/** * Extracts the forced IDP list from the session. * * @param session The authentication session. * @return The forced IDPs. * @throws OAException If organization storage exist check can't be performed. */ @SuppressWarnings("unchecked") private List<String> getForcedIDPs(ISession session) throws OAException { List<String> retval = new Vector<String>(); IUser oUser = session.getUser(); if (oUser instanceof SAMLRemoteUser) { SAMLRemoteUser remoteUser = (SAMLRemoteUser) oUser; String sRemoteIdP = remoteUser.getOrganization(); if (sRemoteIdP != null && _organizationStorage.exists(sRemoteIdP)) { StringBuffer sbDebug = new StringBuffer(); sbDebug.append("There is a Remote SAML User available in session with ID '"); sbDebug.append(session.getId()); sbDebug.append("' that is known at remote IdP '"); sbDebug.append(sRemoteIdP); sbDebug.append("' so this IdP will be forced"); _logger.debug(sbDebug.toString()); retval.add(sRemoteIdP); return retval; } } ISessionAttributes atts = session.getAttributes(); String sGetComplete = (String) atts.get(ProxyAttributes.class, ProxyAttributes.IDPLIST_GETCOMPLETE); if (sGetComplete != null) { _logger.debug( "Using proxy attribute: " + ProxyAttributes.IDPLIST_GETCOMPLETE + ": " + sGetComplete); // getcomplete IDPList idpList = null; try { if (_mRemoteIDPLists.containsKey(sGetComplete)) { idpList = _mRemoteIDPLists.get(sGetComplete).getList(); } else { RemoteIDPListEntry entry = new RemoteIDPListEntry(sGetComplete, 1000); idpList = entry.getList(); // DD Add the RemoteIDPListEntry to a map for caching purposes; The getEntry() retrieves // the list from the url. _mRemoteIDPLists.put(sGetComplete, entry); } if (idpList != null) { for (IDPEntry entry : idpList.getIDPEntrys()) { retval.add(entry.getProviderID()); } } } catch (ResourceException e) { _logger.warn("Failed retrieval of IDPList from GetComplete URL: " + sGetComplete, e); } } List<SAML2IDPEntry> idpList = (List<SAML2IDPEntry>) atts.get(ProxyAttributes.class, ProxyAttributes.IDPLIST); if (idpList != null) { if (_logger.isDebugEnabled()) { StringBuffer sbMessage = new StringBuffer("Using proxy attribute "); sbMessage.append(ProxyAttributes.IDPLIST); sbMessage.append(": ").append(idpList); _logger.debug(sbMessage); } for (SAML2IDPEntry entry : idpList) { // DD We currently ignore the proxied SAML2IDPEntry.getName() (friendlyname) and // SAML2IDPEntry.getLoc() String sID = entry.getProviderID(); if (sID != null) { if (!retval.contains(sID)) retval.add(sID); } } } Collection cForcedOrganizations = (Collection) atts.get( com.alfaariss.oa.util.session.ProxyAttributes.class, com.alfaariss.oa.util.session.ProxyAttributes.FORCED_ORGANIZATIONS); if (cForcedOrganizations != null) { if (_logger.isDebugEnabled()) { StringBuffer sbMessage = new StringBuffer("Using proxy attribute "); sbMessage.append(com.alfaariss.oa.util.session.ProxyAttributes.FORCED_ORGANIZATIONS); sbMessage.append(": ").append(cForcedOrganizations); _logger.debug(sbMessage); } for (Object oForceOrganization : cForcedOrganizations) { String sForceOrganization = (String) oForceOrganization; if (!retval.contains(sForceOrganization)) retval.add(sForceOrganization); } } return retval; }
/** * Requestor selection based on RemoteASelectMethod.authenticate. * * <p>When implementing Synchronous (querying) authentication, this method should be adapted. - * Warnings * * @see * com.alfaariss.oa.sso.authentication.web.IWebAuthenticationMethod#authenticate(javax.servlet.http.HttpServletRequest, * javax.servlet.http.HttpServletResponse, com.alfaariss.oa.api.session.ISession) */ @SuppressWarnings("unchecked") public UserEvent authenticate( HttpServletRequest request, HttpServletResponse response, ISession session) throws OAException { try { ISessionAttributes oAttributes = session.getAttributes(); // check proxy att: Integer intCnt = (Integer) oAttributes.get(ProxyAttributes.class, ProxyAttributes.PROXYCOUNT); if (intCnt != null && intCnt <= 0) { _logger.debug("No more authentication proxying allowed: " + intCnt); _eventLogger.info( new UserEventLogItem( session, request.getRemoteAddr(), UserEvent.AUTHN_METHOD_FAILED, this, "ProxyCount <= 0")); return UserEvent.AUTHN_METHOD_FAILED; } SAML2IDP organization = null; List<Warnings> warnings = null; // Figure out whether there exists a pre-selected organization in the URLPath context URLPathContext oURLPathContext = (URLPathContext) oAttributes.get( com.alfaariss.oa.util.session.ProxyAttributes.class, com.alfaariss.oa.util.session.ProxyAttributes.PROXY_URLPATH_CONTEXT); if (oURLPathContext != null) { organization = processURLPathContext(oAttributes, oURLPathContext); } if (organization != null) { _logger.info("Established organization from URLPathContext: " + organization.getID()); // Add to Session context if it is not there yet if (!oAttributes.contains( SAML2AuthenticationMethod.class, _sMethodId + "." + SELECTED_ORGANIZATION)) { oAttributes.put( SAML2AuthenticationMethod.class, _sMethodId, SELECTED_ORGANIZATION, organization); } } else { if (oAttributes.contains( SAML2AuthenticationMethod.class, _sMethodId + "." + SELECTED_ORGANIZATION)) { organization = (SAML2IDP) oAttributes.get( SAML2AuthenticationMethod.class, _sMethodId + "." + SELECTED_ORGANIZATION); } else { List<SAML2IDP> listSelectableOrganizations = null; if (oAttributes.contains( SAML2AuthenticationMethod.class, _sMethodId + "." + LIST_AVAILABLE_ORGANIZATIONS)) { // The selected organization was not available, select again: listSelectableOrganizations = (List<SAML2IDP>) oAttributes.get( SAML2AuthenticationMethod.class, _sMethodId + "." + LIST_AVAILABLE_ORGANIZATIONS); warnings = new Vector<Warnings>(); warnings.add(Warnings.WARNING_ORGANIZATION_UNAVAILABLE); } else { IUser oUser = session.getUser(); if (oUser != null) { // verify if user that was identified in previous authn method may use this SAML2 // authn method if (!oUser.isAuthenticationRegistered(_sMethodId)) { _eventLogger.info( new UserEventLogItem( session, request.getRemoteAddr(), UserEvent.AUTHN_METHOD_NOT_REGISTERED, this, null)); return UserEvent.AUTHN_METHOD_NOT_REGISTERED; } } listSelectableOrganizations = new Vector<SAML2IDP>(); Vector fallbackList = new Vector<String>(); Collection<String> cForcedOrganizations = getForcedIDPs(session); if (cForcedOrganizations != null && !cForcedOrganizations.isEmpty()) oAttributes.put( SAML2AuthNConstants.class, SAML2AuthNConstants.FORCED_ORGANIZATIONS, cForcedOrganizations); List<SAML2IDP> listIDPs = _organizationStorage.getAll(); for (SAML2IDP saml2IDP : listIDPs) { fallbackList.add(saml2IDP); if (cForcedOrganizations == null || cForcedOrganizations.contains(saml2IDP.getID())) { // if no forced organizations are defined or organization is in the forced // organization list: Add to select organization list. listSelectableOrganizations.add(saml2IDP); } } if (listSelectableOrganizations.isEmpty()) { // DD if no forced orgs are known locally, add all and let user decide. // Make sure proxy orgs are send with AuthN request listSelectableOrganizations = fallbackList; } } if (listSelectableOrganizations.size() == 0) { _logger.debug("No organizations available to choose from"); _eventLogger.info( new UserEventLogItem( session, request.getRemoteAddr(), UserEvent.AUTHN_METHOD_NOT_SUPPORTED, this, null)); return UserEvent.AUTHN_METHOD_NOT_SUPPORTED; } if (_oSelector == null) { organization = listSelectableOrganizations.get(0); _logger.debug("No selector configured, using: " + organization.getID()); } else { try { // Select requestor organization = _oSelector.resolve( request, response, session, listSelectableOrganizations, _sFriendlyName, warnings); } catch (OAException e) { _eventLogger.info( new UserEventLogItem( session, request.getRemoteAddr(), UserEvent.INTERNAL_ERROR, this, "selecting organization")); throw e; } } if (organization == null) { // Page is shown _eventLogger.info( new UserEventLogItem( session, request.getRemoteAddr(), UserEvent.AUTHN_METHOD_IN_PROGRESS, this, null)); return UserEvent.AUTHN_METHOD_IN_PROGRESS; } oAttributes.put( SAML2AuthenticationMethod.class, _sMethodId, SELECTED_ORGANIZATION, organization); listSelectableOrganizations.remove(organization); oAttributes.put( SAML2AuthenticationMethod.class, _sMethodId, LIST_AVAILABLE_ORGANIZATIONS, listSelectableOrganizations); } } UserEvent event = null; if (_profileWebBrowserSSO != null) { event = _profileWebBrowserSSO.process( request, response, session, organization, _htAttributeMapper); _eventLogger.info( new UserEventLogItem(session, request.getRemoteAddr(), event, this, null)); } else { _eventLogger.info( new UserEventLogItem( session, request.getRemoteAddr(), UserEvent.AUTHN_METHOD_FAILED, this, "No suitable SAML2 profile could be found for authentication")); event = UserEvent.AUTHN_METHOD_FAILED; } if (event == UserEvent.AUTHN_METHOD_FAILED && _bEnableFallback) { // fallback event = UserEvent.AUTHN_METHOD_IN_PROGRESS; oAttributes.remove( SAML2AuthenticationMethod.class, _sMethodId + "." + SELECTED_ORGANIZATION); _eventLogger.info( new UserEventLogItem( session, request.getRemoteAddr(), UserEvent.AUTHN_METHOD_IN_PROGRESS, this, "Fallback mechanism activated")); event = authenticate(request, response, session); } return event; } catch (OAException oae) { _eventLogger.info( new UserEventLogItem( session, request.getRemoteAddr(), UserEvent.AUTHN_METHOD_FAILED, this, oae.getLocalizedMessage())); throw oae; } }