a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: FederationSPAdapter.java,v 1.4 2008/06/25 05:46:50 qcheng Exp $
f948ca04a28ccfeed9633bf4b0fb0d2c59c37478David Luna * Portions Copyrighted 2014 ForgeRock AS
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.common.FederationException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.message.FSAuthnRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.message.FSAuthnResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.message.FSFederationTerminationNotification;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.message.FSLogoutNotification;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.message.FSLogoutResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.message.FSNameRegistrationRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.message.FSNameRegistrationResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.message.FSResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The interface <code>FederationSPAdapter</code> could be implemented to
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * perform user specific processing during federation process on the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Liberty Service Provider side.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * A singleton instance of this <code>FederationSPAdapter</code> will be used
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * during runtime (i.e. shared by all concurrent requests), so make sure the implementations
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the federation processing methods (except the initialize() method) are thread safe.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @supported.all.api
f948ca04a28ccfeed9633bf4b0fb0d2c59c37478David Luna * @deprecated since 12.0.0
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Federation or Single Sign on process succeed at <code>SP</code> side.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Response from <code>IDP</code> with Browser POST or LECP profile contains
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * non-Success status code.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final int INVALID_AUTHN_RESPONSE = 1;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Response from <code>IDP</code> with Browser Artifact profile contains
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * non-Success status code.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Account federation failed.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Account federation failed because it failed to generate user token.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final int FEDERATION_FAILED_SSO_TOKEN_GENERATION = 4;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Account federation failed because it failed to generate anonymous
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final int FEDERATION_FAILED_ANON_TOKEN_GENERATION = 5;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Account federation failed because anonymous user account is inactive.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final int FEDERATION_FAILED_ANON_AUTH_USER_INACTIVE = 6;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Account federation failed because anonymous user account is locked.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final int FEDERATION_FAILED_ANON_AUTH_USER_LOCKED = 7;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Account federation failed because anonymous user account is expired.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final int FEDERATION_FAILED_ANON_AUTH_ACCOUNT_EXPIRED = 8;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Account federation failed because it failed to write account federation
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final int FEDERATION_FAILED_WRITING_ACCOUNT_INFO = 9;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Single Sign On failed.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Single Sign On failed because federation info does not exist at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SP</code> side.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final int SSO_FAILED_FEDERATION_DOESNOT_EXIST = 11;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Single Sign On failed because it failed to find auto federation user.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final int SSO_FAILED_AUTO_FED = 12;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Single Sign On failed because the user account is inactive.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final int SSO_FAILED_AUTH_USER_INACTIVE = 13;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Single Sign On failed because the user account is locked.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final int SSO_FAILED_AUTH_USER_LOCKED = 14;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Single Sign On failed because the user account is expired.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final int SSO_FAILED_AUTH_ACCOUNT_EXPIRED = 15;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Single Sign On failed because it failed to generate user token.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final int SSO_FAILED_TOKEN_GENERATION = 16;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Adapter's initialization parameter name for realm.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final String ENV_REALM = "REALM=";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Initializes the federation adapter; this method is executed only once,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * after the adapter instance has been created.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostedEntityID entity ID for the hosted SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param initParams initial set of parameters (such as REALM) configured
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * in the service provider for this adapter.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public void initialize(String hostedEntityID, Set initParams);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Invoked before the federation manager sends the Single-Sign-On and Federation
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * request to the IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostedEntityID entity ID for the hosted SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idpEntityID entity id for the IDP to which the request will
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request servlet request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response servlet response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnRequest the authentication request to be sent to the IDP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Invoked when the FM receives the Single-Sign-On and Federation response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * from the IDP; this is called before any processing has started on the SP side.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostedEntityID entity ID for the hosted SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request servlet request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response servlet response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnRequest the original authentication request sent from SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnResponse response from IDP if Browser POST or LECP profile
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * is used for the request, value will be null if Browser Artifact
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * profile is used.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param samlResponse response from IDP if Browser Artifact profile is used
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * for the request, value will be null if Browser POST or LECP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * profile is used.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception FederationException if the user wants to fail the process.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Invoked after Single-Sign-On and Federation processing is successful.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostedEntityID Entity ID for the hosted SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request servlet request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response servlet response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param ssoToken user's SSO Token
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnRequest the original authentication request sent from SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnResponse response from IDP if Browser POST or LECP profile
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * is used for the request, value will be null if Browser Artifact
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * profile is used.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param samlResponse response from IDP if Browser Artifact profile is used
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * for the request, value will be null if Browser POST or LECP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * profile is used.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if browser redirection happened, false otherwise.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception FederationException if the user wants to fail the process.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Invoked after Single-Sign-On or Federation processing has failed.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostedEntityID Entity ID for the hosted SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request servlet request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response servlet response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnRequest the original authentication request sent from SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnResponse response from IDP if Browser POST or LECP profile
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * is used for the request, value will be null if Browser Artifact
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * profile is used.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param samlResponse response from IDP if Browser Artifact profile is used
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * for the request, value will be null if Browser POST or LECP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * profile is used.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param failureCode an integer specifying the failure code. Possible
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * failure codes are defined in this interface.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if browser redirection happened, false otherwise.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public boolean postSSOFederationFailure(String hostedEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Invoked after Register Name Identifier processing is successful
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostedEntityID Entity ID for the hosted SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request servlet request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response servlet response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param userDN DN of the user with whom name identifier registration
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param regRequest register name identifier request, value will be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * null if the request object is not available
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param regResponse register name identifier response, value will be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * null if the response object is not available
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param regProfile register name identifier profile used, one of the following:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * IFSConstants.NAME_REGISTRATION_SP_HTTP_PROFILE
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * IFSConstants.NAME_REGISTRATION_SP_SOAP_PROFILE
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * IFSConstants.NAME_REGISTRATION_IDP_HTTP_PROFILE
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * IFSConstants.NAME_REGISTRATION_IDP_SOAP_PROFILE
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Invoked after the service provider successfully terminates federation
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostedEntityID Entity ID for the hosted SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request servlet request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response servlet response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param userDN DN of the user with whom name identifier registration
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param notification federation termination notification message
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param termProfile federation termination profile used, one of the following:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * IFSConstants.TERMINATION_SP_HTTP_PROFILE
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * IFSConstants.TERMINATION_SP_SOAP_PROFILE
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * IFSConstants.TERMINATION_IDP_HTTP_PROFILE
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * IFSConstants.TERMINATION_IDP_SOAP_PROFILE
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public void postTerminationNotificationSuccess(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSFederationTerminationNotification notification,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Invoked before the single logout process starts on the FM side. This method
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * is called before the user token is invalidated on the service provider
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostedEntityID Entity ID for the hosted SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request servlet request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response servlet response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param userDN user DN
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param logoutRequest single logout request object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param logoutResponse single logout response, value will be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * null if the response object is not available
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param sloProfile single logout profile used, one of the following:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * IFSConstants.LOGOUT_SP_REDIRECT_PROFILE
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * IFSConstants.LOGOUT_SP_SOAP_PROFILE
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * IFSConstants.LOGOUT_IDP_REDIRECT_PROFILE
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * IFSConstants.LOGOUT_IDP_SOAP_PROFILE
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Invoked after single logout has completed successfully, i.e. the user token
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * has been invalidated.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostedEntityID Entity ID for the hosted SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request servlet request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response servlet response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param userDN user DN
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param logoutRequest single logout request, value will be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * null if the request object is not available
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param logoutResponse single logout response, value will be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * null if the response object is not available
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param sloProfile single logout profile used, one of the following:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * IFSConstants.LOGOUT_SP_HTTP_PROFILE
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * IFSConstants.LOGOUT_SP_SOAP_PROFILE
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * IFSConstants.LOGOUT_IDP_HTTP_PROFILE
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * IFSConstants.LOGOUT_IDP_SOAP_PROFILE