
Example 1 with SAML2

Use of org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.StandardInboundProtocols.SAML2 in project identity-test-integration by wso2-incubator.

From class SSOAgentSampleFilter, method doFilter:

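@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    // Map the optional request parameter onto the SAML2 binding URN; an absent, empty or unknown value
    // falls back to HTTP-POST (see resolveSaml2HttpBinding).
    String httpBinding = resolveSaml2HttpBinding(servletRequest.getParameter(SSOAgentConstants.SSOAgentConfig.SAML2.HTTP_BINDING));
    SSOAgentConfig config = (SSOAgentConfig) filterConfig.getServletContext().getAttribute(SSOAgentConstants.CONFIG_BEAN_NAME);
    if (config == null) {
        // Fail with a meaningful message instead of a NullPointerException on the first setter below.
        throw new ServletException("SSO agent configuration bean '" + SSOAgentConstants.CONFIG_BEAN_NAME + "' is not present in the servlet context");
    }
    // NOTE(review): the config bean is read from the ServletContext (application scope) yet is mutated
    // below with per-request values (binding, OpenID claimed id / mode, POST payload). Concurrent requests
    // can therefore observe each other's values — confirm whether SSOAgentConfig is meant to be shared or
    // should be copied per request before these setters are called.
    config.getSAML2().setHttpBinding(httpBinding);
    config.getOpenId().setClaimedId(servletRequest.getParameter(SSOAgentConstants.SSOAgentConfig.OpenID.CLAIMED_ID));
    config.getOpenId().setMode(servletRequest.getParameter(SSOAgentConstants.OpenID.OPENID_MODE));
    String username = servletRequest.getParameter(USERNAME);
    String password = servletRequest.getParameter(PASSWORD);
    if (StringUtils.isNotEmpty(username) && StringUtils.isNotEmpty(password)) {
        // Base64 encoded username:password value. Base64 is an encoding, not protection: the token is visible
        // to the browser and travels in the POST body, so its confidentiality rests on TLS to the IdP URL.
        String authorization = new String(Base64.encode((username + ":" + password).getBytes(CHARACTER_ENCODING)));
        config.getSAML2().setPostBindingRequestHTMLPayload(buildPostBindingPayload(authorization));
    } else {
        // Reset previously sent HTML payload so a request without credentials does not reuse an earlier one.
        config.getSAML2().setPostBindingRequestHTMLPayload(null);
    }
    servletRequest.setAttribute(SSOAgentConstants.CONFIG_BEAN_NAME, config);
    super.doFilter(servletRequest, servletResponse, filterChain);
}

/**
 * Resolves the SAML2 HTTP binding URN for the value of the {@code HTTP_BINDING} request parameter.
 *
 * @param requestedBinding raw parameter value, may be {@code null}
 * @return the HTTP-POST or HTTP-Redirect binding URN; HTTP-POST when the parameter is missing, empty or unknown
 */
private String resolveSaml2HttpBinding(String requestedBinding) {
    final String postBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
    final String redirectBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";
    if (requestedBinding == null || requestedBinding.isEmpty()) {
        LOGGER.log(Level.INFO, "SAML2 HTTP Binding not found in request. Defaulting to HTTP-POST");
        return postBinding;
    }
    if ("HTTP-POST".equals(requestedBinding)) {
        return postBinding;
    }
    if ("HTTP-Redirect".equals(requestedBinding)) {
        return redirectBinding;
    }
    // Only the two standard bindings are honoured; the unknown value is never copied into the config.
    LOGGER.log(Level.INFO, "Unknown SAML2 HTTP Binding. Defaulting to HTTP-POST");
    return postBinding;
}

/**
 * Builds the self-submitting HTML form that carries the encoded credential token to the IdP configured
 * under {@code SAML2.IdPURL}. The {@code <!--$saml_params-->} comment looks like a placeholder that the
 * agent fills in later with the SAML request parameters — confirm against the agent code.
 *
 * @param authorization Base64 encoded {@code username:password}
 * @return complete HTML document used as the POST binding payload
 */
private String buildPostBindingPayload(String authorization) {
    // Read from the agent's own properties, not from the request.
    String idpUrl = properties.getProperty("SAML2.IdPURL");
    return "<html>\n"
            + "<body>\n"
            + "<p>You are now redirected back to " + idpUrl + " \n"
            + "If the redirection fails, please click the post button.</p>\n"
            + "<form method='post' action='" + idpUrl + "'>\n"
            + "<input type='hidden' name='sectoken' value='" + authorization + "'/>\n"
            + "<p>\n"
            + "<!--$saml_params-->\n"
            + "<button type='submit'>POST</button>\n"
            + "</p>\n"
            + "</form>\n"
            + "<script type='text/javascript'>\n"
            + "document.forms[0].submit();\n"
            + "</script>\n"
            + "</body>\n"
            + "</html>";
}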
Also used : SSOAgentConfig(org.wso2.carbon.identity.sso.agent.bean.SSOAgentConfig)

Example 2 with SAML2

Use of org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.StandardInboundProtocols.SAML2 in project carbon-identity-framework by wso2.

From class IdentityProviderManager, method getResidentIdP:

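/**
 * Retrieves the resident Identity provider for a given tenant.
 * <p>
 * The resident IdP is loaded from the DAO under the reserved resident name and then decorated with the
 * server's own endpoint URLs (OpenID, SAML2, OAuth 1.0a, OIDC, Passive STS, WS-Trust, SCIM 1.1/2.0) and
 * with the tenant's primary certificate, so callers always receive a complete descriptor regardless of
 * what is persisted. Endpoint URLs are taken from the server configuration where present and fall back
 * to server URLs derived from the current host otherwise.
 *
 * @param tenantDomain Tenant domain whose resident IdP is requested
 * @return <code>LocalIdentityProvider</code> populated with federated authenticator and provisioning configs
 * @throws IdentityProviderManagementException when no resident IdP exists for the tenant, the tenant ID
 *                                             cannot be resolved, or the tenant's primary certificate
 *                                             cannot be read or encoded
 */
@Override
public IdentityProvider getResidentIdP(String tenantDomain) throws IdentityProviderManagementException {
    IdPManagementUtil.setTenantSpecifiers(tenantDomain);
    // Endpoint URLs as configured; blank values are filled with server defaults further down.
    String openIdUrl;
    String oauth1RequestTokenUrl;
    String oauth1AuthorizeUrl;
    String oauth1AccessTokenUrl;
    String oauth2AuthzEPUrl;
    String oauth2TokenEPUrl;
    String oauth2RevokeEPUrl;
    String oauth2IntrospectEpUrl;
    String oauth2UserInfoEPUrl;
    String oidcCheckSessionEPUrl;
    String oidcLogoutEPUrl;
    String oIDCWebFingerEPUrl;
    String oAuth2DCREPUrl;
    String oAuth2JWKSPage;
    String oIDCDiscoveryEPUrl;
    String passiveStsUrl;
    String stsUrl;
    String scimUsersEndpoint;
    String scimGroupsEndpoint;
    String scim2UsersEndpoint;
    String scim2GroupsEndpoint;
    openIdUrl = IdentityUtil.getProperty(IdentityConstants.ServerConfig.OPENID_SERVER_URL);
    oauth1RequestTokenUrl = IdentityUtil.getProperty(IdentityConstants.OAuth.OAUTH1_REQUEST_TOKEN_URL);
    oauth1AuthorizeUrl = IdentityUtil.getProperty(IdentityConstants.OAuth.OAUTH1_AUTHORIZE_URL);
    oauth1AccessTokenUrl = IdentityUtil.getProperty(IdentityConstants.OAuth.OAUTH1_ACCESSTOKEN_URL);
    oauth2AuthzEPUrl = IdentityUtil.getProperty(IdentityConstants.OAuth.OAUTH2_AUTHZ_EP_URL);
    oauth2TokenEPUrl = IdentityUtil.getProperty(IdentityConstants.OAuth.OAUTH2_TOKEN_EP_URL);
    oauth2UserInfoEPUrl = IdentityUtil.getProperty(IdentityConstants.OAuth.OAUTH2_USERINFO_EP_URL);
    oidcCheckSessionEPUrl = IdentityUtil.getProperty(IdentityConstants.OAuth.OIDC_CHECK_SESSION_EP_URL);
    oidcLogoutEPUrl = IdentityUtil.getProperty(IdentityConstants.OAuth.OIDC_LOGOUT_EP_URL);
    passiveStsUrl = IdentityUtil.getProperty(IdentityConstants.STS.PSTS_IDENTITY_PROVIDER_URL);
    stsUrl = IdentityUtil.getProperty(IdentityConstants.STS.STS_IDENTITY_PROVIDER_URL);
    scimUsersEndpoint = IdentityUtil.getProperty(IdentityConstants.SCIM.USER_EP_URL);
    scimGroupsEndpoint = IdentityUtil.getProperty(IdentityConstants.SCIM.GROUP_EP_URL);
    scim2UsersEndpoint = IdentityUtil.getProperty(IdentityConstants.SCIM2.USER_EP_URL);
    scim2GroupsEndpoint = IdentityUtil.getProperty(IdentityConstants.SCIM2.GROUP_EP_URL);
    oauth2RevokeEPUrl = IdentityUtil.getProperty(IdentityConstants.OAuth.OAUTH2_REVOKE_EP_URL);
    oauth2IntrospectEpUrl = IdentityUtil.getProperty(IdentityConstants.OAuth.OAUTH2_INTROSPECT_EP_URL);
    oIDCWebFingerEPUrl = IdentityUtil.getProperty(IdentityConstants.OAuth.OIDC_WEB_FINGER_EP_URL);
    oAuth2DCREPUrl = IdentityUtil.getProperty(IdentityConstants.OAuth.OAUTH2_DCR_EP_URL);
    oAuth2JWKSPage = IdentityUtil.getProperty(IdentityConstants.OAuth.OAUTH2_JWKS_EP_URL);
    oIDCDiscoveryEPUrl = IdentityUtil.getProperty(IdentityConstants.OAuth.OIDC_DISCOVERY_EP_URL);
    // OpenID and OAuth 1.0a endpoints: configured value wins, otherwise a server URL is built.
    if (StringUtils.isBlank(openIdUrl)) {
        openIdUrl = IdentityUtil.getServerURL(IdentityConstants.OpenId.OPENID, true, true);
    }
    if (StringUtils.isBlank(oauth1RequestTokenUrl)) {
        oauth1RequestTokenUrl = IdentityUtil.getServerURL(IdentityConstants.OAuth.REQUEST_TOKEN, true, true);
    }
    if (StringUtils.isBlank(oauth1AuthorizeUrl)) {
        oauth1AuthorizeUrl = IdentityUtil.getServerURL(IdentityConstants.OAuth.AUTHORIZE_URL, true, true);
    }
    if (StringUtils.isBlank(oauth1AccessTokenUrl)) {
        oauth1AccessTokenUrl = IdentityUtil.getServerURL(IdentityConstants.OAuth.ACCESS_TOKEN, true, true);
    }
    // OAuth2 / OIDC endpoints are resolved per tenant; a subset additionally gets the tenant path
    // parameter when the server runs in legacy (non tenant-qualified URL) mode.
    oauth2AuthzEPUrl = resolveAbsoluteURL(IdentityConstants.OAuth.AUTHORIZE, oauth2AuthzEPUrl, tenantDomain);
    oauth2TokenEPUrl = resolveAbsoluteURL(IdentityConstants.OAuth.TOKEN, oauth2TokenEPUrl, tenantDomain);
    oauth2RevokeEPUrl = resolveAbsoluteURL(IdentityConstants.OAuth.REVOKE, oauth2RevokeEPUrl, tenantDomain);
    oauth2IntrospectEpUrl = resolveAbsoluteURL(IdentityConstants.OAuth.INTROSPECT, oauth2IntrospectEpUrl, tenantDomain);
    oauth2IntrospectEpUrl = addTenantPathParamInLegacyMode(oauth2IntrospectEpUrl, tenantDomain);
    oauth2UserInfoEPUrl = resolveAbsoluteURL(IdentityConstants.OAuth.USERINFO, oauth2UserInfoEPUrl, tenantDomain);
    oidcCheckSessionEPUrl = resolveAbsoluteURL(IdentityConstants.OAuth.CHECK_SESSION, oidcCheckSessionEPUrl, tenantDomain);
    oidcLogoutEPUrl = resolveAbsoluteURL(IdentityConstants.OAuth.LOGOUT, oidcLogoutEPUrl, tenantDomain);
    oAuth2DCREPUrl = resolveAbsoluteURL(IdentityConstants.OAuth.DCR, oAuth2DCREPUrl, tenantDomain);
    oAuth2DCREPUrl = addTenantPathParamInLegacyMode(oAuth2DCREPUrl, tenantDomain);
    oAuth2JWKSPage = resolveAbsoluteURL(IdentityConstants.OAuth.JWKS, oAuth2JWKSPage, tenantDomain);
    oAuth2JWKSPage = addTenantPathParamInLegacyMode(oAuth2JWKSPage, tenantDomain);
    oIDCDiscoveryEPUrl = resolveAbsoluteURL(IdentityConstants.OAuth.DISCOVERY, oIDCDiscoveryEPUrl, tenantDomain);
    oIDCDiscoveryEPUrl = addTenantPathParamInLegacyMode(oIDCDiscoveryEPUrl, tenantDomain);
    passiveStsUrl = resolveAbsoluteURL(IdentityConstants.STS.PASSIVE_STS, passiveStsUrl, tenantDomain);
    // If sts url is configured in file, change it according to tenant domain. If not configured, add a default url
    if (StringUtils.isNotBlank(stsUrl)) {
        stsUrl = stsUrl.replace(IdentityConstants.STS.WSO2_CARBON_STS, getTenantContextFromTenantDomain(tenantDomain) + IdentityConstants.STS.WSO2_CARBON_STS);
    } else {
        stsUrl = IdentityUtil.getServerURL("services/" + getTenantContextFromTenantDomain(tenantDomain) + IdentityConstants.STS.WSO2_CARBON_STS, true, true);
    }
    // SCIM 1.1 endpoints are never tenant-qualified here; SCIM 2.0 endpoints are, for non-super tenants.
    if (StringUtils.isBlank(scimUsersEndpoint)) {
        scimUsersEndpoint = IdentityUtil.getServerURL(IdentityConstants.SCIM.USER_EP, true, false);
    }
    if (StringUtils.isBlank(scimGroupsEndpoint)) {
        scimGroupsEndpoint = IdentityUtil.getServerURL(IdentityConstants.SCIM.GROUP_EP, true, false);
    }
    if (StringUtils.isBlank(scim2UsersEndpoint)) {
        scim2UsersEndpoint = IdentityUtil.getServerURL(IdentityConstants.SCIM2.USER_EP, true, false);
    }
    try {
        if (StringUtils.isNotBlank(tenantDomain) && !MultitenantConstants.SUPER_TENANT_DOMAIN_NAME.equals(tenantDomain)) {
            scim2UsersEndpoint = getTenantUrl(scim2UsersEndpoint, tenantDomain);
        }
    } catch (URISyntaxException e) {
        // Best effort: keep the un-qualified endpoint, but retain the cause so the bad URL can be diagnosed.
        log.error("SCIM 2.0 Users endpoint is malformed", e);
    }
    if (StringUtils.isBlank(scim2GroupsEndpoint)) {
        scim2GroupsEndpoint = IdentityUtil.getServerURL(IdentityConstants.SCIM2.GROUP_EP, true, false);
    }
    try {
        if (StringUtils.isNotBlank(tenantDomain) && !MultitenantConstants.SUPER_TENANT_DOMAIN_NAME.equals(tenantDomain)) {
            scim2GroupsEndpoint = getTenantUrl(scim2GroupsEndpoint, tenantDomain);
        }
    } catch (URISyntaxException e) {
        // Same best-effort handling as for the users endpoint.
        log.error("SCIM 2.0 Groups endpoint is malformed", e);
    }
    // Load the persisted resident IdP; everything below enriches this object.
    IdentityProvider identityProvider = dao.getIdPByName(null, IdentityApplicationConstants.RESIDENT_IDP_RESERVED_NAME, IdentityTenantUtil.getTenantId(tenantDomain), tenantDomain);
    if (identityProvider == null) {
        String message = "Could not find Resident Identity Provider for tenant " + tenantDomain;
        throw new IdentityProviderManagementException(message);
    }
    int tenantId = -1;
    try {
        tenantId = IdPManagementServiceComponent.getRealmService().getTenantManager().getTenantId(tenantDomain);
    } catch (UserStoreException e) {
        throw new IdentityProviderManagementException("Exception occurred while retrieving Tenant ID from Tenant Domain " + tenantDomain, e);
    }
    // Primary certificate of the tenant. The lookup runs inside a tenant flow so the key store manager
    // resolves the tenant's own registry/key store; the flow is always ended in finally.
    X509Certificate cert = null;
    try {
        IdentityTenantUtil.initializeRegistry(tenantId);
        PrivilegedCarbonContext.startTenantFlow();
        PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
        carbonContext.setTenantDomain(tenantDomain, true);
        KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
        if (!MultitenantConstants.SUPER_TENANT_DOMAIN_NAME.equals(tenantDomain)) {
            // derive key store name — assumes tenantDomain is an already validated tenant name, since it
            // becomes part of the key store name and the certificate alias (TODO confirm at the callers)
            String ksName = tenantDomain.trim().replace(".", "-");
            // derive JKS name
            String jksName = ksName + ".jks";
            KeyStore keyStore = keyStoreManager.getKeyStore(jksName);
            cert = (X509Certificate) keyStore.getCertificate(tenantDomain);
        } else {
            cert = keyStoreManager.getDefaultPrimaryCertificate();
        }
    } catch (Exception e) {
        // Broad catch is deliberate: registry, key store and cast failures all surface as one management error.
        String msg = "Error retrieving primary certificate for tenant : " + tenantDomain;
        throw new IdentityProviderManagementException(msg, e);
    } finally {
        PrivilegedCarbonContext.endTenantFlow();
    }
    if (cert == null) {
        throw new IdentityProviderManagementException("Cannot find the primary certificate for tenant " + tenantDomain);
    }
    // Only the public certificate is exposed on the IdP descriptor (Base64 of the DER encoding).
    try {
        identityProvider.setCertificate(Base64.encode(cert.getEncoded()));
    } catch (CertificateEncodingException e) {
        String msg = "Error occurred while encoding primary certificate for tenant domain " + tenantDomain;
        throw new IdentityProviderManagementException(msg, e);
    }
    List<FederatedAuthenticatorConfig> fedAuthnCofigs = new ArrayList<FederatedAuthenticatorConfig>();
    List<Property> propertiesList = null;
    // OpenID authenticator: persisted properties are kept, the server URL is added only when missing.
    FederatedAuthenticatorConfig openIdFedAuthn = IdentityApplicationManagementUtil.getFederatedAuthenticator(identityProvider.getFederatedAuthenticatorConfigs(), IdentityApplicationConstants.Authenticator.OpenID.NAME);
    if (openIdFedAuthn == null) {
        openIdFedAuthn = new FederatedAuthenticatorConfig();
        openIdFedAuthn.setName(IdentityApplicationConstants.Authenticator.OpenID.NAME);
    }
    propertiesList = new ArrayList<Property>(Arrays.asList(openIdFedAuthn.getProperties()));
    if (IdentityApplicationManagementUtil.getProperty(openIdFedAuthn.getProperties(), IdentityApplicationConstants.Authenticator.OpenID.OPEN_ID_URL) == null) {
        Property openIdUrlProp = new Property();
        openIdUrlProp.setName(IdentityApplicationConstants.Authenticator.OpenID.OPEN_ID_URL);
        openIdUrlProp.setValue(openIdUrl);
        propertiesList.add(openIdUrlProp);
    }
    openIdFedAuthn.setProperties(propertiesList.toArray(new Property[propertiesList.size()]));
    fedAuthnCofigs.add(openIdFedAuthn);
    // SAML2 related endpoints.
    FederatedAuthenticatorConfig saml2SSOFedAuthn = buildSAMLProperties(identityProvider, tenantDomain);
    fedAuthnCofigs.add(saml2SSOFedAuthn);
    // OAuth 1.0a authenticator: same keep-persisted / add-missing rule as OpenID.
    FederatedAuthenticatorConfig oauth1FedAuthn = IdentityApplicationManagementUtil.getFederatedAuthenticator(identityProvider.getFederatedAuthenticatorConfigs(), IdentityApplicationConstants.OAuth10A.NAME);
    if (oauth1FedAuthn == null) {
        oauth1FedAuthn = new FederatedAuthenticatorConfig();
        oauth1FedAuthn.setName(IdentityApplicationConstants.OAuth10A.NAME);
    }
    propertiesList = new ArrayList<Property>(Arrays.asList(oauth1FedAuthn.getProperties()));
    if (IdentityApplicationManagementUtil.getProperty(oauth1FedAuthn.getProperties(), IdentityApplicationConstants.OAuth10A.OAUTH1_REQUEST_TOKEN_URL) == null) {
        Property oauth1ReqTokUrlProp = new Property();
        oauth1ReqTokUrlProp.setName(IdentityApplicationConstants.OAuth10A.OAUTH1_REQUEST_TOKEN_URL);
        oauth1ReqTokUrlProp.setValue(oauth1RequestTokenUrl);
        propertiesList.add(oauth1ReqTokUrlProp);
    }
    if (IdentityApplicationManagementUtil.getProperty(oauth1FedAuthn.getProperties(), IdentityApplicationConstants.OAuth10A.OAUTH1_AUTHORIZE_URL) == null) {
        Property oauth1AuthzUrlProp = new Property();
        oauth1AuthzUrlProp.setName(IdentityApplicationConstants.OAuth10A.OAUTH1_AUTHORIZE_URL);
        oauth1AuthzUrlProp.setValue(oauth1AuthorizeUrl);
        propertiesList.add(oauth1AuthzUrlProp);
    }
    if (IdentityApplicationManagementUtil.getProperty(oauth1FedAuthn.getProperties(), IdentityApplicationConstants.OAuth10A.OAUTH1_ACCESS_TOKEN_URL) == null) {
        Property oauth1AccessTokUrlProp = new Property();
        oauth1AccessTokUrlProp.setName(IdentityApplicationConstants.OAuth10A.OAUTH1_ACCESS_TOKEN_URL);
        oauth1AccessTokUrlProp.setValue(oauth1AccessTokenUrl);
        propertiesList.add(oauth1AccessTokUrlProp);
    }
    oauth1FedAuthn.setProperties(propertiesList.toArray(new Property[propertiesList.size()]));
    fedAuthnCofigs.add(oauth1FedAuthn);
    // OIDC authenticator: the property list is rebuilt from scratch via resolveFedAuthnProperty for every
    // known endpoint, so persisted OIDC properties are not carried over wholesale here.
    FederatedAuthenticatorConfig oidcFedAuthn = IdentityApplicationManagementUtil.getFederatedAuthenticator(identityProvider.getFederatedAuthenticatorConfigs(), IdentityApplicationConstants.Authenticator.OIDC.NAME);
    if (oidcFedAuthn == null) {
        oidcFedAuthn = new FederatedAuthenticatorConfig();
        oidcFedAuthn.setName(IdentityApplicationConstants.Authenticator.OIDC.NAME);
    }
    propertiesList = new ArrayList<Property>();
    Property idPEntityIdProp;
    // When the tenant qualified urls are enabled, we need to see the oauth2 token endpoint.
    if (IdentityTenantUtil.isTenantQualifiedUrlsEnabled()) {
        idPEntityIdProp = resolveFedAuthnProperty(oauth2TokenEPUrl, oidcFedAuthn, OPENID_IDP_ENTITY_ID);
    } else {
        idPEntityIdProp = resolveFedAuthnProperty(getOIDCResidentIdPEntityId(), oidcFedAuthn, OPENID_IDP_ENTITY_ID);
    }
    propertiesList.add(idPEntityIdProp);
    Property authzUrlProp = resolveFedAuthnProperty(oauth2AuthzEPUrl, oidcFedAuthn, IdentityApplicationConstants.Authenticator.OIDC.OAUTH2_AUTHZ_URL);
    propertiesList.add(authzUrlProp);
    Property tokenUrlProp = resolveFedAuthnProperty(oauth2TokenEPUrl, oidcFedAuthn, IdentityApplicationConstants.Authenticator.OIDC.OAUTH2_TOKEN_URL);
    propertiesList.add(tokenUrlProp);
    Property revokeUrlProp = resolveFedAuthnProperty(oauth2RevokeEPUrl, oidcFedAuthn, IdentityApplicationConstants.Authenticator.OIDC.OAUTH2_REVOKE_URL);
    propertiesList.add(revokeUrlProp);
    Property instropsectUrlProp = resolveFedAuthnProperty(oauth2IntrospectEpUrl, oidcFedAuthn, IdentityApplicationConstants.Authenticator.OIDC.OAUTH2_INTROSPECT_URL);
    propertiesList.add(instropsectUrlProp);
    Property userInfoUrlProp = resolveFedAuthnProperty(oauth2UserInfoEPUrl, oidcFedAuthn, IdentityApplicationConstants.Authenticator.OIDC.OAUTH2_USER_INFO_EP_URL);
    propertiesList.add(userInfoUrlProp);
    Property checkSessionUrlProp = resolveFedAuthnProperty(oidcCheckSessionEPUrl, oidcFedAuthn, IdentityApplicationConstants.Authenticator.OIDC.OIDC_CHECK_SESSION_URL);
    propertiesList.add(checkSessionUrlProp);
    Property logoutUrlProp = resolveFedAuthnProperty(oidcLogoutEPUrl, oidcFedAuthn, IdentityApplicationConstants.Authenticator.OIDC.OIDC_LOGOUT_URL);
    propertiesList.add(logoutUrlProp);
    Property dcrUrlProp = resolveFedAuthnProperty(oAuth2DCREPUrl, oidcFedAuthn, IdentityApplicationConstants.Authenticator.OIDC.OAUTH2_DCR_EP_URL);
    propertiesList.add(dcrUrlProp);
    Property webFingerUrlProp = resolveFedAuthnProperty(oIDCWebFingerEPUrl, oidcFedAuthn, IdentityApplicationConstants.Authenticator.OIDC.OIDC_WEB_FINGER_EP_URL);
    propertiesList.add(webFingerUrlProp);
    Property jwksUrlProp = resolveFedAuthnProperty(oAuth2JWKSPage, oidcFedAuthn, IdentityApplicationConstants.Authenticator.OIDC.OAUTH2_JWKS_EP_URL);
    propertiesList.add(jwksUrlProp);
    Property discoveryUrlProp = resolveFedAuthnProperty(oIDCDiscoveryEPUrl, oidcFedAuthn, IdentityApplicationConstants.Authenticator.OIDC.OIDC_DISCOVERY_EP_URL);
    propertiesList.add(discoveryUrlProp);
    oidcFedAuthn.setProperties(propertiesList.toArray(new Property[propertiesList.size()]));
    fedAuthnCofigs.add(oidcFedAuthn);
    // Passive STS authenticator: the IdP URL is always overwritten with the resolved value, the entity id is
    // only defaulted when absent, and every other persisted property is carried over unchanged.
    FederatedAuthenticatorConfig passiveSTSFedAuthn = IdentityApplicationManagementUtil.getFederatedAuthenticator(identityProvider.getFederatedAuthenticatorConfigs(), IdentityApplicationConstants.Authenticator.PassiveSTS.NAME);
    if (passiveSTSFedAuthn == null) {
        passiveSTSFedAuthn = new FederatedAuthenticatorConfig();
        passiveSTSFedAuthn.setName(IdentityApplicationConstants.Authenticator.PassiveSTS.NAME);
    }
    propertiesList = new ArrayList<>();
    Property passiveSTSUrlProperty = IdentityApplicationManagementUtil.getProperty(passiveSTSFedAuthn.getProperties(), IdentityApplicationConstants.Authenticator.PassiveSTS.IDENTITY_PROVIDER_URL);
    if (passiveSTSUrlProperty == null) {
        passiveSTSUrlProperty = new Property();
        passiveSTSUrlProperty.setName(IdentityApplicationConstants.Authenticator.PassiveSTS.IDENTITY_PROVIDER_URL);
    }
    passiveSTSUrlProperty.setValue(passiveStsUrl);
    propertiesList.add(passiveSTSUrlProperty);
    Property stsIdPEntityIdProperty = IdentityApplicationManagementUtil.getProperty(passiveSTSFedAuthn.getProperties(), IdentityApplicationConstants.Authenticator.PassiveSTS.IDENTITY_PROVIDER_ENTITY_ID);
    if (stsIdPEntityIdProperty == null) {
        stsIdPEntityIdProperty = new Property();
        stsIdPEntityIdProperty.setName(IdentityApplicationConstants.Authenticator.PassiveSTS.IDENTITY_PROVIDER_ENTITY_ID);
        stsIdPEntityIdProperty.setValue(IdPManagementUtil.getResidentIdPEntityId());
    }
    propertiesList.add(stsIdPEntityIdProperty);
    for (Property property : passiveSTSFedAuthn.getProperties()) {
        if (property != null && !IdentityApplicationConstants.Authenticator.PassiveSTS.IDENTITY_PROVIDER_URL.equals(property.getName()) && !IdentityApplicationConstants.Authenticator.PassiveSTS.IDENTITY_PROVIDER_ENTITY_ID.equals(property.getName())) {
            propertiesList.add(property);
        }
    }
    passiveSTSFedAuthn.setProperties(propertiesList.toArray(new Property[propertiesList.size()]));
    fedAuthnCofigs.add(passiveSTSFedAuthn);
    // WS-Trust (STS) authenticator: keep persisted properties, add the resolved STS URL only when missing.
    FederatedAuthenticatorConfig stsFedAuthn = IdentityApplicationManagementUtil.getFederatedAuthenticator(identityProvider.getFederatedAuthenticatorConfigs(), IdentityApplicationConstants.Authenticator.WSTrust.NAME);
    if (stsFedAuthn == null) {
        stsFedAuthn = new FederatedAuthenticatorConfig();
        stsFedAuthn.setName(IdentityApplicationConstants.Authenticator.WSTrust.NAME);
    }
    propertiesList = new ArrayList<Property>(Arrays.asList(stsFedAuthn.getProperties()));
    if (IdentityApplicationManagementUtil.getProperty(stsFedAuthn.getProperties(), IdentityApplicationConstants.Authenticator.WSTrust.IDENTITY_PROVIDER_URL) == null) {
        Property stsUrlProp = new Property();
        stsUrlProp.setName(IdentityApplicationConstants.Authenticator.WSTrust.IDENTITY_PROVIDER_URL);
        stsUrlProp.setValue(stsUrl);
        propertiesList.add(stsUrlProp);
    }
    stsFedAuthn.setProperties(propertiesList.toArray(new Property[propertiesList.size()]));
    fedAuthnCofigs.add(stsFedAuthn);
    // Session clean-up period is published as a pseudo authenticator config; non-numeric or blank values
    // from the server configuration fall back to the default.
    List<IdentityProviderProperty> identityProviderProperties = new ArrayList<IdentityProviderProperty>();
    FederatedAuthenticatorConfig sessionTimeoutConfig = new FederatedAuthenticatorConfig();
    sessionTimeoutConfig.setName(IdentityApplicationConstants.NAME);
    propertiesList = new ArrayList<Property>(Arrays.asList(sessionTimeoutConfig.getProperties()));
    Property cleanUpPeriodProp = new Property();
    cleanUpPeriodProp.setName(IdentityApplicationConstants.CLEAN_UP_PERIOD);
    String cleanUpPeriod = IdentityUtil.getProperty(IdentityConstants.ServerConfig.CLEAN_UP_PERIOD);
    if (StringUtils.isBlank(cleanUpPeriod)) {
        cleanUpPeriod = IdentityApplicationConstants.CLEAN_UP_PERIOD_DEFAULT;
    } else if (!StringUtils.isNumeric(cleanUpPeriod)) {
        log.warn("PersistanceCleanUpPeriod in identity.xml should be a numeric value");
        cleanUpPeriod = IdentityApplicationConstants.CLEAN_UP_PERIOD_DEFAULT;
    }
    cleanUpPeriodProp.setValue(cleanUpPeriod);
    propertiesList.add(cleanUpPeriodProp);
    sessionTimeoutConfig.setProperties(propertiesList.toArray(new Property[propertiesList.size()]));
    fedAuthnCofigs.add(sessionTimeoutConfig);
    identityProvider.setFederatedAuthenticatorConfigs(fedAuthnCofigs.toArray(new FederatedAuthenticatorConfig[fedAuthnCofigs.size()]));
    // SCIM provisioning connector: for each endpoint the server-computed URL wins over a differing
    // persisted value, so a stale endpoint in storage is corrected on read.
    ProvisioningConnectorConfig scimProvConn = IdentityApplicationManagementUtil.getProvisioningConnector(identityProvider.getProvisioningConnectorConfigs(), "scim");
    if (scimProvConn == null) {
        scimProvConn = new ProvisioningConnectorConfig();
        scimProvConn.setName("scim");
    }
    propertiesList = new ArrayList<>(Arrays.asList(scimProvConn.getProvisioningProperties()));
    Property scimUserEndpointProperty = IdentityApplicationManagementUtil.getProperty(scimProvConn.getProvisioningProperties(), IdentityApplicationConstants.SCIM.USERS_EP_URL);
    if (scimUserEndpointProperty == null) {
        Property property = new Property();
        property.setName(IdentityApplicationConstants.SCIM.USERS_EP_URL);
        property.setValue(scimUsersEndpoint);
        propertiesList.add(property);
    } else if (!scimUsersEndpoint.equalsIgnoreCase(scimUserEndpointProperty.getValue())) {
        scimUserEndpointProperty.setValue(scimUsersEndpoint);
    }
    Property scimGroupEndpointProperty = IdentityApplicationManagementUtil.getProperty(scimProvConn.getProvisioningProperties(), IdentityApplicationConstants.SCIM.GROUPS_EP_URL);
    if (scimGroupEndpointProperty == null) {
        Property property = new Property();
        property.setName(IdentityApplicationConstants.SCIM.GROUPS_EP_URL);
        property.setValue(scimGroupsEndpoint);
        propertiesList.add(property);
    } else if (!scimGroupsEndpoint.equalsIgnoreCase(scimGroupEndpointProperty.getValue())) {
        scimGroupEndpointProperty.setValue(scimGroupsEndpoint);
    }
    Property scim2UserEndpointProperty = IdentityApplicationManagementUtil.getProperty(scimProvConn.getProvisioningProperties(), IdentityApplicationConstants.SCIM2.USERS_EP_URL);
    if (scim2UserEndpointProperty == null) {
        Property property = new Property();
        property.setName(IdentityApplicationConstants.SCIM2.USERS_EP_URL);
        property.setValue(scim2UsersEndpoint);
        propertiesList.add(property);
    } else if (!scim2UsersEndpoint.equalsIgnoreCase(scim2UserEndpointProperty.getValue())) {
        scim2UserEndpointProperty.setValue(scim2UsersEndpoint);
    }
    Property scim2GroupEndpointProperty = IdentityApplicationManagementUtil.getProperty(scimProvConn.getProvisioningProperties(), IdentityApplicationConstants.SCIM2.GROUPS_EP_URL);
    if (scim2GroupEndpointProperty == null) {
        Property property = new Property();
        property.setName(IdentityApplicationConstants.SCIM2.GROUPS_EP_URL);
        property.setValue(scim2GroupsEndpoint);
        propertiesList.add(property);
    } else if (!scim2GroupsEndpoint.equalsIgnoreCase(scim2GroupEndpointProperty.getValue())) {
        scim2GroupEndpointProperty.setValue(scim2GroupsEndpoint);
    }
    scimProvConn.setProvisioningProperties(propertiesList.toArray(new Property[propertiesList.size()]));
    identityProvider.setProvisioningConnectorConfigs(new ProvisioningConnectorConfig[] { scimProvConn });
    return identityProvider;
}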
Also used : FederatedAuthenticatorConfig(org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig) ArrayList(java.util.ArrayList) IdentityProvider(org.wso2.carbon.identity.application.common.model.IdentityProvider) PrivilegedCarbonContext(org.wso2.carbon.context.PrivilegedCarbonContext) CertificateEncodingException(java.security.cert.CertificateEncodingException) URISyntaxException(java.net.URISyntaxException) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) URISyntaxException(java.net.URISyntaxException) IdentityRoleManagementException(org.wso2.carbon.identity.role.mgt.core.IdentityRoleManagementException) NotImplementedException(org.apache.commons.lang.NotImplementedException) XMLStreamException(javax.xml.stream.XMLStreamException) URLBuilderException(org.wso2.carbon.identity.core.URLBuilderException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) IdentityException(org.wso2.carbon.identity.base.IdentityException) CertificateEncodingException(java.security.cert.CertificateEncodingException) UserStoreException(org.wso2.carbon.user.api.UserStoreException) IOException(java.io.IOException) KeyStoreManager(org.wso2.carbon.core.util.KeyStoreManager) IdentityProviderProperty(org.wso2.carbon.identity.application.common.model.IdentityProviderProperty) UserStoreException(org.wso2.carbon.user.api.UserStoreException) IdentityProviderProperty(org.wso2.carbon.identity.application.common.model.IdentityProviderProperty) Property(org.wso2.carbon.identity.application.common.model.Property) ProvisioningConnectorConfig(org.wso2.carbon.identity.application.common.model.ProvisioningConnectorConfig)

Example 3 with SAML2

Use of org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.StandardInboundProtocols.SAML2 in project carbon-identity-framework by wso2.

From class FileBasedIdPMgtDAO, method getIdPByAuthenticatorPropertyValue:

/**
 * Finds the file based identity provider whose authenticator {@code authenticatorName} carries the
 * property {@code property} with the given {@code value}. The comparison is case-insensitive, so callers
 * matching identifiers that are case-sensitive by specification should take that into account.
 *
 * @param property          name of the authenticator property to compare
 * @param value             expected property value; a {@code null} value results in a {@code NullPointerException}
 * @param tenantDomain      tenant domain; not consulted by this implementation
 * @param authenticatorName name of the federated authenticator whose properties are searched
 * @return the first matching identity provider in iteration order, or {@code null} when none matches
 */
public IdentityProvider getIdPByAuthenticatorPropertyValue(String property, String value, String tenantDomain, String authenticatorName) {
    Map<String, IdentityProvider> fileBasedIdPs = IdPManagementServiceComponent.getFileBasedIdPs();
    for (IdentityProvider candidate : fileBasedIdPs.values()) {
        // Pick the requested authenticator (e.g. SAML2 Web SSO) from this IdP, if it has one.
        FederatedAuthenticatorConfig authenticator = IdentityApplicationManagementUtil.getFederatedAuthenticator(candidate.getFederatedAuthenticatorConfigs(), authenticatorName);
        if (authenticator == null) {
            continue;
        }
        Property candidateProperty = IdentityApplicationManagementUtil.getProperty(authenticator.getProperties(), property);
        if (candidateProperty != null && value.equalsIgnoreCase(candidateProperty.getValue())) {
            return candidate;
        }
    }
    return null;
}
Also used : FederatedAuthenticatorConfig(org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig) IdentityProvider(org.wso2.carbon.identity.application.common.model.IdentityProvider) Property(org.wso2.carbon.identity.application.common.model.Property) IdentityProviderProperty(org.wso2.carbon.identity.application.common.model.IdentityProviderProperty)

Example 4 with SAML2

Use of org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.StandardInboundProtocols.SAML2 in project identity-inbound-auth-oauth by wso2-extensions.

From class OAuth2TokenEndpointTest, method testGetAccessToken:

/**
 * Invokes {@code OAuth2TokenEndpoint#issueAccessToken} (reflectively, as it is not public) for the
 * grant type supplied by the data provider and checks that every request parameter named in
 * {@code additionalParameters} was copied onto the {@link OAuth2AccessTokenReqDTO} that reaches
 * {@code OAuth2Service#issueAccessToken}.
 *
 * @param grantType            grant type value placed in the token request
 * @param additionalParameters comma-separated names of the parameters expected to be set for this grant
 */
@Test(dataProvider = "testGetAccessTokenDataProvider")
public void testGetAccessToken(String grantType, String additionalParameters) throws Exception {
    // Supply every parameter any of the exercised grant types could need; the endpoint is expected
    // to pick the ones relevant to the grant under test.
    Map<String, String[]> params = new HashMap<>();
    params.put(OAuth.OAUTH_CLIENT_ID, new String[] { CLIENT_ID_VALUE });
    params.put(OAuth.OAUTH_GRANT_TYPE, new String[] { grantType });
    params.put(OAuth.OAUTH_SCOPE, new String[] { "scope1" });
    // authorization_code grant
    params.put(OAuth.OAUTH_REDIRECT_URI, new String[] { APP_REDIRECT_URL });
    params.put(OAuth.OAUTH_CODE, new String[] { "auth_code" });
    // password grant (test-only credential, never a real secret)
    params.put(OAuth.OAUTH_USERNAME, new String[] { USERNAME });
    params.put(OAuth.OAUTH_PASSWORD, new String[] { "password" });
    // refresh_token grant
    params.put(OAuth.OAUTH_REFRESH_TOKEN, new String[] { REFRESH_TOKEN });
    // saml2 bearer grant
    params.put(OAuth.OAUTH_ASSERTION, new String[] { "dummyAssertion" });
    // IWA_NTLM grant
    params.put(OAuthConstants.WINDOWS_TOKEN, new String[] { "dummyWindowsToken" });

    HttpServletRequest request = mockHttpRequest(params, new HashMap<String, Object>());
    when(request.getHeader(OAuthConstants.HTTP_REQ_HEADER_AUTHZ)).thenReturn(AUTHORIZATION_HEADER);
    when(request.getHeaderNames()).thenReturn(Collections.enumeration(Collections.singletonList(OAuthConstants.HTTP_REQ_HEADER_AUTHZ)));

    // Register a validator for each grant type so the endpoint accepts the request shape.
    Map<String, Class<? extends OAuthValidator<HttpServletRequest>>> validators = new Hashtable<>();
    validators.put(GrantType.PASSWORD.toString(), PasswordValidator.class);
    validators.put(GrantType.CLIENT_CREDENTIALS.toString(), ClientCredentialValidator.class);
    validators.put(GrantType.AUTHORIZATION_CODE.toString(), AuthorizationCodeValidator.class);
    validators.put(GrantType.REFRESH_TOKEN.toString(), RefreshTokenValidator.class);
    validators.put(org.wso2.carbon.identity.oauth.common.GrantType.IWA_NTLM.toString(), NTLMAuthenticationValidator.class);
    validators.put(org.wso2.carbon.identity.oauth.common.GrantType.SAML20_BEARER.toString(), SAML2GrantValidator.class);
    mockOAuthServerConfiguration();
    when(oAuthServerConfiguration.getSupportedGrantTypeValidators()).thenReturn(validators);

    spy(EndpointUtil.class);
    doReturn(oAuth2Service).when(EndpointUtil.class, "getOAuth2Service");

    // Capture what the endpoint placed on the request DTO instead of issuing a real token.
    final Map<String, String> captured = new HashMap<>();
    doAnswer(new Answer<Object>() {

        @Override
        public Object answer(InvocationOnMock invocation) throws Throwable {
            OAuth2AccessTokenReqDTO reqDTO = (OAuth2AccessTokenReqDTO) invocation.getArguments()[0];
            captured.put(OAuth.OAUTH_CODE, reqDTO.getAuthorizationCode());
            captured.put(OAuth.OAUTH_USERNAME, reqDTO.getResourceOwnerUsername());
            captured.put(OAuth.OAUTH_PASSWORD, reqDTO.getResourceOwnerPassword());
            captured.put(OAuth.OAUTH_REFRESH_TOKEN, reqDTO.getRefreshToken());
            captured.put(OAuth.OAUTH_ASSERTION, reqDTO.getAssertion());
            captured.put(OAuthConstants.WINDOWS_TOKEN, reqDTO.getWindowsToken());
            captured.put(OAuth.OAUTH_GRANT_TYPE, reqDTO.getGrantType());
            return new OAuth2AccessTokenRespDTO();
        }
    }).when(oAuth2Service).issueAccessToken(any(OAuth2AccessTokenReqDTO.class));

    CarbonOAuthTokenRequest oauthRequest = new CarbonOAuthTokenRequest(request);
    HttpServletRequestWrapper wrappedRequest = new HttpServletRequestWrapper(request);

    // issueAccessToken is not public, so reach it through reflection.
    Object endpoint = OAuth2TokenEndpoint.class.newInstance();
    Method issueAccessToken = endpoint.getClass().getDeclaredMethod("issueAccessToken", CarbonOAuthTokenRequest.class, HttpServletRequestWrapper.class);
    issueAccessToken.setAccessible(true);
    OAuth2AccessTokenRespDTO respDTO = (OAuth2AccessTokenRespDTO) issueAccessToken.invoke(endpoint, oauthRequest, wrappedRequest);
    assertNotNull(respDTO, "ResponseDTO is null");

    for (String param : additionalParameters.split(",")) {
        assertNotNull(captured.get(param), "Required parameter " + param + " is not set for " + grantType + "grant type");
    }
}

Example 5 with SAML2

use of org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.StandardInboundProtocols.SAML2 in project identity-inbound-auth-oauth by wso2-extensions.

the class SAML2BearerGrantHandler method setLocalUser.

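/**
 * Resolves the local user represented by the SAML2 assertion and sets it as the authorized user
 * of the token request.
 *
 * <p>The tenant-isolation check runs before any user-store access, so a non-SaaS application can
 * never cause a lookup in another tenant's user store.
 *
 * @param tokReqMsgCtx   Token Request Message Context
 * @param assertion      SAML2 Assertion
 * @param spTenantDomain Service Provider tenant domain
 * @throws UserStoreException      if the tenant user realm or its user store cannot be accessed
 * @throws IdentityOAuth2Exception if the service provider cannot be resolved, if a non-SaaS
 *                                 service provider requests a token for a user of another tenant,
 *                                 or if the user does not exist in the local user store
 */
protected void setLocalUser(OAuthTokenReqMessageContext tokReqMsgCtx, Assertion assertion, String spTenantDomain) throws UserStoreException, IdentityOAuth2Exception {
    RealmService realmService = OAuthComponentServiceHolder.getInstance().getRealmService();
    String clientId = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getClientId();
    ServiceProvider serviceProvider;
    try {
        if (log.isDebugEnabled()) {
            log.debug("Retrieving service provider for client id : " + clientId + ". Tenant domain : " + spTenantDomain);
        }
        serviceProvider = OAuth2ServiceComponentHolder.getApplicationMgtService().getServiceProviderByClientId(clientId, OAuthConstants.Scope.OAUTH2, spTenantDomain);
    } catch (IdentityApplicationManagementException e) {
        // Keep the cause; the original dropped it, hiding the real failure from the logs.
        throw new IdentityOAuth2Exception("Error while retrieving service provider for client id : " + clientId + " in tenant domain " + spTenantDomain, e);
    }
    if (serviceProvider == null) {
        // A null lookup result would otherwise surface as a NullPointerException at
        // serviceProvider.isSaasApp() below.
        throw new IdentityOAuth2Exception("Service provider not found for client id : " + clientId + " in tenant domain " + spTenantDomain);
    }
    AuthenticatedUser authenticatedUser = buildLocalUser(tokReqMsgCtx, assertion, serviceProvider, spTenantDomain);
    if (log.isDebugEnabled()) {
        log.debug("Setting local user with username :" + authenticatedUser.getUserName() + ". User store domain :" + authenticatedUser.getUserStoreDomain() + ". Tenant domain : " + authenticatedUser.getTenantDomain() + " . Authenticated subjectIdentifier : " + authenticatedUser.getAuthenticatedSubjectIdentifier());
    }
    // Tenant isolation: only a SaaS application may obtain a token for a user of a different tenant.
    if (!spTenantDomain.equalsIgnoreCase(authenticatedUser.getTenantDomain()) && !serviceProvider.isSaasApp()) {
        throw new IdentityOAuth2Exception("Non SaaS app tries to issue token for a different tenant domain. User " + "tenant domain : " + authenticatedUser.getTenantDomain() + ". SP tenant domain : " + spTenantDomain);
    }
    // The lookup is done in the user's tenant, which the check above has already constrained.
    UserStoreManager userStoreManager = realmService.getTenantUserRealm(IdentityTenantUtil.getTenantId(authenticatedUser.getTenantDomain())).getUserStoreManager();
    if (log.isDebugEnabled()) {
        log.debug("Checking whether the user exists in local user store");
    }
    if (userDoesNotExist(userStoreManager, authenticatedUser)) {
        if (log.isDebugEnabled()) {
            log.debug("User " + authenticatedUser.getUsernameAsSubjectIdentifier(true, false) + " doesn't exist in local user store.");
        }
        throw new IdentityOAuth2Exception("User not found in local user store");
    }
    tokReqMsgCtx.setAuthorizedUser(authenticatedUser);
}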
