a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: SPACSUtils.java,v 1.48 2009/11/20 21:41:16 exu Exp $
07856bf23b706ef4e3654388d9ca26a720e0ad6aPeter Major * Portions Copyrighted 2010-2015 ForgeRock AS.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.common.SystemConfigurationUtil;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.soapbinding.Message;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.soapbinding.SOAPBindingException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.soapbinding.SOAPFaultException;
7fadb5ee267a4d808110b0c3e704de440902cb83Mark de Reeperimport com.sun.identity.plugin.datastore.DataStoreProviderException;
7fadb5ee267a4d808110b0c3e704de440902cb83Mark de Reeperimport com.sun.identity.plugin.monitoring.FedMonAgent;
7fadb5ee267a4d808110b0c3e704de440902cb83Mark de Reeperimport com.sun.identity.plugin.monitoring.FedMonSAML2Svc;
7fadb5ee267a4d808110b0c3e704de440902cb83Mark de Reeperimport com.sun.identity.plugin.monitoring.MonitorManager;
7fadb5ee267a4d808110b0c3e704de440902cb83Mark de Reeperimport com.sun.identity.plugin.session.SessionException;
7fadb5ee267a4d808110b0c3e704de440902cb83Mark de Reeperimport com.sun.identity.plugin.session.SessionManager;
7fadb5ee267a4d808110b0c3e704de440902cb83Mark de Reeperimport com.sun.identity.plugin.session.SessionProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.common.SAMLConstants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.xmlsig.KeyProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Assertion;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.assertion.AssertionFactory;
1937848ad641fa32fce52f8570626a635cef6d30David Lunaimport com.sun.identity.saml2.assertion.Attribute;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.AttributeStatement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.EncryptedAttribute;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.assertion.EncryptedID;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.assertion.Issuer;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.assertion.NameID;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.assertion.Subject;
7fadb5ee267a4d808110b0c3e704de440902cb83Mark de Reeperimport com.sun.identity.saml2.common.AccountUtils;
7fadb5ee267a4d808110b0c3e704de440902cb83Mark de Reeperimport com.sun.identity.saml2.common.NameIDInfo;
7fadb5ee267a4d808110b0c3e704de440902cb83Mark de Reeperimport com.sun.identity.saml2.common.NameIDInfoKey;
7fadb5ee267a4d808110b0c3e704de440902cb83Mark de Reeperimport com.sun.identity.saml2.common.SAML2Constants;
7fadb5ee267a4d808110b0c3e704de440902cb83Mark de Reeperimport com.sun.identity.saml2.common.SAML2Exception;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.common.SAML2FailoverUtils;
7fadb5ee267a4d808110b0c3e704de440902cb83Mark de Reeperimport com.sun.identity.saml2.common.SAML2SDKUtils;
7fadb5ee267a4d808110b0c3e704de440902cb83Mark de Reeperimport com.sun.identity.saml2.common.SAML2Utils;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.common.SOAPCommunicator;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.ecp.ECPRelayState;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.entityconfig.IDPSSOConfigElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.AffiliationDescriptorType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.ArtifactResolutionServiceElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaUtils;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.plugins.SAML2PluginsUtils;
7fadb5ee267a4d808110b0c3e704de440902cb83Mark de Reeperimport com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter;
7fadb5ee267a4d808110b0c3e704de440902cb83Mark de Reeperimport com.sun.identity.saml2.plugins.SPAccountMapper;
7fadb5ee267a4d808110b0c3e704de440902cb83Mark de Reeperimport com.sun.identity.saml2.plugins.SPAttributeMapper;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.Artifact;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.ArtifactResolve;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.ArtifactResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.AuthnRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.ProtocolFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.Response;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.shared.encode.URLEncDec;
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeperimport org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException;
6ee2adce4b7ba1c7cdee88dce16cc901d1a1e1ceDavid Lunaimport org.forgerock.openam.saml2.audit.SAML2Auditor;
6ee2adce4b7ba1c7cdee88dce16cc901d1a1e1ceDavid Lunaimport org.forgerock.openam.saml2.audit.SAML2EventLogger;
4a5a82da9bbab0a3ea1701c3ae9334c678d24ca5Mark de Reeperimport org.forgerock.openam.utils.ClientUtils;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport org.forgerock.openam.utils.CollectionUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This class is used by a service provider (SP) to process the response from
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * an identity provider for the SP's Assertion Consumer Service.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @supported.api
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static FedMonAgent agent = MonitorManager.getAgent();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static FedMonSAML2Svc saml2Svc = MonitorManager.getSAML2Svc();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Retrieves <code>SAML</code> <code>Response</code> from http request.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * It handles three cases:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * 1. using http method get using request parameter "resID".
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This is the case after local login is done.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * 2. using http method get using request parameter "SAMLart".
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This is the case for artifact profile.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * 3. using http method post. This is the case for post profile.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request http servlet request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response http servlet response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param orgName realm or organization name the service provider resides in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostEntityId Entity ID of the hosted service provider
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param metaManager <code>SAML2MetaManager</code> instance.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>ResponseInfo</code> instance.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAML2Exception,IOException if it fails in the process.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster orgName, hostEntityId, SAML2Constants.ACS_SERVICE,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "unsupportedBinding",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("unsupportedBinding"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("unsupportedBinding"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster respInfo = getResponseFromGet(request, response, orgName,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((pathInfo != null) && (pathInfo.startsWith("/ECP"))) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster orgName, hostEntityId, SAML2Constants.ACS_SERVICE,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "unsupportedBinding",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("unsupportedBinding"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("unsupportedBinding"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster respInfo = getResponseFromPostECP(request, response, orgName,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster orgName, hostEntityId, SAML2Constants.ACS_SERVICE,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "unsupportedBinding",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("unsupportedBinding"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("unsupportedBinding"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster respInfo = getResponseFromPost(request, response, orgName,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // not supported
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "notSupportedHTTPMethod",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("notSupportedHTTPMethod"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("notSupportedHTTPMethod"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACSUtils.getResponse: got response="
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings + respInfo.getResponse().toXMLString(true, true));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Retrieves <code>SAML Response</code> from http Get.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * It first uses parameter resID to retrieve <code>Response</code>. This is
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the case after local login;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If resID is not defined, it then uses <code>SAMLart</code> http
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * parameter to retrieve <code>Response</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static ResponseInfo getResponseFromGet(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACSUtils.getResponseFromGet: resID="
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster respInfo = (ResponseInfo) SPCache.responseHash.remove(resID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACSUtils.getResponseFromGet: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "couldn't find Response from resID.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster response.SC_INTERNAL_SERVER_ERROR, "SSOFailed",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String samlArt = request.getParameter(SAML2Constants.SAML_ART);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (samlArt == null || samlArt.trim().length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPACSUtils.getResponseFromGet: Artifact "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "string is empty.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings "missingArtifact",
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SAML2Utils.bundle.getString("missingArtifact"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("missingArtifact"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return new ResponseInfo(getResponseFromArtifact(samlArt, hostEntityId,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Retrieves response using artifact profile.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static Response getResponseFromArtifact(String samlArt,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String hostEntityId, HttpServletRequest request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2MetaManager sm) throws SAML2Exception,IOException
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Try to get source ID and endpointIndex, and then
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // decide which IDP and which artifact resolution service
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACSUtils.getResponseFromArtifact: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster art = ProtocolFactory.getInstance().createArtifact(samlArt.trim());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPACSUtils.getResponseFromArtifact: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Unable to decode and parse artifact string:" + samlArt);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "errorObtainArtifact",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("errorObtainArtifact"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String idpEntityID = getIDPEntityID(art, request, response, orgName, sm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster idp = sm.getIDPSSODescriptor(orgName, idpEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "failedToGetIDPSSODescriptor", se.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String location = getIDPArtifactResolutionServiceUrl(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster art.getEndpointIndex(), idpEntityID, idp, request, response);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // create ArtifactResolve message
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster resolve = ProtocolFactory.getInstance().createArtifactResolve();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster resolve.setVersion(SAML2Constants.VERSION_2_0);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster resolve.setDestination(XMLUtils.escapeSpecialCharacters(location));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Issuer issuer = AssertionFactory.getInstance().createIssuer();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // or save it somewhere?
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String signAlias = getAttributeValueFromSPSSOConfig(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("missingSigningCertAlias"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster KeyProvider kp = KeyUtil.getKeyProviderInstance();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("nullKeyProvider"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String resolveString = resolve.toXMLString(true, true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACSUtils.getResponseFromArtifact: "
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SOAPConnection con = SOAPCommunicator.getInstance().openSOAPConnection();
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SOAPMessage msg = SOAPCommunicator.getInstance().createSOAPMessage(resolveString, true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster config = sm.getIDPSSOConfig(orgName, idpEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPACSUtils.getResponseFromArtifact: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = {hostEntityId, art.getArtifactValue()};
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "errorCreateArtifactResolve",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("errorCreateArtifactResolve"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPACSUtils.getResponseFromGet: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "couldn't get ArtifactResponse. SOAP error:",se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "errorInSOAPCommunication",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("errorInSOAPCommunication"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Response result = getResponseFromSOAP(resMsg, resolve, request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster response, idpEntityID, idp, orgName, hostEntityId, sm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Finds the IDP who sends the artifact;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // find the idp
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster metaManager.getAllRemoteIdentityProviderEntities(orgName).
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster tmpSourceID = SAML2Utils.generateSourceID(idpEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPACSUtils.getResponseFromGet: Unable "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "to find the IDP based on the SourceID in the artifact");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = {art.getArtifactValue(), orgName};
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = {art.getArtifactValue(), orgName};
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Retrieves the ArtifactResolutionServiceURL for an IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static String getIDPArtifactResolutionServiceUrl(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // find the artifact resolution service url
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List arsList=idp.getArtifactResolutionService();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean isDefault = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ars = (ArtifactResolutionServiceElement)arsList.get(i);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //String binding = ars.getBinding();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (location == null || location.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (location == null || location.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (location == null || location.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPACSUtils: Unable to get the "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "location of artifact resolution service for "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "cannotFindArtifactResolutionUrl",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "cannotFindArtifactResolutionUrl"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "cannotFindArtifactResolutionUrl"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACSUtils: IDP artifact resolution "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Obtains <code>SAML Response</code> from <code>SOAPBody</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Used by Artifact profile.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static Response getResponseFromSOAP(SOAPMessage resMsg,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String method = "SPACSUtils.getResponseFromSOAP:";
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings resElem = SOAPCommunicator.getInstance().getSamlpElement(resMsg, "ArtifactResponse");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message(method + "Couldn't create "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "failedToCreateArtifactResponse", se.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "missingArtifactResponse",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("missingArtifactResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("missingArtifactResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message(method + "Received ArtifactResponse:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // verify ArtifactResponse
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String wantArtiRespSigned = getAttributeValueFromSPSSOConfig(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (wantArtiRespSigned != null && wantArtiRespSigned.equals("true")) {
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings Set<X509Certificate> verificationCerts = KeyUtil.getVerificationCerts(idp, idpEntityID,
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings if (!artiResp.isSigned() || !artiResp.isSignatureValid(verificationCerts)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "ArtifactResponse's signature is invalid.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster response.SC_INTERNAL_SERVER_ERROR, "invalidSignature",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidSignature"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidSignature"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String inResponseTo = artiResp.getInResponseTo();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (inResponseTo == null || !inResponseTo.equals(resolve.getID())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "ArtifactResponse's InResponseTo is invalid.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.ARTIFACT_RESPONSE_INVALID_INRESPONSETO,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster response.SC_INTERNAL_SERVER_ERROR, "invalidInResponseTo",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidInResponseTo"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidInResponseTo"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (idpIssuer == null || !idpIssuer.getValue().equals(idpEntityID)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "ArtifactResponse's Issuer is invalid.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster response.SC_INTERNAL_SERVER_ERROR, "invalidIssuer",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check time?
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (status == null || !status.getStatusCode().getValue().equals(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (status == null)?"":status.getStatusCode().getValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "ArtifactResponse's status code is not success."
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings response.SC_INTERNAL_SERVER_ERROR, "invalidStatusCode",
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SAML2Utils.bundle.getString("invalidStatusCode"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidStatusCode"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return ProtocolFactory.getInstance().createResponse(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Obtains <code>SAML Response</code> from <code>SOAPBody</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Used by ECP profile.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static ResponseInfo getResponseFromPostECP(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster HttpServletRequest request, HttpServletResponse response,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String orgName, String hostEntityId, SAML2MetaManager metaManager)
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings message = new Message(SOAPCommunicator.getInstance().getSOAPMessage(request));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.CANNOT_INSTANTIATE_SOAP_MESSAGE_ECP, data, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "failedToCreateSOAPMessage", soapex.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.CANNOT_INSTANTIATE_SOAP_MESSAGE_ECP, data, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "failedToCreateSOAPMessage", soapex.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO, LogUtil.RECEIVE_SOAP_FAULT_ECP,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sfex.getSOAPFaultMessage().getSOAPFault().getFaultString();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List soapHeaders = message.getOtherSOAPHeaders();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((soapHeaders != null) && (!soapHeaders.isEmpty())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster for(Iterator iter = soapHeaders.iterator(); iter.hasNext();) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ECPFactory.getInstance().createECPRelayState(headerEle);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // not ECP RelayState
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((soapBodies == null) || (soapBodies.isEmpty())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.CANNOT_INSTANTIATE_SAML_RESPONSE_FROM_ECP, data, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "missingSAMLResponse",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("missingSAMLResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("missingSAMLResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster resp = ProtocolFactory.getInstance().createResponse(resElem);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACSUtils.getResponseFromPostECP:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.CANNOT_INSTANTIATE_SAML_RESPONSE_FROM_ECP, data, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String idpEntityID = resp.getIssuer().getValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster idpDesc = metaManager.getIDPSSODescriptor(orgName, idpEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO, LogUtil.IDP_META_NOT_FOUND, data, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "failedToGetIDPSSODescriptor", se.getMessage());
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings Set<X509Certificate> certificates = KeyUtil.getVerificationCerts(idpDesc, idpEntityID, SAML2Constants.IDP_ROLE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((assertions != null) && (!assertions.isEmpty())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster for(Iterator iter = assertions.iterator(); iter.hasNext(); ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "SPACSUtils.getResponseFromPostECP: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " Assertion is not signed.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "assertionNotSigned",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("assertionNotSigned"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("assertionNotSigned"));
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings } else if (!assertion.isSignatureValid(certificates)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "SPACSUtils.getResponseFromPostECP: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " Assertion signature is invalid.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.ECP_ASSERTION_INVALID_SIGNATURE, data, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "invalidSignature",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidSignature"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidSignature"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return new ResponseInfo(resp, SAML2Constants.PAOS, relayState);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Obtains SAML Response from POST.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static ResponseInfo getResponseFromPost(HttpServletRequest request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster HttpServletResponse response, String orgName, String hostEntityId,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2MetaManager metaManager) throws SAML2Exception,IOException
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String classMethod = "SPACSUtils:getResponseFromPost";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACSUtils:getResponseFromPost");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String samlArt = request.getParameter(SAML2Constants.SAML_ART);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((samlArt != null) && (samlArt.trim().length() != 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return new ResponseInfo(getResponseFromArtifact(samlArt,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster hostEntityId, request, response, orgName, metaManager),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "missingSAMLResponse",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("missingSAMLResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("missingSAMLResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Get Response back
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // decode the Response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Document doc = XMLUtils.toDOMDocument(bis, SAML2Utils.debug);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPACSUtils.getResponse: Exception "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "errorObtainResponse",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("errorObtainResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("errorObtainResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPACSUtils.getResponse: Exception "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "when decoding SAMLResponse:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster response.SC_INTERNAL_SERVER_ERROR, "errorDecodeResponse",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("errorDecodeResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("errorDecodeResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACSUtils.getResponse: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Exception when close the input stream:", ie);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return (new ResponseInfo(resp, SAML2Constants.HTTP_POST, null));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACSUtils.getResponse: Decoded response, " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "resp is null");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Authenticates user with <code>Response</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Auth session upgrade will be called if input session is
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Otherwise, saml2 auth module is called. The name of the auth module
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * is retrieved from <code>SPSSOConfig</code>. If not found, "SAML2" will
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request HTTP Servlet request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response HTTP Servlet response.
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest * @param out the print writer for writing out presentation
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param metaAlias metaAlias for the service provider
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param session input session object. It could be null.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param respInfo <code>ResponseInfo</code> to be verified.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm realm or organization name of the service provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostEntityId hosted service provider Entity ID.
6ee2adce4b7ba1c7cdee88dce16cc901d1a1e1ceDavid Luna * @param metaManager <code>SAML2MetaManager</code> instance for meta operation.
6ee2adce4b7ba1c7cdee88dce16cc901d1a1e1ceDavid Luna * @param auditor a <code>SAML2EventLogger</code> auditor object to hook into
6ee2adce4b7ba1c7cdee88dce16cc901d1a1e1ceDavid Luna * tracking information for the saml request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>Object</code> which holds result of the session.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAML2Exception if the processing failed.
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest HttpServletRequest request, HttpServletResponse response, PrintWriter out,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String metaAlias, Object session, ResponseInfo respInfo,
6ee2adce4b7ba1c7cdee88dce16cc901d1a1e1ceDavid Luna String realm, String hostEntityId, SAML2MetaManager metaManager, SAML2EventLogger auditor
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String classMethod = "SPACSUtils.processResponse: ";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message(classMethod + "Response : " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check Response/Assertion and get back a Map of relevant data
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster smap = SAML2Utils.verifyResponse(request, response,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for failure
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster invokeSPAdapterForSSOFailure(hostEntityId, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.INVALID_RESPONSE, se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster com.sun.identity.saml2.assertion.Subject assertionSubject =
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster EncryptedID encId = assertionSubject.getEncryptedID();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (Assertion) smap.get(SAML2Constants.POST_ASSERTION);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String sessionIndex = (String)smap.get(SAML2Constants.SESSION_INDEX);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Integer authLevel = (Integer) smap.get(SAML2Constants.AUTH_LEVEL);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Long maxSessionTime = (Long) smap.get(SAML2Constants.MAX_SESSION_TIME);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String inRespToResp = (String) smap.get(SAML2Constants.IN_RESPONSE_TO);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List assertions = (List) smap.get(SAML2Constants.ASSERTIONS);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message(classMethod + "Assertions : " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster metaManager.getSPSSOConfig(realm, hostEntityId);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get mappers
882df6887ad52745d38d9bf0d92b3ac6f7703126Peter Major SPAccountMapper acctMapper = SAML2Utils.getSPAccountMapper(realm, hostEntityId);
882df6887ad52745d38d9bf0d92b3ac6f7703126Peter Major SPAttributeMapper attrMapper = SAML2Utils.getSPAttributeMapper(realm, hostEntityId);
1937848ad641fa32fce52f8570626a635cef6d30David Luna SAML2Utils.getAttributeValueFromSPSSOConfig(spssoconfig, SAML2Constants.WANT_ASSERTION_ENCRYPTED);
1937848ad641fa32fce52f8570626a635cef6d30David Luna boolean needAttributeEncrypted = getNeedAttributeEncrypted(assertionEncryptedAttr, spssoconfig);
1937848ad641fa32fce52f8570626a635cef6d30David Luna boolean needNameIDEncrypted = getNeedNameIDEncrypted(assertionEncryptedAttr, spssoconfig);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings Set<PrivateKey> decryptionKeys = KeyUtil.getDecryptionKeys(spssoconfig);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "process: NameID was not encrypted.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Exception se = new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nameIDNotEncrypted"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for failure
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster invokeSPAdapterForSSOFailure(hostEntityId, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.INVALID_RESPONSE, se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for failure
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster invokeSPAdapterForSSOFailure(hostEntityId, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.INVALID_RESPONSE, se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spDesc = metaManager.getSPSSODescriptor(realm, hostEntityId);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Exception se = new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "metaDataError"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster invokeSPAdapterForSSOFailure(hostEntityId, realm, request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.SSO_FAILED_META_DATA_ERROR, se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List spNameIDFormatList = spDesc.getNameIDFormat();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((spNameIDFormatList != null) && (!spNameIDFormatList.isEmpty())
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster && (!spNameIDFormatList.contains(nameIDFormat))) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Exception se = new SAML2Exception(SAML2Utils.BUNDLE_NAME,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster invokeSPAdapterForSSOFailure(hostEntityId, realm, request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.INVALID_RESPONSE, se);
07856bf23b706ef4e3654388d9ca26a720e0ad6aPeter Major boolean isTransient = SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(nameIDFormat);
07856bf23b706ef4e3654388d9ca26a720e0ad6aPeter Major boolean isPersistent = SAML2Constants.PERSISTENT.equals(nameIDFormat);
7fadb5ee267a4d808110b0c3e704de440902cb83Mark de Reeper boolean ignoreProfile = SAML2PluginsUtils.isIgnoredProfile(realm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionProvider = SessionManager.getProvider();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for failure
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster invokeSPAdapterForSSOFailure(hostEntityId, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.SSO_FAILED_SESSION_ERROR, se2);
278430bd7c2549ff6258c48ef8ee394b6aad5782Peter Major existUserName = sessionProvider.getPrincipalName(session);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for failure
278430bd7c2549ff6258c48ef8ee394b6aad5782Peter Major invokeSPAdapterForSSOFailure(hostEntityId, realm, request, response, smap, respInfo,
278430bd7c2549ff6258c48ef8ee394b6aad5782Peter Major SAML2ServiceProviderAdapter.SSO_FAILED_SESSION_ERROR, se2);
07856bf23b706ef4e3654388d9ca26a720e0ad6aPeter Major String remoteHostId = authnAssertion.getIssuer().getValue();
07856bf23b706ef4e3654388d9ca26a720e0ad6aPeter Major boolean isNewAccountLink = false;
07856bf23b706ef4e3654388d9ca26a720e0ad6aPeter Major boolean shouldPersistNameID = isPersistent || (!isTransient && !ignoreProfile
07856bf23b706ef4e3654388d9ca26a720e0ad6aPeter Major && acctMapper.shouldPersistNameIDFormat(realm, hostEntityId, remoteHostId, nameIDFormat));
07856bf23b706ef4e3654388d9ca26a720e0ad6aPeter Major SAML2Utils.debug.message(classMethod + "querying data store for existing federation links: realm = "
07856bf23b706ef4e3654388d9ca26a720e0ad6aPeter Major + realm + " hostEntityID = " + hostEntityId + " remoteEntityID = " + remoteHostId);
07856bf23b706ef4e3654388d9ca26a720e0ad6aPeter Major userName = SAML2Utils.getDataStoreProvider().getUserID(realm, SAML2Utils.getNameIDKeyMap(
07856bf23b706ef4e3654388d9ca26a720e0ad6aPeter Major nameId, hostEntityId, remoteHostId, realm, SAML2Constants.SP_ROLE));
07856bf23b706ef4e3654388d9ca26a720e0ad6aPeter Major SAML2Utils.debug.error(classMethod + "DataStoreProviderException whilst retrieving NameID " +
07856bf23b706ef4e3654388d9ca26a720e0ad6aPeter Major userName = acctMapper.getIdentity(authnAssertion, hostEntityId, realm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for failure
07856bf23b706ef4e3654388d9ca26a720e0ad6aPeter Major invokeSPAdapterForSSOFailure(hostEntityId, realm, request, response, smap, respInfo,
07856bf23b706ef4e3654388d9ca26a720e0ad6aPeter Major SAML2ServiceProviderAdapter.SSO_FAILED_NO_USER_MAPPING, se);
278430bd7c2549ff6258c48ef8ee394b6aad5782Peter Major if (userName == null && respInfo.isLocalLogin()) {
278430bd7c2549ff6258c48ef8ee394b6aad5782Peter Major // In case we just got authenticated locally, we should accept the freshly authenticated session's principal
278430bd7c2549ff6258c48ef8ee394b6aad5782Peter Major // as the username corresponding to the received assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster classMethod + "process: userName =[" + userName + "]");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster for (Iterator it = assertions.iterator(); it.hasNext(); ) {
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings List origAttrs = getSAMLAttributes(assertion, needAttributeEncrypted, decryptionKeys);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (origAttrs != null && !origAttrs.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster attrMap = attrMapper.getAttributes(attrs, userName,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for failure
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster invokeSPAdapterForSSOFailure(hostEntityId, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.SSO_FAILED_ATTRIBUTE_MAPPING,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster classMethod + "process: remoteHostId = " + remoteHostId);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster classMethod + "process: attrMap = " + attrMap);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // return error code for local user login
278430bd7c2549ff6258c48ef8ee394b6aad5782Peter Major // If we couldn't determine the username based on the incoming assertion, then we shouldn't automatically
278430bd7c2549ff6258c48ef8ee394b6aad5782Peter Major // map the user to the existing session.
278430bd7c2549ff6258c48ef8ee394b6aad5782Peter Major sessionProvider.invalidateSession(session, request, response);
278430bd7c2549ff6258c48ef8ee394b6aad5782Peter Major SAML2Utils.debug.error("An error occurred while trying to invalidate session", se);
278430bd7c2549ff6258c48ef8ee394b6aad5782Peter Major throw new SAML2Exception(SAML2Utils.bundle.getString("noUserMapping"));
07856bf23b706ef4e3654388d9ca26a720e0ad6aPeter Major boolean writeFedInfo = isNewAccountLink && shouldPersistNameID;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster classMethod + "writeFedInfo : " + writeFedInfo);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (inRespToResp != null && inRespToResp.length() != 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionInfoMap.put(SessionProvider.REALM, realm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionInfoMap.put(SessionProvider.PRINCIPAL_NAME, userName);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // set client info. always use client IP address to prevent
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // reverse host lookup
4a5a82da9bbab0a3ea1701c3ae9334c678d24ca5Mark de Reeper String clientAddr = ClientUtils.getClientIPAddress(request);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionInfoMap.put(SessionProvider.HOST, clientAddr);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionInfoMap.put(SessionProvider.HOST_NAME, clientAddr);
5782a5801b205a5f4225dde7fd580923431fa8b3Peter Major request.setAttribute(SessionProvider.ATTR_MAP, attrMap);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for failure
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.SSO_FAILED_SESSION_GENERATION;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (sessCode == SessionException.AUTH_USER_INACTIVE) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.SSO_FAILED_AUTH_USER_INACTIVE;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (sessCode == SessionException.AUTH_USER_LOCKED) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.SSO_FAILED_AUTH_USER_LOCKED;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (sessCode == SessionException.AUTH_ACCOUNT_EXPIRED) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.SSO_FAILED_AUTH_ACCOUNT_EXPIRED;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "SPACSUtils.processResponse : error code=" + sessCode, se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster invokeSPAdapterForSSOFailure(hostEntityId, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster request, response, smap, respInfo, failureCode, se2);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // set metaAlias
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster setAttrMapInSession(sessionProvider, attrMap, session);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster setDiscoBootstrapCredsInSSOToken(sessionProvider, authnAssertion,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for failure
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster invokeSPAdapterForSSOFailure(hostEntityId, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.SSO_FAILED_SESSION_ERROR, se2);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean isDualRole = SAML2Utils.isDualRole(hostEntityId, realm);
828057d90816871c55a24e161757edb11f09e5ddPeter Major affiDesc = metaManager.getAffiliationDescriptor(realm, affiID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!affiDesc.getAffiliateMember().contains(hostEntityId)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "spNotAffiliationMember"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster info = new NameIDInfo(affiID, remoteHostId, nameId,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster info = new NameIDInfo(affiID, remoteHostId, nameId,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster info = new NameIDInfo(hostEntityId, remoteHostId, nameId,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster info = new NameIDInfo(hostEntityId, remoteHostId, nameId,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String nameIDValueString = info.getNameIDValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster props.put(LogUtil.NAME_ID, info.getNameIDValue());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster userName = sessionProvider.getPrincipalName(session);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for failure
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster invokeSPAdapterForSSOFailure(hostEntityId, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.SSO_FAILED_SESSION_ERROR, se2);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data1 = {userName, nameIDValueString};
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.INFO, LogUtil.SUCCESS_FED_SSO, data1, session,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // write fed info into data store
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AccountUtils.setAccountFederation(info, userName);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for failure
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster invokeSPAdapterForSSOFailure(hostEntityId, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.FEDERATION_FAILED_WRITING_ACCOUNT_INFO, se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String requestID = respInfo.getResponse().getInResponseTo();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // save info in memory for logout
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster saveInfoInMemory(sessionProvider, session, sessionIndex, metaAlias,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster info, IDPProxyUtil.isIDPProxyEnabled(requestID), isTransient);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SP Adapter
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.getSPAdapterClass(hostEntityId, realm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean redirected = spAdapter.postSingleSignOnSuccess(
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest response, out, session, authnRequest, respInfo.getResponse(),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.warning("SPSingleLogout.processResp", ex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.warning("SPSingleLogout.processResp", ex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (respInfo.getProfileBinding().equals(SAML2Constants.HTTP_POST)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPCache.assertionByIDCache.put(assertionID, SAML2Constants.ONETIME);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper ((Long) smap.get(SAML2Constants.NOTONORAFTER)).longValue() / 1000);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper "There was a problem saving the assertionID to the SAML2 Token Repository for assertionID:"
1937848ad641fa32fce52f8570626a635cef6d30David Luna private static boolean getNeedNameIDEncrypted(String assertionEncryptedAttr, SPSSOConfigElement spssoconfig) {
1937848ad641fa32fce52f8570626a635cef6d30David Luna if (Boolean.parseBoolean(assertionEncryptedAttr)) {
1937848ad641fa32fce52f8570626a635cef6d30David Luna String idEncryptedStr = SAML2Utils.getAttributeValueFromSPSSOConfig(spssoconfig,
1937848ad641fa32fce52f8570626a635cef6d30David Luna return true;
1937848ad641fa32fce52f8570626a635cef6d30David Luna return false;
1937848ad641fa32fce52f8570626a635cef6d30David Luna public static boolean getNeedAttributeEncrypted(String assertionEncryptedAttr, SPSSOConfigElement spssoconfig) {
1937848ad641fa32fce52f8570626a635cef6d30David Luna if (Boolean.parseBoolean(assertionEncryptedAttr)) {
1937848ad641fa32fce52f8570626a635cef6d30David Luna SAML2Utils.getAttributeValueFromSPSSOConfig(spssoconfig, SAML2Constants.WANT_ATTRIBUTE_ENCRYPTED);
1937848ad641fa32fce52f8570626a635cef6d30David Luna return true;
1937848ad641fa32fce52f8570626a635cef6d30David Luna return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static void invokeSPAdapterForSSOFailure(String hostEntityId,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm, HttpServletRequest request, HttpServletResponse response,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map smap, ResponseInfo respInfo, int errorCode,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spAdapter = SAML2Utils.getSPAdapterClass(hostEntityId, realm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "SPACSUtils.invokeSPAdapterForSSOFailure", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean redirected = spAdapter.postSingleSignOnFailure(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster hostEntityId, realm, request, response, authnRequest,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster respInfo.getResponse(), respInfo.getProfileBinding(),
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings public static void saveInfoInMemory(SessionProvider sessionProvider,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Object session, String sessionIndex, String metaAlias,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameIDInfo info, boolean isIDPProxy, boolean isTransient)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (fromToken == null || fromToken.length == 0 ||
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster fromToken[0] == null || fromToken[0].length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (fromToken[0].indexOf(infoKeyString) == -1) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String infoAttribute = AccountUtils.getNameIDInfoAttribute();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] nameIDInfoStrs = sessionProvider.getProperty(session,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster nameIDInfoStrs = (String[])nameIDInfoStrSet.toArray(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionProvider.setProperty(session, infoAttribute,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String tokenID = sessionProvider.getSessionID(session);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPCache.fedSessionListsByNameIDInfoKey.get(infoKeyString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (SPCache.fedSessionListsByNameIDInfoKey) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPCache.fedSessionListsByNameIDInfoKey.get(infoKeyString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (fedSessions) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster fedSessions.add(new SPFedSession(sessionIndex, tokenID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml2Svc != null)){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (long)SPCache.fedSessionListsByNameIDInfoKey.size());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("Add Session Partner: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster idpSess.addSessionPartner(new SAML2SessionPartner(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // end of IDP Proxy
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (fedSessions) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean found = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPFedSession temp = (SPFedSession) iter.next();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPCache.fedSessionListsByNameIDInfoKey.put(infoKeyString,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml2Svc != null)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (long)SPCache.fedSessionListsByNameIDInfoKey.size());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster session, new SPSessionListener(infoKeyString, tokenID));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "SPACSUtils.saveInfoInMemory: "+
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Unable to add session listener.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /** Sets the attribute map in the session
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param sessionProvider Session provider
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param attrMap the Attribute Map
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param session the valid session object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws com.sun.identity.plugin.session.SessionException
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster for(Iterator iter = entrySet.iterator(); iter.hasNext();) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(attrValues != null && !attrValues.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "SPACSUtils.setAttrMapInSessioin: AttrMap:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /** Sets Discovery bootstrap credentials in the SSOToken
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param sessionProvider session provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param assertion assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param session the valid session object.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static void setDiscoBootstrapCredsInSSOToken(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SessionProvider sessionProvider, Assertion assertion, Object session)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.DISCOVERY_BOOTSTRAP_CREDENTIALS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Obtains relay state. Retrieves the relay state from relay state cache.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If input relay state is null, retrieve it from <code>SPSSOConfig</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param relayStateID relay state value received from http request.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param orgName realm or organization name the service provider resides in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostEntityId Entity ID of the hosted service provider
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param sm <code>SAML2MetaManager</code> instance.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return final relay state. Or <code>null</code> if the input
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * relayStateID is null and no default relay state is configured.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((relayStateID != null) && (relayStateID.trim().length() != 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster CacheObject cache = (CacheObject)SPCache.relayStateHash.remove(
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper } else if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper // The key is this way to make it unique compared to when
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper // the same key is used to store a copy of the AuthnRequestInfo
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Try and retrieve the value from the SAML2 repository
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper String relayState = (String) SAML2FailoverUtils.retrieveSAML2Token(key);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Get back the relayState
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACUtils.getRelayState: relayState"
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper + " retrieved from SAML2 repository for key: " + key);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2Utils.debug.error("SPACUtils.getRelayState: Unable to retrieve relayState for key "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACUtils.getRelayState: relayState"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " is null for relayStateID: " + relayStateID + ", SAML2 failover is disabled");
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper if (relayStateUrl == null || relayStateUrl.trim().length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (relayStateUrl == null || relayStateUrl.trim().length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster relayStateUrl = getAttributeValueFromSPSSOConfig(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster orgName, hostEntityId, sm, SAML2Constants.DEFAULT_RELAY_STATE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Retrieves intermediate redirect url from SP sso config. This url is used
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * if you want to goto some place before the final relay state.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param orgName realm or organization name the service provider resides in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostEntityId Entity ID of the hosted service provider
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param sm <code>SAML2MetaManager</code> instance.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return intermediate redirect url; or <code>null</code> if the url is
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * is not configured or an error occured during the retrieval
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static String getIntermediateURL(String orgName,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return getAttributeValueFromSPSSOConfig(orgName, hostEntityId, sm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Saves response for later retrieval and retrieves local auth url from
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SPSSOConfig</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If the url does not exist, generate one from request URI.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If still cannot get it, (shouldn't happen), get it from
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param orgName realm or organization name the service provider resides in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostEntityId Entity ID of the hosted service provider
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param sm <code>SAML2MetaManager</code> instance to perform meta
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * operation.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param respInfo to be cached <code>ResponseInfo</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param requestURI http request URI.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return local login url.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String localLoginUrl = getAttributeValueFromSPSSOConfig(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster orgName, hostEntityId, sm, SAML2Constants.LOCAL_AUTH_URL);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((localLoginUrl == null) || (localLoginUrl.length() == 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get it from request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster int index = requestURI.indexOf("Consumer/metaAlias");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((localLoginUrl == null) || (localLoginUrl.length() == 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // shouldn't be here, but in case
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SystemConfigurationUtil.getProperty(SAMLConstants.SERVER_PROTOCOL)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + SystemConfigurationUtil.getProperty(SAMLConstants.SERVER_HOST)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + SystemConfigurationUtil.getProperty(SAMLConstants.SERVER_PORT)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPCache.responseHash.put(respInfo.getResponse().getID(),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACSUtils:prepareForLocalLogin: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Retrieves attribute value for a given attribute name from
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SPSSOConfig</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param orgName realm or organization name the service provider resides in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostEntityId hosted service provider's Entity ID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param sm <code>SAML2MetaManager</code> instance to perform meta
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * operations.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param attrName name of the attribute whose value ot be retrived.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return value of the attribute; or <code>null</code> if the attribute
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * if not configured, or an error occured in the process.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static String getAttributeValueFromSPSSOConfig(String orgName,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPSSOConfigElement config = sm.getSPSSOConfig(orgName,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map attrs = SAML2MetaUtils.getAttributes(config);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster result = ((String) value.iterator().next()).trim();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACSUtils.getAttributeValueFromSPSSO"
1937848ad641fa32fce52f8570626a635cef6d30David Luna * Gets the attributes from an assert's AttributeStates.
1937848ad641fa32fce52f8570626a635cef6d30David Luna * @param assertion The assertion from which to pull the AttributeStates.
1937848ad641fa32fce52f8570626a635cef6d30David Luna * @param needAttributeEncrypted Whether attributes must be encrypted (or else rejected).
1937848ad641fa32fce52f8570626a635cef6d30David Luna * @param privateKeys Private keys used to decrypt those encrypted attributes.
1937848ad641fa32fce52f8570626a635cef6d30David Luna * @return a list of attributes pulled from the provided assertion.
1937848ad641fa32fce52f8570626a635cef6d30David Luna public static List<Attribute> getSAMLAttributes(Assertion assertion, boolean needAttributeEncrypted,
1937848ad641fa32fce52f8570626a635cef6d30David Luna List<AttributeStatement> statements = assertion.getAttributeStatements();
1937848ad641fa32fce52f8570626a635cef6d30David Luna for (AttributeStatement statement : statements) {
1937848ad641fa32fce52f8570626a635cef6d30David Luna List<Attribute> attributes = statement.getAttribute();
1937848ad641fa32fce52f8570626a635cef6d30David Luna if (needAttributeEncrypted && attributes != null && !attributes.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("Attribute not encrypted.");
1937848ad641fa32fce52f8570626a635cef6d30David Luna List<EncryptedAttribute> encAttrs = statement.getEncryptedAttribute();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("Decryption error:", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Processes response from Identity Provider to Fedlet (SP).
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This will do all required protocol processing, include signature,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * issuer and audience validation etc. A map containing processing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * result will be returned. <br>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Here is a list of keys and values for the returned map: <br>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SAML2Constants.ATTRIBUTE_MAP -- Attribute map containing all attributes
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * passed down from IDP inside the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Assertion. The value is a
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>java.util.Map</code> whose keys
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * are attribute names and values are
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>java.util.Set</code> of string
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * values for the attributes. <br>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SAML2Constants.RELAY_STATE -- Relay state, value is a string <br>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SAML2Constants.IDPENTITYID -- IDP entity ID, value is a string<br>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SAML2Constants.RESPONSE -- Response object, value is an instance of
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * com.sun.identity.saml2.protocol.Response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SAML2Constants.ASSERTION -- Assertion object, value is an instance of
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * com.sun.identity.saml2.assertion.Assertion
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SAML2Constants.SUBJECT -- Subject object, value is an instance of
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * com.sun.identity.saml2.assertion.Subject
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SAML2Constants.NAMEID -- NameID object, value is an instance of
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * com.sun.identity.saml2.assertion.NameID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request HTTP Servlet request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response HTTP Servlet response.
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest * @param out the print writer for writing out presentation
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>Map</code> which holds result of the processing.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAML2Exception if the processing failed due to server error.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws IOException if the processing failed due to IO error.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SessionException if the processing failed due to session error.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws ServletException if the processing failed due to request error.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @supported.api
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static Map processResponseForFedlet (HttpServletRequest request,
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest HttpServletResponse response, PrintWriter out) throws SAML2Exception, IOException,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String requestURL = request.getRequestURL().toString();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2MetaManager metaManager = new SAML2MetaManager();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2SDKUtils.bundle.getString("errorMetaManager"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String metaAlias = SAML2MetaUtils.getMetaAliasByUri(requestURL);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((metaAlias == null) || (metaAlias.length() == 0)) {
e516741c905a9cf65a6297d1dbc6612a50a717dcMark de Reeper // Check in case metaAlias has been supplied as a parameter
e516741c905a9cf65a6297d1dbc6612a50a717dcMark de Reeper metaAlias = request.getParameter(SAML2MetaManager.NAME_META_ALIAS_IN_URI);
e516741c905a9cf65a6297d1dbc6612a50a717dcMark de Reeper if (metaAlias == null || metaAlias.length() == 0) {
e516741c905a9cf65a6297d1dbc6612a50a717dcMark de Reeper // pick the first available one
e516741c905a9cf65a6297d1dbc6612a50a717dcMark de Reeper metaManager.getAllHostedServiceProviderMetaAliases("/");
e516741c905a9cf65a6297d1dbc6612a50a717dcMark de Reeper if ((spMetaAliases != null) && !spMetaAliases.isEmpty()) {
e516741c905a9cf65a6297d1dbc6612a50a717dcMark de Reeper // get first one
e516741c905a9cf65a6297d1dbc6612a50a717dcMark de Reeper if ((metaAlias == null) || (metaAlias.length() == 0)) {
e516741c905a9cf65a6297d1dbc6612a50a717dcMark de Reeper SAML2SDKUtils.bundle.getString("nullSPEntityID"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster hostEntityId = metaManager.getEntityByMetaAlias(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2SDKUtils.debug.error("SPACSUtils.processResponseForFedlet",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2SDKUtils.bundle.getString("metaDataError"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2SDKUtils.bundle.getString("metaDataError"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // organization is always root org
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String relayState = request.getParameter(SAML2Constants.RELAY_STATE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionProvider = SessionManager.getProvider();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2SDKUtils.debug.error("SPACSUtils.processResponseForFedlet",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster request, response, orgName, hostEntityId, metaManager);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Throws a SAML2Exception if the response cannot be validated
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // or contains a non-Success StatusCode, invoking the SPAdapter SPI
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // for taking action on the failed validation.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // The resulting exception has its redirectionDone flag set if
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // the SPAdapter issued a HTTP redirect.
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest request, response, out, metaAlias, null, respInfo,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] redirected = sessionProvider.getProperty(newSession,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((redirected != null) && (redirected.length != 0) &&
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2SDKUtils.debug.message("Already redirected in SPAdapter.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // response redirected already in SPAdapter
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return createMapForFedlet(respInfo, null, hostEntityId);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // redirect to relay state
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster relayState, orgName, hostEntityId, metaManager);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (finalUrl != null && finalUrl.length() != 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionProvider.rewriteURL(newSession, finalUrl);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2SDKUtils.debug.message("SPACSUtils.processRespForFedlet",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String redirectUrl = SPACSUtils.getIntermediateURL(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (redirectUrl != null && redirectUrl.length() != 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (realFinalUrl != null && realFinalUrl.length() != 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "SPACSUtils.processRespForFedlet: rewriting failed.", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return createMapForFedlet(respInfo, realRedirectUrl, hostEntityId);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ResponseInfo respInfo, String relayUrl, String hostedEntityId) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster map.put(SAML2Constants.SUBJECT, assertion.getSubject());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster map.put(SAML2Constants.IDPENTITYID, assertion.getIssuer().getValue());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster map.put(SAML2Constants.SPENTITYID, hostedEntityId);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster map.put(SAML2Constants.NAMEID, respInfo.getNameId());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster map.put(SAML2Constants.ATTRIBUTE_MAP, respInfo.getAttributeMap());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster map.put(SAML2Constants.SESSION_INDEX, respInfo.getSessionIndex());
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * Returns the username if there was one from the Assertion we were able to map into a local user account. Returns
1937848ad641fa32fce52f8570626a635cef6d30David Luna * null if not. Should only be used from the SP side. Should only be called in conjuncture with the Auth Module.
1937848ad641fa32fce52f8570626a635cef6d30David Luna * In addition, it performs what attribute federation it can.
1937848ad641fa32fce52f8570626a635cef6d30David Luna * This method is a picked apart version of the "processResponse" function.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings public static String getPrincipalWithoutLogin(Subject assertionSubject, Assertion authnAssertion, String realm,
71dbce1f4a6beaa47887299ee08c1c36d65d3183David Luna String spEntityId, SAML2MetaManager metaManager, String idpEntityId,
1937848ad641fa32fce52f8570626a635cef6d30David Luna final EncryptedID encId = assertionSubject.getEncryptedID();
1937848ad641fa32fce52f8570626a635cef6d30David Luna final SPSSOConfigElement spssoconfig = metaManager.getSPSSOConfig(realm, spEntityId);
1937848ad641fa32fce52f8570626a635cef6d30David Luna final Set<PrivateKey> decryptionKeys = KeyUtil.getDecryptionKeys(spssoconfig);
1937848ad641fa32fce52f8570626a635cef6d30David Luna final SPAccountMapper acctMapper = SAML2Utils.getSPAccountMapper(realm, spEntityId);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings boolean needNameIDEncrypted = false;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SAML2Utils.getAttributeValueFromSPSSOConfig(spssoconfig, SAML2Constants.WANT_ASSERTION_ENCRYPTED);
1937848ad641fa32fce52f8570626a635cef6d30David Luna if (assertionEncryptedAttr == null || !Boolean.parseBoolean(assertionEncryptedAttr)) {
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SAML2Utils.getAttributeValueFromSPSSOConfig(spssoconfig, SAML2Constants.WANT_NAMEID_ENCRYPTED);
1937848ad641fa32fce52f8570626a635cef6d30David Luna if (idEncryptedStr != null && Boolean.parseBoolean(idEncryptedStr)) {
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings throw new SAML2Exception(SAML2Utils.bundle.getString("nameIDNotEncrypted"));
1937848ad641fa32fce52f8570626a635cef6d30David Luna spDesc = metaManager.getSPSSODescriptor(realm, spEntityId);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SAML2Utils.debug.error("Unable to read SPSSODescription", ex);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings List spNameIDFormatList = spDesc.getNameIDFormat();
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings if (CollectionUtils.isNotEmpty(spNameIDFormatList) && !spNameIDFormatList.contains(nameIDFormat)) {
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings throw new SAML2Exception(SAML2Utils.BUNDLE_NAME, "unsupportedNameIDFormatSP", args);
1937848ad641fa32fce52f8570626a635cef6d30David Luna final boolean isTransient = SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(nameIDFormat);
1937848ad641fa32fce52f8570626a635cef6d30David Luna final boolean isPersistent = SAML2Constants.PERSISTENT.equals(nameIDFormat);
1937848ad641fa32fce52f8570626a635cef6d30David Luna final boolean ignoreProfile = SAML2PluginsUtils.isIgnoredProfile(realm);
1937848ad641fa32fce52f8570626a635cef6d30David Luna final boolean shouldPersistNameID = isPersistent || (!isTransient && !ignoreProfile
1937848ad641fa32fce52f8570626a635cef6d30David Luna && acctMapper.shouldPersistNameIDFormat(realm, spEntityId, idpEntityId, nameIDFormat));
1937848ad641fa32fce52f8570626a635cef6d30David Luna boolean isNewAccountLink = false;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings userName = SAML2Utils.getDataStoreProvider().getUserID(realm, SAML2Utils.getNameIDKeyMap(
1937848ad641fa32fce52f8570626a635cef6d30David Luna nameId, spEntityId, idpEntityId, realm, SAML2Constants.SP_ROLE));
1937848ad641fa32fce52f8570626a635cef6d30David Luna //if we can't get an already linked account, see if we'll be generating a new one based on federated data
1937848ad641fa32fce52f8570626a635cef6d30David Luna userName = acctMapper.getIdentity(authnAssertion, spEntityId, realm);
1937848ad641fa32fce52f8570626a635cef6d30David Luna isNewAccountLink = true; //we'll use this later to inform us
1937848ad641fa32fce52f8570626a635cef6d30David Luna //if we're new and we're persistent, store the federation data in the user pref
71dbce1f4a6beaa47887299ee08c1c36d65d3183David Luna writeFedData(nameId, spEntityId, realm, metaManager, idpEntityId, userName, storageKey);
1937848ad641fa32fce52f8570626a635cef6d30David Luna private static void writeFedData(NameID nameId, String spEntityId, String realm, SAML2MetaManager metaManager,
71dbce1f4a6beaa47887299ee08c1c36d65d3183David Luna String idpEntityId, String userName, String storageKey) throws SAML2Exception {
1937848ad641fa32fce52f8570626a635cef6d30David Luna final String affiID = nameId.getSPNameQualifier();
1937848ad641fa32fce52f8570626a635cef6d30David Luna boolean isDualRole = SAML2Utils.isDualRole(spEntityId, realm);
1937848ad641fa32fce52f8570626a635cef6d30David Luna affiDesc = metaManager.getAffiliationDescriptor(realm, affiID);
1937848ad641fa32fce52f8570626a635cef6d30David Luna if (!affiDesc.getAffiliateMember().contains(spEntityId)) {
1937848ad641fa32fce52f8570626a635cef6d30David Luna throw new SAML2Exception("Unable to locate SP Entity ID in the affiliate descriptor.");
1937848ad641fa32fce52f8570626a635cef6d30David Luna info = new NameIDInfo(affiID, idpEntityId, nameId, SAML2Constants.DUAL_ROLE, true);
1937848ad641fa32fce52f8570626a635cef6d30David Luna info = new NameIDInfo(affiID, idpEntityId, nameId, SAML2Constants.SP_ROLE, true);
1937848ad641fa32fce52f8570626a635cef6d30David Luna info = new NameIDInfo(spEntityId, idpEntityId, nameId, SAML2Constants.DUAL_ROLE, false);
1937848ad641fa32fce52f8570626a635cef6d30David Luna info = new NameIDInfo(spEntityId, idpEntityId, nameId, SAML2Constants.SP_ROLE, false);
1937848ad641fa32fce52f8570626a635cef6d30David Luna // write fed info into data store
1937848ad641fa32fce52f8570626a635cef6d30David Luna AccountUtils.setAccountFederation(info, userName);
1937848ad641fa32fce52f8570626a635cef6d30David Luna * Gets the attributes for this assertion in a new List.
1937848ad641fa32fce52f8570626a635cef6d30David Luna * @param authnAssertion Assertion from which to reead the attributes.
1937848ad641fa32fce52f8570626a635cef6d30David Luna * @param needAttributeEncrypted Whether the attributes must be encrypted.
1937848ad641fa32fce52f8570626a635cef6d30David Luna * @param decryptionKeys The keys used to decrypt the attributes, if they're encrypted.
1937848ad641fa32fce52f8570626a635cef6d30David Luna * @return a List of the attributes in this assertion.
1937848ad641fa32fce52f8570626a635cef6d30David Luna public static List<Attribute> getAttrs(Assertion authnAssertion, boolean needAttributeEncrypted,