a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: IDPSSOUtil.java,v 1.56 2009/11/24 21:53:28 madan_ranganath Exp $
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Portions Copyrighted 2010-2016 ForgeRock AS.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Portions Copyrighted 2013 Nomura Research Institute, Ltd
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport static org.forgerock.openam.utils.Time.*;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.AccountUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.NameIDInfo;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.NewBoolean;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Constants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Exception;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2FailoverUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2InvalidNameIDPolicyException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Utils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SOAPCommunicator;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.encode.URLEncDec;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.cot.CircleOfTrustManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.cot.CircleOfTrustDescriptor;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.multiprotocol.MultiProtocolUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.multiprotocol.SingleLogoutManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.xmlsig.KeyProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Assertion;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.AssertionFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Attribute;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.AttributeStatement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.AudienceRestriction;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.AuthnContext;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.AuthnStatement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Conditions;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.EncryptedAssertion;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.EncryptedAttribute;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.EncryptedID;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Subject;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.SubjectConfirmation;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.SubjectConfirmationData;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.idpdiscovery.IDPDiscoveryConstants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.entityconfig.IDPSSOConfigElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.AffiliationDescriptorType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.ArtifactResolutionServiceElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.AssertionConsumerServiceElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.plugins.IDPAccountMapper;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.plugins.IDPAttributeMapper;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.plugins.IDPAuthnContextInfo;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.plugins.IDPAuthnContextMapper;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.plugins.IDPECPSessionMapper;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.Artifact;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.AuthnRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.NameIDPolicy;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.ProtocolFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.Response;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.StatusCode;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.monitoring.FedMonAgent;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.monitoring.FedMonSAML2Svc;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.monitoring.MonitorManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.plugins.SAML2IdentityProviderAdapter;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport org.forgerock.openam.saml2.audit.SAML2EventLogger;
 * The utility class is used by the identity provider to process
 * the authentication request from a service provider and send back
 * a proper response.
 * The identity provider can also send an unsolicited response to a service
 * provider to do single sign-on and/or federation.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // key name for name id format on SSOToken
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static final String NAMEID_FORMAT = "SAML2NameIDFormat";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static final String REDIRECTED = "redirected";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static final String REDIRECTED_TRUE = "redirected=true";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static SAML2MetaManager metaManager = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static CircleOfTrustManager cotManager = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static IDPSessionListener sessionListener = new IDPSessionListener();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("Error retrieving circle of trust");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("Error retrieving metadata", sme);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionProvider = SessionManager.getProvider();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "IDPSSOUtil static block: Error getting SessionProvider.",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Does SSO with existing federation or new federation
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request the <code>HttpServletRequest</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response the <code>HttpServletResponse</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param out the print writer for writing out presentation
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param authnReq the <code>AuthnRequest</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param spEntityID the entity id of the service provider
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idpMetaAlias the meta alias of the identity provider
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param nameIDFormat the <code>NameIDFormat</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param relayState the relay state
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param auditor the auditor for logging SAML2 Events - may be null
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAML2Exception if the operation is not successful
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static void doSSOFederate(HttpServletRequest request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster doSSOFederate(request, response, out, authnReq,
 * Does SSO with an existing federation or a new federation.
 * @param request the <code>HttpServletRequest</code> object
 * @param response the <code>HttpServletResponse</code> object
 * @param out the print writer for writing out presentation
 * @param authnReq the <code>AuthnRequest</code> object
 * @param spEntityID the entity id of the service provider
 * @param idpMetaAlias the meta alias of the identity provider
 * @param nameIDFormat the <code>NameIDFormat</code>
 * @param relayState the relay state
 * @param newSession Session used in IDP Proxy Case
 * @param auditor the auditor for logging SAML2 Events - may be null, since the
 *        overload without <code>newSession</code> passes its own (possibly null) auditor through
 * @throws SAML2Exception if the operation is not successful
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static void doSSOFederate(HttpServletRequest request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String classMethod = "IDPSSOUtil.doSSOFederate: ";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // log the authnRequest
throw new SAML2Exception(
throw new SAML2Exception(
throw new SAML2Exception(
throw new SAML2Exception(
public static void sendResponseToACS(HttpServletRequest request, HttpServletResponse response, PrintWriter out,
throws SAML2Exception {
throw new SAML2Exception(
throw new SAML2Exception(
//check first if there is already an existing sessionindex associated with this SSOToken, if there is, then
//The remoteServiceURL will be null if there is no sessionindex for this SSOToken, or there is, but it's
//local. If the remoteServiceURL is not null, we can start to send the request to the original server.
//NOTE(review): request.getQueryString() returns null when the request carries no query string, so the
//concatenation below would then append a literal "?null" to remoteServiceURL; guard for that case.
remoteServiceURL += SAML2Utils.removeDeployUri(request.getRequestURI()) + "?" + request.getQueryString();
+ remoteServiceURL);
} catch (SessionException e) {
session)) {
throw new SAML2Exception(
private static boolean setCOTCookie(
* @throws SAML2Exception If there was an error while creating or sending the response back to the SP.
Response res = SAML2Utils.getErrorResponse(authnReq, firstlevelStatusCodeValue, secondlevelStatusCodeValue,
sendResponse(request, response, out, acsBinding, spEntityID, idpEntityID, idpMetaAlias, realm, relayState,
public static void sendResponse(
throws SAML2Exception {
throw new SAML2Exception(
public static void sendResponse(
throws SAML2Exception {
boolean signAssertion = true;
boolean signResponse = SAML2Utils.wantPOSTResponseSigned(realm, spEntityID, SAML2Constants.SP_ROLE);
if (signResponse) {
if (signResponse) {
throw saml2E;
throw new SAML2Exception(
* @param matchingAuthnContext the <code>AuthnContext</code> used to find authentication type and scheme.
throws SAML2Exception {
return null;
return null;
return null;
return res;
* @param matchingAuthnContext the <code>AuthnContext</code> used to find authentication type and scheme.
throws SAML2Exception {
synchronized (sessionID) {
authnStatement = getAuthnStatement(request, session, isNewSessionIndex, authnReq, idpEntityID, realm,
return null;
} catch (SessionException e) {
throw new SAML2Exception(
throw new SAML2Exception(
boolean found = false;
found = true;
if (!found) {
throw new SAML2Exception(
synchronized (assertions) {
SAML2Utils.debug.error(classMethod + "Unable to save IDPSession to the SAML2 Token Repository", se);
return assertion;
* @param isNewSessionIndex A returned flag from which the caller knows if the session index in the returned
* @param matchingAuthnContext The <code>AuthnContext</code> used to find authentication type and scheme.
throws SAML2Exception {
} catch (Exception e) {
throw new SAML2Exception(
} catch (Exception e) {
throw new SAML2Exception(
final Response idpResponse = (Response) request.getAttribute(SAML2Constants.SAML_PROXY_IDP_RESPONSE_KEY);
// IdP proxy case: we already received an assertion from the remote IdP and now the IdP proxy is generating
// According to SAML profile 4.1.4.2 each assertion within the SAML Response MUST have the same issuer, so
// this should suffice. We should have at least one assertion, since the IdP proxy's SP already accepted it.
values);
} catch (SessionException e) {
throw new SAML2Exception(
return authnStatement;
throws SAML2Exception {
return null;
return attrStatement;
throws SAML2Exception {
return idpAttributeMapper;
throws SAML2Exception {
return idpAuthnContextMapper;
return idpECPSessionMapper;
int effectiveTime,
throws SAML2Exception {
boolean ignoreProfile = false;
throw new SAML2Exception(
boolean isAffiliation = false;
isAffiliation = true;
isAffiliation = true;
if (!isTransient) {
if (shouldPersistNameID) {
if (isTransient) {
userName);
throw new SAML2Exception(
return subject;
throws SAML2Exception {
return sc;
throw new SAML2Exception(
return conditions;
return ar;
throws SAML2Exception {
public static String getACSurl(String spEntityID, String realm, String acsURL, String binding, Integer index,
int acsIndex;
return acsURL;
return acsURL;
return null;
throws SAML2Exception {
return null;
return acsURL;
int acsIndex,
throws SAML2Exception {
int index;
return null;
return acsURL;
throws SAML2Exception {
throw new SAML2Exception(
throw new SAML2Exception(
throw new SAML2Exception(
null,
+ artStr);
null);
null);
return null;
} catch (SessionException e) {
return null;
return null;
return index;
return authUrl;
return result;
static void redirectAuthentication(
//We are appending redirected=true to the goto URL so that we can tell if the user was already redirected
throws SAML2Exception {
throw new SAML2Exception(
throw new SAML2Exception(
boolean signAssertion)
throws SAML2Exception {
boolean toEncryptAssertion = false;
boolean toEncryptNameID = false;
boolean toEncryptAttribute = false;
if (!toEncryptAssertion) {
&& (!toEncryptAttribute)) {
if (signAssertion) {
throw new SAML2Exception(
if (toEncryptAssertion) {
if (signAssertion) {
throw new SAML2Exception(
if (toEncryptNameID) {
throw new SAML2Exception(
if (toEncryptAttribute) {
throw new SAML2Exception(
if (signAssertion) {
return null;
return null;
return null;
return null;
} catch (Exception e) {
return writerURL;
return effectiveTime;
int notBeforeSkewTime =
return notBeforeSkewTime;
return bytes;
public static long getValidTimeofResponse(
throws SAML2Exception {
return (currentTimeMillis()
throw new SAML2Exception(
return ret;
throw new SAML2Exception(
throw new SAML2Exception(
throws SAML2Exception {
throws SAML2Exception {
boolean isValidACSurl = false;
isValidACSurl = true;
return isValidACSurl;
private static boolean wantAssertionsSigned(String realm, String spEntityID) throws SAML2Exception {
throws SAML2Exception {
SAML2Utils.debug.error(classMethod + "Unable to get SP SSO Descriptor from metadata, descriptor is null.");
return spSSODescriptor;
boolean isValidSessionInRealm = false;
String sessionRealm = SAML2Utils.getSingleValuedSessionProperty(session, SAML2Constants.ORGANIZATION);
isValidSessionInRealm = true;
return isValidSessionInRealm;
return authenticatingAuthorities;