Example 6 with SPSSOConfigElement

Use of com.sun.identity.wsfederation.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.

From class WSFederationMetaManager, method isTrustedProvider:

/**
 * Determines whether two entities are in the same circle of trust
 * under the realm.
 *
 * @param realm The realm under which the entity resides.
 * @param federationId The ID of the entity whose SP or IDP configuration is looked up.
 * @param trustedEntityId The ID of the entity whose trust relationship is being checked.
 * @return true if the two entities share a circle of trust, false otherwise.
 * @throws WSFederationMetaException if unable to determine the trusted
 *         relationship.
 */
public boolean isTrustedProvider(String realm, String federationId, String trustedEntityId) throws WSFederationMetaException {
    boolean result = false;
    SPSSOConfigElement spconfig = getSPSSOConfig(realm, federationId);
    if (spconfig != null) {
        result = isSameCircleOfTrust(spconfig, realm, trustedEntityId);
    }
    if (result) {
        return true;
    }
    IDPSSOConfigElement idpconfig = getIDPSSOConfig(realm, federationId);
    if (idpconfig != null) {
        return (isSameCircleOfTrust(idpconfig, realm, trustedEntityId));
    }
    return false;
}

Example 7 with SPSSOConfigElement

Use of com.sun.identity.wsfederation.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.

From class WSFederationMetaManager, method getSPSSOConfig:

/**
 * Returns the first service provider's SSO configuration in an entity under
 * the realm.
 *
 * @param realm The realm under which the entity resides.
 * @param federationId ID of the entity to be retrieved.
 * @return <code>SPSSOConfigElement</code> for the entity or null if not
 *         found.
 * @throws WSFederationMetaException if unable to retrieve the first service
 *         provider's SSO configuration.
 */
public SPSSOConfigElement getSPSSOConfig(String realm, String federationId) throws WSFederationMetaException {
    FederationConfigElement eConfig = getEntityConfig(realm, federationId);
    if (eConfig == null) {
        return null;
    }
    List list = eConfig.getIDPSSOConfigOrSPSSOConfig();
    for (Iterator iter = list.iterator(); iter.hasNext(); ) {
        Object obj = iter.next();
        if (obj instanceof SPSSOConfigElement) {
            return (SPSSOConfigElement) obj;
        }
    }
    return null;
}

Example 8 with SPSSOConfigElement

Use of com.sun.identity.wsfederation.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.

From class RPSigninRequest, method process:

/**
 * Processes the sign-in request, redirecting the browser to the identity
 * provider via the HttpServletResponse passed to the constructor.
 */
public void process() throws WSFederationException, IOException {
    String classMethod = "RPSigninRequest.process: ";
    if (debug.messageEnabled()) {
        debug.message(classMethod + "entered method");
    }
    if (wctx == null || wctx.length() == 0) {
        // Exchange reply URL for opaque identifier
        wctx = (wreply != null && (wreply.length() > 0)) ? WSFederationUtils.putReplyURL(wreply) : null;
    }
    String spMetaAlias = WSFederationMetaUtils.getMetaAliasByUri(request.getRequestURI());
    if (spMetaAlias == null || spMetaAlias.length() == 0) {
        throw new WSFederationException(WSFederationUtils.bundle.getString("MetaAliasNotFound"));
    }
    String spRealm = SAML2MetaUtils.getRealmByMetaAlias(spMetaAlias);
    WSFederationMetaManager metaManager = WSFederationUtils.getMetaManager();
    String spEntityId = metaManager.getEntityByMetaAlias(spMetaAlias);
    if (spEntityId == null || spEntityId.length() == 0) {
        String[] args = { spMetaAlias, spRealm };
        throw new WSFederationException(WSFederationConstants.BUNDLE_NAME, "invalidMetaAlias", args);
    }
    SPSSOConfigElement spConfig = metaManager.getSPSSOConfig(spRealm, spEntityId);
    if (spConfig == null) {
        String[] args = { spEntityId, spRealm };
        throw new WSFederationException(WSFederationConstants.BUNDLE_NAME, "badSPEntityID", args);
    }
    Map<String, List<String>> spConfigAttributes = WSFederationMetaUtils.getAttributes(spConfig);
    String accountRealmSelection = spConfigAttributes.get(com.sun.identity.wsfederation.common.WSFederationConstants.ACCOUNT_REALM_SELECTION).get(0);
    if (accountRealmSelection == null) {
        accountRealmSelection = WSFederationConstants.ACCOUNT_REALM_SELECTION_DEFAULT;
    }
    String accountRealmCookieName = spConfigAttributes.get(WSFederationConstants.ACCOUNT_REALM_COOKIE_NAME).get(0);
    if (accountRealmCookieName == null) {
        accountRealmCookieName = WSFederationConstants.ACCOUNT_REALM_COOKIE_NAME_DEFAULT;
    }
    String homeRealmDiscoveryService = spConfigAttributes.get(WSFederationConstants.HOME_REALM_DISCOVERY_SERVICE).get(0);
    if (debug.messageEnabled()) {
        debug.message(classMethod + "account realm selection method is " + accountRealmSelection);
    }
    String idpIssuerName = null;
    if (whr != null && whr.length() > 0) {
        // whr parameter overrides other mechanisms...
        idpIssuerName = whr;
        if (accountRealmSelection.equals(WSFederationConstants.COOKIE)) {
            // ...and overwrites cookie
            Cookie cookie = new Cookie(accountRealmCookieName, whr);
            // Set cookie to persist for a year
            cookie.setMaxAge(60 * 60 * 24 * 365);
            CookieUtils.addCookieToResponse(response, cookie);
        }
    } else {
        if (accountRealmSelection.equals(WSFederationConstants.USERAGENT)) {
            String uaHeader = request.getHeader(WSFederationConstants.USERAGENT);
            if (debug.messageEnabled()) {
                debug.message(classMethod + "user-agent is :" + uaHeader);
            }
            idpIssuerName = WSFederationUtils.accountRealmFromUserAgent(uaHeader, accountRealmCookieName);
        } else if (accountRealmSelection.equals(WSFederationConstants.COOKIE)) {
            Cookie[] cookies = request.getCookies();
            if (cookies != null) {
                for (int i = 0; i < cookies.length; i++) {
                    if (cookies[i].getName().equals(accountRealmCookieName)) {
                        idpIssuerName = cookies[i].getValue();
                        break;
                    }
                }
            }
        } else {
            debug.error(classMethod + "unexpected value for " + WSFederationConstants.ACCOUNT_REALM_SELECTION + " : " + accountRealmSelection);
            throw new WSFederationException(WSFederationUtils.bundle.getString("badAccountRealm"));
        }
    }
    FederationElement sp = metaManager.getEntityDescriptor(spRealm, spEntityId);
    String spIssuerName = metaManager.getTokenIssuerName(sp);
    if (debug.messageEnabled()) {
        debug.message(classMethod + "SP issuer name:" + spIssuerName);
    }
    String idpEntityId = null;
    if (idpIssuerName != null && idpIssuerName.length() > 0) {
        // Got the issuer name from the cookie/UA string - let's see if 
        // we know the entity ID
        idpEntityId = metaManager.getEntityByTokenIssuerName(null, idpIssuerName);
    }
    if (idpEntityId == null) {
        // See if there is only one trusted IdP configured...
        List<String> allRemoteIdPs = metaManager.getAllRemoteIdentityProviderEntities(spRealm);
        ArrayList<String> trustedRemoteIdPs = new ArrayList<String>();
        for (String idp : allRemoteIdPs) {
            if (metaManager.isTrustedProvider(spRealm, spEntityId, idp)) {
                trustedRemoteIdPs.add(idp);
            }
        }
        if (trustedRemoteIdPs.size() == 0) {
            // Misconfiguration!
            throw new WSFederationException(WSFederationUtils.bundle.getString("noIDPConfigured"));
        } else if (trustedRemoteIdPs.size() == 1) {
            idpEntityId = trustedRemoteIdPs.get(0);
        }
    }
    FederationElement idp = null;
    if (idpEntityId != null) {
        idp = metaManager.getEntityDescriptor(null, idpEntityId);
    }
    // Set LB cookie here so it's done regardless of which redirect happens
    // We want response to come back to this instance
    WSFederationUtils.sessionProvider.setLoadBalancerCookie(request, response);
    // If we still don't know the IdP, redirect to home realm discovery
    if (idp == null) {
        StringBuffer url = new StringBuffer(homeRealmDiscoveryService);
        url.append("?wreply=");
        url.append(URLEncDec.encode(request.getRequestURL().toString()));
        if (wctx != null) {
            url.append("&wctx=");
            url.append(URLEncDec.encode(wctx));
        }
        if (debug.messageEnabled()) {
            debug.message(classMethod + "no account realm - redirecting to :" + url);
        }
        response.sendRedirect(url.toString());
        return;
    }
    if (debug.messageEnabled()) {
        debug.message(classMethod + "account realm:" + idpEntityId);
    }
    String endpoint = metaManager.getTokenIssuerEndpoint(idp);
    if (debug.messageEnabled()) {
        debug.message(classMethod + "endpoint:" + endpoint);
    }
    String replyURL = metaManager.getTokenIssuerEndpoint(sp);
    if (debug.messageEnabled()) {
        debug.message(classMethod + "replyURL:" + replyURL);
    }
    StringBuffer url = new StringBuffer(endpoint);
    url.append("?wa=");
    url.append(URLEncDec.encode(WSFederationConstants.WSIGNIN10));
    if (wctx != null) {
        url.append("&wctx=");
        url.append(URLEncDec.encode(wctx));
    }
    url.append("&wreply=");
    url.append(URLEncDec.encode(replyURL));
    url.append("&wct=");
    url.append(URLEncDec.encode(DateUtils.toUTCDateFormat(new Date())));
    url.append("&wtrealm=");
    url.append(URLEncDec.encode(spIssuerName));
    if (debug.messageEnabled()) {
        debug.message(classMethod + "Redirecting to:" + url);
    }
    response.sendRedirect(url.toString());
}

Example 9 with SPSSOConfigElement

Use of com.sun.identity.wsfederation.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.

From class RPSigninResponse, method process:

/**
 * Processes the sign-in response, redirecting the browser to the wreply URL
 * supplied in the sign-in request via the HttpServletResponse passed to
 * the constructor.
 */
public void process() throws WSFederationException, IOException {
    String classMethod = "RPSigninResponse.process: ";
    if ((wresult == null) || (wresult.length() == 0)) {
        String[] data = { request.getQueryString() };
        LogUtil.error(Level.INFO, LogUtil.MISSING_WRESULT, data, null);
        throw new WSFederationException(WSFederationUtils.bundle.getString("nullWresult"));
    }
    RequestSecurityTokenResponse rstr = null;
    try {
        rstr = RequestSecurityTokenResponse.parseXML(wresult);
    } catch (WSFederationException wsfe) {
        String[] data = { wresult };
        LogUtil.error(Level.INFO, LogUtil.INVALID_WRESULT, data, null);
        throw new WSFederationException(WSFederationUtils.bundle.getString("invalidWresult"));
    }
    if (debug.messageEnabled()) {
        debug.message(classMethod + "Received RSTR: " + rstr.toString());
    }
    String realm = null;
    String requestURL = request.getRequestURL().toString();
    // get entity id and orgName
    String metaAlias = WSFederationMetaUtils.getMetaAliasByUri(requestURL);
    realm = WSFederationMetaUtils.getRealmByMetaAlias(metaAlias);
    WSFederationMetaManager metaManager = WSFederationUtils.getMetaManager();
    String spEntityId = null;
    try {
        spEntityId = metaManager.getEntityByMetaAlias(metaAlias);
    } catch (WSFederationException wsfe) {
        String[] data = { wsfe.getLocalizedMessage(), metaAlias, realm };
        LogUtil.error(Level.INFO, LogUtil.CONFIG_ERROR_GET_ENTITY_CONFIG, data, null);
        String[] args = { metaAlias, realm };
        throw new WSFederationException(WSFederationConstants.BUNDLE_NAME, "invalidMetaAlias", args);
    }
    if (realm == null || realm.length() == 0) {
        realm = "/";
    }
    SPSSOConfigElement spssoconfig = metaManager.getSPSSOConfig(realm, spEntityId);
    int timeskew = SAML2Constants.ASSERTION_TIME_SKEW_DEFAULT;
    String timeskewStr = WSFederationMetaUtils.getAttribute(spssoconfig, SAML2Constants.ASSERTION_TIME_SKEW);
    if (timeskewStr != null && timeskewStr.trim().length() > 0) {
        timeskew = Integer.parseInt(timeskewStr);
        if (timeskew < 0) {
            timeskew = SAML2Constants.ASSERTION_TIME_SKEW_DEFAULT;
        }
    }
    if (debug.messageEnabled()) {
        debug.message(classMethod + "timeskew = " + timeskew);
    }
    // Subject, SOAPEntry for the partner and the List of Assertions.
    if (debug.messageEnabled()) {
        debug.message(classMethod + " - verifying assertion");
    }
    // verifyToken will throw an exception, rather than return null, so we
    // need not test the return value
    Map<String, Object> smap = rstr.getRequestedSecurityToken().verifyToken(realm, spEntityId, timeskew);
    assert smap != null;
    Map attributes = WSFederationMetaUtils.getAttributes(spssoconfig);
    SPAccountMapper acctMapper = getSPAccountMapper(attributes);
    SPAttributeMapper attrMapper = getSPAttributeMapper(attributes);
    String userName = acctMapper.getIdentity(rstr, spEntityId, realm);
    if (userName == null) {
        throw new WSFederationException(WSFederationUtils.bundle.getString("nullUserID"));
    }
    String idpEntityId = metaManager.getEntityByTokenIssuerName(realm, rstr.getRequestedSecurityToken().getIssuer());
    List attrs = rstr.getRequestedSecurityToken().getAttributes();
    Map attrMap = null;
    if (attrs != null) {
        attrMap = attrMapper.getAttributes(attrs, userName, spEntityId, idpEntityId, realm);
    }
    String authLevel = smap.get(SAML2Constants.AUTH_LEVEL).toString();
    // Set up Attributes for session creation
    Map sessionInfoMap = new HashMap();
    sessionInfoMap.put(SessionProvider.REALM, realm);
    sessionInfoMap.put(SessionProvider.PRINCIPAL_NAME, userName);
    sessionInfoMap.put(SessionProvider.AUTH_LEVEL, authLevel);
    Object session = null;
    try {
        SessionProvider sessionProvider = SessionManager.getProvider();
        session = sessionProvider.createSession(sessionInfoMap, request, response, null);
        SPACSUtils.setAttrMapInSession(sessionProvider, attrMap, session);
        String[] idpArray = { idpEntityId };
        sessionProvider.setProperty(session, WSFederationConstants.SESSION_IDP, idpArray);
        RequestedSecurityToken rst = rstr.getRequestedSecurityToken();
        if (isAssertionCacheEnabled(spssoconfig)) {
            String tokenID = rst.getTokenId();
            String[] assertionID = { tokenID };
            sessionProvider.setProperty(session, "AssertionID", assertionID);
            SPCache.assertionByIDCache.put(tokenID, rst.toString());
        }
    } catch (SessionException se) {
        String[] data = { se.getLocalizedMessage(), realm, userName, authLevel };
        LogUtil.error(Level.INFO, LogUtil.CANT_CREATE_SESSION, data, null);
        throw new WSFederationException(se);
    }
    String target = null;
    if (wctx != null) {
        target = WSFederationUtils.removeReplyURL(wctx);
    } else {
        target = WSFederationMetaUtils.getAttribute(spssoconfig, SAML2Constants.DEFAULT_RELAY_STATE);
    }
    String[] data = { wctx, LogUtil.isErrorLoggable(Level.FINER) ? wresult : rstr.getRequestedSecurityToken().getTokenId(), realm, userName, authLevel, target };
    LogUtil.access(Level.INFO, LogUtil.SSO_SUCCESSFUL, data, session);
    if (target == null) {
        // What to do? There was no wreply URL specified, and there is no
        // default target configured
        PrintWriter pw = response.getWriter();
        pw.println("Logged in");
        return;
    }
    response.sendRedirect(target);
}

Example 10 with SPSSOConfigElement

Use of com.sun.identity.wsfederation.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.

From class WSFedPropertiesModelImpl, method getServiceProviderAttributes:

/**
 * Returns a map with service provider attributes and values.
 *
 * @param realm The realm to which the entity belongs.
 * @param fedId The Federation Id, otherwise known as the entity id.
 * @return attribute values of the SP based on the realm and fedId passed.
 * @throws AMConsoleException if unable to retrieve the Service Provider
 *     attributes based on the realm and fedId passed.
 */
public Map getServiceProviderAttributes(String realm, String fedId) throws AMConsoleException {
    Map SPAttributes = null;
    try {
        WSFederationMetaManager metaManager = getWSFederationMetaManager();
        SPSSOConfigElement spconfig = metaManager.getSPSSOConfig(realm, fedId);
        if (spconfig != null) {
            SPAttributes = WSFederationMetaUtils.getAttributes(spconfig);
        }
    } catch (WSFederationMetaException e) {
        debug.warning("WSFedPropertiesModelImpl.getServiceProviderAttributes", e);
        throw new AMConsoleException(getErrorString(e));
    }
    return (SPAttributes != null) ? SPAttributes : Collections.EMPTY_MAP;
}