a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: DefaultLibrarySPAccountMapper.java,v 1.12 2009/03/12 20:34:45 huacui Exp $
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper * Portions Copyrighted 2013-2015 ForgeRock AS.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.datastore.DataStoreProviderException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Attribute;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.AttributeStatement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Assertion;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.EncryptedAttribute;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.EncryptedID;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Exception;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Constants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Utils;
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Majorimport org.forgerock.openam.utils.CollectionUtils;
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * This class <code>DefaultLibrarySPAccountMapper</code> is the default implementation of the
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * <code>SPAccountMapper</code> that is used to map the <code>SAML</code> protocol objects to the user accounts at the
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * <code>ServiceProvider</code> side of SAML v2 plugin.
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * Custom implementations may extend from this class to override some of these implementations if they choose to do so.
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeperpublic class DefaultLibrarySPAccountMapper extends DefaultAccountMapper implements SPAccountMapper {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Default constructor
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DefaultLibrarySPAccountMapper.constructor: ");
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * Returns the user's distinguished name or the universal ID for the corresponding <code>SAML Assertion</code>. This
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * method will be invoked by the <code>SAML</code> framework while processing the <code>Assertion</code> and
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * retrieves the identity information.
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * The implementation of this method first checks if the NameID-Format is transient and returns the transient user.
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * Otherwise it checks for the user for the corresponding name identifier in the assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If not found, then it will check if this is an auto federation case.
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * @param assertion <code>SAML Assertion</code> that needs to be mapped to the user.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostEntityID <code>EntityID</code> of the hosted provider.
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * @param realm Realm or the organization name that may be used to find the user information.
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * @return User's distinguished name or the universal ID.
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * @throws SAML2Exception If there was any failure.
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major public String getIdentity(Assertion assertion, String hostEntityID, String realm) throws SAML2Exception {
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major throw new SAML2Exception(bundle.getString("nullAssertion"));
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major throw new SAML2Exception(bundle.getString("nullHostEntityID"));
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major throw new SAML2Exception(bundle.getString("nullRealm"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster EncryptedID encryptedID = assertion.getSubject().getEncryptedID();
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings decryptionKeys = KeyUtil.getDecryptionKeys(getSSOConfig(realm, hostEntityID));
07856bf23b706ef4e3654388d9ca26a720e0ad6aPeter Major boolean isTransient = SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(format);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Check if this is an auto federation case.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings userID = getAutoFedUser(realm, hostEntityID, assertion, nameID.getValue(), decryptionKeys);
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major if (useNameIDAsSPUserID(realm, hostEntityID) && !isAutoFedEnabled(realm, hostEntityID)) {
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major debug.message("DefaultLibrarySPAccountMapper.getIdentity: use NameID value as userID: "
07856bf23b706ef4e3654388d9ca26a720e0ad6aPeter Major public boolean shouldPersistNameIDFormat(String realm, String hostEntityID, String remoteEntityID,
07856bf23b706ef4e3654388d9ca26a720e0ad6aPeter Major return !Boolean.parseBoolean(SAML2Utils.getAttributeValueFromSSOConfig(realm, hostEntityID,
07856bf23b706ef4e3654388d9ca26a720e0ad6aPeter Major SAML2Constants.SP_ROLE, SAML2Constants.SP_DO_NOT_WRITE_FEDERATION_INFO));
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * Returns the transient user configured in the hosted entity configuration.
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * @param realm Realm name for the given entity.
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * @param entityID Hosted <code>EntityID</code>.
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * @return The transient user id configured in entity configuration, or null if not configured or failed for any
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected String getTransientUser(String realm, String entityID) {
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major return getAttribute(realm, entityID, SAML2Constants.TRANSIENT_FED_USER);
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major private boolean useNameIDAsSPUserID(String realm, String entityID) {
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major return Boolean.parseBoolean(getAttribute(realm, entityID, SAML2Constants.USE_NAMEID_AS_SP_USERID));
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major private boolean isAutoFedEnabled(String realm, String entityID) {
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major return Boolean.parseBoolean(getAttribute(realm, entityID, SAML2Constants.AUTO_FED_ENABLED));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns user for the auto federate attribute.
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * @param realm Realm name.
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * @param entityID Hosted <code>EntityID</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param assertion <code>Assertion</code> from the identity provider.
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * @return Auto federation mapped user from the assertion auto federation <code>AttributeStatement</code>. if the
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * statement does not have the auto federation attribute then the NameID value will be used if use NameID as SP user
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * ID is enabled, otherwise null.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings protected String getAutoFedUser(String realm, String entityID, Assertion assertion, String decryptedNameID,
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings Set<PrivateKey> decryptionKeys) throws SAML2Exception {
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Auto federation is disabled.");
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper String autoFedAttribute = getAttribute(realm, entityID, SAML2Constants.AUTO_FED_ATTRIBUTE);
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper if (autoFedAttribute == null || autoFedAttribute.isEmpty()) {
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper debug.error("DefaultLibrarySPAccountMapper.getAutoFedUser: " +
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper "Auto federation is enabled but the auto federation attribute is not configured.");
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Auto federation attribute is set to: "
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper List<AttributeStatement> attributeStatements = assertion.getAttributeStatements();
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper if (attributeStatements == null || attributeStatements.isEmpty()) {
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: " +
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper "Assertion does not have any attribute statements.");
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper for (AttributeStatement statement : attributeStatements) {
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings autoFedAttributeValue = getAttribute(statement, autoFedAttribute, decryptionKeys);
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper if (autoFedAttributeValue != null && !autoFedAttributeValue.isEmpty()) {
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: " +
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper "Found auto federation attribute value in Assertion: " + autoFedAttributeValue);
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major if (autoFedAttributeValue == null || autoFedAttributeValue.isEmpty()) {
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Auto federation attribute is not specified"
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper + " as an attribute.");
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: NameID as SP UserID was not enabled "
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper + " and auto federation attribute " + autoFedAttribute + " was not found in the Assertion");
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Trying now to autofederate with nameID"
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major autoFedAttributeValue = CollectionUtils.asSet(decryptedNameID);
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper DefaultSPAttributeMapper attributeMapper = new DefaultSPAttributeMapper();
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper Map<String, String> attributeMap = attributeMapper.getConfigAttributeMap(realm, entityID, SP);
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper if (attributeMap == null || attributeMap.isEmpty()) {
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: attribute map is not configured.");
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper autoFedMapAttribute = attributeMap.get(autoFedAttribute);
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: " +
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper "Auto federation attribute map is not specified in config.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // assume it is the same as the auto fed attribute name
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major Map<String, Set<String>> map = new HashMap<>(1);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster map.put(autoFedMapAttribute, autoFedAttributeValue);
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Search map: " + map);
07856bf23b706ef4e3654388d9ca26a720e0ad6aPeter Major String userId = dsProvider.getUserID(realm, map);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check dynamic profile creation or ignore profile, if enabled,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // return auto-federation attribute value as uid
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper debug.message("DefaultLibrarySPAccountMapper: dynamical user creation or ignore profile " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // return the first value as uid
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper return autoFedAttributeValue.iterator().next();
38b7b1c39dd6f4e59679a526311605fa5a04dc14Mark de Reeper debug.warning("DefaultLibrarySPAccountMapper.getAutoFedUser: Datastore provider exception", dse);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Checks if dynamical profile creation or ignore profile is enabled.
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * @param realm Realm to check the dynamical profile creation attributes.
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * @return <code>true</code> if dynamical profile creation or ignore profile is enabled, <code>false</code>
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major * otherwise.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected boolean isDynamicalOrIgnoredProfile(String realm) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return true;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings private Set<String> getAttribute(AttributeStatement statement, String attributeName,
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major debug.message("DefaultLibrarySPAccountMapper.getAttribute: attribute Name =" + attributeName);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check it if the attribute needs to be encrypted?
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major List<Attribute> list = statement.getAttribute();
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major List<EncryptedAttribute> encList = statement.getEncryptedAttribute();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // a new list to hold the union of clear and encrypted attributes
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major for (EncryptedAttribute encryptedAttribute : encList) {
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings list.add(encryptedAttribute.decrypt(decryptionKeys));
03796c5de88f33fc11651a032f0889c6c37d08f5Peter Major if (!attributeName.equalsIgnoreCase(attribute.getName())) {