2 * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 package edu.internet2.middleware.shibboleth.common;
19 import java.net.MalformedURLException;
21 import java.net.URISyntaxException;
23 import java.util.ArrayList;
24 import java.util.HashMap;
25 import java.util.List;
28 import org.apache.log4j.Logger;
29 import org.w3c.dom.Element;
30 import org.w3c.dom.NodeList;
32 import edu.internet2.middleware.shibboleth.idp.IdPConfig;
33 import edu.internet2.middleware.shibboleth.metadata.EntitiesDescriptor;
34 import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
35 import edu.internet2.middleware.shibboleth.metadata.Metadata;
38 * Class for determining the effective relying party from the unique id of the service provider. Checks first for an
39 * exact match on the service provider, then for membership in a group of providers (perhaps a federation). Uses the
40 * default relying party if neither is found.
42 * @author Walter Hoehn
44 public class ServiceProviderMapper {
46 private static Logger log = Logger.getLogger(ServiceProviderMapper.class.getName());
47 protected Map relyingParties = new HashMap();
48 private Metadata metaData;
49 private IdPConfig configuration;
50 private Credentials credentials;
51 private NameMapper nameMapper;
53 public ServiceProviderMapper(Element rawConfig, IdPConfig configuration, Credentials credentials,
54 NameMapper nameMapper) throws ServiceProviderMapperException {
56 this.configuration = configuration;
57 this.credentials = credentials;
58 this.nameMapper = nameMapper;
60 NodeList itemElements = rawConfig.getElementsByTagNameNS(IdPConfig.configNameSpace, "RelyingParty");
62 for (int i = 0; i < itemElements.getLength(); i++) {
63 addRelyingParty((Element) itemElements.item(i));
66 verifyDefaultParty(configuration);
70 public void setMetadata(Metadata metadata) {
72 this.metaData = metadata;
75 private IdPConfig getIdPConfig() {
80 protected void verifyDefaultParty(IdPConfig configuration) throws ServiceProviderMapperException {
82 // Verify we have a proper default party
83 String defaultParty = configuration.getDefaultRelyingPartyName();
84 if (defaultParty == null || defaultParty.equals("")) {
85 if (relyingParties.size() != 1) {
87 .error("Default Relying Party not specified. Add a (defaultRelyingParty) attribute to <IdPConfig>.");
88 throw new ServiceProviderMapperException("Required configuration not specified.");
90 log.debug("Only one Relying Party loaded. Using this as the default.");
93 log.debug("Default Relying Party set to: (" + defaultParty + ").");
94 if (!relyingParties.containsKey(defaultParty)) {
95 log.error("Default Relying Party refers to a Relying Party that has not been loaded.");
96 throw new ServiceProviderMapperException("Invalid configuration (Default Relying Party).");
100 protected RelyingParty getRelyingPartyImpl(String providerIdFromSP) {
102 // Null request, send the default
103 if (providerIdFromSP == null) {
104 RelyingParty relyingParty = getDefaultRelyingParty();
105 log.info("Using default Relying Party: (" + relyingParty.getName() + ").");
106 return new UnknownProviderWrapper(relyingParty, providerIdFromSP);
109 // Look for a configuration for the specific relying party
110 if (relyingParties.containsKey(providerIdFromSP)) {
111 log.info("Found Relying Party for (" + providerIdFromSP + ").");
112 return (RelyingParty) relyingParties.get(providerIdFromSP);
115 // Next, check to see if the relying party is in any groups
116 RelyingParty groupParty = findRelyingPartyByGroup(providerIdFromSP);
117 if (groupParty != null) {
118 log.info("Provider is a member of Relying Party (" + groupParty.getName() + ").");
119 return new RelyingPartyGroupWrapper(groupParty, providerIdFromSP);
122 // OK, we can't find it... just send the default
123 RelyingParty relyingParty = getDefaultRelyingParty();
124 log.info("Could not locate Relying Party configuration for (" + providerIdFromSP
125 + "). Using default Relying Party: (" + relyingParty.getName() + ").");
126 return new UnknownProviderWrapper(relyingParty, providerIdFromSP);
129 private RelyingParty findRelyingPartyByGroup(String providerIdFromSP) {
131 if (metaData == null) { return null; }
133 EntityDescriptor provider = metaData.lookup(providerIdFromSP);
134 if (provider != null) {
135 EntitiesDescriptor parent = provider.getEntitiesDescriptor();
136 while (parent != null) {
137 if (parent.getName() != null) {
138 if (relyingParties.containsKey(parent.getName())) {
139 log.info("Found matching Relying Party for group (" + parent.getName() + ").");
140 return (RelyingParty) relyingParties.get(parent.getName());
143 log.debug("Provider is a member of group (" + parent.getName()
144 + "), but no matching Relying Party was found.");
147 parent = parent.getEntitiesDescriptor();
153 public RelyingParty getDefaultRelyingParty() {
155 // If there is no explicit default, pick the single configured Relying
157 String defaultParty = getIdPConfig().getDefaultRelyingPartyName();
158 if (defaultParty == null || defaultParty.equals("")) { return (RelyingParty) relyingParties.values().iterator()
161 // If we do have a default specified, use it...
162 return (RelyingParty) relyingParties.get(defaultParty);
166 * Returns the relying party for a legacy provider(the default)
168 public RelyingParty getLegacyRelyingParty() {
170 RelyingParty relyingParty = getDefaultRelyingParty();
171 log.info("Request is from legacy shib SP. Selecting default Relying Party: (" + relyingParty.getName() + ").");
172 return new LegacyWrapper((RelyingParty) relyingParty);
177 * Returns the appropriate relying party for the supplied service provider id.
179 public RelyingParty getRelyingParty(String providerIdFromSP) {
181 if (providerIdFromSP == null || providerIdFromSP.equals("")) {
182 RelyingParty relyingParty = getDefaultRelyingParty();
183 log.info("Selecting default Relying Party: (" + relyingParty.getName() + ").");
184 return new NoMetadataWrapper((RelyingParty) relyingParty);
187 return (RelyingParty) getRelyingPartyImpl(providerIdFromSP);
190 private void addRelyingParty(Element e) throws ServiceProviderMapperException {
192 log.debug("Found a Relying Party.");
194 if (e.getLocalName().equals("RelyingParty")) {
195 RelyingParty party = new RelyingPartyImpl(e, configuration, credentials, nameMapper);
196 log.debug("Relying Party (" + party.getName() + ") loaded.");
197 relyingParties.put(party.getName(), party);
199 } catch (ServiceProviderMapperException exc) {
200 log.error("Encountered an error while attempting to load Relying Party configuration. Skipping...");
206 * Base relying party implementation.
208 * @author Walter Hoehn
210 protected class RelyingPartyImpl implements RelyingParty {
212 private RelyingPartyIdentityProvider identityProvider;
214 private String overridenIdPProviderId;
215 private URL overridenAAUrl;
216 private URI overridenDefaultAuthMethod;
217 private List mappingIds = new ArrayList();
218 private IdPConfig configuration;
219 private boolean overridenPassThruErrors = false;
220 private boolean passThruIsOverriden = false;
221 private boolean forceAttributePush = false;
222 private boolean forceAttributeNoPush = false;
223 private boolean singleAssertion = false;
224 private boolean defaultToPOST = true;
225 private boolean wantsAssertionsSigned = false;
226 private int preferredArtifactType = 1;
227 private String defaultTarget;
228 private boolean wantsSchemaHack = false;
230 public RelyingPartyImpl(Element partyConfig, IdPConfig globalConfig, Credentials credentials,
231 NameMapper nameMapper) throws ServiceProviderMapperException {
233 configuration = globalConfig;
236 name = ((Element) partyConfig).getAttribute("name");
237 if (name == null || name.equals("")) {
238 log.error("Relying Party name not set. Add a (name) attribute to <RelyingParty>.");
239 throw new ServiceProviderMapperException("Required configuration not specified.");
241 log.debug("Loading Relying Party: (" + name + ").");
243 // Process overrides for global configuration data
244 String attribute = ((Element) partyConfig).getAttribute("providerId");
245 if (attribute != null && !attribute.equals("")) {
246 log.debug("Overriding providerId for Relying Pary (" + name + ") with (" + attribute + ").");
247 overridenIdPProviderId = attribute;
250 attribute = ((Element) partyConfig).getAttribute("AAUrl");
251 if (attribute != null && !attribute.equals("")) {
252 log.debug("Overriding AAUrl for Relying Pary (" + name + ") with (" + attribute + ").");
254 overridenAAUrl = new URL(attribute);
255 } catch (MalformedURLException e) {
256 log.error("(AAUrl) attribute to is not a valid URL.");
257 throw new ServiceProviderMapperException("Configuration is invalid.");
261 attribute = ((Element) partyConfig).getAttribute("defaultAuthMethod");
262 if (attribute != null && !attribute.equals("")) {
263 log.debug("Overriding defaultAuthMethod for Relying Pary (" + name + ") with (" + attribute + ").");
265 overridenDefaultAuthMethod = new URI(attribute);
266 } catch (URISyntaxException e1) {
267 log.error("(defaultAuthMethod) attribute to is not a valid URI.");
268 throw new ServiceProviderMapperException("Configuration is invalid.");
272 attribute = ((Element) partyConfig).getAttribute("passThruErrors");
273 if (attribute != null && !attribute.equals("")) {
274 log.debug("Overriding passThruErrors for Relying Pary (" + name + ") with (" + attribute + ").");
275 overridenPassThruErrors = Boolean.valueOf(attribute).booleanValue();
276 passThruIsOverriden = true;
279 // SSO profile defaulting
280 attribute = ((Element) partyConfig).getAttribute("defaultToPOSTProfile");
281 if (attribute != null && !attribute.equals("")) {
282 defaultToPOST = Boolean.valueOf(attribute).booleanValue();
285 log.debug("Relying party defaults to POST profile.");
287 log.debug("Relying party defaults to Artifact profile.");
290 attribute = ((Element) partyConfig).getAttribute("singleAssertion");
291 if (attribute != null && !attribute.equals("")) {
292 singleAssertion = Boolean.valueOf(attribute).booleanValue();
294 if (singleAssertion) {
295 log.debug("Relying party defaults to a single assertion when pushing attributes.");
297 log.debug("Relying party defaults to multiple assertions when pushing attributes.");
300 // Relying Party wants assertions signed?
301 attribute = ((Element) partyConfig).getAttribute("signAssertions");
302 if (attribute != null && !attribute.equals("")) {
303 wantsAssertionsSigned = Boolean.valueOf(attribute).booleanValue();
305 if (wantsAssertionsSigned) {
306 log.debug("Relying party wants SAML Assertions to be signed.");
308 log.debug("Relying party does not want SAML Assertions to be signed.");
311 // Decide whether or not to use the schema hack for old xerces
312 attribute = ((Element) partyConfig).getAttribute("schemaHack");
313 if (attribute != null && !attribute.equals("")) {
314 wantsSchemaHack = Boolean.valueOf(attribute).booleanValue();
316 if (wantsSchemaHack) {
317 log.debug("XML schema hack enabled for this relying party.");
320 // Set a default target for use in artifact redirects
321 defaultTarget = ((Element) partyConfig).getAttribute("defaultTarget");
323 // Determine whether or not we are forcing attribute push on or off
324 String forcePush = ((Element) partyConfig).getAttribute("forceAttributePush");
325 String forceNoPush = ((Element) partyConfig).getAttribute("forceAttributeNoPush");
327 if (forcePush != null && Boolean.valueOf(forcePush).booleanValue() && forceNoPush != null
328 && Boolean.valueOf(forceNoPush).booleanValue()) {
329 log.error("Invalid configuration: Attribute push is forced to ON and OFF for this relying "
330 + "party. Turning off forcing in favor of profile defaults.");
332 forceAttributePush = Boolean.valueOf(forcePush).booleanValue();
333 forceAttributeNoPush = Boolean.valueOf(forceNoPush).booleanValue();
334 log.debug("Attribute push forcing is set to (" + forceAttributePush + ").");
335 log.debug("No attribute push forcing is set to (" + forceAttributeNoPush + ").");
338 attribute = ((Element) partyConfig).getAttribute("preferredArtifactType");
339 if (attribute != null && !attribute.equals("")) {
340 log.debug("Overriding AAUrl for Relying Pary (" + name + ") with (" + attribute + ").");
342 preferredArtifactType = Integer.parseInt(attribute);
343 } catch (NumberFormatException e) {
344 log.error("(preferredArtifactType) attribute to is not a valid integer.");
345 throw new ServiceProviderMapperException("Configuration is invalid.");
347 log.debug("Preferred artifact type: (" + preferredArtifactType + ").");
350 // Load and verify the name mappings that should be used in
351 // assertions for this RelyingParty
353 NodeList nameIDs = ((Element) partyConfig).getElementsByTagNameNS(IdPConfig.configNameSpace, "NameID");
354 // If no specification. Make sure we have a default mapping
355 if (nameIDs.getLength() < 1) {
356 if (nameMapper.getNameIdentifierMappingById(null) == null) {
357 log.error("Relying Party NameId configuration not set. Add a <NameID> element to <RelyingParty>.");
358 throw new ServiceProviderMapperException("Required configuration not specified.");
363 // We do have a specification, so make sure it points to a
364 // valid Name Mapping
366 for (int i = 0; i < nameIDs.getLength(); i++) {
368 String mappingId = ((Element) nameIDs.item(i)).getAttribute("nameMapping");
369 if (mappingId == null || mappingId.equals("")) {
370 log.error("Name mapping not set. Add a (nameMapping) attribute to <NameID>.");
371 throw new ServiceProviderMapperException("Required configuration not specified.");
374 if (nameMapper.getNameIdentifierMappingById(mappingId) == null) {
375 log.error("Relying Party NameID refers to a name mapping that is not loaded.");
376 throw new ServiceProviderMapperException("Required configuration not specified.");
379 mappingIds.add(mappingId);
383 // Load the credential for signing
384 String credentialName = ((Element) partyConfig).getAttribute("signingCredential");
385 Credential signingCredential = credentials.getCredential(credentialName);
386 if (signingCredential == null) {
387 if (credentialName == null || credentialName.equals("")) {
388 log.error("Relying Party credential not set. Add a (signingCredential) "
389 + "attribute to <RelyingParty>.");
390 throw new ServiceProviderMapperException("Required configuration not specified.");
392 log.error("Relying Party credential invalid. Fix the (signingCredential) attribute "
393 + "on <RelyingParty>.");
394 throw new ServiceProviderMapperException("Required configuration is invalid.");
399 // Initialize and Identity Provider object for this use by this relying party
400 identityProvider = new RelyingPartyIdentityProvider(overridenIdPProviderId != null
401 ? overridenIdPProviderId
402 : configuration.getProviderId(), signingCredential);
406 public String getProviderId() {
411 public String getName() {
416 public IdentityProvider getIdentityProvider() {
418 return identityProvider;
421 public boolean isLegacyProvider() {
426 public String[] getNameMapperIds() {
428 return (String[]) mappingIds.toArray(new String[0]);
431 public URI getDefaultAuthMethod() {
433 if (overridenDefaultAuthMethod != null) {
434 return overridenDefaultAuthMethod;
436 return configuration.getDefaultAuthMethod();
440 public URL getAAUrl() {
442 if (overridenAAUrl != null) {
443 return overridenAAUrl;
445 return configuration.getAAUrl();
449 public boolean passThruErrors() {
451 if (passThruIsOverriden) {
452 return overridenPassThruErrors;
454 return configuration.passThruErrors();
458 public boolean forceAttributePush() {
460 return forceAttributePush;
463 public boolean forceAttributeNoPush() {
465 return forceAttributeNoPush;
468 public boolean singleAssertion() {
469 return singleAssertion;
472 public boolean defaultToPOSTProfile() {
474 return defaultToPOST;
477 public boolean wantsAssertionsSigned() {
479 return wantsAssertionsSigned;
482 public int getPreferredArtifactType() {
484 return preferredArtifactType;
487 public String getDefaultTarget() {
489 return defaultTarget;
492 public boolean wantsSchemaHack() {
494 return wantsSchemaHack;
498 * Default identity provider implementation.
500 * @author Walter Hoehn
502 protected class RelyingPartyIdentityProvider implements IdentityProvider {
504 private String providerId;
505 private Credential credential;
507 public RelyingPartyIdentityProvider(String providerId, Credential credential) {
509 this.providerId = providerId;
510 this.credential = credential;
514 * @see edu.internet2.middleware.shibboleth.common.IdentityProvider#getProviderId()
516 public String getProviderId() {
522 * @see edu.internet2.middleware.shibboleth.common.IdentityProvider#getSigningCredential()
524 public Credential getSigningCredential() {
532 * Relying party implementation wrapper for relying parties that are groups.
534 * @author Walter Hoehn
536 class RelyingPartyGroupWrapper implements RelyingParty {
538 private RelyingParty wrapped;
539 private String providerId;
541 RelyingPartyGroupWrapper(RelyingParty wrapped, String providerId) {
543 this.wrapped = wrapped;
544 this.providerId = providerId;
547 public String getName() {
549 return wrapped.getName();
552 public boolean isLegacyProvider() {
557 public IdentityProvider getIdentityProvider() {
559 return wrapped.getIdentityProvider();
562 public String getProviderId() {
567 public String[] getNameMapperIds() {
569 return wrapped.getNameMapperIds();
572 public URL getAAUrl() {
574 return wrapped.getAAUrl();
577 public URI getDefaultAuthMethod() {
579 return wrapped.getDefaultAuthMethod();
582 public boolean passThruErrors() {
584 return wrapped.passThruErrors();
587 public boolean forceAttributePush() {
589 return wrapped.forceAttributePush();
592 public boolean forceAttributeNoPush() {
594 return wrapped.forceAttributeNoPush();
597 public boolean singleAssertion() {
599 return wrapped.singleAssertion();
602 public boolean defaultToPOSTProfile() {
604 return wrapped.defaultToPOSTProfile();
607 public boolean wantsAssertionsSigned() {
609 return wrapped.wantsAssertionsSigned();
612 public int getPreferredArtifactType() {
614 return wrapped.getPreferredArtifactType();
617 public String getDefaultTarget() {
619 return wrapped.getDefaultTarget();
622 public boolean wantsSchemaHack() {
624 return wrapped.wantsSchemaHack();
629 * Relying party implementation wrapper for anonymous service providers.
631 * @author Walter Hoehn
633 protected class UnknownProviderWrapper implements RelyingParty {
635 protected RelyingParty wrapped;
636 protected String providerId;
638 protected UnknownProviderWrapper(RelyingParty wrapped, String providerId) {
640 this.wrapped = wrapped;
641 this.providerId = providerId;
644 public String getName() {
646 return wrapped.getName();
649 public IdentityProvider getIdentityProvider() {
651 return wrapped.getIdentityProvider();
654 public String getProviderId() {
659 public String[] getNameMapperIds() {
661 return wrapped.getNameMapperIds();
664 public boolean isLegacyProvider() {
666 return wrapped.isLegacyProvider();
669 public URL getAAUrl() {
671 return wrapped.getAAUrl();
674 public URI getDefaultAuthMethod() {
676 return wrapped.getDefaultAuthMethod();
679 public boolean passThruErrors() {
681 return wrapped.passThruErrors();
684 public boolean forceAttributePush() {
689 public boolean forceAttributeNoPush() {
694 public boolean singleAssertion() {
699 public boolean defaultToPOSTProfile() {
704 public boolean wantsAssertionsSigned() {
706 return wrapped.wantsAssertionsSigned();
709 public int getPreferredArtifactType() {
711 return wrapped.getPreferredArtifactType();
714 public String getDefaultTarget() {
716 return wrapped.getDefaultTarget();
719 public boolean wantsSchemaHack() {
721 return wrapped.wantsSchemaHack();
726 * Relying party wrapper for Shibboleth <=1.1 service providers.
728 * @author Walter Hoehn
730 class LegacyWrapper extends UnknownProviderWrapper implements RelyingParty {
732 LegacyWrapper(RelyingParty wrapped) {
734 super(wrapped, null);
737 public boolean isLegacyProvider() {
742 public String[] getNameMapperIds() {
744 return ((RelyingParty) wrapped).getNameMapperIds();
747 public URL getAAUrl() {
749 return ((RelyingParty) wrapped).getAAUrl();
752 public URI getDefaultAuthMethod() {
754 return ((RelyingParty) wrapped).getDefaultAuthMethod();
759 * Relying party wrapper for providers for which we have no metadata
761 * @author Walter Hoehn
763 class NoMetadataWrapper extends UnknownProviderWrapper implements RelyingParty {
765 NoMetadataWrapper(RelyingParty wrapped) {
767 super(wrapped, null);
770 public String[] getNameMapperIds() {
772 return ((RelyingParty) wrapped).getNameMapperIds();
775 public URL getAAUrl() {
777 return ((RelyingParty) wrapped).getAAUrl();
780 public URI getDefaultAuthMethod() {
782 return ((RelyingParty) wrapped).getDefaultAuthMethod();