<%--
 DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.

 Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved

 The contents of this file are subject to the terms
 of the Common Development and Distribution License
 (the License). You may not use this file except in
 compliance with the License.

 You can obtain a copy of the License at
 https://opensso.dev.java.net/public/CDDLv1.0.html or
 opensso/legal/CDDLv1.0.txt
 See the License for the specific language governing
 permission and limitations under the License.

 When distributing Covered Code, include this CDDL
 Header Notice in each file and include the License file
 at opensso/legal/CDDLv1.0.txt.
 If applicable, add the following below the CDDL Header,
 with the fields enclosed by brackets [] replaced by
 your own identifying information:
 "Portions Copyrighted [year] [name of copyright owner]"

 $Id: spAssertionConsumer.jsp,v 1.17 2010/01/23 00:07:06 exu Exp $

 Portions Copyrighted 2012-2015 ForgeRock AS.
--%>
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen<%@page
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen import="com.sun.identity.federation.common.FSUtils,
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen com.sun.identity.plugin.session.SessionException,
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen com.sun.identity.saml.common.SAMLUtils,
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen com.sun.identity.saml2.assertion.Assertion,
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen com.sun.identity.saml2.assertion.Subject,
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen com.sun.identity.saml2.common.SAML2Constants,
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen com.sun.identity.saml2.common.SAML2Exception,
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen com.sun.identity.saml2.common.SAML2FailoverUtils,
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen com.sun.identity.saml2.common.SAML2Utils,
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen com.sun.identity.saml2.meta.SAML2MetaException,
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen com.sun.identity.saml2.meta.SAML2MetaManager,
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen com.sun.identity.saml2.meta.SAML2MetaUtils,
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen com.sun.identity.saml2.profile.ResponseInfo,
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen com.sun.identity.saml2.profile.SPACSUtils"
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen %>
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen<%@ page import="com.sun.identity.saml2.profile.SPCache" %>
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen<%@ page import="java.io.IOException" %>
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen<%@ page import="java.util.Map" %>
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen<%@ page import="java.util.UUID" %>
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen<%@ page import="org.forgerock.openam.authentication.modules.saml2.SAML2Proxy" %>
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen<%@ page import="org.forgerock.openam.authentication.modules.saml2.SAML2ResponseData" %>
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen<%@ page import="org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException" %>
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen<%@ page import="org.forgerock.openam.saml2.SAML2Store" %>
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen<html>
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen<head>
9a02317c852face76737763fa6ec43b444688de5Timo Sirainen <title>SP Authenticator Assertion Consumer Service</title>
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen</head>
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen<%!
/**
 * Produces the opaque handle under which a verified SAML response is parked
 * before the browser posts it back to the authentication module.
 *
 * Per the JDK Javadoc, {@code UUID.randomUUID()} is backed by a
 * cryptographically strong PRNG, so the handle cannot be predicted by a
 * client that did not receive it. The handle is the only thing that leaves
 * this page in the forward form, which is why its unguessability matters.
 *
 * @return the 36-character canonical string form of a fresh random UUID
 */
private String generateKey() {
    final UUID handle = UUID.randomUUID();
    return handle.toString();
}
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen
/**
 * Assertion Consumer Service entry point for the SAML2 authentication module.
 *
 * Pulls the SAML Response off the request, verifies it against the hosted SP
 * metadata, stores the verified subject/assertion/session-index under a fresh
 * random key, and returns the HTML form (built by {@code SAML2Proxy.toPostForm})
 * that carries that key onward. Every failure short-circuits with an error form
 * from {@code SAML2Proxy.toPostWithErrorForm} instead of throwing.
 *
 * Security notes for maintainers:
 * - Nothing is persisted until {@code SAML2Utils.verifyResponse} has succeeded;
 *   keep it that way — the store/forward step below is the trust boundary's
 *   downstream side.
 * - Several error branches forward the SAML exception's localized message into
 *   the client-bound form. Whether that text is HTML-encoded is decided inside
 *   {@code SAML2Proxy}, which is not visible here — confirm before relying on it.
 * - None of the error branches write an audit/debug log (the "logging?" markers
 *   are the original author's). Failed ACS attempts are therefore invisible to
 *   SIEM from this page; the helpers may log on their own, but that is not
 *   established here.
 *
 * @param request  the inbound ACS request (HTTP-POST or -Artifact binding,
 *                 as decided by {@code SPACSUtils.getResponse})
 * @param response the servlet response; passed through to the helpers, which
 *                 may set cookies or redirect
 * @return HTML form markup to be written into the page body
 * @throws IOException      propagated from the helpers
 * @throws SessionException propagated from the helpers
 * @throws SAML2Exception   propagated from the helpers
 */
private String getForwardForm(HttpServletRequest request, HttpServletResponse response)
throws IOException, SessionException, SAML2Exception {

    // Defensive: both containers are required by every helper below.
    if ((request == null) || (response == null)) {
        // NOTE(review): no audit log on this path (original marker: "logging?").
        return SAML2Proxy.toPostWithErrorForm(request, SAML2Proxy.BAD_REQUEST);
    }

    // Request-size gate; a ServletException from the check is treated as a
    // client error. Presumably this bounds the body that the SAML parser will
    // see — the limit itself lives in SAMLUtils, not here.
    try {
        SAMLUtils.checkHTTPContentLength(request);
    } catch (ServletException se) {
        // NOTE(review): no audit log on this path (original marker: "logging?").
        return SAML2Proxy.toPostWithErrorForm(request, SAML2Proxy.BAD_REQUEST);
    }

    // Load-balancer stickiness: if the LB cookie is missing, FSUtils handles the
    // redirect (third argument false) and this page answers with an error form.
    if (FSUtils.needSetLBCookieAndRedirect(request, response, false)) {
        // NOTE(review): no audit log on this path (original marker: "logging?").
        return SAML2Proxy.toPostWithErrorForm(request, SAML2Proxy.MISSING_COOKIE);
    }

    // Resolve the hosted SP entity and realm from the URL this page was hit on.
    // getRequestURL() is reconstructed from the Host header, so the metaAlias is
    // attacker-influenced; the lookup fails closed below when it does not map to
    // a configured entity.
    String requestURL = request.getRequestURL().toString();
    String metaAlias = SAML2MetaUtils.getMetaAliasByUri(requestURL);
    SAML2MetaManager metaManager = SAML2Utils.getSAML2MetaManager();
    String hostEntityId;

    if (metaManager == null) {
        // NOTE(review): no audit log on this path (original marker: "logging?").
        return SAML2Proxy.toPostWithErrorForm(request, SAML2Proxy.MISSING_META_MANAGER);
    }

    // An unknown metaAlias yields a null entity id; it is converted into the
    // same SAML2MetaException path as a metadata lookup failure.
    try {
        hostEntityId = metaManager.getEntityByMetaAlias(metaAlias);
        if (hostEntityId == null ){
            throw new SAML2MetaException("Caught Instantly");
        }
    } catch (SAML2MetaException sme) {
        // NOTE(review): no audit log on this path (original marker: "logging?").
        return SAML2Proxy.toPostWithErrorForm(request, SAML2Proxy.META_DATA_ERROR); // configuration problem ?
    }

    String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);

    // Top-level realm when the alias carries none.
    if (realm == null || realm.length() == 0) {
        realm = "/";
    }

    // Extract the SAML Response (and its binding) from the request. The
    // exception's localized message is forwarded into the error form — see the
    // encoding caveat in the method comment.
    ResponseInfo respInfo;
    try {
        respInfo = SPACSUtils.getResponse(request, response, realm, hostEntityId, metaManager);
    } catch (SAML2Exception se) {
        // NOTE(review): no audit log on this path (original marker: "logging?").
        return SAML2Proxy.toPostWithErrorForm(request, SAML2Proxy.SAML_GET_RESPONSE_ERROR,
        se.getL10NMessage(request.getLocale()));
    }

    // Trust boundary: signature/condition/binding checks happen inside
    // verifyResponse. Only data returned from it is persisted below.
    Map smap;
    try {
        // check Response/Assertion and get back a Map of relevant data
        smap = SAML2Utils.verifyResponse(request, response, respInfo.getResponse(), realm, hostEntityId,
        respInfo.getProfileBinding());
    } catch (SAML2Exception se) {
        // NOTE(review): no audit log on this path (original marker: "logging?").
        return SAML2Proxy.toPostWithErrorForm(request, SAML2Proxy.SAML_VERIFY_RESPONSE_ERROR,
        se.getL10NMessage(request.getLocale()));
    }
    // Fresh random handle, generated only after verification succeeded.
    String key = generateKey();

    //survival time is one hour
    // NOTE(review): the "one hour" above is not established here. In the
    // failover branch the lifetime is SPCache.interval seconds; in the local
    // SAML2Store branch no expiry is passed at all — confirm the store applies
    // its own TTL, otherwise verified assertions linger under a reusable key.

    SAML2ResponseData data = new SAML2ResponseData((String) smap.get(SAML2Constants.SESSION_INDEX),
    (Subject) smap.get(SAML2Constants.SUBJECT),
    (Assertion) smap.get(SAML2Constants.POST_ASSERTION));

    // Persist under the key: shared token repository when SAML2 failover is
    // on (survives node loss), otherwise the node-local SAML2Store.
    if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
        try {
            long sessionExpireTime = System.currentTimeMillis() / 1000 + SPCache.interval; //counted in seconds
            SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(key, data ,sessionExpireTime);
        } catch (SAML2TokenRepositoryException e) {
            // NOTE(review): this fires on a repository write failure, not on
            // failover being disabled, despite the constant's name. No audit
            // log on this path either (original marker: "logging?").
            return SAML2Proxy.toPostWithErrorForm(request, SAML2Proxy.SAML_FAILOVER_DISABLED_ERROR);
        }
    } else {
        SAML2Store.saveTokenWithKey(key, data);
    }

    // Only the handle travels to the client; the verified assertion stays
    // server-side under that handle.
    return SAML2Proxy.toPostForm(request, key);

}
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen%>
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen<body>
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen<%= getForwardForm(request, response)%>
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen</body>
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen</html>
1ac7c8e9040e0d0b7e9f849e45b94bfe919595a9Timo Sirainen