/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: FSAssertionArtifactHandler.java,v 1.14 2009/11/03 00:49:49 madan_ranganath Exp $
*
* Portions Copyrighted 2015-2016 ForgeRock AS.
*/
/**
* Handler that runs on <code>SP</code> side to receive and process
* <code>AuthnResponse</code>.
*/
public class FSAssertionArtifactHandler {
protected boolean doFederate = false;
static {
}
};
true);
}
/**
* Sets hosted SP entity ID.
* @param entityId hosted SP's entity ID to be set
*/
}
/**
* Sets hosted SP meta descriptor.
* @param desc SP's meta descriptor to be set.
* @see #getHostEntityId()
*/
}
/**
* Sets hosted SP extended meta config.
* @param config SP's extended meta to be set.
*/
hostConfig = config;
}
/**
* Sets hosted SP's meta alias.
* @param metaAlias SP's meta alias to be set
*/
}
/**
* Gets hosted SP's Entity ID.
* @return hosted entity id.
* @see #setHostEntityId(String)
*/
return hostEntityId;
}
/**
* Gets the realm under which the entity resides.
* @return the realm under which the entity resides.
* @see #setRealm(String)
*/
return realm;
}
/**
* Sets the realm under which the entity resides.
* @param realm The realm under which the entity resides.
* @see #getRealm()
*/
}
/**
* Gets <code>FSAuthnRequest</code> object.
* @return <code>FSAuthnRequest</code> object
* @see #setAuthnRequest(FSAuthnRequest)
*/
return authnRequest;
}
/**
* Sets <code>FSAuthnRequest</code> object.
* @param authnRequest <code>FSAuthnRequest</code> object to be set.
* @see #getAuthnRequest()
*/
this.authnRequest = authnRequest;
}
/**
* Default constructor.
*/
protected FSAssertionArtifactHandler(){
}
/**
* Constructs a <code>FSAssertionArtifactHandler</code> object.
* @param request <code>HttpServletRequest</code> object.
* @param response <code>HttpServletResponse</code> object
* @param idpDescriptor <code>IDP</code> provider descriptor
* @param idpEntityId entity ID of the <code>IDP</code>
* @param doFederate a flag indicating if it is a federation request
* @param nameIDPolicy <code>nameIDPolicy</code> used
* @param relayState <code>RelayState</code> url
*/
public FSAssertionArtifactHandler(
boolean doFederate,
)
{
this.relayState = relayState;
this.idpDescriptor = idpDescriptor;
this.idpEntityId = idpEntityId;
this.doFederate = doFederate;
this.nameIDPolicy = nameIDPolicy;
}
/**
* Constructs a <code>FSAssertionArtifactHandler</code> object.
* @param request <code>HttpServletRequest</code> object.
* @param response <code>HttpServletResponse</code> object
* @param idpDescriptor <code>IDP</code> provider descriptor
* @param idpEntityId entity ID of the <code>IDP</code>
* @param authnRequest <code>FSAuthnRequest</code> from soap
* @param doFederate a flag indicating if it is a federation request
* @param relayState <code>RelayState</code> url
*/
public FSAssertionArtifactHandler(
boolean doFederate,
)
{
this.relayState = relayState;
this.idpDescriptor = idpDescriptor;
this.idpEntityId = idpEntityId;
if (authnRequest != null) {
this.authnRequest = authnRequest;
}
this.doFederate = doFederate;
}
/**
* Processes <code>FSAuthnResponse</code>.
* @param authnResponse <code>FSAuthnResponse</code> objec to be processed
*/
"FSAssertionArtifactHandler.ProcessAuthnResponse: Called");
this.authnResponse = authnResponse;
// Call SP adapter SPI
+ " Invokde spAdapter.preSSOFederationProcess");
}
try {
} catch (Exception e) {
// log run time exception in Adapter
// implementation, continue
" SPAdapter.preSSOFederationSuccess", e);
}
}
null,
baseURL);
{
this.relayState =
if ((this.relayState == null) ||
{
this.relayState =
}
}
try {
if (authnResponse == null) {
ssoToken);
+ "processAuthnResponse: "
+ " AuthnRequest Processing Failed at the IDP "
+ "Redirecting to the Framed Login Page");
return;
}
"FSAssertionArtifactHandler.doPost:Received " +
}
if (!valid) {
// clean request map
{ authnResponse.toXMLString() };
ssoToken);
+ " processAuthnResponse: "
+ " AuthnRequest Processing Failed at the IDP"
+ " Redirecting to the Framed Login Page");
{
}
return;
}
// check Assertion
if (validSubject == null) {
ssoToken);
+ "processAuthnResponse: "
+ " AuthnRequest Processing Failed at the IDP"
+ " Redirecting to the Framed Login Page");
return;
}
if (doFederate){
"processAuthnResponse: Initiate Account Federation");
}
"FSAssertionArtifactHandler.processAuthnResponse:" +
" IDPProvided NameIdentifier is null");
}
}
+ "processAuthnResponse: Account federation"
+ " successful");
}
return;
} else {
"AccountFederationFailed")};
data,
ssoToken);
+ "processAuthnResponse: " +
+ " AuthnRequest Processing Failed at the IDP"
+ " Redirecting to the Framed Login Page");
{
}
}
} else {
}
} else {
+ "processAuthnResponse: Initiate SingleSign-On");
}
//check for SPProvidedNameIdentifier
"FSAssertionArtifactHandler.processAuthnResponse:" +
" IDPProvided NameIdentifier is null");
}
}
ssoToken);
+ " processAuthnResponse: "
+ " AuthnRequest Processing Failed at the IDP"
+ " Redirecting to the Framed Login Page");
return;
}
int handleType;
ssoToken);
+ "processAuthnResponse: "
+ " AuthnRequest Processing Failed at the IDP"
+ " Redirecting to the Framed Login Page");
return;
}
} else {
}
int returnCode =
+ "processAuthnResponse: Accountfederation successful");
}
if (isIDPProxyEnabled(requestID)) {
return;
}
ssoToken);
"ArtifactHandler.notfederated, postSSO");
+ " Invoke spAdapter.postSSOFederationSuccess");
}
try {
{
// return if the SP spi redirection happened
return;
}
} catch (Exception e) {
// log run time exception in Adapter
// implementation, continue
+ " SPAdapter.postSSOFederationSuccess:", e);
}
}
redirectToResource(this.relayState);
return;
} else {
ssoToken);
+ "processAuthnResponse: "
+ " AuthnRequest Processing Failed at the IDP"
+ " Redirecting to the Framed Login Page");
{
}
return;
}
}
} catch(Exception e){
+ "processAuthnResponse: Exception Occured: ", e);
try {
+ "processAuthnResponse: "
+ " AuthnRequest Processing Failed at the IDP"
+ " Redirecting to the Framed Login Page");
} catch(IOException ioe){
+ "processAuthnResponse: IOException Occured: ", ioe);
return;
}
return;
}
}
"FSAssertionArtifactHandler.verifyResponseStatus: Called");
// check status of the AuthnResponse
{
+ "Incorrect StatusCode value.");
return false;
}
+ "StatusCode value verified.");
}
return true;
}
"FSAssertionArtifactHandler.validateAssertions: Called");
// loop to check assertions
//check for valid AuthnRequest correspondence
{
+ "validateAssertion:"
+ " assertion does not correspond to any valid request");
return null;
}
if (FSServiceUtils.isSigningOn()){
if (!verifyAssertionSignature(assertion)) {
+ "validateAssertion:"
+ " assertion signature verification failed");
return null;
}
}
+ "validateAssertion: Assertion signature verified");
}
// make sure it's not being used
"FSAssertionArtifactHandler.validateAssertion: Assertion: "
+ aIDString + " is used");
return null;
}
// check issuer of the assertions
try {
if (idpEntityId != null) {
+ "validateAssertion: "
+ "Assertion issuer is not the entity where "
+ "AuthnRequest was sent originally.");
return null;
}
} else {
+ "validateAssertion: "
+ "Assertion issuer is: " + issuer);
+ "validateAssertion:"
+ " Assertion issuer is not on the trust list");
return null;
}
}
+ "validateAssertion: "
+ "Assertion issuer is not on the trust list");
return null;
}
// must be valid(timewise)
if (!assertion.isTimeValid()) {
"FSAssertionArtifactHandler.validateAssertion:"
+ " Assertion's time is not valid.");
return null;
}
// TODO: IssuerInstant of the assertion is within a few minutes
// This is a MAY in spec. Which number to use for the few minutes?
// if present, target of the assertions must == local server IP
if (!forThisServer(conds)) {
+ "validateAssertion: "
+ "assertion is not issued for this site.");
return null;
}
//for each assertion, loop to check each statement
boolean authnStatementFound = false;
authnStatementFound = true;
try {
"FSAssertionArtifactHandler."
+ "validateAssertion: "
+ "validating AuthenticationStatement:"
+ authStatement.toXMLString());
}
} catch(FSException e){
+ "validateAssertion: Exception. "
+ "Invalid AuthenticationStatement: ", e);
return null;
}
//check ReauthenticateOnOrAfter
//process SessionIndex
+ "validateAssertion: Subject is null");
return null;
} else {
try {
"FSAssertionArtifactHandler."
+ "validateAssertion: "
+ "found Authentication Statement. "
+ "Subject = "
+ subject.toXMLString());
}
} catch(FSException e){
"FSAssertionArtifactHandler."
+ "validateAssertion: "
+ " Exception. Invalid subject: ", e);
continue;
}
}
// ConfirmationMethod of each subject must be set to
//bearer
if (((subConf =
((confMethods =
{
+ "validateAssertion: "
+ "missing or extra ConfirmationMethod.");
return null;
}
if (((confMethod =
!((confMethod.equals(
{
+ "validateAssertion: wrong "
+ "ConfirmationMethod");
return null;
}
+ "validateAssertion: Confirmation method: "
+ confMethod);
}
if (!checkForAttributeStatement(attrStatement)) {
}
}
}
}
if (!authnStatementFound){
+ "validateAssertion: "
+ "No Authentication statement found in the Assertion. "
+ "User is not authenticated by the IDP");
}
return null;
}
+ "validateAssertion: Adding "
+ " to idTimeMap.");
}
// add the assertion to idTimeMap
} else {
// it doesn't matter what we store for the value.
}
}
+ " couldn't find Subject.");
return null;
}
return subject;
}
/**
* Checks the attribute statement for boot strap statement or auto fed
* attribute statement.
* @param attrStatement AttributeStatement.
* @return true if the <code>AttributeStatement</code> is of type
* discovery boot strap or the auto federation statement.
*/
private boolean checkForAttributeStatement(
return false;
}
{
return true;
{
try {
} catch (SAMLException se) {
"AttributeStatement: ", se);
}
}
_autoFedValue != null)
{
autoFedSearchMap = new HashMap();
set);
}
return true;
}
return false;
}
"FSAssertionArtifactHandler.verifyAssertionSignature: Called");
try {
+ "verifyAssertionSignature: Assertion is not signed");
}
return false;
}
idpDescriptor, idpEntityId, true);
+ "verifyAssertionSignature: couldn't obtain "
+ "this site's cert.");
}
throw new SAMLResponderException(
}
if (authnResponse != null) {
"verifyAssertionSignature: xml string to be verified:" +
}
return manager.verifyXMLSignature(
} else if(samlResponseElt != null) {
"verifyAssertionSignature: xml string to be verified:" +
}
return manager.verifyXMLSignature(
} else {
return false;
}
} catch(Exception e){
+ "verifyAssertionSignature: "
+ "Exception occured while verifying IDP's signature:", e);
return false;
}
}
"FSAssertionArtifactHandler.forThisServer: Called");
(hostEntityId == null) ||
{
return true;
}
return true;
}
boolean forThis = false;
forThis = true;
+ "forThisServer: Assertion is validated to be"
+ "for this server");
}
break;
}
}
return forThis;
}
protected int generateToken(
int handleType,
)
{
"FSAssertionArtifactHandler.generateToken: Called");
+ "generateToken: Invalid userDN input");
return FederationSPAdapter.SSO_FAILED;
}
try {
}
+ "generateToken: Trying to get userDN for opaqueHandle= "
+ name
+ " ,securityDomain= "
+ " And HandleType="
+ handleType);
}
}
fedInfo = new FSAccountFedInfo(
fedInfo.setAffiliation(true);
} else {
"FSAssertionArtifactHandler.generateToken: " +
"Can't dereference handle. fedKey=" +
return FederationSPAdapter.
}
} else {
// Check if there is any 6.2 format?
idpEntityId, name);
// rewrite it.
}
}
fedInfo = new FSAccountFedInfo(
true);
} else {
"FSAssertionArtifactHandler." +
"generateToken: Can't dereference handle.");
return FederationSPAdapter.
}
} else {
if (enabledStr != null &&
{
new FSAccountFedInfoKey(
hostEntityId, name);
fedInfo =
new FSAccountFedInfo(
null,
ni,
true);
} else {
"FSAssertionArtifactHandler. " +
"generateToken:" +
"Can't dereference handle.");
return
}
} else {
"FSAssertionArtifactHandler." +
"generateToken: Can't dereference handle.");
return FederationSPAdapter.
}
}
} else {
"generateToken: Can't dereference handle.");
return FederationSPAdapter.
}
}
} else {
if (affiliationID != null) {
} else {
}
"FSAssertionArtifactHandler.generateToken: "
+ "User's account is not federated, id=" + userID);
return
}
}
//get AuthnLevel from authnContext
int authnLevel = 0;
if (authnContextStmt != null &&
{
if (authnContextClassRef != null &&
{
+ "generateToken: AuthnContextClassRef "
+ "found in AuthenticationStatement:"
}
if (authnContextInfo != null){
} else {
+ "generateToken: Could not find "
+ "AuthnContextClassInfo for authnContextClassRef: "
+ "Using default authnContextClass");
}
}
} else {
"FSAssertionArtifactHandler.generateToken: " +
"Could not find AuthnContextClassRef in the " +
"AuthenticationStatement. Using default authnContextClass");
}
if (authnContextClassRef == null ||
{
if (authnContextInfo != null){
} else {
+ "generateToken: Could not find authentication level "
+ "for default authentication context class");
return FederationSPAdapter.SSO_FAILED;
}
}
//valueMap.put("resourceOffering",
//valueMap.put("securityToken",
try {
new StringBuffer(this.relayState));
} catch (SessionException se) {
+ "cannot generate token:", se);
{
} else {
}
return failureCode;
}
try {
} catch (Exception e) {
"FSAssertionArtifactHandler.generateToken:" +
"Couldn't add listener to session:", e);
}
}
//Set fed cookie
}
//keep local session ref
+ "generateToken: An Existing session found for userID:"
+ " Adding partner to the Session");
}
idpEntityId, true));
} else {
+ "generateToken: No existing session found for userID:"
+ " Creating a new Session");
}
idpEntityId, true));
if (idpSessionIndex != null){
}
}
// keep authncontext in FSSession.
if (authnContextClassRef != null) {
}
}
// keep the attr statement in FSSession.
if (bootStrapStatement != null) {
}
if (_autoFedStatement != null) {
}
if (realmAttributeMapper != null) {
} else if (attributeMapper != null) {
}
"generateToken: Attribute map :" + attributeMap);
}
if (attributeMap != null) {
}
}
if (securityAssertions != null) {
}
return FederationSPAdapter.SUCCESS;
} catch(Exception e) {
+ "Exception Occured ", e );
return FederationSPAdapter.SSO_FAILED;
}
}
protected void processSAMLRequest() {
}
protected int doSingleSignOn(
int handleType,
)
{
"FSAssertionArtifactHandler.doSingleSignOn: Called");
ssoToken);
}
return returnCode;
}
}
"FSAssertionArtifactHandler.doAccountFederation:Called");
"FSAssertionArtifactHandler.doAccountFederation:" +
return FederationSPAdapter.FEDERATION_FAILED;
}
try {
} catch (SessionException se) {
"FSAssertionArtifactHandler.doAccountFederation: " +
"Couldn't obtain session provider:", se);
return FederationSPAdapter.
}
try {
+ "doAccountFederation: couldn't obtain session from "
+ "cookie");
}
}
} catch(SessionException se) {
+ "doAccountFederation: exception when getting session "
+ "from cookie:");
}
}
// try URL rewriting
/*
String cookieRewriteEnabled = SystemConfigurationUtil.getProperty(
"com.sun.identity.cookieRewritingInPath", "false");
if (Boolean.valueOf(cookieRewriteEnabled).booleanValue()
&& ssoToken == null)
if (Boolean.valueOf(cookieRewriteEnabled).booleanValue()
&& (ssoToken == null)) {
try {
sessionManager = FSSessionManager.getInstance(hostMetaAlias);
ssoToken = sessionManager.getLocalSessionToken(
authnRequest.getRequestID());
if ((ssoToken == null) ||(!sessionProvider.isValid(ssoToken))) {
FSUtils.debug.error("FSAssertionArtifactHandler."
+ "doAccountFederation: "
+ FSUtils.bundle.getString("failGenerateSSOToken"));
String[] data =
{ FSUtils.bundle.getString("failGenerateSSOToken") };
LogUtil.error(
Level.INFO,LogUtil.FAILED_SSO_TOKEN_GENERATION, data);
return FederationSPAdapter.
FEDERATION_FAILED_SSO_TOKEN_GENERATION;
}
this.relayState = sessionProvider.rewriteURL(
ssoToken, this.relayState);
request.setAttribute(
SystemConfigurationUtil.getProperty(
"com.iplanet.am.cookie.name"),
sessionProvider.getSessionID(ssoToken));
} catch (Exception ex) {
FSUtils.debug.error("FSAssertionArtifactHandler."
+ "doAccountFederation: "
+ FSUtils.bundle.getString("failGenerateSSOToken"), ex);
String[] data =
{ FSUtils.bundle.getString("failGenerateSSOToken") };
LogUtil.error(
Level.INFO,LogUtil.FAILED_SSO_TOKEN_GENERATION, data);
return FederationSPAdapter.
FEDERATION_FAILED_SSO_TOKEN_GENERATION;
}
}
*/
{
try {
} catch (SessionException se) {
{
} else {
}
return failureCode;
}
}
"FSAssertionArtifactHandler.doAccountFederation:"
+ "Account federation failed. Invalid session");
}
try {
}
if (affiliationID != null) {
accountInfo.setAffiliation(true);
} else {
}
if (nameIDPolicy == null ||
{
}
//keep local session ref
if (sessionManager == null) {
}
+ "doAccountFederation: No existing session found "
+ " for userID:"
+ " Creating a new Session");
}
new FSSessionPartner(idpEntityId, true));
} else {
+ "doAccountFederation: An Existing session found"
+ "for userID:"
+ " Adding partner to the Session");
}
new FSSessionPartner(idpEntityId, true));
if (idpSessionIndex != null){
}
}
if (nameIDPolicy != null &&
{
session.setOneTime(true);
}
if (authnContextStmt != null) {
}
if ((authnContextClassRef == null) ||
{
}
if (authnContextClassRef != null) {
}
if (bootStrapStatement != null) {
}
if (realmAttributeMapper != null) {
} else if (attributeMapper != null) {
}
"generateToken: Attribute map :" + attributeMap);
}
if (attributeMap != null) {
}
}
if (securityAssertions != null) {
}
"FSAssertionArtifactHandler.doAccountFederation:"
}
ssoToken);
//Set fed cookie
if (nameIDPolicy == null ||
{
}
}
//Name registration
// comment it out for now as the spec doesn't mendate this.
/*
try {
// get if need name registration from sp extended meta
String indicator = IDFFMetaUtils.getFirstAttributeValueFromConfig(
hostConfig, IFSConstants.ENABLE_REGISTRATION_AFTER_SSO);
if (indicator != null && indicator.equalsIgnoreCase("true")) {
FSServiceManager serviceManager =
FSServiceManager.getInstance();
FSNameRegistrationHandler handlerObj =
serviceManager.getNameRegistrationHandler(
realm,
idpEntityId,
IFSConstants.IDP);
if (handlerObj != null) {
handlerObj.setHostedDescriptor(hostDesc);
handlerObj.setHostedDescriptorConfig(hostConfig);
handlerObj.setHostedEntityId(hostEntityId);
handlerObj.setMetaAlias(hostMetaAlias);
handlerObj.setAccountInfo(accountInfo);
handlerObj.handleRegistrationAfterFederation(
this.relayState, response);
}
if (!FSServieUtils.isRegisProfileSOAP(
sessionProvider.getPrincipalName(ssoToken),
idpEntityId,
idpDescriptor,
hostMetaAlias,
hostDesc))
{
return FederationSPAdapter.SUCCESS;
}
}
} catch (SessionException se) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("doAccountFederation: exception:", se);
}
}
*/
// Call SP adapter
try {
{
// return true if service provider SPI redirection happened
return FederationSPAdapter.SUCCESS;
}
} catch (Exception e) {
// log run time exception in Adapter
// implementation, continue
+ " SPAdapter.postSSOFederationSuccess", e);
}
}
try {
redirectToResource(this.relayState);
return FederationSPAdapter.SUCCESS;
} catch(Exception e){
return FederationSPAdapter.FEDERATION_FAILED;
}
}
/**
* Generates an anonymous token for onetime case.
*/
throws SessionException
{
try {
// default auth level to "0" for anonymous
new StringBuffer(this.relayState));
try {
} catch (Exception e) {
"FSAssertionArtifactHandler.generateAnonymousToken:" +
"Couldn't add listener to session:", e);
}
return ssoSession;
} catch (SessionException se) {
"FSAssertionArtifactHandler.genAnonymousToken failed.", se);
throw se;
"FSAssertionArtifactHandler.generateAnonymousToken failed.", ae);
return null;
}
}
"FSBrowserArtifactConsumerHandler.getInResponseToRequest: Called");
}
"FSAssertionArtifactHandler.getProvider: Called");
}
/**
* Sets <code>IDP</code> provider descriptor.
* @param idpDescriptor identity provider descriptor.
*/
this.idpDescriptor = idpDescriptor;
}
/**
* Sets <code>IDP</code> provider entity ID.
* @param idpEntityId identity provider entity id.
*/
this.idpEntityId = idpEntityId;
}
/**
* Gets <code>AuthInstant</code>.
* @return <code>AuthInstant</code> in UTC date format.
*/
}
/**
* Checks if the proxying is enabled. It will be checking if the proxy
* service provider descriptor is set in the session manager for the
* specific request ID.
* @param requestID authentication request id which is created by the
* proxying IDP to the authenticating IDP.
* @return true if the proxying is enabled.
*/
}
/**
* Sends the proxy authentication response to the proxying service
* provider which has originally requested for the authentication.
* @param requestID authnRequest id that is sent to the authenticating
* Identity Provider.
*/
try {
"toString(): Failed.", ex);
}
}
+ ":Original requesting service provider id:"
+ proxySPEntityId);
}
if (authnContextStmt != null) {
}
proxySPEntityId, false));
}
}
}
try {
} catch (Exception e) {
+ "Couldn't obtain proxy sp meta:", e);
}
try {
} catch (Exception e) {
+ "Exception when obtaining local idp meta:", e);
}
}
/**
* Sets the attribute map to the Single sign on token.
*/
"Map: Attribute map is empty");
}
return;
}
" Attribute map that will be populated to ssotoken:" +
}
try {
}
} catch (Exception e) {
"FSAssertionArtifactHandler.setAttributeMap:" +
"Cannot set attributes to session:", e);
}
}
}
private void setAttributeMapper() {
try {
mapperStr).newInstance();
if (mapperClass instanceof FSRealmAttributeMapper) {
} else if (mapperClass instanceof FSAttributeMapper) {
}
} catch (Exception e) {
"FSAssertionArtifactHandler.getAttributeMapper:", e);
}
}
}
}