4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * The contents of this file are subject to the terms
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * of the Common Development and Distribution License
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * (the License). You may not use this file except in
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * compliance with the License.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * You can obtain a copy of the License at
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * See the License for the specific language governing
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * permission and limitations under the License.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * When distributing Covered Code, include this CDDL
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * Header Notice in each file and include the License file
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * If applicable, add the following below the CDDL Header,
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * with the fields enclosed by brackets [] replaced by
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * your own identifying information:
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * "Portions Copyrighted [year] [name of copyright owner]"
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * $Id: DefaultPartnerAccountMapper.java,v 1.7 2010/01/09 19:41:52 qcheng Exp $
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington * Portions Copyright 2015 ForgeRock AS.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.saml.assertion.Assertion;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.saml.assertion.NameIdentifier;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.saml.assertion.Statement;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.saml.assertion.SubjectConfirmation;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.saml.assertion.SubjectStatement;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.saml.common.SAMLConstants;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.saml.protocol.SubjectQuery;
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunningtonimport org.forgerock.opendj.ldap.SearchScope;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * The class <code>DefaultPartnerAccountMapper</code> provides a default
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * implementation of the <code>PartnerAccountMapper</code> interface.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * The implementation assumes two sites have exactly the same DIT structure,
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * and it maps the remote user to the anonymous user by default if the DIT
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * structure could not be determined.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterpublic class DefaultPartnerAccountMapper implements PartnerAccountMapper {
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * Default Constructor
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee * Returns user account in OpenAM to which the
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * subject in the assertion is mapped. This method will be called in POST
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * profile, ARTIFACT profile, AttributeQuery and AuthorizationDecisionQuery.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * @param assertions a list of authentication assertions returned from
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * partner side; this will contain the user's identity in
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * the partner side. The object in the list will be
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * <code>com.sun.identity.saml.assertion.Assertion</code>
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * @param sourceID source ID for the site from which the subject
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * originated.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * @param targetURL value for TARGET query parameter when the user
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * accesses the SAML aware servlet or POST profile
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * @return Map which contains NAME, ORG and ATTRIBUTE keys, value of the
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * NAME key is the user DN, value of the ORG is the user
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * organization DN, value of the ATTRIBUTE is a Map
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * containing key/value pairs which will be set as properties
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee * on the OpenAM SSO token, the key is the SSO
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * property name, the value is a String value of the property.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * Returns an empty map if the mapped user could not be obtained
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * from the subject.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster public Map getUser(List assertions, String sourceID, String targetURL) {
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster SAMLUtils.debug.message("DefaultPartnerAccountMapper:getUser(" +
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster Assertion assertion = (Assertion)assertions.get(0);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster Iterator iter = assertion.getStatement().iterator();
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster Subject sub = ((SubjectStatement)statement).getSubject();
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster SubjectConfirmation subConf = sub.getSubjectConfirmation();
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster (cm.equals(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT)||
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT)||
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster cm.equals(SAMLConstants.CONFIRMATION_METHOD_BEARER))) {
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster SAMLUtils.addEnvParamsFromAssertion(attrMap, assertion, subject);
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee * Returns user account in OpenAM to which the
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * subject in the query is mapped. This method will be called in
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * AttributeQuery. The returned Map is subject to change per SAML
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * specification.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * @param subjectQuery subject query returned from partner side,
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * this will contain the user's identity in the partner side.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * @param sourceID source ID for the site from which the subject
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * originated.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * @return Map which contains NAME and ORG keys, value of the
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * NAME key is the user DN, value of the ORG is the user
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * organization DN. Returns an empty map if the mapped user
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * could not be obtained from the subject.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster public Map getUser(SubjectQuery subjectQuery,String sourceID) {
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster SAMLUtils.debug.message("DefaultPartnerAccountMapper:getUser(" +
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster "SubjectQuery)");
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster getUser(subjectQuery.getSubject(), sourceID, map);
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington protected void getUser(Subject subject, String sourceID, Map<String, String> map) {
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster // No need to check SSO in SubjectConfirmation here
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster // since AssertionManager will handle it without calling account mapper
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster NameIdentifier nameIdentifier = subject.getNameIdentifier();
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster String org = nameIdentifier.getNameQualifier();
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington if (dn1.isInScopeOf(dn2, SearchScope.SUBORDINATES)) {
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster SAMLUtils.debug.message("DefaultPAccountMapper: "
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster SAMLUtils.debug.warning("DefaultPAMapper:to anonymous");
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster // map to anonymous user
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster SAMLUtils.debug.warning("DefaultAccountMapper: Org null.");
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster // map to anonymous user
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster SAMLUtils.debug.warning("DefaultAccountMapper: Name is null");
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster // map to anonymous user