Search in sources :

Example 1 with SAML2IDPFinder

use of com.sun.identity.saml2.plugins.SAML2IDPFinder in project OpenAM by OpenRock.

the class SPSSOFederate method initiateECPRequest.

/**
     * Parses the request parameters and builds ECP Request to sent to the IDP.
     *
     * @param request the HttpServletRequest.
     * @param response the HttpServletResponse.
     *
     * @throws SAML2Exception if error creating AuthnRequest.
     * @throws IOException if error sending AuthnRequest to ECP.
     */
public static void initiateECPRequest(HttpServletRequest request, HttpServletResponse response) throws SAML2Exception, IOException {
    if (!isFromECP(request)) {
        SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest: " + "invalid HTTP request from ECP.");
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST, "invalidHttpRequestFromECP", SAML2Utils.bundle.getString("invalidHttpRequestFromECP"));
        return;
    }
    String metaAlias = request.getParameter("metaAlias");
    Map paramsMap = SAML2Utils.getParamsMap(request);
    // get the sp entity ID from the metaAlias
    String spEntityID = sm.getEntityByMetaAlias(metaAlias);
    String realm = getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("SPSSOFederate.initiateECPRequest: " + "spEntityID is " + spEntityID + ", realm is " + realm);
    }
    try {
        // Retreive MetaData 
        if (sm == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("errorMetaManager"));
        }
        SPSSOConfigElement spEntityCfg = sm.getSPSSOConfig(realm, spEntityID);
        Map spConfigAttrsMap = null;
        if (spEntityCfg != null) {
            spConfigAttrsMap = SAML2MetaUtils.getAttributes(spEntityCfg);
        }
        // get SPSSODescriptor
        SPSSODescriptorElement spsso = sm.getSPSSODescriptor(realm, spEntityID);
        if (spsso == null) {
            String[] data = { spEntityID };
            LogUtil.error(Level.INFO, LogUtil.SP_METADATA_ERROR, data, null);
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }
        String[] data = { spEntityID, realm };
        LogUtil.access(Level.INFO, LogUtil.RECEIVED_HTTP_REQUEST_ECP, data, null);
        List extensionsList = getExtensionsList(spEntityID, realm);
        // create AuthnRequest 
        AuthnRequest authnRequest = createAuthnRequest(realm, spEntityID, paramsMap, spConfigAttrsMap, extensionsList, spsso, null, null, true);
        // invoke SP Adapter class if registered
        SAML2ServiceProviderAdapter spAdapter = SAML2Utils.getSPAdapterClass(spEntityID, realm);
        if (spAdapter != null) {
            spAdapter.preSingleSignOnRequest(spEntityID, realm, null, request, response, authnRequest);
        }
        String alias = SAML2Utils.getSigningCertAlias(realm, spEntityID, SAML2Constants.SP_ROLE);
        PrivateKey signingKey = KeyUtil.getKeyProviderInstance().getPrivateKey(alias);
        if (signingKey != null) {
            authnRequest.sign(signingKey, null);
        } else {
            SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest: " + "Unable to find signing key.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }
        ECPFactory ecpFactory = ECPFactory.getInstance();
        // Default URL if relayState not present? in providerConfig?
        // TODO get Default URL from metadata 
        String relayState = getParameter(paramsMap, SAML2Constants.RELAY_STATE);
        String ecpRelayStateXmlStr = "";
        if (relayState != null && relayState.length() > 0) {
            String relayStateID = getRelayStateID(relayState, authnRequest.getID());
            ECPRelayState ecpRelayState = ecpFactory.createECPRelayState();
            ecpRelayState.setValue(relayStateID);
            ecpRelayState.setMustUnderstand(Boolean.TRUE);
            ecpRelayState.setActor(SAML2Constants.SOAP_ACTOR_NEXT);
            ecpRelayStateXmlStr = ecpRelayState.toXMLString(true, true);
        }
        ECPRequest ecpRequest = ecpFactory.createECPRequest();
        ecpRequest.setIssuer(createIssuer(spEntityID));
        ecpRequest.setMustUnderstand(Boolean.TRUE);
        ecpRequest.setActor(SAML2Constants.SOAP_ACTOR_NEXT);
        ecpRequest.setIsPassive(authnRequest.isPassive());
        SAML2IDPFinder ecpIDPFinder = SAML2Utils.getECPIDPFinder(realm, spEntityID);
        if (ecpIDPFinder != null) {
            List idps = ecpIDPFinder.getPreferredIDP(authnRequest, spEntityID, realm, request, response);
            if ((idps != null) && (!idps.isEmpty())) {
                SAML2MetaManager saml2MetaManager = SAML2Utils.getSAML2MetaManager();
                List idpEntries = null;
                for (Iterator iter = idps.iterator(); iter.hasNext(); ) {
                    String idpEntityID = (String) iter.next();
                    IDPSSODescriptorElement idpDesc = saml2MetaManager.getIDPSSODescriptor(realm, idpEntityID);
                    if (idpDesc != null) {
                        IDPEntry idpEntry = ProtocolFactory.getInstance().createIDPEntry();
                        idpEntry.setProviderID(idpEntityID);
                        String description = SAML2Utils.getAttributeValueFromSSOConfig(realm, idpEntityID, SAML2Constants.IDP_ROLE, SAML2Constants.ENTITY_DESCRIPTION);
                        idpEntry.setName(description);
                        List ssoServiceList = idpDesc.getSingleSignOnService();
                        String ssoURL = getSSOURL(ssoServiceList, SAML2Constants.SOAP);
                        idpEntry.setLoc(ssoURL);
                        if (idpEntries == null) {
                            idpEntries = new ArrayList();
                        }
                        idpEntries.add(idpEntry);
                    }
                }
                if (idpEntries != null) {
                    IDPList idpList = ProtocolFactory.getInstance().createIDPList();
                    idpList.setIDPEntries(idpEntries);
                    ecpRequest.setIDPList(idpList);
                    Map attrs = SAML2MetaUtils.getAttributes(spEntityCfg);
                    List values = (List) attrs.get(SAML2Constants.ECP_REQUEST_IDP_LIST_GET_COMPLETE);
                    if ((values != null) && (!values.isEmpty())) {
                        GetComplete getComplete = ProtocolFactory.getInstance().createGetComplete();
                        getComplete.setValue((String) values.get(0));
                        idpList.setGetComplete(getComplete);
                    }
                }
            }
        }
        String paosRequestXmlStr = "";
        try {
            PAOSRequest paosRequest = new PAOSRequest(authnRequest.getAssertionConsumerServiceURL(), SAML2Constants.PAOS_ECP_SERVICE, null, Boolean.TRUE, SAML2Constants.SOAP_ACTOR_NEXT);
            paosRequestXmlStr = paosRequest.toXMLString(true, true);
        } catch (PAOSException paosex) {
            SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest:", paosex);
            throw new SAML2Exception(paosex.getMessage());
        }
        String header = paosRequestXmlStr + ecpRequest.toXMLString(true, true) + ecpRelayStateXmlStr;
        String body = authnRequest.toXMLString(true, true);
        try {
            SOAPMessage reply = SOAPCommunicator.getInstance().createSOAPMessage(header, body, false);
            String[] data2 = { spEntityID, realm, "" };
            if (LogUtil.isAccessLoggable(Level.FINE)) {
                data2[2] = SOAPCommunicator.getInstance().soapMessageToString(reply);
            }
            LogUtil.access(Level.INFO, LogUtil.SEND_ECP_PAOS_REQUEST, data2, null);
            // are generated as part of the save.
            if (reply.saveRequired()) {
                reply.saveChanges();
            }
            response.setStatus(HttpServletResponse.SC_OK);
            SAML2Utils.putHeaders(reply.getMimeHeaders(), response);
            response.setContentType(PAOSConstants.PAOS_MIME_TYPE);
            // Write out the message on the response stream
            OutputStream os = response.getOutputStream();
            reply.writeTo(os);
            os.flush();
        } catch (SOAPException soapex) {
            SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest", soapex);
            String[] data3 = { spEntityID, realm };
            LogUtil.error(Level.INFO, LogUtil.SEND_ECP_PAOS_REQUEST_FAILED, data3, null);
            SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "soapError", soapex.getMessage());
            return;
        }
        AuthnRequestInfo reqInfo = new AuthnRequestInfo(request, response, realm, spEntityID, null, authnRequest, relayState, paramsMap);
        synchronized (SPCache.requestHash) {
            SPCache.requestHash.put(authnRequest.getID(), reqInfo);
        }
        if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
            // sessionExpireTime is counted in seconds
            long sessionExpireTime = System.currentTimeMillis() / 1000 + SPCache.interval;
            String key = authnRequest.getID();
            try {
                SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(key, new AuthnRequestInfoCopy(reqInfo), sessionExpireTime);
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("SPSSOFederate.initiateECPRequest:" + " SAVE AuthnRequestInfoCopy for requestID " + key);
                }
            } catch (SAML2TokenRepositoryException e) {
                SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest: There was a problem saving the " + "AuthnRequestInfoCopy in the SAML2 Token Repository for requestID " + key, e);
            }
        }
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error("SPSSOFederate:Error retrieving metadata", sme);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
}
Also used : PrivateKey(java.security.PrivateKey) SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) GetComplete(com.sun.identity.saml2.protocol.GetComplete) OutputStream(java.io.OutputStream) ArrayList(java.util.ArrayList) PAOSException(com.sun.identity.liberty.ws.paos.PAOSException) SOAPMessage(javax.xml.soap.SOAPMessage) ECPFactory(com.sun.identity.saml2.ecp.ECPFactory) SOAPException(javax.xml.soap.SOAPException) ECPRelayState(com.sun.identity.saml2.ecp.ECPRelayState) Iterator(java.util.Iterator) List(java.util.List) IDPList(com.sun.identity.saml2.protocol.IDPList) ArrayList(java.util.ArrayList) SAML2ServiceProviderAdapter(com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter) SAML2IDPFinder(com.sun.identity.saml2.plugins.SAML2IDPFinder) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) ECPRequest(com.sun.identity.saml2.ecp.ECPRequest) SPSSOConfigElement(com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement) IDPList(com.sun.identity.saml2.protocol.IDPList) SAML2MetaManager(com.sun.identity.saml2.meta.SAML2MetaManager) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) AuthnRequest(com.sun.identity.saml2.protocol.AuthnRequest) SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException) IDPEntry(com.sun.identity.saml2.protocol.IDPEntry) Map(java.util.Map) PAOSRequest(com.sun.identity.liberty.ws.paos.PAOSRequest) IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)

Example 2 with SAML2IDPFinder

use of com.sun.identity.saml2.plugins.SAML2IDPFinder in project OpenAM by OpenRock.

the class SAML2Utils method getECPIDPFinder.

/**
     * Returns an <code>SAML2IDPFinder</code> which is used to find a list
     * of IDP's for ECP Request.
     *
     * @param realm      the realm name
     * @param spEntityID the entity id of the service provider
     * @return the <code>SAML2IDPFinder</code>
     * @throws SAML2Exception if the operation is not successful
     */
public static SAML2IDPFinder getECPIDPFinder(String realm, String spEntityID) throws SAML2Exception {
    String classMethod = "SAML2Utils.getECPIDPFinder: ";
    String implClassName = null;
    SAML2IDPFinder ecpRequestIDPListFinder = null;
    try {
        implClassName = getAttributeValueFromSSOConfig(realm, spEntityID, SAML2Constants.SP_ROLE, SAML2Constants.ECP_REQUEST_IDP_LIST_FINDER_IMPL);
        if (debug.messageEnabled()) {
            debug.message(classMethod + "use " + implClassName);
        }
        if ((implClassName == null) || (implClassName.trim().length() == 0)) {
            return null;
        }
        ecpRequestIDPListFinder = (SAML2IDPFinder) SPCache.ecpRequestIDPListFinderCache.get(implClassName);
        if (ecpRequestIDPListFinder == null) {
            ecpRequestIDPListFinder = (SAML2IDPFinder) Class.forName(implClassName).newInstance();
            SPCache.ecpRequestIDPListFinderCache.put(implClassName, ecpRequestIDPListFinder);
        } else {
            if (debug.messageEnabled()) {
                debug.message(classMethod + "got the ECP Request IDP List Finder from cache");
            }
        }
    } catch (Exception ex) {
        if (debug.warningEnabled()) {
            debug.warning(classMethod + "Unable to get ECP Request IDP List Finder.", ex);
        }
    }
    return ecpRequestIDPListFinder;
}
Also used : SAML2IDPFinder(com.sun.identity.saml2.plugins.SAML2IDPFinder) SystemConfigurationException(com.sun.identity.common.SystemConfigurationException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) IOException(java.io.IOException) ServletException(javax.servlet.ServletException) SessionException(com.sun.identity.plugin.session.SessionException) DataStoreProviderException(com.sun.identity.plugin.datastore.DataStoreProviderException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) COTException(com.sun.identity.cot.COTException) SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)

Example 3 with SAML2IDPFinder

use of com.sun.identity.saml2.plugins.SAML2IDPFinder in project OpenAM by OpenRock.

the class IDPProxyUtil method getPreferredIDP.

/**
     * Gets the preferred IDP Id to be proxied. This method makes use of an
     * SPI to determine the preferred IDP.
     * @param authnRequest original Authn Request.
     * @param hostedEntityId hosted provider ID 
     * @param realm Realm 
     * @param request HttpServletRequest
     * @param response HttpServletResponse 
     * @exception SAML2Exception for any SAML2 failure.
     * @return String Provider id of the preferred IDP to be proxied.
     */
public static String getPreferredIDP(AuthnRequest authnRequest, String hostedEntityId, String realm, HttpServletRequest request, HttpServletResponse response) throws SAML2Exception {
    SAML2IDPFinder proxyFinder = getIDPProxyFinder(realm, hostedEntityId);
    List idpProviderIDs = proxyFinder.getPreferredIDP(authnRequest, hostedEntityId, realm, request, response);
    if ((idpProviderIDs == null) || idpProviderIDs.isEmpty()) {
        return null;
    }
    return (String) idpProviderIDs.get(0);
}
Also used : List(java.util.List) IDPList(com.sun.identity.saml2.protocol.IDPList) ArrayList(java.util.ArrayList) SAML2IDPFinder(com.sun.identity.saml2.plugins.SAML2IDPFinder)

Example 4 with SAML2IDPFinder

use of com.sun.identity.saml2.plugins.SAML2IDPFinder in project OpenAM by OpenRock.

the class IDPProxyUtil method getIDPProxyFinder.

/**
     * Returns an <code>IDPProxyFinder</code>
     *
     * @param realm the realm name
     * @param idpEntityID the entity id of the identity provider
     *
     * @return the <code>IDPProxyFinder</code>
     * @exception SAML2Exception if the operation is not successful
     */
static SAML2IDPFinder getIDPProxyFinder(String realm, String idpEntityID) throws SAML2Exception {
    String classMethod = "IDPProxyUtil.getIDPProxyFinder: ";
    String idpProxyFinderName = null;
    SAML2IDPFinder idpProxyFinder = null;
    try {
        idpProxyFinderName = IDPSSOUtil.getAttributeValueFromIDPSSOConfig(realm, idpEntityID, SAML2Constants.PROXY_IDP_FINDER_CLASS);
        if (idpProxyFinderName == null || idpProxyFinderName.isEmpty()) {
            idpProxyFinderName = SAML2Constants.DEFAULT_IDP_PROXY_FINDER;
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "use " + SAML2Constants.DEFAULT_IDP_PROXY_FINDER);
            }
        }
        idpProxyFinder = (SAML2IDPFinder) IDPCache.idpProxyFinderCache.get(idpProxyFinderName);
        if (idpProxyFinder == null) {
            idpProxyFinder = (SAML2IDPFinder) Class.forName(idpProxyFinderName).newInstance();
            IDPCache.idpProxyFinderCache.put(idpProxyFinderName, idpProxyFinder);
        } else {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "got the IDPProxyFinder from cache");
            }
        }
    } catch (Exception ex) {
        SAML2Utils.debug.error(classMethod + "Unable to get IDP Proxy Finder.", ex);
        throw new SAML2Exception(ex);
    }
    return idpProxyFinder;
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) SAML2IDPFinder(com.sun.identity.saml2.plugins.SAML2IDPFinder) SOAPException(javax.xml.soap.SOAPException) SessionException(com.sun.identity.plugin.session.SessionException) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException) IOException(java.io.IOException) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)

Aggregations

SAML2IDPFinder (com.sun.identity.saml2.plugins.SAML2IDPFinder)4 SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)3 SAML2TokenRepositoryException (org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)3 SessionException (com.sun.identity.plugin.session.SessionException)2 SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)2 IDPList (com.sun.identity.saml2.protocol.IDPList)2 IOException (java.io.IOException)2 ArrayList (java.util.ArrayList)2 List (java.util.List)2 SOAPException (javax.xml.soap.SOAPException)2 SystemConfigurationException (com.sun.identity.common.SystemConfigurationException)1 COTException (com.sun.identity.cot.COTException)1 PAOSException (com.sun.identity.liberty.ws.paos.PAOSException)1 PAOSRequest (com.sun.identity.liberty.ws.paos.PAOSRequest)1 DataStoreProviderException (com.sun.identity.plugin.datastore.DataStoreProviderException)1 ECPFactory (com.sun.identity.saml2.ecp.ECPFactory)1 ECPRelayState (com.sun.identity.saml2.ecp.ECPRelayState)1 ECPRequest (com.sun.identity.saml2.ecp.ECPRequest)1 SPSSOConfigElement (com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement)1 IDPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)1