Search in sources :

Example 86 with Response

use of com.sun.identity.saml2.protocol.Response in project OpenAM by OpenRock.

the class DoManageNameID method processMNIResponsePOST.

public static boolean processMNIResponsePOST(HttpServletRequest request, HttpServletResponse response, Map paramsMap) throws SAML2Exception {
    String method = "processMNIResponsePOST: ";
    boolean success = false;
    String requestURL = request.getRequestURI();
    String metaAlias = SAML2MetaUtils.getMetaAliasByUri(requestURL);
    if (metaAlias == null) {
        logError("MetaAliasNotFound", LogUtil.MISSING_META_ALIAS, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("MetaAliasNotFound"));
    }
    String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
    String hostEntityID = metaManager.getEntityByMetaAlias(metaAlias);
    String hostRole = SAML2Utils.getHostEntityRole(paramsMap);
    boolean isSupported = false;
    if (SAML2Constants.IDP_ROLE.equals(hostRole)) {
        isSupported = SAML2Utils.isIDPProfileBindingSupported(realm, hostEntityID, SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_POST);
    } else {
        isSupported = SAML2Utils.isSPProfileBindingSupported(realm, hostEntityID, SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_POST);
    }
    if (!isSupported) {
        debug.error(method + "MNI binding: POST is not supported for " + hostEntityID);
        String[] data = { hostEntityID, SAML2Constants.HTTP_POST };
        LogUtil.error(Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    String relayState = request.getParameter(SAML2Constants.RELAY_STATE);
    String mniRes = request.getParameter(SAML2Constants.SAML_RESPONSE);
    String mniResStr = getMNIResponseFromPost(mniRes, response);
    if (mniResStr == null) {
        logError("nullDecodedStrFromSamlResponse", LogUtil.CANNOT_DECODE_RESPONSE, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse"));
    }
    if (debug.messageEnabled()) {
        debug.message("DoManageNameID.processMNIResponsePOST: " + "Meta Alias is : " + metaAlias);
        debug.message("DoManageNameID.processMNIResponsePOST: " + "Host role is : " + hostRole);
        debug.message("DoManageNameID.processMNIResponsePOST: " + "Relay state is : " + relayState);
        debug.message("DoManageNameID.processMNIResponsePOST: " + "MNI Response : " + mniResStr);
    }
    // Validate the RelayState URL.
    SAML2Utils.validateRelayStateURL(realm, hostEntityID, relayState, hostRole);
    ManageNameIDResponse mniResponse = null;
    try {
        mniResponse = pf.createManageNameIDResponse(mniResStr);
        String remoteEntityID = mniResponse.getIssuer().getValue();
        Issuer resIssuer = mniResponse.getIssuer();
        String requestId = mniResponse.getInResponseTo();
        SAML2Utils.verifyResponseIssuer(realm, hostEntityID, resIssuer, requestId);
        boolean needToVerify = SAML2Utils.getWantMNIResponseSigned(realm, hostEntityID, hostRole);
        if (needToVerify) {
            boolean valid = verifyMNIResponse(mniResponse, realm, remoteEntityID, hostEntityID, hostRole, mniResponse.getDestination());
            if (!valid) {
                logError("invalidSignInResponse", LogUtil.MNI_RESPONSE_INVALID_SIGNATURE, null);
                throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignInResponse"));
            }
        }
        success = checkMNIResponse(mniResponse, realm, hostEntityID, hostRole, new StringBuffer());
    } catch (SessionException e) {
        logError("invalidSSOToken", LogUtil.INVALID_SSOTOKEN, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
    }
    if (debug.messageEnabled()) {
        debug.message("DoManageNameID.processMNIResponsePOST: " + "Request success : " + success);
    }
    return success;
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) Issuer(com.sun.identity.saml2.assertion.Issuer) SessionException(com.sun.identity.plugin.session.SessionException) ManageNameIDResponse(com.sun.identity.saml2.protocol.ManageNameIDResponse)

Example 87 with Response

use of com.sun.identity.saml2.protocol.Response in project OpenAM by OpenRock.

the class AttributeQueryUtil method validateSAMLResponseForFedlet.

/**
     * Validates the SAML response obtained from Attribute Authortity
     *
     * @param samlResp saml response
     *
     * @exception SAML2Exception if the operation is not successful
     *
     * @supported.api
     */
private static boolean validateSAMLResponseForFedlet(Response samlResp, String spEntityID, boolean wantNameIDEncrypted) throws SAML2Exception {
    boolean resp = true;
    if (samlResp != null && samlResp.isSigned()) {
        List assertions = null;
        if (wantNameIDEncrypted) {
            assertions = samlResp.getEncryptedAssertion();
        } else {
            assertions = samlResp.getAssertion();
        }
        if (assertions == null) {
            return false;
        }
        for (Iterator asserIter = assertions.iterator(); asserIter.hasNext(); ) {
            Assertion assertion = null;
            if (wantNameIDEncrypted) {
                assertion = getDecryptedAssertion((EncryptedAssertion) asserIter.next(), spEntityID);
            } else {
                assertion = (Assertion) asserIter.next();
            }
            if (assertion != null) {
                Conditions conditions = assertion.getConditions();
                if (conditions != null) {
                    List audienceRes = conditions.getAudienceRestrictions();
                    if (audienceRes.size() > 1) {
                        resp = false;
                        break;
                    }
                }
                List statements = assertion.getAttributeStatements();
                if (statements.size() > 1) {
                    resp = false;
                    break;
                }
            }
        }
    } else {
        resp = false;
    }
    return resp;
}
Also used : EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) Iterator(java.util.Iterator) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) Assertion(com.sun.identity.saml2.assertion.Assertion) List(java.util.List) ArrayList(java.util.ArrayList) Conditions(com.sun.identity.saml2.assertion.Conditions)

Example 88 with Response

use of com.sun.identity.saml2.protocol.Response in project OpenAM by OpenRock.

the class AttributeQueryUtil method getAttributesForFedlet.

/**
     * Sends the AttributeQuery to specified attribute authority,
     * validates the response and returns the attribute map
     * <code>Map&lt;String, Set&lt;String&gt;&gt;</code> to the Fedlet
     *
     * @param spEntityID SP entity ID
     * @param idpEntityID IDP entity ID
     * @param nameIDValue  NameID value 
     * @param attrsList The list of attributes whose values need to be
     *                  fetched from IDP
     * @param attrQueryProfileAlias  Attribute Query Profile Alias
     * @param subjectDN  Attribute name which contains X.509 subject DN
     *
     * @return the <code>Map</code> object
     * @exception SAML2Exception if the operation is not successful
     *
     * @supported.api
     */
public static Map<String, Set<String>> getAttributesForFedlet(String spEntityID, String idpEntityID, String nameIDValue, List<String> attrsList, String attrQueryProfileAlias, String subjectDN) throws SAML2Exception {
    final String classMethod = "AttributeQueryUtil.getAttributesForFedlet: ";
    AttributeQueryConfigElement attrQueryConfig = metaManager.getAttributeQueryConfig("/", spEntityID);
    if (attrQueryConfig == null) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "Attribute Query Config is null");
        }
        return null;
    }
    String attrqMetaAlias = attrQueryConfig.getMetaAlias();
    if (attrqMetaAlias == null) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "Attribute Query MetaAlias is null");
        }
        return null;
    }
    boolean wantNameIDEncrypted = SAML2Utils.getWantNameIDEncrypted("/", spEntityID, SAML2Constants.ATTR_QUERY_ROLE);
    AttributeQuery attrQuery = constructAttrQueryForFedlet(spEntityID, idpEntityID, nameIDValue, attrsList, attrqMetaAlias, attrQueryProfileAlias, subjectDN, wantNameIDEncrypted);
    String attrQueryProfile = null;
    if (attrQueryProfileAlias.equals(SAML2Constants.DEFAULT_ATTR_QUERY_PROFILE_ALIAS)) {
        attrQueryProfile = SAML2Constants.DEFAULT_ATTR_QUERY_PROFILE;
    } else if (attrQueryProfileAlias.equals(SAML2Constants.X509_SUBJECT_ATTR_QUERY_PROFILE_ALIAS)) {
        attrQueryProfile = SAML2Constants.X509_SUBJECT_ATTR_QUERY_PROFILE;
    }
    Response samlResp = sendAttributeQuery(attrQuery, idpEntityID, "/", attrQueryProfile, SAML2Constants.BASIC_ATTRIBUTE_PROFILE, SAML2Constants.SOAP);
    // Validate the response
    boolean validResp = validateSAMLResponseForFedlet(samlResp, spEntityID, wantNameIDEncrypted);
    Map<String, Set<String>> attrMap = new HashMap<String, Set<String>>();
    if (validResp) {
        // Return back the AttributeMap
        if (samlResp != null) {
            List<Object> assertions;
            if (wantNameIDEncrypted) {
                assertions = samlResp.getEncryptedAssertion();
            } else {
                assertions = samlResp.getAssertion();
            }
            for (Object currentAssertion : assertions) {
                Assertion assertion;
                if (wantNameIDEncrypted) {
                    assertion = getDecryptedAssertion((EncryptedAssertion) currentAssertion, spEntityID);
                } else {
                    assertion = (Assertion) currentAssertion;
                }
                if (assertion != null) {
                    List<AttributeStatement> statements = assertion.getAttributeStatements();
                    if (statements != null && statements.size() > 0) {
                        for (AttributeStatement statement : statements) {
                            List<Attribute> attributes = statement.getAttribute();
                            attrMap.putAll(mapAttributes("/", spEntityID, idpEntityID, nameIDValue, attributes));
                        }
                    } else {
                        if (SAML2Utils.debug.messageEnabled()) {
                            SAML2Utils.debug.message(classMethod + "Empty Statement present in SAML response");
                        }
                    }
                } else {
                    if (SAML2Utils.debug.messageEnabled()) {
                        SAML2Utils.debug.message(classMethod + "Empty Assertion present in SAML response");
                    }
                }
            }
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "attributes received from Attribute Query: " + attrMap);
            }
        }
    } else {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "Invalid response obtained from Attribute Authority");
        }
    }
    // Return the attribute map and to the fedlet
    return attrMap;
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) HashMap(java.util.HashMap) Attribute(com.sun.identity.saml2.assertion.Attribute) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) Assertion(com.sun.identity.saml2.assertion.Assertion) AttributeQueryConfigElement(com.sun.identity.saml2.jaxb.entityconfig.AttributeQueryConfigElement) Response(com.sun.identity.saml2.protocol.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) AttributeQuery(com.sun.identity.saml2.protocol.AttributeQuery) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) AttributeStatement(com.sun.identity.saml2.assertion.AttributeStatement)

Example 89 with Response

use of com.sun.identity.saml2.protocol.Response in project OpenAM by OpenRock.

the class AttributeQueryUtil method processAttributeQuery.

/**
     * Processes the <code>AttributeQuery</code> coming
     * from a requester.
     *
     * @param attrQuery the <code>AttributeQuery</code> object
     * @param request the <code>HttpServletRequest</code> object
     * @param response the <code>HttpServletResponse</code> object
     * @param attrAuthorityEntityID entity ID of attribute authority
     * @param realm the realm of hosted entity
     * @param attrQueryProfileAlias the attribute query profile alias
     *
     * @return the <code>Response</code> object
     * @exception SAML2Exception if the operation is not successful
     */
public static Response processAttributeQuery(AttributeQuery attrQuery, HttpServletRequest request, HttpServletResponse response, String attrAuthorityEntityID, String realm, String attrQueryProfileAlias) throws SAML2Exception {
    AttributeAuthorityMapper attrAuthorityMapper = getAttributeAuthorityMapper(realm, attrAuthorityEntityID, attrQueryProfileAlias);
    String attrQueryProfile = AttributeQueryUtil.getAttributeQueryProfile(attrQueryProfileAlias);
    try {
        attrAuthorityMapper.authenticateRequester(request, response, attrQuery, attrAuthorityEntityID, realm);
    } catch (SAML2Exception se) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AttributeQueryUtil." + "processAttributeQuery: ", se);
        }
        return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.REQUESTER, null, se.getMessage(), null);
    }
    try {
        attrAuthorityMapper.validateAttributeQuery(request, response, attrQuery, attrAuthorityEntityID, realm);
    } catch (SAML2Exception se) {
        SAML2Utils.debug.error("AttributeQueryUtil.processAttributeQuery:", se);
        return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.REQUESTER, null, se.getMessage(), null);
    }
    Issuer issuer = attrQuery.getIssuer();
    String requesterEntityID = issuer.getValue();
    AttributeAuthorityDescriptorElement aad = null;
    try {
        aad = metaManager.getAttributeAuthorityDescriptor(realm, attrAuthorityEntityID);
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error("AttributeQueryUtil.processAttributeQuery:", sme);
        return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.RESPONDER, null, SAML2Utils.bundle.getString("metaDataError"), null);
    }
    if (aad == null) {
        return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.REQUESTER, null, SAML2Utils.bundle.getString("attrAuthorityNotFound"), null);
    }
    Object identity = null;
    try {
        identity = attrAuthorityMapper.getIdentity(request, response, attrQuery, attrAuthorityEntityID, realm);
    } catch (SAML2Exception se) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AttributeQueryUtil." + "processAttributeQuery: ", se);
        }
        return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.REQUESTER, SAML2Constants.UNKNOWN_PRINCIPAL, se.getMessage(), null);
    }
    if (identity == null) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AttributeQueryUtil." + "processAttributeQuery: unable to find identity.");
        }
        return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.REQUESTER, SAML2Constants.UNKNOWN_PRINCIPAL, null, null);
    }
    // Addition to support changing of desired attributes list
    List desiredAttrs = (List) request.getAttribute("AttributeQueryUtil-desiredAttrs");
    if (desiredAttrs == null) {
        desiredAttrs = attrQuery.getAttributes();
    }
    try {
        desiredAttrs = verifyDesiredAttributes(aad.getAttribute(), desiredAttrs);
    } catch (SAML2Exception se) {
        return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.REQUESTER, SAML2Constants.INVALID_ATTR_NAME_OR_VALUE, null, null);
    }
    List attributes = attrAuthorityMapper.getAttributes(identity, attrQuery, attrAuthorityEntityID, realm);
    if (request.getAttribute("AttributeQueryUtil-storeAllAttributes") != null) {
        request.setAttribute("AttributeQueryUtil-allAttributes", attributes);
    }
    attributes = filterAttributes(attributes, desiredAttrs);
    ProtocolFactory protocolFactory = ProtocolFactory.getInstance();
    Response samlResp = protocolFactory.createResponse();
    List assertionList = new ArrayList();
    Assertion assertion = null;
    try {
        assertion = getAssertion(attrQuery, attrAuthorityEntityID, requesterEntityID, realm, attrQueryProfileAlias, attributes);
    } catch (SAML2Exception se) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AttributeQueryUtil.processAttributeQuery:", se);
        }
        return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.RESPONDER, null, se.getMessage(), null);
    }
    EncryptedID encryptedID = attrQuery.getSubject().getEncryptedID();
    if (encryptedID != null) {
        EncryptedAssertion encryptedAssertion = null;
        try {
            signAssertion(assertion, realm, attrAuthorityEntityID, false);
            encryptedAssertion = encryptAssertion(assertion, encryptedID, attrAuthorityEntityID, requesterEntityID, realm, attrQueryProfileAlias);
        } catch (SAML2Exception se) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("AttributeQueryUtil.processAttributeQuery:", se);
            }
            return SAML2Utils.getErrorResponse(attrQuery, SAML2Constants.RESPONDER, null, se.getMessage(), null);
        }
        assertionList.add(encryptedAssertion);
        samlResp.setEncryptedAssertion(assertionList);
    } else {
        assertionList.add(assertion);
        samlResp.setAssertion(assertionList);
    }
    samlResp.setID(SAML2Utils.generateID());
    samlResp.setInResponseTo(attrQuery.getID());
    samlResp.setVersion(SAML2Constants.VERSION_2_0);
    samlResp.setIssueInstant(new Date());
    Status status = protocolFactory.createStatus();
    StatusCode statusCode = protocolFactory.createStatusCode();
    statusCode.setValue(SAML2Constants.SUCCESS);
    status.setStatusCode(statusCode);
    samlResp.setStatus(status);
    Issuer respIssuer = AssertionFactory.getInstance().createIssuer();
    respIssuer.setValue(attrAuthorityEntityID);
    samlResp.setIssuer(respIssuer);
    signResponse(samlResp, attrAuthorityEntityID, realm, false);
    return samlResp;
}
Also used : Status(com.sun.identity.saml2.protocol.Status) Issuer(com.sun.identity.saml2.assertion.Issuer) AttributeAuthorityDescriptorElement(com.sun.identity.saml2.jaxb.metadata.AttributeAuthorityDescriptorElement) ArrayList(java.util.ArrayList) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) Assertion(com.sun.identity.saml2.assertion.Assertion) EncryptedID(com.sun.identity.saml2.assertion.EncryptedID) StatusCode(com.sun.identity.saml2.protocol.StatusCode) Date(java.util.Date) AttributeAuthorityMapper(com.sun.identity.saml2.plugins.AttributeAuthorityMapper) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) ProtocolFactory(com.sun.identity.saml2.protocol.ProtocolFactory) Response(com.sun.identity.saml2.protocol.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) List(java.util.List) ArrayList(java.util.ArrayList) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)

Example 90 with Response

use of com.sun.identity.saml2.protocol.Response in project OpenAM by OpenRock.

the class IDPSSOFederate method process.

@VisibleForTesting
void process(final HttpServletRequest request, final HttpServletResponse response, final PrintWriter out, final String reqBinding) throws FederatedSSOException, IOException, SessionException {
    if (cookieRedirector.needSetLBCookieAndRedirect(request, response, true)) {
        return;
    }
    final IDPRequestValidator validator = saml2ActorFactory.getIDPRequestValidator(reqBinding, isFromECP);
    //IDP Proxy with introduction cookie case.
    //After reading the introduction cookie, it redirects to here.
    String requestID = request.getParameter("requestID");
    if (idpProxyCase(requestID, request, response)) {
        return;
    }
    // Fetch a number of properties about the request.
    String idpMetaAlias = validator.getMetaAlias(request);
    String realm = validator.getRealmByMetaAlias(idpMetaAlias);
    String idpEntityID = validator.getIDPEntity(idpMetaAlias, realm);
    SAML2IdentityProviderAdapter idpAdapter = validator.getIDPAdapter(realm, idpEntityID);
    String reqID = request.getParameter(REQ_ID);
    if (null != auditor && StringUtils.isNotEmpty(reqID)) {
        auditor.setRequestId(reqID);
    }
    IDPSSOFederateRequest reqData = new IDPSSOFederateRequest(reqID, realm, idpAdapter, idpMetaAlias, idpEntityID);
    reqData.setEventAuditor(auditor);
    // id should be there.
    if (StringUtils.isEmpty(reqData.getRequestID())) {
        SAMLAuthenticator samlAuthenticator = saml2ActorFactory.getSAMLAuthenticator(reqData, request, response, out, isFromECP);
        samlAuthenticator.authenticate();
    } else {
        SAMLAuthenticatorLookup samlLookup = saml2ActorFactory.getSAMLAuthenticatorLookup(reqData, request, response, out);
        samlLookup.retrieveAuthenticationFromCache();
    }
}
Also used : SAMLAuthenticator(org.forgerock.openam.saml2.SAMLAuthenticator) IDPSSOFederateRequest(org.forgerock.openam.saml2.IDPSSOFederateRequest) SAMLAuthenticatorLookup(org.forgerock.openam.saml2.SAMLAuthenticatorLookup) IDPRequestValidator(org.forgerock.openam.saml2.IDPRequestValidator) SAML2IdentityProviderAdapter(com.sun.identity.saml2.plugins.SAML2IdentityProviderAdapter) VisibleForTesting(org.forgerock.util.annotations.VisibleForTesting)

Aggregations

SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)119 List (java.util.List)53 SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)45 ArrayList (java.util.ArrayList)41 IOException (java.io.IOException)40 SessionException (com.sun.identity.plugin.session.SessionException)35 Response (com.sun.identity.saml2.protocol.Response)31 SOAPException (javax.xml.soap.SOAPException)31 Issuer (com.sun.identity.saml2.assertion.Issuer)28 HttpServletResponse (javax.servlet.http.HttpServletResponse)28 SAML2TokenRepositoryException (org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)25 Map (java.util.Map)24 Assertion (com.sun.identity.saml2.assertion.Assertion)23 SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)23 SOAPMessage (javax.xml.soap.SOAPMessage)22 IDPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)20 Date (java.util.Date)20 HashMap (java.util.HashMap)20 Element (org.w3c.dom.Element)20 X509Certificate (java.security.cert.X509Certificate)16