Example 6 with SAML2TokenRepositoryException
use of org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException in project OpenAM by OpenRock.
the class IDPArtifactResolution method onMessage.
/**
* This method generates a <code>SOAPMessage</code> containing the
* <code>ArtifactResponse</code> that is corresponding to the
* <code>ArtifactResolve</code> contained in the
* <code>SOAPMessage</code> passed in.
*
* @param message <code>SOAPMessage</code> contains a
* <code>ArtifactResolve</code>
* @param request the <code>HttpServletRequest</code> object
* @param realm the realm to where the identity provider belongs
* @param idpEntityID the entity id of the identity provider
*
* @return <code>SOAPMessage</code> contains the
* <code>ArtifactResponse</code>
* @exception SAML2Exception if the operation is not successful
*/
public static SOAPMessage onMessage(SOAPMessage message, HttpServletRequest request, HttpServletResponse response, String realm, String idpEntityID) throws SAML2Exception {
String classMethod = "IDPArtifactResolution.onMessage: ";
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "Entering onMessage().");
}
Element reqElem = SOAPCommunicator.getInstance().getSamlpElement(message, "ArtifactResolve");
ArtifactResolve artResolve = ProtocolFactory.getInstance().createArtifactResolve(reqElem);
if (artResolve == null) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "no valid ArtifactResolve node found in SOAP body.");
}
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "noArtifactResolve", null);
}
String spEntityID = artResolve.getIssuer().getValue();
if (!SAML2Utils.isSourceSiteValid(artResolve.getIssuer(), realm, idpEntityID)) {
SAML2Utils.debug.error(classMethod + spEntityID + " is not trusted issuer.");
String[] data = { idpEntityID, realm, artResolve.getID() };
LogUtil.error(Level.INFO, LogUtil.INVALID_ISSUER_REQUEST, data, null);
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "invalidIssuerInRequest", null);
}
SPSSODescriptorElement spSSODescriptor = null;
try {
spSSODescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(realm, spEntityID);
} catch (SAML2MetaException sme) {
SAML2Utils.debug.error(classMethod, sme);
spSSODescriptor = null;
}
if (spSSODescriptor == null) {
SAML2Utils.debug.error(classMethod + "Unable to get SP SSO Descriptor from meta.");
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.SERVER_FAULT, "metaDataError", null);
}
OrderedSet acsSet = SPSSOFederate.getACSUrl(spSSODescriptor, SAML2Constants.HTTP_ARTIFACT);
String acsURL = (String) acsSet.get(0);
//String protocolBinding = (String) acsSet.get(1);
String isArtifactResolveSigned = SAML2Utils.getAttributeValueFromSSOConfig(realm, idpEntityID, SAML2Constants.IDP_ROLE, SAML2Constants.WANT_ARTIFACT_RESOLVE_SIGNED);
if ((isArtifactResolveSigned != null) && (isArtifactResolveSigned.equals(SAML2Constants.TRUE))) {
if (!artResolve.isSigned()) {
SAML2Utils.debug.error(classMethod + "The artifact resolve is not signed " + "when it is expected to be signed.");
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "ArtifactResolveNotSigned", null);
}
Set<X509Certificate> verificationCerts = KeyUtil.getVerificationCerts(spSSODescriptor, spEntityID, SAML2Constants.SP_ROLE);
if (!artResolve.isSignatureValid(verificationCerts)) {
SAML2Utils.debug.error(classMethod + "artifact resolve verification failed.");
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "invalidArtifact", null);
}
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "artifact resolve signature verification is successful.");
}
}
Artifact art = artResolve.getArtifact();
if (art == null) {
SAML2Utils.debug.error(classMethod + "Unable to get an artifact from ArtifactResolve.");
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "invalidArtifactSignature", null);
}
String artStr = art.getArtifactValue();
Response res = (Response) IDPCache.responsesByArtifacts.remove(artStr);
String remoteArtURL = null;
boolean saml2FailoverEnabled = SAML2FailoverUtils.isSAML2FailoverEnabled();
if (res == null) {
// in LB case, artifact may reside on the other server.
String targetServerID = SAML2Utils.extractServerId(art.getMessageHandle());
if (targetServerID == null) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "target serverID is null");
}
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "InvalidArtifactId", null);
}
String localServerID = SAML2Utils.getLocalServerID();
boolean localTarget = localServerID.equals(targetServerID);
if (!localTarget) {
if (!SystemConfigurationUtil.isValidServerId(targetServerID)) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "target serverID is not valid: " + targetServerID);
}
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "InvalidArtifactId", null);
}
try {
String remoteServiceURL = SystemConfigurationUtil.getServerFromID(targetServerID);
remoteArtURL = remoteServiceURL + SAML2Utils.removeDeployUri(request.getRequestURI());
SOAPConnection con = SOAPCommunicator.getInstance().openSOAPConnection();
SOAPMessage resMsg = con.call(message, remoteArtURL);
return resMsg;
} catch (Exception ex) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "unable to forward request to remote server. " + "remote url = " + remoteArtURL, ex);
}
if (!saml2FailoverEnabled) {
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.SERVER_FAULT, "RemoteArtifactResolutionFailed", null);
}
// when the target server is running but the remote call was
// failed to this server (due to a network error)
// and the saml2failover is enabled, we can still find the
// artifact in the SAML2 repository.
// However the cached entry in the target server will not be
// deleted this way.
}
}
if (saml2FailoverEnabled) {
// Check the SAML2 Token Repository
try {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message("Artifact=" + artStr);
}
String tmp = (String) SAML2FailoverUtils.retrieveSAML2Token(artStr);
res = ProtocolFactory.getInstance().createResponse(tmp);
} catch (SAML2Exception e) {
SAML2Utils.debug.error(classMethod + " SAML2 ERROR!!!", e);
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "UnableToFindResponseInRepo", null);
} catch (SAML2TokenRepositoryException se) {
SAML2Utils.debug.error(classMethod + " There was a problem reading the response " + "from the SAML2 Token Repository using artStr:" + artStr, se);
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, "UnableToFindResponseInRepo", null);
}
}
}
if (res == null) {
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.CLIENT_FAULT, saml2FailoverEnabled ? "UnableToFindResponseInRepo" : "UnableToFindResponse", null);
}
// Remove Response from SAML2 Token Repository
try {
if (saml2FailoverEnabled) {
SAML2FailoverUtils.deleteSAML2Token(artStr);
}
} catch (SAML2TokenRepositoryException e) {
SAML2Utils.debug.error(classMethod + " Error deleting the response from the SAML2 Token Repository using artStr:" + artStr, e);
}
Map props = new HashMap();
String nameIDString = SAML2Utils.getNameIDStringFromResponse(res);
if (nameIDString != null) {
props.put(LogUtil.NAME_ID, nameIDString);
}
// check if need to sign the assertion
boolean signAssertion = spSSODescriptor.isWantAssertionsSigned();
if (signAssertion) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "signing the assertion.");
}
}
// encrypt the assertion or its NameID and/or Attribute based
// on SP config setting and sign the assertion.
IDPSSOUtil.signAndEncryptResponseComponents(realm, spEntityID, idpEntityID, res, signAssertion);
ArtifactResponse artResponse = ProtocolFactory.getInstance().createArtifactResponse();
Status status = ProtocolFactory.getInstance().createStatus();
StatusCode statusCode = ProtocolFactory.getInstance().createStatusCode();
statusCode.setValue(SAML2Constants.SUCCESS);
status.setStatusCode(statusCode);
// set the idp entity id as the response issuer
Issuer issuer = AssertionFactory.getInstance().createIssuer();
issuer.setValue(idpEntityID);
artResponse.setStatus(status);
artResponse.setID(SAML2Utils.generateID());
artResponse.setInResponseTo(artResolve.getID());
artResponse.setVersion(SAML2Constants.VERSION_2_0);
artResponse.setIssueInstant(new Date());
artResponse.setAny(res.toXMLString(true, true));
artResponse.setIssuer(issuer);
artResponse.setDestination(XMLUtils.escapeSpecialCharacters(acsURL));
String wantArtifactResponseSigned = SAML2Utils.getAttributeValueFromSSOConfig(realm, spEntityID, SAML2Constants.SP_ROLE, SAML2Constants.WANT_ARTIFACT_RESPONSE_SIGNED);
if ((wantArtifactResponseSigned != null) && (wantArtifactResponseSigned.equals(SAML2Constants.TRUE))) {
KeyProvider kp = KeyUtil.getKeyProviderInstance();
if (kp == null) {
SAML2Utils.debug.error(classMethod + "Unable to get a key provider instance.");
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.SERVER_FAULT, "nullKeyProvider", null);
}
String idpSignCertAlias = SAML2Utils.getSigningCertAlias(realm, idpEntityID, SAML2Constants.IDP_ROLE);
if (idpSignCertAlias == null) {
SAML2Utils.debug.error(classMethod + "Unable to get the hosted IDP signing certificate alias.");
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.SERVER_FAULT, "missingSigningCertAlias", null);
}
String encryptedKeyPass = SAML2Utils.getSigningCertEncryptedKeyPass(realm, idpEntityID, SAML2Constants.IDP_ROLE);
PrivateKey key;
if (encryptedKeyPass == null || encryptedKeyPass.isEmpty()) {
key = kp.getPrivateKey(idpSignCertAlias);
} else {
key = kp.getPrivateKey(idpSignCertAlias, encryptedKeyPass);
}
artResponse.sign(key, kp.getX509Certificate(idpSignCertAlias));
}
String str = artResponse.toXMLString(true, true);
String[] logdata = { idpEntityID, artStr, str };
LogUtil.access(Level.INFO, LogUtil.ARTIFACT_RESPONSE, logdata, null, props);
if (str != null) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "ArtifactResponse message:\n" + str);
}
} else {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "Unable to print ArtifactResponse message.");
}
}
SOAPMessage msg = null;
try {
msg = SOAPCommunicator.getInstance().createSOAPMessage(str, false);
} catch (SOAPException se) {
SAML2Utils.debug.error(classMethod + "Unable to create a SOAPMessage and add a document ", se);
return SOAPCommunicator.getInstance().createSOAPFault(SAML2Constants.SERVER_FAULT, "unableToCreateSOAPMessage", null);
}
return msg;
}
Also used :
KeyProvider(com.sun.identity.saml.xmlsig.KeyProvider)
PrivateKey(java.security.PrivateKey)
HashMap(java.util.HashMap)
Issuer(com.sun.identity.saml2.assertion.Issuer)
SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)
SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)
Element(org.w3c.dom.Element)
SOAPConnection(javax.xml.soap.SOAPConnection)
SOAPMessage(javax.xml.soap.SOAPMessage)
StatusCode(com.sun.identity.saml2.protocol.StatusCode)
ArtifactResolve(com.sun.identity.saml2.protocol.ArtifactResolve)
SOAPException(javax.xml.soap.SOAPException)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
Status(com.sun.identity.saml2.protocol.Status)
OrderedSet(com.sun.identity.shared.datastruct.OrderedSet)
X509Certificate(java.security.cert.X509Certificate)
Artifact(com.sun.identity.saml2.protocol.Artifact)
SOAPException(javax.xml.soap.SOAPException)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)
IOException(java.io.IOException)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
Date(java.util.Date)
Response(com.sun.identity.saml2.protocol.Response)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
ArtifactResponse(com.sun.identity.saml2.protocol.ArtifactResponse)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
ArtifactResponse(com.sun.identity.saml2.protocol.ArtifactResponse)
SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)
HashMap(java.util.HashMap)
Map(java.util.Map)
Example 7 with SAML2TokenRepositoryException
use of org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException in project OpenAM by OpenRock.
the class IDPSSOUtil method getAssertion.
/**
* Returns a <code>SAML Assertion</code> object
*
* @throws SAML2Exception if the operation is not successful
* @param request The HTTP request.
* @param session The user's session object.
* @param authnReq The <code>AuthnRequest</code> object.
* @param recipientEntityID The entity ID of the response recipient.
* @param idpEntityID The entity ID of the identity provider.
* @param realm The realm name.
* @param nameIDFormat The <code>NameIDFormat</code>.
* @param acsURL The <code>ACS</code> service <code>url</code>.
* @param affiliationID AffiliationID for IDP initiated SSO.
* @param matchingAuthnContext the <code>AuthnContext</code> used to find authentication type and scheme.
* @return the <code>SAML Assertion</code> object.
* @throws SAML2Exception if the operation is not successful.
*/
private static Assertion getAssertion(HttpServletRequest request, Object session, AuthnRequest authnReq, String recipientEntityID, String idpEntityID, String idpMetaAlias, String realm, String nameIDFormat, String acsURL, String affiliationID, AuthnContext matchingAuthnContext) throws SAML2Exception {
String classMethod = "IDPSSOUtil.getAssertion: ";
Assertion assertion = AssertionFactory.getInstance().createAssertion();
String assertionID = SAML2Utils.generateID();
assertion.setID(assertionID);
assertion.setVersion(SAML2Constants.VERSION_2_0);
assertion.setIssueInstant(new Date());
Issuer issuer = AssertionFactory.getInstance().createIssuer();
issuer.setValue(idpEntityID);
assertion.setIssuer(issuer);
List statementList = new ArrayList();
NewBoolean isNewSessionIndex = new NewBoolean();
AuthnStatement authnStatement = null;
IDPSession idpSession = null;
String sessionIndex = null;
String sessionID = sessionProvider.getSessionID(session);
synchronized (sessionID) {
authnStatement = getAuthnStatement(request, session, isNewSessionIndex, authnReq, idpEntityID, realm, matchingAuthnContext);
if (authnStatement == null) {
return null;
}
sessionIndex = authnStatement.getSessionIndex();
if (isNewSessionIndex.getValue()) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "This is a new IDP session with sessionIndex=" + sessionIndex + ", and sessionID=" + sessionID);
}
idpSession = (IDPSession) IDPCache.idpSessionsBySessionID.get(sessionProvider.getSessionID(session));
if (idpSession == null) {
idpSession = new IDPSession(session);
}
// Set the metaAlias in the IDP session object
idpSession.setMetaAlias(idpMetaAlias);
IDPCache.idpSessionsByIndices.put(sessionIndex, idpSession);
if ((agent != null) && agent.isRunning() && (saml2Svc != null)) {
saml2Svc.setIdpSessionCount((long) IDPCache.idpSessionsByIndices.size());
}
} else {
idpSession = (IDPSession) IDPCache.idpSessionsByIndices.get(sessionIndex);
}
}
if (isNewSessionIndex.getValue()) {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "a new IDP session has been saved in cache, " + "with sessionIndex=" + sessionIndex);
}
try {
sessionProvider.addListener(session, sessionListener);
} catch (SessionException e) {
SAML2Utils.debug.error(classMethod + "Unable to add session listener.");
}
} else {
if (idpSession == null && SAML2FailoverUtils.isSAML2FailoverEnabled()) {
// Read from SAML2 Token Repository
IDPSessionCopy idpSessionCopy = null;
try {
idpSessionCopy = (IDPSessionCopy) SAML2FailoverUtils.retrieveSAML2Token(sessionIndex);
} catch (SAML2TokenRepositoryException se) {
SAML2Utils.debug.error(classMethod + "Unable to obtain IDPSessionCopy from the SAML2 Token Repository for sessionIndex:" + sessionIndex, se);
}
// Copy back to IDPSession
if (idpSessionCopy != null) {
idpSession = new IDPSession(idpSessionCopy);
} else {
SAML2Utils.debug.error("IDPSessionCopy is null");
throw new SAML2Exception(SAML2Utils.bundle.getString("IDPSessionIsNULL"));
}
} else if ((idpSession == null) && (!SAML2FailoverUtils.isSAML2FailoverEnabled())) {
SAML2Utils.debug.error("IDPSession is null; SAML2 failover" + "is disabled");
throw new SAML2Exception(SAML2Utils.bundle.getString("IDPSessionIsNULL"));
} else {
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "This is an existing IDP session with sessionIndex=" + sessionIndex + ", and sessionID=" + sessionProvider.getSessionID(idpSession.getSession()));
}
}
}
statementList.add(authnStatement);
AttributeStatement attrStatement = getAttributeStatement(session, idpEntityID, recipientEntityID, realm);
if (attrStatement != null) {
List attrStatementList = new ArrayList();
attrStatementList.add(attrStatement);
assertion.setAttributeStatements(attrStatementList);
}
// get the assertion effective time (in seconds)
int effectiveTime = getEffectiveTime(realm, idpEntityID);
// get the NotBefore skew (in seconds)
int notBeforeSkewTime = getNotBeforeSkewTime(realm, idpEntityID);
// get the subject element
Subject subject = getSubject(session, authnReq, acsURL, nameIDFormat, realm, idpEntityID, recipientEntityID, effectiveTime, affiliationID);
// register (spEntityID, nameID) with the sso token
// for later logout use
String spEntityID = null;
if (authnReq != null) {
spEntityID = authnReq.getIssuer().getValue();
} else {
spEntityID = recipientEntityID;
}
NameIDandSPpair pair = new NameIDandSPpair(subject.getNameID(), spEntityID);
synchronized (IDPCache.idpSessionsByIndices) {
List<NameIDandSPpair> list = idpSession.getNameIDandSPpairs();
String id;
if (authnReq != null) {
id = authnReq.getIssuer().getValue();
} else {
id = spEntityID;
}
boolean found = false;
for (NameIDandSPpair nameIDandSPpair : list) {
if (nameIDandSPpair.getSPEntityID().equals(id)) {
found = true;
break;
}
}
if (!found) {
list.add(pair);
}
}
assertion.setAuthnStatements(statementList);
assertion.setSubject(subject);
Conditions conditions = getConditions(recipientEntityID, notBeforeSkewTime, effectiveTime);
assertion.setConditions(conditions);
String discoBootstrapEnabled = getAttributeValueFromIDPSSOConfig(realm, idpEntityID, SAML2Constants.DISCO_BOOTSTRAPPING_ENABLED);
if ((discoBootstrapEnabled != null) && discoBootstrapEnabled.equalsIgnoreCase("true")) {
List attrStatementList = assertion.getAttributeStatements();
if (attrStatementList == null) {
attrStatementList = new ArrayList();
assertion.setAttributeStatements(attrStatementList);
}
DiscoveryBootstrap bootstrap = new DiscoveryBootstrap(session, subject, authnStatement.getAuthnContext().getAuthnContextClassRef(), spEntityID, realm);
attrStatementList.add(bootstrap.getBootstrapStatement());
assertion.setAdvice(bootstrap.getCredentials());
}
if (assertionCacheEnabled(realm, idpEntityID)) {
String userName = null;
try {
userName = sessionProvider.getPrincipalName(session);
} catch (SessionException se) {
SAML2Utils.debug.error(classMethod + "Unable to get principal name from the session.", se);
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
}
String cacheKey = userName.toLowerCase();
List assertions = (List) IDPCache.assertionCache.get(cacheKey);
if (assertions == null) {
synchronized (IDPCache.assertionCache) {
assertions = (List) IDPCache.assertionCache.get(cacheKey);
if (assertions == null) {
assertions = new ArrayList();
IDPCache.assertionCache.put(cacheKey, assertions);
}
}
}
synchronized (assertions) {
assertions.add(assertion);
}
IDPCache.assertionByIDCache.put(assertionID, assertion);
if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
try {
SAML2FailoverUtils.saveSAML2Token(assertionID, cacheKey, assertion.toXMLString(true, true), conditions.getNotOnOrAfter().getTime() / 1000);
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "Saving Assertion to SAML2 Token Repository. ID = " + assertionID);
}
} catch (SAML2TokenRepositoryException se) {
SAML2Utils.debug.error(classMethod + "Unable to save Assertion to the SAML2 Token Repository", se);
}
}
}
// Save to SAML2 Token Repository
try {
if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
long sessionExpireTime = System.currentTimeMillis() / 1000 + (sessionProvider.getTimeLeft(session));
SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(sessionIndex, new IDPSessionCopy(idpSession), sessionExpireTime);
}
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "SAVE IDPSession!");
}
} catch (SessionException se) {
SAML2Utils.debug.error(classMethod + "Unable to get left-time from the session.", se);
throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
} catch (SAML2TokenRepositoryException se) {
SAML2Utils.debug.error(classMethod + "Unable to save IDPSession to the SAML2 Token Repository", se);
}
return assertion;
}
Also used :
Issuer(com.sun.identity.saml2.assertion.Issuer)
EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion)
Assertion(com.sun.identity.saml2.assertion.Assertion)
ArrayList(java.util.ArrayList)
NewBoolean(com.sun.identity.saml2.common.NewBoolean)
SessionException(com.sun.identity.plugin.session.SessionException)
Date(java.util.Date)
Subject(com.sun.identity.saml2.assertion.Subject)
Conditions(com.sun.identity.saml2.assertion.Conditions)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
AttributeStatement(com.sun.identity.saml2.assertion.AttributeStatement)
AuthnStatement(com.sun.identity.saml2.assertion.AuthnStatement)
List(java.util.List)
ArrayList(java.util.ArrayList)
SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)
Example 8 with SAML2TokenRepositoryException
use of org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException in project OpenAM by OpenRock.
the class IDPSSOUtil method sendResponseArtifact.
/**
* This method opens a URL connection to the target specified and
* sends artifact response to it using the
* <code>HttpServletResponse</code> object.
*
* @param response the <code>HttpServletResponse</code> object
* @param idpEntityID the entity id of the identity provider
* @param realm the realm name of the identity provider
* @param acsURL the assertion consumer service <code>URL</code>
* @param relayState the value of the <code>RelayState</code>
* @param res the <code>SAML Response</code> object
* @param session user session
* @param props property map including nameIDString for logging
* @throws SAML2Exception if the operation is not successful
*/
public static void sendResponseArtifact(HttpServletRequest request, HttpServletResponse response, String idpEntityID, String spEntityID, String realm, String acsURL, String relayState, Response res, Object session, Map props) throws SAML2Exception {
String classMethod = "IDPSSOUtil.sendResponseArtifact: ";
IDPSSODescriptorElement idpSSODescriptorElement = null;
try {
idpSSODescriptorElement = metaManager.getIDPSSODescriptor(realm, idpEntityID);
if (idpSSODescriptorElement == null) {
SAML2Utils.debug.error(classMethod + "Unable to get IDP SSO Descriptor from meta.");
String[] data = { idpEntityID };
LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, session, props);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
} catch (SAML2MetaException sme) {
SAML2Utils.debug.error(classMethod + "Unable to get IDP SSO Descriptor from meta.");
String[] data = { idpEntityID };
LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, session, props);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
ArtifactResolutionServiceElement ars = (ArtifactResolutionServiceElement) idpSSODescriptorElement.getArtifactResolutionService().get(0);
if (ars == null) {
SAML2Utils.debug.error(classMethod + "Unable to get ArtifactResolutionServiceElement from meta.");
String[] data = { idpEntityID };
LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, session, props);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
Artifact art = null;
try {
art = ProtocolFactory.getInstance().createArtifact(null, ars.getIndex(), SAML2Utils.generateSourceID(idpEntityID), SAML2Utils.generateMessageHandleWithServerID());
} catch (SAML2Exception se) {
SAML2Utils.debug.error(classMethod + "Unable to create artifact: ", se);
String[] data = { idpEntityID };
LogUtil.error(Level.INFO, LogUtil.CANNOT_CREATE_ARTIFACT, data, session, props);
SAMLUtils.sendError(request, response, response.SC_INTERNAL_SERVER_ERROR, "errorCreateArtifact", SAML2Utils.bundle.getString("errorCreateArtifact"));
return;
}
String artStr = art.getArtifactValue();
try {
IDPCache.responsesByArtifacts.put(artStr, res);
if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
try {
long expireTime = getValidTimeofResponse(realm, idpEntityID, res) / 1000;
SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(artStr, res.toXMLString(true, true), expireTime);
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "Saved Response to SAML2 Token Repository using key " + artStr);
}
} catch (SAML2TokenRepositoryException se) {
SAML2Utils.debug.error(classMethod + "Unable to save Response to the SAML2 Token Repository", se);
}
}
String messageEncoding = SAML2Utils.getAttributeValueFromSSOConfig(realm, spEntityID, SAML2Constants.SP_ROLE, SAML2Constants.RESPONSE_ARTIFACT_MESSAGE_ENCODING);
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "messageEncoding = " + messageEncoding);
SAML2Utils.debug.message(classMethod + "artStr = " + artStr);
}
if ((messageEncoding != null) && (messageEncoding.equals(SAML2Constants.FORM_ENCODING))) {
String[] logdata = { idpEntityID, realm, acsURL };
LogUtil.access(Level.INFO, LogUtil.SEND_ARTIFACT, logdata, session, props);
SAML2Utils.postToTarget(request, response, SAML2Constants.SAML_ART, artStr, "RelayState", relayState, acsURL);
} else {
String redirectURL = acsURL + (acsURL.contains("?") ? "&" : "?") + "SAMLart=" + URLEncDec.encode(artStr);
if ((relayState != null) && (relayState.trim().length() != 0)) {
redirectURL += "&RelayState=" + URLEncDec.encode(relayState);
}
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "Redirect URL = " + redirectURL);
}
String[] logdata = { idpEntityID, realm, redirectURL };
LogUtil.access(Level.INFO, LogUtil.SEND_ARTIFACT, logdata, session, props);
response.sendRedirect(redirectURL);
}
} catch (IOException ioe) {
SAML2Utils.debug.error(classMethod + "Unable to send redirect: ", ioe);
}
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)
IOException(java.io.IOException)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
ArtifactResolutionServiceElement(com.sun.identity.saml2.jaxb.metadata.ArtifactResolutionServiceElement)
Artifact(com.sun.identity.saml2.protocol.Artifact)
IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)
Example 9 with SAML2TokenRepositoryException
use of org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException in project OpenAM by OpenRock.
the class IDPProxyUtil method sendProxyAuthnRequest.
/**
* Sends a new AuthnRequest to the authenticating provider.
* @param authnRequest original AuthnRequest sent by the service provider.
* @param preferredIDP IDP to be proxied.
* @param spSSODescriptor SPSSO Descriptor Element
* @param hostedEntityId hosted provider ID
* @param request HttpServletRequest
* @param response HttpServletResponse
* @param realm Realm
* @param relayState the Relay State
* @param originalBinding The binding used to send the original AuthnRequest.
* @exception SAML2Exception for any SAML2 failure.
* @exception IOException if there is a failure in redirection.
*/
public static void sendProxyAuthnRequest(AuthnRequest authnRequest, String preferredIDP, SPSSODescriptorElement spSSODescriptor, String hostedEntityId, HttpServletRequest request, HttpServletResponse response, String realm, String relayState, String originalBinding) throws SAML2Exception, IOException {
String classMethod = "IDPProxyUtil.sendProxyAuthnRequest: ";
String destination = null;
SPSSODescriptorElement localDescriptor = null;
SPSSOConfigElement localDescriptorConfig = null;
IDPSSODescriptorElement idpDescriptor = null;
String binding;
try {
idpDescriptor = IDPSSOUtil.metaManager.getIDPSSODescriptor(realm, preferredIDP);
List<SingleSignOnServiceElement> ssoServiceList = idpDescriptor.getSingleSignOnService();
SingleSignOnServiceElement endpoint = getMatchingSSOEndpoint(ssoServiceList, originalBinding);
if (endpoint == null) {
SAML2Utils.debug.error(classMethod + "Single Sign-on service is not found for the proxying IDP.");
throw new SAML2Exception(SAML2Utils.bundle.getString("ssoServiceNotFoundIDPProxy"));
}
binding = endpoint.getBinding();
destination = endpoint.getLocation();
localDescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(realm, hostedEntityId);
localDescriptorConfig = IDPSSOUtil.metaManager.getSPSSOConfig(realm, hostedEntityId);
} catch (SAML2MetaException e) {
SAML2Utils.debug.error(classMethod, e);
throw new SAML2Exception(e.getMessage());
}
AuthnRequest newAuthnRequest = getNewAuthnRequest(hostedEntityId, destination, realm, authnRequest);
// invoke SP Adapter class if registered
SAML2ServiceProviderAdapter spAdapter = SAML2Utils.getSPAdapterClass(hostedEntityId, realm);
if (spAdapter != null) {
spAdapter.preSingleSignOnRequest(hostedEntityId, preferredIDP, realm, request, response, newAuthnRequest);
}
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + "New Authentication request:" + newAuthnRequest.toXMLString());
}
String requestID = newAuthnRequest.getID();
// save the AuthnRequest in the IDPCache so that it can be
// retrieved later when the user successfully authenticates
IDPCache.authnRequestCache.put(requestID, newAuthnRequest);
// save the original AuthnRequest
IDPCache.proxySPAuthnReqCache.put(requestID, authnRequest);
boolean signingNeeded = idpDescriptor.isWantAuthnRequestsSigned() || localDescriptor.isAuthnRequestsSigned();
// check if relayState is present and get the unique
// id which will be appended to the SSO URL before
// redirecting
String relayStateID = null;
if (relayState != null && relayState.length() > 0) {
relayStateID = SPSSOFederate.getRelayStateID(relayState, authnRequest.getID());
}
if (binding.equals(SAML2Constants.HTTP_POST)) {
if (signingNeeded) {
String certAlias = SPSSOFederate.getParameter(SAML2MetaUtils.getAttributes(localDescriptorConfig), SAML2Constants.SIGNING_CERT_ALIAS);
SPSSOFederate.signAuthnRequest(certAlias, newAuthnRequest);
}
String authXMLString = newAuthnRequest.toXMLString(true, true);
String encodedReqMsg = SAML2Utils.encodeForPOST(authXMLString);
SAML2Utils.postToTarget(request, response, "SAMLRequest", encodedReqMsg, "RelayState", relayStateID, destination);
} else {
String authReqXMLString = newAuthnRequest.toXMLString(true, true);
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + " AuthnRequest: " + authReqXMLString);
}
String encodedXML = SAML2Utils.encodeForRedirect(authReqXMLString);
StringBuffer queryString = new StringBuffer().append(SAML2Constants.SAML_REQUEST).append(SAML2Constants.EQUAL).append(encodedXML);
//TODO: should it be newAuthnRequest???
if (relayStateID != null && relayStateID.length() > 0) {
queryString.append("&").append(SAML2Constants.RELAY_STATE).append("=").append(URLEncDec.encode(relayStateID));
}
StringBuffer redirectURL = new StringBuffer().append(destination).append(destination.contains("?") ? "&" : "?");
if (signingNeeded) {
String certAlias = SPSSOFederate.getParameter(SAML2MetaUtils.getAttributes(localDescriptorConfig), SAML2Constants.SIGNING_CERT_ALIAS);
String signedQueryStr = SPSSOFederate.signQueryString(queryString.toString(), certAlias);
redirectURL.append(signedQueryStr);
} else {
redirectURL.append(queryString);
}
response.sendRedirect(redirectURL.toString());
}
String[] data = { destination };
LogUtil.access(Level.INFO, LogUtil.REDIRECT_TO_SP, data, null);
AuthnRequestInfo reqInfo = new AuthnRequestInfo(request, response, realm, hostedEntityId, preferredIDP, newAuthnRequest, relayState, null);
synchronized (SPCache.requestHash) {
SPCache.requestHash.put(requestID, reqInfo);
}
if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
try {
// sessionExpireTime is counted in seconds
long sessionExpireTime = System.currentTimeMillis() / 1000 + SPCache.interval;
SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(requestID, new AuthnRequestInfoCopy(reqInfo), sessionExpireTime);
if (SAML2Utils.debug.messageEnabled()) {
SAML2Utils.debug.message(classMethod + " SAVE AuthnRequestInfoCopy for requestID " + requestID);
}
} catch (SAML2TokenRepositoryException se) {
SAML2Utils.debug.error(classMethod + " SAVE AuthnRequestInfoCopy for requestID " + requestID + ", failed!", se);
}
}
}
Also used :
SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)
SPSSOConfigElement(com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement)
SingleSignOnServiceElement(com.sun.identity.saml2.jaxb.metadata.SingleSignOnServiceElement)
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
AuthnRequest(com.sun.identity.saml2.protocol.AuthnRequest)
SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)
SAML2ServiceProviderAdapter(com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)
Example 10 with SAML2TokenRepositoryException
use of org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException in project OpenAM by OpenRock.
the class SAML2Utils method verifyResponse.
/**
* Verifies single sign on <code>Response</code> and returns information
* to SAML2 auth module for further processing. This method is used by
* SAML2 auth module only.
*
* @param httpRequest HttpServletRequest
* @param httpResponse HttpServletResponse
* @param response Single Sign On <code>Response</code>.
* @param orgName name of the realm or organization the provider is in.
* @param hostEntityId Entity ID of the hosted provider.
* @param profileBinding Profile binding used.
* @return A Map of information extracted from the Response. The keys of
* map are:
* <code>SAML2Constants.SUBJECT</code>,
* <code>SAML2Constants.POST_ASSERTION</code>,
* <code>SAML2Constants.ASSERTIONS</code>,
* <code>SAML2Constants.SESSION_INDEX</code>,
* <code>SAML2Constants.AUTH_LEVEL</code>,
* <code>SAML2Constants.MAX_SESSION_TIME</code>.
* @throws SAML2Exception if the Response is not valid according to the
* processing rules.
*/
public static Map verifyResponse(final HttpServletRequest httpRequest, final HttpServletResponse httpResponse, final Response response, final String orgName, final String hostEntityId, final String profileBinding) throws SAML2Exception {
final String method = "SAML2Utils.verifyResponse:";
if (response == null || orgName == null || orgName.length() == 0) {
if (debug.messageEnabled()) {
debug.message(method + "response or orgName is null.");
}
throw new SAML2Exception(bundle.getString("nullInput"));
}
String respID = response.getID();
AuthnRequestInfo reqInfo = null;
String inRespToResp = response.getInResponseTo();
if (inRespToResp != null && inRespToResp.length() != 0) {
reqInfo = (AuthnRequestInfo) SPCache.requestHash.get(inRespToResp);
if (reqInfo == null) {
if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
// Attempt to read AuthnRequestInfoCopy from SAML2 repository
AuthnRequestInfoCopy reqInfoCopy = null;
try {
reqInfoCopy = (AuthnRequestInfoCopy) SAML2FailoverUtils.retrieveSAML2Token(inRespToResp);
} catch (SAML2TokenRepositoryException se) {
debug.error(method + "AuthnRequestInfoCopy" + " unable to retrieve from SAML2 repository for inResponseTo: " + inRespToResp);
}
if (reqInfoCopy != null) {
// Get back the AuthnRequestInfo
reqInfo = reqInfoCopy.getAuthnRequestInfo(httpRequest, httpResponse);
if (debug.messageEnabled()) {
debug.message(method + "AuthnRequestInfoCopy" + " retrieved from SAML2 repository for inResponseTo: " + inRespToResp);
}
} else {
debug.error(method + "InResponseTo attribute in Response" + " is invalid: " + inRespToResp + ", SAML2 failover is enabled");
String[] data = { respID };
LogUtil.error(Level.INFO, LogUtil.INVALID_INRESPONSETO_RESPONSE, data, null);
throw new SAML2Exception(bundle.getString("invalidInResponseToInResponse"));
}
} else {
AuthnRequestInfoCopy reqInfoCopy = (AuthnRequestInfoCopy) SAML2Store.getTokenFromStore(inRespToResp);
if (reqInfoCopy != null) {
// Get back the AuthnRequestInfo
reqInfo = reqInfoCopy.getAuthnRequestInfo(httpRequest, httpResponse);
if (debug.messageEnabled()) {
debug.message(method + "AuthnRequestInfoCopy" + " retrieved from SAML2 repository for inResponseTo: " + inRespToResp);
}
} else {
debug.error(method + "InResponseTo attribute in Response" + " is invalid: " + inRespToResp + ", SAML2 failover is enabled");
String[] data = { respID };
LogUtil.error(Level.INFO, LogUtil.INVALID_INRESPONSETO_RESPONSE, data, null);
throw new SAML2Exception(bundle.getString("invalidInResponseToInResponse"));
}
}
}
}
// reqInfo can remain null and will do for IDP initiated SSO requests
// invoke SP Adapter
SAML2ServiceProviderAdapter spAdapter = SAML2Utils.getSPAdapterClass(hostEntityId, orgName);
if (spAdapter != null) {
AuthnRequest authnRequest = null;
if (reqInfo != null) {
authnRequest = reqInfo.getAuthnRequest();
}
spAdapter.preSingleSignOnProcess(hostEntityId, orgName, httpRequest, httpResponse, authnRequest, response, profileBinding);
}
String idpEntityId = null;
Issuer respIssuer = response.getIssuer();
if (respIssuer != null) {
// optional
if (!isSourceSiteValid(respIssuer, orgName, hostEntityId)) {
if (debug.messageEnabled()) {
debug.message(method + "Issuer in Response is not valid.");
}
String[] data = { hostEntityId, orgName, respID };
LogUtil.error(Level.INFO, LogUtil.INVALID_ISSUER_RESPONSE, data, null);
throw new SAML2Exception(bundle.getString("invalidIssuerInResponse"));
} else {
idpEntityId = respIssuer.getValue();
}
}
Status status = response.getStatus();
if (status == null || !status.getStatusCode().getValue().equals(SAML2Constants.SUCCESS)) {
String statusCode = (status == null) ? "" : status.getStatusCode().getValue();
if (debug.messageEnabled()) {
debug.message(method + "Response's status code is not success: " + statusCode);
}
String[] data = { respID, "" };
if (LogUtil.isErrorLoggable(Level.FINE)) {
data[1] = statusCode;
}
LogUtil.error(Level.INFO, LogUtil.WRONG_STATUS_CODE, data, null);
if (SAML2Constants.RESPONDER.equals(statusCode)) {
//In case of passive authentication the NoPassive response will be sent using two StatusCode nodes:
//the outer StatusCode will be Responder and the inner StatusCode will contain the NoPassive URN
StatusCode secondLevelStatusCode = status.getStatusCode().getStatusCode();
if (secondLevelStatusCode != null && SAML2Constants.NOPASSIVE.equals(secondLevelStatusCode.getValue())) {
throw new SAML2Exception(SAML2Utils.BUNDLE_NAME, "noPassiveResponse", null);
}
} else if (SAML2Constants.REQUESTER.equals(statusCode)) {
// when is AllowCreate=false mode the auth module gets here with a
// statusCode of urn:oasis:names:tc:SAML:2.0:status:Requester
StatusCode secondLevelStatusCode = status.getStatusCode().getStatusCode();
if (secondLevelStatusCode != null && SAML2Constants.INVALID_NAME_ID_POLICY.equals(secondLevelStatusCode.getValue())) {
throw new SAML2Exception(SAML2Utils.BUNDLE_NAME, "nameIDMReqInvalidNameIDPolicy", null);
}
}
throw new SAML2Exception(bundle.getString("invalidStatusCodeInResponse"));
}
if (saml2MetaManager == null) {
throw new SAML2Exception(bundle.getString("nullMetaManager"));
}
SPSSOConfigElement spConfig = null;
SPSSODescriptorElement spDesc = null;
spConfig = saml2MetaManager.getSPSSOConfig(orgName, hostEntityId);
spDesc = saml2MetaManager.getSPSSODescriptor(orgName, hostEntityId);
if (debug.messageEnabled()) {
debug.message(method + "binding is :" + profileBinding);
}
// SAML spec processing
// 4.1.4.3 Verify any signatures present on the assertion(s) or the response
boolean responseIsSigned = false;
if (response.isSigned()) {
IDPSSODescriptorElement idpSSODescriptor = null;
try {
idpSSODescriptor = saml2MetaManager.getIDPSSODescriptor(orgName, idpEntityId);
} catch (SAML2MetaException sme) {
String[] data = { orgName, idpEntityId };
LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, null);
throw new SAML2Exception(sme);
}
if (idpSSODescriptor != null) {
Set<X509Certificate> verificationCerts = KeyUtil.getVerificationCerts(idpSSODescriptor, idpEntityId, SAML2Constants.IDP_ROLE);
if (CollectionUtils.isEmpty(verificationCerts) || !response.isSignatureValid(verificationCerts)) {
debug.error(method + "Response is not signed or signature is not valid.");
String[] data = { orgName, hostEntityId, idpEntityId };
LogUtil.error(Level.INFO, LogUtil.POST_RESPONSE_INVALID_SIGNATURE, data, null);
throw new SAML2Exception(bundle.getString("invalidSignInResponse"));
}
} else {
String[] data = { idpEntityId };
LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
}
responseIsSigned = true;
}
if (debug.messageEnabled()) {
debug.message(method + "responseIsSigned is :" + responseIsSigned);
}
// assertion encryption check
boolean needAssertionEncrypted = false;
String assertionEncryptedAttr = getAttributeValueFromSPSSOConfig(spConfig, SAML2Constants.WANT_ASSERTION_ENCRYPTED);
needAssertionEncrypted = Boolean.parseBoolean(assertionEncryptedAttr);
if (debug.messageEnabled()) {
debug.message(method + "NeedAssertionEncrypted is :" + needAssertionEncrypted);
}
List<Assertion> assertions = response.getAssertion();
if (needAssertionEncrypted && !CollectionUtils.isEmpty(assertions)) {
String[] data = { respID };
LogUtil.error(Level.INFO, LogUtil.ASSERTION_NOT_ENCRYPTED, data, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("assertionNotEncrypted"));
}
Set<PrivateKey> decryptionKeys;
List<EncryptedAssertion> encAssertions = response.getEncryptedAssertion();
if (encAssertions != null) {
decryptionKeys = KeyUtil.getDecryptionKeys(spConfig);
for (EncryptedAssertion encAssertion : encAssertions) {
Assertion assertion = encAssertion.decrypt(decryptionKeys);
if (assertions == null) {
assertions = new ArrayList<>();
}
assertions.add(assertion);
}
}
if (CollectionUtils.isEmpty(assertions)) {
if (debug.messageEnabled()) {
debug.message(method + "no assertion in the Response.");
}
String[] data = { respID };
LogUtil.error(Level.INFO, LogUtil.MISSING_ASSERTION, data, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("missingAssertion"));
}
boolean wantAssertionsSigned = spDesc.isWantAssertionsSigned();
if (debug.messageEnabled()) {
debug.message(method + "wantAssertionsSigned is :" + wantAssertionsSigned);
}
// validate the assertions
Map smap = null;
Map bearerMap = null;
IDPSSODescriptorElement idp = null;
Set<X509Certificate> verificationCerts = null;
boolean allAssertionsSigned = true;
for (Assertion assertion : assertions) {
String assertionID = assertion.getID();
Issuer issuer = assertion.getIssuer();
if (!isSourceSiteValid(issuer, orgName, hostEntityId)) {
debug.error("assertion's source site is not valid.");
String[] data = { assertionID };
LogUtil.error(Level.INFO, LogUtil.INVALID_ISSUER_ASSERTION, data, null);
throw new SAML2Exception(bundle.getString("invalidIssuerInAssertion"));
}
if (idpEntityId == null) {
idpEntityId = issuer.getValue();
} else {
if (!idpEntityId.equals(issuer.getValue())) {
if (debug.messageEnabled()) {
debug.message(method + "Issuer in Assertion doesn't " + "match the Issuer in Response or other " + "Assertions in the Response.");
}
String[] data = { assertionID };
LogUtil.error(Level.INFO, LogUtil.MISMATCH_ISSUER_ASSERTION, data, null);
throw new SAML2Exception(SAML2Utils.bundle.getString("mismatchIssuer"));
}
}
if (assertion.isSigned()) {
if (verificationCerts == null) {
idp = saml2MetaManager.getIDPSSODescriptor(orgName, idpEntityId);
verificationCerts = KeyUtil.getVerificationCerts(idp, idpEntityId, SAML2Constants.IDP_ROLE);
}
if (CollectionUtils.isEmpty(verificationCerts) || !assertion.isSignatureValid(verificationCerts)) {
debug.error(method + "Assertion is not signed or signature is not valid.");
String[] data = { assertionID };
LogUtil.error(Level.INFO, LogUtil.INVALID_SIGNATURE_ASSERTION, data, null);
throw new SAML2Exception(bundle.getString("invalidSignatureOnAssertion"));
}
} else {
allAssertionsSigned = false;
}
List authnStmts = assertion.getAuthnStatements();
if (authnStmts != null && !authnStmts.isEmpty()) {
Subject subject = assertion.getSubject();
if (subject == null) {
continue;
}
List subjectConfirms = subject.getSubjectConfirmation();
if (subjectConfirms == null || subjectConfirms.isEmpty()) {
continue;
}
bearerMap = isBearerSubjectConfirmation(subjectConfirms, inRespToResp, spDesc, spConfig, assertionID);
if (!((Boolean) bearerMap.get(SAML2Constants.IS_BEARER))) {
continue;
}
boolean foundAssertion = false;
if ((SPCache.assertionByIDCache != null) && (SPCache.assertionByIDCache.containsKey(assertionID))) {
foundAssertion = true;
}
if ((!foundAssertion) && SAML2FailoverUtils.isSAML2FailoverEnabled()) {
try {
if (SAML2FailoverUtils.retrieveSAML2Token(assertionID) != null) {
foundAssertion = true;
}
} catch (SAML2TokenRepositoryException e) {
if (debug.messageEnabled()) {
debug.message("Session not found in AMTokenSAML2Repository.", e);
}
}
}
if (foundAssertion) {
debug.error("Bearer Assertion is one time use only!");
throw new SAML2Exception(bundle.getString("usedBearAssertion"));
}
checkAudience(assertion.getConditions(), hostEntityId, assertionID);
if (smap == null) {
smap = fillMap(authnStmts, subject, assertion, assertions, reqInfo, inRespToResp, orgName, hostEntityId, idpEntityId, spConfig, (Date) bearerMap.get(SAML2Constants.NOTONORAFTER));
}
}
// end of having authnStmt
}
if (smap == null) {
debug.error("No Authentication Assertion in Response.");
throw new SAML2Exception(bundle.getString("missingAuthnAssertion"));
}
// the enclosing element
if (wantAssertionsSigned && !(responseIsSigned || allAssertionsSigned)) {
debug.error(method + "WantAssertionsSigned is true and response or all assertions are not signed");
String[] data = { orgName, hostEntityId, idpEntityId };
LogUtil.error(Level.INFO, LogUtil.INVALID_SIGNATURE_ASSERTION, data, null);
throw new SAML2Exception(bundle.getString("assertionNotSigned"));
}
// signing each individual <Assertion> element or by signing the <Response> element.
if (profileBinding.equals(SAML2Constants.HTTP_POST)) {
boolean wantPostResponseSigned = SAML2Utils.wantPOSTResponseSigned(orgName, hostEntityId, SAML2Constants.SP_ROLE);
if (debug.messageEnabled()) {
debug.message(method + "wantPostResponseSigned is :" + wantPostResponseSigned);
}
if (wantPostResponseSigned && !responseIsSigned) {
debug.error(method + "wantPostResponseSigned is true but response is not signed");
String[] data = { orgName, hostEntityId, idpEntityId };
LogUtil.error(Level.INFO, LogUtil.POST_RESPONSE_INVALID_SIGNATURE, data, null);
throw new SAML2Exception(bundle.getString("responseNotSigned"));
}
if (!responseIsSigned && !allAssertionsSigned) {
debug.error(method + "WantAssertionsSigned is true but some or all assertions are not signed");
String[] data = { orgName, hostEntityId, idpEntityId };
LogUtil.error(Level.INFO, LogUtil.INVALID_SIGNATURE_ASSERTION, data, null);
throw new SAML2Exception(bundle.getString("assertionNotSigned"));
}
}
return smap;
}
Also used :
PrivateKey(java.security.PrivateKey)
Issuer(com.sun.identity.saml2.assertion.Issuer)
AuthnRequestInfo(com.sun.identity.saml2.profile.AuthnRequestInfo)
SPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)
StatusCode(com.sun.identity.saml2.protocol.StatusCode)
ArrayList(java.util.ArrayList)
List(java.util.List)
AuthnRequestInfoCopy(com.sun.identity.saml2.profile.AuthnRequestInfoCopy)
SAML2ServiceProviderAdapter(com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter)
SAML2MetaException(com.sun.identity.saml2.meta.SAML2MetaException)
Status(com.sun.identity.saml2.protocol.Status)
SPSSOConfigElement(com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement)
EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion)
Assertion(com.sun.identity.saml2.assertion.Assertion)
X509Certificate(java.security.cert.X509Certificate)
Subject(com.sun.identity.saml2.assertion.Subject)
Date(java.util.Date)
AuthnRequest(com.sun.identity.saml2.protocol.AuthnRequest)
EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion)
SAML2TokenRepositoryException(org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)
Map(java.util.Map)
HashMap(java.util.HashMap)
IDPSSODescriptorElement(com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)
Aggregations
SAML2TokenRepositoryException (org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException)25
SAML2Exception (com.sun.identity.saml2.common.SAML2Exception)18
SAML2MetaException (com.sun.identity.saml2.meta.SAML2MetaException)14
List (java.util.List)12
SessionException (com.sun.identity.plugin.session.SessionException)9
ArrayList (java.util.ArrayList)9
HashMap (java.util.HashMap)8
Map (java.util.Map)8
SPSSOConfigElement (com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement)7
SPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement)7
Issuer (com.sun.identity.saml2.assertion.Issuer)6
IDPSSODescriptorElement (com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement)6
Status (com.sun.identity.saml2.protocol.Status)6
IOException (java.io.IOException)6
Iterator (java.util.Iterator)6
SessionProvider (com.sun.identity.plugin.session.SessionProvider)5
Assertion (com.sun.identity.saml2.assertion.Assertion)5
Date (java.util.Date)5
SingleLogoutServiceElement (com.sun.identity.saml2.jaxb.metadata.SingleLogoutServiceElement)4
SAML2MetaManager (com.sun.identity.saml2.meta.SAML2MetaManager)4
