idpSSOInit.jsp revision 29c224f7ddc9f659d7d6b87b68c08ef8a8833804
51e09bf791b4d3a6fd76f752df3f47d05ef6becdMichael Sawyer<%--
499b34cea04a46823d003d4c0520c8b03e8513cbBrian Wellington DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence
51e09bf791b4d3a6fd76f752df3f47d05ef6becdMichael Sawyer Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
51e09bf791b4d3a6fd76f752df3f47d05ef6becdMichael Sawyer
51e09bf791b4d3a6fd76f752df3f47d05ef6becdMichael Sawyer The contents of this file are subject to the terms
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence of the Common Development and Distribution License
15a44745412679c30a6d022733925af70a38b715David Lawrence (the License). You may not use this file except in
15a44745412679c30a6d022733925af70a38b715David Lawrence compliance with the License.
15a44745412679c30a6d022733925af70a38b715David Lawrence
15a44745412679c30a6d022733925af70a38b715David Lawrence You can obtain a copy of the License at
15a44745412679c30a6d022733925af70a38b715David Lawrence https://opensso.dev.java.net/public/CDDLv1.0.html or
15a44745412679c30a6d022733925af70a38b715David Lawrence opensso/legal/CDDLv1.0.txt
15a44745412679c30a6d022733925af70a38b715David Lawrence See the License for the specific language governing
15a44745412679c30a6d022733925af70a38b715David Lawrence permission and limitations under the License.
51e09bf791b4d3a6fd76f752df3f47d05ef6becdMichael Sawyer
51e09bf791b4d3a6fd76f752df3f47d05ef6becdMichael Sawyer When distributing Covered Code, include this CDDL
922a15c7c07b876c7ca1dbfa871da86ddaae8d4dDanny Mayer Header Notice in each file and include the License file
51e09bf791b4d3a6fd76f752df3f47d05ef6becdMichael Sawyer at opensso/legal/CDDLv1.0.txt.
51e09bf791b4d3a6fd76f752df3f47d05ef6becdMichael Sawyer If applicable, add the following below the CDDL Header,
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington with the fields enclosed by brackets [] replaced by
8af0b86ade4c15a7db207bd7643f8a9f6cb5a648David Lawrence your own identifying information:
8af0b86ade4c15a7db207bd7643f8a9f6cb5a648David Lawrence "Portions Copyrighted [year] [name of copyright owner]"
8af0b86ade4c15a7db207bd7643f8a9f6cb5a648David Lawrence
8af0b86ade4c15a7db207bd7643f8a9f6cb5a648David Lawrence $Id: idpSSOInit.jsp,v 1.9 2009/06/24 23:05:30 mrudulahg Exp $
8af0b86ade4c15a7db207bd7643f8a9f6cb5a648David Lawrence
8af0b86ade4c15a7db207bd7643f8a9f6cb5a648David Lawrence Portions Copyrighted 2013-2016 ForgeRock AS.
8af0b86ade4c15a7db207bd7643f8a9f6cb5a648David Lawrence--%>
9e72582b8ebdbc27af7bce9ebdd9be7b97b259b8Brian Wellington
7b19817cb8128b75df04d7eacaa93002bbf877b1Michael Sawyer<%@ page import="com.sun.identity.saml.common.SAMLUtils" %>
c9defbf4b968e8a61f391246431ac63d0d6a39abMichael Sawyer<%@ page import="com.sun.identity.saml2.common.SAML2Constants" %>
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington<%@ page import="com.sun.identity.saml2.common.SAML2Exception" %>
7b19817cb8128b75df04d7eacaa93002bbf877b1Michael Sawyer<%@ page import="com.sun.identity.saml2.common.SAML2Utils" %>
9e72582b8ebdbc27af7bce9ebdd9be7b97b259b8Brian Wellington<%@ page import="com.sun.identity.saml2.meta.SAML2MetaUtils" %>
c9defbf4b968e8a61f391246431ac63d0d6a39abMichael Sawyer<%@ page import="com.sun.identity.saml2.profile.IDPSSOUtil" %>
51e09bf791b4d3a6fd76f752df3f47d05ef6becdMichael Sawyer<%@ page import="java.io.PrintWriter" %>
51e09bf791b4d3a6fd76f752df3f47d05ef6becdMichael Sawyer<%@ page import="org.forgerock.guice.core.InjectorHolder" %>
c9defbf4b968e8a61f391246431ac63d0d6a39abMichael Sawyer<%@ page import="org.forgerock.openam.audit.AuditEventPublisher" %>
c9defbf4b968e8a61f391246431ac63d0d6a39abMichael Sawyer<%@ page import="org.forgerock.openam.saml2.audit.SAML2Auditor" %>
517950ae99fa271b034a5cfec1c9fbb62696f975Mark Andrews<%@ page import="org.forgerock.openam.audit.AuditEventFactory" %>
51e09bf791b4d3a6fd76f752df3f47d05ef6becdMichael Sawyer
c9defbf4b968e8a61f391246431ac63d0d6a39abMichael Sawyer<%--
51e09bf791b4d3a6fd76f752df3f47d05ef6becdMichael Sawyer idpssoinit.jsp initiates Unsolicited SSO at the Identity Provider.
7b19817cb8128b75df04d7eacaa93002bbf877b1Michael Sawyer
c9defbf4b968e8a61f391246431ac63d0d6a39abMichael Sawyer Following are the list of supported query parameters :
51e09bf791b4d3a6fd76f752df3f47d05ef6becdMichael Sawyer
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington Required parameters to this jsp are :
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington Query Parameter Name Description
e4bd5f690729e93a624ab82b69bfe4d9ccac3a64Brian Wellington
668f8d91db59f4dd89a0b54206f87879354339f5Brian Wellington 1. metaAlias MetaAlias for Identity Provider. The format of
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington this parameter is /realm_name/IDP name.
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington 2. spEntityID Identifier for Service Provider.
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington Optional Query Parameters :
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington Query Parameter Name Description
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington 3. RelayState Target URL on successful complete of SSO/Federation
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington 4. RelayStateAlias Specify the parameter(s) to use as the RelayState.
9a68d61341cbe7a953d437cb6e607dea587f6bc3Brian Wellington e.g. if the request URL has :
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington ?TARGET=http://server:port/uri&RelayStateAlias=TARGET
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington then the TARGET query parameter will be interpreted as
81dcbe87a7d6ae6fe3228bc183a8b726853dc87cBrian Wellington RelayState and on successful completion of
cbc6e835978507c5243ceb0a2afca03943c7df64Brian Wellington SSO/Federation user will be redirected to the TARGET URL.
81dcbe87a7d6ae6fe3228bc183a8b726853dc87cBrian Wellington
703e1c0bb66f3cd3d300358ca0c1fdf3cb5fb1c5Brian Wellington
703e1c0bb66f3cd3d300358ca0c1fdf3cb5fb1c5Brian Wellington 5. NameIDFormat NameID format Identifier Value.
703e1c0bb66f3cd3d300358ca0c1fdf3cb5fb1c5Brian Wellington For example,
703e1c0bb66f3cd3d300358ca0c1fdf3cb5fb1c5Brian Wellington urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
703e1c0bb66f3cd3d300358ca0c1fdf3cb5fb1c5Brian Wellington urn:oasis:names:tc:SAML:2.0:nameid-format:transient
703e1c0bb66f3cd3d300358ca0c1fdf3cb5fb1c5Brian Wellington
703e1c0bb66f3cd3d300358ca0c1fdf3cb5fb1c5Brian Wellington 6. binding URI value that identifies a SAML protocol binding to
703e1c0bb66f3cd3d300358ca0c1fdf3cb5fb1c5Brian Wellington used when returning the Response message.
922a15c7c07b876c7ca1dbfa871da86ddaae8d4dDanny Mayer The supported values are :
922a15c7c07b876c7ca1dbfa871da86ddaae8d4dDanny Mayer HTTP-Artifact
703e1c0bb66f3cd3d300358ca0c1fdf3cb5fb1c5Brian Wellington HTTP-POST
703e1c0bb66f3cd3d300358ca0c1fdf3cb5fb1c5Brian Wellington
922a15c7c07b876c7ca1dbfa871da86ddaae8d4dDanny Mayer NOTE: There are other SAML defined values for these
703e1c0bb66f3cd3d300358ca0c1fdf3cb5fb1c5Brian Wellington which are not supported by FM/AM.
389ec663f262cc219e986d6600eec9707ef2cb24Brian Wellington 7. affiliationID affiliation entity ID
f6b507b4c94e39d852fecc1a3140c220ede3d3ecAndreas Gustafsson--%>
62bdc8a738a26f3a427691cde39e0d9e9e38e458Michael Sawyer<%
51e09bf791b4d3a6fd76f752df3f47d05ef6becdMichael Sawyer AuditEventPublisher aep = InjectorHolder.getInstance(AuditEventPublisher.class);
3b7ddac82abc190861f663beb5b890d110e9010dBrian Wellington AuditEventFactory aef = InjectorHolder.getInstance(AuditEventFactory.class);
62bdc8a738a26f3a427691cde39e0d9e9e38e458Michael Sawyer SAML2Auditor saml2Auditor = new SAML2Auditor(aep, aef, request);
62bdc8a738a26f3a427691cde39e0d9e9e38e458Michael Sawyer saml2Auditor.setMethod("idpSSOInit");
62bdc8a738a26f3a427691cde39e0d9e9e38e458Michael Sawyer saml2Auditor.setSessionTrackingId(session.getId());
51e09bf791b4d3a6fd76f752df3f47d05ef6becdMichael Sawyer saml2Auditor.auditAccessAttempt();
8af0b86ade4c15a7db207bd7643f8a9f6cb5a648David Lawrence // Retrieve the Request Query Parameters
51e09bf791b4d3a6fd76f752df3f47d05ef6becdMichael Sawyer // metaAlias and spEntiyID are the required query parameters
54b9dc7739090bf3f3822f9852c48bcbe24492fbBrian Wellington // metaAlias - Identity Provider Entity Id
54b9dc7739090bf3f3822f9852c48bcbe24492fbBrian Wellington // spEntityID - Service Provider Identifier
51e09bf791b4d3a6fd76f752df3f47d05ef6becdMichael Sawyer
51e09bf791b4d3a6fd76f752df3f47d05ef6becdMichael Sawyer try {
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington String cachedResID = request.getParameter(SAML2Constants.RES_INFO_ID);
96a6f4c77f357ec5a88bfa646fea659a43d84daeBrian Wellington // if this id is set, then this is a redirect from the COT
7ba05518c7ee2f38cd9eedbafb43cf6e7db76aefBrian Wellington // cookie writer. There is already an assertion response
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington // cached in this provider. Send it back directly.
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington if ((cachedResID != null) && (cachedResID.length() != 0)) {
835658d2bee884e0ac619ee4519172050dee3800Brian Wellington IDPSSOUtil.sendResponse(request, response, new PrintWriter(out, true), cachedResID);
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington return;
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington }
9e72582b8ebdbc27af7bce9ebdd9be7b97b259b8Brian Wellington
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington String metaAlias = request.getParameter("metaAlias");
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington saml2Auditor.setRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington if ((metaAlias == null) || (metaAlias.length() == 0)) {
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington SAMLUtils.sendError(
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington request, response, response.SC_BAD_REQUEST, "nullIDPEntityID",
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington SAML2Utils.bundle.getString("nullIDPEntityID"));
95e47f45521ffbf194b377882cf1bcae51b7baceBrian Wellington saml2Auditor.auditAccessFailure(String.valueOf(response.SC_BAD_REQUEST),
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington SAML2Utils.bundle.getString("nullSPEntityID"));
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington return;
54b9dc7739090bf3f3822f9852c48bcbe24492fbBrian Wellington }
54b9dc7739090bf3f3822f9852c48bcbe24492fbBrian Wellington String spEntityID = request.getParameter("spEntityID");
54b9dc7739090bf3f3822f9852c48bcbe24492fbBrian Wellington
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington if ((spEntityID == null) || (spEntityID.length() == 0)) {
81dcbe87a7d6ae6fe3228bc183a8b726853dc87cBrian Wellington SAMLUtils.sendError(
81dcbe87a7d6ae6fe3228bc183a8b726853dc87cBrian Wellington request, response, response.SC_BAD_REQUEST, "nullSPEntityID",
54b9dc7739090bf3f3822f9852c48bcbe24492fbBrian Wellington SAML2Utils.bundle.getString("nullSPEntityID"));
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington saml2Auditor.auditAccessFailure(String.valueOf(response.SC_BAD_REQUEST),
54b9dc7739090bf3f3822f9852c48bcbe24492fbBrian Wellington SAML2Utils.bundle.getString("nullSPEntityID"));
54b9dc7739090bf3f3822f9852c48bcbe24492fbBrian Wellington return;
9785f602c81189f0b8346c5bcad85d8a7f763bfaMark Andrews }
9a68d61341cbe7a953d437cb6e607dea587f6bc3Brian Wellington
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington // get the nameIDPolicy
dbc41c829031c1ba7a4bade35b10474fab02b0a1Brian Wellington String nameIDFormat = request.getParameter(SAML2Constants.NAMEID_POLICY_FORMAT);
517950ae99fa271b034a5cfec1c9fbb62696f975Mark Andrews String relayState = SAML2Utils.getRelayState(request);
6417ba84400fcae1bd92e66c992e4641b515d8daAndreas Gustafsson IDPSSOUtil.doSSOFederate(request, response, new PrintWriter(out, true), null, spEntityID, metaAlias,
09de21079e902c7356d936ef4f2a31060b36e5f3Brian Wellington nameIDFormat, relayState, saml2Auditor);
45847c3039e0fbeeabc43dc381772acdb59f8fc0Danny Mayer saml2Auditor.auditAccessSuccess();
6d88b27c89d4d720010d5f8932bcb18b89877cb1Brian Wellington } catch (SAML2Exception sse) {
ea32d34e58cc4f6104004d06fa35367e580b8103Brian Wellington SAML2Utils.debug.error("Error processing request " , sse);
54b9dc7739090bf3f3822f9852c48bcbe24492fbBrian Wellington SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
54b9dc7739090bf3f3822f9852c48bcbe24492fbBrian Wellington "requestProcessingError",
54b9dc7739090bf3f3822f9852c48bcbe24492fbBrian Wellington SAML2Utils.bundle.getString("requestProcessingError") + " " +
54b9dc7739090bf3f3822f9852c48bcbe24492fbBrian Wellington sse.getMessage());
54b9dc7739090bf3f3822f9852c48bcbe24492fbBrian Wellington saml2Auditor.auditAccessFailure(String.valueOf(response.SC_BAD_REQUEST),
a64c84272dbd7dc490f276ef58e0441ed40f1e26David Lawrence SAML2Utils.bundle.getString("requestProcessingError"));
9785f602c81189f0b8346c5bcad85d8a7f763bfaMark Andrews return;
9785f602c81189f0b8346c5bcad85d8a7f763bfaMark Andrews } catch (Exception e) {
51e09bf791b4d3a6fd76f752df3f47d05ef6becdMichael Sawyer SAML2Utils.debug.error("Error processing request ",e);
a64c84272dbd7dc490f276ef58e0441ed40f1e26David Lawrence SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
a64c84272dbd7dc490f276ef58e0441ed40f1e26David Lawrence "requestProcessingError",
a64c84272dbd7dc490f276ef58e0441ed40f1e26David Lawrence SAML2Utils.bundle.getString("requestProcessingError") + " " +
a64c84272dbd7dc490f276ef58e0441ed40f1e26David Lawrence e.getMessage());
51e09bf791b4d3a6fd76f752df3f47d05ef6becdMichael Sawyer saml2Auditor.auditAccessFailure(String.valueOf(response.SC_BAD_REQUEST),
51e09bf791b4d3a6fd76f752df3f47d05ef6becdMichael Sawyer SAML2Utils.bundle.getString("requestProcessingError"));
51e09bf791b4d3a6fd76f752df3f47d05ef6becdMichael Sawyer return;
51e09bf791b4d3a6fd76f752df3f47d05ef6becdMichael Sawyer }
51e09bf791b4d3a6fd76f752df3f47d05ef6becdMichael Sawyer%>
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence