SPACSUtils.java revision 0fdab8904a8fe223f6934b878769fe45e7651c60
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: SPACSUtils.java,v 1.48 2009/11/20 21:41:16 exu Exp $
abd02248a498b673140dafdeeed67e0112bd5026Peter Major * Portions Copyrighted 2010-2013 ForgeRock AS
80849398a45dca1fb917716907d6ec99be6222c2Peter Majorimport com.iplanet.dpro.session.exceptions.StoreException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.common.SystemConfigurationUtil;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.soapbinding.Message;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.soapbinding.SOAPBindingException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.soapbinding.SOAPFaultException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.encode.URLEncDec;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.common.SAMLConstants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.xmlsig.KeyProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.AssertionFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Assertion;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.AttributeStatement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.EncryptedID;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.EncryptedAttribute;
89503929c8983c48e2049c77284b52e79ad37c32jeff.schenkimport com.sun.identity.saml2.common.SAML2RepositoryFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.ecp.ECPRelayState;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.entityconfig.IDPSSOConfigElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.AffiliationDescriptorType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.ArtifactResolutionServiceElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.Artifact;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.ArtifactResolve;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.ArtifactResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.AuthnRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.ProtocolFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.Response;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.plugins.SPAccountMapper;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.plugins.SPAttributeMapper;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.monitoring.FedMonAgent;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.monitoring.FedMonSAML2Svc;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.monitoring.MonitorManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionProvider;
4a5a82da9bbab0a3ea1701c3ae9334c678d24ca5Mark de Reeperimport org.forgerock.openam.utils.ClientUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This class is used by a service provider (SP) to process the response from
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * an identity provider for the SP's Assertion Consumer Service.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @supported.api
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static FedMonAgent agent = MonitorManager.getAgent();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static FedMonSAML2Svc saml2Svc = MonitorManager.getSAML2Svc();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Retrieves <code>SAML</code> <code>Response</code> from http request.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * It handles three cases:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * 1. HTTP GET with the request parameter "resID".
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This is the case after local login is done.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * 2. HTTP GET with the request parameter "SAMLart".
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This is the case for the artifact profile.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * 3. HTTP POST. This is the case for the POST profile.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request http servlet request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response http servlet response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param orgName realm or organization name the service provider resides in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostEntityId Entity ID of the hosted service provider
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param metaManager <code>SAML2MetaManager</code> instance.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>ResponseInfo</code> instance.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAML2Exception,IOException if retrieving or processing the response fails.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster orgName, hostEntityId, SAML2Constants.ACS_SERVICE,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "unsupportedBinding",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("unsupportedBinding"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("unsupportedBinding"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster respInfo = getResponseFromGet(request, response, orgName,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((pathInfo != null) && (pathInfo.startsWith("/ECP"))) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster orgName, hostEntityId, SAML2Constants.ACS_SERVICE,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "unsupportedBinding",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("unsupportedBinding"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("unsupportedBinding"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster respInfo = getResponseFromPostECP(request, response, orgName,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster orgName, hostEntityId, SAML2Constants.ACS_SERVICE,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "unsupportedBinding",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("unsupportedBinding"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("unsupportedBinding"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster respInfo = getResponseFromPost(request, response, orgName,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // not supported
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "notSupportedHTTPMethod",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("notSupportedHTTPMethod"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("notSupportedHTTPMethod"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACSUtils.getResponse: got response="
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + respInfo.getResponse().toXMLString(true, true));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Retrieves the <code>SAML Response</code> from an HTTP GET.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * It first uses the parameter resID to retrieve the <code>Response</code>. This is
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the case after local login.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If resID is not defined, it then uses the <code>SAMLart</code> HTTP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * parameter to retrieve the <code>Response</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static ResponseInfo getResponseFromGet(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACSUtils.getResponseFromGet: resID="
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster respInfo = (ResponseInfo) SPCache.responseHash.remove(resID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACSUtils.getResponseFromGet: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "couldn't find Response from resID.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster response.SC_INTERNAL_SERVER_ERROR, "SSOFailed",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String samlArt = request.getParameter(SAML2Constants.SAML_ART);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (samlArt == null || samlArt.trim().length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPACSUtils.getResponseFromGet: Artifact "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "string is empty.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "missingArtifact",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("missingArtifact"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("missingArtifact"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return new ResponseInfo(getResponseFromArtifact(samlArt, hostEntityId,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Retrieves response using artifact profile.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static Response getResponseFromArtifact(String samlArt,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String hostEntityId, HttpServletRequest request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2MetaManager sm) throws SAML2Exception,IOException
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Try to get source ID and endpointIndex, and then
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // decide which IDP and which artifact resolution service
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACSUtils.getResponseFromArtifact: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster art = ProtocolFactory.getInstance().createArtifact(samlArt.trim());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPACSUtils.getResponseFromArtifact: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Unable to decode and parse artifact string:" + samlArt);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "errorObtainArtifact",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("errorObtainArtifact"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String idpEntityID = getIDPEntityID(art, request, response, orgName, sm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster idp = sm.getIDPSSODescriptor(orgName, idpEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "failedToGetIDPSSODescriptor", se.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String location = getIDPArtifactResolutionServiceUrl(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster art.getEndpointIndex(), idpEntityID, idp, request, response);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // create ArtifactResolve message
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster resolve = ProtocolFactory.getInstance().createArtifactResolve();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster resolve.setVersion(SAML2Constants.VERSION_2_0);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster resolve.setDestination(XMLUtils.escapeSpecialCharacters(location));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Issuer issuer = AssertionFactory.getInstance().createIssuer();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // or save it somewhere?
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String signAlias = getAttributeValueFromSPSSOConfig(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("missingSigningCertAlias"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster KeyProvider kp = KeyUtil.getKeyProviderInstance();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("nullKeyProvider"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String resolveString = resolve.toXMLString(true, true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACSUtils.getResponseFromArtifact: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SOAPConnection con = SAML2Utils.scf.createConnection();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SOAPMessage msg = SAML2Utils.createSOAPMessage(resolveString, true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster config = sm.getIDPSSOConfig(orgName, idpEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPACSUtils.getResponseFromArtifact: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = {hostEntityId, art.getArtifactValue()};
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "errorCreateArtifactResolve",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("errorCreateArtifactResolve"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPACSUtils.getResponseFromGet: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "couldn't get ArtifactResponse. SOAP error:",se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "errorInSOAPCommunication",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("errorInSOAPCommunication"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Response result = getResponseFromSOAP(resMsg, resolve, request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster response, idpEntityID, idp, orgName, hostEntityId, sm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Finds the IDP who sends the artifact;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // find the idp
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster metaManager.getAllRemoteIdentityProviderEntities(orgName).
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster tmpSourceID = SAML2Utils.generateSourceID(idpEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPACSUtils.getResponseFromGet: Unable "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "to find the IDP based on the SourceID in the artifact");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = {art.getArtifactValue(), orgName};
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = {art.getArtifactValue(), orgName};
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Retrieves the ArtifactResolutionServiceURL for an IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static String getIDPArtifactResolutionServiceUrl(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // find the artifact resolution service url
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List arsList=idp.getArtifactResolutionService();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean isDefault = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ars = (ArtifactResolutionServiceElement)arsList.get(i);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //String binding = ars.getBinding();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (location == null || location.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (location == null || location.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (location == null || location.length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPACSUtils: Unable to get the "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "location of artifact resolution service for "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "cannotFindArtifactResolutionUrl",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "cannotFindArtifactResolutionUrl"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "cannotFindArtifactResolutionUrl"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACSUtils: IDP artifact resolution "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Obtains <code>SAML Response</code> from <code>SOAPBody</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Used by Artifact profile.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static Response getResponseFromSOAP(SOAPMessage resMsg,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String method = "SPACSUtils.getResponseFromSOAP:";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster resElem = SAML2Utils.getSamlpElement(resMsg, "ArtifactResponse");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message(method + "Couldn't create "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "failedToCreateArtifactResponse", se.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "missingArtifactResponse",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("missingArtifactResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("missingArtifactResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message(method + "Received ArtifactResponse:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // verify ArtifactResponse
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String wantArtiRespSigned = getAttributeValueFromSPSSOConfig(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (wantArtiRespSigned != null && wantArtiRespSigned.equals("true")) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster X509Certificate cert = KeyUtil.getVerificationCert(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!artiResp.isSigned() || !artiResp.isSignatureValid(cert)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "ArtifactResponse's signature is invalid.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster response.SC_INTERNAL_SERVER_ERROR, "invalidSignature",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidSignature"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidSignature"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String inResponseTo = artiResp.getInResponseTo();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (inResponseTo == null || !inResponseTo.equals(resolve.getID())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "ArtifactResponse's InResponseTo is invalid.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.ARTIFACT_RESPONSE_INVALID_INRESPONSETO,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster response.SC_INTERNAL_SERVER_ERROR, "invalidInResponseTo",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidInResponseTo"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidInResponseTo"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (idpIssuer == null || !idpIssuer.getValue().equals(idpEntityID)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "ArtifactResponse's Issuer is invalid.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster response.SC_INTERNAL_SERVER_ERROR, "invalidIssuer",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check time?
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (status == null || !status.getStatusCode().getValue().equals(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (status == null)?"":status.getStatusCode().getValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "ArtifactResponse's status code is not success."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster response.SC_INTERNAL_SERVER_ERROR, "invalidStatusCode",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidStatusCode"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidStatusCode"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return ProtocolFactory.getInstance().createResponse(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Obtains <code>SAML Response</code> from <code>SOAPBody</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Used by ECP profile.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static ResponseInfo getResponseFromPostECP(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster HttpServletRequest request, HttpServletResponse response,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String orgName, String hostEntityId, SAML2MetaManager metaManager)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message = new Message(SAML2Utils.getSOAPMessage(request));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.CANNOT_INSTANTIATE_SOAP_MESSAGE_ECP, data, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "failedToCreateSOAPMessage", soapex.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.CANNOT_INSTANTIATE_SOAP_MESSAGE_ECP, data, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "failedToCreateSOAPMessage", soapex.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO, LogUtil.RECEIVE_SOAP_FAULT_ECP,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sfex.getSOAPFaultMessage().getSOAPFault().getFaultString();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List soapHeaders = message.getOtherSOAPHeaders();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((soapHeaders != null) && (!soapHeaders.isEmpty())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster for(Iterator iter = soapHeaders.iterator(); iter.hasNext();) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ECPFactory.getInstance().createECPRelayState(headerEle);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // not ECP RelayState
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((soapBodies == null) || (soapBodies.isEmpty())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.CANNOT_INSTANTIATE_SAML_RESPONSE_FROM_ECP, data, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "missingSAMLResponse",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("missingSAMLResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("missingSAMLResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster resp = ProtocolFactory.getInstance().createResponse(resElem);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACSUtils.getResponseFromPostECP:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.CANNOT_INSTANTIATE_SAML_RESPONSE_FROM_ECP, data, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String idpEntityID = resp.getIssuer().getValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster idpDesc = metaManager.getIDPSSODescriptor(orgName, idpEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO, LogUtil.IDP_META_NOT_FOUND, data, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "failedToGetIDPSSODescriptor", se.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster X509Certificate cert = KeyUtil.getVerificationCert(idpDesc,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((assertions != null) && (!assertions.isEmpty())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster for(Iterator iter = assertions.iterator(); iter.hasNext(); ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "SPACSUtils.getResponseFromPostECP: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " Assertion is not signed.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "assertionNotSigned",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("assertionNotSigned"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("assertionNotSigned"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (!assertion.isSignatureValid(cert)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "SPACSUtils.getResponseFromPostECP: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " Assertion signature is invalid.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.ECP_ASSERTION_INVALID_SIGNATURE, data, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "invalidSignature",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidSignature"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidSignature"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return new ResponseInfo(resp, SAML2Constants.PAOS, relayState);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Obtains SAML Response from POST.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static ResponseInfo getResponseFromPost(HttpServletRequest request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster HttpServletResponse response, String orgName, String hostEntityId,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2MetaManager metaManager) throws SAML2Exception,IOException
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String classMethod = "SPACSUtils:getResponseFromPost";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACSUtils:getResponseFromPost");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String samlArt = request.getParameter(SAML2Constants.SAML_ART);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((samlArt != null) && (samlArt.trim().length() != 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return new ResponseInfo(getResponseFromArtifact(samlArt,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster hostEntityId, request, response, orgName, metaManager),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "missingSAMLResponse",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("missingSAMLResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("missingSAMLResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Get Response back
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // decode the Response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Document doc = XMLUtils.toDOMDocument(bis, SAML2Utils.debug);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPACSUtils.getResponse: Exception "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "errorObtainResponse",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("errorObtainResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("errorObtainResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPACSUtils.getResponse: Exception "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "when decoding SAMLResponse:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster response.SC_INTERNAL_SERVER_ERROR, "errorDecodeResponse",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("errorDecodeResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("errorDecodeResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACSUtils.getResponse: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Exception when close the input stream:", ie);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // verify signature in Response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((assertions != null) && (!assertions.isEmpty())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster idpEntityID = assertion.getIssuer().getValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster idp = metaManager.getIDPSSODescriptor(orgName,idpEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = {orgName,hostEntityId,idpEntityID};
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "failedToGetIDPSSODescriptor", se.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster X509Certificate cert = KeyUtil.getVerificationCert(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!resp.isSigned() || !resp.isSignatureValid(cert)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " Signature in Response is invalid ");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { orgName , hostEntityId , idpEntityID };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.POST_RESPONSE_INVALID_SIGNATURE,data,null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster response.SC_INTERNAL_SERVER_ERROR, "invalidSignature",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidSignature"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidSignInResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return (new ResponseInfo(resp, SAML2Constants.HTTP_POST, null));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACSUtils.getResponse: Decoded response, " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "resp is null");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Authenticates user with <code>Response</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Auth session upgrade will be called if input session is
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Otherwise, saml2 auth module is called. The name of the auth module
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * is retrieved from <code>SPSSOConfig</code>. If not found, "SAML2" will
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request HTTP Servlet request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response HTTP Servlet response.
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest * @param out the print writer for writing out presentation
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param metaAlias metaAlias for the service provider
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param session input session object. It could be null.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param respInfo <code>ResponseInfo</code> to be verified.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm realm or organization name of the service provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostEntityId hosted service provider Entity ID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param metaManager <code>SAML2MetaManager</code> instance for meta
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * operation.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>Object</code> which holds the result of the session.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAML2Exception if the processing failed.
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest HttpServletRequest request, HttpServletResponse response, PrintWriter out,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String metaAlias, Object session, ResponseInfo respInfo,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm, String hostEntityId, SAML2MetaManager metaManager
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String classMethod = "SPACSUtils.processResponse: ";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message(classMethod + "Response : " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check Response/Assertion and get back a Map of relevant data
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster smap = SAML2Utils.verifyResponse(request, response,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for failure
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster invokeSPAdapterForSSOFailure(hostEntityId, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.INVALID_RESPONSE, se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster com.sun.identity.saml2.assertion.Subject assertionSubject =
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster EncryptedID encId = assertionSubject.getEncryptedID();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (Assertion) smap.get(SAML2Constants.POST_ASSERTION);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String sessionIndex = (String)smap.get(SAML2Constants.SESSION_INDEX);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Integer authLevel = (Integer) smap.get(SAML2Constants.AUTH_LEVEL);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Long maxSessionTime = (Long) smap.get(SAML2Constants.MAX_SESSION_TIME);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String inRespToResp = (String) smap.get(SAML2Constants.IN_RESPONSE_TO);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List assertions = (List) smap.get(SAML2Constants.ASSERTIONS);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message(classMethod + "Assertions : " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster metaManager.getSPSSOConfig(realm, hostEntityId);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map attributes = SAML2MetaUtils.getAttributes(spssoconfig);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get mappers
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPAccountMapper acctMapper = getSPAccountMapper(attributes);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean needNameIDEncrypted = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster PrivateKey decryptionKey = KeyUtil.getDecryptionKey(spssoconfig);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "process: NameID was not encrypted.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Exception se = new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nameIDNotEncrypted"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for failure
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster invokeSPAdapterForSSOFailure(hostEntityId, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.INVALID_RESPONSE, se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for failure
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster invokeSPAdapterForSSOFailure(hostEntityId, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.INVALID_RESPONSE, se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spDesc = metaManager.getSPSSODescriptor(realm, hostEntityId);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Exception se = new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "metaDataError"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster invokeSPAdapterForSSOFailure(hostEntityId, realm, request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.SSO_FAILED_META_DATA_ERROR, se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List spNameIDFormatList = spDesc.getNameIDFormat();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((spNameIDFormatList != null) && (!spNameIDFormatList.isEmpty())
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster && (!spNameIDFormatList.contains(nameIDFormat))) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Exception se = new SAML2Exception(SAML2Utils.BUNDLE_NAME,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster invokeSPAdapterForSSOFailure(hostEntityId, realm, request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.INVALID_RESPONSE, se);
3240047b6ae47ab759fac9d4be1a597669394e46Mark de Reeper boolean ignoreProfile = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionProvider = SessionManager.getProvider();
3240047b6ae47ab759fac9d4be1a597669394e46Mark de Reeper ignoreProfile = SAML2Utils.isIgnoreProfileSet(session);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for failure
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster invokeSPAdapterForSSOFailure(hostEntityId, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.SSO_FAILED_SESSION_ERROR, se2);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for failure
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster invokeSPAdapterForSSOFailure(hostEntityId, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.SSO_FAILED_SESSION_ERROR, se2);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for failure
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster invokeSPAdapterForSSOFailure(hostEntityId, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.SSO_FAILED_NO_USER_MAPPING, se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster classMethod + "process: userName =[" + userName + "]");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster for (Iterator it = assertions.iterator(); it.hasNext(); ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster remoteHostId = assertion.getIssuer().getValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (origAttrs != null && !origAttrs.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster attrMap = attrMapper.getAttributes(attrs, userName,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for failure
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster invokeSPAdapterForSSOFailure(hostEntityId, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.SSO_FAILED_ATTRIBUTE_MAPPING,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster classMethod + "process: remoteHostId = " + remoteHostId);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster classMethod + "process: attrMap = " + attrMap);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // return error code for local user login
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((userName == null) || (userName.length() == 0)) {
3240047b6ae47ab759fac9d4be1a597669394e46Mark de Reeper // Even if the user profile is set to ignore, we must attempt to persist
3240047b6ae47ab759fac9d4be1a597669394e46Mark de Reeper // if the NameIDFormat is set to persistent.
3240047b6ae47ab759fac9d4be1a597669394e46Mark de Reeper if (ignoreProfile && SAML2Constants.PERSISTENT.equals(nameIDFormat)) {
3240047b6ae47ab759fac9d4be1a597669394e46Mark de Reeper + "ignoreProfile was true but NameIDFormat is Persistent => setting ignoreProfile to false"); }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean isTransient = SAML2Constants.NAMEID_TRANSIENT_FORMAT.equals(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean spDoNotWriteFedInfo = isSPDoNotWriteFedInfo(realm, hostEntityId, metaManager) &&
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.UNSPECIFIED.equals(nameId.getFormat());
3240047b6ae47ab759fac9d4be1a597669394e46Mark de Reeper boolean writeFedInfo = ( (!ignoreProfile && !isTransient && !spDoNotWriteFedInfo) &&
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster userName, hostEntityId, remoteHostId, nameId)));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // TODO: check if these few lines are needed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster DN dnObject = new DN(userName);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String [] array = dnObject.explodeDN(true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster userName = array[0];
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster classMethod + "writeFedInfo : " + writeFedInfo);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (inRespToResp != null && inRespToResp.length() != 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionInfoMap.put(SessionProvider.REALM, realm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionInfoMap.put(SessionProvider.PRINCIPAL_NAME, userName);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // set client info. always use client IP address to prevent
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // reverse host lookup
4a5a82da9bbab0a3ea1701c3ae9334c678d24ca5Mark de Reeper String clientAddr = ClientUtils.getClientIPAddress(request);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionInfoMap.put(SessionProvider.HOST, clientAddr);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionInfoMap.put(SessionProvider.HOST_NAME, clientAddr);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for failure
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.SSO_FAILED_SESSION_GENERATION;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (sessCode == SessionException.AUTH_USER_INACTIVE) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.SSO_FAILED_AUTH_USER_INACTIVE;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (sessCode == SessionException.AUTH_USER_LOCKED) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.SSO_FAILED_AUTH_USER_LOCKED;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (sessCode == SessionException.AUTH_ACCOUNT_EXPIRED) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.SSO_FAILED_AUTH_ACCOUNT_EXPIRED;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "SPACSUtils.processResponse : error code=" + sessCode, se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster invokeSPAdapterForSSOFailure(hostEntityId, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster request, response, smap, respInfo, failureCode, se2);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // set metaAlias
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster setAttrMapInSession(sessionProvider, attrMap, session);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster setDiscoBootstrapCredsInSSOToken(sessionProvider, authnAssertion,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for failure
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster invokeSPAdapterForSSOFailure(hostEntityId, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.SSO_FAILED_SESSION_ERROR, se2);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster metaManager.getAffiliationDescriptor(realm, affiID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean isDualRole = SAML2Utils.isDualRole(hostEntityId, realm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!affiDesc.getAffiliateMember().contains(hostEntityId)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "spNotAffiliationMember"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster info = new NameIDInfo(affiID, remoteHostId, nameId,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster info = new NameIDInfo(affiID, remoteHostId, nameId,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster info = new NameIDInfo(hostEntityId, remoteHostId, nameId,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster info = new NameIDInfo(hostEntityId, remoteHostId, nameId,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String nameIDValueString = info.getNameIDValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster props.put(LogUtil.NAME_ID, info.getNameIDValue());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster userName = sessionProvider.getPrincipalName(session);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for failure
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster invokeSPAdapterForSSOFailure(hostEntityId, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.SSO_FAILED_SESSION_ERROR, se2);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data1 = {userName, nameIDValueString};
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.INFO, LogUtil.SUCCESS_FED_SSO, data1, session,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // write fed info into data store
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AccountUtils.setAccountFederation(info, userName);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for failure
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster invokeSPAdapterForSSOFailure(hostEntityId, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2ServiceProviderAdapter.FEDERATION_FAILED_WRITING_ACCOUNT_INFO, se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String requestID = respInfo.getResponse().getInResponseTo();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // save info in memory for logout
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster saveInfoInMemory(sessionProvider, session, sessionIndex, metaAlias,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster info, IDPProxyUtil.isIDPProxyEnabled(requestID), isTransient);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SP Adapter
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.getSPAdapterClass(hostEntityId, realm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean redirected = spAdapter.postSingleSignOnSuccess(
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest response, out, session, authnRequest, respInfo.getResponse(),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.warning("SPSingleLogout.processResp", ex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.warning("SPSingleLogout.processResp", ex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (respInfo.getProfileBinding().equals(SAML2Constants.HTTP_POST)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPCache.assertionByIDCache.put(assertionID, SAML2Constants.ONETIME);
abd02248a498b673140dafdeeed67e0112bd5026Peter Major SAML2RepositoryFactory.getInstance().saveSAML2Token(
abd02248a498b673140dafdeeed67e0112bd5026Peter Major ((Long) smap.get(SAML2Constants.NOTONORAFTER)).longValue() / 1000,
80849398a45dca1fb917716907d6ec99be6222c2Peter Major SAML2Utils.debug.error(classMethod + "DB error!", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error(classMethod + "DB error!", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static void invokeSPAdapterForSSOFailure(String hostEntityId,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm, HttpServletRequest request, HttpServletResponse response,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map smap, ResponseInfo respInfo, int errorCode,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spAdapter = SAML2Utils.getSPAdapterClass(hostEntityId, realm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "SPACSUtils.invokeSPAdapterForSSOFailure", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean redirected = spAdapter.postSingleSignOnFailure(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster hostEntityId, realm, request, response, authnRequest,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster respInfo.getResponse(), respInfo.getProfileBinding(),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets the <code>SPAccountMapper</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param attributes the Attribute Map
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the <code>SPAccountMapper</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAML2Exception if the processing failed.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static SPAccountMapper getSPAccountMapper(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "SPACSUtils.getSPAccountMapper: mapper = " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("failedAcctMapper"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets the <code>SPAttributeMapper</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param attributes the Attribute Map
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the <code>SPAttributeMapper</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAML2Exception if the processing failed.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static SPAttributeMapper getSPAttributeMapper(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("failedAttrMapper"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static void saveInfoInMemory(SessionProvider sessionProvider,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Object session, String sessionIndex, String metaAlias,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameIDInfo info, boolean isIDPProxy, boolean isTransient)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (fromToken == null || fromToken.length == 0 ||
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster fromToken[0] == null || fromToken[0].length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (fromToken[0].indexOf(infoKeyString) == -1) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String infoAttribute = AccountUtils.getNameIDInfoAttribute();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] nameIDInfoStrs = sessionProvider.getProperty(session,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster nameIDInfoStrs = (String[])nameIDInfoStrSet.toArray(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionProvider.setProperty(session, infoAttribute,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String tokenID = sessionProvider.getSessionID(session);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPCache.fedSessionListsByNameIDInfoKey.get(infoKeyString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (SPCache.fedSessionListsByNameIDInfoKey) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPCache.fedSessionListsByNameIDInfoKey.get(infoKeyString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (fedSessions) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster fedSessions.add(new SPFedSession(sessionIndex, tokenID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml2Svc != null)){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (long)SPCache.fedSessionListsByNameIDInfoKey.size());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("Add Session Partner: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster idpSess.addSessionPartner(new SAML2SessionPartner(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // end of IDP Proxy
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (fedSessions) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean found = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPFedSession temp = (SPFedSession) iter.next();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPCache.fedSessionListsByNameIDInfoKey.put(infoKeyString,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml2Svc != null)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (long)SPCache.fedSessionListsByNameIDInfoKey.size());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster session, new SPSessionListener(infoKeyString, tokenID));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "SPACSUtils.saveInfoInMemory: "+
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Unable to add session listener.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /** Sets the attribute map in the session
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param sessionProvider Session provider
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param attrMap the Attribute Map
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param session the valid session object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws com.sun.identity.plugin.session.SessionException
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static void setAttrMapInSession(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster for(Iterator iter = entrySet.iterator(); iter.hasNext();) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(attrValues != null && !attrValues.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "SPACSUtils.setAttrMapInSessioin: AttrMap:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /** Sets Discovery bootstrap credentials in the SSOToken
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param sessionProvider session provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param assertion assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param session the valid session object.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static void setDiscoBootstrapCredsInSSOToken(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SessionProvider sessionProvider, Assertion assertion, Object session)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.DISCOVERY_BOOTSTRAP_CREDENTIALS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Obtains relay state. Retrieves the relay state from relay state cache.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If input relay state is null, retrieve it from <code>SPSSOConfig</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param relayStateID relay state value received from http request.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param orgName realm or organization name the service provider resides in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostEntityId Entity ID of the hosted service provider
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param sm <code>SAML2MetaManager</code> instance.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the final relay state, or <code>null</code> if the input
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * relayStateID is null and no default relay state is configured.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((relayStateID != null) && (relayStateID.trim().length() != 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster CacheObject cache = (CacheObject)SPCache.relayStateHash.remove(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (SAML2Utils.isSAML2FailOverEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Try to retrieve the value from the SAML2 repository
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // The key is this way to make it unique compared to when
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // the same key is used to store a copy of the AuthnRequestInfo
80849398a45dca1fb917716907d6ec99be6222c2Peter Major String relayState = (String) SAML2RepositoryFactory.getInstance().retrieveSAML2Token(relayStateID + relayStateID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Get back the relayState
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACUtils.getRelayState: relayState"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " retrieved from SAML2 repository for relayStateID: " + relayStateID);
80849398a45dca1fb917716907d6ec99be6222c2Peter Major SAML2Utils.debug.error("SPACUtils.getRelayState: Unable to retrieve relayState for relayStateID "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPACUtils.getRelayState: Unable to retrieve relayState for relayStateID "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // !SAML2Utils.isSAML2FailOverEnabled()
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACUtils.getRelayState: relayState"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " is null for relayStateID: " + relayStateID + ", SAML2 failover is disabled");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((relayStateUrl == null) || (relayStateUrl.trim().length() == 0)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (relayStateUrl == null || relayStateUrl.trim().length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster relayStateUrl = getAttributeValueFromSPSSOConfig(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster orgName, hostEntityId, sm, SAML2Constants.DEFAULT_RELAY_STATE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Retrieves intermediate redirect url from SP sso config. This url is used
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * if you want to go to some place before the final relay state.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param orgName realm or organization name the service provider resides in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostEntityId Entity ID of the hosted service provider
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param sm <code>SAML2MetaManager</code> instance.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return intermediate redirect url; or <code>null</code> if the url
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * is not configured or an error occurred during the retrieval.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static String getIntermediateURL(String orgName,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return getAttributeValueFromSPSSOConfig(orgName, hostEntityId, sm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Saves response for later retrieval and retrieves local auth url from
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SPSSOConfig</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If the url does not exist, generate one from the request URI.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If it still cannot be obtained (shouldn't happen), get it from
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param orgName realm or organization name the service provider resides in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostEntityId Entity ID of the hosted service provider
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param sm <code>SAML2MetaManager</code> instance to perform meta
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * operation.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param respInfo to be cached <code>ResponseInfo</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param requestURI http request URI.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return local login url.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String localLoginUrl = getAttributeValueFromSPSSOConfig(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster orgName, hostEntityId, sm, SAML2Constants.LOCAL_AUTH_URL);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((localLoginUrl == null) || (localLoginUrl.length() == 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get it from request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster int index = requestURI.indexOf("Consumer/metaAlias");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((localLoginUrl == null) || (localLoginUrl.length() == 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // shouldn't be here, but in case
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SystemConfigurationUtil.getProperty(SAMLConstants.SERVER_PROTOCOL)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + SystemConfigurationUtil.getProperty(SAMLConstants.SERVER_HOST)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + SystemConfigurationUtil.getProperty(SAMLConstants.SERVER_PORT)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPCache.responseHash.put(respInfo.getResponse().getID(),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACSUtils:prepareForLocalLogin: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Retrieves attribute value for a given attribute name from
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SPSSOConfig</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param orgName realm or organization name the service provider resides in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostEntityId hosted service provider's Entity ID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param sm <code>SAML2MetaManager</code> instance to perform meta
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * operations.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param attrName name of the attribute whose value is to be retrieved.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the first configured value of the attribute, trimmed; or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *         <code>null</code> if the attribute is not configured, or an
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *         error occurred in the process.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static String getAttributeValueFromSPSSOConfig(String orgName,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPSSOConfigElement config = sm.getSPSSOConfig(orgName,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map attrs = SAML2MetaUtils.getAttributes(config);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster result = ((String) value.iterator().next()).trim();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPACSUtils.getAttributeValueFromSPSSO"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Gets the attributes from the AttributeStatements in the assertion,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // decrypting any EncryptedAttribute elements. A plaintext Attribute is
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // logged as an error ("Attribute not encrypted.") -- presumably only when
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // the SP config requires encrypted attributes; confirm against the full method.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static List getSAMLAttributes(Assertion assertion,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List statements = assertion.getAttributeStatements();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (statements != null && statements.size() > 0 ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster for (Iterator it = statements.iterator(); it.hasNext(); ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("Attribute not encrypted.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List encAttrs = statement.getEncryptedAttribute();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("Decryption error:", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Processes a SAML2 Response from an Identity Provider to a Fedlet (SP).
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This performs all required protocol processing, including signature,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * issuer and audience validation; a Response that cannot be validated or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * that carries a non-Success StatusCode causes a SAML2Exception. A map
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * containing the processing result will be returned. <br>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Here is a list of keys and values for the returned map: <br>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SAML2Constants.ATTRIBUTE_MAP -- Attribute map containing all attributes
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * passed down from IDP inside the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Assertion. The value is a
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>java.util.Map</code> whose keys
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * are attribute names and values are
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>java.util.Set</code> of string
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * values for the attributes. <br>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SAML2Constants.RELAY_STATE -- Relay state, value is a string <br>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SAML2Constants.IDPENTITYID -- IDP entity ID, value is a string<br>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SAML2Constants.RESPONSE -- Response object, value is an instance of
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * com.sun.identity.saml2.protocol.Response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SAML2Constants.ASSERTION -- Assertion object, value is an instance of
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * com.sun.identity.saml2.assertion.Assertion
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SAML2Constants.SUBJECT -- Subject object, value is an instance of
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * com.sun.identity.saml2.assertion.Subject
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SAML2Constants.NAMEID -- NameID object, value is an instance of
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * com.sun.identity.saml2.assertion.NameID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request HTTP Servlet request. The hosted SP that validates the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *        Response is chosen from the metaAlias in the request URL, else from
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *        the metaAlias request parameter, else the first hosted SP in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *        root realm; since the URL and the parameter are client-supplied, the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *        sender can influence which SP configuration is applied. The
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *        RelayState request parameter is used as the post-login redirect
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *        target (NOTE(review): confirm it is validated against the SP's
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *        permitted relay-state URLs before the redirect is issued).
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response HTTP Servlet response.
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest * @param out the print writer for writing out presentation
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>Map</code> which holds result of the processing.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAML2Exception if the Response fails validation (including a
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *         non-Success StatusCode) or the processing failed due to a server
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *         error; its redirectionDone flag is set if the SPAdapter already
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *         issued an HTTP redirect.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws IOException if the processing failed due to IO error.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SessionException if the processing failed due to session error.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws ServletException if the processing failed due to request error.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @supported.api
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static Map processResponseForFedlet (HttpServletRequest request,
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest HttpServletResponse response, PrintWriter out) throws SAML2Exception, IOException,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String requestURL = request.getRequestURL().toString();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2MetaManager metaManager = new SAML2MetaManager();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2SDKUtils.bundle.getString("errorMetaManager"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String metaAlias = SAML2MetaUtils.getMetaAliasByUri(requestURL);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((metaAlias == null) || (metaAlias.length() == 0)) {
e516741c905a9cf65a6297d1dbc6612a50a717dcMark de Reeper // Check in case metaAlias has been supplied as a parameter
e516741c905a9cf65a6297d1dbc6612a50a717dcMark de Reeper metaAlias = request.getParameter(SAML2MetaManager.NAME_META_ALIAS_IN_URI);
e516741c905a9cf65a6297d1dbc6612a50a717dcMark de Reeper if (metaAlias == null || metaAlias.length() == 0) {
e516741c905a9cf65a6297d1dbc6612a50a717dcMark de Reeper // pick the first available one
e516741c905a9cf65a6297d1dbc6612a50a717dcMark de Reeper metaManager.getAllHostedServiceProviderMetaAliases("/");
e516741c905a9cf65a6297d1dbc6612a50a717dcMark de Reeper if ((spMetaAliases != null) && !spMetaAliases.isEmpty()) {
e516741c905a9cf65a6297d1dbc6612a50a717dcMark de Reeper // get first one
e516741c905a9cf65a6297d1dbc6612a50a717dcMark de Reeper if ((metaAlias == null) || (metaAlias.length() == 0)) {
e516741c905a9cf65a6297d1dbc6612a50a717dcMark de Reeper SAML2SDKUtils.bundle.getString("nullSPEntityID"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster hostEntityId = metaManager.getEntityByMetaAlias(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2SDKUtils.debug.error("SPACSUtils.processResponseForFedlet",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2SDKUtils.bundle.getString("metaDataError"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2SDKUtils.bundle.getString("metaDataError"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // organization is always root org
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String relayState = request.getParameter(SAML2Constants.RELAY_STATE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionProvider = SessionManager.getProvider();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2SDKUtils.debug.error("SPACSUtils.processResponseForFedlet",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster request, response, orgName, hostEntityId, metaManager);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Throws a SAML2Exception if the response cannot be validated
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // or contains a non-Success StatusCode, invoking the SPAdapter SPI
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // for taking action on the failed validation.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // The resulting exception has its redirectionDone flag set if
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // the SPAdapter issued a HTTP redirect.
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest request, response, out, metaAlias, null, respInfo,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] redirected = sessionProvider.getProperty(newSession,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((redirected != null) && (redirected.length != 0) &&
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2SDKUtils.debug.message("Already redirected in SPAdapter.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // response redirected already in SPAdapter
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return createMapForFedlet(respInfo, null, hostEntityId);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // redirect to relay state
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster relayState, orgName, hostEntityId, metaManager);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (finalUrl != null && finalUrl.length() != 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionProvider.rewriteURL(newSession, finalUrl);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2SDKUtils.debug.message("SPACSUtils.processRespForFedlet",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String redirectUrl = SPACSUtils.getIntermediateURL(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (redirectUrl != null && redirectUrl.length() != 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (realFinalUrl != null && realFinalUrl.length() != 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "SPACSUtils.processRespForFedlet: rewriting failed.", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return createMapForFedlet(respInfo, realRedirectUrl, hostEntityId);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns <code>true</code> or <code>false</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * depending on whether the flag spDoNotWriteFederationInfo is set in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SP extended metadata.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm the realm name
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param spEntityID the entity id of the Service Provider
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param metaManager the SAML2MetaManager used to read the extended metadata
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>true</code> only if the flag's value equals "true" ignoring case; <code>false</code> otherwise
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception SAML2Exception if the operation is not successful
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm, String spEntityID, SAML2MetaManager metaManager)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2SDKUtils.debug.message("SPACSUtils." + methodName + "Entering");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String SPDoNotWriteFedInfo = getAttributeValueFromSPSSOConfig(realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.SP_DO_NOT_WRITE_FEDERATION_INFO);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (SPDoNotWriteFedInfo != null && !SPDoNotWriteFedInfo.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2SDKUtils.debug.message("SPACSUtils." + methodName +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ": SPDoNotWriteFedInfo is: " + SPDoNotWriteFedInfo);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster isSPDoNotWriteFedInfoEnabled = SPDoNotWriteFedInfo.equalsIgnoreCase("true");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2SDKUtils.debug.message("SPACSUtils." + methodName +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ": SPDoNotWriteFedInfo is: not configured");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Unable to get the SPDoNotWriteFedInfo flag.", ex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ResponseInfo respInfo, String relayUrl, String hostedEntityId) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster map.put(SAML2Constants.SUBJECT, assertion.getSubject());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster map.put(SAML2Constants.IDPENTITYID, assertion.getIssuer().getValue());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster map.put(SAML2Constants.SPENTITYID, hostedEntityId);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster map.put(SAML2Constants.NAMEID, respInfo.getNameId());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster map.put(SAML2Constants.ATTRIBUTE_MAP, respInfo.getAttributeMap());