
Example 6 with RequestedAuthnContext

use of com.sun.identity.saml2.protocol.RequestedAuthnContext in project OpenAM by OpenRock.

the class AuthnQueryUtil method processAuthnQuery.

/**
     * This method processes the <code>AuthnQuery</code> coming
     * from a requester.
     *
     * <p>Processing order, each step short-circuiting with an error
     * <code>Response</code> when it fails:
     * <ol>
     *   <li>{@code verifyAuthnQuery} — failure is reported to the
     *       requester with the exception message as the status message;</li>
     *   <li>metadata lookup of the authentication authority descriptor —
     *       a {@code SAML2MetaException} yields a RESPONDER error, a missing
     *       descriptor a REQUESTER error;</li>
     *   <li>subject resolution ({@code getNameID}) and account mapping to a
     *       local user ID — either being {@code null} yields UNKNOWN_PRINCIPAL;</li>
     *   <li>the user's cached assertions are read (CTS token repository when
     *       SAML2 failover is enabled, in-memory {@code IDPCache} otherwise),
     *       filtered to time-valid ones whose AuthnStatement matches the
     *       query's optional SessionIndex and RequestedAuthnContext, and
     *       returned in a SUCCESS response signed by {@code signResponse}.</li>
     * </ol>
     * Note that a failure to read the token repository in step 4 is only
     * logged: the method then continues with no assertions and still
     * returns a SUCCESS status with an empty assertion list.
     *
     * @param authnQuery the <code>AuthnQuery</code> object
     * @param request the <code>HttpServletRequest</code> object (not read here;
     *        kept for the caller's interface)
     * @param response the <code>HttpServletResponse</code> object (not written
     *        here; kept for the caller's interface)
     * @param authnAuthorityEntityID entity ID of authentication authority
     * @param realm the realm of hosted entity
     *
     * @return the <code>Response</code> object
     * @exception SAML2Exception if the operation is not successful (for
     *        example if an assertion string from the repository cannot be
     *        parsed, or if signing the response fails)
     */
public static Response processAuthnQuery(AuthnQuery authnQuery, HttpServletRequest request, HttpServletResponse response, String authnAuthorityEntityID, String realm) throws SAML2Exception {
    try {
        verifyAuthnQuery(authnQuery, authnAuthorityEntityID, realm);
    } catch (SAML2Exception se) {
        SAML2Utils.debug.error("AuthnQueryUtil.processAuthnQuery:", se);
        // The exception message is echoed back to the requester as the status message.
        return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER, null, se.getMessage(), null);
    }
    Issuer issuer = authnQuery.getIssuer();
    String spEntityID = issuer.getValue();
    AuthnAuthorityDescriptorElement aad = null;
    SAML2MetaManager metaManager = SAML2Utils.getSAML2MetaManager();
    try {
        aad = metaManager.getAuthnAuthorityDescriptor(realm, authnAuthorityEntityID);
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error("AuthnQueryUtil.processAuthnQuery:", sme);
        return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.RESPONDER, null, SAML2Utils.bundle.getString("metaDataError"), null);
    }
    if (aad == null) {
        return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER, null, SAML2Utils.bundle.getString("authnAuthorityNotFound"), null);
    }
    NameID nameID = getNameID(authnQuery.getSubject(), realm, authnAuthorityEntityID);
    if (nameID == null) {
        return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER, SAML2Constants.UNKNOWN_PRINCIPAL, null, null);
    }
    IDPAccountMapper idpAcctMapper = SAML2Utils.getIDPAccountMapper(realm, authnAuthorityEntityID);
    String userID = idpAcctMapper.getIdentity(nameID, authnAuthorityEntityID, spEntityID, realm);
    if (userID == null) {
        return SAML2Utils.getErrorResponse(authnQuery, SAML2Constants.REQUESTER, SAML2Constants.UNKNOWN_PRINCIPAL, null, null);
    }
    IDPAuthnContextMapper idpAuthnContextMapper = IDPSSOUtil.getIDPAuthnContextMapper(realm, authnAuthorityEntityID);
    // get assertion for matching authncontext using session
    List returnAssertions = new ArrayList();
    String qSessionIndex = authnQuery.getSessionIndex();
    RequestedAuthnContext requestedAC = authnQuery.getRequestedAuthnContext();
    List assertions = null;
    // NOTE(review): default-locale toLowerCase(); this must match however the
    // cache/repository writer derives its key — confirm before changing to Locale.ROOT.
    String cacheKey = userID.toLowerCase();
    AssertionFactory assertionFactory = AssertionFactory.getInstance();
    if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AuthnQueryUtil.processAuthnQuery: " + "getting user assertions from DB. user = " + cacheKey);
        }
        List list = null;
        try {
            list = SAML2FailoverUtils.retrieveSAML2TokensWithSecondaryKey(cacheKey);
        } catch (SAML2TokenRepositoryException se) {
            // Best-effort: a repository failure leaves 'list' null, so the
            // response below carries no assertions but still a SUCCESS status.
            SAML2Utils.debug.error("AuthnQueryUtil.processAuthnQuery: " + "Unable to obtain user assertions from CTS Repository. user = " + cacheKey, se);
        }
        if (list != null && !list.isEmpty()) {
            assertions = new ArrayList();
            for (Iterator iter = list.iterator(); iter.hasNext(); ) {
                // Repository entries are serialized assertion strings; a parse
                // failure propagates as SAML2Exception rather than being skipped.
                String assertionStr = (String) iter.next();
                assertions.add(assertionFactory.createAssertion(assertionStr));
            }
        }
    } else {
        assertions = (List) IDPCache.assertionCache.get(cacheKey);
    }
    if ((assertions != null) && (!assertions.isEmpty())) {
        // In the non-failover path this is the shared cache list itself, hence
        // the lock while iterating it.
        synchronized (assertions) {
            for (Iterator aIter = assertions.iterator(); aIter.hasNext(); ) {
                Assertion assertion = (Assertion) aIter.next();
                if (!assertion.isTimeValid()) {
                    if (SAML2Utils.debug.messageEnabled()) {
                        SAML2Utils.debug.message("AuthnQueryUtil.processAuthnQuery: " + " assertion " + assertion.getID() + " expired.");
                    }
                    continue;
                }
                List authnStmts = assertion.getAuthnStatements();
                for (Iterator asIter = authnStmts.iterator(); asIter.hasNext(); ) {
                    AuthnStatement authnStmt = (AuthnStatement) asIter.next();
                    AuthnContext authnStmtAC = authnStmt.getAuthnContext();
                    String sessionIndex = authnStmt.getSessionIndex();
                    String authnStmtACClassRef = authnStmtAC.getAuthnContextClassRef();
                    if (SAML2Utils.debug.messageEnabled()) {
                        SAML2Utils.debug.message("AuthnQueryUtil.processAuthnQuery: " + "authnStmtACClassRef is " + authnStmtACClassRef + ", sessionIndex = " + sessionIndex);
                    }
                    // A null or empty SessionIndex in the query matches every statement.
                    if ((qSessionIndex != null) && (qSessionIndex.length() != 0) && (!qSessionIndex.equals(sessionIndex))) {
                        continue;
                    }
                    // Each assertion is added at most once (the 'break' leaves the
                    // statement loop on the first matching statement).
                    if (requestedAC != null) {
                        List requestedACClassRefs = requestedAC.getAuthnContextClassRef();
                        String comparison = requestedAC.getComparison();
                        if (idpAuthnContextMapper.isAuthnContextMatching(requestedACClassRefs, authnStmtACClassRef, comparison, realm, authnAuthorityEntityID)) {
                            returnAssertions.add(assertion);
                            break;
                        }
                    } else {
                        // No RequestedAuthnContext: any class ref is acceptable.
                        returnAssertions.add(assertion);
                        break;
                    }
                }
            }
        }
    // end assertion iterator while.
    }
    ProtocolFactory protocolFactory = ProtocolFactory.getInstance();
    Response samlResp = protocolFactory.createResponse();
    if (!returnAssertions.isEmpty()) {
        samlResp.setAssertion(returnAssertions);
    }
    samlResp.setID(SAML2Utils.generateID());
    samlResp.setInResponseTo(authnQuery.getID());
    samlResp.setVersion(SAML2Constants.VERSION_2_0);
    samlResp.setIssueInstant(new Date());
    // Reaching this point always yields a SUCCESS status, even with zero assertions.
    Status status = protocolFactory.createStatus();
    StatusCode statusCode = protocolFactory.createStatusCode();
    statusCode.setValue(SAML2Constants.SUCCESS);
    status.setStatusCode(statusCode);
    samlResp.setStatus(status);
    Issuer respIssuer = assertionFactory.createIssuer();
    respIssuer.setValue(authnAuthorityEntityID);
    samlResp.setIssuer(respIssuer);
    // Last argument's meaning is not visible here — presumably an "include certificate" style flag; verify against signResponse.
    signResponse(samlResp, authnAuthorityEntityID, realm, false);
    return samlResp;
}

Example 7 with RequestedAuthnContext

use of com.sun.identity.saml2.protocol.RequestedAuthnContext in project OpenAM by OpenRock.

the class DefaultSPAuthnContextMapper method getRequestedAuthnContext.

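/**
     * Returns the <code>RequestedAuthnContext</code> object.
     *
     * The RequestedAuthnContext is created based on the query parameters
     * AuthnContextClassRef and AuthComparison in the request
     * and the authnContext attribute,
     * spAuthncontextClassrefMapping, and the authComparison
     * attribute, spAuthncontextComparisonType,
     * set in the Service Provider Extended Configuration.
     * The class reference list is built as follows:
     * <ol>
     *   <li>every AuthnContextClassRef query value, prefixed by
     *       {@code prefixIfRequired};</li>
     *   <li>if an AuthLevel was requested (query parameter, else
     *       {@code getAuthLevelFromAdvice}), every mapped class reference
     *       whose configured level is &gt;= the requested level, excluding the
     *       DEFAULT and DEFAULT_CLASS_REF entries;</li>
     *   <li>if the list is still empty, the configured default class
     *       reference, or failing that every mapped class reference;</li>
     *   <li>if still empty, the default value
     *       urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport.</li>
     * </ol>
     * AuthnComparison is taken from the query when it is a valid comparison
     * value, otherwise from the SP extended configuration; an invalid
     * configured value is dropped (left {@code null}).
     *
     * @param realm  Realm or Organization of the Service Provider.
     * @param hostEntityID Entity ID of the Service Provider.
     * @param paramsMap Map containing key/value pairs of parameters.
     *        The key/value pairs are those accepted during SP SSO
     *        initiation.
     * @return the populated <code>RequestedAuthnContext</code>; never {@code null}.
     * @throws SAML2Exception if an error occurs.
     */
public RequestedAuthnContext getRequestedAuthnContext(String realm, String hostEntityID, Map paramsMap) throws SAML2Exception {
    // Read the AuthnContext Class Reference passed as query string to the SP.
    List authContextClassRef = (List) paramsMap.get(SAML2Constants.AUTH_CONTEXT_CLASS_REF);
    Integer authLevel = parseRequestedAuthLevel((List) paramsMap.get(SAML2Constants.AUTH_LEVEL));
    if (authLevel == null) {
        authLevel = getAuthLevelFromAdvice(paramsMap);
    }
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("authLevel in Query:" + authLevel);
        SAML2Utils.debug.message("authContextClassRef in Query:" + authContextClassRef);
    }
    // Retrieve the cached AuthnContext class ref / auth level map.
    Map authRefMap = getAuthRefMap(realm, hostEntityID);
    List authCtxList = new ArrayList();
    // Step 1: class references named explicitly in the request.
    if (authContextClassRef != null && !authContextClassRef.isEmpty()) {
        for (Object ref : authContextClassRef) {
            String authClassRef = prefixIfRequired((String) ref);
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("DefaultSPAuthnContextMapper: " + "authClassRef=" + authClassRef);
            }
            authCtxList.add(authClassRef);
        }
    }
    // Step 2: class references whose configured level satisfies the requested
    // level. The map is guarded against null here for the same reason the
    // fallback below already guards it.
    if (authLevel != null && authRefMap != null) {
        for (Object key : authRefMap.keySet()) {
            String className = (String) key;
            if (DEFAULT.equals(className) || DEFAULT_CLASS_REF.equals(className)) {
                continue;
            }
            Integer aLevel = (Integer) authRefMap.get(className);
            if (aLevel != null && aLevel.intValue() >= authLevel.intValue()) {
                authCtxList.add(className);
            }
        }
    }
    // Step 3: nothing matched so far — fall back to the configured default
    // class reference, or to every configured class reference.
    if (authCtxList.isEmpty() && authRefMap != null && !authRefMap.isEmpty()) {
        String defaultClassRef = (String) authRefMap.get(DEFAULT_CLASS_REF);
        if (defaultClassRef != null) {
            authCtxList.add(defaultClassRef);
        } else {
            for (Object key : authRefMap.keySet()) {
                String val = (String) key;
                if (val != null && !val.equals(DEFAULT)) {
                    authCtxList.add(val);
                }
            }
        }
    }
    // Step 4: if the list is still empty, use the spec default.
    if (authCtxList.isEmpty()) {
        authCtxList.add(SAML2Constants.CLASSREF_PASSWORD_PROTECTED_TRANSPORT);
    }
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("SPCache.authContextHash is: " + SPCache.authContextHash);
        SAML2Utils.debug.message("authCtxList is: " + authCtxList);
    }
    // Retrieve the AuthnContext comparison from the query parameter; an invalid
    // (or absent) value falls back to the SP extended configuration.
    String authCtxComparison = SPSSOFederate.getParameter(paramsMap, SAML2Constants.SP_AUTHCONTEXT_COMPARISON);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("AuthComparison in Query:" + authCtxComparison);
    }
    if ((authCtxComparison == null) || !isValidAuthComparison(authCtxComparison)) {
        authCtxComparison = SAML2Utils.getAttributeValueFromSSOConfig(realm, hostEntityID, SAML2Constants.SP_ROLE, SAML2Constants.SP_AUTHCONTEXT_COMPARISON_TYPE);
        if ((authCtxComparison != null) && (!isValidAuthComparison(authCtxComparison))) {
            authCtxComparison = null;
        }
    }
    RequestedAuthnContext reqCtx = ProtocolFactory.getInstance().createRequestedAuthnContext();
    reqCtx.setAuthnContextClassRef(authCtxList);
    reqCtx.setComparison(authCtxComparison);
    return reqCtx;
}

/**
 * Parses the first value of the AuthLevel query parameter list as an integer.
 *
 * @param authLevelList the raw parameter values; may be {@code null} or empty
 * @return the parsed level, or {@code null} when absent, not a valid integer,
 *         or not a {@code String} (best effort: parsing problems are only
 *         logged at debug level, never propagated)
 */
private static Integer parseRequestedAuthLevel(List authLevelList) {
    if (authLevelList == null || authLevelList.isEmpty()) {
        return null;
    }
    try {
        return Integer.valueOf((String) authLevelList.iterator().next());
    } catch (NumberFormatException nfe) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("not a valid integer", nfe);
        }
    } catch (Exception e) {
        // Kept broad on purpose (e.g. a non-String element): an unusable
        // AuthLevel parameter is ignored rather than failing SSO initiation.
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("error getting " + "integer object", e);
        }
    }
    return null;
}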

Example 8 with RequestedAuthnContext

use of com.sun.identity.saml2.protocol.RequestedAuthnContext in project OpenAM by OpenRock.

the class DefaultSPAuthnContextMapper method getAuthLevel.

/**
     * Returns the auth level for the AuthnContext.
     *
     * The class reference asserted by the IdP ({@code authnContext}) is first
     * checked against what was requested ({@code reqCtx}) when both are
     * present; a mismatch is an error rather than a level of 0. The level is
     * then looked up in the SP's class-ref/level map — the cached copy in
     * {@code SPCache.authContextHash} or, when absent or empty, a freshly
     * built one — using the asserted class reference, or the DEFAULT entry
     * when no class reference was asserted. An unmapped reference yields 0.
     *
     * @param reqCtx  the RequestedAuthnContext object.
     * @param authnContext  the AuthnContext object.
     * @param realm the realm or organization to
     *    retrieve the authncontext.
     * @param hostEntityID the Service Provider Identity String.
     * @param idpEntityID the Identity Provider Identity String (not used in
     *    the lookup here).
     * @return authlevel an integer value, 0 when no level is mapped.
     * @throws SAML2Exception if the asserted class reference does not match
     *    the requested one, or if there is an error.
     */
public int getAuthLevel(RequestedAuthnContext reqCtx, AuthnContext authnContext, String realm, String hostEntityID, String idpEntityID) throws SAML2Exception {
    String cacheKey = hostEntityID + "|" + realm;
    Map authRefMap = (Map) SPCache.authContextHash.get(cacheKey);
    if (authRefMap == null || authRefMap.isEmpty()) {
        authRefMap = getAuthRefMap(realm, hostEntityID);
    }
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("DefaultSPAuthnContextMapper:hostEntityID:" + hostEntityID);
        SAML2Utils.debug.message("DefaultSPAuthnContextMapper:realm:" + realm);
        SAML2Utils.debug.message("DefaultSPAuthnContextMapper:MAP:" + authRefMap);
        SAML2Utils.debug.message("DefaultSPAuthnContextMapper:HASH:" + SPCache.authContextHash);
    }
    String authnClassRef = (authnContext == null) ? null : authnContext.getAuthnContextClassRef();
    // Enforce that what the IdP asserted satisfies what was requested.
    if (reqCtx != null && authnClassRef != null) {
        boolean matches = isAuthnContextMatching(reqCtx.getAuthnContextClassRef(), authnClassRef, reqCtx.getComparison(), realm, hostEntityID);
        if (!matches) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("invalidAuthnContextClassRef"));
        }
    }
    Integer mappedLevel = null;
    if (authRefMap != null && !authRefMap.isEmpty()) {
        // An absent or empty class reference resolves through the DEFAULT entry.
        boolean hasClassRef = (authnClassRef != null) && (authnClassRef.length() > 0);
        mappedLevel = (Integer) (hasClassRef ? authRefMap.get(authnClassRef) : authRefMap.get(DEFAULT));
    }
    int authLevel = (mappedLevel == null) ? 0 : mappedLevel.intValue();
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("DefaultSPAuthnContextMapper:authnClRef:" + authnClassRef);
        SAML2Utils.debug.message("DefaultSPAuthnContextMapper:authLevel :" + authLevel);
    }
    return authLevel;
}

Example 9 with RequestedAuthnContext

use of com.sun.identity.saml2.protocol.RequestedAuthnContext in project OpenAM by OpenRock.

the class SAML2IDPProxyFRImpl method selectIDPBasedOnLOA.

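/**
 * Selects, out of {@code idpList}, the IdPs whose metadata entity attributes
 * advertise at least one of the authentication context class references
 * carried by the request's {@code RequestedAuthnContext}.
 *
 * <p>The match is evaluated per attribute value: an IdP entity ID is prepended
 * to the result once for every attribute value whose trimmed content
 * intersects the requested class references, so the returned string lists
 * the most recently matched IdP first. When the request carries no
 * {@code RequestedAuthnContext}, every IdP in {@code idpList} is returned on
 * the assumption that each supports a default context. A metadata lookup
 * failure is logged and stops the scan; whatever matched before it is returned.
 *
 * @param idpList       candidate IdP entity IDs; null or empty yields an empty result
 * @param realm         realm in which the IdP metadata is looked up
 * @param authnRequest  the incoming AuthnRequest whose RequestedAuthnContext drives the selection
 * @return space-separated IdP entity IDs, or the empty string when nothing matched
 */
private String selectIDPBasedOnLOA(List<String> idpList, String realm, AuthnRequest authnRequest) {
    String classMethod = "selectIdPBasedOnLOA";
    String idps = "";
    try {
        RequestedAuthnContext requestedAuthnContext = authnRequest.getRequestedAuthnContext();
        if (requestedAuthnContext == null) {
            //In this case we just simply return all the IdPs as each one should support a default AuthnContext.
            return StringUtils.join(idpList, " ");
        }
        List listOfAuthnContexts = requestedAuthnContext.getAuthnContextClassRef();
        debugMessage(classMethod, "listofAuthnContexts: " + listOfAuthnContexts);
        // An absent class-ref list means "nothing requested"; handled explicitly
        // rather than through a catch-all around the HashSet copy.
        Set authnRequestContextSet = (listOfAuthnContexts == null) ? new HashSet() : new HashSet(listOfAuthnContexts);
        if (idpList != null && !idpList.isEmpty()) {
            for (String idp : idpList) {
                debugMessage(classMethod, "IDP is: " + idp);
                EntityDescriptorElement idpDesc = SAML2Utils.getSAML2MetaManager().getEntityDescriptor(realm, idp);
                if (idpDesc == null) {
                    debugMessage(classMethod, "Configuration for the idp " + idp + " was not found in this system");
                    continue;
                }
                ExtensionsType et = idpDesc.getExtensions();
                if (et == null) {
                    debugMessage(classMethod, " No extensions found for IdP " + idp);
                    continue;
                }
                debugMessage(classMethod, "Extensions found for idp: " + idp);
                List idpExtensions = et.getAny();
                // Every list guard below uses "== null ||": the previous
                // "!= null ||" form dereferenced a null list.
                if (idpExtensions == null || idpExtensions.isEmpty()) {
                    continue;
                }
                debugMessage(classMethod, "Extensions content found for idp: " + idp);
                for (Object extension : idpExtensions) {
                    // Extensions may hold arbitrary elements; only EntityAttributes are of interest.
                    if (!(extension instanceof EntityAttributesElement)) {
                        continue;
                    }
                    debugMessage(classMethod, "Entity Attributes found for idp: " + idp);
                    List attribL = ((EntityAttributesElement) extension).getAttributeOrAssertion();
                    if (attribL == null || attribL.isEmpty()) {
                        continue;
                    }
                    for (Object attributeOrAssertion : attribL) {
                        // The list mixes Attribute and Assertion elements; only
                        // Attributes carry the values compared here.
                        if (!(attributeOrAssertion instanceof AttributeElement)) {
                            continue;
                        }
                        List av = ((AttributeElement) attributeOrAssertion).getAttributeValue();
                        if (av == null || av.isEmpty()) {
                            continue;
                        }
                        debugMessage(classMethod, "Attribute Values found for idp: " + idp);
                        for (Object value : av) {
                            if (!(value instanceof AttributeValueElement)) {
                                continue;
                            }
                            List contentL = ((AttributeValueElement) value).getContent();
                            debugMessage(classMethod, "Attribute Value Elements found for idp: " + idp + "-->" + contentL);
                            if (contentL == null || contentL.isEmpty()) {
                                continue;
                            }
                            Set idpContextSet = trimmedListToSet(contentL);
                            debugMessage(classMethod, "idpContextSet = " + idpContextSet);
                            idpContextSet.retainAll(authnRequestContextSet);
                            if (!idpContextSet.isEmpty()) {
                                // Prepend, preserving the established "most recent match first" order.
                                idps = idp + " " + idps;
                                debugMessage(classMethod, "Extension Values found for idp " + idp + ": " + idpContextSet);
                            }
                        }
                    }
                }
            }
        }
    } catch (SAML2MetaException me) {
        debugMessage(classMethod, "SOmething went wrong: " + me);
    }
    debugMessage(classMethod, " IDPList returns: " + idps);
    return idps.trim();
}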
