
Example 31 with AuthnRequest

use of com.sun.identity.saml2.protocol.AuthnRequest in project OpenAM by OpenRock.

the class IDPSSOFederate method idpProxyCase.

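/**
 * Having read the requestID, look up the preferred IDP for this request.
 * If matched, send a proxy authentication request.
 * Performs no action if the requestID is null.
 *
 * @param requestID Nullable identifier for the request. May be null.
 * @param request the current HTTP request; used to determine the preferred IDP.
 * @param response the HTTP response the proxied authentication request is written to.
 * @return {@code true} if a proxy authentication request was sent, {@code false} if this is not a proxy case.
 * @throws ServerFaultException If we couldn't send the authentication request, or if a preferred IDP was
 *         found but no request parameters are cached under this requestID.
 */
private boolean idpProxyCase(String requestID, HttpServletRequest request, HttpServletResponse response) throws ServerFaultException {
    final String classMethod = "IDPSSOFederate.idpProxyCase:";
    if (requestID == null) {
        return false;
    }
    final String preferredIDP = SAML2Utils.getPreferredIDP(request);
    if (preferredIDP == null) {
        return false;
    }
    SAML2Utils.debug.message("{} IDP to be proxied {}", classMethod, preferredIDP);
    // Look the parameters up only after the null guard: a Hashtable-style cache rejects null keys,
    // and doing the lookup first (as before) defeated the guard documented above.
    final Map paramsMap = (Map) SPCache.reqParamHash.get(requestID);
    if (paramsMap == null) {
        // The requestID is presumably supplied by the client (see caller); a stale or unknown
        // value must surface as a handled fault rather than a NullPointerException below.
        SAML2Utils.debug.message("{} No cached request parameters for requestID {}", classMethod, requestID);
        throw new ServerFaultException("UnableToRedirectToPreferredIDP", "No cached request parameters for requestID " + requestID);
    }
    try {
        IDPProxyUtil.sendProxyAuthnRequest((AuthnRequest) paramsMap.get("authnReq"), preferredIDP, (SPSSODescriptorElement) paramsMap.get("spSSODescriptor"), (String) paramsMap.get("idpEntityID"), request, response, (String) paramsMap.get("realm"), (String) paramsMap.get("relayState"), (String) paramsMap.get("binding"));
        // The cached parameters are single-use; drop them once the proxy request has gone out.
        SPCache.reqParamHash.remove(requestID);
        return true;
    } catch (SAML2Exception | IOException e) {
        // The old message prepended classMethod to the pattern *and* passed it as an argument,
        // printing it twice; the pattern now names it once.
        SAML2Utils.debug.message("{} Redirecting for the proxy handling error: {}", classMethod, e.getMessage());
        throw new ServerFaultException("UnableToRedirectToPreferredIDP", e.getMessage());
    }
}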

Example 32 with AuthnRequest

use of com.sun.identity.saml2.protocol.AuthnRequest in project OpenAM by OpenRock.

the class SPSSOFederate method signAuthnRequest.

/**
 * Signs an authentication request with the private key and certificate registered
 * under the given alias in the configured key provider.
 *
 * @param certAlias the alias of the signing key/certificate in the key provider
 * @param authnRequest the authentication request to sign; it is signed in place
 * @throws SAML2Exception if no key provider instance is available, or as propagated
 *         from {@code AuthnRequest.sign}
 */
public static void signAuthnRequest(final String certAlias, final AuthnRequest authnRequest) throws SAML2Exception {
    final KeyProvider keyProvider = KeyUtil.getKeyProviderInstance();
    if (keyProvider != null) {
        authnRequest.sign(keyProvider.getPrivateKey(certAlias), keyProvider.getX509Certificate(certAlias));
        return;
    }
    // Without a key provider there is no signing key at all; fail loudly rather than send unsigned.
    SAML2Utils.debug.error("SPSSOFederate:signAuthnRequest: Unable to get a key provider instance.");
    throw new SAML2Exception(SAML2Utils.bundle.getString("nullKeyProvider"));
}

Example 33 with AuthnRequest

use of com.sun.identity.saml2.protocol.AuthnRequest in project OpenAM by OpenRock.

the class SPSSOFederate method initiateAuthnRequest.

/**
 * Parses the request parameters and builds the Authentication
 * Request to send to the IDP, delivers it using the HTTP-POST or
 * HTTP-Redirect binding, and records the outstanding request in
 * {@code SPCache.requestHash} (and in the SAML2 token repository when
 * failover is enabled) so that the IDP's response can be correlated later.
 *
 * @param request the HttpServletRequest.
 * @param response the HttpServletResponse.
 * @param spEntityID entityID of Service Provider.
 * @param idpEntityID entityID of Identity Provider.
 * @param realmName the realm name as given by the caller; it is passed through
 *              {@code getRealm} before the metadata lookups, but handed to the
 *              SP adapter unchanged.
 * @param paramsMap Map of all other parameters.The key in the
 *              map are the parameter names of the type String.
 *              The values in the paramsMap are of the type List.
 *              Some of the possible keys are:RelayState,NameIDFormat,
 *              reqBinding, binding, AssertionConsumerServiceIndex,
 *              AttributeConsumingServiceIndex (currently not supported),
 *              isPassive, ForceAuthN, AllowCreate, Destination,
 *              AuthnContextDeclRef, AuthnContextClassRef,
 *              AuthComparison, Consent (currently not supported),
 *              AuthLevel, and sunamcompositeadvice.
 * @param auditor the auditor for logging SAML2 Events - may be null
 * @throws SAML2Exception if error initiating request to IDP: missing entity IDs,
 *              missing or invalid metadata, no SSO endpoint for the binding,
 *              an I/O failure while sending, or a token repository failure.
 */
private static void initiateAuthnRequest(final HttpServletRequest request, final HttpServletResponse response, final String spEntityID, final String idpEntityID, final String realmName, final Map paramsMap, final SAML2EventLogger auditor) throws SAML2Exception {
    // Load-balancer cookie handling. When this returns true a redirect has been
    // issued and the flow presumably resumes on the follow-up request, so stop here.
    if (FSUtils.needSetLBCookieAndRedirect(request, response, false)) {
        return;
    }
    if (spEntityID == null) {
        SAML2Utils.debug.error("SPSSOFederate:Service Provider ID  is missing.");
        // data carries the (null) entity ID for the audit record only
        String[] data = { spEntityID };
        LogUtil.error(Level.INFO, LogUtil.INVALID_SP, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullSPEntityID"));
    }
    if (idpEntityID == null) {
        SAML2Utils.debug.error("SPSSOFederate: Identity Provider ID is missing .");
        String[] data = { idpEntityID };
        LogUtil.error(Level.INFO, LogUtil.INVALID_IDP, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullIDPEntityID"));
    }
    // Binding requested by the caller (reqBinding); HTTP-Redirect when absent.
    String binding = getParameter(paramsMap, SAML2Constants.REQ_BINDING);
    if (binding == null) {
        binding = SAML2Constants.HTTP_REDIRECT;
    }
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("SPSSOFederate: in initiateSSOFed");
        SAML2Utils.debug.message("SPSSOFederate: spEntityID is : " + spEntityID);
        SAML2Utils.debug.message("SPSSOFederate: idpEntityID : " + idpEntityID);
    }
    String realm = getRealm(realmName);
    try {
        // Retrieve MetaData. sm is the meta manager, declared outside this excerpt.
        if (sm == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("errorMetaManager"));
        }
        Map spConfigAttrsMap = getAttrsMapForAuthnReq(realm, spEntityID);
        // get SPSSODescriptor
        SPSSODescriptorElement spsso = getSPSSOForAuthnReq(realm, spEntityID);
        if (spsso == null) {
            String[] data = { spEntityID };
            LogUtil.error(Level.INFO, LogUtil.SP_METADATA_ERROR, data, null);
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }
        List extensionsList = getExtensionsList(spEntityID, realm);
        // get IDP Descriptor
        IDPSSODescriptorElement idpsso = getIDPSSOForAuthnReq(realm, idpEntityID);
        if (idpsso == null) {
            String[] data = { idpEntityID };
            LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, null);
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }
        // The destination is taken from the IDP's metadata for the chosen binding,
        // never from the request parameters.
        List ssoServiceList = idpsso.getSingleSignOnService();
        String ssoURL = getSSOURL(ssoServiceList, binding);
        if (ssoURL == null || ssoURL.length() == 0) {
            String[] data = { idpEntityID };
            LogUtil.error(Level.INFO, LogUtil.SSO_NOT_FOUND, data, null);
            throw new SAML2Exception(SAML2Utils.bundle.getString("ssoServiceNotfound"));
        }
        // create AuthnRequest (the trailing false flag is opaque here; see createAuthnRequest)
        AuthnRequest authnRequest = createAuthnRequest(realm, spEntityID, paramsMap, spConfigAttrsMap, extensionsList, spsso, idpsso, ssoURL, false);
        if (null != auditor && null != authnRequest) {
            auditor.setRequestId(authnRequest.getID());
        }
        // invoke SP Adapter class if registered
        // NOTE(review): the adapter receives realmName, not the normalised realm used above — confirm intended.
        SAML2ServiceProviderAdapter spAdapter = SAML2Utils.getSPAdapterClass(spEntityID, realmName);
        if (spAdapter != null) {
            spAdapter.preSingleSignOnRequest(spEntityID, idpEntityID, realmName, request, response, authnRequest);
        }
        // Serialised after the adapter hook so any adapter modifications are included.
        String authReqXMLString = authnRequest.toXMLString(true, true);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("SPSSOFederate: AuthnRequest:" + authReqXMLString);
        }
        // Default URL if relayState not present? in providerConfig?
        // TODO get Default URL from metadata
        String relayState = getParameter(paramsMap, SAML2Constants.RELAY_STATE);
        // Validate the RelayState URL. RelayState is caller-supplied and is later
        // used as a redirect target, so it is checked against the SP configuration
        // before anything is sent (the check throws on rejection).
        SAML2Utils.validateRelayStateURL(realm, spEntityID, relayState, SAML2Constants.SP_ROLE);
        // check if relayState is present and get the unique
        // id which will be appended to the SSO URL before
        // redirecting. Only the opaque id travels to the IDP; the
        // actual RelayState stays in the local cache.
        String relayStateID = null;
        if (relayState != null && relayState.length() > 0) {
            relayStateID = getRelayStateID(relayState, authnRequest.getID());
        }
        if (binding.equals(SAML2Constants.HTTP_POST)) {
            // HTTP-POST: auto-submitting form carrying SAMLRequest and RelayState
            String encodedReqMsg = getPostBindingMsg(idpsso, spsso, spConfigAttrsMap, authnRequest);
            SAML2Utils.postToTarget(request, response, "SAMLRequest", encodedReqMsg, "RelayState", relayStateID, ssoURL);
        } else {
            // HTTP-Redirect: request encoded into the query string of the IDP SSO URL
            String redirect = getRedirect(authReqXMLString, relayStateID, ssoURL, idpsso, spsso, spConfigAttrsMap);
            response.sendRedirect(redirect);
        }
        String[] data = { ssoURL };
        LogUtil.access(Level.INFO, LogUtil.REDIRECT_TO_IDP, data, null);
        // Remember the outstanding request (keyed by its ID) so the IDP's response
        // can be matched to it; requestHash is shared, hence the lock.
        AuthnRequestInfo reqInfo = new AuthnRequestInfo(request, response, realm, spEntityID, idpEntityID, authnRequest, relayState, paramsMap);
        synchronized (SPCache.requestHash) {
            SPCache.requestHash.put(authnRequest.getID(), reqInfo);
        }
        if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
            // With failover on, a serialisable copy also goes to the shared token
            // repository so another server can complete the exchange.
            // sessionExpireTime is counted in seconds
            long sessionExpireTime = System.currentTimeMillis() / 1000 + SPCache.interval;
            String key = authnRequest.getID();
            try {
                SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(key, new AuthnRequestInfoCopy(reqInfo), sessionExpireTime);
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("SPSSOFederate.initiateAuthnRequest:" + " SAVE AuthnRequestInfoCopy for requestID " + key);
                }
            } catch (SAML2TokenRepositoryException e) {
                // NOTE(review): surfaces as the generic "metaDataError" key although the cause is the repository.
                SAML2Utils.debug.error("SPSSOFederate.initiateAuthnRequest: There was a problem saving the " + "AuthnRequestInfoCopy in the SAML2 Token Repository for requestID " + key, e);
                throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
            }
        }
    } catch (IOException ioe) {
        // From sendRedirect / postToTarget; the cause is logged, the caller gets the bundle message.
        SAML2Utils.debug.error("SPSSOFederate: Exception :", ioe);
        throw new SAML2Exception(SAML2Utils.bundle.getString("errorCreatingAuthnRequest"));
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error("SPSSOFederate:Error retrieving metadata", sme);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
}

Example 34 with AuthnRequest

use of com.sun.identity.saml2.protocol.AuthnRequest in project OpenAM by OpenRock.

the class SPACSUtils method invokeSPAdapterForSSOFailure.

/**
 * Gives the registered SP adapter (if any) a chance to handle a failed single sign-on.
 * When the adapter reports that it already redirected the user, that fact is recorded on
 * {@code se} so that the caller does not issue a second response.
 *
 * @param hostEntityId the hosted SP entity ID
 * @param realm the realm the SP belongs to
 * @param request the current HTTP request
 * @param response the current HTTP response
 * @param smap optional map of cached request state; the AuthnRequest is read from it when present
 * @param respInfo the received response and its profile binding
 * @param errorCode the SSO failure code handed to the adapter
 * @param se the exception describing the failure; updated with the adapter's redirection result
 */
private static void invokeSPAdapterForSSOFailure(String hostEntityId, String realm, HttpServletRequest request, HttpServletResponse response, Map smap, ResponseInfo respInfo, int errorCode, SAML2Exception se) {
    SAML2ServiceProviderAdapter adapter;
    try {
        adapter = SAML2Utils.getSPAdapterClass(hostEntityId, realm);
    } catch (SAML2Exception e) {
        // Best-effort: failing to load the adapter only means it is not invoked.
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("SPACSUtils.invokeSPAdapterForSSOFailure", e);
        }
        return;
    }
    if (adapter == null) {
        return;
    }
    final AuthnRequest authnRequest = (smap == null) ? null : (AuthnRequest) smap.get(SAML2Constants.AUTHN_REQUEST);
    final boolean redirected = adapter.postSingleSignOnFailure(hostEntityId, realm, request, response, authnRequest, respInfo.getResponse(), respInfo.getProfileBinding(), errorCode);
    se.setRedirectionDone(redirected);
}

Example 35 with AuthnRequest

use of com.sun.identity.saml2.protocol.AuthnRequest in project OpenAM by OpenRock.

the class UtilProxySAMLAuthenticatorLookup method retrieveAuthenticationFromCache.

/**
 * Completes an IDP-initiated SSO exchange on the user's second visit, after
 * authentication: restores the cached AuthnRequest, RelayState and matching
 * AuthnContext for the current requestID, runs the IDP adapter, and sends the
 * SAML response to the SP's assertion consumer service.
 * <p>
 * {@code request}, {@code response}, {@code out} and {@code data} are fields of
 * the enclosing class and are not visible in this excerpt.
 *
 * @throws SessionException if session handling fails outside the guarded lookup below
 * @throws ServerFaultException if the response to the ACS cannot be produced
 * @throws ClientFaultException propagated from the helpers called here
 */
@Override
public void retrieveAuthenticationFromCache() throws SessionException, ServerFaultException, ClientFaultException {
    final String classMethod = "UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache: ";
    // the second visit, the user has already authenticated
    // retrieve the cache authn request and relay state
    // We need the session to pass it to the IDP Adapter preSendResponse
    SessionProvider sessionProvider = SessionManager.getProvider();
    try {
        data.setSession(sessionProvider.getSession(request));
        data.getEventAuditor().setSSOTokenId(data.getSession());
    } catch (SessionException se) {
        // Best-effort: a missing session is dealt with by isSessionValid below.
        // NOTE(review): only the message is logged, so the stack trace is lost.
        SAML2Utils.debug.error("An error occurred while retrieving the session: " + se.getMessage());
        data.setSession(null);
    }
    // Get the cached Authentication Request and Relay State before
    // invoking the IDP Adapter. The entries are only peeked (get) here;
    // they are removed further down once it is certain the response is built here.
    CacheObject cacheObj;
    synchronized (IDPCache.authnRequestCache) {
        cacheObj = (CacheObject) IDPCache.authnRequestCache.get(data.getRequestID());
    }
    if (cacheObj != null) {
        data.setAuthnRequest((AuthnRequest) cacheObj.getObject());
    }
    data.setRelayState((String) IDPCache.relayStateCache.get(data.getRequestID()));
    if (!isSessionValid(sessionProvider)) {
        return;
    }
    // Invoke the IDP Adapter after the user has been authenticated.
    // A true return means the adapter has already produced the response.
    if (preSendResponse(request, response, data)) {
        return;
    }
    // Consume the cached entries: each requestID is completed at most once.
    synchronized (IDPCache.authnRequestCache) {
        cacheObj = (CacheObject) IDPCache.authnRequestCache.remove(data.getRequestID());
    }
    if (cacheObj != null) {
        data.setAuthnRequest((AuthnRequest) cacheObj.getObject());
    }
    synchronized (IDPCache.idpAuthnContextCache) {
        cacheObj = (CacheObject) IDPCache.idpAuthnContextCache.remove(data.getRequestID());
    }
    if (cacheObj != null) {
        data.setMatchingAuthnContext((AuthnContext) cacheObj.getObject());
    }
    data.setRelayState((String) IDPCache.relayStateCache.remove(data.getRequestID()));
    // Nothing cached under this requestID (unknown, expired or already consumed):
    // report that the authentication is not available instead of guessing.
    if (data.getAuthnRequest() == null) {
        authNotAvailable();
        return;
    }
    SAML2Utils.debug.message("{} RequestID= {}", classMethod, data.getRequestID());
    boolean isSessionUpgrade = false;
    if (CollectionUtils.isNotEmpty(IDPCache.isSessionUpgradeCache)) {
        isSessionUpgrade = IDPCache.isSessionUpgradeCache.contains(data.getRequestID());
    }
    if (isSessionUpgrade) {
        // Session upgrade: re-register the previous IDP session under the new
        // session index and refresh the monitoring count.
        // NOTE(review): oldSess is not null-checked before the put; whether
        // idpSessionsByIndices tolerates null values is not visible here.
        IDPSession oldSess = (IDPSession) IDPCache.oldIDPSessionCache.remove(data.getRequestID());
        String sessionIndex = IDPSSOUtil.getSessionIndex(data.getSession());
        if (StringUtils.isNotEmpty(sessionIndex)) {
            IDPCache.idpSessionsByIndices.put(sessionIndex, oldSess);
            final FedMonAgent agent = MonitorManager.getAgent();
            if (agent != null && agent.isRunning()) {
                final FedMonSAML2Svc saml2Svc = MonitorManager.getSAML2Svc();
                if (saml2Svc != null) {
                    saml2Svc.setIdpSessionCount(IDPCache.idpSessionsByIndices.size());
                }
            }
        }
    }
    if (data.getSession() != null) {
        // call multi-federation protocol to set the protocol
        MultiProtocolUtils.addFederationProtocol(data.getSession(), SingleLogoutManager.SAML2);
    }
    // generate assertion response. The SP entity ID and NameID format are taken
    // from the cached AuthnRequest (its Issuer and NameIDPolicy), not from the
    // current request.
    data.setSpEntityID(data.getAuthnRequest().getIssuer().getValue());
    NameIDPolicy policy = data.getAuthnRequest().getNameIDPolicy();
    String nameIDFormat = (policy == null) ? null : policy.getFormat();
    try {
        IDPSSOUtil.sendResponseToACS(request, response, out, data.getSession(), data.getAuthnRequest(), data.getSpEntityID(), data.getIdpEntityID(), data.getIdpMetaAlias(), data.getRealm(), nameIDFormat, data.getRelayState(), data.getMatchingAuthnContext());
    } catch (SAML2Exception se) {
        // Logged with the full cause; the fault returned to the caller carries only the message.
        SAML2Utils.debug.error(classMethod + "Unable to do sso or federation.", se);
        throw new ServerFaultException(data.getIdpAdapter(), SSO_OR_FEDERATION_ERROR, se.getMessage());
    }
}
