Search in sources :

Example 1 with NameIDMappingRequest

use of com.sun.identity.saml2.protocol.NameIDMappingRequest in project OpenAM by OpenRock.

the class NameIDMapping method initiateNameIDMappingRequest.

/**
     * Parses the request parameters and builds the NameIDMappingRequest to
     * sent to remote identity provider.
     *
     * @param session user session.
     * @param realm the realm of hosted entity
     * @param spEntityID entity ID of hosted service provider
     * @param idpEntityID entity ID of remote idendity provider
     * @param targetSPEntityID entity ID of target entity ID of service
     *     provider
     * @param targetNameIDFormat format of target Name ID
     * @param paramsMap Map of all other parameters
     *
     * @return the <code>NameIDMappingResponse</code>
     * @throws SAML2Exception if error initiating request to remote entity.
     *
     * @supported.api
     */
public static NameIDMappingResponse initiateNameIDMappingRequest(Object session, String realm, String spEntityID, String idpEntityID, String targetSPEntityID, String targetNameIDFormat, Map paramsMap) throws SAML2Exception {
    if (spEntityID == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullSPEntityID"));
    }
    if (idpEntityID == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullIDPEntityID"));
    }
    String userID = null;
    try {
        userID = sessionProvider.getPrincipalName(session);
    } catch (SessionException e) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("NameIDMapping.createNameIDMappingRequest: ", e);
        }
    }
    if (userID == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
    }
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("NameIDMapping.initiateNameMappingRequest:" + " IDP EntityID is : " + idpEntityID);
        SAML2Utils.debug.message("NameIDMapping.initiateNameMappingRequest:" + " SP HOST EntityID is : " + spEntityID);
        SAML2Utils.debug.message("NameIDMapping.initiateNameMappingRequest:" + " target SP EntityID is : " + targetSPEntityID);
    }
    try {
        // nameIDMappingService
        String binding = SAML2Utils.getParameter(paramsMap, SAML2Constants.BINDING);
        if (binding == null) {
            binding = SAML2Constants.SOAP;
        } else if (!binding.equals(SAML2Constants.SOAP)) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("nimServiceBindingUnsupport"));
        }
        String nimURL = SAML2Utils.getParameter(paramsMap, "nimURL");
        if (nimURL == null) {
            NameIDMappingServiceElement nameIDMappingService = getNameIDMappingService(realm, idpEntityID, binding);
            if (nameIDMappingService != null) {
                nimURL = nameIDMappingService.getLocation();
            }
        }
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("NameIDMapping.initiateNameMappingRequest:" + " nimURL" + nimURL);
        }
        if (nimURL == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("nimServiceNotFound"));
        }
        NameIDMappingRequest nimRequest = createNameIDMappingRequest(userID, realm, spEntityID, idpEntityID, nimURL, targetSPEntityID, targetNameIDFormat);
        signNIMRequest(nimRequest, realm, spEntityID, false);
        BaseConfigType config = metaManager.getIDPSSOConfig(realm, idpEntityID);
        nimURL = SAML2SDKUtils.fillInBasicAuthInfo(config, nimURL);
        return doNIMBySOAP(nimRequest.toXMLString(true, true), nimURL, realm, spEntityID);
    } catch (SAML2MetaException sme) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) NameIDMappingServiceElement(com.sun.identity.saml2.jaxb.metadata.NameIDMappingServiceElement) BaseConfigType(com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType) SessionException(com.sun.identity.plugin.session.SessionException) NameIDMappingRequest(com.sun.identity.saml2.protocol.NameIDMappingRequest) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)

Example 2 with NameIDMappingRequest

use of com.sun.identity.saml2.protocol.NameIDMappingRequest in project OpenAM by OpenRock.

the class NameIDMapping method createNameIDMappingRequest.

private static NameIDMappingRequest createNameIDMappingRequest(String userID, String realm, String spEntityID, String idpEntityID, String destination, String targetSPEntityID, String targetNameIDFormat) throws SAML2Exception {
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("NameIDMapping.createNameIDMappingRequest: User ID : " + userID);
    }
    NameIDMappingRequest nimRequest = pf.createNameIDMappingRequest();
    nimRequest.setID(SAML2Utils.generateID());
    nimRequest.setVersion(SAML2Constants.VERSION_2_0);
    nimRequest.setDestination(XMLUtils.escapeSpecialCharacters(destination));
    nimRequest.setIssuer(SAML2Utils.createIssuer(spEntityID));
    nimRequest.setIssueInstant(new Date());
    setNameIDForNIMRequest(nimRequest, realm, spEntityID, idpEntityID, targetSPEntityID, targetNameIDFormat, userID);
    return nimRequest;
}
Also used : NameIDMappingRequest(com.sun.identity.saml2.protocol.NameIDMappingRequest) Date(java.util.Date)

Example 3 with NameIDMappingRequest

use of com.sun.identity.saml2.protocol.NameIDMappingRequest in project OpenAM by OpenRock.

the class NameIDMapping method signNIMRequest.

private static void signNIMRequest(NameIDMappingRequest nimRequest, String realm, String spEntityID, boolean includeCert) throws SAML2Exception {
    String alias = SAML2Utils.getSigningCertAlias(realm, spEntityID, SAML2Constants.SP_ROLE);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("NameIDMapping.signNIMRequest: " + "Cert Alias is : " + alias);
        SAML2Utils.debug.message("NameIDMapping.signNIMRequest: " + "NIMRequest before sign : " + nimRequest.toXMLString(true, true));
    }
    PrivateKey signingKey = keyProvider.getPrivateKey(alias);
    X509Certificate signingCert = null;
    if (includeCert) {
        signingCert = keyProvider.getX509Certificate(alias);
    }
    if (signingKey != null) {
        nimRequest.sign(signingKey, signingCert);
    } else {
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
    }
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("NameIDMapping.signNIMRequest: " + "NIMRequest after sign : " + nimRequest.toXMLString(true, true));
    }
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) PrivateKey(java.security.PrivateKey) X509Certificate(java.security.cert.X509Certificate)

Example 4 with NameIDMappingRequest

use of com.sun.identity.saml2.protocol.NameIDMappingRequest in project OpenAM by OpenRock.

the class NameIDMapping method setNameIDForNIMRequest.

private static void setNameIDForNIMRequest(NameIDMappingRequest nimRequest, String realm, String spEntityID, String idpEntityID, String targetSPEntityID, String targetNameIDFormat, String userID) throws SAML2Exception {
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("NameIDMapping.setNameIDForNIMRequest: " + "user ID = " + userID);
    }
    NameID nameID = AssertionFactory.getInstance().createNameID();
    NameIDInfo info = AccountUtils.getAccountFederation(userID, spEntityID, idpEntityID);
    nameID.setValue(info.getNameIDValue());
    nameID.setFormat(info.getFormat());
    nameID.setNameQualifier(idpEntityID);
    nameID.setSPNameQualifier(spEntityID);
    NameIDPolicy nameIDPolicy = ProtocolFactory.getInstance().createNameIDPolicy();
    nameIDPolicy.setSPNameQualifier(targetSPEntityID);
    nameIDPolicy.setFormat(targetNameIDFormat);
    nimRequest.setNameIDPolicy(nameIDPolicy);
    boolean needEncryptIt = SAML2Utils.getWantNameIDEncrypted(realm, idpEntityID, SAML2Constants.IDP_ROLE);
    if (!needEncryptIt) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("NameIDMapping.setNameIDForNIMRequest: " + "NamID doesn't need to be encrypted.");
        }
        nimRequest.setNameID(nameID);
        return;
    }
    EncryptedID encryptedID = getEncryptedID(nameID, realm, idpEntityID, SAML2Constants.IDP_ROLE);
    nimRequest.setEncryptedID(encryptedID);
}
Also used : NameIDInfo(com.sun.identity.saml2.common.NameIDInfo) NameID(com.sun.identity.saml2.assertion.NameID) NameIDPolicy(com.sun.identity.saml2.protocol.NameIDPolicy) EncryptedID(com.sun.identity.saml2.assertion.EncryptedID)

Example 5 with NameIDMappingRequest

use of com.sun.identity.saml2.protocol.NameIDMappingRequest in project OpenAM by OpenRock.

the class NameIDMapping method processNameIDMappingRequest.

public static NameIDMappingResponse processNameIDMappingRequest(NameIDMappingRequest nimRequest, String realm, String idpEntityID) throws SAML2Exception {
    NameIDMappingResponse nimResponse = null;
    String spEntityID = nimRequest.getIssuer().getValue();
    if (spEntityID == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullSPEntityID"));
    }
    String responseID = SAML2Utils.generateID();
    if (responseID == null) {
        SAML2Utils.debug.error(SAML2Utils.bundle.getString("failedToGenResponseID"));
    }
    nimResponse = pf.createNameIDMappingResponse();
    nimResponse.setID(responseID);
    nimResponse.setInResponseTo(nimRequest.getID());
    nimResponse.setVersion(SAML2Constants.VERSION_2_0);
    nimResponse.setIssueInstant(new Date());
    nimResponse.setIssuer(SAML2Utils.createIssuer(idpEntityID));
    SAML2Utils.verifyRequestIssuer(realm, idpEntityID, nimRequest.getIssuer(), nimRequest.getID());
    NameIDPolicy nameIDPolicy = nimRequest.getNameIDPolicy();
    String targetSPEntityID = nameIDPolicy.getSPNameQualifier();
    String format = nameIDPolicy.getFormat();
    Status status = null;
    if ((format != null) && (format.length() != 0) && (!format.equals(SAML2Constants.PERSISTENT)) && (!format.equals(SAML2Constants.UNSPECIFIED))) {
        nimResponse.setNameID(nimRequest.getNameID());
        nimResponse.setEncryptedID(nimRequest.getEncryptedID());
        status = SAML2Utils.generateStatus(SAML2Constants.INVALID_NAME_ID_POLICY, SAML2Utils.bundle.getString("targetNameIDFormatUnsupported"));
    } else if ((targetSPEntityID == null) || (targetSPEntityID.length() == 0) || targetSPEntityID.equals(spEntityID)) {
        nimResponse.setNameID(nimRequest.getNameID());
        nimResponse.setEncryptedID(nimRequest.getEncryptedID());
        status = SAML2Utils.generateStatus(SAML2Constants.INVALID_NAME_ID_POLICY, SAML2Utils.bundle.getString("targetNameIDNoChange"));
    } else {
        // check if source SP has account fed
        // if yes then get nameid of targetSP
        IDPAccountMapper idpAcctMapper = SAML2Utils.getIDPAccountMapper(realm, idpEntityID);
        NameID nameID = getNameID(nimRequest, realm, idpEntityID);
        String userID = idpAcctMapper.getIdentity(nameID, idpEntityID, spEntityID, realm);
        NameIDInfo targetNameIDInfo = null;
        if (userID != null) {
            targetNameIDInfo = AccountUtils.getAccountFederation(userID, idpEntityID, targetSPEntityID);
        }
        if (targetNameIDInfo == null) {
            nimResponse.setNameID(nimRequest.getNameID());
            nimResponse.setEncryptedID(nimRequest.getEncryptedID());
            status = SAML2Utils.generateStatus(SAML2Constants.INVALID_NAME_ID_POLICY, SAML2Utils.bundle.getString("targetNameIDNotFound"));
        } else {
            NameID targetSPNameID = targetNameIDInfo.getNameID();
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("NameIDMapping.processNameIDMappingRequest: " + "User ID = " + userID + ", name ID = " + targetSPNameID.toXMLString(true, true));
            }
            nimResponse.setEncryptedID(getEncryptedID(targetSPNameID, realm, spEntityID, SAML2Constants.SP_ROLE));
            status = SAML2Utils.generateStatus(SAML2Constants.SUCCESS, null);
        }
    }
    nimResponse.setStatus(status);
    signNIMResponse(nimResponse, realm, idpEntityID, false);
    return nimResponse;
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) Status(com.sun.identity.saml2.protocol.Status) IDPAccountMapper(com.sun.identity.saml2.plugins.IDPAccountMapper) NameIDInfo(com.sun.identity.saml2.common.NameIDInfo) NameIDPolicy(com.sun.identity.saml2.protocol.NameIDPolicy) NameID(com.sun.identity.saml2.assertion.NameID) NameIDMappingResponse(com.sun.identity.saml2.protocol.NameIDMappingResponse) Date(java.util.Date)

Aggregations

SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)5 NameID (com.sun.identity.saml2.assertion.NameID)3 NameIDMappingRequest (com.sun.identity.saml2.protocol.NameIDMappingRequest)3 EncryptedID (com.sun.identity.saml2.assertion.EncryptedID)2 NameIDInfo (com.sun.identity.saml2.common.NameIDInfo)2 NameIDMappingResponse (com.sun.identity.saml2.protocol.NameIDMappingResponse)2 NameIDPolicy (com.sun.identity.saml2.protocol.NameIDPolicy)2 Date (java.util.Date)2 SessionException (com.sun.identity.plugin.session.SessionException)1 BaseConfigType (com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType)1 IDPSSOConfigElement (com.sun.identity.saml2.jaxb.entityconfig.IDPSSOConfigElement)1 NameIDMappingServiceElement (com.sun.identity.saml2.jaxb.metadata.NameIDMappingServiceElement)1 SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)1 IDPAccountMapper (com.sun.identity.saml2.plugins.IDPAccountMapper)1 Status (com.sun.identity.saml2.protocol.Status)1 OutputStream (java.io.OutputStream)1 PrivateKey (java.security.PrivateKey)1 X509Certificate (java.security.cert.X509Certificate)1 SOAPException (javax.xml.soap.SOAPException)1 SOAPMessage (javax.xml.soap.SOAPMessage)1