Example 11 with ManageNameIDResponse
use of com.sun.identity.saml2.protocol.ManageNameIDResponse in project OpenAM by OpenRock.
the class DoManageNameID method processManageNameIDResponse.
/**
* Parses the request parameters and builds the Authentication
* Request to sent to the IDP.
*
* @param request the HttpServletRequest.
* @param response the HttpServletResponse.
* @param paramsMap Map of all other parameters.
* @return return true if the processing is successful.
* @throws SAML2Exception if error initiating request to IDP.
*/
public static boolean processManageNameIDResponse(HttpServletRequest request, HttpServletResponse response, Map paramsMap) throws SAML2Exception {
String method = "processManageNameIDResponse: ";
boolean success = false;
String requestURL = request.getRequestURI();
String metaAlias = SAML2MetaUtils.getMetaAliasByUri(requestURL);
if (metaAlias == null) {
logError("MetaAliasNotFound", LogUtil.MISSING_META_ALIAS, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("MetaAliasNotFound"));
}
String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
String hostEntityID = metaManager.getEntityByMetaAlias(metaAlias);
String hostRole = SAML2Utils.getHostEntityRole(paramsMap);
boolean isSupported = false;
if (SAML2Constants.IDP_ROLE.equals(hostRole)) {
isSupported = SAML2Utils.isIDPProfileBindingSupported(realm, hostEntityID, SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_REDIRECT);
} else {
isSupported = SAML2Utils.isSPProfileBindingSupported(realm, hostEntityID, SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_REDIRECT);
}
if (!isSupported) {
debug.error(method + "MNI binding: Redirect is not supported for " + hostEntityID);
String[] data = { hostEntityID, SAML2Constants.HTTP_REDIRECT };
LogUtil.error(Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
}
String relayState = request.getParameter(SAML2Constants.RELAY_STATE);
String mniRes = request.getParameter(SAML2Constants.SAML_RESPONSE);
String mniResStr = SAML2Utils.decodeFromRedirect(mniRes);
if (mniResStr == null) {
logError("nullDecodedStrFromSamlResponse", LogUtil.CANNOT_DECODE_RESPONSE, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse"));
}
if (debug.messageEnabled()) {
debug.message(method + "Meta Alias is : " + metaAlias);
debug.message(method + "Host role is : " + hostRole);
debug.message(method + "Relay state is : " + relayState);
debug.message(method + "MNI Response : " + mniResStr);
}
// Validate the RelayState URL.
SAML2Utils.validateRelayStateURL(realm, hostEntityID, relayState, hostRole);
ManageNameIDResponse mniResponse = null;
try {
mniResponse = pf.createManageNameIDResponse(mniResStr);
String remoteEntityID = mniResponse.getIssuer().getValue();
Issuer resIssuer = mniResponse.getIssuer();
String requestId = mniResponse.getInResponseTo();
SAML2Utils.verifyResponseIssuer(realm, hostEntityID, resIssuer, requestId);
boolean needToVerify = SAML2Utils.getWantMNIResponseSigned(realm, hostEntityID, hostRole);
if (needToVerify) {
String queryString = request.getQueryString();
boolean valid = SAML2Utils.verifyQueryString(queryString, realm, hostRole, remoteEntityID);
if (!valid) {
logError("invalidSignInResponse", LogUtil.MNI_RESPONSE_INVALID_SIGNATURE, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignInResponse"));
}
}
StringBuffer mniUserId = new StringBuffer();
success = checkMNIResponse(mniResponse, realm, hostEntityID, hostRole, mniUserId);
if (success && (hostRole != null) && hostRole.equals(SAML2Constants.SP_ROLE)) {
// invoke SPAdapter for termination success
postTerminationSuccess(hostEntityID, realm, request, response, mniUserId.toString(), null, mniResponse, SAML2Constants.HTTP_REDIRECT);
}
} catch (SessionException e) {
logError("invalidSSOToken", LogUtil.INVALID_SSOTOKEN, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
}
if (debug.messageEnabled()) {
debug.message(method + "Request success : " + success);
}
return success;
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
Issuer(com.sun.identity.saml2.assertion.Issuer)
SessionException(com.sun.identity.plugin.session.SessionException)
ManageNameIDResponse(com.sun.identity.saml2.protocol.ManageNameIDResponse)
Example 12 with ManageNameIDResponse
use of com.sun.identity.saml2.protocol.ManageNameIDResponse in project OpenAM by OpenRock.
the class DoManageNameID method verifyMNIResponse.
private static boolean verifyMNIResponse(ManageNameIDResponse mniResponse, String realm, String remoteEntity, String hostEntity, String hostEntityRole, String destination) throws SAML2Exception, SessionException {
String method = "verifyMNIResponse : ";
if (debug.messageEnabled()) {
debug.message(method + "realm is : " + realm);
debug.message(method + "remoteEntity is : " + remoteEntity);
debug.message(method + "Host Entity role is : " + hostEntityRole);
}
boolean needVerifySignature = SAML2Utils.getWantMNIResponseSigned(realm, hostEntity, hostEntityRole);
if (!needVerifySignature) {
if (debug.messageEnabled()) {
debug.message(method + "MNIResponse doesn't need to be verified.");
}
return true;
}
boolean valid;
Set<X509Certificate> signingCerts;
if (hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
SPSSODescriptorElement spSSODesc = metaManager.getSPSSODescriptor(realm, remoteEntity);
signingCerts = KeyUtil.getVerificationCerts(spSSODesc, remoteEntity, SAML2Constants.SP_ROLE);
} else {
IDPSSODescriptorElement idpSSODesc = metaManager.getIDPSSODescriptor(realm, remoteEntity);
signingCerts = KeyUtil.getVerificationCerts(idpSSODesc, remoteEntity, SAML2Constants.IDP_ROLE);
}
if (!signingCerts.isEmpty()) {
valid = mniResponse.isSignatureValid(signingCerts);
if (debug.messageEnabled()) {
debug.message(method + "Signature is : " + valid);
}
} else {
logError("missingSigningCertAlias", LogUtil.METADATA_ERROR, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
}
return valid;
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)
X509Certificate(java.security.cert.X509Certificate)
IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)
Example 13 with ManageNameIDResponse
use of com.sun.identity.saml2.protocol.ManageNameIDResponse in project OpenAM by OpenRock.
the class NameIDMappingResponseImpl method parseElement.
private void parseElement(Element element) throws SAML2Exception {
AssertionFactory af = AssertionFactory.getInstance();
ProtocolFactory pf = ProtocolFactory.getInstance();
// make sure that the input xml block is not null
if (element == null) {
if (SAML2SDKUtils.debug.messageEnabled()) {
SAML2SDKUtils.debug.message("NameIDMappingResponseImpl.parseElement: Input is null.");
}
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
}
// Make sure this is an EncryptedAssertion.
String tag = null;
tag = element.getLocalName();
if ((tag == null) || (!tag.equals(elementName))) {
if (SAML2SDKUtils.debug.messageEnabled()) {
SAML2SDKUtils.debug.message("NameIDMappingResponseImpl.parseElement: " + "not ManageNameIDResponse.");
}
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("wrongInput"));
}
responseId = element.getAttribute("ID");
validateID(responseId);
version = element.getAttribute("Version");
validateVersion(version);
String issueInstantStr = element.getAttribute("IssueInstant");
validateIssueInstant(issueInstantStr);
destination = element.getAttribute("Destination");
consent = element.getAttribute("Consent");
inResponseTo = element.getAttribute("InResponseTo");
NodeList nList = element.getChildNodes();
if ((nList != null) && (nList.getLength() > 0)) {
for (int i = 0; i < nList.getLength(); i++) {
Node childNode = nList.item(i);
String cName = childNode.getLocalName();
if (cName != null) {
if (cName.equals("Issuer")) {
issuer = af.createIssuer((Element) childNode);
} else if (cName.equals("Signature")) {
signatureString = XMLUtils.getElementString((Element) childNode);
isSigned = true;
} else if (cName.equals("Extensions")) {
extensions = pf.createExtensions((Element) childNode);
} else if (cName.equals("NameID")) {
nameID = af.createNameID((Element) childNode);
} else if (cName.equals("EncryptedID")) {
encryptedID = af.createEncryptedID((Element) childNode);
} else if (cName.equals("Status")) {
status = pf.createStatus((Element) childNode);
}
}
}
}
}
Also used :
ProtocolFactory(com.sun.identity.saml2.protocol.ProtocolFactory)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
AssertionFactory(com.sun.identity.saml2.assertion.AssertionFactory)
NodeList(org.w3c.dom.NodeList)
Node(org.w3c.dom.Node)
Element(org.w3c.dom.Element)
Aggregations
SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)13
ManageNameIDResponse (com.sun.identity.saml2.protocol.ManageNameIDResponse)8
SessionException (com.sun.identity.plugin.session.SessionException)7
SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)5
SOAPException (javax.xml.soap.SOAPException)5
ManageNameIDRequest (com.sun.identity.saml2.protocol.ManageNameIDRequest)4
IOException (java.io.IOException)4
ServletException (javax.servlet.ServletException)4
Issuer (com.sun.identity.saml2.assertion.Issuer)3
ManageNameIDServiceElement (com.sun.identity.saml2.jaxb.metadata.ManageNameIDServiceElement)3
Element (org.w3c.dom.Element)3
AssertionFactory (com.sun.identity.saml2.assertion.AssertionFactory)2
IDPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)2
SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)2
ProtocolFactory (com.sun.identity.saml2.protocol.ProtocolFactory)2
ByteArrayInputStream (java.io.ByteArrayInputStream)2
X509Certificate (java.security.cert.X509Certificate)2
SOAPMessage (javax.xml.soap.SOAPMessage)2
Document (org.w3c.dom.Document)2
Node (org.w3c.dom.Node)2
