a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: WSFederationUtils.java,v 1.6 2009/10/28 23:58:58 exu Exp $
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL * Portions Copyrighted 2015-2016 ForgeRock AS.
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpottsimport static org.forgerock.openam.utils.Time.*;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.multiprotocol.SingleLogoutManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.datastore.DataStoreProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.datastore.DataStoreProviderException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.datastore.DataStoreProviderManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionProvider;
0748565aad6a8878aecb88a26081c9bb10c00279Peter Majorimport com.sun.identity.saml.assertion.NameIdentifier;
0748565aad6a8878aecb88a26081c9bb10c00279Peter Majorimport com.sun.identity.saml2.common.SAML2Constants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Utils;
0748565aad6a8878aecb88a26081c9bb10c00279Peter Majorimport com.sun.identity.wsfederation.jaxb.entityconfig.IDPSSOConfigElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.wsfederation.meta.WSFederationMetaException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.Assertion;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.xmlsig.XMLSignatureManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.common.SAML2Exception;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.xmlsig.SigManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.wsfederation.jaxb.wsfederation.FederationElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.wsfederation.key.KeyUtil;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.wsfederation.logging.LogUtil;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.wsfederation.meta.WSFederationMetaManager;
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTELimport com.sun.identity.wsfederation.meta.WSFederationMetaUtils;
0748565aad6a8878aecb88a26081c9bb10c00279Peter Majorimport com.sun.identity.wsfederation.plugins.IDPAccountMapper;
0748565aad6a8878aecb88a26081c9bb10c00279Peter Majorimport com.sun.identity.wsfederation.plugins.IDPAttributeMapper;
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTELimport com.sun.identity.wsfederation.plugins.whitelist.ValidWReplyExtractor;
0748565aad6a8878aecb88a26081c9bb10c00279Peter Majorimport com.sun.identity.wsfederation.profile.SAML11RequestedSecurityToken;
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTELimport org.forgerock.openam.shared.security.whitelist.RedirectUrlValidator;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Utility methods for WS-Federation implementation.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>Debug</code> instance for use by WS-Federation implementation.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Debug.getInstance(WSFederationConstants.AM_WSFEDERATION);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Resource bundle for the WS-Federation implementation.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster getInstallResourceBundle(WSFederationConstants.BUNDLE_NAME);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Map from wctx parameter to reply URL (wreply).
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static HashMap wctxMap = new HashMap();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static WSFederationMetaManager metaManager = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static SessionProvider sessionProvider = null;
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL private static final RedirectUrlValidator<ValidWReplyExtractor.WSFederationEntityInfo> WREPLY_VALIDATOR =
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL new RedirectUrlValidator<ValidWReplyExtractor.WSFederationEntityInfo>(new ValidWReplyExtractor());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String classMethod = "WSFederationUtils static initializer: ";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.error(classMethod + "DataStoreProviderException : ", dse);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sessionProvider = SessionManager.getProvider();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.error( classMethod + "Error getting SessionProvider.", se);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.error( classMethod + "Error getting meta service.", we);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Private constructor ensures that no instance is ever created.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns an instance of <code>WSFederationMetaManager</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return an instance of <code>WSFederationMetaManager</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static WSFederationMetaManager getMetaManager() {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Extracts the home account realm from the user agent HTTP header.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param uaHeader user agent HTTP header. User agent header must be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * semi-colon separated, of the form <code>Mozilla/4.0 (compatible;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * amWSFederationAccountRealm:Adatum Corp)</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param accountRealmCookieName identifier with which to search user agent
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * HTTP header.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the home account realm name.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static String accountRealmFromUserAgent( String uaHeader,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String classMethod = "WSFederationUtils.accountRealmFromUserAgent";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // UA String is of form "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // amWSFederationAccountRealm:Adatum Corp)"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.warning(classMethod + "Can't find left bracket");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ( rightBracket == -1 || rightBracket < leftBracket ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.warning(classMethod + "Can't find right bracket");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String insideBrackets = uaHeader.substring(leftBracket+1,rightBracket);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.warning(classMethod + "zero length between brackets");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // insideBrackets is of form "compatible; MSIE 6.0; Windows NT 5.1; SV1;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // .NET CLR 1.1.4322; InfoPath.1;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // amWSFederationAccountRealm:Adatum Corp"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Split string on matches of any amount of whitespace surrounding a
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // semicolon
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String uaFields[] = insideBrackets.split("[\\s]*;[\\s]*");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.warning(classMethod + "zero length between brackets");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // uaFields[] is of form {"compatible", "MSIE 6.0", "Windows NT 5.1",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // "SV1", ".NET CLR 1.1.4322", "InfoPath.1",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // "amWSFederationAccountRealm:Adatum Corp"}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ( uaFields[i].indexOf(accountRealmCookieName) != -1 ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Split this field on matches of any amount of whitespace
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // surrounding a colon
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String keyValue[] = uaFields[i].split("[\\s]*:[\\s]*");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ( ! keyValue[0].equals(accountRealmCookieName)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.warning(classMethod + "can't understand " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Put a reply URL in the wctx->wreply map.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param wreply reply URL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return value for WS-Federation context parameter (wctx).
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static String putReplyURL(String wreply) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (wctxMap)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Remove and return a reply URL from the wctx->wreply map.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param wctx WS-Federation context parameter
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return reply URL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static String removeReplyURL(String wctx) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster synchronized (wctxMap)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Determine the validity of the signature on the <code>Assertion</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param assertion SAML 1.1 Assertion
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param realm Realm for the issuer
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param issuer Assertion issuer - used to retrieve certificate for
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * signature validation.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if the signature on the object is valid; false otherwise.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static boolean isSignatureValid(Assertion assertion, String realm,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean valid = false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String signedXMLString = assertion.toString(true,true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster metaManager.getEntityDescriptor(realm, issuer);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster X509Certificate cert = KeyUtil.getVerificationCert(idp, issuer,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster XMLSignatureManager manager = XMLSignatureManager.getInstance();
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings signedXMLString, id, Collections.singleton(cert));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = {LogUtil.isErrorLoggable(Level.FINER) ?
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Determines the timeliness of the assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param assertion SAML 1.1 Assertion
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param timeskew allowed clock skew, in seconds, applied to both bounds
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if the current time is after the Assertion's notBefore time
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * - timeskew AND the current time is before the Assertion's notOnOrAfter
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * time + timeskew
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static boolean isTimeValid(Assertion assertion, int timeskew)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String classMethod = "WSFederationUtils.isTimeValid: ";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Date notOnOrAfter = assertion.getConditions().getNotOnorAfter();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String assertionID = assertion.getAssertionID();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = {LogUtil.isErrorLoggable(Level.FINER) ?
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if ((notOnOrAfter.getTime() + timeskew * 1000) < timeNow ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = {LogUtil.isErrorLoggable(Level.FINER) ?
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Date notBefore = assertion.getConditions().getNotBefore();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = {LogUtil.isErrorLoggable(Level.FINER) ?
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else if ((notBefore.getTime() - timeskew * 1000) > timeNow ) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = {LogUtil.isErrorLoggable(Level.FINER) ?
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return true;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Processes Single Logout across multiple federation protocols.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request HttpServletRequest object.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response HttpServletResponse object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static void processMultiProtocolLogout(HttpServletRequest request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster HttpServletResponse response, Object userSession) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("WSFederationUtils.processMPSingleLogout");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster request.getAttribute(WSFederationConstants.LOGOUT_WREPLY);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster request.getAttribute(WSFederationConstants.REALM_PARAM);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster request.getAttribute(WSFederationConstants.ENTITYID_PARAM);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SessionManager.getProvider().getPrincipalName(userSession);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // assume WS-Federation logout always succeed as there is not
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // logout status from the specification
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SingleLogoutManager manager = SingleLogoutManager.getInstance();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // TODO : find out spEntityID/logout request if any
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster int status = manager.doIDPSingleLogout(sessSet, sessUser,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster request, response, false, true, SingleLogoutManager.WS_FED,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (status != SingleLogoutManager.LOGOUT_REDIRECTED_STATUS) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("WSFederationUtils.processMultiProtocolLogout", ex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("WSFederationUtils.processMultiProtocolLogout", ex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("WSFederationUtils.processMultiProtocolLogout", ex);
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL * Convenience method to validate a WSFederation wreply URL, often called from a JSP.
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL * @param request Used to help establish the realm and hostEntityID.
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL * @param relayState The wreply URL to validate.
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL * @return <code>true</code> if the wreply is valid.
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL public static boolean isWReplyURLValid(HttpServletRequest request, String relayState) {
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL String metaAlias = WSFederationMetaUtils.getMetaAliasByUri(request.getRequestURI());
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL WSFederationMetaManager metaManager = new WSFederationMetaManager();
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL return isWReplyURLValid(metaAlias, relayState, metaManager.getRoleByMetaAlias(metaAlias));
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL return false;
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL * Convenience method to validate a WSFederation wreply URL, often called from a JSP.
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL * @param metaAlias The metaAlias of the hosted entity.
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL * @param wreply The URL to validate.
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL * @param role The role of the caller.
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL * @return <code>true</code> if the wreply is valid.
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL public static boolean isWReplyURLValid(String metaAlias, String wreply, String role) {
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL boolean result = false;
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL String realm = WSFederationMetaUtils.getRealmByMetaAlias(metaAlias);
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL String hostEntityID = WSFederationUtils.getMetaManager().getEntityByMetaAlias(metaAlias);
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL validateWReplyURL(realm, hostEntityID, wreply, role);
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL debug.message("WSFederationUtils.isWReplyURLValid(): wreply " + wreply +
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL " for role " + role + " triggered an exception: " + e.getMessage(), e);
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL debug.message("WSFederationUtils.isWReplyURLValid(): wreply " + wreply +
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL " for role " + role + " was valid? " + result);
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL * Validates the wreply URL against the list of valid wreply
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL * URLs configured for the hosted provider.
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL * @param orgName realm or organization name the provider resides in.
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL * @param hostEntityId Entity ID of the hosted provider.
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL * @param wreply wreply URL.
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL * @param role IDP/SP Role.
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL * @throws WSFederationException if the wreply URL is not valid for the hosted entity, or if the processing failed.
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL // Check for the validity of the RelayState URL.
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL if (!WREPLY_VALIDATOR.isRedirectUrlValid(wreply,
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL ValidWReplyExtractor.WSFederationEntityInfo.from(orgName, hostEntityId, role))) {
3b9ddb3b45c7f1cf575932bfcac2df50f3172f1aQuentin CASTEL throw new WSFederationException(WSFederationUtils.bundle.getString("invalidWReplyUrl"));
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major * Creates a SAML 1.1 token object based on the provided details.
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major * @param realm The realm of the WS-Fed entities
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major * @param idpEntityId The WS-Fed IdP (IP) entity ID.
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major * @param spEntityId The WS-Fed SP (RP) entity ID.
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major * @param session The authenticated session object.
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major * @param spTokenIssuerName The name of the token issuer corresponding to the SP (RP).
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major * @param authMethod The authentication method to specify in the AuthenticationStatement.
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major * @param wantAssertionSigned Whether the assertion should be signed.
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major * @return A SAML1.1 token.
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major * @throws WSFederationException If the IdP configuration cannot be found, if a signed assertion is requested but no signing certificate alias is configured, or if there was another error while creating the SAML1.1 token.
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major public static SAML11RequestedSecurityToken createSAML11Token(String realm, String idpEntityId, String spEntityId,
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major Object session, String spTokenIssuerName, String authMethod, boolean wantAssertionSigned)
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major final IDPSSOConfigElement idpConfig = metaManager.getIDPSSOConfig(realm, idpEntityId);
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major debug.error("Cannot find configuration for IdP " + idpEntityId);
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major throw new WSFederationException(WSFederationUtils.bundle.getString("unableToFindIDPConfiguration"));
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major authSSOInstant = WSFederationUtils.sessionProvider.getProperty(session, SessionProvider.AUTH_INSTANT)[0];
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major IDPAttributeMapper attrMapper = getIDPAttributeMapper(WSFederationMetaUtils.getAttributes(idpConfig));
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major IDPAccountMapper accountMapper = getIDPAccountMapper(WSFederationMetaUtils.getAttributes(idpConfig));
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major List attributes = attrMapper.getAttributes(session, idpEntityId, spEntityId, realm);
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major authInstant = DateUtils.stringToDate(authSSOInstant);
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major NameIdentifier nameIdentifier = accountMapper.getNameID(session, realm, idpEntityId, spEntityId);
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major int notBeforeSkew = WSFederationMetaUtils.getIntAttribute(idpConfig,
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major SAML2Constants.ASSERTION_NOTBEFORE_SKEW_ATTRIBUTE, SAML2Constants.NOTBEFORE_ASSERTION_SKEW_DEFAULT);
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major int effectiveTime = WSFederationMetaUtils.getIntAttribute(idpConfig,
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major SAML2Constants.ASSERTION_EFFECTIVE_TIME_ATTRIBUTE, SAML2Constants.ASSERTION_EFFECTIVE_TIME);
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major String certAlias = WSFederationMetaUtils.getAttribute(idpConfig, SAML2Constants.SIGNING_CERT_ALIAS);
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major // SP wants us to sign the assertion, but we don't have a signing cert
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major debug.error("SP wants signed assertion, but no signing cert is configured");
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major throw new WSFederationException(WSFederationUtils.bundle.getString("noIdPCertAlias"));
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major // SP doesn't want us to sign the assertion, so pass null certAlias to indicate no assertion signature
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major return new SAML11RequestedSecurityToken(realm, spTokenIssuerName, idpEntityId,
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major notBeforeSkew, effectiveTime, certAlias, authMethod, authInstant,
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major private static IDPAccountMapper getIDPAccountMapper(Map<String, List<String>> attributes)
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major List<String> accountMapperList = attributes.get( SAML2Constants.IDP_ACCOUNT_MAPPER);
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major accountMapper = Class.forName(accountMapperList.get(0)).asSubclass(IDPAccountMapper.class)
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major throw new WSFederationException(WSFederationUtils.bundle.getString("failedAcctMapper"));
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major private static IDPAttributeMapper getIDPAttributeMapper(Map<String, List<String>> attributes)
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major List<String> attrMapperList = attributes.get(SAML2Constants.IDP_ATTRIBUTE_MAPPER);
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major attrMapper = Class.forName(attrMapperList.get(0)).asSubclass(IDPAttributeMapper.class).newInstance();
0748565aad6a8878aecb88a26081c9bb10c00279Peter Major throw new WSFederationException(WSFederationUtils.bundle.getString("failedAttrMapper"));