spMNIRequestInit.jsp revision 0fdab8904a8fe223f6934b878769fe45e7651c60
1df6105803c4c56c020a56301c7c9c4890fd4158mathog DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
1df6105803c4c56c020a56301c7c9c4890fd4158mathog Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
1df6105803c4c56c020a56301c7c9c4890fd4158mathog The contents of this file are subject to the terms
1df6105803c4c56c020a56301c7c9c4890fd4158mathog of the Common Development and Distribution License
1df6105803c4c56c020a56301c7c9c4890fd4158mathog (the License). You may not use this file except in
089baf4cc94d795399ba8edb7c0a7807af901f1dmathog compliance with the License.
1df6105803c4c56c020a56301c7c9c4890fd4158mathog You can obtain a copy of the License at
1df6105803c4c56c020a56301c7c9c4890fd4158mathog See the License for the specific language governing
1df6105803c4c56c020a56301c7c9c4890fd4158mathog permission and limitations under the License.
1df6105803c4c56c020a56301c7c9c4890fd4158mathog When distributing Covered Code, include this CDDL
1df6105803c4c56c020a56301c7c9c4890fd4158mathog Header Notice in each file and include the License file
1df6105803c4c56c020a56301c7c9c4890fd4158mathog If applicable, add the following below the CDDL Header,
1df6105803c4c56c020a56301c7c9c4890fd4158mathog with the fields enclosed by brackets [] replaced by
1df6105803c4c56c020a56301c7c9c4890fd4158mathog your own identifying information:
1df6105803c4c56c020a56301c7c9c4890fd4158mathog "Portions Copyrighted [year] [name of copyright owner]"
1df6105803c4c56c020a56301c7c9c4890fd4158mathog $Id: spMNIRequestInit.jsp,v 1.12 2009/10/15 00:00:41 exu Exp $
1df6105803c4c56c020a56301c7c9c4890fd4158mathog Portions Copyrighted 2013 ForgeRock AS
1df6105803c4c56c020a56301c7c9c4890fd4158mathog<%@ page import="com.sun.identity.federation.common.FSUtils" %>
1df6105803c4c56c020a56301c7c9c4890fd4158mathog<%@ page import="com.sun.identity.saml2.common.SAML2Constants" %>
1df6105803c4c56c020a56301c7c9c4890fd4158mathog<%@ page import="com.sun.identity.saml2.common.SAML2Utils" %>
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog<%@ page import="com.sun.identity.saml.common.SAMLUtils" %>
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog<%@ page import="com.sun.identity.saml2.common.SAML2Exception" %>
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog<%@ page import="com.sun.identity.saml2.meta.SAML2MetaManager" %>
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog<%@ page import="com.sun.identity.saml2.meta.SAML2MetaUtils" %>
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog<%@ page import="com.sun.identity.saml2.profile.DoManageNameID" %>
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog<%@ page import="java.util.HashMap" %>
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog<%@ page import="org.owasp.esapi.ESAPI" %>
1df6105803c4c56c020a56301c7c9c4890fd4158mathog spMNIRequestInit.jsp initiates the ManageNameIDRequest at
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog the Service Provider (the hosted SP entity and realm are resolved from metaAlias, and the request is issued in the SP role).
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog Required parameters to this jsp are :
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog - metaAlias - meta alias of the hosted Service Provider; the hosted entity ID and realm are looked up from it
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog - idpEntityID - identifier for Identity Provider
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog - requestType - the request type of ManageNameIDRequest (Terminate / NewID)
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog Some of the other optional parameters are :
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog - relayState - the target URL to redirect to on successful completion of the request. A value that fails ESAPI query-string validation is discarded and the hosted SP's configured default relay state is used instead; the resulting value is only used as a redirect target after it also passes SAML2Utils.isRelayStateURLValid and ESAPI URL validation (open-redirect guard).
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog Check the SAML2 Documentation for supported parameters.
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog // Retrieve the request query parameters
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog // metaAlias, idpEntityID and requestType are the required query parameters (each is checked for null/empty and SC_BAD_REQUEST is sent if missing; NOTE(review): a missing metaAlias is currently reported with the nullIDPEntityID message key)
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog // metaAlias - meta alias of the hosted SP (resolved to the hosted entity ID and realm)
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog // idpEntityID - Identity Provider identifier
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog // requestType - the request type of ManageNameIDRequest (Terminate / NewID)
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog // affiliationID - (optional) affiliation entity ID, only added to the request parameters when present
1df6105803c4c56c020a56301c7c9c4890fd4158mathog // Query parameters supported will be documented.
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog if (FSUtils.needSetLBCookieAndRedirect(request, response, false)) {
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog String metaAlias = request.getParameter("metaAlias");
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog if ((metaAlias == null) || (metaAlias.length() == 0)) {
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog "nullIDPEntityID",
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog SAML2Utils.bundle.getString("nullIDPEntityID"));
1df6105803c4c56c020a56301c7c9c4890fd4158mathog String idpEntityID = request.getParameter("idpEntityID");
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog if ((idpEntityID == null) || (idpEntityID.length() == 0)) {
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
1df6105803c4c56c020a56301c7c9c4890fd4158mathog "nullIDPEntityID",
1df6105803c4c56c020a56301c7c9c4890fd4158mathog SAML2Utils.bundle.getString("nullIDPEntityID"));
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog String binding = DoManageNameID.getMNIBindingInfo(request, metaAlias,
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog SAML2MetaManager metaManager= new SAML2MetaManager();
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog String hostEntity = metaManager.getEntityByMetaAlias(metaAlias);
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
1df6105803c4c56c020a56301c7c9c4890fd4158mathog realm, hostEntity, SAML2Constants.MNI_SERVICE, binding))
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog "unsupportedBinding",
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog SAML2Utils.bundle.getString("unsupportedBinding"));
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog String requestType = request.getParameter("requestType");
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog if ((requestType == null) || (requestType.length() == 0)) {
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
1df6105803c4c56c020a56301c7c9c4890fd4158mathog "nullRequestType",
1df6105803c4c56c020a56301c7c9c4890fd4158mathog SAML2Utils.bundle.getString("nullRequestType"));
1df6105803c4c56c020a56301c7c9c4890fd4158mathog String relayState = request.getParameter(SAML2Constants.RELAY_STATE);
1df6105803c4c56c020a56301c7c9c4890fd4158mathog if (!ESAPI.validator().isValidInput("HTTP Query String: " + relayState, relayState, "HTTPQueryString", 2000, true)) {
1df6105803c4c56c020a56301c7c9c4890fd4158mathog relayState = null;
1df6105803c4c56c020a56301c7c9c4890fd4158mathog if ((relayState == null) || (relayState.isEmpty())) {
1df6105803c4c56c020a56301c7c9c4890fd4158mathog relayState = SAML2Utils.getAttributeValueFromSSOConfig(
1df6105803c4c56c020a56301c7c9c4890fd4158mathog realm, hostEntity, SAML2Constants.SP_ROLE,
1df6105803c4c56c020a56301c7c9c4890fd4158mathog String affiliationID =
1df6105803c4c56c020a56301c7c9c4890fd4158mathog HashMap paramsMap = new HashMap();
1df6105803c4c56c020a56301c7c9c4890fd4158mathog paramsMap.put("metaAlias", metaAlias);
1df6105803c4c56c020a56301c7c9c4890fd4158mathog paramsMap.put("idpEntityID", idpEntityID);
06517eb74772b7c18a8ab8d703405646d9ec05d3mathog paramsMap.put("requestType", requestType);
1df6105803c4c56c020a56301c7c9c4890fd4158mathog paramsMap.put(SAML2Constants.ROLE, SAML2Constants.SP_ROLE);
1df6105803c4c56c020a56301c7c9c4890fd4158mathog if (relayState != null && !relayState.isEmpty()) {
1df6105803c4c56c020a56301c7c9c4890fd4158mathog paramsMap.put(SAML2Constants.RELAY_STATE, relayState);
1df6105803c4c56c020a56301c7c9c4890fd4158mathog if (affiliationID != null) {
1df6105803c4c56c020a56301c7c9c4890fd4158mathog paramsMap.put(SAML2Constants.AFFILIATION_ID, affiliationID);
1df6105803c4c56c020a56301c7c9c4890fd4158mathog Object sess = SAML2Utils.checkSession(request,response,
1df6105803c4c56c020a56301c7c9c4890fd4158mathog metaAlias, paramsMap);
1df6105803c4c56c020a56301c7c9c4890fd4158mathog if (sess == null) {
1df6105803c4c56c020a56301c7c9c4890fd4158mathog DoManageNameID.initiateManageNameIDRequest(request,response,
1df6105803c4c56c020a56301c7c9c4890fd4158mathog metaAlias, idpEntityID, paramsMap);
1df6105803c4c56c020a56301c7c9c4890fd4158mathog if (relayState != null && !relayState.isEmpty() &&
1df6105803c4c56c020a56301c7c9c4890fd4158mathog SAML2Utils.isRelayStateURLValid(request, relayState, SAML2Constants.SP_ROLE) &&
1df6105803c4c56c020a56301c7c9c4890fd4158mathog ESAPI.validator().isValidInput("HTTP URL Value: " + relayState, relayState, "URL", 2000, true)) {
1df6105803c4c56c020a56301c7c9c4890fd4158mathog <jsp:forward page="/saml2/jsp/default.jsp?message=mniSuccess" />
1df6105803c4c56c020a56301c7c9c4890fd4158mathog } catch (SAML2Exception e) {
1df6105803c4c56c020a56301c7c9c4890fd4158mathog SAML2Utils.debug.error("Error sending ManageNameIDRequest " , e);
1df6105803c4c56c020a56301c7c9c4890fd4158mathog SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,
1df6105803c4c56c020a56301c7c9c4890fd4158mathog "requestProcessingMNIError",
1df6105803c4c56c020a56301c7c9c4890fd4158mathog SAML2Utils.bundle.getString("requestProcessingMNIError") + " " +