Example 1 with SAML2IdentityProviderAdapter
use of com.sun.identity.saml2.plugins.SAML2IdentityProviderAdapter in project OpenAM by OpenRock.
the class IDPSSOUtil method sendResponseToACS.
/**
* Sends <code>Response</code> containing an <code>Assertion</code>
* back to the requesting service provider
*
* @param request the <code>HttpServletRequest</code> object
* @param response the <code>HttpServletResponse</code> object
* @param out the print writer for writing out presentation
* @param session user session
* @param authnReq the <code>AuthnRequest</code> object
* @param spEntityID the entity id of the service provider
* @param idpEntityID the entity id of the identity provider
* @param idpMetaAlias the meta alias of the identity provider
* @param realm the realm
* @param nameIDFormat the <code>NameIDFormat</code>
* @param relayState the relay state
* @param matchingAuthnContext the <code>AuthnContext</code> used to find
* authentication type and scheme.
*/
public static void sendResponseToACS(HttpServletRequest request, HttpServletResponse response, PrintWriter out, Object session, AuthnRequest authnReq, String spEntityID, String idpEntityID, String idpMetaAlias, String realm, String nameIDFormat, String relayState, AuthnContext matchingAuthnContext) throws SAML2Exception {
StringBuffer returnedBinding = new StringBuffer();
String acsURL = IDPSSOUtil.getACSurl(spEntityID, realm, authnReq, request, returnedBinding);
String acsBinding = returnedBinding.toString();
if ((acsURL == null) || (acsURL.trim().length() == 0)) {
SAML2Utils.debug.error("IDPSSOUtil.sendResponseToACS:" + " no ACS URL found.");
String[] data = { idpMetaAlias };
LogUtil.error(Level.INFO, LogUtil.NO_ACS_URL, data, session);
throw new SAML2Exception(SAML2Utils.bundle.getString("UnableTofindACSURL"));
}
if ((acsBinding == null) || (acsBinding.trim().length() == 0)) {
SAML2Utils.debug.error("IDPSSOUtil.sendResponseToACS:" + " no return binding found.");
String[] data = { idpMetaAlias };
LogUtil.error(Level.INFO, LogUtil.NO_RETURN_BINDING, data, session);
throw new SAML2Exception(SAML2Utils.bundle.getString("UnableTofindBinding"));
}
String affiliationID = request.getParameter(SAML2Constants.AFFILIATION_ID);
//check first if there is already an existing sessionindex associated with this SSOToken, if there is, then
//we need to redirect the request internally to the holder of the idpsession.
//The remoteServiceURL will be null if there is no sessionindex for this SSOToken, or there is, but it's
//local. If the remoteServiceURL is not null, we can start to send the request to the original server.
String remoteServiceURL = SAML2Utils.getRemoteServiceURL(getSessionIndex(session));
if (remoteServiceURL != null) {
remoteServiceURL += SAML2Utils.removeDeployUri(request.getRequestURI()) + "?" + request.getQueryString();
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("SessionIndex for this SSOToken is not local, forwarding the request to: " + remoteServiceURL);
}
String redirectUrl = null;
String outputData = null;
String responseCode = null;
HashMap<String, String> remoteRequestData = SAML2Utils.sendRequestToOrigServer(request, response, remoteServiceURL);
if (remoteRequestData != null && !remoteRequestData.isEmpty()) {
redirectUrl = remoteRequestData.get(SAML2Constants.AM_REDIRECT_URL);
outputData = remoteRequestData.get(SAML2Constants.OUTPUT_DATA);
responseCode = remoteRequestData.get(SAML2Constants.RESPONSE_CODE);
}
try {
if (redirectUrl != null && !redirectUrl.isEmpty()) {
response.sendRedirect(redirectUrl);
} else {
if (responseCode != null) {
response.setStatus(Integer.valueOf(responseCode));
}
// no redirect, perhaps an error page, return the content
if (outputData != null && !outputData.isEmpty()) {
SAML2Utils.debug.message("Printing the forwarded response");
response.setContentType("text/html; charset=UTF-8");
out.println(outputData);
return;
}
}
} catch (IOException ioe) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("IDPSSOUtil.sendResponseToACS() error in Request Routing", ioe);
}
}
return;
}
//end of request proxy
// generate a response for the authn request
Response res = getResponse(request, session, authnReq, spEntityID, idpEntityID, idpMetaAlias, realm, nameIDFormat, acsURL, affiliationID, matchingAuthnContext);
if (res == null) {
SAML2Utils.debug.error("IDPSSOUtil.sendResponseToACS:" + " response is null");
String errorMsg = SAML2Utils.bundle.getString("UnableToCreateAssertion");
if (authnReq == null) {
//idp initiated case, will not send error response to sp
throw new SAML2Exception(errorMsg);
}
res = SAML2Utils.getErrorResponse(authnReq, SAML2Constants.RESPONDER, null, errorMsg, idpEntityID);
} else {
try {
String[] values = { idpMetaAlias };
sessionProvider.setProperty(session, SAML2Constants.IDP_META_ALIAS, values);
} catch (SessionException e) {
SAML2Utils.debug.error("IDPSSOUtil.sendResponseToACS:" + " error setting idpMetaAlias into the session: ", e);
}
}
if (res != null) {
// call multi-federation protocol to set the protocol
MultiProtocolUtils.addFederationProtocol(session, SingleLogoutManager.SAML2);
// check if the COT cookie needs to be set
if (setCOTCookie(request, response, acsBinding, spEntityID, idpEntityID, idpMetaAlias, realm, relayState, acsURL, res, session)) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("IDPSSOUtil.sendResponseToACS:" + " Redirected to set COT cookie.");
}
return;
}
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("IDPSSOUtil.sendResponseToACS:" + " Doesn't set COT cookie.");
SAML2Utils.debug.message("IDPSSOUtil.sendResponseToACS:" + " Response is: " + res.toXMLString());
}
try {
SAML2Utils.debug.message("IDPSSOUtil.sendResponseToACS: Invoking the IDP Adapter");
SAML2IdentityProviderAdapter idpAdapter = IDPSSOUtil.getIDPAdapterClass(realm, idpEntityID);
if (idpAdapter != null) {
idpAdapter.preSignResponse(authnReq, res, idpEntityID, realm, request, session, relayState);
}
} catch (SAML2Exception se) {
SAML2Utils.debug.error("IDPSSOUtil.sendResponseToACS: There was a problem when invoking the " + "preSendResponse of the IDP Adapter: ", se);
}
sendResponse(request, response, out, acsBinding, spEntityID, idpEntityID, idpMetaAlias, realm, relayState, acsURL, res, session);
} else {
SAML2Utils.debug.error("IDPSSOUtil.sendResponseToACS:" + " error response is null");
throw new SAML2Exception(SAML2Utils.bundle.getString("UnableToCreateErrorResponse"));
}
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
ECPResponse(com.sun.identity.saml2.ecp.ECPResponse)
Response(com.sun.identity.saml2.protocol.Response)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
SessionException(com.sun.identity.plugin.session.SessionException)
IOException(java.io.IOException)
SAML2IdentityProviderAdapter(com.sun.identity.saml2.plugins.SAML2IdentityProviderAdapter)
Example 2 with SAML2IdentityProviderAdapter
use of com.sun.identity.saml2.plugins.SAML2IdentityProviderAdapter in project OpenAM by OpenRock.
the class IDPSSOUtil method doSSOFederate.
/**
* Does SSO with existing federation or new federation
*
* @param request the <code>HttpServletRequest</code> object
* @param response the <code>HttpServletResponse</code> object
* @param out the print writer for writing out presentation
* @param authnReq the <code>AuthnRequest</code> object
* @param spEntityID the entity id of the service provider
* @param idpMetaAlias the meta alias of the identity provider
* @param nameIDFormat the <code>NameIDFormat</code>
* @param relayState the relay state
* @param newSession Session used in IDP Proxy Case
* @param auditor the auditor for logging SAML2 Events - may be null
* @throws SAML2Exception if the operation is not successful
*/
public static void doSSOFederate(HttpServletRequest request, HttpServletResponse response, PrintWriter out, AuthnRequest authnReq, String spEntityID, String idpMetaAlias, String nameIDFormat, String relayState, Object newSession, SAML2EventLogger auditor) throws SAML2Exception {
String classMethod = "IDPSSOUtil.doSSOFederate: ";
Object session = null;
if (newSession != null) {
session = newSession;
auditor.setSSOTokenId(session);
} else {
try {
session = sessionProvider.getSession(request);
if (null != auditor) {
auditor.setAuthTokenId(session);
}
} catch (SessionException se) {
if (SAML2Utils.debug.warningEnabled()) {
SAML2Utils.debug.warning(classMethod + "No session yet.");
}
}
}
// log the authnRequest
String authnRequestStr = null;
if (authnReq != null) {
authnRequestStr = authnReq.toXMLString();
auditor.setRequestId(authnReq.getID());
}
String[] logdata = { spEntityID, idpMetaAlias, authnRequestStr };
LogUtil.access(Level.INFO, LogUtil.RECEIVED_AUTHN_REQUEST, logdata, session);
// retrieve IDP entity id from meta alias
String idpEntityID = null;
String realm = null;
try {
if (metaManager == null) {
SAML2Utils.debug.error(classMethod + "Unable to get meta manager.");
throw new SAML2Exception(SAML2Utils.bundle.getString("errorMetaManager"));
}
idpEntityID = metaManager.getEntityByMetaAlias(idpMetaAlias);
if ((idpEntityID == null) || (idpEntityID.trim().length() == 0)) {
SAML2Utils.debug.error(classMethod + "Unable to get IDP Entity ID from meta.");
String[] data = { idpEntityID };
LogUtil.error(Level.INFO, LogUtil.INVALID_IDP, data, session);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
realm = SAML2MetaUtils.getRealmByMetaAlias(idpMetaAlias);
} catch (SAML2MetaException sme) {
SAML2Utils.debug.error(classMethod + "Unable to get IDP Entity ID from meta.");
String[] data = { idpMetaAlias };
LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, session);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
// check if the remote provider is valid
if (authnReq == null) {
Issuer issuer = AssertionFactory.getInstance().createIssuer();
issuer.setValue(spEntityID);
if (!SAML2Utils.isSourceSiteValid(issuer, realm, idpEntityID)) {
if (SAML2Utils.debug.warningEnabled()) {
SAML2Utils.debug.warning(classMethod + "The remote provider is not valid.");
}
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidReceiver"));
}
}
// Validate the RelayState URL.
SAML2Utils.validateRelayStateURL(realm, idpEntityID, relayState, SAML2Constants.IDP_ROLE);
if (authnReq == null && (session == null || !isValidSessionInRealm(realm, session))) {
// idp initiated and not logged in yet, need to authenticate
try {
if (Boolean.parseBoolean(request.getParameter(REDIRECTED))) {
if (session == null) {
String[] data = { idpEntityID };
SAML2Utils.debug.error(classMethod + "The IdP was not able to create a session");
LogUtil.error(Level.INFO, LogUtil.SSO_NOT_FOUND, data, session, null);
} else {
try {
String ipAddress = ClientUtils.getClientIPAddress(request);
String sessionRealm = SAML2Utils.getSingleValuedSessionProperty(session, SAML2Constants.ORGANIZATION);
String[] data = { sessionRealm, realm, spEntityID, ipAddress, null };
SAML2Utils.debug.error(classMethod + "The realm of the session (" + sessionRealm + ") does not correspond to that of the IdP (" + realm + ")");
LogUtil.error(Level.INFO, LogUtil.INVALID_REALM_FOR_SESSION, data, session, null);
} catch (SessionException se) {
SAML2Utils.debug.error(classMethod + "Failed to retrieve realm from session", se);
}
}
String rbKey = "UnableToDOSSOOrFederation";
SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, rbKey, SAML2Utils.bundle.getString(rbKey));
} else {
redirectAuthentication(request, response, authnReq, null, realm, idpEntityID, spEntityID);
}
} catch (IOException ioe) {
SAML2Utils.debug.error(classMethod + "Unable to redirect to authentication.", ioe);
SAMLUtils.sendError(request, response, response.SC_INTERNAL_SERVER_ERROR, "UnableToRedirectToAuth", SAML2Utils.bundle.getString("UnableToRedirectToAuth"));
}
return;
}
// Invoke the IDP Adapter
try {
SAML2Utils.debug.message(classMethod + " Invoking the " + "IDP Adapter");
SAML2IdentityProviderAdapter idpAdapter = IDPSSOUtil.getIDPAdapterClass(realm, idpEntityID);
if (idpAdapter != null) {
// If the preSendResponse returns true we end here
if (idpAdapter.preSendResponse(authnReq, idpEntityID, realm, request, response, session, null, relayState)) {
return;
}
// else we continue with the logic. Beware of loops
}
} catch (SAML2Exception se2) {
SAML2Utils.debug.error(classMethod + " There was a problem when invoking" + "the preSendResponse of the IDP Adapter: ", se2);
}
// End of invocation
sendResponseToACS(request, response, out, session, authnReq, spEntityID, idpEntityID, idpMetaAlias, realm, nameIDFormat, relayState, null);
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
Issuer(com.sun.identity.saml2.assertion.Issuer)
SessionException(com.sun.identity.plugin.session.SessionException)
IOException(java.io.IOException)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
SAML2IdentityProviderAdapter(com.sun.identity.saml2.plugins.SAML2IdentityProviderAdapter)
Example 3 with SAML2IdentityProviderAdapter
use of com.sun.identity.saml2.plugins.SAML2IdentityProviderAdapter in project OpenAM by OpenRock.
the class SAML2Utils method getIDPAdapterClass.
/**
* Returns a <code>SAML2IdentityProviderAdapter</code>
*
* @param realm the realm name
* @param idpEntityID the entity id of the identity provider
* @return the <code>SAML2IdentityProviderAdapter</code>
* @throws SAML2Exception if the operation is not successful
*/
public static SAML2IdentityProviderAdapter getIDPAdapterClass(String realm, String idpEntityID) throws SAML2Exception {
String classMethod = "SAML2Utils.getIDPAdapterClass: ";
String idpAdapterName = null;
SAML2IdentityProviderAdapter idpAdapter = null;
try {
idpAdapterName = IDPSSOUtil.getAttributeValueFromIDPSSOConfig(realm, idpEntityID, SAML2Constants.IDP_ADAPTER_CLASS);
if (idpAdapterName == null || idpAdapterName.trim().isEmpty()) {
idpAdapterName = SAML2Constants.DEFAULT_IDP_ADAPTER;
if (debug.messageEnabled()) {
debug.message(classMethod + " uses " + SAML2Constants.DEFAULT_IDP_ADAPTER);
}
}
// Attempt to retrieve the adapter from the cache
idpAdapter = (SAML2IdentityProviderAdapter) IDPCache.idpAdapterCache.get(realm + "$" + idpEntityID + "$" + idpAdapterName);
if (idpAdapter == null) {
// NB: multiple threads may cause several adapter objects to be created
idpAdapter = (SAML2IdentityProviderAdapter) Class.forName(idpAdapterName).newInstance();
idpAdapter.initialize(idpEntityID, realm);
// Add the adapter to the cache after initialization
IDPCache.idpAdapterCache.put(realm + "$" + idpEntityID + "$" + idpAdapterName, idpAdapter);
} else {
if (debug.messageEnabled()) {
debug.message(classMethod + " got the IDPAdapter from cache");
}
}
} catch (Exception ex) {
debug.error(classMethod + " unable to get IDP Adapter.", ex);
throw new SAML2Exception(ex);
}
return idpAdapter;
}
Also used :
SAML2IdentityProviderAdapter(com.sun.identity.saml2.plugins.SAML2IdentityProviderAdapter)
SystemConfigurationException(com.sun.identity.common.SystemConfigurationException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
IOException(java.io.IOException)
ServletException(javax.servlet.ServletException)
SessionException(com.sun.identity.plugin.session.SessionException)
DataStoreProviderException(com.sun.identity.plugin.datastore.DataStoreProviderException)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
COTException(com.sun.identity.cot.COTException)
SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)
Example 4 with SAML2IdentityProviderAdapter
use of com.sun.identity.saml2.plugins.SAML2IdentityProviderAdapter in project OpenAM by OpenRock.
the class IDPSSOFederate method process.
@VisibleForTesting
void process(final HttpServletRequest request, final HttpServletResponse response, final PrintWriter out, final String reqBinding) throws FederatedSSOException, IOException, SessionException {
if (cookieRedirector.needSetLBCookieAndRedirect(request, response, true)) {
return;
}
final IDPRequestValidator validator = saml2ActorFactory.getIDPRequestValidator(reqBinding, isFromECP);
//IDP Proxy with introduction cookie case.
//After reading the introduction cookie, it redirects to here.
String requestID = request.getParameter("requestID");
if (idpProxyCase(requestID, request, response)) {
return;
}
// Fetch a number of properties about the request.
String idpMetaAlias = validator.getMetaAlias(request);
String realm = validator.getRealmByMetaAlias(idpMetaAlias);
String idpEntityID = validator.getIDPEntity(idpMetaAlias, realm);
SAML2IdentityProviderAdapter idpAdapter = validator.getIDPAdapter(realm, idpEntityID);
String reqID = request.getParameter(REQ_ID);
if (null != auditor && StringUtils.isNotEmpty(reqID)) {
auditor.setRequestId(reqID);
}
IDPSSOFederateRequest reqData = new IDPSSOFederateRequest(reqID, realm, idpAdapter, idpMetaAlias, idpEntityID);
reqData.setEventAuditor(auditor);
// id should be there.
if (StringUtils.isEmpty(reqData.getRequestID())) {
SAMLAuthenticator samlAuthenticator = saml2ActorFactory.getSAMLAuthenticator(reqData, request, response, out, isFromECP);
samlAuthenticator.authenticate();
} else {
SAMLAuthenticatorLookup samlLookup = saml2ActorFactory.getSAMLAuthenticatorLookup(reqData, request, response, out);
samlLookup.retrieveAuthenticationFromCache();
}
}
Also used :
SAMLAuthenticator(org.forgerock.openam.saml2.SAMLAuthenticator)
IDPSSOFederateRequest(org.forgerock.openam.saml2.IDPSSOFederateRequest)
SAMLAuthenticatorLookup(org.forgerock.openam.saml2.SAMLAuthenticatorLookup)
IDPRequestValidator(org.forgerock.openam.saml2.IDPRequestValidator)
SAML2IdentityProviderAdapter(com.sun.identity.saml2.plugins.SAML2IdentityProviderAdapter)
VisibleForTesting(org.forgerock.util.annotations.VisibleForTesting)
Example 5 with SAML2IdentityProviderAdapter
use of com.sun.identity.saml2.plugins.SAML2IdentityProviderAdapter in project OpenAM by OpenRock.
the class UtilProxyIDPRequestValidator method getIDPAdapter.
/**
* Loads the {@link SAML2IdentityProviderAdapter} IDP adapter which will be called as part
* of IDP processing.
*
* @param realm Possibly null realm.
* @param idpEntityID Non null idpEntityID.
*
* @return The loaded {@link SAML2IdentityProviderAdapter} if it could be loaded otherwise
* the default implementation {@link DefaultIDPAdapter}.
*/
public SAML2IdentityProviderAdapter getIDPAdapter(String realm, String idpEntityID) {
SAML2IdentityProviderAdapter r;
if (idpEntityID == null) {
if (debug.errorEnabled())
debug.error("No IDP Entity ID provided");
r = new DefaultIDPAdapter();
} else {
try {
r = IDPSSOUtil.getIDPAdapterClass(realm, idpEntityID);
} catch (SAML2Exception se2) {
debug.error("Unexpected error instantiating IDP Adapter: {0}", se2.getMessage(), se2);
r = new DefaultIDPAdapter();
}
}
debug.message("Using IDP Adapter class: {0}", r.getClass().getSimpleName());
return r;
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
DefaultIDPAdapter(com.sun.identity.saml2.plugins.DefaultIDPAdapter)
SAML2IdentityProviderAdapter(com.sun.identity.saml2.plugins.SAML2IdentityProviderAdapter)
Aggregations
SAML2IdentityProviderAdapter (com.sun.identity.saml2.plugins.SAML2IdentityProviderAdapter)5
SessionException (com.sun.identity.plugin.session.SessionException)3
SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)3
IOException (java.io.IOException)3
SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)2
SystemConfigurationException (com.sun.identity.common.SystemConfigurationException)1
COTException (com.sun.identity.cot.COTException)1
DataStoreProviderException (com.sun.identity.plugin.datastore.DataStoreProviderException)1
Issuer (com.sun.identity.saml2.assertion.Issuer)1
ECPResponse (com.sun.identity.saml2.ecp.ECPResponse)1
DefaultIDPAdapter (com.sun.identity.saml2.plugins.DefaultIDPAdapter)1
Response (com.sun.identity.saml2.protocol.Response)1
UnsupportedEncodingException (java.io.UnsupportedEncodingException)1
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1
ServletException (javax.servlet.ServletException)1
HttpServletResponse (javax.servlet.http.HttpServletResponse)1
SAML2TokenRepositoryException (org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)1
IDPRequestValidator (org.forgerock.openam.saml2.IDPRequestValidator)1
IDPSSOFederateRequest (org.forgerock.openam.saml2.IDPSSOFederateRequest)1
SAMLAuthenticator (org.forgerock.openam.saml2.SAMLAuthenticator)1
