SPSSOFederate.java revision a688bcbb4bcff5398fdd29b86f83450257dc0df4
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: SPSSOFederate.java,v 1.29 2009/11/24 21:53:28 madan_ranganath Exp $
*
*/
/*
* Portions Copyrighted 2011 ForgeRock AS
*/
/**
* This class reads the query parameters and performs the required
* processing logic for sending Authentication Request
* from SP to IDP.
*
*/
public class SPSSOFederate {
static {
try {
sm = new SAML2MetaManager();
} catch (SAML2MetaException sme) {
,sme);
}
}
/**
* Parses the request parameters and builds the Authentication
* Request to sent to the IDP.
*
* @param request the HttpServletRequest.
* @param response the HttpServletResponse.
* @param metaAlias metaAlias to locate the service providers.
* @param idpEntityID entityID of Identity Provider.
* @param paramsMap Map of all other parameters.The key in the
* map are of the type String. The values in the paramsMap
* are of the type List.
* Some of the possible keys are:RelayState,NameIDFormat,
* reqBinding, binding, AssertionConsumerServiceIndex,
* AttributeConsumingServiceIndex (currently not supported),
* isPassive, ForceAuthN, AllowCreate, Destination,
* AuthnContextDeclRef, AuthnContextClassRef,
* AuthComparison, Consent (currently not supported),
* AuthLevel, and sunamcompositeadvice.
* @throws SAML2Exception if error initiating request to IDP.
*/
throws SAML2Exception {
try {
// get the sp entity ID from the metaAlias
+ spEntityID);
}
} catch (SAML2MetaException sme) {
" from MetaAlias",sme);
throw new SAML2Exception(
}
}
/**
* Parses the request parameters and builds the Authentication
* Request to sent to the IDP.
*
* @param request the HttpServletRequest.
* @param response the HttpServletResponse.
* @param spEntityID entityID of Service Provider.
* @param idpEntityID entityID of Identity Provider.
* @param paramsMap Map of all other parameters.The key in the
* map are the parameter names of the type String.
* The values in the paramsMap are of the type List.
* Some of the possible keys are:RelayState,NameIDFormat,
* reqBinding, binding, AssertionConsumerServiceIndex,
* AttributeConsumingServiceIndex (currently not supported),
* isPassive, ForceAuthN, AllowCreate, Destination,
* AuthnContextDeclRef, AuthnContextClassRef,
* AuthComparison, Consent (currently not supported),
* AuthLevel, and sunamcompositeadvice.
* @throws SAML2Exception if error initiating request to IDP.
*/
throws SAML2Exception {
return;
}
if (spEntityID == null) {
+ " is missing.");
throw new SAML2Exception(
}
if (idpEntityID == null) {
+ "is missing .");
throw new SAML2Exception(
}
}
+ spEntityID);
+ idpEntityID);
}
try {
// Retreive MetaData
throw new SAML2Exception(
}
if (spEntityCfg != null) {
}
// get SPSSODescriptor
null);
throw new SAML2Exception(
}
// get IDP Descriptor
null);
throw new SAML2Exception(
}
null);
throw new SAML2Exception(
}
// create AuthnRequest
ssoURL, false);
// invoke SP Adapter class if registered
}
}
// Default URL if relayState not present? in providerConfig?
// TODO get Default URL from metadata
// Validate the RelayState URL.
// check if relayState is present and get the unique
// id which will be appended to the SSO URL before
// redirecting.
authnRequest.getID());
}
}
"SPSSOFederate.initiateAuthnRequest: " +
"SAML Response content :\n" + authXMLString);
}
} else {
// encode the xml string
.append("=")
}
// sign the query string
} else {
}
}
null);
synchronized(SPCache.requestHash) {
}
if (SAML2Utils.isSAML2FailOverEnabled()) {
// sessionExpireTime is counted in seconds
SAML2Repository.getInstance().save(authnRequest.getID(), new AuthnRequestInfoCopy(reqInfo), sessionExpireTime, null);
}
}
} catch (IOException ioe) {
throw new SAML2Exception(
} catch (SAML2MetaException sme) {
,sme);
throw new SAML2Exception(
}
}
/**
* Parses the request parameters and builds ECP Request to sent to the IDP.
*
* @param request the HttpServletRequest.
* @param response the HttpServletResponse.
*
* @throws SAML2Exception if error creating AuthnRequest.
* @throws IOException if error sending AuthnRequest to ECP.
*/
throws SAML2Exception, IOException {
"invalid HTTP request from ECP.");
"invalidHttpRequestFromECP",
return;
}
// get the sp entity ID from the metaAlias
}
try {
// Retreive MetaData
throw new SAML2Exception(
}
if (spEntityCfg != null) {
}
// get SPSSODescriptor
throw new SAML2Exception(
}
null);
// create AuthnRequest
true);
// invoke SP Adapter class if registered
}
if (signingKey != null) {
} else {
"Unable to find signing key.");
throw new SAML2Exception(
}
// Default URL if relayState not present? in providerConfig?
// TODO get Default URL from metadata
authnRequest.getID());
}
if (ecpIDPFinder != null) {
.createIDPEntry();
if (idpEntries == null) {
idpEntries = new ArrayList();
}
}
}
if (idpEntries != null) {
.createIDPList();
}
}
}
}
try {
} catch (PAOSException paosex) {
paosex);
}
try {
false);
}
null);
// Need to call saveChanges because we're
// going to use the MimeHeaders to set HTTP
// response information. These MimeHeaders
// are generated as part of the save.
if (reply.saveRequired()) {
reply.saveChanges();
}
// Write out the message on the response stream
} catch (SOAPException soapex) {
soapex);
return;
}
synchronized(SPCache.requestHash) {
}
if (SAML2Utils.isSAML2FailOverEnabled()) {
// sessionExpireTime is counted in seconds
}
}
} catch (SAML2MetaException sme) {
,sme);
throw new SAML2Exception(
}
}
/**
* Checks if the request is from ECP.
* @param request the HttpServletRequest.
* @return true if the request is from ECP.
*/
try {
} catch (PAOSException pex) {
"no PAOS header");
}
return false;
}
"PAOS header doesn't contain ECP service");
}
return false;
}
if (acceptHeader == null) {
return false;
}
}
/* Create NameIDPolicy Element */
throws SAML2Exception {
if (affiliationID != null) {
"affiliationNotFound"));
}
"spNotAffiliationMember"));
}
} else {
}
return nameIDPolicy;
}
/* Create Issuer */
throws SAML2Exception {
return issuer;
}
/* Create AuthnRequest */
boolean isForECP
) throws SAML2Exception {
// generate unique request ID
throw new SAML2Exception(
}
// retrieve data from the params map and if not found get
// default values from the SPConfig Attributes
// destinationURI required if message is signed.
// get NameIDPolicy Element
{
"is not supported for " + spEntityID);
throw new SAML2Exception(
}
if (!isForECP) {
ssourl));
} else {
}
}
if (extensions != null) {
}
// Required attributes in authn request
//IDP Proxy
{
}
}
}
}
return authnReq;
}
/* Returns value of parameter in the SP SSO Config */
}
}
return boolVal;
}
/* Returns the SingleSignOnService URL */
while (i.hasNext()) {
(SingleSignOnServiceElement) i.next();
break;
}
}
}
+ " SingleSignOnService URL :"
+ ssoURL);
}
return ssoURL;
}
/**
* Returns an Ordered Set containing the AssertionConsumerServiceURL
* and AssertionConsumerServiceIndex.
*/
}
break;
break;
}
}
}
+ " URL :" + acsURL);
+ " Binding Passed in Query: " + binding);
+ " Binding : " + responseBinding);
}
return ol;
}
/* Returns the realm */
}
/* Returns value of isPassive attribute */
// get isPassive
if ((isPassiveStr != null) &&
} else {
}
}
}
/* Returns value of ForceAuthn */
if ((forceAuthn != null) &&
} else {
}
}
}
/* get value of AllowCreate */
//assuming default true?
boolean allowCreate=true;
if ((allowCreateStr != null) &&
) {
} else {
}
}
}
return allowCreate;
}
/* Returns the AssertionConsumerServiceURL Index */
}
return attrIndex;
}
/* Returns the query parameter value for the param specified */
}
}
return attrVal;
}
/* Returns the extensions list */
try {
ed.getExtensions();
}
}
} catch (SAML2Exception e) {
"EntityDescriptor");
}
return extensionsList;
}
}
return extensions;
}
if (SAML2Utils.isSAML2FailOverEnabled()) {
// sessionExpireTime is counted in seconds
try {
// Need to make the key unique due to the requestID also being used to
// store a copy of the AuthnRequestInfo
} catch (SAML2Exception ex) {
}
}
SAML2Utils.debug.message("SPSSOFederate.getRelayStateID: SAVE relayState for requestID " + requestID);
}
}
return requestID;
}
/* Creates RequestedAuthnContext Object */
Map spConfigMap) {
}
}
try {
reqCtx =
} catch (SAML2Exception e) {
"RequestedAuthnContext",e);
}
}
return reqCtx;
}
/**
* Signs the query string.
*/
throws SAML2Exception {
+ queryString);
+ certAlias);
}
}
"Unable to get a key provider instance.");
"nullKeyProvider"));
}
}
}