
Example 26 with AuthnRequest

Use of com.sun.identity.saml2.protocol.AuthnRequest in project OpenAM by OpenRock.

The class IDPProxyUtil, method sendNoPassiveProxyResponse.

/**
 * Sends back a NoPassive response for the original AuthnRequest.
 *
 * @param request The request.
 * @param response The response.
 * @param out The print writer for writing out presentation.
 * @param requestID The requestID of the proxied AuthnRequest.
 * @param idpMetaAlias The IdP's metaAlias.
 * @param hostEntityID The IdP's entity ID.
 * @param realm The realm where the IdP belongs to.
 * @throws SAML2Exception If there was an error while sending the NoPassive response.
 */
public static void sendNoPassiveProxyResponse(HttpServletRequest request, HttpServletResponse response, PrintWriter out, String requestID, String idpMetaAlias, String hostEntityID, String realm) throws SAML2Exception {
    // The original SP request was cached under the ID of the proxied request; remove the
    // entry so the same cached request cannot be used to produce a second response.
    AuthnRequest origRequest = (AuthnRequest) IDPCache.proxySPAuthnReqCache.remove(requestID);
    if (origRequest == null) {
        // Unknown or already consumed request ID: fail cleanly instead of dereferencing null.
        throw new SAML2Exception("No cached AuthnRequest found for request ID " + requestID);
    }
    // The RelayState was cached under the original request's own ID, not the proxied one.
    String relayState = (String) IDPCache.relayStateCache.remove(origRequest.getID());
    IDPSSOUtil.sendNoPassiveResponse(request, response, out, idpMetaAlias, hostEntityID, realm, origRequest, relayState, origRequest.getIssuer().getValue());
}
Also used : AuthnRequest(com.sun.identity.saml2.protocol.AuthnRequest)

Example 27 with AuthnRequest

Use of com.sun.identity.saml2.protocol.AuthnRequest in project OpenAM by OpenRock.

The class IDPProxyUtil, method getPreferredIDP.

/**
 * Gets the preferred IDP Id to be proxied. This method makes use of an
 * SPI to determine the preferred IDP.
 * @param authnRequest original Authn Request.
 * @param hostedEntityId hosted provider ID
 * @param realm Realm
 * @param request HttpServletRequest
 * @param response HttpServletResponse
 * @exception SAML2Exception for any SAML2 failure.
 * @return String Provider id of the preferred IDP to be proxied, or null if the finder returned none.
 */
public static String getPreferredIDP(AuthnRequest authnRequest, String hostedEntityId, String realm, HttpServletRequest request, HttpServletResponse response) throws SAML2Exception {
    // The finder is a pluggable SPI configured per realm and hosted entity.
    SAML2IDPFinder proxyFinder = getIDPProxyFinder(realm, hostedEntityId);
    // The SPI returns a raw List of provider IDs, ordered by preference.
    List idpProviderIDs = proxyFinder.getPreferredIDP(authnRequest, hostedEntityId, realm, request, response);
    if ((idpProviderIDs == null) || idpProviderIDs.isEmpty()) {
        return null;
    }
    // Only the first (most preferred) IdP is proxied to.
    return (String) idpProviderIDs.get(0);
}
Also used : List(java.util.List) IDPList(com.sun.identity.saml2.protocol.IDPList) ArrayList(java.util.ArrayList) SAML2IDPFinder(com.sun.identity.saml2.plugins.SAML2IDPFinder)

Example 28 with AuthnRequest

Use of com.sun.identity.saml2.protocol.AuthnRequest in project OpenAM by OpenRock.

The class IDPProxyUtil, method getNewAuthnRequest.

/**
 * Constructs a new authentication request by using the original request
 * that is sent by the service provider to the proxying IDP.
 * @param hostedEntityId hosted provider ID
 * @param destination The destination where the new AuthnRequest will be sent to.
 * @param realm Realm
 * @param origRequest Original Authn Request
 * @return AuthnRequest new authn request.
 * @exception SAML2Exception for failure in creating new authn request.
 */
private static AuthnRequest getNewAuthnRequest(String hostedEntityId, String destination, String realm, AuthnRequest origRequest) throws SAML2Exception {
    String classMethod = "IDPProxyUtil.getNewAuthnRequest: ";
    // The new authentication request should only be a single sign-on request.
    try {
        AuthnRequest newRequest = ProtocolFactory.getInstance().createAuthnRequest();
        // A fresh ID is issued for the proxied request; the original request is only kept in the cache.
        String requestID = SAML2Utils.generateID();
        if (requestID == null || requestID.isEmpty()) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("cannotGenerateID"));
        }
        newRequest.setID(requestID);
        SPSSODescriptorElement localDescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(realm, hostedEntityId);
        newRequest.setDestination(XMLUtils.escapeSpecialCharacters(destination));
        // Carry over the attributes of the original request that the remote IdP must honour.
        newRequest.setConsent(origRequest.getConsent());
        newRequest.setIsPassive(origRequest.isPassive());
        newRequest.setForceAuthn(origRequest.isForceAuthn());
        newRequest.setAttributeConsumingServiceIndex(origRequest.getAttributeConsumingServiceIndex());
        newRequest.setAssertionConsumerServiceIndex(origRequest.getAssertionConsumerServiceIndex());
        String protocolBinding = origRequest.getProtocolBinding();
        newRequest.setProtocolBinding(protocolBinding);
        // The assertion must come back to this proxy's own ACS URL, not to the original SP's.
        OrderedSet acsSet = SPSSOFederate.getACSUrl(localDescriptor, protocolBinding);
        String acsURL = (String) acsSet.get(0);
        newRequest.setAssertionConsumerServiceURL(acsURL);
        // The proxy, not the original SP, is the issuer of the new request.
        Issuer issuer = AssertionFactory.getInstance().createIssuer();
        issuer.setValue(hostedEntityId);
        newRequest.setIssuer(issuer);
        NameIDPolicy origNameIDPolicy = origRequest.getNameIDPolicy();
        if (origNameIDPolicy != null) {
            NameIDPolicy newNameIDPolicy = ProtocolFactory.getInstance().createNameIDPolicy();
            newNameIDPolicy.setFormat(origNameIDPolicy.getFormat());
            // The SPNameQualifier is rewritten to the proxy's own entity ID.
            newNameIDPolicy.setSPNameQualifier(hostedEntityId);
            newNameIDPolicy.setAllowCreate(origNameIDPolicy.isAllowCreate());
            newRequest.setNameIDPolicy(newNameIDPolicy);
        }
        newRequest.setRequestedAuthnContext(origRequest.getRequestedAuthnContext());
        newRequest.setExtensions(origRequest.getExtensions());
        newRequest.setIssueInstant(new Date());
        newRequest.setVersion(SAML2Constants.VERSION_2_0);
        Scoping scoping = origRequest.getScoping();
        if (scoping != null) {
            // Forward the SP's Scoping, decrementing ProxyCount by one for this hop as the
            // SAML 2.0 ProxyCount semantics require. A missing ProxyCount is forwarded as missing.
            Scoping newScoping = ProtocolFactory.getInstance().createScoping();
            Integer proxyCountInt = scoping.getProxyCount();
            if (proxyCountInt != null) {
                newScoping.setProxyCount(Integer.valueOf(proxyCountInt.intValue() - 1));
            }
            newScoping.setIDPList(scoping.getIDPList());
            newRequest.setScoping(newScoping);
        } else {
            // Handling the alwaysIdpProxy case: the incoming request did not contain
            // a Scoping element, so one is built from the remote SP's configuration.
            SPSSOConfigElement spConfig = getSPSSOConfigByAuthnRequest(realm, origRequest);
            Map<String, List<String>> spConfigAttrMap = SAML2MetaUtils.getAttributes(spConfig);
            scoping = ProtocolFactory.getInstance().createScoping();
            String proxyCountParam = SPSSOFederate.getParameter(spConfigAttrMap, SAML2Constants.IDP_PROXY_COUNT);
            if (proxyCountParam != null && (!proxyCountParam.equals(""))) {
                // A non-numeric value throws NumberFormatException, which the catch below wraps.
                int proxyCount = Integer.valueOf(proxyCountParam);
                if (proxyCount <= 0) {
                    scoping.setProxyCount(0);
                } else {
                    // Since this is a remote SP configuration, we should
                    // decrement the proxy count by one.
                    scoping.setProxyCount(proxyCount - 1);
                }
            }
            List<String> proxyIdPs = spConfigAttrMap.get(SAML2Constants.IDP_PROXY_LIST);
            if (proxyIdPs != null && !proxyIdPs.isEmpty()) {
                List<IDPEntry> list = new ArrayList<IDPEntry>();
                for (String proxyIdP : proxyIdPs) {
                    IDPEntry entry = ProtocolFactory.getInstance().createIDPEntry();
                    entry.setProviderID(proxyIdP);
                    list.add(entry);
                }
                IDPList idpList = ProtocolFactory.getInstance().createIDPList();
                idpList.setIDPEntries(list);
                scoping.setIDPList(idpList);
                // The Scoping is attached to the new request only when a proxy IdP list is configured.
                newRequest.setScoping(scoping);
            }
        }
        return newRequest;
    } catch (Exception ex) {
        SAML2Utils.debug.error(classMethod + "Error in creating new authn request.", ex);
        throw new SAML2Exception(ex);
    }
}
Also used : OrderedSet(com.sun.identity.shared.datastruct.OrderedSet) Issuer(com.sun.identity.saml2.assertion.Issuer) NameIDPolicy(com.sun.identity.saml2.protocol.NameIDPolicy) SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) SPSSOConfigElement(com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement) ArrayList(java.util.ArrayList) IDPList(com.sun.identity.saml2.protocol.IDPList) Date(java.util.Date) SOAPException(javax.xml.soap.SOAPException) SessionException(com.sun.identity.plugin.session.SessionException) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException) IOException(java.io.IOException) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) AuthnRequest(com.sun.identity.saml2.protocol.AuthnRequest) Scoping(com.sun.identity.saml2.protocol.Scoping) List(java.util.List) IDPList(com.sun.identity.saml2.protocol.IDPList) ArrayList(java.util.ArrayList) IDPEntry(com.sun.identity.saml2.protocol.IDPEntry)

Example 29 with AuthnRequest

Use of com.sun.identity.saml2.protocol.AuthnRequest in project OpenAM by OpenRock.

The class IDPProxyUtil, method isIDPProxyEnabled.

/**
 * Checks if the identity provider is configured for proxying the
 * authentication requests for a requesting service provider.
 * @param authnRequest Authentication Request.
 * @param realm Realm
 * @return <code>true</code> if the IDP is configured for proxying.
 * @exception SAML2Exception for any failure.
 */
public static boolean isIDPProxyEnabled(AuthnRequest authnRequest, String realm) throws SAML2Exception {
    SPSSOConfigElement spConfig;
    Map spConfigAttrsMap = null;
    Scoping scoping = authnRequest.getScoping();
    if (scoping == null) {
        // No Scoping in the request: proxying happens only if the SP's configuration
        // enables both "always IdP proxy" and IdP proxying itself.
        spConfig = getSPSSOConfigByAuthnRequest(realm, authnRequest);
        if (spConfig != null) {
            spConfigAttrsMap = SAML2MetaUtils.getAttributes(spConfig);
            Boolean alwaysEnabled = SPSSOFederate.getAttrValueFromMap(spConfigAttrsMap, SAML2Constants.ALWAYS_IDP_PROXY);
            Boolean proxyEnabled = SPSSOFederate.getAttrValueFromMap(spConfigAttrsMap, SAML2Constants.ENABLE_IDP_PROXY);
            if (alwaysEnabled != null && alwaysEnabled && proxyEnabled != null && proxyEnabled) {
                return true;
            }
        }
        return false;
    }
    Integer proxyCountInt = scoping.getProxyCount();
    int proxyCount;
    if (proxyCountInt == null) {
        // ProxyCount missing: the SP places no limit on proxying, so IDP proxy is allowed.
        proxyCount = 1;
    } else {
        proxyCount = proxyCountInt.intValue();
    }
    if (proxyCount <= 0) {
        // The requesting SP forbids any further proxying of this request.
        return false;
    }
    // The request permits proxying; the final decision rests with the SP's extended configuration.
    spConfig = IDPSSOUtil.metaManager.getSPSSOConfig(realm, authnRequest.getIssuer().getValue());
    if (spConfig == null) {
        return false;
    }
    spConfigAttrsMap = SAML2MetaUtils.getAttributes(spConfig);
    Boolean enabled = SPSSOFederate.getAttrValueFromMap(spConfigAttrsMap, SAML2Constants.ENABLE_IDP_PROXY);
    return enabled != null && enabled.booleanValue();
}
Also used : Scoping(com.sun.identity.saml2.protocol.Scoping) SPSSOConfigElement(com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement) Map(java.util.Map) HashMap(java.util.HashMap)

Example 30 with AuthnRequest

Use of com.sun.identity.saml2.protocol.AuthnRequest in project OpenAM by OpenRock.

The class IDPProxyUtil, method sendProxyResponse.

/**
 * Sends the proxy authentication response to the proxying service
 * provider which originally requested the authentication.
 * @param request HttpServletRequest
 * @param response HttpServletResponse
 * @param out the print writer for writing out presentation
 * @param requestID request ID
 * @param idpMetaAlias meta Alias
 * @param newSession Session object
 * @param nameIDFormat the NameID format to use in the response
 * @throws SAML2Exception for any SAML2 failure.
 */
private static void sendProxyResponse(HttpServletRequest request, HttpServletResponse response, PrintWriter out, String requestID, String idpMetaAlias, Object newSession, String nameIDFormat) throws SAML2Exception {
    String classMethod = "IDPProxyUtil.sendProxyResponse: ";
    // Look up the original SP request that was cached when the proxied request was issued.
    AuthnRequest origRequest = (AuthnRequest) IDPCache.proxySPAuthnReqCache.get(requestID);
    if (origRequest == null) {
        // Unknown or already consumed request ID: fail cleanly instead of dereferencing null.
        throw new SAML2Exception("No cached AuthnRequest found for request ID " + requestID);
    }
    if (SAML2Utils.debug.messageEnabled()) {
        try {
            SAML2Utils.debug.message(classMethod + origRequest.toXMLString());
        } catch (Exception ex) {
            SAML2Utils.debug.error(classMethod + "toString(): Failed.", ex);
        }
    }
    // The cached request is consumed: remove it so it cannot be answered twice.
    IDPCache.proxySPAuthnReqCache.remove(requestID);
    String proxySPEntityId = origRequest.getIssuer().getValue();
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(classMethod + ":Original requesting service provider id:" + proxySPEntityId);
    }
    // Save the SP provider id based on the token id (sessionProvider is the class's session SPI).
    IDPCache.spSessionPartnerBySessionID.put(sessionProvider.getSessionID(newSession), proxySPEntityId);
    //TODO: set AuthnContext
    /*AuthnContext authnContextStm;
    if (authnContextStmt != null) {
        String authnContext = authnContextStmt.getAuthnContextClassRef();
        session.setAuthnContext(authnContext);
    }*/
    // The RelayState was cached under the original request's own ID.
    String relayState = (String) IDPCache.relayStateCache.get(origRequest.getID());
    IDPSSOUtil.doSSOFederate(request, response, out, origRequest, origRequest.getIssuer().getValue(), idpMetaAlias, nameIDFormat, relayState, newSession, null);
}
Also used : AuthnRequest(com.sun.identity.saml2.protocol.AuthnRequest) SOAPException(javax.xml.soap.SOAPException) SessionException(com.sun.identity.plugin.session.SessionException) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException) IOException(java.io.IOException) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)

Aggregations

SAML2Exception (com.sun.identity.saml2.common.SAML2Exception) 27
List (java.util.List) 18
SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException) 15
ArrayList (java.util.ArrayList) 15
AuthnRequest (com.sun.identity.saml2.protocol.AuthnRequest) 14
Map (java.util.Map) 13
SessionException (com.sun.identity.plugin.session.SessionException) 12
SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) 10
IOException (java.io.IOException) 10
SAML2TokenRepositoryException (org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException) 10
SPSSOConfigElement (com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement) 9
Date (java.util.Date) 8
HashMap (java.util.HashMap) 8
IDPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement) 7
SAML2ServiceProviderAdapter (com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter) 7
Iterator (java.util.Iterator) 7
Issuer (com.sun.identity.saml2.assertion.Issuer) 6
Assertion (com.sun.identity.saml2.assertion.Assertion) 5
IDPList (com.sun.identity.saml2.protocol.IDPList) 5
Response (com.sun.identity.saml2.protocol.Response) 5