a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2008 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: AssertionIDRequestUtil.java,v 1.8 2009/06/12 22:21:40 mallas Exp $
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpotts * Portions Copyrighted 2013-2016 ForgeRock AS.
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpottsimport static org.forgerock.openam.utils.Time.*;
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeperimport com.sun.identity.saml2.common.SAML2FailoverUtils;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.common.SOAPCommunicator;
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeperimport org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException;
2265cfe8ee36d40dc946cde472ecd12c61f856b2Peter Majorimport com.sun.identity.common.HttpURLConnectionManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.xmlsig.KeyProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Assertion;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.AssertionFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.AssertionIDRef;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Constants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Exception;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Utils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.AttributeAuthorityDescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.AssertionIDRequestServiceElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.AuthnAuthorityDescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.RoleDescriptorType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.plugins.AssertionIDRequestMapper;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.AssertionIDRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.ProtocolFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.Response;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.StatusCode;
1b49125c5fbcee4ac3052f0831212bbb6feae221Mark Craig * This class provides methods to send or process
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AssertionIDRequest</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @supported.api
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static KeyProvider keyProvider = KeyUtil.getKeyProviderInstance();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static SAML2MetaManager metaManager = SAML2Utils.getSAML2MetaManager();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static Hashtable assertionIDRequestMapperCache = new Hashtable();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static final String MIME_TYPE_ASSERTION = "application/samlassertion+xml";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sends the <code>AssertionIDRequest</code> to specifiied Assertion ID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Request Service and returns <code>Response</code> coming from the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Assertion ID Request Service.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param assertionIDRequest the <code>AssertionIDRequest</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param samlAuthorityEntityID entity ID of SAML authority
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param role SAML authority role, for example,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SAML2Constants.ATTR_AUTH_ROLE</code>,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SAML2Constants.AUTHN_AUTH_ROLE</code> or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SAML2Constants.IDP_ROLE</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm the realm of hosted entity
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param binding the binding
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the <code>Response</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception SAML2Exception if the operation is not successful
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @supported.api
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AssertionIDRequest assertionIDRequest, String samlAuthorityEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String role, String realm, String binding) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster RoleDescriptorType roled = getRoleDescriptorAndLocation(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster samlAuthorityEntityID, role, realm, binding, location);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (binding.equalsIgnoreCase(SAML2Constants.SOAP)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster signAssertionIDRequest(assertionIDRequest, realm, false);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return sendAssertionIDRequestBySOAP(assertionIDRequest,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster location.toString(), realm, samlAuthorityEntityID, role, roled);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("unsupportedBinding"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sends the Assertion ID to specifiied Assertion ID Request Service and
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * returns <code>Assertion</code> coming from the Assertion ID Request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param assertionID the asssertionID</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param samlAuthorityEntityID entity ID of SAML authority
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param role SAML authority role, for example,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SAML2Constants.ATTR_AUTH_ROLE</code>,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SAML2Constants.AUTHN_AUTH_ROLE</code> or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SAML2Constants.IDP_ROLE</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm the realm of hosted entity
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the <code>Assertion</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception SAML2Exception if the operation is not successful
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @supported.api
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static Assertion sendAssertionIDRequestURI(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String assertionID, String samlAuthorityEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String role, String realm) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster getRoleDescriptorAndLocation(samlAuthorityEntityID, role, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String location = fillInBasicAuthInfo(locationSB.toString(), realm,
2265cfe8ee36d40dc946cde472ecd12c61f856b2Peter Major HttpURLConnection conn = HttpURLConnectionManager.getConnection(url);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "AssertionIDRequestUtil.sendAssertionIDRequestURI: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Response code = " + respCode + ", Response message = " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "AssertionIDRequestUtil.sendAssertionIDRequestURI: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (contentType.indexOf(MIME_TYPE_ASSERTION) == -1)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "AssertionIDRequestUtil.sendAssertionIDRequestURI: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new BufferedInputStream(conn.getInputStream());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster left < content.length ? left : content.length);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // We need to close connection !!
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster contentSB.append(new String(content, 0, read));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster while (true) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster contentSB.append(new String(content, 0, numbytes));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return AssertionFactory.getInstance().createAssertion(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "AssertionIDRequest.sendAssertionIDRequestURI:", ioex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets assertion ID from URI and returns assertion if found.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request the <code>HttpServletRequest</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response the <code>HttpServletResponse</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param samlAuthorityEntityID entity ID of SAML authority
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param role SAML authority role
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm the realm of hosted entity
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception IOException if response can't be sent
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static void processAssertionIDRequestURI(HttpServletRequest request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster HttpServletResponse response, String samlAuthorityEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String role, String realm) throws IOException {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String assertionID = request.getParameter("ID");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster HttpServletResponse.SC_BAD_REQUEST, "nullAssertionID",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("nullAssertionID"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster aidReqMapper = getAssertionIDRequestMapper(realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "failedToGetAssertionIDRequestMapper", ex.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster aidReqMapper.authenticateRequesterURI(request, response,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "failedToAuthenticateRequesterURI", ex.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Assertion assertion = (Assertion)IDPCache.assertionByIDCache.get(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((assertion == null) || (!assertion.isTimeValid())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "invalidAssertionID",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidAssertionID"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster response.addHeader("Cache-Control", "no-cache, no-store");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("AssertionIDRequestUtil." +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("AssertionIDRequestUtil." +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster bos = new BufferedOutputStream(response.getOutputStream());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("AssertionIDRequestUtil." +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("AssertionIDRequestUtil." +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This method processes the <code>AssertionIDRequest</code> coming
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * from a requester.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param assertionIDRequest the <code>AssertionIDRequest</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request the <code>HttpServletRequest</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response the <code>HttpServletResponse</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param samlAuthorityEntityID entity ID of SAML authority
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param role the role of SAML authority
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm the realm of SAML authority
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the <code>Response</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception SAML2Exception if the operation is not successful
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static Response processAssertionIDRequest(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AssertionIDRequest assertionIDRequest, HttpServletRequest request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster HttpServletResponse response, String samlAuthorityEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String role, String realm) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster verifyAssertionIDRequest(assertionIDRequest, samlAuthorityEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("AssertionIDRequestUtil." +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return SAML2Utils.getErrorResponse(assertionIDRequest,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.REQUESTER, null, se.getMessage(),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Issuer issuer = assertionIDRequest.getIssuer();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (SAML2Constants.AUTHN_AUTH_ROLE.equals(role)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster roled = metaManager.getAuthnAuthorityDescriptor(realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (SAML2Constants.ATTR_AUTH_ROLE.equals(role)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster roled = metaManager.getAttributeAuthorityDescriptor(realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("AssertionIDRequestUtil." +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return SAML2Utils.getErrorResponse(assertionIDRequest,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.RESPONDER, null, sme.getMessage(),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return SAML2Utils.getErrorResponse(assertionIDRequest,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.REQUESTER, null, SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "samlAuthorityNotFound"), samlAuthorityEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List assertionIDRefs = assertionIDRequest.getAssertionIDRefs();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster for(Iterator iter = assertionIDRefs.iterator(); iter.hasNext();) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AssertionIDRef assertionIDRef = (AssertionIDRef)iter.next();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String assertionID = assertionIDRef.getValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Assertion assertion = (Assertion)IDPCache.assertionByIDCache.get(
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper if ((assertion == null) && (SAML2FailoverUtils.isSAML2FailoverEnabled())) {
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2Utils.debug.message("AssertionIDRequestUtil.processAssertionIDRequest: " +
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper "reading assertion from the SAML2 Token Repository using assertionID:" + assertionID);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper assertionStr = (String) SAML2FailoverUtils.retrieveSAML2Token(assertionID);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2Utils.debug.error("AssertionIDRequestUtil.processAssertionIDRequest: " +
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper "There was a problem reading assertion from the SAML2 Token Repository using assertionID:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertion = AssertionFactory.getInstance().createAssertion(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((assertion != null) && (assertion.isTimeValid())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ProtocolFactory protocolFactory = ProtocolFactory.getInstance();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Response samlResp = protocolFactory.createResponse();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster samlResp.setInResponseTo(assertionIDRequest.getID());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster samlResp.setVersion(SAML2Constants.VERSION_2_0);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Status status = protocolFactory.createStatus();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster StatusCode statusCode = protocolFactory.createStatusCode();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Issuer respIssuer = AssertionFactory.getInstance().createIssuer();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster signResponse(samlResp, samlAuthorityEntityID, role, realm, false);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static RoleDescriptorType getRoleDescriptorAndLocation(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String samlAuthorityEntityID, String role, String realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String binding, StringBuffer location) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "unsupportedRole"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (role.equals(SAML2Constants.IDP_ROLE)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "idpNotFound"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster aIDReqServices = idpd.getAssertionIDRequestService();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (role.equals(SAML2Constants.AUTHN_AUTH_ROLE)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "authnAuthorityNotFound"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster aIDReqServices = attrd.getAssertionIDRequestService();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (role.equals(SAML2Constants.ATTR_AUTH_ROLE)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster metaManager.getAttributeAuthorityDescriptor(realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "attrAuthorityNotFound"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster aIDReqServices = aad.getAssertionIDRequestService();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "unsupportedRole"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "AssertionIDRequest.getRoleDescriptorAndLocation:", sme);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "metaDataError"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("unsupportedBinding"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((aIDReqServices == null) || (aIDReqServices.isEmpty())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("aIDReqServiceNotFound"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster for(Iterator iter = aIDReqServices.iterator(); iter.hasNext(); ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AssertionIDRequestServiceElement aIDReqService =
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (binding.equalsIgnoreCase(aIDReqService.getBinding())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("unsupportedBinding"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm, boolean includeCert) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String spEntityID = assertionIDRequest.getIssuer().getValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String alias = SAML2Utils.getSigningCertAlias(realm, spEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster PrivateKey signingKey = keyProvider.getPrivateKey(alias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster signingCert = keyProvider.getX509Certificate(alias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertionIDRequest.sign(signingKey, signingCert);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AssertionIDRequest assertionIDRequest, String samlAuthorityEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String role, String realm) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Issuer issuer = assertionIDRequest.getIssuer();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!SAML2Utils.isSourceSiteValid(issuer, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "assertionIDRequestIssuerInvalid"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPSSODescriptorElement spSSODesc = metaManager.getSPSSODescriptor(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "assertionIDRequestIssuerNotFound"));
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings Set<X509Certificate> verificationCerts = KeyUtil.getVerificationCerts(spSSODesc, requestedEntityID,
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings boolean valid = assertionIDRequest.isSignatureValid(verificationCerts);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "AssertionIDRequestUtil.verifyAssertionIDRequest: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "invalidSignatureAssertionIDRequest"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("missingSigningCertAlias"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static void signResponse(Response response,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String samlAuthorityEntityID, String role, String realm,
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper String alias = SAML2Utils.getSigningCertAlias(realm, samlAuthorityEntityID, role);
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper String encryptedKeyPass = SAML2Utils.getSigningCertEncryptedKeyPass(realm, samlAuthorityEntityID, role);
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper if (encryptedKeyPass == null || encryptedKeyPass.isEmpty()) {
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper signingKey = keyProvider.getPrivateKey(alias);
0cd8368ca65c58915ee90bc73d84e65f3da9e120Mark de Reeper signingKey = keyProvider.getPrivateKey(alias, encryptedKeyPass);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster signingCert = keyProvider.getX509Certificate(alias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static String fillInBasicAuthInfo(String location, String realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (role.equals(SAML2Constants.AUTHN_AUTH_ROLE)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster config = metaManager.getAuthnAuthorityConfig(realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (role.equals(SAML2Constants.ATTR_AUTH_ROLE)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster config = metaManager.getAttributeAuthorityConfig(realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return SAML2Utils.fillInBasicAuthInfo(config, location);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static Response sendAssertionIDRequestBySOAP(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AssertionIDRequest assertionIDRequest, String location, String realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String samlAuthorityEntityID, String role, RoleDescriptorType roled)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String aIDReqStr = assertionIDRequest.toXMLString(true, true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "AssertionIDRequestUtil.sendAssertionIDRequestBySOAP: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "AssertionIDRequestUtil.sendAssertionIDRequestBySOAP: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster location = fillInBasicAuthInfo(location, realm, samlAuthorityEntityID,
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings resMsg = SOAPCommunicator.getInstance().sendSOAPMessage(aIDReqStr, location, true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "AssertionIDRequestUtil.sendAssertionIDRequestBySOAP:", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("errorSendingAssertionIDRequest"));
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings Element respElem = SOAPCommunicator.getInstance().getSamlpElement(resMsg, "Response");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ProtocolFactory.getInstance().createResponse(respElem);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "AssertionIDRequestUtil.sendAssertionIDRequestBySOAP: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "response = " + response.toXMLString(true, true));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster verifyResponse(response, assertionIDRequest, samlAuthorityEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static void verifyResponse(Response response,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AssertionIDRequest assertionIDRequest, String samlAuthorityEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String role, RoleDescriptorType roled) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (!aIDReqID.equals(response.getInResponseTo()))) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "invalidInResponseToAssertionIDRequest"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!samlAuthorityEntityID.equals(respIssuer.getValue())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "responseIssuerMismatch"));
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings Set<X509Certificate> signingCerts = KeyUtil.getVerificationCerts(roled, samlAuthorityEntityID, role);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings boolean valid = response.isSignatureValid(signingCerts);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "AssertionIDRequestUtil .verifyResponse: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "invalidSignatureOnResponse"));
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static AssertionIDRequestMapper getAssertionIDRequestMapper(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm, String samlAuthorityEntityID, String role)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster aidReqMapperName = SAML2Utils.getAttributeValueFromSSOConfig(realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.DEFAULT_ASSERTION_ID_REQUEST_MAPPER_CLASS;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "AssertionIDRequestUtil.getAssertionIDRequestMapper:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertionIDRequestMapperCache.get(aidReqMapperName);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertionIDRequestMapperCache.put(aidReqMapperName,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "AssertionIDRequestUtil.getAssertionIDRequestMapper:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster " got the AssertionIDRequestMapper from cache");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "AssertionIDRequestUtil.getAssertionIDRequestMapper:", ex);