/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: DefaultLibrarySPAccountMapper.java,v 1.12 2009/03/12 20:34:45 huacui Exp $
*
* Portions Copyrighted 2013-2015 ForgeRock AS.
*/
/**
* This class <code>DefaultLibrarySPAccountMapper</code> is the default implementation of the
* <code>SPAccountMapper</code> that is used to map the <code>SAML</code> protocol objects to the user accounts at the
* <code>ServiceProvider</code> side of SAML v2 plugin.
* Custom implementations may extend from this class to override some of these implementations if they choose to do so.
*/
public class DefaultLibrarySPAccountMapper extends DefaultAccountMapper implements SPAccountMapper {
/**
* Default constructor
*/
public DefaultLibrarySPAccountMapper() {
}
/**
* Returns the user's distinguished name or the universal ID for the corresponding <code>SAML Assertion</code>. This
* method will be invoked by the <code>SAML</code> framework while processing the <code>Assertion</code> and
* retrieves the identity information.
* The implementation of this method first checks if the NameID-Format is transient and returns the transient user.
* Otherwise it checks for the user for the corresponding name identifier in the assertion.
* If not found, then it will check if this is an auto federation case.
*
* @param assertion <code>SAML Assertion</code> that needs to be mapped to the user.
* @param hostEntityID <code>EntityID</code> of the hosted provider.
* @param realm Realm or the organization name that may be used to find the user information.
* @return User's distinguished name or the universal ID.
* @throws SAML2Exception If there was any failure.
*/
public String getIdentity(Assertion assertion, String hostEntityID, String realm) throws SAML2Exception {
}
if (hostEntityID == null) {
}
}
if (encryptedID != null) {
} else {
}
if (isTransient) {
}
return userID;
}
// Check if this is an auto federation case.
return userID;
} else {
if (debug.messageEnabled()) {
}
} else {
return null;
}
}
}
}
/**
* Returns the transient user configured in the hosted entity configuration.
*
* @param realm Realm name for the given entity.
* @param entityID Hosted <code>EntityID</code>.
* @return The transient user id configured in entity configuration, or null if not configured or failed for any
* reason.
*/
}
}
}
/**
* Returns user for the auto federate attribute.
*
* @param realm Realm name.
* @param entityID Hosted <code>EntityID</code>.
* @param assertion <code>Assertion</code> from the identity provider.
* @return Auto federation mapped user from the assertion auto federation <code>AttributeStatement</code>. if the
* statement does not have the auto federation attribute then the NameID value will be used if use NameID as SP user
* ID is enabled, otherwise null.
*/
protected String getAutoFedUser(String realm, String entityID, Assertion assertion, String decryptedNameID,
if (debug.messageEnabled()) {
}
return null;
}
"Auto federation is enabled but the auto federation attribute is not configured.");
return null;
}
if (debug.messageEnabled()) {
+ autoFedAttribute);
}
if (debug.messageEnabled()) {
"Assertion does not have any attribute statements.");
}
} else {
if (debug.messageEnabled()) {
"Found auto federation attribute value in Assertion: " + autoFedAttributeValue);
}
break;
}
}
}
if (debug.messageEnabled()) {
debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Auto federation attribute is not specified"
+ " as an attribute.");
}
if (debug.messageEnabled()) {
}
return null;
} else {
if (debug.messageEnabled()) {
debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Trying now to autofederate with nameID"
+ ", nameID =" + decryptedNameID);
}
}
}
if(debug.messageEnabled()) {
}
} else {
}
if (autoFedMapAttribute == null) {
if (debug.messageEnabled()) {
"Auto federation attribute map is not specified in config.");
}
// assume it is the same as the auto fed attribute name
}
try {
if (debug.messageEnabled()) {
}
return userId;
} else {
// check dynamic profile creation or ignore profile, if enabled,
// return auto-federation attribute value as uid
if (isDynamicalOrIgnoredProfile(realm)) {
if (debug.messageEnabled()) {
"enabled : uid=" + autoFedAttributeValue);
}
// return the first value as uid
}
}
} catch (DataStoreProviderException dse) {
if (debug.warningEnabled()) {
}
}
return null;
}
/**
* Checks if dynamical profile creation or ignore profile is enabled.
*
* @param realm Realm to check the dynamical profile creation attributes.
* @return <code>true</code> if dynamical profile creation or ignore profile is enabled, <code>false</code>
* otherwise.
*/
return true;
}
if (debug.messageEnabled()) {
}
// check it if the attribute needs to be encrypted?
// a new list to hold the union of clear and encrypted attributes
}
try {
} catch (SAML2Exception se) {
return null;
}
}
}
continue;
}
return null;
}
}
return null;
}
}