a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: SAML2ServiceProviderAdapter.java,v 1.5 2008/08/19 19:11:15 veiming Exp $
a4544a5a0e622ef69e38641f87ab1b5685e05911Phill Cunnington * Portions Copyrighted 2013-2015 ForgeRock AS.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Exception;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.AuthnRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.LogoutRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.LogoutResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.ManageNameIDRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.ManageNameIDResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.Response;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The <code>SAML2ServiceProviderAdapter</code> abstract class provides methods
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * that can be extended to perform user-specific logic during SAMLv2
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * protocol processing on the Service Provider side. The implementation class
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * could be configured on a per service provider basis in the extended
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * metadata configuration.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * A singleton instance of this <code>SAML2ServiceProviderAdapter</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * class will be used per Service Provider during runtime, so make sure
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * implementations of the methods are thread-safe.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @supported.all.api
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterpublic abstract class SAML2ServiceProviderAdapter {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Status code for Single Sign-on success.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Status code for invalid response from <code>IDP</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Status code for federation failure due to being unable to write account
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * federation info.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final int FEDERATION_FAILED_WRITING_ACCOUNT_INFO = 3; // failureCode passed to the post-SSO-failure callback: account federation info could not be written
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Status code for Single Sign-On failure due to internal session error.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final int SSO_FAILED_SESSION_ERROR = 4; // failureCode passed to the post-SSO-failure callback: internal session error
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Status code for Single Sign-On failure due to an attribute mapping error.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final int SSO_FAILED_ATTRIBUTE_MAPPING = 5; // failureCode passed to the post-SSO-failure callback: attribute mapping error
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Status code for Single Sign-On failure due to no user mapping.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final int SSO_FAILED_NO_USER_MAPPING = 6; // failureCode passed to the post-SSO-failure callback: no local user mapping found
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Status code for Single Sign-On failure due to inactive user account.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final int SSO_FAILED_AUTH_USER_INACTIVE = 7; // failureCode passed to the post-SSO-failure callback: user account is inactive
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Status code for Single Sign-On failure due to locked user account.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final int SSO_FAILED_AUTH_USER_LOCKED = 8; // failureCode passed to the post-SSO-failure callback: user account is locked
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Status code for Single Sign-On failure due to expired user account.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final int SSO_FAILED_AUTH_ACCOUNT_EXPIRED = 9; // failureCode passed to the post-SSO-failure callback: user account has expired
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Status code for Single Sign-On failure due to being unable to generate
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * a user session.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final int SSO_FAILED_SESSION_GENERATION = 10; // failureCode passed to the post-SSO-failure callback: user session could not be generated
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Status code for Single Sign-On failure due to being unable to retrieve
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * metadata.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final int SSO_FAILED_META_DATA_ERROR = 11; // failureCode passed to the post-SSO-failure callback: metadata could not be retrieved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Constant for the hosted entity ID parameter.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final String HOSTED_ENTITY_ID = "HOSTED_ENTITY_ID"; // key in the initialize(Map) initParams map; its value is the ID of this hosted SP entity
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Constant for the realm of the hosted entity parameter.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Initializes the federation adapter; this method is executed only
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * once, after creation of the adapter instance.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param initParams initial set of parameters configured in the service
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * provider for this adapter. One of the parameters named
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>HOSTED_ENTITY_ID</code> refers to the ID of this
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * hosted service provider entity, one of the parameters named
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>REALM</code> refers to the realm of the hosted entity.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public abstract void initialize(Map initParams); // raw Map kept: subclasses override this exact signature; keys include the HOSTED_ENTITY_ID and REALM parameter names described above
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee * Invoked before OpenAM sends the
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee * Single Sign-On request to the IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostedEntityID entity ID for the hosted SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idpEntityID entity id for the IDP to which the request will
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * be sent. This will be null in ECP case.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm Realm of the hosted SP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request servlet request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response servlet response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnRequest the authentication request to be sent to the IDP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception SAML2Exception if the adapter implementation wants to fail the process.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Invoked when <code>FAM</code> has received the Single Sign-On response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * from the IDP; this is called before any SP-side processing of the response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * has started, so the response has not yet been validated at this point.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostedEntityID entity ID for the hosted SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm Realm of the hosted SP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request servlet request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response servlet response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnRequest the original authentication request sent from SP,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * null if this is IDP initiated SSO.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param ssoResponse response from IDP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param profile protocol profile used, one of the following values:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SAML2Constants.HTTP_POST</code>,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SAML2Constants.HTTP_ARTIFACT</code>,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SAML2Constants.PAOS</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception SAML2Exception if the adapter implementation wants to fail the process.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Invoked after Single Sign-On processing has succeeded.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostedEntityID Entity ID for the hosted SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm Realm of the hosted SP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request servlet request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response servlet response
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest * @param out the print writer for writing out presentation
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param session user's session
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnRequest the original authentication request sent from SP,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * null if this is IDP initiated SSO.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param ssoResponse response from IDP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param profile protocol profile used, one of the following values:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SAML2Constants.HTTP_POST</code>,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SAML2Constants.HTTP_ARTIFACT</code>,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SAML2Constants.PAOS</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param isFederation true if this is federation case, false otherwise.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if browser redirection happened after processing,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * false otherwise. Defaults to false.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception SAML2Exception if the adapter implementation wants to fail the process.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Invoked after Single Sign-On processing has failed.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostedEntityID Entity ID for the hosted SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm Realm of the hosted SP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request servlet request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response servlet response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnRequest the original authentication request sent from SP,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * null if this is IDP initiated SSO.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param ssoResponse response from IDP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param profile protocol profile used, one of the following values:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SAML2Constants.HTTP_POST</code>,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SAML2Constants.HTTP_ARTIFACT</code>,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SAML2Constants.PAOS</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param failureCode an integer specifying the failure code. Possible
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * failure codes are defined as constants in this class.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if browser redirection happened, false otherwise. Defaults to
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Invoked after new Name Identifier processing has succeeded.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostedEntityID Entity ID for the hosted SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm Realm of the hosted SP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request servlet request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response servlet response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param userID Universal ID of the user with whom the new name identifier
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * request was performed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idRequest New name identifier request, value will be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * null if the request object is not available
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idResponse New name identifier response, value will be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * null if the response object is not available
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param binding Binding used for new name identifier request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * one of the following values:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SAML2Constants.SOAP</code>,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SAML2Constants.HTTP_REDIRECT</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Invoked after Terminate Name Identifier processing has succeeded.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostedEntityID Entity ID for the hosted SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm Realm of the hosted SP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request servlet request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response servlet response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param userID Universal ID of the user with whom name ID termination
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * was performed.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idRequest Terminate name identifier request.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idResponse Terminate name identifier response, value will be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * null if the response object is not available
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param binding binding used for Terminate Name Identifier request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * one of the following values:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SAML2Constants.SOAP</code>,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SAML2Constants.HTTP_REDIRECT</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Invoked before the single logout process starts on the <code>SP</code> side.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This method is called before the user session is invalidated on the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * service provider side.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostedEntityID Entity ID for the hosted SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm Realm of the hosted SP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request servlet request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response servlet response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param userID universal ID of the user
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param logoutRequest single logout request object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param logoutResponse single logout response, value will be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * null if the response object is not available
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param binding binding used for Single Logout request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * one of the following values:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SAML2Constants.SOAP</code>,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SAML2Constants.HTTP_REDIRECT</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception SAML2Exception if the adapter implementation wants to fail the process.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Invoked after the single logout process has succeeded, i.e. the user session
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * has been invalidated.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostedEntityID Entity ID for the hosted SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm Realm of the hosted SP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request servlet request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response servlet response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param userID universal ID of the user
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param logoutRequest single logout request, value will be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * null if the request object is not available
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param logoutResponse single logout response, value will be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * null if the response object is not available
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param binding binding used for Single Logout request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * one of the following values:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SAML2Constants.SOAP</code>,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SAML2Constants.HTTP_REDIRECT</code>