idpSSOInit.jsp revision 6ee2adce4b7ba1c7cdee88dce16cc901d1a1e1ce
97a9a944b5887e91042b019776c41d5dd74557aferikabele DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a945f35eff8b6a88009ce73de6d4c862ce58de3cslive Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
a945f35eff8b6a88009ce73de6d4c862ce58de3cslive The contents of this file are subject to the terms
b686b6a420bde7f78c416b90be11db94cb789979nd of the Common Development and Distribution License
b686b6a420bde7f78c416b90be11db94cb789979nd (the License). You may not use this file except in
b686b6a420bde7f78c416b90be11db94cb789979nd compliance with the License.
b686b6a420bde7f78c416b90be11db94cb789979nd You can obtain a copy of the License at
b686b6a420bde7f78c416b90be11db94cb789979nd See the License for the specific language governing
b686b6a420bde7f78c416b90be11db94cb789979nd permission and limitations under the License.
b686b6a420bde7f78c416b90be11db94cb789979nd When distributing Covered Code, include this CDDL
b686b6a420bde7f78c416b90be11db94cb789979nd Header Notice in each file and include the License file
4b5981e276e93df97c34e4da05ca5cf8bbd937dand If applicable, add the following below the CDDL Header,
b686b6a420bde7f78c416b90be11db94cb789979nd with the fields enclosed by brackets [] replaced by
b686b6a420bde7f78c416b90be11db94cb789979nd your own identifying information:
3b3b7fc78d1f5bfc2769903375050048ff41ff26nd "Portions Copyrighted [year] [name of copyright owner]"
7f5b59ccc63c0c0e3e678a168f09ee6a2f51f9d0nd $Id: idpSSOInit.jsp,v 1.9 2009/06/24 23:05:30 mrudulahg Exp $
b686b6a420bde7f78c416b90be11db94cb789979nd Portions Copyrighted 2013-2015 ForgeRock AS.
b686b6a420bde7f78c416b90be11db94cb789979nd<%@ page import="com.sun.identity.saml2.common.SAML2Constants" %>
b686b6a420bde7f78c416b90be11db94cb789979nd<%@ page import="com.sun.identity.saml2.common.SAML2Exception" %>
b686b6a420bde7f78c416b90be11db94cb789979nd<%@ page import="com.sun.identity.saml2.common.SAML2Utils" %>
b686b6a420bde7f78c416b90be11db94cb789979nd<%@ page import="com.sun.identity.saml.common.SAMLUtils" %>
b686b6a420bde7f78c416b90be11db94cb789979nd<%@ page import="com.sun.identity.saml2.profile.IDPSSOUtil" %>
06ba4a61654b3763ad65f52283832ebf058fdf1cslive<%@ page import="java.io.PrintWriter" %>
06ba4a61654b3763ad65f52283832ebf058fdf1cslive<%@ page import="org.forgerock.guice.core.InjectorHolder" %>
491856cfdee8ce7c5eb4d4886784713bebad2e80nd<%@ page import="org.forgerock.openam.audit.AuditEventPublisher" %>
491856cfdee8ce7c5eb4d4886784713bebad2e80nd<%@ page import="org.forgerock.openam.saml2.audit.SAML2Auditor" %>
06ba4a61654b3763ad65f52283832ebf058fdf1cslive<%@ page import="org.forgerock.openam.audit.AuditEventFactory" %>
b686b6a420bde7f78c416b90be11db94cb789979nd idpSSOInit.jsp initiates Unsolicited SSO at the Identity Provider.
b686b6a420bde7f78c416b90be11db94cb789979nd The following is the list of supported query parameters:
117c1f888a14e73cdd821dc6c23eb0411144a41cnd Required parameters for this JSP are:
117c1f888a14e73cdd821dc6c23eb0411144a41cnd Query Parameter Name Description
b686b6a420bde7f78c416b90be11db94cb789979nd 1. metaAlias MetaAlias for Identity Provider. The format of
b686b6a420bde7f78c416b90be11db94cb789979nd this parameter is /realm_name/IDP name.
b686b6a420bde7f78c416b90be11db94cb789979nd 2. spEntityID Identifier for Service Provider.
b686b6a420bde7f78c416b90be11db94cb789979nd Optional Query Parameters :
b686b6a420bde7f78c416b90be11db94cb789979nd Query Parameter Name Description
b686b6a420bde7f78c416b90be11db94cb789979nd 3. RelayState Target URL on successful completion of SSO/Federation
b686b6a420bde7f78c416b90be11db94cb789979nd 4. RelayStateAlias Specify the parameter(s) to use as the RelayState.
b686b6a420bde7f78c416b90be11db94cb789979nd e.g. if the request URL has :
b686b6a420bde7f78c416b90be11db94cb789979nd then the TARGET query parameter will be interpreted as
b686b6a420bde7f78c416b90be11db94cb789979nd RelayState and on successful completion of
b686b6a420bde7f78c416b90be11db94cb789979nd SSO/Federation user will be redirected to the TARGET URL.
06ba4a61654b3763ad65f52283832ebf058fdf1cslive 5. NameIDFormat NameID format Identifier Value.
06ba4a61654b3763ad65f52283832ebf058fdf1cslive For example,
06ba4a61654b3763ad65f52283832ebf058fdf1cslive urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
06ba4a61654b3763ad65f52283832ebf058fdf1cslive urn:oasis:names:tc:SAML:2.0:nameid-format:transient
06ba4a61654b3763ad65f52283832ebf058fdf1cslive 6. binding URI value that identifies the SAML protocol binding to
06ba4a61654b3763ad65f52283832ebf058fdf1cslive be used when returning the Response message.
06ba4a61654b3763ad65f52283832ebf058fdf1cslive The supported values are :
06ba4a61654b3763ad65f52283832ebf058fdf1cslive HTTP-Artifact
06ba4a61654b3763ad65f52283832ebf058fdf1cslive NOTE: There are other SAML-defined values for this parameter
97a9a944b5887e91042b019776c41d5dd74557aferikabele which are not supported by FM/AM.
06ba4a61654b3763ad65f52283832ebf058fdf1cslive 7. affiliationID affiliation entity ID
491856cfdee8ce7c5eb4d4886784713bebad2e80nd AuditEventPublisher aep = InjectorHolder.getInstance(AuditEventPublisher.class);
491856cfdee8ce7c5eb4d4886784713bebad2e80nd AuditEventFactory aef = InjectorHolder.getInstance(AuditEventFactory.class);
491856cfdee8ce7c5eb4d4886784713bebad2e80nd SAML2Auditor saml2Auditor = new SAML2Auditor(aep, aef, request);
491856cfdee8ce7c5eb4d4886784713bebad2e80nd saml2Auditor.setMethod("idpSSOInit");
06ba4a61654b3763ad65f52283832ebf058fdf1cslive saml2Auditor.setRealm(SAML2Utils.getRealm(request.getParameterMap()));
97a9a944b5887e91042b019776c41d5dd74557aferikabele saml2Auditor.setSessionTrackingId(session.getId());
97a9a944b5887e91042b019776c41d5dd74557aferikabele // Retrieve the Request Query Parameters
06ba4a61654b3763ad65f52283832ebf058fdf1cslive // metaAlias and spEntityID are the required query parameters
06ba4a61654b3763ad65f52283832ebf058fdf1cslive // metaAlias - MetaAlias of the Identity Provider (/realm_name/IDP name)
06ba4a61654b3763ad65f52283832ebf058fdf1cslive // spEntityID - Service Provider Identifier
06ba4a61654b3763ad65f52283832ebf058fdf1cslive String cachedResID = request.getParameter(SAML2Constants.RES_INFO_ID);
06ba4a61654b3763ad65f52283832ebf058fdf1cslive // if this id is set, then this is a redirect from the COT
06ba4a61654b3763ad65f52283832ebf058fdf1cslive // cookie writer. There is already an assertion response
06ba4a61654b3763ad65f52283832ebf058fdf1cslive // cached in this provider. Send it back directly.
491856cfdee8ce7c5eb4d4886784713bebad2e80nd if ((cachedResID != null) && (cachedResID.length() != 0)) {
b686b6a420bde7f78c416b90be11db94cb789979nd IDPSSOUtil.sendResponse(request, response, new PrintWriter(out, true), cachedResID);
491856cfdee8ce7c5eb4d4886784713bebad2e80nd String metaAlias = request.getParameter("metaAlias");
491856cfdee8ce7c5eb4d4886784713bebad2e80nd if ((metaAlias == null) || (metaAlias.length() == 0)) {
491856cfdee8ce7c5eb4d4886784713bebad2e80nd request, response, response.SC_BAD_REQUEST, "nullIDPEntityID",
491856cfdee8ce7c5eb4d4886784713bebad2e80nd SAML2Utils.bundle.getString("nullIDPEntityID"));
b686b6a420bde7f78c416b90be11db94cb789979nd saml2Auditor.auditAccessFailure(String.valueOf(response.SC_BAD_REQUEST),
b686b6a420bde7f78c416b90be11db94cb789979nd SAML2Utils.bundle.getString("nullSPEntityID"));
06ba4a61654b3763ad65f52283832ebf058fdf1cslive String spEntityID = request.getParameter("spEntityID");
97a9a944b5887e91042b019776c41d5dd74557aferikabele if ((spEntityID == null) || (spEntityID.length() == 0)) {
491856cfdee8ce7c5eb4d4886784713bebad2e80nd request, response, response.SC_BAD_REQUEST, "nullSPEntityID",
97a9a944b5887e91042b019776c41d5dd74557aferikabele SAML2Utils.bundle.getString("nullSPEntityID"));
06ba4a61654b3763ad65f52283832ebf058fdf1cslive saml2Auditor.auditAccessFailure(String.valueOf(response.SC_BAD_REQUEST),
491856cfdee8ce7c5eb4d4886784713bebad2e80nd SAML2Utils.bundle.getString("nullSPEntityID"));
491856cfdee8ce7c5eb4d4886784713bebad2e80nd // get the nameIDPolicy
4d1373ab409b4f731e42113cb1137ae3fdedeb4and String nameIDFormat = request.getParameter(SAML2Constants.NAMEID_POLICY_FORMAT);
4d1373ab409b4f731e42113cb1137ae3fdedeb4and String relayState = SAML2Utils.getRelayState(request);
4d1373ab409b4f731e42113cb1137ae3fdedeb4and IDPSSOUtil.doSSOFederate(request, response, new PrintWriter(out, true), null, spEntityID, metaAlias,
4d1373ab409b4f731e42113cb1137ae3fdedeb4and nameIDFormat, relayState, saml2Auditor);
491856cfdee8ce7c5eb4d4886784713bebad2e80nd } catch (SAML2Exception sse) {
491856cfdee8ce7c5eb4d4886784713bebad2e80nd SAML2Utils.debug.error("Error processing request " , sse);
67c026fea89b4faf173772b5944b6aa006ca6eb0nd SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
491856cfdee8ce7c5eb4d4886784713bebad2e80nd "requestProcessingError",
67c026fea89b4faf173772b5944b6aa006ca6eb0nd SAML2Utils.bundle.getString("requestProcessingError") + " " +
67c026fea89b4faf173772b5944b6aa006ca6eb0nd saml2Auditor.auditAccessFailure(String.valueOf(response.SC_BAD_REQUEST),
491856cfdee8ce7c5eb4d4886784713bebad2e80nd SAML2Utils.bundle.getString("requestProcessingError"));
491856cfdee8ce7c5eb4d4886784713bebad2e80nd } catch (Exception e) {
67c026fea89b4faf173772b5944b6aa006ca6eb0nd SAML2Utils.debug.error("Error processing request ",e);
491856cfdee8ce7c5eb4d4886784713bebad2e80nd SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
67c026fea89b4faf173772b5944b6aa006ca6eb0nd "requestProcessingError",
491856cfdee8ce7c5eb4d4886784713bebad2e80nd SAML2Utils.bundle.getString("requestProcessingError") + " " +
491856cfdee8ce7c5eb4d4886784713bebad2e80nd saml2Auditor.auditAccessFailure(String.valueOf(response.SC_BAD_REQUEST),
67c026fea89b4faf173772b5944b6aa006ca6eb0nd SAML2Utils.bundle.getString("requestProcessingError"));