d656df67d4eab78ff5107c1a0d13ece8e0e03e52
[java-idp.git] / src / main / java / edu / internet2 / middleware / shibboleth / idp / profile / saml2 / SSOProfileHandler.java
1 /*
2  * Copyright 2007 University Corporation for Advanced Internet Development, Inc.
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16
17 package edu.internet2.middleware.shibboleth.idp.profile.saml2;
18
19 import java.io.IOException;
20 import java.io.StringReader;
21 import java.util.ArrayList;
22
23 import javax.servlet.ServletContext;
24 import javax.servlet.http.HttpServletRequest;
25 import javax.servlet.http.HttpServletResponse;
26
27 import org.joda.time.DateTime;
28 import org.joda.time.DateTimeZone;
29 import org.opensaml.Configuration;
30 import org.opensaml.common.SAMLObjectBuilder;
31 import org.opensaml.common.binding.decoding.SAMLMessageDecoder;
32 import org.opensaml.common.xml.SAMLConstants;
33 import org.opensaml.saml2.binding.AuthnResponseEndpointSelector;
34 import org.opensaml.saml2.core.AttributeStatement;
35 import org.opensaml.saml2.core.AuthnContext;
36 import org.opensaml.saml2.core.AuthnContextClassRef;
37 import org.opensaml.saml2.core.AuthnContextDeclRef;
38 import org.opensaml.saml2.core.AuthnRequest;
39 import org.opensaml.saml2.core.AuthnStatement;
40 import org.opensaml.saml2.core.NameID;
41 import org.opensaml.saml2.core.NameIDPolicy;
42 import org.opensaml.saml2.core.RequestedAuthnContext;
43 import org.opensaml.saml2.core.Response;
44 import org.opensaml.saml2.core.Statement;
45 import org.opensaml.saml2.core.StatusCode;
46 import org.opensaml.saml2.core.Subject;
47 import org.opensaml.saml2.core.SubjectLocality;
48 import org.opensaml.saml2.metadata.AffiliateMember;
49 import org.opensaml.saml2.metadata.AffiliationDescriptor;
50 import org.opensaml.saml2.metadata.AssertionConsumerService;
51 import org.opensaml.saml2.metadata.Endpoint;
52 import org.opensaml.saml2.metadata.EntityDescriptor;
53 import org.opensaml.saml2.metadata.IDPSSODescriptor;
54 import org.opensaml.saml2.metadata.SPSSODescriptor;
55 import org.opensaml.saml2.metadata.provider.MetadataProviderException;
56 import org.opensaml.ws.message.decoder.MessageDecodingException;
57 import org.opensaml.ws.transport.http.HTTPInTransport;
58 import org.opensaml.ws.transport.http.HTTPOutTransport;
59 import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
60 import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
61 import org.opensaml.xml.io.MarshallingException;
62 import org.opensaml.xml.io.Unmarshaller;
63 import org.opensaml.xml.io.UnmarshallingException;
64 import org.opensaml.xml.security.SecurityException;
65 import org.opensaml.xml.util.DatatypeHelper;
66 import org.slf4j.Logger;
67 import org.slf4j.LoggerFactory;
68 import org.w3c.dom.Element;
69
70 import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
71 import edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext;
72 import edu.internet2.middleware.shibboleth.common.relyingparty.ProfileConfiguration;
73 import edu.internet2.middleware.shibboleth.common.relyingparty.RelyingPartyConfiguration;
74 import edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager;
75 import edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml2.SSOConfiguration;
76 import edu.internet2.middleware.shibboleth.common.util.HttpHelper;
77 import edu.internet2.middleware.shibboleth.idp.authn.PassiveAuthenticationException;
78 import edu.internet2.middleware.shibboleth.idp.authn.Saml2LoginContext;
79 import edu.internet2.middleware.shibboleth.idp.authn.LoginContext;
80 import edu.internet2.middleware.shibboleth.idp.session.Session;
81 import edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper;
82
83 /** SAML 2.0 SSO request profile handler. */
84 public class SSOProfileHandler extends AbstractSAML2ProfileHandler {
85
86     /** Class logger. */
87     private final Logger log = LoggerFactory.getLogger(SSOProfileHandler.class);
88
89     /** Builder of AuthnStatement objects. */
90     private SAMLObjectBuilder<AuthnStatement> authnStatementBuilder;
91
92     /** Builder of AuthnContext objects. */
93     private SAMLObjectBuilder<AuthnContext> authnContextBuilder;
94
95     /** Builder of AuthnContextClassRef objects. */
96     private SAMLObjectBuilder<AuthnContextClassRef> authnContextClassRefBuilder;
97
98     /** Builder of AuthnContextDeclRef objects. */
99     private SAMLObjectBuilder<AuthnContextDeclRef> authnContextDeclRefBuilder;
100
101     /** Builder of SubjectLocality objects. */
102     private SAMLObjectBuilder<SubjectLocality> subjectLocalityBuilder;
103
104     /** Builder of Endpoint objects. */
105     private SAMLObjectBuilder<Endpoint> endpointBuilder;
106
107     /** URL of the authentication manager Servlet. */
108     private String authenticationManagerPath;
109
110     /**
111      * Constructor.
112      * 
113      * @param authnManagerPath path to the authentication manager Servlet
114      */
115     @SuppressWarnings("unchecked")
116     public SSOProfileHandler(String authnManagerPath) {
117         super();
118
119         if (DatatypeHelper.isEmpty(authnManagerPath)) {
120             throw new IllegalArgumentException("Authentication manager path may not be null");
121         }
122         if (authnManagerPath.startsWith("/")) {
123             authenticationManagerPath = authnManagerPath;
124         } else {
125             authenticationManagerPath = "/" + authnManagerPath;
126         }
127
128         authnStatementBuilder = (SAMLObjectBuilder<AuthnStatement>) getBuilderFactory().getBuilder(
129                 AuthnStatement.DEFAULT_ELEMENT_NAME);
130         authnContextBuilder = (SAMLObjectBuilder<AuthnContext>) getBuilderFactory().getBuilder(
131                 AuthnContext.DEFAULT_ELEMENT_NAME);
132         authnContextClassRefBuilder = (SAMLObjectBuilder<AuthnContextClassRef>) getBuilderFactory().getBuilder(
133                 AuthnContextClassRef.DEFAULT_ELEMENT_NAME);
134         authnContextDeclRefBuilder = (SAMLObjectBuilder<AuthnContextDeclRef>) getBuilderFactory().getBuilder(
135                 AuthnContextDeclRef.DEFAULT_ELEMENT_NAME);
136         subjectLocalityBuilder = (SAMLObjectBuilder<SubjectLocality>) getBuilderFactory().getBuilder(
137                 SubjectLocality.DEFAULT_ELEMENT_NAME);
138         endpointBuilder = (SAMLObjectBuilder<Endpoint>) getBuilderFactory().getBuilder(
139                 AssertionConsumerService.DEFAULT_ELEMENT_NAME);
140     }
141
142     /** {@inheritDoc} */
143     public String getProfileId() {
144         return SSOConfiguration.PROFILE_ID;
145     }
146
147     /** {@inheritDoc} */
148     public void processRequest(HTTPInTransport inTransport, HTTPOutTransport outTransport) throws ProfileException {
149         HttpServletRequest httpRequest = ((HttpServletRequestAdapter) inTransport).getWrappedRequest();
150         HttpServletResponse httpResponse = ((HttpServletResponseAdapter) outTransport).getWrappedResponse();
151         ServletContext servletContext = httpRequest.getSession().getServletContext();
152
153         LoginContext loginContext = HttpServletHelper.getLoginContext(getStorageService(),
154                 servletContext, httpRequest);
155         if (loginContext == null || !(loginContext instanceof Saml2LoginContext)) {
156             log.debug("Incoming request does not contain a login context, processing as first leg of request");
157             performAuthentication(inTransport, outTransport);
158         } else if (loginContext.isPrincipalAuthenticated() || loginContext.getAuthenticationFailure() != null) {
159             log.debug("Incoming request contains a login context, processing as second leg of request");
160             HttpServletHelper.unbindLoginContext(getStorageService(), servletContext, httpRequest, httpResponse);
161             completeAuthenticationRequest((Saml2LoginContext)loginContext, inTransport, outTransport);
162         } else {
163             log.debug("Incoming request contained a login context but principal was not authenticated, processing as first leg of request");
164             performAuthentication(inTransport, outTransport);
165         }
166     }
167
168     /**
169      * Creates a {@link Saml2LoginContext} an sends the request off to the AuthenticationManager to begin the process of
170      * authenticating the user.
171      * 
172      * @param inTransport inbound request transport
173      * @param outTransport outbound response transport
174      * 
175      * @throws ProfileException thrown if there is a problem creating the login context and transferring control to the
176      *             authentication manager
177      */
178     protected void performAuthentication(HTTPInTransport inTransport, HTTPOutTransport outTransport)
179             throws ProfileException {
180         HttpServletRequest httpRequest = ((HttpServletRequestAdapter) inTransport).getWrappedRequest();
181         HttpServletResponse httpResponse = ((HttpServletResponseAdapter) outTransport).getWrappedResponse();
182
183         SSORequestContext requestContext = new SSORequestContext();
184
185         try {
186             decodeRequest(requestContext, inTransport, outTransport);
187
188             String relyingPartyId = requestContext.getInboundMessageIssuer();
189             RelyingPartyConfiguration rpConfig = getRelyingPartyConfiguration(relyingPartyId);
190             ProfileConfiguration ssoConfig = rpConfig.getProfileConfiguration(getProfileId());
191             if (ssoConfig == null) {
192                 String msg = "SAML 2 SSO profile is not configured for relying party "
193                         + requestContext.getInboundMessageIssuer();
194                 log.warn(msg);
195                 throw new ProfileException(msg);
196             }
197
198             log.debug("Creating login context and transferring control to authentication engine");
199             Saml2LoginContext loginContext = new Saml2LoginContext(relyingPartyId, requestContext.getRelayState(),
200                     requestContext.getInboundSAMLMessage());
201             loginContext.setAuthenticationEngineURL(authenticationManagerPath);
202             loginContext.setProfileHandlerURL(HttpHelper.getRequestUriWithoutContext(httpRequest));
203             loginContext.setDefaultAuthenticationMethod(rpConfig.getDefaultAuthenticationMethod());
204
205             HttpServletHelper.bindLoginContext(loginContext, getStorageService(), httpRequest.getSession()
206                     .getServletContext(), httpRequest, httpResponse);
207
208             String authnEngineUrl = HttpServletHelper.getContextRelativeUrl(httpRequest, authenticationManagerPath)
209                     .buildURL();
210             log.debug("Redirecting user to authentication engine at {}", authnEngineUrl);
211             httpResponse.sendRedirect(authnEngineUrl);
212         } catch (MarshallingException e) {
213             log.error("Unable to marshall authentication request context");
214             throw new ProfileException("Unable to marshall authentication request context", e);
215         } catch (IOException ex) {
216             log.error("Error forwarding SAML 2 AuthnRequest to AuthenticationManager", ex);
217             throw new ProfileException("Error forwarding SAML 2 AuthnRequest to AuthenticationManager", ex);
218         }
219     }
220
221     /**
222      * Creates a response to the {@link AuthnRequest} and sends the user, with response in tow, back to the relying
223      * party after they've been authenticated.
224      * 
225      * @param loginContext login context for this request
226      * @param inTransport inbound message transport
227      * @param outTransport outbound message transport
228      * 
229      * @throws ProfileException thrown if the response can not be created and sent back to the relying party
230      */
231     protected void completeAuthenticationRequest(Saml2LoginContext loginContext, HTTPInTransport inTransport,
232             HTTPOutTransport outTransport) throws ProfileException {
233         SSORequestContext requestContext = buildRequestContext(loginContext, inTransport, outTransport);
234
235         Response samlResponse;
236         try {
237             checkSamlVersion(requestContext);
238             checkNameIDPolicy(requestContext);
239
240             if (loginContext.getAuthenticationFailure() != null) {
241                 if (loginContext.getAuthenticationFailure() instanceof PassiveAuthenticationException) {
242                     requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, StatusCode.NO_PASSIVE_URI,
243                             null));
244                 } else {
245                     requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, StatusCode.AUTHN_FAILED_URI,
246                             null));
247                 }
248                 throw new ProfileException("Authentication failure", loginContext.getAuthenticationFailure());
249             }
250
251             if (requestContext.getSubjectNameIdentifier() != null) {
252                 log.debug("Authentication request contained a subject with a name identifier, resolving principal from NameID");
253                 resolvePrincipal(requestContext);
254                 String requestedPrincipalName = requestContext.getPrincipalName();
255                 if (!DatatypeHelper.safeEquals(loginContext.getPrincipalName(), requestedPrincipalName)) {
256                     log.warn(
257                             "Authentication request identified principal {} but authentication mechanism identified principal {}",
258                             requestedPrincipalName, loginContext.getPrincipalName());
259                     requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, StatusCode.AUTHN_FAILED_URI,
260                             null));
261                     throw new ProfileException("User failed authentication");
262                 }
263             }
264
265             resolveAttributes(requestContext);
266
267             ArrayList<Statement> statements = new ArrayList<Statement>();
268             statements.add(buildAuthnStatement(requestContext));
269             if (requestContext.getProfileConfiguration().includeAttributeStatement()) {
270                 AttributeStatement attributeStatement = buildAttributeStatement(requestContext);
271                 if (attributeStatement != null) {
272                     requestContext.setReleasedAttributes(requestContext.getAttributes().keySet());
273                     statements.add(attributeStatement);
274                 }
275             }
276
277             samlResponse = buildResponse(requestContext, "urn:oasis:names:tc:SAML:2.0:cm:bearer", statements);
278         } catch (ProfileException e) {
279             samlResponse = buildErrorResponse(requestContext);
280         }
281
282         requestContext.setOutboundSAMLMessage(samlResponse);
283         requestContext.setOutboundSAMLMessageId(samlResponse.getID());
284         requestContext.setOutboundSAMLMessageIssueInstant(samlResponse.getIssueInstant());
285         encodeResponse(requestContext);
286         writeAuditLogEntry(requestContext);
287     }
288
289     /**
290      * Decodes an incoming request and stores the information in a created request context.
291      * 
292      * @param inTransport inbound transport
293      * @param outTransport outbound transport
294      * @param requestContext request context to which decoded information should be added
295      * 
296      * @throws ProfileException thrown if the incoming message failed decoding
297      */
298     protected void decodeRequest(SSORequestContext requestContext, HTTPInTransport inTransport,
299             HTTPOutTransport outTransport) throws ProfileException {
300         if (log.isDebugEnabled()) {
301             log.debug("Decoding message with decoder binding '{}'", getInboundMessageDecoder(requestContext)
302                     .getBindingURI());
303         }
304
305         requestContext.setCommunicationProfileId(getProfileId());
306
307         requestContext.setMetadataProvider(getMetadataProvider());
308         requestContext.setSecurityPolicyResolver(getSecurityPolicyResolver());
309
310         requestContext.setCommunicationProfileId(getProfileId());
311         requestContext.setInboundMessageTransport(inTransport);
312         requestContext.setInboundSAMLProtocol(SAMLConstants.SAML20P_NS);
313         requestContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
314
315         requestContext.setOutboundMessageTransport(outTransport);
316         requestContext.setOutboundSAMLProtocol(SAMLConstants.SAML20P_NS);
317
318         try {
319             SAMLMessageDecoder decoder = getInboundMessageDecoder(requestContext);
320             requestContext.setMessageDecoder(decoder);
321             decoder.decode(requestContext);
322             log.debug("Decoded request from relying party '{}'", requestContext.getInboundMessageIssuer());
323
324             if (!(requestContext.getInboundSAMLMessage() instanceof AuthnRequest)) {
325                 log.warn("Incomming message was not a AuthnRequest, it was a '{}'", requestContext
326                         .getInboundSAMLMessage().getClass().getName());
327                 requestContext.setFailureStatus(buildStatus(StatusCode.REQUESTER_URI, null,
328                         "Invalid SAML AuthnRequest message."));
329                 throw new ProfileException("Invalid SAML AuthnRequest message.");
330             }
331         } catch (MessageDecodingException e) {
332             String msg = "Error decoding authentication request message";
333             log.warn(msg, e);
334             throw new ProfileException(msg, e);
335         } catch (SecurityException e) {
336             String msg = "Message did not meet security requirements";
337             log.warn(msg, e);
338             throw new ProfileException(msg, e);
339         }
340     }
341
342     /**
343      * Checks to see, if present, if the affiliation associated with the SPNameQualifier given in the AuthnRequest
344      * NameIDPolicy lists the inbound message issuer as a member.
345      * 
346      * @param requestContext current request context
347      * 
348      * @throws ProfileException thrown if there the request is not a member of the affiliation or if there was a problem
349      *             determining membership
350      */
351     protected void checkNameIDPolicy(SSORequestContext requestContext) throws ProfileException {
352         AuthnRequest request = requestContext.getInboundSAMLMessage();
353
354         NameIDPolicy nameIdPolcy = request.getNameIDPolicy();
355         if (nameIdPolcy == null) {
356             return;
357         }
358
359         String spNameQualifier = DatatypeHelper.safeTrimOrNullString(nameIdPolcy.getSPNameQualifier());
360         if (spNameQualifier == null) {
361             return;
362         }
363
364         log.debug("Checking if message issuer is a member of affiliation '{}'", spNameQualifier);
365         try {
366             EntityDescriptor affiliation = getMetadataProvider().getEntityDescriptor(spNameQualifier);
367             if (affiliation != null) {
368                 AffiliationDescriptor affiliationDescriptor = affiliation.getAffiliationDescriptor();
369                 if (affiliationDescriptor != null && affiliationDescriptor.getMembers() != null) {
370                     for (AffiliateMember member : affiliationDescriptor.getMembers()) {
371                         if (DatatypeHelper.safeEquals(member.getID(), requestContext.getInboundMessageIssuer())) {
372                             return;
373                         }
374                     }
375                 }
376             }
377
378             requestContext.setFailureStatus(buildStatus(StatusCode.REQUESTER_URI, StatusCode.INVALID_NAMEID_POLICY_URI,
379                     "Invalid SPNameQualifier for this request"));
380             throw new ProfileException("Relying party '" + requestContext.getInboundMessageIssuer()
381                     + "' is not a member of the affiliation " + spNameQualifier);
382         } catch (MetadataProviderException e) {
383             requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, null, "Internal service error"));
384             log.error("Error looking up metadata for affiliation", e);
385             throw new ProfileException("Relying party '" + requestContext.getInboundMessageIssuer()
386                     + "' is not a member of the affiliation " + spNameQualifier);
387         }
388     }
389
390     /**
391      * Creates an authentication request context from the current environmental information.
392      * 
393      * @param loginContext current login context
394      * @param in inbound transport
395      * @param out outbount transport
396      * 
397      * @return created authentication request context
398      * 
399      * @throws ProfileException thrown if there is a problem creating the context
400      */
401     protected SSORequestContext buildRequestContext(Saml2LoginContext loginContext, HTTPInTransport in,
402             HTTPOutTransport out) throws ProfileException {
403         SSORequestContext requestContext = new SSORequestContext();
404         requestContext.setCommunicationProfileId(getProfileId());
405
406         requestContext.setMessageDecoder(getInboundMessageDecoder(requestContext));
407
408         requestContext.setLoginContext(loginContext);
409
410         requestContext.setInboundMessageTransport(in);
411         requestContext.setInboundSAMLProtocol(SAMLConstants.SAML20P_NS);
412
413         requestContext.setOutboundMessageTransport(out);
414         requestContext.setOutboundSAMLProtocol(SAMLConstants.SAML20P_NS);
415
416         requestContext.setMetadataProvider(getMetadataProvider());
417
418         String relyingPartyId = loginContext.getRelyingPartyId();
419         requestContext.setPeerEntityId(relyingPartyId);
420         requestContext.setInboundMessageIssuer(relyingPartyId);
421
422         populateRequestContext(requestContext);
423
424         return requestContext;
425     }
426
427     /** {@inheritDoc} */
428     protected void populateRelyingPartyInformation(BaseSAMLProfileRequestContext requestContext)
429             throws ProfileException {
430         super.populateRelyingPartyInformation(requestContext);
431
432         EntityDescriptor relyingPartyMetadata = requestContext.getPeerEntityMetadata();
433         if (relyingPartyMetadata != null) {
434             requestContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
435             requestContext.setPeerEntityRoleMetadata(relyingPartyMetadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS));
436         }
437     }
438
439     /** {@inheritDoc} */
440     protected void populateAssertingPartyInformation(BaseSAMLProfileRequestContext requestContext)
441             throws ProfileException {
442         super.populateAssertingPartyInformation(requestContext);
443
444         EntityDescriptor localEntityDescriptor = requestContext.getLocalEntityMetadata();
445         if (localEntityDescriptor != null) {
446             requestContext.setLocalEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
447             requestContext.setLocalEntityRoleMetadata(localEntityDescriptor
448                     .getIDPSSODescriptor(SAMLConstants.SAML20P_NS));
449         }
450     }
451
452     /**
453      * Populates the request context with information from the inbound SAML message.
454      * 
455      * This method requires the the following request context properties to be populated: login context
456      * 
457      * This methods populates the following request context properties: inbound saml message, relay state, inbound saml
458      * message ID, subject name identifier
459      * 
460      * @param requestContext current request context
461      * 
462      * @throws ProfileException thrown if the inbound SAML message or subject identifier is null
463      */
464     protected void populateSAMLMessageInformation(BaseSAMLProfileRequestContext requestContext) throws ProfileException {
465         SSORequestContext ssoRequestContext = (SSORequestContext) requestContext;
466         try {
467             Saml2LoginContext loginContext = ssoRequestContext.getLoginContext();
468             requestContext.setRelayState(loginContext.getRelayState());
469
470             AuthnRequest authnRequest = deserializeRequest(loginContext.getAuthenticationRequest());
471             requestContext.setInboundMessage(authnRequest);
472             requestContext.setInboundSAMLMessage(authnRequest);
473             requestContext.setInboundSAMLMessageId(authnRequest.getID());
474
475             Subject authnSubject = authnRequest.getSubject();
476             if (authnSubject != null) {
477                 requestContext.setSubjectNameIdentifier(authnSubject.getNameID());
478             }
479         } catch (UnmarshallingException e) {
480             log.error("Unable to unmarshall authentication request context");
481             ssoRequestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, null,
482                     "Error recovering request state"));
483             throw new ProfileException("Error recovering request state", e);
484         }
485     }
486
487     /**
488      * Creates an authentication statement for the current request.
489      * 
490      * @param requestContext current request context
491      * 
492      * @return constructed authentication statement
493      */
494     protected AuthnStatement buildAuthnStatement(SSORequestContext requestContext) {
495         Saml2LoginContext loginContext = requestContext.getLoginContext();
496
497         AuthnContext authnContext = buildAuthnContext(requestContext);
498
499         AuthnStatement statement = authnStatementBuilder.buildObject();
500         statement.setAuthnContext(authnContext);
501         statement.setAuthnInstant(loginContext.getAuthenticationInstant());
502
503         Session session = getUserSession(requestContext.getInboundMessageTransport());
504         if (session != null) {
505             statement.setSessionIndex(session.getSessionID());
506         }
507
508         long maxSPSessionLifetime = requestContext.getProfileConfiguration().getMaximumSPSessionLifetime();
509         if (maxSPSessionLifetime > 0) {
510             DateTime lifetime = new DateTime(DateTimeZone.UTC).plus(maxSPSessionLifetime);
511             log.debug("Explicitly setting SP session expiration time to '{}'", lifetime.toString());
512             statement.setSessionNotOnOrAfter(lifetime);
513         }
514
515         statement.setSubjectLocality(buildSubjectLocality(requestContext));
516
517         return statement;
518     }
519
520     /**
521      * Creates an {@link AuthnContext} for a successful authentication request.
522      * 
523      * @param requestContext current request
524      * 
525      * @return the built authn context
526      */
527     protected AuthnContext buildAuthnContext(SSORequestContext requestContext) {
528         AuthnContext authnContext = authnContextBuilder.buildObject();
529
530         Saml2LoginContext loginContext = requestContext.getLoginContext();
531         AuthnRequest authnRequest = requestContext.getInboundSAMLMessage();
532         RequestedAuthnContext requestedAuthnContext = authnRequest.getRequestedAuthnContext();
533         if (requestedAuthnContext != null) {
534             if (requestedAuthnContext.getAuthnContextClassRefs() != null) {
535                 for (AuthnContextClassRef classRef : requestedAuthnContext.getAuthnContextClassRefs()) {
536                     if (DatatypeHelper.safeEquals(classRef.getAuthnContextClassRef(),
537                             loginContext.getAuthenticationMethod())) {
538                         AuthnContextClassRef ref = authnContextClassRefBuilder.buildObject();
539                         ref.setAuthnContextClassRef(loginContext.getAuthenticationMethod());
540                         authnContext.setAuthnContextClassRef(ref);
541                     }
542                 }
543             } else if (requestedAuthnContext.getAuthnContextDeclRefs() != null) {
544                 for (AuthnContextDeclRef declRef : requestedAuthnContext.getAuthnContextDeclRefs()) {
545                     if (DatatypeHelper.safeEquals(declRef.getAuthnContextDeclRef(),
546                             loginContext.getAuthenticationMethod())) {
547                         AuthnContextDeclRef ref = authnContextDeclRefBuilder.buildObject();
548                         ref.setAuthnContextDeclRef(loginContext.getAuthenticationMethod());
549                         authnContext.setAuthnContextDeclRef(ref);
550                     }
551                 }
552             }
553         }
554
555         if (authnContext.getAuthnContextClassRef() == null || authnContext.getAuthnContextDeclRef() == null) {
556             AuthnContextClassRef ref = authnContextClassRefBuilder.buildObject();
557             ref.setAuthnContextClassRef(loginContext.getAuthenticationMethod());
558             authnContext.setAuthnContextClassRef(ref);
559         }
560
561         return authnContext;
562     }
563
564     /**
565      * Constructs the subject locality for the authentication statement.
566      * 
567      * @param requestContext curent request context
568      * 
569      * @return subject locality for the authentication statement
570      */
571     protected SubjectLocality buildSubjectLocality(SSORequestContext requestContext) {
572         HTTPInTransport transport = (HTTPInTransport) requestContext.getInboundMessageTransport();
573         SubjectLocality subjectLocality = subjectLocalityBuilder.buildObject();
574         subjectLocality.setAddress(transport.getPeerAddress());
575
576         return subjectLocality;
577     }
578
579     /** {@inheritDoc} */
580     protected String getRequiredNameIDFormat(BaseSAMLProfileRequestContext requestContext) {
581         String requiredNameFormat = null;
582         AuthnRequest authnRequest = (AuthnRequest) requestContext.getInboundSAMLMessage();
583         NameIDPolicy nameIdPolicy = authnRequest.getNameIDPolicy();
584         if (nameIdPolicy != null) {
585             requiredNameFormat = DatatypeHelper.safeTrimOrNullString(nameIdPolicy.getFormat());
586             // Check for unspec'd or encryption formats, which aren't relevant for this section of code.
587             if (requiredNameFormat != null
588                     && (NameID.ENCRYPTED.equals(requiredNameFormat) || NameID.UNSPECIFIED.equals(requiredNameFormat))) {
589                 requiredNameFormat = null;
590             }
591         }
592
593         return requiredNameFormat;
594     }
595
596     /** {@inheritDoc} */
597     protected NameID buildNameId(BaseSAML2ProfileRequestContext<?, ?, ?> requestContext) throws ProfileException {
598         NameID nameId = super.buildNameId(requestContext);
599         if (nameId != null) {
600             AuthnRequest authnRequest = (AuthnRequest) requestContext.getInboundSAMLMessage();
601             NameIDPolicy nameIdPolicy = authnRequest.getNameIDPolicy();
602             if (nameIdPolicy != null) {
603                 String spNameQualifier = DatatypeHelper.safeTrimOrNullString(nameIdPolicy.getSPNameQualifier());
604                 if (spNameQualifier != null) {
605                     nameId.setSPNameQualifier(spNameQualifier);
606                 } else {
607                     nameId.setSPNameQualifier(requestContext.getInboundMessageIssuer());
608                 }
609             }
610         }
611
612         return nameId;
613     }
614
615     /**
616      * Selects the appropriate endpoint for the relying party and stores it in the request context.
617      * 
618      * @param requestContext current request context
619      * 
620      * @return Endpoint selected from the information provided in the request context
621      */
622     protected Endpoint selectEndpoint(BaseSAMLProfileRequestContext requestContext) {
623         AuthnRequest authnRequest = ((SSORequestContext) requestContext).getInboundSAMLMessage();
624
625         Endpoint endpoint = null;
626         if (requestContext.getRelyingPartyConfiguration().getRelyingPartyId() == SAMLMDRelyingPartyConfigurationManager.ANONYMOUS_RP_NAME) {
627             if (authnRequest.getAssertionConsumerServiceURL() != null) {
628                 endpoint = endpointBuilder.buildObject();
629                 endpoint.setLocation(authnRequest.getAssertionConsumerServiceURL());
630                 if (authnRequest.getProtocolBinding() != null) {
631                     endpoint.setBinding(authnRequest.getProtocolBinding());
632                 } else {
633                     endpoint.setBinding(getSupportedOutboundBindings().get(0));
634                 }
635                 log.warn(
636                         "Generating endpoint for anonymous relying party self-identified as '{}', ACS url '{}' and binding '{}'",
637                         new Object[] { requestContext.getInboundMessageIssuer(), endpoint.getLocation(),
638                                 endpoint.getBinding(), });
639             } else {
640                 log.warn("Unable to generate endpoint for anonymous party.  No ACS url provided.");
641             }
642         } else {
643             AuthnResponseEndpointSelector endpointSelector = new AuthnResponseEndpointSelector();
644             endpointSelector.setEndpointType(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
645             endpointSelector.setMetadataProvider(getMetadataProvider());
646             endpointSelector.setEntityMetadata(requestContext.getPeerEntityMetadata());
647             endpointSelector.setEntityRoleMetadata(requestContext.getPeerEntityRoleMetadata());
648             endpointSelector.setSamlRequest(requestContext.getInboundSAMLMessage());
649             endpointSelector.getSupportedIssuerBindings().addAll(getSupportedOutboundBindings());
650             endpoint = endpointSelector.selectEndpoint();
651         }
652
653         return endpoint;
654     }
655
656     /**
657      * Deserailizes an authentication request from a string.
658      * 
659      * @param request request to deserialize
660      * 
661      * @return the request XMLObject
662      * 
663      * @throws UnmarshallingException thrown if the request can no be deserialized and unmarshalled
664      */
665     protected AuthnRequest deserializeRequest(String request) throws UnmarshallingException {
666         try {
667             Element requestElem = getParserPool().parse(new StringReader(request)).getDocumentElement();
668             Unmarshaller unmarshaller = Configuration.getUnmarshallerFactory().getUnmarshaller(requestElem);
669             return (AuthnRequest) unmarshaller.unmarshall(requestElem);
670         } catch (Exception e) {
671             throw new UnmarshallingException("Unable to read serialized authentication request");
672         }
673     }
674
675     /** Represents the internal state of a SAML 2.0 SSO Request while it's being processed by the IdP. */
676     protected class SSORequestContext extends BaseSAML2ProfileRequestContext<AuthnRequest, Response, SSOConfiguration> {
677
678         /** Current login context. */
679         private Saml2LoginContext loginContext;
680
681         /**
682          * Gets the current login context.
683          * 
684          * @return current login context
685          */
686         public Saml2LoginContext getLoginContext() {
687             return loginContext;
688         }
689
690         /**
691          * Sets the current login context.
692          * 
693          * @param context current login context
694          */
695         public void setLoginContext(Saml2LoginContext context) {
696             loginContext = context;
697         }
698     }
699 }