
Example 11 with SPSSOConfigElement

use of com.sun.identity.wsfederation.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.

the class SAML11RequestedSecurityToken method verifyToken.

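/**
 * Verifies the token's validity, checking the signature, validity period
 * etc.
 * <p>
 * Checks run in this order and the first failure throws: the assertion
 * issuer must map to an entity that {@code hostEntityId} trusts; the
 * assertion signature must verify against that remote entity unless the SP
 * configuration sets {@code WANT_ASSERTION_SIGNED} to {@code false}; an
 * authentication statement carrying a subject must be present; and the
 * assertion must be valid for the current time within {@code timeskew}.
 * <p>
 * NOTE(review): the AudienceRestrictionCondition is still not enforced (see
 * the TODO in the body), so an assertion that passes the checks above is
 * accepted regardless of which audience it was issued for.
 *
 * @param realm the realm of the local entity
 * @param hostEntityId the local entity ID
 * @param timeskew permitted skew between service provider and identity
 * provider clocks, in seconds
 * @return a Map of relevant data including Subject and the List of
 * Assertions; also carries the auth level and, when the assertion's
 * NotOnOrAfter lies in the future, the remaining session time in minutes
 * @throws com.sun.identity.wsfederation.common.WSFederationException in
 * case of any error - unknown or untrusted issuer, missing SP
 * configuration, invalid token signature, missing subject, token expired etc.
 */
public Map<String, Object> verifyToken(String realm, String hostEntityId, int timeskew) throws WSFederationException {
    String classMethod = "SAML11RequestedSecurityToken.verifyToken";
    // check that assertion issuer is trusted by the local entity
    String issuer = assertion.getIssuer();
    WSFederationMetaManager metaManager = WSFederationUtils.getMetaManager();
    String remoteEntityId = metaManager.getEntityByTokenIssuerName(realm, issuer);
    // An issuer that maps to no configured entity is rejected the same way as
    // an untrusted one instead of being handed on as null.
    if (remoteEntityId == null || !metaManager.isTrustedProvider(realm, hostEntityId, remoteEntityId)) {
        String[] data = { LogUtil.isErrorLoggable(Level.FINER) ? this.toString() : this.getTokenId(), realm, hostEntityId };
        LogUtil.error(Level.INFO, LogUtil.UNTRUSTED_ISSUER, data, null);
        throw new WSFederationException(WSFederationUtils.bundle.getString("untrustedIssuer"));
    }
    SPSSOConfigElement spConfig = metaManager.getSPSSOConfig(realm, hostEntityId);
    if (spConfig == null) {
        debug.error(classMethod + "cannot find configuration for SP " + hostEntityId);
        throw new WSFederationException("unableToFindSPConfiguration");
    }
    String strWantAssertionSigned = WSFederationMetaUtils.getAttribute(spConfig, WSFederationConstants.WANT_ASSERTION_SIGNED);
    // By default, we want to sign assertions; only an explicit "false" in the
    // SP configuration skips signature verification.
    boolean wantAssertionSigned = (strWantAssertionSigned == null) || Boolean.parseBoolean(strWantAssertionSigned);
    if (wantAssertionSigned && (!WSFederationUtils.isSignatureValid(assertion, realm, remoteEntityId))) {
        // isSignatureValid will log the error
        throw new WSFederationException(WSFederationUtils.bundle.getString("invalidSignature"));
    }
    // TODO: check AudienceRestrictionCondition
    // The subject is taken from the first authentication statement; other
    // statement types are ignored here.
    Subject assertionSubject = null;
    for (Object stmtObj : assertion.getStatement()) {
        Statement statement = (Statement) stmtObj;
        if (statement.getStatementType() == Statement.AUTHENTICATION_STATEMENT) {
            assertionSubject = ((SubjectStatement) statement).getSubject();
            break;
        }
    }
    if (assertionSubject == null) {
        String[] data = { LogUtil.isErrorLoggable(Level.FINER) ? this.toString() : this.getTokenId() };
        LogUtil.error(Level.INFO, LogUtil.MISSING_SUBJECT, data, null);
        throw new WSFederationException(WSFederationUtils.bundle.getString("missingSubject"));
    }
    // must be valid (timewise)
    if (!WSFederationUtils.isTimeValid(assertion, timeskew)) {
        // isTimeValid will log the error
        throw new WSFederationException(WSFederationUtils.bundle.getString("timeInvalid"));
    }
    List<Object> assertions = new ArrayList<Object>();
    assertions.add(assertion);
    Map<String, Object> attrMap = new HashMap<String, Object>();
    attrMap.put(SAML2Constants.SUBJECT, assertionSubject);
    attrMap.put(SAML2Constants.POST_ASSERTION, assertion);
    attrMap.put(SAML2Constants.ASSERTIONS, assertions);
    // TODO: derive the auth level from the assertion. 0 is a placeholder and
    // is always published (the former ">= 0" guard could never fail).
    int authLevel = 0;
    attrMap.put(SAML2Constants.AUTH_LEVEL, Integer.valueOf(authLevel));
    // Session lifetime is bounded by the assertion's NotOnOrAfter, expressed
    // in whole minutes from now; a bound already in the past is not published.
    // Guard the dereference for an assertion without Conditions; whether such
    // an assertion is acceptable at all is decided by isTimeValid above.
    Date sessionNotOnOrAfter = (assertion.getConditions() != null) ? assertion.getConditions().getNotOnorAfter() : null;
    if (sessionNotOnOrAfter != null) {
        long maxSessionTime = (sessionNotOnOrAfter.getTime() - System.currentTimeMillis()) / 60000;
        if (maxSessionTime > 0) {
            attrMap.put(SAML2Constants.MAX_SESSION_TIME, Long.valueOf(maxSessionTime));
        }
    }
    if (debug.messageEnabled()) {
        debug.message(classMethod + " Attribute Map : " + attrMap);
    }
    return attrMap;
}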

Example 12 with SPSSOConfigElement

use of com.sun.identity.wsfederation.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.

the class IPSigninRequest method sendResponse.

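/**
 * Sends <code>RequestSecurityTokenResponse</code> containing an
 * <code>Assertion</code> back to the requesting service provider
 * <p>
 * The assertion is built from the session's authentication method,
 * authentication instant, mapped name identifier and attributes, and is
 * signed with the IdP's configured certificate alias unless the SP
 * configuration sets {@code WANT_ASSERTION_SIGNED} to {@code false}. The
 * response is then POSTed to the SP's assertion consumer service URL, and
 * the SP is recorded in the session's SP list.
 *
 * @param session the authenticated session the assertion is issued for
 * @param idpEntityId entity ID of this identity provider
 * @param spEntityId entity ID of the requesting service provider
 * @param idpMetaAlias meta alias of this identity provider (currently unused)
 * @param realm the realm of the identity provider
 * @throws WSFederationException if no ACS URL or IdP/SP configuration can
 *         be found, a session property cannot be read, the session's
 *         authentication instant cannot be parsed, a configured skew or
 *         effective time is not numeric, the SP requires a signed assertion
 *         but no signing certificate alias is configured, or posting the
 *         response fails with a <code>ServletException</code>
 * @throws IOException if posting the response to the target fails
 */
private void sendResponse(Object session, String idpEntityId, String spEntityId, String idpMetaAlias, String realm) throws WSFederationException, IOException {
    String classMethod = "IDPSSOFederate.sendResponse: ";
    // NOTE(review): the response is posted to whatever getACSurl returns;
    // assumes it only honours a wreply that matches the SP's registered
    // endpoints — confirm in IDPSSOUtil.
    String acsURL = IDPSSOUtil.getACSurl(spEntityId, realm, wreply);
    if ((acsURL == null) || (acsURL.trim().length() == 0)) {
        debug.error(classMethod + "no ACS URL found.");
        String[] data = { realm, spEntityId, wreply };
        LogUtil.error(Level.INFO, LogUtil.NO_ACS_URL, data, null);
        throw new WSFederationException(WSFederationUtils.bundle.getString("unableTofindACSURL"));
    }
    WSFederationMetaManager metaManager = WSFederationUtils.getMetaManager();
    IDPSSOConfigElement idpConfig = metaManager.getIDPSSOConfig(realm, idpEntityId);
    if (idpConfig == null) {
        debug.error(classMethod + "cannot find configuration for IdP " + idpEntityId);
        throw new WSFederationException(WSFederationUtils.bundle.getString("unableToFindIDPConfiguration"));
    }
    SPSSOConfigElement spConfig = metaManager.getSPSSOConfig(realm, spEntityId);
    if (spConfig == null) {
        debug.error(classMethod + "cannot find configuration for SP " + spEntityId);
        throw new WSFederationException(WSFederationUtils.bundle.getString("unableToFindSPConfiguration"));
    }
    String authMethod;
    String authSSOInstant;
    try {
        authMethod = WSFederationUtils.sessionProvider.getProperty(session, SessionProvider.AUTH_METHOD)[0];
        authSSOInstant = WSFederationUtils.sessionProvider.getProperty(session, SessionProvider.AUTH_INSTANT)[0];
        // ISAuthConstants.USER_ID. The value is not used below; the lookup is
        // kept unchanged so that the failure behaviour for a session without
        // it is not altered.
        String userid = WSFederationUtils.sessionProvider.getProperty(session, "UserId")[0];
    } catch (SessionException se) {
        throw new WSFederationException(se);
    }
    IDPAttributeMapper attrMapper = getIDPAttributeMapper(WSFederationMetaUtils.getAttributes(idpConfig));
    IDPAccountMapper accountMapper = getIDPAccountMapper(WSFederationMetaUtils.getAttributes(idpConfig));
    List attributes = attrMapper.getAttributes(session, idpEntityId, spEntityId, realm);
    // An absent authentication instant in the session falls back to "now".
    Date authInstant;
    if (authSSOInstant == null || authSSOInstant.equals("")) {
        authInstant = new Date();
    } else {
        try {
            authInstant = DateUtils.stringToDate(authSSOInstant);
        } catch (ParseException pe) {
            throw new WSFederationException(pe);
        }
    }
    NameIdentifier ni = accountMapper.getNameID(session, realm, idpEntityId, spEntityId);
    // Both assertion timing parameters start from the SAML2 defaults and may
    // be overridden in the IdP configuration; a non-numeric override is a
    // hard error rather than a silent fallback.
    int notBeforeSkew = SAML2Constants.NOTBEFORE_ASSERTION_SKEW_DEFAULT;
    String notBeforeSkewStr = WSFederationMetaUtils.getAttribute(idpConfig, SAML2Constants.ASSERTION_NOTBEFORE_SKEW_ATTRIBUTE);
    if (notBeforeSkewStr != null) {
        try {
            notBeforeSkew = Integer.parseInt(notBeforeSkewStr);
            if (debug.messageEnabled()) {
                debug.message(classMethod + "got not before skew from config:" + notBeforeSkew);
            }
        } catch (NumberFormatException nfe) {
            debug.error(classMethod + "Failed to get not before skew from IDP SSO config: ", nfe);
            throw new WSFederationException(nfe);
        }
    }
    int effectiveTime = SAML2Constants.ASSERTION_EFFECTIVE_TIME;
    String effectiveTimeStr = WSFederationMetaUtils.getAttribute(idpConfig, SAML2Constants.ASSERTION_EFFECTIVE_TIME_ATTRIBUTE);
    if (effectiveTimeStr != null) {
        try {
            effectiveTime = Integer.parseInt(effectiveTimeStr);
            if (debug.messageEnabled()) {
                debug.message(classMethod + "got effective time from config:" + effectiveTime);
            }
        } catch (NumberFormatException nfe) {
            debug.error(classMethod + "Failed to get assertion effective time from IDP SSO config: ", nfe);
            throw new WSFederationException(nfe);
        }
    }
    String strWantAssertionSigned = WSFederationMetaUtils.getAttribute(spConfig, WSFederationConstants.WANT_ASSERTION_SIGNED);
    // By default, we want to sign assertions; only an explicit "false" in the
    // SP configuration turns signing off.
    boolean wantAssertionSigned = (strWantAssertionSigned == null) || Boolean.parseBoolean(strWantAssertionSigned);
    String certAlias = WSFederationMetaUtils.getAttribute(idpConfig, SAML2Constants.SIGNING_CERT_ALIAS);
    if (wantAssertionSigned && certAlias == null) {
        // SP wants us to sign the assertion, but we don't have a signing cert
        debug.error(classMethod + "SP wants signed assertion, but no signing cert is configured");
        throw new WSFederationException(WSFederationUtils.bundle.getString("noIdPCertAlias"));
    }
    if (!wantAssertionSigned) {
        // SP doesn't want us to sign the assertion, so pass null certAlias
        // to indicate no assertion signature required
        certAlias = null;
    }
    // generate a response for the authn request; a constructor call cannot
    // yield null, so no null check on rstr is needed
    RequestSecurityTokenResponse rstr = new RequestSecurityTokenResponse(new SAML11RequestedSecurityToken(realm, spEntityId, idpEntityId, notBeforeSkew, effectiveTime, certAlias, authMethod, authInstant, ni, attributes), wtrealm);
    try {
        // Add SP to SP list in session
        String[] spList = WSFederationUtils.sessionProvider.getProperty(session, WSFederationConstants.SESSION_SP_LIST);
        List<String> newSpList = (spList != null) ? new ArrayList<String>(Arrays.asList(spList)) : new ArrayList<String>();
        if (!newSpList.contains(spEntityId)) {
            newSpList.add(spEntityId);
            WSFederationUtils.sessionProvider.setProperty(session, WSFederationConstants.SESSION_SP_LIST, newSpList.toArray(new String[0]));
        }
    } catch (SessionException e) {
        // Best effort: the response is still sent when the SP list cannot be
        // updated.
        debug.error(classMethod + "error setting idpMetaAlias into the session: ", e);
    }
    try {
        postToTarget(rstr, acsURL);
    } catch (ServletException se) {
        throw new WSFederationException(se);
    }
}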

Example 13 with SPSSOConfigElement

use of com.sun.identity.wsfederation.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.

the class WSFederationMetaManager method deleteEntityConfig.

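/**
 * Deletes the extended entity configuration under the realm.
 * <p>
 * The entity is first removed from its circle of trust through whichever
 * IdP and/or SP configuration it has, then only the extended-configuration
 * attribute is deleted and the cache entry for it cleared. A {@code null}
 * realm means the root realm ({@code "/"}); a {@code null} entity ID is a
 * no-op.
 *
 * @param realm The realm under which the entity resides.
 * @param federationId The ID of the entity for whom the extended entity
 *                 configuration will be deleted.
 * @throws WSFederationMetaException if the entity has no extended
 * configuration to delete, or if unable to delete the entity
 * descriptor.
 */
public void deleteEntityConfig(String realm, String federationId) throws WSFederationMetaException {
    if (federationId == null) {
        return;
    }
    if (realm == null) {
        realm = "/";
    }
    String[] objs = { federationId, realm };
    try {
        Map<?, ?> oldAttrs = configInst.getConfiguration(realm, federationId);
        // A missing configuration map is treated like a missing attribute
        // rather than being dereferenced.
        Set<?> oldValues = (oldAttrs == null) ? null : (Set<?>) oldAttrs.get(ATTR_ENTITY_CONFIG);
        if (oldValues == null || oldValues.isEmpty()) {
            LogUtil.error(Level.INFO, LogUtil.NO_ENTITY_DESCRIPTOR_DELETE_ENTITY_CONFIG, objs, null);
            throw new WSFederationMetaException("entity_config_not_exist", objs);
        }
        // Remove the entity from cot
        IDPSSOConfigElement idpconfig = getIDPSSOConfig(realm, federationId);
        if (idpconfig != null) {
            removeFromCircleOfTrust(idpconfig, realm, federationId);
        }
        SPSSOConfigElement spconfig = getSPSSOConfig(realm, federationId);
        if (spconfig != null) {
            removeFromCircleOfTrust(spconfig, realm, federationId);
        }
        // Only the extended-config attribute is handed to deleteConfiguration.
        Set<String> attr = new HashSet<String>();
        attr.add(ATTR_ENTITY_CONFIG);
        configInst.deleteConfiguration(realm, federationId, attr);
        LogUtil.access(Level.INFO, LogUtil.ENTITY_CONFIG_DELETED, objs, null);
        WSFederationMetaCache.putEntityConfig(realm, federationId, null);
    } catch (ConfigurationException e) {
        debug.error("WSFederationMetaManager.deleteEntityConfig:", e);
        String[] data = { e.getMessage(), federationId, realm };
        LogUtil.error(Level.INFO, LogUtil.CONFIG_ERROR_DELETE_ENTITY_CONFIG, data, null);
        throw new WSFederationMetaException(e);
    }
}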

Example 14 with SPSSOConfigElement

use of com.sun.identity.wsfederation.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.

the class WSFederationMetaManager method getRoleByMetaAlias.

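/**
 * Returns role of an entity based on its metaAlias.
 * <p>
 * The SP configuration is consulted first and the IdP configuration only
 * when the SP one is absent or does not carry this metaAlias (an SP and an
 * IdP of the same entity are assumed never to share a metaAlias). An
 * entity with neither configuration, or whose configurations carry a
 * different metaAlias, is reported as {@code UNKNOWN_ROLE} rather than
 * failing.
 *
 * @param metaAlias Meta alias of the entity.
 * @return role of an entity either <code>SAML2Constants.IDP_ROLE</code>; or
 *         <code>SAML2Constants.SP_ROLE</code> or
 *         <code>SAML2Constants.UNKNOWN_ROLE</code>
 * @throws WSFederationMetaException if there are issues in getting the
 * entity profile from the meta alias.
 */
public String getRoleByMetaAlias(String metaAlias) throws WSFederationMetaException {
    String federationId = getEntityByMetaAlias(metaAlias);
    if (federationId == null) {
        return SAML2Constants.UNKNOWN_ROLE;
    }
    String realm = WSFederationMetaUtils.getRealmByMetaAlias(metaAlias);
    IDPSSOConfigElement idpConfig = getIDPSSOConfig(realm, federationId);
    SPSSOConfigElement spConfig = getSPSSOConfig(realm, federationId);
    // Both configurations may be null; each is checked before use so an
    // entity without SP or IdP config no longer dereferences null.
    if (spConfig != null) {
        String m = spConfig.getMetaAlias();
        if ((m != null) && m.equals(metaAlias)) {
            return SAML2Constants.SP_ROLE;
        }
    }
    if (idpConfig != null) {
        String m = idpConfig.getMetaAlias();
        if ((m != null) && m.equals(metaAlias)) {
            return SAML2Constants.IDP_ROLE;
        }
    }
    return SAML2Constants.UNKNOWN_ROLE;
}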

Example 15 with SPSSOConfigElement

use of com.sun.identity.wsfederation.jaxb.entityconfig.SPSSOConfigElement in project OpenAM by OpenRock.

the class WSFederationMetaManager method deleteFederation.

/**
 * Deletes the standard metadata entity descriptor under the realm.
 * <p>
 * Before the descriptor goes, the entity is taken out of its circle of
 * trust through whichever IdP and/or SP configuration it has; the entity's
 * configuration is then deleted and its cache entry cleared. A
 * {@code null} realm is treated as the root realm ({@code "/"}); a
 * {@code null} entity ID does nothing.
 *
 * @param realm The realm under which the entity resides.
 * @param federationId The ID of the entity for whom the standard entity
 *                 descriptor will be deleted.
 * @throws WSFederationMetaException if unable to delete the entity
 * descriptor.
 */
public void deleteFederation(String realm, String federationId) throws WSFederationMetaException {
    if (federationId == null) {
        return;
    }
    String effectiveRealm = (realm == null) ? "/" : realm;
    String[] logData = { federationId, effectiveRealm };
    try {
        // Remove the entity from cot
        IDPSSOConfigElement idpCfg = getIDPSSOConfig(effectiveRealm, federationId);
        if (idpCfg != null) {
            removeFromCircleOfTrust(idpCfg, effectiveRealm, federationId);
        }
        SPSSOConfigElement spCfg = getSPSSOConfig(effectiveRealm, federationId);
        if (spCfg != null) {
            removeFromCircleOfTrust(spCfg, effectiveRealm, federationId);
        }
        // end of remove entity from cot
        configInst.deleteConfiguration(effectiveRealm, federationId, null);
        LogUtil.access(Level.INFO, LogUtil.ENTITY_DESCRIPTOR_DELETED, logData, null);
        WSFederationMetaCache.putFederation(effectiveRealm, federationId, null);
    } catch (ConfigurationException e) {
        debug.error("WSFederationMetaManager.deleteFederation:", e);
        String[] errData = { e.getMessage(), federationId, effectiveRealm };
        LogUtil.error(Level.INFO, LogUtil.CONFIG_ERROR_DELETE_ENTITY_DESCRIPTOR, errData, null);
        throw new WSFederationMetaException(e);
    }
}
