
Example 11 with ManageNameIDResponse

use of com.sun.identity.saml2.protocol.ManageNameIDResponse in project OpenAM by OpenRock.

From the class DoManageNameID, method processManageNameIDResponse.

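/**
 * Processes a ManageNameIDResponse received over the HTTP-Redirect binding.
 *
 * Resolves the hosted entity from the request URI, checks that the redirect
 * binding is enabled for the MNI service in the host's role, decodes and
 * parses the SAMLResponse parameter, verifies the issuer and (when the local
 * configuration requires signed MNI responses) the redirect-binding signature
 * carried in the query string, and finally evaluates the response through
 * checkMNIResponse. On an SP host a successful termination is also reported
 * to the SP adapter via postTerminationSuccess.
 *
 * @param request the HttpServletRequest carrying SAMLResponse and RelayState.
 * @param response the HttpServletResponse, passed through to the SP adapter.
 * @param paramsMap Map of all other parameters; used to derive the host role.
 * @return true if the processing is successful.
 * @throws SAML2Exception if the meta alias cannot be resolved, the redirect
 *         binding is not supported, the response cannot be decoded, the
 *         issuer or signature is invalid, or the session lookup fails.
 */
public static boolean processManageNameIDResponse(HttpServletRequest request, HttpServletResponse response, Map paramsMap) throws SAML2Exception {
    String method = "processManageNameIDResponse: ";
    boolean success = false;
    String requestURL = request.getRequestURI();
    String metaAlias = SAML2MetaUtils.getMetaAliasByUri(requestURL);
    if (metaAlias == null) {
        logError("MetaAliasNotFound", LogUtil.MISSING_META_ALIAS, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("MetaAliasNotFound"));
    }
    String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
    String hostEntityID = metaManager.getEntityByMetaAlias(metaAlias);
    String hostRole = SAML2Utils.getHostEntityRole(paramsMap);
    // Refuse the message outright when the redirect binding is not enabled
    // for the MNI service of the hosted entity in this role.
    boolean isSupported;
    if (SAML2Constants.IDP_ROLE.equals(hostRole)) {
        isSupported = SAML2Utils.isIDPProfileBindingSupported(realm, hostEntityID, SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_REDIRECT);
    } else {
        isSupported = SAML2Utils.isSPProfileBindingSupported(realm, hostEntityID, SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_REDIRECT);
    }
    if (!isSupported) {
        debug.error(method + "MNI binding: Redirect is not supported for " + hostEntityID);
        String[] data = { hostEntityID, SAML2Constants.HTTP_REDIRECT };
        LogUtil.error(Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    String relayState = request.getParameter(SAML2Constants.RELAY_STATE);
    String mniRes = request.getParameter(SAML2Constants.SAML_RESPONSE);
    // The redirect binding carries the response encoded in the query string;
    // decodeFromRedirect undoes that encoding and yields null on failure.
    String mniResStr = SAML2Utils.decodeFromRedirect(mniRes);
    if (mniResStr == null) {
        logError("nullDecodedStrFromSamlResponse", LogUtil.CANNOT_DECODE_RESPONSE, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse"));
    }
    if (debug.messageEnabled()) {
        // NOTE: the complete decoded response is written to the debug log here.
        debug.message(method + "Meta Alias is : " + metaAlias);
        debug.message(method + "Host role is : " + hostRole);
        debug.message(method + "Relay state is : " + relayState);
        debug.message(method + "MNI Response : " + mniResStr);
    }
    // Validate the RelayState URL before anything downstream relies on it
    // (the usual RelayState concern is its later use as a redirect target).
    SAML2Utils.validateRelayStateURL(realm, hostEntityID, relayState, hostRole);
    try {
        ManageNameIDResponse mniResponse = pf.createManageNameIDResponse(mniResStr);
        Issuer resIssuer = mniResponse.getIssuer();
        String requestId = mniResponse.getInResponseTo();
        // Verify the issuer before dereferencing it, so that a response with
        // no Issuer element is presumably rejected by verifyResponseIssuer
        // instead of surfacing as a NullPointerException on getValue().
        SAML2Utils.verifyResponseIssuer(realm, hostEntityID, resIssuer, requestId);
        String remoteEntityID = resIssuer.getValue();
        boolean needToVerify = SAML2Utils.getWantMNIResponseSigned(realm, hostEntityID, hostRole);
        if (needToVerify) {
            // For the redirect binding the signature covers the query string
            // rather than the XML, so the raw query string is what is verified.
            String queryString = request.getQueryString();
            boolean valid = SAML2Utils.verifyQueryString(queryString, realm, hostRole, remoteEntityID);
            if (!valid) {
                logError("invalidSignInResponse", LogUtil.MNI_RESPONSE_INVALID_SIGNATURE, null);
                throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignInResponse"));
            }
        }
        // When the configuration does not require signed MNI responses, the
        // response is accepted here without any signature check.
        StringBuffer mniUserId = new StringBuffer();
        success = checkMNIResponse(mniResponse, realm, hostEntityID, hostRole, mniUserId);
        if (success && SAML2Constants.SP_ROLE.equals(hostRole)) {
            // invoke SPAdapter for termination success
            postTerminationSuccess(hostEntityID, realm, request, response, mniUserId.toString(), null, mniResponse, SAML2Constants.HTTP_REDIRECT);
        }
    } catch (SessionException e) {
        logError("invalidSSOToken", LogUtil.INVALID_SSOTOKEN, null);
        SAML2Exception wrapped = new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
        // Keep the underlying session failure on the exception chain for diagnostics.
        wrapped.initCause(e);
        throw wrapped;
    }
    if (debug.messageEnabled()) {
        debug.message(method + "Request success : " + success);
    }
    return success;
}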

Example 12 with ManageNameIDResponse

use of com.sun.identity.saml2.protocol.ManageNameIDResponse in project OpenAM by OpenRock.

From the class DoManageNameID, method verifyMNIResponse.

/**
 * Verifies the signature of a ManageNameIDResponse when the hosted entity is
 * configured to require signed MNI responses.
 *
 * If signing is not required the response is accepted as-is. Otherwise the
 * remote entity's verification certificates are looked up from metadata (the
 * SP descriptor when the host is an IDP, the IDP descriptor when the host is
 * an SP). An empty certificate set is treated as a metadata error and
 * rejected rather than as "nothing to verify".
 *
 * @param mniResponse the parsed response whose signature is checked.
 * @param realm the realm of the hosted entity.
 * @param remoteEntity entity ID of the response issuer.
 * @param hostEntity entity ID of the hosted entity.
 * @param hostEntityRole role of the hosted entity (IDP_ROLE or SP_ROLE).
 * @param destination not used by this method.
 * @return true if no signature check is required or the signature validates;
 *         false if the signature does not validate.
 * @throws SAML2Exception if no verification certificate is available in
 *         metadata for the remote entity.
 * @throws SessionException declared for callers; nothing in this body raises
 *         it directly.
 */
private static boolean verifyMNIResponse(ManageNameIDResponse mniResponse, String realm, String remoteEntity, String hostEntity, String hostEntityRole, String destination) throws SAML2Exception, SessionException {
    String logPrefix = "verifyMNIResponse : ";
    if (debug.messageEnabled()) {
        debug.message(logPrefix + "realm is : " + realm);
        debug.message(logPrefix + "remoteEntity is : " + remoteEntity);
        debug.message(logPrefix + "Host Entity role is : " + hostEntityRole);
    }
    // Configuration decides whether an unsigned response is acceptable.
    if (!SAML2Utils.getWantMNIResponseSigned(realm, hostEntity, hostEntityRole)) {
        if (debug.messageEnabled()) {
            debug.message(logPrefix + "MNIResponse doesn't need to be verified.");
        }
        return true;
    }
    // Pick the remote descriptor that corresponds to the opposite role.
    boolean hostIsIdp = hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE);
    Set<X509Certificate> verificationCerts;
    if (hostIsIdp) {
        SPSSODescriptorElement remoteSp = metaManager.getSPSSODescriptor(realm, remoteEntity);
        verificationCerts = KeyUtil.getVerificationCerts(remoteSp, remoteEntity, SAML2Constants.SP_ROLE);
    } else {
        IDPSSODescriptorElement remoteIdp = metaManager.getIDPSSODescriptor(realm, remoteEntity);
        verificationCerts = KeyUtil.getVerificationCerts(remoteIdp, remoteEntity, SAML2Constants.IDP_ROLE);
    }
    // Fail closed: no certificate means the signature cannot be checked.
    if (verificationCerts.isEmpty()) {
        logError("missingSigningCertAlias", LogUtil.METADATA_ERROR, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
    }
    boolean signatureValid = mniResponse.isSignatureValid(verificationCerts);
    if (debug.messageEnabled()) {
        debug.message(logPrefix + "Signature is : " + signatureValid);
    }
    return signatureValid;
}

Example 13 with ManageNameIDResponse

use of com.sun.identity.saml2.protocol.ManageNameIDResponse in project OpenAM by OpenRock.

From the class NameIDMappingResponseImpl, method parseElement.

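/**
 * Populates this response object from a DOM element.
 *
 * The element must be non-null and carry the local name this class expects
 * (elementName). The ID, Version and IssueInstant attributes are checked by
 * the corresponding validate* helpers; Destination, Consent and InResponseTo
 * are copied as-is. Recognised child elements (Issuer, Signature, Extensions,
 * NameID, EncryptedID, Status) are parsed into the matching fields; any other
 * child is ignored. If a recognised child appears more than once, the last
 * occurrence wins. The Signature child is only captured as a string here;
 * no signature validation happens in this method.
 *
 * @param element the DOM element to parse.
 * @throws SAML2Exception if the element is null, has the wrong local name,
 *         or one of the validated attributes is rejected.
 */
private void parseElement(Element element) throws SAML2Exception {
    AssertionFactory af = AssertionFactory.getInstance();
    ProtocolFactory pf = ProtocolFactory.getInstance();
    // make sure that the input xml block is not null
    if (element == null) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("NameIDMappingResponseImpl.parseElement: Input is null.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
    }
    // Make sure the root element is the one this class represents.
    String tag = element.getLocalName();
    if ((tag == null) || (!tag.equals(elementName))) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("NameIDMappingResponseImpl.parseElement: " + "not ManageNameIDResponse.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("wrongInput"));
    }
    responseId = element.getAttribute("ID");
    validateID(responseId);
    version = element.getAttribute("Version");
    validateVersion(version);
    String issueInstantStr = element.getAttribute("IssueInstant");
    validateIssueInstant(issueInstantStr);
    destination = element.getAttribute("Destination");
    consent = element.getAttribute("Consent");
    inResponseTo = element.getAttribute("InResponseTo");
    NodeList nList = element.getChildNodes();
    if (nList != null) {
        int childCount = nList.getLength();
        for (int i = 0; i < childCount; i++) {
            Node childNode = nList.item(i);
            // Only element (and attribute) nodes report a local name; text and
            // comment children return null here and are skipped.
            String cName = childNode.getLocalName();
            if (cName != null) {
                if (cName.equals("Issuer")) {
                    issuer = af.createIssuer((Element) childNode);
                } else if (cName.equals("Signature")) {
                    // Captured verbatim; a repeated Signature child overwrites
                    // the earlier one, so callers must not assume uniqueness.
                    signatureString = XMLUtils.getElementString((Element) childNode);
                    isSigned = true;
                } else if (cName.equals("Extensions")) {
                    extensions = pf.createExtensions((Element) childNode);
                } else if (cName.equals("NameID")) {
                    nameID = af.createNameID((Element) childNode);
                } else if (cName.equals("EncryptedID")) {
                    encryptedID = af.createEncryptedID((Element) childNode);
                } else if (cName.equals("Status")) {
                    status = pf.createStatus((Element) childNode);
                }
            }
        }
    }
}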
