import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpSession;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.common.binding.decoding.SAMLMessageDecoder;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
-import org.opensaml.saml2.metadata.provider.MetadataProvider;
-import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.transport.http.HTTPInTransport;
import org.opensaml.ws.transport.http.HTTPOutTransport;
import org.slf4j.LoggerFactory;
import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
+import edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext;
import edu.internet2.middleware.shibboleth.common.relyingparty.ProfileConfiguration;
import edu.internet2.middleware.shibboleth.common.relyingparty.RelyingPartyConfiguration;
import edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml2.SSOConfiguration;
import edu.internet2.middleware.shibboleth.common.util.HttpHelper;
import edu.internet2.middleware.shibboleth.idp.authn.LoginContext;
+import edu.internet2.middleware.shibboleth.idp.authn.PassiveAuthenticationException;
import edu.internet2.middleware.shibboleth.idp.authn.Saml2LoginContext;
+import edu.internet2.middleware.shibboleth.idp.session.Session;
/** SAML 2.0 SSO request profile handler. */
public class SSOProfileHandler extends AbstractSAML2ProfileHandler {
/** URL of the authentication manager servlet. */
private String authenticationManagerPath;
- /** URI of request decoder. */
- private String decodingBinding;
-
/**
* Constructor.
*
/** {@inheritDoc} */
public String getProfileId() {
- return "urn:mace:shibboleth:2.0:idp:profiles:saml2:request:sso";
+ return SSOConfiguration.PROFILE_ID;
}
/** {@inheritDoc} */
public void processRequest(HTTPInTransport inTransport, HTTPOutTransport outTransport) throws ProfileException {
HttpServletRequest servletRequest = ((HttpServletRequestAdapter) inTransport).getWrappedRequest();
- HttpSession httpSession = servletRequest.getSession(true);
- LoginContext loginContext = (LoginContext) httpSession.getAttribute(LoginContext.LOGIN_CONTEXT_KEY);
+ LoginContext loginContext = (LoginContext) servletRequest.getAttribute(LoginContext.LOGIN_CONTEXT_KEY);
if (loginContext == null) {
- log.debug("User session does not contain a login context, processing as first leg of request");
- performAuthentication(inTransport, outTransport);
- } else if (!loginContext.isPrincipalAuthenticated() && !loginContext.getAuthenticationAttempted()) {
- log
- .debug("User session contained a login context but user was not authenticated, processing as first leg of request");
+ log.debug("Incoming request does not contain a login context, processing as first leg of request");
performAuthentication(inTransport, outTransport);
} else {
- log.debug("User session contains a login context, processing as second leg of request");
+ log.debug("Incoming request contains a login context, processing as second leg of request");
completeAuthenticationRequest(inTransport, outTransport);
}
}
protected void performAuthentication(HTTPInTransport inTransport, HTTPOutTransport outTransport)
throws ProfileException {
HttpServletRequest servletRequest = ((HttpServletRequestAdapter) inTransport).getWrappedRequest();
- HttpSession httpSession = servletRequest.getSession();
try {
SSORequestContext requestContext = decodeRequest(inTransport, outTransport);
loginContext.getRequestedAuthenticationMethods().add(rpConfig.getDefaultAuthenticationMethod());
}
- httpSession.setAttribute(Saml2LoginContext.LOGIN_CONTEXT_KEY, loginContext);
+ servletRequest.setAttribute(Saml2LoginContext.LOGIN_CONTEXT_KEY, loginContext);
RequestDispatcher dispatcher = servletRequest.getRequestDispatcher(authenticationManagerPath);
dispatcher.forward(servletRequest, ((HttpServletResponseAdapter) outTransport).getWrappedResponse());
} catch (MarshallingException e) {
- httpSession.removeAttribute(LoginContext.LOGIN_CONTEXT_KEY);
log.error("Unable to marshall authentication request context");
throw new ProfileException("Unable to marshall authentication request context", e);
} catch (IOException ex) {
- httpSession.removeAttribute(LoginContext.LOGIN_CONTEXT_KEY);
log.error("Error forwarding SAML 2 AuthnRequest to AuthenticationManager", ex);
throw new ProfileException("Error forwarding SAML 2 AuthnRequest to AuthenticationManager", ex);
} catch (ServletException ex) {
- httpSession.removeAttribute(LoginContext.LOGIN_CONTEXT_KEY);
log.error("Error forwarding SAML 2 AuthnRequest to AuthenticationManager", ex);
throw new ProfileException("Error forwarding SAML 2 AuthnRequest to AuthenticationManager", ex);
}
protected void completeAuthenticationRequest(HTTPInTransport inTransport, HTTPOutTransport outTransport)
throws ProfileException {
HttpServletRequest servletRequest = ((HttpServletRequestAdapter) inTransport).getWrappedRequest();
- HttpSession httpSession = servletRequest.getSession();
-
- Saml2LoginContext loginContext = (Saml2LoginContext) httpSession.getAttribute(LoginContext.LOGIN_CONTEXT_KEY);
- httpSession.removeAttribute(LoginContext.LOGIN_CONTEXT_KEY);
+ Saml2LoginContext loginContext = (Saml2LoginContext) servletRequest
+ .getAttribute(LoginContext.LOGIN_CONTEXT_KEY);
SSORequestContext requestContext = buildRequestContext(loginContext, inTransport, outTransport);
checkSamlVersion(requestContext);
Response samlResponse;
try {
- if (loginContext.getPrincipalName() == null) {
- log.error("User's login context did not contain a principal, user considered unauthenticiated.");
- if (loginContext.getPassiveAuth()) {
+ if (loginContext.getAuthenticationFailure() != null) {
+ log.error("User authentication failed with the following error: {}", loginContext
+ .getAuthenticationFailure().toString());
+
+ if (loginContext.getAuthenticationFailure() instanceof PassiveAuthenticationException) {
requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, StatusCode.NO_PASSIVE_URI,
null));
} else {
requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, StatusCode.AUTHN_FAILED_URI,
null));
}
- throw new ProfileException("User failed authentication");
+ throw new ProfileException("Authentication failure", loginContext.getAuthenticationFailure());
}
if (requestContext.getSubjectNameIdentifier() != null) {
if (requestContext.getProfileConfiguration().includeAttributeStatement()) {
AttributeStatement attributeStatement = buildAttributeStatement(requestContext);
if (attributeStatement != null) {
- requestContext.setRequestedAttributes(requestContext.getPrincipalAttributes().keySet());
+ requestContext.setRequestedAttributes(requestContext.getAttributes().keySet());
statements.add(attributeStatement);
}
}
requestContext.setMessageDecoder(getMessageDecoders().get(getInboundBinding()));
requestContext.setLoginContext(loginContext);
- requestContext.setPrincipalName(loginContext.getPrincipalName());
- requestContext.setPrincipalAuthenticationMethod(loginContext.getAuthenticationMethod());
- requestContext.setUserSession(getUserSession(in));
- requestContext.setRelayState(loginContext.getRelayState());
requestContext.setInboundMessageTransport(in);
requestContext.setInboundSAMLProtocol(SAMLConstants.SAML20P_NS);
+ requestContext.setOutboundMessageTransport(out);
+ requestContext.setOutboundSAMLProtocol(SAMLConstants.SAML20P_NS);
+
+ requestContext.setMetadataProvider(getMetadataProvider());
+
+ String relyingPartyId = loginContext.getRelyingPartyId();
+ requestContext.setInboundMessageIssuer(relyingPartyId);
+
+ populateSAMLMessageInformation(requestContext);
+ populateRequestContext(requestContext);
+ populateProfileInformation(requestContext);
+
+ return requestContext;
+ }
+
+ /** {@inheritDoc} */
+ protected void populateRelyingPartyInformation(BaseSAMLProfileRequestContext requestContext)
+ throws ProfileException {
+ super.populateRelyingPartyInformation(requestContext);
+
+ EntityDescriptor relyingPartyMetadata = requestContext.getPeerEntityMetadata();
+ if (relyingPartyMetadata != null) {
+ requestContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
+ requestContext.setPeerEntityRoleMetadata(relyingPartyMetadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS));
+ }
+ }
+
+ /** {@inheritDoc} */
+ protected void populateAssertingPartyInformation(BaseSAMLProfileRequestContext requestContext)
+ throws ProfileException {
+ super.populateAssertingPartyInformation(requestContext);
+
+ EntityDescriptor localEntityDescriptor = requestContext.getLocalEntityMetadata();
+ if (localEntityDescriptor != null) {
+ requestContext.setLocalEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
+ requestContext.setLocalEntityRoleMetadata(localEntityDescriptor
+ .getIDPSSODescriptor(SAMLConstants.SAML20P_NS));
+ }
+ }
+
+ /**
+ * Populates the request context with information from the inbound SAML message.
+ *
+ * This method requires the the following request context properties to be populated: login context
+ *
+ * This methods populates the following request context properties: inbound saml message, relay state, inbound saml
+ * message ID, subject name identifier
+ *
+ * @param requestContext current request context
+ *
+ * @throws ProfileException thrown if the inbound SAML message or subject identifier is null
+ */
+ protected void populateSAMLMessageInformation(BaseSAMLProfileRequestContext requestContext) throws ProfileException {
+ SSORequestContext ssoRequestContext = (SSORequestContext) requestContext;
try {
+ Saml2LoginContext loginContext = ssoRequestContext.getLoginContext();
+ requestContext.setRelayState(loginContext.getRelayState());
+
AuthnRequest authnRequest = loginContext.getAuthenticationRequest();
requestContext.setInboundMessage(authnRequest);
requestContext.setInboundSAMLMessage(loginContext.getAuthenticationRequest());
}
} catch (UnmarshallingException e) {
log.error("Unable to unmarshall authentication request context");
- requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, null,
+ ssoRequestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, null,
"Error recovering request state"));
throw new ProfileException("Error recovering request state", e);
}
-
- requestContext.setOutboundMessageTransport(out);
- requestContext.setOutboundSAMLProtocol(SAMLConstants.SAML20P_NS);
-
- MetadataProvider metadataProvider = getMetadataProvider();
- requestContext.setMetadataProvider(metadataProvider);
-
- String relyingPartyId = loginContext.getRelyingPartyId();
- requestContext.setInboundMessageIssuer(relyingPartyId);
- try {
- EntityDescriptor relyingPartyMetadata = metadataProvider.getEntityDescriptor(relyingPartyId);
- if (relyingPartyMetadata != null) {
- requestContext.setPeerEntityMetadata(relyingPartyMetadata);
- requestContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
- requestContext.setPeerEntityRoleMetadata(relyingPartyMetadata
- .getSPSSODescriptor(SAMLConstants.SAML20P_NS));
- }
- } catch (MetadataProviderException e) {
- log.error("Unable to locate metadata for relying party");
- requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, null,
- "Error locating relying party metadata"));
- throw new ProfileException("Error locating relying party metadata");
- }
-
- RelyingPartyConfiguration rpConfig = getRelyingPartyConfiguration(relyingPartyId);
- if (rpConfig == null) {
- log.error("Unable to retrieve relying party configuration data for entity with ID {}", relyingPartyId);
- throw new ProfileException("Unable to retrieve relying party configuration data for entity with ID "
- + relyingPartyId);
- }
- requestContext.setRelyingPartyConfiguration(rpConfig);
-
- SSOConfiguration profileConfig = (SSOConfiguration) rpConfig
- .getProfileConfiguration(SSOConfiguration.PROFILE_ID);
- requestContext.setProfileConfiguration(profileConfig);
- requestContext.setOutboundMessageArtifactType(profileConfig.getOutboundArtifactType());
- requestContext.setPeerEntityEndpoint(selectEndpoint(requestContext));
-
- String assertingPartyId = rpConfig.getProviderId();
- requestContext.setLocalEntityId(assertingPartyId);
-
- try {
- EntityDescriptor localEntityDescriptor = metadataProvider.getEntityDescriptor(assertingPartyId);
- if (localEntityDescriptor != null) {
- requestContext.setLocalEntityMetadata(localEntityDescriptor);
- requestContext.setLocalEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
- requestContext.setLocalEntityRoleMetadata(localEntityDescriptor
- .getIDPSSODescriptor(SAMLConstants.SAML20P_NS));
- }
- } catch (MetadataProviderException e) {
- log.error("Unable to locate metadata for asserting party");
- requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, null,
- "Error locating asserting party metadata"));
- throw new ProfileException("Error locating asserting party metadata");
- }
-
- return requestContext;
}
/**
statement.setAuthnContext(authnContext);
statement.setAuthnInstant(loginContext.getAuthenticationInstant());
- // TODO
- statement.setSessionIndex(null);
+ Session session = getUserSession(requestContext.getInboundMessageTransport());
+ if (session != null) {
+ statement.setSessionIndex(session.getSessionID());
+ }
if (loginContext.getAuthenticationDuration() > 0) {
statement.setSessionNotOnOrAfter(loginContext.getAuthenticationInstant().plus(
HTTPInTransport transport = (HTTPInTransport) requestContext.getInboundMessageTransport();
SubjectLocality subjectLocality = subjectLocalityBuilder.buildObject();
subjectLocality.setAddress(transport.getPeerAddress());
- subjectLocality.setDNSName(transport.getPeerDomainName());
return subjectLocality;
}
*
* @return Endpoint selected from the information provided in the request context
*/
- protected Endpoint selectEndpoint(SSORequestContext requestContext) {
+ protected Endpoint selectEndpoint(BaseSAMLProfileRequestContext requestContext) {
AuthnResponseEndpointSelector endpointSelector = new AuthnResponseEndpointSelector();
endpointSelector.setEndpointType(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
endpointSelector.setMetadataProvider(getMetadataProvider());
projects / java-idp.git / blobdiff