Use of org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig in the project carbon-identity-framework by wso2.
From the class FileBasedConfigurationBuilder, method processIdPConfigElement.
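/**
 * Builds an {@link ExternalIdPConfig} from a single IdP element of the file-based
 * authentication configuration.
 * <p>
 * The element must carry a {@code name} attribute; without it the entry is skipped
 * (a warning is logged and {@code null} is returned). Every child {@code <Parameter>}
 * element that has a {@code name} attribute is copied into the config's parameter map,
 * keyed by that name, with the element's text as the value; parameters without a
 * {@code name} are skipped with a warning. A parameter name that repeats within the same
 * IdP element is kept with its last value, and a warning is logged so that a duplicated
 * (possibly security-relevant) setting does not go unnoticed.
 * <p>
 * Only the presence of the IdP name is checked here; uniqueness across elements is not
 * enforced by this method (presumably handled by the caller — TODO confirm).
 *
 * @param idpConfigElem the IdP XML element to read
 * @return the populated config, or {@code null} when the element has no {@code name}
 */
private ExternalIdPConfig processIdPConfigElement(OMElement idpConfigElem) {
    OMAttribute nameAttr = idpConfigElem.getAttribute(new QName("name"));
    // An IdP entry without a name can never be looked up, so it is not registered.
    if (nameAttr == null) {
        log.warn("Each IDP configuration should have a unique name attribute");
        return null;
    }
    String idpName = nameAttr.getAttributeValue();

    // Collect <Parameter name="...">value</Parameter> children into a name -> value map.
    Map<String, String> parameterMap = new HashMap<>();
    for (Iterator paramIterator = idpConfigElem.getChildrenWithLocalName("Parameter"); paramIterator.hasNext(); ) {
        OMElement paramElem = (OMElement) paramIterator.next();
        OMAttribute paramNameAttr = paramElem.getAttribute(new QName("name"));
        if (paramNameAttr == null) {
            log.warn("A Parameter should have a name attribute. Skipping the parameter.");
            continue;
        }
        String paramName = paramNameAttr.getAttributeValue();
        // HashMap.put silently replaces an earlier value (last one wins); make that visible.
        if (parameterMap.containsKey(paramName)) {
            log.warn("Duplicate Parameter '" + paramName + "' in IDP configuration '" + idpName
                    + "'. The last value will be used.");
        }
        parameterMap.put(paramName, paramElem.getText());
    }

    IdentityProvider fedIdp = new IdentityProvider();
    fedIdp.setIdentityProviderName(idpName);
    ExternalIdPConfig externalIdPConfig = new ExternalIdPConfig(fedIdp);
    externalIdPConfig.setParameterMap(parameterMap);
    return externalIdPConfig;
}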
Use of org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig in the project carbon-identity-framework by wso2.
From the class ConfigurationFacade, method getIdPConfigByName.
/**
 * Resolves the {@link ExternalIdPConfig} of an identity provider registered in a tenant.
 * <p>
 * Only <em>enabled</em> providers are considered: the lookup goes through
 * {@link IdentityProviderManager#getEnabledIdPByName(String, String)}, so a disabled
 * provider yields {@code null} exactly like an unknown name does. The requested name is
 * written to the debug log as given; if it originates from a request, keep in mind that it
 * reaches the log unsanitized.
 *
 * @param idpName      name of the identity provider to look up
 * @param tenantDomain tenant in which the provider is registered
 * @return the wrapped provider, or {@code null} when no enabled provider has that name
 * @throws IdentityProviderManagementException if the underlying lookup fails; the original
 *         exception is retained as the cause, but its message is replaced by a generic one
 */
public ExternalIdPConfig getIdPConfigByName(String idpName, String tenantDomain) throws IdentityProviderManagementException {
    if (log.isDebugEnabled()) {
        log.debug("Trying to find the IdP for name: " + idpName);
    }
    ExternalIdPConfig resolvedConfig = null;
    try {
        IdentityProvider registeredIdp = IdentityProviderManager.getInstance()
                .getEnabledIdPByName(idpName, tenantDomain);
        if (registeredIdp == null) {
            if (log.isDebugEnabled()) {
                log.debug("A registered IdP was not found the given name");
            }
        } else {
            if (log.isDebugEnabled()) {
                log.debug("A registered IdP was found");
            }
            resolvedConfig = new ExternalIdPConfig(registeredIdp);
        }
    } catch (IdentityProviderManagementException e) {
        // Callers that need the root cause have to unwrap it from this wrapper.
        throw new IdentityProviderManagementException("Exception while getting IdP by name", e);
    }
    return resolvedConfig;
}
Use of org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig in the project carbon-identity-framework by wso2.
From the class JITProvisioningPostAuthenticationHandler, method getLocalClaimValuesOfIDPInNonAttributeSelectionStep.
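/**
 * Maps the attributes asserted by a federated IdP to local claim URIs for a step that is
 * not the subject-attribute step.
 * <p>
 * Two mapping sources are possible:
 * <ul>
 *   <li>When the IdP uses the default local dialect and the authenticator declares a
 *       standard claim dialect, the mapping is fetched from {@link ClaimMetadataHandler}
 *       for the tenant.</li>
 *   <li>Otherwise the custom {@link ClaimMapping}s of the IdP held in the context are used,
 *       restricted to remote claims that are actually present in the asserted attributes.
 *       (The mappings are read from {@code context.getExternalIdP()}, which the caller sets
 *       to the same object as {@code externalIdPConfig}.)</li>
 * </ul>
 * Only remote claims present with a non-null value end up in the result. Values are copied
 * as asserted by the IdP; this method does not restrict which local claims may be set
 * (presumably the provisioning handler does — TODO confirm).
 *
 * @param context           Authentication Context.
 * @param stepConfig        Current step configuration.
 * @param externalIdPConfig Identity providers config. The caller only null-checks it after
 *                          this call, so {@code null} is tolerated and yields an empty map.
 * @return Mapped federated user values to local claims (local claim URI -> value); never
 *         {@code null}.
 * @throws PostAuthenticationFailedException Post Authentication failed exception, raised
 *                                           when the dialect mapping lookup fails.
 */
private Map<String, String> getLocalClaimValuesOfIDPInNonAttributeSelectionStep(AuthenticationContext context, StepConfig stepConfig, ExternalIdPConfig externalIdPConfig) throws PostAuthenticationFailedException {
    Map<String, String> localClaimValues = new HashMap<>();
    // Without an IdP config there is no mapping to apply; the caller falls back to the raw
    // attributes when this map is empty.
    if (externalIdPConfig == null) {
        return localClaimValues;
    }
    boolean useDefaultIdpDialect = externalIdPConfig.useDefaultLocalIdpDialect();
    ApplicationAuthenticator authenticator = stepConfig.getAuthenticatedAutenticator().getApplicationAuthenticator();
    String idPStandardDialect = authenticator.getClaimDialectURI();
    Map<ClaimMapping, String> extAttrs = stepConfig.getAuthenticatedUser().getUserAttributes();
    Map<String, String> originalExternalAttributeValueMap = FrameworkUtils.getClaimMappings(extAttrs, false);

    // local claim URI -> remote claim URI
    Map<String, String> claimMapping = new HashMap<>();
    if (useDefaultIdpDialect && StringUtils.isNotBlank(idPStandardDialect)) {
        try {
            claimMapping = ClaimMetadataHandler.getInstance().getMappingsMapFromOtherDialectToCarbon(idPStandardDialect, originalExternalAttributeValueMap.keySet(), context.getTenantDomain(), true);
        } catch (ClaimMetadataException e) {
            throw new PostAuthenticationFailedException(ErrorMessages.ERROR_WHILE_HANDLING_CLAIM_MAPPINGS.getCode(), ErrorMessages.ERROR_WHILE_HANDLING_CLAIM_MAPPINGS.getMessage(), e);
        }
    } else {
        ClaimMapping[] customClaimMapping = context.getExternalIdP().getClaimMappings();
        // An IdP with no custom mappings configured must not fail the step.
        if (customClaimMapping != null) {
            for (ClaimMapping externalClaim : customClaimMapping) {
                String remoteClaimUri = externalClaim.getRemoteClaim().getClaimUri();
                if (originalExternalAttributeValueMap.containsKey(remoteClaimUri)) {
                    claimMapping.put(externalClaim.getLocalClaim().getClaimUri(), remoteClaimUri);
                }
            }
        }
    }

    // The metadata handler may hand back null; treat that like "no mapping".
    if (claimMapping != null) {
        for (Map.Entry<String, String> entry : claimMapping.entrySet()) {
            String remoteValue = originalExternalAttributeValueMap.get(entry.getValue());
            if (remoteValue != null) {
                localClaimValues.put(entry.getKey(), remoteValue);
            }
        }
    }
    return localClaimValues;
}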
Use of org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig in the project carbon-identity-framework by wso2.
From the class JITProvisioningPostAuthenticationHandler, method handleResponseFlow.
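/**
 * Handles the response leg of JIT provisioning, i.e. the request that comes back after the
 * user has been sent to the account-creation / password-provisioning page.
 * <p>
 * For every step authenticated by a {@link FederatedApplicationAuthenticator} whose IdP has
 * provisioning enabled, the locally mapped claims stashed in the context are merged with the
 * claims submitted in the request, the password is attached when password provisioning is
 * on, the local username is determined (or, when changing the username is allowed, read from
 * the request and checked for collisions) and the default provisioning handler is invoked.
 * Consents are handled afterwards.
 * <p>
 * Steps that have no authenticated authenticator are skipped, mirroring
 * {@code handleRequestFlow}; previously such a step would have thrown a
 * {@link NullPointerException} here.
 *
 * @param request HttpServlet request carrying the provisioning form values.
 * @param context Authentication context
 * @return Status of PostAuthnHandler flow; always {@code SUCCESS_COMPLETED} unless an
 *         exception is raised.
 * @throws PostAuthenticationFailedException Post Authentication Failed Exception
 */
@SuppressWarnings("unchecked")
private PostAuthnHandlerFlowStatus handleResponseFlow(HttpServletRequest request, AuthenticationContext context) throws PostAuthenticationFailedException {
    SequenceConfig sequenceConfig = context.getSequenceConfig();
    for (Map.Entry<Integer, StepConfig> entry : sequenceConfig.getStepMap().entrySet()) {
        StepConfig stepConfig = entry.getValue();
        AuthenticatorConfig authenticatorConfig = stepConfig.getAuthenticatedAutenticator();
        if (authenticatorConfig == null) {
            // ex: Different authentication sequences evaluated by the script
            continue;
        }
        ApplicationAuthenticator authenticator = authenticatorConfig.getApplicationAuthenticator();
        if (!(authenticator instanceof FederatedApplicationAuthenticator)) {
            continue;
        }
        String externalIdPConfigName = stepConfig.getAuthenticatedIdP();
        ExternalIdPConfig externalIdPConfig = getExternalIdpConfig(externalIdPConfigName, context);
        context.setExternalIdP(externalIdPConfig);
        if (externalIdPConfig == null || !externalIdPConfig.isProvisioningEnabled()) {
            continue;
        }
        if (log.isDebugEnabled()) {
            log.debug("JIT provisioning response flow has hit for the IDP " + externalIdPConfigName + " " + "for the user, " + sequenceConfig.getAuthenticatedUser().getLoggableUserId());
        }
        // Claims already mapped to local URIs during the request leg, kept in the context.
        Object unfilteredLocalClaimValues = context.getProperty(FrameworkConstants.UNFILTERED_LOCAL_CLAIM_VALUES);
        final Map<String, String> localClaimValues = unfilteredLocalClaimValues == null ? new HashMap<>() : (Map<String, String>) unfilteredLocalClaimValues;
        Map<String, String> combinedLocalClaims = getCombinedClaims(request, localClaimValues, context);
        if (externalIdPConfig.isPasswordProvisioningEnabled()) {
            // From here on the plaintext password travels inside the claim map: never log combinedLocalClaims.
            combinedLocalClaims.put(FrameworkConstants.PASSWORD, request.getParameter(FrameworkConstants.PASSWORD));
        }
        String username = getUsernameFederatedUser(stepConfig, sequenceConfig, externalIdPConfigName, context, localClaimValues, externalIdPConfig);
        if (context.getProperty(FrameworkConstants.CHANGING_USERNAME_ALLOWED) != null) {
            // The username is chosen by the end user, i.e. untrusted input. Only a collision
            // check happens here; a missing parameter leaves it null (presumably rejected by
            // the provisioning handler — TODO confirm).
            username = request.getParameter(FrameworkConstants.USERNAME);
            try {
                /*
                Checks whether the provided user is already existing in the system. If so an exception
                will be thrown. This is a check-then-act: a concurrent creation of the same name is not
                excluded here, so the provisioning handler remains the authority on uniqueness.
                */
                UserRealm realm = getUserRealm(context.getTenantDomain());
                UserStoreManager userStoreManager = getUserStoreManager(context.getExternalIdP().getProvisioningUserStoreId(), realm, username);
                String sanitizedUserName = UserCoreUtil.removeDomainFromName(MultitenantUtils.getTenantAwareUsername(username));
                if (userStoreManager.isExistingUser(sanitizedUserName)) {
                    // Logging the error because the thrown exception is handled in the UI.
                    log.error(ErrorMessages.USER_ALREADY_EXISTS_ERROR.getCode() + " - " + ErrorMessages.USER_ALREADY_EXISTS_ERROR.getMessage());
                    handleExceptions(ErrorMessages.USER_ALREADY_EXISTS_ERROR.getMessage(), "provided.username.already.exists", null);
                }
            } catch (UserStoreException e) {
                handleExceptions(ErrorMessages.ERROR_WHILE_CHECKING_USERNAME_EXISTENCE.getMessage(), "error.user.existence", e);
            }
        }
        callDefaultProvisioningHandler(username, context, externalIdPConfig, combinedLocalClaims, stepConfig);
        handleConsents(request, stepConfig, context.getTenantDomain());
    }
    return SUCCESS_COMPLETED;
}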
Use of org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig in the project carbon-identity-framework by wso2.
From the class JITProvisioningPostAuthenticationHandler, method handleRequestFlow.
/**
 * Handles the request leg of the JIT provisioning post-authentication handler.
 * <p>
 * For every step authenticated by a {@link FederatedApplicationAuthenticator} the asserted
 * attributes are mapped to local claims, and, if the IdP has provisioning enabled, the local
 * account associated with the federated subject is looked up. A federated user without an
 * association is either redirected to the account-creation UI (when the IdP prompts for
 * consent; the flow then returns {@code INCOMPLETE}) or provisioned directly. An already
 * associated local account is refused when it is locked or disabled; otherwise the default
 * provisioning handler is invoked with the mapped claims.
 * <p>
 * Note that the claim-mapping helper is invoked before the IdP config is null-checked
 * (see the provisioning check further down); whether {@code getExternalIdpConfig} can
 * actually return {@code null} is not visible here — TODO confirm.
 *
 * @param request HttpServlet request.
 * @param response HttpServlet response.
 * @param context Authentication context
 * @return Status of this post authentication handler flow.
 * @throws PostAuthenticationFailedException Exception that will be thrown in case of failure.
 */
@SuppressWarnings("unchecked")
private PostAuthnHandlerFlowStatus handleRequestFlow(HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws PostAuthenticationFailedException {
    String retryURL = ConfigurationFacade.getInstance().getAuthenticationEndpointRetryURL();
    SequenceConfig sequenceConfig = context.getSequenceConfig();
    for (Map.Entry<Integer, StepConfig> entry : sequenceConfig.getStepMap().entrySet()) {
        StepConfig stepConfig = entry.getValue();
        AuthenticatorConfig authenticatorConfig = stepConfig.getAuthenticatedAutenticator();
        if (authenticatorConfig == null) {
            // ex: Different authentication sequences evaluated by the script
            continue;
        }
        ApplicationAuthenticator authenticator = authenticatorConfig.getApplicationAuthenticator();
        if (authenticator instanceof FederatedApplicationAuthenticator) {
            String externalIdPConfigName = stepConfig.getAuthenticatedIdP();
            ExternalIdPConfig externalIdPConfig = getExternalIdpConfig(externalIdPConfigName, context);
            context.setExternalIdP(externalIdPConfig);
            Map<String, String> localClaimValues;
            if (stepConfig.isSubjectAttributeStep()) {
                // The subject-attribute step's mapping was already computed and stored in the context.
                localClaimValues = (Map<String, String>) context.getProperty(FrameworkConstants.UNFILTERED_LOCAL_CLAIM_VALUES);
            } else {
                localClaimValues = getLocalClaimValuesOfIDPInNonAttributeSelectionStep(context, stepConfig, externalIdPConfig);
            }
            if (localClaimValues == null || localClaimValues.size() == 0) {
                // No mapping produced: the raw asserted attributes are used as-is, keyed by the
                // remote claim URIs the IdP sent.
                Map<ClaimMapping, String> userAttributes = stepConfig.getAuthenticatedUser().getUserAttributes();
                localClaimValues = FrameworkUtils.getClaimMappings(userAttributes, false);
            }
            if (externalIdPConfig != null && externalIdPConfig.isProvisioningEnabled()) {
                if (localClaimValues == null) {
                    localClaimValues = new HashMap<>();
                }
                // Local account already linked to this (IdP, federated subject) pair, if any.
                String associatedLocalUser = getLocalUserAssociatedForFederatedIdentifier(stepConfig.getAuthenticatedIdP(), stepConfig.getAuthenticatedUser().getAuthenticatedSubjectIdentifier(), context.getTenantDomain());
                String username = associatedLocalUser;
                // If associatedLocalUser is null, that means relevant association not exist already.
                if (StringUtils.isEmpty(associatedLocalUser)) {
                    if (log.isDebugEnabled()) {
                        log.debug(sequenceConfig.getAuthenticatedUser().getLoggableUserId() + " coming from " + externalIdPConfig.getIdPName() + " do not have a local account, hence redirecting" + " to the UI to sign up.");
                    }
                    if (externalIdPConfig.isPromptConsentEnabled()) {
                        username = getUsernameFederatedUser(stepConfig, sequenceConfig, externalIdPConfigName, context, localClaimValues, externalIdPConfig);
                        redirectToAccountCreateUI(externalIdPConfig, context, localClaimValues, response, username, request);
                        // Set the property to make sure the request is a returning one.
                        context.setProperty(FrameworkConstants.PASSWORD_PROVISION_REDIRECTION_TRIGGERED, true);
                        return PostAuthnHandlerFlowStatus.INCOMPLETE;
                    }
                }
                if (StringUtils.isEmpty(username)) {
                    username = getUsernameFederatedUser(stepConfig, sequenceConfig, externalIdPConfigName, context, localClaimValues, externalIdPConfig);
                }
                // Lock/disable enforcement applies only to an already associated local account;
                // at this point username equals associatedLocalUser, so both checks target the
                // same account even though they pass different variables.
                if (StringUtils.isNotBlank(associatedLocalUser)) {
                    // Check if the associated local account is locked.
                    if (isAccountLocked(username, context.getTenantDomain())) {
                        if (log.isDebugEnabled()) {
                            log.debug(String.format("The account is locked for the user: %s in the " + "tenant domain: %s ", username, context.getTenantDomain()));
                        }
                        // Retry parameters are built from constants only; no request data is echoed.
                        String retryParam = "&authFailure=true&authFailureMsg=error.user.account.locked&errorCode=" + UserCoreConstants.ErrorCode.USER_IS_LOCKED;
                        handleAccountLockLoginFailure(retryURL, context, response, retryParam);
                        return PostAuthnHandlerFlowStatus.INCOMPLETE;
                    }
                    // Check if the associated local account is disabled.
                    if (isAccountDisabled(associatedLocalUser, context.getTenantDomain())) {
                        if (log.isDebugEnabled()) {
                            log.debug(String.format("The account is disabled for the user: %s in the " + "tenant domain: %s ", username, context.getTenantDomain()));
                        }
                        String retryParam = "&authFailure=true&authFailureMsg=error.user.account.disabled&errorCode=" + IdentityCoreConstants.USER_ACCOUNT_DISABLED_ERROR_CODE;
                        handleAccountLockLoginFailure(retryURL, context, response, retryParam);
                        return PostAuthnHandlerFlowStatus.INCOMPLETE;
                    }
                }
                if (log.isDebugEnabled()) {
                    log.debug("User : " + sequenceConfig.getAuthenticatedUser().getLoggableUserId() + " coming from " + externalIdPConfig.getIdPName() + " do have a local account, with the username " + username);
                }
                callDefaultProvisioningHandler(username, context, externalIdPConfig, localClaimValues, stepConfig);
            }
        }
    }
    return SUCCESS_COMPLETED;
}