SPSSOFederate.java revision 7be5aa496ae10e8d30aa6675df55e074cbb5cfed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: SPSSOFederate.java,v 1.29 2009/11/24 21:53:28 madan_ranganath Exp $
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper * Portions Copyrighted 2011-2014 ForgeRock AS.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.paos.PAOSException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.paos.PAOSConstants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.paos.PAOSHeader;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.paos.PAOSRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.common.FSUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.xmlsig.KeyProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.AssertionFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.ecp.ECPRelayState;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.plugins.SAML2IDPFinder;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.AuthnRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.Extensions;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.GetComplete;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.NameIDPolicy;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.ProtocolFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.RequestedAuthnContext;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.AffiliationDescriptorType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.AssertionConsumerServiceElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.EntityDescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.SingleSignOnServiceElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.plugins.SPAuthnContextMapper;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.IDPEntry;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.datastruct.OrderedSet;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.encode.URLEncDec;
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeperimport org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This class reads the query parameters and performs the required
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * processing logic for sending Authentication Request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * from SP to IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPSSOFederate: Error retreiving metadata"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Parses the request parameters and builds the Authentication
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Request to send to the IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request the HttpServletRequest.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response the HttpServletResponse.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param metaAlias metaAlias to locate the service providers.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idpEntityID entityID of Identity Provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param paramsMap Map of all other parameters. The keys in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * map are parameter names of type String; the values in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * map are of type List. These values originate from the HTTP request and must be treated as untrusted.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Some of the possible keys are:RelayState,NameIDFormat,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * reqBinding, binding, AssertionConsumerServiceIndex,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AttributeConsumingServiceIndex (currently not supported),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * isPassive, ForceAuthN, AllowCreate, Destination,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AuthnContextDeclRef, AuthnContextClassRef,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AuthComparison, Consent (currently not supported),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AuthLevel, and sunamcompositeadvice.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAML2Exception if error initiating request to IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static void initiateAuthnRequest(HttpServletRequest request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get the sp entity ID from the metaAlias
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String spEntityID = sm.getEntityByMetaAlias(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate : spEntityID is :"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate realm is :" + realm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster initiateAuthnRequest(request,response,spEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPSSOFederate: Error retreiving spEntityID"+
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("metaAliasError"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Parses the request parameters and builds the Authentication
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Request to send to the IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request the HttpServletRequest.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response the HttpServletResponse.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param spEntityID entityID of Service Provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idpEntityID entityID of Identity Provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param paramsMap Map of all other parameters. The keys in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * map are the parameter names, of type String; the values in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * map are of type List. These values originate from the HTTP request and must be treated as untrusted.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Some of the possible keys are:RelayState,NameIDFormat,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * reqBinding, binding, AssertionConsumerServiceIndex,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AttributeConsumingServiceIndex (currently not supported),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * isPassive, ForceAuthN, AllowCreate, Destination,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AuthnContextDeclRef, AuthnContextClassRef,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AuthComparison, Consent (currently not supported),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AuthLevel, and sunamcompositeadvice.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAML2Exception if error initiating request to IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static void initiateAuthnRequest(HttpServletRequest request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (FSUtils.needSetLBCookieAndRedirect(request, response, false)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPSSOFederate:Service Provider ID "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " is missing.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO,LogUtil.INVALID_SP,data,null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("nullSPEntityID"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPSSOFederate: Identity Provider ID "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "is missing .");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO,LogUtil.INVALID_IDP,data,null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("nullIDPEntityID"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String binding = getParameter(paramsMap,SAML2Constants.REQ_BINDING);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate: in initiateSSOFed");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate: spEntityID is : "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate: idpEntityID : "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Retrieve MetaData
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("errorMetaManager"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spConfigAttrsMap = SAML2MetaUtils.getAttributes(spEntityCfg);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get SPSSODescriptor
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO,LogUtil.SP_METADATA_ERROR,data,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List extensionsList = getExtensionsList(sm,spEntityID,realm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get IDP Descriptor
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO,LogUtil.IDP_METADATA_ERROR,data,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List ssoServiceList = idpsso.getSingleSignOnService();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String ssoURL = getSSOURL(ssoServiceList, binding);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO,LogUtil.SSO_NOT_FOUND,data,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("ssoServiceNotfound"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // create AuthnRequest
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AuthnRequest authnRequest = createAuthnRequest(realm,spEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster paramsMap,spConfigAttrsMap,extensionsList,spsso, idpsso,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SP Adapter class if registered
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.getSPAdapterClass(spEntityID, realmName);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spAdapter.preSingleSignOnRequest(spEntityID, idpEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String authReqXMLString = authnRequest.toXMLString(true,true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate: AuthnRequest:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Default URL if relayState not present? in providerConfig?
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // TODO get Default URL from metadata
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Validate the RelayState URL. RelayState is caller-supplied request input (see paramsMap), so it is untrusted; presumably the SP's configured relay-state allow list is what is checked here — confirm the check rejects a disallowed value (rather than only logging) before the value is stored under the relayStateID and forwarded to the IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check if relayState is present and get the unique
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // id which will be appended to the SSO URL before
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // redirecting.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (relayState != null && relayState.length()> 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (binding.equals(SAML2Constants.HTTP_POST)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (((idpsso != null) && idpsso.isWantAuthnRequestsSigned()) ||
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ((spsso != null) && spsso.isAuthnRequestsSigned()) ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String certAlias = getParameter(spConfigAttrsMap,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String authXMLString = authnRequest.toXMLString(true,true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "SPSSOFederate.initiateAuthnRequest: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String encodedReqMsg = SAML2Utils.encodeForPOST(authXMLString);
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest SAML2Utils.postToTarget(request, response, "SAMLRequest",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster encodedReqMsg, "RelayState", relayStateID, ssoURL);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // encode the xml string
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String encodedXML = SAML2Utils.encodeForRedirect(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster queryString.append(SAML2Constants.SAML_REQUEST)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster .append(SAML2Constants.EQUAL).append(encodedXML);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((relayStateID != null) && (relayStateID.length() > 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster queryString.append("&").append(SAML2Constants.RELAY_STATE)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StringBuffer().append(ssoURL).append(ssoURL.contains("?") ? "&" : "?");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // sign the query string
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (((idpsso != null) && idpsso.isWantAuthnRequestsSigned()) ||
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ((spsso != null) && spsso.isAuthnRequestsSigned()) ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String certAlias = getParameter(spConfigAttrsMap,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.INFO,LogUtil.REDIRECT_TO_IDP,data,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new AuthnRequestInfo(request,response,realm,spEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPCache.requestHash.put(authnRequest.getID(),reqInfo);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // sessionExpireTime is counted in seconds
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper long sessionExpireTime = System.currentTimeMillis() / 1000 + SPCache.interval;
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(key, new AuthnRequestInfoCopy(reqInfo), sessionExpireTime);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2Utils.debug.message("SPSSOFederate.initiateAuthnRequest:"
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper + " SAVE AuthnRequestInfoCopy for requestID " + key);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2Utils.debug.error("SPSSOFederate.initiateAuthnRequest: There was a problem saving the " +
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper "AuthnRequestInfoCopy in the SAML2 Token Repository for requestID " + key, e);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPSSOFederate: Exception :",ioe);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper throw new SAML2Exception(SAML2Utils.bundle.getString("errorCreatingAuthnRequest"));
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2Utils.debug.error("SPSSOFederate:Error retrieving metadata", sme);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Parses the request parameters and builds the ECP Request to send to the IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request the HttpServletRequest.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response the HttpServletResponse.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAML2Exception if error creating AuthnRequest.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws IOException if error sending AuthnRequest to ECP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static void initiateECPRequest(HttpServletRequest request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "invalid HTTP request from ECP.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "invalidHttpRequestFromECP",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidHttpRequestFromECP"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String metaAlias = request.getParameter("metaAlias");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map paramsMap = SAML2Utils.getParamsMap(request);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get the sp entity ID from the metaAlias
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String spEntityID = sm.getEntityByMetaAlias(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm = getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate.initiateECPRequest: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "spEntityID is " + spEntityID + ", realm is " + realm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Retrieve MetaData
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("errorMetaManager"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spConfigAttrsMap = SAML2MetaUtils.getAttributes(spEntityCfg);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get SPSSODescriptor
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO,LogUtil.SP_METADATA_ERROR,data, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.INFO, LogUtil.RECEIVED_HTTP_REQUEST_ECP, data,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List extensionsList = getExtensionsList(sm,spEntityID,realm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // create AuthnRequest
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AuthnRequest authnRequest = createAuthnRequest(realm, spEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster paramsMap, spConfigAttrsMap, extensionsList, spsso, null, null,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SP Adapter class if registered
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.getSPAdapterClass(spEntityID, realm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spAdapter.preSingleSignOnRequest(spEntityID, realm, null,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String alias = SAML2Utils.getSigningCertAlias(realm, spEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster KeyUtil.getKeyProviderInstance().getPrivateKey(alias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Unable to find signing key.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ECPFactory ecpFactory = ECPFactory.getInstance();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Default URL if relayState not present? in providerConfig?
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // TODO get Default URL from metadata
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (relayState != null && relayState.length()> 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String relayStateID = getRelayStateID(relayState,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ECPRelayState ecpRelayState = ecpFactory.createECPRelayState();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ecpRelayState.setActor(SAML2Constants.SOAP_ACTOR_NEXT);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ecpRelayStateXmlStr = ecpRelayState.toXMLString(true, true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ECPRequest ecpRequest = ecpFactory.createECPRequest();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ecpRequest.setIssuer(createIssuer(spEntityID));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ecpRequest.setActor(SAML2Constants.SOAP_ACTOR_NEXT);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ecpRequest.setIsPassive(authnRequest.isPassive());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List idps = ecpIDPFinder.getPreferredIDP(authnRequest,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster for(Iterator iter = idps.iterator(); iter.hasNext();) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPSSODescriptorElement idpDesc = saml2MetaManager
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPEntry idpEntry = ProtocolFactory.getInstance()
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPList idpList = ProtocolFactory.getInstance()
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map attrs = SAML2MetaUtils.getAttributes(spEntityCfg);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.ECP_REQUEST_IDP_LIST_GET_COMPLETE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.PAOS_ECP_SERVICE, null, Boolean.TRUE,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster paosRequestXmlStr = paosRequest.toXMLString(true, true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest:",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ecpRequest.toXMLString(true, true) + ecpRelayStateXmlStr;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String body = authnRequest.toXMLString(true, true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SOAPMessage reply = SAML2Utils.createSOAPMessage(header, body,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster data2[2] = SAML2Utils.soapMessageToString(reply);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.INFO, LogUtil.SEND_ECP_PAOS_REQUEST, data2,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Need to call saveChanges because we're
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // going to use the MimeHeaders to set HTTP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // response information. These MimeHeaders
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // are generated as part of the save.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.putHeaders(reply.getMimeHeaders(), response);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster response.setContentType(PAOSConstants.PAOS_MIME_TYPE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Write out the message on the response stream
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO, LogUtil.SEND_ECP_PAOS_REQUEST_FAILED,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new AuthnRequestInfo(request,response,realm,spEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPCache.requestHash.put(authnRequest.getID(),reqInfo);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // sessionExpireTime is counted in seconds
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper long sessionExpireTime = System.currentTimeMillis() / 1000 + SPCache.interval;
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(key, new AuthnRequestInfoCopy(reqInfo), sessionExpireTime);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2Utils.debug.message("SPSSOFederate.initiateECPRequest:"
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper + " SAVE AuthnRequestInfoCopy for requestID " + key);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest: There was a problem saving the " +
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper "AuthnRequestInfoCopy in the SAML2 Token Repository for requestID " + key, e);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2Utils.debug.error("SPSSOFederate:Error retrieving metadata" ,sme);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Checks if the request is from ECP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request the HttpServletRequest.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if the request is from ECP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static boolean isFromECP(HttpServletRequest request) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate.initiateECPRequest:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "no PAOS header");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map svcOpts = paosHeader.getServicesAndOptions();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (!svcOpts.containsKey(SAML2Constants.PAOS_ECP_SERVICE))) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate.initiateECPRequest:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "PAOS header doesn't contain ECP service");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String acceptHeader = request.getHeader("Accept");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return (acceptHeader.indexOf(PAOSConstants.PAOS_MIME_TYPE) != -1);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /* Create NameIDPolicy Element */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static NameIDPolicy createNameIDPolicy(String spEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String format, boolean allowCreate, SPSSODescriptorElement spsso,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPSSODescriptorElement idpsso, String realm, Map paramsMap)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster format = SAML2Utils.verifyNameIDFormat(format, spsso, idpsso);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ProtocolFactory.getInstance().createNameIDPolicy();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sm.getAffiliationDescriptor(realm, affiliationID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "affiliationNotFound"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!affiDesc.getAffiliateMember().contains(spEntityID)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "spNotAffiliationMember"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster nameIDPolicy.setSPNameQualifier(affiliationID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /* Create Issuer */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static Issuer createIssuer(String spEntityID)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Issuer issuer = AssertionFactory.getInstance().createIssuer();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /* Create AuthnRequest */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static AuthnRequest createAuthnRequest(String realmName,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // generate unique request ID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((requestID == null) || (requestID.length() == 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("cannotGenerateID"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // retrieve data from the params map and if not found get
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // default values from the SPConfig Attributes
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // destinationURI required if message is signed.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Boolean isPassive = doPassive(paramsMap,spConfigMap);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Boolean isforceAuthn= isForceAuthN(paramsMap,spConfigMap);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean allowCreate=isAllowCreate(paramsMap,spConfigMap);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String consent = getParameter(paramsMap,SAML2Constants.CONSENT);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Extensions extensions = createExtensions(extensionsList);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String nameIDPolicyFormat = getParameter(paramsMap,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get NameIDPolicy Element
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameIDPolicy nameIDPolicy = createNameIDPolicy(spEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster nameIDPolicyFormat, allowCreate, spsso, idpsso, realmName,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Integer acsIndex = getIndex(paramsMap,SAML2Constants.ACS_URL_INDEX);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Integer attrIndex = getIndex(paramsMap,SAML2Constants.ATTR_INDEX);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String protocolBinding = isForECP ? SAML2Constants.PAOS :
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster OrderedSet acsSet = getACSUrl(spsso,protocolBinding);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster realmName, spEntityID, SAML2Constants.ACS_SERVICE,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPSSOFederate.createAuthnRequest:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { spEntityID, protocolBinding };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("unsupportedBinding"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ProtocolFactory.getInstance().createAuthnRequest();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((destinationURI == null) || (destinationURI.length() == 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authnReq.setDestination(XMLUtils.escapeSpecialCharacters(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authnReq.setDestination(XMLUtils.escapeSpecialCharacters(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authnReq.setAttributeConsumingServiceIndex(attrIndex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authnReq.setAssertionConsumerServiceIndex(acsIndex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authnReq.setRequestedAuthnContext(reqAuthnContext);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Required attributes in authn request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authnReq.setVersion(SAML2Constants.VERSION_2_0);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((enableIDPProxy != null) && enableIDPProxy.booleanValue())
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String proxyCountParam = getParameter(spConfigMap,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (proxyCountParam != null && (!proxyCountParam.equals(""))) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster scoping.setProxyCount(new Integer(proxyCountParam));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (proxyIDPs != null && !proxyIDPs.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPEntry entry = ProtocolFactory.getInstance().
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPList idpList = ProtocolFactory.getInstance().
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /* Returns value of parameter in the SP SSO Config */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static Boolean getAttrValueFromMap(Map attrMap,String attrName) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String attrVal = getParameter(attrMap,attrName);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /* Returns the SingleSignOnService URL */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static String getSSOURL(List ssoServiceList, String binding) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((ssoServiceList != null) && (!ssoServiceList.isEmpty())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster while (i.hasNext()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " SingleSignOnService URL :"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns an Ordered Set containing the AssertionConsumerServiceURL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * and AssertionConsumerServiceIndex.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static OrderedSet getACSUrl(SPSSODescriptorElement spsso,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((binding != null) && (binding.length() > 0) &&
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (binding.indexOf(SAML2Constants.BINDING_PREFIX) == -1)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StringBuffer().append(SAML2Constants.BINDING_PREFIX)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List acsList = spsso.getAssertionConsumerService();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (responseBinding == null || responseBinding.length() ==0 )) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate: AssertionConsumerService :"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate: AssertionConsumerService :"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate: AssertionConsumerService :"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /* Returns the realm */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return ((realm == null) || (realm.length() == 0)) ? "/" : realm;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /* Returns value of isPassive attribute */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static Boolean doPassive(Map paramsMap,Map spConfigAttrsMap){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get isPassive
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster getParameter(paramsMap,SAML2Constants.ISPASSIVE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (isPassiveStr.equals(SAML2Constants.FALSE))))) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster isPassive = getAttrValueFromMap(spConfigAttrsMap,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate: isPassive : " + isPassive);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return (isPassive == null) ? Boolean.FALSE : isPassive;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /* Returns value of ForceAuthn */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static Boolean isForceAuthN(Map paramsMap,Map spConfigAttrsMap) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String forceAuthn = getParameter(paramsMap,SAML2Constants.FORCEAUTHN);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster isforceAuthn = getAttrValueFromMap(spConfigAttrsMap,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate:ForceAuthn: " + forceAuthn);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return (isforceAuthn == null) ? Boolean.FALSE : isforceAuthn;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /* get value of AllowCreate */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static boolean isAllowCreate(Map paramsMap,Map spConfigAttrsMap) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //assuming default true?
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ((allowCreateStr.equals(SAML2Constants.TRUE) ||
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (allowCreateStr.equals(SAML2Constants.FALSE))))
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster allowCreate = new Boolean(allowCreateStr).booleanValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Boolean val = getAttrValueFromMap(spConfigAttrsMap,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate:AllowCreate:"+ allowCreate);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /* Returns the AssertionConsumerServiceURL Index */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static Integer getIndex(Map paramsMap,String attrName) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String index = getParameter(paramsMap,attrName);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /* Returns the query parameter value for the param specified */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static String getParameter(Map paramsMap,String attrName) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((paramsMap != null) && (!paramsMap.isEmpty())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List attrValList = (List)paramsMap.get(attrName);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (attrValList != null && !attrValList.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster attrVal = (String) attrValList.iterator().next();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /* Returns the extensions list */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static List getExtensionsList(SAML2MetaManager sm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster EntityDescriptorElement ed = sm.getEntityDescriptor(realm,entityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster com.sun.identity.saml2.jaxb.metadata.ExtensionsType ext =
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPSSOFederate:Error retrieving " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "EntityDescriptor");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static com.sun.identity.saml2.protocol.Extensions
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster createExtensions(List extensionsList) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster com.sun.identity.saml2.protocol.Extensions extensions=null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (extensionsList != null && !extensionsList.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ProtocolFactory.getInstance().createExtensions();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static String getRelayStateID(String relayState, String requestID) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPCache.relayStateHash.put(requestID, new CacheObject(relayState));
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // sessionExpireTime is counted in seconds
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper long sessionExpireTime = System.currentTimeMillis() / 1000 + SPCache.interval;
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper // Need to make the key unique due to the requestID also being used to
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper // store a copy of the AuthnRequestInfo
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(key, relayState, sessionExpireTime);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2Utils.debug.message("SPSSOFederate.getRelayStateID: SAVE relayState for requestID "
80849398a45dca1fb917716907d6ec99be6222c2Peter Major SAML2Utils.debug.error("SPSSOFederate.getRelayStateID: Unable to SAVE relayState for requestID "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /* Creates RequestedAuthnContext Object */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static RequestedAuthnContext createReqAuthnContext(String realmName,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((spConfigMap != null) && (!spConfigMap.isEmpty())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster className = ((String) listVal.iterator().next()).trim();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.getSPAuthnContextMapper(realmName,spEntityID,className);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate:Error creating " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "RequestedAuthnContext",e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Signs the query string.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static String signQueryString(String queryString,String certAlias)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate:queryString:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate: certAlias :"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster KeyProvider kp = KeyUtil.getKeyProviderInstance();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster PrivateKey privateKey = kp.getPrivateKey(certAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return QuerySignatureUtil.sign(queryString,privateKey);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static void signAuthnRequest(String certAlias,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AuthnRequest authnRequest) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster KeyProvider kp = KeyUtil.getKeyProviderInstance();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPSSOFederate:signAuthnRequest: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Unable to get a key provider instance.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullKeyProvider"));