)
IOException(java.io.IOException)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
Aggregations
SAML2IDPFinder (com.sun.identity.saml2.plugins.SAML2IDPFinder)4
SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)3
SAML2TokenRepositoryException (org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)3
SessionException (com.sun.identity.plugin.session.SessionException)2
SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)2
IDPList (com.sun.identity.saml2.protocol.IDPList)2
IOException (java.io.IOException)2
ArrayList (java.util.ArrayList)2
List (java.util.List)2
SOAPException (javax.xml.soap.SOAPException)2
SystemConfigurationException (com.sun.identity.common.SystemConfigurationException)1
COTException (com.sun.identity.cot.COTException)1
PAOSException (com.sun.identity.liberty.ws.paos.PAOSException)1
PAOSRequest (com.sun.identity.liberty.ws.paos.PAOSRequest)1
DataStoreProviderException (com.sun.identity.plugin.datastore.DataStoreProviderException)1
ECPFactory (com.sun.identity.saml2.ecp.ECPFactory)1
ECPRelayState (com.sun.identity.saml2.ecp.ECPRelayState)1
ECPRequest (com.sun.identity.saml2.ecp.ECPRequest)1
SPSSOConfigElement (com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement)1
IDPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)1
