Example 6 with NameIDPolicy
use of com.sun.identity.saml2.protocol.NameIDPolicy in project OpenAM by OpenRock.
the class NameIDMapping method setNameIDForNIMRequest.
private static void setNameIDForNIMRequest(NameIDMappingRequest nimRequest, String realm, String spEntityID, String idpEntityID, String targetSPEntityID, String targetNameIDFormat, String userID) throws SAML2Exception {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("NameIDMapping.setNameIDForNIMRequest: " + "user ID = " + userID);
}
NameID nameID = AssertionFactory.getInstance().createNameID();
NameIDInfo info = AccountUtils.getAccountFederation(userID, spEntityID, idpEntityID);
nameID.setValue(info.getNameIDValue());
nameID.setFormat(info.getFormat());
nameID.setNameQualifier(idpEntityID);
nameID.setSPNameQualifier(spEntityID);
NameIDPolicy nameIDPolicy = ProtocolFactory.getInstance().createNameIDPolicy();
nameIDPolicy.setSPNameQualifier(targetSPEntityID);
nameIDPolicy.setFormat(targetNameIDFormat);
nimRequest.setNameIDPolicy(nameIDPolicy);
boolean needEncryptIt = SAML2Utils.getWantNameIDEncrypted(realm, idpEntityID, SAML2Constants.IDP_ROLE);
if (!needEncryptIt) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("NameIDMapping.setNameIDForNIMRequest: " + "NamID doesn't need to be encrypted.");
}
nimRequest.setNameID(nameID);
return;
}
EncryptedID encryptedID = getEncryptedID(nameID, realm, idpEntityID, SAML2Constants.IDP_ROLE);
nimRequest.setEncryptedID(encryptedID);
}
Also used :
NameIDInfo(com.sun.identity.saml2.common.NameIDInfo)
NameID(com.sun.identity.saml2.assertion.NameID)
NameIDPolicy(com.sun.identity.saml2.protocol.NameIDPolicy)
EncryptedID(com.sun.identity.saml2.assertion.EncryptedID)
Example 7 with NameIDPolicy
use of com.sun.identity.saml2.protocol.NameIDPolicy in project OpenAM by OpenRock.
the class NameIDMapping method processNameIDMappingRequest.
public static NameIDMappingResponse processNameIDMappingRequest(NameIDMappingRequest nimRequest, String realm, String idpEntityID) throws SAML2Exception {
NameIDMappingResponse nimResponse = null;
String spEntityID = nimRequest.getIssuer().getValue();
if (spEntityID == null) {
throw new SAML2Exception(SAML2Utils.bundle.getString("nullSPEntityID"));
}
String responseID = SAML2Utils.generateID();
if (responseID == null) {
SAML2Utils.debug.error(SAML2Utils.bundle.getString("failedToGenResponseID"));
}
nimResponse = pf.createNameIDMappingResponse();
nimResponse.setID(responseID);
nimResponse.setInResponseTo(nimRequest.getID());
nimResponse.setVersion(SAML2Constants.VERSION_2_0);
nimResponse.setIssueInstant(new Date());
nimResponse.setIssuer(SAML2Utils.createIssuer(idpEntityID));
SAML2Utils.verifyRequestIssuer(realm, idpEntityID, nimRequest.getIssuer(), nimRequest.getID());
NameIDPolicy nameIDPolicy = nimRequest.getNameIDPolicy();
String targetSPEntityID = nameIDPolicy.getSPNameQualifier();
String format = nameIDPolicy.getFormat();
Status status = null;
if ((format != null) && (format.length() != 0) && (!format.equals(SAML2Constants.PERSISTENT)) && (!format.equals(SAML2Constants.UNSPECIFIED))) {
nimResponse.setNameID(nimRequest.getNameID());
nimResponse.setEncryptedID(nimRequest.getEncryptedID());
status = SAML2Utils.generateStatus(SAML2Constants.INVALID_NAME_ID_POLICY, SAML2Utils.bundle.getString("targetNameIDFormatUnsupported"));
} else if ((targetSPEntityID == null) || (targetSPEntityID.length() == 0) || targetSPEntityID.equals(spEntityID)) {
nimResponse.setNameID(nimRequest.getNameID());
nimResponse.setEncryptedID(nimRequest.getEncryptedID());
status = SAML2Utils.generateStatus(SAML2Constants.INVALID_NAME_ID_POLICY, SAML2Utils.bundle.getString("targetNameIDNoChange"));
} else {
// check if source SP has account fed
// if yes then get nameid of targetSP
IDPAccountMapper idpAcctMapper = SAML2Utils.getIDPAccountMapper(realm, idpEntityID);
NameID nameID = getNameID(nimRequest, realm, idpEntityID);
String userID = idpAcctMapper.getIdentity(nameID, idpEntityID, spEntityID, realm);
NameIDInfo targetNameIDInfo = null;
if (userID != null) {
targetNameIDInfo = AccountUtils.getAccountFederation(userID, idpEntityID, targetSPEntityID);
}
if (targetNameIDInfo == null) {
nimResponse.setNameID(nimRequest.getNameID());
nimResponse.setEncryptedID(nimRequest.getEncryptedID());
status = SAML2Utils.generateStatus(SAML2Constants.INVALID_NAME_ID_POLICY, SAML2Utils.bundle.getString("targetNameIDNotFound"));
} else {
NameID targetSPNameID = targetNameIDInfo.getNameID();
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("NameIDMapping.processNameIDMappingRequest: " + "User ID = " + userID + ", name ID = " + targetSPNameID.toXMLString(true, true));
}
nimResponse.setEncryptedID(getEncryptedID(targetSPNameID, realm, spEntityID, SAML2Constants.SP_ROLE));
status = SAML2Utils.generateStatus(SAML2Constants.SUCCESS, null);
}
}
nimResponse.setStatus(status);
signNIMResponse(nimResponse, realm, idpEntityID, false);
return nimResponse;
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
Status(com.sun.identity.saml2.protocol.Status)
IDPAccountMapper(com.sun.identity.saml2.plugins.IDPAccountMapper)
NameIDInfo(com.sun.identity.saml2.common.NameIDInfo)
NameIDPolicy(com.sun.identity.saml2.protocol.NameIDPolicy)
NameID(com.sun.identity.saml2.assertion.NameID)
NameIDMappingResponse(com.sun.identity.saml2.protocol.NameIDMappingResponse)
Date(java.util.Date)
Example 8 with NameIDPolicy
use of com.sun.identity.saml2.protocol.NameIDPolicy in project OpenAM by OpenRock.
the class IDPProxyUtil method getNewAuthnRequest.
/**
* Constructs new authentication request by using the original request
* that is sent by the service provider to the proxying IDP.
* @param hostedEntityId hosted provider ID
* @param destination The destination where the new AuthnRequest will be sent to.
* @param realm Realm
* @param origRequest Original Authn Request
* @return AuthnRequest new authn request.
* @exception SAML2Exception for failure in creating new authn request.
* @return AuthnRequest object
*/
private static AuthnRequest getNewAuthnRequest(String hostedEntityId, String destination, String realm, AuthnRequest origRequest) throws SAML2Exception {
String classMethod = "IDPProxyUtil.getNewAuthnRequest: ";
// New Authentication request should only be a single sign-on request.
try {
AuthnRequest newRequest = ProtocolFactory.getInstance().createAuthnRequest();
String requestID = SAML2Utils.generateID();
if (requestID == null || requestID.isEmpty()) {
throw new SAML2Exception(SAML2Utils.bundle.getString("cannotGenerateID"));
}
newRequest.setID(requestID);
SPSSODescriptorElement localDescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(realm, hostedEntityId);
newRequest.setDestination(XMLUtils.escapeSpecialCharacters(destination));
newRequest.setConsent(origRequest.getConsent());
newRequest.setIsPassive(origRequest.isPassive());
newRequest.setForceAuthn(origRequest.isForceAuthn());
newRequest.setAttributeConsumingServiceIndex(origRequest.getAttributeConsumingServiceIndex());
newRequest.setAssertionConsumerServiceIndex(origRequest.getAssertionConsumerServiceIndex());
String protocolBinding = origRequest.getProtocolBinding();
newRequest.setProtocolBinding(protocolBinding);
OrderedSet acsSet = SPSSOFederate.getACSUrl(localDescriptor, protocolBinding);
String acsURL = (String) acsSet.get(0);
newRequest.setAssertionConsumerServiceURL(acsURL);
Issuer issuer = AssertionFactory.getInstance().createIssuer();
issuer.setValue(hostedEntityId);
newRequest.setIssuer(issuer);
NameIDPolicy origNameIDPolicy = origRequest.getNameIDPolicy();
if (origNameIDPolicy != null) {
NameIDPolicy newNameIDPolicy = ProtocolFactory.getInstance().createNameIDPolicy();
newNameIDPolicy.setFormat(origNameIDPolicy.getFormat());
newNameIDPolicy.setSPNameQualifier(hostedEntityId);
newNameIDPolicy.setAllowCreate(origNameIDPolicy.isAllowCreate());
newRequest.setNameIDPolicy(newNameIDPolicy);
}
newRequest.setRequestedAuthnContext(origRequest.getRequestedAuthnContext());
newRequest.setExtensions(origRequest.getExtensions());
newRequest.setIssueInstant(new Date());
newRequest.setVersion(SAML2Constants.VERSION_2_0);
Scoping scoping = origRequest.getScoping();
if (scoping != null) {
Scoping newScoping = ProtocolFactory.getInstance().createScoping();
Integer proxyCountInt = scoping.getProxyCount();
int proxyCount = 1;
if (proxyCountInt != null) {
proxyCount = scoping.getProxyCount().intValue();
newScoping.setProxyCount(new Integer(proxyCount - 1));
}
newScoping.setIDPList(scoping.getIDPList());
newRequest.setScoping(newScoping);
} else {
//handling the alwaysIdpProxy case -> the incoming request
//did not contained a Scoping field
SPSSOConfigElement spConfig = getSPSSOConfigByAuthnRequest(realm, origRequest);
Map<String, List<String>> spConfigAttrMap = SAML2MetaUtils.getAttributes(spConfig);
scoping = ProtocolFactory.getInstance().createScoping();
String proxyCountParam = SPSSOFederate.getParameter(spConfigAttrMap, SAML2Constants.IDP_PROXY_COUNT);
if (proxyCountParam != null && (!proxyCountParam.equals(""))) {
int proxyCount = Integer.valueOf(proxyCountParam);
if (proxyCount <= 0) {
scoping.setProxyCount(0);
} else {
//since this is a remote SP configuration, we should
//decrement the proxycount by one
scoping.setProxyCount(proxyCount - 1);
}
}
List<String> proxyIdPs = spConfigAttrMap.get(SAML2Constants.IDP_PROXY_LIST);
if (proxyIdPs != null && !proxyIdPs.isEmpty()) {
List<IDPEntry> list = new ArrayList<IDPEntry>();
for (String proxyIdP : proxyIdPs) {
IDPEntry entry = ProtocolFactory.getInstance().createIDPEntry();
entry.setProviderID(proxyIdP);
list.add(entry);
}
IDPList idpList = ProtocolFactory.getInstance().createIDPList();
idpList.setIDPEntries(list);
scoping.setIDPList(idpList);
newRequest.setScoping(scoping);
}
}
return newRequest;
} catch (Exception ex) {
SAML2Utils.debug.error(classMethod + "Error in creating new authn request.", ex);
throw new SAML2Exception(ex);
}
}
Also used :
OrderedSet(com.sun.identity.shared.datastruct.OrderedSet)
Issuer(com.sun.identity.saml2.assertion.Issuer)
NameIDPolicy(com.sun.identity.saml2.protocol.NameIDPolicy)
SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)
SPSSOConfigElement(com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement)
ArrayList(java.util.ArrayList)
IDPList(com.sun.identity.saml2.protocol.IDPList)
Date(java.util.Date)
SOAPException(javax.xml.soap.SOAPException)
SessionException(com.sun.identity.plugin.session.SessionException)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)
IOException(java.io.IOException)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
AuthnRequest(com.sun.identity.saml2.protocol.AuthnRequest)
Scoping(com.sun.identity.saml2.protocol.Scoping)
List(java.util.List)
IDPList(com.sun.identity.saml2.protocol.IDPList)
ArrayList(java.util.ArrayList)
IDPEntry(com.sun.identity.saml2.protocol.IDPEntry)
Example 9 with NameIDPolicy
use of com.sun.identity.saml2.protocol.NameIDPolicy in project OpenAM by OpenRock.
the class AuthnRequestImpl method parseDOMElement.
/**
* Parses the Docuemnt Element for this object.
*
* @param element the Document Element of this object.
* @throws SAML2Exception if error parsing the Document Element.
*/
protected void parseDOMElement(Element element) throws SAML2Exception {
AssertionFactory assertionFactory = AssertionFactory.getInstance();
ProtocolFactory protoFactory = ProtocolFactory.getInstance();
requestId = element.getAttribute(SAML2Constants.ID);
validateID(requestId);
version = element.getAttribute(SAML2Constants.VERSION);
validateVersion(version);
String issueInstantStr = element.getAttribute(SAML2Constants.ISSUE_INSTANT);
validateIssueInstant(issueInstantStr);
destinationURI = element.getAttribute(SAML2Constants.DESTINATION);
consent = element.getAttribute(SAML2Constants.CONSENT);
NodeList nList = element.getChildNodes();
if ((nList != null) && (nList.getLength() > 0)) {
for (int i = 0; i < nList.getLength(); i++) {
Node childNode = nList.item(i);
String cName = childNode.getLocalName();
if (cName != null) {
if (cName.equals(SAML2Constants.ISSUER)) {
validateIssuer();
nameID = assertionFactory.createIssuer((Element) childNode);
} else if (cName.equals(SAML2Constants.SIGNATURE)) {
validateSignature();
signatureString = XMLUtils.print((Element) childNode);
isSigned = true;
} else if (cName.equals(SAML2Constants.EXTENSIONS)) {
validateExtensions();
extensions = protoFactory.createExtensions((Element) childNode);
} else if (cName.equals(SAML2Constants.SUBJECT)) {
validateSubject();
subject = assertionFactory.createSubject((Element) childNode);
} else if (cName.equals(SAML2Constants.NAMEIDPOLICY)) {
validateNameIDPolicy();
nameIDPolicy = protoFactory.createNameIDPolicy((Element) childNode);
} else if (cName.equals(SAML2Constants.CONDITIONS)) {
validateConditions();
conditions = assertionFactory.createConditions((Element) childNode);
} else if (cName.equals(SAML2Constants.REQ_AUTHN_CONTEXT)) {
validateReqAuthnContext();
reqAuthnContext = protoFactory.createRequestedAuthnContext((Element) childNode);
} else if (cName.equals(SAML2Constants.SCOPING)) {
validateScoping();
scoping = protoFactory.createScoping((Element) childNode);
}
}
}
}
// Get ForceAuthn Attribute
String forceAuthnAttr = element.getAttribute(SAML2Constants.FORCEAUTHN);
if ((forceAuthnAttr != null) && (forceAuthnAttr.length() > 0)) {
forceAuthn = SAML2SDKUtils.booleanValueOf(forceAuthnAttr);
}
String isPassiveAttr = element.getAttribute(SAML2Constants.ISPASSIVE);
if ((isPassiveAttr != null) && (isPassiveAttr.length() > 0)) {
isPassive = SAML2SDKUtils.booleanValueOf(isPassiveAttr);
}
protocolBinding = element.getAttribute(SAML2Constants.PROTOBINDING);
String index = element.getAttribute(SAML2Constants.ASSERTION_CONSUMER_SVC_INDEX);
if ((index != null) && (index.length() > 0)) {
assertionConsumerSvcIndex = new Integer(index);
validateAssertionConsumerServiceIndex(assertionConsumerSvcIndex);
}
assertionConsumerServiceURL = XMLUtils.unescapeSpecialCharacters(element.getAttribute(SAML2Constants.ASSERTION_CONSUMER_SVC_URL));
index = element.getAttribute(SAML2Constants.ATTR_CONSUMING_SVC_INDEX);
if ((index != null) && (index.length() > 0)) {
attrConsumingSvcIndex = new Integer(index);
validateAttributeConsumingServiceIndex(attrConsumingSvcIndex);
}
providerName = element.getAttribute(SAML2Constants.PROVIDER_NAME);
}
Also used :
ProtocolFactory(com.sun.identity.saml2.protocol.ProtocolFactory)
AssertionFactory(com.sun.identity.saml2.assertion.AssertionFactory)
NodeList(org.w3c.dom.NodeList)
Node(org.w3c.dom.Node)
Element(org.w3c.dom.Element)
Example 10 with NameIDPolicy
use of com.sun.identity.saml2.protocol.NameIDPolicy in project OpenAM by OpenRock.
the class UtilProxySAMLAuthenticatorLookup method retrieveAuthenticationFromCache.
@Override
public void retrieveAuthenticationFromCache() throws SessionException, ServerFaultException, ClientFaultException {
final String classMethod = "UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache: ";
// the second visit, the user has already authenticated
// retrieve the cache authn request and relay state
// We need the session to pass it to the IDP Adapter preSendResponse
SessionProvider sessionProvider = SessionManager.getProvider();
try {
data.setSession(sessionProvider.getSession(request));
data.getEventAuditor().setSSOTokenId(data.getSession());
} catch (SessionException se) {
SAML2Utils.debug.error("An error occurred while retrieving the session: " + se.getMessage());
data.setSession(null);
}
// Get the cached Authentication Request and Relay State before
// invoking the IDP Adapter
CacheObject cacheObj;
synchronized (IDPCache.authnRequestCache) {
cacheObj = (CacheObject) IDPCache.authnRequestCache.get(data.getRequestID());
}
if (cacheObj != null) {
data.setAuthnRequest((AuthnRequest) cacheObj.getObject());
}
data.setRelayState((String) IDPCache.relayStateCache.get(data.getRequestID()));
if (!isSessionValid(sessionProvider)) {
return;
}
// Invoke the IDP Adapter after the user has been authenticated
if (preSendResponse(request, response, data)) {
return;
}
synchronized (IDPCache.authnRequestCache) {
cacheObj = (CacheObject) IDPCache.authnRequestCache.remove(data.getRequestID());
}
if (cacheObj != null) {
data.setAuthnRequest((AuthnRequest) cacheObj.getObject());
}
synchronized (IDPCache.idpAuthnContextCache) {
cacheObj = (CacheObject) IDPCache.idpAuthnContextCache.remove(data.getRequestID());
}
if (cacheObj != null) {
data.setMatchingAuthnContext((AuthnContext) cacheObj.getObject());
}
data.setRelayState((String) IDPCache.relayStateCache.remove(data.getRequestID()));
if (data.getAuthnRequest() == null) {
authNotAvailable();
return;
}
SAML2Utils.debug.message("{} RequestID= {}", classMethod, data.getRequestID());
boolean isSessionUpgrade = false;
if (CollectionUtils.isNotEmpty(IDPCache.isSessionUpgradeCache)) {
isSessionUpgrade = IDPCache.isSessionUpgradeCache.contains(data.getRequestID());
}
if (isSessionUpgrade) {
IDPSession oldSess = (IDPSession) IDPCache.oldIDPSessionCache.remove(data.getRequestID());
String sessionIndex = IDPSSOUtil.getSessionIndex(data.getSession());
if (StringUtils.isNotEmpty(sessionIndex)) {
IDPCache.idpSessionsByIndices.put(sessionIndex, oldSess);
final FedMonAgent agent = MonitorManager.getAgent();
if (agent != null && agent.isRunning()) {
final FedMonSAML2Svc saml2Svc = MonitorManager.getSAML2Svc();
if (saml2Svc != null) {
saml2Svc.setIdpSessionCount(IDPCache.idpSessionsByIndices.size());
}
}
}
}
if (data.getSession() != null) {
// call multi-federation protocol to set the protocol
MultiProtocolUtils.addFederationProtocol(data.getSession(), SingleLogoutManager.SAML2);
}
// generate assertion response
data.setSpEntityID(data.getAuthnRequest().getIssuer().getValue());
NameIDPolicy policy = data.getAuthnRequest().getNameIDPolicy();
String nameIDFormat = (policy == null) ? null : policy.getFormat();
try {
IDPSSOUtil.sendResponseToACS(request, response, out, data.getSession(), data.getAuthnRequest(), data.getSpEntityID(), data.getIdpEntityID(), data.getIdpMetaAlias(), data.getRealm(), nameIDFormat, data.getRelayState(), data.getMatchingAuthnContext());
} catch (SAML2Exception se) {
SAML2Utils.debug.error(classMethod + "Unable to do sso or federation.", se);
throw new ServerFaultException(data.getIdpAdapter(), SSO_OR_FEDERATION_ERROR, se.getMessage());
}
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
IDPSession(com.sun.identity.saml2.profile.IDPSession)
FedMonSAML2Svc(com.sun.identity.plugin.monitoring.FedMonSAML2Svc)
NameIDPolicy(com.sun.identity.saml2.protocol.NameIDPolicy)
ServerFaultException(com.sun.identity.saml2.profile.ServerFaultException)
SessionException(com.sun.identity.plugin.session.SessionException)
CacheObject(com.sun.identity.saml2.profile.CacheObject)
FedMonAgent(com.sun.identity.plugin.monitoring.FedMonAgent)
SessionProvider(com.sun.identity.plugin.session.SessionProvider)
Aggregations
SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)9
NameIDPolicy (com.sun.identity.saml2.protocol.NameIDPolicy)8
SessionException (com.sun.identity.plugin.session.SessionException)3
NameID (com.sun.identity.saml2.assertion.NameID)3
NameIDInfo (com.sun.identity.saml2.common.NameIDInfo)3
ArrayList (java.util.ArrayList)3
Date (java.util.Date)3
List (java.util.List)3
Element (org.w3c.dom.Element)3
AssertionFactory (com.sun.identity.saml2.assertion.AssertionFactory)2
Issuer (com.sun.identity.saml2.assertion.Issuer)2
AffiliationDescriptorType (com.sun.identity.saml2.jaxb.metadata.AffiliationDescriptorType)2
SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)2
IDPAccountMapper (com.sun.identity.saml2.plugins.IDPAccountMapper)2
CacheObject (com.sun.identity.saml2.profile.CacheObject)2
ServerFaultException (com.sun.identity.saml2.profile.ServerFaultException)2
AuthnRequest (com.sun.identity.saml2.protocol.AuthnRequest)2
IDPEntry (com.sun.identity.saml2.protocol.IDPEntry)2
IDPList (com.sun.identity.saml2.protocol.IDPList)2
Scoping (com.sun.identity.saml2.protocol.Scoping)2
