Example #1
0
  /**
   * If the SAMLRequest is a Logout request then IDP will send logout requests to other session
   * participants and then sends the logout Response back to the initiator. In case of
   * authentication request, check if there is a valid session for the user, if there is, the user
   * will be redirected directly to the Service Provider, if not the user will be redirected to the
   * login page.
   *
   * @param req
   * @param resp
   * @param sessionId
   * @param samlRequest
   * @param relayState
   * @param authMode
   * @throws IdentityException
   * @throws IOException
   * @throws ServletException
   * @throws org.wso2.carbon.identity.base.IdentityException
   */
  private void handleSPInitSSO(
      HttpServletRequest req,
      HttpServletResponse resp,
      String queryString,
      String relayState,
      String authMode,
      String samlRequest,
      String sessionId,
      boolean isPost)
      throws UserStoreException, IdentityException, IOException, ServletException {

    String rpSessionId =
        CharacterEncoder.getSafeText(req.getParameter(MultitenantConstants.SSO_AUTH_SESSION_ID));
    SAMLSSOService samlSSOService = new SAMLSSOService();

    SAMLSSOReqValidationResponseDTO signInRespDTO =
        samlSSOService.validateSPInitSSORequest(
            samlRequest, queryString, sessionId, rpSessionId, authMode, isPost);

    if (!signInRespDTO.isLogOutReq()) { // an <AuthnRequest> received
      if (signInRespDTO.isValid()) {
        sendToFrameworkForAuthentication(req, resp, signInRespDTO, relayState, isPost);
      } else {
        // TODO send invalid response to SP
        if (log.isDebugEnabled()) {
          log.debug("Invalid SAML SSO Request : " + samlRequest);
        }
        String errorResp = signInRespDTO.getResponse();
        sendNotification(
            errorResp,
            SAMLSSOConstants.Notification.EXCEPTION_STATUS,
            SAMLSSOConstants.Notification.EXCEPTION_MESSAGE,
            signInRespDTO.getAssertionConsumerURL(),
            req,
            resp);
      }
    } else { // a <LogoutRequest> received
      if (signInRespDTO.isValid()) {
        sendToFrameworkForLogout(req, resp, signInRespDTO, relayState, sessionId, false, isPost);
      } else {
        if (log.isDebugEnabled()) {
          log.debug("Invalid SAML SSO Logout Request : " + samlRequest);
        }
        if (signInRespDTO.isLogoutFromAuthFramework()) {
          sendToFrameworkForLogout(req, resp, null, null, sessionId, true, isPost);
        } else {
          // TODO send invalid response to SP
          String errorResp = signInRespDTO.getResponse();
          sendNotification(
              errorResp,
              SAMLSSOConstants.Notification.EXCEPTION_STATUS,
              SAMLSSOConstants.Notification.EXCEPTION_MESSAGE,
              signInRespDTO.getAssertionConsumerURL(),
              req,
              resp);
        }
      }
    }
  }
Example #2
0
  private void handleIdPInitSSO(
      HttpServletRequest req,
      HttpServletResponse resp,
      String relayState,
      String queryString,
      String authMode,
      String sessionId,
      boolean isPost,
      boolean isLogout)
      throws UserStoreException, IdentityException, IOException, ServletException {

    String rpSessionId =
        CharacterEncoder.getSafeText(req.getParameter(MultitenantConstants.SSO_AUTH_SESSION_ID));
    SAMLSSOService samlSSOService = new SAMLSSOService();

    SAMLSSOReqValidationResponseDTO signInRespDTO =
        samlSSOService.validateIdPInitSSORequest(
            relayState,
            queryString,
            getQueryParams(req),
            CarbonUIUtil.getAdminConsoleURL(req),
            sessionId,
            rpSessionId,
            authMode,
            isLogout);

    if (!signInRespDTO.isLogOutReq()) {
      if (signInRespDTO.isValid()) {
        sendToFrameworkForAuthentication(req, resp, signInRespDTO, relayState, false);
      } else {
        if (log.isDebugEnabled()) {
          log.debug("Invalid IdP initiated SAML SSO Request");
        }

        String errorResp = signInRespDTO.getResponse();
        sendNotification(
            errorResp,
            SAMLSSOConstants.Notification.EXCEPTION_STATUS,
            SAMLSSOConstants.Notification.EXCEPTION_MESSAGE,
            signInRespDTO.getAssertionConsumerURL(),
            req,
            resp);
      }
    } else {
      if (signInRespDTO.isValid()) {
        sendToFrameworkForLogout(req, resp, signInRespDTO, relayState, sessionId, false, isPost);
      } else {
        if (log.isDebugEnabled()) {
          log.debug("Invalid IdP initiated SAML Single Logout Request");
        }

        if (signInRespDTO.isLogoutFromAuthFramework()) {
          sendToFrameworkForLogout(req, resp, null, null, sessionId, true, isPost);
        } else {
          String errorResp = signInRespDTO.getResponse();
          sendNotification(
              errorResp,
              SAMLSSOConstants.Notification.INVALID_MESSAGE_STATUS,
              SAMLSSOConstants.Notification.EXCEPTION_MESSAGE,
              signInRespDTO.getAssertionConsumerURL(),
              req,
              resp);
        }
      }
    }
  }