Search in sources :

Example 1 with Scoping

use of com.sun.identity.saml2.protocol.Scoping in project OpenAM by OpenRock.

the class SPSSOFederate method createAuthnRequest.

/**
     * Create an AuthnRequest.
     *
     * @param realmName the authentication realm for this request
     * @param spEntityID the entity id for the service provider
     * @param paramsMap the map of parameters for the authentication request
     * @param spConfigMap the configuration map for the service provider
     * @param extensionsList a list of extendsions for the authentication request
     * @param spsso the SPSSODescriptorElement for theservcie provider
     * @param idpsso the IDPSSODescriptorElement for the identity provider
     * @param ssourl the url for the single sign on request
     * @param isForECP boolean to indicatge if the request originated from an ECP
     * @return a new AuthnRequest object
     * @throws SAML2Exception
     */
public static AuthnRequest createAuthnRequest(final String realmName, final String spEntityID, final Map paramsMap, final Map spConfigMap, final List extensionsList, final SPSSODescriptorElement spsso, final IDPSSODescriptorElement idpsso, final String ssourl, final boolean isForECP) throws SAML2Exception {
    // generate unique request ID
    String requestID = SAML2Utils.generateID();
    if ((requestID == null) || (requestID.length() == 0)) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("cannotGenerateID"));
    }
    // retrieve data from the params map and if not found get
    // default values from the SPConfig Attributes
    // destinationURI required if message is signed.
    String destinationURI = getParameter(paramsMap, SAML2Constants.DESTINATION);
    Boolean isPassive = doPassive(paramsMap, spConfigMap);
    Boolean isforceAuthn = isForceAuthN(paramsMap, spConfigMap);
    boolean allowCreate = isAllowCreate(paramsMap, spConfigMap);
    boolean includeRequestedAuthnContextFlag = includeRequestedAuthnContext(paramsMap, spConfigMap);
    String consent = getParameter(paramsMap, SAML2Constants.CONSENT);
    Extensions extensions = createExtensions(extensionsList);
    String nameIDPolicyFormat = getParameter(paramsMap, SAML2Constants.NAMEID_POLICY_FORMAT);
    // get NameIDPolicy Element 
    NameIDPolicy nameIDPolicy = createNameIDPolicy(spEntityID, nameIDPolicyFormat, allowCreate, spsso, idpsso, realmName, paramsMap);
    Issuer issuer = createIssuer(spEntityID);
    Integer acsIndex = getIndex(paramsMap, SAML2Constants.ACS_URL_INDEX);
    Integer attrIndex = getIndex(paramsMap, SAML2Constants.ATTR_INDEX);
    String protocolBinding = isForECP ? SAML2Constants.PAOS : getParameter(paramsMap, "binding");
    OrderedSet acsSet = getACSUrl(spsso, protocolBinding);
    String acsURL = (String) acsSet.get(0);
    protocolBinding = (String) acsSet.get(1);
    if (!SAML2Utils.isSPProfileBindingSupported(realmName, spEntityID, SAML2Constants.ACS_SERVICE, protocolBinding)) {
        SAML2Utils.debug.error("SPSSOFederate.createAuthnRequest:" + protocolBinding + "is not supported for " + spEntityID);
        String[] data = { spEntityID, protocolBinding };
        LogUtil.error(Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    AuthnRequest authnReq = ProtocolFactory.getInstance().createAuthnRequest();
    if (!isForECP) {
        if ((destinationURI == null) || (destinationURI.length() == 0)) {
            authnReq.setDestination(XMLUtils.escapeSpecialCharacters(ssourl));
        } else {
            authnReq.setDestination(XMLUtils.escapeSpecialCharacters(destinationURI));
        }
    }
    authnReq.setConsent(consent);
    authnReq.setIsPassive(isPassive);
    authnReq.setForceAuthn(isforceAuthn);
    authnReq.setAttributeConsumingServiceIndex(attrIndex);
    authnReq.setAssertionConsumerServiceIndex(acsIndex);
    authnReq.setAssertionConsumerServiceURL(XMLUtils.escapeSpecialCharacters(acsURL));
    authnReq.setProtocolBinding(protocolBinding);
    authnReq.setIssuer(issuer);
    authnReq.setNameIDPolicy(nameIDPolicy);
    if (includeRequestedAuthnContextFlag) {
        authnReq.setRequestedAuthnContext(createReqAuthnContext(realmName, spEntityID, paramsMap, spConfigMap));
    }
    if (extensions != null) {
        authnReq.setExtensions(extensions);
    }
    // Required attributes in authn request
    authnReq.setID(requestID);
    authnReq.setVersion(SAML2Constants.VERSION_2_0);
    authnReq.setIssueInstant(new Date());
    //IDP Proxy 
    Boolean enableIDPProxy = getAttrValueFromMap(spConfigMap, SAML2Constants.ENABLE_IDP_PROXY);
    if ((enableIDPProxy != null) && enableIDPProxy.booleanValue()) {
        Scoping scoping = ProtocolFactory.getInstance().createScoping();
        String proxyCountParam = getParameter(spConfigMap, SAML2Constants.IDP_PROXY_COUNT);
        if (proxyCountParam != null && (!proxyCountParam.equals(""))) {
            scoping.setProxyCount(new Integer(proxyCountParam));
        }
        List proxyIDPs = (List) spConfigMap.get(SAML2Constants.IDP_PROXY_LIST);
        if (proxyIDPs != null && !proxyIDPs.isEmpty()) {
            Iterator iter = proxyIDPs.iterator();
            ArrayList list = new ArrayList();
            while (iter.hasNext()) {
                IDPEntry entry = ProtocolFactory.getInstance().createIDPEntry();
                entry.setProviderID((String) iter.next());
                list.add(entry);
            }
            IDPList idpList = ProtocolFactory.getInstance().createIDPList();
            idpList.setIDPEntries(list);
            scoping.setIDPList(idpList);
        }
        authnReq.setScoping(scoping);
    }
    return authnReq;
}
Also used : OrderedSet(com.sun.identity.shared.datastruct.OrderedSet) NameIDPolicy(com.sun.identity.saml2.protocol.NameIDPolicy) Issuer(com.sun.identity.saml2.assertion.Issuer) ArrayList(java.util.ArrayList) IDPList(com.sun.identity.saml2.protocol.IDPList) Extensions(com.sun.identity.saml2.protocol.Extensions) Date(java.util.Date) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) AuthnRequest(com.sun.identity.saml2.protocol.AuthnRequest) Scoping(com.sun.identity.saml2.protocol.Scoping) Iterator(java.util.Iterator) List(java.util.List) IDPList(com.sun.identity.saml2.protocol.IDPList) ArrayList(java.util.ArrayList) IDPEntry(com.sun.identity.saml2.protocol.IDPEntry)

Example 2 with Scoping

use of com.sun.identity.saml2.protocol.Scoping in project OpenAM by OpenRock.

the class IDPProxyUtil method getNewAuthnRequest.

/**
     * Constructs new authentication request by using the original request
     * that is sent by the service provider to the proxying IDP.
     * @param hostedEntityId hosted provider ID
     * @param destination The destination where the new AuthnRequest will be sent to.
     * @param realm Realm
     * @param origRequest Original Authn Request
     * @return AuthnRequest new authn request.
     * @exception SAML2Exception for failure in creating new authn request.
     * @return AuthnRequest object 
     */
private static AuthnRequest getNewAuthnRequest(String hostedEntityId, String destination, String realm, AuthnRequest origRequest) throws SAML2Exception {
    String classMethod = "IDPProxyUtil.getNewAuthnRequest: ";
    // New Authentication request should only be a single sign-on request.   
    try {
        AuthnRequest newRequest = ProtocolFactory.getInstance().createAuthnRequest();
        String requestID = SAML2Utils.generateID();
        if (requestID == null || requestID.isEmpty()) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("cannotGenerateID"));
        }
        newRequest.setID(requestID);
        SPSSODescriptorElement localDescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(realm, hostedEntityId);
        newRequest.setDestination(XMLUtils.escapeSpecialCharacters(destination));
        newRequest.setConsent(origRequest.getConsent());
        newRequest.setIsPassive(origRequest.isPassive());
        newRequest.setForceAuthn(origRequest.isForceAuthn());
        newRequest.setAttributeConsumingServiceIndex(origRequest.getAttributeConsumingServiceIndex());
        newRequest.setAssertionConsumerServiceIndex(origRequest.getAssertionConsumerServiceIndex());
        String protocolBinding = origRequest.getProtocolBinding();
        newRequest.setProtocolBinding(protocolBinding);
        OrderedSet acsSet = SPSSOFederate.getACSUrl(localDescriptor, protocolBinding);
        String acsURL = (String) acsSet.get(0);
        newRequest.setAssertionConsumerServiceURL(acsURL);
        Issuer issuer = AssertionFactory.getInstance().createIssuer();
        issuer.setValue(hostedEntityId);
        newRequest.setIssuer(issuer);
        NameIDPolicy origNameIDPolicy = origRequest.getNameIDPolicy();
        if (origNameIDPolicy != null) {
            NameIDPolicy newNameIDPolicy = ProtocolFactory.getInstance().createNameIDPolicy();
            newNameIDPolicy.setFormat(origNameIDPolicy.getFormat());
            newNameIDPolicy.setSPNameQualifier(hostedEntityId);
            newNameIDPolicy.setAllowCreate(origNameIDPolicy.isAllowCreate());
            newRequest.setNameIDPolicy(newNameIDPolicy);
        }
        newRequest.setRequestedAuthnContext(origRequest.getRequestedAuthnContext());
        newRequest.setExtensions(origRequest.getExtensions());
        newRequest.setIssueInstant(new Date());
        newRequest.setVersion(SAML2Constants.VERSION_2_0);
        Scoping scoping = origRequest.getScoping();
        if (scoping != null) {
            Scoping newScoping = ProtocolFactory.getInstance().createScoping();
            Integer proxyCountInt = scoping.getProxyCount();
            int proxyCount = 1;
            if (proxyCountInt != null) {
                proxyCount = scoping.getProxyCount().intValue();
                newScoping.setProxyCount(new Integer(proxyCount - 1));
            }
            newScoping.setIDPList(scoping.getIDPList());
            newRequest.setScoping(newScoping);
        } else {
            //handling the alwaysIdpProxy case -> the incoming request
            //did not contained a Scoping field
            SPSSOConfigElement spConfig = getSPSSOConfigByAuthnRequest(realm, origRequest);
            Map<String, List<String>> spConfigAttrMap = SAML2MetaUtils.getAttributes(spConfig);
            scoping = ProtocolFactory.getInstance().createScoping();
            String proxyCountParam = SPSSOFederate.getParameter(spConfigAttrMap, SAML2Constants.IDP_PROXY_COUNT);
            if (proxyCountParam != null && (!proxyCountParam.equals(""))) {
                int proxyCount = Integer.valueOf(proxyCountParam);
                if (proxyCount <= 0) {
                    scoping.setProxyCount(0);
                } else {
                    //since this is a remote SP configuration, we should
                    //decrement the proxycount by one
                    scoping.setProxyCount(proxyCount - 1);
                }
            }
            List<String> proxyIdPs = spConfigAttrMap.get(SAML2Constants.IDP_PROXY_LIST);
            if (proxyIdPs != null && !proxyIdPs.isEmpty()) {
                List<IDPEntry> list = new ArrayList<IDPEntry>();
                for (String proxyIdP : proxyIdPs) {
                    IDPEntry entry = ProtocolFactory.getInstance().createIDPEntry();
                    entry.setProviderID(proxyIdP);
                    list.add(entry);
                }
                IDPList idpList = ProtocolFactory.getInstance().createIDPList();
                idpList.setIDPEntries(list);
                scoping.setIDPList(idpList);
                newRequest.setScoping(scoping);
            }
        }
        return newRequest;
    } catch (Exception ex) {
        SAML2Utils.debug.error(classMethod + "Error in creating new authn request.", ex);
        throw new SAML2Exception(ex);
    }
}
Also used : OrderedSet(com.sun.identity.shared.datastruct.OrderedSet) Issuer(com.sun.identity.saml2.assertion.Issuer) NameIDPolicy(com.sun.identity.saml2.protocol.NameIDPolicy) SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement) SPSSOConfigElement(com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement) ArrayList(java.util.ArrayList) IDPList(com.sun.identity.saml2.protocol.IDPList) Date(java.util.Date) SOAPException(javax.xml.soap.SOAPException) SessionException(com.sun.identity.plugin.session.SessionException) SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException) SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException) IOException(java.io.IOException) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) AuthnRequest(com.sun.identity.saml2.protocol.AuthnRequest) Scoping(com.sun.identity.saml2.protocol.Scoping) List(java.util.List) IDPList(com.sun.identity.saml2.protocol.IDPList) ArrayList(java.util.ArrayList) IDPEntry(com.sun.identity.saml2.protocol.IDPEntry)

Example 3 with Scoping

use of com.sun.identity.saml2.protocol.Scoping in project OpenAM by OpenRock.

the class IDPProxyUtil method isIDPProxyEnabled.

/**
     * Checks if the identity provider is configured for proxying the
     * authentication requests for a requesting service provider.
     * @param authnRequest Authentication Request.
     * @param realm Realm
     * @return <code>true</code> if the IDP is configured for proxying.
     * @exception SAML2Exception for any failure.
     */
public static boolean isIDPProxyEnabled(AuthnRequest authnRequest, String realm) throws SAML2Exception {
    SPSSOConfigElement spConfig;
    Map spConfigAttrsMap = null;
    Scoping scoping = authnRequest.getScoping();
    if (scoping == null) {
        //let's check if always IdP proxy and IdP Proxy itself is enabled
        spConfig = getSPSSOConfigByAuthnRequest(realm, authnRequest);
        if (spConfig != null) {
            spConfigAttrsMap = SAML2MetaUtils.getAttributes(spConfig);
            Boolean alwaysEnabled = SPSSOFederate.getAttrValueFromMap(spConfigAttrsMap, SAML2Constants.ALWAYS_IDP_PROXY);
            Boolean proxyEnabled = SPSSOFederate.getAttrValueFromMap(spConfigAttrsMap, SAML2Constants.ENABLE_IDP_PROXY);
            if (alwaysEnabled != null && alwaysEnabled && proxyEnabled != null && proxyEnabled) {
                return true;
            }
        }
        return false;
    }
    Integer proxyCountInt = scoping.getProxyCount();
    int proxyCount = 0;
    if (proxyCountInt == null) {
        //Proxy count missing, IDP Proxy allowed 
        proxyCount = 1;
    } else {
        proxyCount = proxyCountInt.intValue();
    }
    if (proxyCount <= 0) {
        return false;
    }
    spConfig = IDPSSOUtil.metaManager.getSPSSOConfig(realm, authnRequest.getIssuer().getValue());
    if (spConfig != null) {
        spConfigAttrsMap = SAML2MetaUtils.getAttributes(spConfig);
    }
    Boolean enabledString = SPSSOFederate.getAttrValueFromMap(spConfigAttrsMap, SAML2Constants.ENABLE_IDP_PROXY);
    if (enabledString == null) {
        return false;
    }
    return (enabledString.booleanValue());
}
Also used : Scoping(com.sun.identity.saml2.protocol.Scoping) SPSSOConfigElement(com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement) Map(java.util.Map) HashMap(java.util.HashMap)

Example 4 with Scoping

use of com.sun.identity.saml2.protocol.Scoping in project OpenAM by OpenRock.

the class AuthnRequestImpl method parseDOMElement.

/** 
     * Parses the Docuemnt Element for this object.
     * 
     * @param element the Document Element of this object.
     * @throws SAML2Exception if error parsing the Document Element.
     */
protected void parseDOMElement(Element element) throws SAML2Exception {
    AssertionFactory assertionFactory = AssertionFactory.getInstance();
    ProtocolFactory protoFactory = ProtocolFactory.getInstance();
    requestId = element.getAttribute(SAML2Constants.ID);
    validateID(requestId);
    version = element.getAttribute(SAML2Constants.VERSION);
    validateVersion(version);
    String issueInstantStr = element.getAttribute(SAML2Constants.ISSUE_INSTANT);
    validateIssueInstant(issueInstantStr);
    destinationURI = element.getAttribute(SAML2Constants.DESTINATION);
    consent = element.getAttribute(SAML2Constants.CONSENT);
    NodeList nList = element.getChildNodes();
    if ((nList != null) && (nList.getLength() > 0)) {
        for (int i = 0; i < nList.getLength(); i++) {
            Node childNode = nList.item(i);
            String cName = childNode.getLocalName();
            if (cName != null) {
                if (cName.equals(SAML2Constants.ISSUER)) {
                    validateIssuer();
                    nameID = assertionFactory.createIssuer((Element) childNode);
                } else if (cName.equals(SAML2Constants.SIGNATURE)) {
                    validateSignature();
                    signatureString = XMLUtils.print((Element) childNode);
                    isSigned = true;
                } else if (cName.equals(SAML2Constants.EXTENSIONS)) {
                    validateExtensions();
                    extensions = protoFactory.createExtensions((Element) childNode);
                } else if (cName.equals(SAML2Constants.SUBJECT)) {
                    validateSubject();
                    subject = assertionFactory.createSubject((Element) childNode);
                } else if (cName.equals(SAML2Constants.NAMEIDPOLICY)) {
                    validateNameIDPolicy();
                    nameIDPolicy = protoFactory.createNameIDPolicy((Element) childNode);
                } else if (cName.equals(SAML2Constants.CONDITIONS)) {
                    validateConditions();
                    conditions = assertionFactory.createConditions((Element) childNode);
                } else if (cName.equals(SAML2Constants.REQ_AUTHN_CONTEXT)) {
                    validateReqAuthnContext();
                    reqAuthnContext = protoFactory.createRequestedAuthnContext((Element) childNode);
                } else if (cName.equals(SAML2Constants.SCOPING)) {
                    validateScoping();
                    scoping = protoFactory.createScoping((Element) childNode);
                }
            }
        }
    }
    // Get ForceAuthn Attribute
    String forceAuthnAttr = element.getAttribute(SAML2Constants.FORCEAUTHN);
    if ((forceAuthnAttr != null) && (forceAuthnAttr.length() > 0)) {
        forceAuthn = SAML2SDKUtils.booleanValueOf(forceAuthnAttr);
    }
    String isPassiveAttr = element.getAttribute(SAML2Constants.ISPASSIVE);
    if ((isPassiveAttr != null) && (isPassiveAttr.length() > 0)) {
        isPassive = SAML2SDKUtils.booleanValueOf(isPassiveAttr);
    }
    protocolBinding = element.getAttribute(SAML2Constants.PROTOBINDING);
    String index = element.getAttribute(SAML2Constants.ASSERTION_CONSUMER_SVC_INDEX);
    if ((index != null) && (index.length() > 0)) {
        assertionConsumerSvcIndex = new Integer(index);
        validateAssertionConsumerServiceIndex(assertionConsumerSvcIndex);
    }
    assertionConsumerServiceURL = XMLUtils.unescapeSpecialCharacters(element.getAttribute(SAML2Constants.ASSERTION_CONSUMER_SVC_URL));
    index = element.getAttribute(SAML2Constants.ATTR_CONSUMING_SVC_INDEX);
    if ((index != null) && (index.length() > 0)) {
        attrConsumingSvcIndex = new Integer(index);
        validateAttributeConsumingServiceIndex(attrConsumingSvcIndex);
    }
    providerName = element.getAttribute(SAML2Constants.PROVIDER_NAME);
}
Also used : ProtocolFactory(com.sun.identity.saml2.protocol.ProtocolFactory) AssertionFactory(com.sun.identity.saml2.assertion.AssertionFactory) NodeList(org.w3c.dom.NodeList) Node(org.w3c.dom.Node) Element(org.w3c.dom.Element)

Aggregations

Scoping (com.sun.identity.saml2.protocol.Scoping)3 Issuer (com.sun.identity.saml2.assertion.Issuer)2 SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)2 SPSSOConfigElement (com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement)2 AuthnRequest (com.sun.identity.saml2.protocol.AuthnRequest)2 IDPEntry (com.sun.identity.saml2.protocol.IDPEntry)2 IDPList (com.sun.identity.saml2.protocol.IDPList)2 NameIDPolicy (com.sun.identity.saml2.protocol.NameIDPolicy)2 OrderedSet (com.sun.identity.shared.datastruct.OrderedSet)2 ArrayList (java.util.ArrayList)2 Date (java.util.Date)2 List (java.util.List)2 SessionException (com.sun.identity.plugin.session.SessionException)1 AssertionFactory (com.sun.identity.saml2.assertion.AssertionFactory)1 SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)1 SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)1 Extensions (com.sun.identity.saml2.protocol.Extensions)1 ProtocolFactory (com.sun.identity.saml2.protocol.ProtocolFactory)1 IOException (java.io.IOException)1 HashMap (java.util.HashMap)1