DefaultLibrarySPAccountMapper.java revision c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: DefaultLibrarySPAccountMapper.java,v 1.12 2009/03/12 20:34:45 huacui Exp $
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major * Portions Copyrighted 2013 ForgeRock, Inc.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.datastore.DataStoreProviderException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Attribute;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.AttributeStatement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Assertion;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.EncryptedAttribute;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.EncryptedID;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Exception;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Constants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Utils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This class <code>DefaultLibrarySPAccountMapper</code> is the default
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * implementation of the <code>SPAccountMapper</code> that is used
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * to map the <code>SAML</code> protocol objects to the user accounts.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * at the <code>ServiceProvider</code> side of SAML v2 plugin.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Custom implementations may extend from this class to override some
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of these implementations if they choose to do so.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterpublic class DefaultLibrarySPAccountMapper extends DefaultAccountMapper
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Default constructor
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DefaultLibrarySPAccountMapper.constructor: ");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns the user's disntinguished name or the universal ID for the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * corresponding <code>SAML</code> <code>Assertion</code>. This method
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * will be invoked by the <code>SAML</code> framework while processing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the <code>Assertion</code> and retrieves the identity information.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The implementation of this method first checks if the nameid format
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * is transient and returns the transient user. Otherwise it checks for
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the user for the corresponding name identifier in the assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If not found, then it will check if this is an auto federation case.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param assertion <code>SAML</code> <code>Assertion</code> that needs
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * to be mapped to the user.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostEntityID <code>EntityID</code> of the hosted provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm realm or the organization name that may be used to find
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the user information.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return user's disntinguished name or the universal ID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception SAML2Exception if any failure.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullAssertion"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullHostEntityID"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullRealm"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster EncryptedID encryptedID = assertion.getSubject().getEncryptedID();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean transientFormat = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster format.equals(SAML2Constants.NAMEID_TRANSIENT_FORMAT)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster userID = getTransientUser(realm, hostEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if((userID != null) && (userID.length() != 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String remoteEntityID = assertion.getIssuer().getValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "DefaultLibrarySPAccountMapper.getIdentity(Assertion):" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " realm = " + realm + " hostEntityID = " + hostEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster userID = dsProvider.getUserID(realm, SAML2Utils.getNameIDKeyMap(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster nameID, hostEntityID, remoteEntityID, realm, role));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "DefaultLibrarySPAccountMapper.getIdentity(Assertion): " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Check if this is an auto federation case.
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major userID = getAutoFedUser(realm, hostEntityID, assertion, nameID.getValue());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((userID != null) && (userID.length() != 0)) {
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major if (useNameIDAsSPUserID(realm, hostEntityID) && ! isAutoFedEnabled(realm, hostEntityID)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DefaultLibrarySPAccountMapper.getIdentity:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " use NameID value as userID: " + nameID.getValue());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns the transient user configured in the hosted entity
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * configuration.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm realm name for the given entity.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param entityID hosted <code>EntityID</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the transient user id configured in entity configuration.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * null if not configured or failed for any reason.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected String getTransientUser(String realm, String entityID) {
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major private boolean useNameIDAsSPUserID(String realm, String entityID) {
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major return Boolean.valueOf(getAttribute(realm, entityID, SAML2Constants.USE_NAMEID_AS_SP_USERID));
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major private boolean isAutoFedEnabled(String realm, String entityID) {
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major return Boolean.valueOf(getAttribute(realm, entityID, SAML2Constants.AUTO_FED_ENABLED));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns user for the auto federate attribute.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm realm name.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param entityID hosted <code>EntityID</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param assertion <code>Assertion</code> from the identity provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return auto federation mapped user from the assertion
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * auto federation <code>AttributeStatement</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * null if the statement does not have the auto federation
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * attribute.
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major protected String getAutoFedUser(String realm, String entityID, Assertion assertion, String decryptedNameID)
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major List<AttributeStatement> attributeStatements = assertion.getAttributeStatements();
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major if(attributeStatements == null || attributeStatements.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Assertion does not have attribute statements.");
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Auto federation is disabled.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String autoFedAttribute = getAttribute(realm, entityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(autoFedAttribute == null || autoFedAttribute.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Auto federation attribute is not configured.");
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major for (AttributeStatement statement : attributeStatements) {
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major autoFedAttributeValue = getAttribute(statement, autoFedAttribute, realm, entityID);
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major if (autoFedAttributeValue != null && !autoFedAttributeValue.isEmpty()) {
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major if (autoFedAttributeValue == null || autoFedAttributeValue.isEmpty()) {
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Auto federation attribute is not specified "
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major + "as an attribute.");
c69d65cfa0d6a6aa71407ec342c0f677ad46ebe6Peter Major debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: Trying now to autofederate with nameID, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map attributeMap = attributeMapper.getConfigAttributeMap(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(attributeMap == null || attributeMap.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "attribute map is not configured.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String autoFedMapAttribute = (String)attributeMap.get(autoFedAttribute);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Auto federation attribute map is not specified in config.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // assume it is the same as the auto fed attribute name
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster map.put(autoFedMapAttribute, autoFedAttributeValue);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DefaultLibrarySPAccountMapper.getAutoFedUser: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String userId = dsProvider.getUserID(realm, map);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check dynamic profile creation or ignore profile, if enabled,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // return auto-federation attribute value as uid
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "DefaultLibrarySPAccountMapper: dynamical user " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "creation or ignore profile enabled : uid="
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // return the first value as uid
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.warning("DefaultLibrarySPAccountMapper.getAutoFedUser: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Checks if dynamical profile creation or ignore profile is enabled.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm realm to check the dynamical profile creation attributes.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if dynamical profile creation or ignore profile is enabled,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * false otherwise.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected boolean isDynamicalOrIgnoredProfile(String realm) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return true;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns the attribute name.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "DefaultLibrarySPAccountMapper.getAttribute: attribute" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check it if the attribute needs to be encrypted?
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List encList = statement.getEncryptedAttribute();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // a new list to hold the union of clear and encrypted attributes
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster for (Iterator encIter = encList.iterator(); encIter.hasNext();) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster list.add(((EncryptedAttribute) encIter.next()).
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster for(Iterator iter=list.iterator(); iter.hasNext();) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(!attributeName.equalsIgnoreCase(attribute.getName())) {