Search in sources :

Example 1 with Artifact

use of com.sun.identity.saml2.protocol.Artifact in project OpenAM by OpenRock.

the class SAMLv2ModelImpl method setSPStdAttributeValues.

/**
     * Saves the standard attribute values for the Service Provider.
     *
     * @param realm to which the entity belongs.
     * @param entityName is the entity id.
     * @param spStdValues Map which contains the standard attribute values.
     * @param assertionConsumer List with assertion consumer service values.
     * @throws AMConsoleException if saving of attribute value fails.
     */
public void setSPStdAttributeValues(String realm, String entityName, Map spStdValues, List assertionConsumer) throws AMConsoleException {
    String[] params = { realm, entityName, "SAMLv2", "SP-Standard" };
    logEvent("ATTEMPT_MODIFY_ENTITY_DESCRIPTOR", params);
    SPSSODescriptorElement spssoDescriptor = null;
    com.sun.identity.saml2.jaxb.metadata.ObjectFactory objFact = new com.sun.identity.saml2.jaxb.metadata.ObjectFactory();
    try {
        SAML2MetaManager samlManager = getSAML2MetaManager();
        EntityDescriptorElement entityDescriptor = samlManager.getEntityDescriptor(realm, entityName);
        spssoDescriptor = samlManager.getSPSSODescriptor(realm, entityName);
        if (spssoDescriptor != null) {
            // save for Single Logout Service - Http-Redirect
            if (spStdValues.keySet().contains(SP_SINGLE_LOGOUT_HTTP_LOCATION)) {
                String lohttpLocation = getResult(spStdValues, SP_SINGLE_LOGOUT_HTTP_LOCATION);
                String lohttpRespLocation = getResult(spStdValues, SP_SINGLE_LOGOUT_HTTP_RESP_LOCATION);
                String lopostLocation = getResult(spStdValues, SP_SLO_POST_LOC);
                String lopostRespLocation = getResult(spStdValues, SP_SLO_POST_RESPLOC);
                String losoapLocation = getResult(spStdValues, SP_SINGLE_LOGOUT_SOAP_LOCATION);
                String priority = getResult(spStdValues, SP_LOGOUT_DEFAULT);
                if (priority.contains("none")) {
                    if (lohttpLocation != null) {
                        priority = httpRedirectBinding;
                    } else if (lopostLocation != null) {
                        priority = httpPostBinding;
                    } else if (losoapLocation != null) {
                        priority = soapBinding;
                    }
                }
                List logList = spssoDescriptor.getSingleLogoutService();
                if (!logList.isEmpty()) {
                    logList.clear();
                }
                if (priority != null && priority.contains("HTTP-Redirect")) {
                    savehttpRedLogout(lohttpLocation, lohttpRespLocation, logList, objFact);
                    savepostLogout(lopostLocation, lopostRespLocation, logList, objFact);
                    savesoapLogout(losoapLocation, logList, objFact);
                } else if (priority != null && priority.contains("HTTP-POST")) {
                    savepostLogout(lopostLocation, lopostRespLocation, logList, objFact);
                    savehttpRedLogout(lohttpLocation, lohttpRespLocation, logList, objFact);
                    savesoapLogout(losoapLocation, logList, objFact);
                } else if (priority != null && priority.contains("SOAP")) {
                    savesoapLogout(losoapLocation, logList, objFact);
                    savehttpRedLogout(lohttpLocation, lohttpRespLocation, logList, objFact);
                    savepostLogout(lopostLocation, lopostRespLocation, logList, objFact);
                }
            }
            // save for Manage Name ID Service
            if (spStdValues.keySet().contains(SP_MANAGE_NAMEID_HTTP_LOCATION)) {
                String mnihttpLocation = getResult(spStdValues, SP_MANAGE_NAMEID_HTTP_LOCATION);
                String mnihttpRespLocation = getResult(spStdValues, SP_MANAGE_NAMEID_HTTP_RESP_LOCATION);
                String mnipostLocation = getResult(spStdValues, SP_MNI_POST_LOC);
                String mnipostRespLocation = getResult(spStdValues, SP_MNI_POST_RESPLOC);
                String mnisoapLocation = getResult(spStdValues, SP_MANAGE_NAMEID_SOAP_LOCATION);
                String mnisoapResLocation = getResult(spStdValues, SP_MANAGE_NAMEID_SOAP_RESP_LOCATION);
                String priority = getResult(spStdValues, SP_MNI_DEFAULT);
                if (priority.contains("none")) {
                    if (mnihttpLocation != null) {
                        priority = httpRedirectBinding;
                    } else if (mnipostLocation != null) {
                        priority = httpPostBinding;
                    } else if (mnisoapLocation != null) {
                        priority = soapBinding;
                    }
                }
                List manageNameIdList = spssoDescriptor.getManageNameIDService();
                if (!manageNameIdList.isEmpty()) {
                    manageNameIdList.clear();
                }
                if (priority != null && priority.contains("HTTP-Redirect")) {
                    savehttpRedMni(mnihttpLocation, mnihttpRespLocation, manageNameIdList, objFact);
                    savepostMni(mnipostLocation, mnipostRespLocation, manageNameIdList, objFact);
                    saveSPsoapMni(mnisoapLocation, mnisoapResLocation, manageNameIdList, objFact);
                } else if (priority != null && priority.contains("HTTP-POST")) {
                    savepostMni(mnipostLocation, mnipostRespLocation, manageNameIdList, objFact);
                    savehttpRedMni(mnihttpLocation, mnihttpRespLocation, manageNameIdList, objFact);
                    saveSPsoapMni(mnisoapLocation, mnisoapResLocation, manageNameIdList, objFact);
                } else if (priority != null && priority.contains("SOAP")) {
                    saveSPsoapMni(mnisoapLocation, mnisoapResLocation, manageNameIdList, objFact);
                    savehttpRedMni(mnihttpLocation, mnihttpRespLocation, manageNameIdList, objFact);
                    savepostMni(mnipostLocation, mnipostRespLocation, manageNameIdList, objFact);
                }
            }
            //save for artifact, post and paos Assertion Consumer Service
            if (!assertionConsumer.isEmpty() && assertionConsumer.size() > 0) {
                List asconsServiceList = spssoDescriptor.getAssertionConsumerService();
                if (!asconsServiceList.isEmpty()) {
                    asconsServiceList.clear();
                }
                asconsServiceList.addAll(assertionConsumer);
            }
            //save nameid format
            if (spStdValues.keySet().contains(NAMEID_FORMAT)) {
                saveNameIdFormat(spssoDescriptor, spStdValues);
            }
            //save AuthnRequestsSigned
            if (spStdValues.keySet().contains(IS_AUTHN_REQ_SIGNED)) {
                boolean authnValue = setToBoolean(spStdValues, IS_AUTHN_REQ_SIGNED);
                spssoDescriptor.setAuthnRequestsSigned(authnValue);
            }
            //save WantAssertionsSigned
            if (spStdValues.keySet().contains(WANT_ASSERTIONS_SIGNED)) {
                boolean assertValue = setToBoolean(spStdValues, WANT_ASSERTIONS_SIGNED);
                spssoDescriptor.setWantAssertionsSigned(assertValue);
            }
            samlManager.setEntityDescriptor(realm, entityDescriptor);
        }
        logEvent("SUCCEED_MODIFY_ENTITY_DESCRIPTOR", params);
    } catch (SAML2MetaException e) {
        debug.warning("SAMLv2ModelImpl.setSPStdAttributeValues:", e);
        String strError = getErrorString(e);
        String[] paramsEx = { realm, entityName, "SAMLv2", "SP-Standard", strError };
        logEvent("FEDERATION_EXCEPTION_MODIFY_ENTITY_DESCRIPTOR", paramsEx);
        throw new AMConsoleException(strError);
    } catch (JAXBException e) {
        debug.error("SAMLv2ModelImpl.setSPStdAttributeValues:", e);
        String strError = getErrorString(e);
        String[] paramsEx = { realm, entityName, "SAMLv2", "SP-Standard", strError };
        logEvent("FEDERATION_EXCEPTION_MODIFY_ENTITY_DESCRIPTOR", paramsEx);
    }
}
Also used : SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) JAXBException(javax.xml.bind.JAXBException) SAML2MetaManager(com.sun.identity.saml2.meta.SAML2MetaManager) EntityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.EntityDescriptorElement) ObjectFactory(com.sun.identity.saml2.jaxb.entityconfig.ObjectFactory) List(java.util.List) ArrayList(java.util.ArrayList) AMConsoleException(com.sun.identity.console.base.model.AMConsoleException) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)

Example 2 with Artifact

use of com.sun.identity.saml2.protocol.Artifact in project OpenAM by OpenRock.

the class IDPArtifactResolution method doArtifactResolution.

/**
     * This method processes the artifact resolution request coming 
     * from a service provider. It processes the artifact
     * resolution request sent by the service provider and 
     * sends back a proper SOAPMessage that contains an Assertion.
     *
     * @param request the <code>HttpServletRequest</code> object
     * @param response the <code>HttpServletResponse</code> object
     */
public static void doArtifactResolution(HttpServletRequest request, HttpServletResponse response) {
    String classMethod = "IDPArtifactResolution.doArtifactResolution: ";
    try {
        String idpMetaAlias = request.getParameter(SAML2MetaManager.NAME_META_ALIAS_IN_URI);
        if ((idpMetaAlias == null) || (idpMetaAlias.trim().length() == 0)) {
            idpMetaAlias = SAML2MetaUtils.getMetaAliasByUri(request.getRequestURI());
        }
        if ((idpMetaAlias == null) || (idpMetaAlias.trim().length() == 0)) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "unable to get IDP meta alias from request.");
            }
            String[] data = { idpMetaAlias };
            LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, null);
            SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "nullIDPMetaAlias", SAML2Utils.bundle.getString("nullIDPMetaAlias"));
            return;
        }
        // retrieve IDP entity id from meta alias
        String idpEntityID = null;
        String realm = null;
        try {
            idpEntityID = IDPSSOUtil.metaManager.getEntityByMetaAlias(idpMetaAlias);
            if ((idpEntityID == null) || (idpEntityID.trim().length() == 0)) {
                SAMLUtils.debug.error(classMethod + "Unable to get IDP Entity ID from meta.");
                String[] data = { idpEntityID };
                LogUtil.error(Level.INFO, LogUtil.INVALID_IDP, data, null);
                SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "nullIDPEntityID", SAML2Utils.bundle.getString("nullIDPEntityID"));
                return;
            }
            realm = SAML2MetaUtils.getRealmByMetaAlias(idpMetaAlias);
        } catch (SAML2MetaException sme) {
            SAML2Utils.debug.error(classMethod + "Unable to get IDP Entity ID from meta.");
            String[] data = { idpMetaAlias };
            LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, null);
            SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "metaDataError", SAML2Utils.bundle.getString("metaDataError"));
            return;
        }
        if (!SAML2Utils.isIDPProfileBindingSupported(realm, idpEntityID, SAML2Constants.ARTIFACT_RESOLUTION_SERVICE, SAML2Constants.SOAP)) {
            SAML2Utils.debug.error(classMethod + "Artifact Resolution Service binding: Redirect is not " + "supported for " + idpEntityID);
            String[] data = { idpEntityID, SAML2Constants.SOAP };
            LogUtil.error(Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
            SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST, "unsupportedBinding", SAML2Utils.bundle.getString("unsupportedBinding"));
            return;
        }
        try {
            // Get all the headers from the HTTP request
            MimeHeaders headers = getHeaders(request);
            // Get the body of the HTTP request
            InputStream is = request.getInputStream();
            SOAPMessage msg = messageFactory.createMessage(headers, is);
            SOAPMessage reply = null;
            reply = onMessage(msg, request, response, realm, idpEntityID);
            if (reply != null) {
                /* Need to call saveChanges because we're
                     * going to use the MimeHeaders to set HTTP
                     * response information. These MimeHeaders
                     * are generated as part of the save. */
                if (reply.saveRequired()) {
                    reply.saveChanges();
                }
                response.setStatus(HttpServletResponse.SC_OK);
                putHeaders(reply.getMimeHeaders(), response);
                // Write out the message on the response stream
                OutputStream outputStream = response.getOutputStream();
                reply.writeTo(outputStream);
                outputStream.flush();
            } else {
                response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            }
        } catch (SOAPException ex) {
            SAML2Utils.debug.error(classMethod + "SOAP error", ex);
            String[] data = { idpEntityID };
            LogUtil.error(Level.INFO, LogUtil.INVALID_SOAP_MESSAGE, data, null);
            SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "invalidSOAPMessage", SAML2Utils.bundle.getString("invalidSOAPMessage") + " " + ex.getMessage());
            return;
        } catch (SAML2Exception se) {
            SAML2Utils.debug.error(classMethod + "SAML2 error", se);
            SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "unableToCreateArtifactResponse", SAML2Utils.bundle.getString("unableToCreateArtifactResponse") + " " + se.getMessage());
            return;
        }
    } catch (IOException ioe) {
        SAML2Utils.debug.error(classMethod + "I/O rrror", ioe);
    }
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) MimeHeaders(javax.xml.soap.MimeHeaders) InputStream(java.io.InputStream) OutputStream(java.io.OutputStream) SOAPException(javax.xml.soap.SOAPException) IOException(java.io.IOException) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) SOAPMessage(javax.xml.soap.SOAPMessage)

Example 3 with Artifact

use of com.sun.identity.saml2.protocol.Artifact in project OpenAM by OpenRock.

the class IDPArtifactResolution method onMessage.

/**
     * This method generates a <code>SOAPMessage</code> containing the
     * <code>ArtifactResponse</code> that is corresponding to the
     * <code>ArtifactResolve</code> contained in the 
     * <code>SOAPMessage</code> passed in.
     *
     * @param message <code>SOAPMessage</code> contains a
     *             <code>ArtifactResolve</code> 
     * @param request the <code>HttpServletRequest</code> object
     * @param realm the realm to where the identity provider belongs
     * @param idpEntityID the entity id of the identity provider 
     * 
     * @return <code>SOAPMessage</code> contains the 
     *             <code>ArtifactResponse</code>
     * @exception SAML2Exception if the operation is not successful
     */
public static SOAPMessage onMessage(SOAPMessage message, HttpServletRequest request, HttpServletResponse response, String realm, String idpEntityID) throws SAML2Exception {
    String classMethod = "IDPArtifactResolution.onMessage: ";
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(classMethod + "Entering onMessage().");
    }
    Element reqElem = SOAPCommunicator.getInstance().getSamlpElement(message, "ArtifactResolve");
    ArtifactResolve artResolve = ProtocolFactory.getInstance().createArtifactResolve(reqElem);
    if (artResolve == null) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "no valid ArtifactResolve node found in SOAP body.");
        }
        return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "noArtifactResolve", null);
    }
    String spEntityID = artResolve.getIssuer().getValue();
    if (!SAML2Utils.isSourceSiteValid(artResolve.getIssuer(), realm, idpEntityID)) {
        SAML2Utils.debug.error(classMethod + spEntityID + " is not trusted issuer.");
        String[] data = { idpEntityID, realm, artResolve.getID() };
        LogUtil.error(Level.INFO, LogUtil.INVALID_ISSUER_REQUEST, data, null);
        return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "invalidIssuerInRequest", null);
    }
    SPSSODescriptorElement spSSODescriptor = null;
    try {
        spSSODescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(realm, spEntityID);
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error(classMethod, sme);
        spSSODescriptor = null;
    }
    if (spSSODescriptor == null) {
        SAML2Utils.debug.error(classMethod + "Unable to get SP SSO Descriptor from meta.");
        return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.SERVER_FAULT, "metaDataError", null);
    }
    OrderedSet acsSet = SPSSOFederate.getACSUrl(spSSODescriptor, SAML2Constants.HTTP_ARTIFACT);
    String acsURL = (String) acsSet.get(0);
    //String protocolBinding = (String) acsSet.get(1);
    String isArtifactResolveSigned = SAML2Utils.getAttributeValueFromSSOConfig(realm, idpEntityID, SAML2Constants.IDP_ROLE, SAML2Constants.WANT_ARTIFACT_RESOLVE_SIGNED);
    if ((isArtifactResolveSigned != null) && (isArtifactResolveSigned.equals(SAML2Constants.TRUE))) {
        if (!artResolve.isSigned()) {
            SAML2Utils.debug.error(classMethod + "The artifact resolve is not signed " + "when it is expected to be signed.");
            return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "ArtifactResolveNotSigned", null);
        }
        Set<X509Certificate> verificationCerts = KeyUtil.getVerificationCerts(spSSODescriptor, spEntityID, SAML2Constants.SP_ROLE);
        if (!artResolve.isSignatureValid(verificationCerts)) {
            SAML2Utils.debug.error(classMethod + "artifact resolve verification failed.");
            return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "invalidArtifact", null);
        }
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "artifact resolve signature verification is successful.");
        }
    }
    Artifact art = artResolve.getArtifact();
    if (art == null) {
        SAML2Utils.debug.error(classMethod + "Unable to get an artifact from ArtifactResolve.");
        return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "invalidArtifactSignature", null);
    }
    String artStr = art.getArtifactValue();
    Response res = (Response) IDPCache.responsesByArtifacts.remove(artStr);
    String remoteArtURL = null;
    boolean saml2FailoverEnabled = SAML2FailoverUtils.isSAML2FailoverEnabled();
    if (res == null) {
        // in LB case, artifact may reside on the other server.
        String targetServerID = SAML2Utils.extractServerId(art.getMessageHandle());
        if (targetServerID == null) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "target serverID is null");
            }
            return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "InvalidArtifactId", null);
        }
        String localServerID = SAML2Utils.getLocalServerID();
        boolean localTarget = localServerID.equals(targetServerID);
        if (!localTarget) {
            if (!SystemConfigurationUtil.isValidServerId(targetServerID)) {
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message(classMethod + "target serverID is not valid: " + targetServerID);
                }
                return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "InvalidArtifactId", null);
            }
            try {
                String remoteServiceURL = SystemConfigurationUtil.getServerFromID(targetServerID);
                remoteArtURL = remoteServiceURL + SAML2Utils.removeDeployUri(request.getRequestURI());
                SOAPConnection con = SOAPCommunicator.getInstance().openSOAPConnection();
                SOAPMessage resMsg = con.call(message, remoteArtURL);
                return resMsg;
            } catch (Exception ex) {
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message(classMethod + "unable to forward request to remote server. " + "remote url = " + remoteArtURL, ex);
                }
                if (!saml2FailoverEnabled) {
                    return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.SERVER_FAULT, "RemoteArtifactResolutionFailed", null);
                }
            // when the target server is running but the remote call was
            // failed to this server (due to a network error)
            // and the saml2failover is enabled, we can still find the
            // artifact in the SAML2 repository.
            // However the cached entry in the target server will not be
            // deleted this way.
            }
        }
        if (saml2FailoverEnabled) {
            // Check the SAML2 Token Repository
            try {
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("Artifact=" + artStr);
                }
                String tmp = (String) SAML2FailoverUtils.retrieveSAML2Token(artStr);
                res = ProtocolFactory.getInstance().createResponse(tmp);
            } catch (SAML2Exception e) {
                SAML2Utils.debug.error(classMethod + " SAML2 ERROR!!!", e);
                return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "UnableToFindResponseInRepo", null);
            } catch (SAML2TokenRepositoryException se) {
                SAML2Utils.debug.error(classMethod + " There was a problem reading the response " + "from the SAML2 Token Repository using artStr:" + artStr, se);
                return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "UnableToFindResponseInRepo", null);
            }
        }
    }
    if (res == null) {
        return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, saml2FailoverEnabled ? "UnableToFindResponseInRepo" : "UnableToFindResponse", null);
    }
    // Remove Response from SAML2 Token Repository
    try {
        if (saml2FailoverEnabled) {
            SAML2FailoverUtils.deleteSAML2Token(artStr);
        }
    } catch (SAML2TokenRepositoryException e) {
        SAML2Utils.debug.error(classMethod + " Error deleting the response from the SAML2 Token Repository using artStr:" + artStr, e);
    }
    Map props = new HashMap();
    String nameIDString = SAML2Utils.getNameIDStringFromResponse(res);
    if (nameIDString != null) {
        props.put(LogUtil.NAME_ID, nameIDString);
    }
    // check if need to sign the assertion
    boolean signAssertion = spSSODescriptor.isWantAssertionsSigned();
    if (signAssertion) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "signing the assertion.");
        }
    }
    // encrypt the assertion or its NameID and/or Attribute based
    // on SP config setting and sign the assertion.
    IDPSSOUtil.signAndEncryptResponseComponents(realm, spEntityID, idpEntityID, res, signAssertion);
    ArtifactResponse artResponse = ProtocolFactory.getInstance().createArtifactResponse();
    Status status = ProtocolFactory.getInstance().createStatus();
    StatusCode statusCode = ProtocolFactory.getInstance().createStatusCode();
    statusCode.setValue(SAML2Constants.SUCCESS);
    status.setStatusCode(statusCode);
    // set the idp entity id as the response issuer
    Issuer issuer = AssertionFactory.getInstance().createIssuer();
    issuer.setValue(idpEntityID);
    artResponse.setStatus(status);
    artResponse.setID(SAML2Utils.generateID());
    artResponse.setInResponseTo(artResolve.getID());
    artResponse.setVersion(SAML2Constants.VERSION_2_0);
    artResponse.setIssueInstant(new Date());
    artResponse.setAny(res.toXMLString(true, true));
    artResponse.setIssuer(issuer);
    artResponse.setDestination(XMLUtils.escapeSpecialCharacters(acsURL));
    String wantArtifactResponseSigned = SAML2Utils.getAttributeValueFromSSOConfig(realm, spEntityID, SAML2Constants.SP_ROLE, SAML2Constants.WANT_ARTIFACT_RESPONSE_SIGNED);
    if ((wantArtifactResponseSigned != null) && (wantArtifactResponseSigned.equals(SAML2Constants.TRUE))) {
        KeyProvider kp = KeyUtil.getKeyProviderInstance();
        if (kp == null) {
            SAML2Utils.debug.error(classMethod + "Unable to get a key provider instance.");
            return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.SERVER_FAULT, "nullKeyProvider", null);
        }
        String idpSignCertAlias = SAML2Utils.getSigningCertAlias(realm, idpEntityID, SAML2Constants.IDP_ROLE);
        if (idpSignCertAlias == null) {
            SAML2Utils.debug.error(classMethod + "Unable to get the hosted IDP signing certificate alias.");
            return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.SERVER_FAULT, "missingSigningCertAlias", null);
        }
        String encryptedKeyPass = SAML2Utils.getSigningCertEncryptedKeyPass(realm, idpEntityID, SAML2Constants.IDP_ROLE);
        PrivateKey key;
        if (encryptedKeyPass == null || encryptedKeyPass.isEmpty()) {
            key = kp.getPrivateKey(idpSignCertAlias);
        } else {
            key = kp.getPrivateKey(idpSignCertAlias, encryptedKeyPass);
        }
        artResponse.sign(key, kp.getX509Certificate(idpSignCertAlias));
    }
    String str = artResponse.toXMLString(true, true);
    String[] logdata = { idpEntityID, artStr, str };
    LogUtil.access(Level.INFO, LogUtil.ARTIFACT_RESPONSE, logdata, null, props);
    if (str != null) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "ArtifactResponse message:\n" + str);
        }
    } else {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "Unable to print ArtifactResponse message.");
        }
    }
    SOAPMessage msg = null;
    try {
        msg = SOAPCommunicator.getInstance().createSOAPMessage(str, false);
    } catch (SOAPException se) {
        SAML2Utils.debug.error(classMethod + "Unable to create a SOAPMessage and add a document ", se);
        return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.SERVER_FAULT, "unableToCreateSOAPMessage", null);
    }
    return msg;
}
Also used : KeyProvider(com.sun.identity.saml.xmlsig.KeyProvider) PrivateKey(java.security.PrivateKey) HashMap(java.util.HashMap) Issuer(com.sun.identity.saml2.assertion.Issuer) SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) Element(org.w3c.dom.Element) SOAPConnection(javax.xml.soap.SOAPConnection) SOAPMessage(javax.xml.soap.SOAPMessage) StatusCode(com.sun.identity.saml2.protocol.StatusCode) ArtifactResolve(com.sun.identity.saml2.protocol.ArtifactResolve) SOAPException(javax.xml.soap.SOAPException) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) Status(com.sun.identity.saml2.protocol.Status) OrderedSet(com.sun.identity.shared.datastruct.OrderedSet) X509Certificate(java.security.cert.X509Certificate) Artifact(com.sun.identity.saml2.protocol.Artifact) SOAPException(javax.xml.soap.SOAPException) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException) IOException(java.io.IOException) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) Date(java.util.Date) Response(com.sun.identity.saml2.protocol.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) ArtifactResponse(com.sun.identity.saml2.protocol.ArtifactResponse) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) ArtifactResponse(com.sun.identity.saml2.protocol.ArtifactResponse) SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException) HashMap(java.util.HashMap) Map(java.util.Map)

Example 4 with Artifact

use of com.sun.identity.saml2.protocol.Artifact in project OpenAM by OpenRock.

the class IDPSSOUtil method sendResponse.

/**
     * Sends a response to service provider
     *
     * @param response     the <code>HttpServletResponse</code> object
     * @param acsBinding   the assertion consumer service binding
     * @param spEntityID   the entity id of the service provider
     * @param idpEntityID  the entity id of the identity provider
     * @param idpMetaAlias the meta alias of the identity provider
     * @param realm        the realm name
     * @param relayState   the relay state
     * @param acsURL       the assertion consumer service <code>url</code>
     * @param res          the <code>SAML Response</code> object
     * @throws SAML2Exception if the operation is not successful
     */
public static void sendResponse(HttpServletRequest request, HttpServletResponse response, PrintWriter out, String acsBinding, String spEntityID, String idpEntityID, String idpMetaAlias, String realm, String relayState, String acsURL, Response res, Object session) throws SAML2Exception {
    String classMethod = "IDPSSOUtil.sendResponse: ";
    String nameIDString = SAML2Utils.getNameIDStringFromResponse(res);
    Map props = new HashMap();
    props.put(LogUtil.NAME_ID, nameIDString);
    // send the response back through HTTP POST or Artifact
    if (acsBinding.equals(SAML2Constants.HTTP_POST)) {
        // 4.1.4.5 POST-Specific Processing Rules (sstc-saml-profiles-errata-2.0-wd-06-diff.pdf)
        //If response is not signed and POST binding is used, the assertion(s) MUST be signed.
        // encryption is optional based on SP config settings.
        boolean signAssertion = true;
        // check if response needs to be signed.
        boolean signResponse = SAML2Utils.wantPOSTResponseSigned(realm, spEntityID, SAML2Constants.SP_ROLE);
        // so will base on wantAssertionsSigned flag
        if (signResponse) {
            signAssertion = wantAssertionsSigned(spEntityID, realm);
        }
        signAndEncryptResponseComponents(realm, spEntityID, idpEntityID, res, signAssertion);
        if (signResponse) {
            signResponse(realm, idpEntityID, res);
        }
        String resMsg = res.toXMLString(true, true);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "SAML Response content :\n" + resMsg);
        }
        String encodedResMsg = SAML2Utils.encodeForPOST(resMsg);
        String[] logdata1 = { spEntityID, idpMetaAlias, resMsg };
        LogUtil.access(Level.INFO, LogUtil.POST_RESPONSE, logdata1, session, props);
        try {
            SAML2Utils.postToTarget(request, response, "SAMLResponse", encodedResMsg, "RelayState", relayState, acsURL);
        } catch (SAML2Exception saml2E) {
            String[] data = { acsURL };
            LogUtil.error(Level.INFO, LogUtil.POST_TO_TARGET_FAILED, data, session, props);
            throw saml2E;
        }
    } else if (acsBinding.equals(SAML2Constants.HTTP_ARTIFACT)) {
        IDPSSOUtil.sendResponseArtifact(request, response, idpEntityID, spEntityID, realm, acsURL, relayState, res, session, props);
    } else if (acsBinding.equals(SAML2Constants.PAOS)) {
        // signing assertion is a must for ECP profile.
        // encryption is optional based on SP config settings.
        signAndEncryptResponseComponents(realm, spEntityID, idpEntityID, res, true);
        IDPSSOUtil.sendResponseECP(request, response, out, idpEntityID, realm, acsURL, res);
    } else {
        SAML2Utils.debug.error(classMethod + "unsupported return binding.");
        throw new SAML2Exception(SAML2Utils.bundle.getString("UnSupportedReturnBinding"));
    }
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) HashMap(java.util.HashMap) Map(java.util.Map) HashMap(java.util.HashMap)

Example 5 with Artifact

use of com.sun.identity.saml2.protocol.Artifact in project OpenAM by OpenRock.

the class IDPSSOUtil method sendResponseArtifact.

/**
     * This method opens a URL connection to the target specified and
     * sends artifact response to it using the
     * <code>HttpServletResponse</code> object.
     *
     * @param response    the <code>HttpServletResponse</code> object
     * @param idpEntityID the entity id of the identity provider
     * @param realm       the realm name of the identity provider
     * @param acsURL      the assertion consumer service <code>URL</code>
     * @param relayState  the value of the <code>RelayState</code>
     * @param res         the <code>SAML Response</code> object
     * @param session     user session
     * @param props       property map including nameIDString for logging
     * @throws SAML2Exception if the operation is not successful
     */
public static void sendResponseArtifact(HttpServletRequest request, HttpServletResponse response, String idpEntityID, String spEntityID, String realm, String acsURL, String relayState, Response res, Object session, Map props) throws SAML2Exception {
    String classMethod = "IDPSSOUtil.sendResponseArtifact: ";
    IDPSSODescriptorElement idpSSODescriptorElement = null;
    try {
        idpSSODescriptorElement = metaManager.getIDPSSODescriptor(realm, idpEntityID);
        if (idpSSODescriptorElement == null) {
            SAML2Utils.debug.error(classMethod + "Unable to get IDP SSO Descriptor from meta.");
            String[] data = { idpEntityID };
            LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, session, props);
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error(classMethod + "Unable to get IDP SSO Descriptor from meta.");
        String[] data = { idpEntityID };
        LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, session, props);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    ArtifactResolutionServiceElement ars = (ArtifactResolutionServiceElement) idpSSODescriptorElement.getArtifactResolutionService().get(0);
    if (ars == null) {
        SAML2Utils.debug.error(classMethod + "Unable to get ArtifactResolutionServiceElement from meta.");
        String[] data = { idpEntityID };
        LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, session, props);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    Artifact art = null;
    try {
        art = ProtocolFactory.getInstance().createArtifact(null, ars.getIndex(), SAML2Utils.generateSourceID(idpEntityID), SAML2Utils.generateMessageHandleWithServerID());
    } catch (SAML2Exception se) {
        SAML2Utils.debug.error(classMethod + "Unable to create artifact: ", se);
        String[] data = { idpEntityID };
        LogUtil.error(Level.INFO, LogUtil.CANNOT_CREATE_ARTIFACT, data, session, props);
        SAMLUtils.sendError(request, response, response.SC_INTERNAL_SERVER_ERROR, "errorCreateArtifact", SAML2Utils.bundle.getString("errorCreateArtifact"));
        return;
    }
    String artStr = art.getArtifactValue();
    try {
        IDPCache.responsesByArtifacts.put(artStr, res);
        if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
            try {
                long expireTime = getValidTimeofResponse(realm, idpEntityID, res) / 1000;
                SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(artStr, res.toXMLString(true, true), expireTime);
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message(classMethod + "Saved Response to SAML2 Token Repository using key " + artStr);
                }
            } catch (SAML2TokenRepositoryException se) {
                SAML2Utils.debug.error(classMethod + "Unable to save Response to the SAML2 Token Repository", se);
            }
        }
        String messageEncoding = SAML2Utils.getAttributeValueFromSSOConfig(realm, spEntityID, SAML2Constants.SP_ROLE, SAML2Constants.RESPONSE_ARTIFACT_MESSAGE_ENCODING);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "messageEncoding = " + messageEncoding);
            SAML2Utils.debug.message(classMethod + "artStr = " + artStr);
        }
        if ((messageEncoding != null) && (messageEncoding.equals(SAML2Constants.FORM_ENCODING))) {
            String[] logdata = { idpEntityID, realm, acsURL };
            LogUtil.access(Level.INFO, LogUtil.SEND_ARTIFACT, logdata, session, props);
            SAML2Utils.postToTarget(request, response, SAML2Constants.SAML_ART, artStr, "RelayState", relayState, acsURL);
        } else {
            String redirectURL = acsURL + (acsURL.contains("?") ? "&" : "?") + "SAMLart=" + URLEncDec.encode(artStr);
            if ((relayState != null) && (relayState.trim().length() != 0)) {
                redirectURL += "&RelayState=" + URLEncDec.encode(relayState);
            }
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "Redirect URL = " + redirectURL);
            }
            String[] logdata = { idpEntityID, realm, redirectURL };
            LogUtil.access(Level.INFO, LogUtil.SEND_ARTIFACT, logdata, session, props);
            response.sendRedirect(redirectURL);
        }
    } catch (IOException ioe) {
        SAML2Utils.debug.error(classMethod + "Unable to send redirect: ", ioe);
    }
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException) IOException(java.io.IOException) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) ArtifactResolutionServiceElement(com.sun.identity.saml2.jaxb.metadata.ArtifactResolutionServiceElement) Artifact(com.sun.identity.saml2.protocol.Artifact) IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)

Aggregations

SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)11 SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)6 ArtifactResolutionServiceElement (com.sun.identity.saml2.jaxb.metadata.ArtifactResolutionServiceElement)4 IDPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)4 Issuer (com.sun.identity.saml2.assertion.Issuer)3 SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)3 Artifact (com.sun.identity.saml2.protocol.Artifact)3 ArtifactResponse (com.sun.identity.saml2.protocol.ArtifactResponse)3 IOException (java.io.IOException)3 ArrayList (java.util.ArrayList)3 List (java.util.List)3 SOAPException (javax.xml.soap.SOAPException)3 SOAPMessage (javax.xml.soap.SOAPMessage)3 Element (org.w3c.dom.Element)3 AMConsoleException (com.sun.identity.console.base.model.AMConsoleException)2 KeyProvider (com.sun.identity.saml.xmlsig.KeyProvider)2 IDPSSOConfigElement (com.sun.identity.saml2.jaxb.entityconfig.IDPSSOConfigElement)2 ObjectFactory (com.sun.identity.saml2.jaxb.entityconfig.ObjectFactory)2 EntityDescriptorElement (com.sun.identity.saml2.jaxb.metadata.EntityDescriptorElement)2 SAML2MetaManager (com.sun.identity.saml2.meta.SAML2MetaManager)2