a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: FSAssertionArtifactHandler.java,v 1.14 2009/11/03 00:49:49 madan_ranganath Exp $
6cf99bcf5206a0fcc9dd9296fc46ac28c3fe8adePeter Major * Portions Copyrighted 2015-2016 ForgeRock AS.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterpackage com.sun.identity.federation.services.fednsso;
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpottsimport static org.forgerock.openam.utils.Time.*;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.common.PeriodicGroupRunnable;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.common.ScheduleableGroupAction;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.common.SystemConfigurationUtil;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.accountmgmt.FSAccountFedInfo;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.accountmgmt.FSAccountFedInfoKey;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.accountmgmt.FSAccountManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.accountmgmt.FSAccountMgmtException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.common.FSException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.common.FSUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.common.IFSConstants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.common.LogUtil;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.jaxb.entityconfig.BaseConfigType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.message.FSAssertion;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.message.FSAuthenticationStatement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.message.FSAuthnRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.message.FSAuthnResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.message.FSResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.message.FSSubject;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.message.common.AuthnContext;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.meta.IDFFMetaException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.meta.IDFFMetaManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.meta.IDFFMetaUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.plugins.FederationSPAdapter;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.services.FSSPAuthenticationContextInfo;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.services.FSAttributeMapper;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.services.FSRealmAttributeMapper;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.services.FSServiceManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.services.FSSession;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.services.FSSessionManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.services.FSSessionPartner;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.services.logout.FSTokenListener;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.services.registration.FSNameRegistrationHandler;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.services.util.FSServiceUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.meta.jaxb.IDPDescriptorType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.meta.jaxb.SPDescriptorType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.Attribute;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.AttributeStatement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.AudienceRestrictionCondition;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.Conditions;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.NameIdentifier;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.Statement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.SubjectConfirmation;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.common.SAMLConstants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.common.SAMLException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.common.SAMLResponderException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.common.SAMLServiceManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.servlet.POSTCleanUpRunnable;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.xmlsig.XMLSignatureManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.encode.CookieUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Handler that runs on <code>SP</code> side to receive and process
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AuthnResponse</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private Date reAuthnOnOrAfterDate = null; // TODO: not used currently
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected IDPDescriptorType idpDescriptor = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected static Map idTimeMap = Collections.synchronizedMap(new HashMap());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected AttributeStatement bootStrapStatement = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected AttributeStatement _autoFedStatement = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected FSAuthnResponse authnResponse = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected List attrStatements = new ArrayList();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected static String ANONYMOUS_PRINCIPAL = "anonymous";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected FSAttributeMapper attributeMapper = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected FSRealmAttributeMapper realmAttributeMapper = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster long period = ((Integer) SAMLServiceManager.getAttribute(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.CLEANUP_INTERVAL_NAME)).intValue() * 1000;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster cGoThrough = new POSTCleanUpRunnable(period, idTimeMap);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster TimerPool timerPool = SystemTimerPool.getTimerPool();
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpotts timerPool.schedule(cGoThrough, new Date(((currentTimeMillis()
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ScheduleableGroupAction periodicAction = new ScheduleableGroupAction() {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster cPeriodic = new PeriodicGroupRunnable(periodicAction, period, 180000,
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpotts timerPool.schedule(cPeriodic, new Date(((currentTimeMillis() +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sets hosted SP entity ID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param entityId hosted SP's entity ID to be set
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sets hosted SP meta descriptor.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param desc SP's meta descriptor to be set.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @see #getHostEntityId()
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public void setHostDescriptor(SPDescriptorType desc) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sets hosted SP extended meta config.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param config SP's extended meta to be set.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public void setHostDescriptorConfig(BaseConfigType config) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sets hosted SP's meta alias.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param metaAlias SP's meta alias to be set
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets hosted SP's Entity ID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return hosted entity id.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @see #setHostEntityId(String)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets the realm under which the entity resides.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the realm under which the entity resides.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @see #setRealm(String)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sets the realm under which the entity resides.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm The realm under which the entity resides.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @see #getRealm()
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets <code>FSAuthnRequest</code> object.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>FSAuthnRequest</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @see #setAuthnRequest(FSAuthnRequest)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sets <code>FSAuthnRequest</code> object.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnRequest <code>FSAuthnRequest</code> object to be set.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @see #getAuthnRequest()
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public void setAuthnRequest(FSAuthnRequest authnRequest) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Default constructor.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Constructs a <code>FSAssertionArtifactHandler</code> object.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request <code>HttpServletRequest</code> object.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response <code>HttpServletResponse</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idpDescriptor <code>IDP</code> provider descriptor
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idpEntityId entity ID of the <code>IDP</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param doFederate a flag indicating if it is a federation request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param nameIDPolicy <code>nameIDPolicy</code> used
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param relayState <code>RelayState</code> url
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Constructs a <code>FSAssertionArtifactHandler</code> object.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request <code>HttpServletRequest</code> object.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response <code>HttpServletResponse</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idpDescriptor <code>IDP</code> provider descriptor
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idpEntityId entity ID of the <code>IDP</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnRequest <code>FSAuthnRequest</code> from soap
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param doFederate a flag indicating if it is a federation request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param relayState <code>RelayState</code> url
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster this.nameIDPolicy = authnRequest.getNameIDPolicy();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Processes <code>FSAuthnResponse</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnResponse <code>FSAuthnResponse</code> objec to be processed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public void processAuthnResponse(FSAuthnResponse authnResponse) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.ProcessAuthnResponse: Called");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Call SP adapter SPI
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FederationSPAdapter spAdapter = FSServiceUtils.getSPAdapter(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler, POST"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " Invokde spAdapter.preSSOFederationProcess");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spAdapter.preSSOFederationProcess(hostEntityId,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster request, response, authnRequest, authnResponse, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // log run time exception in Adapter
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // implementation, continue
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " SPAdapter.preSSOFederationSuccess", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String baseURL = FSServiceUtils.getBaseURL(request);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String framedLoginPageURL = FSServiceUtils.getCommonLoginPageURL(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster this.relayState = authnRequest.getRelayState();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((this.relayState == null) || (this.relayState.trim().length() == 0))
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDFFMetaUtils.getFirstAttributeValueFromConfig(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster hostConfig, IFSConstants.PROVIDER_HOME_PAGE_URL);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster { FSUtils.bundle.getString("missingAuthnResponse") };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO,LogUtil.MISSING_AUTHN_RESPONSE,data,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnResponse: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + FSUtils.bundle.getString("missingAuthnResponse")
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " AuthnRequest Processing Failed at the IDP "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Redirecting to the Framed Login Page");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.doPost:Received " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean valid = verifyResponseStatus(authnResponse);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // clean request map
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String inResponseTo = authnResponse.getInResponseTo();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionManager.removeAuthnRequest(inResponseTo);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO,LogUtil.INVALID_AUTHN_RESPONSE,data,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.warning("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " processAuthnResponse: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " AuthnRequest Processing Failed at the IDP"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " Redirecting to the Framed Login Page");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((spAdapter == null) || !(spAdapter.postSSOFederationFailure(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check Assertion
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List assertions = authnResponse.getAssertion();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSSubject validSubject =(FSSubject)validateAssertions(assertions);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { FSUtils.bundle.getString("invalidAssertion")};
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO,LogUtil.INVALID_ASSERTION,data,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnResponse: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " AuthnRequest Processing Failed at the IDP"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " Redirecting to the Framed Login Page");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler." +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "processAuthnResponse: Initiate Account Federation");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameIdentifier ni = validSubject.getIDPProvidedNameIdentifier();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.processAuthnResponse:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " IDPProvided NameIdentifier is null");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (returnCode == FederationSPAdapter.SUCCESS) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnResponse: Account federation"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " successful");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String inResponseTo = authnResponse.getInResponseTo();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionManager.removeAuthnRequest(inResponseTo);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionManager.removeLocalSessionToken(inResponseTo);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "AccountFederationFailed")};
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnResponse: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("AccountFederationFailed")
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " AuthnRequest Processing Failed at the IDP"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " Redirecting to the Framed Login Page");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new FSException("missingNIofSubject", null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnResponse: Initiate SingleSign-On");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //check for SPProvidedNameIdentifier
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameIdentifier ni = validSubject.getNameIdentifier();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.processAuthnResponse:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " IDPProvided NameIdentifier is null");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster { FSUtils.bundle.getString("invalidResponse")};
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.INFO,LogUtil.INVALID_AUTHN_RESPONSE, data,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " processAuthnResponse: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " AuthnRequest Processing Failed at the IDP"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " Redirecting to the Framed Login Page");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((idpHandle == null) || (spHandle == null)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster { FSUtils.bundle.getString("invalidResponse")};
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.INFO,LogUtil.INVALID_AUTHN_RESPONSE,data,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnResponse: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " AuthnRequest Processing Failed at the IDP"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " Redirecting to the Framed Login Page");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster handleType = IFSConstants.REMOTE_OPAQUE_HANDLE;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster env.put(IFSConstants.FS_USER_PROVIDER_ENV_AUTHNRESPONSE_KEY,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (returnCode == FederationSPAdapter.SUCCESS){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnResponse: Accountfederation successful");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String requestID = authnResponse.getInResponseTo();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.INFO,LogUtil.ACCESS_GRANTED_REDIRECT_TO, data,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "ArtifactHandler.notfederated, postSSO");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler,"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " Invoke spAdapter.postSSOFederationSuccess");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // return if the SP spi redirection happened
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // log run time exception in Adapter
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // implementation, continue
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifadctHandler"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " SPAdapter.postSSOFederationSuccess:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { FSUtils.bundle.getString("SSOfailed") };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO,LogUtil.SINGLE_SIGNON_FAILED,data,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnResponse: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " AuthnRequest Processing Failed at the IDP"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " Redirecting to the Framed Login Page");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authnRequest, authnResponse, null, returnCode))
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnResponse: Exception Occured: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnResponse: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " AuthnRequest Processing Failed at the IDP"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " Redirecting to the Framed Login Page");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnResponse: IOException Occured: ", ioe);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected boolean verifyResponseStatus(Response resp) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.verifyResponseStatus: Called");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check status of the AuthnResponse
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!resp.getStatus().getStatusCode().getValue().endsWith(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.warning("FSAssertionArtifactHandler.verifyResponse: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Incorrect StatusCode value.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler.verifyResponse: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "StatusCode value verified.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return true;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected Subject validateAssertions(List assertions) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.validateAssertions: Called");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // loop to check assertions
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //check for valid AuthnRequest correspondence
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "validateAssertion:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " assertion does not correspond to any valid request");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "validateAssertion:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " assertion signature verification failed");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "validateAssertion: Assertion signature verified");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // make sure it's not being used
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.validateAssertion: Assertion: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check issuer of the assertions
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "validateAssertion: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Assertion issuer is not the entity where "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "AuthnRequest was sent originally.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "validateAssertion: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "validateAssertion:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " Assertion issuer is not on the trust list");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "validateAssertion: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Assertion issuer is not on the trust list");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // must be valid(timewise)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.validateAssertion:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " Assertion's time is not valid.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // TODO: IssuerInstant of the assertion is within a few minutes
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // This is a MAY in spec. Which number to use for the few minutes?
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // if present, target of the assertions must == local server IP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "validateAssertion: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "assertion is not issued for this site.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //for each assertion, loop to check each statement
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean authnStatementFound = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster stmtIter = assertion.getStatement().iterator();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (stmtType == Statement.AUTHENTICATION_STATEMENT) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "validateAssertion: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "validating AuthenticationStatement:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "validateAssertion: Exception. "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Invalid AuthenticationStatement: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //check ReauthenticateOnOrAfter
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //process SessionIndex
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster idpSessionIndex = authStatement.getSessionIndex();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authnContextStmt = authStatement.getAuthnContext();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster subject =(FSSubject)authStatement.getSubject();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "validateAssertion: Subject is null");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "validateAssertion: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "found Authentication Statement. "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Subject = "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "validateAssertion: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " Exception. Invalid subject: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // ConfirmationMethod of each subject must be set to
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "validateAssertion: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "missing or extra ConfirmationMethod.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (String)confMethods.iterator().next()) == null) ||
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.CONFIRMATION_METHOD_ARTIFACT)) ||
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "validateAssertion: wrong "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "ConfirmationMethod");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "validateAssertion: Confirmation method: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (stmtType == Statement.ATTRIBUTE_STATEMENT) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!checkForAttributeStatement(attrStatement)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "validateAssertion: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "No Authentication statement found in the Assertion. "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "User is not authenticated by the IDP");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "validateAssertion: Adding "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " to idTimeMap.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // add the assertion to idTimeMap
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((date = conds.getNotOnorAfter()) != null) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster idTimeMap.put(aIDString, new Long(date.getTime()));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // it doesn't matter what we store for the value.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster securityAssertions = assertion.getDiscoveryCredential();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " couldn't find Subject.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Checks the attribute statement for boot strap statement or auto fed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * attribute statement.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param attrStatement AttributeStatement.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if the <code>AttributeStatement</code> is of type
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * discovery boot strap or the auto federation statement.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List attributes = attrStatement.getAttribute();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (attributes == null || attributes.size() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return true;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler.checkFor" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (attrValue != null && attrValue.size() != 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster _autoFedValue = XMLUtils.getElementValue(elem);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String enabledStr = IDFFMetaUtils.getFirstAttributeValueFromConfig(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster hostConfig, IFSConstants.ENABLE_AUTO_FEDERATION);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (enabledStr != null && enabledStr.equalsIgnoreCase("true") &&
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDFFMetaUtils.getFirstAttributeValueFromConfig(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster hostConfig, IFSConstants.AUTO_FEDERATION_ATTRIBUTE),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return true;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected boolean verifyAssertionSignature(FSAssertion assertion) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.verifyAssertionSignature: Called");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "verifyAssertionSignature: Assertion is not signed");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster X509Certificate cert = KeyUtil.getVerificationCert(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "verifyAssertionSignature: couldn't obtain "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "this site's cert.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString(IFSConstants.NO_CERT));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster XMLSignatureManager manager = XMLSignatureManager.getInstance();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHander." +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "verifyAssertionSignature: xml string to be verified:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authnResponse.getDOMElement().getOwnerDocument()));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authnResponse.getDOMElement().getOwnerDocument(),cert);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHander." +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "verifyAssertionSignature: xml string to be verified:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster XMLUtils.print((Node) samlResponseElt.getOwnerDocument()));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "verifyAssertionSignature: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Exception occured while verifying IDP's signature:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected boolean forThisServer(Conditions conds) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.forThisServer: Called");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return true;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Set targetConds = conds.getAudienceRestrictionCondition();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((targetConds == null) ||(targetConds.isEmpty())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return true;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean forThis = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AudienceRestrictionCondition targetCond = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster targetCond =(AudienceRestrictionCondition) tcIter.next();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (targetCond.containsAudience(hostEntityId)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "forThisServer: Assertion is validated to be"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "for this server");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.generateToken: Called");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "generateToken: Invalid userDN input");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((nameSpace == null) || (nameSpace.length() == 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "generateToken: Trying to get userDN for opaqueHandle= "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " ,securityDomain= "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " And HandleType="
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String affiliationID = authnRequest.getAffiliationID();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSAccountManager accountManager = FSAccountManager.getInstance(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String userID = accountManager.getUserID(fedKey, realm, env);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (niIdp != null && nameSpace.equals(affiliationID)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster fedKey = new FSAccountFedInfoKey(affiliationID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster userID = accountManager.getUserID(fedKey, realm, env);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster fedKey = new FSAccountFedInfoKey(nameSpace, name);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.generateToken: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Can't dereference handle. fedKey=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Check if there is any 6.2 format?
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSAccountFedInfoKey oldKey = new FSAccountFedInfoKey(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster userID = accountManager.getUserID(oldKey, realm, env);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (fedInfo != null && fedInfo.isFedStatusActive()){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // rewrite it.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler." +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "generateToken: Can't dereference handle.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDFFMetaUtils.getFirstAttributeValueFromConfig(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler. " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "generateToken:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Can't dereference handle.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler." +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "generateToken: Can't dereference handle.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler." +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "generateToken: Can't dereference handle.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.generateToken: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "User's account is not federated, id=" + userID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FederationSPAdapter.SSO_FAILED_FEDERATION_DOESNOT_EXIST;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //get AuthnLevel from authnContext
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSServiceUtils.getSPAuthContextInfo(hostConfig);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authnContextStmt.getAuthnContextClassRef() != null &&
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authnContextStmt.getAuthnContextClassRef().length() != 0)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "generateToken: AuthnContextClassRef "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "found in AuthenticationStatement:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSSPAuthenticationContextInfo authnContextInfo =
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (FSSPAuthenticationContextInfo)authnContextInfoMap
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authnLevel = authnContextInfo.getAuthenticationLevel();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "generateToken: Could not find "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "AuthnContextClassInfo for authnContextClassRef: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Using default authnContextClass");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.generateToken: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Could not find AuthnContextClassRef in the " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "AuthenticationStatement. Using default authnContextClass");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDFFMetaUtils.getFirstAttributeValueFromConfig(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster hostConfig, IFSConstants.DEFAULT_AUTHNCONTEXT);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSSPAuthenticationContextInfo authnContextInfo =
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (FSSPAuthenticationContextInfo)authnContextInfoMap
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authnLevel = authnContextInfo.getAuthenticationLevel();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "generateToken: Could not find authentication level "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "for default authentication context class");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster valueMap.put(SessionProvider.PRINCIPAL_NAME, userID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SessionProvider.AUTH_LEVEL, String.valueOf(authnLevel));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster valueMap.put(SessionProvider.AUTH_INSTANT, getAuthInstant());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //valueMap.put("resourceOffering",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //valueMap.put("securityToken",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SessionProvider sessionProvider = SessionManager.getProvider();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler.generateToken:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (failureCode == SessionException.AUTH_USER_INACTIVE) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FederationSPAdapter.SSO_FAILED_AUTH_USER_INACTIVE;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (failureCode == SessionException.AUTH_USER_LOCKED) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FederationSPAdapter.SSO_FAILED_AUTH_USER_LOCKED;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (failureCode == SessionException.AUTH_ACCOUNT_EXPIRED)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FederationSPAdapter.SSO_FAILED_AUTH_ACCOUNT_EXPIRED;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ssoSession, new FSTokenListener(hostMetaAlias));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.generateToken:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Couldn't add listener to session:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String value = sessionProvider.getSessionID(ssoSession);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //Set fed cookie
6cf99bcf5206a0fcc9dd9296fc46ac28c3fe8adePeter Major String fedCookieName = SystemConfigurationUtil.getProperty(IFSConstants.FEDERATE_COOKIE_NAME);
6cf99bcf5206a0fcc9dd9296fc46ac28c3fe8adePeter Major for (String domain : SystemConfigurationUtil.getCookieDomainsForRequest(request)) {
6cf99bcf5206a0fcc9dd9296fc46ac28c3fe8adePeter Major CookieUtils.addCookieToResponse(response, CookieUtils.newCookie(fedCookieName, fedCookieValue,
6cf99bcf5206a0fcc9dd9296fc46ac28c3fe8adePeter Major IFSConstants.PERSISTENT_COOKIE_AGE, "/", domain));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //keep local session ref
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSSession session = sessionManager.getSession(userID, value);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "generateToken: An Existing session found for userID:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " Adding partner to the Session");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster session.addSessionPartner(new FSSessionPartner(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "generateToken: No existing session found for userID:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " Creating a new Session");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster session.addSessionPartner(new FSSessionPartner(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // keep authncontext in FSSession.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // keep the attr statement in FSSession.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster session.setBootStrapAttributeStatement(bootStrapStatement);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster session.setAutoFedStatement(_autoFedStatement);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster session.setAttributeStatements(attrStatements);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster attributeMap = realmAttributeMapper.getAttributes(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler." +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "generateToken: Attribute map :" + attributeMap);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster session.setBootStrapCredential(securityAssertions);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler.generateToken: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Exception Occured ", e );
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.doSingleSignOn: Called");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster int returnCode = generateToken(ni, handleType, niIdp, env);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (returnCode != FederationSPAdapter.SUCCESS) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster { FSUtils.bundle.getString("failGenerateSSOToken") };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO,LogUtil.FAILED_SSO_TOKEN_GENERATION, data,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected void redirectToResource(String resourceURL) throws FSException {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected int doAccountFederation(NameIdentifier ni) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.doAccountFederation:Called");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.doAccountFederation:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionProvider = SessionManager.getProvider();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.doAccountFederation: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster { FSUtils.bundle.getString("failGenerateSSOToken") };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO,LogUtil.FAILED_SSO_TOKEN_GENERATION, data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ssoToken = sessionProvider.getSession(request);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((ssoToken == null) ||(!sessionProvider.isValid(ssoToken))) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "doAccountFederation: couldn't obtain session from "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "cookie");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "doAccountFederation: exception when getting session "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "from cookie:");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // try URL rewriting
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String cookieRewriteEnabled = SystemConfigurationUtil.getProperty(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "com.sun.identity.cookieRewritingInPath", "false");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (Boolean.valueOf(cookieRewriteEnabled).booleanValue()
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster && ssoToken == null)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (Boolean.valueOf(cookieRewriteEnabled).booleanValue()
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster && (ssoToken == null)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionManager = FSSessionManager.getInstance(hostMetaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ssoToken = sessionManager.getLocalSessionToken(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authnRequest.getRequestID());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((ssoToken == null) ||(!sessionProvider.isValid(ssoToken))) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "doAccountFederation: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + FSUtils.bundle.getString("failGenerateSSOToken"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data =
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster { FSUtils.bundle.getString("failGenerateSSOToken") };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.INFO,LogUtil.FAILED_SSO_TOKEN_GENERATION, data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return FederationSPAdapter.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FEDERATION_FAILED_SSO_TOKEN_GENERATION;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster this.relayState = sessionProvider.rewriteURL(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ssoToken, this.relayState);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster request.setAttribute(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SystemConfigurationUtil.getProperty(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "com.iplanet.am.cookie.name"),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionProvider.getSessionID(ssoToken));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch (Exception ex) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "doAccountFederation: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + FSUtils.bundle.getString("failGenerateSSOToken"), ex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data =
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster { FSUtils.bundle.getString("failGenerateSSOToken") };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.INFO,LogUtil.FAILED_SSO_TOKEN_GENERATION, data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return FederationSPAdapter.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FEDERATION_FAILED_SSO_TOKEN_GENERATION;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (ssoToken == null && nameIDPolicy != null &&
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster nameIDPolicy.equals(IFSConstants.NAME_ID_POLICY_ONETIME))
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (failureCode == SessionException.AUTH_USER_INACTIVE) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (failureCode == SessionException.AUTH_USER_LOCKED) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (failureCode == SessionException.AUTH_ACCOUNT_EXPIRED)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.doAccountFederation:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Account federation failed. Invalid session");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return FederationSPAdapter.FEDERATION_FAILED_ANON_TOKEN_GENERATION;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String userID = sessionProvider.getPrincipalName(ssoToken);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((securityDomain == null) || (securityDomain.length() == 0)){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSAccountFedInfo accountInfo = new FSAccountFedInfo(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSAccountManager accountManager = FSAccountManager.getInstance(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String affiliationID = authnRequest.getAffiliationID();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster fedKey = new FSAccountFedInfoKey(affiliationID, opaqueHandle);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster fedKey = new FSAccountFedInfoKey(securityDomain, opaqueHandle);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster !nameIDPolicy.equals(IFSConstants.NAME_ID_POLICY_ONETIME))
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster accountManager.writeAccountFedInfo(userID, fedKey, accountInfo);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //keep local session ref
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionManager = FSSessionManager.getInstance(hostMetaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String sessionID = sessionProvider.getSessionID(ssoToken);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "doAccountFederation: No existing session found "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " for userID:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " Creating a new Session");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "doAccountFederation: An Existing session found"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "for userID:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " Adding partner to the Session");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster nameIDPolicy.equals(IFSConstants.NAME_ID_POLICY_ONETIME))
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDFFMetaUtils.getFirstAttributeValueFromConfig(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster hostConfig, IFSConstants.DEFAULT_AUTHNCONTEXT);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster session.setBootStrapAttributeStatement(bootStrapStatement);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster attributeMap = realmAttributeMapper.getAttributes(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler." +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "generateToken: Attribute map :" + attributeMap);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster session.setBootStrapCredential(securityAssertions);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.doAccountFederation:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + FSUtils.bundle.getString("ExceptionOccured") , ex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return FederationSPAdapter.FEDERATION_FAILED_WRITING_ACCOUNT_INFO;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.INFO,LogUtil.ACCESS_GRANTED_REDIRECT_TO,data,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //Set fed cookie
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster !nameIDPolicy.equals(IFSConstants.NAME_ID_POLICY_ONETIME))
6cf99bcf5206a0fcc9dd9296fc46ac28c3fe8adePeter Major String fedCookieName = SystemConfigurationUtil.getProperty(IFSConstants.FEDERATE_COOKIE_NAME);
6cf99bcf5206a0fcc9dd9296fc46ac28c3fe8adePeter Major for (String domain : SystemConfigurationUtil.getCookieDomainsForRequest(request)) {
6cf99bcf5206a0fcc9dd9296fc46ac28c3fe8adePeter Major CookieUtils.addCookieToResponse(response, CookieUtils.newCookie(fedCookieName, fedCookieValue,
6cf99bcf5206a0fcc9dd9296fc46ac28c3fe8adePeter Major IFSConstants.PERSISTENT_COOKIE_AGE, "/", domain));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //Name registration
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // comment it out for now as the spec doesn't mendate this.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get if need name registration from sp extended meta
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String indicator = IDFFMetaUtils.getFirstAttributeValueFromConfig(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster hostConfig, IFSConstants.ENABLE_REGISTRATION_AFTER_SSO);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (indicator != null && indicator.equalsIgnoreCase("true")) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSServiceManager serviceManager =
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSServiceManager.getInstance();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSNameRegistrationHandler handlerObj =
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster serviceManager.getNameRegistrationHandler(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster idpEntityId,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IFSConstants.IDP);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (handlerObj != null) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster handlerObj.setHostedDescriptor(hostDesc);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster handlerObj.setHostedDescriptorConfig(hostConfig);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster handlerObj.setHostedEntityId(hostEntityId);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster handlerObj.setMetaAlias(hostMetaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster handlerObj.setAccountInfo(accountInfo);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster handlerObj.handleRegistrationAfterFederation(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster this.relayState, response);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!FSServieUtils.isRegisProfileSOAP(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionProvider.getPrincipalName(ssoToken),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster idpEntityId,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster idpDescriptor,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster hostMetaAlias,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return FederationSPAdapter.SUCCESS;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } catch (SessionException se) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (FSUtils.debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("doAccountFederation: exception:", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Call SP adapter
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FederationSPAdapter spAdapter = FSServiceUtils.getSPAdapter(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authnRequest, authnResponse, (FSResponse)samlResponse))
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // return true if service provider SPI redirection happened
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // log run time exception in Adapter
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // implementation, continue
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " SPAdapter.postSSOFederationSuccess", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Generates an anonymous token for onetime case.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected Object generateAnonymousToken(HttpServletResponse response)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler.generateAnonymous");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster valueMap.put(SessionProvider.PRINCIPAL_NAME, ANONYMOUS_PRINCIPAL);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // default auth level to "0" for anonymous
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster valueMap.put(SessionProvider.AUTH_INSTANT, getAuthInstant());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SessionProvider sessionProvider = SessionManager.getProvider();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Object ssoSession = sessionProvider.createSession(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ssoSession, new FSTokenListener(hostMetaAlias));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.generateAnonymousToken:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Couldn't add listener to session:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.genAnonymousToken failed.", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.generateAnonymousToken failed.", ae);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected FSAuthnRequest getInResponseToRequest(String requestID) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSBrowserArtifactConsumerHandler.getInResponseToRequest: Called");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return authnRequest = sessionManager.getAuthnRequest(requestID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected String getProvider(String requestID) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.getProvider: Called");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return sessionManager.getIDPEntityID(requestID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sets <code>IDP</code> provider descriptor.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idpDescriptor identity provider descriptor.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public void setProviderDescriptor(IDPDescriptorType idpDescriptor) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sets <code>IDP</code> provider entity ID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idpEntityId identity provider entity id.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public void setProviderEntityId(String idpEntityId) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets <code>AuthInstant</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>AuthInstant</code> in UTC date format.
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpotts return DateUtils.toUTCDateFormat(newDate());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Checks if the proxying is enabled. It will be checking if the proxy
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * service provider descriptor is set in the session manager for the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * specific request ID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param requestID authentication request id which is created by the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * proxying IDP to the authenticating IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if the proxying is enabled.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected boolean isIDPProxyEnabled(String requestID) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return (sessionManager.getProxySPDescriptor(requestID) != null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sends the proxy authentication response to the proxying service
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * provider which has originally requested for the authentication.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param requestID authnRequest id that is sent to the authenticating
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Identity Provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected void sendProxyResponse(String requestID) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler.sendProxyResponse::");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionManager.getProxySPAuthnRequest(requestID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionHandler.sendProxyResponse:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionHandler.sendProxyResponse:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionManager.getProxySPDescriptor(requestID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String proxySPEntityId = origRequest.getProviderId();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler.sendProxyResponse"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + ":Original requesting service provider id:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSSession session = sessionManager.getSession(ssoToken);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String authnContext = authnContextStmt.getAuthnContextClassRef();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster session.addSessionPartner(new FSSessionPartner(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Iterator partners = session.getSessionPartners().iterator();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSSessionPartner part = (FSSessionPartner)partners.next();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("PARTNERS" + part.getPartner());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster proxySPConfig = metaManager.getSPDescriptorConfig(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionArtifactHandler.sendProxyResponse:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Couldn't obtain proxy sp meta:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster request, response, origRequest, proxyDescriptor,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster localIDPDesc = metaManager.getIDPDescriptor(realm, hostEntityId);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster localIDPConfig = metaManager.getIDPDescriptorConfig(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster localIDPMetaAlias = localIDPConfig.getMetaAlias();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSAssertionartifactHandler.sendProxyResponse:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Exception when obtaining local idp meta:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster handler.setHostedDescriptorConfig(localIDPConfig);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster handler.processAuthnRequest(origRequest, true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sets the attribute map to the Single sign on token.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private void setAttributeMap(Object token, Map attributeMap) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (attributeMap == null || attributeMap.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler.setAttribute"+
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Map: Attribute map is empty");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSAssertionArtifactHandler.setAttributeMap:"+
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " Attribute map that will be populated to ssotoken:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SessionProvider sessionProvider = SessionManager.getProvider();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster for (Iterator iter = entrySet.iterator(); iter.hasNext();) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] values = { (String)entry.getValue() };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.setAttributeMap:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Cannot set attributes to session:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String mapperStr = IDFFMetaUtils.getFirstAttributeValueFromConfig(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster hostConfig, IFSConstants.ATTRIBUTE_MAPPER_CLASS);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((mapperStr != null) && (mapperStr.length() != 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Thread.currentThread().getContextClassLoader().loadClass(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (mapperClass instanceof FSRealmAttributeMapper) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster realmAttributeMapper = (FSRealmAttributeMapper) mapperClass;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (mapperClass instanceof FSAttributeMapper) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster attributeMapper = (FSAttributeMapper) mapperClass;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSAssertionArtifactHandler.getAttributeMapper:", e);