コード例 #1
0
  public Response buildResponse(SAMLSSOAuthnReqDTO authReqDTO, String sessionId)
      throws IdentityException {

    if (log.isDebugEnabled()) {
      log.debug(
          "Building SAML Response for the consumer '" + authReqDTO.getAssertionConsumerURL() + "'");
    }
    Response response = new org.opensaml.saml2.core.impl.ResponseBuilder().buildObject();
    response.setIssuer(SAMLSSOUtil.getIssuer());
    response.setID(SAMLSSOUtil.createID());
    response.setInResponseTo(authReqDTO.getId());
    response.setDestination(authReqDTO.getAssertionConsumerURL());
    response.setStatus(buildStatus(SAMLSSOConstants.StatusCodes.SUCCESS_CODE, null));
    response.setVersion(SAMLVersion.VERSION_20);
    DateTime issueInstant = new DateTime();
    DateTime notOnOrAfter =
        new DateTime(
            issueInstant.getMillis() + SAMLSSOUtil.getSAMLResponseValidityPeriod() * 60 * 1000);
    response.setIssueInstant(issueInstant);
    Assertion assertion = buildSAMLAssertion(authReqDTO, notOnOrAfter, sessionId);
    response.getAssertions().add(assertion);
    if (authReqDTO.isDoSignResponse()) {
      SAMLSSOUtil.setSignature(
          response,
          XMLSignature.ALGO_ID_SIGNATURE_RSA,
          new SignKeyDataHolder(authReqDTO.getUsername()));
    }
    return response;
  }
 /**
  * Builds the SAML error response and sets the compressed value to the reqValidationResponseDTO
  *
  * @param id
  * @param status
  * @param statMsg
  * @param destination
  * @return
  * @throws IdentityException
  */
 private SAMLSSOReqValidationResponseDTO buildErrorResponse(
     String id,
     String status,
     String statMsg,
     String destination,
     String responseSigningAlgorithmUri,
     String responseDigestAlgorithmUri)
     throws IdentityException {
   SAMLSSOReqValidationResponseDTO reqValidationResponseDTO =
       new SAMLSSOReqValidationResponseDTO();
   LogoutResponse logoutResp =
       new SingleLogoutMessageBuilder()
           .buildLogoutResponse(
               id,
               status,
               statMsg,
               destination,
               false,
               null,
               responseSigningAlgorithmUri,
               responseDigestAlgorithmUri);
   reqValidationResponseDTO.setLogOutReq(true);
   reqValidationResponseDTO.setValid(false);
   try {
     reqValidationResponseDTO.setResponse(
         SAMLSSOUtil.compressResponse(SAMLSSOUtil.marshall(logoutResp)));
   } catch (IOException e) {
     throw new IdentityException("Error while creating logout response", e);
   }
   return reqValidationResponseDTO;
 }
コード例 #3
0
 @Override
 protected void doPost(HttpServletRequest req, HttpServletResponse resp)
     throws ServletException, IOException {
   try {
     handleRequest(req, resp, true);
   } finally {
     SAMLSSOUtil.removeSaaSApplicationThreaLocal();
     SAMLSSOUtil.removeUserTenantDomainThreaLocal();
     SAMLSSOUtil.removeTenantDomainFromThreadLocal();
   }
 }
コード例 #4
0
 @Override
 protected void doGet(
     HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse)
     throws ServletException, IOException {
   try {
     handleRequest(httpServletRequest, httpServletResponse, false);
   } finally {
     SAMLSSOUtil.removeSaaSApplicationThreaLocal();
     SAMLSSOUtil.removeUserTenantDomainThreaLocal();
     SAMLSSOUtil.removeTenantDomainFromThreadLocal();
   }
 }
コード例 #5
0
  private void handleLogoutResponseFromFramework(
      HttpServletRequest request, HttpServletResponse response, SAMLSSOSessionDTO sessionDTO)
      throws ServletException, IOException, IdentityException {

    SAMLSSOReqValidationResponseDTO validationResponseDTO = sessionDTO.getValidationRespDTO();

    if (validationResponseDTO != null) {
      // sending LogoutRequests to other session participants
      LogoutRequestSender.getInstance()
          .sendLogoutRequests(validationResponseDTO.getLogoutRespDTO());
      SAMLSSOUtil.removeSession(sessionDTO.getSessionId(), validationResponseDTO.getIssuer());
      removeSessionDataFromCache(
          CharacterEncoder.getSafeText(request.getParameter("sessionDataKey")));

      if (validationResponseDTO.isIdPInitSLO()) {
        // redirecting to the return URL or IS logout page
        response.sendRedirect(validationResponseDTO.getReturnToURL());
      } else {
        // sending LogoutResponse back to the initiator
        sendResponse(
            request,
            response,
            sessionDTO.getRelayState(),
            validationResponseDTO.getLogoutResponse(),
            validationResponseDTO.getAssertionConsumerURL(),
            validationResponseDTO.getSubject(),
            null,
            sessionDTO.getTenantDomain());
      }
    } else {
      try {
        samlSsoService.doSingleLogout(request.getSession().getId());
      } catch (IdentityException e) {
        log.error("Error when processing the logout request!", e);
      }

      String errorResp =
          SAMLSSOUtil.buildErrorResponse(
              SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
              "Invalid request",
              sessionDTO.getAssertionConsumerURL());
      sendNotification(
          errorResp,
          SAMLSSOConstants.Notification.INVALID_MESSAGE_STATUS,
          SAMLSSOConstants.Notification.INVALID_MESSAGE_MESSAGE,
          sessionDTO.getAssertionConsumerURL(),
          request,
          response);
    }
  }
コード例 #6
0
  private void startTenantFlow(String tenantDomain) throws IdentityException {

    int tenantId = MultitenantConstants.SUPER_TENANT_ID;

    if (tenantDomain != null
        && !tenantDomain.trim().isEmpty()
        && !"null".equalsIgnoreCase(tenantDomain.trim())) {
      try {
        tenantId = SAMLSSOUtil.getRealmService().getTenantManager().getTenantId(tenantDomain);
        if (tenantId == -1) {
          // invalid tenantId, hence throw exception to avoid setting invalid tenant info
          // to CC
          String message = "Invalid Tenant Domain : " + tenantDomain;
          if (log.isDebugEnabled()) {
            log.debug(message);
          }
          throw new IdentityException(message);
        }
      } catch (UserStoreException e) {
        String message = "Error occurred while getting tenant ID from tenantDomain " + tenantDomain;
        log.error(message, e);
        throw new IdentityException(message, e);
      }
    } else {
      tenantDomain = MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
    }

    PrivilegedCarbonContext.startTenantFlow();
    PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
    carbonContext.setTenantId(tenantId);
    carbonContext.setTenantDomain(tenantDomain);
  }
コード例 #7
0
  /**
   * Validates the authentication request according to IdP Initiated SAML SSO Web Browser
   * Specification
   *
   * @return SAMLSSOSignInResponseDTO
   * @throws org.wso2.carbon.identity.base.IdentityException
   */
  public SAMLSSOReqValidationResponseDTO validate() throws IdentityException {

    SAMLSSOReqValidationResponseDTO validationResponse = new SAMLSSOReqValidationResponseDTO();
    try {

      // spEntityID MUST NOT be null
      if (StringUtils.isNotBlank(spEntityID)) {
        validationResponse.setIssuer(spEntityID);
      } else {
        String errorResp =
            SAMLSSOUtil.buildErrorResponse(
                SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                "spEntityID parameter not found in request",
                null);
        if (log.isDebugEnabled()) {
          log.debug("spEntityID parameter not found in request");
        }
        validationResponse.setResponse(errorResp);
        validationResponse.setValid(false);
        return validationResponse;
      }

      if (!SAMLSSOUtil.isSAMLIssuerExists(
          spEntityID, SAMLSSOUtil.getTenantDomainFromThreadLocal())) {
        String message =
            "A Service Provider with the Issuer '"
                + spEntityID
                + "' is not registered. Service "
                + "Provider should be registered in advance";
        log.error(message);
        String errorResp =
            SAMLSSOUtil.buildErrorResponse(
                SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, null);
        validationResponse.setResponse(errorResp);
        validationResponse.setValid(false);
        return validationResponse;
      }

      // If SP has multiple ACS
      if (StringUtils.isNotBlank(acs)) {
        validationResponse.setAssertionConsumerURL(acs);
      }

      if (StringUtils.isBlank(SAMLSSOUtil.getTenantDomainFromThreadLocal())) {
        SAMLSSOUtil.setTenantDomainInThreadLocal(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);
      }

      validationResponse.setValid(true);

      if (log.isDebugEnabled()) {
        log.debug("IdP Initiated SSO request validation is successful");
      }
      return validationResponse;
    } catch (Exception e) {
      throw IdentityException.error("Error validating the IdP Initiated SSO request", e);
    }
  }
コード例 #8
0
  /**
   * @param req
   * @param authnReqDTO
   */
  private void populateAuthnReqDTO(
      HttpServletRequest req,
      SAMLSSOAuthnReqDTO authnReqDTO,
      SAMLSSOSessionDTO sessionDTO,
      AuthenticationResult authResult)
      throws UserStoreException, IdentityException {

    authnReqDTO.setAssertionConsumerURL(sessionDTO.getAssertionConsumerURL());
    authnReqDTO.setId(sessionDTO.getRequestID());
    authnReqDTO.setIssuer(sessionDTO.getIssuer());
    authnReqDTO.setSubject(sessionDTO.getSubject());
    authnReqDTO.setRpSessionId(sessionDTO.getRelyingPartySessionId());
    authnReqDTO.setRequestMessageString(sessionDTO.getRequestMessageString());
    authnReqDTO.setQueryString(sessionDTO.getHttpQueryString());
    authnReqDTO.setDestination(sessionDTO.getDestination());
    authnReqDTO.setUser(authResult.getSubject());
    authnReqDTO.setIdPInitSSOEnabled(sessionDTO.isIdPInitSSO());
    authnReqDTO.setClaimMapping(authResult.getClaimMapping());
    authnReqDTO.setTenantDomain(sessionDTO.getTenantDomain());
    authnReqDTO.setIdPInitSLOEnabled(sessionDTO.isIdPInitSLO());

    SAMLSSOUtil.setIsSaaSApplication(authResult.isSaaSApp());
    SAMLSSOUtil.setUserTenantDomain(authResult.getSubject().getTenantDomain());
  }
コード例 #9
0
 /**
  * @return
  * @throws IdentityException
  */
 public String[] getCertAliasOfPrimaryKeyStore() throws IdentityException {
   KeyStoreData[] keyStores = getKeyStores();
   KeyStoreData primaryKeyStore = null;
   for (int i = 0; i < keyStores.length; i++) {
     boolean superTenant =
         MultitenantConstants.SUPER_TENANT_ID
                 == CarbonContext.getThreadLocalCarbonContext().getTenantId()
             ? true
             : false;
     if (superTenant && KeyStoreUtil.isPrimaryStore(keyStores[i].getKeyStoreName())) {
       primaryKeyStore = keyStores[i];
       break;
     } else if (!superTenant
         && SAMLSSOUtil.generateKSNameFromDomainName(getTenantDomain())
             .equals(keyStores[i].getKeyStoreName())) {
       primaryKeyStore = keyStores[i];
       break;
     }
   }
   if (primaryKeyStore != null) {
     return getStoreEntries(primaryKeyStore.getKeyStoreName());
   }
   throw new IdentityException("Primary Keystore cannot be found.");
 }
コード例 #10
0
  private Assertion buildSAMLAssertion(
      SAMLSSOAuthnReqDTO authReqDTO, DateTime notOnOrAfter, String sessionId)
      throws IdentityException {
    try {
      DateTime currentTime = new DateTime();
      Assertion samlAssertion = new AssertionBuilder().buildObject();
      samlAssertion.setID(SAMLSSOUtil.createID());
      samlAssertion.setVersion(SAMLVersion.VERSION_20);
      samlAssertion.setIssuer(SAMLSSOUtil.getIssuer());
      samlAssertion.setIssueInstant(currentTime);
      Subject subject = new SubjectBuilder().buildObject();

      NameID nameId = new NameIDBuilder().buildObject();
      if (authReqDTO.getUseFullyQualifiedUsernameAsSubject()) {
        nameId.setValue(authReqDTO.getUsername());
        nameId.setFormat(NameIdentifier.EMAIL);
      } else {
        nameId.setValue(MultitenantUtils.getTenantAwareUsername(authReqDTO.getUsername()));
        nameId.setFormat(authReqDTO.getNameIDFormat());
      }

      subject.setNameID(nameId);

      SubjectConfirmation subjectConfirmation = new SubjectConfirmationBuilder().buildObject();
      subjectConfirmation.setMethod(SAMLSSOConstants.SUBJECT_CONFIRM_BEARER);

      SubjectConfirmationData scData = new SubjectConfirmationDataBuilder().buildObject();
      scData.setRecipient(authReqDTO.getAssertionConsumerURL());
      scData.setNotOnOrAfter(notOnOrAfter);
      scData.setInResponseTo(authReqDTO.getId());
      subjectConfirmation.setSubjectConfirmationData(scData);

      subject.getSubjectConfirmations().add(subjectConfirmation);

      samlAssertion.setSubject(subject);

      AuthnStatement authStmt = new AuthnStatementBuilder().buildObject();
      authStmt.setAuthnInstant(new DateTime());

      AuthnContext authContext = new AuthnContextBuilder().buildObject();
      AuthnContextClassRef authCtxClassRef = new AuthnContextClassRefBuilder().buildObject();
      authCtxClassRef.setAuthnContextClassRef(AuthnContext.PASSWORD_AUTHN_CTX);
      authContext.setAuthnContextClassRef(authCtxClassRef);
      authStmt.setAuthnContext(authContext);
      if (authReqDTO.isDoSingleLogout()) {
        authStmt.setSessionIndex(sessionId);
      }
      samlAssertion.getAuthnStatements().add(authStmt);

      /*
       * If <AttributeConsumingServiceIndex> element is in the
       * <AuthnRequest> and
       * according to the spec 2.0 the subject MUST be in the assertion
       */
      Map<String, String> claims = SAMLSSOUtil.getAttributes(authReqDTO);
      if (claims != null) {
        samlAssertion.getAttributeStatements().add(buildAttributeStatement(claims));
      }

      AudienceRestriction audienceRestriction = new AudienceRestrictionBuilder().buildObject();
      Audience issuerAudience = new AudienceBuilder().buildObject();
      issuerAudience.setAudienceURI(authReqDTO.getIssuer());
      audienceRestriction.getAudiences().add(issuerAudience);
      if (authReqDTO.getRequestedAudiences() != null) {
        for (String requestedAudience : authReqDTO.getRequestedAudiences()) {
          Audience audience = new AudienceBuilder().buildObject();
          audience.setAudienceURI(requestedAudience);
          audienceRestriction.getAudiences().add(audience);
        }
      }
      Conditions conditions = new ConditionsBuilder().buildObject();
      conditions.setNotBefore(currentTime);
      conditions.setNotOnOrAfter(notOnOrAfter);
      conditions.getAudienceRestrictions().add(audienceRestriction);
      samlAssertion.setConditions(conditions);

      if (authReqDTO.getDoSignAssertions()) {
        SAMLSSOUtil.setSignature(
            samlAssertion,
            XMLSignature.ALGO_ID_SIGNATURE_RSA,
            new SignKeyDataHolder(authReqDTO.getUsername()));
      }

      return samlAssertion;
    } catch (Exception e) {
      log.error("Error when reading claim values for generating SAML Response", e);
      throw new IdentityException(
          "Error when reading claim values for generating SAML Response", e);
    }
  }
コード例 #11
0
 static {
   SAMLSSOUtil.doBootstrap();
 }
  /**
   * @param logoutRequest
   * @param sessionId
   * @param queryString
   * @return
   * @throws IdentityException
   */
  public SAMLSSOReqValidationResponseDTO process(
      LogoutRequest logoutRequest, String sessionId, String queryString) throws IdentityException {

    try {
      SAMLSSOReqValidationResponseDTO reqValidationResponseDTO =
          new SAMLSSOReqValidationResponseDTO();
      reqValidationResponseDTO.setLogOutReq(true);

      String subject = null;
      String issuer = null;
      String defaultSigningAlgoUri = IdentityApplicationManagementUtil.getSigningAlgoURIByConfig();
      String defaultDigestAlgoUri = IdentityApplicationManagementUtil.getDigestAlgoURIByConfig();

      // Get the sessions from the SessionPersistenceManager and prepare
      // the logout responses
      SSOSessionPersistenceManager ssoSessionPersistenceManager =
          SSOSessionPersistenceManager.getPersistenceManager();
      if (StringUtils.isBlank(sessionId)) {
        String message = "Session was already Expired";
        log.error(message);
        return buildErrorResponse(
            logoutRequest.getID(),
            SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
            message,
            logoutRequest.getDestination(),
            defaultSigningAlgoUri,
            defaultDigestAlgoUri);
      }
      String sessionIndex = ssoSessionPersistenceManager.getSessionIndexFromTokenId(sessionId);

      if (StringUtils.isBlank(sessionId)) {
        String message = "Session index value not found in the request";
        log.error(message);
        reqValidationResponseDTO =
            buildErrorResponse(
                logoutRequest.getID(),
                SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                message,
                null,
                defaultSigningAlgoUri,
                defaultDigestAlgoUri);
        reqValidationResponseDTO.setLogoutFromAuthFramework(true);
        return reqValidationResponseDTO;
      }
      // Only if the logout request is received.
      if (logoutRequest != null) {
        if (logoutRequest.getIssuer() == null) {
          String message = "Issuer should be mentioned in the Logout Request";
          log.error(message);
          return buildErrorResponse(
              logoutRequest.getID(),
              SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
              message,
              logoutRequest.getDestination(),
              defaultSigningAlgoUri,
              defaultDigestAlgoUri);
        }

        // TODO : Check for BaseID and EncryptedID as well.
        if (logoutRequest.getNameID() != null) {
          NameID nameID = logoutRequest.getNameID();
          subject = nameID.getValue();
        } else {
          String message = "Subject Name should be specified in the Logout Request";
          log.error(message);
          return buildErrorResponse(
              logoutRequest.getID(),
              SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
              message,
              logoutRequest.getDestination(),
              defaultSigningAlgoUri,
              defaultDigestAlgoUri);
        }

        if (logoutRequest.getSessionIndexes() == null) {
          String message = "At least one Session Index should be present in the Logout Request";
          log.error(message);
          return buildErrorResponse(
              logoutRequest.getID(),
              SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
              message,
              logoutRequest.getDestination(),
              defaultSigningAlgoUri,
              defaultDigestAlgoUri);
        }

        SessionInfoData sessionInfoData = ssoSessionPersistenceManager.getSessionInfo(sessionIndex);

        if (sessionInfoData == null) {
          String message = "No Established Sessions corresponding to Session Indexes provided.";
          log.error(message);
          reqValidationResponseDTO =
              buildErrorResponse(
                  logoutRequest.getID(),
                  SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                  message,
                  null,
                  defaultSigningAlgoUri,
                  defaultDigestAlgoUri);
          reqValidationResponseDTO.setLogoutFromAuthFramework(true);
          return reqValidationResponseDTO;
        }

        issuer = logoutRequest.getIssuer().getValue();

        if (issuer.contains("@")) {
          String tenantDomain = issuer.substring(issuer.lastIndexOf('@') + 1);
          issuer = issuer.substring(0, issuer.lastIndexOf('@'));
          if (StringUtils.isNotEmpty(tenantDomain) && StringUtils.isNotEmpty(issuer)) {
            SAMLSSOUtil.setTenantDomainInThreadLocal(tenantDomain);
            if (log.isDebugEnabled()) {
              log.debug(
                  "Tenant Domain :"
                      + " "
                      + tenantDomain
                      + " "
                      + "&"
                      + " "
                      + "Issuer name :"
                      + issuer
                      + " "
                      + "has being spilt");
            }
          } else {
            SAMLSSOServiceProviderDO serviceProvider =
                sessionInfoData.getServiceProviderList().get(issuer);
            if (serviceProvider != null) {
              SAMLSSOUtil.setTenantDomainInThreadLocal(
                  sessionInfoData.getServiceProviderList().get(issuer).getTenantDomain());
            } else {
              throw new IdentityException(
                  "Service provider :" + issuer + " does not exist in session " + "info data.");
            }
          }
        } else {
          SAMLSSOServiceProviderDO serviceProvider =
              sessionInfoData.getServiceProviderList().get(issuer);
          if (serviceProvider != null) {
            SAMLSSOUtil.setTenantDomainInThreadLocal(
                sessionInfoData.getServiceProviderList().get(issuer).getTenantDomain());
          } else {
            throw new IdentityException(
                "Service provider :" + issuer + " does not exist in session info " + "data.");
          }
        }
        subject = sessionInfoData.getSubject(issuer);

        Map<String, SAMLSSOServiceProviderDO> sessionsList =
            sessionInfoData.getServiceProviderList();
        SAMLSSOServiceProviderDO logoutReqIssuer = sessionsList.get(issuer);

        if (logoutReqIssuer.isDoSingleLogout()) {
          // validate session index
          SessionIndex requestSessionIndex =
              logoutRequest.getSessionIndexes().size() > 0
                  ? logoutRequest.getSessionIndexes().get(0)
                  : null;

          if (requestSessionIndex == null
              || !sessionIndex.equals(requestSessionIndex.getSessionIndex())) {
            String message =
                "Session Index validation for Logout Request failed. "
                    + "Received: ["
                    + (requestSessionIndex == null ? "null" : requestSessionIndex.getSessionIndex())
                    + "]."
                    + " Expected: ["
                    + sessionIndex
                    + "]";
            log.error(message);
            return buildErrorResponse(
                logoutRequest.getID(),
                SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                message,
                logoutRequest.getDestination(),
                logoutReqIssuer.getSigningAlgorithmUri(),
                logoutReqIssuer.getDigestAlgorithmUri());
          }
        }

        if (logoutReqIssuer.isDoValidateSignatureInRequests()) {

          // Validate 'Destination'
          List<String> idpUrlSet =
              SAMLSSOUtil.getDestinationFromTenantDomain(
                  SAMLSSOUtil.getTenantDomainFromThreadLocal());

          if (logoutRequest.getDestination() == null
              || !idpUrlSet.contains(logoutRequest.getDestination())) {
            String message =
                "Destination validation for Logout Request failed. "
                    + "Received: ["
                    + logoutRequest.getDestination()
                    + "]."
                    + " Expected: ["
                    + StringUtils.join(idpUrlSet, ',')
                    + "]";
            log.error(message);
            return buildErrorResponse(
                logoutRequest.getID(),
                SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                message,
                logoutRequest.getDestination(),
                logoutReqIssuer.getSigningAlgorithmUri(),
                logoutReqIssuer.getDigestAlgorithmUri());
          }

          // Validate Signature
          boolean isSignatureValid =
              SAMLSSOUtil.validateLogoutRequestSignature(
                  logoutRequest, logoutReqIssuer.getCertAlias(), subject, queryString);
          if (!isSignatureValid) {
            String message = "Signature validation for Logout Request failed";
            log.error(message);
            return buildErrorResponse(
                logoutRequest.getID(),
                SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                message,
                logoutRequest.getDestination(),
                logoutReqIssuer.getSigningAlgorithmUri(),
                logoutReqIssuer.getDigestAlgorithmUri());
          }
        }

        SingleLogoutMessageBuilder logoutMsgBuilder = new SingleLogoutMessageBuilder();
        Map<String, String> rpSessionsList = sessionInfoData.getRPSessionsList();
        List<SingleLogoutRequestDTO> singleLogoutReqDTOs = new ArrayList<SingleLogoutRequestDTO>();

        for (Map.Entry<String, SAMLSSOServiceProviderDO> entry : sessionsList.entrySet()) {
          String key = entry.getKey();
          SAMLSSOServiceProviderDO value = entry.getValue();

          if (!key.equals(issuer)) {
            SingleLogoutRequestDTO logoutReqDTO = new SingleLogoutRequestDTO();
            if (StringUtils.isNotBlank(value.getSloRequestURL())) {
              logoutReqDTO.setAssertionConsumerURL(value.getSloRequestURL());
            } else if (StringUtils.isNotBlank(value.getSloResponseURL())) {
              logoutReqDTO.setAssertionConsumerURL(value.getSloResponseURL());
            } else {
              logoutReqDTO.setAssertionConsumerURL(value.getAssertionConsumerUrl());
            }

            LogoutRequest logoutReq =
                logoutMsgBuilder.buildLogoutRequest(
                    sessionInfoData.getSubject(key),
                    sessionIndex,
                    SAMLSSOConstants.SingleLogoutCodes.LOGOUT_USER,
                    logoutReqDTO.getAssertionConsumerURL(),
                    value.getNameIDFormat(),
                    value.getTenantDomain(),
                    value.getSigningAlgorithmUri(),
                    value.getDigestAlgorithmUri());
            String logoutReqString = SAMLSSOUtil.encode(SAMLSSOUtil.marshall(logoutReq));
            logoutReqDTO.setLogoutResponse(logoutReqString);
            logoutReqDTO.setRpSessionId(rpSessionsList.get(key));
            singleLogoutReqDTOs.add(logoutReqDTO);
          } else {
            reqValidationResponseDTO.setIssuer(value.getIssuer());
            reqValidationResponseDTO.setDoSignResponse(value.isDoSignResponse());
            reqValidationResponseDTO.setSigningAlgorithmUri(value.getSigningAlgorithmUri());
            reqValidationResponseDTO.setDigestAlgorithmUri(value.getDigestAlgorithmUri());
            if (StringUtils.isNotBlank(value.getSloResponseURL())) {
              reqValidationResponseDTO.setAssertionConsumerURL(value.getSloResponseURL());
            } else {
              reqValidationResponseDTO.setAssertionConsumerURL(value.getAssertionConsumerUrl());
            }
          }
        }

        reqValidationResponseDTO.setLogoutRespDTO(
            singleLogoutReqDTOs.toArray(new SingleLogoutRequestDTO[singleLogoutReqDTOs.size()]));

        LogoutResponse logoutResponse =
            logoutMsgBuilder.buildLogoutResponse(
                logoutRequest.getID(),
                SAMLSSOConstants.StatusCodes.SUCCESS_CODE,
                null,
                reqValidationResponseDTO.getAssertionConsumerURL(),
                reqValidationResponseDTO.isDoSignResponse(),
                SAMLSSOUtil.getTenantDomainFromThreadLocal(),
                reqValidationResponseDTO.getSigningAlgorithmUri(),
                reqValidationResponseDTO.getDigestAlgorithmUri());

        reqValidationResponseDTO.setLogoutResponse(
            SAMLSSOUtil.encode(SAMLSSOUtil.marshall(logoutResponse)));
        reqValidationResponseDTO.setValid(true);
      }

      return reqValidationResponseDTO;
    } catch (UserStoreException | IdentityException e) {
      throw new IdentityException("Error Processing the Logout Request", e);
    }
  }
コード例 #13
0
  /**
   * This method handles authentication and sends authentication Response message back to the
   * Service Provider after successful authentication. In case of authentication failure the user is
   * prompted back for authentication.
   *
   * @param req
   * @param resp
   * @param sessionId
   * @throws IdentityException
   * @throws IOException
   * @throws ServletException
   */
  private void handleAuthenticationReponseFromFramework(
      HttpServletRequest req,
      HttpServletResponse resp,
      String sessionId,
      SAMLSSOSessionDTO sessionDTO)
      throws UserStoreException, IdentityException, IOException, ServletException {

    String sessionDataKey = CharacterEncoder.getSafeText(req.getParameter("sessionDataKey"));
    AuthenticationResult authResult = getAuthenticationResultFromCache(sessionDataKey);

    if (log.isDebugEnabled() && authResult == null) {
      log.debug("Session data is not found for key : " + sessionDataKey);
    }
    SAMLSSOReqValidationResponseDTO reqValidationDTO = sessionDTO.getValidationRespDTO();
    SAMLSSOAuthnReqDTO authnReqDTO = new SAMLSSOAuthnReqDTO();

    if (authResult == null || !authResult.isAuthenticated()) {

      if (log.isDebugEnabled() && authResult != null) {
        log.debug("Unauthenticated User");
      }

      if (reqValidationDTO.isPassive()) { // if passive

        List<String> statusCodes = new ArrayList<String>();
        statusCodes.add(SAMLSSOConstants.StatusCodes.NO_PASSIVE);
        statusCodes.add(SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR);
        String destination = reqValidationDTO.getDestination();
        reqValidationDTO.setResponse(
            SAMLSSOUtil.buildErrorResponse(
                reqValidationDTO.getId(),
                statusCodes,
                "Cannot authenticate Subject in Passive Mode",
                destination));

        sendResponse(
            req,
            resp,
            sessionDTO.getRelayState(),
            reqValidationDTO.getResponse(),
            reqValidationDTO.getAssertionConsumerURL(),
            reqValidationDTO.getSubject(),
            null,
            sessionDTO.getTenantDomain());
        return;

      } else { // if forceAuthn or normal flow
        // TODO send a saml response with a status message.
        if (!authResult.isAuthenticated()) {
          String destination = reqValidationDTO.getDestination();
          String errorResp =
              SAMLSSOUtil.buildErrorResponse(
                  SAMLSSOConstants.StatusCodes.AUTHN_FAILURE,
                  "User authentication failed",
                  destination);
          sendNotification(
              errorResp,
              SAMLSSOConstants.Notification.EXCEPTION_STATUS,
              SAMLSSOConstants.Notification.EXCEPTION_MESSAGE,
              reqValidationDTO.getAssertionConsumerURL(),
              req,
              resp);
          return;
        } else {
          throw new IdentityException("Session data is not found for authenticated user");
        }
      }
    } else {
      populateAuthnReqDTO(req, authnReqDTO, sessionDTO, authResult);
      req.setAttribute(SAMLSSOConstants.AUTHENTICATION_RESULT, authResult);
      String relayState = null;

      if (req.getParameter(SAMLSSOConstants.RELAY_STATE) != null) {
        relayState = req.getParameter(SAMLSSOConstants.RELAY_STATE);
      } else {
        relayState = sessionDTO.getRelayState();
      }

      startTenantFlow(authnReqDTO.getTenantDomain());

      if (sessionId == null) {
        sessionId = UUIDGenerator.generateUUID();
      }

      SAMLSSOService samlSSOService = new SAMLSSOService();
      SAMLSSORespDTO authRespDTO =
          samlSSOService.authenticate(
              authnReqDTO,
              sessionId,
              authResult.isAuthenticated(),
              authResult.getAuthenticatedAuthenticators(),
              SAMLSSOConstants.AuthnModes.USERNAME_PASSWORD);

      if (authRespDTO.isSessionEstablished()) { // authenticated

        storeTokenIdCookie(sessionId, req, resp, authnReqDTO.getTenantDomain());
        removeSessionDataFromCache(
            CharacterEncoder.getSafeText(req.getParameter("sessionDataKey")));

        sendResponse(
            req,
            resp,
            relayState,
            authRespDTO.getRespString(),
            authRespDTO.getAssertionConsumerURL(),
            authRespDTO.getSubject().getAuthenticatedSubjectIdentifier(),
            authResult.getAuthenticatedIdPs(),
            sessionDTO.getTenantDomain());
      } else { // authentication FAILURE
        String errorResp = authRespDTO.getRespString();
        sendNotification(
            errorResp,
            SAMLSSOConstants.Notification.EXCEPTION_STATUS,
            SAMLSSOConstants.Notification.EXCEPTION_MESSAGE,
            authRespDTO.getAssertionConsumerURL(),
            req,
            resp);
      }
    }
  }
コード例 #14
0
  /**
   * Sends the user for authentication to the login page
   *
   * @param req
   * @param resp
   * @param signInRespDTO
   * @param relayState
   * @throws ServletException
   * @throws IOException
   */
  private void sendToFrameworkForAuthentication(
      HttpServletRequest req,
      HttpServletResponse resp,
      SAMLSSOReqValidationResponseDTO signInRespDTO,
      String relayState,
      boolean isPost)
      throws ServletException, IOException, UserStoreException, IdentityException {

    SAMLSSOSessionDTO sessionDTO = new SAMLSSOSessionDTO();
    sessionDTO.setHttpQueryString(req.getQueryString());
    sessionDTO.setDestination(signInRespDTO.getDestination());
    sessionDTO.setRelayState(relayState);
    sessionDTO.setRequestMessageString(signInRespDTO.getRequestMessageString());
    sessionDTO.setIssuer(signInRespDTO.getIssuer());
    sessionDTO.setRequestID(signInRespDTO.getId());
    sessionDTO.setSubject(signInRespDTO.getSubject());
    sessionDTO.setRelyingPartySessionId(signInRespDTO.getRpSessionId());
    sessionDTO.setAssertionConsumerURL(signInRespDTO.getAssertionConsumerURL());
    sessionDTO.setTenantDomain(SAMLSSOUtil.getTenantDomainFromThreadLocal());

    if (sessionDTO.getTenantDomain() == null) {
      String[] splitIssuer = sessionDTO.getIssuer().split("@");
      if (splitIssuer != null
          && splitIssuer.length == 2
          && !splitIssuer[0].trim().isEmpty()
          && !splitIssuer[1].trim().isEmpty()) {
        sessionDTO.setTenantDomain(splitIssuer[1]);
      } else {
        sessionDTO.setTenantDomain(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);
      }
    }
    SAMLSSOUtil.setTenantDomainInThreadLocal(sessionDTO.getTenantDomain());

    sessionDTO.setForceAuth(signInRespDTO.isForceAuthn());
    sessionDTO.setPassiveAuth(signInRespDTO.isPassive());
    sessionDTO.setValidationRespDTO(signInRespDTO);
    sessionDTO.setIdPInitSSO(signInRespDTO.isIdPInitSSO());

    String sessionDataKey = UUIDGenerator.generateUUID();
    addSessionDataToCache(
        sessionDataKey,
        sessionDTO,
        IdPManagementUtil.getIdleSessionTimeOut(sessionDTO.getTenantDomain()));

    String commonAuthURL = CarbonUIUtil.getAdminConsoleURL(req);
    commonAuthURL =
        commonAuthURL.replace(
            FrameworkConstants.RequestType.CLAIM_TYPE_SAML_SSO
                + "/"
                + FrameworkConstants.CARBON
                + "/",
            FrameworkConstants.COMMONAUTH);
    String selfPath =
        URLEncoder.encode("/" + FrameworkConstants.RequestType.CLAIM_TYPE_SAML_SSO, "UTF-8");
    // Setting authentication request context
    AuthenticationRequest authenticationRequest = new AuthenticationRequest();

    // Adding query parameters
    authenticationRequest.appendRequestQueryParams(req.getParameterMap());
    for (Enumeration headerNames = req.getHeaderNames(); headerNames.hasMoreElements(); ) {
      String headerName = headerNames.nextElement().toString();
      authenticationRequest.addHeader(headerName, req.getHeader(headerName));
    }

    authenticationRequest.setRelyingParty(signInRespDTO.getIssuer());
    authenticationRequest.setCommonAuthCallerPath(selfPath);
    authenticationRequest.setForceAuth(signInRespDTO.isForceAuthn());
    if (!authenticationRequest.getForceAuth()
        && authenticationRequest.getRequestQueryParam("forceAuth") != null) {
      String[] forceAuth = authenticationRequest.getRequestQueryParam("forceAuth");
      if (!forceAuth[0].trim().isEmpty() && Boolean.parseBoolean(forceAuth[0].trim())) {
        authenticationRequest.setForceAuth(Boolean.parseBoolean(forceAuth[0].trim()));
      }
    }
    authenticationRequest.setPassiveAuth(signInRespDTO.isPassive());
    authenticationRequest.setTenantDomain(sessionDTO.getTenantDomain());
    authenticationRequest.setPost(isPost);

    // Creating cache entry and adding entry to the cache before calling to commonauth
    AuthenticationRequestCacheEntry authRequest =
        new AuthenticationRequestCacheEntry(authenticationRequest);
    FrameworkUtils.addAuthenticationRequestToCache(
        sessionDataKey,
        authRequest,
        IdPManagementUtil.getIdleSessionTimeOut(sessionDTO.getTenantDomain()));
    StringBuilder queryStringBuilder = new StringBuilder();
    queryStringBuilder
        .append(commonAuthURL)
        .append("?")
        .append(SAMLSSOConstants.SESSION_DATA_KEY)
        .append("=")
        .append(sessionDataKey)
        .append("&")
        .append(FrameworkConstants.RequestParams.TYPE)
        .append("=")
        .append(FrameworkConstants.RequestType.CLAIM_TYPE_SAML_SSO);
    FrameworkUtils.setRequestPathCredentials(req);
    resp.sendRedirect(queryStringBuilder.toString());
  }
コード例 #15
0
  /**
   * All requests are handled by this handleRequest method. In case of SAMLRequest the user will be
   * redirected to commonAuth servlet for authentication. Based on successful authentication of the
   * user a SAMLResponse is sent back to service provider. In case of logout requests, the IDP will
   * send logout requests to the other session participants and then send the logout response back
   * to the initiator.
   *
   * @param req
   * @param resp
   * @throws ServletException
   * @throws IOException
   */
  private void handleRequest(HttpServletRequest req, HttpServletResponse resp, boolean isPost)
      throws ServletException, IOException {
    String sessionId = null;
    Cookie ssoTokenIdCookie = getTokenIdCookie(req);

    if (ssoTokenIdCookie != null) {
      sessionId = ssoTokenIdCookie.getValue();
    }

    String queryString = req.getQueryString();
    if (log.isDebugEnabled()) {
      log.debug("Query string : " + queryString);
    }
    // if an openid authentication or password authentication
    String authMode = CharacterEncoder.getSafeText(req.getParameter("authMode"));
    if (!SAMLSSOConstants.AuthnModes.OPENID.equals(authMode)) {
      authMode = SAMLSSOConstants.AuthnModes.USERNAME_PASSWORD;
    }
    String relayState =
        CharacterEncoder.getSafeText(req.getParameter(SAMLSSOConstants.RELAY_STATE));
    String spEntityID =
        CharacterEncoder.getSafeText(
            req.getParameter(SAMLSSOConstants.QueryParameter.SP_ENTITY_ID.toString()));
    String samlRequest = CharacterEncoder.getSafeText(req.getParameter("SAMLRequest"));
    String sessionDataKey = CharacterEncoder.getSafeText(req.getParameter("sessionDataKey"));
    String slo =
        CharacterEncoder.getSafeText(
            req.getParameter(SAMLSSOConstants.QueryParameter.SLO.toString()));

    boolean isExpFired = false;
    try {

      String tenantDomain = CharacterEncoder.getSafeText(req.getParameter("tenantDomain"));
      SAMLSSOUtil.setTenantDomainInThreadLocal(tenantDomain);

      if (sessionDataKey != null) { // Response from common authentication framework.
        SAMLSSOSessionDTO sessionDTO = getSessionDataFromCache(sessionDataKey);

        if (sessionDTO != null) {
          SAMLSSOUtil.setTenantDomainInThreadLocal(sessionDTO.getTenantDomain());
          if (sessionDTO.isInvalidLogout()) {
            log.warn("Redirecting to default logout page due to an invalid logout request");
            String serverUrl = CarbonUIUtil.getAdminConsoleURL(req);
            resp.sendRedirect(
                serverUrl.replace(
                    SAMLSSOConstants.SAML_ENDPOINT, SAMLSSOConstants.DEFAULT_LOGOUT_LOCATION));
          } else if (sessionDTO.isLogoutReq()) {
            handleLogoutResponseFromFramework(req, resp, sessionDTO);
          } else {
            handleAuthenticationReponseFromFramework(req, resp, sessionId, sessionDTO);
          }

          removeAuthenticationResultFromCache(sessionDataKey);

        } else {
          log.error("Failed to retrieve sessionDTO from the cache for key " + sessionDataKey);
          String errorResp =
              SAMLSSOUtil.buildErrorResponse(
                  SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR,
                  SAMLSSOConstants.Notification.EXCEPTION_STATUS,
                  null);
          sendNotification(
              errorResp,
              SAMLSSOConstants.Notification.EXCEPTION_STATUS,
              SAMLSSOConstants.Notification.EXCEPTION_MESSAGE,
              null,
              req,
              resp);
          return;
        }
      } else if (spEntityID != null || slo != null) { // idp initiated SSO/SLO
        handleIdPInitSSO(
            req, resp, relayState, queryString, authMode, sessionId, isPost, (slo != null));
      } else if (samlRequest != null) { // SAMLRequest received. SP initiated SSO
        handleSPInitSSO(
            req, resp, queryString, relayState, authMode, samlRequest, sessionId, isPost);
      } else {
        log.debug("Invalid request message or single logout message ");

        if (sessionId == null) {
          String errorResp =
              SAMLSSOUtil.buildErrorResponse(
                  SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, "Invalid request message", null);
          sendNotification(
              errorResp,
              SAMLSSOConstants.Notification.INVALID_MESSAGE_STATUS,
              SAMLSSOConstants.Notification.INVALID_MESSAGE_MESSAGE,
              null,
              req,
              resp);
        } else {
          // Non-SAML request are assumed to be logout requests
          sendToFrameworkForLogout(req, resp, null, null, sessionId, true, false);
        }
      }
    } catch (UserStoreException e) {
      if (log.isDebugEnabled()) {
        log.debug("Error occurred while handling SAML2 SSO request", e);
      }
      String errorResp = null;
      try {
        errorResp =
            SAMLSSOUtil.buildErrorResponse(
                SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR,
                "Error occurred while handling SAML2 SSO request",
                null);
      } catch (IdentityException e1) {
        log.error("Error while building SAML response", e1);
      }
      sendNotification(
          errorResp,
          SAMLSSOConstants.Notification.EXCEPTION_STATUS,
          SAMLSSOConstants.Notification.EXCEPTION_MESSAGE,
          null,
          req,
          resp);
    } catch (IdentityException e) {
      log.error("Error when processing the authentication request!", e);
      String errorResp = null;
      try {
        errorResp =
            SAMLSSOUtil.buildErrorResponse(
                SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR,
                "Error when processing the authentication request",
                null);
      } catch (IdentityException e1) {
        log.error("Error while building SAML response", e1);
      }
      sendNotification(
          errorResp,
          SAMLSSOConstants.Notification.EXCEPTION_STATUS,
          SAMLSSOConstants.Notification.EXCEPTION_MESSAGE,
          null,
          req,
          resp);
    }
  }