 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 * You can obtain a copy of the License at
 * https://opensso.dev.java.net/public/CDDLv1.0.html or
 * See the License for the specific language governing
 * permission and limitations under the License.
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 * $Id: DefaultIDPAccountMapper.java,v 1.9 2008/11/10 22:57:02 veiming Exp $
 * Portions Copyrighted 2015 ForgeRock AS.
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkimport com.sun.identity.plugin.datastore.DataStoreProviderException;
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkimport com.sun.identity.plugin.session.SessionManager;
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkimport com.sun.identity.plugin.session.SessionProvider;
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkimport com.sun.identity.plugin.session.SessionException;
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkimport com.sun.identity.saml2.common.SAML2Exception;
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkimport com.sun.identity.saml2.common.SAML2Constants;
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkimport com.sun.identity.saml2.assertion.AssertionFactory;
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkimport com.sun.identity.saml2.profile.IDPSession;
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkimport com.sun.identity.saml2.profile.IDPSSOUtil;
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkimport com.sun.identity.saml2.profile.NameIDandSPpair;
 * This class <code>DefaultIDPAccountMapper</code> is the default implementation of the <code>IDPAccountMapper</code>
 * that is used to map the <code>SAML</code> protocol objects to the user accounts at the <code>IdentityProvider</code>
 * side of the SAML v2 plugin.
 * Custom implementations may extend this class to override some of these methods if they choose to do so.
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkpublic class DefaultIDPAccountMapper extends DefaultAccountMapper implements IDPAccountMapper {
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk debug.message("DefaultIDPAccountMapper.constructor");
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk public NameID getNameID(Object session, String hostEntityID, String remoteEntityID, String realm,
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk SessionProvider sessionProv = SessionManager.getProvider();
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSSOToken"));
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk if (nameIDFormat.equals(SAML2Constants.NAMEID_TRANSIENT_FORMAT)) {
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk String sessionIndex = IDPSSOUtil.getSessionIndex(session);
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk IDPSession idpSession = IDPCache.idpSessionsByIndices.get(sessionIndex);
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk List<NameIDandSPpair> list = idpSession.getNameIDandSPpairs();
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk if (pair.getSPEntityID().equals(remoteEntityID)) {
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk nameIDValue = getNameIDValueFromUserProfile(realm, hostEntityID, userID, nameIDFormat);
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk nameIDValue = SAML2Utils.createNameIdentifier();
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk nameIDValue = getNameIDValueFromUserProfile(realm, hostEntityID, userID, nameIDFormat);
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk if (nameIDFormat.equals(SAML2Constants.PERSISTENT)) {
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk nameIDValue = SAML2Utils.createNameIdentifier();
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk throw new SAML2Exception(bundle.getString("unableToGenerateNameIDValue"));
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk NameID nameID = AssertionFactory.getInstance().createNameID();
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk public String getIdentity(NameID nameID, String hostEntityID, String remoteEntityID, String realm)
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk throw new SAML2Exception(bundle.getString("nullHostEntityID"));
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk throw new SAML2Exception(bundle.getString("nullRemoteEntityID"));
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk throw new SAML2Exception(bundle.getString("nullRealm"));
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk debug.message("DefaultIDPAccountMapper.getIdentity: realm = " + realm + ", hostEntityID = " + hostEntityID
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk return dsProvider.getUserID(realm, SAML2Utils.getNameIDKeyMap(nameID, hostEntityID, remoteEntityID, realm,
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk debug.error("DefaultIDPAccountMapper.getIdentity(NameIDMappingRequest): ", dse);
 * {@inheritDoc}
 * This implementation first checks whether NameID persistence has been completely disabled at the IdP level
 * (idpDisableNameIDPersistence setting); if it has not, it then also consults the SP configuration
 * (spDoNotWriteFederationInfo setting).
 * @param realm {@inheritDoc}
 * @param hostEntityID {@inheritDoc}
 * @param remoteEntityID {@inheritDoc}
 * @param nameIDFormat {@inheritDoc}
 * @return {@inheritDoc}
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk public boolean shouldPersistNameIDFormat(String realm, String hostEntityID, String remoteEntityID,
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk final boolean disableNameIDPersistence = Boolean.parseBoolean(SAML2Utils.getAttributeValueFromSSOConfig(realm,
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk hostEntityID, SAML2Constants.IDP_ROLE, SAML2Constants.IDP_DISABLE_NAMEID_PERSISTENCE));
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk return false;
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk return !Boolean.parseBoolean(SAML2Utils.getAttributeValueFromSSOConfig(realm, remoteEntityID,
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk SAML2Constants.SP_ROLE, SAML2Constants.SP_DO_NOT_WRITE_FEDERATION_INFO));
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk protected String getNameIDValueFromUserProfile(String realm, String hostEntityID, String userID,
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk Map<String, String> formatAttrMap = getFormatAttributeMap(realm, hostEntityID);
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk String attrName = formatAttrMap.get(nameIDFormat);
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk Set<String> attrValues = dsProvider.getAttribute(userID, attrName);
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk if (attrValues != null && !attrValues.isEmpty()) {
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk debug.warning("DefaultIDPAccountMapper.getNameIDValueFromUserProfile:", dspe);
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk private Map<String, String> getFormatAttributeMap(String realm, String hostEntityID) {
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk Map<String, String> formatAttributeMap = IDPCache.formatAttributeHash.get(key);
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk List<String> values = SAML2Utils.getAllAttributeValueFromSSOConfig(realm, hostEntityID, role,
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk String format = value.substring(0, index).trim();
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk String attrName = value.substring(index + 1).trim();