Example 1 with NameIDPolicy
use of com.sun.identity.saml2.protocol.NameIDPolicy in project OpenAM by OpenRock.
the class IDPSSOUtil method getSubject.
/**
* Returns a <code>SAML Subject</code> object
*
* @param session the user's session
* @param authnReq the <code>AuthnRequest</code> object
* @param acsURL the <code>ACS</code> service <code>url</code>
* @param nameIDFormat the <code>NameIDFormat</code>
* @param realm The realm name
* @param idpEntityID the entity id of the identity provider
* @param recipientEntityID the entity id of the response recipient
* @param effectiveTime the effective time of the assertion
* @param affiliationID affiliationID for IDP initiated SSO
* @return the <code>SAML Subject</code> object
* @throws SAML2Exception if the operation is not successful
*/
private static Subject getSubject(Object session, AuthnRequest authnReq, String acsURL, String nameIDFormat, String realm, String idpEntityID, String recipientEntityID, int effectiveTime, String affiliationID) throws SAML2Exception {
String classMethod = "IDPSSOUtil.getSubject: ";
Subject subject = AssertionFactory.getInstance().createSubject();
boolean ignoreProfile = false;
String userName = null;
try {
userName = sessionProvider.getPrincipalName(session);
ignoreProfile = SAML2Utils.isIgnoreProfileSet(session);
} catch (SessionException se) {
SAML2Utils.debug.error(classMethod + "There was a problem with the session.", se);
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
}
// allow create is the default
boolean allowCreate = true;
String remoteEntityID = null;
String spNameQualifier = null;
boolean isAffiliation = false;
if (authnReq != null) {
remoteEntityID = authnReq.getIssuer().getValue();
NameIDPolicy nameIDPolicy = authnReq.getNameIDPolicy();
if (nameIDPolicy != null) {
// this will take care of affiliation
allowCreate = nameIDPolicy.isAllowCreate();
spNameQualifier = nameIDPolicy.getSPNameQualifier();
if (spNameQualifier != null && !spNameQualifier.isEmpty()) {
AffiliationDescriptorType affiDesc = metaManager.getAffiliationDescriptor(realm, spNameQualifier);
if (affiDesc != null) {
if (affiDesc.getAffiliateMember().contains(remoteEntityID)) {
isAffiliation = true;
remoteEntityID = spNameQualifier;
} else {
throw new SAML2Exception(SAML2Utils.bundle.getString("spNotAffiliationMember"));
}
}
} else {
spNameQualifier = recipientEntityID;
}
}
} else {
// IDP initialted SSO
if (affiliationID != null) {
AffiliationDescriptorType affiDesc = metaManager.getAffiliationDescriptor(realm, affiliationID);
if (affiDesc == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("affiliationNotFound"));
}
if (affiDesc.getAffiliateMember().contains(recipientEntityID)) {
isAffiliation = true;
remoteEntityID = affiliationID;
spNameQualifier = affiliationID;
} else {
throw new SAML2Exception(SAML2Utils.bundle.getString("spNotAffiliationMember"));
}
} else {
remoteEntityID = recipientEntityID;
spNameQualifier = recipientEntityID;
}
}
SPSSODescriptorElement spsso = getSPSSODescriptor(realm, recipientEntityID, classMethod);
if (spsso == null) {
String[] data = { recipientEntityID };
LogUtil.error(Level.INFO, LogUtil.SP_METADATA_ERROR, data, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
IDPSSODescriptorElement idpsso = metaManager.getIDPSSODescriptor(realm, idpEntityID);
if (idpsso == null) {
String[] data = { idpEntityID };
LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
nameIDFormat = SAML2Utils.verifyNameIDFormat(nameIDFormat, spsso, idpsso);
boolean isTransient = SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(nameIDFormat);
boolean isPersistent = SAML2Constants.PERSISTENT.equals(nameIDFormat);
NameIDInfo nameIDInfo;
NameID nameID = null;
IDPAccountMapper idpAccountMapper = SAML2Utils.getIDPAccountMapper(realm, idpEntityID);
//Use-cases for NameID persistence:
//* persistent NameID -> The NameID MUST be stored
//* transient NameID -> The NameID MUST NOT be stored
//* ignored user profile mode -> The NameID CANNOT be stored
//* for any other cases -> The NameID MAY be stored based on customizable logic
boolean shouldPersistNameID = isPersistent || (!isTransient && !ignoreProfile && idpAccountMapper.shouldPersistNameIDFormat(realm, idpEntityID, remoteEntityID, nameIDFormat));
if (!isTransient) {
String userID;
try {
userID = sessionProvider.getPrincipalName(session);
} catch (SessionException se) {
SAML2Utils.debug.error(classMethod + "Unable to get principal name from the session.", se);
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
}
if (isPersistent || shouldPersistNameID) {
nameIDInfo = AccountUtils.getAccountFederation(userID, idpEntityID, remoteEntityID);
if (nameIDInfo != null) {
nameID = nameIDInfo.getNameID();
if (!nameIDFormat.equals(nameID.getFormat())) {
AccountUtils.removeAccountFederation(nameIDInfo, userID);
DoManageNameID.removeIDPFedSession(remoteEntityID, nameID.getValue());
nameID = null;
}
}
}
}
if (nameID == null) {
if (!allowCreate && isPersistent) {
throw new SAML2InvalidNameIDPolicyException(SAML2Utils.bundle.getString("cannotCreateNameID"));
}
nameID = idpAccountMapper.getNameID(session, idpEntityID, spNameQualifier, realm, nameIDFormat);
SAML2Utils.debug.message(classMethod + " shouldPersistNameID = " + shouldPersistNameID);
if (shouldPersistNameID && allowCreate) {
// write federation info into the persistent datastore
if (SAML2Utils.isDualRole(idpEntityID, realm)) {
nameIDInfo = new NameIDInfo(idpEntityID, remoteEntityID, nameID, SAML2Constants.DUAL_ROLE, false);
} else {
nameIDInfo = new NameIDInfo(idpEntityID, remoteEntityID, nameID, SAML2Constants.IDP_ROLE, isAffiliation);
}
AccountUtils.setAccountFederation(nameIDInfo, userName);
}
}
subject.setNameID(nameID);
if (isTransient) {
IDPCache.userIDByTransientNameIDValue.put(nameID.getValue(), userName);
}
String inResponseTo = null;
if (authnReq != null) {
inResponseTo = authnReq.getID();
}
SubjectConfirmation sc = getSubjectConfirmation(inResponseTo, acsURL, effectiveTime);
if (sc == null) {
SAML2Utils.debug.error(classMethod + "Unable to get subject confirmation");
throw new SAML2Exception(SAML2Utils.bundle.getString("noSubjectConfirmation"));
}
List list = new ArrayList();
list.add(sc);
subject.setSubjectConfirmation(list);
return subject;
}
Also used :
NameIDInfo(com.sun.identity.saml2.common.NameIDInfo)
IDPAccountMapper(com.sun.identity.saml2.plugins.IDPAccountMapper)
NameIDPolicy(com.sun.identity.saml2.protocol.NameIDPolicy)
NameID(com.sun.identity.saml2.assertion.NameID)
SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)
ArrayList(java.util.ArrayList)
SessionException(com.sun.identity.plugin.session.SessionException)
AffiliationDescriptorType(com.sun.identity.saml2.jaxb.metadata.AffiliationDescriptorType)
Subject(com.sun.identity.saml2.assertion.Subject)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
SubjectConfirmation(com.sun.identity.saml2.assertion.SubjectConfirmation)
List(java.util.List)
ArrayList(java.util.ArrayList)
SAML2InvalidNameIDPolicyException(com.sun.identity.saml2.common.SAML2InvalidNameIDPolicyException)
IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)
Example 2 with NameIDPolicy
use of com.sun.identity.saml2.protocol.NameIDPolicy in project OpenAM by OpenRock.
the class ECPRequestImpl method parseElement.
/* Parses the NameIDPolicy Element */
private void parseElement(Element element) throws SAML2Exception {
if (element == null) {
if (SAML2SDKUtils.debug.messageEnabled()) {
SAML2SDKUtils.debug.message("ECPRequestImpl.parseElement:" + " Input is null.");
}
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
}
String localName = element.getLocalName();
if (!REQUEST.equals(localName)) {
if (SAML2SDKUtils.debug.messageEnabled()) {
SAML2SDKUtils.debug.message("ECPRequestImpl.parseElement:" + " element local name should be " + REQUEST);
}
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidECPRequest"));
}
String namespaceURI = element.getNamespaceURI();
if (!SAML2Constants.ECP_NAMESPACE.equals(namespaceURI)) {
if (SAML2SDKUtils.debug.messageEnabled()) {
SAML2SDKUtils.debug.message("ECPRequestImpl.parseElement:" + " element namespace should be " + SAML2Constants.ECP_NAMESPACE);
}
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidECPNamesapce"));
}
String str = XMLUtils.getNodeAttributeValueNS(element, SAML2Constants.SOAP_ENV_NAMESPACE, SAML2Constants.MUST_UNDERSTAND);
mustUnderstand = SAML2SDKUtils.StringToBoolean(str);
actor = XMLUtils.getNodeAttributeValueNS(element, SAML2Constants.SOAP_ENV_NAMESPACE, SAML2Constants.ACTOR);
providerName = XMLUtils.getNodeAttributeValue(element, SAML2Constants.PROVIDER_NAME);
str = XMLUtils.getNodeAttributeValue(element, SAML2Constants.ISPASSIVE);
isPassive = SAML2SDKUtils.StringToBoolean(str);
NodeList nList = element.getChildNodes();
if ((nList != null) && (nList.getLength() > 0)) {
for (int i = 0; i < nList.getLength(); i++) {
Node childNode = nList.item(i);
if (childNode.getNodeType() != Node.ELEMENT_NODE) {
continue;
}
String cName = childNode.getLocalName();
if (cName.equals(SAML2Constants.ISSUER)) {
validateIssuer();
issuer = AssertionFactory.getInstance().createIssuer((Element) childNode);
} else if (cName.equals(SAML2Constants.IDPLIST)) {
validateIDPList();
idpList = ProtocolFactory.getInstance().createIDPList((Element) childNode);
} else {
if (SAML2SDKUtils.debug.messageEnabled()) {
SAML2SDKUtils.debug.message("ECPRequestImpl.parseElement: " + "ECP Request has invalid child element");
}
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidElementECPReq"));
}
}
}
validateData();
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
NodeList(org.w3c.dom.NodeList)
Node(org.w3c.dom.Node)
Element(org.w3c.dom.Element)
Example 3 with NameIDPolicy
use of com.sun.identity.saml2.protocol.NameIDPolicy in project OpenAM by OpenRock.
the class SPSSOFederate method createAuthnRequest.
/**
* Create an AuthnRequest.
*
* @param realmName the authentication realm for this request
* @param spEntityID the entity id for the service provider
* @param paramsMap the map of parameters for the authentication request
* @param spConfigMap the configuration map for the service provider
* @param extensionsList a list of extendsions for the authentication request
* @param spsso the SPSSODescriptorElement for theservcie provider
* @param idpsso the IDPSSODescriptorElement for the identity provider
* @param ssourl the url for the single sign on request
* @param isForECP boolean to indicatge if the request originated from an ECP
* @return a new AuthnRequest object
* @throws SAML2Exception
*/
public static AuthnRequest createAuthnRequest(final String realmName, final String spEntityID, final Map paramsMap, final Map spConfigMap, final List extensionsList, final SPSSODescriptorElement spsso, final IDPSSODescriptorElement idpsso, final String ssourl, final boolean isForECP) throws SAML2Exception {
// generate unique request ID
String requestID = SAML2Utils.generateID();
if ((requestID == null) || (requestID.length() == 0)) {
throw new SAML2Exception(SAML2Utils.bundle.getString("cannotGenerateID"));
}
// retrieve data from the params map and if not found get
// default values from the SPConfig Attributes
// destinationURI required if message is signed.
String destinationURI = getParameter(paramsMap, SAML2Constants.DESTINATION);
Boolean isPassive = doPassive(paramsMap, spConfigMap);
Boolean isforceAuthn = isForceAuthN(paramsMap, spConfigMap);
boolean allowCreate = isAllowCreate(paramsMap, spConfigMap);
boolean includeRequestedAuthnContextFlag = includeRequestedAuthnContext(paramsMap, spConfigMap);
String consent = getParameter(paramsMap, SAML2Constants.CONSENT);
Extensions extensions = createExtensions(extensionsList);
String nameIDPolicyFormat = getParameter(paramsMap, SAML2Constants.NAMEID_POLICY_FORMAT);
// get NameIDPolicy Element
NameIDPolicy nameIDPolicy = createNameIDPolicy(spEntityID, nameIDPolicyFormat, allowCreate, spsso, idpsso, realmName, paramsMap);
Issuer issuer = createIssuer(spEntityID);
Integer acsIndex = getIndex(paramsMap, SAML2Constants.ACS_URL_INDEX);
Integer attrIndex = getIndex(paramsMap, SAML2Constants.ATTR_INDEX);
String protocolBinding = isForECP ? SAML2Constants.PAOS : getParameter(paramsMap, "binding");
OrderedSet acsSet = getACSUrl(spsso, protocolBinding);
String acsURL = (String) acsSet.get(0);
protocolBinding = (String) acsSet.get(1);
if (!SAML2Utils.isSPProfileBindingSupported(realmName, spEntityID, SAML2Constants.ACS_SERVICE, protocolBinding)) {
SAML2Utils.debug.error("SPSSOFederate.createAuthnRequest:" + protocolBinding + "is not supported for " + spEntityID);
String[] data = { spEntityID, protocolBinding };
LogUtil.error(Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
}
AuthnRequest authnReq = ProtocolFactory.getInstance().createAuthnRequest();
if (!isForECP) {
if ((destinationURI == null) || (destinationURI.length() == 0)) {
authnReq.setDestination(XMLUtils.escapeSpecialCharacters(ssourl));
} else {
authnReq.setDestination(XMLUtils.escapeSpecialCharacters(destinationURI));
}
}
authnReq.setConsent(consent);
authnReq.setIsPassive(isPassive);
authnReq.setForceAuthn(isforceAuthn);
authnReq.setAttributeConsumingServiceIndex(attrIndex);
authnReq.setAssertionConsumerServiceIndex(acsIndex);
authnReq.setAssertionConsumerServiceURL(XMLUtils.escapeSpecialCharacters(acsURL));
authnReq.setProtocolBinding(protocolBinding);
authnReq.setIssuer(issuer);
authnReq.setNameIDPolicy(nameIDPolicy);
if (includeRequestedAuthnContextFlag) {
authnReq.setRequestedAuthnContext(createReqAuthnContext(realmName, spEntityID, paramsMap, spConfigMap));
}
if (extensions != null) {
authnReq.setExtensions(extensions);
}
// Required attributes in authn request
authnReq.setID(requestID);
authnReq.setVersion(SAML2Constants.VERSION_2_0);
authnReq.setIssueInstant(new Date());
//IDP Proxy
Boolean enableIDPProxy = getAttrValueFromMap(spConfigMap, SAML2Constants.ENABLE_IDP_PROXY);
if ((enableIDPProxy != null) && enableIDPProxy.booleanValue()) {
Scoping scoping = ProtocolFactory.getInstance().createScoping();
String proxyCountParam = getParameter(spConfigMap, SAML2Constants.IDP_PROXY_COUNT);
if (proxyCountParam != null && (!proxyCountParam.equals(""))) {
scoping.setProxyCount(new Integer(proxyCountParam));
}
List proxyIDPs = (List) spConfigMap.get(SAML2Constants.IDP_PROXY_LIST);
if (proxyIDPs != null && !proxyIDPs.isEmpty()) {
Iterator iter = proxyIDPs.iterator();
ArrayList list = new ArrayList();
while (iter.hasNext()) {
IDPEntry entry = ProtocolFactory.getInstance().createIDPEntry();
entry.setProviderID((String) iter.next());
list.add(entry);
}
IDPList idpList = ProtocolFactory.getInstance().createIDPList();
idpList.setIDPEntries(list);
scoping.setIDPList(idpList);
}
authnReq.setScoping(scoping);
}
return authnReq;
}
Also used :
OrderedSet(com.sun.identity.shared.datastruct.OrderedSet)
NameIDPolicy(com.sun.identity.saml2.protocol.NameIDPolicy)
Issuer(com.sun.identity.saml2.assertion.Issuer)
ArrayList(java.util.ArrayList)
IDPList(com.sun.identity.saml2.protocol.IDPList)
Extensions(com.sun.identity.saml2.protocol.Extensions)
Date(java.util.Date)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
AuthnRequest(com.sun.identity.saml2.protocol.AuthnRequest)
Scoping(com.sun.identity.saml2.protocol.Scoping)
Iterator(java.util.Iterator)
List(java.util.List)
IDPList(com.sun.identity.saml2.protocol.IDPList)
ArrayList(java.util.ArrayList)
IDPEntry(com.sun.identity.saml2.protocol.IDPEntry)
Example 4 with NameIDPolicy
use of com.sun.identity.saml2.protocol.NameIDPolicy in project OpenAM by OpenRock.
the class SPSSOFederate method createNameIDPolicy.
/* Create NameIDPolicy Element */
private static NameIDPolicy createNameIDPolicy(String spEntityID, String format, boolean allowCreate, SPSSODescriptorElement spsso, IDPSSODescriptorElement idpsso, String realm, Map paramsMap) throws SAML2Exception {
format = SAML2Utils.verifyNameIDFormat(format, spsso, idpsso);
NameIDPolicy nameIDPolicy = ProtocolFactory.getInstance().createNameIDPolicy();
String affiliationID = getParameter(paramsMap, SAML2Constants.AFFILIATION_ID);
if (affiliationID != null) {
AffiliationDescriptorType affiDesc = sm.getAffiliationDescriptor(realm, affiliationID);
if (affiDesc == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("affiliationNotFound"));
}
if (!affiDesc.getAffiliateMember().contains(spEntityID)) {
throw new SAML2Exception(SAML2Utils.bundle.getString("spNotAffiliationMember"));
}
nameIDPolicy.setSPNameQualifier(affiliationID);
} else {
nameIDPolicy.setSPNameQualifier(spEntityID);
}
nameIDPolicy.setAllowCreate(allowCreate);
nameIDPolicy.setFormat(format);
return nameIDPolicy;
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
NameIDPolicy(com.sun.identity.saml2.protocol.NameIDPolicy)
AffiliationDescriptorType(com.sun.identity.saml2.jaxb.metadata.AffiliationDescriptorType)
Example 5 with NameIDPolicy
use of com.sun.identity.saml2.protocol.NameIDPolicy in project OpenAM by OpenRock.
the class NameIDMappingRequestImpl method parseDOMChileElements.
/**
* Parses child elements of the Docuemnt Element for this object.
*
* @param iter the child elements iterator.
* @throws SAML2Exception if error parsing the Document Element.
*/
protected void parseDOMChileElements(ListIterator iter) throws SAML2Exception {
super.parseDOMChileElements(iter);
AssertionFactory assertionFactory = AssertionFactory.getInstance();
if (iter.hasNext()) {
Element childElement = (Element) iter.next();
String localName = childElement.getLocalName();
if (SAML2Constants.BASEID.equals(localName)) {
baseID = assertionFactory.createBaseID(childElement);
} else if (SAML2Constants.NAMEID.equals(localName)) {
nameID = assertionFactory.createNameID(childElement);
} else if (SAML2Constants.ENCRYPTEDID.equals(localName)) {
encryptedID = assertionFactory.createEncryptedID(childElement);
} else {
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nameIDMReqWrongID"));
}
} else {
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nameIDMReqWrongID"));
}
if (iter.hasNext()) {
Element childElement = (Element) iter.next();
String localName = childElement.getLocalName();
if (SAML2Constants.NAMEID_POLICY.equals(localName)) {
nameIDPolicy = ProtocolFactory.getInstance().createNameIDPolicy(childElement);
} else {
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nameIDMReqMissingNameIDPolicy"));
}
} else {
throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nameIDMReqMissingNameIDPolicy"));
}
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
AssertionFactory(com.sun.identity.saml2.assertion.AssertionFactory)
Element(org.w3c.dom.Element)
Aggregations
SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)9
NameIDPolicy (com.sun.identity.saml2.protocol.NameIDPolicy)8
SessionException (com.sun.identity.plugin.session.SessionException)3
NameID (com.sun.identity.saml2.assertion.NameID)3
NameIDInfo (com.sun.identity.saml2.common.NameIDInfo)3
ArrayList (java.util.ArrayList)3
Date (java.util.Date)3
List (java.util.List)3
Element (org.w3c.dom.Element)3
AssertionFactory (com.sun.identity.saml2.assertion.AssertionFactory)2
Issuer (com.sun.identity.saml2.assertion.Issuer)2
AffiliationDescriptorType (com.sun.identity.saml2.jaxb.metadata.AffiliationDescriptorType)2
SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)2
IDPAccountMapper (com.sun.identity.saml2.plugins.IDPAccountMapper)2
CacheObject (com.sun.identity.saml2.profile.CacheObject)2
ServerFaultException (com.sun.identity.saml2.profile.ServerFaultException)2
AuthnRequest (com.sun.identity.saml2.protocol.AuthnRequest)2
IDPEntry (com.sun.identity.saml2.protocol.IDPEntry)2
IDPList (com.sun.identity.saml2.protocol.IDPList)2
Scoping (com.sun.identity.saml2.protocol.Scoping)2
