
Example 11 with IDPSession

use of com.sun.identity.saml2.profile.IDPSession in project OpenAM by OpenRock.

the class SAML2SingleLogoutHandler method handleSOAPInitiatedSingleLogout.

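/**
 * Handles a SOAP-initiated single logout for the IDP session behind the given user session.
 *
 * <p>Reads the IDP session index stored on the first session in {@code userSession}, sends a
 * SOAP LogoutRequest to every SP that participates in that IDP session, then invalidates the
 * session and drops the IDP session from {@code IDPCache}.
 *
 * @param userSession  the user's sessions; only the first one is processed (multi-token case is a TODO)
 * @param userID       user identifier, used in debug output only
 * @param request      current request, forwarded to {@code LogoutUtil.doLogout}
 * @param response     current response, forwarded to {@code LogoutUtil.doLogout}
 * @param realm        realm in which SP metadata and configuration are looked up
 * @param idpMetaAlias meta alias of the IDP issuing the LogoutRequests
 * @param idpEntityId  IDP entity ID; not used by this method
 * @param saml2Manager metadata manager; not used, the shared {@code SAML2Utils} manager is used instead
 * @param relayState   relay state forwarded with each LogoutRequest
 * @return {@code LOGOUT_NO_ACTION_STATUS} when there is no valid session or no IDP session index,
 *         {@code LOGOUT_FAILED_STATUS} when the IDP session is unknown or every SP logout failed,
 *         {@code LOGOUT_PARTIAL_STATUS} when only some SP logouts failed, else
 *         {@code LOGOUT_SUCCEEDED_STATUS}
 * @throws SAML2Exception   if SP metadata or configuration cannot be retrieved
 * @throws SessionException if the session provider cannot read or validate the session
 */
private int handleSOAPInitiatedSingleLogout(Set userSession, String userID, HttpServletRequest request, HttpServletResponse response, String realm, String idpMetaAlias, String idpEntityId, String relayState, SAML2MetaManager saml2Manager) throws SAML2Exception, SessionException {
    debug.message("SAML2SingleLogoutHanlder: handleSOAPInitiatedSLO");
    // TODO : verify this works under LB
    if ((userSession == null) || userSession.isEmpty()) {
        return SingleLogoutManager.LOGOUT_NO_ACTION_STATUS;
    }
    SessionProvider provider = SessionManager.getProvider();
    // TODO : handle multiple SSO token case
    Object session = userSession.iterator().next();
    if (!provider.isValid(session)) {
        return SingleLogoutManager.LOGOUT_NO_ACTION_STATUS;
    }
    if (debug.messageEnabled()) {
        // NOTE(review): this logs the session object's toString(); confirm it does not include the session ID
        debug.message("SAML2SLOHandler.handleSOAPSLO: " + "handler session " + session + " for user " + userID);
    }
    // get IDP session index from session
    String[] sessIndex = provider.getProperty(session, SAML2Constants.IDP_SESSION_INDEX);
    if (debug.messageEnabled()) {
        // Arrays.toString: concatenating the array itself only prints its identity hash, not the index.
        debug.message("SAML2SLOHandler.handleSOAPSLO: " + "session index = " + java.util.Arrays.toString(sessIndex));
    }
    // An empty first element is as useless as a missing property; guard it before the cache lookup.
    if ((sessIndex == null) || (sessIndex.length == 0) || (sessIndex[0] == null) || sessIndex[0].isEmpty()) {
        if (debug.warningEnabled()) {
            debug.warning("SAML2SLOHandler.handleSOAPSLO: " + "Null session index for " + session);
        }
        return SingleLogoutManager.LOGOUT_NO_ACTION_STATUS;
    }
    String idpSessionIndex = sessIndex[0];
    IDPSession idpSession = (IDPSession) IDPCache.idpSessionsByIndices.get(idpSessionIndex);
    if (idpSession == null) {
        debug.error("SAML2SLOHanlder.handleSOAPSLO: " + "IDP no longer has this session index " + idpSessionIndex);
        return SingleLogoutManager.LOGOUT_FAILED_STATUS;
    }
    List pairs = (List) idpSession.getNameIDandSPpairs();
    int pairCount = pairs.size();
    if (debug.messageEnabled()) {
        debug.message("SAML2SLOHanlder.handleSOAPSLO: " + "NameIDandSPpair for " + idpSessionIndex + " is " + pairs + ", size=" + pairCount);
    }
    // The metadata manager does not depend on the loop variable; resolve it once.
    SAML2MetaManager metaManager = SAML2Utils.getSAML2MetaManager();
    int soapFailCount = 0;
    for (int i = 0; i < pairCount; i++) {
        NameIDandSPpair pair = (NameIDandSPpair) pairs.get(i);
        String spEntityID = pair.getSPEntityID();
        if (debug.messageEnabled()) {
            debug.message("SAML2SLOHanlder.handleSOAPSLO: " + "SP for " + idpSessionIndex + " is " + spEntityID);
        }
        SPSSODescriptorElement sp = metaManager.getSPSSODescriptor(realm, spEntityID);
        if (sp == null) {
            // The SP's metadata is no longer registered in this realm; count it as a failed
            // SOAP logout instead of dereferencing null on getSingleLogoutService().
            debug.error("SAML2SLOHandler:handleSOAPSLO: no SPSSODescriptor for " + spEntityID + " in realm " + realm);
            soapFailCount++;
            continue;
        }
        List slosList = sp.getSingleLogoutService();
        // get SP entity config for basic auth info
        SPSSOConfigElement spConfig = metaManager.getSPSSOConfig(realm, spEntityID);
        Map<String, Object> paramsMap = new HashMap<String, Object>();
        paramsMap.put(SAML2Constants.ROLE, SAML2Constants.IDP_ROLE);
        try {
            LogoutUtil.doLogout(idpMetaAlias, spEntityID, slosList, null, SAML2Constants.SOAP, relayState, idpSessionIndex, pair.getNameID(), request, response, paramsMap, spConfig);
        } catch (SAML2Exception ex) {
            // One SP failing must not stop the logout at the remaining SPs.
            debug.error("SAML2SLOHandler:handleSOAPSLO.doLogout", ex);
            soapFailCount++;
        }
    }
    int retStatus = SingleLogoutManager.LOGOUT_SUCCEEDED_STATUS;
    // NOTE(review): an IDP session with no SP pairs (pairCount == 0) yields LOGOUT_FAILED_STATUS here; confirm that is intended.
    if (soapFailCount == pairCount) {
        retStatus = SingleLogoutManager.LOGOUT_FAILED_STATUS;
    } else if (soapFailCount > 0) {
        retStatus = SingleLogoutManager.LOGOUT_PARTIAL_STATUS;
    }
    // Invalidate the local session and forget the IDP session regardless of how the SP logouts went.
    MultiProtocolUtils.invalidateSession(session, request, response, SingleLogoutManager.SAML2);
    IDPCache.idpSessionsByIndices.remove(idpSessionIndex);
    IDPCache.authnContextCache.remove(idpSessionIndex);
    if (debug.messageEnabled()) {
        debug.message("SAML2SLOHandler.doSOAPSLO: return status for " + session + " is " + retStatus);
    }
    return retStatus;
}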

Example 12 with IDPSession

use of com.sun.identity.saml2.profile.IDPSession in project OpenAM by OpenRock.

the class IDPSingleLogout method sendLastResponse.

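/**
 * Completes a single logout on the IDP side once no SP remains to be notified.
 *
 * <p>For IDP-initiated SLO ({@code originatingRequestID == null}) the IDP session is dropped
 * from the caches and, unless the session is shared with another federation protocol, the
 * local session is invalidated; no response is written. For SP-initiated SLO a LogoutResponse
 * is generated for the originating SP and, unless the multi-protocol logout manager has already
 * redirected, it is sent back over the binding of the originating LogoutRequest.
 *
 * @param idpSession      IDP session being logged out
 * @param logoutRes       LogoutResponse received from the last SP; its status feeds the aggregated status
 * @param request         current request
 * @param response        current response
 * @param idpSessionIndex index of {@code idpSession} in {@code IDPCache}
 * @param session         the user's session object
 * @param realm           realm of the IDP
 * @param idpEntityID     entity ID of the IDP
 * @param relayState      relay state to echo back to the SP
 * @return {@code true} if a response or redirect was written to {@code response}, {@code false} otherwise
 * @throws SAML2Exception     if the originating SP publishes no usable SLO location, or multi-protocol logout fails
 * @throws SessionException   if the session provider fails
 * @throws SAML2MetaException if SP metadata cannot be retrieved
 */
private static boolean sendLastResponse(IDPSession idpSession, LogoutResponse logoutRes, HttpServletRequest request, HttpServletResponse response, String idpSessionIndex, Object session, String realm, String idpEntityID, String relayState) throws SAML2Exception, SessionException, SAML2MetaException {
    //resetting the binding to the original value so the response is sent back with the correct binding
    String binding = idpSession.getOriginatingLogoutRequestBinding();
    String originatingRequestID = idpSession.getOriginatingLogoutRequestID();
    String originatingLogoutSPEntityID = idpSession.getOriginatingLogoutSPEntityID();
    if (originatingRequestID == null) {
        // this is IDP initiated SLO: there is no SP to answer, only local state to tear down
        if (idpSession.getLogoutAll()) {
            String userID = sessionProvider.getPrincipalName(idpSession.getSession());
            destroyAllTokenForUser(userID, request, response);
        } else {
            removeIdpSessionFromCaches(idpSessionIndex);
            if (!MultiProtocolUtils.isMultipleProtocolSession(idpSession.getSession(), SingleLogoutManager.SAML2)) {
                sessionProvider.invalidateSession(idpSession.getSession(), request, response);
            } else {
                MultiProtocolUtils.removeFederationProtocol(idpSession.getSession(), SingleLogoutManager.SAML2);
                // call Multi-Federation protocol SingleLogoutManager
                SingleLogoutManager sloManager = SingleLogoutManager.getInstance();
                Set<Object> sessions = new HashSet<Object>(1);
                sessions.add(session);
                SessionProvider provider = SessionManager.getProvider();
                String uid = provider.getPrincipalName(session);
                debug.message("IDPSingleLogout.sendLastResponse: MP/Http");
                int retStatus = SingleLogoutManager.LOGOUT_SUCCEEDED_STATUS;
                try {
                    retStatus = sloManager.doIDPSingleLogout(sessions, uid, request, response, false, true, SingleLogoutManager.SAML2, realm, idpEntityID, originatingLogoutSPEntityID, relayState, null, null, getLogoutStatus(logoutRes));
                } catch (SAML2Exception ex) {
                    throw ex;
                } catch (Exception ex) {
                    debug.error("IDPSIngleLogout.sendLastResponse: MP/IDP initiated HTTP", ex);
                    // NOTE(review): only the message is carried to the caller; the cause is in the log line above.
                    throw new SAML2Exception(ex.getMessage());
                }
                // the multi-protocol manager already redirected the user agent, nothing more to write
                if (retStatus == SingleLogoutManager.LOGOUT_REDIRECTED_STATUS) {
                    return true;
                }
            }
        }
        debug.message("IDP initiated SLO Success");
        return false;
    }
    // SP initiated SLO: find where the originating SP expects the LogoutResponse
    List<SingleLogoutServiceElement> slosList = getSPSLOServiceEndpoints(realm, originatingLogoutSPEntityID);
    String location = LogoutUtil.getSLOResponseServiceLocation(slosList, binding);
    if (location == null || location.isEmpty()) {
        // fall back to the SLO request location when no dedicated response location is published
        location = LogoutUtil.getSLOServiceLocation(slosList, binding);
        if (location == null || location.isEmpty()) {
            // NOTE(review): the message names HTTP-Redirect although 'binding' may be another binding
            debug.error("Unable to find the IDP's single logout response service with the HTTP-Redirect binding");
            throw new SAML2Exception(SAML2Utils.bundle.getString("sloResponseServiceLocationNotfound"));
        }
        if (debug.messageEnabled()) {
            debug.message("SP's single logout response service location = " + location);
        }
    } else if (debug.messageEnabled()) {
        debug.message("IDP's single logout response service location = " + location);
    }
    Status status = destroyTokenAndGenerateStatus(idpSessionIndex, idpSession.getSession(), request, response, true);
    //here we are providing null for remote entity, because it's an unused variable in the method...
    logoutRes = LogoutUtil.generateResponse(status, originatingRequestID, SAML2Utils.createIssuer(idpEntityID), realm, SAML2Constants.IDP_ROLE, null);
    if (logoutRes == null) {
        // nothing to send, but the IDP session must still be forgotten
        removeIdpSessionFromCaches(idpSessionIndex);
        return false;
    }
    logoutRes.setDestination(XMLUtils.escapeSpecialCharacters(location));
    removeIdpSessionFromCaches(idpSessionIndex);
    // call multi-federation protocol processing
    // this is the SP initiated HTTP binding case
    boolean isMultiProtocolSession = false;
    int retStatus = SingleLogoutManager.LOGOUT_SUCCEEDED_STATUS;
    try {
        SessionProvider provider = SessionManager.getProvider();
        session = idpSession.getSession();
        if (session != null && provider.isValid(session) && MultiProtocolUtils.isMultipleProtocolSession(session, SingleLogoutManager.SAML2)) {
            isMultiProtocolSession = true;
            // call Multi-Federation protocol SingleLogoutManager
            SingleLogoutManager sloManager = SingleLogoutManager.getInstance();
            Set<Object> sessions = new HashSet<Object>(1);
            sessions.add(session);
            String uid = provider.getPrincipalName(session);
            debug.message("IDPSingleLogout.sendLastResponse: MP/Http");
            retStatus = sloManager.doIDPSingleLogout(sessions, uid, request, response, false, true, SingleLogoutManager.SAML2, realm, idpEntityID, originatingLogoutSPEntityID, relayState, null, logoutRes.toXMLString(), getLogoutStatus(logoutRes));
        }
    } catch (SessionException e) {
        // ignore as session might not be valid
        debug.message("IDPSingleLogout.sendLastResponse: session", e);
    } catch (Exception e) {
        debug.message("IDPSingleLogout.sendLastResponse: MP2", e);
        retStatus = SingleLogoutManager.LOGOUT_FAILED_STATUS;
    }
    if (isMultiProtocolSession && retStatus == SingleLogoutManager.LOGOUT_REDIRECTED_STATUS) {
        // the multi-protocol manager already redirected the user agent; no response is written here
        return false;
    }
    logoutRes = updateLogoutResponse(logoutRes, retStatus);
    LogoutUtil.sendSLOResponse(response, request, logoutRes, location, relayState, realm, idpEntityID, SAML2Constants.IDP_ROLE, originatingLogoutSPEntityID, binding);
    return true;
}

/**
 * Forgets an IDP session everywhere it is cached: the in-memory index and authn-context caches,
 * the IDP session count kept by {@code saml2Svc}, and (when SAML2 failover is enabled) the
 * SAML2 token repository. A repository failure is logged and otherwise ignored so that the
 * logout still completes.
 *
 * @param idpSessionIndex index of the IDP session to remove
 */
private static void removeIdpSessionFromCaches(String idpSessionIndex) {
    IDPCache.idpSessionsByIndices.remove(idpSessionIndex);
    if (agent != null && agent.isRunning() && saml2Svc != null) {
        saml2Svc.setIdpSessionCount((long) IDPCache.idpSessionsByIndices.size());
    }
    try {
        if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
            SAML2FailoverUtils.deleteSAML2Token(idpSessionIndex);
        }
    } catch (SAML2TokenRepositoryException se) {
        debug.error("IDPSingleLogout.sendLastResponse: Error while deleting token from " + "SAML2 Token Repository for idpSessionIndex:" + idpSessionIndex, se);
    }
    IDPCache.authnContextCache.remove(idpSessionIndex);
}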

Example 13 with IDPSession

use of com.sun.identity.saml2.profile.IDPSession in project OpenAM by OpenRock.

the class IDPSingleLogout method processLogoutResponse.

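/**
 * Processes a LogoutResponse received from an SP during an IDP-driven logout chain.
 *
 * <p>The IDP session index is taken from the caller's own session, not from the response. If
 * the IDP session is unknown, the local session is invalidated and nothing is sent. Otherwise
 * the next pending SP is sent a LogoutRequest; for the HTTP-Redirect and HTTP-POST bindings this
 * method returns as soon as that request has been written, and the chain continues when that
 * SP's response arrives. Once no SP is left, {@link #sendLastResponse} finishes the logout.
 *
 * @param request     current request; its parameters seed the LogoutRequest parameter map
 * @param response    current response
 * @param logoutRes   LogoutResponse received from the SP
 * @param relayState  relay state to forward
 * @param metaAlias   IDP meta alias
 * @param idpEntityID IDP entity ID
 * @param spEntityID  entity ID of the SP that sent {@code logoutRes}; not used for dispatching
 * @param realm       realm of the IDP
 * @param binding     binding the response arrived on; not used here, the originating request's binding decides
 * @return {@code true} if a request or response was written to {@code response}, {@code false} otherwise
 * @throws SAML2Exception   on SAML2 protocol or metadata errors
 * @throws SessionException if no valid session is attached to the request
 */
static boolean processLogoutResponse(HttpServletRequest request, HttpServletResponse response, LogoutResponse logoutRes, String relayState, String metaAlias, String idpEntityID, String spEntityID, String realm, String binding) throws SAML2Exception, SessionException {
    // use the cache to figure out which session index is in question
    // and then use the cache to see if any more SPs to send logout request
    // if yes, send one
    // if no, do local logout and send response back to original requesting
    // SP (this SP name should be remembered in cache)
    Object session = sessionProvider.getSession(request);
    String idpSessionIndex = IDPSSOUtil.getSessionIndex(session);
    if (idpSessionIndex == null) {
        if (debug.messageEnabled()) {
            debug.message("No SP session participant(s)");
        }
        MultiProtocolUtils.invalidateSession(session, request, response, SingleLogoutManager.SAML2);
        return false;
    }
    IDPSession idpSession = IDPCache.idpSessionsByIndices.get(idpSessionIndex);
    if (idpSession == null) {
        if (debug.messageEnabled()) {
            debug.message("IDPSLO.processLogoutResponse : " + "IDP Session with session index " + idpSessionIndex + " already removed.");
        }
        // Failover store and authn-context cache may still hold the index; a repository failure is
        // logged and otherwise ignored so the local logout still completes.
        try {
            if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
                SAML2FailoverUtils.deleteSAML2Token(idpSessionIndex);
            }
        } catch (SAML2TokenRepositoryException se) {
            debug.error("IDPSingleLogout.processLogoutRequest: Error while deleting token from " + "SAML2 Token Repository for idpSessionIndex:" + idpSessionIndex, se);
        }
        IDPCache.authnContextCache.remove(idpSessionIndex);
        MultiProtocolUtils.invalidateSession(session, request, response, SingleLogoutManager.SAML2);
        return false;
    }
    if (debug.messageEnabled()) {
        debug.message("idpSessionIndex=" + idpSessionIndex);
    }
    List<NameIDandSPpair> pendingPairs = idpSession.getNameIDandSPpairs();
    debug.message("idpSession.getNameIDandSPpairs()=" + pendingPairs);
    if (pendingPairs.isEmpty()) {
        return sendLastResponse(idpSession, logoutRes, request, response, idpSessionIndex, session, realm, idpEntityID, relayState);
    }
    // send Next Requests
    Iterator<NameIDandSPpair> it = pendingPairs.iterator();
    while (it.hasNext()) {
        NameIDandSPpair pair = it.next();
        // removed from the live list before the request goes out, so it is not sent again
        it.remove();
        String partnerEntityID = pair.getSPEntityID();
        removeTransientNameIDFromCache(pair.getNameID());
        Map<String, Object> paramsMap = new HashMap<String, Object>(request.getParameterMap());
        paramsMap.put(SAML2Constants.ROLE, SAML2Constants.IDP_ROLE);
        List<SingleLogoutServiceElement> slosList = getSPSLOServiceEndpoints(realm, partnerEntityID);
        List extensionsList = LogoutUtil.getExtensionsList(request.getParameterMap());
        SPSSOConfigElement spConfig = sm.getSPSSOConfig(realm, partnerEntityID);
        //When processing a logout response we must ensure that we try to use the original logout request
        //binding to make sure asynchronous bindings have precedence over synchronous bindings.
        SingleLogoutServiceElement logoutEndpoint = LogoutUtil.getMostAppropriateSLOServiceLocation(slosList, idpSession.getOriginatingLogoutRequestBinding());
        if (logoutEndpoint == null) {
            // this SP publishes no usable SLO endpoint; skip it rather than abort the chain
            continue;
        }
        StringBuffer requestID = LogoutUtil.doLogout(metaAlias, partnerEntityID, extensionsList, logoutEndpoint, relayState, idpSessionIndex, pair.getNameID(), request, response, paramsMap, spConfig);
        String bindingUsed = logoutEndpoint.getBinding();
        if (SAML2Constants.HTTP_REDIRECT.equals(bindingUsed) || SAML2Constants.HTTP_POST.equals(bindingUsed)) {
            // Guard the StringBuffer itself: checking the String after toString() could never see a null.
            String requestIDStr = (requestID == null) ? null : requestID.toString();
            if (debug.messageEnabled()) {
                debug.message("IDPSingleLogout.processLogoutRequest: requestIDStr = " + requestIDStr + "\nbinding = " + bindingUsed);
            }
            if (requestIDStr != null && requestIDStr.length() != 0) {
                idpSession.setPendingLogoutRequestID(requestIDStr);
            }
            // asynchronous binding: the user agent carries the request, continue when the SP answers
            return true;
        }
    }
    // every remaining SP was handled synchronously or skipped: answer the originating SP
    return sendLastResponse(idpSession, logoutRes, request, response, idpSessionIndex, session, realm, idpEntityID, relayState);
}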

Example 14 with IDPSession

use of com.sun.identity.saml2.profile.IDPSession in project OpenAM by OpenRock.

the class IDPSessionListener method sessionInvalidated.

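/**
     *  Callback for SessionListener.
     *  It is used for cleaning up the IDP session cache.
     *
     *  <p>If the IDP has session synchronization enabled, a SOAP LogoutRequest is first sent to
     *  every SP participating in the IDP session. Afterwards the IDP session is removed from the
     *  index, session-ID, authn-context and SP-partner caches, transient NameIDs are forgotten,
     *  and (with SAML2 failover enabled) the token repository entry is deleted. Session and
     *  metadata errors are logged and swallowed: a listener must not fail the invalidation.
     *
     *  @param session The session object being invalidated; ignored when {@code null}
     */
public void sessionInvalidated(Object session) {
    String classMethod = "IDPSessionListener.sessionInvalidated: ";
    HashMap<String, Object> paramsMap = new HashMap<String, Object>();
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(classMethod + "Entering ...");
    }
    if (session == null) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "Session is null.");
        }
        return;
    }
    try {
        SessionProvider sessionProvider = SessionManager.getProvider();
        String[] values = sessionProvider.getProperty(session, SAML2Constants.IDP_SESSION_INDEX);
        String sessionIndex = (values == null || values.length == 0) ? null : values[0];
        if (sessionIndex == null || sessionIndex.length() == 0) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "No sessionIndex stored in session.");
            }
            return;
        }
        IDPSession idpSession = (IDPSession) IDPCache.idpSessionsByIndices.get(sessionIndex);
        if (idpSession != null) {
            paramsMap.put(SAML2Constants.ROLE, SAML2Constants.IDP_ROLE);
            String metaAlias = idpSession.getMetaAlias();
            String realm = SAML2Utils.getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
            String idpEntityID = sm.getEntityByMetaAlias(metaAlias);
            try {
                // Session synchronization is an IDP-level setting: resolve it once, not once per SP pair.
                boolean idpSessionSyncEnabled = false;
                BaseConfigType idpConfig = sm.getIDPSSOConfig(realm, idpEntityID);
                if (idpConfig != null) {
                    List idpSessionSyncList = (List) SAML2MetaUtils.getAttributes(idpConfig).get(SAML2Constants.IDP_SESSION_SYNC_ENABLED);
                    // constant-first equals: a null first element must not throw out of a listener
                    idpSessionSyncEnabled = idpEntityID != null && idpSessionSyncList != null && !idpSessionSyncList.isEmpty() && SAML2Constants.TRUE.equals(idpSessionSyncList.get(0));
                } else if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message(classMethod + "Unable to retrieve the IDP " + "config data, idpConfig is null");
                }
                if (idpSessionSyncEnabled) {
                    List list = (List) idpSession.getNameIDandSPpairs();
                    for (Iterator iter = list.iterator(); iter.hasNext(); ) {
                        NameIDandSPpair pair = (NameIDandSPpair) iter.next();
                        String spEntityID = pair.getSPEntityID();
                        if (spEntityID == null) {
                            continue;
                        }
                        NameID nameID = pair.getNameID();
                        if (SAML2Utils.debug.messageEnabled()) {
                            SAML2Utils.debug.message(classMethod + "IDP Session Synchronization flag " + "is enabled, initiating SLO to SP");
                        }
                        initiateIDPSingleLogout(sessionIndex, metaAlias, realm, SAML2Constants.SOAP, nameID, spEntityID, paramsMap);
                    }
                }
            } catch (SAML2MetaException sme) {
                SAML2Utils.debug.error("IDPSessionListener.sessionInvalidated:", sme);
            } catch (SAML2Exception se) {
                SAML2Utils.debug.error("IDPSessionListener.sessionInvalidated:", se);
            } catch (SessionException s) {
                SAML2Utils.debug.error("IDPSessionListener.sessionInvalidated:", s);
            }
            // Transient NameIDs are only meaningful for the lifetime of this session.
            synchronized (IDPCache.idpSessionsByIndices) {
                List list = (List) idpSession.getNameIDandSPpairs();
                for (Iterator iter = list.iterator(); iter.hasNext(); ) {
                    NameIDandSPpair pair = (NameIDandSPpair) iter.next();
                    NameID nameID = pair.getNameID();
                    if (SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(nameID.getFormat())) {
                        IDPCache.userIDByTransientNameIDValue.remove(nameID.getValue());
                    }
                }
            }
        } else {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "IDP Session with session index " + sessionIndex + " already removed.");
            }
        }
        IDPCache.idpSessionsByIndices.remove(sessionIndex);
        IDPCache.authnContextCache.remove(sessionIndex);
        String sessID = sessionProvider.getSessionID(session);
        if (IDPCache.idpSessionsBySessionID.get(sessID) != null) {
            IDPCache.idpSessionsBySessionID.remove(sessID);
            if ((agent != null) && agent.isRunning() && (saml2Svc != null)) {
                saml2Svc.setIdpSessionCount((long) IDPCache.idpSessionsBySessionID.size());
            }
        }
        if (IDPCache.spSessionPartnerBySessionID.get(sessID) != null) {
            IDPCache.spSessionPartnerBySessionID.remove(sessID);
        }
        // This failing should not cause the whole process to fail
        try {
            if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
                SAML2FailoverUtils.deleteSAML2Token(sessionIndex);
            }
        } catch (SAML2TokenRepositoryException se) {
            SAML2Utils.debug.error(classMethod + "SAML2 Token Repository error, sessionIndex:" + sessionIndex, se);
        }
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "cleaned up the IDP session cache for a session expiring or being destroyed: sessionIndex=" + sessionIndex);
        }
    } catch (SessionException e) {
        if (SAML2Utils.debug.warningEnabled()) {
            SAML2Utils.debug.warning(classMethod + "invalid or expired session.", e);
        }
    } catch (SAML2MetaException samlme) {
        if (SAML2Utils.debug.warningEnabled()) {
            SAML2Utils.debug.warning(classMethod + "unable to retrieve idp entity id.", samlme);
        }
    }
}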

Example 15 with IDPSession

use of com.sun.identity.saml2.profile.IDPSession in project OpenAM by OpenRock.

the class Saml2SessionUpgradeHandler method handleSessionUpgrade.

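/**
 * Moves the IDP-side SAML2 state of {@code oldSession} to {@code newSession} on session upgrade.
 *
 * <p>The IDP session (taken from the in-memory cache or, with SAML2 failover enabled, from the
 * token repository) is re-pointed at the new SSO token, re-indexed under the new session ID and,
 * with failover, re-saved with an expiry derived from the new session. The old session's IDP
 * session index is then overwritten with a placeholder so that IDPSessionListener does not tear
 * down the caches for the still-valid index when the old session is destroyed. Token and
 * repository failures are logged; the upgrade itself is never failed from here.
 *
 * @param oldSession session being upgraded
 * @param newSession session replacing it
 */
@Override
public void handleSessionUpgrade(InternalSession oldSession, InternalSession newSession) {
    final String sessionIndex = oldSession.getProperty(SAML2Constants.IDP_SESSION_INDEX);
    if (StringUtils.isNotEmpty(sessionIndex)) {
        final String oldSessionID = oldSession.getID().toString();
        final String newSessionID = newSession.getID().toString();
        final SSOToken oldSSOToken;
        final SSOToken newSSOToken;
        try {
            oldSSOToken = ssoTokenManager.createSSOToken(oldSessionID);
            newSSOToken = ssoTokenManager.createSSOToken(newSessionID);
        } catch (SSOException ssoe) {
            // pass the exception itself so the stack trace is kept; toString() only gave the message
            debug.warning("Unable to create an SSOToken for the session ID", ssoe);
            return;
        }
        final boolean failoverEnabled = SAML2FailoverUtils.isSAML2FailoverEnabled();
        IDPSession idpSession = IDPCache.idpSessionsByIndices.get(sessionIndex);
        if (idpSession == null && failoverEnabled) {
            // not in this server's cache; fall back to the shared failover store
            try {
                final IDPSessionCopy idpSessionCopy = (IDPSessionCopy) SAML2FailoverUtils.retrieveSAML2Token(sessionIndex);
                if (idpSessionCopy != null) {
                    idpSession = new IDPSession(idpSessionCopy);
                }
            } catch (SAML2TokenRepositoryException stre) {
                debug.warning("Unable to retrieve IDPSessionCopy from SAML failover store", stre);
            }
        }
        if (idpSession != null) {
            idpSession.setSession(newSSOToken);
            if (failoverEnabled) {
                try {
                    SAML2FailoverUtils.deleteSAML2Token(sessionIndex);
                    // NOTE(review): assumes getTimeLeft() is in seconds, matching the currentTimeMillis()/1000 term — confirm
                    long expirationTime = System.currentTimeMillis() / 1000 + newSession.getTimeLeft();
                    SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(sessionIndex, new IDPSessionCopy(idpSession), expirationTime);
                } catch (SAML2TokenRepositoryException stre) {
                    debug.error("Failed to update IDPSession in SAML failover store", stre);
                }
            }
            IDPCache.idpSessionsByIndices.put(sessionIndex, idpSession);
            IDPCache.idpSessionsBySessionID.put(newSessionID, idpSession);
        }
        IDPCache.idpSessionsBySessionID.remove(oldSessionID);
        final String partner = IDPCache.spSessionPartnerBySessionID.remove(oldSessionID);
        if (partner != null) {
            IDPCache.spSessionPartnerBySessionID.put(newSessionID, partner);
        }
        try {
            //We set the sessionIndex to a dummy value so that IDPSessionListener won't try to clear out the caches
            //for the still valid sessionIndex.
            oldSSOToken.setProperty(SAML2Constants.IDP_SESSION_INDEX, "dummy");
        } catch (SSOException ssoe) {
            debug.error("Failed to set IDP Session Index for old session", ssoe);
        }
    }
}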
