IDPProxyUtil.java revision 5a94313bda679ecfc84e2605ac3484ad9c69c3cf
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: IDPProxyUtil.java,v 1.18 2009/11/20 21:41:16 exu Exp $
65dd72398dd59ff077aa2d716cd41d2224810fdbJon Jonthomas * Portions Copyrighted 2010-2015 ForgeRock AS.
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeperimport com.sun.identity.saml2.common.SAML2FailoverUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.datastruct.OrderedSet;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.encode.URLEncDec;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Assertion;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Subject;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.AssertionFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Constants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Exception;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Utils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.entityconfig.IDPSSOConfigElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.plugins.SAML2IDPFinder;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.AuthnRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.IDPEntry;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.LogoutRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.LogoutResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.NameIDPolicy;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.Response;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.ProtocolFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionException;
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Majorimport com.sun.identity.saml2.jaxb.metadata.SingleSignOnServiceElement;
fe64160425f92efd10af752ec615734ade22e9ddPeter Majorimport com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter;
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeperimport org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException;
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeperimport org.forgerock.openam.utils.StringUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Utility class to be used for IDP Proxying.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // IDP proxy finder
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // private static SAML2IDPFinder proxyFinder = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static SessionProvider sessionProvider = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionProvider = SessionManager.getProvider();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("IDPSSOFederate:Static Init Failed", ex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets the preferred IDP Id to be proxied. This method makes use of an
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SPI to determine the preferred IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnRequest original Authn Request.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostedEntityId hosted provider ID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm Realm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request HttpServletRequest
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response HttpServletResponse
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception SAML2Exception for any SAML2 failure.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return String Provider id of the preferred IDP to be proxied.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2IDPFinder proxyFinder = getIDPProxyFinder(realm, hostedEntityId);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List idpProviderIDs = proxyFinder.getPreferredIDP(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((idpProviderIDs == null) || idpProviderIDs.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sends a new AuthnRequest to the authenticating provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnRequest original AuthnRequest sent by the service provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param preferredIDP IDP to be proxied.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param spSSODescriptor SPSSO Descriptor Element
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostedEntityId hosted provider ID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request HttpServletRequest
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response HttpServletResponse
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm Realm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param relayState the Relay State
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major * @param originalBinding The binding used to send the original AuthnRequest.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception SAML2Exception for any SAML2 failure.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception IOException if there is a failure in redirection.
fe64160425f92efd10af752ec615734ade22e9ddPeter Major public static void sendProxyAuthnRequest(
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest String classMethod = "IDPProxyUtil.sendProxyAuthnRequest: ";
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest SPSSODescriptorElement localDescriptor = null;
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest SPSSOConfigElement localDescriptorConfig = null;
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest IDPSSODescriptorElement idpDescriptor = null;
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major idpDescriptor = IDPSSOUtil.metaManager.getIDPSSODescriptor(realm, preferredIDP);
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major List<SingleSignOnServiceElement> ssoServiceList = idpDescriptor.getSingleSignOnService();
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major SingleSignOnServiceElement endpoint = getMatchingSSOEndpoint(ssoServiceList, originalBinding);
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major SAML2Utils.debug.error(classMethod + "Single Sign-on service is not found for the proxying IDP.");
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major throw new SAML2Exception(SAML2Utils.bundle.getString("ssoServiceNotFoundIDPProxy"));
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major localDescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(realm, hostedEntityId);
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major localDescriptorConfig = IDPSSOUtil.metaManager.getSPSSOConfig(realm, hostedEntityId);
420a3bbac5080d4a45b074040d304483273662c4Peter Major AuthnRequest newAuthnRequest = getNewAuthnRequest(hostedEntityId, destination, realm, authnRequest);
420a3bbac5080d4a45b074040d304483273662c4Peter Major // invoke SP Adapter class if registered
420a3bbac5080d4a45b074040d304483273662c4Peter Major SAML2ServiceProviderAdapter spAdapter = SAML2Utils.getSPAdapterClass(hostedEntityId, realm);
420a3bbac5080d4a45b074040d304483273662c4Peter Major spAdapter.preSingleSignOnRequest(hostedEntityId, preferredIDP, realm, request, response, newAuthnRequest);
420a3bbac5080d4a45b074040d304483273662c4Peter Major SAML2Utils.debug.message(classMethod + "New Authentication request:" + newAuthnRequest.toXMLString());
420a3bbac5080d4a45b074040d304483273662c4Peter Major // save the AuthnRequest in the IDPCache so that it can be
420a3bbac5080d4a45b074040d304483273662c4Peter Major // retrieved later when the user successfully authenticates
420a3bbac5080d4a45b074040d304483273662c4Peter Major IDPCache.authnRequestCache.put(requestID, newAuthnRequest);
420a3bbac5080d4a45b074040d304483273662c4Peter Major // save the original AuthnRequest
420a3bbac5080d4a45b074040d304483273662c4Peter Major IDPCache.proxySPAuthnReqCache.put(requestID, authnRequest);
420a3bbac5080d4a45b074040d304483273662c4Peter Major boolean signingNeeded = idpDescriptor.isWantAuthnRequestsSigned() || localDescriptor.isAuthnRequestsSigned();
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest // check if relayState is present and get the unique
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest // id which will be appended to the SSO URL before
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest // redirecting
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (relayState != null && relayState.length()> 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster relayStateID = SPSSOFederate.getRelayStateID(relayState,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (binding.equals(SAML2Constants.HTTP_POST)) {
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest SAML2MetaUtils.getAttributes(localDescriptorConfig),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPSSOFederate.signAuthnRequest(certAlias,newAuthnRequest);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String authXMLString = newAuthnRequest.toXMLString(true,true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String encodedReqMsg = SAML2Utils.encodeForPOST(authXMLString);
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest SAML2Utils.postToTarget(request, response, "SAMLRequest",
420a3bbac5080d4a45b074040d304483273662c4Peter Major encodedReqMsg, "RelayState", relayStateID, destination);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String authReqXMLString = newAuthnRequest.toXMLString(true,true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message(classMethod + " AuthnRequest: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String encodedXML = SAML2Utils.encodeForRedirect(authReqXMLString);
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest new StringBuffer().append(SAML2Constants.SAML_REQUEST)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //TODO: should it be newAuthnRequest???
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (relayStateID != null && relayStateID.length() > 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster queryString.append("&").append(SAML2Constants.RELAY_STATE)
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest SAML2MetaUtils.getAttributes(localDescriptorConfig),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String signedQueryStr = SPSSOFederate.signQueryString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.INFO, LogUtil.REDIRECT_TO_SP,data, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AuthnRequestInfo reqInfo = new AuthnRequestInfo(request, response,
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest realm, hostedEntityId, preferredIDP, newAuthnRequest, relayState,
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest // sessionExpireTime is counted in seconds
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest long sessionExpireTime = System.currentTimeMillis() / 1000 + SPCache.interval;
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(requestID, new AuthnRequestInfoCopy(reqInfo), sessionExpireTime);
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest SAML2Utils.debug.message(classMethod + " SAVE AuthnRequestInfoCopy for requestID " + requestID);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2Utils.debug.error(classMethod + " SAVE AuthnRequestInfoCopy for requestID "
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major private static SingleSignOnServiceElement getMatchingSSOEndpoint(List<SingleSignOnServiceElement> endpoints,
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major SingleSignOnServiceElement preferredEndpoint = null;
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major boolean isFirst = true;
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major for (SingleSignOnServiceElement endpoint : endpoints) {
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major //If there is no match, we should use the first endpoint in the list
e560488158a3b31d33f5e5bfe0a33e041b5ecb10Peter Major if (preferredBinding.equals(endpoint.getBinding())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Constructs a new authentication request from the original request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * that was sent by the service provider to the proxying IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param hostedEntityId hosted provider ID
420a3bbac5080d4a45b074040d304483273662c4Peter Major * @param destination The destination where the new AuthnRequest will be sent to.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm Realm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param origRequest Original Authn Request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return AuthnRequest the new authn request.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception SAML2Exception for failure in creating the new authn request.
420a3bbac5080d4a45b074040d304483273662c4Peter Major private static AuthnRequest getNewAuthnRequest(String hostedEntityId, String destination, String realm,
420a3bbac5080d4a45b074040d304483273662c4Peter Major AuthnRequest origRequest) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String classMethod = "IDPProxyUtil.getNewAuthnRequest: ";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // New Authentication request should only be a single sign-on request.
420a3bbac5080d4a45b074040d304483273662c4Peter Major AuthnRequest newRequest = ProtocolFactory.getInstance().createAuthnRequest();
420a3bbac5080d4a45b074040d304483273662c4Peter Major throw new SAML2Exception(SAML2Utils.bundle.getString("cannotGenerateID"));
420a3bbac5080d4a45b074040d304483273662c4Peter Major SPSSODescriptorElement localDescriptor = IDPSSOUtil.metaManager.getSPSSODescriptor(realm, hostedEntityId);
420a3bbac5080d4a45b074040d304483273662c4Peter Major newRequest.setDestination(XMLUtils.escapeSpecialCharacters(destination));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newRequest.setConsent(origRequest.getConsent());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newRequest.setIsPassive(origRequest.isPassive());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newRequest.setForceAuthn(origRequest.isForceAuthn());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newRequest.setAttributeConsumingServiceIndex(origRequest.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newRequest.setAssertionConsumerServiceIndex(origRequest.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String protocolBinding = origRequest.getProtocolBinding();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newRequest.setProtocolBinding(protocolBinding);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newRequest.setAssertionConsumerServiceURL(acsURL);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Issuer issuer = AssertionFactory.getInstance().createIssuer();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameIDPolicy origNameIDPolicy = origRequest.getNameIDPolicy();
3b705ce0a025821048ff45b348fb10188c46a608Peter Major NameIDPolicy newNameIDPolicy = ProtocolFactory.getInstance().createNameIDPolicy();
3b705ce0a025821048ff45b348fb10188c46a608Peter Major newNameIDPolicy.setFormat(origNameIDPolicy.getFormat());
3b705ce0a025821048ff45b348fb10188c46a608Peter Major newNameIDPolicy.setSPNameQualifier(hostedEntityId);
3b705ce0a025821048ff45b348fb10188c46a608Peter Major newNameIDPolicy.setAllowCreate(origNameIDPolicy.isAllowCreate());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newRequest.setRequestedAuthnContext(origRequest.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newRequest.setExtensions(origRequest.getExtensions());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newRequest.setVersion(SAML2Constants.VERSION_2_0);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Scoping newScoping = ProtocolFactory.getInstance().
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Integer proxyCountInt = scoping.getProxyCount();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster proxyCount = scoping.getProxyCount().intValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster newScoping.setProxyCount(new Integer(proxyCount-1));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //handling the alwaysIdpProxy case -> the incoming request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //did not contain a Scoping field
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPSSOConfigElement spConfig = getSPSSOConfigByAuthnRequest(realm, origRequest);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map<String, List<String>> spConfigAttrMap = SAML2MetaUtils.getAttributes(spConfig);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster scoping = ProtocolFactory.getInstance().createScoping();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String proxyCountParam = SPSSOFederate.getParameter(spConfigAttrMap,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (proxyCountParam != null && (!proxyCountParam.equals(""))) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster int proxyCount = Integer.valueOf(proxyCountParam);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //since this is a remote SP configuration, we should
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //decrement the proxycount by one
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (proxyIdPs != null && !proxyIdPs.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List<IDPEntry> list = new ArrayList<IDPEntry>();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPEntry entry = ProtocolFactory.getInstance().
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPList idpList = ProtocolFactory.getInstance().
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Checks if the identity provider is configured for proxying the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * authentication requests for a requesting service provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnRequest Authentication Request.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm Realm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>true</code> if the IDP is configured for proxying.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception SAML2Exception for any failure.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static boolean isIDPProxyEnabled(AuthnRequest authnRequest,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //let's check if always IdP proxy and IdP Proxy itself is enabled
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spConfig = getSPSSOConfigByAuthnRequest(realm, authnRequest);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spConfigAttrsMap = SAML2MetaUtils.getAttributes(spConfig);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Boolean alwaysEnabled = SPSSOFederate.getAttrValueFromMap(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spConfigAttrsMap, SAML2Constants.ALWAYS_IDP_PROXY);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Boolean proxyEnabled = SPSSOFederate.getAttrValueFromMap(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spConfigAttrsMap, SAML2Constants.ENABLE_IDP_PROXY);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return true;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Integer proxyCountInt = scoping.getProxyCount();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //Proxy count missing, IDP Proxy allowed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spConfigAttrsMap = SAML2MetaUtils.getAttributes(spConfig);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Boolean enabledString = SPSSOFederate.getAttrValueFromMap(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spConfigAttrsMap, SAML2Constants.ENABLE_IDP_PROXY);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Checks if the proxying is enabled. It will be checking if the proxy
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * service provider descriptor is set in the session manager for the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * specific request ID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param requestID authentication request id which is created by the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * proxying IDP to the authenticating IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if the proxying is enabled.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static boolean isIDPProxyEnabled(String requestID) {
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major return IDPCache.proxySPAuthnReqCache.containsKey(requestID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sends the proxy authentication response to the proxying service
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * provider which originally requested the authentication.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request HttpServletRequest
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response HttpServletResponse
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest * @param out the print writer for writing out presentation
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param requestID request ID
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idpMetaAlias meta Alias
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major * @param newSession Session object
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major * @throws SAML2Exception for any SAML2 failure.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static void sendProxyResponse(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String classMethod = "IDPProxyUtil.sendProxyResponse: ";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPCache.proxySPAuthnReqCache.remove(requestID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String proxySPEntityId = origRequest.getIssuer().getValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + ":Original requesting service provider id:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Save the SP provider id based on the token id
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major IDPCache.spSessionPartnerBySessionID.put(sessionProvider.getSessionID(newSession), proxySPEntityId);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //TODO: set AuthnContext
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /*AuthnContext authnContextStm;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (authnContextStmt != null) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String authnContext = authnContextStmt.getAuthnContextClassRef();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster session.setAuthnContext(authnContext);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPCache.relayStateCache.get(origRequest.getID());
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major * Sends back a NoPassive response for the original AuthnRequest.
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major * @param request The request.
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major * @param response The response.
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major * @param requestID The requestID of the proxied AuthnRequest; the original AuthnRequest must still be cached under this ID.
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major * @param idpMetaAlias The IdP's metaAlias.
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major * @param hostEntityID The IdP's entity ID.
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major * @param realm The realm where the IdP belongs to.
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major * @throws SAML2Exception If there was an error while sending the NoPassive response.
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major public static void sendNoPassiveProxyResponse(HttpServletRequest request, HttpServletResponse response,
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major String requestID, String idpMetaAlias, String hostEntityID, String realm) throws SAML2Exception {
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major AuthnRequest origRequest = (AuthnRequest) IDPCache.proxySPAuthnReqCache.remove(requestID);
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major String relayState = (String) IDPCache.relayStateCache.remove(origRequest.getID());
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major IDPSSOUtil.sendNoPassiveResponse(request, response, idpMetaAlias, hostEntityID, realm,
34f7fc919553f0b520d0008264f1c5af819a3861Peter Major origRequest, relayState, origRequest.getIssuer().getValue());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Generates the AuthnResponse on behalf of the IDP Proxy and sends it to the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * service provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request HttpServletRequest
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response HttpServletResponse
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest * @param out the print writer for writing out presentation
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param metaAlias meta Alias
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param respInfo ResponseInfo object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param newSession Session object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception SAML2Exception for any SAML2 failure.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static void generateProxyResponse(
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest HttpServletRequest request, HttpServletResponse response, PrintWriter out,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String requestID = saml2Resp.getInResponseTo();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //if (isIDPProxyEnabled(requestID)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String nameidFormat = getNameIDFormat(saml2Resp);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (nameidFormat != null && SAML2Utils.debug.messageEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("NAME ID Format= " + nameidFormat );
0fdab8904a8fe223f6934b878769fe45e7651c60Andrew Forrest sendProxyResponse(request, response, out, requestID, metaAlias,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static String getNameIDFormat(Response res)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((assertions == null) || (assertions.size() == 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Assertion assertion = (Assertion)assertions.get(0);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Initiates the Single logout request by the IDP Proxy to the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * authenticating identity provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request HttpServletRequest
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response HttpServletResponse
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param partner Authenticating identity provider
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param spMetaAlias IDP proxy's meta alias acting as SP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm Realm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static void initiateSPLogoutRequest(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullSSOToken",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] values = SessionManager.getProvider().
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster getProperty(ssoToken, SAML2Constants.SP_METAALIAS);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster paramsMap.put(SAML2Constants.ROLE, SAML2Constants.SP_ROLE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster paramsMap.put(SAML2Constants.BINDING, binding);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String dest = getLocation(realm, partner, binding);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "sloResponseServiceLocationNotfound"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster paramsMap.put("Consent", request.getParameter("Consent"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster paramsMap.put("Extension", request.getParameter("Extension"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster paramsMap.put(SAML2Constants.RELAY_STATE, relayState);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPSingleLogout.initiateLogoutRequest(request,response,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("Error sending Logout Request " , sse);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "LogoutRequestCreationError",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "LogoutRequestCreationError"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("Error initializing Request ",e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "LogoutRequestCreationError",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "LogoutRequestCreationError"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets the SLO response service location of the authenticating
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * identity provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm Realm
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idpEntityID authenticating identity provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return location URL of the SLO response service, or null
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * if not found.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static String getLocation (String realm, String idpEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get IDPSSODescriptor
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO,LogUtil.IDP_METADATA_ERROR,data,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List slosList = idpsso.getSingleLogoutService();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO,LogUtil.SLO_NOT_FOUND,data,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("sloServiceListNotfound"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster location = LogoutUtil.getSLOServiceLocation(slosList,binding);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (SAML2Utils.debug.messageEnabled() && (location != null)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static List getSessionPartners(HttpServletRequest request)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Object tmpsession = sessionProvider.getSession(request);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String tokenID = sessionProvider.getSessionID(tmpsession);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "SESSION PARTNER's Provider ID: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static void sendProxyLogoutRequest(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Object tmpsession = sessionProvider.getSession(request);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String tokenID = sessionProvider.getSessionID(tmpsession);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "CURRENT PARTNER's provider ID: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("Starting IDP proxy logout.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2MetaUtils.getMetaAliasByUri(request.getRequestURI()) ;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPCache.idpSessionsBySessionID.remove(tokenID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster initiateSPLogoutRequest(request,response, party, metaAlias, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster logoutReq, null, idpSession, binding, relayState);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper public static void sendProxyLogoutResponse(
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper throw new SAML2Exception(SAML2Utils.bundle.getString("nullIDPEntityID"));
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper SAML2Utils.debug.message("Proxy IDP EntityID=" + entityID);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper String realm = infoMap.get(SAML2Constants.REALM);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper SAML2Utils.debug.message("Proxy IDP Realm=" + realm);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper LogoutResponse logoutRes = LogoutUtil.generateResponse(null, originatingRequestID,
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper SAML2Utils.createIssuer(entityID), realm, SAML2Constants.IDP_ROLE, remoteEntity);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper String location = IDPSingleLogout.getSingleLogoutLocation(remoteEntity, realm, SAML2Constants.HTTP_REDIRECT);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper SAML2Utils.debug.message("Proxy to: " + location);
5a94313bda679ecfc84e2605ac3484ad9c69c3cfMark de Reeper logoutRes.setDestination(XMLUtils.escapeSpecialCharacters(location));
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper String relayState = infoMap.get(SAML2Constants.RELAY_STATE);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper LogoutUtil.sendSLOResponse(response, request, logoutRes, location, relayState, realm, entityID,
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper SAML2Constants.IDP_ROLE, remoteEntity, binding);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static void sendProxyLogoutRequestSOAP(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "CURRENT PARTNER's provider ID: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("Starting IDP proxy logout.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2MetaUtils.getMetaAliasByUri(request.getRequestURI()) ;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster initiateSPLogoutRequest(request,response, party, metaAlias, realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster null, msg ,idpSession, SAML2Constants.SOAP, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static Map getSessionPartners(SOAPMessage message) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Element reqElem = SAML2Utils.getSamlpElement(message,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "LogoutRequest");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ProtocolFactory.getInstance().createLogoutRequest(reqElem);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Number of session indices in the logout request is "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("getSessionPartners: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPCache.idpSessionsByIndices.get(sessionIndex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // session is in another server
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessMap.put(SAML2Constants.SESSION_INDEX, sessionIndex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessMap.put(SAML2Constants.IDP_SESSION, idpSession);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String tokenId = sessionProvider.getSessionID(session);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "SESSION PARTNER's Provider ID: "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessMap.put(SAML2Constants.PARTNERS, partners);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("getSessionPartners: Number of " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "session indices in the logout request is null");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("getSessionPartners: ", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static void sendProxyLogoutResponseBySOAP(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Need to call saveChanges because we're
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // going to use the MimeHeaders to set HTTP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // response information. These MimeHeaders
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // are generated as part of the save.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.putHeaders(reply.getMimeHeaders(), resp);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Write out the message on the response stream
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("sendProxyLogoutResponseBySOAP: ", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("sendProxyLogoutResponseBySOAP: ", ie);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static void sendIDPInitProxyLogoutRequest(
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper String logoutAll = request.getParameter(SAML2Constants.LOGOUT_ALL);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper IDPSSOConfigElement config = sm.getIDPSSOConfig(realm, spEntityID);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper paramsMap.put("metaAlias", config.getMetaAlias());
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper paramsMap.put(SAML2Constants.ROLE, SAML2Constants.IDP_ROLE);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper paramsMap.put(SAML2Constants.BINDING, SAML2Constants.HTTP_REDIRECT);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper paramsMap.put("Destination", request.getParameter("Destination"));
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper paramsMap.put("Consent", request.getParameter("Consent"));
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper paramsMap.put("Extension", request.getParameter("Extension"));
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper logoutResponseMap.put("LogoutResponse", logoutResponse);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper if (location != null && !location.equals("")) {
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper if (spEntityID != null && !spEntityID.equals("")) {
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper logoutResponseMap.put("spEntityID", spEntityID);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper if (idpEntityID != null && !idpEntityID.equals("")) {
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper logoutResponseMap.put("idpEntityID", idpEntityID);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper paramsMap.put("LogoutMap", logoutResponseMap);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper paramsMap.put(SAML2Constants.LOGOUT_ALL, logoutAll);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper IDPSingleLogout.initiateLogoutRequest(request, response, out, binding, paramsMap);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper if (binding.equalsIgnoreCase(SAML2Constants.SOAP)) {
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper if (RelayState != null) {
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper response.sendRedirect(RelayState);
31995e9edcce4393cdab93d80f27d5ab54ff5264Mark de Reeper page="/saml2/jsp/default.jsp?message=idpSloSuccess" />
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static List getSPSessionPartners(HttpServletRequest request)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Object tmpsession = sessionProvider.getSession(request);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String tokenID = sessionProvider.getSessionID(tmpsession);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster pid=(String)IDPCache.spSessionPartnerBySessionID.get(tokenID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPCache.spSessionPartnerBySessionID.remove(tokenID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns an <code>IDPProxyFinder</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm the realm name
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idpEntityID the entity id of the identity provider
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the <code>IDPProxyFinder</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @exception SAML2Exception if the operation is not successful
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String classMethod = "IDPProxyUtil.getIDPProxyFinder: ";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster idpProxyFinderName = IDPSSOUtil.getAttributeValueFromIDPSSOConfig(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster realm, idpEntityID, SAML2Constants.PROXY_IDP_FINDER_CLASS);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (idpProxyFinderName == null || idpProxyFinderName.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message(classMethod + "use " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Class.forName(idpProxyFinderName).newInstance();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "got the IDPProxyFinder from cache");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static SPSSOConfigElement getSPSSOConfigByAuthnRequest(