/**
* Read the list of supported IDPs that the SP sent and determine if the chosen IdP is supported.
* Request = opensaml ECP request header.
*
* @param header
* @return
*/
public URL determineIdP(Header header, IDPEntry idpEntry) {
IDPList idpList = null;
List<XMLObject> list = header.getUnknownXMLObjects();
for (XMLObject xmlObject : list) {
if (xmlObject.getElementQName().equals(Request.DEFAULT_ELEMENT_NAME)) {
idpList = ((Request) xmlObject).getIDPList();
}
}
// If the list from the SP contains the same entry that
// was chosen by the client...
if (idpList != null) {
for (IDPEntry spIdpEntry : idpList.getIDPEntrys()) {
if (spIdpEntry.getName() != null
&& spIdpEntry.getLoc() != null
&& idpEntry.getProviderID() != null)
if (spIdpEntry.getName().equals(idpEntry.getName()))
if (spIdpEntry.getLoc().equals(idpEntry.getLoc()))
if (spIdpEntry.getProviderID().equals(idpEntry.getProviderID()))
return getURL(spIdpEntry.getLoc());
}
}
return null;
}
/**
* Return a SOAP Envelope Body that contains the Response the IdP sent, if there is one.
*
* <p>Returns null if the IdP returned no response at all. Nothing.
*
* @return
*/
private Body getResponseBody(
ExchangeContent spContent, IDPEntry idpEntry, PaosClient paosClient, ClientOptions options) {
String spAssertionConsumerURL = "";
ExchangeContent idpContent = null;
Envelope idpEnvelope = null;
URL idpURL = null;
// Extract idplist from authnrequest and check if the SP supports
// the one that was chosen. If not, complain.
idpURL = determineIdP(spContent.getResponseParts().getHeader(), idpEntry);
spAssertionConsumerURL =
ExtractField.extractAssertionConsumerURL(spContent.getResponseParts().getHeader());
// If no matching idp was found from the list the SP sent...
if (idpURL == null) {
logger.info("The SP did not indicate support for the chosen IdP.");
idpURL = getURL(idpEntry.getLoc()); // Get an assertion from the IdP
// and let the SP trust an
// unknown IdP.
}
// Create the envelope with the AuthnRequest that will be sent to the
// IdP
idpEnvelope = EnvelopeCreator.createIdpEnvelope(spContent.getResponseParts());
// Get the Assertion from the IdP (send AuthnRequest to IdP)
idpContent = getAssertion(paosClient, idpEnvelope, idpURL, options);
// If the IdP sent back anything at all as a response:
if (idpContent != null) {
// Check assertionConsumerURL. If it does not match, send a SOAP
// fault to the SP/endpoint
if (consumerUrlsMatch(idpContent, spAssertionConsumerURL)) {
return idpContent.getResponseParts().getBody();
} else {
logger.debug("AssertionConsumerURLs from AuthnRequest and Response did not match.");
logger.debug("Returning a SOAP fault message to the endpoint.");
return EnvelopeCreator.createSoapFaultBody("AssertionConsumerURLs did not match.");
}
} // else the paosclient has complained about this.
return null;
}
