/**
 * Handles an SP-initiated SAML message.
 *
 * <p>The message is first validated by {@code SAMLSSOService#validateSPInitSSORequest}. A
 * valid {@code <AuthnRequest>} is handed to the authentication framework, which either reuses an
 * existing session and sends the user straight back to the Service Provider or takes the user to
 * the login page. A valid {@code <LogoutRequest>} is handed to the framework for single logout;
 * the IdP then sends logout requests to the other session participants before answering the
 * initiator. An invalid message is answered with an error notification, except that an invalid
 * logout request flagged with {@code isLogoutFromAuthFramework} still triggers a framework-driven
 * logout of the local session.
 *
 * @param req         incoming servlet request; the {@code SSO_AUTH_SESSION_ID} parameter is read
 *                    from it
 * @param resp        servlet response used for the redirect or the error notification
 * @param queryString raw query string of the request, passed through to validation
 * @param relayState  RelayState value to be echoed back to the SP
 * @param authMode    authentication mode forwarded to validation
 * @param samlRequest encoded {@code SAMLRequest} parameter
 * @param sessionId   IdP-side session identifier, may be absent
 * @param isPost      whether the message arrived over the HTTP-POST binding
 * @throws UserStoreException propagated from the underlying user store
 * @throws IdentityException  propagated from request validation
 * @throws IOException        if writing the response fails
 * @throws ServletException   propagated from the framework hand-off
 */
private void handleSPInitSSO(
        HttpServletRequest req,
        HttpServletResponse resp,
        String queryString,
        String relayState,
        String authMode,
        String samlRequest,
        String sessionId,
        boolean isPost)
        throws UserStoreException, IdentityException, IOException, ServletException {
    String rpSessionId =
            CharacterEncoder.getSafeText(
                    req.getParameter(MultitenantConstants.SSO_AUTH_SESSION_ID));
    SAMLSSOService ssoService = new SAMLSSOService();
    SAMLSSOReqValidationResponseDTO validation =
            ssoService.validateSPInitSSORequest(
                    samlRequest, queryString, sessionId, rpSessionId, authMode, isPost);

    if (validation.isLogOutReq()) {
        // <LogoutRequest> branch.
        if (validation.isValid()) {
            sendToFrameworkForLogout(req, resp, validation, relayState, sessionId, false, isPost);
            return;
        }
        if (log.isDebugEnabled()) {
            // The encoded request is logged as received; keep this at debug level only.
            log.debug("Invalid SAML SSO Logout Request : " + samlRequest);
        }
        if (validation.isLogoutFromAuthFramework()) {
            // No DTO or RelayState is available here: the framework only ends the local
            // session (the "true" flag), it does not build a response for the SP.
            sendToFrameworkForLogout(req, resp, null, null, sessionId, true, isPost);
            return;
        }
        // TODO send invalid response to SP
        String logoutError = validation.getResponse();
        // NOTE(review): the destination below comes from the validation DTO of a request that
        // failed validation; confirm it is resolved from the registered SP configuration and
        // not taken verbatim from the unvalidated message.
        String logoutAcsUrl = validation.getAssertionConsumerURL();
        sendNotification(
                logoutError,
                SAMLSSOConstants.Notification.EXCEPTION_STATUS,
                SAMLSSOConstants.Notification.EXCEPTION_MESSAGE,
                logoutAcsUrl,
                req,
                resp);
        return;
    }

    // <AuthnRequest> branch.
    if (validation.isValid()) {
        sendToFrameworkForAuthentication(req, resp, validation, relayState, isPost);
        return;
    }
    // TODO send invalid response to SP
    if (log.isDebugEnabled()) {
        // The encoded request is logged as received; keep this at debug level only.
        log.debug("Invalid SAML SSO Request : " + samlRequest);
    }
    String authnError = validation.getResponse();
    // NOTE(review): same caveat as above — confirm the ACS URL of an invalid request is the
    // registered one rather than the value supplied in the message.
    String authnAcsUrl = validation.getAssertionConsumerURL();
    sendNotification(
            authnError,
            SAMLSSOConstants.Notification.EXCEPTION_STATUS,
            SAMLSSOConstants.Notification.EXCEPTION_MESSAGE,
            authnAcsUrl,
            req,
            resp);
}
/**
 * Handles an IdP-initiated SSO or single-logout request.
 *
 * <p>Validation is delegated to {@code SAMLSSOService#validateIdPInitSSORequest}, which receives
 * the parsed query parameters and the admin console URL in addition to the session identifiers.
 * A valid login request is handed to the authentication framework (always as a non-POST
 * hand-off, regardless of {@code isPost}); a valid logout request is handed to the framework
 * for single logout. Invalid requests are answered with an error notification, except that an
 * invalid logout flagged with {@code isLogoutFromAuthFramework} still ends the local session
 * through the framework.
 *
 * @param req         incoming servlet request; {@code SSO_AUTH_SESSION_ID} and the query
 *                    parameters are read from it
 * @param resp        servlet response used for the redirect or the error notification
 * @param relayState  RelayState value to be echoed back to the SP
 * @param queryString raw query string of the request, passed through to validation
 * @param authMode    authentication mode forwarded to validation
 * @param sessionId   IdP-side session identifier, may be absent
 * @param isPost      whether the request arrived over the HTTP-POST binding; only the logout
 *                    hand-off honours it
 * @param isLogout    {@code true} when the request is an IdP-initiated single logout
 * @throws UserStoreException propagated from the underlying user store
 * @throws IdentityException  propagated from request validation
 * @throws IOException        if writing the response fails
 * @throws ServletException   propagated from the framework hand-off
 */
private void handleIdPInitSSO(
        HttpServletRequest req,
        HttpServletResponse resp,
        String relayState,
        String queryString,
        String authMode,
        String sessionId,
        boolean isPost,
        boolean isLogout)
        throws UserStoreException, IdentityException, IOException, ServletException {
    String rpSessionId =
            CharacterEncoder.getSafeText(
                    req.getParameter(MultitenantConstants.SSO_AUTH_SESSION_ID));
    SAMLSSOService ssoService = new SAMLSSOService();
    SAMLSSOReqValidationResponseDTO validation =
            ssoService.validateIdPInitSSORequest(
                    relayState,
                    queryString,
                    getQueryParams(req),
                    CarbonUIUtil.getAdminConsoleURL(req),
                    sessionId,
                    rpSessionId,
                    authMode,
                    isLogout);

    boolean isLogoutRequest = validation.isLogOutReq();
    boolean isValidRequest = validation.isValid();

    if (!isLogoutRequest && isValidRequest) {
        // IdP-initiated login: the framework hand-off is always non-POST here.
        sendToFrameworkForAuthentication(req, resp, validation, relayState, false);
        return;
    }

    if (isLogoutRequest && isValidRequest) {
        sendToFrameworkForLogout(req, resp, validation, relayState, sessionId, false, isPost);
        return;
    }

    if (!isLogoutRequest) {
        // Invalid login request.
        if (log.isDebugEnabled()) {
            log.debug("Invalid IdP initiated SAML SSO Request");
        }
        String loginError = validation.getResponse();
        // NOTE(review): the notification target comes from the DTO of a request that failed
        // validation; confirm it is the SP's registered ACS URL rather than a request-supplied one.
        String loginAcsUrl = validation.getAssertionConsumerURL();
        sendNotification(
                loginError,
                SAMLSSOConstants.Notification.EXCEPTION_STATUS,
                SAMLSSOConstants.Notification.EXCEPTION_MESSAGE,
                loginAcsUrl,
                req,
                resp);
        return;
    }

    // Invalid logout request.
    if (log.isDebugEnabled()) {
        log.debug("Invalid IdP initiated SAML Single Logout Request");
    }
    if (validation.isLogoutFromAuthFramework()) {
        // No DTO or RelayState: the framework only terminates the local session.
        sendToFrameworkForLogout(req, resp, null, null, sessionId, true, isPost);
        return;
    }
    String logoutError = validation.getResponse();
    // NOTE(review): same caveat as for the login path regarding where this URL originates.
    String logoutAcsUrl = validation.getAssertionConsumerURL();
    // Note this path reports INVALID_MESSAGE_STATUS, unlike the login path above.
    sendNotification(
            logoutError,
            SAMLSSOConstants.Notification.INVALID_MESSAGE_STATUS,
            SAMLSSOConstants.Notification.EXCEPTION_MESSAGE,
            logoutAcsUrl,
            req,
            resp);
}