private void handleLogoutResponseFromFramework( HttpServletRequest request, HttpServletResponse response, SAMLSSOSessionDTO sessionDTO) throws ServletException, IOException, IdentityException { SAMLSSOReqValidationResponseDTO validationResponseDTO = sessionDTO.getValidationRespDTO(); if (validationResponseDTO != null) { // sending LogoutRequests to other session participants LogoutRequestSender.getInstance() .sendLogoutRequests(validationResponseDTO.getLogoutRespDTO()); SAMLSSOUtil.removeSession(sessionDTO.getSessionId(), validationResponseDTO.getIssuer()); removeSessionDataFromCache( CharacterEncoder.getSafeText(request.getParameter("sessionDataKey"))); if (validationResponseDTO.isIdPInitSLO()) { // redirecting to the return URL or IS logout page response.sendRedirect(validationResponseDTO.getReturnToURL()); } else { // sending LogoutResponse back to the initiator sendResponse( request, response, sessionDTO.getRelayState(), validationResponseDTO.getLogoutResponse(), validationResponseDTO.getAssertionConsumerURL(), validationResponseDTO.getSubject(), null, sessionDTO.getTenantDomain()); } } else { try { samlSsoService.doSingleLogout(request.getSession().getId()); } catch (IdentityException e) { log.error("Error when processing the logout request!", e); } String errorResp = SAMLSSOUtil.buildErrorResponse( SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, "Invalid request", sessionDTO.getAssertionConsumerURL()); sendNotification( errorResp, SAMLSSOConstants.Notification.INVALID_MESSAGE_STATUS, SAMLSSOConstants.Notification.INVALID_MESSAGE_MESSAGE, sessionDTO.getAssertionConsumerURL(), request, response); } }
private void sendToFrameworkForLogout( HttpServletRequest request, HttpServletResponse response, SAMLSSOReqValidationResponseDTO signInRespDTO, String relayState, String sessionId, boolean invalid, boolean isPost) throws ServletException, IOException { SAMLSSOSessionDTO sessionDTO = new SAMLSSOSessionDTO(); sessionDTO.setHttpQueryString(request.getQueryString()); sessionDTO.setRelayState(relayState); sessionDTO.setSessionId(sessionId); sessionDTO.setLogoutReq(true); sessionDTO.setInvalidLogout(invalid); if (signInRespDTO != null) { sessionDTO.setDestination(signInRespDTO.getDestination()); sessionDTO.setRequestMessageString(signInRespDTO.getRequestMessageString()); sessionDTO.setIssuer(signInRespDTO.getIssuer()); sessionDTO.setRequestID(signInRespDTO.getId()); sessionDTO.setSubject(signInRespDTO.getSubject()); sessionDTO.setRelyingPartySessionId(signInRespDTO.getRpSessionId()); sessionDTO.setAssertionConsumerURL(signInRespDTO.getAssertionConsumerURL()); sessionDTO.setValidationRespDTO(signInRespDTO); } String sessionDataKey = UUIDGenerator.generateUUID(); addSessionDataToCache( sessionDataKey, sessionDTO, IdPManagementUtil.getIdleSessionTimeOut( CarbonContext.getThreadLocalCarbonContext().getTenantDomain())); String commonAuthURL = CarbonUIUtil.getAdminConsoleURL(request); commonAuthURL = commonAuthURL.replace("samlsso/carbon/", "commonauth"); String selfPath = URLEncoder.encode("/samlsso", "UTF-8"); // Add all parameters to authentication context before sending to authentication // framework AuthenticationRequest authenticationRequest = new AuthenticationRequest(); authenticationRequest.addRequestQueryParam( FrameworkConstants.RequestParams.LOGOUT, new String[] {"true"}); authenticationRequest.setRequestQueryParams(request.getParameterMap()); authenticationRequest.setCommonAuthCallerPath(selfPath); authenticationRequest.setPost(isPost); if (signInRespDTO != null) { authenticationRequest.setRelyingParty(signInRespDTO.getIssuer()); } authenticationRequest.appendRequestQueryParams(request.getParameterMap()); // Add headers to AuthenticationRequestContext for (Enumeration e = request.getHeaderNames(); e.hasMoreElements(); ) { String headerName = e.nextElement().toString(); authenticationRequest.addHeader(headerName, request.getHeader(headerName)); } AuthenticationRequestCacheEntry authRequest = new AuthenticationRequestCacheEntry(authenticationRequest); FrameworkUtils.addAuthenticationRequestToCache( sessionDataKey, authRequest, IdPManagementUtil.getIdleSessionTimeOut( CarbonContext.getThreadLocalCarbonContext().getTenantDomain())); String queryParams = "?" + SAMLSSOConstants.SESSION_DATA_KEY + "=" + sessionDataKey + "&" + "type" + "=" + "samlsso"; response.sendRedirect(commonAuthURL + queryParams); }
/** * This method handles authentication and sends authentication Response message back to the * Service Provider after successful authentication. In case of authentication failure the user is * prompted back for authentication. * * @param req * @param resp * @param sessionId * @throws IdentityException * @throws IOException * @throws ServletException */ private void handleAuthenticationReponseFromFramework( HttpServletRequest req, HttpServletResponse resp, String sessionId, SAMLSSOSessionDTO sessionDTO) throws UserStoreException, IdentityException, IOException, ServletException { String sessionDataKey = CharacterEncoder.getSafeText(req.getParameter("sessionDataKey")); AuthenticationResult authResult = getAuthenticationResultFromCache(sessionDataKey); if (log.isDebugEnabled() && authResult == null) { log.debug("Session data is not found for key : " + sessionDataKey); } SAMLSSOReqValidationResponseDTO reqValidationDTO = sessionDTO.getValidationRespDTO(); SAMLSSOAuthnReqDTO authnReqDTO = new SAMLSSOAuthnReqDTO(); if (authResult == null || !authResult.isAuthenticated()) { if (log.isDebugEnabled() && authResult != null) { log.debug("Unauthenticated User"); } if (reqValidationDTO.isPassive()) { // if passive List<String> statusCodes = new ArrayList<String>(); statusCodes.add(SAMLSSOConstants.StatusCodes.NO_PASSIVE); statusCodes.add(SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR); String destination = reqValidationDTO.getDestination(); reqValidationDTO.setResponse( SAMLSSOUtil.buildErrorResponse( reqValidationDTO.getId(), statusCodes, "Cannot authenticate Subject in Passive Mode", destination)); sendResponse( req, resp, sessionDTO.getRelayState(), reqValidationDTO.getResponse(), reqValidationDTO.getAssertionConsumerURL(), reqValidationDTO.getSubject(), null, sessionDTO.getTenantDomain()); return; } else { // if forceAuthn or normal flow // TODO send a saml response with a status message. if (!authResult.isAuthenticated()) { String destination = reqValidationDTO.getDestination(); String errorResp = SAMLSSOUtil.buildErrorResponse( SAMLSSOConstants.StatusCodes.AUTHN_FAILURE, "User authentication failed", destination); sendNotification( errorResp, SAMLSSOConstants.Notification.EXCEPTION_STATUS, SAMLSSOConstants.Notification.EXCEPTION_MESSAGE, reqValidationDTO.getAssertionConsumerURL(), req, resp); return; } else { throw new IdentityException("Session data is not found for authenticated user"); } } } else { populateAuthnReqDTO(req, authnReqDTO, sessionDTO, authResult); req.setAttribute(SAMLSSOConstants.AUTHENTICATION_RESULT, authResult); String relayState = null; if (req.getParameter(SAMLSSOConstants.RELAY_STATE) != null) { relayState = req.getParameter(SAMLSSOConstants.RELAY_STATE); } else { relayState = sessionDTO.getRelayState(); } startTenantFlow(authnReqDTO.getTenantDomain()); if (sessionId == null) { sessionId = UUIDGenerator.generateUUID(); } SAMLSSOService samlSSOService = new SAMLSSOService(); SAMLSSORespDTO authRespDTO = samlSSOService.authenticate( authnReqDTO, sessionId, authResult.isAuthenticated(), authResult.getAuthenticatedAuthenticators(), SAMLSSOConstants.AuthnModes.USERNAME_PASSWORD); if (authRespDTO.isSessionEstablished()) { // authenticated storeTokenIdCookie(sessionId, req, resp, authnReqDTO.getTenantDomain()); removeSessionDataFromCache( CharacterEncoder.getSafeText(req.getParameter("sessionDataKey"))); sendResponse( req, resp, relayState, authRespDTO.getRespString(), authRespDTO.getAssertionConsumerURL(), authRespDTO.getSubject().getAuthenticatedSubjectIdentifier(), authResult.getAuthenticatedIdPs(), sessionDTO.getTenantDomain()); } else { // authentication FAILURE String errorResp = authRespDTO.getRespString(); sendNotification( errorResp, SAMLSSOConstants.Notification.EXCEPTION_STATUS, SAMLSSOConstants.Notification.EXCEPTION_MESSAGE, authRespDTO.getAssertionConsumerURL(), req, resp); } } }
/** * Sends the user for authentication to the login page * * @param req * @param resp * @param signInRespDTO * @param relayState * @throws ServletException * @throws IOException */ private void sendToFrameworkForAuthentication( HttpServletRequest req, HttpServletResponse resp, SAMLSSOReqValidationResponseDTO signInRespDTO, String relayState, boolean isPost) throws ServletException, IOException, UserStoreException, IdentityException { SAMLSSOSessionDTO sessionDTO = new SAMLSSOSessionDTO(); sessionDTO.setHttpQueryString(req.getQueryString()); sessionDTO.setDestination(signInRespDTO.getDestination()); sessionDTO.setRelayState(relayState); sessionDTO.setRequestMessageString(signInRespDTO.getRequestMessageString()); sessionDTO.setIssuer(signInRespDTO.getIssuer()); sessionDTO.setRequestID(signInRespDTO.getId()); sessionDTO.setSubject(signInRespDTO.getSubject()); sessionDTO.setRelyingPartySessionId(signInRespDTO.getRpSessionId()); sessionDTO.setAssertionConsumerURL(signInRespDTO.getAssertionConsumerURL()); sessionDTO.setTenantDomain(SAMLSSOUtil.getTenantDomainFromThreadLocal()); if (sessionDTO.getTenantDomain() == null) { String[] splitIssuer = sessionDTO.getIssuer().split("@"); if (splitIssuer != null && splitIssuer.length == 2 && !splitIssuer[0].trim().isEmpty() && !splitIssuer[1].trim().isEmpty()) { sessionDTO.setTenantDomain(splitIssuer[1]); } else { sessionDTO.setTenantDomain(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME); } } SAMLSSOUtil.setTenantDomainInThreadLocal(sessionDTO.getTenantDomain()); sessionDTO.setForceAuth(signInRespDTO.isForceAuthn()); sessionDTO.setPassiveAuth(signInRespDTO.isPassive()); sessionDTO.setValidationRespDTO(signInRespDTO); sessionDTO.setIdPInitSSO(signInRespDTO.isIdPInitSSO()); String sessionDataKey = UUIDGenerator.generateUUID(); addSessionDataToCache( sessionDataKey, sessionDTO, IdPManagementUtil.getIdleSessionTimeOut(sessionDTO.getTenantDomain())); String commonAuthURL = CarbonUIUtil.getAdminConsoleURL(req); commonAuthURL = commonAuthURL.replace( FrameworkConstants.RequestType.CLAIM_TYPE_SAML_SSO + "/" + FrameworkConstants.CARBON + "/", FrameworkConstants.COMMONAUTH); String selfPath = URLEncoder.encode("/" + FrameworkConstants.RequestType.CLAIM_TYPE_SAML_SSO, "UTF-8"); // Setting authentication request context AuthenticationRequest authenticationRequest = new AuthenticationRequest(); // Adding query parameters authenticationRequest.appendRequestQueryParams(req.getParameterMap()); for (Enumeration headerNames = req.getHeaderNames(); headerNames.hasMoreElements(); ) { String headerName = headerNames.nextElement().toString(); authenticationRequest.addHeader(headerName, req.getHeader(headerName)); } authenticationRequest.setRelyingParty(signInRespDTO.getIssuer()); authenticationRequest.setCommonAuthCallerPath(selfPath); authenticationRequest.setForceAuth(signInRespDTO.isForceAuthn()); if (!authenticationRequest.getForceAuth() && authenticationRequest.getRequestQueryParam("forceAuth") != null) { String[] forceAuth = authenticationRequest.getRequestQueryParam("forceAuth"); if (!forceAuth[0].trim().isEmpty() && Boolean.parseBoolean(forceAuth[0].trim())) { authenticationRequest.setForceAuth(Boolean.parseBoolean(forceAuth[0].trim())); } } authenticationRequest.setPassiveAuth(signInRespDTO.isPassive()); authenticationRequest.setTenantDomain(sessionDTO.getTenantDomain()); authenticationRequest.setPost(isPost); // Creating cache entry and adding entry to the cache before calling to commonauth AuthenticationRequestCacheEntry authRequest = new AuthenticationRequestCacheEntry(authenticationRequest); FrameworkUtils.addAuthenticationRequestToCache( sessionDataKey, authRequest, IdPManagementUtil.getIdleSessionTimeOut(sessionDTO.getTenantDomain())); StringBuilder queryStringBuilder = new StringBuilder(); queryStringBuilder .append(commonAuthURL) .append("?") .append(SAMLSSOConstants.SESSION_DATA_KEY) .append("=") .append(sessionDataKey) .append("&") .append(FrameworkConstants.RequestParams.TYPE) .append("=") .append(FrameworkConstants.RequestType.CLAIM_TYPE_SAML_SSO); FrameworkUtils.setRequestPathCredentials(req); resp.sendRedirect(queryStringBuilder.toString()); }