
Example 1 with ExternalIdPConfig

use of org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig in project carbon-identity-framework by wso2.

the class FileBasedConfigurationBuilder method processIdPConfigElement.

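/**
 * Builds an {@link ExternalIdPConfig} from one IdP element of the file-based configuration.
 * <p>
 * The element must carry a {@code name} attribute; its {@code Parameter} children are collected
 * into the config's parameter map, keyed by their own {@code name} attribute.
 *
 * @param idpConfigElem the IdP configuration element to read
 * @return the parsed config, or {@code null} when the element has no {@code name} attribute
 */
private ExternalIdPConfig processIdPConfigElement(OMElement idpConfigElem) {
    OMAttribute nameAttr = idpConfigElem.getAttribute(new QName("name"));
    // An IdP config without a name can never be looked up later, so it is not registered at all.
    if (nameAttr == null) {
        log.warn("Each IDP configuration should have a unique name attribute");
        return null;
    }
    // Read the <Parameter name="..."> children. A later duplicate name replaces an earlier value
    // (plain HashMap.put semantics); unnamed parameters are skipped with a warning.
    Map<String, String> parameterMap = new HashMap<>();
    Iterator<?> paramIterator = idpConfigElem.getChildrenWithLocalName("Parameter");
    while (paramIterator.hasNext()) {
        OMElement paramElem = (OMElement) paramIterator.next();
        OMAttribute paramNameAttr = paramElem.getAttribute(new QName("name"));
        if (paramNameAttr == null) {
            log.warn("A Parameter should have a name attribute. Skipping the parameter.");
            continue;
        }
        parameterMap.put(paramNameAttr.getAttributeValue(), paramElem.getText());
    }
    IdentityProvider fedIdp = new IdentityProvider();
    fedIdp.setIdentityProviderName(nameAttr.getAttributeValue());
    ExternalIdPConfig externalIdPConfig = new ExternalIdPConfig(fedIdp);
    externalIdPConfig.setParameterMap(parameterMap);
    return externalIdPConfig;
}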

Example 2 with ExternalIdPConfig

use of org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig in project carbon-identity-framework by wso2.

the class ConfigurationFacade method getIdPConfigByName.

/**
 * Resolves an enabled identity provider by name within a tenant and wraps it as an
 * {@link ExternalIdPConfig}.
 *
 * @param idpName      name of the identity provider to look up
 * @param tenantDomain tenant the lookup is scoped to
 * @return the config of the enabled IdP, or {@code null} when no enabled IdP has that name
 * @throws IdentityProviderManagementException when the IdP manager lookup fails; the original
 *                                             exception is kept as the cause
 */
public ExternalIdPConfig getIdPConfigByName(String idpName, String tenantDomain) throws IdentityProviderManagementException {
    boolean debug = log.isDebugEnabled();
    if (debug) {
        // NOTE(review): idpName is logged verbatim; if it can originate from a request parameter,
        // confirm it is validated upstream so log lines cannot be forged.
        log.debug("Trying to find the IdP for name: " + idpName);
    }
    ExternalIdPConfig result = null;
    try {
        IdentityProvider idpDO = IdentityProviderManager.getInstance().getEnabledIdPByName(idpName, tenantDomain);
        if (idpDO == null) {
            if (debug) {
                log.debug("A registered IdP was not found the given name");
            }
        } else {
            if (debug) {
                log.debug("A registered IdP was found");
            }
            result = new ExternalIdPConfig(idpDO);
        }
    } catch (IdentityProviderManagementException e) {
        // Re-wrap only to add context; the cause is preserved for the caller.
        throw new IdentityProviderManagementException("Exception while getting IdP by name", e);
    }
    return result;
}

Example 3 with ExternalIdPConfig

use of org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig in project carbon-identity-framework by wso2.

the class JITProvisioningPostAuthenticationHandler method getLocalClaimValuesOfIDPInNonAttributeSelectionStep.

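/**
 * Maps the attributes of the authenticated federated user to local claims for a step that is not
 * the subject-attribute step.
 * <p>
 * When the IdP uses the default local dialect, the mapping is resolved through the claim metadata
 * handler for the authenticator's dialect; otherwise the custom claim mappings of the IdP currently
 * set on the context are used. Only remote claims that actually carry a value end up in the result.
 *
 * @param context           Authentication Context.
 * @param stepConfig        Current step configuration.
 * @param externalIdPConfig Identity providers config; may be {@code null} when the IdP lookup failed,
 *                          in which case an empty map is returned.
 * @return Mapped federated user values to local claims (never {@code null}).
 * @throws PostAuthenticationFailedException if the claim metadata lookup fails.
 */
private Map<String, String> getLocalClaimValuesOfIDPInNonAttributeSelectionStep(AuthenticationContext context, StepConfig stepConfig, ExternalIdPConfig externalIdPConfig) throws PostAuthenticationFailedException {
    Map<String, String> localClaimValues = new HashMap<>();
    // A caller can pass a null config before it has checked the IdP lookup result. There is nothing
    // to map in that case; returning an empty map lets the caller fall back to the raw user attributes.
    if (externalIdPConfig == null) {
        return localClaimValues;
    }
    boolean useDefaultIdpDialect = externalIdPConfig.useDefaultLocalIdpDialect();
    ApplicationAuthenticator authenticator = stepConfig.getAuthenticatedAutenticator().getApplicationAuthenticator();
    String idPStandardDialect = authenticator.getClaimDialectURI();
    Map<ClaimMapping, String> extAttrs = stepConfig.getAuthenticatedUser().getUserAttributes();
    Map<String, String> originalExternalAttributeValueMap = FrameworkUtils.getClaimMappings(extAttrs, false);
    // local claim URI -> remote claim URI
    Map<String, String> claimMapping = new HashMap<>();
    if (useDefaultIdpDialect && StringUtils.isNotBlank(idPStandardDialect)) {
        try {
            claimMapping = ClaimMetadataHandler.getInstance().getMappingsMapFromOtherDialectToCarbon(idPStandardDialect, originalExternalAttributeValueMap.keySet(), context.getTenantDomain(), true);
        } catch (ClaimMetadataException e) {
            throw new PostAuthenticationFailedException(ErrorMessages.ERROR_WHILE_HANDLING_CLAIM_MAPPINGS.getCode(), ErrorMessages.ERROR_WHILE_HANDLING_CLAIM_MAPPINGS.getMessage(), e);
        }
    } else {
        // Custom mappings come from the IdP set on the context, not from the parameter; the callers on
        // this page set the context IdP to externalIdPConfig right before calling, so they agree there.
        ClaimMapping[] customClaimMapping = context.getExternalIdP().getClaimMappings();
        if (customClaimMapping != null) {
            for (ClaimMapping externalClaim : customClaimMapping) {
                if (originalExternalAttributeValueMap.containsKey(externalClaim.getRemoteClaim().getClaimUri())) {
                    claimMapping.put(externalClaim.getLocalClaim().getClaimUri(), externalClaim.getRemoteClaim().getClaimUri());
                }
            }
        }
    }
    // The metadata handler may hand back null (not grounded here, so the guard stays).
    if (claimMapping != null) {
        for (Map.Entry<String, String> entry : claimMapping.entrySet()) {
            String remoteClaimUri = entry.getValue();
            if (originalExternalAttributeValueMap.containsKey(remoteClaimUri) && originalExternalAttributeValueMap.get(remoteClaimUri) != null) {
                localClaimValues.put(entry.getKey(), originalExternalAttributeValueMap.get(remoteClaimUri));
            }
        }
    }
    return localClaimValues;
}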

Example 4 with ExternalIdPConfig

use of org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig in project carbon-identity-framework by wso2.

the class JITProvisioningPostAuthenticationHandler method handleResponseFlow.

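/**
 * This method is used to handle response flow, after going through password provisioning.
 * <p>
 * For every step authenticated through a federated authenticator whose IdP has JIT provisioning
 * enabled, the claims posted from the provisioning page are merged with the unfiltered local
 * claims kept on the context and passed to the default provisioning handler, followed by consent
 * handling.
 *
 * @param request        HttpServlet request.
 * @param context        Authentication context
 * @return Status of PostAuthnHandler flow.
 * @throws PostAuthenticationFailedException Post Authentication Failed Exception
 */
@SuppressWarnings("unchecked")
private PostAuthnHandlerFlowStatus handleResponseFlow(HttpServletRequest request, AuthenticationContext context) throws PostAuthenticationFailedException {
    SequenceConfig sequenceConfig = context.getSequenceConfig();
    for (Map.Entry<Integer, StepConfig> entry : sequenceConfig.getStepMap().entrySet()) {
        StepConfig stepConfig = entry.getValue();
        AuthenticatorConfig authenticatorConfig = stepConfig.getAuthenticatedAutenticator();
        if (authenticatorConfig == null) {
            // ex: Different authentication sequences evaluated by the script.
            // The request flow applies the same guard; without it this step would NPE below.
            continue;
        }
        ApplicationAuthenticator authenticator = authenticatorConfig.getApplicationAuthenticator();
        if (!(authenticator instanceof FederatedApplicationAuthenticator)) {
            continue;
        }
        String externalIdPConfigName = stepConfig.getAuthenticatedIdP();
        ExternalIdPConfig externalIdPConfig = getExternalIdpConfig(externalIdPConfigName, context);
        context.setExternalIdP(externalIdPConfig);
        if (externalIdPConfig == null || !externalIdPConfig.isProvisioningEnabled()) {
            continue;
        }
        if (log.isDebugEnabled()) {
            log.debug("JIT provisioning response flow has hit for the IDP " + externalIdPConfigName + " " + "for the user, " + sequenceConfig.getAuthenticatedUser().getLoggableUserId());
        }
        // Claims collected earlier in the flow; this cast is what @SuppressWarnings("unchecked") covers.
        Object unfilteredLocalClaimValues = context.getProperty(FrameworkConstants.UNFILTERED_LOCAL_CLAIM_VALUES);
        final Map<String, String> localClaimValues = unfilteredLocalClaimValues == null ? new HashMap<>() : (Map<String, String>) unfilteredLocalClaimValues;
        Map<String, String> combinedLocalClaims = getCombinedClaims(request, localClaimValues, context);
        if (externalIdPConfig.isPasswordProvisioningEnabled()) {
            // From here on the claim map carries the user's password; keep it out of any log output.
            combinedLocalClaims.put(FrameworkConstants.PASSWORD, request.getParameter(FrameworkConstants.PASSWORD));
        }
        String username = getUsernameFederatedUser(stepConfig, sequenceConfig, externalIdPConfigName, context, localClaimValues, externalIdPConfig);
        // Any non-null property value enables the override, not only Boolean.TRUE.
        if (context.getProperty(FrameworkConstants.CHANGING_USERNAME_ALLOWED) != null) {
            // The request-supplied username is only accepted after the existence check below.
            // NOTE(review): the parameter is not null-checked here; a missing parameter presumably
            // surfaces as a runtime exception in the tenant-aware conversion — confirm.
            username = request.getParameter(FrameworkConstants.USERNAME);
            try {
                /*
                    Checks whether the provided user is already existing in the system. If so an exception
                    will be thrown.
                    */
                UserRealm realm = getUserRealm(context.getTenantDomain());
                UserStoreManager userStoreManager = getUserStoreManager(context.getExternalIdP().getProvisioningUserStoreId(), realm, username);
                String sanitizedUserName = UserCoreUtil.removeDomainFromName(MultitenantUtils.getTenantAwareUsername(username));
                if (userStoreManager.isExistingUser(sanitizedUserName)) {
                    // Logging the error because the thrown exception is handled in the UI.
                    log.error(ErrorMessages.USER_ALREADY_EXISTS_ERROR.getCode() + " - " + ErrorMessages.USER_ALREADY_EXISTS_ERROR.getMessage());
                    // NOTE(review): presumably handleExceptions always throws; if it can return normally,
                    // provisioning would continue with a username that already exists — confirm.
                    handleExceptions(ErrorMessages.USER_ALREADY_EXISTS_ERROR.getMessage(), "provided.username.already.exists", null);
                }
            } catch (UserStoreException e) {
                handleExceptions(ErrorMessages.ERROR_WHILE_CHECKING_USERNAME_EXISTENCE.getMessage(), "error.user.existence", e);
            }
        }
        callDefaultProvisioningHandler(username, context, externalIdPConfig, combinedLocalClaims, stepConfig);
        handleConsents(request, stepConfig, context.getTenantDomain());
    }
    return SUCCESS_COMPLETED;
}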

Example 5 with ExternalIdPConfig

use of org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig in project carbon-identity-framework by wso2.

the class JITProvisioningPostAuthenticationHandler method handleRequestFlow.

/**
 * To handle the request flow of the post authentication handler.
 * <p>
 * For every step authenticated through a federated authenticator, the federated user's attributes
 * are mapped to local claims. If the IdP has JIT provisioning enabled, an already associated local
 * account is checked for lock/disable state before provisioning; a user without an association is
 * either redirected to the sign-up UI (when consent prompting is enabled) or provisioned directly.
 *
 * @param request        HttpServlet request.
 * @param response       HttpServlet response.
 * @param context        Authentication context
 * @return Status of this post authentication handler flow.
 * @throws PostAuthenticationFailedException Exception that will be thrown in case of failure.
 */
@SuppressWarnings("unchecked")
private PostAuthnHandlerFlowStatus handleRequestFlow(HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws PostAuthenticationFailedException {
    String retryURL = ConfigurationFacade.getInstance().getAuthenticationEndpointRetryURL();
    SequenceConfig sequenceConfig = context.getSequenceConfig();
    for (Map.Entry<Integer, StepConfig> entry : sequenceConfig.getStepMap().entrySet()) {
        StepConfig stepConfig = entry.getValue();
        AuthenticatorConfig authenticatorConfig = stepConfig.getAuthenticatedAutenticator();
        if (authenticatorConfig == null) {
            // ex: Different authentication sequences evaluated by the script
            continue;
        }
        ApplicationAuthenticator authenticator = authenticatorConfig.getApplicationAuthenticator();
        if (authenticator instanceof FederatedApplicationAuthenticator) {
            String externalIdPConfigName = stepConfig.getAuthenticatedIdP();
            ExternalIdPConfig externalIdPConfig = getExternalIdpConfig(externalIdPConfigName, context);
            context.setExternalIdP(externalIdPConfig);
            Map<String, String> localClaimValues;
            if (stepConfig.isSubjectAttributeStep()) {
                // Claims for the subject-attribute step were already collected on the context.
                localClaimValues = (Map<String, String>) context.getProperty(FrameworkConstants.UNFILTERED_LOCAL_CLAIM_VALUES);
            } else {
                // NOTE(review): externalIdPConfig is only null-checked further down; if it can be null
                // here, the helper needs to tolerate that — confirm against the helper's contract.
                localClaimValues = getLocalClaimValuesOfIDPInNonAttributeSelectionStep(context, stepConfig, externalIdPConfig);
            }
            if (localClaimValues == null || localClaimValues.size() == 0) {
                // Fall back to the raw federated attributes when no mapped local claims are available.
                Map<ClaimMapping, String> userAttributes = stepConfig.getAuthenticatedUser().getUserAttributes();
                localClaimValues = FrameworkUtils.getClaimMappings(userAttributes, false);
            }
            if (externalIdPConfig != null && externalIdPConfig.isProvisioningEnabled()) {
                if (localClaimValues == null) {
                    localClaimValues = new HashMap<>();
                }
                String associatedLocalUser = getLocalUserAssociatedForFederatedIdentifier(stepConfig.getAuthenticatedIdP(), stepConfig.getAuthenticatedUser().getAuthenticatedSubjectIdentifier(), context.getTenantDomain());
                String username = associatedLocalUser;
                // If associatedLocalUser is null, that means relevant association not exist already.
                if (StringUtils.isEmpty(associatedLocalUser)) {
                    if (log.isDebugEnabled()) {
                        log.debug(sequenceConfig.getAuthenticatedUser().getLoggableUserId() + " coming from " + externalIdPConfig.getIdPName() + " do not have a local account, hence redirecting" + " to the UI to sign up.");
                    }
                    if (externalIdPConfig.isPromptConsentEnabled()) {
                        username = getUsernameFederatedUser(stepConfig, sequenceConfig, externalIdPConfigName, context, localClaimValues, externalIdPConfig);
                        redirectToAccountCreateUI(externalIdPConfig, context, localClaimValues, response, username, request);
                        // Set the property to make sure the request is a returning one.
                        context.setProperty(FrameworkConstants.PASSWORD_PROVISION_REDIRECTION_TRIGGERED, true);
                        return PostAuthnHandlerFlowStatus.INCOMPLETE;
                    }
                }
                if (StringUtils.isEmpty(username)) {
                    username = getUsernameFederatedUser(stepConfig, sequenceConfig, externalIdPConfigName, context, localClaimValues, externalIdPConfig);
                }
                // Lock/disable checks only apply to an existing associated account; at this point
                // username still equals associatedLocalUser because it is only replaced when empty.
                if (StringUtils.isNotBlank(associatedLocalUser)) {
                    // Check if the associated local account is locked.
                    if (isAccountLocked(username, context.getTenantDomain())) {
                        if (log.isDebugEnabled()) {
                            log.debug(String.format("The account is locked for the user: %s in the " + "tenant domain: %s ", username, context.getTenantDomain()));
                        }
                        // Retry parameters are built from fixed strings and framework constants only.
                        String retryParam = "&authFailure=true&authFailureMsg=error.user.account.locked&errorCode=" + UserCoreConstants.ErrorCode.USER_IS_LOCKED;
                        handleAccountLockLoginFailure(retryURL, context, response, retryParam);
                        return PostAuthnHandlerFlowStatus.INCOMPLETE;
                    }
                    // Check if the associated local account is disabled.
                    if (isAccountDisabled(associatedLocalUser, context.getTenantDomain())) {
                        if (log.isDebugEnabled()) {
                            log.debug(String.format("The account is disabled for the user: %s in the " + "tenant domain: %s ", username, context.getTenantDomain()));
                        }
                        String retryParam = "&authFailure=true&authFailureMsg=error.user.account.disabled&errorCode=" + IdentityCoreConstants.USER_ACCOUNT_DISABLED_ERROR_CODE;
                        handleAccountLockLoginFailure(retryURL, context, response, retryParam);
                        return PostAuthnHandlerFlowStatus.INCOMPLETE;
                    }
                }
                if (log.isDebugEnabled()) {
                    log.debug("User : " + sequenceConfig.getAuthenticatedUser().getLoggableUserId() + " coming from " + externalIdPConfig.getIdPName() + " do have a local account, with the username " + username);
                }
                callDefaultProvisioningHandler(username, context, externalIdPConfig, localClaimValues, stepConfig);
            }
        }
    }
    return SUCCESS_COMPLETED;
}
