a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: FSSSOBrowserArtifactProfileHandler.java,v 1.6 2008/12/19 06:50:46 exu Exp $
4a5a82da9bbab0a3ea1701c3ae9334c678d24ca5Mark de Reeper * Portions Copyrighted 2013 ForgeRock, Inc.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterpackage com.sun.identity.federation.services.fednsso;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.services.FSAssertionManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.services.util.FSServiceUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.message.FSResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.message.FSSAMLRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.message.FSAuthnRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.message.FSAssertionArtifact;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.common.FSUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.common.FSException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.common.IFSConstants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.common.LogUtil;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.federation.jaxb.entityconfig.BaseConfigType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.meta.jaxb.SPDescriptorType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.xmlsig.XMLSignatureManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.Assertion;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.NameIdentifier;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.Conditions;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.AudienceRestrictionCondition;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.protocol.StatusCode;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.protocol.AssertionArtifact;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.common.SAMLException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.common.SAMLResponderException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.encode.URLEncDec;
4a5a82da9bbab0a3ea1701c3ae9334c678d24ca5Mark de Reeperimport org.forgerock.openam.utils.ClientUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>IDP</code> single sign on service handler handles browser artifact
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterpublic class FSSSOBrowserArtifactProfileHandler extends FSSSOAndFedHandler {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sets <code>SOAP</code> message.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param msg <code>SOAPMessage</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sets <code>SAML</code> request element.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param root <code>SAML</code> request element
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public void setSAMLRequestElement(Element root) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSBrowserArtifactConsumerHandler.setSAMLRequestElement: Called");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected FSSSOBrowserArtifactProfileHandler() {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Constructor.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request <code>HttpServletRequest</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response <code>HttpServletResponse</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnRequest authentication request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param spDescriptor <code>SP</code>'s provider descriptor
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param spConfig <code>SP</code>'s extended meta config
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param spEntityId <code>SP</code>'s entity id
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param relayState where to go after single sign on is done
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster super(request, response, authnRequest, spDescriptor,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Constructor.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request <code>HttpServletRequest</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response <code>HttpServletResponse</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param samlRequest <code>Request</code> object that contains artifact
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //this.samlRequest = samlRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Processes authentication request.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnRequest authentication request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param bPostAuthn <code>true</code> indicates it's post authentication;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>false</code> indicates it's pre authentication.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler.processAuthnRequest: Called");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnRequest: AuthnRequest Processing"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "successful");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnRequest: AuthnRequest Processing "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "failed");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("AuthnRequestProcessingFailed")
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnRequest: ProviderID : "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " AuthnRequestSigned : "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnRequest: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "AuthnRequest Signature Verification Failed");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "signatureVerificationFailed") };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnRequest: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "AuthnRequest Signature Verified");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnRequest: AuthnRequest Processing "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " successful");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnRequest: AuthnRequest Processing "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "failed");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("AuthnRequestProcessingFailed")
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processAuthnRequest: Exception Occured: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Processes request with artifacts.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param samlRequest <code>FSSAMLRequest</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>FSResponse</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public FSResponse processSAMLRequest(FSSAMLRequest samlRequest) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler.processSAMLRequest: Called");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "processSAMLRequest: Fatal error, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "cannot create status or response: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private FSResponse createSAMLResponse(FSSAMLRequest samlRequest)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler.createSAMLResponse: Called");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String inResponseTo= samlRequest.getRequestID();
4a5a82da9bbab0a3ea1701c3ae9334c678d24ca5Mark de Reeper String remoteAddr = ClientUtils.getClientIPAddress(request);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("responseLogMessage") + " " + remoteAddr;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Found element in the request which are not supported");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message = FSUtils.bundle.getString("unsupportedElement");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StatusCode("samlp:Responder"),message, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.setMinorVersion(samlRequest.getMinorVersion());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Fatal error, cannot create status or response: ", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { respPrefix , retResponse.toString() };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.FINER,LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("inResponseTo") + "=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.INFO,LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster am = FSAssertionManager.getInstance(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: Cannot instantiate "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "FSAssertionManager");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StatusCode("samlp:Responder"), message, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.setMinorVersion(samlRequest.getMinorVersion());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Fatal error, cannot create status or response: ", sse);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { respPrefix , retResponse.toString() };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.FINER,LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("inResponseTo") + "=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.INFO,LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster artifacts = samlRequest.getAssertionArtifact();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // ensure that all the artifacts have the same sourceID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: Artifacts not from "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "the same source");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message = FSUtils.bundle.getString("mismatchSourceID");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Need a second level status for the federation
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * does not exist.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: Fatal error, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("inResponseTo") + "=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.INFO, LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else { //sourceids are equal
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else {// sourceID == null
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } // while loop to go through artifacts to check for sourceID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: FSException Occured while "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "retrieving sp's providerID for the artifact: ", ex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "artifact received does not correspond to any SP");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message = FSUtils.bundle.getString("invalidSource");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Need a second level status for the federation
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * does not exist.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * First, let's check we haven't recorded a status
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * beforehand (by another call) related to this
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * artifact. If so, use it.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse:Fatal error, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //return error response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOAndFedHandler.processAuthnRequest: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "RemoteProvider is not trusted");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "AuthnRequestProcessingFailed");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "FSAllianceManagementException "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse:Fatal error, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //Verify signature
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "SAMLRequest signature verification failed");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "signatureVerificationFailed");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse:Fatal error, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "cannot create status or response: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtProfileHandler.createSAMLResp:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " SAMLRequest signature verified");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //end signature verification
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: No artifact found in samlRequest");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message = FSUtils.bundle.getString("missingArtifact");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StatusCode("samlp:Requester"), message, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.setMinorVersion(samlRequest.getMinorVersion());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse:Fatal error, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AssertionArtifact artifact =(AssertionArtifact)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertion = am.getAssertion(artifact, spEntityId);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler.createSAML"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "Response:could not find matching assertion:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StatusCode("samlp:Success"), message, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse:Fatal error, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { respPrefix , retResponse.toString() };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.FINER,LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("inResponseTo") + "=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.INFO, LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: found " + assertionSize + "assertions.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check that the target restriction condition
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // inside the assertion has the calling host's address in it.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Set trcs = conds.getAudienceRestrictionCondition();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: checking to see if assertions"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!((AudienceRestrictionCondition)trcsIterator.next())
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: removing TRC not"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "meant for this host");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: Matching Assertions(s) not "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "created for this host");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message = FSUtils.bundle.getString("mismatchDest");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new Status(new StatusCode("samlp:Success"), message, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.setMinorVersion(samlRequest.getMinorVersion());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: Fatal error, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { respPrefix , retResponse.toString() };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.FINER,LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("inResponseTo") + "=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.INFO, LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: Matching Assertion found");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StatusCode("samlp:Success"), message, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.setMinorVersion(samlRequest.getMinorVersion());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: Fatal error, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: Fatal error, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "cannot create status or response:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { respPrefix , retResponse.toString() };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.FINER,LogUtil.CREATE_SAML_RESPONSE, data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("inResponseTo") + "=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.INFO, LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster message = FSUtils.bundle.getString("unequalMatch");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StatusCode("samlp:Success"), message, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.setMinorVersion(samlRequest.getMinorVersion());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: Fatal error, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { respPrefix , retResponse.toString() };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.FINER,LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("inResponseTo") + "=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.INFO, LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else { // build response for all the other type of request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StatusCode("samlp:Success"), message, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster retResponse.setMinorVersion(samlRequest.getMinorVersion());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLResponse: Fatal error, "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { respPrefix , retResponse.toString() };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.FINER,LogUtil.CREATE_SAML_RESPONSE, data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString("inResponseTo") + "=" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.INFO, LogUtil.CREATE_SAML_RESPONSE,data);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Generates artifact and sends it to <code>SP</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>true</code> always.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler.doSingleSignOn: Called");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List artList = createSAMLAssertionArtifact(ssoToken,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return true;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Creates assertion and assertion artifact.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "createSAMLAssertionArtifact: Called");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AssertionArtifact artifact = am.createFSAssertionArtifact(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SessionManager.getProvider().getSessionID(ssoToken),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("AssertionArtifact id = " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String artid = artifact.getAssertionArtifact();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler.sendSAMLArtifacts: Called");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String targetURL = FSServiceUtils.getAssertionConsumerServiceURL(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spDescriptor, authnRequest.getAssertionConsumerServiceID());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "sendSAMLArtifacts: Sending null artifact");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String art = URLEncDec.encode((String)iter.next());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String relayURL = authnRequest.getRelayState();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster response.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "sendSAMLArtifacts: Sending artifacts to: " + redirecto);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.FINER,LogUtil.REDIRECT_TO, data, ssoToken);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Generates a valid SAML artifact, in response
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * to a single sign on request for a non federated user.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSSSOBrowserArtifactProfileHandler. In createFaultSAMLArtifacts");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // create assertion id and artifact
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String handle = SAMLUtils.generateAssertionHandle();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "create FaultSAMLArtifacts: couldn't generate assertion " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String sourceSuccinctID = FSUtils.generateSourceID(hostedEntityId);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AssertionArtifact art = new FSAssertionArtifact(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster handle.getBytes(IFSConstants.SOURCEID_ENCODING));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "FSBrowserArtifactProfileHandler.createFaultSAMLArtifacts: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "verifySAMLRequestSignature: Called");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster X509Certificate cert = KeyUtil.getVerificationCert(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "verifySAMLRequestSignature: couldn't obtain "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "this site's cert.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.bundle.getString(IFSConstants.NO_CERT));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster XMLSignatureManager manager = XMLSignatureManager.getInstance();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Document doc = (Document)FSServiceUtils.createSOAPDOM(msg);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler."
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "verifySAMLRequestSignature: Exception occured while "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + "verifying IDP's signature:" , e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;