use of com.sun.identity.saml2.protocol.IDPList in project OpenAM by OpenRock.
the class ECPRequestImpl method parseElement.
/* Parses the NameIDPolicy Element */
private void parseElement(Element element) throws SAML2Exception {
if (element == null) {
if (SAML2SDKUtils.debug.messageEnabled()) {
SAML2SDKUtils.debug.message("ECPRequestImpl.parseElement:" + " Input is null.");
}
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
}
String localName = element.getLocalName();
if (!REQUEST.equals(localName)) {
if (SAML2SDKUtils.debug.messageEnabled()) {
SAML2SDKUtils.debug.message("ECPRequestImpl.parseElement:" + " element local name should be " + REQUEST);
}
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidECPRequest"));
}
String namespaceURI = element.getNamespaceURI();
if (!SAML2Constants.ECP_NAMESPACE.equals(namespaceURI)) {
if (SAML2SDKUtils.debug.messageEnabled()) {
SAML2SDKUtils.debug.message("ECPRequestImpl.parseElement:" + " element namespace should be " + SAML2Constants.ECP_NAMESPACE);
}
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidECPNamesapce"));
}
String str = XMLUtils.getNodeAttributeValueNS(element, SAML2Constants.SOAP_ENV_NAMESPACE, SAML2Constants.MUST_UNDERSTAND);
mustUnderstand = SAML2SDKUtils.StringToBoolean(str);
actor = XMLUtils.getNodeAttributeValueNS(element, SAML2Constants.SOAP_ENV_NAMESPACE, SAML2Constants.ACTOR);
providerName = XMLUtils.getNodeAttributeValue(element, SAML2Constants.PROVIDER_NAME);
str = XMLUtils.getNodeAttributeValue(element, SAML2Constants.ISPASSIVE);
isPassive = SAML2SDKUtils.StringToBoolean(str);
NodeList nList = element.getChildNodes();
if ((nList != null) && (nList.getLength() > 0)) {
for (int i = 0; i < nList.getLength(); i++) {
Node childNode = nList.item(i);
if (childNode.getNodeType() != Node.ELEMENT_NODE) {
continue;
}
String cName = childNode.getLocalName();
if (cName.equals(SAML2Constants.ISSUER)) {
validateIssuer();
issuer = AssertionFactory.getInstance().createIssuer((Element) childNode);
} else if (cName.equals(SAML2Constants.IDPLIST)) {
validateIDPList();
idpList = ProtocolFactory.getInstance().createIDPList((Element) childNode);
} else {
if (SAML2SDKUtils.debug.messageEnabled()) {
SAML2SDKUtils.debug.message("ECPRequestImpl.parseElement: " + "ECP Request has invalid child element");
}
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidElementECPReq"));
}
}
}
validateData();
}
use of com.sun.identity.saml2.protocol.IDPList in project OpenAM by OpenRock.
the class SPSSOFederate method createAuthnRequest.
/**
* Create an AuthnRequest.
*
* @param realmName the authentication realm for this request
* @param spEntityID the entity id for the service provider
* @param paramsMap the map of parameters for the authentication request
* @param spConfigMap the configuration map for the service provider
* @param extensionsList a list of extendsions for the authentication request
* @param spsso the SPSSODescriptorElement for theservcie provider
* @param idpsso the IDPSSODescriptorElement for the identity provider
* @param ssourl the url for the single sign on request
* @param isForECP boolean to indicatge if the request originated from an ECP
* @return a new AuthnRequest object
* @throws SAML2Exception
*/
public static AuthnRequest createAuthnRequest(final String realmName, final String spEntityID, final Map paramsMap, final Map spConfigMap, final List extensionsList, final SPSSODescriptorElement spsso, final IDPSSODescriptorElement idpsso, final String ssourl, final boolean isForECP) throws SAML2Exception {
// generate unique request ID
String requestID = SAML2Utils.generateID();
if ((requestID == null) || (requestID.length() == 0)) {
throw new SAML2Exception(SAML2Utils.bundle.getString("cannotGenerateID"));
}
// retrieve data from the params map and if not found get
// default values from the SPConfig Attributes
// destinationURI required if message is signed.
String destinationURI = getParameter(paramsMap, SAML2Constants.DESTINATION);
Boolean isPassive = doPassive(paramsMap, spConfigMap);
Boolean isforceAuthn = isForceAuthN(paramsMap, spConfigMap);
boolean allowCreate = isAllowCreate(paramsMap, spConfigMap);
boolean includeRequestedAuthnContextFlag = includeRequestedAuthnContext(paramsMap, spConfigMap);
String consent = getParameter(paramsMap, SAML2Constants.CONSENT);
Extensions extensions = createExtensions(extensionsList);
String nameIDPolicyFormat = getParameter(paramsMap, SAML2Constants.NAMEID_POLICY_FORMAT);
// get NameIDPolicy Element
NameIDPolicy nameIDPolicy = createNameIDPolicy(spEntityID, nameIDPolicyFormat, allowCreate, spsso, idpsso, realmName, paramsMap);
Issuer issuer = createIssuer(spEntityID);
Integer acsIndex = getIndex(paramsMap, SAML2Constants.ACS_URL_INDEX);
Integer attrIndex = getIndex(paramsMap, SAML2Constants.ATTR_INDEX);
String protocolBinding = isForECP ? SAML2Constants.PAOS : getParameter(paramsMap, "binding");
OrderedSet acsSet = getACSUrl(spsso, protocolBinding);
String acsURL = (String) acsSet.get(0);
protocolBinding = (String) acsSet.get(1);
if (!SAML2Utils.isSPProfileBindingSupported(realmName, spEntityID, SAML2Constants.ACS_SERVICE, protocolBinding)) {
SAML2Utils.debug.error("SPSSOFederate.createAuthnRequest:" + protocolBinding + "is not supported for " + spEntityID);
String[] data = { spEntityID, protocolBinding };
LogUtil.error(Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
}
AuthnRequest authnReq = ProtocolFactory.getInstance().createAuthnRequest();
if (!isForECP) {
if ((destinationURI == null) || (destinationURI.length() == 0)) {
authnReq.setDestination(XMLUtils.escapeSpecialCharacters(ssourl));
} else {
authnReq.setDestination(XMLUtils.escapeSpecialCharacters(destinationURI));
}
}
authnReq.setConsent(consent);
authnReq.setIsPassive(isPassive);
authnReq.setForceAuthn(isforceAuthn);
authnReq.setAttributeConsumingServiceIndex(attrIndex);
authnReq.setAssertionConsumerServiceIndex(acsIndex);
authnReq.setAssertionConsumerServiceURL(XMLUtils.escapeSpecialCharacters(acsURL));
authnReq.setProtocolBinding(protocolBinding);
authnReq.setIssuer(issuer);
authnReq.setNameIDPolicy(nameIDPolicy);
if (includeRequestedAuthnContextFlag) {
authnReq.setRequestedAuthnContext(createReqAuthnContext(realmName, spEntityID, paramsMap, spConfigMap));
}
if (extensions != null) {
authnReq.setExtensions(extensions);
}
// Required attributes in authn request
authnReq.setID(requestID);
authnReq.setVersion(SAML2Constants.VERSION_2_0);
authnReq.setIssueInstant(new Date());
//IDP Proxy
Boolean enableIDPProxy = getAttrValueFromMap(spConfigMap, SAML2Constants.ENABLE_IDP_PROXY);
if ((enableIDPProxy != null) && enableIDPProxy.booleanValue()) {
Scoping scoping = ProtocolFactory.getInstance().createScoping();
String proxyCountParam = getParameter(spConfigMap, SAML2Constants.IDP_PROXY_COUNT);
if (proxyCountParam != null && (!proxyCountParam.equals(""))) {
scoping.setProxyCount(new Integer(proxyCountParam));
}
List proxyIDPs = (List) spConfigMap.get(SAML2Constants.IDP_PROXY_LIST);
if (proxyIDPs != null && !proxyIDPs.isEmpty()) {
Iterator iter = proxyIDPs.iterator();
ArrayList list = new ArrayList();
while (iter.hasNext()) {
IDPEntry entry = ProtocolFactory.getInstance().createIDPEntry();
entry.setProviderID((String) iter.next());
list.add(entry);
}
IDPList idpList = ProtocolFactory.getInstance().createIDPList();
idpList.setIDPEntries(list);
scoping.setIDPList(idpList);
}
authnReq.setScoping(scoping);
}
return authnReq;
}
use of com.sun.identity.saml2.protocol.IDPList in project OpenAM by OpenRock.
the class SPSSOFederate method initiateECPRequest.
/**
* Parses the request parameters and builds ECP Request to sent to the IDP.
*
* @param request the HttpServletRequest.
* @param response the HttpServletResponse.
*
* @throws SAML2Exception if error creating AuthnRequest.
* @throws IOException if error sending AuthnRequest to ECP.
*/
public static void initiateECPRequest(HttpServletRequest request, HttpServletResponse response) throws SAML2Exception, IOException {
if (!isFromECP(request)) {
SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest: " + "invalid HTTP request from ECP.");
SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST, "invalidHttpRequestFromECP", SAML2Utils.bundle.getString("invalidHttpRequestFromECP"));
return;
}
String metaAlias = request.getParameter("metaAlias");
Map paramsMap = SAML2Utils.getParamsMap(request);
// get the sp entity ID from the metaAlias
String spEntityID = sm.getEntityByMetaAlias(metaAlias);
String realm = getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("SPSSOFederate.initiateECPRequest: " + "spEntityID is " + spEntityID + ", realm is " + realm);
}
try {
// Retreive MetaData
if (sm == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("errorMetaManager"));
}
SPSSOConfigElement spEntityCfg = sm.getSPSSOConfig(realm, spEntityID);
Map spConfigAttrsMap = null;
if (spEntityCfg != null) {
spConfigAttrsMap = SAML2MetaUtils.getAttributes(spEntityCfg);
}
// get SPSSODescriptor
SPSSODescriptorElement spsso = sm.getSPSSODescriptor(realm, spEntityID);
if (spsso == null) {
String[] data = { spEntityID };
LogUtil.error(Level.INFO, LogUtil.SP_METADATA_ERROR, data, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
String[] data = { spEntityID, realm };
LogUtil.access(Level.INFO, LogUtil.RECEIVED_HTTP_REQUEST_ECP, data, null);
List extensionsList = getExtensionsList(spEntityID, realm);
// create AuthnRequest
AuthnRequest authnRequest = createAuthnRequest(realm, spEntityID, paramsMap, spConfigAttrsMap, extensionsList, spsso, null, null, true);
// invoke SP Adapter class if registered
SAML2ServiceProviderAdapter spAdapter = SAML2Utils.getSPAdapterClass(spEntityID, realm);
if (spAdapter != null) {
spAdapter.preSingleSignOnRequest(spEntityID, realm, null, request, response, authnRequest);
}
String alias = SAML2Utils.getSigningCertAlias(realm, spEntityID, SAML2Constants.SP_ROLE);
PrivateKey signingKey = KeyUtil.getKeyProviderInstance().getPrivateKey(alias);
if (signingKey != null) {
authnRequest.sign(signingKey, null);
} else {
SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest: " + "Unable to find signing key.");
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
ECPFactory ecpFactory = ECPFactory.getInstance();
// Default URL if relayState not present? in providerConfig?
// TODO get Default URL from metadata
String relayState = getParameter(paramsMap, SAML2Constants.RELAY_STATE);
String ecpRelayStateXmlStr = "";
if (relayState != null && relayState.length() > 0) {
String relayStateID = getRelayStateID(relayState, authnRequest.getID());
ECPRelayState ecpRelayState = ecpFactory.createECPRelayState();
ecpRelayState.setValue(relayStateID);
ecpRelayState.setMustUnderstand(Boolean.TRUE);
ecpRelayState.setActor(SAML2Constants.SOAP_ACTOR_NEXT);
ecpRelayStateXmlStr = ecpRelayState.toXMLString(true, true);
}
ECPRequest ecpRequest = ecpFactory.createECPRequest();
ecpRequest.setIssuer(createIssuer(spEntityID));
ecpRequest.setMustUnderstand(Boolean.TRUE);
ecpRequest.setActor(SAML2Constants.SOAP_ACTOR_NEXT);
ecpRequest.setIsPassive(authnRequest.isPassive());
SAML2IDPFinder ecpIDPFinder = SAML2Utils.getECPIDPFinder(realm, spEntityID);
if (ecpIDPFinder != null) {
List idps = ecpIDPFinder.getPreferredIDP(authnRequest, spEntityID, realm, request, response);
if ((idps != null) && (!idps.isEmpty())) {
SAML2MetaManager saml2MetaManager = SAML2Utils.getSAML2MetaManager();
List idpEntries = null;
for (Iterator iter = idps.iterator(); iter.hasNext(); ) {
String idpEntityID = (String) iter.next();
IDPSSODescriptorElement idpDesc = saml2MetaManager.getIDPSSODescriptor(realm, idpEntityID);
if (idpDesc != null) {
IDPEntry idpEntry = ProtocolFactory.getInstance().createIDPEntry();
idpEntry.setProviderID(idpEntityID);
String description = SAML2Utils.getAttributeValueFromSSOConfig(realm, idpEntityID, SAML2Constants.IDP_ROLE, SAML2Constants.ENTITY_DESCRIPTION);
idpEntry.setName(description);
List ssoServiceList = idpDesc.getSingleSignOnService();
String ssoURL = getSSOURL(ssoServiceList, SAML2Constants.SOAP);
idpEntry.setLoc(ssoURL);
if (idpEntries == null) {
idpEntries = new ArrayList();
}
idpEntries.add(idpEntry);
}
}
if (idpEntries != null) {
IDPList idpList = ProtocolFactory.getInstance().createIDPList();
idpList.setIDPEntries(idpEntries);
ecpRequest.setIDPList(idpList);
Map attrs = SAML2MetaUtils.getAttributes(spEntityCfg);
List values = (List) attrs.get(SAML2Constants.ECP_REQUEST_IDP_LIST_GET_COMPLETE);
if ((values != null) && (!values.isEmpty())) {
GetComplete getComplete = ProtocolFactory.getInstance().createGetComplete();
getComplete.setValue((String) values.get(0));
idpList.setGetComplete(getComplete);
}
}
}
}
String paosRequestXmlStr = "";
try {
PAOSRequest paosRequest = new PAOSRequest(authnRequest.getAssertionConsumerServiceURL(), SAML2Constants.PAOS_ECP_SERVICE, null, Boolean.TRUE, SAML2Constants.SOAP_ACTOR_NEXT);
paosRequestXmlStr = paosRequest.toXMLString(true, true);
} catch (PAOSException paosex) {
SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest:", paosex);
throw new SAML2Exception(paosex.getMessage());
}
String header = paosRequestXmlStr + ecpRequest.toXMLString(true, true) + ecpRelayStateXmlStr;
String body = authnRequest.toXMLString(true, true);
try {
SOAPMessage reply = SOAPCommunicator.getInstance().createSOAPMessage(header, body, false);
String[] data2 = { spEntityID, realm, "" };
if (LogUtil.isAccessLoggable(Level.FINE)) {
data2[2] = SOAPCommunicator.getInstance().soapMessageToString(reply);
}
LogUtil.access(Level.INFO, LogUtil.SEND_ECP_PAOS_REQUEST, data2, null);
// are generated as part of the save.
if (reply.saveRequired()) {
reply.saveChanges();
}
response.setStatus(HttpServletResponse.SC_OK);
SAML2Utils.putHeaders(reply.getMimeHeaders(), response);
response.setContentType(PAOSConstants.PAOS_MIME_TYPE);
// Write out the message on the response stream
OutputStream os = response.getOutputStream();
reply.writeTo(os);
os.flush();
} catch (SOAPException soapex) {
SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest", soapex);
String[] data3 = { spEntityID, realm };
LogUtil.error(Level.INFO, LogUtil.SEND_ECP_PAOS_REQUEST_FAILED, data3, null);
SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "soapError", soapex.getMessage());
return;
}
AuthnRequestInfo reqInfo = new AuthnRequestInfo(request, response, realm, spEntityID, null, authnRequest, relayState, paramsMap);
synchronized (SPCache.requestHash) {
SPCache.requestHash.put(authnRequest.getID(), reqInfo);
}
if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
// sessionExpireTime is counted in seconds
long sessionExpireTime = System.currentTimeMillis() / 1000 + SPCache.interval;
String key = authnRequest.getID();
try {
SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(key, new AuthnRequestInfoCopy(reqInfo), sessionExpireTime);
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("SPSSOFederate.initiateECPRequest:" + " SAVE AuthnRequestInfoCopy for requestID " + key);
}
} catch (SAML2TokenRepositoryException e) {
SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest: There was a problem saving the " + "AuthnRequestInfoCopy in the SAML2 Token Repository for requestID " + key, e);
}
}
} catch (SAML2MetaException sme) {
SAML2Utils.debug.error("SPSSOFederate:Error retrieving metadata", sme);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
}
use of com.sun.identity.saml2.protocol.IDPList in project OpenAM by OpenRock.
the class ScopingImpl method toXMLString.
/**
* Returns a String representation
*
* @param includeNSPrefix determines whether or not the namespace
* qualifier is prepended to the Element when converted
* @param declareNS determines whether or not the namespace is declared
* within the Element.
* @return the String representation of this Object.
* @throws SAML2Exception if String object cannot be created.
*/
public String toXMLString(boolean includeNSPrefix, boolean declareNS) throws SAML2Exception {
String xmlElementString = null;
if (idpList != null || (requesterIDList != null && !requesterIDList.isEmpty()) || proxyCount != null) {
validateProxyCount(proxyCount);
StringBuilder xmlString = new StringBuilder(300);
xmlString.append(SAML2Constants.START_TAG);
if (includeNSPrefix) {
xmlString.append(SAML2Constants.PROTOCOL_PREFIX);
}
xmlString.append(SAML2Constants.SCOPING);
if (declareNS) {
xmlString.append(SAML2Constants.PROTOCOL_DECLARE_STR);
}
if (proxyCount != null) {
xmlString.append(SAML2Constants.SPACE).append(PROXYCOUNT).append(SAML2Constants.EQUAL).append(SAML2Constants.QUOTE).append(proxyCount.intValue()).append(SAML2Constants.QUOTE);
}
xmlString.append(SAML2Constants.END_TAG).append(SAML2Constants.NEWLINE);
if (idpList != null) {
xmlString.append(idpList.toXMLString(includeNSPrefix, declareNS)).append(SAML2Constants.NEWLINE);
}
if (requesterIDList != null) {
for (RequesterID reqID : requesterIDList) {
String reqIDStr = reqID.toXMLString(includeNSPrefix, declareNS);
xmlString.append(reqIDStr).append(SAML2Constants.NEWLINE);
}
}
xmlString.append(SAML2Constants.SAML2_END_TAG).append(SAML2Constants.SCOPING).append(SAML2Constants.END_TAG);
xmlElementString = xmlString.toString();
}
return xmlElementString;
}
use of com.sun.identity.saml2.protocol.IDPList in project OpenAM by OpenRock.
the class IDPListImpl method parseElement.
/* Parse the IDPList Element */
void parseElement(Element element) throws SAML2Exception {
ProtocolFactory protoFactory = ProtocolFactory.getInstance();
// Get the IDPEntry Element, can be 1 or more
NodeList nList = element.getChildNodes();
if ((nList == null) || (nList.getLength() == 0)) {
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("noIDPEntry"));
}
if (idpEntryList == null) {
idpEntryList = new ArrayList();
}
for (int i = 0; i < nList.getLength(); i++) {
Node childNode = nList.item(i);
String cName = childNode.getLocalName();
if (cName != null) {
if (cName.equals(SAML2Constants.IDPENTRY)) {
validateIDPEntry();
idpEntryList.add(protoFactory.createIDPEntry(XMLUtils.print(childNode)));
} else if (cName.equals(SAML2Constants.GETCOMPLETE)) {
validateGetComplete();
Element getCompleteElement = (Element) childNode;
getComplete = protoFactory.createGetComplete(getCompleteElement);
}
}
}
validateIDPEntryList(idpEntryList);
idpEntryList = Collections.unmodifiableList(idpEntryList);
}
Aggregations