Example 16 with Status

Use of com.sun.identity.saml2.protocol.Status in project OpenAM by OpenRock.

The class IDPSingleLogout, method isNameNotFound.

static boolean isNameNotFound(LogoutResponse logoutRes) {
    Status status = logoutRes.getStatus();
    String statusMessage = status.getStatusMessage();
    return (status.getStatusCode().getValue().equals(SAML2Constants.RESPONDER) && statusMessage != null && statusMessage.equals(SAML2Utils.bundle.getString("invalid_name_identifier")));
}
Also used : Status(com.sun.identity.saml2.protocol.Status)

Example 17 with Status

Use of com.sun.identity.saml2.protocol.Status in project OpenAM by OpenRock.

The class IDPSingleLogout, method sendAlreadyLogedOutResp.

/**
     * Generates a new Logout Response with Success Status saying that the user has already logged out.
     *
     * @param response The Servlet response.
     * @param request The Servlet request.
     * @param logoutReq The SAML 2.0 Logout Request.
     * @param relayState The original relay state that came with the request.
     * @param realm The realm where the hosted entity has been defined.
     * @param idpEntityID The entity id of the hosted IdP.
     * @param spEntityID The entity id of the remote SP.
     * @param binding The binding that the IdP should reply with to the SP.
     *
     * @throws SAML2Exception If there was a problem while constructing/sending the Logout Response.
     */
private static void sendAlreadyLogedOutResp(HttpServletResponse response, HttpServletRequest request, LogoutRequest logoutReq, String relayState, String realm, String idpEntityID, String spEntityID, String binding) throws SAML2Exception {
    String classMethod = "IDPSingleLogout.sendAlreadyLogedOutResp";
    debug.message(classMethod + "No session in the IdP. " + "We are already logged out. Generating success logout");
    LogoutResponse logRes = LogoutUtil.generateResponse(ALREADY_LOGGEDOUT, logoutReq.getID(), SAML2Utils.createIssuer(idpEntityID), realm, SAML2Constants.IDP_ROLE, logoutReq.getIssuer().getSPProvidedID());
    SingleLogoutServiceElement endpoint = getLogoutResponseEndpoint(realm, spEntityID, binding);
    binding = endpoint.getBinding();
    String location = getResponseLocation(endpoint);
    debug.message(classMethod + "Location found: " + location + " for binding " + binding);
    logRes.setDestination(XMLUtils.escapeSpecialCharacters(location));
    LogoutUtil.sendSLOResponse(response, request, logRes, location, relayState, realm, idpEntityID, SAML2Constants.IDP_ROLE, spEntityID, binding);
}
Also used : LogoutResponse(com.sun.identity.saml2.protocol.LogoutResponse) SingleLogoutServiceElement(com.sun.identity.saml2.jaxb.metadata.SingleLogoutServiceElement)

Example 18 with Status

Use of com.sun.identity.saml2.protocol.Status in project OpenAM by OpenRock.

The class SAML2SingleLogoutHandler, method doIDPSingleLogout.

/**
     * Performs single logout for a specific protocol. This method needs to be
     * implemented by each federation protocol, and will be invoked by other
     * protocols to achieve cross federation protocol single logout. The local
     * session shall not be destroyed by the SPI implementation. In cases of
     * IDP proxying configuration, the implementation needs to do single
     * logout for the entity acting as both SP and IDP.
     *
     * Normally, there are three types of single logout to be supported:
     * - logout single session (specified by userSession parameter)
     * - logout a list of sessions (specified by userSession parameter)
     * - logout all sessions for a specific user (specified by userID parameter)
     *
     * As a single instance of the implementation class will be used internally
     * in the SingleLogoutManager class, implementation of the method shall
     * not maintain any states.
     *
     * @param userSession Set of user session objects (java.lang.Object) to be
     *     logged out.
     * @param userID Universal identifier of the user to be logged out.
     * @param request HTTP servlet request object of the request.
     * @param response HTTP servlet response object of the request.
     * @param isSOAPInitiated True means original single logout request is
     *     initiated using SOAP binding, false means the original single logout
     *     request is initiated using HTTP binding.
     * @param isIDPInitiated True means this is identity provider initiated
     *     single logout, false means this is service provider initiated single
     *     logout.
     * @param protocol The protocol of the original single logout.
     *     Possible values for this parameter:
     *          <code>SingleLogoutManager.SAML2</code>
     *              - single logout initiated using SAMLv2 protocol
     *          <code>SingleLogoutManager.IDFF</code>
     *              - single logout initiated using ID-FF protocol
     *          <code>SingleLogoutManager.WS-FED</code>
     *              - single logout initiated using WS-Federation protocol
     * @param realm Realm of the hosted entity.
     * @param idpEntityID <code>EntityID</code> of the hosted identity provider
     *      in the original Single Logout request.
     * @param spEntityID <code>EntityID</code> of the remote service provider
     *      in the original Single Logout request.
     * @param relayState A state information to be relayed back in response.
     * @param singleLogoutRequestXML Original single logout request in XML
     *      string.
     * @param singleLogoutResponseXML Logout response to be sent back to SP.
     *      This only applies to the case of SP initiated Single Logout; it will
     *      be null in case of IDP initiated single logout.
     * @param currentStatus Current logout status, this is the accumulative
     *      single logout status for all protocols processed so far.
     *      Possible values:
     *         <code>SingleLogoutManager.LOGOUT_SUCCEEDED_STATUS</code>
     *         <code>SingleLogoutManager.LOGOUT_FAILED_STATUS</code>
     *         <code>SingleLogoutManager.LOGOUT_PARTIAL_STATUS</code>
     * @return the single logout status for this protocol, possible values:
     *         <code>SingleLogoutManager.LOGOUT_SUCCEEDED_STATUS</code>
     *         <code>SingleLogoutManager.LOGOUT_FAILED_STATUS</code>
     *         <code>SingleLogoutManager.LOGOUT_PARTIAL_STATUS</code>
     *         <code>SingleLogoutManager.LOGOUT_REDIRECTED_STATUS</code>
     * @exception Exception if error occurs when processing the protocol.
     */
public int doIDPSingleLogout(Set userSession, String userID, HttpServletRequest request, HttpServletResponse response, boolean isSOAPInitiated, boolean isIDPInitiated, String protocol, String realm, String idpEntityID, String spEntityID, String relayState, String singleLogoutRequestXML, String singleLogoutResponseXML, int currentStatus) throws Exception {
    SingleLogoutManager.getInstance().debug.message("SAML2SingleLogoutHandler.doIDPSingleLogout : start");
    if (!isSessionUsedInSAML2(userSession, userID)) {
        // no session for this protocol
        debug.message("SAML2SingleLogoutHander.doIDPSLO : no action");
        return SingleLogoutManager.LOGOUT_NO_ACTION_STATUS;
    }
    if (isSOAPInitiated) {
        SAML2MetaManager saml2Manager = new SAML2MetaManager();
        String idpMetaAlias = findIDPMetaAlias(idpEntityID, spEntityID, realm, protocol, saml2Manager);
        if (idpMetaAlias == null) {
            // no SAML2 IDP found
            return SingleLogoutManager.LOGOUT_NO_ACTION_STATUS;
        }
        if (debug.messageEnabled()) {
            debug.message("SAML2SingleLogoutHandler: " + "userID=" + userID + ", session=" + userSession + ", isSOAInited=" + isSOAPInitiated + ", isIDPInited=" + isIDPInitiated + ", protocol=" + protocol + ", relam=" + realm + ", idpEntityID=" + idpEntityID + ", spEntityID=" + spEntityID + ", status=" + currentStatus + "\nlogout Request XML=" + singleLogoutRequestXML + "\nlogout response XML=" + singleLogoutResponseXML);
        }
        String idpEntityId = saml2Manager.getEntityByMetaAlias(idpMetaAlias);
        return handleSOAPInitiatedSingleLogout(userSession, userID, request, response, realm, idpMetaAlias, idpEntityId, relayState, saml2Manager);
    } else {
        debug.message("SAML2SingleLogoutHandler.doIDPSLO : HTTP initiated SLO");
        String redirectURL = MultiProtocolUtils.geServerBaseURL(request) + "/IDPSloInit?" + SAML2Constants.BINDING + "=" + SAML2Constants.HTTP_REDIRECT + "&" + SAML2Constants.RELAY_STATE + "=" + URLEncoder.encode(relayState, "UTF-8");
        if (debug.messageEnabled()) {
            debug.message("SAML2SingleLogoutHandler.doIDPSLO: HTTP init, redirect to " + redirectURL);
        }
        response.sendRedirect(redirectURL);
        return SingleLogoutManager.LOGOUT_REDIRECTED_STATUS;
    }
}
Also used : SAML2MetaManager(com.sun.identity.saml2.meta.SAML2MetaManager)

Example 19 with Status

Use of com.sun.identity.saml2.protocol.Status in project OpenAM by OpenRock.

The class SingleLogoutManager, method doIDPSingleLogout.

/**
     * Performs single logout across multiple federation protocols. This method
     * will invoke single logout processing for all the federation protocols.
     *
     * Normally, there are three types of single logout to be supported:
     * - logout single session (specified by userSession parameter)
     * - logout a list of sessions (specified by userSession parameter)
     * - logout all sessions for a specific user (specified by userID parameter)
     *
     * As a single instance of the implementation class will be used internally
     * in the SingleLogoutManager class, implementation of the method shall 
     * not maintain any states.
     *
     * @param userSession Set of user session objects (java.lang.Object) to be
     *     logged out.
     * @param userID Universal identifier of the user to be logged out.
     * @param request HTTP servlet request object of the request.
     * @param response HTTP servlet response object of the request.
     * @param isSOAPInitiated True means original single logout request is 
     *     initiated using SOAP binding, false means the original single logout 
     *     request is initiated using HTTP binding.
     * @param isIDPInitiated True means this is identity provider initiated
     *     single logout, false means this is service provider initiated single
     *     logout.
     * @param protocol The protocol of the original single logout. 
     *     Possible values for this parameter:
     *          SAML2  - single logout initiated using SAMLv2 protocol
     *          IDFF   - single logout initiated using ID-FF protocol
     *          WS_FED - single logout initiated using WS-Federation protocol
     * @param realm Realm of the hosted entity.
     * @param idpEntityID <code>EntityID</code> of the hosted identity provider
     *      in the original Single Logout request.
     * @param spEntityID <code>EntityID</code> of the remote service provider
     *      in the original Single Logout request.
     * @param relayState A state information to be relayed back in response.
     * @param singleLogoutRequestXML Original single logout request in XML
     *      string.
     * @param singleLogoutResponseXML Logout response to be sent back to SP.
     *      This only applies to the case of SP initiated Single Logout; it will
     *      be null in case of IDP initiated single logout.
     * @param currentStatus Current logout status, this is the single logout 
     *      status for the federation protocol just processed.
     *      Possible values:
     *         <code>LOGOUT_SUCCEEDED_STATUS</code> - single logout succeeded.
     *         <code>LOGOUT_FAILED_STATUS</code>    - single logout failed.
     *         <code>LOGOUT_PARTIAL_STATUS</code>   - single logout partially 
     *                                                succeeded.
     * @return accumulative status of single logout for all protocols 
     *      processed so far, or status indicating the logout request has been
     *      redirected for processing. Possible values:
     *         <code>LOGOUT_SUCCEEDED_STATUS</code> - single logout succeeded.
     *         <code>LOGOUT_FAILED_STATUS</code>    - single logout failed.
     *         <code>LOGOUT_PARTIAL_STATUS</code>   - single logout partially 
     *                                                succeeded.
     *         <code>LOGOUT_REDIRECTED_STATUS</code> - single logout request 
     *                                                redirected.
     *         <code>LOGOUT_NO_ACTION_STATUS</code>  - single logout not
     *                                                 performed.
     * @exception Exception if error occurs when processing the protocol.
     */
public int doIDPSingleLogout(Set userSession, String userID, HttpServletRequest request, HttpServletResponse response, boolean isSOAPInitiated, boolean isIDPInitiated, String protocol, String realm, String idpEntityID, String spEntityID, String relayState, String singleLogoutRequestXML, String singleLogoutResponseXML, int currentStatus) throws Exception {
    if (relayState == null) {
        relayState = EMPTY_STRING;
    }
    if ((protocolList.isEmpty())) {
        // no handler configured, just return
        debug.message("SingleLogoutManager.doIDPSingleLogour : no handler");
        return LOGOUT_NO_ACTION_STATUS;
    }
    // the incoming relayState could be the original relayState or the
    // generated relayStateString in this format:
    // <proto>://<host>:<port>/<uri>/multiprotocolrelay/<40-byte-hex-string>
    // or just <40-byte-hex-string>
    String tmpRelayState = relayState;
    if (!relayStateMap.containsKey(relayState)) {
        tmpRelayState = getShortRelayState(relayState);
        if ((tmpRelayState != null) && !relayStateMap.containsKey(tmpRelayState)) {
            tmpRelayState = null;
        }
    }
    if (debug.messageEnabled()) {
        debug.message("SingleLogoutManager.doIDPSLO: userID=" + userID + ", protocol=" + protocol + ", relay=" + relayState + ", hex relay=" + tmpRelayState);
    }
    if (tmpRelayState == null) {
        // this is the first time the doIDPSingleLogout called, save params
        tmpRelayState = saveParameters(userSession, userID, isSOAPInitiated, isIDPInitiated, protocol, realm, idpEntityID, spEntityID, relayState, singleLogoutRequestXML, singleLogoutResponseXML, currentStatus);
        // replace relaystate with multi-protocol relay state servlet
        relayState = getRelayStateURL(request, tmpRelayState);
        if (debug.messageEnabled()) {
            debug.message("SingleLogoutManager.doIDPSingleLogout : save " + tmpRelayState + ", new relayState=" + relayState);
        }
    } else {
        // update existing entry status
        updateStatus(tmpRelayState, currentStatus);
        if (tmpRelayState.equals(relayState)) {
            relayState = getRelayStateURL(request, tmpRelayState);
        }
        if (debug.messageEnabled()) {
            debug.message("SingleLogoutManager.doIDPSingleLogout : read " + tmpRelayState + ", nu relayState=" + relayState);
        }
    }
    List list = (List) protocolListMap.get(tmpRelayState);
    if ((list == null) || list.isEmpty()) {
        return ((Integer) currentStatusMap.get(tmpRelayState)).intValue();
    } else {
        while (!list.isEmpty()) {
            String proto = (String) list.remove(0);
            SingleLogoutHandler handler = (SingleLogoutHandler) handlerMap.get(proto);
            if (handler == null) {
                debug.error("SingleLogoutManager.doIDPSingleLogout: " + "no handler for protocol " + proto);
                continue;
            }
            if (debug.messageEnabled()) {
                debug.message("SingleLogoutManager.doIDPSingleLogout: " + " handle protocol " + proto);
            }
            userSession = (Set) userSessionMap.get(tmpRelayState);
            userID = (String) userIDMap.get(tmpRelayState);
            isSOAPInitiated = ((Boolean) isSOAPInitiatedMap.get(tmpRelayState)).booleanValue();
            isIDPInitiated = ((Boolean) isIDPInitiatedMap.get(tmpRelayState)).booleanValue();
            protocol = (String) origProtocolMap.get(tmpRelayState);
            realm = (String) realmMap.get(tmpRelayState);
            idpEntityID = (String) idpEntityIDMap.get(tmpRelayState);
            spEntityID = (String) spEntityIDMap.get(tmpRelayState);
            singleLogoutRequestXML = (String) sloRequestXMLMap.get(tmpRelayState);
            currentStatus = ((Integer) currentStatusMap.get(tmpRelayState)).intValue();
            int status = SingleLogoutManager.LOGOUT_SUCCEEDED_STATUS;
            try {
                status = handler.doIDPSingleLogout(userSession, userID, request, response, isSOAPInitiated, isIDPInitiated, protocol, realm, idpEntityID, spEntityID, relayState, singleLogoutRequestXML, singleLogoutResponseXML, currentStatus);
                if (debug.messageEnabled()) {
                    debug.message("SingleLogoutManager.doIDPSingleLogout: " + " logout status = " + status + " for " + proto);
                }
            } catch (Exception ex) {
                debug.error("SingleLogoutManager.doIDPSingleLogout: error" + " for protocol " + proto, ex);
                status = SingleLogoutManager.LOGOUT_FAILED_STATUS;
            }
            if (status == LOGOUT_REDIRECTED_STATUS) {
                return status;
            } else {
                updateStatus(tmpRelayState, status);
            }
        }
        int retVal = ((Integer) currentStatusMap.get(tmpRelayState)).intValue();
        if (isSOAPInitiated) {
            cleanupParameters(tmpRelayState);
        }
        return retVal;
    }
}
Also used : ArrayList(java.util.ArrayList) List(java.util.List) SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException) SAMLException(com.sun.identity.saml.common.SAMLException) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) ConfigurationException(com.sun.identity.plugin.configuration.ConfigurationException) IOException(java.io.IOException) FSMsgException(com.sun.identity.federation.message.common.FSMsgException) SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)

Example 20 with Status

Use of com.sun.identity.saml2.protocol.Status in project OpenAM by OpenRock.

The class ResponseImpl, method parseElement.

private void parseElement(Element element) throws SAML2Exception {
    // make sure that the input xml block is not null
    if (element == null) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("ResponseImpl.parseElement: " + "element input is null.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
    }
    // Make sure this is a Response.
    String tag = null;
    tag = element.getLocalName();
    if ((tag == null) || (!tag.equals("Response"))) {
        if (SAML2SDKUtils.debug.messageEnabled()) {
            SAML2SDKUtils.debug.message("ResponseImpl.parseElement: " + "not Response.");
        }
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("wrongInput"));
    }
    // handle the attributes of <Response> element
    NamedNodeMap atts = ((Node) element).getAttributes();
    if (atts != null) {
        int length = atts.getLength();
        for (int i = 0; i < length; i++) {
            Attr attr = (Attr) atts.item(i);
            String attrName = attr.getName();
            String attrValue = attr.getValue().trim();
            if (attrName.equals("ID")) {
                responseId = attrValue;
            } else if (attrName.equals("InResponseTo")) {
                inResponseTo = attrValue;
            } else if (attrName.equals("Version")) {
                version = attrValue;
            } else if (attrName.equals("IssueInstant")) {
                try {
                    issueInstant = DateUtils.stringToDate(attrValue);
                } catch (ParseException pe) {
                    throw new SAML2Exception(pe.getMessage());
                }
            } else if (attrName.equals("Destination")) {
                destination = attrValue;
            } else if (attrName.equals("Consent")) {
                consent = attrValue;
            }
        }
    }
    // handle child elements
    NodeList nl = element.getChildNodes();
    Node child;
    String childName;
    int length = nl.getLength();
    for (int i = 0; i < length; i++) {
        child = nl.item(i);
        if ((childName = child.getLocalName()) != null) {
            if (childName.equals("Issuer")) {
                if (issuer != null) {
                    if (SAML2SDKUtils.debug.messageEnabled()) {
                        SAML2SDKUtils.debug.message("ResponseImpl.parse" + "Element: included more than one Issuer.");
                    }
                    throw new SAML2Exception(SAML2SDKUtils.bundle.getString("moreElement"));
                }
                if (signatureString != null || extensions != null || status != null || assertions != null || encAssertions != null) {
                    if (SAML2SDKUtils.debug.messageEnabled()) {
                        SAML2SDKUtils.debug.message("ResponseImpl.parse" + "Element:wrong sequence.");
                    }
                    throw new SAML2Exception(SAML2SDKUtils.bundle.getString("schemaViolation"));
                }
                issuer = AssertionFactory.getInstance().createIssuer((Element) child);
            } else if (childName.equals("Signature")) {
                if (signatureString != null) {
                    if (SAML2SDKUtils.debug.messageEnabled()) {
                        SAML2SDKUtils.debug.message("ResponseImpl.parse" + "Element:included more than one Signature.");
                    }
                    throw new SAML2Exception(SAML2SDKUtils.bundle.getString("moreElement"));
                }
                if (extensions != null || status != null || assertions != null || encAssertions != null) {
                    if (SAML2SDKUtils.debug.messageEnabled()) {
                        SAML2SDKUtils.debug.message("ResponseImpl.parse" + "Element:wrong sequence.");
                    }
                    throw new SAML2Exception(SAML2SDKUtils.bundle.getString("schemaViolation"));
                }
                signatureString = XMLUtils.print((Element) child, "UTF-8");
                isSigned = true;
            } else if (childName.equals("Extensions")) {
                if (extensions != null) {
                    if (SAML2SDKUtils.debug.messageEnabled()) {
                        SAML2SDKUtils.debug.message("ResponseImpl.parse" + "Element:included more than one Extensions.");
                    }
                    throw new SAML2Exception(SAML2SDKUtils.bundle.getString("moreElement"));
                }
                if (status != null || assertions != null || encAssertions != null) {
                    if (SAML2SDKUtils.debug.messageEnabled()) {
                        SAML2SDKUtils.debug.message("ResponseImpl.parse" + "Element:wrong sequence.");
                    }
                    throw new SAML2Exception(SAML2SDKUtils.bundle.getString("schemaViolation"));
                }
                extensions = ProtocolFactory.getInstance().createExtensions((Element) child);
            } else if (childName.equals("Status")) {
                if (status != null) {
                    if (SAML2SDKUtils.debug.messageEnabled()) {
                        SAML2SDKUtils.debug.message("ResponseImpl.parse" + "Element: included more than one Status.");
                    }
                    throw new SAML2Exception(SAML2SDKUtils.bundle.getString("moreElement"));
                }
                if (assertions != null || encAssertions != null) {
                    if (SAML2SDKUtils.debug.messageEnabled()) {
                        SAML2SDKUtils.debug.message("ResponseImpl.parse" + "Element:wrong sequence.");
                    }
                    throw new SAML2Exception(SAML2SDKUtils.bundle.getString("schemaViolation"));
                }
                status = ProtocolFactory.getInstance().createStatus((Element) child);
            } else if (childName.equals("Assertion")) {
                if (assertions == null) {
                    assertions = new ArrayList();
                }
                Element canoEle = SAMLUtils.getCanonicalElement(child);
                if (canoEle == null) {
                    throw new SAML2Exception(SAML2SDKUtils.bundle.getString("errorCanonical"));
                }
                assertions.add(AssertionFactory.getInstance().createAssertion(canoEle));
            } else if (childName.equals("EncryptedAssertion")) {
                if (encAssertions == null) {
                    encAssertions = new ArrayList();
                }
                encAssertions.add(AssertionFactory.getInstance().createEncryptedAssertion((Element) child));
            } else {
                if (SAML2SDKUtils.debug.messageEnabled()) {
                    SAML2SDKUtils.debug.message("ResponseImpl.parse" + "Element: Invalid element:" + childName);
                }
                throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidElement"));
            }
        }
    }
    super.validateData();
    if (assertions != null) {
        Iterator iter = assertions.iterator();
        while (iter.hasNext()) {
            ((Assertion) iter.next()).makeImmutable();
        }
        assertions = Collections.unmodifiableList(assertions);
    }
    if (encAssertions != null) {
        encAssertions = Collections.unmodifiableList(encAssertions);
    }
    isMutable = false;
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) NamedNodeMap(org.w3c.dom.NamedNodeMap) Node(org.w3c.dom.Node) NodeList(org.w3c.dom.NodeList) Element(org.w3c.dom.Element) ArrayList(java.util.ArrayList) Iterator(java.util.Iterator) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) Assertion(com.sun.identity.saml2.assertion.Assertion) ParseException(java.text.ParseException) Attr(org.w3c.dom.Attr)

Aggregations

SAML2Exception (com.sun.identity.saml2.common.SAML2Exception) 27
Status (com.sun.identity.saml2.protocol.Status) 16
List (java.util.List) 16
ArrayList (java.util.ArrayList) 11
Date (java.util.Date) 11
Element (org.w3c.dom.Element) 11
SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException) 10
Issuer (com.sun.identity.saml2.assertion.Issuer) 9
IOException (java.io.IOException) 9
SessionException (com.sun.identity.plugin.session.SessionException) 8
ProtocolFactory (com.sun.identity.saml2.protocol.ProtocolFactory) 8
Iterator (java.util.Iterator) 8
SAML2TokenRepositoryException (org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException) 8
Response (com.sun.identity.saml2.protocol.Response) 7
StatusCode (com.sun.identity.saml2.protocol.StatusCode) 7
HttpServletResponse (javax.servlet.http.HttpServletResponse) 7
Assertion (com.sun.identity.saml2.assertion.Assertion) 6
LogoutResponse (com.sun.identity.saml2.protocol.LogoutResponse) 6
Node (org.w3c.dom.Node) 6
NodeList (org.w3c.dom.NodeList) 6