public static String getAuthenticatorIdPMappingString(List<AuthenticatorConfig> authConfigList) {
StringBuilder authenticatorIdPStr = new StringBuilder("");
for (AuthenticatorConfig authConfig : authConfigList) {
StringBuilder idpsOfAuthenticatorStr = new StringBuilder("");
for (String idpName : authConfig.getIdpNames()) {
if (idpName != null) {
if (idpsOfAuthenticatorStr.length() != 0) {
idpsOfAuthenticatorStr.append(":");
}
IdentityProvider idp = authConfig.getIdps().get(idpName);
if (idp.isFederationHub()) {
idpName += ".hub";
}
idpsOfAuthenticatorStr.append(idpName);
}
}
if (authenticatorIdPStr.length() != 0) {
authenticatorIdPStr.append(";");
}
authenticatorIdPStr.append(authConfig.getName()).append(":").append(idpsOfAuthenticatorStr);
}
return authenticatorIdPStr.toString();
}
/** @param identityProvider */
public ExternalIdPConfig(IdentityProvider identityProvider) {
this.identityProvider = identityProvider;
claimConfiguration = identityProvider.getClaimConfig();
roleConfiguration = identityProvider.getPermissionAndRoleConfig();
justInTimeProConfig = identityProvider.getJustInTimeProvisioningConfig();
RoleMapping[] mappings = roleConfiguration.getRoleMappings();
if (mappings != null && mappings.length > 0) {
for (RoleMapping roleMapping : mappings) {
this.roleMappings.put(
roleMapping.getRemoteRole(), roleMapping.getLocalRole().getLocalRoleName());
}
}
}
/**
* Add the default Resident Identity Provider entry when a new tenant is registered.
*
* @param tenantInfo Information about the newly created tenant
*/
public void onTenantCreate(TenantInfoBean tenantInfo) throws StratosException {
try {
String tenantDomain = tenantInfo.getTenantDomain();
IdentityProvider identityProvider = new IdentityProvider();
identityProvider.setIdentityProviderName(
IdentityApplicationConstants.RESIDENT_IDP_RESERVED_NAME);
identityProvider.setHomeRealmId("localhost");
identityProvider.setPrimary(true);
IdentityProviderManager.getInstance().addResidentIdP(identityProvider, tenantDomain);
} catch (IdentityApplicationManagementException e) {
String message =
"Error when adding Resident Identity Provider entry for tenant "
+ tenantInfo.getTenantDomain();
log.error(message, e);
throw new StratosException(message);
}
}
/*
* Find the Subject identifier among federated claims
*/
public static String getFederatedSubjectFromClaims(
IdentityProvider identityProvider, Map<ClaimMapping, String> claimMappings) {
String userIdClaimURI = identityProvider.getClaimConfig().getUserClaimURI();
ClaimMapping claimMapping = new ClaimMapping();
Claim claim = new Claim();
claim.setClaimUri(userIdClaimURI);
claimMapping.setRemoteClaim(claim);
claimMapping.setLocalClaim(claim);
return claimMappings.get(claimMapping);
}
private void removeRandomPasswords(IdentityProvider identityProvider) {
for (ProvisioningConnectorConfig provisioningConnectorConfig :
identityProvider.getProvisioningConnectorConfigs()) {
Property[] properties = provisioningConnectorConfig.getProvisioningProperties();
if (ArrayUtils.isEmpty(properties)) {
continue;
}
properties = RandomPasswordProcessor.getInstance().removeRandomPasswords(properties);
provisioningConnectorConfig.setProvisioningProperties(properties);
}
}
/**
* Adds an Identity Provider to the logged-in tenant
*
* @param identityProvider <code>IdentityProvider</code> new Identity Provider information
* @throws IdentityProviderManagementException Error when adding Identity Provider
*/
public void addIdP(IdentityProvider identityProvider) throws IdentityProviderManagementException {
// The following check is applicable only for the IdPs added from UI/Service call and should not
// be
// applicable for IdPs added from file. hence the check is moved from listener to the service
if (identityProvider != null
&& identityProvider.getIdentityProviderName() != null
&& identityProvider
.getIdentityProviderName()
.startsWith(IdPManagementConstants.SHARED_IDP_PREFIX)) {
throw new IdentityProviderManagementException(
"Identity provider name cannot have "
+ IdPManagementConstants.SHARED_IDP_PREFIX
+ " as prefix.");
}
String tenantDomain = "";
try {
tenantDomain = CarbonContext.getThreadLocalCarbonContext().getTenantDomain();
IdentityProviderManager.getInstance().addIdP(identityProvider, tenantDomain);
} catch (IdentityProviderManagementException idpException) {
log.error(
"Error while adding Identity provider in tenantDomain : " + tenantDomain, idpException);
throw idpException;
}
}
/**
* Validate the signature of a SAML2 Response and Assertion
*
* @param response SAML2 Response
* @return true, if signature is valid.
*/
private void validateSignature(Response response, Assertion assertion) throws SAMLSSOException {
if (SSOUtils.isAuthnResponseSigned(properties)) {
if (identityProvider.getCertificate() == null
|| identityProvider.getCertificate().isEmpty()) {
throw new SAMLSSOException(
"SAMLResponse signing is enabled, but IdP doesn't have a certificate");
}
if (response.getSignature() == null) {
throw new SAMLSSOException(
"SAMLResponse signing is enabled, but signature element "
+ "not found in SAML Response element.");
} else {
try {
X509Credential credential =
new X509CredentialImpl(tenantDomain, identityProvider.getCertificate());
SignatureValidator validator = new SignatureValidator(credential);
validator.validate(response.getSignature());
} catch (ValidationException e) {
throw new SAMLSSOException("Signature validation failed for SAML Response", e);
}
}
}
if (SSOUtils.isAssertionSigningEnabled(properties)) {
if (identityProvider.getCertificate() == null
|| identityProvider.getCertificate().isEmpty()) {
throw new SAMLSSOException(
"SAMLAssertion signing is enabled, but IdP doesn't have a certificate");
}
if (assertion.getSignature() == null) {
throw new SAMLSSOException(
"SAMLAssertion signing is enabled, but signature element "
+ "not found in SAML Assertion element.");
} else {
try {
X509Credential credential =
new X509CredentialImpl(tenantDomain, identityProvider.getCertificate());
SignatureValidator validator = new SignatureValidator(credential);
validator.validate(assertion.getSignature());
} catch (ValidationException e) {
throw new SAMLSSOException("Signature validation failed for SAML Assertion", e);
}
}
}
}
/** @return */
public String getDomain() {
return identityProvider.getHomeRealmId();
}
/** @return */
public String getName() {
return identityProvider.getIdentityProviderName();
}
/** @return */
public boolean isPrimary() {
return identityProvider.isPrimary();
}
/** @return */
public String getPublicCert() {
return identityProvider.getCertificate();
}
/** @return */
public String getUserIdClaimUri() {
if (identityProvider.getClaimConfig() != null) {
return identityProvider.getClaimConfig().getUserClaimURI();
}
return null;
}
/** @return */
public String getTokenEndpointAlias() {
return identityProvider.getAlias();
}
public boolean isFederationHubIdP() {
return identityProvider.isFederationHub();
}
