Class NameIDMapping, method signNIMResponse.
/**
 * Signs a NameIDMappingResponse with the hosted identity provider's signing key.
 *
 * @param nimResponse the response to sign
 * @param realm the realm of the hosted identity provider
 * @param idpEntityID entity ID of the hosted identity provider
 * @param includeCert whether the signing certificate is passed along to the signature
 * @throws SAML2Exception if no private key can be obtained for the configured alias
 */
static void signNIMResponse(NameIDMappingResponse nimResponse, String realm,
        String idpEntityID, boolean includeCert) throws SAML2Exception {
    final String method = "NameIDMapping.signNIMResponse: ";
    String certAlias = SAML2Utils.getSigningCertAlias(realm, idpEntityID, SAML2Constants.IDP_ROLE);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(method + realm);
        SAML2Utils.debug.message(method + idpEntityID);
        SAML2Utils.debug.message(method + certAlias);
    }
    String keyPass = SAML2Utils.getSigningCertEncryptedKeyPass(realm, idpEntityID, SAML2Constants.IDP_ROLE);
    // A non-empty key password selects the password-protected key lookup.
    boolean hasKeyPass = keyPass != null && !keyPass.isEmpty();
    PrivateKey privateKey = hasKeyPass
            ? keyProvider.getPrivateKey(certAlias, keyPass)
            : keyProvider.getPrivateKey(certAlias);
    // The certificate is resolved before the key is checked; it stays null when not requested.
    X509Certificate cert = includeCert ? keyProvider.getX509Certificate(certAlias) : null;
    if (privateKey == null) {
        SAML2Utils.debug.error(method + "Incorrect configuration for Signing Certificate.");
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    nimResponse.sign(privateKey, cert);
}
Class NameIDMapping, method initiateNameIDMappingRequest.
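/**
 * Parses the request parameters, builds the NameIDMappingRequest and sends
 * it to the remote identity provider over SOAP.
 *
 * @param session user session.
 * @param realm the realm of hosted entity
 * @param spEntityID entity ID of hosted service provider
 * @param idpEntityID entity ID of remote identity provider
 * @param targetSPEntityID entity ID of the target service provider
 * @param targetNameIDFormat format of target Name ID
 * @param paramsMap Map of all other parameters. Honoured keys are
 *        {@code SAML2Constants.BINDING} (only SOAP is supported) and
 *        {@code "nimURL"}, which replaces the NameIDMappingService location
 *        read from the identity provider's metadata.
 *
 * @return the <code>NameIDMappingResponse</code>
 * @throws SAML2Exception if error initiating request to remote entity.
 *
 * @supported.api
 */
public static NameIDMappingResponse initiateNameIDMappingRequest(Object session, String realm, String spEntityID, String idpEntityID, String targetSPEntityID, String targetNameIDFormat, Map paramsMap) throws SAML2Exception {
    final String method = "NameIDMapping.initiateNameIDMappingRequest: ";
    if (spEntityID == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullSPEntityID"));
    }
    if (idpEntityID == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullIDPEntityID"));
    }
    String userID = null;
    try {
        userID = sessionProvider.getPrincipalName(session);
    } catch (SessionException e) {
        // An unusable session is reported below as invalidSSOToken; the cause
        // is recorded at debug level under this method's own name.
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(method, e);
        }
    }
    if (userID == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
    }
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("NameIDMapping.initiateNameMappingRequest:" + " IDP EntityID is : " + idpEntityID);
        SAML2Utils.debug.message("NameIDMapping.initiateNameMappingRequest:" + " SP HOST EntityID is : " + spEntityID);
        SAML2Utils.debug.message("NameIDMapping.initiateNameMappingRequest:" + " target SP EntityID is : " + targetSPEntityID);
    }
    try {
        // Only the SOAP binding is supported for the NameIDMappingService.
        String binding = SAML2Utils.getParameter(paramsMap, SAML2Constants.BINDING);
        if (binding == null) {
            binding = SAML2Constants.SOAP;
        } else if (!binding.equals(SAML2Constants.SOAP)) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("nimServiceBindingUnsupport"));
        }
        // An explicit "nimURL" parameter takes precedence over the metadata
        // location. The signed request is posted to whatever URL ends up here,
        // so callers must only supply a value they trust.
        String nimURL = SAML2Utils.getParameter(paramsMap, "nimURL");
        if (nimURL == null) {
            NameIDMappingServiceElement nameIDMappingService = getNameIDMappingService(realm, idpEntityID, binding);
            if (nameIDMappingService != null) {
                nimURL = nameIDMappingService.getLocation();
            }
        }
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("NameIDMapping.initiateNameMappingRequest:" + " nimURL : " + nimURL);
        }
        if (nimURL == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("nimServiceNotFound"));
        }
        NameIDMappingRequest nimRequest = createNameIDMappingRequest(userID, realm, spEntityID, idpEntityID, nimURL, targetSPEntityID, targetNameIDFormat);
        // The request is signed with the hosted SP's key; the certificate is not included.
        signNIMRequest(nimRequest, realm, spEntityID, false);
        // Presumably merges configured basic-auth details into the endpoint URL — see SAML2SDKUtils.
        BaseConfigType config = metaManager.getIDPSSOConfig(realm, idpEntityID);
        nimURL = SAML2SDKUtils.fillInBasicAuthInfo(config, nimURL);
        return doNIMBySOAP(nimRequest.toXMLString(true, true), nimURL, realm, spEntityID);
    } catch (SAML2MetaException sme) {
        // The thrown exception carries only the generic localized message, so
        // keep the underlying metadata failure in the log instead of dropping it.
        SAML2Utils.debug.error(method + "metadata lookup failed", sme);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
}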
Class NameIDMapping, method doNIMBySOAP.
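/**
 * Posts a NameIDMappingRequest to the identity provider's NameIDMappingService
 * over SOAP and returns the parsed response after its issuer and signature
 * have been checked.
 *
 * @param nimRequestXMLString the request as an XML string
 * @param nimURL the NameIDMappingService endpoint to post to
 * @param realm the realm of the hosted service provider
 * @param spEntityID entity ID of the hosted service provider
 * @return the verified NameIDMappingResponse
 * @throws SAML2Exception if the SOAP exchange fails, the response issuer is
 *         rejected, or the response signature does not verify
 */
private static NameIDMappingResponse doNIMBySOAP(String nimRequestXMLString, String nimURL, String realm, String spEntityID) throws SAML2Exception {
    final String method = "NameIDMapping.doNIMBySOAP: ";
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(method + "NIMRequestXMLString : " + nimRequestXMLString);
        SAML2Utils.debug.message(method + "NIMRedirectURL : " + nimURL);
    }
    SOAPMessage resMsg;
    try {
        resMsg = SOAPCommunicator.getInstance().sendSOAPMessage(nimRequestXMLString, nimURL, true);
    } catch (SOAPException se) {
        SAML2Utils.debug.error(method, se);
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSOAPMessge"));
    }
    Element nimRespElem = SOAPCommunicator.getInstance().getSamlpElement(resMsg, SAML2Constants.NAME_ID_MAPPING_RESPONSE);
    NameIDMappingResponse nimResponse = pf.createNameIDMappingResponse(nimRespElem);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(method + "NameIDMappingResponse without SOAP envelope:\n" + nimResponse.toXMLString(true, true));
    }
    // Check the issuer before dereferencing it: a response with no Issuer
    // element previously failed here with a NullPointerException instead of
    // reaching the issuer check (assumes verifyResponseIssuer rejects a null
    // issuer — confirm in SAML2Utils).
    Issuer resIssuer = nimResponse.getIssuer();
    String requestId = nimResponse.getInResponseTo();
    SAML2Utils.verifyResponseIssuer(realm, spEntityID, resIssuer, requestId);
    String idpEntityID = resIssuer.getValue();
    // The response is only handed back once its signature verifies against
    // the issuing IDP's metadata certificates.
    if (!verifyNIMResponse(nimResponse, realm, idpEntityID)) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignInResponse"));
    }
    return nimResponse;
}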
Class NameIDMapping, method processNameIDMappingRequest.
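/**
 * Handles a NameIDMappingRequest received by the hosted identity provider and
 * builds the signed NameIDMappingResponse.
 *
 * <p>A mapped identifier is returned (encrypted for the requesting SP) only
 * when the requested format is persistent/unspecified, the target SP differs
 * from the requesting SP, and the user behind the request has a federation
 * with the target SP. In every other case the request's own NameID and
 * EncryptedID are echoed back with an INVALID_NAME_ID_POLICY status.
 *
 * @param nimRequest the received request
 * @param realm the realm of the hosted identity provider
 * @param idpEntityID entity ID of the hosted identity provider
 * @return the signed response
 * @throws SAML2Exception if the request issuer is missing or rejected, or the
 *         response cannot be populated or signed
 */
public static NameIDMappingResponse processNameIDMappingRequest(NameIDMappingRequest nimRequest, String realm, String idpEntityID) throws SAML2Exception {
    String spEntityID = nimRequest.getIssuer().getValue();
    if (spEntityID == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullSPEntityID"));
    }
    String responseID = SAML2Utils.generateID();
    if (responseID == null) {
        // Best-effort: the failure is logged and the response is still built with a null ID.
        SAML2Utils.debug.error(SAML2Utils.bundle.getString("failedToGenResponseID"));
    }
    NameIDMappingResponse nimResponse = pf.createNameIDMappingResponse();
    nimResponse.setID(responseID);
    nimResponse.setInResponseTo(nimRequest.getID());
    nimResponse.setVersion(SAML2Constants.VERSION_2_0);
    nimResponse.setIssueInstant(new Date());
    nimResponse.setIssuer(SAML2Utils.createIssuer(idpEntityID));
    // Presumably rejects requests whose issuer is not a trusted SP of this IDP;
    // it runs before any account lookup is attempted.
    SAML2Utils.verifyRequestIssuer(realm, idpEntityID, nimRequest.getIssuer(), nimRequest.getID());
    // NOTE(review): NameIDPolicy is dereferenced unconditionally; a request
    // without one fails here with a NullPointerException — confirm whether the
    // caller guarantees its presence.
    NameIDPolicy nameIDPolicy = nimRequest.getNameIDPolicy();
    String targetSPEntityID = nameIDPolicy.getSPNameQualifier();
    String format = nameIDPolicy.getFormat();
    Status status;
    if (isUnsupportedTargetFormat(format)) {
        echoRequestIdentifiers(nimResponse, nimRequest);
        status = SAML2Utils.generateStatus(SAML2Constants.INVALID_NAME_ID_POLICY, SAML2Utils.bundle.getString("targetNameIDFormatUnsupported"));
    } else if ((targetSPEntityID == null) || (targetSPEntityID.length() == 0) || targetSPEntityID.equals(spEntityID)) {
        echoRequestIdentifiers(nimResponse, nimRequest);
        status = SAML2Utils.generateStatus(SAML2Constants.INVALID_NAME_ID_POLICY, SAML2Utils.bundle.getString("targetNameIDNoChange"));
    } else {
        // Resolve the user behind the requesting SP's NameID, then look for
        // that user's existing federation with the target SP.
        IDPAccountMapper idpAcctMapper = SAML2Utils.getIDPAccountMapper(realm, idpEntityID);
        NameID nameID = getNameID(nimRequest, realm, idpEntityID);
        String userID = idpAcctMapper.getIdentity(nameID, idpEntityID, spEntityID, realm);
        NameIDInfo targetNameIDInfo = null;
        if (userID != null) {
            targetNameIDInfo = AccountUtils.getAccountFederation(userID, idpEntityID, targetSPEntityID);
        }
        if (targetNameIDInfo == null) {
            echoRequestIdentifiers(nimResponse, nimRequest);
            status = SAML2Utils.generateStatus(SAML2Constants.INVALID_NAME_ID_POLICY, SAML2Utils.bundle.getString("targetNameIDNotFound"));
        } else {
            NameID targetSPNameID = targetNameIDInfo.getNameID();
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("NameIDMapping.processNameIDMappingRequest: " + "User ID = " + userID + ", name ID = " + targetSPNameID.toXMLString(true, true));
            }
            // The mapped identifier is only ever returned encrypted for the
            // requesting SP; no plain NameID is set on the success path.
            nimResponse.setEncryptedID(getEncryptedID(targetSPNameID, realm, spEntityID, SAML2Constants.SP_ROLE));
            status = SAML2Utils.generateStatus(SAML2Constants.SUCCESS, null);
        }
    }
    nimResponse.setStatus(status);
    signNIMResponse(nimResponse, realm, idpEntityID, false);
    return nimResponse;
}

/**
 * Returns true for a requested target format that is present, non-empty and
 * neither persistent nor unspecified — the only formats this IDP maps.
 */
private static boolean isUnsupportedTargetFormat(String format) {
    return format != null && format.length() != 0
            && !format.equals(SAML2Constants.PERSISTENT)
            && !format.equals(SAML2Constants.UNSPECIFIED);
}

/**
 * Copies the request's NameID and EncryptedID into the response unchanged;
 * used for every reply that performs no mapping.
 */
private static void echoRequestIdentifiers(NameIDMappingResponse nimResponse, NameIDMappingRequest nimRequest) throws SAML2Exception {
    nimResponse.setNameID(nimRequest.getNameID());
    nimResponse.setEncryptedID(nimRequest.getEncryptedID());
}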
Class NameIDMapping, method verifyNIMResponse.
/**
 * Checks the response signature against the remote identity provider's
 * verification certificates taken from its metadata.
 *
 * @param nimResponse the response whose signature is checked
 * @param realm the realm of the hosted service provider
 * @param idpEntityID entity ID of the remote identity provider
 * @return the result of {@code isSignatureValid} over the IDP's certificates
 * @throws SAML2Exception if the metadata yields no verification certificate
 */
private static boolean verifyNIMResponse(NameIDMappingResponse nimResponse, String realm, String idpEntityID) throws SAML2Exception {
    IDPSSODescriptorElement descriptor = metaManager.getIDPSSODescriptor(realm, idpEntityID);
    Set<X509Certificate> verificationCerts = KeyUtil.getVerificationCerts(descriptor, idpEntityID, SAML2Constants.IDP_ROLE);
    if (verificationCerts.isEmpty()) {
        // Without a trust anchor nothing can be verified, so fail closed.
        throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
    }
    boolean signatureValid = nimResponse.isSignatureValid(verificationCerts);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("NameIDMapping.verifyNIMResponse: " + "Signature is : " + signatureValid);
    }
    return signatureValid;
}