コード例 #1
0
  /**
   * Validates the authentication request according to IdP Initiated SAML SSO Web Browser
   * Specification
   *
   * @return SAMLSSOSignInResponseDTO
   * @throws org.wso2.carbon.identity.base.IdentityException
   */
  public SAMLSSOReqValidationResponseDTO validate() throws IdentityException {

    SAMLSSOReqValidationResponseDTO validationResponse = new SAMLSSOReqValidationResponseDTO();
    try {

      // spEntityID MUST NOT be null
      if (StringUtils.isNotBlank(spEntityID)) {
        validationResponse.setIssuer(spEntityID);
      } else {
        String errorResp =
            SAMLSSOUtil.buildErrorResponse(
                SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                "spEntityID parameter not found in request",
                null);
        if (log.isDebugEnabled()) {
          log.debug("spEntityID parameter not found in request");
        }
        validationResponse.setResponse(errorResp);
        validationResponse.setValid(false);
        return validationResponse;
      }

      if (!SAMLSSOUtil.isSAMLIssuerExists(
          spEntityID, SAMLSSOUtil.getTenantDomainFromThreadLocal())) {
        String message =
            "A Service Provider with the Issuer '"
                + spEntityID
                + "' is not registered. Service "
                + "Provider should be registered in advance";
        log.error(message);
        String errorResp =
            SAMLSSOUtil.buildErrorResponse(
                SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, null);
        validationResponse.setResponse(errorResp);
        validationResponse.setValid(false);
        return validationResponse;
      }

      // If SP has multiple ACS
      if (StringUtils.isNotBlank(acs)) {
        validationResponse.setAssertionConsumerURL(acs);
      }

      if (StringUtils.isBlank(SAMLSSOUtil.getTenantDomainFromThreadLocal())) {
        SAMLSSOUtil.setTenantDomainInThreadLocal(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);
      }

      validationResponse.setValid(true);

      if (log.isDebugEnabled()) {
        log.debug("IdP Initiated SSO request validation is successful");
      }
      return validationResponse;
    } catch (Exception e) {
      throw IdentityException.error("Error validating the IdP Initiated SSO request", e);
    }
  }
コード例 #2
0
  private void handleLogoutResponseFromFramework(
      HttpServletRequest request, HttpServletResponse response, SAMLSSOSessionDTO sessionDTO)
      throws ServletException, IOException, IdentityException {

    SAMLSSOReqValidationResponseDTO validationResponseDTO = sessionDTO.getValidationRespDTO();

    if (validationResponseDTO != null) {
      // sending LogoutRequests to other session participants
      LogoutRequestSender.getInstance()
          .sendLogoutRequests(validationResponseDTO.getLogoutRespDTO());
      SAMLSSOUtil.removeSession(sessionDTO.getSessionId(), validationResponseDTO.getIssuer());
      removeSessionDataFromCache(
          CharacterEncoder.getSafeText(request.getParameter("sessionDataKey")));

      if (validationResponseDTO.isIdPInitSLO()) {
        // redirecting to the return URL or IS logout page
        response.sendRedirect(validationResponseDTO.getReturnToURL());
      } else {
        // sending LogoutResponse back to the initiator
        sendResponse(
            request,
            response,
            sessionDTO.getRelayState(),
            validationResponseDTO.getLogoutResponse(),
            validationResponseDTO.getAssertionConsumerURL(),
            validationResponseDTO.getSubject(),
            null,
            sessionDTO.getTenantDomain());
      }
    } else {
      try {
        samlSsoService.doSingleLogout(request.getSession().getId());
      } catch (IdentityException e) {
        log.error("Error when processing the logout request!", e);
      }

      String errorResp =
          SAMLSSOUtil.buildErrorResponse(
              SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
              "Invalid request",
              sessionDTO.getAssertionConsumerURL());
      sendNotification(
          errorResp,
          SAMLSSOConstants.Notification.INVALID_MESSAGE_STATUS,
          SAMLSSOConstants.Notification.INVALID_MESSAGE_MESSAGE,
          sessionDTO.getAssertionConsumerURL(),
          request,
          response);
    }
  }
コード例 #3
0
  /**
   * This method handles authentication and sends authentication Response message back to the
   * Service Provider after successful authentication. In case of authentication failure the user is
   * prompted back for authentication.
   *
   * @param req
   * @param resp
   * @param sessionId
   * @throws IdentityException
   * @throws IOException
   * @throws ServletException
   */
  private void handleAuthenticationReponseFromFramework(
      HttpServletRequest req,
      HttpServletResponse resp,
      String sessionId,
      SAMLSSOSessionDTO sessionDTO)
      throws UserStoreException, IdentityException, IOException, ServletException {

    String sessionDataKey = CharacterEncoder.getSafeText(req.getParameter("sessionDataKey"));
    AuthenticationResult authResult = getAuthenticationResultFromCache(sessionDataKey);

    if (log.isDebugEnabled() && authResult == null) {
      log.debug("Session data is not found for key : " + sessionDataKey);
    }
    SAMLSSOReqValidationResponseDTO reqValidationDTO = sessionDTO.getValidationRespDTO();
    SAMLSSOAuthnReqDTO authnReqDTO = new SAMLSSOAuthnReqDTO();

    if (authResult == null || !authResult.isAuthenticated()) {

      if (log.isDebugEnabled() && authResult != null) {
        log.debug("Unauthenticated User");
      }

      if (reqValidationDTO.isPassive()) { // if passive

        List<String> statusCodes = new ArrayList<String>();
        statusCodes.add(SAMLSSOConstants.StatusCodes.NO_PASSIVE);
        statusCodes.add(SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR);
        String destination = reqValidationDTO.getDestination();
        reqValidationDTO.setResponse(
            SAMLSSOUtil.buildErrorResponse(
                reqValidationDTO.getId(),
                statusCodes,
                "Cannot authenticate Subject in Passive Mode",
                destination));

        sendResponse(
            req,
            resp,
            sessionDTO.getRelayState(),
            reqValidationDTO.getResponse(),
            reqValidationDTO.getAssertionConsumerURL(),
            reqValidationDTO.getSubject(),
            null,
            sessionDTO.getTenantDomain());
        return;

      } else { // if forceAuthn or normal flow
        // TODO send a saml response with a status message.
        if (!authResult.isAuthenticated()) {
          String destination = reqValidationDTO.getDestination();
          String errorResp =
              SAMLSSOUtil.buildErrorResponse(
                  SAMLSSOConstants.StatusCodes.AUTHN_FAILURE,
                  "User authentication failed",
                  destination);
          sendNotification(
              errorResp,
              SAMLSSOConstants.Notification.EXCEPTION_STATUS,
              SAMLSSOConstants.Notification.EXCEPTION_MESSAGE,
              reqValidationDTO.getAssertionConsumerURL(),
              req,
              resp);
          return;
        } else {
          throw new IdentityException("Session data is not found for authenticated user");
        }
      }
    } else {
      populateAuthnReqDTO(req, authnReqDTO, sessionDTO, authResult);
      req.setAttribute(SAMLSSOConstants.AUTHENTICATION_RESULT, authResult);
      String relayState = null;

      if (req.getParameter(SAMLSSOConstants.RELAY_STATE) != null) {
        relayState = req.getParameter(SAMLSSOConstants.RELAY_STATE);
      } else {
        relayState = sessionDTO.getRelayState();
      }

      startTenantFlow(authnReqDTO.getTenantDomain());

      if (sessionId == null) {
        sessionId = UUIDGenerator.generateUUID();
      }

      SAMLSSOService samlSSOService = new SAMLSSOService();
      SAMLSSORespDTO authRespDTO =
          samlSSOService.authenticate(
              authnReqDTO,
              sessionId,
              authResult.isAuthenticated(),
              authResult.getAuthenticatedAuthenticators(),
              SAMLSSOConstants.AuthnModes.USERNAME_PASSWORD);

      if (authRespDTO.isSessionEstablished()) { // authenticated

        storeTokenIdCookie(sessionId, req, resp, authnReqDTO.getTenantDomain());
        removeSessionDataFromCache(
            CharacterEncoder.getSafeText(req.getParameter("sessionDataKey")));

        sendResponse(
            req,
            resp,
            relayState,
            authRespDTO.getRespString(),
            authRespDTO.getAssertionConsumerURL(),
            authRespDTO.getSubject().getAuthenticatedSubjectIdentifier(),
            authResult.getAuthenticatedIdPs(),
            sessionDTO.getTenantDomain());
      } else { // authentication FAILURE
        String errorResp = authRespDTO.getRespString();
        sendNotification(
            errorResp,
            SAMLSSOConstants.Notification.EXCEPTION_STATUS,
            SAMLSSOConstants.Notification.EXCEPTION_MESSAGE,
            authRespDTO.getAssertionConsumerURL(),
            req,
            resp);
      }
    }
  }
コード例 #4
0
  /**
   * All requests are handled by this handleRequest method. In case of SAMLRequest the user will be
   * redirected to commonAuth servlet for authentication. Based on successful authentication of the
   * user a SAMLResponse is sent back to service provider. In case of logout requests, the IDP will
   * send logout requests to the other session participants and then send the logout response back
   * to the initiator.
   *
   * @param req
   * @param resp
   * @throws ServletException
   * @throws IOException
   */
  private void handleRequest(HttpServletRequest req, HttpServletResponse resp, boolean isPost)
      throws ServletException, IOException {
    String sessionId = null;
    Cookie ssoTokenIdCookie = getTokenIdCookie(req);

    if (ssoTokenIdCookie != null) {
      sessionId = ssoTokenIdCookie.getValue();
    }

    String queryString = req.getQueryString();
    if (log.isDebugEnabled()) {
      log.debug("Query string : " + queryString);
    }
    // if an openid authentication or password authentication
    String authMode = CharacterEncoder.getSafeText(req.getParameter("authMode"));
    if (!SAMLSSOConstants.AuthnModes.OPENID.equals(authMode)) {
      authMode = SAMLSSOConstants.AuthnModes.USERNAME_PASSWORD;
    }
    String relayState =
        CharacterEncoder.getSafeText(req.getParameter(SAMLSSOConstants.RELAY_STATE));
    String spEntityID =
        CharacterEncoder.getSafeText(
            req.getParameter(SAMLSSOConstants.QueryParameter.SP_ENTITY_ID.toString()));
    String samlRequest = CharacterEncoder.getSafeText(req.getParameter("SAMLRequest"));
    String sessionDataKey = CharacterEncoder.getSafeText(req.getParameter("sessionDataKey"));
    String slo =
        CharacterEncoder.getSafeText(
            req.getParameter(SAMLSSOConstants.QueryParameter.SLO.toString()));

    boolean isExpFired = false;
    try {

      String tenantDomain = CharacterEncoder.getSafeText(req.getParameter("tenantDomain"));
      SAMLSSOUtil.setTenantDomainInThreadLocal(tenantDomain);

      if (sessionDataKey != null) { // Response from common authentication framework.
        SAMLSSOSessionDTO sessionDTO = getSessionDataFromCache(sessionDataKey);

        if (sessionDTO != null) {
          SAMLSSOUtil.setTenantDomainInThreadLocal(sessionDTO.getTenantDomain());
          if (sessionDTO.isInvalidLogout()) {
            log.warn("Redirecting to default logout page due to an invalid logout request");
            String serverUrl = CarbonUIUtil.getAdminConsoleURL(req);
            resp.sendRedirect(
                serverUrl.replace(
                    SAMLSSOConstants.SAML_ENDPOINT, SAMLSSOConstants.DEFAULT_LOGOUT_LOCATION));
          } else if (sessionDTO.isLogoutReq()) {
            handleLogoutResponseFromFramework(req, resp, sessionDTO);
          } else {
            handleAuthenticationReponseFromFramework(req, resp, sessionId, sessionDTO);
          }

          removeAuthenticationResultFromCache(sessionDataKey);

        } else {
          log.error("Failed to retrieve sessionDTO from the cache for key " + sessionDataKey);
          String errorResp =
              SAMLSSOUtil.buildErrorResponse(
                  SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR,
                  SAMLSSOConstants.Notification.EXCEPTION_STATUS,
                  null);
          sendNotification(
              errorResp,
              SAMLSSOConstants.Notification.EXCEPTION_STATUS,
              SAMLSSOConstants.Notification.EXCEPTION_MESSAGE,
              null,
              req,
              resp);
          return;
        }
      } else if (spEntityID != null || slo != null) { // idp initiated SSO/SLO
        handleIdPInitSSO(
            req, resp, relayState, queryString, authMode, sessionId, isPost, (slo != null));
      } else if (samlRequest != null) { // SAMLRequest received. SP initiated SSO
        handleSPInitSSO(
            req, resp, queryString, relayState, authMode, samlRequest, sessionId, isPost);
      } else {
        log.debug("Invalid request message or single logout message ");

        if (sessionId == null) {
          String errorResp =
              SAMLSSOUtil.buildErrorResponse(
                  SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, "Invalid request message", null);
          sendNotification(
              errorResp,
              SAMLSSOConstants.Notification.INVALID_MESSAGE_STATUS,
              SAMLSSOConstants.Notification.INVALID_MESSAGE_MESSAGE,
              null,
              req,
              resp);
        } else {
          // Non-SAML request are assumed to be logout requests
          sendToFrameworkForLogout(req, resp, null, null, sessionId, true, false);
        }
      }
    } catch (UserStoreException e) {
      if (log.isDebugEnabled()) {
        log.debug("Error occurred while handling SAML2 SSO request", e);
      }
      String errorResp = null;
      try {
        errorResp =
            SAMLSSOUtil.buildErrorResponse(
                SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR,
                "Error occurred while handling SAML2 SSO request",
                null);
      } catch (IdentityException e1) {
        log.error("Error while building SAML response", e1);
      }
      sendNotification(
          errorResp,
          SAMLSSOConstants.Notification.EXCEPTION_STATUS,
          SAMLSSOConstants.Notification.EXCEPTION_MESSAGE,
          null,
          req,
          resp);
    } catch (IdentityException e) {
      log.error("Error when processing the authentication request!", e);
      String errorResp = null;
      try {
        errorResp =
            SAMLSSOUtil.buildErrorResponse(
                SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR,
                "Error when processing the authentication request",
                null);
      } catch (IdentityException e1) {
        log.error("Error while building SAML response", e1);
      }
      sendNotification(
          errorResp,
          SAMLSSOConstants.Notification.EXCEPTION_STATUS,
          SAMLSSOConstants.Notification.EXCEPTION_MESSAGE,
          null,
          req,
          resp);
    }
  }