ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpotts/*
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * opensso/legal/CDDLv1.0.txt
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * at opensso/legal/CDDLv1.0.txt.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: IDPProxyUtil.java,v 1.18 2009/11/20 21:41:16 exu Exp $
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpotts * Portions Copyrighted 2010-2016 ForgeRock AS.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpotts
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterpackage com.sun.identity.saml2.profile;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpottsimport static org.forgerock.openam.utils.Time.*;
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpotts
c36b3d48cd721148c2ed02c273ecf4f38e1add70Mark de Reeperimport java.io.ByteArrayOutputStream;
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrestimport java.io.PrintWriter;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.logging.Level;
80849398a45dca1fb917716907d6ec99be6222c2Peter Major
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeperimport com.sun.identity.saml2.common.SAML2FailoverUtils;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.common.SOAPCommunicator;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.logging.LogUtil;
fc6d568154347c9dab7917072f6097389534c6a1Quentin CASTELimport com.sun.identity.saml2.protocol.RequesterID;
fc6d568154347c9dab7917072f6097389534c6a1Quentin CASTELimport com.sun.identity.saml2.protocol.impl.RequesterIDImpl;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.debug.Debug;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.datastruct.OrderedSet;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.encode.URLEncDec;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.xml.XMLUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.common.SAMLUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Assertion;
79511c8d648d5b9dc613719c690b9fc4ffcd1043Sam Fraserimport com.sun.identity.saml2.assertion.EncryptedAssertion;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.NameID;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Subject;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.AssertionFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Issuer;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Constants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Exception;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Utils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.entityconfig.IDPSSOConfigElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement;
79511c8d648d5b9dc613719c690b9fc4ffcd1043Sam Fraserimport com.sun.identity.saml2.key.KeyUtil;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.plugins.SAML2IDPFinder;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.AuthnRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.IDPEntry;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.LogoutRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.LogoutResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.NameIDPolicy;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.Response;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.ProtocolFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.Scoping;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.io.IOException;
79511c8d648d5b9dc613719c690b9fc4ffcd1043Sam Fraserimport java.security.PrivateKey;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.Date;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.Iterator;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.List;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.ArrayList;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.Map;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.HashMap;
79511c8d648d5b9dc613719c690b9fc4ffcd1043Sam Fraserimport java.util.Set;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport javax.servlet.http.HttpServletRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport javax.servlet.http.HttpServletResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport javax.xml.soap.SOAPMessage;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport javax.xml.soap.SOAPException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionException;
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Majorimport com.sun.identity.saml2.jaxb.metadata.SingleSignOnServiceElement;
fe64160425f92efd10af752ec615734ade22e9ddPeter Majorimport com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.IDPList;
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeperimport org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException;
dba874fb22099c605a3accab4c26632208dfa15aJon Thomasimport org.forgerock.openam.saml2.audit.SAML2EventLogger;
79511c8d648d5b9dc613719c690b9fc4ffcd1043Sam Fraserimport org.forgerock.openam.utils.CollectionUtils;
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeperimport org.forgerock.openam.utils.StringUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport org.w3c.dom.Element;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster/**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Utility class to be used for IDP Proxying.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterpublic class IDPProxyUtil {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
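// Metadata manager and session provider shared by the proxy helpers. Both are left
// null when the static initializer fails, so any later use of them would fail too.
private static SAML2MetaManager sm = null;

// Debug logger shared with the rest of the SAML2 code.
private static Debug debug = SAML2Utils.debug;
private static SessionProvider sessionProvider = null;
static {
    try {
        sm = new SAML2MetaManager();
        sessionProvider = SessionManager.getProvider();
    } catch (Exception ex) {
        // There is no caller to propagate to from a static initializer, so the failure is
        // only logged; the message names this class so the log entry can be traced to it.
        SAML2Utils.debug.error("IDPProxyUtil:Static Init Failed", ex);
    }
}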
c36b3d48cd721148c2ed02c273ecf4f38e1add70Mark de Reeper
/** Not instantiable: every member of this utility class is static. */
private IDPProxyUtil() {
}
c36b3d48cd721148c2ed02c273ecf4f38e1add70Mark de Reeper
/**
 * Gets the preferred IDP Id to be proxied. The choice is delegated to the
 * {@link SAML2IDPFinder} SPI configured for the hosted entity; the first
 * candidate it returns wins.
 *
 * @param authnRequest original Authn Request.
 * @param hostedEntityId hosted provider ID
 * @param realm Realm
 * @param request HttpServletRequest
 * @param response HttpServletResponse
 * @exception SAML2Exception for any SAML2 failure.
 * @return String Provider id of the preferred IDP to be proxied, or {@code null}
 *         when the finder returns no candidate.
 */
public static String getPreferredIDP(
        AuthnRequest authnRequest,
        String hostedEntityId,
        String realm,
        HttpServletRequest request,
        HttpServletResponse response)
        throws SAML2Exception {
    SAML2IDPFinder finder = getIDPProxyFinder(realm, hostedEntityId);
    List<?> candidates = finder.getPreferredIDP(authnRequest, hostedEntityId, realm, request, response);
    boolean noCandidate = candidates == null || candidates.isEmpty();
    // The finder contract yields provider IDs as strings; only the head of the list is used.
    return noCandidate ? null : (String) candidates.get(0);
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
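/**
 * Sends a new AuthnRequest to the authenticating (proxied) IDP on behalf of the
 * service provider that sent {@code authnRequest}.
 * <p>
 * Steps, in order: resolve the proxied IDP's SingleSignOnService endpoint matching
 * {@code originalBinding} (falling back to the first endpoint), build the new request
 * from the original one, hand it to the registered SP adapter (if any), cache both the
 * new and the original request under the new request ID, sign when the remote IDP wants
 * signed requests or the local SP descriptor declares it signs them, and deliver by
 * HTTP-POST or HTTP-Redirect. Finally the request info is stored in
 * {@code SPCache.requestHash} and, when failover is enabled, in the token repository.
 *
 * @param authnRequest original AuthnRequest sent by the service provider.
 * @param preferredIDP IDP to be proxied.
 * @param spSSODescriptor SPSSO Descriptor Element (not read by this method; the hosted SP
 *        descriptor is looked up again from metadata).
 * @param hostedEntityId hosted provider ID
 * @param request HttpServletRequest
 * @param response HttpServletResponse
 * @param realm Realm
 * @param relayState the Relay State
 * @param originalBinding The binding used to send the original AuthnRequest.
 * @exception SAML2Exception for any SAML2 failure, including missing IDP or SP metadata.
 * @exception IOException if there is a failure in redirection.
 */
public static void sendProxyAuthnRequest(
        AuthnRequest authnRequest,
        String preferredIDP,
        SPSSODescriptorElement spSSODescriptor,
        String hostedEntityId,
        HttpServletRequest request,
        HttpServletResponse response,
        String realm,
        String relayState,
        String originalBinding)
        throws SAML2Exception, IOException {
    String classMethod = "IDPProxyUtil.sendProxyAuthnRequest: ";
    String destination = null;
    SPSSODescriptorElement localDescriptor = null;
    SPSSOConfigElement localDescriptorConfig = null;
    IDPSSODescriptorElement idpDescriptor = null;
    String binding;
    try {
        idpDescriptor = IDPSSOUtil.metaManager.getIDPSSODescriptor(realm, preferredIDP);
        // A missing IDP descriptor is reported like a descriptor without a usable endpoint
        // instead of surfacing as a NullPointerException.
        SingleSignOnServiceElement endpoint = idpDescriptor == null
                ? null
                : getMatchingSSOEndpoint(idpDescriptor.getSingleSignOnService(), originalBinding);
        if (endpoint == null) {
            SAML2Utils.debug.error(classMethod + "Single Sign-on service is not found for the proxying IDP.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("ssoServiceNotFoundIDPProxy"));
        }
        binding = endpoint.getBinding();
        destination = endpoint.getLocation();

        localDescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(realm, hostedEntityId);
        localDescriptorConfig = IDPSSOUtil.metaManager.getSPSSOConfig(realm, hostedEntityId);
    } catch (SAML2MetaException e) {
        SAML2Utils.debug.error(classMethod, e);
        throw new SAML2Exception(e.getMessage());
    }
    if (localDescriptor == null) {
        // The signing decision below reads the hosted SP descriptor.
        SAML2Utils.debug.error(classMethod + "SP SSO descriptor is not found for the hosted entity.");
        throw new SAML2Exception(classMethod + "SP SSO descriptor is not found for the hosted entity.");
    }

    AuthnRequest newAuthnRequest = getNewAuthnRequest(hostedEntityId, destination, realm, authnRequest);
    // Invoke the SP adapter class if one is registered, before the request is cached or signed.
    SAML2ServiceProviderAdapter spAdapter = SAML2Utils.getSPAdapterClass(hostedEntityId, realm);
    if (spAdapter != null) {
        spAdapter.preSingleSignOnRequest(hostedEntityId, preferredIDP, realm, request, response, newAuthnRequest);
    }
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(classMethod + "New Authentication request:" + newAuthnRequest.toXMLString());
    }
    String requestID = newAuthnRequest.getID();

    // Cache the new AuthnRequest so that it can be retrieved later when the user
    // successfully authenticates ...
    IDPCache.authnRequestCache.put(requestID, newAuthnRequest);
    // ... and the original AuthnRequest under the same ID, so the proxied response
    // can be correlated back to the requesting SP.
    IDPCache.proxySPAuthnReqCache.put(requestID, authnRequest);

    // Sign when the remote IDP wants signed requests or the local SP declares that it signs them.
    boolean signingNeeded = idpDescriptor.isWantAuthnRequestsSigned() || localDescriptor.isAuthnRequestsSigned();

    // The relay state itself stays server-side; only its opaque ID is appended to the SSO URL.
    String relayStateID = null;
    if (relayState != null && !relayState.isEmpty()) {
        // NOTE: keyed on the original request's ID; the long-standing TODO asking whether
        // newAuthnRequest.getID() should be used instead is still open.
        relayStateID = SPSSOFederate.getRelayStateID(relayState, authnRequest.getID());
    }

    if (binding.equals(SAML2Constants.HTTP_POST)) {
        if (signingNeeded) {
            String certAlias = SPSSOFederate.getParameter(
                    SAML2MetaUtils.getAttributes(localDescriptorConfig),
                    SAML2Constants.SIGNING_CERT_ALIAS);
            // For the POST binding the XML signature is embedded in the message itself.
            SPSSOFederate.signAuthnRequest(certAlias, newAuthnRequest);
        }
        String authXMLString = newAuthnRequest.toXMLString(true, true);
        String encodedReqMsg = SAML2Utils.encodeForPOST(authXMLString);
        SAML2Utils.postToTarget(request, response, "SAMLRequest",
                encodedReqMsg, "RelayState", relayStateID, destination);
    } else {
        String authReqXMLString = newAuthnRequest.toXMLString(true, true);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + " AuthnRequest: " + authReqXMLString);
        }

        String encodedXML = SAML2Utils.encodeForRedirect(authReqXMLString);
        StringBuilder queryString = new StringBuilder()
                .append(SAML2Constants.SAML_REQUEST)
                .append(SAML2Constants.EQUAL)
                .append(encodedXML);
        if (relayStateID != null && !relayStateID.isEmpty()) {
            queryString.append("&").append(SAML2Constants.RELAY_STATE)
                    .append("=")
                    .append(URLEncDec.encode(relayStateID));
        }

        // The endpoint location may already carry a query part; join with the right separator.
        StringBuilder redirectURL = new StringBuilder()
                .append(destination)
                .append(destination.contains("?") ? "&" : "?");

        if (signingNeeded) {
            String certAlias = SPSSOFederate.getParameter(
                    SAML2MetaUtils.getAttributes(localDescriptorConfig),
                    SAML2Constants.SIGNING_CERT_ALIAS);
            // For the Redirect binding the signature covers the query string, not the XML.
            String signedQueryStr = SPSSOFederate.signQueryString(queryString.toString(), certAlias);
            redirectURL.append(signedQueryStr);
        } else {
            redirectURL.append(queryString);
        }
        response.sendRedirect(redirectURL.toString());
    }

    String[] data = { destination };
    LogUtil.access(Level.INFO, LogUtil.REDIRECT_TO_SP, data, null);
    AuthnRequestInfo reqInfo = new AuthnRequestInfo(request, response,
            realm, hostedEntityId, preferredIDP, newAuthnRequest, relayState,
            null);
    synchronized (SPCache.requestHash) {
        SPCache.requestHash.put(requestID, reqInfo);
    }
    if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
        try {
            // sessionExpireTime is counted in seconds
            long sessionExpireTime = currentTimeMillis() / 1000 + SPCache.interval;
            SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(requestID, new AuthnRequestInfoCopy(reqInfo),
                    sessionExpireTime);
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + " SAVE AuthnRequestInfoCopy for requestID " + requestID);
            }
        } catch (SAML2TokenRepositoryException se) {
            // Best effort: the local SPCache entry above still serves this node.
            SAML2Utils.debug.error(classMethod + " SAVE AuthnRequestInfoCopy for requestID "
                    + requestID + ", failed!", se);
        }
    }
}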
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
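/**
 * Picks the SingleSignOnService endpoint of the proxied IDP to send the new request to.
 * <p>
 * The first endpoint whose binding equals {@code preferredBinding} wins; when none
 * matches, the first endpoint in metadata order is used so that proxying can still
 * proceed.
 *
 * @param endpoints SingleSignOnService endpoints from the IDP's metadata, may be {@code null} or empty.
 * @param preferredBinding binding of the original AuthnRequest, may be {@code null}.
 * @return the chosen endpoint, or {@code null} when {@code endpoints} is {@code null} or empty.
 */
private static SingleSignOnServiceElement getMatchingSSOEndpoint(List<SingleSignOnServiceElement> endpoints,
        String preferredBinding) {
    if (endpoints == null || endpoints.isEmpty()) {
        return null;
    }
    for (SingleSignOnServiceElement endpoint : endpoints) {
        // Null-safe on purpose: the original binding may be unknown, and metadata may omit a binding.
        if (preferredBinding != null && preferredBinding.equals(endpoint.getBinding())) {
            return endpoint;
        }
    }
    // No binding match: fall back to the first endpoint in the list.
    return endpoints.get(0);
}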
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Constructs new authentication request by using the original request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * that is sent by the service provider to the proxying IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostedEntityId hosted provider ID
420a3bbac5080d4a45b074040d304483273662c4Peter Major * @param destination The destination where the new AuthnRequest will be sent to.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm Realm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param origRequest Original Authn Request
 * @return AuthnRequest new authn request, populated from the original one.
 * @exception SAML2Exception for failure in creating new authn request.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
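/**
 * Builds the AuthnRequest that this IdP proxy (acting as an SP) forwards to the
 * authenticating IdP, copying the relevant settings from the request it received.
 *
 * <p>The new request gets a fresh ID and issue instant, this proxy's entity ID as
 * Issuer, and an ACS URL taken from the proxy's own SP metadata (never from the
 * incoming request). Its Scoping carries a ProxyCount one lower than the original's
 * (or, when the original had no Scoping, one derived from the remote SP's IdP-proxy
 * configuration), and the original requester's entity ID is appended to the
 * RequesterID list so the proxy chain stays visible to the authenticating IdP.
 *
 * @param hostedEntityId entity ID of this IdP proxy; used as Issuer and SPNameQualifier
 * @param destination the authenticating IdP's SSO endpoint
 * @param realm the realm this proxy is hosted in
 * @param origRequest the AuthnRequest received from the remote SP
 * @return the newly built AuthnRequest
 * @throws SAML2Exception if no request ID can be generated, no ACS URL is configured
 *         for the requested binding, or any other failure occurs while building the request
 */
private static AuthnRequest getNewAuthnRequest(String hostedEntityId, String destination, String realm,
        AuthnRequest origRequest) throws SAML2Exception {
    String classMethod = "IDPProxyUtil.getNewAuthnRequest: ";
    // New Authentication request should only be a single sign-on request.
    try {
        AuthnRequest newRequest = ProtocolFactory.getInstance().createAuthnRequest();
        String requestID = SAML2Utils.generateID();
        if (requestID == null || requestID.isEmpty()) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("cannotGenerateID"));
        }
        newRequest.setID(requestID);

        SPSSODescriptorElement localDescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(realm, hostedEntityId);

        newRequest.setDestination(XMLUtils.escapeSpecialCharacters(destination));
        newRequest.setConsent(origRequest.getConsent());
        newRequest.setIsPassive(origRequest.isPassive());
        newRequest.setForceAuthn(origRequest.isForceAuthn());
        newRequest.setAttributeConsumingServiceIndex(origRequest.getAttributeConsumingServiceIndex());
        newRequest.setAssertionConsumerServiceIndex(origRequest.getAssertionConsumerServiceIndex());
        String protocolBinding = origRequest.getProtocolBinding();
        newRequest.setProtocolBinding(protocolBinding);

        // The ACS URL comes from this proxy's own SP metadata for the requested binding. Fail with a
        // clear message instead of an IndexOutOfBoundsException when nothing is configured.
        OrderedSet acsSet = SPSSOFederate.getACSUrl(localDescriptor, protocolBinding);
        if (acsSet == null || acsSet.isEmpty()) {
            throw new SAML2Exception(classMethod + "no AssertionConsumerService URL configured for binding "
                    + protocolBinding);
        }
        String acsURL = (String) acsSet.get(0);
        newRequest.setAssertionConsumerServiceURL(acsURL);

        Issuer issuer = AssertionFactory.getInstance().createIssuer();
        issuer.setValue(hostedEntityId);
        newRequest.setIssuer(issuer);

        NameIDPolicy origNameIDPolicy = origRequest.getNameIDPolicy();
        if (origNameIDPolicy != null) {
            NameIDPolicy newNameIDPolicy = ProtocolFactory.getInstance().createNameIDPolicy();
            newNameIDPolicy.setFormat(origNameIDPolicy.getFormat());
            // The qualifier must name this proxy, not the original SP.
            newNameIDPolicy.setSPNameQualifier(hostedEntityId);
            newNameIDPolicy.setAllowCreate(origNameIDPolicy.isAllowCreate());
            newRequest.setNameIDPolicy(newNameIDPolicy);
        }
        newRequest.setRequestedAuthnContext(origRequest.getRequestedAuthnContext());
        newRequest.setExtensions(origRequest.getExtensions());
        newRequest.setIssueInstant(newDate());
        newRequest.setVersion(SAML2Constants.VERSION_2_0);

        Scoping scoping = origRequest.getScoping();
        if (scoping != null) {
            Scoping newScoping = ProtocolFactory.getInstance().createScoping();
            Integer proxyCountInt = scoping.getProxyCount();
            if (proxyCountInt != null) {
                // Each hop consumes one proxy. A ProxyCount of 0 is expected to have been rejected by
                // the caller already (see isIDPProxyEnabled), so the result should not go negative.
                newScoping.setProxyCount(Integer.valueOf(proxyCountInt.intValue() - 1));
            }
            newScoping.setIDPList(scoping.getIDPList());

            // Carry over existing RequesterIDs and append the original requester.
            newScoping.setRequesterIDs(scoping.getRequesterIDs());
            addRequesterIDToScope(newScoping, origRequest.getIssuer().getValue());

            newRequest.setScoping(newScoping);
        } else {
            // alwaysIdpProxy case: the incoming request did not contain a Scoping element, so the
            // proxy count and IdP list are derived from the remote SP's configuration instead.
            SPSSOConfigElement spConfig = getSPSSOConfigByAuthnRequest(realm, origRequest);
            Map<String, List<String>> spConfigAttrMap = SAML2MetaUtils.getAttributes(spConfig);
            scoping = ProtocolFactory.getInstance().createScoping();
            String proxyCountParam = SPSSOFederate.getParameter(spConfigAttrMap, SAML2Constants.IDP_PROXY_COUNT);
            if (proxyCountParam != null && !proxyCountParam.isEmpty()) {
                // A non-numeric value raises NumberFormatException, which is wrapped below.
                int proxyCount = Integer.parseInt(proxyCountParam);
                // Since this is a remote SP configuration, decrement the proxy count by one for this
                // hop, clamping at zero.
                scoping.setProxyCount(proxyCount <= 0 ? 0 : proxyCount - 1);
            }

            // Set the requesterIDs
            addRequesterIDToScope(scoping, origRequest.getIssuer().getValue());

            List<String> proxyIdPs = spConfigAttrMap.get(SAML2Constants.IDP_PROXY_LIST);
            // NOTE(review): the Scoping built above is only attached to the new request when a proxy
            // IdP list is configured; without one the decremented ProxyCount and the RequesterID are
            // dropped. Preserved as-is — confirm whether that is intended before changing it.
            if (proxyIdPs != null && !proxyIdPs.isEmpty()) {
                List<IDPEntry> list = new ArrayList<>();
                for (String proxyIdP : proxyIdPs) {
                    IDPEntry entry = ProtocolFactory.getInstance().createIDPEntry();
                    entry.setProviderID(proxyIdP);
                    list.add(entry);
                }
                IDPList idpList = ProtocolFactory.getInstance().createIDPList();
                idpList.setIDPEntries(list);
                scoping.setIDPList(idpList);
                newRequest.setScoping(scoping);
            }
        }
        return newRequest;
    } catch (Exception ex) {
        SAML2Utils.debug.error(classMethod + "Error in creating new authn request.", ex);
        throw new SAML2Exception(ex);
    }
}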
fc6d568154347c9dab7917072f6097389534c6a1Quentin CASTEL
/**
 * Appends a RequesterID carrying the given entity ID to the Scoping's RequesterID list,
 * keeping any entries already present.
 *
 * @param scoping the Scoping to update; must not be null
 * @param requesterId the entity ID of the requester to record
 * @throws SAML2Exception if the RequesterID value cannot be set
 */
public static void addRequesterIDToScope(Scoping scoping, String requesterId) throws SAML2Exception {
    List<RequesterID> existing = scoping.getRequesterIDs();
    List<RequesterID> merged = existing == null ? new ArrayList<>() : new ArrayList<>(existing);

    RequesterID appended = new RequesterIDImpl();
    appended.setValue(requesterId);
    merged.add(appended);

    scoping.setRequesterIDs(merged);
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
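/**
 * Checks if the identity provider is configured for proxying the
 * authentication requests for a requesting service provider.
 *
 * <p>Without a Scoping element in the request, proxying is allowed only if the
 * remote SP's configuration enables both "always IdP proxy" and "IdP proxy".
 * With a Scoping element, a ProxyCount of zero or less forbids further proxying,
 * a missing ProxyCount permits one more hop, and the remote SP's configuration
 * must still enable IdP proxying. A missing SP configuration yields
 * <code>false</code> in either case.
 *
 * @param authnRequest Authentication Request.
 * @param realm Realm
 * @return <code>true</code> if the IDP is configured for proxying.
 * @exception SAML2Exception for any failure.
 */
public static boolean isIDPProxyEnabled(AuthnRequest authnRequest, String realm) throws SAML2Exception {
    Scoping scoping = authnRequest.getScoping();

    if (scoping == null) {
        // let's check if always IdP proxy and IdP Proxy itself is enabled
        SPSSOConfigElement spConfig = getSPSSOConfigByAuthnRequest(realm, authnRequest);
        if (spConfig == null) {
            return false;
        }
        Map<String, List<String>> spConfigAttrsMap = SAML2MetaUtils.getAttributes(spConfig);
        Boolean alwaysEnabled = SPSSOFederate.getAttrValueFromMap(spConfigAttrsMap, SAML2Constants.ALWAYS_IDP_PROXY);
        Boolean proxyEnabled = SPSSOFederate.getAttrValueFromMap(spConfigAttrsMap, SAML2Constants.ENABLE_IDP_PROXY);
        return Boolean.TRUE.equals(alwaysEnabled) && Boolean.TRUE.equals(proxyEnabled);
    }

    // Proxy count missing, IDP Proxy allowed (one more hop).
    Integer proxyCountInt = scoping.getProxyCount();
    int proxyCount = proxyCountInt == null ? 1 : proxyCountInt.intValue();
    if (proxyCount <= 0) {
        return false;
    }

    SPSSOConfigElement spConfig = IDPSSOUtil.metaManager.getSPSSOConfig(realm, authnRequest.getIssuer().getValue());
    if (spConfig == null) {
        // Fail closed, consistent with the no-Scoping branch above.
        return false;
    }
    Map<String, List<String>> spConfigAttrsMap = SAML2MetaUtils.getAttributes(spConfig);
    Boolean enabled = SPSSOFederate.getAttrValueFromMap(spConfigAttrsMap, SAML2Constants.ENABLE_IDP_PROXY);
    return Boolean.TRUE.equals(enabled);
}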
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Checks if the proxying is enabled for a given request, i.e. whether the
 * proxied AuthnRequest for that request ID is still held in the cache.
 *
 * @param requestID authentication request id which is created by the
 *        proxying IDP to the authenticating IDP.
 * @return true if the proxying is enabled.
 */
public static boolean isIDPProxyEnabled(String requestID) {
    boolean cachedAsProxied = IDPCache.proxySPAuthnReqCache.containsKey(requestID);
    return cachedAsProxied;
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
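/**
 * Sends the proxy authentication response to the proxying service
 * provider which has originally requested for the authentication.
 *
 * <p>The cached AuthnRequest for <code>requestID</code> is consumed (removed,
 * not just read) so a given request ID can only be completed once.
 *
 * @param request HttpServletRequest
 * @param response HttpServletResponse
 * @param out the print writer for writing out presentation
 * @param requestID request ID
 * @param idpMetaAlias meta Alias
 * @param newSession Session object
 * @param nameIDFormat name identifier format
 * @param saml2Auditor a <code>SAML2EventLogger</code> auditor object to hook into
 *        tracking information for the saml request
 * @throws SAML2Exception if no proxied AuthnRequest is cached for the request ID,
 *         or for any SAML2 failure.
 */
private static void sendProxyResponse(HttpServletRequest request, HttpServletResponse response, PrintWriter out,
        String requestID, String idpMetaAlias, Object newSession, String nameIDFormat,
        SAML2EventLogger saml2Auditor) throws SAML2Exception {
    String classMethod = "IDPProxyUtil.sendProxyResponse: ";
    // The request ID originates from the InResponseTo of the IdP's response. An unknown or
    // already-consumed ID must fail cleanly rather than with a NullPointerException.
    AuthnRequest origRequest = (AuthnRequest) IDPCache.proxySPAuthnReqCache.remove(requestID);
    if (origRequest == null) {
        SAML2Utils.debug.error(classMethod + "no proxied AuthnRequest cached for request ID " + requestID);
        throw new SAML2Exception(classMethod + "no proxied AuthnRequest cached for request ID " + requestID);
    }
    if (SAML2Utils.debug.messageEnabled()) {
        try {
            SAML2Utils.debug.message(classMethod + origRequest.toXMLString());
        } catch (Exception ex) {
            SAML2Utils.debug.error(classMethod + "toString(): Failed.", ex);
        }
    }
    String proxySPEntityId = origRequest.getIssuer().getValue();
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(classMethod + ":Original requesting service provider id:" + proxySPEntityId);
    }
    // Save the SP provider id based on the token id
    IDPCache.spSessionPartnerBySessionID.put(sessionProvider.getSessionID(newSession), proxySPEntityId);

    // TODO: propagate the authenticating IdP's AuthnContextClassRef onto the session.

    String relayState = (String) IDPCache.relayStateCache.get(origRequest.getID());
    IDPSSOUtil.doSSOFederate(request, response, out, origRequest, origRequest.getIssuer().getValue(),
            idpMetaAlias, nameIDFormat, relayState, newSession, saml2Auditor);
}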
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major
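/**
 * Sends back response with firstlevel and secondlevel status code if available for the original AuthnRequest.
 *
 * <p>Both the cached AuthnRequest and its relay state are removed here, so the
 * request ID can only be completed once.
 *
 * @param request The request.
 * @param response The response.
 * @param out The print writer for writing out presentation.
 * @param requestID The requestID of the proxied AuthnRequest.
 * @param idpMetaAlias The IdP's metaAlias.
 * @param hostEntityID The IdP's entity ID.
 * @param realm The realm where the IdP belongs to.
 * @param firstlevelStatusCodeValue First-level status code value passed.
 * @param secondlevelStatusCodeValue Second-level status code value passed.
 * @throws SAML2Exception If no proxied AuthnRequest is cached for the request ID, or if there was an error
 *         while sending the response with second-level status-code.
 */
public static void sendResponseWithStatus(HttpServletRequest request, HttpServletResponse response,
        PrintWriter out, String requestID, String idpMetaAlias, String hostEntityID, String realm,
        String firstlevelStatusCodeValue, String secondlevelStatusCodeValue) throws SAML2Exception {

    AuthnRequest origRequest = (AuthnRequest) IDPCache.proxySPAuthnReqCache.remove(requestID);
    if (origRequest == null) {
        // Unknown or already-consumed request ID: fail cleanly instead of dereferencing null below.
        throw new SAML2Exception("IDPProxyUtil.sendResponseWithStatus: no proxied AuthnRequest cached for request ID "
                + requestID);
    }
    String relayState = (String) IDPCache.relayStateCache.remove(origRequest.getID());

    IDPSSOUtil.sendResponseWithStatus(request, response, out, idpMetaAlias, hostEntityID, realm, origRequest,
            relayState, origRequest.getIssuer().getValue(), firstlevelStatusCodeValue, secondlevelStatusCodeValue);
}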
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major
/**
 * Generates the AuthnResponse by the IDP Proxy and sends it to the service provider.
 *
 * <p>The response received from the authenticating IdP is stashed on the servlet request
 * so the original assertion is reachable while the new one is generated, then the
 * proxied AuthnRequest matching the response's InResponseTo is completed.
 *
 * @param request HttpServletRequest The HTTP request.
 * @param response HttpServletResponse The HTTP response.
 * @param out The print writer for writing out presentation.
 * @param metaAlias The meta alias.
 * @param respInfo ResponseInfo object.
 * @param newSession Session object.
 * @param auditor a <code>SAML2EventLogger</code> auditor
 * @throws SAML2Exception for any SAML2 failure.
 */
public static void generateProxyResponse(HttpServletRequest request, HttpServletResponse response, PrintWriter out,
        String metaAlias, ResponseInfo respInfo, Object newSession, SAML2EventLogger auditor) throws SAML2Exception {
    Response idpResponse = respInfo.getResponse();
    String inResponseTo = idpResponse.getInResponseTo();
    String format = getNameIDFormat(idpResponse, metaAlias);
    boolean logFormat = format != null && SAML2Utils.debug.messageEnabled();
    if (logFormat) {
        SAML2Utils.debug.message("NAME ID Format= " + format);
    }

    // Keep the IdP's response on the request so the original assertion can be consulted
    // when the new one is generated.
    request.setAttribute(SAML2Constants.SAML_PROXY_IDP_RESPONSE_KEY, idpResponse);
    sendProxyResponse(request, response, out, inResponseTo, metaAlias, newSession, format, auditor);
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
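/**
 * Returns the NameID format carried by the first assertion of the given response.
 *
 * <p>Only the first plain assertion is inspected; if there is none, the first
 * encrypted assertion is decrypted with the hosted SP's decryption keys. This method
 * performs no validation of the response or assertion — callers are assumed to have
 * done that before this point (TODO confirm).
 *
 * @param res the response from the authenticating IdP; may be null
 * @param metaAlias the meta alias of the hosted SP whose decryption keys are used
 * @return the NameID format, or null if the response, assertion, subject or NameID is
 *         absent, or the encrypted assertion cannot be decrypted
 */
private static String getNameIDFormat(Response res, String metaAlias) {
    if (res == null) {
        return null;
    }

    Assertion assertion = null;
    List<Assertion> assertions = res.getAssertion();
    if (CollectionUtils.isEmpty(assertions)) {
        // Check for Encrypted Assertions
        List<EncryptedAssertion> encryptedAssertions = res.getEncryptedAssertion();
        if (CollectionUtils.isEmpty(encryptedAssertions)) {
            return null;
        }
        String realm = SAML2Utils.getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
        try {
            String hostEntityId = sm.getEntityByMetaAlias(metaAlias);
            Set<PrivateKey> decryptionKeys = KeyUtil.getDecryptionKeys(sm.getSPSSOConfig(realm, hostEntityId));
            assertion = encryptedAssertions.get(0).decrypt(decryptionKeys);
        } catch (SAML2Exception ex) {
            SAML2Utils.debug.error("getNameIDFormat failed decrypting EncryptedAssertion", ex);
            return null;
        }
    } else {
        assertion = assertions.get(0);
    }
    // decrypt() is not known here to guarantee a non-null result; guard rather than NPE.
    if (assertion == null) {
        return null;
    }

    Subject subject = assertion.getSubject();
    if (subject == null) {
        return null;
    }
    NameID nameID = subject.getNameID();
    if (nameID == null) {
        return null;
    }
    return nameID.getFormat();
}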
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Initiates the Single logout request by the IDP Proxy to the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * authenticating identity provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request HttpServletRequest
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response HttpServletResponse
c36b3d48cd721148c2ed02c273ecf4f38e1add70Mark de Reeper * @param out The print writer for writing out presentation.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param partner Authenticating identity provider
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param spMetaAlias IDP proxy's meta alias acting as SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm Realm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
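public static void initiateSPLogoutRequest(
    HttpServletRequest request,
    HttpServletResponse response,
    PrintWriter out,
    String partner,
    String spMetaAlias,
    String realm,
    LogoutRequest logoutReq,
    SOAPMessage msg,
    IDPSession idpSession,
    String binding,
    String relayState
)
{
    // The proxy acts as an SP towards the authenticating IDP, so the
    // logout request is sent on the token of the proxy's own session.
    Object ssoToken = idpSession.getSession();

    try {
        if (ssoToken == null) {
            SAMLUtils.sendError(request, response,
                HttpServletResponse.SC_BAD_REQUEST, "nullSSOToken",
                SAML2Utils.bundle.getString("nullSSOToken"));
            return;
        }
        // Prefer the SP meta alias recorded on the session; fall back to
        // the one the caller supplied when the session has none.
        String[] values = SessionManager.getProvider().
            getProperty(ssoToken, SAML2Constants.SP_METAALIAS);
        String metaAlias = spMetaAlias;
        if (values != null && values.length > 0 && values[0] != null) {
            metaAlias = values[0];
        }
        HashMap paramsMap = new HashMap();
        paramsMap.put("spMetaAlias", metaAlias);
        paramsMap.put("idpEntityID", partner);
        paramsMap.put(SAML2Constants.ROLE, SAML2Constants.SP_ROLE);
        paramsMap.put(SAML2Constants.BINDING, binding);
        // The destination is resolved from the partner's metadata, never
        // from the request; a missing SLO endpoint is a metadata error.
        String dest = getLocation(realm, partner, binding);
        if (dest == null || dest.isEmpty()) {
            throw new SAML2Exception(
                SAML2Utils.bundle.getString(
                    "sloResponseServiceLocationNotfound"));
        }
        paramsMap.put("Destination", dest);
        // Consent and Extension are copied verbatim from the incoming
        // request. NOTE(review): these are untrusted values; confirm that
        // SPSingleLogout validates them before placing them in the
        // outgoing LogoutRequest.
        paramsMap.put("Consent", request.getParameter("Consent"));
        paramsMap.put("Extension", request.getParameter("Extension"));
        if (relayState != null) {
            paramsMap.put(SAML2Constants.RELAY_STATE, relayState);
        }
        // The partner is dropped from the session before the request goes
        // out, so a failed send does not leave it eligible for a retry.
        idpSession.removeSessionPartner(partner);
        SPSingleLogout.initiateLogoutRequest(request, response, out,
            binding, paramsMap, logoutReq, msg, ssoToken, null);
    } catch (SAML2Exception sse) {
        SAML2Utils.debug.error("Error sending Logout Request " , sse);
        sendLogoutRequestCreationError(request, response);
    } catch (Exception e) {
        SAML2Utils.debug.error("Error initializing Request ",e);
        sendLogoutRequestCreationError(request, response);
    }
}

/**
 * Reports a failed logout-request creation to the client as a
 * 400 Bad Request. A failure while writing the error page is only
 * logged, because the original failure has already been logged by the
 * caller and there is nothing further to do for this request.
 *
 * @param request HttpServletRequest
 * @param response HttpServletResponse
 */
private static void sendLogoutRequestCreationError(
    HttpServletRequest request, HttpServletResponse response) {
    try {
        SAMLUtils.sendError(request, response,
            HttpServletResponse.SC_BAD_REQUEST,
            "LogoutRequestCreationError",
            SAML2Utils.bundle.getString("LogoutRequestCreationError"));
    } catch (Exception se) {
        SAML2Utils.debug.error("IDPProxyUtil." +
            "initiateSPLogoutRequest: ", se);
    }
}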
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Gets the SLO service location of the authenticating
 * identity provider for the given binding.
 * @param realm Realm
 * @param idpEntityID authenticating identity provider.
 * @param binding SAML2 binding whose SLO service location is wanted.
 * @return location URL of the SLO service, or null
 * if not found.
 */
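public static String getLocation (String realm, String idpEntityID,
    String binding)
{
    try {
        // The endpoint must come from the IDP's published metadata.
        IDPSSODescriptorElement idpsso =
            sm.getIDPSSODescriptor(realm,idpEntityID);
        if (idpsso == null) {
            String[] data = {idpEntityID};
            LogUtil.error(Level.INFO,LogUtil.IDP_METADATA_ERROR,data,
                null);
            throw new SAML2Exception(
                SAML2Utils.bundle.getString("metaDataError"));
        }
        List slosList = idpsso.getSingleLogoutService();
        if (slosList == null) {
            String[] data = {idpEntityID};
            LogUtil.error(Level.INFO,LogUtil.SLO_NOT_FOUND,data,
                null);
            throw new SAML2Exception(
                SAML2Utils.bundle.getString("sloServiceListNotfound"));
        }

        // May be null or empty when no service matches the binding.
        String location =
            LogoutUtil.getSLOServiceLocation(slosList,binding);
        if (SAML2Utils.debug.messageEnabled() && (location != null)
            && (!location.isEmpty())) {
            SAML2Utils.debug.message("Location URL: " + location);
        }
        return location;
    } catch (SAML2Exception se) {
        // Callers treat null as "not found"; record the cause so a
        // metadata lookup failure is not silently indistinguishable
        // from a missing endpoint.
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("IDPProxyUtil.getLocation: ", se);
        }
        return null;
    }
}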
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Returns the session partners recorded for the IDP session that belongs
 * to the caller's request.
 *
 * @param request HttpServletRequest carrying the user's session
 * @return the partner list of the cached IDPSession, or null when the
 *         request has no usable session ID, no IDPSession is cached for
 *         it, or the session lookup fails
 */
public static List getSessionPartners(HttpServletRequest request)
{
    List partners = null;
    try {
        Object session = sessionProvider.getSession(request);
        String sessionId = sessionProvider.getSessionID(session);
        IDPSession idpSession = null;
        if (sessionId != null && !sessionId.equals("")) {
            idpSession = (IDPSession)
                IDPCache.idpSessionsBySessionID.get(sessionId);
        }
        if (idpSession != null) {
            partners = idpSession.getSessionPartners();
        }
    } catch (SessionException se) {
        return null;
    }

    if (SAML2Utils.debug.messageEnabled() && partners != null) {
        for (Iterator it = partners.iterator(); it.hasNext();) {
            SAML2SessionPartner partner = (SAML2SessionPartner) it.next();
            SAML2Utils.debug.message(
                "SESSION PARTNER's Provider ID: "
                + partner.getPartner());
        }
    }
    return partners;
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
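/**
 * Sends a logout request from the IDP proxy (acting as SP) to the first
 * session partner in {@code partners}, after removing that partner and
 * the proxy's cached IDP session.
 *
 * @param request HttpServletRequest
 * @param response HttpServletResponse
 * @param out writer used for the presentation of the request
 * @param logoutReq LogoutRequest to forward, or null
 * @param partners session partners of the proxy session; only the first
 *        entry is processed
 * @param binding SAML2 binding to use for the request
 * @param relayState RelayState to propagate, or null
 */
public static void sendProxyLogoutRequest(
    HttpServletRequest request,
    HttpServletResponse response,
    PrintWriter out,
    LogoutRequest logoutReq,
    List partners,
    String binding,
    String relayState)
{
    // Without a partner there is nobody to send the request to; fail
    // loudly in the log instead of with NoSuchElementException.
    if (partners == null || partners.isEmpty()) {
        SAML2Utils.debug.error(
            "sendProxyLogoutRequest: no session partner to log out");
        return;
    }
    try {
        Object tmpsession = sessionProvider.getSession(request);
        String tokenID = sessionProvider.getSessionID(tmpsession);
        IDPSession idpSession = null;
        if (tokenID != null && !tokenID.equals("")) {
            idpSession = (IDPSession)
                IDPCache.idpSessionsBySessionID.get(tokenID);
        }

        SAML2SessionPartner partner = (SAML2SessionPartner) partners.get(0);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(
                "CURRENT PARTNER's provider ID: " +
                partner.getPartner());
            SAML2Utils.debug.message("Starting IDP proxy logout.");
        }

        // The proxy's SP meta alias and realm are derived from the URI
        // this request arrived on.
        String metaAlias =
            SAML2MetaUtils.getMetaAliasByUri(request.getRequestURI()) ;
        String realm = SAML2Utils.
            getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
        String party = partner.getPartner();
        if (idpSession != null) {
            // Drop the partner and the cached session before sending, so
            // a repeated logout cannot reuse them.
            idpSession.removeSessionPartner(party);
            IDPCache.idpSessionsBySessionID.remove(tokenID);
            initiateSPLogoutRequest(request,response, out, party, metaAlias, realm,
                logoutReq, null, idpSession, binding, relayState);
        }
    } catch (SessionException se) {
        SAML2Utils.debug.error(
            "sendProxyLogoutRequest: ", se);
    }
}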
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Sends a LogoutResponse from the IDP proxy (acting as IDP) back to the
 * remote entity whose LogoutRequest is being answered.
 *
 * @param response HttpServletResponse
 * @param request HttpServletRequest
 * @param originatingRequestID ID of the LogoutRequest being answered
 * @param infoMap request context; the proxy entity ID ("entityid"), the
 *        realm and the relay state are read from it
 * @param remoteEntity entity ID of the party that receives the response
 * @param binding binding used to send the response
 * @throws SAML2Exception when the proxy entity ID is missing from
 *         {@code infoMap}, or the response cannot be built or sent
 */
public static void sendProxyLogoutResponse(
    HttpServletResponse response,
    HttpServletRequest request,
    String originatingRequestID,
    Map<String, String> infoMap,
    String remoteEntity,
    String binding) throws SAML2Exception {

    final String proxyEntityId = infoMap.get("entityid");
    if (StringUtils.isEmpty(proxyEntityId)) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullIDPEntityID"));
    }
    final boolean tracing = SAML2Utils.debug.messageEnabled();
    if (tracing) {
        SAML2Utils.debug.message("Proxy IDP EntityID=" + proxyEntityId);
    }
    // An absent realm means the root realm.
    String proxyRealm = infoMap.get(SAML2Constants.REALM);
    if (StringUtils.isEmpty(proxyRealm)) {
        proxyRealm = "/";
    }
    if (tracing) {
        SAML2Utils.debug.message("Proxy IDP Realm=" + proxyRealm);
    }
    LogoutResponse logoutRes = LogoutUtil.generateResponse(null, originatingRequestID,
            SAML2Utils.createIssuer(proxyEntityId), proxyRealm, SAML2Constants.IDP_ROLE, remoteEntity);
    // NOTE(review): the endpoint is always looked up for HTTP-Redirect even
    // though the response is sent with the caller's binding — confirm intended.
    String sloLocation = IDPSingleLogout.getSingleLogoutLocation(remoteEntity, proxyRealm,
            SAML2Constants.HTTP_REDIRECT);
    if (tracing) {
        SAML2Utils.debug.message("Proxy to: " + sloLocation);
    }
    logoutRes.setDestination(XMLUtils.escapeSpecialCharacters(sloLocation));
    LogoutUtil.sendSLOResponse(response, request, logoutRes, sloLocation,
            infoMap.get(SAML2Constants.RELAY_STATE), proxyRealm, proxyEntityId,
            SAML2Constants.IDP_ROLE, remoteEntity, binding);
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
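/**
 * Sends a logout request over the SOAP binding from the IDP proxy
 * (acting as SP) to the first session partner in {@code partners}.
 *
 * @param request HttpServletRequest
 * @param response HttpServletResponse
 * @param out writer used for the presentation of the request
 * @param msg SOAP message carrying the logout request
 * @param partners session partners of the proxy session; only the first
 *        entry is processed
 * @param idpSession the proxy's IDP session; the partner is removed from
 *        it and its token is used to send the request
 */
public static void sendProxyLogoutRequestSOAP(
    HttpServletRequest request,
    HttpServletResponse response,
    PrintWriter out,
    SOAPMessage msg,
    List partners,
    IDPSession idpSession)
{
    // Guard the two inputs the original code dereferenced unchecked.
    if (partners == null || partners.isEmpty()) {
        SAML2Utils.debug.error(
            "sendProxyLogoutRequestSOAP: no session partner to log out");
        return;
    }
    if (idpSession == null) {
        SAML2Utils.debug.error(
            "sendProxyLogoutRequestSOAP: no IDP session");
        return;
    }

    SAML2SessionPartner partner = (SAML2SessionPartner) partners.get(0);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message(
            "CURRENT PARTNER's provider ID: " +
            partner.getPartner());
        SAML2Utils.debug.message("Starting IDP proxy logout.");
    }

    // The proxy's SP meta alias and realm are derived from the URI this
    // request arrived on.
    String metaAlias =
        SAML2MetaUtils.getMetaAliasByUri(request.getRequestURI()) ;
    String realm = SAML2Utils.
        getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
    String party = partner.getPartner();
    idpSession.removeSessionPartner(party);
    initiateSPLogoutRequest(request,response, out, party, metaAlias, realm,
        null, msg ,idpSession, SAML2Constants.SOAP, null);
}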
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
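/**
 * Resolves the IDP session named by the first SessionIndex of the
 * LogoutRequest carried in a SOAP message and collects what the proxy
 * needs to log that session's partners out.
 *
 * @param message SOAP message carrying a samlp:LogoutRequest
 * @return a map with SESSION_INDEX, IDP_SESSION and PARTNERS entries; an
 *         empty map when no IDPSession is cached here for the index;
 *         null when the request carries no session index or cannot be
 *         parsed
 */
public static Map getSessionPartners(SOAPMessage message) {
    try {
        Map sessMap = new HashMap();
        Element reqElem = SOAPCommunicator.getInstance().getSamlpElement(message,
                "LogoutRequest");
        LogoutRequest logoutReq =
            ProtocolFactory.getInstance().createLogoutRequest(reqElem);
        List siList = logoutReq.getSessionIndex();
        // An empty list is handled like a missing one; get(0) on it would
        // otherwise throw IndexOutOfBoundsException past the catch below.
        if (siList == null || siList.isEmpty()) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("getSessionPartners: Number of " +
                    "session indices in the logout request is null");
            }
            return null;
        }
        int numSI = siList.size();
        if (debug.messageEnabled()) {
            debug.message(
                "Number of session indices in the logout request is "
                + numSI);
        }

        // Only the first session index is honoured.
        String sessionIndex = (String)siList.get(0);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("getSessionPartners: " +
                "SessionIndex= " + sessionIndex);
        }
        IDPSession idpSession = (IDPSession)
            IDPCache.idpSessionsByIndices.get(sessionIndex);

        if (idpSession == null) {
            // session is in another server
            return sessMap;
        }

        sessMap.put(SAML2Constants.SESSION_INDEX, sessionIndex);
        sessMap.put(SAML2Constants.IDP_SESSION, idpSession);
        // The partner list is read from the entry keyed by session ID,
        // presumably the one kept current — TODO confirm against IDPCache.
        Object session = idpSession.getSession();
        String tokenId = sessionProvider.getSessionID(session);
        IDPSession newIdpSession = (IDPSession)
            IDPCache.idpSessionsBySessionID.get(tokenId);
        List partners = null;
        if (newIdpSession != null) {
            partners = newIdpSession.getSessionPartners();
        }

        if (SAML2Utils.debug.messageEnabled() && partners != null) {
            for (Iterator iter = partners.iterator(); iter.hasNext();) {
                SAML2SessionPartner partner =
                    (SAML2SessionPartner)iter.next();
                SAML2Utils.debug.message(
                    "SESSION PARTNER's Provider ID: "
                    + partner.getPartner());
            }
        }
        sessMap.put(SAML2Constants.PARTNERS, partners);
        return sessMap;
    } catch (SAML2Exception se) {
        SAML2Utils.debug.error("getSessionPartners: ", se);
        return null;
    }
}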
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
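/**
 * Writes a SOAP reply (the proxy's logout response) to the HTTP response.
 * Failures are logged and not propagated, so the caller gets no signal
 * that the reply was not delivered.
 *
 * @param reply SOAP message to send
 * @param resp servlet response whose status and headers are set
 * @param out writer the message body is written to
 */
public static void sendProxyLogoutResponseBySOAP(SOAPMessage reply, HttpServletResponse resp, PrintWriter out) {

    try {
        // Need to call saveChanges because we're
        // going to use the MimeHeaders to set HTTP
        // response information. These MimeHeaders
        // are generated as part of the save.
        if (reply.saveRequired()) {
            reply.saveChanges();
        }
        resp.setStatus(HttpServletResponse.SC_OK);
        SAML2Utils.putHeaders(reply.getMimeHeaders(), resp);
        // Write out the message on the response stream. writeTo() yields
        // bytes; decode them explicitly instead of with the platform default
        // charset so non-ASCII content survives the trip through the writer.
        // NOTE(review): assumes the SOAP message is UTF-8 encoded — confirm.
        ByteArrayOutputStream stream = new ByteArrayOutputStream();
        reply.writeTo(stream);
        out.println(stream.toString("UTF-8"));
        out.flush();
    } catch (SOAPException se) {
        SAML2Utils.debug.error("sendProxyLogoutResponseBySOAP: ", se);
    } catch (IOException ie) {
        // Also covers UnsupportedEncodingException from toString(String).
        SAML2Utils.debug.error("sendProxyLogoutResponseBySOAP: ", ie);
    }
}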
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
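/**
 * Starts an IDP-initiated logout from the IDP proxy (acting as IDP)
 * towards its service providers, carrying along the logout response
 * received from the upstream identity provider.
 *
 * @param request HttpServletRequest
 * @param response HttpServletResponse
 * @param out writer used for the presentation of the request
 * @param logoutResponse LogoutResponse received upstream, or null
 * @param location upstream response location, or null/empty
 * @param spEntityID entity ID used to look up the IDP SSO config
 * @param idpEntityID entity ID of the upstream identity provider
 * @param binding SAML2 binding to use for the request
 * @param realm realm of the proxy
 * @throws SAML2Exception when the IDP SSO config cannot be found or the
 *         logout request cannot be initiated
 */
public static void sendIDPInitProxyLogoutRequest(
    HttpServletRequest request,
    HttpServletResponse response,
    PrintWriter out,
    LogoutResponse logoutResponse,
    String location,
    String spEntityID,
    String idpEntityID,
    String binding,
    String realm) throws SAML2Exception {

    String logoutAll = request.getParameter(SAML2Constants.LOGOUT_ALL);
    // NOTE(review): the IDP SSO config is looked up with spEntityID;
    // confirm this is the proxy's own IDP-side entity ID — TODO.
    IDPSSOConfigElement config = sm.getIDPSSOConfig(realm, spEntityID);
    if (config == null) {
        // No config means no meta alias to build the request from.
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    HashMap paramsMap = new HashMap();
    paramsMap.put("metaAlias", config.getMetaAlias());
    paramsMap.put(SAML2Constants.ROLE, SAML2Constants.IDP_ROLE);
    paramsMap.put(SAML2Constants.BINDING, SAML2Constants.HTTP_REDIRECT);
    // Destination, Consent and Extension are copied verbatim from the
    // incoming request. NOTE(review): they are untrusted input; confirm
    // that IDPSingleLogout.initiateLogoutRequest validates Destination
    // against metadata before the request is sent to it.
    paramsMap.put("Destination", request.getParameter("Destination"));
    paramsMap.put("Consent", request.getParameter("Consent"));
    paramsMap.put("Extension", request.getParameter("Extension"));

    // Only non-empty upstream details are handed down.
    Map logoutResponseMap = new HashMap();
    if (logoutResponse != null) {
        logoutResponseMap.put("LogoutResponse", logoutResponse);
    }
    if (location != null && !location.isEmpty()) {
        logoutResponseMap.put("Location", location);
    }
    if (spEntityID != null && !spEntityID.isEmpty()) {
        logoutResponseMap.put("spEntityID", spEntityID);
    }
    if (idpEntityID != null && !idpEntityID.isEmpty()) {
        logoutResponseMap.put("idpEntityID", idpEntityID);
    }
    paramsMap.put("LogoutMap", logoutResponseMap);

    if (logoutAll != null) {
        paramsMap.put(SAML2Constants.LOGOUT_ALL, logoutAll);
    }

    IDPSingleLogout.initiateLogoutRequest(request, response, out, binding, paramsMap);

    // TODO: for the SOAP binding, redirect to RelayState when present,
    // otherwise forward to /saml2/jsp/default.jsp?message=idpSloSuccess
    // (not implemented; left over from the JSP version of this code).
}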
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
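/**
 * Returns the SP session partner recorded for the caller's session, consuming the entry.
 *
 * The session ID is obtained through {@code sessionProvider}; the partner provider ID
 * stored under that ID in {@code IDPCache.spSessionPartnerBySessionID} is read and the
 * entry removed, so each partner ID is handed out at most once per session.
 *
 * @param request the HTTP request carrying the session
 * @return a list holding the single partner provider ID, or {@code null} when the session
 *         cannot be obtained, has no ID, or has no partner entry
 */
public static List getSPSessionPartners(HttpServletRequest request) {
    String classMethod = "IDPProxyUtil.getSPSessionPartners: ";
    try {
        Object tmpsession = sessionProvider.getSession(request);
        String tokenID = sessionProvider.getSessionID(tmpsession);
        if (tokenID == null || tokenID.isEmpty()) {
            return null;
        }
        // Read-then-remove: the partner ID is a one-shot value tied to this session.
        String pid = (String) IDPCache.spSessionPartnerBySessionID.get(tokenID);
        IDPCache.spSessionPartnerBySessionID.remove(tokenID);
        if (pid == null || pid.isEmpty()) {
            return null;
        }
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("SP SESSION PARTNER's Provider ID: " + pid);
        }
        List<String> partners = new ArrayList<String>();
        partners.add(pid);
        return partners;
    } catch (SessionException se) {
        // Best-effort lookup: callers already treat null as "no partners", but the
        // failure is recorded so a broken session lookup during logout is not invisible.
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message(classMethod + "unable to obtain session", se);
        }
        return null;
    }
}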
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
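/**
 * Returns the <code>SAML2IDPFinder</code> configured for the given identity provider.
 *
 * The implementation class name is read from the IDP SSO configuration attribute
 * <code>SAML2Constants.PROXY_IDP_FINDER_CLASS</code>; when it is absent or empty,
 * <code>SAML2Constants.DEFAULT_IDP_PROXY_FINDER</code> is used. Instances are cached by
 * class name in <code>IDPCache.idpProxyFinderCache</code>.
 *
 * The class name comes from configuration rather than from the request, but it is
 * still checked to implement <code>SAML2IDPFinder</code> <em>before</em> an instance is
 * created, so a misconfigured or tampered attribute cannot run the constructor of an
 * unrelated class that happens to be on the classpath.
 *
 * @param realm the realm name
 * @param idpEntityID the entity id of the identity provider
 *
 * @return the <code>SAML2IDPFinder</code>
 * @exception SAML2Exception if the finder name cannot be read, or the class cannot be
 *            loaded, is not a <code>SAML2IDPFinder</code>, or cannot be instantiated
 */
static SAML2IDPFinder getIDPProxyFinder(String realm, String idpEntityID)
        throws SAML2Exception {
    String classMethod = "IDPProxyUtil.getIDPProxyFinder: ";
    try {
        String idpProxyFinderName = IDPSSOUtil.getAttributeValueFromIDPSSOConfig(
                realm, idpEntityID, SAML2Constants.PROXY_IDP_FINDER_CLASS);
        if (idpProxyFinderName == null || idpProxyFinderName.isEmpty()) {
            idpProxyFinderName = SAML2Constants.DEFAULT_IDP_PROXY_FINDER;
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "use " +
                        SAML2Constants.DEFAULT_IDP_PROXY_FINDER);
            }
        }

        SAML2IDPFinder idpProxyFinder = (SAML2IDPFinder)
                IDPCache.idpProxyFinderCache.get(idpProxyFinderName);
        if (idpProxyFinder != null) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message(classMethod + "got the IDPProxyFinder from cache");
            }
            return idpProxyFinder;
        }

        // asSubclass() rejects a class that is not a SAML2IDPFinder before any
        // constructor runs; the previous cast-after-newInstance() only failed
        // after the configured class had already been instantiated. The
        // deprecated Class.newInstance() is replaced by the constructor API.
        Class<? extends SAML2IDPFinder> finderClass =
                Class.forName(idpProxyFinderName).asSubclass(SAML2IDPFinder.class);
        idpProxyFinder = finderClass.getDeclaredConstructor().newInstance();
        IDPCache.idpProxyFinderCache.put(idpProxyFinderName, idpProxyFinder);
        return idpProxyFinder;
    } catch (Exception ex) {
        SAML2Utils.debug.error(classMethod + "Unable to get IDP Proxy Finder.", ex);
        throw new SAML2Exception(ex);
    }
}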
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Looks up the SP SSO configuration for the issuer of an authentication request.
 *
 * The issuer value is used as the SP entity ID for the metadata lookup; the request is
 * expected to carry an Issuer element (a request without one fails here with a
 * NullPointerException, as the accessor chain is not null-checked).
 *
 * @param realm the realm in which the SP is registered
 * @param request the authentication request whose issuer identifies the SP
 * @return the SP SSO configuration element for that issuer
 * @throws SAML2MetaException if the metadata lookup fails
 */
private static SPSSOConfigElement getSPSSOConfigByAuthnRequest(
        String realm, AuthnRequest request) throws SAML2MetaException {
    String spEntityID = request.getIssuer().getValue();
    return IDPSSOUtil.metaManager.getSPSSOConfig(realm, spEntityID);
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster}