Example 16 with ExternalIdPConfig
use of org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig in project carbon-identity-framework by wso2.
the class JsClaims method getRemoteClaimMappedToLocalClaim.
/**
* Gets the remote claim that is mapped to the given local claim
*
* @param localClaim local claim URI
* @param remoteClaimsMap Remote claim URI - value map
* @return Mapped remote claim URI if present. null otherwise
*/
private String getRemoteClaimMappedToLocalClaim(String localClaim, Map<String, String> remoteClaimsMap) {
String authenticatorDialect = null;
Map<String, String> localToIdpClaimMapping = null;
String tenantDomain = getContext().getTenantDomain();
try {
// Check if the IDP use an standard dialect (like oidc), If it does, dialect claim mapping are
// prioritized over IdP claim mapping
ApplicationAuthenticator authenticator = getContext().getSequenceConfig().getStepMap().get(step).getAuthenticatedAutenticator().getApplicationAuthenticator();
authenticatorDialect = authenticator.getClaimDialectURI();
ExternalIdPConfig idPConfig = ConfigurationFacade.getInstance().getIdPConfigByName(idp, tenantDomain);
boolean useDefaultIdpDialect = idPConfig.useDefaultLocalIdpDialect();
if (authenticatorDialect != null || useDefaultIdpDialect) {
if (authenticatorDialect == null) {
authenticatorDialect = ApplicationConstants.LOCAL_IDP_DEFAULT_CLAIM_DIALECT;
}
localToIdpClaimMapping = ClaimMetadataHandler.getInstance().getMappingsMapFromOtherDialectToCarbon(authenticatorDialect, remoteClaimsMap.keySet(), tenantDomain, true);
} else {
localToIdpClaimMapping = IdentityProviderManager.getInstance().getMappedIdPClaimsMap(idp, tenantDomain, Collections.singletonList(localClaim));
}
if (localToIdpClaimMapping != null) {
return localToIdpClaimMapping.get(localClaim);
}
} catch (IdentityProviderManagementException e) {
LOG.error(String.format("Error when getting claim : %s of user: %s", localClaim, authenticatedUser), e);
} catch (ClaimMetadataException e) {
LOG.error("Error when getting claim mappings from " + authenticatorDialect + " for tenant domain: " + tenantDomain);
}
return null;
}
Also used :
ClaimMetadataException(org.wso2.carbon.identity.claim.metadata.mgt.exception.ClaimMetadataException)
ApplicationAuthenticator(org.wso2.carbon.identity.application.authentication.framework.ApplicationAuthenticator)
ExternalIdPConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig)
IdentityProviderManagementException(org.wso2.carbon.idp.mgt.IdentityProviderManagementException)
Example 17 with ExternalIdPConfig
use of org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig in project carbon-identity-framework by wso2.
the class DefaultStepBasedSequenceHandler method handlePostAuthentication.
@SuppressWarnings("unchecked")
protected void handlePostAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws FrameworkException {
if (log.isDebugEnabled()) {
log.debug("Handling Post Authentication tasks");
}
SequenceConfig sequenceConfig = context.getSequenceConfig();
StringBuilder jsonBuilder = new StringBuilder();
boolean subjectFoundInStep = false;
boolean subjectAttributesFoundInStep = false;
int stepCount = 1;
Map<String, String> mappedAttrs = new HashMap<>();
Map<ClaimMapping, String> authenticatedUserAttributes = new HashMap<>();
boolean isAuthenticatorExecuted = false;
for (Map.Entry<Integer, StepConfig> entry : sequenceConfig.getStepMap().entrySet()) {
StepConfig stepConfig = entry.getValue();
AuthenticatorConfig authenticatorConfig = stepConfig.getAuthenticatedAutenticator();
if (authenticatorConfig == null) {
// ex: Different authentication sequences evaluated by the script
continue;
}
ApplicationAuthenticator authenticator = authenticatorConfig.getApplicationAuthenticator();
if (!(authenticator instanceof AuthenticationFlowHandler)) {
isAuthenticatorExecuted = true;
}
// build the authenticated idps JWT to send to the calling servlet.
if (stepCount == 1) {
jsonBuilder.append("\"idps\":");
jsonBuilder.append("[");
}
// build the JSON object for this step
jsonBuilder.append("{");
jsonBuilder.append("\"idp\":\"").append(stepConfig.getAuthenticatedIdP()).append("\",");
jsonBuilder.append("\"authenticator\":\"").append(authenticator.getName()).append("\"");
if (stepCount != sequenceConfig.getStepMap().size()) {
jsonBuilder.append("},");
} else {
// wrap up the JSON object
jsonBuilder.append("}");
jsonBuilder.append("]");
sequenceConfig.setAuthenticatedIdPs(IdentityApplicationManagementUtil.getSignedJWT(jsonBuilder.toString(), sequenceConfig.getApplicationConfig().getServiceProvider()));
stepConfig.setSubjectIdentifierStep(!subjectFoundInStep);
stepConfig.setSubjectAttributeStep(!subjectAttributesFoundInStep);
}
stepCount++;
if (authenticator instanceof FederatedApplicationAuthenticator) {
ExternalIdPConfig externalIdPConfig = null;
try {
externalIdPConfig = ConfigurationFacade.getInstance().getIdPConfigByName(stepConfig.getAuthenticatedIdP(), context.getTenantDomain());
} catch (IdentityProviderManagementException e) {
log.error("Exception while getting IdP by name", e);
}
context.setExternalIdP(externalIdPConfig);
String originalExternalIdpSubjectValueForThisStep = stepConfig.getAuthenticatedUser().getAuthenticatedSubjectIdentifier();
if (externalIdPConfig == null) {
String errorMsg = "An External IdP cannot be null for a FederatedApplicationAuthenticator";
log.error(errorMsg);
throw new FrameworkException(errorMsg);
}
Map<ClaimMapping, String> extAttrs;
Map<String, String> extAttibutesValueMap;
Map<String, String> localClaimValues = null;
Map<String, String> idpClaimValues = null;
extAttrs = stepConfig.getAuthenticatedUser().getUserAttributes();
extAttibutesValueMap = FrameworkUtils.getClaimMappings(extAttrs, false);
if (stepConfig.isSubjectAttributeStep()) {
subjectAttributesFoundInStep = true;
String idpRoleClaimUri = getIdpRoleClaimUri(stepConfig, context);
// Get the mapped user roles according to the mapping in the IDP configuration.
// Include the unmapped roles as it is.
List<String> identityProviderMappedUserRolesUnmappedInclusive = getIdentityProvideMappedUserRoles(externalIdPConfig, extAttibutesValueMap, idpRoleClaimUri, returnOnlyMappedLocalRoles);
String serviceProviderMappedUserRoles = getServiceProviderMappedUserRoles(sequenceConfig, identityProviderMappedUserRolesUnmappedInclusive);
if (StringUtils.isNotBlank(idpRoleClaimUri) && StringUtils.isNotBlank(serviceProviderMappedUserRoles)) {
extAttibutesValueMap.put(idpRoleClaimUri, serviceProviderMappedUserRoles);
}
if (mappedAttrs == null || mappedAttrs.isEmpty()) {
// do claim handling
mappedAttrs = handleClaimMappings(stepConfig, context, extAttibutesValueMap, true);
// external claim values mapped to local claim uris.
localClaimValues = (Map<String, String>) context.getProperty(FrameworkConstants.UNFILTERED_LOCAL_CLAIM_VALUES);
idpClaimValues = (Map<String, String>) context.getProperty(FrameworkConstants.UNFILTERED_IDP_CLAIM_VALUES);
}
}
if (stepConfig.isSubjectIdentifierStep()) {
if (!stepConfig.isSubjectAttributeStep()) {
/*
Do claim mapping inorder to get subject claim uri requested. This is done only if the
step is not a subject attribute step. Because it is already done in the previous flow if
the step is a subject attribute step.
*/
handleClaimMappings(stepConfig, context, extAttibutesValueMap, true);
}
subjectFoundInStep = true;
sequenceConfig.setAuthenticatedUser(new AuthenticatedUser(stepConfig.getAuthenticatedUser()));
}
if (stepConfig.isSubjectAttributeStep()) {
if (!sequenceConfig.getApplicationConfig().isMappedSubjectIDSelected()) {
// if we found the mapped subject - then we do not need to worry about
// finding attributes.
// if no requested claims are selected and sp claim dialect is not a standard dialect,
// send all local mapped claim values or idp claim values
ApplicationConfig appConfig = context.getSequenceConfig().getApplicationConfig();
if (MapUtils.isEmpty(appConfig.getRequestedClaimMappings()) && !isSPStandardClaimDialect(context.getRequestType())) {
if (MapUtils.isNotEmpty(localClaimValues)) {
mappedAttrs = localClaimValues;
} else if (MapUtils.isNotEmpty(idpClaimValues)) {
mappedAttrs = idpClaimValues;
}
}
authenticatedUserAttributes = FrameworkUtils.buildClaimMappings(mappedAttrs);
}
}
} else {
if (stepConfig.isSubjectIdentifierStep()) {
if (!stepConfig.isSubjectAttributeStep()) {
/*
Do claim mapping inorder to get subject claim uri requested. This is done only if the
step is not a subject attribute step. Because it is already done in the previous flow if
the step is a subject attribute step.
*/
handleClaimMappings(stepConfig, context, null, false);
}
subjectFoundInStep = true;
sequenceConfig.setAuthenticatedUser(new AuthenticatedUser(stepConfig.getAuthenticatedUser()));
if (log.isDebugEnabled()) {
log.debug("Authenticated User: " + sequenceConfig.getAuthenticatedUser().getLoggableUserId());
log.debug("Authenticated User Tenant Domain: " + sequenceConfig.getAuthenticatedUser().getTenantDomain());
}
}
if (stepConfig.isSubjectAttributeStep()) {
subjectAttributesFoundInStep = true;
// local authentications
mappedAttrs = handleClaimMappings(stepConfig, context, null, false);
handleRoleMapping(context, sequenceConfig, mappedAttrs);
authenticatedUserAttributes = FrameworkUtils.buildClaimMappings(mappedAttrs);
}
}
}
if (!isAuthenticatorExecuted) {
String errorMsg = String.format("No authenticator have been executed in the authentication flow of " + "application: %s in tenant-domain: %s", sequenceConfig.getApplicationConfig().getApplicationName(), context.getTenantDomain());
log.error(errorMsg);
throw new MisconfigurationException(errorMsg);
}
if (isSPStandardClaimDialect(context.getRequestType()) && authenticatedUserAttributes.isEmpty() && sequenceConfig.getAuthenticatedUser() != null) {
sequenceConfig.getAuthenticatedUser().setUserAttributes(authenticatedUserAttributes);
}
if (!authenticatedUserAttributes.isEmpty() && sequenceConfig.getAuthenticatedUser() != null) {
sequenceConfig.getAuthenticatedUser().setUserAttributes(authenticatedUserAttributes);
}
}
Also used :
AuthenticatorConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.AuthenticatorConfig)
FrameworkException(org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException)
HashMap(java.util.HashMap)
MisconfigurationException(org.wso2.carbon.identity.application.authentication.framework.exception.MisconfigurationException)
StepConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig)
FederatedApplicationAuthenticator(org.wso2.carbon.identity.application.authentication.framework.FederatedApplicationAuthenticator)
AuthenticatedUser(org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser)
ClaimMapping(org.wso2.carbon.identity.application.common.model.ClaimMapping)
FederatedApplicationAuthenticator(org.wso2.carbon.identity.application.authentication.framework.FederatedApplicationAuthenticator)
ApplicationAuthenticator(org.wso2.carbon.identity.application.authentication.framework.ApplicationAuthenticator)
ApplicationConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.ApplicationConfig)
AuthenticationFlowHandler(org.wso2.carbon.identity.application.authentication.framework.AuthenticationFlowHandler)
SequenceConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.SequenceConfig)
ExternalIdPConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig)
HashMap(java.util.HashMap)
Map(java.util.Map)
IdentityProviderManagementException(org.wso2.carbon.idp.mgt.IdentityProviderManagementException)
Example 18 with ExternalIdPConfig
use of org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig in project carbon-identity-framework by wso2.
the class DefaultStepHandler method handleHomeRealmDiscovery.
protected void handleHomeRealmDiscovery(HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws FrameworkException {
if (LOG.isDebugEnabled()) {
LOG.debug("Request contains fidp parameter. Initiating Home Realm Discovery");
}
String domain = request.getParameter(FrameworkConstants.RequestParams.FEDERATED_IDP);
if (LOG.isDebugEnabled()) {
LOG.debug("Received domain: " + domain);
}
SequenceConfig sequenceConfig = context.getSequenceConfig();
StepConfig stepConfig = sequenceConfig.getStepMap().get(context.getCurrentStep());
List<AuthenticatorConfig> authConfigList = stepConfig.getAuthenticatorList();
String authenticatorNames = FrameworkUtils.getAuthenticatorIdPMappingString(authConfigList);
String redirectURL = ConfigurationFacade.getInstance().getAuthenticationEndpointURL();
if (domain.trim().length() == 0) {
// SP hasn't specified a domain. We assume it wants to get the domain from the user
try {
request.setAttribute(FrameworkConstants.RequestParams.FLOW_STATUS, AuthenticatorFlowStatus.INCOMPLETE);
response.sendRedirect(redirectURL + ("?" + context.getContextIdIncludedQueryParams()) + "&authenticators=" + URLEncoder.encode(authenticatorNames, "UTF-8") + "&hrd=true");
} catch (IOException e) {
throw new FrameworkException(e.getMessage(), e);
}
return;
}
// call home realm discovery handler to retrieve the realm
String homeRealm = FrameworkUtils.getHomeRealmDiscoverer().discover(domain);
if (LOG.isDebugEnabled()) {
LOG.debug("Home realm discovered: " + homeRealm);
}
// try to find an IdP with the retrieved realm
ExternalIdPConfig externalIdPConfig = null;
try {
externalIdPConfig = ConfigurationFacade.getInstance().getIdPConfigByRealm(homeRealm, context.getTenantDomain());
} catch (IdentityProviderManagementException e) {
LOG.error("Exception while getting IdP by realm", e);
}
// if an IdP exists
if (externalIdPConfig != null) {
String idpName = externalIdPConfig.getIdPName();
if (LOG.isDebugEnabled()) {
LOG.debug("Found IdP of the realm: " + idpName);
}
Map<String, AuthenticatedIdPData> authenticatedIdPs = context.getPreviousAuthenticatedIdPs();
Map<String, AuthenticatorConfig> authenticatedStepIdps = FrameworkUtils.getAuthenticatedStepIdPs(stepConfig, authenticatedIdPs);
if (authenticatedStepIdps.containsKey(idpName) && !(context.isForceAuthenticate() || stepConfig.isForced()) && !context.isReAuthenticate()) {
// skip the step if this is a normal request
AuthenticatedIdPData authenticatedIdPData = authenticatedIdPs.get(idpName);
populateStepConfigWithAuthenticationDetails(stepConfig, authenticatedIdPData, authenticatedStepIdps.get(idpName));
stepConfig.setCompleted(true);
// add authenticated idp data to the session wise map
context.getCurrentAuthenticatedIdPs().put(idpName, authenticatedIdPData);
return;
}
// try to find an authenticator of the current step, that is mapped to the IdP
for (AuthenticatorConfig authConfig : authConfigList) {
// if found
if (authConfig.getIdpNames().contains(idpName)) {
context.setExternalIdP(externalIdPConfig);
doAuthentication(request, response, context, authConfig);
return;
}
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("An IdP was not found for the sent domain. Sending to the domain page");
}
String errorMsg = "domain.unknown";
try {
request.setAttribute(FrameworkConstants.RequestParams.FLOW_STATUS, AuthenticatorFlowStatus.INCOMPLETE);
response.sendRedirect(redirectURL + ("?" + context.getContextIdIncludedQueryParams()) + "&authenticators=" + URLEncoder.encode(authenticatorNames, "UTF-8") + "&authFailure=true" + "&authFailureMsg=" + errorMsg + "&hrd=true");
} catch (IOException e) {
throw new FrameworkException(e.getMessage(), e);
}
}
Also used :
AuthenticatorConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.AuthenticatorConfig)
FrameworkException(org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException)
StepConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig)
SequenceConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.SequenceConfig)
IOException(java.io.IOException)
ExternalIdPConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig)
IdentityProviderManagementException(org.wso2.carbon.idp.mgt.IdentityProviderManagementException)
AuthenticatedIdPData(org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedIdPData)
Example 19 with ExternalIdPConfig
use of org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig in project carbon-identity-framework by wso2.
the class DefaultStepHandler method handleRequestFromLoginPage.
protected void handleRequestFromLoginPage(HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws FrameworkException {
if (LOG.isDebugEnabled()) {
LOG.debug("Relieved a request from the multi option page");
}
SequenceConfig sequenceConfig = context.getSequenceConfig();
int currentStep = context.getCurrentStep();
StepConfig stepConfig = sequenceConfig.getStepMap().get(currentStep);
// if request from the login page with a selected IdP
String selectedIdp = request.getParameter(FrameworkConstants.RequestParams.IDP);
if (selectedIdp != null) {
if (LOG.isDebugEnabled()) {
LOG.debug("User has selected IdP: " + selectedIdp);
}
try {
ExternalIdPConfig externalIdPConfig = ConfigurationFacade.getInstance().getIdPConfigByName(selectedIdp, context.getTenantDomain());
// TODO [IMPORTANT] validate the idp is inside the step.
context.setExternalIdP(externalIdPConfig);
} catch (IdentityProviderManagementException e) {
LOG.error("Exception while getting IdP by name", e);
}
}
for (AuthenticatorConfig authenticatorConfig : stepConfig.getAuthenticatorList()) {
ApplicationAuthenticator authenticator = authenticatorConfig.getApplicationAuthenticator();
if (authenticator != null && authenticator.getName().equalsIgnoreCase(request.getParameter(FrameworkConstants.RequestParams.AUTHENTICATOR))) {
if (StringUtils.isNotBlank(selectedIdp) && authenticatorConfig.getIdps().get(selectedIdp) == null) {
// this is an invalid case.
throw new FrameworkException("Authenticators configured for application and user selected idp " + "does not match. Possible tampering of parameters in login page.");
}
doAuthentication(request, response, context, authenticatorConfig);
return;
}
}
}
Also used :
AuthenticatorConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.AuthenticatorConfig)
FederatedApplicationAuthenticator(org.wso2.carbon.identity.application.authentication.framework.FederatedApplicationAuthenticator)
LocalApplicationAuthenticator(org.wso2.carbon.identity.application.authentication.framework.LocalApplicationAuthenticator)
ApplicationAuthenticator(org.wso2.carbon.identity.application.authentication.framework.ApplicationAuthenticator)
FrameworkException(org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException)
StepConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig)
SequenceConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.SequenceConfig)
ExternalIdPConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig)
IdentityProviderManagementException(org.wso2.carbon.idp.mgt.IdentityProviderManagementException)
Example 20 with ExternalIdPConfig
use of org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig in project carbon-identity-framework by wso2.
the class JITProvisioningPostAuthenticationHandlerTest method setupSuite.
@BeforeClass
protected void setupSuite() throws XMLStreamException, IdentityProviderManagementException {
configurationLoader = new UIBasedConfigurationLoader();
mockStatic(FrameworkUtils.class);
mockStatic(ConfigurationFacade.class);
ConfigurationFacade configurationFacade = mock(ConfigurationFacade.class);
PowerMockito.when(ConfigurationFacade.getInstance()).thenReturn(configurationFacade);
IdentityProvider identityProvider = getTestIdentityProvider("default-tp-1.xml");
ExternalIdPConfig externalIdPConfig = new ExternalIdPConfig(identityProvider);
Mockito.doReturn(externalIdPConfig).when(configurationFacade).getIdPConfigByName(Mockito.anyString(), Mockito.anyString());
when(FrameworkUtils.isStepBasedSequenceHandlerExecuted(Mockito.any(AuthenticationContext.class))).thenCallRealMethod();
request = mock(HttpServletRequest.class);
response = mock(HttpServletResponse.class);
postJITProvisioningHandler = JITProvisioningPostAuthenticationHandler.getInstance();
sp = getTestServiceProvider("default-sp-1.xml");
}
Also used :
HttpServletRequest(javax.servlet.http.HttpServletRequest)
UIBasedConfigurationLoader(org.wso2.carbon.identity.application.authentication.framework.config.loader.UIBasedConfigurationLoader)
AuthenticationContext(org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext)
ConfigurationFacade(org.wso2.carbon.identity.application.authentication.framework.config.ConfigurationFacade)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
IdentityProvider(org.wso2.carbon.identity.application.common.model.IdentityProvider)
ExternalIdPConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig)
BeforeClass(org.testng.annotations.BeforeClass)
Aggregations
ExternalIdPConfig (org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig)18
ApplicationAuthenticator (org.wso2.carbon.identity.application.authentication.framework.ApplicationAuthenticator)8
SequenceConfig (org.wso2.carbon.identity.application.authentication.framework.config.model.SequenceConfig)8
StepConfig (org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig)7
IdentityProviderManagementException (org.wso2.carbon.idp.mgt.IdentityProviderManagementException)7
HashMap (java.util.HashMap)6
FederatedApplicationAuthenticator (org.wso2.carbon.identity.application.authentication.framework.FederatedApplicationAuthenticator)6
AuthenticatorConfig (org.wso2.carbon.identity.application.authentication.framework.config.model.AuthenticatorConfig)6
ClaimMapping (org.wso2.carbon.identity.application.common.model.ClaimMapping)6
Map (java.util.Map)5
FrameworkException (org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException)5
IdentityProvider (org.wso2.carbon.identity.application.common.model.IdentityProvider)5
IOException (java.io.IOException)3
Matchers.anyString (org.mockito.Matchers.anyString)3
PrepareForTest (org.powermock.core.classloader.annotations.PrepareForTest)3
Test (org.testng.annotations.Test)3
ApplicationConfig (org.wso2.carbon.identity.application.authentication.framework.config.model.ApplicationConfig)3
AuthenticatedUser (org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser)3
HttpServletRequest (javax.servlet.http.HttpServletRequest)2
HttpServletResponse (javax.servlet.http.HttpServletResponse)2
