Examples with SAML11RequestedSecurityToken com.sun.identity.wsfederation.profile.SAML11RequestedSecurityToken used on opensource projects

Example 1 with SAML11RequestedSecurityToken

use of com.sun.identity.wsfederation.profile.SAML11RequestedSecurityToken in project OpenAM by OpenRock.

the class IPSigninRequest method sendResponse.

/**
     * Sends <code>RequestSecurityTokenResponse</code> containing an 
     * <code>Assertion</code> back to the requesting service provider
     */
private void sendResponse(Object session, String idpEntityId, String spEntityId, String idpMetaAlias, String realm) throws WSFederationException, IOException {
    String classMethod = "IDPSSOFederate.sendResponse: ";
    /*    
        String nameIDFormat = null;
        NameIDPolicy policy = authnReq.getNameIDPolicy();
        if (policy != null) {
            nameIDFormat = policy.getFormat();
        }
 */
    String acsURL = IDPSSOUtil.getACSurl(spEntityId, realm, wreply);
    if ((acsURL == null) || (acsURL.trim().length() == 0)) {
        debug.error(classMethod + "no ACS URL found.");
        String[] data = { realm, spEntityId, wreply };
        LogUtil.error(Level.INFO, LogUtil.NO_ACS_URL, data, null);
        throw new WSFederationException(WSFederationUtils.bundle.getString("unableTofindACSURL"));
    }
    WSFederationMetaManager metaManager = WSFederationUtils.getMetaManager();
    IDPSSOConfigElement idpConfig = metaManager.getIDPSSOConfig(realm, idpEntityId);
    if (idpConfig == null) {
        debug.error(classMethod + "cannot find configuration for IdP " + idpEntityId);
        throw new WSFederationException(WSFederationUtils.bundle.getString("unableToFindIDPConfiguration"));
    }
    SPSSOConfigElement spConfig = metaManager.getSPSSOConfig(realm, spEntityId);
    if (spConfig == null) {
        debug.error(classMethod + "cannot find configuration for SP " + spEntityId);
        throw new WSFederationException(WSFederationUtils.bundle.getString("unableToFindSPConfiguration"));
    }
    String authMethod = null;
    String authSSOInstant = null;
    String userid = null;
    try {
        authMethod = WSFederationUtils.sessionProvider.getProperty(session, SessionProvider.AUTH_METHOD)[0];
        authSSOInstant = WSFederationUtils.sessionProvider.getProperty(session, SessionProvider.AUTH_INSTANT)[0];
        userid = WSFederationUtils.sessionProvider.getProperty(session, "UserId")[// ISAuthConstants.USER_ID
        0];
    } catch (SessionException se) {
        throw new WSFederationException(se);
    }
    IDPAttributeMapper attrMapper = getIDPAttributeMapper(WSFederationMetaUtils.getAttributes(idpConfig));
    IDPAccountMapper accountMapper = getIDPAccountMapper(WSFederationMetaUtils.getAttributes(idpConfig));
    List attributes = attrMapper.getAttributes(session, idpEntityId, spEntityId, realm);
    Date authInstant = null;
    if (authSSOInstant == null || authSSOInstant.equals("")) {
        authInstant = new Date();
    } else {
        try {
            authInstant = DateUtils.stringToDate(authSSOInstant);
        } catch (ParseException pe) {
            throw new WSFederationException(pe);
        }
    }
    NameIdentifier ni = accountMapper.getNameID(session, realm, idpEntityId, spEntityId);
    int notBeforeSkew = SAML2Constants.NOTBEFORE_ASSERTION_SKEW_DEFAULT;
    String notBeforeSkewStr = WSFederationMetaUtils.getAttribute(idpConfig, SAML2Constants.ASSERTION_NOTBEFORE_SKEW_ATTRIBUTE);
    if (notBeforeSkewStr != null) {
        try {
            notBeforeSkew = Integer.parseInt(notBeforeSkewStr);
            if (debug.messageEnabled()) {
                debug.message(classMethod + "got not before skew from config:" + notBeforeSkew);
            }
        } catch (NumberFormatException nfe) {
            debug.error(classMethod + "Failed to get not before skew from IDP SSO config: ", nfe);
            throw new WSFederationException(nfe);
        }
    }
    int effectiveTime = SAML2Constants.ASSERTION_EFFECTIVE_TIME;
    String effectiveTimeStr = WSFederationMetaUtils.getAttribute(idpConfig, SAML2Constants.ASSERTION_EFFECTIVE_TIME_ATTRIBUTE);
    if (effectiveTimeStr != null) {
        try {
            effectiveTime = Integer.parseInt(effectiveTimeStr);
            if (debug.messageEnabled()) {
                debug.message(classMethod + "got effective time from config:" + effectiveTime);
            }
        } catch (NumberFormatException nfe) {
            debug.error(classMethod + "Failed to get assertion effective time from " + "IDP SSO config: ", nfe);
            throw new WSFederationException(nfe);
        }
    }
    String strWantAssertionSigned = WSFederationMetaUtils.getAttribute(spConfig, WSFederationConstants.WANT_ASSERTION_SIGNED);
    // By default, we want to sign assertions
    boolean wantAssertionSigned = (strWantAssertionSigned != null) ? Boolean.parseBoolean(strWantAssertionSigned) : true;
    String certAlias = WSFederationMetaUtils.getAttribute(idpConfig, SAML2Constants.SIGNING_CERT_ALIAS);
    if (wantAssertionSigned && certAlias == null) {
        // SP wants us to sign the assertion, but we don't have a signing 
        // cert
        debug.error(classMethod + "SP wants signed assertion, but no signing cert is " + "configured");
        throw new WSFederationException(WSFederationUtils.bundle.getString("noIdPCertAlias"));
    }
    if (!wantAssertionSigned) {
        // SP doesn't want us to sign the assertion, so pass null certAlias 
        // to indicate no assertion signature required
        certAlias = null;
    }
    // generate a response for the authn request
    RequestSecurityTokenResponse rstr = new RequestSecurityTokenResponse(new SAML11RequestedSecurityToken(realm, spEntityId, idpEntityId, notBeforeSkew, effectiveTime, certAlias, authMethod, authInstant, ni, attributes), wtrealm);
    if (rstr == null) {
        debug.error(classMethod + "response is null");
        String errorMsg = WSFederationUtils.bundle.getString("UnableToCreateAssertion");
        /*
            res = IDPSSOUtil.getErrorResponse(authnReq, 
                SAML2Constants.RESPONDER, errorMsg, idpEntityID);
             */
        return;
    } else {
        try {
            String[] values = { idpMetaAlias };
            // Add SP to SP list in session
            String[] spList = WSFederationUtils.sessionProvider.getProperty(session, WSFederationConstants.SESSION_SP_LIST);
            ArrayList<String> newSpList = (spList != null) ? new ArrayList<String>(Arrays.asList(spList)) : new ArrayList<String>();
            if (!newSpList.contains(spEntityId)) {
                newSpList.add(spEntityId);
                WSFederationUtils.sessionProvider.setProperty(session, WSFederationConstants.SESSION_SP_LIST, newSpList.toArray(new String[0]));
            }
        } catch (SessionException e) {
            debug.error(classMethod + "error setting idpMetaAlias into the session: ", e);
        }
        try {
            postToTarget(rstr, acsURL);
        } catch (ServletException se) {
            throw new WSFederationException(se);
        }
    }
}

Example 2 with SAML11RequestedSecurityToken

use of com.sun.identity.wsfederation.profile.SAML11RequestedSecurityToken in project OpenAM by OpenRock.

the class DefaultLibrarySPAccountMapper method getIdentity.

/**
     * Returns the user's disntinguished name or the universal ID for the 
     * corresponding  <code>SAML</code> <code>Assertion</code>. This method
     * will be invoked by the <code>WS-Federation</code> framework while 
     * processing the <code>Assertion</code> and retrieves the identity  
     * information. The implementation of this method checks for
     * the user for the corresponding name identifier in the assertion.
     *
     * @param rstr Request Security Token Response.
     * @param hostEntityID <code>EntityID</code> of the hosted provider.
     * @param realm realm or the organization name that may be used to find
     *        the user information.
     * @return user's disntinguished name or the universal ID.
     * @exception WSFederationException if any failure.
     */
public String getIdentity(RequestSecurityTokenResponse rstr, String hostEntityID, String realm) throws WSFederationException {
    if (rstr == null) {
        throw new WSFederationException(bundle.getString("nullRstr"));
    }
    if (hostEntityID == null) {
        throw new WSFederationException(bundle.getString("nullHostEntityID"));
    }
    if (realm == null) {
        throw new WSFederationException(bundle.getString("nullRealm"));
    }
    SAML11RequestedSecurityToken rst = (SAML11RequestedSecurityToken) rstr.getRequestedSecurityToken();
    Subject subject = null;
    Assertion assertion = rst.getAssertion();
    Iterator iter = assertion.getStatement().iterator();
    while (iter.hasNext()) {
        Statement statement = (Statement) iter.next();
        if (statement.getStatementType() == Statement.AUTHENTICATION_STATEMENT) {
            subject = ((SubjectStatement) statement).getSubject();
            break;
        }
    }
    NameIdentifier nameID = subject.getNameIdentifier();
    String userID = null;
    String format = nameID.getFormat();
    String remoteEntityID = WSFederationUtils.getMetaManager().getEntityByTokenIssuerName(realm, assertion.getIssuer());
    if (debug.messageEnabled()) {
        debug.message("DefaultLibrarySPAccountMapper.getIdentity(Assertion):" + " realm = " + realm + " hostEntityID = " + hostEntityID);
    }
    try {
        userID = dsProvider.getUserID(realm, getSearchParameters(nameID, realm, hostEntityID, remoteEntityID));
    } catch (DataStoreProviderException dse) {
        debug.error("DefaultLibrarySPAccountMapper.getIdentity(Assertion): " + "DataStoreProviderException", dse);
        throw new WSFederationException(dse);
    }
    return userID;
}