<%--
DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
The contents of this file are subject to the terms
of the Common Development and Distribution License
(the License). You may not use this file except in
compliance with the License.
You can obtain a copy of the License at
See the License for the specific language governing
permission and limitations under the License.
When distributing Covered Code, include this CDDL
Header Notice in each file and include the License file
If applicable, add the following below the CDDL Header,
with the fields enclosed by brackets [] replaced by
your own identifying information:
"Portions Copyrighted [year] [name of copyright owner]"
$Id: spSSOInit.jsp,v 1.11 2009/06/24 23:05:30 mrudulahg Exp $
Portions Copyright 2013-2016 ForgeRock AS.
--%>
<%@ page import="com.sun.identity.saml.common.SAMLUtils" %>
<%@ page import="com.sun.identity.saml2.common.SAML2Exception" %>
<%@ page import="com.sun.identity.saml2.common.SAML2Utils" %>
<%@ page import="com.sun.identity.saml2.meta.SAML2MetaUtils" %>
<%@ page import="com.sun.identity.saml2.profile.SPCache" %>
<%@ page import="com.sun.identity.saml2.profile.SPSSOFederate" %>
<%@ page import="java.util.Map" %>
<%@ page import="org.forgerock.guice.core.InjectorHolder" %>
<%@ page import="org.forgerock.openam.audit.AuditEventPublisher" %>
<%@ page import="org.forgerock.openam.saml2.audit.SAML2Auditor" %>
<%@ page import="org.forgerock.openam.audit.AuditEventFactory" %>
<%--
spssoinit.jsp initiates the Single Sign-On at the Service Provider.
Following are the list of supported query parameters :
Required parameters to this jsp are :
Query Parameter Name Description
1. metaAlias MetaAlias for Service Provider. The format of
this parameter is /realm_name/SP name.
2. idpEntityID Identifier for Identity Provider
Optional Query Parameters :
Query Parameter Name Description
3. RelayState Target URL on successful complete of SSO/Federation
4. RelayStateAlias Specify the parameter(s) to use as the RelayState.
e.g. if the request URL has :
then the TARGET query parameter will be interpreted as
RelayState and on successful completion of
SSO/Federation user will be redirected to the TARGET URL.
5. NameIDFormat NameIDPolicy format Identifier Value.
For example,
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
6. binding URI value that identifies a SAML protocol binding to
used when returning the Response message.
The supported values are :
HTTP-Artifact
HTTP-POST
7. AssertionConsumerServiceIndex
An integer number indicating the location
to which the Response message should be returned to
the requester.
8. AttributeConsumingServiceIndex
Indirectly specifies information associated
with the requester describing the SAML attributes
the requester desires or requires to be supplied
by the IDP in the generated Response message.
Note: This parameter may not be supported for
this release.
9. isPassive true or false value indicating whether the IDP
should authenticate passively.
10. ForceAuthn true or false value indicating if IDP must
force authentication OR false if IDP can rely on
reusing existing security contexts.
true - force authentication
11.AllowCreate Value indicates if IDP is allowed to created a new
identifier for the principal if it does not exist.
Value of this parameter can be true OR false.
true - IDP can dynamically create user.
12.Destination A URI Reference indicating the address to which the
request has been sent.
13.AuthnContextDeclRef Specifies the AuthnContext Declaration Reference.
The value is a pipe separated value with multiple
references.
14.AuthnContextClassRef Specifies the AuthnContext Class References.
The value is a pipe separated value with multiple
references.
15 AuthLevel The Authentication Level of the Authentication
Context to use for Authentication.
16.AuthComparison The comparison method used to evaluate the
requested context classes or statements.
Allowed values are :
exact
minimum
maximum
better
17.Consent Specifies a URI a SAML defined identifier
known as Consent Identifiers.These are defined in
the SAML 2 Assertions and Protocols Document.
Note: This parameter may not be supported for
this release.
18.reqBinding URI value that identifies a SAML protocol binding to
used when sending the AuthnRequest.
The supported values are :
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
19.affiliationID affiliation entity ID
20.sunamcompositeadvice URLEncoded XML blob that specifies auth level
advice. Here is an example of the xml blob:
<Advice>
<AttributeValuePair>
<Attribute name="AuthLevelConditionAdvice"/>
<Value>/:1</Value>
</AttributeValuePair>
</Advice>
In this advice, the requested auth level is 1.
Note: The ":" before auth level 1 is a must.
21.includeRequestedAuthnContext boolean flag to indicate if the authentication request should include the
Requested Authentication Context element. True by default.
--%>
<%
AuditEventPublisher aep = InjectorHolder.getInstance(AuditEventPublisher.class);
AuditEventFactory aef = InjectorHolder.getInstance(AuditEventFactory.class);
SAML2Auditor saml2Auditor = new SAML2Auditor(aep, aef, request);
saml2Auditor.setMethod("spSSOInit");
// Retrieve the Request Query Parameters
// metaAlias and idpEntiyID are the required query parameters
// metaAlias - Service Provider Entity Id
// idpEntityID - Identity Provider Identifier
// Query parameters supported will be documented.
String idpEntityID = null;
String metaAlias= null;
Map paramsMap = null;
try {
String reqID = request.getParameter("requestID");
if (reqID != null) {
//get the preferred idp
idpEntityID = SAML2Utils.getPreferredIDP(request);
paramsMap = (Map)SPCache.reqParamHash.get(reqID);
metaAlias = (String) paramsMap.get("metaAlias");
saml2Auditor.setRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
SPCache.reqParamHash.remove(reqID);
} else {
// this is an original request check
// get the metaAlias ,idpEntityID
// if idpEntityID is null redirect to IDP Discovery
// Service to retrieve.
metaAlias = request.getParameter("metaAlias");
saml2Auditor.setRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
if ((metaAlias == null) || (metaAlias.length() == 0)) {
SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST, "nullSPEntityID",
SAML2Utils.bundle.getString("nullSPEntityID"));
SAML2Utils.bundle.getString("nullSPEntityID"));
return;
}
idpEntityID = request.getParameter("idpEntityID");
paramsMap = SAML2Utils.getParamsMap(request);
if ((idpEntityID == null) || (idpEntityID.length() == 0)) {
// get reader url
String readerURL = SAML2Utils.getReaderURL(metaAlias);
if (readerURL != null) {
String rID = SAML2Utils.generateID();
String redirectURL = SAML2Utils.getRedirectURL(readerURL, rID, request);
if (redirectURL != null) {
paramsMap.put("metaAlias", metaAlias);
SPCache.reqParamHash.put(rID, paramsMap);
response.sendRedirect(redirectURL);
return;
}
}
}
}
if ((idpEntityID == null) || (idpEntityID.length() == 0)) {
SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST, "nullIDPEntityID",
SAML2Utils.bundle.getString("nullIDPEntityID"));
SAML2Utils.bundle.getString("nullIDPEntityID"));
return;
}
// get the parameters and put it in a map.
SPSSOFederate.initiateAuthnRequest(request, response, metaAlias, idpEntityID, paramsMap, saml2Auditor);
} catch (SAML2Exception sse) {
SAML2Utils.debug.error("Error sending AuthnRequest " , sse);
SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST, "requestProcessingError",
SAML2Utils.bundle.getString("requestProcessingError") + " " + sse.getMessage());
SAML2Utils.bundle.getString("requestProcessingError"));
return;
} catch (Exception e) {
SAML2Utils.debug.error("Error processing Request ",e);
SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST, "requestProcessingError",
SAML2Utils.bundle.getString("requestProcessingError") + " " +
e.getMessage());
SAML2Utils.bundle.getString("requestProcessingError"));
return;
}
%>