src/edu/internet2/middleware/shibboleth/idp/profile/saml2/SSOProfileHandler.java

   1 /*
   2  * Copyright [2007] [University Corporation for Advanced Internet Development, Inc.]
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  * http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 package edu.internet2.middleware.shibboleth.idp.profile.saml2;
  18
  19 import java.io.IOException;
  20 import java.util.ArrayList;
  21
  22 import javax.servlet.RequestDispatcher;
  23 import javax.servlet.ServletException;
  24 import javax.servlet.http.HttpServletRequest;
  25
  26 import org.opensaml.common.SAMLObjectBuilder;
  27 import org.opensaml.common.binding.decoding.SAMLMessageDecoder;
  28 import org.opensaml.common.xml.SAMLConstants;
  29 import org.opensaml.saml2.binding.AuthnResponseEndpointSelector;
  30 import org.opensaml.saml2.core.AttributeStatement;
  31 import org.opensaml.saml2.core.AuthnContext;
  32 import org.opensaml.saml2.core.AuthnContextClassRef;
  33 import org.opensaml.saml2.core.AuthnContextDeclRef;
  34 import org.opensaml.saml2.core.AuthnRequest;
  35 import org.opensaml.saml2.core.AuthnStatement;
  36 import org.opensaml.saml2.core.RequestedAuthnContext;
  37 import org.opensaml.saml2.core.Response;
  38 import org.opensaml.saml2.core.Statement;
  39 import org.opensaml.saml2.core.StatusCode;
  40 import org.opensaml.saml2.core.Subject;
  41 import org.opensaml.saml2.core.SubjectLocality;
  42 import org.opensaml.saml2.metadata.AssertionConsumerService;
  43 import org.opensaml.saml2.metadata.Endpoint;
  44 import org.opensaml.saml2.metadata.EntityDescriptor;
  45 import org.opensaml.saml2.metadata.IDPSSODescriptor;
  46 import org.opensaml.saml2.metadata.SPSSODescriptor;
  47 import org.opensaml.ws.message.decoder.MessageDecodingException;
  48 import org.opensaml.ws.transport.http.HTTPInTransport;
  49 import org.opensaml.ws.transport.http.HTTPOutTransport;
  50 import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
  51 import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
  52 import org.opensaml.xml.io.MarshallingException;
  53 import org.opensaml.xml.io.UnmarshallingException;
  54 import org.opensaml.xml.security.SecurityException;
  55 import org.opensaml.xml.util.DatatypeHelper;
  56 import org.slf4j.Logger;
  57 import org.slf4j.LoggerFactory;
  58
  59 import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
  60 import edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext;
  61 import edu.internet2.middleware.shibboleth.common.relyingparty.ProfileConfiguration;
  62 import edu.internet2.middleware.shibboleth.common.relyingparty.RelyingPartyConfiguration;
  63 import edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml2.SSOConfiguration;
  64 import edu.internet2.middleware.shibboleth.common.util.HttpHelper;
  65 import edu.internet2.middleware.shibboleth.idp.authn.LoginContext;
  66 import edu.internet2.middleware.shibboleth.idp.authn.PassiveAuthenticationException;
  67 import edu.internet2.middleware.shibboleth.idp.authn.Saml2LoginContext;
  68 import edu.internet2.middleware.shibboleth.idp.session.Session;
  69
  70 /** SAML 2.0 SSO request profile handler. */
  71 public class SSOProfileHandler extends AbstractSAML2ProfileHandler {
  72
  73     /** Class logger. */
  74     private final Logger log = LoggerFactory.getLogger(SSOProfileHandler.class);
  75
  76     /** Builder of AuthnStatement objects. */
  77     private SAMLObjectBuilder<AuthnStatement> authnStatementBuilder;
  78
  79     /** Builder of AuthnContext objects. */
  80     private SAMLObjectBuilder<AuthnContext> authnContextBuilder;
  81
  82     /** Builder of AuthnContextClassRef objects. */
  83     private SAMLObjectBuilder<AuthnContextClassRef> authnContextClassRefBuilder;
  84
  85     /** Builder of AuthnContextDeclRef objects. */
  86     private SAMLObjectBuilder<AuthnContextDeclRef> authnContextDeclRefBuilder;
  87
  88     /** Builder of SubjectLocality objects. */
  89     private SAMLObjectBuilder<SubjectLocality> subjectLocalityBuilder;
  90
  91     /** URL of the authentication manager servlet. */
  92     private String authenticationManagerPath;
  93
  94     /**
  95      * Constructor.
  96      *
  97      * @param authnManagerPath path to the authentication manager servlet
  98      */
  99     @SuppressWarnings("unchecked")
 100     public SSOProfileHandler(String authnManagerPath) {
 101         super();
 102
 103         authenticationManagerPath = authnManagerPath;
 104
 105         authnStatementBuilder = (SAMLObjectBuilder<AuthnStatement>) getBuilderFactory().getBuilder(
 106                 AuthnStatement.DEFAULT_ELEMENT_NAME);
 107         authnContextBuilder = (SAMLObjectBuilder<AuthnContext>) getBuilderFactory().getBuilder(
 108                 AuthnContext.DEFAULT_ELEMENT_NAME);
 109         authnContextClassRefBuilder = (SAMLObjectBuilder<AuthnContextClassRef>) getBuilderFactory().getBuilder(
 110                 AuthnContextClassRef.DEFAULT_ELEMENT_NAME);
 111         authnContextDeclRefBuilder = (SAMLObjectBuilder<AuthnContextDeclRef>) getBuilderFactory().getBuilder(
 112                 AuthnContextDeclRef.DEFAULT_ELEMENT_NAME);
 113         subjectLocalityBuilder = (SAMLObjectBuilder<SubjectLocality>) getBuilderFactory().getBuilder(
 114                 SubjectLocality.DEFAULT_ELEMENT_NAME);
 115     }
 116
 117     /** {@inheritDoc} */
 118     public String getProfileId() {
 119         return SSOConfiguration.PROFILE_ID;
 120     }
 121
 122     /** {@inheritDoc} */
 123     public void processRequest(HTTPInTransport inTransport, HTTPOutTransport outTransport) throws ProfileException {
 124         HttpServletRequest servletRequest = ((HttpServletRequestAdapter) inTransport).getWrappedRequest();
 125
 126         LoginContext loginContext = (LoginContext) servletRequest.getAttribute(LoginContext.LOGIN_CONTEXT_KEY);
 127         if (loginContext == null) {
 128             log.debug("Incoming request does not contain a login context, processing as first leg of request");
 129             performAuthentication(inTransport, outTransport);
 130         } else {
 131             log.debug("Incoming request contains a login context, processing as second leg of request");
 132             completeAuthenticationRequest(inTransport, outTransport);
 133         }
 134     }
 135
 136     /**
 137      * Creates a {@link Saml2LoginContext} an sends the request off to the AuthenticationManager to begin the process of
 138      * authenticating the user.
 139      *
 140      * @param inTransport inbound request transport
 141      * @param outTransport outbound response transport
 142      *
 143      * @throws ProfileException thrown if there is a problem creating the login context and transferring control to the
 144      *             authentication manager
 145      */
 146     protected void performAuthentication(HTTPInTransport inTransport, HTTPOutTransport outTransport)
 147             throws ProfileException {
 148         HttpServletRequest servletRequest = ((HttpServletRequestAdapter) inTransport).getWrappedRequest();
 149
 150         try {
 151             SSORequestContext requestContext = decodeRequest(inTransport, outTransport);
 152
 153             String relyingPartyId = requestContext.getInboundMessageIssuer();
 154             RelyingPartyConfiguration rpConfig = getRelyingPartyConfiguration(relyingPartyId);
 155             ProfileConfiguration ssoConfig = rpConfig.getProfileConfiguration(SSOConfiguration.PROFILE_ID);
 156             if (ssoConfig == null) {
 157                 log.error("SAML 2 SSO profile is not configured for relying party "
 158                         + requestContext.getInboundMessageIssuer());
 159                 throw new ProfileException("SAML 2 SSO profile is not configured for relying party "
 160                         + requestContext.getInboundMessageIssuer());
 161             }
 162
 163             log.debug("Creating login context and transferring control to authentication engine");
 164             Saml2LoginContext loginContext = new Saml2LoginContext(relyingPartyId, requestContext.getRelayState(),
 165                     requestContext.getInboundSAMLMessage());
 166             loginContext.setAuthenticationEngineURL(authenticationManagerPath);
 167             loginContext.setProfileHandlerURL(HttpHelper.getRequestUriWithoutContext(servletRequest));
 168             if (loginContext.getRequestedAuthenticationMethods().size() == 0) {
 169                 loginContext.getRequestedAuthenticationMethods().add(rpConfig.getDefaultAuthenticationMethod());
 170             }
 171
 172             servletRequest.setAttribute(Saml2LoginContext.LOGIN_CONTEXT_KEY, loginContext);
 173             RequestDispatcher dispatcher = servletRequest.getRequestDispatcher(authenticationManagerPath);
 174             dispatcher.forward(servletRequest, ((HttpServletResponseAdapter) outTransport).getWrappedResponse());
 175         } catch (MarshallingException e) {
 176             log.error("Unable to marshall authentication request context");
 177             throw new ProfileException("Unable to marshall authentication request context", e);
 178         } catch (IOException ex) {
 179             log.error("Error forwarding SAML 2 AuthnRequest to AuthenticationManager", ex);
 180             throw new ProfileException("Error forwarding SAML 2 AuthnRequest to AuthenticationManager", ex);
 181         } catch (ServletException ex) {
 182             log.error("Error forwarding SAML 2 AuthnRequest to AuthenticationManager", ex);
 183             throw new ProfileException("Error forwarding SAML 2 AuthnRequest to AuthenticationManager", ex);
 184         }
 185     }
 186
 187     /**
 188      * Creates a response to the {@link AuthnRequest} and sends the user, with response in tow, back to the relying
 189      * party after they've been authenticated.
 190      *
 191      * @param inTransport inbound message transport
 192      * @param outTransport outbound message transport
 193      *
 194      * @throws ProfileException thrown if the response can not be created and sent back to the relying party
 195      */
 196     protected void completeAuthenticationRequest(HTTPInTransport inTransport, HTTPOutTransport outTransport)
 197             throws ProfileException {
 198         HttpServletRequest servletRequest = ((HttpServletRequestAdapter) inTransport).getWrappedRequest();
 199
 200         Saml2LoginContext loginContext = (Saml2LoginContext) servletRequest
 201                 .getAttribute(LoginContext.LOGIN_CONTEXT_KEY);
 202         SSORequestContext requestContext = buildRequestContext(loginContext, inTransport, outTransport);
 203
 204         checkSamlVersion(requestContext);
 205
 206         Response samlResponse;
 207         try {
 208             if (loginContext.getAuthenticationFailure() != null) {
 209                 log.error("User authentication failed with the following error: {}", loginContext
 210                         .getAuthenticationFailure().toString());
 211
 212                 if (loginContext.getAuthenticationFailure() instanceof PassiveAuthenticationException) {
 213                     requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, StatusCode.NO_PASSIVE_URI,
 214                             null));
 215                 } else {
 216                     requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, StatusCode.AUTHN_FAILED_URI,
 217                             null));
 218                 }
 219                 throw new ProfileException("Authentication failure", loginContext.getAuthenticationFailure());
 220             }
 221
 222             if (requestContext.getSubjectNameIdentifier() != null) {
 223                 log
 224                         .debug("Authentication request contained a subject with a name identifier, resolving principal from NameID");
 225                 resolvePrincipal(requestContext);
 226                 String requestedPrincipalName = requestContext.getPrincipalName();
 227                 if (!DatatypeHelper.safeEquals(loginContext.getPrincipalName(), requestedPrincipalName)) {
 228                     log
 229                             .error(
 230                                     "Authentication request identified principal {} but authentication mechanism identified principal {}",
 231                                     requestedPrincipalName, loginContext.getPrincipalName());
 232                     requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, StatusCode.AUTHN_FAILED_URI,
 233                             null));
 234                     throw new ProfileException("User failed authentication");
 235                 }
 236             }
 237
 238             resolveAttributes(requestContext);
 239
 240             ArrayList<Statement> statements = new ArrayList<Statement>();
 241             statements.add(buildAuthnStatement(requestContext));
 242             if (requestContext.getProfileConfiguration().includeAttributeStatement()) {
 243                 AttributeStatement attributeStatement = buildAttributeStatement(requestContext);
 244                 if (attributeStatement != null) {
 245                     requestContext.setRequestedAttributes(requestContext.getAttributes().keySet());
 246                     statements.add(attributeStatement);
 247                 }
 248             }
 249
 250             samlResponse = buildResponse(requestContext, "urn:oasis:names:tc:SAML:2.0:cm:bearer", statements);
 251         } catch (ProfileException e) {
 252             samlResponse = buildErrorResponse(requestContext);
 253         }
 254
 255         requestContext.setOutboundSAMLMessage(samlResponse);
 256         requestContext.setOutboundSAMLMessageId(samlResponse.getID());
 257         requestContext.setOutboundSAMLMessageIssueInstant(samlResponse.getIssueInstant());
 258         encodeResponse(requestContext);
 259         writeAuditLogEntry(requestContext);
 260     }
 261
 262     /**
 263      * Decodes an incoming request and stores the information in a created request context.
 264      *
 265      * @param inTransport inbound transport
 266      * @param outTransport outbound transport
 267      *
 268      * @return request context with decoded information
 269      *
 270      * @throws ProfileException thrown if the incoming message failed decoding
 271      */
 272     protected SSORequestContext decodeRequest(HTTPInTransport inTransport, HTTPOutTransport outTransport)
 273             throws ProfileException {
 274         log.debug("Decoding message with decoder binding {}", getInboundBinding());
 275         SSORequestContext requestContext = new SSORequestContext();
 276         requestContext.setMetadataProvider(getMetadataProvider());
 277         requestContext.setSecurityPolicyResolver(getSecurityPolicyResolver());
 278
 279         requestContext.setCommunicationProfileId(SSOConfiguration.PROFILE_ID);
 280         requestContext.setInboundMessageTransport(inTransport);
 281         requestContext.setInboundSAMLProtocol(SAMLConstants.SAML20P_NS);
 282         requestContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
 283
 284         requestContext.setOutboundMessageTransport(outTransport);
 285         requestContext.setOutboundSAMLProtocol(SAMLConstants.SAML20P_NS);
 286
 287         try {
 288             SAMLMessageDecoder decoder = getMessageDecoders().get(getInboundBinding());
 289             requestContext.setMessageDecoder(decoder);
 290             decoder.decode(requestContext);
 291             log.debug("Decoded request");
 292
 293             if (!(requestContext.getInboundMessage() instanceof AuthnRequest)) {
 294                 log.error("Incomming message was not a AuthnRequest, it was a {}", requestContext.getInboundMessage()
 295                         .getClass().getName());
 296                 requestContext.setFailureStatus(buildStatus(StatusCode.REQUESTER_URI, null,
 297                         "Invalid SAML AuthnRequest message."));
 298                 throw new ProfileException("Invalid SAML AuthnRequest message.");
 299             }
 300
 301             return requestContext;
 302         } catch (MessageDecodingException e) {
 303             log.error("Error decoding authentication request message", e);
 304             throw new ProfileException("Error decoding authentication request message", e);
 305         } catch (SecurityException e) {
 306             log.error("Message did not meet security requirements", e);
 307             throw new ProfileException("Message did not meet security requirements", e);
 308         }
 309     }
 310
 311     /**
 312      * Creates an authentication request context from the current environmental information.
 313      *
 314      * @param loginContext current login context
 315      * @param in inbound transport
 316      * @param out outbount transport
 317      *
 318      * @return created authentication request context
 319      *
 320      * @throws ProfileException thrown if there is a problem creating the context
 321      */
 322     protected SSORequestContext buildRequestContext(Saml2LoginContext loginContext, HTTPInTransport in,
 323             HTTPOutTransport out) throws ProfileException {
 324         SSORequestContext requestContext = new SSORequestContext();
 325
 326         requestContext.setMessageDecoder(getMessageDecoders().get(getInboundBinding()));
 327
 328         requestContext.setLoginContext(loginContext);
 329
 330         requestContext.setInboundMessageTransport(in);
 331         requestContext.setInboundSAMLProtocol(SAMLConstants.SAML20P_NS);
 332
 333         requestContext.setOutboundMessageTransport(out);
 334         requestContext.setOutboundSAMLProtocol(SAMLConstants.SAML20P_NS);
 335
 336         requestContext.setMetadataProvider(getMetadataProvider());
 337
 338         String relyingPartyId = loginContext.getRelyingPartyId();
 339         requestContext.setPeerEntityId(relyingPartyId);
 340         requestContext.setInboundMessageIssuer(relyingPartyId);
 341
 342         populateSAMLMessageInformation(requestContext);
 343         populateRequestContext(requestContext);
 344         populateProfileInformation(requestContext);
 345
 346         return requestContext;
 347     }
 348
 349     /** {@inheritDoc} */
 350     protected void populateRelyingPartyInformation(BaseSAMLProfileRequestContext requestContext)
 351             throws ProfileException {
 352         super.populateRelyingPartyInformation(requestContext);
 353
 354         EntityDescriptor relyingPartyMetadata = requestContext.getPeerEntityMetadata();
 355         if (relyingPartyMetadata != null) {
 356             requestContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
 357             requestContext.setPeerEntityRoleMetadata(relyingPartyMetadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS));
 358         }
 359     }
 360
 361     /** {@inheritDoc} */
 362     protected void populateAssertingPartyInformation(BaseSAMLProfileRequestContext requestContext)
 363             throws ProfileException {
 364         super.populateAssertingPartyInformation(requestContext);
 365
 366         EntityDescriptor localEntityDescriptor = requestContext.getLocalEntityMetadata();
 367         if (localEntityDescriptor != null) {
 368             requestContext.setLocalEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
 369             requestContext.setLocalEntityRoleMetadata(localEntityDescriptor
 370                     .getIDPSSODescriptor(SAMLConstants.SAML20P_NS));
 371         }
 372     }
 373
 374     /**
 375      * Populates the request context with information from the inbound SAML message.
 376      *
 377      * This method requires the the following request context properties to be populated: login context
 378      *
 379      * This methods populates the following request context properties: inbound saml message, relay state, inbound saml
 380      * message ID, subject name identifier
 381      *
 382      * @param requestContext current request context
 383      *
 384      * @throws ProfileException thrown if the inbound SAML message or subject identifier is null
 385      */
 386     protected void populateSAMLMessageInformation(BaseSAMLProfileRequestContext requestContext) throws ProfileException {
 387         SSORequestContext ssoRequestContext = (SSORequestContext) requestContext;
 388         try {
 389             Saml2LoginContext loginContext = ssoRequestContext.getLoginContext();
 390             requestContext.setRelayState(loginContext.getRelayState());
 391
 392             AuthnRequest authnRequest = loginContext.getAuthenticationRequest();
 393             requestContext.setInboundMessage(authnRequest);
 394             requestContext.setInboundSAMLMessage(loginContext.getAuthenticationRequest());
 395             requestContext.setInboundSAMLMessageId(loginContext.getAuthenticationRequest().getID());
 396
 397             Subject authnSubject = authnRequest.getSubject();
 398             if (authnSubject != null) {
 399                 requestContext.setSubjectNameIdentifier(authnSubject.getNameID());
 400             }
 401         } catch (UnmarshallingException e) {
 402             log.error("Unable to unmarshall authentication request context");
 403             ssoRequestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, null,
 404                     "Error recovering request state"));
 405             throw new ProfileException("Error recovering request state", e);
 406         }
 407     }
 408
 409     /**
 410      * Creates an authentication statement for the current request.
 411      *
 412      * @param requestContext current request context
 413      *
 414      * @return constructed authentication statement
 415      */
 416     protected AuthnStatement buildAuthnStatement(SSORequestContext requestContext) {
 417         Saml2LoginContext loginContext = requestContext.getLoginContext();
 418
 419         AuthnContext authnContext = buildAuthnContext(requestContext);
 420
 421         AuthnStatement statement = authnStatementBuilder.buildObject();
 422         statement.setAuthnContext(authnContext);
 423         statement.setAuthnInstant(loginContext.getAuthenticationInstant());
 424
 425         Session session = getUserSession(requestContext.getInboundMessageTransport());
 426         if (session != null) {
 427             statement.setSessionIndex(session.getSessionID());
 428         }
 429
 430         if (loginContext.getAuthenticationDuration() > 0) {
 431             statement.setSessionNotOnOrAfter(loginContext.getAuthenticationInstant().plus(
 432                     loginContext.getAuthenticationDuration()));
 433         }
 434
 435         statement.setSubjectLocality(buildSubjectLocality(requestContext));
 436
 437         return statement;
 438     }
 439
 440     /**
 441      * Creates an {@link AuthnContext} for a succesful authentication request.
 442      *
 443      * @param requestContext current request
 444      *
 445      * @return the built authn context
 446      */
 447     protected AuthnContext buildAuthnContext(SSORequestContext requestContext) {
 448         AuthnContext authnContext = authnContextBuilder.buildObject();
 449
 450         Saml2LoginContext loginContext = requestContext.getLoginContext();
 451         AuthnRequest authnRequest = requestContext.getInboundSAMLMessage();
 452         RequestedAuthnContext requestedAuthnContext = authnRequest.getRequestedAuthnContext();
 453         if (requestedAuthnContext != null) {
 454             if (requestedAuthnContext.getAuthnContextClassRefs() != null) {
 455                 for (AuthnContextClassRef classRef : requestedAuthnContext.getAuthnContextClassRefs()) {
 456                     if (classRef.getAuthnContextClassRef().equals(loginContext.getAuthenticationMethod())) {
 457                         AuthnContextClassRef ref = authnContextClassRefBuilder.buildObject();
 458                         ref.setAuthnContextClassRef(loginContext.getAuthenticationMethod());
 459                         authnContext.setAuthnContextClassRef(ref);
 460                     }
 461                 }
 462             } else if (requestedAuthnContext.getAuthnContextDeclRefs() != null) {
 463                 for (AuthnContextDeclRef declRef : requestedAuthnContext.getAuthnContextDeclRefs()) {
 464                     if (declRef.getAuthnContextDeclRef().equals(loginContext.getAuthenticationMethod())) {
 465                         AuthnContextDeclRef ref = authnContextDeclRefBuilder.buildObject();
 466                         ref.setAuthnContextDeclRef(loginContext.getAuthenticationMethod());
 467                         authnContext.setAuthnContextDeclRef(ref);
 468                     }
 469                 }
 470             }
 471         } else {
 472             AuthnContextDeclRef ref = authnContextDeclRefBuilder.buildObject();
 473             ref.setAuthnContextDeclRef(loginContext.getAuthenticationMethod());
 474             authnContext.setAuthnContextDeclRef(ref);
 475         }
 476
 477         return authnContext;
 478     }
 479
 480     /**
 481      * Constructs the subject locality for the authentication statement.
 482      *
 483      * @param requestContext curent request context
 484      *
 485      * @return subject locality for the authentication statement
 486      */
 487     protected SubjectLocality buildSubjectLocality(SSORequestContext requestContext) {
 488         HTTPInTransport transport = (HTTPInTransport) requestContext.getInboundMessageTransport();
 489         SubjectLocality subjectLocality = subjectLocalityBuilder.buildObject();
 490         subjectLocality.setAddress(transport.getPeerAddress());
 491
 492         return subjectLocality;
 493     }
 494
 495     /**
 496      * Selects the appropriate endpoint for the relying party and stores it in the request context.
 497      *
 498      * @param requestContext current request context
 499      *
 500      * @return Endpoint selected from the information provided in the request context
 501      */
 502     protected Endpoint selectEndpoint(BaseSAMLProfileRequestContext requestContext) {
 503         AuthnResponseEndpointSelector endpointSelector = new AuthnResponseEndpointSelector();
 504         endpointSelector.setEndpointType(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
 505         endpointSelector.setMetadataProvider(getMetadataProvider());
 506         endpointSelector.setEntityMetadata(requestContext.getPeerEntityMetadata());
 507         endpointSelector.setEntityRoleMetadata(requestContext.getPeerEntityRoleMetadata());
 508         endpointSelector.setSamlRequest(requestContext.getInboundSAMLMessage());
 509         endpointSelector.getSupportedIssuerBindings().addAll(getSupportedOutboundBindings());
 510         return endpointSelector.selectEndpoint();
 511     }
 512
 513     /** Represents the internal state of a SAML 2.0 SSO Request while it's being processed by the IdP. */
 514     protected class SSORequestContext extends BaseSAML2ProfileRequestContext<AuthnRequest, Response, SSOConfiguration> {
 515
 516         /** Current login context. */
 517         private Saml2LoginContext loginContext;
 518
 519         /**
 520          * Gets the current login context.
 521          *
 522          * @return current login context
 523          */
 524         public Saml2LoginContext getLoginContext() {
 525             return loginContext;
 526         }
 527
 528         /**
 529          * Sets the current login context.
 530          *
 531          * @param context current login context
 532          */
 533         public void setLoginContext(Saml2LoginContext context) {
 534             loginContext = context;
 535         }
 536     }
 537 }