public Response buildResponse(SAMLSSOAuthnReqDTO authReqDTO, String sessionId) throws IdentityException { if (log.isDebugEnabled()) { log.debug( "Building SAML Response for the consumer '" + authReqDTO.getAssertionConsumerURL() + "'"); } Response response = new org.opensaml.saml2.core.impl.ResponseBuilder().buildObject(); response.setIssuer(SAMLSSOUtil.getIssuer()); response.setID(SAMLSSOUtil.createID()); response.setInResponseTo(authReqDTO.getId()); response.setDestination(authReqDTO.getAssertionConsumerURL()); response.setStatus(buildStatus(SAMLSSOConstants.StatusCodes.SUCCESS_CODE, null)); response.setVersion(SAMLVersion.VERSION_20); DateTime issueInstant = new DateTime(); DateTime notOnOrAfter = new DateTime( issueInstant.getMillis() + SAMLSSOUtil.getSAMLResponseValidityPeriod() * 60 * 1000); response.setIssueInstant(issueInstant); Assertion assertion = buildSAMLAssertion(authReqDTO, notOnOrAfter, sessionId); response.getAssertions().add(assertion); if (authReqDTO.isDoSignResponse()) { SAMLSSOUtil.setSignature( response, XMLSignature.ALGO_ID_SIGNATURE_RSA, new SignKeyDataHolder(authReqDTO.getUsername())); } return response; }
/** * Builds the SAML error response and sets the compressed value to the reqValidationResponseDTO * * @param id * @param status * @param statMsg * @param destination * @return * @throws IdentityException */ private SAMLSSOReqValidationResponseDTO buildErrorResponse( String id, String status, String statMsg, String destination, String responseSigningAlgorithmUri, String responseDigestAlgorithmUri) throws IdentityException { SAMLSSOReqValidationResponseDTO reqValidationResponseDTO = new SAMLSSOReqValidationResponseDTO(); LogoutResponse logoutResp = new SingleLogoutMessageBuilder() .buildLogoutResponse( id, status, statMsg, destination, false, null, responseSigningAlgorithmUri, responseDigestAlgorithmUri); reqValidationResponseDTO.setLogOutReq(true); reqValidationResponseDTO.setValid(false); try { reqValidationResponseDTO.setResponse( SAMLSSOUtil.compressResponse(SAMLSSOUtil.marshall(logoutResp))); } catch (IOException e) { throw new IdentityException("Error while creating logout response", e); } return reqValidationResponseDTO; }
@Override protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { try { handleRequest(req, resp, true); } finally { SAMLSSOUtil.removeSaaSApplicationThreaLocal(); SAMLSSOUtil.removeUserTenantDomainThreaLocal(); SAMLSSOUtil.removeTenantDomainFromThreadLocal(); } }
@Override protected void doGet( HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException { try { handleRequest(httpServletRequest, httpServletResponse, false); } finally { SAMLSSOUtil.removeSaaSApplicationThreaLocal(); SAMLSSOUtil.removeUserTenantDomainThreaLocal(); SAMLSSOUtil.removeTenantDomainFromThreadLocal(); } }
private void handleLogoutResponseFromFramework( HttpServletRequest request, HttpServletResponse response, SAMLSSOSessionDTO sessionDTO) throws ServletException, IOException, IdentityException { SAMLSSOReqValidationResponseDTO validationResponseDTO = sessionDTO.getValidationRespDTO(); if (validationResponseDTO != null) { // sending LogoutRequests to other session participants LogoutRequestSender.getInstance() .sendLogoutRequests(validationResponseDTO.getLogoutRespDTO()); SAMLSSOUtil.removeSession(sessionDTO.getSessionId(), validationResponseDTO.getIssuer()); removeSessionDataFromCache( CharacterEncoder.getSafeText(request.getParameter("sessionDataKey"))); if (validationResponseDTO.isIdPInitSLO()) { // redirecting to the return URL or IS logout page response.sendRedirect(validationResponseDTO.getReturnToURL()); } else { // sending LogoutResponse back to the initiator sendResponse( request, response, sessionDTO.getRelayState(), validationResponseDTO.getLogoutResponse(), validationResponseDTO.getAssertionConsumerURL(), validationResponseDTO.getSubject(), null, sessionDTO.getTenantDomain()); } } else { try { samlSsoService.doSingleLogout(request.getSession().getId()); } catch (IdentityException e) { log.error("Error when processing the logout request!", e); } String errorResp = SAMLSSOUtil.buildErrorResponse( SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, "Invalid request", sessionDTO.getAssertionConsumerURL()); sendNotification( errorResp, SAMLSSOConstants.Notification.INVALID_MESSAGE_STATUS, SAMLSSOConstants.Notification.INVALID_MESSAGE_MESSAGE, sessionDTO.getAssertionConsumerURL(), request, response); } }
private void startTenantFlow(String tenantDomain) throws IdentityException { int tenantId = MultitenantConstants.SUPER_TENANT_ID; if (tenantDomain != null && !tenantDomain.trim().isEmpty() && !"null".equalsIgnoreCase(tenantDomain.trim())) { try { tenantId = SAMLSSOUtil.getRealmService().getTenantManager().getTenantId(tenantDomain); if (tenantId == -1) { // invalid tenantId, hence throw exception to avoid setting invalid tenant info // to CC String message = "Invalid Tenant Domain : " + tenantDomain; if (log.isDebugEnabled()) { log.debug(message); } throw new IdentityException(message); } } catch (UserStoreException e) { String message = "Error occurred while getting tenant ID from tenantDomain " + tenantDomain; log.error(message, e); throw new IdentityException(message, e); } } else { tenantDomain = MultitenantConstants.SUPER_TENANT_DOMAIN_NAME; } PrivilegedCarbonContext.startTenantFlow(); PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext(); carbonContext.setTenantId(tenantId); carbonContext.setTenantDomain(tenantDomain); }
/** * Validates the authentication request according to IdP Initiated SAML SSO Web Browser * Specification * * @return SAMLSSOSignInResponseDTO * @throws org.wso2.carbon.identity.base.IdentityException */ public SAMLSSOReqValidationResponseDTO validate() throws IdentityException { SAMLSSOReqValidationResponseDTO validationResponse = new SAMLSSOReqValidationResponseDTO(); try { // spEntityID MUST NOT be null if (StringUtils.isNotBlank(spEntityID)) { validationResponse.setIssuer(spEntityID); } else { String errorResp = SAMLSSOUtil.buildErrorResponse( SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, "spEntityID parameter not found in request", null); if (log.isDebugEnabled()) { log.debug("spEntityID parameter not found in request"); } validationResponse.setResponse(errorResp); validationResponse.setValid(false); return validationResponse; } if (!SAMLSSOUtil.isSAMLIssuerExists( spEntityID, SAMLSSOUtil.getTenantDomainFromThreadLocal())) { String message = "A Service Provider with the Issuer '" + spEntityID + "' is not registered. Service " + "Provider should be registered in advance"; log.error(message); String errorResp = SAMLSSOUtil.buildErrorResponse( SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, null); validationResponse.setResponse(errorResp); validationResponse.setValid(false); return validationResponse; } // If SP has multiple ACS if (StringUtils.isNotBlank(acs)) { validationResponse.setAssertionConsumerURL(acs); } if (StringUtils.isBlank(SAMLSSOUtil.getTenantDomainFromThreadLocal())) { SAMLSSOUtil.setTenantDomainInThreadLocal(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME); } validationResponse.setValid(true); if (log.isDebugEnabled()) { log.debug("IdP Initiated SSO request validation is successful"); } return validationResponse; } catch (Exception e) { throw IdentityException.error("Error validating the IdP Initiated SSO request", e); } }
/** * @param req * @param authnReqDTO */ private void populateAuthnReqDTO( HttpServletRequest req, SAMLSSOAuthnReqDTO authnReqDTO, SAMLSSOSessionDTO sessionDTO, AuthenticationResult authResult) throws UserStoreException, IdentityException { authnReqDTO.setAssertionConsumerURL(sessionDTO.getAssertionConsumerURL()); authnReqDTO.setId(sessionDTO.getRequestID()); authnReqDTO.setIssuer(sessionDTO.getIssuer()); authnReqDTO.setSubject(sessionDTO.getSubject()); authnReqDTO.setRpSessionId(sessionDTO.getRelyingPartySessionId()); authnReqDTO.setRequestMessageString(sessionDTO.getRequestMessageString()); authnReqDTO.setQueryString(sessionDTO.getHttpQueryString()); authnReqDTO.setDestination(sessionDTO.getDestination()); authnReqDTO.setUser(authResult.getSubject()); authnReqDTO.setIdPInitSSOEnabled(sessionDTO.isIdPInitSSO()); authnReqDTO.setClaimMapping(authResult.getClaimMapping()); authnReqDTO.setTenantDomain(sessionDTO.getTenantDomain()); authnReqDTO.setIdPInitSLOEnabled(sessionDTO.isIdPInitSLO()); SAMLSSOUtil.setIsSaaSApplication(authResult.isSaaSApp()); SAMLSSOUtil.setUserTenantDomain(authResult.getSubject().getTenantDomain()); }
/** * @return * @throws IdentityException */ public String[] getCertAliasOfPrimaryKeyStore() throws IdentityException { KeyStoreData[] keyStores = getKeyStores(); KeyStoreData primaryKeyStore = null; for (int i = 0; i < keyStores.length; i++) { boolean superTenant = MultitenantConstants.SUPER_TENANT_ID == CarbonContext.getThreadLocalCarbonContext().getTenantId() ? true : false; if (superTenant && KeyStoreUtil.isPrimaryStore(keyStores[i].getKeyStoreName())) { primaryKeyStore = keyStores[i]; break; } else if (!superTenant && SAMLSSOUtil.generateKSNameFromDomainName(getTenantDomain()) .equals(keyStores[i].getKeyStoreName())) { primaryKeyStore = keyStores[i]; break; } } if (primaryKeyStore != null) { return getStoreEntries(primaryKeyStore.getKeyStoreName()); } throw new IdentityException("Primary Keystore cannot be found."); }
private Assertion buildSAMLAssertion( SAMLSSOAuthnReqDTO authReqDTO, DateTime notOnOrAfter, String sessionId) throws IdentityException { try { DateTime currentTime = new DateTime(); Assertion samlAssertion = new AssertionBuilder().buildObject(); samlAssertion.setID(SAMLSSOUtil.createID()); samlAssertion.setVersion(SAMLVersion.VERSION_20); samlAssertion.setIssuer(SAMLSSOUtil.getIssuer()); samlAssertion.setIssueInstant(currentTime); Subject subject = new SubjectBuilder().buildObject(); NameID nameId = new NameIDBuilder().buildObject(); if (authReqDTO.getUseFullyQualifiedUsernameAsSubject()) { nameId.setValue(authReqDTO.getUsername()); nameId.setFormat(NameIdentifier.EMAIL); } else { nameId.setValue(MultitenantUtils.getTenantAwareUsername(authReqDTO.getUsername())); nameId.setFormat(authReqDTO.getNameIDFormat()); } subject.setNameID(nameId); SubjectConfirmation subjectConfirmation = new SubjectConfirmationBuilder().buildObject(); subjectConfirmation.setMethod(SAMLSSOConstants.SUBJECT_CONFIRM_BEARER); SubjectConfirmationData scData = new SubjectConfirmationDataBuilder().buildObject(); scData.setRecipient(authReqDTO.getAssertionConsumerURL()); scData.setNotOnOrAfter(notOnOrAfter); scData.setInResponseTo(authReqDTO.getId()); subjectConfirmation.setSubjectConfirmationData(scData); subject.getSubjectConfirmations().add(subjectConfirmation); samlAssertion.setSubject(subject); AuthnStatement authStmt = new AuthnStatementBuilder().buildObject(); authStmt.setAuthnInstant(new DateTime()); AuthnContext authContext = new AuthnContextBuilder().buildObject(); AuthnContextClassRef authCtxClassRef = new AuthnContextClassRefBuilder().buildObject(); authCtxClassRef.setAuthnContextClassRef(AuthnContext.PASSWORD_AUTHN_CTX); authContext.setAuthnContextClassRef(authCtxClassRef); authStmt.setAuthnContext(authContext); if (authReqDTO.isDoSingleLogout()) { authStmt.setSessionIndex(sessionId); } samlAssertion.getAuthnStatements().add(authStmt); /* * If <AttributeConsumingServiceIndex> element is in the * <AuthnRequest> and * according to the spec 2.0 the subject MUST be in the assertion */ Map<String, String> claims = SAMLSSOUtil.getAttributes(authReqDTO); if (claims != null) { samlAssertion.getAttributeStatements().add(buildAttributeStatement(claims)); } AudienceRestriction audienceRestriction = new AudienceRestrictionBuilder().buildObject(); Audience issuerAudience = new AudienceBuilder().buildObject(); issuerAudience.setAudienceURI(authReqDTO.getIssuer()); audienceRestriction.getAudiences().add(issuerAudience); if (authReqDTO.getRequestedAudiences() != null) { for (String requestedAudience : authReqDTO.getRequestedAudiences()) { Audience audience = new AudienceBuilder().buildObject(); audience.setAudienceURI(requestedAudience); audienceRestriction.getAudiences().add(audience); } } Conditions conditions = new ConditionsBuilder().buildObject(); conditions.setNotBefore(currentTime); conditions.setNotOnOrAfter(notOnOrAfter); conditions.getAudienceRestrictions().add(audienceRestriction); samlAssertion.setConditions(conditions); if (authReqDTO.getDoSignAssertions()) { SAMLSSOUtil.setSignature( samlAssertion, XMLSignature.ALGO_ID_SIGNATURE_RSA, new SignKeyDataHolder(authReqDTO.getUsername())); } return samlAssertion; } catch (Exception e) { log.error("Error when reading claim values for generating SAML Response", e); throw new IdentityException( "Error when reading claim values for generating SAML Response", e); } }
static { SAMLSSOUtil.doBootstrap(); }
/** * @param logoutRequest * @param sessionId * @param queryString * @return * @throws IdentityException */ public SAMLSSOReqValidationResponseDTO process( LogoutRequest logoutRequest, String sessionId, String queryString) throws IdentityException { try { SAMLSSOReqValidationResponseDTO reqValidationResponseDTO = new SAMLSSOReqValidationResponseDTO(); reqValidationResponseDTO.setLogOutReq(true); String subject = null; String issuer = null; String defaultSigningAlgoUri = IdentityApplicationManagementUtil.getSigningAlgoURIByConfig(); String defaultDigestAlgoUri = IdentityApplicationManagementUtil.getDigestAlgoURIByConfig(); // Get the sessions from the SessionPersistenceManager and prepare // the logout responses SSOSessionPersistenceManager ssoSessionPersistenceManager = SSOSessionPersistenceManager.getPersistenceManager(); if (StringUtils.isBlank(sessionId)) { String message = "Session was already Expired"; log.error(message); return buildErrorResponse( logoutRequest.getID(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, logoutRequest.getDestination(), defaultSigningAlgoUri, defaultDigestAlgoUri); } String sessionIndex = ssoSessionPersistenceManager.getSessionIndexFromTokenId(sessionId); if (StringUtils.isBlank(sessionId)) { String message = "Session index value not found in the request"; log.error(message); reqValidationResponseDTO = buildErrorResponse( logoutRequest.getID(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, null, defaultSigningAlgoUri, defaultDigestAlgoUri); reqValidationResponseDTO.setLogoutFromAuthFramework(true); return reqValidationResponseDTO; } // Only if the logout request is received. if (logoutRequest != null) { if (logoutRequest.getIssuer() == null) { String message = "Issuer should be mentioned in the Logout Request"; log.error(message); return buildErrorResponse( logoutRequest.getID(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, logoutRequest.getDestination(), defaultSigningAlgoUri, defaultDigestAlgoUri); } // TODO : Check for BaseID and EncryptedID as well. if (logoutRequest.getNameID() != null) { NameID nameID = logoutRequest.getNameID(); subject = nameID.getValue(); } else { String message = "Subject Name should be specified in the Logout Request"; log.error(message); return buildErrorResponse( logoutRequest.getID(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, logoutRequest.getDestination(), defaultSigningAlgoUri, defaultDigestAlgoUri); } if (logoutRequest.getSessionIndexes() == null) { String message = "At least one Session Index should be present in the Logout Request"; log.error(message); return buildErrorResponse( logoutRequest.getID(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, logoutRequest.getDestination(), defaultSigningAlgoUri, defaultDigestAlgoUri); } SessionInfoData sessionInfoData = ssoSessionPersistenceManager.getSessionInfo(sessionIndex); if (sessionInfoData == null) { String message = "No Established Sessions corresponding to Session Indexes provided."; log.error(message); reqValidationResponseDTO = buildErrorResponse( logoutRequest.getID(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, null, defaultSigningAlgoUri, defaultDigestAlgoUri); reqValidationResponseDTO.setLogoutFromAuthFramework(true); return reqValidationResponseDTO; } issuer = logoutRequest.getIssuer().getValue(); if (issuer.contains("@")) { String tenantDomain = issuer.substring(issuer.lastIndexOf('@') + 1); issuer = issuer.substring(0, issuer.lastIndexOf('@')); if (StringUtils.isNotEmpty(tenantDomain) && StringUtils.isNotEmpty(issuer)) { SAMLSSOUtil.setTenantDomainInThreadLocal(tenantDomain); if (log.isDebugEnabled()) { log.debug( "Tenant Domain :" + " " + tenantDomain + " " + "&" + " " + "Issuer name :" + issuer + " " + "has being spilt"); } } else { SAMLSSOServiceProviderDO serviceProvider = sessionInfoData.getServiceProviderList().get(issuer); if (serviceProvider != null) { SAMLSSOUtil.setTenantDomainInThreadLocal( sessionInfoData.getServiceProviderList().get(issuer).getTenantDomain()); } else { throw new IdentityException( "Service provider :" + issuer + " does not exist in session " + "info data."); } } } else { SAMLSSOServiceProviderDO serviceProvider = sessionInfoData.getServiceProviderList().get(issuer); if (serviceProvider != null) { SAMLSSOUtil.setTenantDomainInThreadLocal( sessionInfoData.getServiceProviderList().get(issuer).getTenantDomain()); } else { throw new IdentityException( "Service provider :" + issuer + " does not exist in session info " + "data."); } } subject = sessionInfoData.getSubject(issuer); Map<String, SAMLSSOServiceProviderDO> sessionsList = sessionInfoData.getServiceProviderList(); SAMLSSOServiceProviderDO logoutReqIssuer = sessionsList.get(issuer); if (logoutReqIssuer.isDoSingleLogout()) { // validate session index SessionIndex requestSessionIndex = logoutRequest.getSessionIndexes().size() > 0 ? logoutRequest.getSessionIndexes().get(0) : null; if (requestSessionIndex == null || !sessionIndex.equals(requestSessionIndex.getSessionIndex())) { String message = "Session Index validation for Logout Request failed. " + "Received: [" + (requestSessionIndex == null ? "null" : requestSessionIndex.getSessionIndex()) + "]." + " Expected: [" + sessionIndex + "]"; log.error(message); return buildErrorResponse( logoutRequest.getID(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, logoutRequest.getDestination(), logoutReqIssuer.getSigningAlgorithmUri(), logoutReqIssuer.getDigestAlgorithmUri()); } } if (logoutReqIssuer.isDoValidateSignatureInRequests()) { // Validate 'Destination' List<String> idpUrlSet = SAMLSSOUtil.getDestinationFromTenantDomain( SAMLSSOUtil.getTenantDomainFromThreadLocal()); if (logoutRequest.getDestination() == null || !idpUrlSet.contains(logoutRequest.getDestination())) { String message = "Destination validation for Logout Request failed. " + "Received: [" + logoutRequest.getDestination() + "]." + " Expected: [" + StringUtils.join(idpUrlSet, ',') + "]"; log.error(message); return buildErrorResponse( logoutRequest.getID(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, logoutRequest.getDestination(), logoutReqIssuer.getSigningAlgorithmUri(), logoutReqIssuer.getDigestAlgorithmUri()); } // Validate Signature boolean isSignatureValid = SAMLSSOUtil.validateLogoutRequestSignature( logoutRequest, logoutReqIssuer.getCertAlias(), subject, queryString); if (!isSignatureValid) { String message = "Signature validation for Logout Request failed"; log.error(message); return buildErrorResponse( logoutRequest.getID(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, logoutRequest.getDestination(), logoutReqIssuer.getSigningAlgorithmUri(), logoutReqIssuer.getDigestAlgorithmUri()); } } SingleLogoutMessageBuilder logoutMsgBuilder = new SingleLogoutMessageBuilder(); Map<String, String> rpSessionsList = sessionInfoData.getRPSessionsList(); List<SingleLogoutRequestDTO> singleLogoutReqDTOs = new ArrayList<SingleLogoutRequestDTO>(); for (Map.Entry<String, SAMLSSOServiceProviderDO> entry : sessionsList.entrySet()) { String key = entry.getKey(); SAMLSSOServiceProviderDO value = entry.getValue(); if (!key.equals(issuer)) { SingleLogoutRequestDTO logoutReqDTO = new SingleLogoutRequestDTO(); if (StringUtils.isNotBlank(value.getSloRequestURL())) { logoutReqDTO.setAssertionConsumerURL(value.getSloRequestURL()); } else if (StringUtils.isNotBlank(value.getSloResponseURL())) { logoutReqDTO.setAssertionConsumerURL(value.getSloResponseURL()); } else { logoutReqDTO.setAssertionConsumerURL(value.getAssertionConsumerUrl()); } LogoutRequest logoutReq = logoutMsgBuilder.buildLogoutRequest( sessionInfoData.getSubject(key), sessionIndex, SAMLSSOConstants.SingleLogoutCodes.LOGOUT_USER, logoutReqDTO.getAssertionConsumerURL(), value.getNameIDFormat(), value.getTenantDomain(), value.getSigningAlgorithmUri(), value.getDigestAlgorithmUri()); String logoutReqString = SAMLSSOUtil.encode(SAMLSSOUtil.marshall(logoutReq)); logoutReqDTO.setLogoutResponse(logoutReqString); logoutReqDTO.setRpSessionId(rpSessionsList.get(key)); singleLogoutReqDTOs.add(logoutReqDTO); } else { reqValidationResponseDTO.setIssuer(value.getIssuer()); reqValidationResponseDTO.setDoSignResponse(value.isDoSignResponse()); reqValidationResponseDTO.setSigningAlgorithmUri(value.getSigningAlgorithmUri()); reqValidationResponseDTO.setDigestAlgorithmUri(value.getDigestAlgorithmUri()); if (StringUtils.isNotBlank(value.getSloResponseURL())) { reqValidationResponseDTO.setAssertionConsumerURL(value.getSloResponseURL()); } else { reqValidationResponseDTO.setAssertionConsumerURL(value.getAssertionConsumerUrl()); } } } reqValidationResponseDTO.setLogoutRespDTO( singleLogoutReqDTOs.toArray(new SingleLogoutRequestDTO[singleLogoutReqDTOs.size()])); LogoutResponse logoutResponse = logoutMsgBuilder.buildLogoutResponse( logoutRequest.getID(), SAMLSSOConstants.StatusCodes.SUCCESS_CODE, null, reqValidationResponseDTO.getAssertionConsumerURL(), reqValidationResponseDTO.isDoSignResponse(), SAMLSSOUtil.getTenantDomainFromThreadLocal(), reqValidationResponseDTO.getSigningAlgorithmUri(), reqValidationResponseDTO.getDigestAlgorithmUri()); reqValidationResponseDTO.setLogoutResponse( SAMLSSOUtil.encode(SAMLSSOUtil.marshall(logoutResponse))); reqValidationResponseDTO.setValid(true); } return reqValidationResponseDTO; } catch (UserStoreException | IdentityException e) { throw new IdentityException("Error Processing the Logout Request", e); } }
/** * This method handles authentication and sends authentication Response message back to the * Service Provider after successful authentication. In case of authentication failure the user is * prompted back for authentication. * * @param req * @param resp * @param sessionId * @throws IdentityException * @throws IOException * @throws ServletException */ private void handleAuthenticationReponseFromFramework( HttpServletRequest req, HttpServletResponse resp, String sessionId, SAMLSSOSessionDTO sessionDTO) throws UserStoreException, IdentityException, IOException, ServletException { String sessionDataKey = CharacterEncoder.getSafeText(req.getParameter("sessionDataKey")); AuthenticationResult authResult = getAuthenticationResultFromCache(sessionDataKey); if (log.isDebugEnabled() && authResult == null) { log.debug("Session data is not found for key : " + sessionDataKey); } SAMLSSOReqValidationResponseDTO reqValidationDTO = sessionDTO.getValidationRespDTO(); SAMLSSOAuthnReqDTO authnReqDTO = new SAMLSSOAuthnReqDTO(); if (authResult == null || !authResult.isAuthenticated()) { if (log.isDebugEnabled() && authResult != null) { log.debug("Unauthenticated User"); } if (reqValidationDTO.isPassive()) { // if passive List<String> statusCodes = new ArrayList<String>(); statusCodes.add(SAMLSSOConstants.StatusCodes.NO_PASSIVE); statusCodes.add(SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR); String destination = reqValidationDTO.getDestination(); reqValidationDTO.setResponse( SAMLSSOUtil.buildErrorResponse( reqValidationDTO.getId(), statusCodes, "Cannot authenticate Subject in Passive Mode", destination)); sendResponse( req, resp, sessionDTO.getRelayState(), reqValidationDTO.getResponse(), reqValidationDTO.getAssertionConsumerURL(), reqValidationDTO.getSubject(), null, sessionDTO.getTenantDomain()); return; } else { // if forceAuthn or normal flow // TODO send a saml response with a status message. if (!authResult.isAuthenticated()) { String destination = reqValidationDTO.getDestination(); String errorResp = SAMLSSOUtil.buildErrorResponse( SAMLSSOConstants.StatusCodes.AUTHN_FAILURE, "User authentication failed", destination); sendNotification( errorResp, SAMLSSOConstants.Notification.EXCEPTION_STATUS, SAMLSSOConstants.Notification.EXCEPTION_MESSAGE, reqValidationDTO.getAssertionConsumerURL(), req, resp); return; } else { throw new IdentityException("Session data is not found for authenticated user"); } } } else { populateAuthnReqDTO(req, authnReqDTO, sessionDTO, authResult); req.setAttribute(SAMLSSOConstants.AUTHENTICATION_RESULT, authResult); String relayState = null; if (req.getParameter(SAMLSSOConstants.RELAY_STATE) != null) { relayState = req.getParameter(SAMLSSOConstants.RELAY_STATE); } else { relayState = sessionDTO.getRelayState(); } startTenantFlow(authnReqDTO.getTenantDomain()); if (sessionId == null) { sessionId = UUIDGenerator.generateUUID(); } SAMLSSOService samlSSOService = new SAMLSSOService(); SAMLSSORespDTO authRespDTO = samlSSOService.authenticate( authnReqDTO, sessionId, authResult.isAuthenticated(), authResult.getAuthenticatedAuthenticators(), SAMLSSOConstants.AuthnModes.USERNAME_PASSWORD); if (authRespDTO.isSessionEstablished()) { // authenticated storeTokenIdCookie(sessionId, req, resp, authnReqDTO.getTenantDomain()); removeSessionDataFromCache( CharacterEncoder.getSafeText(req.getParameter("sessionDataKey"))); sendResponse( req, resp, relayState, authRespDTO.getRespString(), authRespDTO.getAssertionConsumerURL(), authRespDTO.getSubject().getAuthenticatedSubjectIdentifier(), authResult.getAuthenticatedIdPs(), sessionDTO.getTenantDomain()); } else { // authentication FAILURE String errorResp = authRespDTO.getRespString(); sendNotification( errorResp, SAMLSSOConstants.Notification.EXCEPTION_STATUS, SAMLSSOConstants.Notification.EXCEPTION_MESSAGE, authRespDTO.getAssertionConsumerURL(), req, resp); } } }
/** * Sends the user for authentication to the login page * * @param req * @param resp * @param signInRespDTO * @param relayState * @throws ServletException * @throws IOException */ private void sendToFrameworkForAuthentication( HttpServletRequest req, HttpServletResponse resp, SAMLSSOReqValidationResponseDTO signInRespDTO, String relayState, boolean isPost) throws ServletException, IOException, UserStoreException, IdentityException { SAMLSSOSessionDTO sessionDTO = new SAMLSSOSessionDTO(); sessionDTO.setHttpQueryString(req.getQueryString()); sessionDTO.setDestination(signInRespDTO.getDestination()); sessionDTO.setRelayState(relayState); sessionDTO.setRequestMessageString(signInRespDTO.getRequestMessageString()); sessionDTO.setIssuer(signInRespDTO.getIssuer()); sessionDTO.setRequestID(signInRespDTO.getId()); sessionDTO.setSubject(signInRespDTO.getSubject()); sessionDTO.setRelyingPartySessionId(signInRespDTO.getRpSessionId()); sessionDTO.setAssertionConsumerURL(signInRespDTO.getAssertionConsumerURL()); sessionDTO.setTenantDomain(SAMLSSOUtil.getTenantDomainFromThreadLocal()); if (sessionDTO.getTenantDomain() == null) { String[] splitIssuer = sessionDTO.getIssuer().split("@"); if (splitIssuer != null && splitIssuer.length == 2 && !splitIssuer[0].trim().isEmpty() && !splitIssuer[1].trim().isEmpty()) { sessionDTO.setTenantDomain(splitIssuer[1]); } else { sessionDTO.setTenantDomain(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME); } } SAMLSSOUtil.setTenantDomainInThreadLocal(sessionDTO.getTenantDomain()); sessionDTO.setForceAuth(signInRespDTO.isForceAuthn()); sessionDTO.setPassiveAuth(signInRespDTO.isPassive()); sessionDTO.setValidationRespDTO(signInRespDTO); sessionDTO.setIdPInitSSO(signInRespDTO.isIdPInitSSO()); String sessionDataKey = UUIDGenerator.generateUUID(); addSessionDataToCache( sessionDataKey, sessionDTO, IdPManagementUtil.getIdleSessionTimeOut(sessionDTO.getTenantDomain())); String commonAuthURL = CarbonUIUtil.getAdminConsoleURL(req); commonAuthURL = commonAuthURL.replace( FrameworkConstants.RequestType.CLAIM_TYPE_SAML_SSO + "/" + FrameworkConstants.CARBON + "/", FrameworkConstants.COMMONAUTH); String selfPath = URLEncoder.encode("/" + FrameworkConstants.RequestType.CLAIM_TYPE_SAML_SSO, "UTF-8"); // Setting authentication request context AuthenticationRequest authenticationRequest = new AuthenticationRequest(); // Adding query parameters authenticationRequest.appendRequestQueryParams(req.getParameterMap()); for (Enumeration headerNames = req.getHeaderNames(); headerNames.hasMoreElements(); ) { String headerName = headerNames.nextElement().toString(); authenticationRequest.addHeader(headerName, req.getHeader(headerName)); } authenticationRequest.setRelyingParty(signInRespDTO.getIssuer()); authenticationRequest.setCommonAuthCallerPath(selfPath); authenticationRequest.setForceAuth(signInRespDTO.isForceAuthn()); if (!authenticationRequest.getForceAuth() && authenticationRequest.getRequestQueryParam("forceAuth") != null) { String[] forceAuth = authenticationRequest.getRequestQueryParam("forceAuth"); if (!forceAuth[0].trim().isEmpty() && Boolean.parseBoolean(forceAuth[0].trim())) { authenticationRequest.setForceAuth(Boolean.parseBoolean(forceAuth[0].trim())); } } authenticationRequest.setPassiveAuth(signInRespDTO.isPassive()); authenticationRequest.setTenantDomain(sessionDTO.getTenantDomain()); authenticationRequest.setPost(isPost); // Creating cache entry and adding entry to the cache before calling to commonauth AuthenticationRequestCacheEntry authRequest = new AuthenticationRequestCacheEntry(authenticationRequest); FrameworkUtils.addAuthenticationRequestToCache( sessionDataKey, authRequest, IdPManagementUtil.getIdleSessionTimeOut(sessionDTO.getTenantDomain())); StringBuilder queryStringBuilder = new StringBuilder(); queryStringBuilder .append(commonAuthURL) .append("?") .append(SAMLSSOConstants.SESSION_DATA_KEY) .append("=") .append(sessionDataKey) .append("&") .append(FrameworkConstants.RequestParams.TYPE) .append("=") .append(FrameworkConstants.RequestType.CLAIM_TYPE_SAML_SSO); FrameworkUtils.setRequestPathCredentials(req); resp.sendRedirect(queryStringBuilder.toString()); }
/** * All requests are handled by this handleRequest method. In case of SAMLRequest the user will be * redirected to commonAuth servlet for authentication. Based on successful authentication of the * user a SAMLResponse is sent back to service provider. In case of logout requests, the IDP will * send logout requests to the other session participants and then send the logout response back * to the initiator. * * @param req * @param resp * @throws ServletException * @throws IOException */ private void handleRequest(HttpServletRequest req, HttpServletResponse resp, boolean isPost) throws ServletException, IOException { String sessionId = null; Cookie ssoTokenIdCookie = getTokenIdCookie(req); if (ssoTokenIdCookie != null) { sessionId = ssoTokenIdCookie.getValue(); } String queryString = req.getQueryString(); if (log.isDebugEnabled()) { log.debug("Query string : " + queryString); } // if an openid authentication or password authentication String authMode = CharacterEncoder.getSafeText(req.getParameter("authMode")); if (!SAMLSSOConstants.AuthnModes.OPENID.equals(authMode)) { authMode = SAMLSSOConstants.AuthnModes.USERNAME_PASSWORD; } String relayState = CharacterEncoder.getSafeText(req.getParameter(SAMLSSOConstants.RELAY_STATE)); String spEntityID = CharacterEncoder.getSafeText( req.getParameter(SAMLSSOConstants.QueryParameter.SP_ENTITY_ID.toString())); String samlRequest = CharacterEncoder.getSafeText(req.getParameter("SAMLRequest")); String sessionDataKey = CharacterEncoder.getSafeText(req.getParameter("sessionDataKey")); String slo = CharacterEncoder.getSafeText( req.getParameter(SAMLSSOConstants.QueryParameter.SLO.toString())); boolean isExpFired = false; try { String tenantDomain = CharacterEncoder.getSafeText(req.getParameter("tenantDomain")); SAMLSSOUtil.setTenantDomainInThreadLocal(tenantDomain); if (sessionDataKey != null) { // Response from common authentication framework. SAMLSSOSessionDTO sessionDTO = getSessionDataFromCache(sessionDataKey); if (sessionDTO != null) { SAMLSSOUtil.setTenantDomainInThreadLocal(sessionDTO.getTenantDomain()); if (sessionDTO.isInvalidLogout()) { log.warn("Redirecting to default logout page due to an invalid logout request"); String serverUrl = CarbonUIUtil.getAdminConsoleURL(req); resp.sendRedirect( serverUrl.replace( SAMLSSOConstants.SAML_ENDPOINT, SAMLSSOConstants.DEFAULT_LOGOUT_LOCATION)); } else if (sessionDTO.isLogoutReq()) { handleLogoutResponseFromFramework(req, resp, sessionDTO); } else { handleAuthenticationReponseFromFramework(req, resp, sessionId, sessionDTO); } removeAuthenticationResultFromCache(sessionDataKey); } else { log.error("Failed to retrieve sessionDTO from the cache for key " + sessionDataKey); String errorResp = SAMLSSOUtil.buildErrorResponse( SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR, SAMLSSOConstants.Notification.EXCEPTION_STATUS, null); sendNotification( errorResp, SAMLSSOConstants.Notification.EXCEPTION_STATUS, SAMLSSOConstants.Notification.EXCEPTION_MESSAGE, null, req, resp); return; } } else if (spEntityID != null || slo != null) { // idp initiated SSO/SLO handleIdPInitSSO( req, resp, relayState, queryString, authMode, sessionId, isPost, (slo != null)); } else if (samlRequest != null) { // SAMLRequest received. SP initiated SSO handleSPInitSSO( req, resp, queryString, relayState, authMode, samlRequest, sessionId, isPost); } else { log.debug("Invalid request message or single logout message "); if (sessionId == null) { String errorResp = SAMLSSOUtil.buildErrorResponse( SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, "Invalid request message", null); sendNotification( errorResp, SAMLSSOConstants.Notification.INVALID_MESSAGE_STATUS, SAMLSSOConstants.Notification.INVALID_MESSAGE_MESSAGE, null, req, resp); } else { // Non-SAML request are assumed to be logout requests sendToFrameworkForLogout(req, resp, null, null, sessionId, true, false); } } } catch (UserStoreException e) { if (log.isDebugEnabled()) { log.debug("Error occurred while handling SAML2 SSO request", e); } String errorResp = null; try { errorResp = SAMLSSOUtil.buildErrorResponse( SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR, "Error occurred while handling SAML2 SSO request", null); } catch (IdentityException e1) { log.error("Error while building SAML response", e1); } sendNotification( errorResp, SAMLSSOConstants.Notification.EXCEPTION_STATUS, SAMLSSOConstants.Notification.EXCEPTION_MESSAGE, null, req, resp); } catch (IdentityException e) { log.error("Error when processing the authentication request!", e); String errorResp = null; try { errorResp = SAMLSSOUtil.buildErrorResponse( SAMLSSOConstants.StatusCodes.IDENTITY_PROVIDER_ERROR, "Error when processing the authentication request", null); } catch (IdentityException e1) { log.error("Error while building SAML response", e1); } sendNotification( errorResp, SAMLSSOConstants.Notification.EXCEPTION_STATUS, SAMLSSOConstants.Notification.EXCEPTION_MESSAGE, null, req, resp); } }