a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: IDPProxyUtil.java,v 1.18 2009/11/20 21:41:16 exu Exp $
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpotts * Portions Copyrighted 2010-2016 ForgeRock AS.
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpottsimport static org.forgerock.openam.utils.Time.*;
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeperimport com.sun.identity.saml2.common.SAML2FailoverUtils;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.common.SOAPCommunicator;
fc6d568154347c9dab7917072f6097389534c6a1Quentin CASTELimport com.sun.identity.saml2.protocol.RequesterID;
fc6d568154347c9dab7917072f6097389534c6a1Quentin CASTELimport com.sun.identity.saml2.protocol.impl.RequesterIDImpl;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.datastruct.OrderedSet;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.encode.URLEncDec;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Assertion;
79511c8d648d5b9dc613719c690b9fc4ffcd1043Sam Fraserimport com.sun.identity.saml2.assertion.EncryptedAssertion;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Subject;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.AssertionFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Constants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Exception;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Utils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.entityconfig.IDPSSOConfigElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.plugins.SAML2IDPFinder;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.AuthnRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.IDPEntry;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.LogoutRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.LogoutResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.NameIDPolicy;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.Response;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.ProtocolFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionException;
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Majorimport com.sun.identity.saml2.jaxb.metadata.SingleSignOnServiceElement;
fe64160425f92efd10af752ec615734ade22e9ddPeter Majorimport com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter;
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeperimport org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException;
dba874fb22099c605a3accab4c26632208dfa15aJon Thomasimport org.forgerock.openam.saml2.audit.SAML2EventLogger;
79511c8d648d5b9dc613719c690b9fc4ffcd1043Sam Fraserimport org.forgerock.openam.utils.CollectionUtils;
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeperimport org.forgerock.openam.utils.StringUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Utility class to be used for IDP Proxying.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // IDP proxy finder
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // private static SAML2IDPFinder proxyFinder = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static SessionProvider sessionProvider = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionProvider = SessionManager.getProvider();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("IDPSSOFederate:Static Init Failed", ex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets the preferred IDP Id to be proxied. This method makes use of an
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SPI to determine the preferred IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnRequest original Authn Request.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostedEntityId hosted provider ID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm Realm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request HttpServletRequest
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response HttpServletResponse
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception SAML2Exception for any SAML2 failure.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return String Provider id of the preferred IDP to be proxied.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2IDPFinder proxyFinder = getIDPProxyFinder(realm, hostedEntityId);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List idpProviderIDs = proxyFinder.getPreferredIDP(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((idpProviderIDs == null) || idpProviderIDs.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sends a new AuthnRequest to the authenticating provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnRequest original AuthnRequest sent by the service provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param preferredIDP IDP to be proxied.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param spSSODescriptor SPSSO Descriptor Element
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostedEntityId hosted provider ID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request HttpServletRequest
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response HttpServletResponse
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm Realm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param relayState the Relay State
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major * @param originalBinding The binding used to send the original AuthnRequest.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception SAML2Exception for any SAML2 failure.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception IOException if there is a failure in redirection.
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest String classMethod = "IDPProxyUtil.sendProxyAuthnRequest: ";
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest SPSSODescriptorElement localDescriptor = null;
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest SPSSOConfigElement localDescriptorConfig = null;
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest IDPSSODescriptorElement idpDescriptor = null;
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major idpDescriptor = IDPSSOUtil.metaManager.getIDPSSODescriptor(realm, preferredIDP);
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major List<SingleSignOnServiceElement> ssoServiceList = idpDescriptor.getSingleSignOnService();
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major SingleSignOnServiceElement endpoint = getMatchingSSOEndpoint(ssoServiceList, originalBinding);
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major SAML2Utils.debug.error(classMethod + "Single Sign-on service is not found for the proxying IDP.");
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major throw new SAML2Exception(SAML2Utils.bundle.getString("ssoServiceNotFoundIDPProxy"));
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major localDescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(realm, hostedEntityId);
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major localDescriptorConfig = IDPSSOUtil.metaManager.getSPSSOConfig(realm, hostedEntityId);
420a3bbac5080d4a45b074040d304483273662c4Peter Major AuthnRequest newAuthnRequest = getNewAuthnRequest(hostedEntityId, destination, realm, authnRequest);
420a3bbac5080d4a45b074040d304483273662c4Peter Major // invoke SP Adapter class if registered
420a3bbac5080d4a45b074040d304483273662c4Peter Major SAML2ServiceProviderAdapter spAdapter = SAML2Utils.getSPAdapterClass(hostedEntityId, realm);
420a3bbac5080d4a45b074040d304483273662c4Peter Major spAdapter.preSingleSignOnRequest(hostedEntityId, preferredIDP, realm, request, response, newAuthnRequest);
420a3bbac5080d4a45b074040d304483273662c4Peter Major SAML2Utils.debug.message(classMethod + "New Authentication request:" + newAuthnRequest.toXMLString());
420a3bbac5080d4a45b074040d304483273662c4Peter Major // save the AuthnRequest in the IDPCache so that it can be
420a3bbac5080d4a45b074040d304483273662c4Peter Major // retrieved later when the user successfully authenticates
420a3bbac5080d4a45b074040d304483273662c4Peter Major IDPCache.authnRequestCache.put(requestID, newAuthnRequest);
420a3bbac5080d4a45b074040d304483273662c4Peter Major // save the original AuthnRequest
420a3bbac5080d4a45b074040d304483273662c4Peter Major IDPCache.proxySPAuthnReqCache.put(requestID, authnRequest);
420a3bbac5080d4a45b074040d304483273662c4Peter Major boolean signingNeeded = idpDescriptor.isWantAuthnRequestsSigned() || localDescriptor.isAuthnRequestsSigned();
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest // check if relayState is present and get the unique
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest // id which will be appended to the SSO URL before
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest // redirecting
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (relayState != null && relayState.length()> 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster relayStateID = SPSSOFederate.getRelayStateID(relayState,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (binding.equals(SAML2Constants.HTTP_POST)) {
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest SAML2MetaUtils.getAttributes(localDescriptorConfig),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPSSOFederate.signAuthnRequest(certAlias,newAuthnRequest);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String authXMLString = newAuthnRequest.toXMLString(true,true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String encodedReqMsg = SAML2Utils.encodeForPOST(authXMLString);
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest SAML2Utils.postToTarget(request, response, "SAMLRequest",
420a3bbac5080d4a45b074040d304483273662c4Peter Major encodedReqMsg, "RelayState", relayStateID, destination);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String authReqXMLString = newAuthnRequest.toXMLString(true,true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message(classMethod + " AuthnRequest: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String encodedXML = SAML2Utils.encodeForRedirect(authReqXMLString);
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest new StringBuffer().append(SAML2Constants.SAML_REQUEST)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //TODO: should it be newAuthnRequest???
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (relayStateID != null && relayStateID.length() > 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster queryString.append("&").append(SAML2Constants.RELAY_STATE)
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest SAML2MetaUtils.getAttributes(localDescriptorConfig),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String signedQueryStr = SPSSOFederate.signQueryString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.INFO, LogUtil.REDIRECT_TO_SP,data, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AuthnRequestInfo reqInfo = new AuthnRequestInfo(request, response,
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest realm, hostedEntityId, preferredIDP, newAuthnRequest, relayState,
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest // sessionExpireTime is counted in seconds
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpotts long sessionExpireTime = currentTimeMillis() / 1000 + SPCache.interval;
c36b3d48cd721148c2ed02c273ecf4f38e1add70Mark de Reeper SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(requestID, new AuthnRequestInfoCopy(reqInfo),
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest SAML2Utils.debug.message(classMethod + " SAVE AuthnRequestInfoCopy for requestID " + requestID);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2Utils.debug.error(classMethod + " SAVE AuthnRequestInfoCopy for requestID "
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major private static SingleSignOnServiceElement getMatchingSSOEndpoint(List<SingleSignOnServiceElement> endpoints,
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major SingleSignOnServiceElement preferredEndpoint = null;
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major boolean isFirst = true;
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major for (SingleSignOnServiceElement endpoint : endpoints) {
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major //If there is no match, we should use the first endpoint in the list
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major if (preferredBinding.equals(endpoint.getBinding())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Constructs a new authentication request from the original request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * sent by the service provider to the proxying IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostedEntityId hosted provider ID
420a3bbac5080d4a45b074040d304483273662c4Peter Major * @param destination The destination where the new AuthnRequest will be sent to.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm Realm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param origRequest Original Authn Request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return AuthnRequest the new authn request.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception SAML2Exception for failure in creating the new authn request.
420a3bbac5080d4a45b074040d304483273662c4Peter Major private static AuthnRequest getNewAuthnRequest(String hostedEntityId, String destination, String realm,
420a3bbac5080d4a45b074040d304483273662c4Peter Major AuthnRequest origRequest) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String classMethod = "IDPProxyUtil.getNewAuthnRequest: ";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // New Authentication request should only be a single sign-on request.
420a3bbac5080d4a45b074040d304483273662c4Peter Major AuthnRequest newRequest = ProtocolFactory.getInstance().createAuthnRequest();
420a3bbac5080d4a45b074040d304483273662c4Peter Major throw new SAML2Exception(SAML2Utils.bundle.getString("cannotGenerateID"));
420a3bbac5080d4a45b074040d304483273662c4Peter Major SPSSODescriptorElement localDescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(realm, hostedEntityId);
420a3bbac5080d4a45b074040d304483273662c4Peter Major newRequest.setDestination(XMLUtils.escapeSpecialCharacters(destination));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newRequest.setConsent(origRequest.getConsent());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newRequest.setIsPassive(origRequest.isPassive());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newRequest.setForceAuthn(origRequest.isForceAuthn());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newRequest.setAttributeConsumingServiceIndex(origRequest.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newRequest.setAssertionConsumerServiceIndex(origRequest.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String protocolBinding = origRequest.getProtocolBinding();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newRequest.setProtocolBinding(protocolBinding);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newRequest.setAssertionConsumerServiceURL(acsURL);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Issuer issuer = AssertionFactory.getInstance().createIssuer();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameIDPolicy origNameIDPolicy = origRequest.getNameIDPolicy();
3b705ce0a025821048ff45b348fb10188c46a608Peter Major NameIDPolicy newNameIDPolicy = ProtocolFactory.getInstance().createNameIDPolicy();
3b705ce0a025821048ff45b348fb10188c46a608Peter Major newNameIDPolicy.setFormat(origNameIDPolicy.getFormat());
3b705ce0a025821048ff45b348fb10188c46a608Peter Major newNameIDPolicy.setSPNameQualifier(hostedEntityId);
3b705ce0a025821048ff45b348fb10188c46a608Peter Major newNameIDPolicy.setAllowCreate(origNameIDPolicy.isAllowCreate());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newRequest.setRequestedAuthnContext(origRequest.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newRequest.setExtensions(origRequest.getExtensions());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newRequest.setVersion(SAML2Constants.VERSION_2_0);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Scoping newScoping = ProtocolFactory.getInstance().
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Integer proxyCountInt = scoping.getProxyCount();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster proxyCount = scoping.getProxyCount().intValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newScoping.setProxyCount(new Integer(proxyCount-1));
fc6d568154347c9dab7917072f6097389534c6a1Quentin CASTEL //Set the requesterIDs
fc6d568154347c9dab7917072f6097389534c6a1Quentin CASTEL newScoping.setRequesterIDs(scoping.getRequesterIDs());
fc6d568154347c9dab7917072f6097389534c6a1Quentin CASTEL addRequesterIDToScope(newScoping, origRequest.getIssuer().getValue());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //handling the alwaysIdpProxy case -> the incoming request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //did not contained a Scoping field
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPSSOConfigElement spConfig = getSPSSOConfigByAuthnRequest(realm, origRequest);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map<String, List<String>> spConfigAttrMap = SAML2MetaUtils.getAttributes(spConfig);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster scoping = ProtocolFactory.getInstance().createScoping();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String proxyCountParam = SPSSOFederate.getParameter(spConfigAttrMap,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (proxyCountParam != null && (!proxyCountParam.equals(""))) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster int proxyCount = Integer.valueOf(proxyCountParam);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //since this is a remote SP configuration, we should
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //decrement the proxycount by one
fc6d568154347c9dab7917072f6097389534c6a1Quentin CASTEL //Set the requesterIDs
fc6d568154347c9dab7917072f6097389534c6a1Quentin CASTEL addRequesterIDToScope(scoping, origRequest.getIssuer().getValue());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (proxyIdPs != null && !proxyIdPs.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List<IDPEntry> list = new ArrayList<IDPEntry>();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPEntry entry = ProtocolFactory.getInstance().
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPList idpList = ProtocolFactory.getInstance().
fc6d568154347c9dab7917072f6097389534c6a1Quentin CASTEL public static void addRequesterIDToScope(Scoping scoping, String requesterId) throws SAML2Exception {
fc6d568154347c9dab7917072f6097389534c6a1Quentin CASTEL List<RequesterID> requesterIDs = new ArrayList<>();
fc6d568154347c9dab7917072f6097389534c6a1Quentin CASTEL requesterIDs.addAll(scoping.getRequesterIDs());
fc6d568154347c9dab7917072f6097389534c6a1Quentin CASTEL RequesterID requesterID = new RequesterIDImpl();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Checks if the identity provider is configured for proxying the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * authentication requests for a requesting service provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnRequest Authentication Request.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm Realm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>true</code> if the IDP is configured for proxying.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception SAML2Exception for any failure.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static boolean isIDPProxyEnabled(AuthnRequest authnRequest,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //let's check if always IdP proxy and IdP Proxy itself is enabled
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spConfig = getSPSSOConfigByAuthnRequest(realm, authnRequest);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spConfigAttrsMap = SAML2MetaUtils.getAttributes(spConfig);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Boolean alwaysEnabled = SPSSOFederate.getAttrValueFromMap(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spConfigAttrsMap, SAML2Constants.ALWAYS_IDP_PROXY);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Boolean proxyEnabled = SPSSOFederate.getAttrValueFromMap(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spConfigAttrsMap, SAML2Constants.ENABLE_IDP_PROXY);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return true;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Integer proxyCountInt = scoping.getProxyCount();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //Proxy count missing, IDP Proxy allowed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spConfigAttrsMap = SAML2MetaUtils.getAttributes(spConfig);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Boolean enabledString = SPSSOFederate.getAttrValueFromMap(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spConfigAttrsMap, SAML2Constants.ENABLE_IDP_PROXY);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Checks if proxying is enabled, i.e. whether the proxy service
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * provider descriptor is set in the session manager for the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * specific request ID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param requestID authentication request id created by the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * proxying IDP for the request sent to the authenticating IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if the proxying is enabled.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static boolean isIDPProxyEnabled(String requestID) {
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major return IDPCache.proxySPAuthnReqCache.containsKey(requestID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sends the proxy authentication response to the proxying service
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * provider which originally requested the authentication.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request HttpServletRequest
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response HttpServletResponse
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest * @param out the print writer for writing out presentation
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param requestID request ID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idpMetaAlias meta Alias
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major * @param newSession Session object
dba874fb22099c605a3accab4c26632208dfa15aJon Thomas * @param nameIDFormat name identifier format
dba874fb22099c605a3accab4c26632208dfa15aJon Thomas * @param saml2Auditor a <code>SAML2EventLogger</code> auditor object to hook into
dba874fb22099c605a3accab4c26632208dfa15aJon Thomas * tracking information for the saml request
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major * @throws SAML2Exception for any SAML2 failure.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String classMethod = "IDPProxyUtil.sendProxyResponse: ";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPCache.proxySPAuthnReqCache.remove(requestID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String proxySPEntityId = origRequest.getIssuer().getValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + ":Original requesting service provider id:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Save the SP provider id based on the token id
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major IDPCache.spSessionPartnerBySessionID.put(sessionProvider.getSessionID(newSession), proxySPEntityId);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //TODO: set AuthnContext
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /*AuthnContext authnContextStm;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (authnContextStmt != null) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String authnContext = authnContextStmt.getAuthnContextClassRef();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster session.setAuthnContext(authnContext);
c2ef82503e46505b74eb802c0dcf41c303d18779Peter Major IDPCache.relayStateCache.get(origRequest.getID());
94c4282963f7db4f8703c196fecb5826a6c9b729Kamal Sivanandam * Sends back a response with the first-level and second-level status codes, if available, for the original AuthnRequest.
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major * @param request The request.
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major * @param response The response.
c36b3d48cd721148c2ed02c273ecf4f38e1add70Mark de Reeper * @param out The print writer for writing out presentation.
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major * @param requestID The requestID of the proxied AuthnRequest.
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major * @param idpMetaAlias The IdP's metaAlias.
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major * @param hostEntityID The IdP's entity ID.
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major * @param realm The realm where the IdP belongs to.
94c4282963f7db4f8703c196fecb5826a6c9b729Kamal Sivanandam * @param firstlevelStatusCodeValue First-level status code value passed.
94c4282963f7db4f8703c196fecb5826a6c9b729Kamal Sivanandam * @param secondlevelStatusCodeValue Second-level status code value passed.
94c4282963f7db4f8703c196fecb5826a6c9b729Kamal Sivanandam * @throws SAML2Exception If there was an error while sending the response with second-level status-code.
94c4282963f7db4f8703c196fecb5826a6c9b729Kamal Sivanandam public static void sendResponseWithStatus(HttpServletRequest request, HttpServletResponse response,
94c4282963f7db4f8703c196fecb5826a6c9b729Kamal Sivanandam PrintWriter out, String requestID, String idpMetaAlias,
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major AuthnRequest origRequest = (AuthnRequest) IDPCache.proxySPAuthnReqCache.remove(requestID);
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major String relayState = (String) IDPCache.relayStateCache.remove(origRequest.getID());
94c4282963f7db4f8703c196fecb5826a6c9b729Kamal Sivanandam IDPSSOUtil.sendResponseWithStatus(request, response, out, idpMetaAlias, hostEntityID, realm, origRequest,
94c4282963f7db4f8703c196fecb5826a6c9b729Kamal Sivanandam relayState, origRequest.getIssuer().getValue(), firstlevelStatusCodeValue, secondlevelStatusCodeValue);
c2ef82503e46505b74eb802c0dcf41c303d18779Peter Major * Generates the AuthnResponse on behalf of the IDP Proxy and sends it to the service provider.
c2ef82503e46505b74eb802c0dcf41c303d18779Peter Major * @param request HttpServletRequest The HTTP request.
c2ef82503e46505b74eb802c0dcf41c303d18779Peter Major * @param response HttpServletResponse The HTTP response.
c2ef82503e46505b74eb802c0dcf41c303d18779Peter Major * @param out The print writer for writing out presentation.
c2ef82503e46505b74eb802c0dcf41c303d18779Peter Major * @param metaAlias The meta alias.
c2ef82503e46505b74eb802c0dcf41c303d18779Peter Major * @param respInfo ResponseInfo object.
c2ef82503e46505b74eb802c0dcf41c303d18779Peter Major * @param newSession Session object.
dba874fb22099c605a3accab4c26632208dfa15aJon Thomas * @param auditor a <code>SAML2EventLogger</code> auditor
c2ef82503e46505b74eb802c0dcf41c303d18779Peter Major * @throws SAML2Exception for any SAML2 failure.
c2ef82503e46505b74eb802c0dcf41c303d18779Peter Major public static void generateProxyResponse(HttpServletRequest request, HttpServletResponse response, PrintWriter out,
dba874fb22099c605a3accab4c26632208dfa15aJon Thomas String metaAlias, ResponseInfo respInfo, Object newSession, SAML2EventLogger auditor) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String requestID = saml2Resp.getInResponseTo();
79511c8d648d5b9dc613719c690b9fc4ffcd1043Sam Fraser String nameidFormat = getNameIDFormat(saml2Resp, metaAlias);
c2ef82503e46505b74eb802c0dcf41c303d18779Peter Major if (nameidFormat != null && SAML2Utils.debug.messageEnabled()) {
c2ef82503e46505b74eb802c0dcf41c303d18779Peter Major SAML2Utils.debug.message("NAME ID Format= " + nameidFormat);
c2ef82503e46505b74eb802c0dcf41c303d18779Peter Major // Save the SAML response received from the IdP in the request object, so that we can access the original
c2ef82503e46505b74eb802c0dcf41c303d18779Peter Major // assertion when generating the new one.
c2ef82503e46505b74eb802c0dcf41c303d18779Peter Major request.setAttribute(SAML2Constants.SAML_PROXY_IDP_RESPONSE_KEY, saml2Resp);
dba874fb22099c605a3accab4c26632208dfa15aJon Thomas sendProxyResponse(request, response, out, requestID, metaAlias, newSession, nameidFormat, auditor);
79511c8d648d5b9dc613719c690b9fc4ffcd1043Sam Fraser private static String getNameIDFormat(Response res, String metaAlias) {
79511c8d648d5b9dc613719c690b9fc4ffcd1043Sam Fraser // Check for Encrypted Assertions
79511c8d648d5b9dc613719c690b9fc4ffcd1043Sam Fraser List<EncryptedAssertion> encryptedAssertions = res.getEncryptedAssertion();
79511c8d648d5b9dc613719c690b9fc4ffcd1043Sam Fraser if(CollectionUtils.isEmpty(encryptedAssertions)){
79511c8d648d5b9dc613719c690b9fc4ffcd1043Sam Fraser String realm = SAML2Utils.getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
79511c8d648d5b9dc613719c690b9fc4ffcd1043Sam Fraser String hostEntityId = sm.getEntityByMetaAlias(metaAlias);
79511c8d648d5b9dc613719c690b9fc4ffcd1043Sam Fraser Set<PrivateKey> decryptionKeys = KeyUtil.getDecryptionKeys(sm.getSPSSOConfig(realm, hostEntityId));
79511c8d648d5b9dc613719c690b9fc4ffcd1043Sam Fraser assertion = encryptedAssertions.get(0).decrypt(decryptionKeys);
79511c8d648d5b9dc613719c690b9fc4ffcd1043Sam Fraser SAML2Utils.debug.error("getNameIDFormat failed decrypting EncryptedAssertion", ex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Initiates the Single logout request by the IDP Proxy to the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * authenticating identity provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request HttpServletRequest
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response HttpServletResponse
c36b3d48cd721148c2ed02c273ecf4f38e1add70Mark de Reeper * @param out The print writer for writing out presentation.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param partner Authenticating identity provider
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param spMetaAlias IDP proxy's meta alias acting as SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm Realm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullSSOToken",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] values = SessionManager.getProvider().
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster getProperty(ssoToken, SAML2Constants.SP_METAALIAS);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster paramsMap.put(SAML2Constants.ROLE, SAML2Constants.SP_ROLE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster paramsMap.put(SAML2Constants.BINDING, binding);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String dest = getLocation(realm, partner, binding);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "sloResponseServiceLocationNotfound"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster paramsMap.put("Consent", request.getParameter("Consent"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster paramsMap.put("Extension", request.getParameter("Extension"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster paramsMap.put(SAML2Constants.RELAY_STATE, relayState);
c36b3d48cd721148c2ed02c273ecf4f38e1add70Mark de Reeper SPSingleLogout.initiateLogoutRequest(request,response, out,
6ee2adce4b7ba1c7cdee88dce16cc901d1a1e1ceDavid Luna binding, paramsMap, logoutReq, msg, ssoToken, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("Error sending Logout Request " , sse);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "LogoutRequestCreationError",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "LogoutRequestCreationError"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("Error initializing Request ",e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "LogoutRequestCreationError",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "LogoutRequestCreationError"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets the SLO response service location of the authenticating
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * identity provider
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm Realm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idpEntityID authenticating identity provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return location URL of the SLO response service, or null
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * if it is not found.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static String getLocation (String realm, String idpEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get IDPSSODescriptor
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO,LogUtil.IDP_METADATA_ERROR,data,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List slosList = idpsso.getSingleLogoutService();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO,LogUtil.SLO_NOT_FOUND,data,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("sloServiceListNotfound"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster location = LogoutUtil.getSLOServiceLocation(slosList,binding);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (SAML2Utils.debug.messageEnabled() && (location != null)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static List getSessionPartners(HttpServletRequest request)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Object tmpsession = sessionProvider.getSession(request);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String tokenID = sessionProvider.getSessionID(tmpsession);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "SESSION PARTNER's Provider ID: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Object tmpsession = sessionProvider.getSession(request);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String tokenID = sessionProvider.getSessionID(tmpsession);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "CURRENT PARTNER's provider ID: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("Starting IDP proxy logout.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2MetaUtils.getMetaAliasByUri(request.getRequestURI()) ;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPCache.idpSessionsBySessionID.remove(tokenID);
c36b3d48cd721148c2ed02c273ecf4f38e1add70Mark de Reeper initiateSPLogoutRequest(request,response, out, party, metaAlias, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logoutReq, null, idpSession, binding, relayState);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper throw new SAML2Exception(SAML2Utils.bundle.getString("nullIDPEntityID"));
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper SAML2Utils.debug.message("Proxy IDP EntityID=" + entityID);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper String realm = infoMap.get(SAML2Constants.REALM);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper SAML2Utils.debug.message("Proxy IDP Realm=" + realm);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper LogoutResponse logoutRes = LogoutUtil.generateResponse(null, originatingRequestID,
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper SAML2Utils.createIssuer(entityID), realm, SAML2Constants.IDP_ROLE, remoteEntity);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper String location = IDPSingleLogout.getSingleLogoutLocation(remoteEntity, realm, SAML2Constants.HTTP_REDIRECT);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper SAML2Utils.debug.message("Proxy to: " + location);
5a94313bda679ecfc84e2605ac3484ad9c69c3cfMark de Reeper logoutRes.setDestination(XMLUtils.escapeSpecialCharacters(location));
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper String relayState = infoMap.get(SAML2Constants.RELAY_STATE);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper LogoutUtil.sendSLOResponse(response, request, logoutRes, location, relayState, realm, entityID,
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper SAML2Constants.IDP_ROLE, remoteEntity, binding);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "CURRENT PARTNER's provider ID: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("Starting IDP proxy logout.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2MetaUtils.getMetaAliasByUri(request.getRequestURI()) ;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
c36b3d48cd721148c2ed02c273ecf4f38e1add70Mark de Reeper initiateSPLogoutRequest(request,response, out, party, metaAlias, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster null, msg ,idpSession, SAML2Constants.SOAP, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static Map getSessionPartners(SOAPMessage message) {
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings Element reqElem = SOAPCommunicator.getInstance().getSamlpElement(message,
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings "LogoutRequest");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ProtocolFactory.getInstance().createLogoutRequest(reqElem);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Number of session indices in the logout request is "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("getSessionPartners: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPCache.idpSessionsByIndices.get(sessionIndex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // session is in another server
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessMap.put(SAML2Constants.SESSION_INDEX, sessionIndex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessMap.put(SAML2Constants.IDP_SESSION, idpSession);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String tokenId = sessionProvider.getSessionID(session);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "SESSION PARTNER's Provider ID: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessMap.put(SAML2Constants.PARTNERS, partners);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("getSessionPartners: Number of " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "session indices in the logout request is null");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("getSessionPartners: ", se);
c36b3d48cd721148c2ed02c273ecf4f38e1add70Mark de Reeper public static void sendProxyLogoutResponseBySOAP(SOAPMessage reply, HttpServletResponse resp, PrintWriter out) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Need to call saveChanges because we're
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // going to use the MimeHeaders to set HTTP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // response information. These MimeHeaders
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // are generated as part of the save.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.putHeaders(reply.getMimeHeaders(), resp);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Write out the message on the response stream
c36b3d48cd721148c2ed02c273ecf4f38e1add70Mark de Reeper ByteArrayOutputStream stream = new ByteArrayOutputStream();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("sendProxyLogoutResponseBySOAP: ", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("sendProxyLogoutResponseBySOAP: ", ie);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static void sendIDPInitProxyLogoutRequest(
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper String logoutAll = request.getParameter(SAML2Constants.LOGOUT_ALL);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper IDPSSOConfigElement config = sm.getIDPSSOConfig(realm, spEntityID);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper paramsMap.put("metaAlias", config.getMetaAlias());
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper paramsMap.put(SAML2Constants.ROLE, SAML2Constants.IDP_ROLE);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper paramsMap.put(SAML2Constants.BINDING, SAML2Constants.HTTP_REDIRECT);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper paramsMap.put("Destination", request.getParameter("Destination"));
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper paramsMap.put("Consent", request.getParameter("Consent"));
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper paramsMap.put("Extension", request.getParameter("Extension"));
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper logoutResponseMap.put("LogoutResponse", logoutResponse);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper if (location != null && !location.equals("")) {
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper if (spEntityID != null && !spEntityID.equals("")) {
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper logoutResponseMap.put("spEntityID", spEntityID);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper if (idpEntityID != null && !idpEntityID.equals("")) {
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper logoutResponseMap.put("idpEntityID", idpEntityID);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper paramsMap.put("LogoutMap", logoutResponseMap);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper paramsMap.put(SAML2Constants.LOGOUT_ALL, logoutAll);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper IDPSingleLogout.initiateLogoutRequest(request, response, out, binding, paramsMap);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper if (binding.equalsIgnoreCase(SAML2Constants.SOAP)) {
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper if (RelayState != null) {
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper response.sendRedirect(RelayState);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper page="/saml2/jsp/default.jsp?message=idpSloSuccess" />
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static List getSPSessionPartners(HttpServletRequest request)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Object tmpsession = sessionProvider.getSession(request);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String tokenID = sessionProvider.getSessionID(tmpsession);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster pid=(String)IDPCache.spSessionPartnerBySessionID.get(tokenID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPCache.spSessionPartnerBySessionID.remove(tokenID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns an <code>IDPProxyFinder</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm the realm name
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idpEntityID the entity id of the identity provider
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the <code>IDPProxyFinder</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception SAML2Exception if the operation is not successful
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String classMethod = "IDPProxyUtil.getIDPProxyFinder: ";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster idpProxyFinderName = IDPSSOUtil.getAttributeValueFromIDPSSOConfig(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster realm, idpEntityID, SAML2Constants.PROXY_IDP_FINDER_CLASS);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (idpProxyFinderName == null || idpProxyFinderName.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message(classMethod + "use " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Class.forName(idpProxyFinderName).newInstance();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "got the IDPProxyFinder from cache");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static SPSSOConfigElement getSPSSOConfigByAuthnRequest(