public Response buildResponse(SAMLSSOAuthnReqDTO authReqDTO, String sessionId)
throws IdentityException {
if (log.isDebugEnabled()) {
log.debug(
"Building SAML Response for the consumer '" + authReqDTO.getAssertionConsumerURL() + "'");
}
Response response = new org.opensaml.saml2.core.impl.ResponseBuilder().buildObject();
response.setIssuer(SAMLSSOUtil.getIssuer());
response.setID(SAMLSSOUtil.createID());
response.setInResponseTo(authReqDTO.getId());
response.setDestination(authReqDTO.getAssertionConsumerURL());
response.setStatus(buildStatus(SAMLSSOConstants.StatusCodes.SUCCESS_CODE, null));
response.setVersion(SAMLVersion.VERSION_20);
DateTime issueInstant = new DateTime();
DateTime notOnOrAfter =
new DateTime(
issueInstant.getMillis() + SAMLSSOUtil.getSAMLResponseValidityPeriod() * 60 * 1000);
response.setIssueInstant(issueInstant);
Assertion assertion = buildSAMLAssertion(authReqDTO, notOnOrAfter, sessionId);
response.getAssertions().add(assertion);
if (authReqDTO.isDoSignResponse()) {
SAMLSSOUtil.setSignature(
response,
XMLSignature.ALGO_ID_SIGNATURE_RSA,
new SignKeyDataHolder(authReqDTO.getUsername()));
}
return response;
}
/**
* Builds the SAML error response and sets the compressed value to the reqValidationResponseDTO
*
* @param id
* @param status
* @param statMsg
* @param destination
* @return
* @throws IdentityException
*/
private SAMLSSOReqValidationResponseDTO buildErrorResponse(
String id,
String status,
String statMsg,
String destination,
String responseSigningAlgorithmUri,
String responseDigestAlgorithmUri)
throws IdentityException {
SAMLSSOReqValidationResponseDTO reqValidationResponseDTO =
new SAMLSSOReqValidationResponseDTO();
LogoutResponse logoutResp =
new SingleLogoutMessageBuilder()
.buildLogoutResponse(
id,
status,
statMsg,
destination,
false,
null,
responseSigningAlgorithmUri,
responseDigestAlgorithmUri);
reqValidationResponseDTO.setLogOutReq(true);
reqValidationResponseDTO.setValid(false);
try {
reqValidationResponseDTO.setResponse(
SAMLSSOUtil.compressResponse(SAMLSSOUtil.marshall(logoutResp)));
} catch (IOException e) {
throw new IdentityException("Error while creating logout response", e);
}
return reqValidationResponseDTO;
}
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
try {
handleRequest(req, resp, true);
} finally {
SAMLSSOUtil.removeSaaSApplicationThreaLocal();
SAMLSSOUtil.removeUserTenantDomainThreaLocal();
SAMLSSOUtil.removeTenantDomainFromThreadLocal();
}
}
@Override
protected void doGet(
HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse)
throws ServletException, IOException {
try {
handleRequest(httpServletRequest, httpServletResponse, false);
} finally {
SAMLSSOUtil.removeSaaSApplicationThreaLocal();
SAMLSSOUtil.removeUserTenantDomainThreaLocal();
SAMLSSOUtil.removeTenantDomainFromThreadLocal();
}
}
private void handleLogoutResponseFromFramework(
HttpServletRequest request, HttpServletResponse response, SAMLSSOSessionDTO sessionDTO)
throws ServletException, IOException, IdentityException {
SAMLSSOReqValidationResponseDTO validationResponseDTO = sessionDTO.getValidationRespDTO();
if (validationResponseDTO != null) {
// sending LogoutRequests to other session participants
LogoutRequestSender.getInstance()
.sendLogoutRequests(validationResponseDTO.getLogoutRespDTO());
SAMLSSOUtil.removeSession(sessionDTO.getSessionId(), validationResponseDTO.getIssuer());
removeSessionDataFromCache(
CharacterEncoder.getSafeText(request.getParameter("sessionDataKey")));
if (validationResponseDTO.isIdPInitSLO()) {
// redirecting to the return URL or IS logout page
response.sendRedirect(validationResponseDTO.getReturnToURL());
} else {
// sending LogoutResponse back to the initiator
sendResponse(
request,
response,
sessionDTO.getRelayState(),
validationResponseDTO.getLogoutResponse(),
validationResponseDTO.getAssertionConsumerURL(),
validationResponseDTO.getSubject(),
null,
sessionDTO.getTenantDomain());
}
} else {
try {
samlSsoService.doSingleLogout(request.getSession().getId());
} catch (IdentityException e) {
log.error("Error when processing the logout request!", e);
}
String errorResp =
SAMLSSOUtil.buildErrorResponse(
SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
"Invalid request",
sessionDTO.getAssertionConsumerURL());
sendNotification(
errorResp,
SAMLSSOConstants.Notification.INVALID_MESSAGE_STATUS,
SAMLSSOConstants.Notification.INVALID_MESSAGE_MESSAGE,
sessionDTO.getAssertionConsumerURL(),
request,
response);
}
}
private void startTenantFlow(String tenantDomain) throws IdentityException {
int tenantId = MultitenantConstants.SUPER_TENANT_ID;
if (tenantDomain != null
&& !tenantDomain.trim().isEmpty()
&& !"null".equalsIgnoreCase(tenantDomain.trim())) {
try {
tenantId = SAMLSSOUtil.getRealmService().getTenantManager().getTenantId(tenantDomain);
if (tenantId == -1) {
// invalid tenantId, hence throw exception to avoid setting invalid tenant info
// to CC
String message = "Invalid Tenant Domain : " + tenantDomain;
if (log.isDebugEnabled()) {
log.debug(message);
}
throw new IdentityException(message);
}
} catch (UserStoreException e) {
String message = "Error occurred while getting tenant ID from tenantDomain " + tenantDomain;
log.error(message, e);
throw new IdentityException(message, e);
}
} else {
tenantDomain = MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
}
PrivilegedCarbonContext.startTenantFlow();
PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
carbonContext.setTenantId(tenantId);
carbonContext.setTenantDomain(tenantDomain);
}
/**
* Validates the authentication request according to IdP Initiated SAML SSO Web Browser
* Specification
*
* @return SAMLSSOSignInResponseDTO
* @throws org.wso2.carbon.identity.base.IdentityException
*/
public SAMLSSOReqValidationResponseDTO validate() throws IdentityException {
SAMLSSOReqValidationResponseDTO validationResponse = new SAMLSSOReqValidationResponseDTO();
try {
// spEntityID MUST NOT be null
if (StringUtils.isNotBlank(spEntityID)) {
validationResponse.setIssuer(spEntityID);
} else {
String errorResp =
SAMLSSOUtil.buildErrorResponse(
SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
"spEntityID parameter not found in request",
null);
if (log.isDebugEnabled()) {
log.debug("spEntityID parameter not found in request");
}
validationResponse.setResponse(errorResp);
validationResponse.setValid(false);
return validationResponse;
}
if (!SAMLSSOUtil.isSAMLIssuerExists(
spEntityID, SAMLSSOUtil.getTenantDomainFromThreadLocal())) {
String message =
"A Service Provider with the Issuer '"
+ spEntityID
+ "' is not registered. Service "
+ "Provider should be registered in advance";
log.error(message);
String errorResp =
SAMLSSOUtil.buildErrorResponse(
SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, null);
validationResponse.setResponse(errorResp);
validationResponse.setValid(false);
return validationResponse;
}
// If SP has multiple ACS
if (StringUtils.isNotBlank(acs)) {
validationResponse.setAssertionConsumerURL(acs);
}
if (StringUtils.isBlank(SAMLSSOUtil.getTenantDomainFromThreadLocal())) {
SAMLSSOUtil.setTenantDomainInThreadLocal(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);
}
validationResponse.setValid(true);
if (log.isDebugEnabled()) {
log.debug("IdP Initiated SSO request validation is successful");
}
return validationResponse;
} catch (Exception e) {
throw IdentityException.error("Error validating the IdP Initiated SSO request", e);
}
}
/**
* @param req
* @param authnReqDTO
*/
private void populateAuthnReqDTO(
HttpServletRequest req,
SAMLSSOAuthnReqDTO authnReqDTO,
SAMLSSOSessionDTO sessionDTO,
AuthenticationResult authResult)
throws UserStoreException, IdentityException {
authnReqDTO.setAssertionConsumerURL(sessionDTO.getAssertionConsumerURL());
authnReqDTO.setId(sessionDTO.getRequestID());
authnReqDTO.setIssuer(sessionDTO.getIssuer());
authnReqDTO.setSubject(sessionDTO.getSubject());
authnReqDTO.setRpSessionId(sessionDTO.getRelyingPartySessionId());
authnReqDTO.setRequestMessageString(sessionDTO.getRequestMessageString());
authnReqDTO.setQueryString(sessionDTO.getHttpQueryString());
authnReqDTO.setDestination(sessionDTO.getDestination());
authnReqDTO.setUser(authResult.getSubject());
authnReqDTO.setIdPInitSSOEnabled(sessionDTO.isIdPInitSSO());
authnReqDTO.setClaimMapping(authResult.getClaimMapping());
authnReqDTO.setTenantDomain(sessionDTO.getTenantDomain());
authnReqDTO.setIdPInitSLOEnabled(sessionDTO.isIdPInitSLO());
SAMLSSOUtil.setIsSaaSApplication(authResult.isSaaSApp());
SAMLSSOUtil.setUserTenantDomain(authResult.getSubject().getTenantDomain());
}
/**
* @return
* @throws IdentityException
*/
public String[] getCertAliasOfPrimaryKeyStore() throws IdentityException {
KeyStoreData[] keyStores = getKeyStores();
KeyStoreData primaryKeyStore = null;
for (int i = 0; i < keyStores.length; i++) {
boolean superTenant =
MultitenantConstants.SUPER_TENANT_ID
== CarbonContext.getThreadLocalCarbonContext().getTenantId()
? true
: false;
if (superTenant && KeyStoreUtil.isPrimaryStore(keyStores[i].getKeyStoreName())) {
primaryKeyStore = keyStores[i];
break;
} else if (!superTenant
&& SAMLSSOUtil.generateKSNameFromDomainName(getTenantDomain())
.equals(keyStores[i].getKeyStoreName())) {
primaryKeyStore = keyStores[i];
break;
}
}
if (primaryKeyStore != null) {
return getStoreEntries(primaryKeyStore.getKeyStoreName());
}
throw new IdentityException("Primary Keystore cannot be found.");
}
private Assertion buildSAMLAssertion(
SAMLSSOAuthnReqDTO authReqDTO, DateTime notOnOrAfter, String sessionId)
throws IdentityException {
try {
DateTime currentTime = new DateTime();
Assertion samlAssertion = new AssertionBuilder().buildObject();
samlAssertion.setID(SAMLSSOUtil.createID());
samlAssertion.setVersion(SAMLVersion.VERSION_20);
samlAssertion.setIssuer(SAMLSSOUtil.getIssuer());
samlAssertion.setIssueInstant(currentTime);
Subject subject = new SubjectBuilder().buildObject();
NameID nameId = new NameIDBuilder().buildObject();
if (authReqDTO.getUseFullyQualifiedUsernameAsSubject()) {
nameId.setValue(authReqDTO.getUsername());
nameId.setFormat(NameIdentifier.EMAIL);
} else {
nameId.setValue(MultitenantUtils.getTenantAwareUsername(authReqDTO.getUsername()));
nameId.setFormat(authReqDTO.getNameIDFormat());
}
subject.setNameID(nameId);
SubjectConfirmation subjectConfirmation = new SubjectConfirmationBuilder().buildObject();
subjectConfirmation.setMethod(SAMLSSOConstants.SUBJECT_CONFIRM_BEARER);
SubjectConfirmationData scData = new SubjectConfirmationDataBuilder().buildObject();
scData.setRecipient(authReqDTO.getAssertionConsumerURL());
scData.setNotOnOrAfter(notOnOrAfter);
scData.setInResponseTo(authReqDTO.getId());
subjectConfirmation.setSubjectConfirmationData(scData);
subject.getSubjectConfirmations().add(subjectConfirmation);
samlAssertion.setSubject(subject);
AuthnStatement authStmt = new AuthnStatementBuilder().buildObject();
authStmt.setAuthnInstant(new DateTime());
AuthnContext authContext = new AuthnContextBuilder().buildObject();
AuthnContextClassRef authCtxClassRef = new AuthnContextClassRefBuilder().buildObject();
authCtxClassRef.setAuthnContextClassRef(AuthnContext.PASSWORD_AUTHN_CTX);
authContext.setAuthnContextClassRef(authCtxClassRef);
authStmt.setAuthnContext(authContext);
if (authReqDTO.isDoSingleLogout()) {
authStmt.setSessionIndex(sessionId);
}
samlAssertion.getAuthnStatements().add(authStmt);
/*
* If <AttributeConsumingServiceIndex> element is in the
* <AuthnRequest> and
* according to the spec 2.0 the subject MUST be in the assertion
*/
Map<String, String> claims = SAMLSSOUtil.getAttributes(authReqDTO);
if (claims != null) {
samlAssertion.getAttributeStatements().add(buildAttributeStatement(claims));
}
AudienceRestriction audienceRestriction = new AudienceRestrictionBuilder().buildObject();
Audience issuerAudience = new AudienceBuilder().buildObject();
issuerAudience.setAudienceURI(authReqDTO.getIssuer());
audienceRestriction.getAudiences().add(issuerAudience);
if (authReqDTO.getRequestedAudiences() != null) {
for (String requestedAudience : authReqDTO.getRequestedAudiences()) {
Audience audience = new AudienceBuilder().buildObject();
audience.setAudienceURI(requestedAudience);
audienceRestriction.getAudiences().add(audience);
}
}
Conditions conditions = new ConditionsBuilder().buildObject();
conditions.setNotBefore(currentTime);
conditions.setNotOnOrAfter(notOnOrAfter);
conditions.getAudienceRestrictions().add(audienceRestriction);
samlAssertion.setConditions(conditions);
if (authReqDTO.getDoSignAssertions()) {
SAMLSSOUtil.setSignature(
samlAssertion,
XMLSignature.ALGO_ID_SIGNATURE_RSA,
new SignKeyDataHolder(authReqDTO.getUsername()));
}
return samlAssertion;
} catch (Exception e) {
log.error("Error when reading claim values for generating SAML Response", e);
throw new IdentityException(
"Error when reading claim values for generating SAML Response", e);
}
}
static {
SAMLSSOUtil.doBootstrap();
}
/**
* @param logoutRequest
* @param sessionId
* @param queryString
* @return
* @throws IdentityException
*/
public SAMLSSOReqValidationResponseDTO process(
LogoutRequest logoutRequest, String sessionId, String queryString) throws IdentityException {
try {
SAMLSSOReqValidationResponseDTO reqValidationResponseDTO =
new SAMLSSOReqValidationResponseDTO();
reqValidationResponseDTO.setLogOutReq(true);
String subject = null;
String issuer = null;
String defaultSigningAlgoUri = IdentityApplicationManagementUtil.getSigningAlgoURIByConfig();
String defaultDigestAlgoUri = IdentityApplicationManagementUtil.getDigestAlgoURIByConfig();
// Get the sessions from the SessionPersistenceManager and prepare
// the logout responses
SSOSessionPersistenceManager ssoSessionPersistenceManager =
SSOSessionPersistenceManager.getPersistenceManager();
if (StringUtils.isBlank(sessionId)) {
String message = "Session was already Expired";
log.error(message);
return buildErrorResponse(
logoutRequest.getID(),
SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
message,
logoutRequest.getDestination(),
defaultSigningAlgoUri,
defaultDigestAlgoUri);
}
String sessionIndex = ssoSessionPersistenceManager.getSessionIndexFromTokenId(sessionId);
if (StringUtils.isBlank(sessionId)) {
String message = "Session index value not found in the request";
log.error(message);
reqValidationResponseDTO =
buildErrorResponse(
logoutRequest.getID(),
SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
message,
null,
defaultSigningAlgoUri,
defaultDigestAlgoUri);
reqValidationResponseDTO.setLogoutFromAuthFramework(true);
return reqValidationResponseDTO;
}
// Only if the logout request is received.
if (logoutRequest != null) {
if (logoutRequest.getIssuer() == null) {
String message = "Issuer should be mentioned in the Logout Request";
log.error(message);
return buildErrorResponse(
logoutRequest.getID(),
SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
message,
logoutRequest.getDestination(),
defaultSigningAlgoUri,
defaultDigestAlgoUri);
}
// TODO : Check for BaseID and EncryptedID as well.
if (logoutRequest.getNameID() != null) {
NameID nameID = logoutRequest.getNameID();
subject = nameID.getValue();
} else {
String message = "Subject Name should be specified in the Logout Request";
log.error(message);
return buildErrorResponse(
logoutRequest.getID(),
SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
message,
logoutRequest.getDestination(),
defaultSigningAlgoUri,
defaultDigestAlgoUri);
}
if (logoutRequest.getSessionIndexes() == null) {
String message = "At least one Session Index should be present in the Logout Request";
log.error(message);
return buildErrorResponse(
logoutRequest.getID(),
SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
message,
logoutRequest.getDestination(),
defaultSigningAlgoUri,
defaultDigestAlgoUri);
}
SessionInfoData sessionInfoData = ssoSessionPersistenceManager.getSessionInfo(sessionIndex);
if (sessionInfoData == null) {
String message = "No Established Sessions corresponding to Session Indexes provided.";
log.error(message);
reqValidationResponseDTO =
buildErrorResponse(
logoutRequest.getID(),
SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
message,
null,
defaultSigningAlgoUri,
defaultDigestAlgoUri);
reqValidationResponseDTO.setLogoutFromAuthFramework(true);
return reqValidationResponseDTO;
}
issuer = logoutRequest.getIssuer().getValue();
if (issuer.contains("@")) {
String tenantDomain = issuer.substring(issuer.lastIndexOf('@') + 1);
issuer = issuer.substring(0, issuer.lastIndexOf('@'));
if (StringUtils.isNotEmpty(tenantDomain) && StringUtils.isNotEmpty(issuer)) {
SAMLSSOUtil.setTenantDomainInThreadLocal(tenantDomain);
if (log.isDebugEnabled()) {
log.debug(
"Tenant Domain :"
+ " "
+ tenantDomain
+ " "
+ "&"
+ " "
+ "Issuer name :"
+ issuer
+ " "
+ "has being spilt");
}
} else {
SAMLSSOServiceProviderDO serviceProvider =
sessionInfoData.getServiceProviderList().get(issuer);
if (serviceProvider != null) {
SAMLSSOUtil.setTenantDomainInThreadLocal(
sessionInfoData.getServiceProviderList().get(issuer).getTenantDomain());
} else {
throw new IdentityException(
"Service provider :" + issuer + " does not exist in session " + "info data.");
}
}
} else {
SAMLSSOServiceProviderDO serviceProvider =
sessionInfoData.getServiceProviderList().get(issuer);
if (serviceProvider != null) {
SAMLSSOUtil.setTenantDomainInThreadLocal(
sessionInfoData.getServiceProviderList().get(issuer).getTenantDomain());
} else {
throw new IdentityException(
"Service provider :" + issuer + " does not exist in session info " + "data.");
}
}
subject = sessionInfoData.getSubject(issuer);
Map<String, SAMLSSOServiceProviderDO> sessionsList =
sessionInfoData.getServiceProviderList();
SAMLSSOServiceProviderDO logoutReqIssuer = sessionsList.get(issuer);
if (logoutReqIssuer.isDoSingleLogout()) {
// validate session index
SessionIndex requestSessionIndex =
logoutRequest.getSessionIndexes().size() > 0
? logoutRequest.getSessionIndexes().get(0)
: null;
if (requestSessionIndex == null
|| !sessionIndex.equals(requestSessionIndex.getSessionIndex())) {
String message =
"Session Index validation for Logout Request failed. "
+ "Received: ["
+ (requestSessionIndex == null ? "null" : requestSessionIndex.getSessionIndex())
+ "]."
+ " Expected: ["
+ sessionIndex
+ "]";
log.error(message);
return buildErrorResponse(
logoutRequest.getID(),
SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
message,
logoutRequest.getDestination(),
logoutReqIssuer.getSigningAlgorithmUri(),
logoutReqIssuer.getDigestAlgorithmUri());
}
}
if (logoutReqIssuer.isDoValidateSignatureInRequests()) {
// Validate 'Destination'
List<String> idpUrlSet =
SAMLSSOUtil.getDestinationFromTenantDomain(
SAMLSSOUtil.getTenantDomainFromThreadLocal());
if (logoutRequest.getDestination() == null
|| !idpUrlSet.contains(logoutRequest.getDestination())) {
String message =
"Destination validation for Logout Request failed. "
+ "Received: ["
+ logoutRequest.getDestination()
+ "]."
+ " Expected: ["
+ StringUtils.join(idpUrlSet, ',')
+ "]";
log.error(message);
return buildErrorResponse(
logoutRequest.getID(),
SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
message,
logoutRequest.getDestination(),
logoutReqIssuer.getSigningAlgorithmUri(),
logoutReqIssuer.getDigestAlgorithmUri());
}
// Validate Signature
boolean isSignatureValid =
SAMLSSOUtil.validateLogoutRequestSignature(
logoutRequest, logoutReqIssuer.getCertAlias(), subject, queryString);
if (!isSignatureValid) {
String message = "Signature validation for Logout Request failed";
log.error(message);
return buildErrorResponse(
logoutRequest.getID(),
SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
message,
logoutRequest.getDestination(),
logoutReqIssuer.getSigningAlgorithmUri(),
logoutReqIssuer.getDigestAlgorithmUri());
}
}
SingleLogoutMessageBuilder logoutMsgBuilder = new SingleLogoutMessageBuilder();
Map<String, String> rpSessionsList = sessionInfoData.getRPSessionsList();
List<SingleLogoutRequestDTO> singleLogoutReqDTOs = new ArrayList<SingleLogoutRequestDTO>();
for (Map.Entry<String, SAMLSSOServiceProviderDO> entry : sessionsList.entrySet()) {
String key = entry.getKey();
SAMLSSOServiceProviderDO value = entry.getValue();
if (!key.equals(issuer)) {
SingleLogoutRequestDTO logoutReqDTO = new SingleLogoutRequestDTO();
if (StringUtils.isNotBlank(value.getSloRequestURL())) {
logoutReqDTO.setAssertionConsumerURL(value.getSloRequestURL());
} else if (StringUtils.isNotBlank(value.getSloResponseURL())) {
logoutReqDTO.setAssertionConsumerURL(value.getSloResponseURL());
} else {
logoutReqDTO.setAssertionConsumerURL(value.getAssertionConsumerUrl());
}
LogoutRequest logoutReq =
logoutMsgBuilder.buildLogoutRequest(
sessionInfoData.getSubject(key),
sessionIndex,
SAMLSSOConstants.SingleLogoutCodes.LOGOUT_USER,
logoutReqDTO.getAssertionConsumerURL(),
value.getNameIDFormat(),
value.getTenantDomain(),
value.getSigningAlgorithmUri(),
value.getDigestAlgorithmUri());
String logoutReqString = SAMLSSOUtil.encode(SAMLSSOUtil.marshall(logoutReq));
logoutReqDTO.setLogoutResponse(logoutReqString);
logoutReqDTO.setRpSessionId(rpSessionsList.get(key));
singleLogoutReqDTOs.add(logoutReqDTO);
} else {
reqValidationResponseDTO.setIssuer(value.getIssuer());
reqValidationResponseDTO.setDoSignResponse(value.isDoSignResponse());
reqValidationResponseDTO.setSigningAlgorithmUri(value.getSigningAlgorithmUri());
reqValidationResponseDTO.setDigestAlgorithmUri(value.getDigestAlgorithmUri());
if (StringUtils.isNotBlank(value.getSloResponseURL())) {
reqValidationResponseDTO.setAssertionConsumerURL(value.getSloResponseURL());
} else {
reqValidationResponseDTO.setAssertionConsumerURL(value.getAssertionConsumerUrl());
}
}
}
reqValidationResponseDTO.setLogoutRespDTO(
singleLogoutReqDTOs.toArray(new SingleLogoutRequestDTO[singleLogoutReqDTOs.size()]));
LogoutResponse logoutResponse =
logoutMsgBuilder.buildLogoutResponse(
logoutRequest.getID(),
SAMLSSOConstants.StatusCodes.SUCCESS_CODE,
null,
reqValidationResponseDTO.getAssertionConsumerURL(),
reqValidationResponseDTO.isDoSignResponse(),
SAMLSSOUtil.getTenantDomainFromThreadLocal(),
reqValidationResponseDTO.getSigningAlgorithmUri(),
reqValidationResponseDTO.getDigestAlgorithmUri());
reqValidationResponseDTO.setLogoutResponse(
SAMLSSOUtil.encode(SAMLSSOUtil.marshall(logoutResponse)));
reqValidationResponseDTO.setValid(true);
}
return reqValidationResponseDTO;
} catch (UserStoreException | IdentityException e) {
throw new IdentityException("Error Processing the Logout Request", e);
}
}
/**
* This method handles authentication and sends authentication Response message back to the
* Service Provider after successful authentication. In case of authentication failure the user is
* prompted back for authentication.
*
* @param req
* @param resp
* @param sessionId
* @throws IdentityException
* @throws IOException
* @throws ServletException
*/
private void handleAuthenticationReponseFromFramework(
HttpServletRequest req,
HttpServletResponse resp,
String sessionId,
SAMLSSOSessionDTO sessionDTO)
throws UserStoreException, IdentityException, IOException, ServletException {
String sessionDataKey = CharacterEncoder.getSafeText(req.getParameter("sessionDataKey"));
AuthenticationResult authResult = getAuthenticationResultFromCache(sessionDataKey);
if (log.isDebugEnabled() && authResult == null) {
log.debug("Session data is not found for key : " + sessionDataKey);
}
SAMLSSOReqValidationResponseDTO reqValidationDTO = sessionDTO.getValidationRespDTO();
SAMLSSOAuthnReqDTO authnReqDTO = new SAMLSSOAuthnReqDTO();
if (authResult == null || !authResult.isAuthenticated()) {
if (log.isDebugEnabled() && authResult != null) {
log.debug("Unauthenticated User");
}
if (reqValidationDTO.isPassive()) { // if passive
List<String> statusCodes = new ArrayList<String>();
statusCodes.add(SAMLSSOConstants.StatusCodes.NO_PASSIVE);
statusCodes.add(SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR);
String destination = reqValidationDTO.getDestination();
reqValidationDTO.setResponse(
SAMLSSOUtil.buildErrorResponse(
reqValidationDTO.getId(),
statusCodes,
"Cannot authenticate Subject in Passive Mode",
destination));
sendResponse(
req,
resp,
sessionDTO.getRelayState(),
reqValidationDTO.getResponse(),
reqValidationDTO.getAssertionConsumerURL(),
reqValidationDTO.getSubject(),
null,
sessionDTO.getTenantDomain());
return;
} else { // if forceAuthn or normal flow
// TODO send a saml response with a status message.
if (!authResult.isAuthenticated()) {
String destination = reqValidationDTO.getDestination();
String errorResp =
SAMLSSOUtil.buildErrorResponse(
SAMLSSOConstants.StatusCodes.AUTHN_FAILURE,
"User authentication failed",
destination);
sendNotification(
errorResp,
SAMLSSOConstants.Notification.EXCEPTION_STATUS,
SAMLSSOConstants.Notification.EXCEPTION_MESSAGE,
reqValidationDTO.getAssertionConsumerURL(),
req,
resp);
return;
} else {
throw new IdentityException("Session data is not found for authenticated user");
}
}
} else {
populateAuthnReqDTO(req, authnReqDTO, sessionDTO, authResult);
req.setAttribute(SAMLSSOConstants.AUTHENTICATION_RESULT, authResult);
String relayState = null;
if (req.getParameter(SAMLSSOConstants.RELAY_STATE) != null) {
relayState = req.getParameter(SAMLSSOConstants.RELAY_STATE);
} else {
relayState = sessionDTO.getRelayState();
}
startTenantFlow(authnReqDTO.getTenantDomain());
if (sessionId == null) {
sessionId = UUIDGenerator.generateUUID();
}
SAMLSSOService samlSSOService = new SAMLSSOService();
SAMLSSORespDTO authRespDTO =
samlSSOService.authenticate(
authnReqDTO,
sessionId,
authResult.isAuthenticated(),
authResult.getAuthenticatedAuthenticators(),
SAMLSSOConstants.AuthnModes.USERNAME_PASSWORD);
if (authRespDTO.isSessionEstablished()) { // authenticated
storeTokenIdCookie(sessionId, req, resp, authnReqDTO.getTenantDomain());
removeSessionDataFromCache(
CharacterEncoder.getSafeText(req.getParameter("sessionDataKey")));
sendResponse(
req,
resp,
relayState,
authRespDTO.getRespString(),
authRespDTO.getAssertionConsumerURL(),
authRespDTO.getSubject().getAuthenticatedSubjectIdentifier(),
authResult.getAuthenticatedIdPs(),
sessionDTO.getTenantDomain());
} else { // authentication FAILURE
String errorResp = authRespDTO.getRespString();
sendNotification(
errorResp,
SAMLSSOConstants.Notification.EXCEPTION_STATUS,
SAMLSSOConstants.Notification.EXCEPTION_MESSAGE,
authRespDTO.getAssertionConsumerURL(),
req,
resp);
}
}
}
/**
* Sends the user for authentication to the login page
*
* @param req
* @param resp
* @param signInRespDTO
* @param relayState
* @throws ServletException
* @throws IOException
*/
private void sendToFrameworkForAuthentication(
HttpServletRequest req,
HttpServletResponse resp,
SAMLSSOReqValidationResponseDTO signInRespDTO,
String relayState,
boolean isPost)
throws ServletException, IOException, UserStoreException, IdentityException {
SAMLSSOSessionDTO sessionDTO = new SAMLSSOSessionDTO();
sessionDTO.setHttpQueryString(req.getQueryString());
sessionDTO.setDestination(signInRespDTO.getDestination());
sessionDTO.setRelayState(relayState);
sessionDTO.setRequestMessageString(signInRespDTO.getRequestMessageString());
sessionDTO.setIssuer(signInRespDTO.getIssuer());
sessionDTO.setRequestID(signInRespDTO.getId());
sessionDTO.setSubject(signInRespDTO.getSubject());
sessionDTO.setRelyingPartySessionId(signInRespDTO.getRpSessionId());
sessionDTO.setAssertionConsumerURL(signInRespDTO.getAssertionConsumerURL());
sessionDTO.setTenantDomain(SAMLSSOUtil.getTenantDomainFromThreadLocal());
if (sessionDTO.getTenantDomain() == null) {
String[] splitIssuer = sessionDTO.getIssuer().split("@");
if (splitIssuer != null
&& splitIssuer.length == 2
&& !splitIssuer[0].trim().isEmpty()
&& !splitIssuer[1].trim().isEmpty()) {
sessionDTO.setTenantDomain(splitIssuer[1]);
} else {
sessionDTO.setTenantDomain(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);
}
}
SAMLSSOUtil.setTenantDomainInThreadLocal(sessionDTO.getTenantDomain());
sessionDTO.setForceAuth(signInRespDTO.isForceAuthn());
sessionDTO.setPassiveAuth(signInRespDTO.isPassive());
sessionDTO.setValidationRespDTO(signInRespDTO);
sessionDTO.setIdPInitSSO(signInRespDTO.isIdPInitSSO());
String sessionDataKey = UUIDGenerator.generateUUID();
addSessionDataToCache(
sessionDataKey,
sessionDTO,
IdPManagementUtil.getIdleSessionTimeOut(sessionDTO.getTenantDomain()));
String commonAuthURL = CarbonUIUtil.getAdminConsoleURL(req);
commonAuthURL =
commonAuthURL.replace(
FrameworkConstants.RequestType.CLAIM_TYPE_SAML_SSO
+ "/"
+ FrameworkConstants.CARBON
+ "/",
FrameworkConstants.COMMONAUTH);
String selfPath =
URLEncoder.encode("/" + FrameworkConstants.RequestType.CLAIM_TYPE_SAML_SSO, "UTF-8");
// Setting authentication request context
AuthenticationRequest authenticationRequest = new AuthenticationRequest();
// Adding query parameters
authenticationRequest.appendRequestQueryParams(req.getParameterMap());
for (Enumeration headerNames = req.getHeaderNames(); headerNames.hasMoreElements(); ) {
String headerName = headerNames.nextElement().toString();
authenticationRequest.addHeader(headerName, req.getHeader(headerName));
}
authenticationRequest.setRelyingParty(signInRespDTO.getIssuer());
authenticationRequest.setCommonAuthCallerPath(selfPath);
authenticationRequest.setForceAuth(signInRespDTO.isForceAuthn());
if (!authenticationRequest.getForceAuth()
&& authenticationRequest.getRequestQueryParam("forceAuth") != null) {
String[] forceAuth = authenticationRequest.getRequestQueryParam("forceAuth");
if (!forceAuth[0].trim().isEmpty() && Boolean.parseBoolean(forceAuth[0].trim())) {
authenticationRequest.setForceAuth(Boolean.parseBoolean(forceAuth[0].trim()));
}
}
authenticationRequest.setPassiveAuth(signInRespDTO.isPassive());
authenticationRequest.setTenantDomain(sessionDTO.getTenantDomain());
authenticationRequest.setPost(isPost);
// Creating cache entry and adding entry to the cache before calling to commonauth
AuthenticationRequestCacheEntry authRequest =
new AuthenticationRequestCacheEntry(authenticationRequest);
FrameworkUtils.addAuthenticationRequestToCache(
sessionDataKey,
authRequest,
IdPManagementUtil.getIdleSessionTimeOut(sessionDTO.getTenantDomain()));
StringBuilder queryStringBuilder = new StringBuilder();
queryStringBuilder
.append(commonAuthURL)
.append("?")
.append(SAMLSSOConstants.SESSION_DATA_KEY)
.append("=")
.append(sessionDataKey)
.append("&")
.append(FrameworkConstants.RequestParams.TYPE)
.append("=")
.append(FrameworkConstants.RequestType.CLAIM_TYPE_SAML_SSO);
FrameworkUtils.setRequestPathCredentials(req);
resp.sendRedirect(queryStringBuilder.toString());
}
/**
* All requests are handled by this handleRequest method. In case of SAMLRequest the user will be
* redirected to commonAuth servlet for authentication. Based on successful authentication of the
* user a SAMLResponse is sent back to service provider. In case of logout requests, the IDP will
* send logout requests to the other session participants and then send the logout response back
* to the initiator.
*
* @param req
* @param resp
* @throws ServletException
* @throws IOException
*/
private void handleRequest(HttpServletRequest req, HttpServletResponse resp, boolean isPost)
throws ServletException, IOException {
String sessionId = null;
Cookie ssoTokenIdCookie = getTokenIdCookie(req);
if (ssoTokenIdCookie != null) {
sessionId = ssoTokenIdCookie.getValue();
}
String queryString = req.getQueryString();
if (log.isDebugEnabled()) {
log.debug("Query string : " + queryString);
}
// if an openid authentication or password authentication
String authMode = CharacterEncoder.getSafeText(req.getParameter("authMode"));
if (!SAMLSSOConstants.AuthnModes.OPENID.equals(authMode)) {
authMode = SAMLSSOConstants.AuthnModes.USERNAME_PASSWORD;
}
String relayState =
CharacterEncoder.getSafeText(req.getParameter(SAMLSSOConstants.RELAY_STATE));
String spEntityID =
CharacterEncoder.getSafeText(
req.getParameter(SAMLSSOConstants.QueryParameter.SP_ENTITY_ID.toString()));
String samlRequest = CharacterEncoder.getSafeText(req.getParameter("SAMLRequest"));
String sessionDataKey = CharacterEncoder.getSafeText(req.getParameter("sessionDataKey"));
String slo =
CharacterEncoder.getSafeText(
req.getParameter(SAMLSSOConstants.QueryParameter.SLO.toString()));
boolean isExpFired = false;
try {
String tenantDomain = CharacterEncoder.getSafeText(req.getParameter("tenantDomain"));
SAMLSSOUtil.setTenantDomainInThreadLocal(tenantDomain);
if (sessionDataKey != null) { // Response from common authentication framework.
SAMLSSOSessionDTO sessionDTO = getSessionDataFromCache(sessionDataKey);
if (sessionDTO != null) {
SAMLSSOUtil.setTenantDomainInThreadLocal(sessionDTO.getTenantDomain());
if (sessionDTO.isInvalidLogout()) {
log.warn("Redirecting to default logout page due to an invalid logout request");
String serverUrl = CarbonUIUtil.getAdminConsoleURL(req);
resp.sendRedirect(
serverUrl.replace(
SAMLSSOConstants.SAML_ENDPOINT, SAMLSSOConstants.DEFAULT_LOGOUT_LOCATION));
} else if (sessionDTO.isLogoutReq()) {
handleLogoutResponseFromFramework(req, resp, sessionDTO);
} else {
handleAuthenticationReponseFromFramework(req, resp, sessionId, sessionDTO);
}
removeAuthenticationResultFromCache(sessionDataKey);
} else {
log.error("Failed to retrieve sessionDTO from the cache for key " + sessionDataKey);
String errorResp =
SAMLSSOUtil.buildErrorResponse(
SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR,
SAMLSSOConstants.Notification.EXCEPTION_STATUS,
null);
sendNotification(
errorResp,
SAMLSSOConstants.Notification.EXCEPTION_STATUS,
SAMLSSOConstants.Notification.EXCEPTION_MESSAGE,
null,
req,
resp);
return;
}
} else if (spEntityID != null || slo != null) { // idp initiated SSO/SLO
handleIdPInitSSO(
req, resp, relayState, queryString, authMode, sessionId, isPost, (slo != null));
} else if (samlRequest != null) { // SAMLRequest received. SP initiated SSO
handleSPInitSSO(
req, resp, queryString, relayState, authMode, samlRequest, sessionId, isPost);
} else {
log.debug("Invalid request message or single logout message ");
if (sessionId == null) {
String errorResp =
SAMLSSOUtil.buildErrorResponse(
SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, "Invalid request message", null);
sendNotification(
errorResp,
SAMLSSOConstants.Notification.INVALID_MESSAGE_STATUS,
SAMLSSOConstants.Notification.INVALID_MESSAGE_MESSAGE,
null,
req,
resp);
} else {
// Non-SAML request are assumed to be logout requests
sendToFrameworkForLogout(req, resp, null, null, sessionId, true, false);
}
}
} catch (UserStoreException e) {
if (log.isDebugEnabled()) {
log.debug("Error occurred while handling SAML2 SSO request", e);
}
String errorResp = null;
try {
errorResp =
SAMLSSOUtil.buildErrorResponse(
SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR,
"Error occurred while handling SAML2 SSO request",
null);
} catch (IdentityException e1) {
log.error("Error while building SAML response", e1);
}
sendNotification(
errorResp,
SAMLSSOConstants.Notification.EXCEPTION_STATUS,
SAMLSSOConstants.Notification.EXCEPTION_MESSAGE,
null,
req,
resp);
} catch (IdentityException e) {
log.error("Error when processing the authentication request!", e);
String errorResp = null;
try {
errorResp =
SAMLSSOUtil.buildErrorResponse(
SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR,
"Error when processing the authentication request",
null);
} catch (IdentityException e1) {
log.error("Error while building SAML response", e1);
}
sendNotification(
errorResp,
SAMLSSOConstants.Notification.EXCEPTION_STATUS,
SAMLSSOConstants.Notification.EXCEPTION_MESSAGE,
null,
req,
resp);
}
}