fedletSSOInit.jsp revision e8721886dbfd32e88cc7077cbee4b6bb1b44b443
DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
Copyright (c) 2008 Sun Microsystems Inc. All Rights Reserved
The contents of this file are subject to the terms
of the Common Development and Distribution License
(the License). You may not use this file except in
compliance with the License.
You can obtain a copy of the License at
https://opensso.dev.java.net/public/CDDLv1.0.html or
See the License for the specific language governing
permission and limitations under the License.
When distributing Covered Code, include this CDDL
Header Notice in each file and include the License file
If applicable, add the following below the CDDL Header,
with the fields enclosed by brackets [] replaced by
your own identifying information:
"Portions Copyrighted [year] [name of copyright owner]"
$Id: fedletSSOInit.jsp,v 1.8 2009/06/24 23:05:30 mrudulahg Exp $
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<%@ page import="com.sun.identity.shared.debug.Debug" %>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<%@ page import="com.sun.identity.saml.common.SAMLUtils" %>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<%@ page import="com.sun.identity.saml2.common.SAML2Constants" %>
fae13836a33b474a6aa2c147df8334f5b1ffae45Tinderbox User<%@ page import="com.sun.identity.saml2.common.SAML2Utils" %>
fae13836a33b474a6aa2c147df8334f5b1ffae45Tinderbox User<%@ page import="com.sun.identity.saml2.common.SAML2Exception" %>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<%@ page import="com.sun.identity.saml2.meta.SAML2MetaManager" %>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<%@ page import="com.sun.identity.saml2.profile.SPCache" %>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<%@ page import="com.sun.identity.saml2.profile.SPSSOFederate" %>
fae13836a33b474a6aa2c147df8334f5b1ffae45Tinderbox User<%@ page import="java.util.HashMap" %>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<%@ page import="java.util.ArrayList" %>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<%@ page import="java.util.List" %>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<%@ page import="java.util.Map" %>
fae13836a33b474a6aa2c147df8334f5b1ffae45Tinderbox User<%@ page import="java.util.StringTokenizer" %>
fedletSSOInit.jsp initiates the Single Sign-On at the Service Provider.
Following is the list of supported query parameters:
Query Parameter Name        Description
1. metaAlias        MetaAlias for the Service Provider. The format of
                    this parameter is /realm_name/SP name. If unspecified,
                    the first available hosted SP is used.
2. idpEntityID      Identifier for the Identity Provider. If unspecified,
                    the only configured remote IDP is used; the code below
                    rejects the request when several remote IDPs are
                    configured and none is named.
3. RelayState       Target URL on successful completion of SSO/Federation.
                    This page forwards the value as received, without
                    checking it; whether the post-SSO redirect is limited
                    to trusted targets depends on the SP-side handling,
                    which is not shown here.
4. RelayStateAlias  Specify the parameter(s) to use as the RelayState.
                    e.g. if the request URL has:
                    ?TARGET=http://server:port/uri&RelayStateAlias=TARGET
                    then the TARGET query parameter will be interpreted as
                    RelayState and on successful completion of
                    SSO/Federation the user will be redirected to the TARGET
5. NameIDFormat     NameIDPolicy format Identifier Value.
                    urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
                    urn:oasis:names:tc:SAML:2.0:nameid-format:transient
                    Note: transient will always be used for the Fedlet
                    (the code below overrides this parameter).
6. binding          URI value that identifies a SAML protocol binding to
                    be used when returning the Response message.
                    The supported values are:
                    HTTP-Artifact
                    HTTP-POST (default for Fedlet)
7. AssertionConsumerServiceIndex
                    An integer number indicating the location
                    to which the Response message should be returned to
                    the requester.
8. AttributeConsumingServiceIndex
                    Indirectly specifies information associated
                    with the requester describing the SAML attributes
                    the requester desires or requires to be supplied
                    by the IDP in the generated Response message.
                    Note: This parameter may not be supported for
                    this release.
9. isPassive        true or false value indicating whether the IDP
                    should authenticate passively.
10. ForceAuthN      true or false value indicating whether the IDP must
                    force authentication (true) or may rely on
                    reusing existing security contexts (false).
11. AllowCreate     Value indicating whether the IDP is allowed to create
                    a new identifier for the principal if it does not exist.
                    Value of this parameter can be true OR false.
                    true - IDP can dynamically create the user.
12. Destination     A URI Reference indicating the address to which the
                    request has been sent.
                    Specifies the AuthnContext Declaration Reference.
                    The value is a pipe separated value with multiple
                    Specifies the AuthnContext Class References.
                    The value is a pipe separated value with multiple
15. AuthLevel       The Authentication Level of the Authentication
                    Context to use for Authentication.
16. AuthComparison  The comparison method used to evaluate the
                    requested context classes or statements.
                    Allowed values are:
17. Consent         Specifies a URI, a SAML-defined identifier
                    known as a Consent Identifier. These are defined in
                    the SAML 2 Assertions and Protocols document.
                    Note: This parameter may not be supported for
                    this release.
18. reqBinding      URI value that identifies a SAML protocol binding to
                    be used when sending the AuthnRequest.
                    The supported values are:
                    urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                    urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
19. affiliationID   Affiliation entity ID
// Retrieve the request query parameters.
// metaAlias and idpEntityID are the primary query parameters; when either
// is absent the code below falls back to the first hosted SP or to the
// single configured remote IDP.
// metaAlias - Service Provider Entity Id
// idpEntityID - Identity Provider Identifier
// requestID, when present, selects a parameter set cached in
// SPCache.reqParamHash by an earlier request; the lookup below does not
// appear to guard against an ID that is missing from the cache.
// Query parameters supported will be documented.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User String idpEntityID = null;
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User String metaAlias= null;
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Map paramsMap = null;
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User String reqID = request.getParameter("requestID");
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User if (reqID != null) {
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User //get the preferred idp
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User idpEntityID = SAML2Utils.getPreferredIDP(request);
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User paramsMap = (Map)SPCache.reqParamHash.get(reqID);
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User metaAlias = (String) paramsMap.get("metaAlias");
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User // this is an original request check
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User // get the metaAlias ,idpEntityID
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User // if idpEntityID is null redirect to IDP Discovery
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User // Service to retrieve.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User metaAlias = request.getParameter("metaAlias");
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User if ((metaAlias == null) || (metaAlias.length() == 0)) {
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User SAML2MetaManager manager = new SAML2MetaManager();
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User List spMetaAliases =
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User manager.getAllHostedServiceProviderMetaAliases("/");
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User if ((spMetaAliases != null) && !spMetaAliases.isEmpty()) {
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User // get first one
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User metaAlias = (String) spMetaAliases.get(0);
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User if ((metaAlias == null) || (metaAlias.length() == 0)) {
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User SAMLUtils.sendError(request, response,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User response.SC_BAD_REQUEST, "nullSPEntityID",
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User SAML2Utils.bundle.getString("nullSPEntityID"));
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User idpEntityID = request.getParameter("idpEntityID");
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User paramsMap = SAML2Utils.getParamsMap(request);
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User // always use transient
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User List list = new ArrayList();
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User list.add(SAML2Constants.NAMEID_TRANSIENT_FORMAT);
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User paramsMap.put(SAML2Constants.NAMEID_POLICY_FORMAT, list);
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User if (paramsMap.get(SAML2Constants.BINDING) == null) {
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User // use POST binding
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User list = new ArrayList();
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User if ((idpEntityID == null) || (idpEntityID.length() == 0)) {
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User // get reader url
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User String readerURL = SAML2Utils.getReaderURL(metaAlias);
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User if (readerURL != null) {
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User String redirectURL =
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User SAML2Utils.getRedirectURL(readerURL,rID,request);
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User if (redirectURL != null) {
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User paramsMap.put("metaAlias",metaAlias);
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User if ((idpEntityID == null) || (idpEntityID.length() == 0)) {
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User SAML2MetaManager manager = new SAML2MetaManager();
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User List idpEntities = manager.getAllRemoteIdentityProviderEntities("/");
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User if ((idpEntities == null) || idpEntities.isEmpty()) {
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User SAMLUtils.sendError(request, response,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User } else if (idpEntities.size() == 1) {
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User // only one IDP, just use it
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User idpEntityID = (String) idpEntities.get(0);
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User // multiple IDP configured in fedlet
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User SAMLUtils.sendError(request, response,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User response.SC_BAD_REQUEST, "nullIDPEntityID",
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User SAML2Utils.bundle.getString("nullIDPEntityID"));
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User // get the parameters and put it in a map.
fae13836a33b474a6aa2c147df8334f5b1ffae45Tinderbox User SPSSOFederate.initiateAuthnRequest(request,response,metaAlias,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User idpEntityID, paramsMap);
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User } catch (SAML2Exception sse) {
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User SAML2Utils.debug.error("Error sending AuthnRequest " , sse);
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User SAMLUtils.sendError(request, response,
fae13836a33b474a6aa2c147df8334f5b1ffae45Tinderbox User response.SC_BAD_REQUEST, "requestProcessingError",
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User SAML2Utils.bundle.getString("requestProcessingError") + " " +
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User } catch (Exception e) {
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User SAML2Utils.debug.error("Error processing Request ",e);
fae13836a33b474a6aa2c147df8334f5b1ffae45Tinderbox User SAMLUtils.sendError(request, response,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User response.SC_BAD_REQUEST, "requestProcessingError",
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User SAML2Utils.bundle.getString("requestProcessingError") + " " +