SPSSOFederate.java revision ccf9d4a5c6453fa9f8b839baeee25147865fbb7d
/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: SPSSOFederate.java,v 1.29 2009/11/24 21:53:28 madan_ranganath Exp $
*
* Portions Copyrighted 2011-2016 ForgeRock AS.
*/
/**
* This class reads the query parameters and performs the required
* processing logic for sending Authentication Request
* from SP to IDP.
*
*/
public class SPSSOFederate {
static {
try {
sm = new SAML2MetaManager();
} catch (SAML2MetaException sme) {
,sme);
}
}
/**
* Parses the request parameters and builds the Authentication
* Request to send to the IDP.
*
* @param request the HttpServletRequest.
* @param response the HttpServletResponse.
* @param metaAlias metaAlias to locate the service providers.
* @param idpEntityID entityID of Identity Provider.
* @param paramsMap Map of all other parameters. The keys in the
* map are of type String. The values in the paramsMap
* are of type List.
* Some of the possible keys are:RelayState,NameIDFormat,
* reqBinding, binding, AssertionConsumerServiceIndex,
* AttributeConsumingServiceIndex (currently not supported),
* isPassive, ForceAuthN, AllowCreate, Destination,
* AuthnContextDeclRef, AuthnContextClassRef,
* AuthComparison, Consent (currently not supported),
* AuthLevel, and sunamcompositeadvice.
* @param auditor the SAML2EventLogger to use to log the saml request - may be null
* @throws SAML2Exception if error initiating request to IDP.
*/
final HttpServletResponse response,
final String idpEntityID,
try {
// get the sp entity ID from the metaAlias
}
} catch (SAML2MetaException sme) {
}
}
/**
* Gets the SP Entity ID from the metaAlias.
*
* @param metaAlias the metaAlias String
* @return the EntityId of the SP from the meta Alias
* @throws SAML2MetaException if there was a problem extracting
*/
}
/**
* Parses the request parameters and builds the Authentication
* Request to send to the IDP.
*
* @param request the HttpServletRequest.
* @param response the HttpServletResponse.
* @param spEntityID entityID of Service Provider.
* @param idpEntityID entityID of Identity Provider.
* @param paramsMap Map of all other parameters. The keys in the
* map are the parameter names, of type String.
* The values in the paramsMap are of type List.
* Some of the possible keys are:RelayState,NameIDFormat,
* reqBinding, binding, AssertionConsumerServiceIndex,
* AttributeConsumingServiceIndex (currently not supported),
* isPassive, ForceAuthN, AllowCreate, Destination,
* AuthnContextDeclRef, AuthnContextClassRef,
* AuthComparison, Consent (currently not supported),
* AuthLevel, and sunamcompositeadvice.
* @param auditor the auditor for logging SAML2 Events - may be null
* @throws SAML2Exception if error initiating request to IDP.
*/
private static void initiateAuthnRequest(
final String idpEntityID, final String realmName, final Map paramsMap, final SAML2EventLogger auditor)
throws SAML2Exception {
return;
}
if (spEntityID == null) {
}
if (idpEntityID == null) {
}
}
}
try {
// Retreive MetaData
}
// get SPSSODescriptor
}
// get IDP Descriptor
}
}
// create AuthnRequest
}
// invoke SP Adapter class if registered
spAdapter.preSingleSignOnRequest(spEntityID, idpEntityID, realmName, request, response, authnRequest);
}
}
// Default URL if relayState not present? in providerConfig?
// TODO get Default URL from metadata
// Validate the RelayState URL.
// check if relayState is present and get the unique
// id which will be appended to the SSO URL before
// redirecting.
}
SAML2Utils.postToTarget(request, response, "SAMLRequest", encodedReqMsg, "RelayState", relayStateID, ssoURL);
} else {
String redirect = getRedirect(authReqXMLString, relayStateID, ssoURL, idpsso, spsso, spConfigAttrsMap);
}
synchronized(SPCache.requestHash) {
}
if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
// sessionExpireTime is counted in seconds
try {
SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(key, new AuthnRequestInfoCopy(reqInfo), sessionExpireTime);
+ " SAVE AuthnRequestInfoCopy for requestID " + key);
}
} catch (SAML2TokenRepositoryException e) {
"AuthnRequestInfoCopy in the SAML2 Token Repository for requestID " + key, e);
}
}
} catch (IOException ioe) {
} catch (SAML2MetaException sme) {
}
}
/**
* Gets the redirect String.
*
* @param authReqXMLString Auth Request XML.
* @param relayStateID the id of the relay state
* @param ssoURL the URL for the redirect
* @param idpsso the idp descriptor to use
* @param spsso the sp descriptor to use
* @param spConfigAttrsMap the sp configuration details
* @return a String to use for the redirect request.
* @throws SAML2Exception if there is a problem creating the redirect string
*/
throws SAML2Exception {
// encode the xml string
.append("=")
}
// sign the query string
} else {
}
return redirectURL.toString();
}
/**
* Gets the SP SSO Descriptor for the given sp entity id in the given realm.
*
* @param realm the realm the sp is configured in
* @param spEntityID the entity id of the sp to get the Descriptor for
* @return the SPSSODescriptorElement for the requested sp entity
* @throws SAML2MetaException if there is a problem looking up the SPSSODescriptorElement.
*/
throws SAML2MetaException {
}
/**
* Gets the Configuration attributes for the given sp entity id in the given realm.
* @param realm the realm the sp is configured in
* @param spEntityID the entity id of the sp to get the attributes map for
* @return a map of SAML2 Attributes with String keys mapped to a collection of values
* @throws SAML2MetaException if there is a problem looking up the SP configuration attributes
*/
public static Map<String, Collection<String>> getAttrsMapForAuthnReq(String realm, String spEntityID)
throws SAML2MetaException {
if (spEntityCfg != null) {
}
return spConfigAttrsMap;
}
/**
* Gets the IDP SSO Descriptor for the given idp entity id in the given realm.
*
* @param realm the realm the idp is configured in
* @param idpEntityID the entity id of the idp to get the Descriptor for
* @return the IDPSSODescriptorElement for the requested idp entity
* @throws SAML2MetaException if there is a problem looking up the IDPSSODescriptorElement.
*/
throws SAML2MetaException {
}
/**
* Gets the POST binding message.
*
* @param idpsso the idp descriptor to use
* @param spsso the sp descriptor to use
* @param spConfigAttrsMap the sp configuration details
* @param authnRequest the AuthnRequest to build the message from
* @return a String containing the POST binding message
* @throws SAML2Exception if there is a problem creating the POST binding message
*/
public static String getPostBindingMsg(IDPSSODescriptorElement idpsso, SPSSODescriptorElement spsso,
throws SAML2Exception {
}
SAML2Utils.debug.message("SPSSOFederate.initiateAuthnRequest: SAML Response content :\n" + authXMLString);
}
}
/**
* Parses the request parameters and builds the ECP Request to send to the IDP.
*
* @param request the HttpServletRequest.
* @param response the HttpServletResponse.
*
* @throws SAML2Exception if error creating AuthnRequest.
* @throws IOException if error sending AuthnRequest to ECP.
*/
throws SAML2Exception, IOException {
"invalid HTTP request from ECP.");
"invalidHttpRequestFromECP",
return;
}
// get the sp entity ID from the metaAlias
}
try {
// Retreive MetaData
throw new SAML2Exception(
}
if (spEntityCfg != null) {
}
// get SPSSODescriptor
throw new SAML2Exception(
}
null);
// create AuthnRequest
true);
// invoke SP Adapter class if registered
}
if (signingKey != null) {
} else {
"Unable to find signing key.");
throw new SAML2Exception(
}
// Default URL if relayState not present? in providerConfig?
// TODO get Default URL from metadata
authnRequest.getID());
}
if (ecpIDPFinder != null) {
.createIDPEntry();
if (idpEntries == null) {
idpEntries = new ArrayList();
}
}
}
if (idpEntries != null) {
.createIDPList();
}
}
}
}
try {
} catch (PAOSException paosex) {
paosex);
}
try {
false);
}
null);
// Need to call saveChanges because we're
// going to use the MimeHeaders to set HTTP
// response information. These MimeHeaders
// are generated as part of the save.
if (reply.saveRequired()) {
reply.saveChanges();
}
// Write out the message on the response stream
} catch (SOAPException soapex) {
soapex);
return;
}
synchronized(SPCache.requestHash) {
}
if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
// sessionExpireTime is counted in seconds
try {
SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(key, new AuthnRequestInfoCopy(reqInfo), sessionExpireTime);
+ " SAVE AuthnRequestInfoCopy for requestID " + key);
}
} catch (SAML2TokenRepositoryException e) {
"AuthnRequestInfoCopy in the SAML2 Token Repository for requestID " + key, e);
}
}
} catch (SAML2MetaException sme) {
}
}
/**
* Checks if the request is from ECP.
*
* @param request the HttpServletRequest.
* @return true if the request is from ECP.
*/
try {
} catch (PAOSException pex) {
"no PAOS header");
}
return false;
}
"PAOS header doesn't contain ECP service");
}
return false;
}
if (acceptHeader == null) {
return false;
}
}
/* Create NameIDPolicy Element */
throws SAML2Exception {
if (affiliationID != null) {
"affiliationNotFound"));
}
"spNotAffiliationMember"));
}
} else {
}
return nameIDPolicy;
}
/* Create Issuer */
throws SAML2Exception {
return issuer;
}
/**
* Create an AuthnRequest.
*
* @param realmName the authentication realm for this request
* @param spEntityID the entity id for the service provider
* @param paramsMap the map of parameters for the authentication request
* @param spConfigMap the configuration map for the service provider
* @param extensionsList a list of extensions for the authentication request
* @param spsso the SPSSODescriptorElement for the service provider
* @param idpsso the IDPSSODescriptorElement for the identity provider
* @param ssourl the url for the single sign on request
* @param isForECP boolean to indicate if the request originated from an ECP
* @return a new AuthnRequest object
* @throws SAML2Exception if error creating AuthnRequest.
*/
final String spEntityID,
final Map spConfigMap,
final List extensionsList,
final SPSSODescriptorElement spsso,
final IDPSSODescriptorElement idpsso,
final boolean isForECP) throws SAML2Exception {
// generate unique request ID
throw new SAML2Exception(
}
// retrieve data from the params map and if not found get
// default values from the SPConfig Attributes
// destinationURI required if message is signed.
// get NameIDPolicy Element
{
"is not supported for " + spEntityID);
throw new SAML2Exception(
}
if (!isForECP) {
ssourl));
} else {
}
}
authnReq.setRequestedAuthnContext(createReqAuthnContext(realmName, spEntityID, paramsMap, spConfigMap));
}
if (extensions != null) {
}
// Required attributes in authn request
//IDP Proxy
{
}
}
}
}
return authnReq;
}
/**
* Returns the value of a boolean parameter in the SP SSO Config.
* @param attrMap the map of attributes for the sso config
* @param attrName the key to get the boolean value for
* @return the value of the parameter in the sso config or null if the attribute was not found or was
* not a boolean parameter
*/
}
}
return boolVal;
}
/**
* Returns the SingleSignOnService URL.
*
* @param ssoServiceList list of sso services
* @param binding binding of the sso service to get the url for
* @return a string url for the sso service
*/
while (i.hasNext()) {
(SingleSignOnServiceElement) i.next();
break;
}
}
}
+ " SingleSignOnService URL :"
+ ssoURL);
}
return ssoURL;
}
/**
* Returns an Ordered Set containing the AssertionConsumerServiceURL
* and AssertionConsumerServiceIndex.
*/
}
break;
break;
}
}
}
+ " URL :" + acsURL);
+ " Binding Passed in Query: " + binding);
+ " Binding : " + responseBinding);
}
return ol;
}
/**
* Fills in the realm with the default top level realm if it does not contain a more specific subrealm.
* i.e. if it is null or empty it becomes "/"
* @param realm the current realm
* @return the realm to use
*/
}
/**
* Gets isPassive attribute from the config map and parameters map.
*
* @param paramsMap the map of the parameters
* @param spConfigAttrsMap the map of the configuration
* @return boolean to indicate if the request should be passive
*/
// get isPassive
if ((isPassiveStr != null) &&
} else {
}
}
}
/* Returns value of ForceAuthn */
if ((forceAuthn != null) &&
} else {
}
}
}
/* get value of AllowCreate */
//assuming default true?
boolean allowCreate=true;
if ((allowCreateStr != null) &&
) {
} else {
}
}
}
return allowCreate;
}
// Default to true if this flag is not found to be backwards compatible.
boolean result = true;
// Check the parameters first in case the request wants to override the metadata value.
} else {
}
}
}
return result;
}
/* Returns the AssertionConsumerServiceURL Index */
}
return attrIndex;
}
/**
* Gets the query parameter value for the param specified.
* @param paramsMap the map of parameters
* @param attrName the parameter name to get the value for
* @return the string value for the given parameter
*/
}
}
return attrVal;
}
/**
* Gets the extensions list for the sp entity.
*
* @param entityID the entity ID to get the extensions list for
* @param realm the realm that the entity is configured in
* @return a List of the extensions for the sso request
*/
try {
ed.getExtensions();
}
}
} catch (SAML2Exception e) {
"EntityDescriptor");
}
return extensionsList;
}
}
return extensions;
}
/**
* Gets the Relay State ID for the request.
*
* @param relayState the relay state
* @param requestID the request id
* @return the relay state id
*/
if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
// sessionExpireTime is counted in seconds
// Need to make the key unique due to the requestID also being used to
// store a copy of the AuthnRequestInfo
try {
+ key);
}
} catch (SAML2TokenRepositoryException se) {
}
}
return requestID;
}
/* Creates RequestedAuthnContext Object */
Map spConfigMap) {
}
}
try {
reqCtx =
} catch (SAML2Exception e) {
"RequestedAuthnContext",e);
}
}
return reqCtx;
}
/**
* Signs the query string.
*
* @param queryString the query string
* @param certAlias the certificate alias
* @return the signed query string
* @throws SAML2Exception if the query string cannot be signed
*/
throws SAML2Exception {
+ queryString);
+ certAlias);
}
}
/**
* Sign an authentication request.
*
* @param certAlias the certificate alias
* @param authnRequest the authentication request to sign
* @throws SAML2Exception if the authentication request cannot be signed
*/
"Unable to get a key provider instance.");
"nullKeyProvider"));
}
}
}