use of com.sun.identity.wsfederation.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.
the class WSFederationMetaManager method isTrustedProvider.
/**
 * Determines whether two entities are in the same circle of trust
 * under the realm.
 *
 * The entity identified by {@code federationId} is first checked through
 * its service provider configuration; if that does not establish trust
 * (or the entity has no SP configuration) its identity provider
 * configuration is checked instead.
 *
 * @param realm The realm under which the entity resides.
 * @param federationId The ID of the entity whose configuration is checked.
 * @param trustedEntityId The ID of the entity it must share a circle of
 *        trust with.
 * @return {@code true} if the SP or IDP configuration of the entity places
 *         it in the same circle of trust as {@code trustedEntityId};
 *         {@code false} if neither configuration exists or matches.
 * @throws WSFederationMetaException if unable to determine the trusted
 *         relationship.
 */
public boolean isTrustedProvider(String realm, String federationId, String trustedEntityId) throws WSFederationMetaException {
    // Service provider configuration is consulted first.
    SPSSOConfigElement spConfig = getSPSSOConfig(realm, federationId);
    if (spConfig != null && isSameCircleOfTrust(spConfig, realm, trustedEntityId)) {
        return true;
    }
    // Otherwise fall back to the identity provider configuration, if any.
    IDPSSOConfigElement idpConfig = getIDPSSOConfig(realm, federationId);
    return idpConfig != null && isSameCircleOfTrust(idpConfig, realm, trustedEntityId);
}
use of com.sun.identity.wsfederation.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.
the class WSFederationMetaManager method getSPSSOConfig.
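/**
 * Returns the first service provider's SSO configuration in an entity under
 * the realm.
 *
 * @param realm The realm under which the entity resides.
 * @param federationId ID of the entity to be retrieved.
 * @return <code>SPSSOConfigElement</code> for the entity, or null if the
 *         entity has no configuration or no service provider entry.
 * @throws WSFederationMetaException if unable to retrieve the first service
 *         provider's SSO configuration.
 */
public SPSSOConfigElement getSPSSOConfig(String realm, String federationId) throws WSFederationMetaException {
    FederationConfigElement entityConfig = getEntityConfig(realm, federationId);
    if (entityConfig == null) {
        return null;
    }
    // The role list mixes IDP and SP configuration elements; the first SP
    // entry wins. A missing or empty list simply yields null.
    List<?> roleConfigs = entityConfig.getIDPSSOConfigOrSPSSOConfig();
    if (roleConfigs == null) {
        return null;
    }
    for (Object roleConfig : roleConfigs) {
        if (roleConfig instanceof SPSSOConfigElement) {
            return (SPSSOConfigElement) roleConfig;
        }
    }
    return null;
}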
use of com.sun.identity.wsfederation.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.
the class RPSigninRequest method process.
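/**
 * Processes the sign-in request, redirecting the browser to the identity
 * provider via the HttpServletResponse passed to the constructor.
 *
 * The identity provider is chosen, in order of precedence, from the
 * {@code whr} parameter, the configured account realm selection mechanism
 * (user agent or cookie), or the single trusted remote IdP when exactly one
 * is configured. When no IdP can be determined the browser is redirected to
 * the home realm discovery service instead.
 *
 * @throws WSFederationException if the request does not map onto a
 *         configured service provider, the account realm selection setting
 *         is unrecognised, no trusted IdP is configured, or no IdP could be
 *         determined and no home realm discovery service is configured.
 * @throws IOException if the redirect cannot be written to the response.
 */
public void process() throws WSFederationException, IOException {
    String classMethod = "RPSigninRequest.process: ";
    if (debug.messageEnabled()) {
        debug.message(classMethod + "entered method");
    }
    if (wctx == null || wctx.length() == 0) {
        // Exchange reply URL for opaque identifier.
        // NOTE(review): wreply is caller-supplied and is later used as the
        // post-sign-in redirect target; no allow-list check is visible in
        // this method - confirm it is validated before it is stored.
        wctx = (wreply == null || wreply.length() == 0) ? null : WSFederationUtils.putReplyURL(wreply);
    }
    String spMetaAlias = WSFederationMetaUtils.getMetaAliasByUri(request.getRequestURI());
    if (spMetaAlias == null || spMetaAlias.length() == 0) {
        throw new WSFederationException(WSFederationUtils.bundle.getString("MetaAliasNotFound"));
    }
    String spRealm = SAML2MetaUtils.getRealmByMetaAlias(spMetaAlias);
    WSFederationMetaManager metaManager = WSFederationUtils.getMetaManager();
    String spEntityId = metaManager.getEntityByMetaAlias(spMetaAlias);
    if (spEntityId == null || spEntityId.length() == 0) {
        String[] args = { spMetaAlias, spRealm };
        throw new WSFederationException(WSFederationConstants.BUNDLE_NAME, "invalidMetaAlias", args);
    }
    SPSSOConfigElement spConfig = metaManager.getSPSSOConfig(spRealm, spEntityId);
    if (spConfig == null) {
        String[] args = { spEntityId, spRealm };
        throw new WSFederationException(WSFederationConstants.BUNDLE_NAME, "badSPEntityID", args);
    }
    Map<String, List<String>> spConfigAttributes = WSFederationMetaUtils.getAttributes(spConfig);
    // firstValue() yields null for an absent or empty attribute, so the
    // defaults below also cover an unconfigured attribute (the previous
    // get(key).get(0) chain threw NullPointerException in that case).
    String accountRealmSelection = firstValue(spConfigAttributes, com.sun.identity.wsfederation.common.WSFederationConstants.ACCOUNT_REALM_SELECTION);
    if (accountRealmSelection == null) {
        accountRealmSelection = WSFederationConstants.ACCOUNT_REALM_SELECTION_DEFAULT;
    }
    String accountRealmCookieName = firstValue(spConfigAttributes, WSFederationConstants.ACCOUNT_REALM_COOKIE_NAME);
    if (accountRealmCookieName == null) {
        accountRealmCookieName = WSFederationConstants.ACCOUNT_REALM_COOKIE_NAME_DEFAULT;
    }
    String homeRealmDiscoveryService = firstValue(spConfigAttributes, WSFederationConstants.HOME_REALM_DISCOVERY_SERVICE);
    if (debug.messageEnabled()) {
        debug.message(classMethod + "account realm selection method is " + accountRealmSelection);
    }
    String idpIssuerName = resolveIdpIssuerName(classMethod, accountRealmSelection, accountRealmCookieName);
    FederationElement sp = metaManager.getEntityDescriptor(spRealm, spEntityId);
    String spIssuerName = metaManager.getTokenIssuerName(sp);
    if (debug.messageEnabled()) {
        debug.message(classMethod + "SP issuer name:" + spIssuerName);
    }
    String idpEntityId = null;
    if (idpIssuerName != null && idpIssuerName.length() > 0) {
        // Got an issuer name from whr / cookie / UA string - see whether the
        // entity ID for it is known.
        idpEntityId = metaManager.getEntityByTokenIssuerName(null, idpIssuerName);
    }
    if (idpEntityId == null) {
        // Fall back to the single trusted IdP, if exactly one is configured.
        List<String> allRemoteIdPs = metaManager.getAllRemoteIdentityProviderEntities(spRealm);
        List<String> trustedRemoteIdPs = new ArrayList<String>();
        for (String idp : allRemoteIdPs) {
            if (metaManager.isTrustedProvider(spRealm, spEntityId, idp)) {
                trustedRemoteIdPs.add(idp);
            }
        }
        if (trustedRemoteIdPs.isEmpty()) {
            // Misconfiguration: there is no trusted IdP at all.
            throw new WSFederationException(WSFederationUtils.bundle.getString("noIDPConfigured"));
        }
        if (trustedRemoteIdPs.size() == 1) {
            idpEntityId = trustedRemoteIdPs.get(0);
        }
        // With several trusted IdPs idpEntityId stays null and home realm
        // discovery decides.
    }
    FederationElement idp = null;
    if (idpEntityId != null) {
        idp = metaManager.getEntityDescriptor(null, idpEntityId);
    }
    // Set LB cookie here so it's done regardless of which redirect happens;
    // we want the response to come back to this instance.
    WSFederationUtils.sessionProvider.setLoadBalancerCookie(request, response);
    // If we still don't know the IdP, redirect to home realm discovery.
    if (idp == null) {
        if (homeRealmDiscoveryService == null) {
            // Previously this fell into new StringBuffer((String) null) and
            // surfaced as a NullPointerException.
            debug.error(classMethod + "no IdP determined and " + WSFederationConstants.HOME_REALM_DISCOVERY_SERVICE + " is not configured for " + spEntityId);
            throw new WSFederationException("Home realm discovery service is not configured for " + spEntityId);
        }
        StringBuilder url = new StringBuilder(homeRealmDiscoveryService);
        url.append("?wreply=");
        url.append(URLEncDec.encode(request.getRequestURL().toString()));
        if (wctx != null) {
            url.append("&wctx=");
            url.append(URLEncDec.encode(wctx));
        }
        if (debug.messageEnabled()) {
            debug.message(classMethod + "no account realm - redirecting to :" + url);
        }
        response.sendRedirect(url.toString());
        return;
    }
    if (debug.messageEnabled()) {
        debug.message(classMethod + "account realm:" + idpEntityId);
    }
    String endpoint = metaManager.getTokenIssuerEndpoint(idp);
    if (debug.messageEnabled()) {
        debug.message(classMethod + "endpoint:" + endpoint);
    }
    String replyURL = metaManager.getTokenIssuerEndpoint(sp);
    if (debug.messageEnabled()) {
        debug.message(classMethod + "replyURL:" + replyURL);
    }
    StringBuilder url = new StringBuilder(endpoint);
    url.append("?wa=");
    url.append(URLEncDec.encode(WSFederationConstants.WSIGNIN10));
    if (wctx != null) {
        url.append("&wctx=");
        url.append(URLEncDec.encode(wctx));
    }
    url.append("&wreply=");
    url.append(URLEncDec.encode(replyURL));
    url.append("&wct=");
    url.append(URLEncDec.encode(DateUtils.toUTCDateFormat(new Date())));
    url.append("&wtrealm=");
    url.append(URLEncDec.encode(spIssuerName));
    if (debug.messageEnabled()) {
        debug.message(classMethod + "Redirecting to:" + url);
    }
    response.sendRedirect(url.toString());
}

/**
 * Works out the token issuer name of the IdP the user should be sent to.
 *
 * The {@code whr} request parameter wins when present (and, under cookie
 * selection, is persisted in the account realm cookie); otherwise the
 * configured selection mechanism is applied.
 *
 * @param classMethod log prefix of the calling method.
 * @param accountRealmSelection the configured selection mechanism, never null.
 * @param accountRealmCookieName name of the account realm cookie.
 * @return the issuer name, or null if no mechanism produced one.
 * @throws WSFederationException if {@code accountRealmSelection} is not a
 *         recognised mechanism.
 */
private String resolveIdpIssuerName(String classMethod, String accountRealmSelection, String accountRealmCookieName) throws WSFederationException {
    if (whr != null && whr.length() > 0) {
        // whr parameter overrides other mechanisms...
        if (accountRealmSelection.equals(WSFederationConstants.COOKIE)) {
            // ...and overwrites the cookie.
            Cookie cookie = new Cookie(accountRealmCookieName, whr);
            // Set cookie to persist for a year.
            cookie.setMaxAge(60 * 60 * 24 * 365);
            CookieUtils.addCookieToResponse(response, cookie);
        }
        return whr;
    }
    if (accountRealmSelection.equals(WSFederationConstants.USERAGENT)) {
        String uaHeader = request.getHeader(WSFederationConstants.USERAGENT);
        if (debug.messageEnabled()) {
            debug.message(classMethod + "user-agent is :" + uaHeader);
        }
        return WSFederationUtils.accountRealmFromUserAgent(uaHeader, accountRealmCookieName);
    }
    if (accountRealmSelection.equals(WSFederationConstants.COOKIE)) {
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                if (cookie.getName().equals(accountRealmCookieName)) {
                    return cookie.getValue();
                }
            }
        }
        return null;
    }
    debug.error(classMethod + "unexpected value for " + WSFederationConstants.ACCOUNT_REALM_SELECTION + " : " + accountRealmSelection);
    throw new WSFederationException(WSFederationUtils.bundle.getString("badAccountRealm"));
}

/**
 * Returns the first value of a multi-valued configuration attribute.
 *
 * @param attributes attribute name to values, as returned by
 *        WSFederationMetaUtils.getAttributes; may be null.
 * @param name the attribute to look up.
 * @return the first value, or null if the map is null or the attribute is
 *         absent or has no values.
 */
private static String firstValue(Map<String, List<String>> attributes, String name) {
    if (attributes == null) {
        return null;
    }
    List<String> values = attributes.get(name);
    return (values == null || values.isEmpty()) ? null : values.get(0);
}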
use of com.sun.identity.wsfederation.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.
the class RPSigninResponse method process.
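/**
 * Processes the sign-in response, redirecting the browser to the wreply URL
 * supplied in the sign-in request via the HttpServletResponse passed to
 * the constructor.
 *
 * The wresult token is parsed and verified against the service provider's
 * configuration, a local session is created for the mapped user, and the
 * browser is then redirected to the reply URL recorded under {@code wctx}
 * (or the SP's default relay state when no {@code wctx} was supplied).
 *
 * @throws WSFederationException if wresult is missing or invalid, the
 *         request does not map onto a configured service provider, the
 *         token does not yield a user identity, or the session cannot be
 *         created.
 * @throws IOException if the response cannot be written.
 */
public void process() throws WSFederationException, IOException {
    String classMethod = "RPSigninResponse.process: ";
    if ((wresult == null) || (wresult.length() == 0)) {
        String[] data = { request.getQueryString() };
        LogUtil.error(Level.INFO, LogUtil.MISSING_WRESULT, data, null);
        throw new WSFederationException(WSFederationUtils.bundle.getString("nullWresult"));
    }
    RequestSecurityTokenResponse rstr;
    try {
        rstr = RequestSecurityTokenResponse.parseXML(wresult);
    } catch (WSFederationException wsfe) {
        // Keep the parse failure in the debug log; the exception thrown to
        // the caller carries only the localized message.
        debug.warning(classMethod + "unable to parse wresult", wsfe);
        String[] data = { wresult };
        LogUtil.error(Level.INFO, LogUtil.INVALID_WRESULT, data, null);
        throw new WSFederationException(WSFederationUtils.bundle.getString("invalidWresult"));
    }
    RequestedSecurityToken rst = rstr.getRequestedSecurityToken();
    if (debug.messageEnabled()) {
        debug.message(classMethod + "Received RSTR: " + rstr.toString());
    }
    String requestURL = request.getRequestURL().toString();
    // Get entity id and orgName from the request URL.
    String metaAlias = WSFederationMetaUtils.getMetaAliasByUri(requestURL);
    String realm = WSFederationMetaUtils.getRealmByMetaAlias(metaAlias);
    WSFederationMetaManager metaManager = WSFederationUtils.getMetaManager();
    String spEntityId;
    try {
        spEntityId = metaManager.getEntityByMetaAlias(metaAlias);
    } catch (WSFederationException wsfe) {
        String[] data = { wsfe.getLocalizedMessage(), metaAlias, realm };
        LogUtil.error(Level.INFO, LogUtil.CONFIG_ERROR_GET_ENTITY_CONFIG, data, null);
        String[] args = { metaAlias, realm };
        throw new WSFederationException(WSFederationConstants.BUNDLE_NAME, "invalidMetaAlias", args);
    }
    if (realm == null || realm.length() == 0) {
        realm = "/";
    }
    SPSSOConfigElement spssoconfig = metaManager.getSPSSOConfig(realm, spEntityId);
    if (spssoconfig == null) {
        // Same failure the sign-in request reports for an entity without an
        // SP role; previously this fell through to the attribute lookups.
        String[] args = { spEntityId, realm };
        throw new WSFederationException(WSFederationConstants.BUNDLE_NAME, "badSPEntityID", args);
    }
    int timeskew = parseTimeSkew(classMethod, WSFederationMetaUtils.getAttribute(spssoconfig, SAML2Constants.ASSERTION_TIME_SKEW));
    if (debug.messageEnabled()) {
        debug.message(classMethod + "timeskew = " + timeskew);
    }
    if (debug.messageEnabled()) {
        debug.message(classMethod + " - verifying assertion");
    }
    // verifyToken throws rather than returning null, so the result need not
    // be tested.
    Map<String, Object> smap = rst.verifyToken(realm, spEntityId, timeskew);
    assert smap != null;
    // The mapper signatures take the raw Map, so it is kept raw here.
    Map attributes = WSFederationMetaUtils.getAttributes(spssoconfig);
    SPAccountMapper acctMapper = getSPAccountMapper(attributes);
    SPAttributeMapper attrMapper = getSPAttributeMapper(attributes);
    String userName = acctMapper.getIdentity(rstr, spEntityId, realm);
    if (userName == null) {
        throw new WSFederationException(WSFederationUtils.bundle.getString("nullUserID"));
    }
    String idpEntityId = metaManager.getEntityByTokenIssuerName(realm, rst.getIssuer());
    List attrs = rst.getAttributes();
    Map attrMap = null;
    if (attrs != null) {
        attrMap = attrMapper.getAttributes(attrs, userName, spEntityId, idpEntityId, realm);
    }
    // NOTE(review): assumes verifyToken always populates AUTH_LEVEL - confirm,
    // as a missing entry would throw NullPointerException here.
    String authLevel = smap.get(SAML2Constants.AUTH_LEVEL).toString();
    // Set up attributes for session creation.
    Map sessionInfoMap = new HashMap();
    sessionInfoMap.put(SessionProvider.REALM, realm);
    sessionInfoMap.put(SessionProvider.PRINCIPAL_NAME, userName);
    sessionInfoMap.put(SessionProvider.AUTH_LEVEL, authLevel);
    Object session = null;
    try {
        SessionProvider sessionProvider = SessionManager.getProvider();
        session = sessionProvider.createSession(sessionInfoMap, request, response, null);
        SPACSUtils.setAttrMapInSession(sessionProvider, attrMap, session);
        String[] idpArray = { idpEntityId };
        sessionProvider.setProperty(session, WSFederationConstants.SESSION_IDP, idpArray);
        if (isAssertionCacheEnabled(spssoconfig)) {
            String tokenID = rst.getTokenId();
            String[] assertionID = { tokenID };
            sessionProvider.setProperty(session, "AssertionID", assertionID);
            SPCache.assertionByIDCache.put(tokenID, rst.toString());
        }
    } catch (SessionException se) {
        String[] data = { se.getLocalizedMessage(), realm, userName, authLevel };
        LogUtil.error(Level.INFO, LogUtil.CANT_CREATE_SESSION, data, null);
        throw new WSFederationException(se);
    }
    String target;
    if (wctx != null) {
        target = WSFederationUtils.removeReplyURL(wctx);
    } else {
        target = WSFederationMetaUtils.getAttribute(spssoconfig, SAML2Constants.DEFAULT_RELAY_STATE);
    }
    // NOTE(review): target originates from the wreply parameter of the
    // sign-in request; no check against the SP's permitted reply URLs is
    // visible in this class - confirm one is applied before the redirect.
    String[] data = { wctx, LogUtil.isErrorLoggable(Level.FINER) ? wresult : rst.getTokenId(), realm, userName, authLevel, target };
    LogUtil.access(Level.INFO, LogUtil.SSO_SUCCESSFUL, data, session);
    if (target == null) {
        // No wreply URL was supplied and no default target is configured;
        // all that can be done is confirm the login.
        PrintWriter pw = response.getWriter();
        pw.println("Logged in");
        return;
    }
    response.sendRedirect(target);
}

/**
 * Parses the configured assertion time skew.
 *
 * @param classMethod log prefix of the calling method.
 * @param timeskewStr the configured value; may be null or blank.
 * @return the parsed value, or SAML2Constants.ASSERTION_TIME_SKEW_DEFAULT
 *         when the value is absent, blank, negative or not an integer.
 */
private int parseTimeSkew(String classMethod, String timeskewStr) {
    if (timeskewStr == null || timeskewStr.trim().length() == 0) {
        return SAML2Constants.ASSERTION_TIME_SKEW_DEFAULT;
    }
    int timeskew;
    try {
        timeskew = Integer.parseInt(timeskewStr.trim());
    } catch (NumberFormatException nfe) {
        // A malformed value used to abort the whole sign-in with an uncaught
        // NumberFormatException; treat it like a missing value instead.
        debug.error(classMethod + "invalid " + SAML2Constants.ASSERTION_TIME_SKEW + " value: " + timeskewStr, nfe);
        return SAML2Constants.ASSERTION_TIME_SKEW_DEFAULT;
    }
    return timeskew < 0 ? SAML2Constants.ASSERTION_TIME_SKEW_DEFAULT : timeskew;
}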
use of com.sun.identity.wsfederation.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.
the class WSFedPropertiesModelImpl method getServiceProviderAttributes.
/**
 * Returns a map with service provider attributes and values.
 *
 * @param realm to which the entity belongs.
 * @param fedId is the Federation Id, otherwise known as the entity id.
 * @return attribute values of the SP for the realm and fedId passed, or an
 *         empty map if the entity has no service provider configuration.
 * @throws AMConsoleException if unable to retrieve the Service Provider
 *         attributes for the realm and fedId passed.
 */
public Map getServiceProviderAttributes(String realm, String fedId) throws AMConsoleException {
    Map spAttributes = null;
    try {
        SPSSOConfigElement spConfig = getWSFederationMetaManager().getSPSSOConfig(realm, fedId);
        if (spConfig != null) {
            spAttributes = WSFederationMetaUtils.getAttributes(spConfig);
        }
    } catch (WSFederationMetaException e) {
        debug.warning("WSFedPropertiesModelImpl.getServiceProviderAttributes", e);
        throw new AMConsoleException(getErrorString(e));
    }
    if (spAttributes == null) {
        // No SP role (or no attributes) for this entity: hand back an empty,
        // read-only map rather than null.
        return Collections.EMPTY_MAP;
    }
    return spAttributes;
}