a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: DoManageNameID.java,v 1.26 2009/11/24 21:53:27 madan_ranganath Exp $
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpotts * Portions copyright 2013-2016 ForgeRock AS.
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpottsimport static org.forgerock.openam.utils.Time.*;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.common.SOAPCommunicator;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.monitoring.FedMonAgent;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.monitoring.FedMonSAML2Svc;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.monitoring.MonitorManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.xmlsig.KeyProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.AssertionFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.EncryptedID;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.AccountUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.NameIDInfo;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Constants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Exception;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2SDKUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Utils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.AffiliationDescriptorType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.ManageNameIDServiceElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.plugins.IDPAccountMapper;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.plugins.SPAccountMapper;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.ManageNameIDRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.ManageNameIDResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.NewEncryptedID;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.ProtocolFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.encode.URLEncDec;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This class reads the query parameters and the required
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * processing logic for sending ManageNameIDRequest
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * from SP to IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster final static String className = "DoManageNameID:";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static ProtocolFactory pf = ProtocolFactory.getInstance();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static AssertionFactory af = AssertionFactory.getInstance();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static KeyProvider keyProvider = KeyUtil.getKeyProviderInstance();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionProvider = SessionManager.getProvider();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.error(SAML2Utils.bundle.getString("errorSOAPFactory"), se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.error(SAML2Utils.bundle.getString("errorMetaManager"), se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.error("Error retrieving session provider.", sessE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static void logError(String msgID, String key, String value) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.error(SAML2Utils.bundle.getString(msgID));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static void logAccess(String msgID, String key, String value) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(SAML2Utils.bundle.getString(msgID));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Parses the request parameters and builds the ManageNameID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Request to send to the remote entity.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request the HttpServletRequest.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response the HttpServletResponse.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param metaAlias meta alias of the hosted entity.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param remoteEntityID entityID of remote entity.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param paramsMap Map of all other parameters.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAML2Exception if error initiating request to remote entity.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static void initiateManageNameIDRequest(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String method = "DoManageNameID.initiateManageNameIDRequest: ";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2SDKUtils.bundle.getString("errorMetaManager"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("nullRemoteEntityID"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster session = SessionManager.getProvider().getSession(request);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String hostEntityID = metaManager.getEntityByMetaAlias(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String hostEntityRole = SAML2Utils.getHostEntityRole(paramsMap);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "redirect to the authentication service");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // the user has not logged in yet,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // redirect to the authentication service
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.redirectAuthentication(request, response,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Meta Alias is : "+ metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Remote EntityID is : " + remoteEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Host EntityID is : " + hostEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.getParameter(paramsMap, SAML2Constants.BINDING);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logError("UnableTofindBinding", LogUtil.METADATA_ERROR, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("UnableTofindBinding"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logError("mniServiceNotFound", LogUtil.METADATA_ERROR, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("mniServiceNotFound"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String requestType = (String)paramsMap.get("requestType");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean changeID = "NewID".equals(requestType);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String affiliationID = SAML2Utils.getParameter(paramsMap,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ManageNameIDRequest mniRequest = createManageNameIDRequest(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster session, realm, hostEntityID, hostEntityRole, remoteEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String relayState = SAML2Utils.getParameter(paramsMap,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((relayState == null) || (relayState.equals(""))) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster relayState = SAML2Utils.getAttributeValueFromSSOConfig(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Validate the RelayState URL.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster mniRequest.setDestination(XMLUtils.escapeSpecialCharacters(mniURL));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster saveMNIRequestInfo(request, response, paramsMap, mniRequest,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (binding.equalsIgnoreCase(SAML2Constants.HTTP_REDIRECT)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster mniRequestXMLString = mniRequest.toXMLString(true,true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster doMNIByHttpRedirect(mniRequestXMLString, mniURL, relayState,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster realm, hostEntityID, hostEntityRole, remoteEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (binding.equalsIgnoreCase(SAML2Constants.SOAP)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster signMNIRequest(mniRequest, realm, hostEntityID, hostEntityRole,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (hostEntityRole.equalsIgnoreCase(SAML2Constants.SP_ROLE)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster config = metaManager.getIDPSSOConfig(realm, remoteEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster config = metaManager.getSPSSOConfig(realm, remoteEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster mniURL = SAML2Utils.fillInBasicAuthInfo(config, mniURL);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!doMNIBySOAP(mniRequest, mniURL, metaAlias, hostEntityRole,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (binding.equalsIgnoreCase(SAML2Constants.HTTP_POST)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster signMNIRequest(mniRequest, realm, hostEntityID, hostEntityRole,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster mniRequestXMLString= mniRequest.toXMLString(true,true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster doMNIByPOST(mniRequestXMLString, mniURL, relayState, realm,
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest hostEntityID, hostEntityRole, remoteEntityID, response, request);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("errorCreatingMNIRequest"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logError("metaDataError", LogUtil.METADATA_ERROR, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logError("invalidSSOToken", LogUtil.INVALID_SSOTOKEN, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidSSOToken"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static void postTerminationSuccess(String hostEntityId,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm, HttpServletRequest request, HttpServletResponse response,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ManageNameIDResponse idResponse, String binding) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spAdapter = SAML2Utils.getSPAdapterClass(hostEntityId, realm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DoManageNameID.postTerminationSuccess:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spAdapter.postTerminateNameIDSuccess(hostEntityId, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster request, response, userId, idRequest, idResponse, binding);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns binding information of MNI Service for remote entity
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * from request or meta configuration.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request the HttpServletRequest.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param metaAlias meta alias of the hosted entity.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostEntityRole Role of hosted entity.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param remoteEntityID entityID of remote entity.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the binding of the MNI service for the remote entity.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAML2Exception if no binding information is configured.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static String getMNIBindingInfo(HttpServletRequest request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String binding = request.getParameter(SAML2Constants.BINDING);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logError("invalidSSOToken", LogUtil.INVALID_SSOTOKEN, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidSSOToken"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("UnableTofindBinding"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static void signMNIRequest(ManageNameIDRequest mniRequest,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static void signMNIRequest(ManageNameIDRequest mniRequest,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean needRequestSign = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.getWantMNIRequestSigned(realm, remoteEntity,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.getWantMNIRequestSigned(realm, remoteEntity,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "MNIRequest doesn't need to be signed.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.getSigningCertAlias(realm, hostEntity, hostEntityRole);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "hostEntity is : " + hostEntity);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Host Entity role is : " + hostEntityRole);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "remoteEntity is : " + remoteEntity);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Cert Alias is : " + alias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "MNI Request before sign : "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster PrivateKey signingKey = keyProvider.getPrivateKey(alias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster signingCert = keyProvider.getX509Certificate(alias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("missingSigningCertAlias"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "MNI Request after sign : "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static boolean verifyMNIRequest(ManageNameIDRequest mniRequest,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm, String remoteEntity, String hostEntity,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String hostEntityRole, String destination) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "remoteEntity is : " + remoteEntity);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Host Entity role is : " + hostEntityRole);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.getWantMNIRequestSigned(realm, hostEntity,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method+"MNIRequest doesn't need to be verified.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return true;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SPSSODescriptorElement spSSODesc = metaManager.getSPSSODescriptor(realm, remoteEntity);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings signingCerts = KeyUtil.getVerificationCerts(spSSODesc, remoteEntity, SAML2Constants.SP_ROLE);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings IDPSSODescriptorElement idpSSODesc = metaManager.getIDPSSODescriptor(realm, remoteEntity);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings signingCerts = KeyUtil.getVerificationCerts(idpSSODesc, remoteEntity, SAML2Constants.IDP_ROLE);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings valid = mniRequest.isSignatureValid(signingCerts);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Signature is : " + valid);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("missingSigningCertAlias"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static void signMNIResponse(ManageNameIDResponse mniResponse,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster signMNIResponse(mniResponse, realm, hostEntity,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static void signMNIResponse(ManageNameIDResponse mniResponse,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean needResponseSign = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.getWantMNIResponseSigned(realm, remoteEntity,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.getWantMNIResponseSigned(realm, remoteEntity,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method+"MNIResponse doesn't need to be signed.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.getSigningCertAlias(realm, hostEntity, hostEntityRole);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "hostEntity is : " + hostEntity);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Host Entity role is : " + hostEntityRole);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Cert Alias is : " + alias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "MNI Response before sign : "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster PrivateKey signingKey = keyProvider.getPrivateKey(alias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster signingCert = keyProvider.getX509Certificate(alias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("missingSigningCertAlias"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "MNI Response after sign : "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static boolean verifyMNIResponse(ManageNameIDResponse mniResponse,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "remoteEntity is : " + remoteEntity);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Host Entity role is : " + hostEntityRole);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.getWantMNIResponseSigned(realm, hostEntity,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "MNIResponse doesn't need to be verified.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return true;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SPSSODescriptorElement spSSODesc = metaManager.getSPSSODescriptor(realm, remoteEntity);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings signingCerts = KeyUtil.getVerificationCerts(spSSODesc, remoteEntity, SAML2Constants.SP_ROLE);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings IDPSSODescriptorElement idpSSODesc = metaManager.getIDPSSODescriptor(realm, remoteEntity);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings signingCerts = KeyUtil.getVerificationCerts(idpSSODesc, remoteEntity, SAML2Constants.IDP_ROLE);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings valid = mniResponse.isSignatureValid(signingCerts);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Signature is : " + valid);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static void saveMNIRequestInfo(HttpServletRequest request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ManageNameIDRequest mniRequest, String relayState,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String hostEntityRole, Object session) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "hostEntityRole : " + hostEntityRole);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster EncryptedID encryptedID = mniRequest.getEncryptedID();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NewEncryptedID newEncryptedID = mniRequest.getNewEncryptedID();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster reqForSave = (ManageNameIDRequest)pf.createManageNameIDRequest(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster paramsMap.put(SAML2Constants.SESSION, session);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ManageNameIDRequestInfo reqInfo = new ManageNameIDRequestInfo(request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster response, reqForSave, relayState, paramsMap, session);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (hostEntityRole.equalsIgnoreCase(SAML2Constants.SP_ROLE)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPCache.mniRequestHash.put(mniRequest.getID(), reqInfo);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPCache.mniRequestHash.put(mniRequest.getID(), reqInfo);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Parses the request parameters and processes the ManageNameID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Request from the remote entity.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request the HttpServletRequest.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response the HttpServletResponse.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param paramsMap Map of all other parameters.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAML2Exception if error occurred while processing the request.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SessionException if error processing the request from remote entity.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws ServletException if request length is invalid.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static void processHttpRequest(HttpServletRequest request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throws SAML2Exception, SessionException, ServletException {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // handle DOS attack
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster metaAlias = SAML2MetaUtils.getMetaAliasByUri(requestURL);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("MetaAliasNotFound"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String hostEntity = metaManager.getEntityByMetaAlias(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String hostRole = SAML2Utils.getHostEntityRole(paramsMap);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean isSupported = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (SAML2Constants.IDP_ROLE.equals(hostRole)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster isSupported = SAML2Utils.isIDPProfileBindingSupported(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_REDIRECT);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster isSupported = SAML2Utils.isSPProfileBindingSupported(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_REDIRECT);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "MNI binding: Redirect is not supported for " + hostEntity);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { hostEntity, SAML2Constants.HTTP_REDIRECT };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "unsupportedBinding"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Retrieve ManageNameIDRequest
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ManageNameIDRequest mniRequest = getMNIRequest(request);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster remoteEntityID = mniRequest.getIssuer().getValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("nullRemoteEntityID"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.getWantMNIRequestSigned(realm, hostEntity, hostRole);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.verifyQueryString(queryString, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidSignInRequest"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster request.getParameter(SAML2Constants.RELAY_STATE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Meta Alias is : "+ metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Remote EntityID is : " + remoteEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Host Entity role is : " + hostRole);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Relay state is : " + relayState);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String mniURL = mniService.getResponseLocation();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ManageNameIDResponse mniResponse = processManageNameIDRequest(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster mniRequest, metaAlias, remoteEntityID, paramsMap, mniURL,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.HTTP_REDIRECT, request, response);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sendMNIResponse(response, mniResponse, mniURL, relayState, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logError("metaDataError", LogUtil.METADATA_ERROR, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Parses the request parameters and processes the ManageNameID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Request from the remote entity.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request the HttpServletRequest.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response the HttpServletResponse.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param paramsMap Map of all other parameters.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAML2Exception if error occurred while processing the request.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws IOException if an error occurs generating the DOM from the input stream.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SOAPException if an error occurs generating the SOAP message.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws ServletException if request length is invalid.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static void processSOAPRequest(HttpServletRequest request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throws SAML2Exception, IOException, SOAPException, ServletException {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String hostEntityRole = SAML2Utils.getHostEntityRole(paramsMap);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // handle DOS attack
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster metaAlias = SAML2MetaUtils.getMetaAliasByUri(requestURL);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("MetaAliasNotFound"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String hostEntity = metaManager.getEntityByMetaAlias(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean isSupported = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (SAML2Constants.IDP_ROLE.equals(hostEntityRole)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster isSupported = SAML2Utils.isIDPProfileBindingSupported(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.MNI_SERVICE, SAML2Constants.SOAP);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster isSupported = SAML2Utils.isSPProfileBindingSupported(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.MNI_SERVICE, SAML2Constants.SOAP);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "MNI binding: SOAP is not supported for " + hostEntity);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { hostEntity, SAML2Constants.SOAP };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "unsupportedBinding"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Retrieve a SOAPMessage
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SOAPMessage message = SOAPCommunicator.getInstance().getSOAPMessage(request);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ManageNameIDRequest mniRequest = getMNIRequest(message);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster remoteEntityID = mniRequest.getIssuer().getValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("nullRemoteEntityID"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Meta Alias is : "+ metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Host EntityID is : " + hostEntity);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Remote EntityID is : " + remoteEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean valid = verifyMNIRequest(mniRequest, realm, remoteEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.MNI_REQUEST_INVALID_SIGNATURE, metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidSignInRequest"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ManageNameIDResponse mniResponse = processManageNameIDRequest(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster mniRequest, metaAlias, remoteEntityID, paramsMap, null,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster signMNIResponse(mniResponse, realm, hostEntity,
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SOAPMessage reply = SOAPCommunicator.getInstance().createSOAPMessage(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /* Need to call saveChanges because we're
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * going to use the MimeHeaders to set HTTP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * response information. These MimeHeaders
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * are generated as part of the save. */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.putHeaders(reply.getMimeHeaders(), response);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Write out the message on the response stream
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.CANNOT_INSTANTIATE_MNI_RESPONSE, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("errorObtainResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Parses the request parameters and builds the Authentication
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Request to send to the IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request the HttpServletRequest.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response the HttpServletResponse.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param paramsMap Map of all other parameters.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if the processing is successful.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAML2Exception if error initiating request to IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static boolean processManageNameIDResponse(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String method = "processManageNameIDResponse: ";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean success = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String metaAlias = SAML2MetaUtils.getMetaAliasByUri(requestURL);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logError("MetaAliasNotFound", LogUtil.MISSING_META_ALIAS, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("MetaAliasNotFound"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String hostEntityID = metaManager.getEntityByMetaAlias(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String hostRole = SAML2Utils.getHostEntityRole(paramsMap);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean isSupported = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (SAML2Constants.IDP_ROLE.equals(hostRole)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster isSupported = SAML2Utils.isIDPProfileBindingSupported(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_REDIRECT);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster isSupported = SAML2Utils.isSPProfileBindingSupported(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_REDIRECT);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "MNI binding: Redirect is not supported for " + hostEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { hostEntityID, SAML2Constants.HTTP_REDIRECT };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "unsupportedBinding"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster request.getParameter(SAML2Constants.RELAY_STATE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster request.getParameter(SAML2Constants.SAML_RESPONSE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String mniResStr = SAML2Utils.decodeFromRedirect(mniRes);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Meta Alias is : "+ metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Host role is : " + hostRole);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Relay state is : " + relayState);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "MNI Response : " + mniResStr);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Validate the RelayState URL.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster mniResponse = pf.createManageNameIDResponse(mniResStr);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String remoteEntityID = mniResponse.getIssuer().getValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String requestId = mniResponse.getInResponseTo();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.verifyResponseIssuer(realm, hostEntityID, resIssuer,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean needToVerify = SAML2Utils.getWantMNIResponseSigned(realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean valid = SAML2Utils.verifyQueryString(queryString, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "invalidSignInResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster success = checkMNIResponse(mniResponse, realm, hostEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for termination success
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster postTerminationSuccess(hostEntityID, realm, request, response,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidSSOToken"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Request success : " + success);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static Status processManageNameIDRequest(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ManageNameIDRequest mniRequest, String realm, String hostEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String remoteEntityID, String hostRole, String userID)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String method = "processManageNameIDRequest: ";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Host EntityID is : "+ hostEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Host role is : " + hostRole);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameID nameID = getNameIDFromMNIRequest(mniRequest, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameIDInfo oldNameIDInfo = getNameIDInfo(userID, hostEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster remoteEntityID, hostRole, realm, nameID.getSPNameQualifier(),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // log manage name id failure
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logError("unknownPrinciapl", LogUtil.UNKNOWN_PRINCIPAL,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return SAML2Utils.generateStatus(SAML2Constants.REQUESTER,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Terminate
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (hostRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster removeIDPFedSession(remoteEntityID, oldNameID.getValue());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spFedSessions = (List)SPCache.fedSessionListsByNameIDInfoKey.remove(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster oldNameIDInfo.getNameIDInfoKey().toValueString());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml2Svc != null)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (long)SPCache.fedSessionListsByNameIDInfoKey.size());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!AccountUtils.removeAccountFederation(oldNameIDInfo, userID)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // log termination failure
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logError("unableToTerminate", LogUtil.UNABLE_TO_TERMINATE, userID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return SAML2Utils.generateStatus(SAML2Constants.RESPONDER,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("unableToTerminate"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // log termination success
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logAccess("requestSuccess", LogUtil.SUCCESS_FED_TERMINATION,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return SAML2Utils.generateStatus(SAML2Constants.SUCCESS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("requestSuccess"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // newID case
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NewID newID = getNewIDFromMNIRequest(mniRequest, realm, hostEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean isAffiliation = oldNameIDInfo.isAffiliation();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String spNameQualifier = oldNameID.getSPNameQualifier();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (hostRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameID newNameID = AssertionFactory.getInstance().createNameID();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newNameID.setNameQualifier(oldNameID.getNameQualifier());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameIDInfo newNameIDinfo = new NameIDInfo(hostEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (isAffiliation ? spNameQualifier : remoteEntityID), newNameID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AccountUtils.setAccountFederation(newNameIDinfo, userID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // there are active sessions using this NameID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameIDandSPpair pair = new NameIDandSPpair(newNameID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List list = (List) idpSession.getNameIDandSPpairs();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // log new name id success
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logAccess("requestSuccess", LogUtil.SUCCESS_NEW_NAMEID, userID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return SAML2Utils.generateStatus(SAML2Constants.SUCCESS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("requestSuccess"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameID newNameID = AssertionFactory.getInstance().createNameID();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newNameID.setNameQualifier(oldNameID.getNameQualifier());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newNameID.setSPProvidedID(oldNameID.getSPProvidedID());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (isAffiliation ? spNameQualifier : hostEntityID), remoteEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AccountUtils.setAccountFederation(newNameIDInfo, userID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newNameIDInfo.getNameIDInfoKey().toValueString();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String infoKeyAttribute = AccountUtils.getNameIDInfoKeyAttribute();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (spFedSessions) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster for(Iterator iter = spFedSessions.iterator(); iter.hasNext();){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPFedSession spFedSession = (SPFedSession)iter.next();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Object session = sessionProvider.getSession(tokenID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] fromToken = sessionProvider.getProperty(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((fromToken == null) || (fromToken.length == 0) ||
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (fromToken[0].indexOf(newInfoKeyStr) == -1) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPCache.fedSessionListsByNameIDInfoKey.put(newInfoKeyStr,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml2Svc != null)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (long)SPCache.fedSessionListsByNameIDInfoKey.size());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // log new name id success
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logAccess("requestSuccess", LogUtil.SUCCESS_NEW_NAMEID, userID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return SAML2Utils.generateStatus(SAML2Constants.SUCCESS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("requestSuccess"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static ManageNameIDResponse processManageNameIDRequest(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster hostEntityID = metaManager.getEntityByMetaAlias(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster hostRole = SAML2Utils.getHostEntityRole(paramsMap);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.verifyRequestIssuer(realm, hostEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (hostRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPAccountMapper idpAcctMapper = SAML2Utils.getIDPAccountMapper(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster userID = idpAcctMapper.getIdentity(mniRequest, hostEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (hostRole.equalsIgnoreCase(SAML2Constants.SP_ROLE)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPAccountMapper spAcctMapper = SAML2Utils.getSPAccountMapper(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster userID = spAcctMapper.getIdentity(mniRequest, hostEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster status = SAML2Utils.generateStatus(SAML2Constants.REQUESTER,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster status = processManageNameIDRequest(mniRequest, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster hostEntityID, remoteEntityID, hostRole, userID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DoManageNameID.processManageNameIDRequest:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster status = SAML2Utils.generateStatus(SAML2Constants.RESPONDER,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("failedToGenResponseID"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster mniResponse.setInResponseTo(mniRequest.getID());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster mniResponse.setVersion(SAML2Constants.VERSION_2_0);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster mniResponse.setIssuer(SAML2Utils.createIssuer(hostEntityID));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (destination != null && (destination.length() != 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster XMLUtils.escapeSpecialCharacters(destination));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (hostRole.equalsIgnoreCase(SAML2Constants.SP_ROLE) &&
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster mniResponse.getStatus().getStatusCode().getValue().equals(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for post-termination success
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster postTerminationSuccess(hostEntityID, realm, request, response,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static void sendMNIResponse(HttpServletResponse response,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String mniResXMLString = mniResponse.toXMLString(true, true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // encode the xml string
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String encodedXML = SAML2Utils.encodeForRedirect(mniResXMLString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StringBuffer().append(SAML2Constants.SAML_RESPONSE)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (relayState != null && relayState.length() > 0
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster && relayState.getBytes("UTF-8").length <= 80) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster queryString.append("&").append(SAML2Constants.RELAY_STATE)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster .append("=").append(URLEncDec.encode(relayState));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Relay State is : " + relayState);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster mniResponse.setDestination(XMLUtils.escapeSpecialCharacters(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean needToSign = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.getWantMNIResponseSigned(realm, remoteEntity,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.getWantMNIResponseSigned(realm, remoteEntity,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String signedQueryString = queryString.toString();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "QueryString has need to be signed.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.signQueryString(signedQueryString, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String redirectURL = mniURL + (mniURL.contains("?") ? "&" : "?") +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "redirectURL is : " + redirectURL);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("Exception when redirecting to " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static private ManageNameIDRequest createManageNameIDRequest(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Object session, String realm, String hostEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String hostEntityRole, String remoteEntityID, String destination,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean changeID, String affiliationID) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String method = "DoManageNameID.createManageNameIDRequest: ";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster userID = sessionProvider.getPrincipalName(session);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster nameID = getNameID(userID, hostEntityID, remoteEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logError("invalidSSOToken", LogUtil.INVALID_SSOTOKEN, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "invalidSSOToken"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "NameID : " + nameID.toXMLString());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ManageNameIDRequest mniRequest = pf.createManageNameIDRequest();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster mniRequest.setVersion(SAML2Constants.VERSION_2_0);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster mniRequest.setDestination(XMLUtils.escapeSpecialCharacters(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster mniRequest.setIssuer(SAML2Utils.createIssuer(hostEntityID));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster setNameIDForMNIRequest(mniRequest, nameID, changeID, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static private ManageNameIDRequest getMNIRequest(HttpServletRequest request)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String binding = request.getParameter("binding");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String samlRequest = request.getParameter(SAML2Constants.SAML_REQUEST);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DoManageNameID.getMNIRequest: SAMLRequest = " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.CANNOT_INSTANTIATE_MNI_REQUEST , samlRequest);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullManageIDRequest"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((binding != null) && binding.equals(SAML2Constants.HTTP_POST)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String decodedStr = SAML2Utils.decodeFromRedirect(samlRequest);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullDecodedStrFromSamlRequest"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return pf.createManageNameIDRequest(decodedStr);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // This is the application code for handling the message.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static private ManageNameIDRequest getMNIRequest(SOAPMessage message)
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings Element reqElem = SOAPCommunicator.getInstance().getSamlpElement(message,
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings "ManageNameIDRequest");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster HttpServletResponse response) throws SAML2Exception, IOException {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // encode the xml string
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String encodedXML = SAML2Utils.encodeForRedirect(mniRequestXMLString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StringBuffer().append(SAML2Constants.SAML_REQUEST)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (relayState != null && relayState.length() > 0
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster && relayState.getBytes("UTF-8").length <= 80) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster queryString.append("&").append(SAML2Constants.RELAY_STATE)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster .append("=").append(URLEncDec.encode(relayState));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean needToSign = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.getWantMNIRequestSigned(realm, remoteEntity,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.getWantMNIRequestSigned(realm, remoteEntity,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String signedQueryString = queryString.toString();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster signedQueryString = SAML2Utils.signQueryString(signedQueryString,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String redirectURL = mniURL + (mniURL.contains("?") ? "&" : "?") +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "MNIRequestXMLString : "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "MNIRedirectURL : " + mniURL);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "MNIRedirectURL : " + redirectURL);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster HttpServletResponse response) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean success = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String mniRequestXMLString= mniRequest.toXMLString(true,true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "MNIRequestXMLString : "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "MNIRedirectURL : " + mniURL);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings resMsg = SOAPCommunicator.getInstance().sendSOAPMessage(mniRequestXMLString, mniURL,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.error(SAML2Utils.bundle.getString("invalidSOAPMessge"), se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings Element mniRespElem = SOAPCommunicator.getInstance().getSamlpElement(resMsg,
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings "ManageNameIDResponse");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster mniResponse = pf.createManageNameIDResponse(mniRespElem);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "ManageNameIDResponse without "+
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "SOAP envelope:\n" + mniResponse.toXMLString());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "ManageNameIDResponse is null ");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String hostEntityID = metaManager.getEntityByMetaAlias(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String remoteEntityID = mniResponse.getIssuer().getValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String requestId = mniResponse.getInResponseTo();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.verifyResponseIssuer(realm, hostEntityID, resIssuer,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean validSign = verifyMNIResponse(mniResponse, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.CANNOT_INSTANTIATE_MNI_RESPONSE , null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidSignInResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster success = checkMNIResponse(mniResponse, realm, hostEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (success && hostRole.equals(SAML2Constants.SP_ROLE)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SPAdapter for termination success, SP-initiated SOAP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster postTerminationSuccess(hostEntityID, realm, request, response,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.error(SAML2Utils.bundle.getString("invalidSSOToken"), e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Request success : " + success);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static boolean checkMNIResponse(ManageNameIDResponse mniResponse,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm, String hostEntityID, String hostRole,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster StringBuffer mniUserId) throws SAML2Exception, SessionException {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean success = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String remoteEntityID = mniResponse.getIssuer().getValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String requestID = mniResponse.getInResponseTo();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ManageNameIDRequestInfo reqInfo = getMNIRequestInfo(requestID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidInResponseToInResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String retCode = mniResponse.getStatus().getStatusCode().getValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (retCode.equalsIgnoreCase(SAML2Constants.SUCCESS)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logError("nullSSOToken", LogUtil.INVALID_SSOTOKEN , null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String userID = sessionProvider.getPrincipalName(session);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ManageNameIDRequest origMniReq = reqInfo.getManageNameIDRequest();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameIDInfo oldNameIDInfo = getNameIDInfo(userID, hostEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.error("DoManageNameID.checkMNIResponse: NameIDInfo " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "not found.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Terminate
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (hostRole.equalsIgnoreCase(SAML2Constants.SP_ROLE)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster oldNameIDInfo.getNameIDInfoKey().toValueString();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spFedSessions = (List)SPCache.fedSessionListsByNameIDInfoKey.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((agent != null) && agent.isRunning() && (saml2Svc != null)){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (long)SPCache.fedSessionListsByNameIDInfoKey.size());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster removeIDPFedSession(remoteEntityID, oldNameID.getValue());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!AccountUtils.removeAccountFederation(oldNameIDInfo, userID)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // log termination failure
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logError("unableToTerminate", LogUtil.UNABLE_TO_TERMINATE,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // log termination success
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logAccess("requestSuccess", LogUtil.SUCCESS_FED_TERMINATION,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return true;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // newID case
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String newIDValue = origMniReq.getNewID().getValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean isAffiliation = oldNameIDInfo.isAffiliation();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String spNameQualifier = oldNameID.getSPNameQualifier();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (hostRole.equalsIgnoreCase(SAML2Constants.SP_ROLE)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameID newNameID = AssertionFactory.getInstance().
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newNameID.setNameQualifier(oldNameID.getNameQualifier());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (isAffiliation ? spNameQualifier : hostEntityID),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster remoteEntityID, newNameID, hostRole, isAffiliation);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newNameIDInfo.getNameIDInfoKey().toValueString();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AccountUtils.setAccountFederation(newNameIDInfo, userID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] fromToken = sessionProvider.getProperty(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((fromToken == null) || (fromToken.length == 0) ||
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (fromToken[0].indexOf(newInfoKeyStr) == -1) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DoManageNameID.checkMNIResponse:",e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (hostRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameID newNameID = AssertionFactory.getInstance().
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newNameID.setSPProvidedID(oldNameID.getSPProvidedID());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameIDInfo newNameIDInfo = new NameIDInfo(hostEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (isAffiliation ? spNameQualifier : remoteEntityID),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newNameID, SAML2Constants.IDP_ROLE, isAffiliation);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AccountUtils.setAccountFederation(newNameIDInfo, userID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameIDandSPpair pair = new NameIDandSPpair(newNameID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List list = (List)idpSession.getNameIDandSPpairs();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // log manage name id success
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logAccess("newNameIDSuccess", LogUtil.SUCCESS_NEW_NAMEID, userID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logError("mniFailed", LogUtil.INVALID_MNI_RESPONSE , null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString("mniFailed"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static ManageNameIDRequestInfo getMNIRequestInfo(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (hostRole.equalsIgnoreCase(SAML2Constants.SP_ROLE)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (hostRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static NameIDInfo getNameIDInfo(String userID, String hostEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String remoteEntityID, String hostRole, String realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String affiliationID, boolean invalidAffiIDAllowed)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster metaManager.getAffiliationDescriptor(realm, affiliationID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!affiDesc.getAffiliateMember().contains(hostEntityID)){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "spNotAffiliationMember"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster nameInfo = AccountUtils.getAccountFederation(userID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "spNotAffiliationMember"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster nameInfo = AccountUtils.getAccountFederation(userID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster nameInfo = AccountUtils.getAccountFederation(userID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "affiliationNotFound"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster nameInfo = AccountUtils.getAccountFederation(userID, hostEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static boolean removeFedAccount(String userID, String hostEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String remoteEntityID, String hostRole, String realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameIDInfo nameInfo = getNameIDInfo(userID, hostEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster remoteEntityID, hostRole, realm, affiliationID, true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return AccountUtils.removeAccountFederation(nameInfo, userID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static ManageNameIDServiceElement getMNIServiceElement(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throws SAML2MetaException, SessionException, SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Entity ID : " + entityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Host Entity Role : " + hostEntityRole);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (hostEntityRole.equalsIgnoreCase(SAML2Constants.SP_ROLE)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster mniService = getIDPManageNameIDConfig(realm, entityID, binding);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if (hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster mniService = getSPManageNameIDConfig(realm, entityID, binding);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("nullHostEntityRole"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static private NameID getNameID(String userID, String hostEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String remoteEntityID, String hostEntityRole, String affiliationID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameIDInfo nameIDInfo = getNameIDInfo(userID, hostEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster remoteEntityID, hostEntityRole, realm, affiliationID, false);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DoManageNameID.getNameID: userID = " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster userID + ", nameID = " + nameID.toXMLString());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString("nullNameID"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static private void setNameIDForMNIRequest(ManageNameIDRequest mniRequest,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameID nameID, boolean changeID, String realm, String hostEntity,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String hostEntityRole, String remoteEntity) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String method = "DoManageNameID.setNameIDForMNIRequest: ";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean needEncryptIt = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster needEncryptIt = SAML2Utils.getWantNameIDEncrypted(realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster needEncryptIt = SAML2Utils.getWantNameIDEncrypted(realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String newIDValue = SAML2Utils.createNameIdentifier();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newID = ProtocolFactory.getInstance().createNewID(newIDValue);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "NamID doesn't need to be encrypted.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (hostEntityRole.equalsIgnoreCase(SAML2Constants.IDP_ROLE)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster metaManager.getSPSSODescriptor(realm, remoteEntity);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster encInfo = KeyUtil.getEncInfo(spSSODesc, remoteEntity,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster metaManager.getIDPSSODescriptor(realm, remoteEntity);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster encInfo = KeyUtil.getEncInfo(idpSSODesc, remoteEntity,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "hostEntity is : " + hostEntity);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Host Entity role is : " + hostEntityRole);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "remoteEntity is : " + remoteEntity);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logError("UnableToFindEncryptKeyInfo", LogUtil.METADATA_ERROR,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "UnableToFindEncryptKeyInfo"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster EncryptedID encryptedID = nameID.encrypt(encInfo.getWrappingKey(),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // This non-encrypted NameID will be removed just
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // after saveMNIRequestInfo and just before it is sent to
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NewEncryptedID newEncID = newID.encrypt(encInfo.getWrappingKey(),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // This non-encrypted newID will be removed just
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // after saveMNIRequestInfo and just before it is sent to
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static private NewID getNewIDFromMNIRequest(ManageNameIDRequest request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm, String hostEntityID, String hostEntityRole)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean needDecryptIt = SAML2Utils.getWantNameIDEncrypted(realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DoManageNameID.getNewIDFromMNIRequest: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "NamID doesn't need to be decrypted.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DoManageNameID.getNewIDFromMNIRequest: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DoManageNameID.getNewIDFromMNIRequest: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NewEncryptedID encryptedID = request.getNewEncryptedID();
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings return encryptedID.decrypt(KeyUtil.getDecryptionKeys(realm, hostEntityID, hostEntityRole));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static private NameID getNameIDFromMNIRequest(ManageNameIDRequest request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm, String hostEntity, String hostEntityRole)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String method = "DoManageNameID.getNameIDFromMNIRequest: ";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean needDecryptIt = SAML2Utils.getWantNameIDEncrypted(realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "NamID doesn't need to be decrypted.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "hostEntity is : " + hostEntity);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + "Host Entity role is : " + hostEntityRole);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster EncryptedID encryptedID = request.getEncryptedID();
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings return encryptedID.decrypt(KeyUtil.getDecryptionKeys(realm, hostEntity, hostEntityRole));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns first ManageNameID configuration in an entity under
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the realm.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm The realm under which the entity resides.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param entityId ID of the entity to be retrieved.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param binding the binding type that has to be matched.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>ManageNameIDServiceElement</code> for the entity or null
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAML2MetaException if unable to retrieve the first identity
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * provider's SSO configuration.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SessionException invalid or expired single-sign-on session
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static public ManageNameIDServiceElement getIDPManageNameIDConfig(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster metaManager.getIDPSSODescriptor(realm, entityId);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.error(SAML2Utils.bundle.getString("noIDPEntry"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List list = idpSSODesc.getManageNameIDService();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return (ManageNameIDServiceElement)list.get(0);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (binding.equalsIgnoreCase(mni.getBinding())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns first ManageNameID configuration in an entity under
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the realm.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm The realm under which the entity resides.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param entityId ID of the entity to be retrieved.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param binding the binding type that has to be matched.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>ManageNameIDServiceElement</code> for the entity or null
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAML2MetaException if unable to retrieve the first service
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * provider's SSO configuration.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SessionException invalid or expired single-sign-on session.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static public ManageNameIDServiceElement getSPManageNameIDConfig(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster metaManager.getSPSSODescriptor(realm, entityId);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List list = spSSODesc.getManageNameIDService();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return (ManageNameIDServiceElement)list.get(0);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (binding.equalsIgnoreCase(mni.getBinding())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static IDPSession removeIDPFedSession(String spEntity, String nameID) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String method = "DoManageNameID.removeIDPFedSession ";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method + " trying to remove entity=" + spEntity
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + ", nameID=" + nameID + " from IDP session cache");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method+"IDPCache.idpSessionsByIndices is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "IDPCache.idpSessionsByIndices return null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List nameIDSPlist = idpSession.getNameIDandSPpairs();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // synchronize to avoid concurrent modification of the shared list
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (nameIDSPlist) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (spID.equalsIgnoreCase(spEntity) && nameIDPair.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Object session, String infoKey) throws SessionException {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster session, AccountUtils.getNameIDInfoKeyAttribute());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method+"InfoKeyString from session is null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method+"InfoKeyString from session : "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method+"InfoKey need to delete : " + infoKey);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StringTokenizer(infoKeyString, SAML2Constants.SECOND_DELIM);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method+"InfoKey from session : " + tmpInfoKey);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newInfoKey.append(SAML2Constants.SECOND_DELIM);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method+"New InfoKey to session : "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster session, AccountUtils.getNameIDInfoKeyAttribute(), v);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message(method+"New InfoKey from session : " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster session, AccountUtils.getNameIDInfoKeyAttribute()));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static void doMNIByPOST(String mniXMLString, String mniURL,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String relayState, String realm, String hostEntity,
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest HttpServletResponse response, HttpServletRequest request) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String encMsg = SAML2Utils.encodeForPOST(mniXMLString);
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest SAML2Utils.postToTarget(request, response, "SAMLRequest", encMsg, "RelayState",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static void signMNIRequest(String certAlias,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ManageNameIDRequest mniRequest) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster KeyProvider kp = KeyUtil.getKeyProviderInstance();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("DoManageNameID.signMNIRequest: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Unable to get a key provider instance.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullKeyProvider"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static void processPOSTRequest(HttpServletRequest request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throws SAML2Exception, IOException, SOAPException, SessionException,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String classMethod = "DoManageNameID.processPOSTRequest:";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String samlRequest = request.getParameter(SAML2Constants.SAML_REQUEST);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "MissingSAMLRequest",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("MissingSAMLRequest"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "MissingSAMLRequest"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2MetaUtils.getMetaAliasByUri(request.getRequestURI());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logError("MetaAliasNotFound", LogUtil.MISSING_META_ALIAS,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "MetaAliasNotFound"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String hostEntityID = metaManager.getEntityByMetaAlias(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String hostEntityRole = SAML2Utils.getHostEntityRole(paramsMap);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean isSupported = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (SAML2Constants.IDP_ROLE.equals(hostEntityRole)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster isSupported = SAML2Utils.isIDPProfileBindingSupported(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_POST);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster isSupported = SAML2Utils.isSPProfileBindingSupported(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_POST);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "MNI binding: POST is not supported for " + hostEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { hostEntityID, SAML2Constants.HTTP_POST };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "unsupportedBinding"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Document doc = XMLUtils.toDOMDocument(bis, SAML2Utils.debug);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster createManageNameIDRequest(doc.getDocumentElement());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.error("DoManageNameID.processPOSTRequest:", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullDecodedStrFromSamlResponse",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse") +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullDecodedStrFromSamlResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.error("DoManageNameID.processPOSTRequest:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullDecodedStrFromSamlResponse",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("nullDecodedStrFromSamlResponse") +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullDecodedStrFromSamlResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DoManageNameID.processPOSTRequest:",ie);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String remoteEntityID = mniRequest.getIssuer().getValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logError("nullRemoteEntityID", LogUtil.MISSING_ENTITY, metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullRemoteEntityID"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DoManageNameID.processPOSTRequest: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DoManageNameID.processPOSTRequest: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DoManageNameID.processPOSTRequest: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean valid = verifyMNIRequest(mniRequest, realm, remoteEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.MNI_REQUEST_INVALID_SIGNATURE, metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "invalidSignInRequest"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ManageNameIDServiceElement mniService = getMNIServiceElement(realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster remoteEntityID, hostEntityRole, SAML2Constants.HTTP_POST);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String mniURL = mniService.getResponseLocation();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // common to the POST, Redirect and SOAP bindings
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ManageNameIDResponse mniResponse = processManageNameIDRequest(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster mniRequest, metaAlias, remoteEntityID,paramsMap, null,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster signMNIResponse(mniResponse, realm, hostEntityID, hostEntityRole,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //send MNI Response by POST
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String mniRespString = mniResponse.toXMLString(true, true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String encMsg = SAML2Utils.encodeForPOST(mniRespString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String relayState = request.getParameter(SAML2Constants.RELAY_STATE);
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest SAML2Utils.postToTarget(request, response, "SAMLResponse", encMsg,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DoManageNameID.processPOSTRequest:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception("Error posting to target");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static String getMNIResponseFromPost(String samlResponse,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster HttpServletResponse response) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "missingSAMLResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Document doc = XMLUtils.toDOMDocument(bis, debug);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster createManageNameIDResponse(doc.getDocumentElement());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.error("DoManageNameID.getMNIResponseFromPost:", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullDecodedStrFromSamlResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.error("DoManageNameID.getMNIResponseFromPost:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullDecodedStrFromSamlResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DoManageNameID.getMNIResponseFromPost:",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DoManageNameID.getMNIResponseFromPost: " + respStr);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static boolean processMNIResponsePOST(HttpServletRequest request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean success = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String metaAlias = SAML2MetaUtils.getMetaAliasByUri(requestURL);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logError("MetaAliasNotFound", LogUtil.MISSING_META_ALIAS, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "MetaAliasNotFound"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String hostEntityID = metaManager.getEntityByMetaAlias(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String hostRole = SAML2Utils.getHostEntityRole(paramsMap);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean isSupported = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (SAML2Constants.IDP_ROLE.equals(hostRole)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster isSupported = SAML2Utils.isIDPProfileBindingSupported(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_POST);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster isSupported = SAML2Utils.isSPProfileBindingSupported(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.MNI_SERVICE, SAML2Constants.HTTP_POST);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "MNI binding: POST is not supported for " + hostEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { hostEntityID, SAML2Constants.HTTP_POST };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "unsupportedBinding"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String relayState = request.getParameter(SAML2Constants.RELAY_STATE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String mniRes = request.getParameter(SAML2Constants.SAML_RESPONSE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String mniResStr = getMNIResponseFromPost(mniRes,response);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullDecodedStrFromSamlResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DoManageNameID.processMNIResponsePOST: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DoManageNameID.processMNIResponsePOST: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DoManageNameID.processMNIResponsePOST: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DoManageNameID.processMNIResponsePOST: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Validate the RelayState URL: it is untrusted form input read from the request above.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster mniResponse = pf.createManageNameIDResponse(mniResStr);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String remoteEntityID = mniResponse.getIssuer().getValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String requestId = mniResponse.getInResponseTo();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.verifyResponseIssuer(realm, hostEntityID, resIssuer,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean needToVerify = SAML2Utils.getWantMNIResponseSigned(realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean valid = verifyMNIResponse(mniResponse, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "invalidSignInResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster success = checkMNIResponse(mniResponse, realm, hostEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logError("invalidSSOToken", LogUtil.INVALID_SSOTOKEN, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "invalidSSOToken"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DoManageNameID.processMNIResponsePOST: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static ManageNameIDRequest getMNIRequestFromPost(String samlRequest)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DoManageNameID.getMNIRequestFromPost: samlRequest = " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Document doc = XMLUtils.toDOMDocument(bis, SAML2Utils.debug);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster createManageNameIDRequest(doc.getDocumentElement());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.error("DoManageNameID.getMNIRequestFromPost:", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullDecodedStrFromSamlResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.error("DoManageNameID.getMNIRequestFromPost:", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullDecodedStrFromSamlResponse"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("DoManageNameID.getMNIRequestFromPost:",