/** * Establish the SAML2IDP using the PROXY_URLPATH_CONTEXT from the session<br> * Also puts the SAML2IDP's EntityId in the Session as PROXY_SHADOWED_ENTITYID<br> * <br> * When no SAML2IDP match could be made, there will be no PROXY_SHADOWED_ENTITYID attribute * written in the session, and null is returned. * * @param oAttributes Session Attributes * @param oURLPathContext non-null initialized URLPathContext instance to process * @return SAML2IDP organization as established, or null when no match could be made */ protected SAML2IDP processURLPathContext( ISessionAttributes oAttributes, URLPathContext oURLPathContext) throws OAException { // Did we try to find a match before? if (oAttributes.contains( com.alfaariss.oa.util.session.ProxyAttributes.class, com.alfaariss.oa.util.session.ProxyAttributes.PROXY_SHADOWED_IDPID)) { String sShadowedEntityId = (String) oAttributes.get( com.alfaariss.oa.util.session.ProxyAttributes.class, com.alfaariss.oa.util.session.ProxyAttributes.PROXY_SHADOWED_IDPID); // Re-use this intelligence, and return the SAML2IDP instance IIDP oIDP = _organizationStorage.getIDP(sShadowedEntityId); if (oIDP instanceof SAML2IDP) { _logger.info("Found IDP '" + sShadowedEntityId + "' from previous URLPath Context match"); return (SAML2IDP) oIDP; } else { _logger.warn( "Non-SAML2IDP found in IDP Storage - inform developers of this condition! (1)"); return null; } } String sIValue = oURLPathContext.getParams().get("i"); if (sIValue == null) { _logger.info("No 'i' value found in URLPath Context path ('" + oURLPathContext + "')"); return null; } List<IIDP> lAllIDPs = _organizationStorage.getAll(); for (IIDP oIDP : lAllIDPs) { String sIDPEntityIdHash = DigestUtils.shaHex(oIDP.getID()); if (sIDPEntityIdHash.equalsIgnoreCase(sIValue)) { _logger.info("Found IDP '" + oIDP.getID() + "' in matching URLPath Context"); if (oIDP instanceof SAML2IDP) { // Store the IDP that was found on the map oAttributes.put( com.alfaariss.oa.util.session.ProxyAttributes.class, com.alfaariss.oa.util.session.ProxyAttributes.PROXY_SHADOWED_IDPID, oIDP.getID()); // Return result return (SAML2IDP) oIDP; } else { _logger.warn( "Non-SAML2IDP found in IDP Storage - inform developers of this condition! (2)"); return null; } } } _logger.info("No IDP found for provided i"); return null; }
/** * Requestor selection based on RemoteASelectMethod.authenticate. * * <p>When implementing Synchronous (querying) authentication, this method should be adapted. - * Warnings * * @see * com.alfaariss.oa.sso.authentication.web.IWebAuthenticationMethod#authenticate(javax.servlet.http.HttpServletRequest, * javax.servlet.http.HttpServletResponse, com.alfaariss.oa.api.session.ISession) */ @SuppressWarnings("unchecked") public UserEvent authenticate( HttpServletRequest request, HttpServletResponse response, ISession session) throws OAException { try { ISessionAttributes oAttributes = session.getAttributes(); // check proxy att: Integer intCnt = (Integer) oAttributes.get(ProxyAttributes.class, ProxyAttributes.PROXYCOUNT); if (intCnt != null && intCnt <= 0) { _logger.debug("No more authentication proxying allowed: " + intCnt); _eventLogger.info( new UserEventLogItem( session, request.getRemoteAddr(), UserEvent.AUTHN_METHOD_FAILED, this, "ProxyCount <= 0")); return UserEvent.AUTHN_METHOD_FAILED; } SAML2IDP organization = null; List<Warnings> warnings = null; // Figure out whether there exists a pre-selected organization in the URLPath context URLPathContext oURLPathContext = (URLPathContext) oAttributes.get( com.alfaariss.oa.util.session.ProxyAttributes.class, com.alfaariss.oa.util.session.ProxyAttributes.PROXY_URLPATH_CONTEXT); if (oURLPathContext != null) { organization = processURLPathContext(oAttributes, oURLPathContext); } if (organization != null) { _logger.info("Established organization from URLPathContext: " + organization.getID()); // Add to Session context if it is not there yet if (!oAttributes.contains( SAML2AuthenticationMethod.class, _sMethodId + "." + SELECTED_ORGANIZATION)) { oAttributes.put( SAML2AuthenticationMethod.class, _sMethodId, SELECTED_ORGANIZATION, organization); } } else { if (oAttributes.contains( SAML2AuthenticationMethod.class, _sMethodId + "." + SELECTED_ORGANIZATION)) { organization = (SAML2IDP) oAttributes.get( SAML2AuthenticationMethod.class, _sMethodId + "." + SELECTED_ORGANIZATION); } else { List<SAML2IDP> listSelectableOrganizations = null; if (oAttributes.contains( SAML2AuthenticationMethod.class, _sMethodId + "." + LIST_AVAILABLE_ORGANIZATIONS)) { // The selected organization was not available, select again: listSelectableOrganizations = (List<SAML2IDP>) oAttributes.get( SAML2AuthenticationMethod.class, _sMethodId + "." + LIST_AVAILABLE_ORGANIZATIONS); warnings = new Vector<Warnings>(); warnings.add(Warnings.WARNING_ORGANIZATION_UNAVAILABLE); } else { IUser oUser = session.getUser(); if (oUser != null) { // verify if user that was identified in previous authn method may use this SAML2 // authn method if (!oUser.isAuthenticationRegistered(_sMethodId)) { _eventLogger.info( new UserEventLogItem( session, request.getRemoteAddr(), UserEvent.AUTHN_METHOD_NOT_REGISTERED, this, null)); return UserEvent.AUTHN_METHOD_NOT_REGISTERED; } } listSelectableOrganizations = new Vector<SAML2IDP>(); Vector fallbackList = new Vector<String>(); Collection<String> cForcedOrganizations = getForcedIDPs(session); if (cForcedOrganizations != null && !cForcedOrganizations.isEmpty()) oAttributes.put( SAML2AuthNConstants.class, SAML2AuthNConstants.FORCED_ORGANIZATIONS, cForcedOrganizations); List<SAML2IDP> listIDPs = _organizationStorage.getAll(); for (SAML2IDP saml2IDP : listIDPs) { fallbackList.add(saml2IDP); if (cForcedOrganizations == null || cForcedOrganizations.contains(saml2IDP.getID())) { // if no forced organizations are defined or organization is in the forced // organization list: Add to select organization list. listSelectableOrganizations.add(saml2IDP); } } if (listSelectableOrganizations.isEmpty()) { // DD if no forced orgs are known locally, add all and let user decide. // Make sure proxy orgs are send with AuthN request listSelectableOrganizations = fallbackList; } } if (listSelectableOrganizations.size() == 0) { _logger.debug("No organizations available to choose from"); _eventLogger.info( new UserEventLogItem( session, request.getRemoteAddr(), UserEvent.AUTHN_METHOD_NOT_SUPPORTED, this, null)); return UserEvent.AUTHN_METHOD_NOT_SUPPORTED; } if (_oSelector == null) { organization = listSelectableOrganizations.get(0); _logger.debug("No selector configured, using: " + organization.getID()); } else { try { // Select requestor organization = _oSelector.resolve( request, response, session, listSelectableOrganizations, _sFriendlyName, warnings); } catch (OAException e) { _eventLogger.info( new UserEventLogItem( session, request.getRemoteAddr(), UserEvent.INTERNAL_ERROR, this, "selecting organization")); throw e; } } if (organization == null) { // Page is shown _eventLogger.info( new UserEventLogItem( session, request.getRemoteAddr(), UserEvent.AUTHN_METHOD_IN_PROGRESS, this, null)); return UserEvent.AUTHN_METHOD_IN_PROGRESS; } oAttributes.put( SAML2AuthenticationMethod.class, _sMethodId, SELECTED_ORGANIZATION, organization); listSelectableOrganizations.remove(organization); oAttributes.put( SAML2AuthenticationMethod.class, _sMethodId, LIST_AVAILABLE_ORGANIZATIONS, listSelectableOrganizations); } } UserEvent event = null; if (_profileWebBrowserSSO != null) { event = _profileWebBrowserSSO.process( request, response, session, organization, _htAttributeMapper); _eventLogger.info( new UserEventLogItem(session, request.getRemoteAddr(), event, this, null)); } else { _eventLogger.info( new UserEventLogItem( session, request.getRemoteAddr(), UserEvent.AUTHN_METHOD_FAILED, this, "No suitable SAML2 profile could be found for authentication")); event = UserEvent.AUTHN_METHOD_FAILED; } if (event == UserEvent.AUTHN_METHOD_FAILED && _bEnableFallback) { // fallback event = UserEvent.AUTHN_METHOD_IN_PROGRESS; oAttributes.remove( SAML2AuthenticationMethod.class, _sMethodId + "." + SELECTED_ORGANIZATION); _eventLogger.info( new UserEventLogItem( session, request.getRemoteAddr(), UserEvent.AUTHN_METHOD_IN_PROGRESS, this, "Fallback mechanism activated")); event = authenticate(request, response, session); } return event; } catch (OAException oae) { _eventLogger.info( new UserEventLogItem( session, request.getRemoteAddr(), UserEvent.AUTHN_METHOD_FAILED, this, oae.getLocalizedMessage())); throw oae; } }