use of com.sun.identity.saml2.protocol.ManageNameIDRequest in project OpenAM by OpenRock.
the class DoManageNameID method verifyMNIRequest.
/**
 * Checks the signature on an inbound ManageNameIDRequest when the hosted
 * provider's configuration says MNI requests must be signed.
 *
 * <p>If signing is not required for the hosted entity the request is accepted
 * without looking at any signature. Otherwise the remote provider's signing
 * certificates are taken from its SP or IDP descriptor (the opposite role of
 * the hosted entity) and the request's signature is validated against them.
 *
 * <p>NOTE(review): the {@code destination} argument is not used in this
 * method. The request's SAML Destination attribute is presumably compared to
 * the receiving endpoint by the caller — confirm, because a request accepted
 * at an endpoint it was not addressed to can be replayed across endpoints.
 *
 * @param mniRequest     the received ManageNameIDRequest
 * @param realm          realm of the hosted entity
 * @param remoteEntity   entity ID of the provider that issued the request
 * @param hostEntity     entity ID of the hosted provider
 * @param hostEntityRole role of the hosted provider (IDP or SP)
 * @param destination    endpoint the request arrived at (not used here)
 * @return {@code true} if no signature check is required or the signature
 *         verified; {@code false} if verification failed
 * @throws SAML2Exception if a signature is required but the remote provider's
 *         metadata yields no verification certificate
 */
private static boolean verifyMNIRequest(ManageNameIDRequest mniRequest, String realm, String remoteEntity, String hostEntity, String hostEntityRole, String destination) throws SAML2Exception {
    final String logPrefix = "verifyMNIRequest : ";
    if (debug.messageEnabled()) {
        debug.message(logPrefix + "realm is : " + realm);
        debug.message(logPrefix + "remoteEntity is : " + remoteEntity);
        debug.message(logPrefix + "Host Entity role is : " + hostEntityRole);
    }

    // Whether a signature is required is the hosted entity's own setting.
    if (!SAML2Utils.getWantMNIRequestSigned(realm, hostEntity, hostEntityRole)) {
        if (debug.messageEnabled()) {
            debug.message(logPrefix + "MNIRequest doesn't need to be verified.");
        }
        return true;
    }

    // The remote provider plays the opposite role to the hosted one, so its
    // verification certificates come from the matching descriptor.
    final boolean hostIsIdp = hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE);
    final Set<X509Certificate> verificationCerts;
    if (hostIsIdp) {
        SPSSODescriptorElement remoteSp = metaManager.getSPSSODescriptor(realm, remoteEntity);
        verificationCerts = KeyUtil.getVerificationCerts(remoteSp, remoteEntity, SAML2Constants.SP_ROLE);
    } else {
        IDPSSODescriptorElement remoteIdp = metaManager.getIDPSSODescriptor(realm, remoteEntity);
        verificationCerts = KeyUtil.getVerificationCerts(remoteIdp, remoteEntity, SAML2Constants.IDP_ROLE);
    }

    // A required signature with nothing to verify it against is a hard error,
    // never a silent pass.
    if (verificationCerts.isEmpty()) {
        logError("missingSigningCertAlias.", LogUtil.METADATA_ERROR, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
    }

    // Presumably false for an unsigned request as well as for a bad
    // signature — confirm against ManageNameIDRequest.isSignatureValid.
    final boolean signatureOk = mniRequest.isSignatureValid(verificationCerts);
    if (debug.messageEnabled()) {
        debug.message(logPrefix + "Signature is : " + signatureOk);
    }
    return signatureOk;
}
use of com.sun.identity.saml2.protocol.ManageNameIDRequest in project OpenAM by OpenRock.
the class DoManageNameID method processManageNameIDRequest.
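/**
 * Builds the ManageNameIDResponse for an inbound ManageNameIDRequest.
 *
 * <p>The request's Issuer is verified against the hosted entity's
 * configuration, the subject is mapped to a local user through the IDP or SP
 * account mapper (by hosted role), and the actual name-identifier change or
 * termination is delegated to the six-argument
 * {@code processManageNameIDRequest} overload. Any exception on that path is
 * turned into a RESPONDER status rather than propagated; a subject that maps to
 * no user yields REQUESTER/UNKNOWN_PRINCIPAL.
 *
 * <p>This method does not check the request's signature; the caller is
 * expected to have done so where required (see {@code verifyMNIRequest}).
 *
 * @param mniRequest     the received request
 * @param metaAlias      meta alias of the hosted provider
 * @param remoteEntityID entity ID of the requesting provider
 * @param paramsMap      request parameters; the hosted role is read from it
 * @param destination    value for the response's Destination attribute when
 *                       non-empty (escaped before use)
 * @param binding        binding the response will be sent with
 * @param request        servlet request
 * @param response       servlet response
 * @return the response to send back; {@code null} only if the response
 *         factory itself failed
 */
private static ManageNameIDResponse processManageNameIDRequest(ManageNameIDRequest mniRequest, String metaAlias, String remoteEntityID, Map paramsMap, String destination, String binding, HttpServletRequest request, HttpServletResponse response) {
    String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
    String hostEntityID = null;
    String hostRole = null;
    Status status = null;
    String userID = null;
    try {
        hostEntityID = metaManager.getEntityByMetaAlias(metaAlias);
        hostRole = SAML2Utils.getHostEntityRole(paramsMap);
        // Reject a request whose Issuer is not a configured remote entity
        // before any user mapping is attempted.
        SAML2Utils.verifyRequestIssuer(realm, hostEntityID, mniRequest.getIssuer(), mniRequest.getID());
        if (hostRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
            IDPAccountMapper idpAcctMapper = SAML2Utils.getIDPAccountMapper(realm, hostEntityID);
            userID = idpAcctMapper.getIdentity(mniRequest, hostEntityID, realm);
        } else if (hostRole.equalsIgnoreCase(SAML2Constants.SP_ROLE)) {
            SPAccountMapper spAcctMapper = SAML2Utils.getSPAccountMapper(realm, hostEntityID);
            userID = spAcctMapper.getIdentity(mniRequest, hostEntityID, realm);
        }
        if (userID == null) {
            status = SAML2Utils.generateStatus(SAML2Constants.REQUESTER, SAML2Constants.UNKNOWN_PRINCIPAL, null);
        } else {
            status = processManageNameIDRequest(mniRequest, realm, hostEntityID, remoteEntityID, hostRole, userID);
        }
    } catch (Exception e) {
        // Was logged at debug level only, so a failed issuer check or mapper
        // error left no trace in production logs; record it as an error.
        debug.error("DoManageNameID.processManageNameIDRequest:", e);
        // NOTE(review): e.toString() (exception class name and message) is
        // sent to the remote provider in the StatusMessage. A fixed message
        // would avoid disclosing internal details; kept as-is here to preserve
        // the wire behaviour.
        status = SAML2Utils.generateStatus(SAML2Constants.RESPONDER, e.toString());
    }

    ManageNameIDResponse mniResponse = null;
    try {
        String responseID = SAML2Utils.generateID();
        if (responseID == null) {
            // Only logged; the response is still built with a null ID.
            debug.error(SAML2Utils.bundle.getString("failedToGenResponseID"));
        }
        mniResponse = pf.createManageNameIDResponse();
        mniResponse.setStatus(status);
        mniResponse.setID(responseID);
        mniResponse.setInResponseTo(mniRequest.getID());
        mniResponse.setVersion(SAML2Constants.VERSION_2_0);
        mniResponse.setIssueInstant(new Date());
        mniResponse.setIssuer(SAML2Utils.createIssuer(hostEntityID));
        if (destination != null && (destination.length() != 0)) {
            mniResponse.setDestination(XMLUtils.escapeSpecialCharacters(destination));
        }
    } catch (SAML2Exception e) {
        debug.error("Error : ", e);
    }

    // hostRole is still null if getEntityByMetaAlias/getHostEntityRole threw
    // above, and mniResponse is null if the factory threw. Both were
    // dereferenced unconditionally before, turning an error status into an
    // NPE instead of a returned response.
    if (mniResponse != null && SAML2Constants.SP_ROLE.equalsIgnoreCase(hostRole)) {
        Status respStatus = mniResponse.getStatus();
        boolean succeeded = respStatus != null && respStatus.getStatusCode() != null
                && SAML2Constants.SUCCESS.equals(respStatus.getStatusCode().getValue());
        if (succeeded) {
            // invoke SPAdapter for post termination success
            postTerminationSuccess(hostEntityID, realm, request, response, userID, mniRequest, mniResponse, binding);
        }
    }
    return mniResponse;
}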
use of com.sun.identity.saml2.protocol.ManageNameIDRequest in project OpenAM by OpenRock.
the class DoManageNameID method saveMNIRequestInfo.
/**
 * Records an outgoing ManageNameIDRequest in the SP or IDP MNI request cache,
 * keyed by the request's ID, so it can be correlated with the response later.
 *
 * <p>When the request carries an EncryptedID, the copy placed in the cache is
 * built from the request's XML with the encrypted forms stripped (so it keeps
 * the plaintext NameID/NewID), while the original request object is left with
 * only the encrypted forms. Note that {@code mniRequest} is mutated in place
 * during this step.
 *
 * @param request        servlet request
 * @param response       servlet response
 * @param paramsMap      request parameters; the session is added under
 *                       {@code SAML2Constants.SESSION}
 * @param mniRequest     the request being sent; mutated when it has an
 *                       EncryptedID (see above)
 * @param relayState     RelayState to remember for the response
 * @param hostEntityRole role of the hosted provider, selects the cache
 * @param session        the user's session object
 * @throws SAML2Exception if the request copy cannot be re-parsed from XML
 */
private static void saveMNIRequestInfo(HttpServletRequest request, HttpServletResponse response, Map paramsMap, ManageNameIDRequest mniRequest, String relayState, String hostEntityRole, Object session) throws SAML2Exception {
String method = "saveMNIRequestInfo: ";
if (debug.messageEnabled()) {
debug.message(method + "hostEntityRole : " + hostEntityRole);
}
ManageNameIDRequest reqForSave = mniRequest;
// Plaintext NameID is captured before any of the mutation below.
NameID nameID = mniRequest.getNameID();
EncryptedID encryptedID = mniRequest.getEncryptedID();
if (encryptedID != null) {
NewEncryptedID newEncryptedID = mniRequest.getNewEncryptedID();
// Drop the encrypted forms so the XML snapshot holds the plaintext ids.
mniRequest.setEncryptedID(null);
mniRequest.setNewEncryptedID(null);
reqForSave = (ManageNameIDRequest) pf.createManageNameIDRequest(mniRequest.toXMLString(true, true));
// The outgoing request keeps only the encrypted forms; the plaintext
// NameID/NewID live in the cached copy.
mniRequest.setNameID(null);
mniRequest.setNewID(null);
mniRequest.setEncryptedID(encryptedID);
mniRequest.setNewEncryptedID(newEncryptedID);
}
paramsMap.put(SAML2Constants.SESSION, session);
ManageNameIDRequestInfo reqInfo = new ManageNameIDRequestInfo(request, response, reqForSave, relayState, paramsMap, session);
reqInfo.setNameID(nameID);
// Cache entry is keyed by the locally generated request ID; presumably
// looked up via the response's InResponseTo — confirm in the response path.
if (hostEntityRole.equalsIgnoreCase(SAML2Constants.SP_ROLE)) {
SPCache.mniRequestHash.put(mniRequest.getID(), reqInfo);
} else {
IDPCache.mniRequestHash.put(mniRequest.getID(), reqInfo);
}
}
use of com.sun.identity.saml2.protocol.ManageNameIDRequest in project OpenAM by OpenRock.
the class ManageNameIDRequestImpl method parseElement.
/**
 * Populates this request from a {@code ManageNameIDRequest} DOM element.
 *
 * <p>The root element's local name must equal {@code elementName}. Its ID,
 * Version and IssueInstant attributes are validated by the corresponding
 * {@code validate*} helpers (which throw on failure), Destination and Consent
 * are copied as-is, and each recognised direct child — Issuer, Signature,
 * Extensions, NameID, EncryptedID, NewID, NewEncryptedID, Terminate — is parsed
 * into its field. Unrecognised children are ignored.
 *
 * <p>NOTE(review): the root and its children are matched on local name only,
 * never on namespace, and a repeated child silently overwrites the earlier
 * value (last one wins). Any rejection of duplicate or foreign-namespace
 * elements must therefore happen elsewhere — confirm it does for signed
 * requests, where the Signature child found here is what gets verified.
 *
 * @param element the DOM element to parse
 * @throws SAML2Exception if the element is null, has the wrong local name, or
 *         one of the attribute validations fails
 */
private void parseElement(Element element) throws SAML2Exception {
    AssertionFactory assertionFactory = AssertionFactory.getInstance();
    ProtocolFactory protocolFactory = ProtocolFactory.getInstance();

    if (element == null) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("ManageNameIDRequestImpl.parseElement: " + "Input is null.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
    }

    // Root must be a ManageNameIDRequest (local-name check only).
    String rootName = element.getLocalName();
    if (rootName == null || !rootName.equals(elementName)) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("ManageNameIDRequestImpl.parseElement:" + "not ManageNameIDRequest.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("wrongInput"));
    }

    // Mandatory attributes are validated as they are read.
    requestId = element.getAttribute("ID");
    validateID(requestId);
    version = element.getAttribute(SAML2Constants.VERSION);
    validateVersion(version);
    validateIssueInstant(element.getAttribute("IssueInstant"));
    destinationURI = element.getAttribute("Destination");
    consent = element.getAttribute("Consent");

    NodeList children = element.getChildNodes();
    if (children == null) {
        return;
    }
    for (int idx = 0, count = children.getLength(); idx < count; idx++) {
        Node child = children.item(idx);
        String localName = child.getLocalName();
        if (localName == null) {
            continue; // text, comment and similar non-element nodes
        }
        if (localName.equals("Issuer")) {
            // Field is named nameID in this class but holds the Issuer.
            nameID = assertionFactory.createIssuer((Element) child);
        } else if (localName.equals("Signature")) {
            signatureString = XMLUtils.getElementString((Element) child);
            isSigned = true;
        } else if (localName.equals("Extensions")) {
            extensions = protocolFactory.createExtensions((Element) child);
        } else if (localName.equals("NameID")) {
            nameid = assertionFactory.createNameID((Element) child);
        } else if (localName.equals("EncryptedID")) {
            encryptedID = assertionFactory.createEncryptedID((Element) child);
        } else if (localName.equals("NewID")) {
            newID = protocolFactory.createNewID((Element) child);
        } else if (localName.equals("NewEncryptedID")) {
            newEncryptedID = protocolFactory.createNewEncryptedID((Element) child);
        } else if (localName.equals("Terminate")) {
            terminate = true;
        }
    }
}
use of com.sun.identity.saml2.protocol.ManageNameIDRequest in project OpenAM by OpenRock.
the class DefaultAccountMapper method getIdentity.
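/**
 * Returns the user's distinguished name or the universal ID for the
 * corresponding <code>SAML</code> <code>ManageNameIDRequest</code>.
 * This method will be invoked by the <code>SAML</code> framework for
 * retrieving the user identity while processing the
 * <code>ManageNameIDRequest</code>.
 *
 * <p>The subject is taken from the request's <code>EncryptedID</code>
 * (decrypted with the hosted entity's decryption keys) when present, otherwise
 * from its plain <code>NameID</code>. The name identifier, the hosted entity,
 * the request's Issuer and this mapper's role are turned into a key map and
 * looked up in the data store.
 *
 * @param manageNameIDRequest <code>SAML</code>
 *        <code>ManageNameIDRequest</code> that needs to be mapped to the user.
 * @param hostEntityID <code>EntityID</code> of the hosted provider.
 * @param realm realm or the organization name that may be used to find
 *        the user information.
 * @return user's distinguished name or the universal ID.
 * @exception SAML2Exception if an argument is null, the hosted entity's SAML
 *        configuration (and so its decryption keys) cannot be read, or the
 *        data store lookup fails.
 */
public String getIdentity(ManageNameIDRequest manageNameIDRequest, String hostEntityID, String realm) throws SAML2Exception {
    if (manageNameIDRequest == null) {
        throw new SAML2Exception(bundle.getString("nullManageIDRequest"));
    }
    if (hostEntityID == null) {
        throw new SAML2Exception(bundle.getString("nullHostEntityID"));
    }
    if (realm == null) {
        throw new SAML2Exception(bundle.getString("nullRealm"));
    }
    NameID nameID = null;
    EncryptedID encryptedID = manageNameIDRequest.getEncryptedID();
    if (encryptedID != null) {
        try {
            final Set<PrivateKey> decryptionKeys = KeyUtil.getDecryptionKeys(getSSOConfig(realm, hostEntityID));
            nameID = encryptedID.decrypt(decryptionKeys);
        } catch (SAML2MetaException sme) {
            // Previously only logged, after which the lookup below ran with a
            // null nameID. An unreadable entity config must fail the mapping
            // outright, as the method contract promises.
            debug.error("Unable to retrieve SAML entity config for entity: " + hostEntityID, sme);
            throw new SAML2Exception(sme.getMessage());
        }
    } else {
        // NOTE(review): a request with neither EncryptedID nor NameID reaches
        // getNameIDKeyMap with a null nameID — confirm that helper rejects it.
        nameID = manageNameIDRequest.getNameID();
    }
    // Issuer is assumed present: DoManageNameID.processManageNameIDRequest
    // runs verifyRequestIssuer before calling the mapper. A request without
    // one would NPE here.
    String remoteEntityID = manageNameIDRequest.getIssuer().getValue();
    if (debug.messageEnabled()) {
        debug.message("DefaultAccountMapper.getIdentity(ManageNameIDReq)" + " realm = " + realm + " hostEntityID = " + hostEntityID);
    }
    try {
        return dsProvider.getUserID(realm, SAML2Utils.getNameIDKeyMap(nameID, hostEntityID, remoteEntityID, realm, role));
    } catch (DataStoreProviderException dse) {
        debug.error("DefaultAccountMapper.getIdentity(MNIRequest,):" + " DataStoreProviderException", dse);
        throw new SAML2Exception(dse.getMessage());
    }
}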