
Example 1 with ManageNameIDRequest

use of com.sun.identity.saml2.protocol.ManageNameIDRequest in project OpenAM by OpenRock.

the class DoManageNameID method processPOSTRequest.

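/**
 * Handles a ManageNameIDRequest received over the HTTP-POST binding.
 * <p>
 * Reads the base64-encoded {@code SAMLRequest} form parameter, resolves the hosted
 * entity from the meta alias in the request URI, checks that the POST binding is
 * enabled for the hosted MNI service, decodes and verifies the request, processes
 * it and finally POSTs the signed ManageNameIDResponse to the remote entity's MNI
 * response location (falling back to its plain location).
 *
 * @param request   inbound servlet request carrying {@code SAMLRequest} and,
 *                  optionally, {@code RelayState}
 * @param response  servlet response used both for error pages and for the
 *                  auto-submitting POST form
 * @param paramsMap request parameters; consulted for the hosted entity role
 * @throws SAML2Exception   if the request is missing, the meta alias is unknown,
 *                          the binding is unsupported, the request cannot be
 *                          decoded, the issuer is absent, verification fails, or
 *                          the response cannot be posted
 * @throws IOException      on servlet I/O failure
 * @throws SOAPException    propagated from request processing
 * @throws SessionException propagated from request processing
 * @throws ServletException on servlet failure
 */
public static void processPOSTRequest(HttpServletRequest request, HttpServletResponse response, Map paramsMap) throws SAML2Exception, IOException, SOAPException, SessionException, ServletException {
    String classMethod = "DoManageNameID.processPOSTRequest:";
    String samlRequest = request.getParameter(SAML2Constants.SAML_REQUEST);
    if (samlRequest == null) {
        // Constant accessed via the type rather than the response instance.
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST, "MissingSAMLRequest", SAML2Utils.bundle.getString("MissingSAMLRequest"));
        throw new SAML2Exception(SAML2Utils.bundle.getString("MissingSAMLRequest"));
    }
    String metaAlias = SAML2MetaUtils.getMetaAliasByUri(request.getRequestURI());
    if (metaAlias == null) {
        // metaAlias is null on this path; log the URI that failed to resolve instead.
        logError("MetaAliasNotFound", LogUtil.MISSING_META_ALIAS, request.getRequestURI());
        throw new SAML2Exception(SAML2Utils.bundle.getString("MetaAliasNotFound"));
    }
    String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
    String hostEntityID = metaManager.getEntityByMetaAlias(metaAlias);
    String hostEntityRole = SAML2Utils.getHostEntityRole(paramsMap);
    // The hosted role decides which side of the metadata carries the MNI binding list.
    boolean isSupported;
    if (SAML2Constants.IDP_ROLE.equals(hostEntityRole)) {
        isSupported = SAML2Utils.isIDPProfileBindingSupported(realm, hostEntityID, SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_POST);
    } else {
        isSupported = SAML2Utils.isSPProfileBindingSupported(realm, hostEntityID, SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_POST);
    }
    if (!isSupported) {
        debug.error(classMethod + "MNI binding: POST is not supported for " + hostEntityID);
        String[] data = { hostEntityID, SAML2Constants.HTTP_POST };
        LogUtil.error(Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    ManageNameIDRequest mniRequest = decodePOSTRequest(samlRequest, request, response);
    if (mniRequest == null) {
        // The decoder or DOM parser produced nothing without raising an error.
        // Behaviour preserved from the original: return without writing a response.
        // NOTE(review): confirm whether an error page is expected here instead.
        if (debug.messageEnabled()) {
            debug.message(classMethod + " no ManageNameIDRequest could be decoded");
        }
        return;
    }
    // Issuer may be absent from an inbound request; guard so it is rejected through
    // the normal error path rather than surfacing as a NullPointerException.
    String remoteEntityID = (mniRequest.getIssuer() == null) ? null : mniRequest.getIssuer().getValue();
    if (remoteEntityID == null) {
        logError("nullRemoteEntityID", LogUtil.MISSING_ENTITY, metaAlias);
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullRemoteEntityID"));
    }
    if (debug.messageEnabled()) {
        debug.message("DoManageNameID.processPOSTRequest: " + "Meta Alias is : " + metaAlias);
        debug.message("DoManageNameID.processPOSTRequest: " + "Host EntityID is : " + hostEntityID);
        debug.message("DoManageNameID.processPOSTRequest: " + "Remote EntityID is : " + remoteEntityID);
    }
    // Signature / destination verification happens before any state is touched.
    String dest = mniRequest.getDestination();
    boolean valid = verifyMNIRequest(mniRequest, realm, remoteEntityID, hostEntityID, hostEntityRole, dest);
    if (!valid) {
        logError("invalidSignInRequest", LogUtil.MNI_REQUEST_INVALID_SIGNATURE, metaAlias);
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignInRequest"));
    }
    // NOTE(review): getMNIServiceElement is assumed to return non-null (or throw) when
    // the remote entity publishes no POST MNI endpoint — confirm against its contract.
    ManageNameIDServiceElement mniService = getMNIServiceElement(realm, remoteEntityID, hostEntityRole, SAML2Constants.HTTP_POST);
    String mniURL = mniService.getResponseLocation();
    if (mniURL == null) {
        mniURL = mniService.getLocation();
    }
    // Common processing for POST, redirect and SOAP bindings.
    ManageNameIDResponse mniResponse = processManageNameIDRequest(mniRequest, metaAlias, remoteEntityID, paramsMap, null, SAML2Constants.HTTP_POST, request, response);
    signMNIResponse(mniResponse, realm, hostEntityID, hostEntityRole, remoteEntityID);
    // Send the MNI response by POST.
    String mniRespString = mniResponse.toXMLString(true, true);
    String encMsg = SAML2Utils.encodeForPOST(mniRespString);
    String relayState = request.getParameter(SAML2Constants.RELAY_STATE);
    try {
        SAML2Utils.postToTarget(request, response, "SAMLResponse", encMsg, "RelayState", relayState, mniURL);
    } catch (Exception e) {
        // Logged at error level: previously this failure was only visible with debug enabled.
        debug.error(classMethod, e);
        throw new SAML2Exception("Error posting to target");
    }
}

/**
 * Decodes the base64 {@code SAMLRequest} form value into a ManageNameIDRequest.
 * A SAML2 parse failure is reported to the client as 400, any other failure as
 * 500; in both cases a SAML2Exception is then thrown.
 *
 * @param samlRequest the raw {@code SAMLRequest} form parameter value
 * @param request     servlet request, needed by the error page helper
 * @param response    servlet response the error page is written to
 * @return the parsed request, or {@code null} when the decoder or the DOM parser
 *         returned nothing without raising an error
 * @throws SAML2Exception   if decoding or parsing fails
 * @throws IOException      on servlet I/O failure while sending the error page
 * @throws ServletException on servlet failure while sending the error page
 */
private static ManageNameIDRequest decodePOSTRequest(String samlRequest, HttpServletRequest request, HttpServletResponse response) throws SAML2Exception, IOException, ServletException {
    String classMethod = "DoManageNameID.processPOSTRequest:";
    ManageNameIDRequest mniRequest = null;
    ByteArrayInputStream bis = null;
    try {
        // Project Base64 decoder; the null check below shows it can yield null on bad input.
        byte[] raw = Base64.decode(samlRequest);
        if (raw != null) {
            bis = new ByteArrayInputStream(raw);
            Document doc = XMLUtils.toDOMDocument(bis, SAML2Utils.debug);
            if (doc != null) {
                mniRequest = ProtocolFactory.getInstance().createManageNameIDRequest(doc.getDocumentElement());
            }
        }
    } catch (SAML2Exception se) {
        debug.error(classMethod, se);
        // NOTE(review): the exception message is echoed to the client; confirm it
        // carries nothing more than a parse diagnostic.
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST, "nullDecodedStrFromSamlResponse", SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse") + " " + se.getMessage());
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse"));
    } catch (Exception e) {
        debug.error(classMethod, e);
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "nullDecodedStrFromSamlResponse", SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse") + " " + e.getMessage());
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse"));
    } finally {
        if (bis != null) {
            try {
                bis.close();
            } catch (Exception ie) {
                // Closing an in-memory stream cannot fail meaningfully; log and move on.
                if (debug.messageEnabled()) {
                    debug.message(classMethod, ie);
                }
            }
        }
    }
    return mniRequest;
}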

Example 2 with ManageNameIDRequest

use of com.sun.identity.saml2.protocol.ManageNameIDRequest in project OpenAM by OpenRock.

the class DoManageNameID method setNameIDForMNIRequest.

/**
 * Populates an outgoing ManageNameIDRequest with the subject NameID and, when
 * {@code changeID} is set, a freshly generated NewID. If the remote entity's
 * metadata asks for encrypted NameIDs, encrypted copies of both are attached as
 * well.
 *
 * @param mniRequest     request being populated (mutated in place)
 * @param nameID         the federated NameID to send
 * @param changeID       whether to ask the peer to adopt a new identifier
 * @param realm          realm of the hosted entity
 * @param hostEntity     hosted entity ID (only reported in debug output here)
 * @param hostEntityRole role of the hosted entity, IDP or SP
 * @param remoteEntity   entity ID of the peer the request is addressed to
 * @throws SAML2Exception if encryption is required but no encryption key info can
 *                        be found in the peer's metadata, or encryption fails
 */
private static void setNameIDForMNIRequest(ManageNameIDRequest mniRequest, NameID nameID, boolean changeID, String realm, String hostEntity, String hostEntityRole, String remoteEntity) throws SAML2Exception {
    String method = "DoManageNameID.setNameIDForMNIRequest: ";
    // The peer plays the opposite role; its metadata carries the WantNameIDEncrypted flag.
    boolean hostIsIDP = hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE);
    String peerRole = hostIsIDP ? SAML2Constants.SP_ROLE : SAML2Constants.IDP_ROLE;
    boolean wantEncrypted = SAML2Utils.getWantNameIDEncrypted(realm, remoteEntity, peerRole);

    NewID newID = null;
    if (changeID) {
        newID = ProtocolFactory.getInstance().createNewID(SAML2Utils.createNameIdentifier());
        mniRequest.setNewID(newID);
    }
    mniRequest.setNameID(nameID);

    if (!wantEncrypted) {
        if (debug.messageEnabled()) {
            debug.message(method + "NamID doesn't need to be encrypted.");
        }
        return;
    }

    // Encryption key material comes from the peer's role descriptor.
    EncInfo encInfo;
    if (hostIsIDP) {
        SPSSODescriptorElement peerDescriptor = metaManager.getSPSSODescriptor(realm, remoteEntity);
        encInfo = KeyUtil.getEncInfo(peerDescriptor, remoteEntity, SAML2Constants.SP_ROLE);
    } else {
        IDPSSODescriptorElement peerDescriptor = metaManager.getIDPSSODescriptor(realm, remoteEntity);
        encInfo = KeyUtil.getEncInfo(peerDescriptor, remoteEntity, SAML2Constants.IDP_ROLE);
    }
    if (debug.messageEnabled()) {
        debug.message(method + "realm is : " + realm);
        debug.message(method + "hostEntity is : " + hostEntity);
        debug.message(method + "Host Entity role is : " + hostEntityRole);
        debug.message(method + "remoteEntity is : " + remoteEntity);
    }
    if (encInfo == null) {
        logError("UnableToFindEncryptKeyInfo", LogUtil.METADATA_ERROR, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("UnableToFindEncryptKeyInfo"));
    }

    // The plaintext NameID set above stays on the request for now; per the original
    // comment it is stripped after saveMNIRequestInfo, just before sending (outside
    // this method).
    EncryptedID encryptedID = nameID.encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), remoteEntity);
    mniRequest.setEncryptedID(encryptedID);
    if (newID != null) {
        // Same treatment for the plaintext NewID: kept until saveMNIRequestInfo has run.
        NewEncryptedID newEncryptedID = newID.encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), remoteEntity);
        mniRequest.setNewEncryptedID(newEncryptedID);
    }
}

Example 3 with ManageNameIDRequest

use of com.sun.identity.saml2.protocol.ManageNameIDRequest in project OpenAM by OpenRock.

the class DoManageNameID method signMNIRequest.

/**
 * Signs an outgoing ManageNameIDRequest when the remote entity's metadata
 * requires signed MNI requests; otherwise the request is left untouched.
 *
 * @param mniRequest     request to sign (mutated in place)
 * @param realm          realm of the hosted entity
 * @param hostEntity     hosted entity ID whose signing key is used
 * @param hostEntityRole role of the hosted entity, IDP or SP
 * @param remoteEntity   entity ID of the peer; its metadata decides whether
 *                       signing is wanted
 * @param includeCert    whether to embed the signing certificate in the signature
 * @throws SAML2Exception if signing is required but no private key exists for the
 *                        configured alias, or if signing itself fails
 */
private static void signMNIRequest(ManageNameIDRequest mniRequest, String realm, String hostEntity, String hostEntityRole, String remoteEntity, boolean includeCert) throws SAML2Exception {
    String method = "signMNIRequest : ";
    // The peer's role is the opposite of ours; its metadata carries WantMNIRequestSigned.
    String peerRole = hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE) ? SAML2Constants.SP_ROLE : SAML2Constants.IDP_ROLE;
    if (!SAML2Utils.getWantMNIRequestSigned(realm, remoteEntity, peerRole)) {
        if (debug.messageEnabled()) {
            debug.message(method + "MNIRequest doesn't need to be signed.");
        }
        return;
    }

    String alias = SAML2Utils.getSigningCertAlias(realm, hostEntity, hostEntityRole);
    if (debug.messageEnabled()) {
        debug.message(method + "realm is : " + realm);
        debug.message(method + "hostEntity is : " + hostEntity);
        debug.message(method + "Host Entity role is : " + hostEntityRole);
        debug.message(method + "remoteEntity is : " + remoteEntity);
        debug.message(method + "Cert Alias is : " + alias);
        debug.message(method + "MNI Request before sign : " + mniRequest.toXMLString(true, true));
    }

    PrivateKey signingKey = keyProvider.getPrivateKey(alias);
    // The certificate is only looked up (and embedded) when the caller asks for it.
    X509Certificate signingCert = includeCert ? keyProvider.getX509Certificate(alias) : null;
    if (signingKey == null) {
        logError("missingSigningCertAlias", LogUtil.METADATA_ERROR, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
    }
    mniRequest.sign(signingKey, signingCert);

    if (debug.messageEnabled()) {
        debug.message(method + "MNI Request after sign : " + mniRequest.toXMLString(true, true));
    }
}

Example 4 with ManageNameIDRequest

use of com.sun.identity.saml2.protocol.ManageNameIDRequest in project OpenAM by OpenRock.

the class DoManageNameID method getNameIDFromMNIRequest.

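/**
 * Extracts the subject NameID from an inbound ManageNameIDRequest.
 * <p>
 * When the hosted entity is configured to want encrypted NameIDs, the request's
 * EncryptedID is decrypted with the hosted entity's decryption keys; otherwise the
 * plaintext NameID is returned as-is.
 *
 * @param request        the inbound request
 * @param realm          realm of the hosted entity
 * @param hostEntity     hosted entity ID
 * @param hostEntityRole role of the hosted entity, IDP or SP
 * @return the plaintext NameID, or the decrypted one when encryption is required
 *         (may be {@code null} if the request carries no plaintext NameID and
 *         encryption is not required)
 * @throws SAML2Exception if encryption is required but the request carries no
 *                        EncryptedID, or if decryption fails
 */
private static NameID getNameIDFromMNIRequest(ManageNameIDRequest request, String realm, String hostEntity, String hostEntityRole) throws SAML2Exception {
    String method = "DoManageNameID.getNameIDFromMNIRequest: ";
    // The hosted entity's own configuration decides whether an EncryptedID is expected.
    boolean needDecryptIt = SAML2Utils.getWantNameIDEncrypted(realm, hostEntity, hostEntityRole);
    if (!needDecryptIt) {
        if (debug.messageEnabled()) {
            debug.message(method + "NamID doesn't need to be decrypted.");
        }
        return request.getNameID();
    }
    if (debug.messageEnabled()) {
        debug.message(method + "realm is : " + realm);
        debug.message(method + "hostEntity is : " + hostEntity);
        debug.message(method + "Host Entity role is : " + hostEntityRole);
    }
    EncryptedID encryptedID = request.getEncryptedID();
    if (encryptedID == null) {
        // Encryption is required but the peer sent no EncryptedID (plaintext NameID or
        // none at all). Fail explicitly instead of a NullPointerException, and do not
        // fall back to the plaintext NameID: that would silently bypass the configured
        // encryption requirement.
        debug.error(method + "EncryptedID is missing but NameID encryption is required for " + hostEntity);
        throw new SAML2Exception("Missing EncryptedID in ManageNameIDRequest");
    }
    return encryptedID.decrypt(KeyUtil.getDecryptionKeys(realm, hostEntity, hostEntityRole));
}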

Example 5 with ManageNameIDRequest

use of com.sun.identity.saml2.protocol.ManageNameIDRequest in project OpenAM by OpenRock.

the class DoManageNameID method processManageNameIDRequest.

/**
 * Applies a ManageNameIDRequest to the local federation state of {@code userID}
 * and builds the SAML Status to report back to the peer.
 * <p>
 * As written, the flow is: resolve the (possibly encrypted) NameID from the
 * request, look up the existing federation record, drop the cached federated
 * sessions and the account federation, then either stop there (Terminate) or
 * register a replacement NameID that incorporates the peer-supplied NewID.
 * Note that the old federation is removed before the NewID branch validates its
 * input.
 *
 * @param mniRequest     the inbound request; NOTE(review): presumed already
 *                       signature-verified by the caller — confirm
 * @param realm          realm of the hosted entity
 * @param hostEntityID   hosted entity ID
 * @param remoteEntityID entity ID of the requesting peer
 * @param hostRole       role of the hosted entity, IDP or SP
 * @param userID         local user whose federation is being managed
 * @return SUCCESS on termination or NameID replacement; REQUESTER with
 *         UNKNOWN_PRINCIPAL when no federation record exists; RESPONDER when the
 *         existing federation could not be removed
 * @throws Exception on any failure from NameID decryption, metadata lookup or
 *                   account updates
 */
private static Status processManageNameIDRequest(ManageNameIDRequest mniRequest, String realm, String hostEntityID, String remoteEntityID, String hostRole, String userID) throws Exception {
    String method = "processManageNameIDRequest: ";
    if (debug.messageEnabled()) {
        debug.message(method + "Host EntityID is : " + hostEntityID);
        debug.message(method + "Host role is : " + hostRole);
        debug.message(method + "Realm  is : " + realm);
    }
    // Decrypts the NameID when the hosted entity requires encrypted NameIDs.
    NameID nameID = getNameIDFromMNIRequest(mniRequest, realm, hostEntityID, hostRole);
    // Existing federation record, keyed in part by the request's SPNameQualifier.
    // NOTE(review): meaning of the trailing boolean argument is not visible here.
    NameIDInfo oldNameIDInfo = getNameIDInfo(userID, hostEntityID, remoteEntityID, hostRole, realm, nameID.getSPNameQualifier(), true);
    NameID oldNameID = null;
    if (oldNameIDInfo != null) {
        oldNameID = oldNameIDInfo.getNameID();
    }
    if (oldNameID == null) {
        // No federation exists for this user/peer pair: log manage name id failure.
        logError("unknownPrinciapl", LogUtil.UNKNOWN_PRINCIPAL, mniRequest.toXMLString(true, true));
        return SAML2Utils.generateStatus(SAML2Constants.REQUESTER, SAML2Constants.UNKNOWN_PRINCIPAL, null);
    }
    List spFedSessions = null;
    IDPSession idpSession = null;
    // Terminate: drop cached federated sessions for the old NameID. This happens for
    // NewID requests too; the SP-side list is re-inserted under the new key below.
    if (hostRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
        idpSession = removeIDPFedSession(remoteEntityID, oldNameID.getValue());
    } else {
        spFedSessions = (List) SPCache.fedSessionListsByNameIDInfoKey.remove(oldNameIDInfo.getNameIDInfoKey().toValueString());
        // Keeps the monitoring counter in sync with the cache size (presumably JMX-style monitoring).
        if ((agent != null) && agent.isRunning() && (saml2Svc != null)) {
            saml2Svc.setFedSessionCount((long) SPCache.fedSessionListsByNameIDInfoKey.size());
        }
    }
    // The persisted account federation is removed unconditionally; the NewID path
    // re-creates it further down with the replacement NameID.
    if (!AccountUtils.removeAccountFederation(oldNameIDInfo, userID)) {
        // log termination failure
        logError("unableToTerminate", LogUtil.UNABLE_TO_TERMINATE, userID);
        return SAML2Utils.generateStatus(SAML2Constants.RESPONDER, SAML2Utils.bundle.getString("unableToTerminate"));
    }
    if (mniRequest.getTerminate()) {
        // log termination success
        logAccess("requestSuccess", LogUtil.SUCCESS_FED_TERMINATION, userID);
        return SAML2Utils.generateStatus(SAML2Constants.SUCCESS, SAML2Utils.bundle.getString("requestSuccess"));
    }
    // newID case
    // NOTE(review): if the request carries neither Terminate nor a NewID, newID may be
    // null here and newID.getValue() below would throw after the old federation has
    // already been removed — confirm getNewIDFromMNIRequest's contract.
    NewID newID = getNewIDFromMNIRequest(mniRequest, realm, hostEntityID, hostRole);
    boolean isAffiliation = oldNameIDInfo.isAffiliation();
    String spNameQualifier = oldNameID.getSPNameQualifier();
    if (hostRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
        // IDP side: keep our own NameID value and record the peer's new identifier
        // as the SPProvidedID.
        NameID newNameID = AssertionFactory.getInstance().createNameID();
        newNameID.setValue(oldNameID.getValue());
        newNameID.setNameQualifier(oldNameID.getNameQualifier());
        newNameID.setSPNameQualifier(spNameQualifier);
        newNameID.setFormat(oldNameID.getFormat());
        newNameID.setSPProvidedID(newID.getValue());
        // For affiliations the record is keyed by the SPNameQualifier rather than the peer.
        NameIDInfo newNameIDinfo = new NameIDInfo(hostEntityID, (isAffiliation ? spNameQualifier : remoteEntityID), newNameID, SAML2Constants.IDP_ROLE, isAffiliation);
        AccountUtils.setAccountFederation(newNameIDinfo, userID);
        if (idpSession != null) {
            // There is an active session using this Name id: attach the new pair to it.
            NameIDandSPpair pair = new NameIDandSPpair(newNameID, remoteEntityID);
            synchronized (IDPCache.idpSessionsByIndices) {
                List list = (List) idpSession.getNameIDandSPpairs();
                list.add(pair);
            }
        }
        // log new name id success
        logAccess("requestSuccess", LogUtil.SUCCESS_NEW_NAMEID, userID);
        return SAML2Utils.generateStatus(SAML2Constants.SUCCESS, SAML2Utils.bundle.getString("requestSuccess"));
    }
    // SP ROLE: adopt the peer's new identifier as the NameID value itself.
    NameID newNameID = AssertionFactory.getInstance().createNameID();
    newNameID.setValue(newID.getValue());
    newNameID.setNameQualifier(oldNameID.getNameQualifier());
    newNameID.setSPProvidedID(oldNameID.getSPProvidedID());
    newNameID.setSPNameQualifier(spNameQualifier);
    newNameID.setFormat(oldNameID.getFormat());
    NameIDInfo newNameIDInfo = new NameIDInfo((isAffiliation ? spNameQualifier : hostEntityID), remoteEntityID, newNameID, hostRole, isAffiliation);
    AccountUtils.setAccountFederation(newNameIDInfo, userID);
    if (spFedSessions != null) {
        // Re-key the cached federated sessions and update the info-key property
        // stored on each user session so later lookups find the new NameID.
        String newInfoKeyStr = newNameIDInfo.getNameIDInfoKey().toValueString();
        String infoKeyAttribute = AccountUtils.getNameIDInfoKeyAttribute();
        synchronized (spFedSessions) {
            for (Iterator iter = spFedSessions.iterator(); iter.hasNext(); ) {
                SPFedSession spFedSession = (SPFedSession) iter.next();
                spFedSession.info = newNameIDInfo;
                String tokenID = spFedSession.spTokenID;
                try {
                    Object session = sessionProvider.getSession(tokenID);
                    String[] fromToken = sessionProvider.getProperty(session, infoKeyAttribute);
                    if ((fromToken == null) || (fromToken.length == 0) || (fromToken[0] == null) || (fromToken[0].length() == 0)) {
                        String[] values = { newInfoKeyStr };
                        sessionProvider.setProperty(session, infoKeyAttribute, values);
                    } else {
                        // Append with SECOND_DELIM unless the key is already present.
                        // NOTE(review): indexOf is a substring test, not a delimited-entry test.
                        if (fromToken[0].indexOf(newInfoKeyStr) == -1) {
                            String[] values = { fromToken[0] + SAML2Constants.SECOND_DELIM + newInfoKeyStr };
                            sessionProvider.setProperty(session, infoKeyAttribute, values);
                        }
                    }
                } catch (SessionException ex) {
                    // A stale or missing session is logged and skipped; the rest are still updated.
                    debug.error("DoManageNameID." + "processManageNameIDRequest:", ex);
                }
            }
        }
        SPCache.fedSessionListsByNameIDInfoKey.put(newInfoKeyStr, spFedSessions);
        if ((agent != null) && agent.isRunning() && (saml2Svc != null)) {
            saml2Svc.setFedSessionCount((long) SPCache.fedSessionListsByNameIDInfoKey.size());
        }
    }
    // log new name id success
    logAccess("requestSuccess", LogUtil.SUCCESS_NEW_NAMEID, userID);
    return SAML2Utils.generateStatus(SAML2Constants.SUCCESS, SAML2Utils.bundle.getString("requestSuccess"));
}
