
Example 36 with Response

use of com.sun.identity.saml2.protocol.Response in project OpenAM by OpenRock.

the class ECPIDPFinder method getPreferredIDP.

/**
 * Returns the list of preferred IDP provider IDs configured for the hosted SP.
 *
 * The list is read from the {@code SAML2Constants.ECP_REQUEST_IDP_LIST}
 * attribute of the SP's extended metadata. The AuthnRequest, request and
 * response arguments are part of the SPI signature but are not consulted here.
 *
 * @param authnRequest original authnrequest
 * @param hostProviderID hosted providerID.
 * @param realm Realm
 * @param request HttpServletRequest
 * @param response HttpServletResponse
 * @return a list of IDP providerID's, or null if the attribute is absent or
 *     the configured list is empty.
 * @exception SAML2Exception if error occurs.
 */
public List getPreferredIDP(AuthnRequest authnRequest, String hostProviderID, String realm, HttpServletRequest request, HttpServletResponse response) throws SAML2Exception {
    SPSSOConfigElement spConfig = SAML2Utils.getSAML2MetaManager().getSPSSOConfig(realm, hostProviderID);
    // presumably never null for a known hosted SP — verify against SAML2MetaUtils.getAttributes
    Map spAttributes = SAML2MetaUtils.getAttributes(spConfig);
    List configuredIdps = (List) spAttributes.get(SAML2Constants.ECP_REQUEST_IDP_LIST);
    // Per the SPI contract, "nothing configured" is reported as null, not as an empty list.
    boolean hasEntries = configuredIdps != null && !configuredIdps.isEmpty();
    return hasEntries ? configuredIdps : null;
}

Example 37 with Response

use of com.sun.identity.saml2.protocol.Response in project OpenAM by OpenRock.

the class SMAdapter method postSingleSignOnSuccess.

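/**
 * Invokes after Single-Sign-On processing succeeded.
 *
 * Presents the OpenSSO session token to the SiteMinder agent API as a
 * credential; on a successful agent login the resulting SM session is written
 * to the response as a cookie. No browser redirection is performed.
 *
 * @param hostedEntityID Entity ID for the hosted SP
 * @param realm Realm of the hosted SP.
 * @param request servlet request
 * @param response servlet response
 * @param session user's session; must be an {@code SSOToken}
 * @param authnRequest the original authentication request sent from SP,
 *       null if this is IDP initiated SSO.
 * @param ssoResponse response from IDP
 * @param profile protocol profile used, one of the following values:
 *     <code>SAML2Constants.HTTP_POST</code>,
 *     <code>SAML2Constants.HTTP_ARTIFACT</code>,
 *     <code>SAML2Constants.PAOS</code>
 * @param isFederation true if this is federation case, false otherwise.
 * @return always false: this adapter never redirects the browser.
 * @exception SAML2Exception if no usable session is supplied, the resource is
 *     not protected by the agent, agent authentication fails, or any other
 *     error occurs (the original exception is kept as the cause).
 */
public boolean postSingleSignOnSuccess(String hostedEntityID, String realm, HttpServletRequest request, HttpServletResponse response, Object session, AuthnRequest authnRequest, Response ssoResponse, String profile, boolean isFederation) throws SAML2Exception {
    try {
        // Reject a null or foreign session object explicitly instead of letting the
        // cast fail and surface as a wrapped NullPointer/ClassCastException.
        if (!(session instanceof SSOToken)) {
            throw new SAML2Exception("No OpenSSO Session found");
        }
        String famSession = ((SSOToken) session).getTokenID().toString();
        if (famSession == null) {
            throw new SAML2Exception("No OpenSSO Session found");
        }
        // The OpenSSO session token is handed to the agent as the user credential;
        // "FMTOKEN" presumably names the credential type on the agent side — verify.
        UserCredentials uc = new UserCredentials("FMTOKEN", "FMTOKEN" + famSession);
        SessionDef sd = new SessionDef();
        ResourceContextDef rcd = new ResourceContextDef(agentID, agentHostName, resource, "GET");
        RealmDef rd = new RealmDef();
        int retCode = agentAPI.isProtected(agentIP, rcd, rd);
        if (retCode != AgentAPI.YES) {
            System.out.println("Agent is not protected.");
            throw new SAML2Exception("Agent is not protected");
        }
        AttributeList al = new AttributeList();
        int status = agentAPI.login(agentIP, rcd, rd, uc, sd, al);
        if (status != AgentAPI.YES) {
            throw new SAML2Exception("Agent authentication failed");
        }
        // sd.spec is filled in by the agent login — assumed to be the SM session
        // specifier; confirm against the agent API documentation.
        Cookie smCookie = new Cookie(smCookieName, sd.spec);
        smCookie.setDomain(cookieDomain);
        // NOTE(review): this cookie carries a session credential; consider
        // setSecure/HttpOnly where the deployment's servlet API and transport allow.
        response.addCookie(smCookie);
        return false;
    } catch (SAML2Exception ex) {
        // Already the SPI's exception type: propagate as-is rather than
        // re-wrapping it and flattening its message and cause chain.
        throw ex;
    } catch (Exception ex) {
        // Attach the original exception as the cause instead of keeping only
        // its message, so the failure can be diagnosed by whoever logs it.
        SAML2Exception wrapped = new SAML2Exception(ex.getMessage());
        wrapped.initCause(ex);
        throw wrapped;
    }
}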

Example 38 with Response

use of com.sun.identity.saml2.protocol.Response in project OpenAM by OpenRock.

the class OAMAdapter method postSingleSignOnSuccess.

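/**
 * Invokes after Single-Sign-On processing succeeded.
 *
 * Presents the OpenSSO session token to Oracle Access Manager (OAM) via the
 * access SDK; when OAM reports a logged-in user session, the OAM session
 * token is written to the response as a cookie. No browser redirection is
 * performed.
 *
 * @param hostedEntityID Entity ID for the hosted SP
 * @param realm Realm of the hosted SP.
 * @param request servlet request
 * @param response servlet response
 * @param session user's session; must be an {@code SSOToken}
 * @param authnRequest the original authentication request sent from SP,
 *       null if this is IDP initiated SSO.
 * @param ssoResponse response from IDP
 * @param profile protocol profile used, one of the following values:
 *     <code>SAML2Constants.HTTP_POST</code>,
 *     <code>SAML2Constants.HTTP_ARTIFACT</code>,
 *     <code>SAML2Constants.PAOS</code>
 * @param isFederation true if this is federation case, false otherwise.
 * @return always false: this adapter never redirects the browser.
 * @exception SAML2Exception if no usable session is supplied or any other
 *     error occurs (the original exception is kept as the cause).
 */
public boolean postSingleSignOnSuccess(String hostedEntityID, String realm, HttpServletRequest request, HttpServletResponse response, Object session, AuthnRequest authnRequest, Response ssoResponse, String profile, boolean isFederation) throws SAML2Exception {
    try {
        // Reject a null or foreign session object explicitly instead of letting the
        // cast fail and surface as a wrapped NullPointer/ClassCastException.
        if (!(session instanceof SSOToken)) {
            throw new SAML2Exception("No OpenSSO Session found");
        }
        String famSession = ((SSOToken) session).getTokenID().toString();
        if (famSession == null) {
            throw new SAML2Exception("No OpenSSO Session found");
        }
        ObResourceRequest orq = new ObResourceRequest(protocol, resource, action);
        if (orq.isProtected()) {
            ObAuthenticationScheme authScheme = new ObAuthenticationScheme(orq);
            System.out.println("Authentication scheme is " + authScheme.getName());
            // The OpenSSO session token is the credential OAM is expected to
            // validate under the "famsession" key — confirm against the OAM scheme.
            Hashtable<String, String> creds = new Hashtable<String, String>();
            creds.put("famsession", famSession);
            ObUserSession userSession = new ObUserSession(orq, creds);
            if (userSession.getStatus() == ObUserSession.LOGGEDIN) {
                System.out.println("logged in principal: " + userSession.getUserIdentity());
                String sessionid = userSession.getSessionToken();
                // The OAM session token is a bearer credential: report that it
                // was obtained, but never write its value to stdout.
                System.out.println("User session obtained");
                Cookie oamCookie = new Cookie(oamCookieName, sessionid);
                oamCookie.setDomain(cookieDomain);
                // NOTE(review): this cookie carries a session credential; consider
                // setSecure/HttpOnly where the deployment's servlet API and transport allow.
                response.addCookie(oamCookie);
            }
        }
        return false;
    } catch (SAML2Exception ex) {
        // Already the SPI's exception type: propagate as-is rather than
        // re-wrapping it and flattening its message and cause chain.
        throw ex;
    } catch (Exception ex) {
        // Attach the original exception as the cause instead of keeping only
        // its message, so the failure can be diagnosed by whoever logs it.
        SAML2Exception wrapped = new SAML2Exception(ex.getMessage());
        wrapped.initCause(ex);
        throw wrapped;
    }
}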

Example 39 with Response

use of com.sun.identity.saml2.protocol.Response in project OpenAM by OpenRock.

the class SAML2SingleLogoutHandler method doIDPSingleLogout.

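/**
 * Performs single logout for the SAMLv2 protocol. This method is invoked by
 * the multi-protocol SingleLogoutManager to achieve cross federation protocol
 * single logout. The local session shall not be destroyed by the SPI
 * implementation. In cases of IDP proxying configuration, the implementation
 * needs to do single logout for the entity acting as both SP and IDP.
 *
 * Normally, there are three types of single logout to be supported:
 * - logout single session (specified by userSession parameter)
 * - logout a list of sessions (specified by userSession parameter)
 * - logout all sessions for a specific user (specified by userID parameter)
 *
 * As a single instance of the implementation class will be used internally
 * in the SingleLogoutManager class, implementation of the method shall
 * not maintain any state.
 *
 * SOAP-initiated logout is handled in place; HTTP-initiated logout is
 * redirected to the local IDPSloInit endpoint with the relay state encoded
 * in the query string.
 *
 * @param userSession Set of user session objects (java.lang.Object) to be
 *     logged out.
 * @param userID Universal identifier of the user to be logged out.
 * @param request HTTP servlet request object of the request.
 * @param response HTTP servlet response object of the request.
 * @param isSOAPInitiated True means original single logout request is
 *     initiated using SOAP binding, false means the original single logout
 *     request is initiated using HTTP binding.
 * @param isIDPInitiated True means this is identity provider initiated
 *     single logout, false means this is service provider initiated single
 *     logout.
 * @param protocol The protocol of the original single logout.
 *     Possible values for this parameter:
 *          <code>SingleLogoutManager.SAML2</code>
 *              - single logout initiated using SAMLv2 protocol
 *          <code>SingleLogoutManager.IDFF</code>
 *              - single logout initiated using ID-FF protocol
 *          <code>SingleLogoutManager.WS-FED</code>
 *              - single logout initiated using WS-Federation protocol
 * @param realm Realm of the hosted entity.
 * @param idpEntityID <code>EntityID</code> of the hosted identity provider
 *      in the original Single Logout request.
 * @param spEntityID <code>EntityID</code> of the remote service provider
 *      in the original Single Logout request.
 * @param relayState A state information to be relayed back in response;
 *      a null value is treated as the empty string.
 * @param singleLogoutRequestXML Original single logout request in XML
 *      string.
 * @param singleLogoutResponseXML Logout response to be sent back to SP.
 *      This only applies to the case of SP initiated Single Logout; it will
 *      be null in case of IDP initiated single logout.
 * @param currentStatus Current logout status, this is the accumulative
 *      single logout status for all protocols processed so far.
 *      Possible values:
 *         <code>SingleLogoutManager.LOGOUT_SUCCEEDED_STATUS</code>
 *         <code>SingleLogoutManager.LOGOUT_FAILED_STATUS</code>
 *         <code>SingleLogoutManager.LOGOUT_PARTIAL_STATUS</code>
 * @return the single logout status for this protocol, possible values:
 *         <code>SingleLogoutManager.LOGOUT_SUCCEEDED_STATUS</code>
 *         <code>SingleLogoutManager.LOGOUT_FAILED_STATUS</code>
 *         <code>SingleLogoutManager.LOGOUT_PARTIAL_STATUS</code>
 *         <code>SingleLogoutManager.LOGOUT_REDIRECTED_STATUS</code>
 *         <code>SingleLogoutManager.LOGOUT_NO_ACTION_STATUS</code> when no
 *         SAMLv2 session or no SAMLv2 IDP is involved
 * @exception Exception if error occurs when processing the protocol.
 */
public int doIDPSingleLogout(Set userSession, String userID, HttpServletRequest request, HttpServletResponse response, boolean isSOAPInitiated, boolean isIDPInitiated, String protocol, String realm, String idpEntityID, String spEntityID, String relayState, String singleLogoutRequestXML, String singleLogoutResponseXML, int currentStatus) throws Exception {
    SingleLogoutManager.getInstance().debug.message("SAML2SingleLogoutHandler.doIDPSingleLogout : start");
    if (!isSessionUsedInSAML2(userSession, userID)) {
        // no session for this protocol
        debug.message("SAML2SingleLogoutHander.doIDPSLO : no action");
        return SingleLogoutManager.LOGOUT_NO_ACTION_STATUS;
    }
    if (isSOAPInitiated) {
        SAML2MetaManager saml2Manager = new SAML2MetaManager();
        String idpMetaAlias = findIDPMetaAlias(idpEntityID, spEntityID, realm, protocol, saml2Manager);
        if (idpMetaAlias == null) {
            // no SAML2 IDP found
            return SingleLogoutManager.LOGOUT_NO_ACTION_STATUS;
        }
        if (debug.messageEnabled()) {
            // Message-level only: this dumps the session objects and the full
            // logout request/response XML into the debug log.
            debug.message("SAML2SingleLogoutHandler: " + "userID=" + userID + ", session=" + userSession + ", isSOAInited=" + isSOAPInitiated + ", isIDPInited=" + isIDPInitiated + ", protocol=" + protocol + ", relam=" + realm + ", idpEntityID=" + idpEntityID + ", spEntityID=" + spEntityID + ", status=" + currentStatus + "\nlogout Request XML=" + singleLogoutRequestXML + "\nlogout response XML=" + singleLogoutResponseXML);
        }
        String idpEntityId = saml2Manager.getEntityByMetaAlias(idpMetaAlias);
        return handleSOAPInitiatedSingleLogout(userSession, userID, request, response, realm, idpMetaAlias, idpEntityId, relayState, saml2Manager);
    }
    debug.message("SAML2SingleLogoutHandler.doIDPSLO : HTTP initiated SLO");
    // SingleLogoutManager substitutes EMPTY_STRING for a null relay state before
    // dispatching, but this is a public SPI method: guard here as well so a
    // direct caller cannot trip URLEncoder.encode on null.
    String relayStateValue = (relayState == null) ? "" : relayState;
    // The relay state is URL-encoded as a single query parameter value, so it
    // cannot inject additional parameters into the redirect target.
    String redirectURL = MultiProtocolUtils.geServerBaseURL(request) + "/IDPSloInit?" + SAML2Constants.BINDING + "=" + SAML2Constants.HTTP_REDIRECT + "&" + SAML2Constants.RELAY_STATE + "=" + URLEncoder.encode(relayStateValue, "UTF-8");
    if (debug.messageEnabled()) {
        debug.message("SAML2SingleLogoutHandler.doIDPSLO: HTTP init, redirect to " + redirectURL);
    }
    response.sendRedirect(redirectURL);
    return SingleLogoutManager.LOGOUT_REDIRECTED_STATUS;
}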

Example 40 with Response

use of com.sun.identity.saml2.protocol.Response in project OpenAM by OpenRock.

the class SingleLogoutManager method doIDPSingleLogout.

/**
 * Performs single logout across multiple federation protocols. This method
 * will invoke single logout processing for all the federation protocols.
 *
 * Normally, there are three types of single logout to be supported:
 * - logout single session (specified by userSession parameter)
 * - logout a list of sessions (specified by userSession parameter)
 * - logout all sessions for a specific user (specified by userID parameter)
 *
 * As a single instance of the implementation class will be used internally
 * in the SingleLogoutManager class, implementation of the method shall
 * not maintain any state.
 *
 * State for an in-flight multi-protocol logout is kept in the manager's
 * per-relay-state maps, keyed by a short relay state value: the first call
 * for a logout saves the parameters under a new key, and later calls
 * (re-entries after a protocol redirected the browser) look the key up
 * from the incoming relay state and continue with the remaining protocols.
 *
 * @param userSession Set of user session objects (java.lang.Object) to be
 *     logged out.
 * @param userID Universal identifier of the user to be logged out.
 * @param request HTTP servlet request object of the request.
 * @param response HTTP servlet response object of the request.
 * @param isSOAPInitiated True means original single logout request is
 *     initiated using SOAP binding, false means the original single logout
 *     request is initiated using HTTP binding.
 * @param isIDPInitiated True means this is identity provider initiated
 *     single logout, false means this is service provider initiated single
 *     logout.
 * @param protocol The protocol of the original single logout.
 *     Possible values for this parameter:
 *          SAML2  - single logout initiated using SAMLv2 protocol
 *          IDFF   - single logout initiated using ID-FF protocol
 *          WS_FED - single logout initiated using WS-Federation protocol
 * @param realm Realm of the hosted entity.
 * @param idpEntityID <code>EntityID</code> of the hosted identity provider
 *      in the original Single Logout request.
 * @param spEntityID <code>EntityID</code> of the remote service provider
 *      in the original Single Logout request.
 * @param relayState A state information to be relayed back in response;
 *      null is treated as <code>EMPTY_STRING</code>.
 * @param singleLogoutRequestXML Original single logout request in XML
 *      string.
 * @param singleLogoutResponseXML Logout response to be sent back to SP.
 *      This only applies to the case of SP initiated Single Logout; it will
 *      be null in case of IDP initiated single logout.
 * @param currentStatus Current logout status, this is the single logout
 *      status for the federation protocol just processed.
 *      Possible values:
 *         <code>LOGOUT_SUCCEEDED_STATUS</code> - single logout succeeded.
 *         <code>LOGOUT_FAILED_STATUS</code>    - single logout failed.
 *         <code>LOGOUT_PARTIAL_STATUS</code>   - single logout partially
 *                                                succeeded.
 * @return accumulative status of single logout for all protocols
 *      processed so far, or status indicating the logout request has been
 *      redirected for processing. Possible values:
 *         <code>LOGOUT_SUCCEEDED_STATUS</code> - single logout succeeded.
 *         <code>LOGOUT_FAILED_STATUS</code>    - single logout failed.
 *         <code>LOGOUT_PARTIAL_STATUS</code>   - single logout partially
 *                                                succeeded.
 *         <code>LOGOUT_REDIRECTED_STATUS</code> - single logout request
 *                                                redirected.
 *         <code>LOGOUT_NO_ACTION_STATUS</code>  - single logout not
 *                                                 performed.
 * @exception Exception if error occurs when processing the protocol.
 */
public int doIDPSingleLogout(Set userSession, String userID, HttpServletRequest request, HttpServletResponse response, boolean isSOAPInitiated, boolean isIDPInitiated, String protocol, String realm, String idpEntityID, String spEntityID, String relayState, String singleLogoutRequestXML, String singleLogoutResponseXML, int currentStatus) throws Exception {
    // Normalise so the map lookups and URL building below never see null.
    if (relayState == null) {
        relayState = EMPTY_STRING;
    }
    if ((protocolList.isEmpty())) {
        // no handler configured, just return
        debug.message("SingleLogoutManager.doIDPSingleLogour : no handler");
        return LOGOUT_NO_ACTION_STATUS;
    }
    // the incoming relayState could be the original relayState or the
    // generated relayStateString in this format:
    // <proto>://<host>:<port>/<uri>/multiprotocolrelay/<40-byte-hex-string>
    // or just <40-byte-hex-string>
    //
    // Resolve it to the short key used by the state maps: either the value
    // itself is a key, or getShortRelayState() presumably extracts the hex
    // key from the relay URL form (not visible here); anything else is
    // treated as a brand-new logout (tmpRelayState == null).
    //
    // NOTE(review): the relay state arrives in a protocol message, so the
    // unguessability of the key issued by saveParameters() is what ties a
    // re-entry to its saved parameters — confirm it is generated with a
    // cryptographically strong source.
    String tmpRelayState = relayState;
    if (!relayStateMap.containsKey(relayState)) {
        tmpRelayState = getShortRelayState(relayState);
        if ((tmpRelayState != null) && !relayStateMap.containsKey(tmpRelayState)) {
            tmpRelayState = null;
        }
    }
    if (debug.messageEnabled()) {
        debug.message("SingleLogoutManager.doIDPSLO: userID=" + userID + ", protocol=" + protocol + ", relay=" + relayState + ", hex relay=" + tmpRelayState);
    }
    if (tmpRelayState == null) {
        // this is the first time the doIDPSingleLogout called, save params
        tmpRelayState = saveParameters(userSession, userID, isSOAPInitiated, isIDPInitiated, protocol, realm, idpEntityID, spEntityID, relayState, singleLogoutRequestXML, singleLogoutResponseXML, currentStatus);
        // replace relaystate with multi-protocol relay state servlet
        relayState = getRelayStateURL(request, tmpRelayState);
        if (debug.messageEnabled()) {
            debug.message("SingleLogoutManager.doIDPSingleLogout : save " + tmpRelayState + ", new relayState=" + relayState);
        }
    } else {
        // update existing entry status
        updateStatus(tmpRelayState, currentStatus);
        // A bare key was passed in: expand it back to the relay servlet URL so
        // the next protocol handler relays through this manager again.
        if (tmpRelayState.equals(relayState)) {
            relayState = getRelayStateURL(request, tmpRelayState);
        }
        if (debug.messageEnabled()) {
            debug.message("SingleLogoutManager.doIDPSingleLogout : read " + tmpRelayState + ", nu relayState=" + relayState);
        }
    }
    // Protocols still to be processed for this logout. The list is consumed
    // in place (remove(0) below), so the map entry itself shrinks as we go.
    List list = (List) protocolListMap.get(tmpRelayState);
    if ((list == null) || list.isEmpty()) {
        // Nothing left: report the accumulated status. Assumes an entry exists
        // (saveParameters/updateStatus put one); a missing entry would NPE here.
        return ((Integer) currentStatusMap.get(tmpRelayState)).intValue();
    } else {
        while (!list.isEmpty()) {
            String proto = (String) list.remove(0);
            SingleLogoutHandler handler = (SingleLogoutHandler) handlerMap.get(proto);
            if (handler == null) {
                debug.error("SingleLogoutManager.doIDPSingleLogout: " + "no handler for protocol " + proto);
                continue;
            }
            if (debug.messageEnabled()) {
                debug.message("SingleLogoutManager.doIDPSingleLogout: " + " handle protocol " + proto);
            }
            // Reload the call parameters from the saved state so every handler
            // sees the original logout's values, not whatever the re-entering
            // caller passed. singleLogoutResponseXML is deliberately not
            // reloaded here — the caller's value is forwarded as given.
            userSession = (Set) userSessionMap.get(tmpRelayState);
            userID = (String) userIDMap.get(tmpRelayState);
            isSOAPInitiated = ((Boolean) isSOAPInitiatedMap.get(tmpRelayState)).booleanValue();
            isIDPInitiated = ((Boolean) isIDPInitiatedMap.get(tmpRelayState)).booleanValue();
            protocol = (String) origProtocolMap.get(tmpRelayState);
            realm = (String) realmMap.get(tmpRelayState);
            idpEntityID = (String) idpEntityIDMap.get(tmpRelayState);
            spEntityID = (String) spEntityIDMap.get(tmpRelayState);
            singleLogoutRequestXML = (String) sloRequestXMLMap.get(tmpRelayState);
            currentStatus = ((Integer) currentStatusMap.get(tmpRelayState)).intValue();
            int status = SingleLogoutManager.LOGOUT_SUCCEEDED_STATUS;
            try {
                status = handler.doIDPSingleLogout(userSession, userID, request, response, isSOAPInitiated, isIDPInitiated, protocol, realm, idpEntityID, spEntityID, relayState, singleLogoutRequestXML, singleLogoutResponseXML, currentStatus);
                if (debug.messageEnabled()) {
                    debug.message("SingleLogoutManager.doIDPSingleLogout: " + " logout status = " + status + " for " + proto);
                }
            } catch (Exception ex) {
                // A failing handler does not abort the others: record the
                // failure and move on to the next protocol.
                debug.error("SingleLogoutManager.doIDPSingleLogout: error" + " for protocol " + proto, ex);
                status = SingleLogoutManager.LOGOUT_FAILED_STATUS;
            }
            if (status == LOGOUT_REDIRECTED_STATUS) {
                // The browser has been sent elsewhere; the saved state stays in
                // the maps so the remaining protocols run when the flow re-enters.
                return status;
            } else {
                updateStatus(tmpRelayState, status);
            }
        }
        int retVal = ((Integer) currentStatusMap.get(tmpRelayState)).intValue();
        // Only the SOAP case cleans up here; the HTTP case presumably releases
        // its entry elsewhere once the relay completes — verify.
        if (isSOAPInitiated) {
            cleanupParameters(tmpRelayState);
        }
        return retVal;
    }
}
