spSSOInit.jsp revision 29c224f7ddc9f659d7d6b87b68c08ef8a8833804
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy<%--
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy The contents of this file are subject to the terms
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy of the Common Development and Distribution License
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy (the License). You may not use this file except in
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy compliance with the License.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy You can obtain a copy of the License at
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy https://opensso.dev.java.net/public/CDDLv1.0.html or
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy opensso/legal/CDDLv1.0.txt
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy See the License for the specific language governing
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy permission and limitations under the License.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy When distributing Covered Code, include this CDDL
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy Header Notice in each file and include the License file
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy at opensso/legal/CDDLv1.0.txt.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy If applicable, add the following below the CDDL Header,
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy with the fields enclosed by brackets [] replaced by
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy your own identifying information:
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy "Portions Copyrighted [year] [name of copyright owner]"
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy $Id: spSSOInit.jsp,v 1.11 2009/06/24 23:05:30 mrudulahg Exp $
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy
4b5c8e93cab28d3c65ba9d407fd8f46e3be1db1cMatthew Ahrens Portions Copyright 2013-2016 ForgeRock AS.
4b5c8e93cab28d3c65ba9d407fd8f46e3be1db1cMatthew Ahrens--%>
1d32ba663e202c24a5a1f2e5aef83fffb447cb7fJohn Wren Kennedy
4b5c8e93cab28d3c65ba9d407fd8f46e3be1db1cMatthew Ahrens<%@ page import="com.sun.identity.saml.common.SAMLUtils" %>
4b5c8e93cab28d3c65ba9d407fd8f46e3be1db1cMatthew Ahrens<%@ page import="com.sun.identity.saml2.common.SAML2Exception" %>
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy<%@ page import="com.sun.identity.saml2.common.SAML2Utils" %>
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy<%@ page import="com.sun.identity.saml2.meta.SAML2MetaUtils" %>
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy<%@ page import="com.sun.identity.saml2.profile.SPCache" %>
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy<%@ page import="com.sun.identity.saml2.profile.SPSSOFederate" %>
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy<%@ page import="java.util.Map" %>
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy<%@ page import="org.forgerock.guice.core.InjectorHolder" %>
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy<%@ page import="org.forgerock.openam.audit.AuditEventPublisher" %>
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy<%@ page import="org.forgerock.openam.saml2.audit.SAML2Auditor" %>
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy<%@ page import="org.forgerock.openam.audit.AuditEventFactory" %>
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy<%--
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy spssoinit.jsp initiates the Single Sign-On at the Service Provider.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy Following are the list of supported query parameters :
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy Required parameters to this jsp are :
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy Query Parameter Name Description
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy
1d32ba663e202c24a5a1f2e5aef83fffb447cb7fJohn Wren Kennedy 1. metaAlias MetaAlias for Service Provider. The format of
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy this parameter is /realm_name/SP name.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy
1d32ba663e202c24a5a1f2e5aef83fffb447cb7fJohn Wren Kennedy 2. idpEntityID Identifier for Identity Provider
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy Optional Query Parameters :
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy Query Parameter Name Description
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy 3. RelayState Target URL on successful complete of SSO/Federation
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy 4. RelayStateAlias Specify the parameter(s) to use as the RelayState.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy e.g. if the request URL has :
1d32ba663e202c24a5a1f2e5aef83fffb447cb7fJohn Wren Kennedy ?TARGET=http://server:port/uri&RelayStateAlias=TARGET
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy then the TARGET query parameter will be interpreted as
1d32ba663e202c24a5a1f2e5aef83fffb447cb7fJohn Wren Kennedy RelayState and on successful completion of
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy SSO/Federation user will be redirected to the TARGET URL.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy 5. NameIDFormat NameIDPolicy format Identifier Value.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy For example,
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy urn:oasis:names:tc:SAML:2.0:nameid-format:transient
1d32ba663e202c24a5a1f2e5aef83fffb447cb7fJohn Wren Kennedy
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy 6. binding URI value that identifies a SAML protocol binding to
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy used when returning the Response message.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy The supported values are :
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy HTTP-Artifact
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy HTTP-POST
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy 7. AssertionConsumerServiceIndex
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy An integer number indicating the location
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy to which the Response message should be returned to
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy the requester.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy
1d32ba663e202c24a5a1f2e5aef83fffb447cb7fJohn Wren Kennedy 8. AttributeConsumingServiceIndex
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy Indirectly specifies information associated
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy with the requester describing the SAML attributes
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy the requester desires or requires to be supplied
1d32ba663e202c24a5a1f2e5aef83fffb447cb7fJohn Wren Kennedy by the IDP in the generated Response message.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy Note: This parameter may not be supported for
1d32ba663e202c24a5a1f2e5aef83fffb447cb7fJohn Wren Kennedy this release.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy
1d32ba663e202c24a5a1f2e5aef83fffb447cb7fJohn Wren Kennedy 9. isPassive true or false value indicating whether the IDP
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy should authenticate passively.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy 10. ForceAuthn true or false value indicating if IDP must
force authentication OR false if IDP can rely on
reusing existing security contexts.
true - force authentication
11.AllowCreate Value indicates if IDP is allowed to created a new
identifier for the principal if it does not exist.
Value of this parameter can be true OR false.
true - IDP can dynamically create user.
12.Destination A URI Reference indicating the address to which the
request has been sent.
13.AuthnContextDeclRef Specifies the AuthnContext Declaration Reference.
The value is a pipe separated value with multiple
references.
14.AuthnContextClassRef Specifies the AuthnContext Class References.
The value is a pipe separated value with multiple
references.
15 AuthLevel The Authentication Level of the Authentication
Context to use for Authentication.
16.AuthComparison The comparison method used to evaluate the
requested context classes or statements.
Allowed values are :
exact
minimum
maximum
better
17.Consent Specifies a URI a SAML defined identifier
known as Consent Identifiers.These are defined in
the SAML 2 Assertions and Protocols Document.
Note: This parameter may not be supported for
this release.
18.reqBinding URI value that identifies a SAML protocol binding to
used when sending the AuthnRequest.
The supported values are :
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
19.affiliationID affiliation entity ID
20.sunamcompositeadvice URLEncoded XML blob that specifies auth level
advice. Here is an example of the xml blob:
<Advice>
<AttributeValuePair>
<Attribute name="AuthLevelConditionAdvice"/>
<Value>/:1</Value>
</AttributeValuePair>
</Advice>
In this advice, the requested auth level is 1.
Note: The ":" before auth level 1 is a must.
21.includeRequestedAuthnContext boolean flag to indicate if the authentication request should include the
Requested Authentication Context element. True by default.
--%>
<%
AuditEventPublisher aep = InjectorHolder.getInstance(AuditEventPublisher.class);
AuditEventFactory aef = InjectorHolder.getInstance(AuditEventFactory.class);
SAML2Auditor saml2Auditor = new SAML2Auditor(aep, aef, request);
saml2Auditor.setMethod("spSSOInit");
saml2Auditor.setSessionTrackingId(session.getId());
saml2Auditor.auditAccessAttempt();
// Retrieve the Request Query Parameters
// metaAlias and idpEntiyID are the required query parameters
// metaAlias - Service Provider Entity Id
// idpEntityID - Identity Provider Identifier
// Query parameters supported will be documented.
String idpEntityID = null;
String metaAlias= null;
Map paramsMap = null;
try {
String reqID = request.getParameter("requestID");
if (reqID != null) {
//get the preferred idp
idpEntityID = SAML2Utils.getPreferredIDP(request);
paramsMap = (Map)SPCache.reqParamHash.get(reqID);
metaAlias = (String) paramsMap.get("metaAlias");
saml2Auditor.setRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
SPCache.reqParamHash.remove(reqID);
} else {
// this is an original request check
// get the metaAlias ,idpEntityID
// if idpEntityID is null redirect to IDP Discovery
// Service to retrieve.
metaAlias = request.getParameter("metaAlias");
saml2Auditor.setRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
if ((metaAlias == null) || (metaAlias.length() == 0)) {
SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST, "nullSPEntityID",
SAML2Utils.bundle.getString("nullSPEntityID"));
saml2Auditor.auditAccessFailure(String.valueOf(response.SC_BAD_REQUEST),
SAML2Utils.bundle.getString("nullSPEntityID"));
return;
}
idpEntityID = request.getParameter("idpEntityID");
paramsMap = SAML2Utils.getParamsMap(request);
if ((idpEntityID == null) || (idpEntityID.length() == 0)) {
// get reader url
String readerURL = SAML2Utils.getReaderURL(metaAlias);
if (readerURL != null) {
String rID = SAML2Utils.generateID();
String redirectURL = SAML2Utils.getRedirectURL(readerURL, rID, request);
if (redirectURL != null) {
paramsMap.put("metaAlias", metaAlias);
SPCache.reqParamHash.put(rID, paramsMap);
response.sendRedirect(redirectURL);
return;
}
}
}
}
if ((idpEntityID == null) || (idpEntityID.length() == 0)) {
SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST, "nullIDPEntityID",
SAML2Utils.bundle.getString("nullIDPEntityID"));
saml2Auditor.auditAccessFailure(String.valueOf(response.SC_BAD_REQUEST),
SAML2Utils.bundle.getString("nullIDPEntityID"));
return;
}
// get the parameters and put it in a map.
SPSSOFederate.initiateAuthnRequest(request, response, metaAlias, idpEntityID, paramsMap, saml2Auditor);
saml2Auditor.auditAccessSuccess();
} catch (SAML2Exception sse) {
SAML2Utils.debug.error("Error sending AuthnRequest " , sse);
SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST, "requestProcessingError",
SAML2Utils.bundle.getString("requestProcessingError") + " " + sse.getMessage());
saml2Auditor.auditAccessFailure(String.valueOf(response.SC_BAD_REQUEST),
SAML2Utils.bundle.getString("requestProcessingError"));
return;
} catch (Exception e) {
SAML2Utils.debug.error("Error processing Request ",e);
SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST, "requestProcessingError",
SAML2Utils.bundle.getString("requestProcessingError") + " " +
e.getMessage());
saml2Auditor.auditAccessFailure(String.valueOf(response.SC_BAD_REQUEST),
SAML2Utils.bundle.getString("requestProcessingError"));
return;
}
%>