a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster/**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * opensso/legal/CDDLv1.0.txt
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * at opensso/legal/CDDLv1.0.txt.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: DefaultLibrarySPAccountMapper.java,v 1.12 2009/03/12 20:34:45 huacui Exp $
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major/**
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major * Portions Copyrighted 2013 ForgeRock, Inc.
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterpackage com.sun.identity.saml2.plugins;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.security.PrivateKey;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.Map;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.HashMap;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.Set;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.HashSet;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.ArrayList;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.List;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.Iterator;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.datastore.DataStoreProviderException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Attribute;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.AttributeStatement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Assertion;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.EncryptedAttribute;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.EncryptedID;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.NameID;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Exception;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Constants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Utils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.key.KeyUtil;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster/**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This class <code>DefaultLibrarySPAccountMapper</code> is the default
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * implementation of the <code>SPAccountMapper</code> that is used
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * to map the <code>SAML</code> protocol objects to the user accounts.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * at the <code>ServiceProvider</code> side of SAML v2 plugin.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Custom implementations may extend from this class to override some
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of these implementations if they choose to do so.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterpublic class DefaultLibrarySPAccountMapper extends DefaultAccountMapper
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster implements SPAccountMapper {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private PrivateKey decryptionKey = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Default constructor
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public DefaultLibrarySPAccountMapper() {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DefaultLibrarySPAccountMapper.constructor: ");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster role = SP;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns the user's disntinguished name or the universal ID for the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * corresponding <code>SAML</code> <code>Assertion</code>. This method
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * will be invoked by the <code>SAML</code> framework while processing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the <code>Assertion</code> and retrieves the identity information.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The implementation of this method first checks if the nameid format
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * is transient and returns the transient user. Otherwise it checks for
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the user for the corresponding name identifier in the assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If not found, then it will check if this is an auto federation case.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param assertion <code>SAML</code> <code>Assertion</code> that needs
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * to be mapped to the user.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostEntityID <code>EntityID</code> of the hosted provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm realm or the organization name that may be used to find
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the user information.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return user's disntinguished name or the universal ID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception SAML2Exception if any failure.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public String getIdentity(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Assertion assertion,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String hostEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(assertion == null) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullAssertion"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(hostEntityID == null) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullHostEntityID"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(realm == null) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullRealm"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameID nameID = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster EncryptedID encryptedID = assertion.getSubject().getEncryptedID();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(encryptedID != null) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster decryptionKey = KeyUtil.getDecryptionKey(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.getSAML2MetaManager().
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster getSPSSOConfig(realm, hostEntityID));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster nameID = encryptedID.decrypt(decryptionKey);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster nameID = assertion.getSubject().getNameID();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String userID = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String format = nameID.getFormat();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean transientFormat = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(format != null &&
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster format.equals(SAML2Constants.NAMEID_TRANSIENT_FORMAT)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster transientFormat = true;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster userID = getTransientUser(realm, hostEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if((userID != null) && (userID.length() != 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return userID;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(!transientFormat) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String remoteEntityID = assertion.getIssuer().getValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "DefaultLibrarySPAccountMapper.getIdentity(Assertion):" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " realm = " + realm + " hostEntityID = " + hostEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster userID = dsProvider.getUserID(realm, SAML2Utils.getNameIDKeyMap(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster nameID, hostEntityID, remoteEntityID, realm, role));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch(DataStoreProviderException dse) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.error(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "DefaultLibrarySPAccountMapper.getIdentity(Assertion): " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "DataStoreProviderException", dse);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(dse.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (userID != null) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return userID;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Check if this is an auto federation case.
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major userID = getAutoFedUser(realm, hostEntityID, assertion, nameID.getValue());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((userID != null) && (userID.length() != 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return userID;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else {
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major if (useNameIDAsSPUserID(realm, hostEntityID) && ! isAutoFedEnabled(realm, hostEntityID)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DefaultLibrarySPAccountMapper.getIdentity:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " use NameID value as userID: " + nameID.getValue());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return nameID.getValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns the transient user configured in the hosted entity
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * configuration.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm realm name for the given entity.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param entityID hosted <code>EntityID</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the transient user id configured in entity configuration.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * null if not configured or failed for any reason.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected String getTransientUser(String realm, String entityID) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return getAttribute(realm, entityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.TRANSIENT_FED_USER);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major private boolean useNameIDAsSPUserID(String realm, String entityID) {
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major return Boolean.valueOf(getAttribute(realm, entityID, SAML2Constants.USE_NAMEID_AS_SP_USERID));
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major }
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major private boolean isAutoFedEnabled(String realm, String entityID) {
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major return Boolean.valueOf(getAttribute(realm, entityID, SAML2Constants.AUTO_FED_ENABLED));
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major }
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns user for the auto federate attribute.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm realm name.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param entityID hosted <code>EntityID</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param assertion <code>Assertion</code> from the identity provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return auto federation mapped user from the assertion
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * auto federation <code>AttributeStatement</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * null if the statement does not have the auto federation
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * attribute.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major protected String getAutoFedUser(String realm, String entityID, Assertion assertion, String decryptedNameID)
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major List<AttributeStatement> attributeStatements = assertion.getAttributeStatements();
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major if(attributeStatements == null || attributeStatements.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Assertion does not have attribute statements.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major if (!isAutoFedEnabled(realm, entityID)) {
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major if (debug.messageEnabled()) {
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Auto federation is disabled.");
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major }
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major return null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String autoFedAttribute = getAttribute(realm, entityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.AUTO_FED_ATTRIBUTE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(autoFedAttribute == null || autoFedAttribute.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Auto federation attribute is not configured.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major Set<String> autoFedAttributeValue = null;
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major for (AttributeStatement statement : attributeStatements) {
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major autoFedAttributeValue = getAttribute(statement, autoFedAttribute, realm, entityID);
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major if (autoFedAttributeValue != null && !autoFedAttributeValue.isEmpty()) {
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major break;
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major if (autoFedAttributeValue == null || autoFedAttributeValue.isEmpty()) {
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major if (debug.messageEnabled()) {
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Auto federation attribute is not specified "
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major + "as an attribute.");
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major }
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major if (!useNameIDAsSPUserID(realm, entityID)) {
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major return null;
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major } else {
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major if (debug.messageEnabled()) {
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Trying now to autofederate with nameID, "
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major + "nameID =" + decryptedNameID);
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major }
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major autoFedAttributeValue = new HashSet<String>(1);
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major autoFedAttributeValue.add(decryptedNameID);
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster DefaultSPAttributeMapper attributeMapper =
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new DefaultSPAttributeMapper();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map attributeMap = attributeMapper.getConfigAttributeMap(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster realm, entityID, SP);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(attributeMap == null || attributeMap.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "attribute map is not configured.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String autoFedMapAttribute = (String)attributeMap.get(autoFedAttribute);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(autoFedMapAttribute == null) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Auto federation attribute map is not specified in config.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // assume it is the same as the auto fed attribute name
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster autoFedMapAttribute = autoFedAttribute;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map map = new HashMap();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster map.put(autoFedMapAttribute, autoFedAttributeValue);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Search map: " + map);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String userId = dsProvider.getUserID(realm, map);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (userId != null && userId.length() != 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return userId;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check dynamic profile creation or ignore profile, if enabled,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // return auto-federation attribute value as uid
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (isDynamicalOrIgnoredProfile(realm)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "DefaultLibrarySPAccountMapper: dynamical user " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "creation or ignore profile enabled : uid="
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + autoFedAttributeValue);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // return the first value as uid
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return (String) autoFedAttributeValue.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster iterator().next();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch (DataStoreProviderException dse) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(debug.warningEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.warning("DefaultLibrarySPAccountMapper.getAutoFedUser: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Datastore provider exception", dse);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Checks if dynamical profile creation or ignore profile is enabled.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm realm to check the dynamical profile creation attributes.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if dynamical profile creation or ignore profile is enabled,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * false otherwise.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected boolean isDynamicalOrIgnoredProfile(String realm) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return true;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns the attribute name.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private Set getAttribute(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AttributeStatement statement,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String attributeName,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String hostEntityID)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "DefaultLibrarySPAccountMapper.getAttribute: attribute" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Name =" + attributeName);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check it if the attribute needs to be encrypted?
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List list = statement.getAttribute();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List encList = statement.getEncryptedAttribute();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (encList != null && encList.size() != 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // a new list to hold the union of clear and encrypted attributes
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List allList = new ArrayList();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (list != null && !list.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster allList.addAll(list);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster list = allList;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster for (Iterator encIter = encList.iterator(); encIter.hasNext();) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (decryptionKey == null) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster decryptionKey = KeyUtil.getDecryptionKey(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.getSAML2MetaManager().
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster getSPSSOConfig(realm, hostEntityID));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster list.add(((EncryptedAttribute) encIter.next()).
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster decrypt(decryptionKey));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch (SAML2Exception se) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.error("Decryption error:", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster for(Iterator iter=list.iterator(); iter.hasNext();) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Attribute attribute = (Attribute)iter.next();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(!attributeName.equalsIgnoreCase(attribute.getName())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster continue;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List values = attribute.getAttributeValueString();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(values == null || values.size() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Set set = new HashSet();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster set.addAll(values);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return set;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster}