
Example 1 with NameIDPolicy

use of com.sun.identity.saml2.protocol.NameIDPolicy in project OpenAM by OpenRock.

Class IDPSSOUtil, method getSubject.

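/**
 * Builds the SAML {@code Subject} for an assertion issued to the given recipient.
 *
 * <p>The method resolves the remote entity and {@code SPNameQualifier} (honouring SP
 * affiliations for both SP-initiated and IdP-initiated SSO), verifies the requested
 * {@code NameID} format against the SP and IdP metadata, reuses an existing federation
 * whose {@code NameID} has the same format, otherwise asks the {@code IDPAccountMapper}
 * for a new {@code NameID} and persists it when the format and policy allow, and finally
 * attaches a {@code SubjectConfirmation} bound to the ACS URL.
 *
 * @param session           the user's session
 * @param authnReq          the {@code AuthnRequest} that triggered SSO, or {@code null}
 *                          for IdP-initiated SSO
 * @param acsURL            the Assertion Consumer Service URL the assertion is bound for
 * @param nameIDFormat      the requested {@code NameID} format; it is passed through
 *                          {@code SAML2Utils.verifyNameIDFormat} before use
 * @param realm             the realm name
 * @param idpEntityID       the entity ID of this identity provider
 * @param recipientEntityID the entity ID of the response recipient
 * @param effectiveTime     the effective time of the assertion, handed to the subject
 *                          confirmation
 * @param affiliationID     the affiliation ID for IdP-initiated SSO, or {@code null}
 * @return the populated {@code Subject}
 * @throws SAML2Exception if the session is invalid, the SP is not a member of the named
 *                        affiliation, SP or IdP metadata is missing, or no subject
 *                        confirmation could be built; thrown as
 *                        {@code SAML2InvalidNameIDPolicyException} when a persistent
 *                        {@code NameID} would have to be created but the request forbids it
 */
private static Subject getSubject(Object session, AuthnRequest authnReq, String acsURL, String nameIDFormat,
        String realm, String idpEntityID, String recipientEntityID, int effectiveTime, String affiliationID)
        throws SAML2Exception {
    String classMethod = "IDPSSOUtil.getSubject: ";
    Subject subject = AssertionFactory.getInstance().createSubject();

    // The principal name is needed both for federation lookup/persistence and for the
    // transient NameID cache; resolve it once instead of querying the session twice.
    boolean ignoreProfile;
    String userName;
    try {
        userName = sessionProvider.getPrincipalName(session);
        ignoreProfile = SAML2Utils.isIgnoreProfileSet(session);
    } catch (SessionException se) {
        SAML2Utils.debug.error(classMethod + "There was a problem with the session.", se);
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
    }

    // AllowCreate defaults to true when the request carries no NameIDPolicy.
    boolean allowCreate = true;
    String remoteEntityID;
    String spNameQualifier = null;
    boolean isAffiliation = false;
    if (authnReq != null) {
        // SP-initiated SSO: the remote entity is the Issuer unless it acts for an affiliation.
        remoteEntityID = authnReq.getIssuer().getValue();
        NameIDPolicy nameIDPolicy = authnReq.getNameIDPolicy();
        if (nameIDPolicy != null) {
            allowCreate = nameIDPolicy.isAllowCreate();
            spNameQualifier = nameIDPolicy.getSPNameQualifier();
            if (spNameQualifier != null && !spNameQualifier.isEmpty()) {
                // An SPNameQualifier that names an affiliation is only honoured when the
                // requesting SP is actually listed as a member of it.
                AffiliationDescriptorType affiDesc = metaManager.getAffiliationDescriptor(realm, spNameQualifier);
                if (affiDesc != null) {
                    if (!affiDesc.getAffiliateMember().contains(remoteEntityID)) {
                        throw new SAML2Exception(SAML2Utils.bundle.getString("spNotAffiliationMember"));
                    }
                    isAffiliation = true;
                    remoteEntityID = spNameQualifier;
                }
            } else {
                spNameQualifier = recipientEntityID;
            }
        }
    } else if (affiliationID != null) {
        // IdP-initiated SSO on behalf of an affiliation: the recipient must be a member.
        AffiliationDescriptorType affiDesc = metaManager.getAffiliationDescriptor(realm, affiliationID);
        if (affiDesc == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("affiliationNotFound"));
        }
        if (!affiDesc.getAffiliateMember().contains(recipientEntityID)) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("spNotAffiliationMember"));
        }
        isAffiliation = true;
        remoteEntityID = affiliationID;
        spNameQualifier = affiliationID;
    } else {
        // IdP-initiated SSO to a single SP.
        remoteEntityID = recipientEntityID;
        spNameQualifier = recipientEntityID;
    }

    SPSSODescriptorElement spsso = getSPSSODescriptor(realm, recipientEntityID, classMethod);
    if (spsso == null) {
        String[] data = { recipientEntityID };
        LogUtil.error(Level.INFO, LogUtil.SP_METADATA_ERROR, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    IDPSSODescriptorElement idpsso = metaManager.getIDPSSODescriptor(realm, idpEntityID);
    if (idpsso == null) {
        String[] data = { idpEntityID };
        LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }

    // The requested format is not trusted as-is; it is checked against both descriptors.
    nameIDFormat = SAML2Utils.verifyNameIDFormat(nameIDFormat, spsso, idpsso);
    boolean isTransient = SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(nameIDFormat);
    boolean isPersistent = SAML2Constants.PERSISTENT.equals(nameIDFormat);
    IDPAccountMapper idpAccountMapper = SAML2Utils.getIDPAccountMapper(realm, idpEntityID);

    // Use-cases for NameID persistence:
    // * persistent NameID -> the NameID MUST be stored
    // * transient NameID -> the NameID MUST NOT be stored
    // * ignored user profile mode -> the NameID CANNOT be stored
    // * any other case -> the NameID MAY be stored, decided by the account mapper
    boolean shouldPersistNameID = isPersistent
            || (!isTransient && !ignoreProfile
                && idpAccountMapper.shouldPersistNameIDFormat(realm, idpEntityID, remoteEntityID, nameIDFormat));

    NameIDInfo nameIDInfo;
    NameID nameID = null;
    if (shouldPersistNameID) {
        // Reuse an existing federation only if it was established with the same format;
        // otherwise drop it together with its IDP federation-session entry.
        nameIDInfo = AccountUtils.getAccountFederation(userName, idpEntityID, remoteEntityID);
        if (nameIDInfo != null) {
            nameID = nameIDInfo.getNameID();
            if (!nameIDFormat.equals(nameID.getFormat())) {
                AccountUtils.removeAccountFederation(nameIDInfo, userName);
                DoManageNameID.removeIDPFedSession(remoteEntityID, nameID.getValue());
                nameID = null;
            }
        }
    }

    if (nameID == null) {
        // A persistent identifier cannot be minted when the SP's policy forbids creation.
        if (!allowCreate && isPersistent) {
            throw new SAML2InvalidNameIDPolicyException(SAML2Utils.bundle.getString("cannotCreateNameID"));
        }
        nameID = idpAccountMapper.getNameID(session, idpEntityID, spNameQualifier, realm, nameIDFormat);
        SAML2Utils.debug.message(classMethod + " shouldPersistNameID = " + shouldPersistNameID);
        if (shouldPersistNameID && allowCreate) {
            // Write federation info into the persistent datastore; a dual-role deployment
            // is recorded with the DUAL_ROLE marker and never flagged as an affiliation.
            if (SAML2Utils.isDualRole(idpEntityID, realm)) {
                nameIDInfo = new NameIDInfo(idpEntityID, remoteEntityID, nameID, SAML2Constants.DUAL_ROLE, false);
            } else {
                nameIDInfo = new NameIDInfo(idpEntityID, remoteEntityID, nameID, SAML2Constants.IDP_ROLE, isAffiliation);
            }
            AccountUtils.setAccountFederation(nameIDInfo, userName);
        }
    }
    subject.setNameID(nameID);
    if (isTransient) {
        // Transient identifiers are never persisted, so keep an in-memory mapping from the
        // transient value back to the user for later lookups.
        IDPCache.userIDByTransientNameIDValue.put(nameID.getValue(), userName);
    }

    String inResponseTo = (authnReq != null) ? authnReq.getID() : null;
    SubjectConfirmation sc = getSubjectConfirmation(inResponseTo, acsURL, effectiveTime);
    if (sc == null) {
        SAML2Utils.debug.error(classMethod + "Unable to get subject confirmation");
        throw new SAML2Exception(SAML2Utils.bundle.getString("noSubjectConfirmation"));
    }
    List<SubjectConfirmation> confirmations = new ArrayList<SubjectConfirmation>();
    confirmations.add(sc);
    subject.setSubjectConfirmation(confirmations);
    return subject;
}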

Example 2 with NameIDPolicy

use of com.sun.identity.saml2.protocol.NameIDPolicy in project OpenAM by OpenRock.

Class ECPRequestImpl, method parseElement.

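/**
 * Populates this request from the DOM {@code Request} element of an ECP message.
 *
 * <p>The element must have the local name {@code REQUEST} and live in the ECP namespace.
 * The SOAP-envelope {@code mustUnderstand} and {@code actor} attributes and the unqualified
 * {@code ProviderName} and {@code IsPassive} attributes are read first; child elements are
 * then limited to {@code Issuer} and {@code IDPList}, each passed through its validator
 * before being parsed. Any other child element rejects the whole request, and
 * {@code validateData()} runs last.
 *
 * @param element the DOM element to parse
 * @throws SAML2Exception if the element is {@code null}, has the wrong local name or
 *                        namespace, contains an unexpected child element, or fails
 *                        validation
 */
private void parseElement(Element element) throws SAML2Exception {
    if (element == null) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("ECPRequestImpl.parseElement:" + " Input is null.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
    }
    // Reject anything that is not an ecp:Request before reading any attribute from it.
    String localName = element.getLocalName();
    if (!REQUEST.equals(localName)) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("ECPRequestImpl.parseElement:" + " element local name should be " + REQUEST);
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidECPRequest"));
    }
    String namespaceURI = element.getNamespaceURI();
    if (!SAML2Constants.ECP_NAMESPACE.equals(namespaceURI)) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("ECPRequestImpl.parseElement:" + " element namespace should be " + SAML2Constants.ECP_NAMESPACE);
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidECPNamesapce"));
    }
    // SOAP header attributes are namespace-qualified; the ECP attributes are read unqualified.
    String str = XMLUtils.getNodeAttributeValueNS(element, SAML2Constants.SOAP_ENV_NAMESPACE, SAML2Constants.MUST_UNDERSTAND);
    mustUnderstand = SAML2SDKUtils.StringToBoolean(str);
    actor = XMLUtils.getNodeAttributeValueNS(element, SAML2Constants.SOAP_ENV_NAMESPACE, SAML2Constants.ACTOR);
    providerName = XMLUtils.getNodeAttributeValue(element, SAML2Constants.PROVIDER_NAME);
    str = XMLUtils.getNodeAttributeValue(element, SAML2Constants.ISPASSIVE);
    isPassive = SAML2SDKUtils.StringToBoolean(str);

    NodeList nList = element.getChildNodes();
    int childCount = (nList == null) ? 0 : nList.getLength();
    for (int i = 0; i < childCount; i++) {
        Node childNode = nList.item(i);
        if (childNode.getNodeType() != Node.ELEMENT_NODE) {
            continue;
        }
        // getLocalName() is null for nodes created without namespace support; keep the
        // constant on the left so such a node is rejected below instead of throwing an NPE.
        String cName = childNode.getLocalName();
        if (SAML2Constants.ISSUER.equals(cName)) {
            validateIssuer();
            issuer = AssertionFactory.getInstance().createIssuer((Element) childNode);
        } else if (SAML2Constants.IDPLIST.equals(cName)) {
            validateIDPList();
            idpList = ProtocolFactory.getInstance().createIDPList((Element) childNode);
        } else {
            if (SAML2SDKUtils.debug.messageEnabled()) {
                SAML2SDKUtils.debug.message("ECPRequestImpl.parseElement: " + "ECP Request has invalid child element");
            }
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidElementECPReq"));
        }
    }
    validateData();
}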

Example 3 with NameIDPolicy

use of com.sun.identity.saml2.protocol.NameIDPolicy in project OpenAM by OpenRock.

Class SPSSOFederate, method createAuthnRequest.

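/**
 * Creates an {@code AuthnRequest} for the given service provider.
 *
 * <p>Values are taken from the request parameters and, where absent, from the SP
 * configuration attributes. The assertion consumer service URL and protocol binding are
 * resolved from the SP metadata, and the binding is checked against the SP's supported ACS
 * bindings before the request is assembled. {@code Destination} and the ACS URL are
 * escaped before being set. When IDP proxying is enabled in the SP configuration, a
 * {@code Scoping} element carrying the proxy count and IDP list is added.
 *
 * @param realmName      the authentication realm for this request
 * @param spEntityID     the entity ID of the service provider
 * @param paramsMap      the request parameters
 * @param spConfigMap    the configuration attributes of the service provider
 * @param extensionsList a list of extensions for the authentication request
 * @param spsso          the {@code SPSSODescriptorElement} for the service provider
 * @param idpsso         the {@code IDPSSODescriptorElement} for the identity provider
 * @param ssourl         the single sign-on URL, used as {@code Destination} when none is
 *                       supplied in {@code paramsMap} (not set at all for ECP)
 * @param isForECP       {@code true} if the request originated from an ECP client; this
 *                       forces the PAOS binding and omits {@code Destination}
 * @return a new, populated {@code AuthnRequest}
 * @throws SAML2Exception if a request ID cannot be generated, the resolved binding is not
 *                        supported by the SP, or one of the helpers fails
 */
public static AuthnRequest createAuthnRequest(final String realmName, final String spEntityID, final Map paramsMap,
        final Map spConfigMap, final List extensionsList, final SPSSODescriptorElement spsso,
        final IDPSSODescriptorElement idpsso, final String ssourl, final boolean isForECP) throws SAML2Exception {
    // generate unique request ID
    String requestID = SAML2Utils.generateID();
    if ((requestID == null) || requestID.isEmpty()) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("cannotGenerateID"));
    }
    // retrieve data from the params map and if not found get
    // default values from the SPConfig Attributes
    // destinationURI required if message is signed.
    String destinationURI = getParameter(paramsMap, SAML2Constants.DESTINATION);
    Boolean isPassive = doPassive(paramsMap, spConfigMap);
    Boolean isforceAuthn = isForceAuthN(paramsMap, spConfigMap);
    boolean allowCreate = isAllowCreate(paramsMap, spConfigMap);
    boolean includeRequestedAuthnContextFlag = includeRequestedAuthnContext(paramsMap, spConfigMap);
    String consent = getParameter(paramsMap, SAML2Constants.CONSENT);
    Extensions extensions = createExtensions(extensionsList);
    String nameIDPolicyFormat = getParameter(paramsMap, SAML2Constants.NAMEID_POLICY_FORMAT);
    // get NameIDPolicy Element
    NameIDPolicy nameIDPolicy = createNameIDPolicy(spEntityID, nameIDPolicyFormat, allowCreate, spsso, idpsso, realmName, paramsMap);
    Issuer issuer = createIssuer(spEntityID);
    Integer acsIndex = getIndex(paramsMap, SAML2Constants.ACS_URL_INDEX);
    Integer attrIndex = getIndex(paramsMap, SAML2Constants.ATTR_INDEX);
    // ECP always uses PAOS; otherwise the caller may request a binding. getACSUrl returns the
    // ACS URL together with the binding that will actually be used.
    String protocolBinding = isForECP ? SAML2Constants.PAOS : getParameter(paramsMap, "binding");
    OrderedSet acsSet = getACSUrl(spsso, protocolBinding);
    String acsURL = (String) acsSet.get(0);
    protocolBinding = (String) acsSet.get(1);
    if (!SAML2Utils.isSPProfileBindingSupported(realmName, spEntityID, SAML2Constants.ACS_SERVICE, protocolBinding)) {
        SAML2Utils.debug.error("SPSSOFederate.createAuthnRequest: " + protocolBinding + " is not supported for " + spEntityID);
        String[] data = { spEntityID, protocolBinding };
        LogUtil.error(Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    AuthnRequest authnReq = ProtocolFactory.getInstance().createAuthnRequest();
    if (!isForECP) {
        // Destination falls back to the SSO URL; either value is escaped before it enters the XML.
        String destination = (destinationURI == null || destinationURI.isEmpty()) ? ssourl : destinationURI;
        authnReq.setDestination(XMLUtils.escapeSpecialCharacters(destination));
    }
    authnReq.setConsent(consent);
    authnReq.setIsPassive(isPassive);
    authnReq.setForceAuthn(isforceAuthn);
    authnReq.setAttributeConsumingServiceIndex(attrIndex);
    authnReq.setAssertionConsumerServiceIndex(acsIndex);
    authnReq.setAssertionConsumerServiceURL(XMLUtils.escapeSpecialCharacters(acsURL));
    authnReq.setProtocolBinding(protocolBinding);
    authnReq.setIssuer(issuer);
    authnReq.setNameIDPolicy(nameIDPolicy);
    if (includeRequestedAuthnContextFlag) {
        authnReq.setRequestedAuthnContext(createReqAuthnContext(realmName, spEntityID, paramsMap, spConfigMap));
    }
    if (extensions != null) {
        authnReq.setExtensions(extensions);
    }
    // Required attributes in authn request
    authnReq.setID(requestID);
    authnReq.setVersion(SAML2Constants.VERSION_2_0);
    authnReq.setIssueInstant(new Date());
    // IDP Proxy
    Boolean enableIDPProxy = getAttrValueFromMap(spConfigMap, SAML2Constants.ENABLE_IDP_PROXY);
    if ((enableIDPProxy != null) && enableIDPProxy.booleanValue()) {
        authnReq.setScoping(createProxyScoping(spConfigMap));
    }
    return authnReq;
}

/**
 * Builds the IDP-proxy {@code Scoping} element from the SP configuration.
 *
 * <p>The proxy count is set only when {@code IDP_PROXY_COUNT} is present and non-empty;
 * the {@code IDPList} is set only when {@code IDP_PROXY_LIST} holds at least one provider ID.
 *
 * @param spConfigMap the configuration attributes of the service provider
 * @return the populated {@code Scoping} element
 * @throws SAML2Exception if the protocol factory fails to create an element
 */
private static Scoping createProxyScoping(final Map spConfigMap) throws SAML2Exception {
    Scoping scoping = ProtocolFactory.getInstance().createScoping();
    String proxyCountParam = getParameter(spConfigMap, SAML2Constants.IDP_PROXY_COUNT);
    if (proxyCountParam != null && !proxyCountParam.isEmpty()) {
        scoping.setProxyCount(Integer.valueOf(proxyCountParam));
    }
    List proxyIDPs = (List) spConfigMap.get(SAML2Constants.IDP_PROXY_LIST);
    if (proxyIDPs != null && !proxyIDPs.isEmpty()) {
        ArrayList<IDPEntry> entries = new ArrayList<IDPEntry>();
        for (Object providerID : proxyIDPs) {
            IDPEntry entry = ProtocolFactory.getInstance().createIDPEntry();
            entry.setProviderID((String) providerID);
            entries.add(entry);
        }
        IDPList idpList = ProtocolFactory.getInstance().createIDPList();
        idpList.setIDPEntries(entries);
        scoping.setIDPList(idpList);
    }
    return scoping;
}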

Example 4 with NameIDPolicy

use of com.sun.identity.saml2.protocol.NameIDPolicy in project OpenAM by OpenRock.

Class SPSSOFederate, method createNameIDPolicy.

/**
 * Creates the {@code NameIDPolicy} element for an {@code AuthnRequest}.
 *
 * <p>The requested format is first checked against the SP and IDP metadata. If the request
 * parameters name an affiliation, the SP must be one of its members and the affiliation ID
 * becomes the {@code SPNameQualifier}; otherwise the SP's own entity ID is used.
 *
 * @param spEntityID  the entity ID of the requesting service provider
 * @param format      the requested {@code NameID} format
 * @param allowCreate whether the IDP may create a new identifier for the principal
 * @param spsso       the SP metadata descriptor
 * @param idpsso      the IDP metadata descriptor
 * @param realm       the realm in which the affiliation is looked up
 * @param paramsMap   the request parameters, consulted for {@code AFFILIATION_ID}
 * @return the populated {@code NameIDPolicy}
 * @throws SAML2Exception if the format cannot be verified, the affiliation is unknown, or
 *                        the SP is not a member of it
 */
private static NameIDPolicy createNameIDPolicy(String spEntityID, String format, boolean allowCreate,
        SPSSODescriptorElement spsso, IDPSSODescriptorElement idpsso, String realm, Map paramsMap)
        throws SAML2Exception {
    String verifiedFormat = SAML2Utils.verifyNameIDFormat(format, spsso, idpsso);
    NameIDPolicy policy = ProtocolFactory.getInstance().createNameIDPolicy();
    String affiliationID = getParameter(paramsMap, SAML2Constants.AFFILIATION_ID);

    // Default qualifier is the SP itself; an affiliation overrides it once membership is proven.
    String spNameQualifier = spEntityID;
    if (affiliationID != null) {
        AffiliationDescriptorType affiDesc = sm.getAffiliationDescriptor(realm, affiliationID);
        if (affiDesc == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("affiliationNotFound"));
        }
        if (!affiDesc.getAffiliateMember().contains(spEntityID)) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("spNotAffiliationMember"));
        }
        spNameQualifier = affiliationID;
    }

    policy.setSPNameQualifier(spNameQualifier);
    policy.setAllowCreate(allowCreate);
    policy.setFormat(verifiedFormat);
    return policy;
}

Example 5 with NameIDPolicy

use of com.sun.identity.saml2.protocol.NameIDPolicy in project OpenAM by OpenRock.

Class NameIDMappingRequestImpl, method parseDOMChileElements.

/**
 * Parses the child elements of this request's document element.
 *
 * <p>After the superclass has consumed its own children, two further elements are expected
 * in order: an identifier ({@code BaseID}, {@code NameID} or {@code EncryptedID}) followed
 * by a {@code NameIDPolicy}. A missing or differently named element at either position is
 * an error.
 *
 * @param iter the child element iterator, positioned after any already-consumed elements
 * @throws SAML2Exception if the identifier or the {@code NameIDPolicy} is missing or has an
 *                        unexpected local name
 */
protected void parseDOMChileElements(ListIterator iter) throws SAML2Exception {
    super.parseDOMChileElements(iter);
    AssertionFactory assertionFactory = AssertionFactory.getInstance();

    // First mandatory child: one of the three identifier forms.
    if (!iter.hasNext()) {
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nameIDMReqWrongID"));
    }
    Element idElement = (Element) iter.next();
    String idName = idElement.getLocalName();
    if (SAML2Constants.BASEID.equals(idName)) {
        baseID = assertionFactory.createBaseID(idElement);
    } else if (SAML2Constants.NAMEID.equals(idName)) {
        nameID = assertionFactory.createNameID(idElement);
    } else if (SAML2Constants.ENCRYPTEDID.equals(idName)) {
        encryptedID = assertionFactory.createEncryptedID(idElement);
    } else {
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nameIDMReqWrongID"));
    }

    // Second mandatory child: the NameIDPolicy.
    if (!iter.hasNext()) {
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nameIDMReqMissingNameIDPolicy"));
    }
    Element policyElement = (Element) iter.next();
    if (!SAML2Constants.NAMEID_POLICY.equals(policyElement.getLocalName())) {
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nameIDMReqMissingNameIDPolicy"));
    }
    nameIDPolicy = ProtocolFactory.getInstance().createNameIDPolicy(policyElement);
}
