449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings/*
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * opensso/legal/CDDLv1.0.txt
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * at opensso/legal/CDDLv1.0.txt.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: AttributeQueryUtil.java,v 1.11 2009/07/24 22:51:48 madan_ranganath Exp $
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * Portions copyright 2010-2015 ForgeRock AS.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterpackage com.sun.identity.saml2.profile;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.ArrayList;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.Date;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.HashMap;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.HashSet;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.Hashtable;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.Iterator;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.List;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.Map;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.Set;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.security.PrivateKey;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.security.cert.X509Certificate;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport javax.crypto.SecretKey;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport javax.servlet.http.HttpServletRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport javax.servlet.http.HttpServletResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport javax.xml.soap.SOAPException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport javax.xml.soap.SOAPMessage;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.common.SOAPCommunicator;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport org.w3c.dom.Element;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.datastore.DataStoreProviderException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.datastore.DataStoreProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.xmlsig.KeyProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Assertion;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.AssertionFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Attribute;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.AttributeStatement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Conditions;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.EncryptedAssertion;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Issuer;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.NameID;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.EncryptedID;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Subject;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Constants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Exception;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Utils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.assertion.AttributeElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.assertion.AttributeValueElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.entityconfig.AttributeAuthorityConfigElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.entityconfig.AttributeQueryConfigElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.entityconfig.IDPSSOConfigElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.AttributeAuthorityDescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.AttributeServiceElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadataextquery.AttributeQueryDescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.key.EncInfo;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.key.KeyUtil;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.plugins.AttributeAuthorityMapper;
882df6887ad52745d38d9bf0d92b3ac6f7703126Peter Majorimport com.sun.identity.saml2.plugins.SPAttributeMapper;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.AttributeQuery;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.ProtocolFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.Response;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.Status;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.StatusCode;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.xmlenc.EncManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster/**
1b49125c5fbcee4ac3052f0831212bbb6feae221Mark Craig * This class provides methods to send or process <code>AttributeQuery</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @supported.api
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterpublic class AttributeQueryUtil {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
    /**
     * The SAML 2.0 "unspecified" attribute NameFormat URN. It is the only
     * private constant here; its use as a default happens outside this
     * excerpt.
     */
    private static final String DEFAULT_ATTRIBUTE_NAME_FORMAT =
        "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified";
    // NOTE(review): the four statics below are package-visible and non-final.
    // Nothing in this excerpt reassigns them after class initialisation, but
    // the compiler does not enforce that.
    // Key provider obtained once from KeyUtil at class load; its consumers
    // (signing/encryption helpers) are outside this excerpt.
    static KeyProvider keyProvider = KeyUtil.getKeyProviderInstance();
    // Raw Hashtable (thread-safe by construction); presumably caches
    // AttributeAuthorityMapper instances for getAttributeAuthorityMapper,
    // which is defined outside this excerpt -- verify there.
    static Hashtable attrAuthorityMapperCache = new Hashtable();
    // Populated by the static initialiser below; remains null if the provider
    // cannot be obtained, so readers must handle null.
    static DataStoreProvider dsProvider = null;
    // Metadata manager used to look up attribute authority descriptors.
    static SAML2MetaManager metaManager = SAML2Utils.getSAML2MetaManager();

    static {
        // Resolve the data store provider eagerly. If SAML2Utils cannot supply
        // one, the failure is logged and dsProvider stays null rather than
        // aborting class initialisation; callers that read dsProvider (outside
        // this excerpt) must therefore expect null.
        try {
            dsProvider = SAML2Utils.getDataStoreProvider();
        } catch (SAML2Exception se) {
            SAML2Utils.debug.error("AttributeQueryUtil.static:", se);
        }
    }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
    // Utility class: every member in this excerpt is static, so instantiation
    // is disallowed.
    private AttributeQueryUtil() {
    }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
    /**
     * Sends an <code>AttributeQuery</code> over the SOAP binding to the
     * attribute authority identified by <code>attrAuthorityEntityID</code>
     * and returns the authority's <code>Response</code>.
     *
     * <p>The destination endpoint is resolved from the authority's metadata
     * descriptor through <code>findLocation</code>, not taken from the
     * caller, and the query is signed before it is sent.
     *
     * @param attrQuery the <code>AttributeQuery</code> to send
     * @param attrAuthorityEntityID entity ID of the attribute authority
     * @param realm the realm of the hosted entity
     * @param attrQueryProfile the attribute query profile, or null to ignore
     * @param attrProfile the attribute profile
     * @param binding the binding; only <code>SAML2Constants.SOAP</code> is
     *        accepted by this overload
     *
     * @return the <code>Response</code> returned by the attribute authority
     * @exception SAML2Exception if the metadata lookup fails, the authority
     *            or its endpoint cannot be found, or the binding is null or
     *            not SOAP
     *
     * @supported.api
     */
    public static Response sendAttributeQuery(AttributeQuery attrQuery,
        String attrAuthorityEntityID, String realm, String attrQueryProfile,
        String attrProfile, String binding) throws SAML2Exception {

        final AttributeAuthorityDescriptorElement authorityDescriptor;
        try {
            authorityDescriptor = metaManager.getAttributeAuthorityDescriptor(
                realm, attrAuthorityEntityID);
        } catch (SAML2MetaException sme) {
            SAML2Utils.debug.error("AttributeQueryUtil.sendAttributeQuery:",
                sme);
            throw new SAML2Exception(
                SAML2Utils.bundle.getString("metaDataError"));
        }

        // Check order is significant: a missing authority is reported before
        // a missing binding, matching the HTTP-POST overload.
        if (authorityDescriptor == null) {
            throw new SAML2Exception(
                SAML2Utils.bundle.getString("attrAuthorityNotFound"));
        }
        if (binding == null) {
            throw new SAML2Exception(
                SAML2Utils.bundle.getString("unsupportedBinding"));
        }

        final String endpoint = findLocation(authorityDescriptor, binding,
            attrQueryProfile, attrProfile);
        if (endpoint == null) {
            throw new SAML2Exception(
                SAML2Utils.bundle.getString("attrAuthorityNotFound"));
        }

        // Guard clause: anything other than SOAP is rejected here.
        if (!binding.equalsIgnoreCase(SAML2Constants.SOAP)) {
            throw new SAML2Exception(
                SAML2Utils.bundle.getString("unsupportedBinding"));
        }
        signAttributeQuery(attrQuery, realm, false);
        return sendAttributeQuerySOAP(attrQuery, endpoint,
            attrAuthorityEntityID, authorityDescriptor);
    }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
    /**
     * Sends an <code>AttributeQuery</code> over the HTTP-POST binding to the
     * attribute authority identified by <code>attrAuthorityEntityID</code>,
     * by redirecting the caller's browser with an auto-posting form.
     *
     * <p>The destination endpoint is resolved from the authority's metadata
     * descriptor through <code>findLocation</code>, not taken from the
     * caller; the query is signed and then POST-encoded before being handed
     * to <code>SAML2Utils.postToTarget</code>.
     *
     * @param attrQuery the <code>AttributeQuery</code> to send
     * @param request the HTTP request
     * @param response the HTTP response the form is written to
     * @param attrAuthorityEntityID entity ID of the attribute authority
     * @param realm the realm of the hosted entity
     * @param attrQueryProfile the attribute query profile, or null to ignore
     * @param attrProfile the attribute profile
     * @param binding the binding; only <code>SAML2Constants.HTTP_POST</code>
     *        is accepted by this overload
     *
     * @exception SAML2Exception if the metadata lookup fails, the authority
     *            or its endpoint cannot be found, or the binding is null or
     *            not HTTP-POST
     *
     * @supported.api
     */
    public static void sendAttributeQuery(AttributeQuery attrQuery,
        HttpServletRequest request, HttpServletResponse response,
        String attrAuthorityEntityID, String realm, String attrQueryProfile,
        String attrProfile, String binding) throws SAML2Exception {

        final AttributeAuthorityDescriptorElement authorityDescriptor;
        try {
            authorityDescriptor = metaManager.getAttributeAuthorityDescriptor(
                realm, attrAuthorityEntityID);
        } catch (SAML2MetaException sme) {
            SAML2Utils.debug.error("AttributeQueryUtil.sendAttributeQuery:",
                sme);
            throw new SAML2Exception(
                SAML2Utils.bundle.getString("metaDataError"));
        }

        // Check order is significant: a missing authority is reported before
        // a missing binding, matching the SOAP overload.
        if (authorityDescriptor == null) {
            throw new SAML2Exception(
                SAML2Utils.bundle.getString("attrAuthorityNotFound"));
        }
        if (binding == null) {
            throw new SAML2Exception(
                SAML2Utils.bundle.getString("unsupportedBinding"));
        }

        final String endpoint = findLocation(authorityDescriptor, binding,
            attrQueryProfile, attrProfile);
        if (endpoint == null) {
            throw new SAML2Exception(
                SAML2Utils.bundle.getString("attrAuthorityNotFound"));
        }

        // Guard clause: anything other than HTTP-POST is rejected here.
        if (!binding.equalsIgnoreCase(SAML2Constants.HTTP_POST)) {
            throw new SAML2Exception(
                SAML2Utils.bundle.getString("unsupportedBinding"));
        }
        signAttributeQuery(attrQuery, realm, false);
        // Serialise after signing so the signature is part of the posted XML.
        final String postPayload =
            SAML2Utils.encodeForPOST(attrQuery.toXMLString(true, true));
        SAML2Utils.postToTarget(request, response, "SAMLRequest", postPayload,
            null, null, endpoint);
    }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Processes the <code>AttributeQuery</code> coming
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * from a requester.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param attrQuery the <code>AttributeQuery</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request the <code>HttpServletRequest</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response the <code>HttpServletResponse</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param attrAuthorityEntityID entity ID of attribute authority
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm the realm of hosted entity
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param attrQueryProfileAlias the attribute query profile alias
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the <code>Response</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception SAML2Exception if the operation is not successful
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static Response processAttributeQuery(AttributeQuery attrQuery,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster HttpServletRequest request, HttpServletResponse response,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String attrAuthorityEntityID, String realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String attrQueryProfileAlias) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AttributeAuthorityMapper attrAuthorityMapper =
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster getAttributeAuthorityMapper(realm, attrAuthorityEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster attrQueryProfileAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String attrQueryProfile = AttributeQueryUtil.getAttributeQueryProfile(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster attrQueryProfileAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster attrAuthorityMapper.authenticateRequester(request, response,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster attrQuery, attrAuthorityEntityID, realm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch(SAML2Exception se) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (SAML2Utils.debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("AttributeQueryUtil." +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "processAttributeQuery: ", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return SAML2Utils.getErrorResponse(attrQuery,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.REQUESTER, null, se.getMessage(), null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster attrAuthorityMapper.validateAttributeQuery(request, response,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster attrQuery, attrAuthorityEntityID, realm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch(SAML2Exception se) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("AttributeQueryUtil.processAttributeQuery:",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return SAML2Utils.getErrorResponse(attrQuery,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.REQUESTER, null, se.getMessage(), null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Issuer issuer = attrQuery.getIssuer();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String requesterEntityID = issuer.getValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AttributeAuthorityDescriptorElement aad = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster aad = metaManager.getAttributeAuthorityDescriptor(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster realm, attrAuthorityEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch (SAML2MetaException sme) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("AttributeQueryUtil.processAttributeQuery:",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sme);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return SAML2Utils.getErrorResponse(attrQuery,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.RESPONDER, null,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("metaDataError"), null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (aad == null) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return SAML2Utils.getErrorResponse(attrQuery,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.REQUESTER, null,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("attrAuthorityNotFound"), null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Object identity = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster identity = attrAuthorityMapper.getIdentity(request, response,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster attrQuery, attrAuthorityEntityID, realm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch (SAML2Exception se) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (SAML2Utils.debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("AttributeQueryUtil." +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "processAttributeQuery: ", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return SAML2Utils.getErrorResponse(attrQuery,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.REQUESTER, SAML2Constants.UNKNOWN_PRINCIPAL,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster se.getMessage(), null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (identity == null) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (SAML2Utils.debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("AttributeQueryUtil." +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "processAttributeQuery: unable to find identity.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return SAML2Utils.getErrorResponse(attrQuery,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.REQUESTER, SAML2Constants.UNKNOWN_PRINCIPAL,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster null, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Addition to support changing of desired attributes list
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List desiredAttrs = (List)request.getAttribute("AttributeQueryUtil-desiredAttrs");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (desiredAttrs == null) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster desiredAttrs = attrQuery.getAttributes();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster desiredAttrs = verifyDesiredAttributes(aad.getAttribute(),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster desiredAttrs);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch (SAML2Exception se) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return SAML2Utils.getErrorResponse(attrQuery,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.REQUESTER,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.INVALID_ATTR_NAME_OR_VALUE, null, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List attributes = attrAuthorityMapper.getAttributes(identity,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster attrQuery, attrAuthorityEntityID, realm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (request.getAttribute("AttributeQueryUtil-storeAllAttributes") != null) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster request.setAttribute("AttributeQueryUtil-allAttributes", attributes);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster attributes = filterAttributes(attributes, desiredAttrs);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ProtocolFactory protocolFactory = ProtocolFactory.getInstance();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Response samlResp = protocolFactory.createResponse();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List assertionList = new ArrayList();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Assertion assertion = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertion = getAssertion(attrQuery, attrAuthorityEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster requesterEntityID, realm, attrQueryProfileAlias, attributes);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch (SAML2Exception se) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (SAML2Utils.debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "AttributeQueryUtil.processAttributeQuery:", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return SAML2Utils.getErrorResponse(attrQuery,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.RESPONDER, null, se.getMessage(), null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster EncryptedID encryptedID = attrQuery.getSubject().getEncryptedID();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (encryptedID != null) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster EncryptedAssertion encryptedAssertion = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster try {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster signAssertion(assertion, realm, attrAuthorityEntityID, false);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster encryptedAssertion = encryptAssertion(assertion,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster encryptedID, attrAuthorityEntityID, requesterEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster realm, attrQueryProfileAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch (SAML2Exception se) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (SAML2Utils.debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "AttributeQueryUtil.processAttributeQuery:", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return SAML2Utils.getErrorResponse(attrQuery,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.RESPONDER, null, se.getMessage(), null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertionList.add(encryptedAssertion);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster samlResp.setEncryptedAssertion(assertionList);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertionList.add(assertion);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster samlResp.setAssertion(assertionList);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster samlResp.setID(SAML2Utils.generateID());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster samlResp.setInResponseTo(attrQuery.getID());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster samlResp.setVersion(SAML2Constants.VERSION_2_0);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster samlResp.setIssueInstant(new Date());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Status status = protocolFactory.createStatus();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster StatusCode statusCode = protocolFactory.createStatusCode();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster statusCode.setValue(SAML2Constants.SUCCESS);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster status.setStatusCode(statusCode);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster samlResp.setStatus(status);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Issuer respIssuer = AssertionFactory.getInstance().createIssuer();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster respIssuer.setValue(attrAuthorityEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster samlResp.setIssuer(respIssuer);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster signResponse(samlResp, attrAuthorityEntityID, realm, false);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return samlResp;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Maps an attribute query profile alias to the attribute query profile
 * it stands for.
 *
 * Only the two aliases known to this authority are recognised: the
 * default profile alias and the X.509 subject profile alias.
 *
 * @param attrQueryProfileAlias attribute query profile alias, may be null
 *
 * @return the matching attribute query profile, or null when the alias is
 *         null or is not one of the recognised aliases
 */
public static String getAttributeQueryProfile(
    String attrQueryProfileAlias) {

    if (attrQueryProfileAlias == null) {
        return null;
    }

    if (attrQueryProfileAlias.equals(
            SAML2Constants.DEFAULT_ATTR_QUERY_PROFILE_ALIAS)) {
        return SAML2Constants.DEFAULT_ATTR_QUERY_PROFILE;
    }

    if (attrQueryProfileAlias.equals(
            SAML2Constants.X509_SUBJECT_ATTR_QUERY_PROFILE_ALIAS)) {
        return SAML2Constants.X509_SUBJECT_ATTR_QUERY_PROFILE;
    }

    // Unrecognised alias.
    return null;
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
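/**
 * Signs an outbound attribute query with the requester's signing key.
 *
 * The requester is identified by the query's Issuer; its signing
 * certificate alias is read from the requester's ATTR_QUERY_ROLE
 * configuration in the given realm and the private key is fetched from
 * the key provider under that alias.
 *
 * @param attrQuery attribute query to sign; must already carry its Issuer
 * @param realm realm the requester entity is configured in
 * @param includeCert whether to hand the signing certificate to sign()
 *        (presumably so it is embedded in the signature); when false only
 *        the key is used and the receiver has to resolve the verification
 *        certificate from metadata, as verifyAttrQuerySignature does
 *
 * @throws SAML2Exception if no private key is available for the
 *         configured alias, or if signing fails
 */
private static void signAttributeQuery(AttributeQuery attrQuery,
    String realm, boolean includeCert) throws SAML2Exception {
    String requesterEntityID = attrQuery.getIssuer().getValue();

    String alias = SAML2Utils.getSigningCertAlias(realm, requesterEntityID,
        SAML2Constants.ATTR_QUERY_ROLE);

    PrivateKey signingKey = keyProvider.getPrivateKey(alias);
    if (signingKey == null) {
        // Never send the query unsigned: the authority side rejects
        // unsigned queries (attrQueryNotSigned), so fail here instead.
        throw new SAML2Exception(
            SAML2Utils.bundle.getString("missingSigningCertAlias"));
    }

    // The certificate is optional; the key is always used. The former
    // "signingKey != null" re-check after the throw above was dead code.
    X509Certificate signingCert = includeCert
        ? keyProvider.getX509Certificate(alias) : null;

    attrQuery.sign(signingKey, signingCert);
}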
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
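/**
 * Checks that the attribute query's Issuer names a requester that is
 * allowed to query this attribute authority.
 *
 * Only Issuer formats that identify an entity are accepted: no format,
 * an empty format, "unspecified" or "entity". The Issuer must then pass
 * SAML2Utils.isSourceSiteValid for the realm and authority.
 *
 * @param attrQuery attribute query whose Issuer is validated
 * @param attrAuthorityEntityID entity ID of the hosted attribute authority
 * @param realm realm of the hosted attribute authority
 *
 * @throws SAML2Exception if the Issuer is absent, has an unsupported
 *         format, or is not a valid source site for this authority
 */
public static void validateEntityRequester(AttributeQuery attrQuery,
    String attrAuthorityEntityID, String realm) throws SAML2Exception {

    Issuer issuer = attrQuery.getIssuer();
    // A query without an Issuer cannot be matched against any trusted
    // requester: reject it like an invalid issuer rather than failing
    // with a NullPointerException on issuer.getFormat().
    if (issuer == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString(
            "attrQueryIssuerInvalid"));
    }

    String format = issuer.getFormat();
    boolean entityFormat = (format == null) || (format.length() == 0)
        || format.equals(SAML2Constants.UNSPECIFIED)
        || format.equals(SAML2Constants.ENTITY);
    if (!entityFormat) {
        throw new SAML2Exception(SAML2Utils.bundle.getString(
            "attrQueryIssuerInvalid"));
    }

    if (!SAML2Utils.isSourceSiteValid(issuer, realm,
        attrAuthorityEntityID)) {
        throw new SAML2Exception(SAML2Utils.bundle.getString(
            "attrQueryIssuerInvalid"));
    }
}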
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
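/**
 * Checks that the attribute query carries a valid signature made by the
 * requester named in its Issuer.
 *
 * The certificates handed to isSignatureValid come from the requester's
 * AttributeQueryDescriptor metadata in the realm (ATTR_QUERY_ROLE), not
 * from the message, so trust is anchored in configured metadata.
 *
 * @param attrQuery attribute query
 * @param attrAuthorityEntityID entity ID of attribute authority
 * @param realm the realm of hosted entity
 *
 * @exception SAML2Exception if the query is unsigned, the requester has no
 *            AttributeQueryDescriptor in the realm, no verification
 *            certificate is available, or the signature does not verify.
 */
public static void verifyAttrQuerySignature(AttributeQuery attrQuery,
    String attrAuthorityEntityID, String realm)
    throws SAML2Exception {

    if (!attrQuery.isSigned()) {
        throw new SAML2Exception(SAML2Utils.bundle.getString(
            "attrQueryNotSigned"));
    }

    // The Issuer is read before the signature is checked: it is only used
    // to select the metadata to verify against, and the signature check
    // below is what vouches for it.
    String requestedEntityID = attrQuery.getIssuer().getValue();

    AttributeQueryDescriptorElement attrqDesc =
        metaManager.getAttributeQueryDescriptor(realm, requestedEntityID);
    if (attrqDesc == null) {
        throw new SAML2Exception(SAML2Utils.bundle.getString(
            "attrQueryIssuerNotFound"));
    }

    Set<X509Certificate> signingCerts = KeyUtil.getVerificationCerts(
        attrqDesc, requestedEntityID, SAML2Constants.ATTR_QUERY_ROLE);
    // Also guard against a null set, not only an empty one.
    if ((signingCerts == null) || signingCerts.isEmpty()) {
        throw new SAML2Exception(
            SAML2Utils.bundle.getString("missingSigningCertAlias"));
    }

    boolean valid = attrQuery.isSignatureValid(signingCerts);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(
            "AttributeQueryUtil.verifyAttributeQuery: " +
            "Signature validity is : " + valid);
    }
    if (!valid) {
        throw new SAML2Exception(SAML2Utils.bundle.getString(
            "invalidSignatureAttrQuery"));
    }
}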
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
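/**
 * Resolves the local user ID for an attribute query whose subject is an
 * X.509 subject DN (X509_SUBJECT_NAME NameID format).
 *
 * An EncryptedID is decrypted with this authority's decryption keys
 * (ATTR_AUTH_ROLE); otherwise the plain NameID is used. The DN is then
 * looked up in the data store through the attribute named by the
 * authority's X509_SUBJECT_DATA_STORE_ATTR_NAME setting.
 *
 * @param attrQuery attribute query
 * @param attrAuthorityEntityID entity ID of the hosted attribute authority
 * @param realm realm of the hosted attribute authority
 *
 * @return whatever dsProvider.getUserID returns for the DN search
 *
 * @throws SAML2Exception if the subject yields no NameID, the NameID
 *         format is not X509SubjectName, no mapping attribute is
 *         configured, decryption fails, or the data store lookup fails
 */
public static String getIdentityFromDataStoreX509Subject(
    AttributeQuery attrQuery, String attrAuthorityEntityID, String realm)
    throws SAML2Exception {

    Subject subject = attrQuery.getSubject();
    EncryptedID encryptedID = subject.getEncryptedID();

    NameID nameID;
    if (encryptedID != null) {
        nameID = encryptedID.decrypt(KeyUtil.getDecryptionKeys(realm,
            attrAuthorityEntityID, SAML2Constants.ATTR_AUTH_ROLE));
    } else {
        nameID = subject.getNameID();
    }

    // A subject with neither a NameID nor a decryptable EncryptedID is
    // reported as unsupported instead of failing with an NPE on
    // nameID.getFormat().
    if ((nameID == null) ||
        !SAML2Constants.X509_SUBJECT_NAME.equals(nameID.getFormat())) {
        throw new SAML2Exception(SAML2Utils.bundle.getString(
            "unsupportedAttrQuerySubjectNameID"));
    }

    String mappingAttrName = getAttributeValueFromAttrAuthorityConfig(
        realm, attrAuthorityEntityID,
        SAML2Constants.X509_SUBJECT_DATA_STORE_ATTR_NAME);
    if ((mappingAttrName == null) || (mappingAttrName.length() == 0)) {
        throw new SAML2Exception(SAML2Utils.bundle.getString(
            "x509SubjectMappingNotConfigured"));
    }

    // Search key: { mappingAttrName -> { subject DN } }.
    // NOTE(review): the DN is taken verbatim from the (signed) query and
    // passed to the data store; escaping of any search-filter
    // metacharacters is left to dsProvider — confirm it does so.
    String x509SubjectDN = nameID.getValue();
    Set values = new HashSet();
    values.add(x509SubjectDN);
    Map attrMap = new HashMap();
    attrMap.put(mappingAttrName, values);

    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(
            "AttributeQueryUtil.getIdentityFromDataStoreX509Subject: " +
            "mappingAttrName = " + mappingAttrName +
            ", X509 subject DN = " + x509SubjectDN);
    }

    try {
        return dsProvider.getUserID(realm, attrMap);
    } catch (DataStoreProviderException dse) {
        SAML2Utils.debug.error(
            "AttributeQueryUtil.getIdentityFromDataStoreX509Subject:",dse);
        throw new SAML2Exception(dse.getMessage());
    }
}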
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
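/**
 * Resolves the local user ID for the subject of an attribute query.
 *
 * The subject's NameID (decrypted with this authority's ATTR_AUTH_ROLE
 * keys when it arrives as an EncryptedID) is resolved by its format:
 * <ul>
 * <li>transient: looked up in IDPCache.userIDByTransientNameIDValue;</li>
 * <li>unspecified: matched against a data-store attribute, "uid" by
 *     default, overridable through the hosted IDP's NAME_ID_FORMAT_MAP
 *     (see unspecifiedNameIDSearchAttribute);</li>
 * <li>any other format: searched with the key map produced by
 *     SAML2Utils.getNameIDKeyMap for the requesting entity.</li>
 * </ul>
 *
 * @param attrQuery attribute query
 * @param attrAuthorityEntityID entity ID of the hosted attribute authority
 * @param realm realm of the hosted attribute authority
 *
 * @return the resolved user ID as returned by the cache or data store
 *         (may be null when nothing matches)
 *
 * @throws SAML2Exception if the subject yields no NameID, decryption
 *         fails, the hosted IDP configuration cannot be read, or the data
 *         store lookup fails
 */
public static String getIdentity(AttributeQuery attrQuery,
    String attrAuthorityEntityID, String realm) throws SAML2Exception {

    Subject subject = attrQuery.getSubject();
    EncryptedID encryptedID = subject.getEncryptedID();

    NameID nameID;
    if (encryptedID != null) {
        nameID = encryptedID.decrypt(KeyUtil.getDecryptionKeys(realm,
            attrAuthorityEntityID, SAML2Constants.ATTR_AUTH_ROLE));
    } else {
        nameID = subject.getNameID();
    }
    if (nameID == null) {
        // Neither a NameID nor a decryptable EncryptedID: nothing to
        // resolve, so fail cleanly instead of with an NPE on getFormat().
        throw new SAML2Exception(SAML2Utils.bundle.getString(
            "unsupportedAttrQuerySubjectNameID"));
    }

    String nameIDFormat = nameID.getFormat();

    // NameIDFormat is "transient": only known to the IDP cache.
    if (SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(nameIDFormat)) {
        return (String)IDPCache.userIDByTransientNameIDValue.get(
            nameID.getValue());
    }

    // NameIDFormat is "unspecified": the value is a data-store attribute.
    if (SAML2Constants.UNSPECIFIED.equals(nameIDFormat)) {
        String userIdAttr = unspecifiedNameIDSearchAttribute(
            realm, attrAuthorityEntityID, nameIDFormat);

        // NOTE(review): the NameID value goes verbatim into the search
        // map; escaping of search-filter metacharacters is left to
        // dsProvider — confirm it does so.
        Set userIDValuesSet = new HashSet();
        userIDValuesSet.add(nameID.getValue());
        Map userIDsSearchMap = new HashMap();
        userIDsSearchMap.put(userIdAttr, userIDValuesSet);
        try {
            return dsProvider.getUserID(realm, userIDsSearchMap);
        } catch (DataStoreProviderException dse) {
            SAML2Utils.debug.error(
                "AttributeQueryUtil.getIdentityFromDataStore1:", dse);
            throw new SAML2Exception(dse.getMessage());
        }
    }

    // Any other format: use the persistent NameID key map for the
    // requesting entity.
    String requestedEntityID = attrQuery.getIssuer().getValue();
    try {
        return dsProvider.getUserID(realm, SAML2Utils.getNameIDKeyMap(
            nameID, attrAuthorityEntityID, requestedEntityID, realm,
            SAML2Constants.IDP_ROLE));
    } catch (DataStoreProviderException dse) {
        SAML2Utils.debug.error(
            "AttributeQueryUtil.getIdentityFromDataStore:", dse);
        throw new SAML2Exception(dse.getMessage());
    }
}

/**
 * Picks the data-store attribute an "unspecified" NameID value is matched
 * against.
 *
 * Defaults to "uid". The hosted IDP's NAME_ID_FORMAT_MAP may override it
 * with an entry of the form "&lt;nameIDFormat&gt;=&lt;attribute&gt;";
 * the first entry starting with the format, with at least two characters
 * after '=', wins. A missing configuration, attribute map or format map
 * leaves the default in place instead of failing with an NPE.
 *
 * @param realm realm of the hosted attribute authority
 * @param attrAuthorityEntityID entity ID of the hosted attribute authority
 * @param nameIDFormat the NameID format being resolved
 *
 * @return the data-store attribute name to search by
 *
 * @throws SAML2Exception if the hosted IDP configuration cannot be read
 */
private static String unspecifiedNameIDSearchAttribute(String realm,
    String attrAuthorityEntityID, String nameIDFormat)
    throws SAML2Exception {

    String userId = "uid";

    IDPSSOConfigElement config = SAML2Utils.getSAML2MetaManager().getIDPSSOConfig(
        realm, attrAuthorityEntityID);
    Map attrs = SAML2MetaUtils.getAttributes(config);
    List nimAttrs = (attrs == null) ? null
        : (List)attrs.get(SAML2Constants.NAME_ID_FORMAT_MAP);
    if (nimAttrs == null) {
        return userId;
    }

    for (Iterator i = nimAttrs.iterator(); i.hasNext(); ) {
        String attrName = (String)i.next();
        if (attrName == null || attrName.length() <= 2
            || !attrName.startsWith(nameIDFormat)) {
            continue;
        }
        int eqPos = attrName.indexOf('=');
        // eqPos < length-2 means at least two characters follow '='.
        if (eqPos != -1 && eqPos < attrName.length() - 2) {
            userId = attrName.substring(eqPos + 1);
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("AttributeQueryUtil.getIdentity: NameID attribute from map: " + userId);
            }
            break;
        }
    }
    return userId;
}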
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
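/**
 * Builds the SAML attributes to return for a user from the attribute map
 * configured for the requester.
 *
 * The SAML-to-local attribute map is taken from the requesting entity's
 * SP_ROLE configuration first; when that is absent or empty, the hosted
 * IDP's IDP_ROLE map is used instead. All mapped local attributes are
 * read from the data store in one call and each is turned into a SAML
 * Attribute; attributes the user has no value for are skipped. A
 * data-store failure is logged at warning level and treated as "no
 * values", so the query still gets a (possibly empty) answer.
 *
 * @param userId local user ID whose attributes are read
 * @param attrQuery attribute query; only its Issuer (the requester) is used
 * @param attrAuthorityEntityID entity ID of the hosted attribute authority
 * @param realm realm of the hosted attribute authority
 *
 * @return list of SAML Attribute objects, possibly empty; null when
 *         neither the SP nor the IDP has an attribute map configured
 *
 * @throws SAML2Exception if reading the configuration or building a SAML
 *         attribute fails
 */
public static List getUserAttributes(String userId,
    AttributeQuery attrQuery, String attrAuthorityEntityID, String realm)
    throws SAML2Exception {

    String requestedEntityID = attrQuery.getIssuer().getValue();

    Map configMap = SAML2Utils.getConfigAttributeMap(realm,
        requestedEntityID, SAML2Constants.SP_ROLE);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(
            "AttributeQueryUtil.getUserAttributes: " +
            "remote SP attribute map = " + configMap);
    }
    if (configMap == null || configMap.isEmpty()) {
        // Fall back to the hosted IDP's map when the SP has none.
        configMap = SAML2Utils.getConfigAttributeMap(realm,
            attrAuthorityEntityID, SAML2Constants.IDP_ROLE);
        if (configMap == null || configMap.isEmpty()) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(
                    "AttributeQueryUtil.getUserAttributes:" +
                    "Configuration map is not defined.");
            }
            return null;
        }
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(
                "AttributeQueryUtil.getUserAttributes: " +
                "hosted IDP attribute map=" + configMap);
        }
    }

    // Read every mapped local attribute in a single data-store call.
    Set localAttributes = new HashSet();
    localAttributes.addAll(configMap.values());
    Map valueMap = null;
    try {
        valueMap = dsProvider.getAttributes(userId, localAttributes);
    } catch (DataStoreProviderException dse) {
        // Deliberate best effort: a failed read yields no values rather
        // than an error response.
        if (SAML2Utils.debug.warningEnabled()) {
            SAML2Utils.debug.warning(
                "AttributeQueryUtil.getUserAttributes:", dse);
        }
    }
    // Loop-invariant: without any values every attribute is skipped.
    boolean haveValues = (valueMap != null) && !valueMap.isEmpty();

    List attributes = new ArrayList();
    for (Iterator iter = configMap.entrySet().iterator(); iter.hasNext(); ) {
        Map.Entry entry = (Map.Entry)iter.next();
        String samlAttribute = (String)entry.getKey();
        String localAttribute = (String)entry.getValue();

        String[] localAttributeValues = null;
        if (haveValues) {
            Set values = (Set)valueMap.get(localAttribute);
            if ((values == null) || values.isEmpty()) {
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message(
                        "AttributeQueryUtil.getUserAttributes:" +
                        " user profile does not have value for " +
                        localAttribute);
                }
            } else {
                localAttributeValues =
                    (String[])values.toArray(new String[values.size()]);
            }
        }

        if ((localAttributeValues == null) ||
            (localAttributeValues.length == 0)) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(
                    "AttributeQueryUtil.getUserAttributes:" +
                    " user does not have " + localAttribute);
            }
            continue;
        }

        Attribute attr = SAML2Utils.getSAMLAttribute(samlAttribute,
            localAttributeValues);
        attributes.add(attr);
    }
    return attributes;
}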
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
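/**
 * Signs an attribute query Response with the attribute authority's
 * signing key.
 *
 * The signing certificate alias is read from the authority's
 * ATTR_AUTH_ROLE configuration in the realm and the private key is
 * fetched from the key provider under that alias.
 *
 * @param response response to sign
 * @param attrAuthorityEntityID entity ID of the hosted attribute authority
 * @param realm realm of the hosted attribute authority
 * @param includeCert whether to hand the signing certificate to sign()
 *        (presumably so it is embedded in the signature); when false only
 *        the key is used
 *
 * @throws SAML2Exception if no private key is available for the
 *         configured alias, or if signing fails
 */
public static void signResponse(Response response,
    String attrAuthorityEntityID, String realm, boolean includeCert)
    throws SAML2Exception {

    String alias = SAML2Utils.getSigningCertAlias(realm,
        attrAuthorityEntityID, SAML2Constants.ATTR_AUTH_ROLE);

    PrivateKey signingKey = keyProvider.getPrivateKey(alias);
    if (signingKey == null) {
        // Never return an unsigned response; fail loudly instead.
        throw new SAML2Exception(
            SAML2Utils.bundle.getString("missingSigningCertAlias"));
    }

    // The certificate is optional; the key is always used. The former
    // "signingKey != null" re-check after the throw above was dead code.
    X509Certificate signingCert = includeCert
        ? keyProvider.getX509Certificate(alias) : null;

    response.sign(signingKey, signingCert);
}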
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Builds the assertion that answers an attribute query.
 *
 * <p>The assertion gets a fresh ID, SAML version 2.0, the current time as IssueInstant and the attribute
 * authority as Issuer. The Subject of the incoming query is echoed as-is (EncryptedID, NameID, BaseID and
 * SubjectConfirmation). A single AttributeStatement is attached only when {@code attributes} is non-empty.
 * Conditions are taken from {@code IDPSSOUtil.getConditions} using the authority's effective-time and
 * not-before-skew settings for the realm. The assertion is returned unsigned.
 *
 * @param attrQuery the incoming query whose Subject is copied into the assertion
 * @param attrAuthorityEntityID entity ID of this attribute authority; used as Issuer and for the time settings
 * @param requesterEntityID entity ID of the requester; passed to {@code IDPSSOUtil.getConditions}
 *        (presumably as the audience -- confirm against that helper)
 * @param realm realm in which the time settings are looked up
 * @param attrQueryProfileAlias not used by this method; kept for the caller's signature
 * @param attributes attributes to place in the AttributeStatement; may be {@code null} or empty
 * @return the populated, unsigned assertion
 * @throws SAML2Exception propagated from the assertion factory setters
 */
private static Assertion getAssertion(AttributeQuery attrQuery,
    String attrAuthorityEntityID, String requesterEntityID, String realm,
    String attrQueryProfileAlias, List attributes) throws SAML2Exception {

    AssertionFactory factory = AssertionFactory.getInstance();
    Assertion result = factory.createAssertion();
    result.setID(SAML2Utils.generateID());
    result.setVersion(SAML2Constants.VERSION_2_0);
    result.setIssueInstant(new Date());

    Issuer issuer = factory.createIssuer();
    issuer.setValue(attrAuthorityEntityID);
    result.setIssuer(issuer);

    // Echo the query subject: the identifiers and confirmation are carried over untouched.
    Subject querySubject = attrQuery.getSubject();
    Subject echoedSubject = factory.createSubject();
    echoedSubject.setEncryptedID(querySubject.getEncryptedID());
    echoedSubject.setNameID(querySubject.getNameID());
    echoedSubject.setBaseID(querySubject.getBaseID());
    echoedSubject.setSubjectConfirmation(querySubject.getSubjectConfirmation());
    result.setSubject(echoedSubject);

    boolean hasAttributes = attributes != null && !attributes.isEmpty();
    if (hasAttributes) {
        AttributeStatement statement = factory.createAttributeStatement();
        statement.setAttribute(attributes);
        List statements = new ArrayList();
        statements.add(statement);
        result.setAttributeStatements(statements);
    }

    // Validity window: both values come from the authority's configuration for this realm.
    int effectiveTime = IDPSSOUtil.getEffectiveTime(realm, attrAuthorityEntityID);
    int notBeforeSkew = IDPSSOUtil.getNotBeforeSkewTime(realm, attrAuthorityEntityID);
    result.setConditions(IDPSSOUtil.getConditions(requesterEntityID, notBeforeSkew, effectiveTime));

    return result;
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
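/**
 * Signs an assertion with the attribute authority's configured signing key.
 *
 * <p>The key alias is resolved from the authority's ATTR_AUTH_ROLE configuration in the realm. A missing
 * private key is a configuration error and raises {@code missingSigningCertAlias}, the same way response
 * signing in this class does, so that an assertion the caller asked to have signed never leaves unsigned.
 *
 * @param assertion the assertion to sign (modified in place)
 * @param realm realm of the attribute authority
 * @param attrAuthorityEntityID entity ID of the attribute authority whose key is used
 * @param includeCert whether the signing certificate is embedded in the signature
 * @throws SAML2Exception when no signing key is configured, or when signing fails
 */
private static void signAssertion(Assertion assertion, String realm,
    String attrAuthorityEntityID, boolean includeCert)
    throws SAML2Exception {

    String alias = SAML2Utils.getSigningCertAlias(realm,
        attrAuthorityEntityID, SAML2Constants.ATTR_AUTH_ROLE);

    PrivateKey signingKey = keyProvider.getPrivateKey(alias);
    if (signingKey == null) {
        // Fail closed: silently skipping the signature would emit an unsigned assertion.
        throw new SAML2Exception(
            SAML2Utils.bundle.getString("missingSigningCertAlias"));
    }

    // The certificate is only embedded on request; the signature itself does not need it.
    X509Certificate signingCert = includeCert ? keyProvider.getX509Certificate(alias) : null;
    assertion.sign(signingKey, signingCert);
}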
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Encrypts an assertion for the requester of an attribute query.
 *
 * <p>The symmetric data key is obtained from {@code EncManager.getSecretKey} using the XML of the query's
 * EncryptedID and this authority's decryption keys (whether that reuses the key inside the EncryptedID or
 * derives a new one is decided inside EncManager -- confirm there). The assertion XML is then encrypted with
 * that key, wrapped for the requester using the wrapping key and algorithms from its AttributeQueryDescriptor,
 * and returned as an EncryptedAssertion.
 *
 * @param assertion the assertion to encrypt
 * @param encryptedID the EncryptedID carried by the incoming query
 * @param attrAuthorityEntityID entity ID of this attribute authority (selects the decryption keys)
 * @param requesterEntityID entity ID of the requester (selects its descriptor and encryption settings)
 * @param realm realm of the attribute authority
 * @param attrQueryProfileAlias not used by this method; kept for the caller's signature
 * @return the EncryptedAssertion built from the encrypted element
 * @throws SAML2Exception propagated from key lookup, serialization and encryption
 */
private static EncryptedAssertion encryptAssertion(Assertion assertion, EncryptedID encryptedID,
    String attrAuthorityEntityID, String requesterEntityID, String realm, String attrQueryProfileAlias)
    throws SAML2Exception {

    SecretKey dataKey = EncManager.getEncInstance().getSecretKey(encryptedID.toXMLString(true, true),
        KeyUtil.getDecryptionKeys(realm, attrAuthorityEntityID, SAML2Constants.ATTR_AUTH_ROLE));

    // Encryption parameters come from the requester's own metadata, in its AttributeQuery role.
    AttributeQueryDescriptorElement requesterDescriptor =
        metaManager.getAttributeQueryDescriptor(realm, requesterEntityID);
    EncInfo requesterEncInfo = KeyUtil.getEncInfo(requesterDescriptor, requesterEntityID,
        SAML2Constants.ATTR_QUERY_ROLE);

    Element encryptedElement = EncManager.getEncInstance().encrypt(
        assertion.toXMLString(true, true),
        requesterEncInfo.getWrappingKey(),
        dataKey,
        requesterEncInfo.getDataEncAlgorithm(),
        requesterEncInfo.getDataEncStrength(),
        requesterEntityID,
        "EncryptedAssertion");

    return AssertionFactory.getInstance().createEncryptedAssertion(encryptedElement);
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Checks the attributes named in an AttributeQuery against the attributes the authority supports.
 *
 * <p>Without any configured attributes the request is accepted as-is; without any requested attributes the
 * whole configured set is returned (converted to {@code Attribute}). Otherwise every requested attribute must
 * match a configured one by name and NameFormat, and, when the request restricts values, the requested values
 * must be among the configured ones. Each configured attribute can satisfy only one requested attribute:
 * it is removed from {@code supportedAttrs} once matched, so {@code supportedAttrs} is modified by this call.
 *
 * @param supportedAttrs attributes configured for the authority; entries are removed as they are matched
 * @param desiredAttrs attributes named in the query
 * @return {@code desiredAttrs} when the request is valid, or the converted configured attributes when
 *         nothing specific was requested
 * @throws SAML2Exception when a requested attribute name or value is not supported
 */
private static List<Attribute> verifyDesiredAttributes(List<AttributeElement> supportedAttrs,
    List<Attribute> desiredAttrs) throws SAML2Exception {
    boolean nothingConfigured = supportedAttrs == null || supportedAttrs.isEmpty();
    if (nothingConfigured) {
        return desiredAttrs;
    }

    boolean nothingRequested = desiredAttrs == null || desiredAttrs.isEmpty();
    if (nothingRequested) {
        return convertAttributes(supportedAttrs);
    }

    for (Attribute requested : desiredAttrs) {
        boolean matched = false;
        for (Iterator<AttributeElement> it = supportedAttrs.iterator(); it.hasNext() && !matched; ) {
            AttributeElement supported = it.next();
            if (!isSameAttribute(requested, supported)) {
                continue;
            }
            if (!isValueValid(requested, supported)) {
                throw new SAML2Exception("Attribute value not supported");
            }
            // Consume the configured attribute so the query cannot request the same Attribute twice
            // (SAML core 3.3.2.3).
            it.remove();
            matched = true;
        }
        if (!matched) {
            throw new SAML2Exception("Attribute name not supported");
        }
    }
    return desiredAttrs;
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
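/**
 * Converts the authority's configured (JAXB metadata) attributes into assertion {@code Attribute}s.
 *
 * <p>Name, NameFormat and FriendlyName are copied. For each configured AttributeValue only its first content
 * item is carried over (assumes the metadata values hold simple text content -- TODO confirm), and the
 * attribute's values are set only when at least one such item exists.
 *
 * @param jaxbAttrs configured attributes ({@code AttributeElement}); {@code null} is treated as empty
 * @return a new mutable list of {@code Attribute}, in the order of {@code jaxbAttrs}
 * @throws SAML2Exception propagated from the Attribute setters
 */
private static List convertAttributes(List jaxbAttrs)
    throws SAML2Exception {

    List resultAttrs = new ArrayList();
    if (jaxbAttrs == null) {
        return resultAttrs;
    }

    AssertionFactory factory = AssertionFactory.getInstance();
    for (Iterator iter = jaxbAttrs.iterator(); iter.hasNext(); ) {
        AttributeElement jaxbAttr = (AttributeElement) iter.next();
        Attribute attr = factory.createAttribute();
        attr.setName(jaxbAttr.getName());
        attr.setNameFormat(jaxbAttr.getNameFormat());
        attr.setFriendlyName(jaxbAttr.getFriendlyName());

        List jaxbValues = jaxbAttr.getAttributeValue();
        if (jaxbValues != null && !jaxbValues.isEmpty()) {
            List newValues = new ArrayList();
            // Advance the value iterator here, never the outer attribute iterator.
            for (Iterator iterV = jaxbValues.iterator(); iterV.hasNext(); ) {
                AttributeValueElement jaxbValue = (AttributeValueElement) iterV.next();
                List content = jaxbValue.getContent();
                if (content != null && !content.isEmpty()) {
                    newValues.add(content.get(0));
                }
            }
            if (!newValues.isEmpty()) {
                attr.setAttributeValueString(newValues);
            }
        }
        resultAttrs.add(attr);
    }
    return resultAttrs;
}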
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
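/**
 * Restricts the attributes available for a subject to those named in the AttributeQuery.
 *
 * <p>For each desired attribute the first available attribute with the same name (and a matching NameFormat,
 * see {@code isNameFormatMatching}) is taken and its values are narrowed to the requested ones by
 * {@code filterAttributeValues}. Attributes that were not requested, or whose values do not intersect with the
 * requested values, are left out. When the requester supplied a FriendlyName it is copied onto the returned
 * attribute on a best-effort basis.
 *
 * @param attributes attributes available for the subject
 * @param desiredAttrs attributes named in the query
 * @return {@code attributes} unchanged when either list is {@code null} or empty (nothing to filter by);
 *         otherwise a new list holding the matching, value-filtered attributes
 */
private static List<Attribute> filterAttributes(List<Attribute> attributes, List<Attribute> desiredAttrs) {

    if (attributes == null || attributes.isEmpty()) {
        SAML2Utils.debug.message("AttributeQueryUtil.filterAttributes: attributes are null");
        return attributes;
    }
    if (desiredAttrs == null || desiredAttrs.isEmpty()) {
        SAML2Utils.debug.message("AttributeQueryUtil.filterAttributes: desired attributes are null");
        return attributes;
    }

    List<Attribute> returnAttributes = new ArrayList<Attribute>();
    for (Attribute desired : desiredAttrs) {
        for (Attribute candidate : attributes) {
            if (!isSameAttribute(candidate, desired)) {
                continue;
            }
            Attribute filtered = filterAttributeValues(candidate, desired);
            if (filtered != null) {
                String friendlyName = desired.getFriendlyName();
                if (friendlyName != null && friendlyName.length() > 0) {
                    try {
                        filtered.setFriendlyName(friendlyName);
                    } catch (SAML2Exception e) {
                        // Best effort: the attribute is still returned, just without the requester's FriendlyName.
                        if (SAML2Utils.debug.messageEnabled()) {
                            SAML2Utils.debug.message(
                                "AttributeQueryUtil.filterAttributes: could not set FriendlyName", e);
                        }
                    }
                }
                returnAttributes.add(filtered);
            }
            // Only the first available attribute with a matching name is considered per desired attribute.
            break;
        }
    }
    return returnAttributes;
}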
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Tells whether an available attribute is the one a requester asked for.
 *
 * <p>The names must be equal and the NameFormats must match under the rules of
 * {@code isNameFormatMatching} (an unspecified desired NameFormat matches any).
 *
 * @param attribute an attribute available for the subject
 * @param desired the attribute named in the query
 * @return {@code true} when name and NameFormat match
 */
private static boolean isSameAttribute(Attribute attribute, Attribute desired) {
    boolean sameName = desired.getName().equals(attribute.getName());
    return sameName && isNameFormatMatching(desired.getNameFormat(), attribute.getNameFormat());
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Narrows an available attribute's values to the ones the requester asked for.
 *
 * @param attr the available attribute
 * @param desiredAttr the requested attribute, possibly carrying a value restriction
 * @return {@code attr} itself when no values were requested; {@code null} when the available attribute has no
 *         values or none of the requested values is available; {@code desiredAttr} when every requested value
 *         is available; otherwise a new attribute copying {@code desiredAttr}'s name, NameFormat, FriendlyName
 *         and AnyAttribute with just the requested values that are available. Also {@code null} when building
 *         that new attribute fails (the failure is logged at debug level).
 */
private static Attribute filterAttributeValues(Attribute attr,
    Attribute desiredAttr) {

    List requestedValues = desiredAttr.getAttributeValueString();
    boolean noValueRestriction = requestedValues == null || requestedValues.isEmpty();
    if (noValueRestriction) {
        return attr;
    }

    List availableValues = attr.getAttributeValueString();
    boolean nothingAvailable = availableValues == null || availableValues.isEmpty();
    if (nothingAvailable) {
        return null;
    }

    // Intersection, in the order the values were requested.
    List matched = new ArrayList();
    for (Object requested : requestedValues) {
        String value = (String) requested;
        if (availableValues.contains(value)) {
            matched.add(value);
        }
    }

    if (matched.isEmpty()) {
        return null;
    }
    if (matched.size() == requestedValues.size()) {
        return desiredAttr;
    }

    try {
        Attribute narrowed = AssertionFactory.getInstance().createAttribute();
        narrowed.setName(desiredAttr.getName());
        narrowed.setNameFormat(desiredAttr.getNameFormat());
        narrowed.setFriendlyName(desiredAttr.getFriendlyName());
        narrowed.setAnyAttribute(desiredAttr.getAnyAttribute());
        narrowed.setAttributeValueString(matched);
        return narrowed;
    } catch (SAML2Exception se) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(
                "AttributeQueryUtil.filterAttributeValues:", se);
        }
        return null;
    }
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Tells whether a configured (metadata) attribute is the one a requester asked for.
 *
 * <p>The names must be equal and the NameFormats must match under the rules of
 * {@code isNameFormatMatching} (an unspecified desired NameFormat matches any).
 *
 * @param desired the attribute named in the query
 * @param supported an attribute from the authority's configuration
 * @return {@code true} when name and NameFormat match
 */
private static boolean isSameAttribute(Attribute desired, AttributeElement supported) {
    boolean sameName = desired.getName().equals(supported.getName());
    return sameName && isNameFormatMatching(desired.getNameFormat(), supported.getNameFormat());
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Decides whether a requested Attribute NameFormat matches the NameFormat of an available attribute.
 *
 * <p>A request that omits the NameFormat is treated as the
 * <code>urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified</code> default (SAML core 2.7.3.1). Each
 * attribute profile (SAML profiles spec section 8) defines its own comparison rules, but when the Attribute
 * Authority supports several profiles there is no reliable way to tell which one a request uses. The
 * unspecified NameFormat is therefore a wildcard that matches any available NameFormat, in the same spirit
 * as an unspecified NameID-Format letting the IdP pick the NameID-Format for an SP.
 *
 * @param desiredNameFormat the NameFormat of the Attribute in the AttributeQuery request; may be {@code null}
 * @param availableNameFormat the NameFormat of the Attribute in the server configuration
 * @return <code>true</code> when the desired NameFormat is absent or unspecified, or when it equals the
 *         available NameFormat
 */
private static boolean isNameFormatMatching(String desiredNameFormat, String availableNameFormat) {
    if (desiredNameFormat == null) {
        return true;
    }
    if (DEFAULT_ATTRIBUTE_NAME_FORMAT.equals(desiredNameFormat)) {
        // Wildcard: an unspecified request accepts whatever format is configured.
        return true;
    }
    return desiredNameFormat.equals(availableNameFormat);
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Checks that every value requested for an attribute is among the values configured for it.
 *
 * <p>No restriction applies when the request carries no values or when the configuration lists none; in
 * both cases the request is accepted. Otherwise the content of all configured AttributeValue elements is
 * pooled and must contain all requested values (the comparison relies on the content items' {@code equals};
 * the exact content type is not visible here -- confirm they are strings).
 *
 * @param desiredAttr the attribute named in the query
 * @param supportedAttr the matching attribute from the authority's configuration
 * @return {@code true} when the request is acceptable; {@code false} when a requested value is missing or
 *         the comparison itself fails (logged at debug level)
 */
private static boolean isValueValid(Attribute desiredAttr,
    AttributeElement supportedAttr) {

    List requested = desiredAttr.getAttributeValueString();
    if (requested == null || requested.isEmpty()) {
        return true;
    }
    List configured = supportedAttr.getAttributeValue();
    if (configured == null || configured.isEmpty()) {
        return true;
    }

    List allowed = new ArrayList();
    for (Object element : configured) {
        AttributeValueElement valueElement = (AttributeValueElement) element;
        allowed.addAll(valueElement.getContent());
    }

    try {
        return allowed.containsAll(requested);
    } catch (Exception ex) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(
                "AttributeQueryUtil.isValueValid:", ex);
        }
        return false;
    }
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Sends an AttributeQuery to the attribute service over SOAP and returns the verified Response.
 *
 * <p>A SOAP transport failure is logged and reported as {@code errorSendingAttributeQuery}. A Response whose
 * status is not {@code SAML2Constants.SUCCESS} is rejected with {@code failureStatusAttributeQuery}; its
 * status code, message and detail are logged at error level. Note that this status check happens before
 * {@code verifyResponse}, so the logged status text comes from a not-yet-verified response and is written
 * as received. Successful responses are passed through {@code verifyResponse} before being returned.
 *
 * @param attrQuery the query to send
 * @param attributeServiceURL endpoint of the attribute service
 * @param attrAuthorityEntityID entity ID of the attribute authority being queried
 * @param aad metadata descriptor of the attribute authority (used for signature verification)
 * @return the verified Response
 * @throws SAML2Exception on transport failure, non-success status or a failed verification
 */
private static Response sendAttributeQuerySOAP(AttributeQuery attrQuery,
    String attributeServiceURL, String attrAuthorityEntityID,
    AttributeAuthorityDescriptorElement aad) throws SAML2Exception {

    String queryXml = attrQuery.toXMLString(true, true);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(
            "AttributeQueryUtil.sendAttributeQuerySOAP: attrQueryXMLString = " + queryXml);
        SAML2Utils.debug.message(
            "AttributeQueryUtil.sendAttributeQuerySOAP: attributeServiceURL = " + attributeServiceURL);
    }

    SOAPMessage reply;
    try {
        reply = SOAPCommunicator.getInstance().sendSOAPMessage(queryXml, attributeServiceURL, true);
    } catch (SOAPException se) {
        SAML2Utils.debug.error(
            "AttributeQueryUtil.sendAttributeQuerySOAP: ", se);
        throw new SAML2Exception(
            SAML2Utils.bundle.getString("errorSendingAttributeQuery"));
    }

    Element responseElement = SOAPCommunicator.getInstance().getSamlpElement(reply, "Response");
    Response response = ProtocolFactory.getInstance().createResponse(responseElement);

    Status status = response.getStatus();
    String statusCode = status.getStatusCode().getValue();
    if (!SAML2Constants.SUCCESS.equals(statusCode)) {
        String message = status.getStatusMessage();
        if (message == null) {
            message = "";
        }
        String detail = "";
        if (status.getStatusDetail() != null) {
            detail = status.getStatusDetail().toXMLString();
        }

        SAML2Utils.debug.error(
            "AttributeQueryUtil.sendAttributeQuerySOAP: Non-Success status " + statusCode +
            ", message: " + message + ", detail: " + detail);

        Object[] args = { statusCode, message, detail };
        throw new SAML2Exception(SAML2Utils.BUNDLE_NAME, "failureStatusAttributeQuery", args);
    }

    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(
            "AttributeQueryUtil.sendAttributeQuerySOAP: response = " + response.toXMLString(true, true));
    }

    verifyResponse(response, attrQuery, attrAuthorityEntityID, aad);

    return response;
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
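/**
 * Validates a Response received for an attribute query before its contents are trusted.
 *
 * <p>The checks are, in order: the InResponseTo attribute equals the query ID (only when the query has an ID);
 * the Issuer, when present, equals the expected attribute authority entity ID; the response is signed; and the
 * signature verifies against the authority's verification certificates from its metadata. The signature checks
 * run whether or not the response carries an Issuer element, so a response without an Issuer cannot bypass
 * them.
 *
 * @param response the response to validate
 * @param attrQuery the query this response answers
 * @param attrAuthorityEntityID entity ID of the attribute authority the query was sent to
 * @param aad metadata descriptor of the attribute authority used to look up verification certificates
 * @throws SAML2Exception when any check fails, or when no verification certificate is available
 */
private static void verifyResponse(Response response,
    AttributeQuery attrQuery, String attrAuthorityEntityID,
    AttributeAuthorityDescriptorElement aad)
    throws SAML2Exception {

    // Correlate the response with the query that was sent.
    String attrQueryID = attrQuery.getID();
    if (attrQueryID != null && !attrQueryID.equals(response.getInResponseTo())) {
        throw new SAML2Exception(
            SAML2Utils.bundle.getString("invalidInResponseToAttrQuery"));
    }

    // Issuer is optional on a Response. When present it must name the queried authority; when absent the
    // signature checks below still run, since the signature is what binds the response to the authority.
    Issuer respIssuer = response.getIssuer();
    if (respIssuer != null && !attrAuthorityEntityID.equals(respIssuer.getValue())) {
        throw new SAML2Exception(SAML2Utils.bundle.getString(
            "responseIssuerMismatch"));
    }

    if (!response.isSigned()) {
        throw new SAML2Exception(SAML2Utils.bundle.getString(
            "responseNotSigned"));
    }

    Set<X509Certificate> signingCerts = KeyUtil.getVerificationCerts(aad, attrAuthorityEntityID,
        SAML2Constants.ATTR_AUTH_ROLE);
    if (signingCerts.isEmpty()) {
        // Fail closed: without a trusted certificate the signature cannot be verified.
        throw new SAML2Exception(
            SAML2Utils.bundle.getString("missingSigningCertAlias"));
    }

    boolean valid = response.isSignatureValid(signingCerts);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(
            "AttributeQueryUtil.verifyResponse: Signature validity is : " + valid);
    }
    if (!valid) {
        throw new SAML2Exception(SAML2Utils.bundle.getString(
            "invalidSignatureOnResponse"));
    }
}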
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
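/**
 * Finds the endpoint location of the AttributeService element of an attribute
 * authority that matches the requested binding and attribute query profile.
 *
 * The attribute profile is checked first: when the descriptor advertises
 * attribute profiles, the requested {@code attrProfile} must be among them;
 * when it advertises none, only a {@code null} {@code attrProfile} passes.
 * Only then are the AttributeService elements scanned, in metadata order,
 * and the first one accepted by {@code isValidAttributeService} wins.
 *
 * @param aad the attribute authority descriptor read from metadata
 * @param binding the binding the caller intends to use
 * @param attrQueryProfile the attribute query profile in use, may be null
 * @param attrProfile the attribute profile required by the caller, may be null
 * @return the location of the first matching AttributeService, or null when
 *         the profile check fails or no service matches
 */
private static String findLocation(
        AttributeAuthorityDescriptorElement aad, String binding,
        String attrQueryProfile, String attrProfile) {
    SAML2Utils.debug.message("AttributeQueryUtil.findLocation entering...");
    List<?> attrProfiles = aad.getAttributeProfile();
    if ((attrProfiles == null) || attrProfiles.isEmpty()) {
        SAML2Utils.debug.message("AttributeQueryUtil.findLocation: attrProfiles is null or empty");
        if (attrProfile != null) {
            // The caller insists on a profile the authority does not advertise.
            // (The previous message claimed attrProfile was null here, which
            // was the opposite of the condition being tested.)
            SAML2Utils.debug.message("AttributeQueryUtil.findLocation: attrProfiles is null or empty but attrProfile is not null");
            return null;
        }
    } else if (!attrProfiles.contains(attrProfile)) {
        SAML2Utils.debug.message("AttributeQueryUtil.findLocation: attrProfile not found in the attrProfiles");
        return null;
    }

    List<?> attrServices = aad.getAttributeService();
    for (Object element : attrServices) {
        AttributeServiceElement attrService = (AttributeServiceElement) element;
        if (isValidAttributeService(binding, attrService, attrQueryProfile)) {
            SAML2Utils.debug.message("AttributeQueryUtil.findLocation: found valid service");
            return attrService.getLocation();
        }
    }
    SAML2Utils.debug.message("AttributeQueryUtil.findLocation: nothing found, leaving last line with null");

    return null;
}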
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Tells whether an AttributeService endpoint can serve a query that uses the
 * given binding and attribute query profile.
 *
 * @param binding the binding the caller wants; compared case-insensitively
 *        against the binding advertised by {@code attrService}
 * @param attrService the AttributeService element from the authority's metadata
 * @param attrQueryProfile the attribute query profile, may be null
 * @return true when the binding matches and the profile is either the default
 *         attribute query profile, or the X.509 subject profile on a service
 *         that declares X.509 query support; false otherwise, including for a
 *         null profile
 */
private static boolean isValidAttributeService(String binding,
        AttributeServiceElement attrService, String attrQueryProfile) {
    boolean bindingMatches = binding.equalsIgnoreCase(attrService.getBinding());
    if (!bindingMatches || attrQueryProfile == null) {
        return false;
    }

    if (SAML2Constants.DEFAULT_ATTR_QUERY_PROFILE.equals(attrQueryProfile)) {
        return true;
    }

    // X.509 subject queries are only valid on services that opt in to them.
    boolean x509Profile = SAML2Constants.X509_SUBJECT_ATTR_QUERY_PROFILE.equals(attrQueryProfile);
    return x509Profile && attrService.isSupportsX509Query();
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
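/**
 * Returns the <code>AttributeAuthorityMapper</code> configured for an
 * attribute authority and attribute query profile.
 *
 * The implementation class name is read from the attribute authority's
 * configuration under the key
 * <code>&lt;attrQueryProfileAlias&gt;_ATTRIBUTE_AUTHORITY_MAPPER</code>;
 * when no value is configured,
 * {@link SAML2Constants#DEFAULT_ATTRIBUTE_AUTHORITY_MAPPER_CLASS} is used.
 * The class is loaded by name and instantiated through its no-arg
 * constructor, and instances are cached by class name in
 * {@code attrAuthorityMapperCache}, so one instance is shared by all callers.
 *
 * @param realm the realm name
 * @param attrAuthorityEntityID the entity id of the attribute authority
 * @param attrQueryProfileAlias attribute profile alias
 *
 * @return the <code>AttributeAuthorityMapper</code>
 * @exception SAML2Exception if the mapper class cannot be loaded or
 *            instantiated; the underlying exception is kept as the cause
 */
static AttributeAuthorityMapper getAttributeAuthorityMapper(String realm,
        String attrAuthorityEntityID, String attrQueryProfileAlias)
        throws SAML2Exception {

    try {
        String attrAuthorityMapperName = getAttributeValueFromAttrAuthorityConfig(
                realm, attrAuthorityEntityID,
                attrQueryProfileAlias + "_" + SAML2Constants.ATTRIBUTE_AUTHORITY_MAPPER);

        if (attrAuthorityMapperName == null) {
            attrAuthorityMapperName = SAML2Constants.DEFAULT_ATTRIBUTE_AUTHORITY_MAPPER_CLASS;
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(
                        "AttributeQueryUtil.getAttributeAuthorityMapper: use "+
                        attrAuthorityMapperName);
            }
        }

        AttributeAuthorityMapper attrAuthorityMapper = (AttributeAuthorityMapper)
                attrAuthorityMapperCache.get(attrAuthorityMapperName);
        if (attrAuthorityMapper != null) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(
                        "AttributeQueryUtil.getAttributeAuthorityMapper: " +
                        "got the AttributeAuthorityMapper from cache");
            }
            return attrAuthorityMapper;
        }

        // The class name comes from the deployment's own metadata configuration,
        // not from anything in the request.  Going through the Constructor
        // instead of the deprecated Class.newInstance() keeps the real failure
        // as the cause instead of letting checked exceptions escape unwrapped.
        // Check-then-put is not atomic: concurrent first callers may each build
        // an instance and the last put wins; that is only acceptable if mappers
        // are stateless, which is not verified here.
        attrAuthorityMapper = (AttributeAuthorityMapper)
                Class.forName(attrAuthorityMapperName).getDeclaredConstructor().newInstance();
        attrAuthorityMapperCache.put(attrAuthorityMapperName, attrAuthorityMapper);
        return attrAuthorityMapper;
    } catch (Exception ex) {
        SAML2Utils.debug.error(
                "AttributeQueryUtil.getAttributeAuthorityMapper: " +
                "Unable to get IDP Attribute Mapper.", ex);
        throw new SAML2Exception(ex);
    }
}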
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Reads the first value of a named attribute from the attribute authority's
 * extended configuration.
 *
 * @param realm the realm name
 * @param attrAuthorityEntityID the entity id of the attribute authority
 * @param attrName the configuration attribute to read
 * @return the first configured value with surrounding whitespace removed, or
 *         null when the attribute has no values or the configuration cannot
 *         be read (a SAML2MetaException is logged at debug level, not rethrown)
 */
private static String getAttributeValueFromAttrAuthorityConfig(
        String realm, String attrAuthorityEntityID, String attrName)
{
    try {
        AttributeAuthorityConfigElement config =
                metaManager.getAttributeAuthorityConfig(realm, attrAuthorityEntityID);
        Map<?, ?> attrs = SAML2MetaUtils.getAttributes(config);
        List<?> values = (List<?>) attrs.get(attrName);
        if (values == null || values.isEmpty()) {
            return null;
        }
        // Only the first value is meaningful for single-valued settings.
        String first = (String) values.iterator().next();
        return first.trim();
    } catch (SAML2MetaException sme) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("AttributeQueryUtil." +
                    "getAttributeValueFromAttrAuthorityConfig: " +
                    "get AttributeAuthorityConfig failed", sme);
        }
        return null;
    }
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Sends the AttributeQuery to specified attribute authority,
 * validates the response and returns the attribute map
 * <code>Map&lt;String, String&gt;</code> to the Fedlet.
 *
 * Multi-valued attributes are flattened into one string with the values
 * joined by <code>|</code>. A value that itself contains <code>|</code> is
 * not escaped, so the result cannot always be split back into the original
 * values; callers that need them individually should use
 * {@link #getAttributesForFedlet(String, String, String, List, String, String)}.
 *
 * @param spEntityID SP entity ID
 * @param idpEntityID IDP entity ID
 * @param nameIDValue NameID value
 * @param attrsList The list of attributes whose values need to be
 * fetched from IDP
 * @param attrQueryProfileAlias Attribute Query Profile Alias
 * @param subjectDN Attribute name which contains X.509 subject DN
 *
 * @return the <code>Map</code> object
 * @exception SAML2Exception if the operation is not successful
 *
 * @deprecated Use {@link #getAttributesForFedlet(String, String, String, List, String, String)}
 */
public static Map<String, String> getAttributeMapForFedlet(String spEntityID, String idpEntityID,
        String nameIDValue, List<String> attrsList, String attrQueryProfileAlias, String subjectDN)
        throws SAML2Exception {
    Map<String, Set<String>> multiValued = getAttributesForFedlet(spEntityID, idpEntityID, nameIDValue,
            attrsList, attrQueryProfileAlias, subjectDN);

    Map<String, String> flattened = new HashMap<String, String>();
    for (Map.Entry<String, Set<String>> entry : multiValued.entrySet()) {
        flattened.put(entry.getKey(), joinWithPipe(entry.getValue()));
    }

    return flattened;
}

/**
 * Joins the values in iteration order, separated by "|" and without escaping.
 * The separator is only emitted once something has already been written, so
 * an empty leading value does not produce a leading "|".
 */
private static String joinWithPipe(Set<String> values) {
    StringBuilder joined = new StringBuilder();
    for (String value : values) {
        if (joined.length() > 0) {
            joined.append('|');
        }
        joined.append(value);
    }
    return joined.toString();
}
4200bb8dd4c9333d2263fd312bf27069f9875f13Sachiko Wallace
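/**
 * Sends the AttributeQuery to specified attribute authority,
 * validates the response and returns the attribute map
 * <code>Map&lt;String, Set&lt;String&gt;&gt;</code> to the Fedlet.
 *
 * Attributes are taken from the response only after
 * {@code validateSAMLResponseForFedlet} has accepted it; when validation
 * fails the returned map is empty rather than partially filled. The map is
 * also empty when the response is null or carries no assertions or no
 * attribute statements. The Fedlet works in the root realm, so "/" is used
 * for every metadata lookup and for the SP attribute mapper.
 *
 * @param spEntityID SP entity ID
 * @param idpEntityID IDP entity ID
 * @param nameIDValue NameID value
 * @param attrsList The list of attributes whose values need to be
 * fetched from IDP
 * @param attrQueryProfileAlias Attribute Query Profile Alias
 * @param subjectDN Attribute name which contains X.509 subject DN
 *
 * @return the <code>Map</code> object; null when the SP has no attribute
 *         query configuration or that configuration has no meta alias
 * @exception SAML2Exception if the operation is not successful
 *
 * @supported.api
 */
public static Map<String, Set<String>> getAttributesForFedlet(String spEntityID, String idpEntityID,
        String nameIDValue, List<String> attrsList, String attrQueryProfileAlias, String subjectDN)
        throws SAML2Exception {
    final String classMethod = "AttributeQueryUtil.getAttributesForFedlet: ";

    AttributeQueryConfigElement attrQueryConfig = metaManager.getAttributeQueryConfig("/", spEntityID);
    if (attrQueryConfig == null) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "Attribute Query Config is null");
        }
        return null;
    }

    String attrqMetaAlias = attrQueryConfig.getMetaAlias();
    if (attrqMetaAlias == null) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "Attribute Query MetaAlias is null");
        }
        return null;
    }

    // Whether the NameID is encrypted decides both how the query is built and
    // which kind of assertion (encrypted or plain) is expected back.
    boolean wantNameIDEncrypted = SAML2Utils.getWantNameIDEncrypted("/", spEntityID,
            SAML2Constants.ATTR_QUERY_ROLE);

    AttributeQuery attrQuery = constructAttrQueryForFedlet(spEntityID, idpEntityID, nameIDValue, attrsList,
            attrqMetaAlias, attrQueryProfileAlias, subjectDN, wantNameIDEncrypted);

    String attrQueryProfile = attrQueryProfileForAlias(attrQueryProfileAlias);

    Response samlResp = sendAttributeQuery(attrQuery, idpEntityID, "/", attrQueryProfile,
            SAML2Constants.BASIC_ATTRIBUTE_PROFILE, SAML2Constants.SOAP);

    // Validate the response before any assertion content is trusted.
    boolean validResp = validateSAMLResponseForFedlet(samlResp, spEntityID, wantNameIDEncrypted);

    Map<String, Set<String>> attrMap = new HashMap<String, Set<String>>();
    if (!validResp) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "Invalid response obtained from Attribute Authority");
        }
        return attrMap;
    }

    if (samlResp != null) {
        attrMap.putAll(fedletAttributesFromResponse(samlResp, spEntityID, idpEntityID, nameIDValue,
                wantNameIDEncrypted, classMethod));
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "attributes received from Attribute Query: " + attrMap);
        }
    }
    // Return the attribute map and to the fedlet
    return attrMap;
}

/**
 * Resolves an attribute query profile alias to the profile constant sent to
 * the attribute authority; null when the alias is neither of the two known
 * aliases.
 */
private static String attrQueryProfileForAlias(String attrQueryProfileAlias) {
    if (attrQueryProfileAlias.equals(SAML2Constants.DEFAULT_ATTR_QUERY_PROFILE_ALIAS)) {
        return SAML2Constants.DEFAULT_ATTR_QUERY_PROFILE;
    }
    if (attrQueryProfileAlias.equals(SAML2Constants.X509_SUBJECT_ATTR_QUERY_PROFILE_ALIAS)) {
        return SAML2Constants.X509_SUBJECT_ATTR_QUERY_PROFILE;
    }
    return null;
}

/**
 * Collects the mapped attributes from every assertion of an already-validated
 * response. Encrypted assertions are decrypted first. Each attribute statement
 * is mapped separately and merged with putAll, so a later statement or
 * assertion overwrites an earlier one for the same attribute name.
 *
 * @param samlResp the validated, non-null response
 * @param spEntityID SP entity ID
 * @param idpEntityID IDP entity ID
 * @param nameIDValue NameID value, passed to the SP attribute mapper as the user id
 * @param wantNameIDEncrypted whether the encrypted assertions are to be read
 * @param classMethod log prefix of the calling method
 * @return the merged attributes; empty when there are no assertions or statements
 * @throws SAML2Exception if decryption or attribute mapping fails
 */
private static Map<String, Set<String>> fedletAttributesFromResponse(Response samlResp, String spEntityID,
        String idpEntityID, String nameIDValue, boolean wantNameIDEncrypted, String classMethod)
        throws SAML2Exception {
    Map<String, Set<String>> attrMap = new HashMap<String, Set<String>>();

    List<Object> assertions;
    if (wantNameIDEncrypted) {
        assertions = samlResp.getEncryptedAssertion();
    } else {
        assertions = samlResp.getAssertion();
    }
    // A response without the expected assertion list yields no attributes
    // instead of a NullPointerException.
    if (assertions == null) {
        return attrMap;
    }

    for (Object currentAssertion : assertions) {
        Assertion assertion;
        if (wantNameIDEncrypted) {
            assertion = getDecryptedAssertion((EncryptedAssertion) currentAssertion, spEntityID);
        } else {
            assertion = (Assertion) currentAssertion;
        }
        if (assertion == null) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "Empty Assertion present in SAML response");
            }
            continue;
        }

        List<AttributeStatement> statements = assertion.getAttributeStatements();
        if (statements == null || statements.isEmpty()) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "Empty Statement present in SAML response");
            }
            continue;
        }

        for (AttributeStatement statement : statements) {
            List<Attribute> attributes = statement.getAttribute();
            attrMap.putAll(mapAttributes("/", spEntityID, idpEntityID, nameIDValue, attributes));
        }
    }
    return attrMap;
}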
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Runs attributes received from the attribute authority through the SP
 * attribute mapper configured for {@code spEntityID} in {@code realm}.
 *
 * @param realm the realm of the SP
 * @param spEntityID SP entity ID
 * @param idpEntityID IDP entity ID
 * @param userID the user id handed to the mapper (callers pass the NameID value)
 * @param attributes the SAML attributes to map
 * @return whatever the SP attribute mapper returns for these attributes
 * @throws SAML2Exception if the mapper cannot be obtained or mapping fails
 */
private static Map<String, Set<String>> mapAttributes(String realm, String spEntityID, String idpEntityID,
        String userID, List<Attribute> attributes) throws SAML2Exception {
    return SAML2Utils.getSPAttributeMapper(realm, spEntityID)
            .getAttributes(attributes, userID, spEntityID, idpEntityID, realm);
}
882df6887ad52745d38d9bf0d92b3ac6f7703126Peter Major
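/**
 * Constructs the Attribute Query used by the Fedlet to retrieve the
 * values from IDP.
 *
 * The query is issued by the entity registered under {@code attrqMetaAlias},
 * gets a freshly generated ID and the current issue instant, and requests
 * each name in {@code attrsList} in the basic name format. The subject
 * NameID depends on the profile alias: the default profile sends
 * {@code nameIDValue} as a transient NameID, the X.509 subject profile
 * sends {@code subjectDN} in X.509 subject name format, and any other alias
 * leaves the NameID without format or value. When
 * {@code wantNameIDEncrypted} is set, the NameID is encrypted for the
 * attribute authority with the encryption key, algorithm and strength taken
 * from its metadata descriptor.
 *
 * @param spEntityID SP entity ID, used as the NameID SPNameQualifier
 * @param idpEntityID IDP entity ID, used as the NameID NameQualifier and to
 *        look up the attribute authority descriptor
 * @param nameIDValue NameID value, used with the default profile
 * @param attrsList names of the attributes to request; null is treated as empty
 * @param attrqMetaAlias meta alias of the attribute query requester
 * @param attrProfileNameAlias attribute query profile alias
 * @param subjectDN X.509 subject DN, used with the X.509 subject profile
 * @param wantNameIDEncrypted whether the subject NameID must be encrypted
 * @return the populated <code>AttributeQuery</code>
 * @exception SAML2Exception if the operation is not successful
 */
private static AttributeQuery constructAttrQueryForFedlet(
        String spEntityID,
        String idpEntityID,
        String nameIDValue,
        List<String> attrsList,
        String attrqMetaAlias,
        String attrProfileNameAlias,
        String subjectDN,
        boolean wantNameIDEncrypted) throws SAML2Exception
{
    String attrqEntityID =
            SAML2Utils.getSAML2MetaManager().getEntityByMetaAlias(attrqMetaAlias);

    ProtocolFactory protocolFactory = ProtocolFactory.getInstance();
    AssertionFactory assertionFactory = AssertionFactory.getInstance();

    AttributeQuery attrQuery = protocolFactory.createAttributeQuery();

    Issuer issuer = assertionFactory.createIssuer();
    issuer.setValue(attrqEntityID);

    attrQuery.setIssuer(issuer);
    attrQuery.setID(SAML2Utils.generateID());
    attrQuery.setVersion(SAML2Constants.VERSION_2_0);
    attrQuery.setIssueInstant(new Date());

    List<Attribute> attrs = new ArrayList<Attribute>();
    if (attrsList != null) {
        for (String attributeName : attrsList) {
            Attribute attr = assertionFactory.createAttribute();
            attr.setName(attributeName);
            attr.setNameFormat(SAML2Constants.BASIC_NAME_FORMAT);
            attrs.add(attr);
        }
    }
    attrQuery.setAttributes(attrs);

    Subject subject = assertionFactory.createSubject();
    NameID nameID = assertionFactory.createNameID();
    nameID.setNameQualifier(idpEntityID);
    nameID.setSPNameQualifier(spEntityID);

    // The two known aliases are distinct, so at most one branch applies.
    if (attrProfileNameAlias.equals(SAML2Constants.DEFAULT_ATTR_QUERY_PROFILE_ALIAS)) {
        nameID.setFormat(SAML2Constants.NAMEID_TRANSIENT_FORMAT);
        nameID.setValue(nameIDValue);
    } else if (attrProfileNameAlias.equals(SAML2Constants.X509_SUBJECT_ATTR_QUERY_PROFILE_ALIAS)) {
        nameID.setFormat(SAML2Constants.X509_SUBJECT_NAME);
        nameID.setValue(subjectDN);
    }

    if (!wantNameIDEncrypted) {
        subject.setNameID(nameID);
    } else {
        // Encrypt for the attribute authority using the key it publishes in its
        // metadata; algorithm and strength come from the same descriptor.
        AttributeAuthorityDescriptorElement aad =
                metaManager.getAttributeAuthorityDescriptor("/", idpEntityID);

        EncInfo encInfo = KeyUtil.getEncInfo(aad, idpEntityID,
                SAML2Constants.ATTR_AUTH_ROLE);

        // NOTE(review): encInfo is dereferenced without a null check - confirm
        // KeyUtil.getEncInfo never returns null when the descriptor has no
        // encryption key, or add an explicit SAML2Exception here.
        EncryptedID encryptedID = nameID.encrypt(encInfo.getWrappingKey(),
                encInfo.getDataEncAlgorithm(),
                encInfo.getDataEncStrength(),
                idpEntityID);
        subject.setEncryptedID(encryptedID);
    }

    attrQuery.setSubject(subject);

    return attrQuery;
}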
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
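    /**
     * Validates the SAML response obtained from the Attribute Authority
     * for the Fedlet.
     *
     * <p>The response is accepted only when it is non-null and carries a
     * signature, its assertion list is present, and every assertion that can
     * be read has at most one {@code AudienceRestriction} and at most one
     * {@code AttributeStatement}. A {@code null} list of audience
     * restrictions or statements is treated like an empty one.
     *
     * <p>NOTE(review): {@code isSigned()} is taken here only as "a Signature
     * element is present"; whether that signature is actually verified
     * before this method is called cannot be seen from here and should be
     * confirmed in the caller. Likewise this method checks the number of
     * audience restrictions, not whether the audience names
     * {@code spEntityID}, and it does not evaluate the time window of the
     * {@code Conditions} element.
     *
     * @param samlResp saml response
     * @param spEntityID entity ID of the service provider (Fedlet); used to
     *        locate the decryption keys when the assertions are encrypted
     * @param wantNameIDEncrypted {@code true} if the response is expected to
     *        carry {@code EncryptedAssertion} elements rather than plain
     *        assertions
     * @return {@code true} if the response passed the checks above,
     *         {@code false} otherwise
     *
     * @exception SAML2Exception if the operation is not successful
     *
     * @supported.api
     */
    private static boolean validateSAMLResponseForFedlet(
        Response samlResp,
        String spEntityID,
        boolean wantNameIDEncrypted) throws SAML2Exception
    {
        if (samlResp == null || !samlResp.isSigned()) {
            return false;
        }
        // Encrypted and plain assertions live in different lists on the
        // response; pick the one matching the configured expectation.
        List<?> assertions = wantNameIDEncrypted
            ? samlResp.getEncryptedAssertion()
            : samlResp.getAssertion();
        if (assertions == null) {
            return false;
        }
        for (Object element : assertions) {
            Assertion assertion = wantNameIDEncrypted
                ? getDecryptedAssertion((EncryptedAssertion) element, spEntityID)
                : (Assertion) element;
            if (assertion == null) {
                // getDecryptedAssertion yields null only for a null element;
                // such entries are skipped rather than rejected.
                continue;
            }
            Conditions conditions = assertion.getConditions();
            if (conditions != null) {
                List<?> audienceRes = conditions.getAudienceRestrictions();
                if (audienceRes != null && audienceRes.size() > 1) {
                    return false;
                }
            }
            List<?> statements = assertion.getAttributeStatements();
            if (statements != null && statements.size() > 1) {
                return false;
            }
        }
        return true;
    }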
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
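    /**
     * Returns the decrypted assertion.
     *
     * <p>The decryption keys are looked up for the attribute-query role of
     * the given service provider in the root realm ({@code "/"}).
     *
     * @param eAssertion the encrypted assertion to decrypt; may be
     *        {@code null}
     * @param spEntityID entity ID of the service provider whose decryption
     *        keys are used
     * @return the decrypted assertion, or {@code null} if
     *         {@code eAssertion} is {@code null}
     *
     * @exception SAML2Exception if the operation is not successful
     *
     * @supported.api
     */
    private static Assertion getDecryptedAssertion(
        EncryptedAssertion eAssertion,
        String spEntityID) throws SAML2Exception
    {
        if (eAssertion == null) {
            return null;
        }
        return eAssertion.decrypt(
            KeyUtil.getDecryptionKeys("/", spEntityID,
                SAML2Constants.ATTR_QUERY_ROLE));
    }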
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster}