com.sun.identity.saml2.common

Class SAML2Utils

java.lang.Object

com.sun.identity.saml2.common.SAML2SDKUtils

com.sun.identity.saml2.common.SAML2Utils

public class SAML2Utils
extends SAML2SDKUtils

The SAML2Utils contains utility methods for SAML 2.0 implementation.

Field Summary

Fields inherited from class com.sun.identity.saml2.common.SAML2SDKUtils

ACTION, ADVICE, ARTIFACT, ARTIFACT_RESOLVE, ARTIFACT_RESPONSE, ASSERTION, ASSERTION_ID_REF, ASSERTION_ID_REQUEST, ATTRIBUTE, ATTRIBUTE_QUERY, ATTRIBUTE_STATEMENT, AUDIENCE_RESTRICTION, AUTHN_CONTEXT, AUTHN_QUERY, AUTHN_REQUEST, AUTHN_STATEMENT, AUTHZ_DECISION_STATEMENT, BASEID, bundle, BUNDLE_NAME, CONDITION, CONDITIONS, debug, ECP_RELAY_STATE, ECP_REQUEST, ECP_RESPONSE, ENCRYPTED_ASSERTION, ENCRYPTED_ATTRIBUTE, ENCRYPTED_ELEMENT, ENCRYPTEDID, EVIDENCE, EXTENSIONS, GET_COMPLETE, IDPENTRY, IDPLIST, ISSUER, KEYINFO_CONFIRMATION_DATA, LOGOUT_REQUEST, LOGOUT_RESPONSE, MANAGE_NAMEID_REQUEST, MANAGE_NAMEID_RESPONSE, NAMEID, NAMEID_POLICY, NAMEIDMAPPING_REQ, NAMEIDMAPPING_RES, NEW_ENCRYPTEDID, NEWID, ONE_TIME_USE, PROXY_RESTRICTION, random, REQUESTED_AUTHN_CONTEXT, REQUESTERID, RESPONSE, SAML2ID_PREFIX, SCOPING, SESSION_INDEX, STATEMENT, STATUS, STATUS_CODE, STATUS_DETAIL, STATUS_MESSAGE, STATUS_RESPONSE, SUBJECT, SUBJECT_CONFIRMATION, SUBJECT_CONFIRMATION_DATA, SUBJECT_LOCALITY

Constructor Summary

Constructors

Constructor and Description
SAML2Utils()

Method Summary

Modifier and Type	Method and Description
static Object	checkSession(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String metaAlias, Map paramsMap) Parses the request parameters and return session object or redirect to login url.
static javax.servlet.http.Cookie	createCookie(String cookieName, String cookieValue, String cookieDomain, String path) Creates a Cookie with the cookieName, cookieValue for the cookie domains specified.
static Issuer	createIssuer(String entityID) Returns url for redirection.
static String	createNameIdentifier() Returns a Name Identifier
static String	decodeFromRedirect(String str) Decodes the request message.
static String	encodeForPOST(String str) Returns the encoded request message.
static String	encodeForRedirect(String str) Returns the encoded request message.
static String	extractServerId(String id) Extracts serverID from the specified id.
static String	generateIDWithServerID() Generates ID with server id at the end.
static String	generateMessageHandleWithServerID() Generates message handle with server id used in an Artifact.
static String	generateSourceID(String entityID) Generates provider Source ID based on provider Entity ID.
static Status	generateStatus(String code, String message) Generates SAMLv2 Status object
static Status	generateStatus(String code, String subCode, String message) Generates SAMLv2 Status object
static List<String>	getAllAttributeValueFromSSOConfig(String realm, String hostEntityId, String entityRole, String attrName) Returns all values of specified attribute from SSOConfig.
static String	getAttributeValueFromSPSSOConfig(SPSSOConfigElement config, String attrName) Retrieves attribute value for a given attribute name from SPSSOConfig.
static String	getAttributeValueFromSSOConfig(String realm, String hostEntityId, String entityRole, String attrName) Returns single value of specified attribute from SSOConfig.
static String	getAttributeValueFromXACMLConfig(String realm, String entityRole, String entityID, String attrName) Returns the value of attribute from entity configuration.
static String	getBaseURL(javax.servlet.http.HttpServletRequest request) Returns the Request URL.
static boolean	getBooleanAttributeValueFromSSOConfig(String realm, String hostEntityId, String entityRole, String attrName) Returns boolean value of specified attribute from SSOConfig.
static Map	getConfigAttributeMap(String realm, String hostEntityID, String role) Returns the attribute map by parsing the configured map in hosted provider configuration
static String	getCookiesString(javax.servlet.http.HttpServletRequest request)
static DataStoreProvider	getDataStoreProvider() Returns DataStoreProvider object.
static SAML2IDPFinder	getECPIDPFinder(String realm, String spEntityID) Returns an SAML2IDPFinder which is used to find a list of IDP's for ECP Request.
static List<String>	getEncryptionCertAliases(String realm, String hostEntityId, String entityRole) Returns encryption certificate alias names.
static Response	getErrorResponse(RequestAbstract request, String code, String subCode, String statusMsg, String issuerEntityID) Returns a SAML Response object containing error status
static FedletAdapter	getFedletAdapterClass(String spEntityID, String realm) Returns a Fedlet adapter class.
static String	getHostEntityRole(Map paramsMap) Returns the role of host entity.
static IDPAccountMapper	getIDPAccountMapper(String realm, String idpEntityID) Returns an IDPAccountMapper
static SAML2IdentityProviderAdapter	getIDPAdapterClass(String realm, String idpEntityID) Returns a SAML2IdentityProviderAdapter
static String	getLocalServerID() Returns the server id of the local server
static Map<String,String>	getMappedAttributes(List<String> mappedAttributes) For the list of Strings containing mappings, return a map of name value pairs that match the mapping string
static Map	getNameIDKeyMap(NameID nameID, String hostEntityID, String remoteEntityID, String realm, String hostEntityRole) Returns the NameIDInfoKey key value pair that can be used for searching the user.
static String	getNameIDStringFromResponse(Response response) Obtains the value of NameID from Response.
static String	getParameter(Map<String,String> paramsMap, String attributeName) Returns the query parameter value for the param specified from the given Map.
static Map<String,List<String>>	getParamsMap(javax.servlet.http.HttpServletRequest request) Returns a Map of parameters retrieved from the Query parameters in the HttpServletRequest.
static String	getPreferredIDP(javax.servlet.http.HttpServletRequest request) Returns the Identity Provider Entity Identifier.
static String	getReaderURL(String spMetaAlias)
static String	getRealm(String realm) Returns the realm.
static String	getRedirectURL(String readerURL, String requestID, javax.servlet.http.HttpServletRequest request) Returns the redirect URL.
static String	getRelayState(javax.servlet.http.HttpServletRequest request) Returns the URL to which redirection will happen after Single-Signon / Federation.
static String	getRemoteServiceURL(String id) Gets remote service URL according to server id embedded in the provided ID.
static Map	getSAEAttrs(String realm, String entityId, String role, String appUrl) Retrieves SAE related attributes from exended metadata.
static SAML2MetaManager	getSAML2MetaManager() Returns an instance of SAML2MetaManger.
static Attribute	getSAMLAttribute(String name, String[] values) Returns the SAML Attribute object.
static String	getSigningCertAlias(String realm, String hostEntityId, String entityRole) Returns signing certificate alias name.
static String	getSigningCertEncryptedKeyPass(String realm, String hostEntityId, String entityRole) Returns signing certificate key password (encrypted).
static String	getSingleValuedSessionProperty(Object session, String propertyName) Returns the first value of the session property.
static SPAccountMapper	getSPAccountMapper(String realm, String spEntityID) Returns an SPAccountMapper
static SAML2ServiceProviderAdapter	getSPAdapterClass(String spEntityID, String realm) Returns an SP adapter class
static SPAttributeMapper	getSPAttributeMapper(String realm, String spEntityID) Gets the SPAttributeMapper.
static SPAuthnContextMapper	getSPAuthnContextMapper(String realm, String hostEntityID, String authnCtxClassName) Returns the Service Provider AuthnContext Mapper Object.
static List	getStrAssertions(List assertions) Gets List of 'String' assertions from the list of 'Assertion' assertions
static boolean	getWantArtifactResolveSigned(String realm, String hostEntityId, String entityRole) Returns true if wantArtifactResolveSigned has String true.
static boolean	getWantArtifactResponseSigned(String realm, String hostEntityId, String entityRole) Returns true if wantArtifactResponseSigned has String true.
static boolean	getWantAssertionEncrypted(String realm, String hostEntityId, String entityRole) Returns true if wantAssertionEncrypted has String true.
static boolean	getWantAttributeEncrypted(String realm, String hostEntityId, String entityRole) Returns true if wantAttributeEncrypted has String true.
static boolean	getWantLogoutRequestSigned(String realm, String hostEntityId, String entityRole) Returns true if wantLogoutRequestSigned has String true.
static boolean	getWantLogoutResponseSigned(String realm, String hostEntityId, String entityRole) Returns true if wantLogoutResponseSigned has String true.
static boolean	getWantMNIRequestSigned(String realm, String hostEntityId, String entityRole) Returns true if wantMNIRequestSigned has String true.
static boolean	getWantMNIResponseSigned(String realm, String hostEntityId, String entityRole) Returns true if wantMNIResponseSigned has String true.
static boolean	getWantNameIDEncrypted(String realm, String hostEntityId, String entityRole) Returns true if wantNameIDEncrypted has String true.
static boolean	getWantXACMLAuthzDecisionQuerySigned(String realm, String entityID, String entityRole) Returns true if wantXACMLAuthzDecisionQuerySigned has true true.
static boolean	isAuthnContextMatching(List requestedACClassRefs, String acClassRef, String comparison, Map acClassRefLevelMap) Returns true if the specified AuthnContextClassRef matches a list of requested AuthnContextClassRef.
static boolean	isDualRole(String hostEntityId, String realm) Returns true if this entity is acting as both SP and IDP.
static boolean	isFedInfoExists(String userName, String hostEntityID, String remoteEntityId, NameID nameID) Checks if the federation information for the user exists or not.
static boolean	isIDPProfileBindingSupported(String realm, String idpEntityID, String profile, String binding) Checks if a profile binding is suppported by an IDP.
static boolean	isIgnoreProfileSet(Object session) Return true if the User for this session has a profile set to Ignore
static boolean	isPersistentNameID(NameID nameId) Checks if it is a persistent request or not.
static boolean	isRelayStateURLValid(javax.servlet.http.HttpServletRequest request, String relayState, String role) Convenience method to validate a SAML2 relay state (goto) URL, often called from a JSP.
static boolean	isRelayStateURLValid(String metaAlias, String relayState, String role) Convenience method to validate a SAML2 relay state (goto) URL, often called from a JSP.
static boolean	isSourceSiteValid(Issuer issuer, String orgName, String hostEntityId) Returns true if Issuer is valid.
static boolean	isSPProfileBindingSupported(String realm, String spEntityID, String profile, String binding) Checks if a profile binding is suppported by a SP.
static void	logAccess(Level lvl, String msgid, String[] data, Object tok, String ipaddr, String userid, String org, String module, Map props) Writes a log record in SAML2 access log.
static void	logError(Level lvl, String msgid, String[] data, Object tok, String ipaddr, String userid, String org, String module, Map props) Writes error occurred in SAML2 component into a log (fmSAML2.error)
static void	postToAppLogout(javax.servlet.http.HttpServletRequest request, String appLogoutURL, Object session) Processes logout for external application.
static void	postToTarget(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String SAMLmessageName, String SAMLmessageValue, String relayStateName, String relayStateValue, String targetURL)
static void	putHeaders(MimeHeaders headers, javax.servlet.http.HttpServletResponse response) Sets mime headers in HTTP servlet response.
static void	redirectAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String realm, String hostEntityID, String entityRole) Returns url for redirection.
static String	removeNewLineChars(String string) Removes new line character from a String.
static HashMap	sendRequestToOrigServer(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String sloServerUrl) Sends the request to the original Federation server and receives the result data.
static String	signQueryString(String queryString, String realm, String hostEntity, String hostEntityRole) Sign Query string.
static boolean	validateCertificate(X509Certificate cert) Checks certificate validity with configured CRL
static void	validateRecipient(SPSSODescriptorElement spDesc, String assertionID, SubjectConfirmationData subjectConfData) Validates the Recipient value stored within the SubjectConfirmationData element based on the following rules: The value MUST not be null.
static void	validateRelayStateURL(String orgName, String hostEntityId, String relayState, String role) Validates the Relay State URL against a list of valid Relay State URLs created on the hosted service provider.
static boolean	verifyDestination(String destination, String location) Compares the destination and location
static String	verifyNameIDFormat(String nameIDFormat, SPSSODescriptorElement spsso, IDPSSODescriptorElement idpsso) Verifies specified name ID format and returns it.
static boolean	verifyQueryString(String queryString, String realm, String hostEntityRole, String remoteEntity) Verify Signed Query string.
static boolean	verifyRequestIssuer(String realm, String hostEntity, Issuer reqIssuer, String requestId) Verifies Issuer in Request and returns true if the Issuer is part of COT SAML2 auth module only.
static Map	verifyResponse(javax.servlet.http.HttpServletRequest httpRequest, javax.servlet.http.HttpServletResponse httpResponse, Response response, String orgName, String hostEntityId, String profileBinding) Verifies single sign on Response and returns information to SAML2 auth module for further processing.
static boolean	verifyResponseIssuer(String realm, String hostEntity, Issuer resIssuer, String requestId) Verifies Issuer in Response and returns true if the Issuer is part of COT
static boolean	wantPOSTResponseSigned(String realm, String hostEntityId, String entityRole) Returns value of attribute wantPOSTResponseSigned as a boolean value true to false.

Methods inherited from class com.sun.identity.saml2.common.SAML2SDKUtils

booleanValueOf, byteArrayToHexString, byteArrayToString, checkStatement, createSOAPMessageString, decodeXMLToDebugLog, fillInBasicAuthInfo, generateID, generateMessageHandle, getDiscoveryBootStrapCredentials, getDiscoveryBootStrapResourceOffering, getObjectInstance, getObjectInstance, getObjectInstance, getObjectInstance, hexStringToByteArray, intToTwoBytes, isSAMLDecryptionDebugEnabled, removeDeployUri, StringToBoolean, stringToByteArray, twoBytesToInt

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SAML2Utils

public SAML2Utils()

Method Detail

verifyResponse

public static Map verifyResponse(javax.servlet.http.HttpServletRequest httpRequest,
                                 javax.servlet.http.HttpServletResponse httpResponse,
                                 Response response,
                                 String orgName,
                                 String hostEntityId,
                                 String profileBinding)
                          throws SAML2Exception

Verifies single sign on Response and returns information to SAML2 auth module for further processing. This method is used by SAML2 auth module only.

Parameters:

httpRequest - HttpServletRequest

httpResponse - HttpServletResponse

response - Single Sign On Response.

orgName - name of the realm or organization the provider is in.

hostEntityId - Entity ID of the hosted provider.

profileBinding - Profile binding used.

Returns:

A Map of information extracted from the Response. The keys of map are: SAML2Constants.SUBJECT, SAML2Constants.POST_ASSERTION, SAML2Constants.ASSERTIONS, SAML2Constants.SESSION_INDEX, SAML2Constants.AUTH_LEVEL, SAML2Constants.MAX_SESSION_TIME.

Throws:

SAML2Exception - if the Response is not valid according to the processing rules.

validateRecipient

public static void validateRecipient(SPSSODescriptorElement spDesc,
                                     String assertionID,
                                     SubjectConfirmationData subjectConfData)
                              throws SAML2Exception

Validates the Recipient value stored within the SubjectConfirmationData element based on the following rules:

• The value MUST not be null.
• The value must correspond to one of the hosted SP's ACS endpoints.

Parameters:

spDesc - The standard SAML metadata of the hosted SP.

assertionID - The ID of the assertion to be used when creating audit log entries.

subjectConfData - The SubjectConfirmationData element to validate.

Throws:

SAML2Exception - If there was a validation error.

getAttributeValueFromSPSSOConfig

public static String getAttributeValueFromSPSSOConfig(SPSSOConfigElement config,
                                                      String attrName)

Retrieves attribute value for a given attribute name from SPSSOConfig.

Parameters:

config - SPSSOConfigElement instance.

attrName - name of the attribute whose value ot be retrived.

Returns:

value of the attribute; or null if the attribute if not configured, or an error occured in the process.

getStrAssertions

public static List getStrAssertions(List assertions)

Gets List of 'String' assertions from the list of 'Assertion' assertions

Parameters:

assertions - A list of Assertions

Returns:

a String printout of the list of Assertions

isPersistentNameID

public static boolean isPersistentNameID(NameID nameId)

Checks if it is a persistent request or not.

Parameters:

nameId - Name ID object

Returns:

true if it is a persistent request, false if not.

isFedInfoExists

public static boolean isFedInfoExists(String userName,
                                      String hostEntityID,
                                      String remoteEntityId,
                                      NameID nameID)

Checks if the federation information for the user exists or not.

Parameters:

userName - user id for which account federation needs to be returned.

hostEntityID - EntityID of the hosted entity.

remoteEntityId - EntityID of the remote entity.

Returns:

true if exists, false otherwise.

getNameIDKeyMap

public static Map getNameIDKeyMap(NameID nameID,
                                  String hostEntityID,
                                  String remoteEntityID,
                                  String realm,
                                  String hostEntityRole)
                           throws SAML2Exception

Returns the NameIDInfoKey key value pair that can be used for searching the user.

Parameters:

nameID - NameID object.

hostEntityID - hosted EntityID.

remoteEntityID - remote EntityID.

hostEntityRole - the role of hosted entity.

Throws:

SAML2Exception - if any failure.

SAML2Exception

isSourceSiteValid

public static boolean isSourceSiteValid(Issuer issuer,
                                        String orgName,
                                        String hostEntityId)

Returns true if Issuer is valid.

Parameters:

issuer - to be checked Issuer instance.

orgName - the name of the realm or organization.

hostEntityId - Entity ID of the hosted provider.

Returns:

true if the Issuer is trusted; false otherwise.

getDataStoreProvider

public static DataStoreProvider getDataStoreProvider()
                                              throws SAML2Exception

Returns DataStoreProvider object.

Returns:

DataStoreProvider configured for the SAML2 plugin.

Throws:

SAML2Exception - if any failure.

encodeForPOST

public static String encodeForPOST(String str)

Returns the encoded request message. The SAML Request message must be encoded before being transmitted. The Request message is base-64 encoded according to the rules specified in RFC2045.

Parameters:

str - String to be encoded.

Returns:

String the encoded String value or null on error.

encodeForRedirect

public static String encodeForRedirect(String str)

Returns the encoded request message. The SAML Request message must be encoded before being transmitted. The Request message is encoded as follows: 1. URL Encoded using the DEFLATE compression method. 2. Then the message is base-64 encoded according to the rules specified in RFC2045.

Parameters:

str - String to be encoded.

Returns:

String the encoded String value or null on error.

decodeFromRedirect

public static String decodeFromRedirect(String str)

Decodes the request message.

Parameters:

str - String to be decoded.

Returns:

String the decoded String.

removeNewLineChars

public static String removeNewLineChars(String string)

Removes new line character from a String.

Parameters:

string - String to remove newline characters from.

Returns:

String with newline characters trimmed.

getSAML2MetaManager

public static SAML2MetaManager getSAML2MetaManager()

Returns an instance of SAML2MetaManger.

Returns:

Instance of SAML2MetaManager

getRealm

public static String getRealm(String realm)

Returns the realm.

Parameters:

realm - Realm object.

Returns:

realm if the input is not null or empty, otherwise return the root realm.

getParameter

public static String getParameter(Map<String,String> paramsMap,
                                  String attributeName)

Returns the query parameter value for the param specified from the given Map.

Parameters:

paramsMap - a map of parameters

attributeName - name of the parameter

Returns:

the value of this parameter or null if the parameter was not found in the params map

getParamsMap

public static Map<String,List<String>> getParamsMap(javax.servlet.http.HttpServletRequest request)

Returns a Map of parameters retrieved from the Query parameters in the HttpServletRequest.

Parameters:

request - the HttpServletRequest.

Returns:

a Map where the key is the parameter Name and value is of the type List.

generateSourceID

public static String generateSourceID(String entityID)

Generates provider Source ID based on provider Entity ID. The returned is SHA-1 digest string.

Parameters:

entityID - Entity ID for example http://host.sun.com:81

Returns:

sourceID string

extractServerId

public static String extractServerId(String id)

Extracts serverID from the specified id.

Parameters:

id - an id.

Returns:

the extracted id, or null if the given string is too short or null.

getRemoteServiceURL

public static String getRemoteServiceURL(String id)

Gets remote service URL according to server id embedded in the provided ID.

Parameters:

id - The server's ID or a user's sessionIndex.

Returns:

Remote service URL corresponding to the ID, or null if the ID is local, or an error occurred.

generateIDWithServerID

public static String generateIDWithServerID()

Generates ID with server id at the end.

Returns:

ID value.

generateMessageHandleWithServerID

public static String generateMessageHandleWithServerID()

Generates message handle with server id used in an Artifact.

Returns:

String format of 20-byte sequence identifying message.

getLocalServerID

public static String getLocalServerID()

Returns the server id of the local server

putHeaders

public static void putHeaders(MimeHeaders headers,
                              javax.servlet.http.HttpServletResponse response)

Sets mime headers in HTTP servlet response.

Parameters:

headers - mime headers to be set.

response - HTTP servlet response.

generateStatus

public static Status generateStatus(String code,
                                    String message)

Generates SAMLv2 Status object

Parameters:

code - Status code value.

message - Status message.

Returns:

Status object.

generateStatus

public static Status generateStatus(String code,
                                    String subCode,
                                    String message)

Generates SAMLv2 Status object

Parameters:

code - Status code value.

subCode - second-level status code

message - Status message.

Returns:

Status object.

getErrorResponse

public static Response getErrorResponse(RequestAbstract request,
                                        String code,
                                        String subCode,
                                        String statusMsg,
                                        String issuerEntityID)
                                 throws SAML2Exception

Returns a SAML Response object containing error status

Parameters:

request - the RequestAbstract object

code - the error code

subCode - teh second-level error code

statusMsg - the error message

issuerEntityID - the entity id of the issuer

Returns:

the SAML Response object containing error status

Throws:

SAML2Exception - if the operation is not successful

getEncryptionCertAliases

public static List<String> getEncryptionCertAliases(String realm,
                                                    String hostEntityId,
                                                    String entityRole)

Returns encryption certificate alias names.

Parameters:

realm - realm of hosted entity.

hostEntityId - name of hosted entity.

entityRole - role of hosted entity.

Returns:

The list of certificate aliases for encryption.

getSigningCertAlias

public static String getSigningCertAlias(String realm,
                                         String hostEntityId,
                                         String entityRole)

Returns signing certificate alias name.

Parameters:

realm - realm of hosted entity.

hostEntityId - name of hosted entity.

entityRole - role of hosted entity.

Returns:

alias name of certificate alias for signing.

getSigningCertEncryptedKeyPass

public static String getSigningCertEncryptedKeyPass(String realm,
                                                    String hostEntityId,
                                                    String entityRole)

Returns signing certificate key password (encrypted).

Parameters:

realm - realm of hosted entity.

hostEntityId - name of hosted entity.

entityRole - role of hosted entity.

Returns:

The encrypted keypass of the private key used for signing.

getWantAssertionEncrypted

public static boolean getWantAssertionEncrypted(String realm,
                                                String hostEntityId,
                                                String entityRole)

Returns true if wantAssertionEncrypted has String true.

Parameters:

realm - realm of hosted entity.

hostEntityId - name of hosted entity.

entityRole - role of hosted entity.

Returns:

true if wantAssertionEncrypted has String true.

getWantAttributeEncrypted

public static boolean getWantAttributeEncrypted(String realm,
                                                String hostEntityId,
                                                String entityRole)

Returns true if wantAttributeEncrypted has String true.

Parameters:

realm - realm of hosted entity.

hostEntityId - name of hosted entity.

entityRole - role of hosted entity.

Returns:

true if wantAttributeEncrypted has String true.

getWantNameIDEncrypted

public static boolean getWantNameIDEncrypted(String realm,
                                             String hostEntityId,
                                             String entityRole)

Returns true if wantNameIDEncrypted has String true.

Parameters:

realm - realm of hosted entity.

hostEntityId - name of hosted entity.

entityRole - role of hosted entity.

Returns:

true if wantNameIDEncrypted has String true.

getWantArtifactResolveSigned

public static boolean getWantArtifactResolveSigned(String realm,
                                                   String hostEntityId,
                                                   String entityRole)

Returns true if wantArtifactResolveSigned has String true.

Parameters:

realm - realm of hosted entity.

hostEntityId - name of hosted entity.

entityRole - role of hosted entity.

Returns:

true if wantArtifactResolveSigned has String true.

getWantArtifactResponseSigned

public static boolean getWantArtifactResponseSigned(String realm,
                                                    String hostEntityId,
                                                    String entityRole)

Returns true if wantArtifactResponseSigned has String true.

Parameters:

realm - realm of hosted entity.

hostEntityId - name of hosted entity.

entityRole - role of hosted entity.

Returns:

true if wantArtifactResponseSigned has String true.

getWantLogoutRequestSigned

public static boolean getWantLogoutRequestSigned(String realm,
                                                 String hostEntityId,
                                                 String entityRole)

Returns true if wantLogoutRequestSigned has String true.

Parameters:

realm - realm of hosted entity.

hostEntityId - name of hosted entity.

entityRole - role of hosted entity.

Returns:

true if wantLogoutRequestSigned has String true.

getWantLogoutResponseSigned

public static boolean getWantLogoutResponseSigned(String realm,
                                                  String hostEntityId,
                                                  String entityRole)

Returns true if wantLogoutResponseSigned has String true.

Parameters:

realm - realm of hosted entity.

hostEntityId - name of hosted entity.

entityRole - role of hosted entity.

Returns:

true if wantLogoutResponseSigned has String true.

getWantMNIRequestSigned

public static boolean getWantMNIRequestSigned(String realm,
                                              String hostEntityId,
                                              String entityRole)

Returns true if wantMNIRequestSigned has String true.

Parameters:

realm - realm of hosted entity.

hostEntityId - name of hosted entity.

entityRole - role of hosted entity.

Returns:

true if wantMNIRequestSigned has String true.

getWantMNIResponseSigned

public static boolean getWantMNIResponseSigned(String realm,
                                               String hostEntityId,
                                               String entityRole)

Returns true if wantMNIResponseSigned has String true.

Parameters:

realm - realm of hosted entity.

hostEntityId - name of hosted entity.

entityRole - role of hosted entity.

Returns:

true if wantMNIResponseSigned has String true.

getBooleanAttributeValueFromSSOConfig

public static boolean getBooleanAttributeValueFromSSOConfig(String realm,
                                                            String hostEntityId,
                                                            String entityRole,
                                                            String attrName)

Returns boolean value of specified attribute from SSOConfig. This method is used for boolean-valued attributes.

Parameters:

realm - realm of hosted entity.

hostEntityId - name of hosted entity.

entityRole - role of hosted entity.

attrName - attribute name for the value.

Returns:

value of specified attribute from SSOConfig.

getAttributeValueFromSSOConfig

public static String getAttributeValueFromSSOConfig(String realm,
                                                    String hostEntityId,
                                                    String entityRole,
                                                    String attrName)

Returns single value of specified attribute from SSOConfig. This method is used for single-valued attributes.

Parameters:

realm - realm of hosted entity.

hostEntityId - name of hosted entity.

entityRole - role of hosted entity.

attrName - attribute name for the value.

Returns:

value of specified attribute from SSOConfig.

getAllAttributeValueFromSSOConfig

public static List<String> getAllAttributeValueFromSSOConfig(String realm,
                                                             String hostEntityId,
                                                             String entityRole,
                                                             String attrName)

Returns all values of specified attribute from SSOConfig.

Parameters:

realm - realm of hosted entity.

hostEntityId - name of hosted entity.

entityRole - role of hosted entity.

attrName - attribute name for the value.

Returns:

value of specified attribute from SSOConfig.

getHostEntityRole

public static String getHostEntityRole(Map paramsMap)
                                throws SAML2Exception

Returns the role of host entity.

Parameters:

paramsMap - Map includes parameters.

Returns:

role name for hosted entity.

Throws:

SAML2Exception - if error in retrieving the parameters.

isDualRole

public static boolean isDualRole(String hostEntityId,
                                 String realm)

Returns true if this entity is acting as both SP and IDP.

Parameters:

hostEntityId - entity ID of the hosted entity.

realm - the realm the entity resides.

Returns:

true if this entity is acting as both SP and IDP, false otherwise.

redirectAuthentication

public static void redirectAuthentication(javax.servlet.http.HttpServletRequest request,
                                          javax.servlet.http.HttpServletResponse response,
                                          String realm,
                                          String hostEntityID,
                                          String entityRole)
                                   throws IOException

Returns url for redirection.

Parameters:

request - HttpServletRequest for redirecting.

response - HttpServletResponse for redirecting.

realm - realm of hosted entity.

hostEntityID - name of hosted entity.

entityRole - role of hosted entity.

Throws:

IOException - if error in redirecting request.

createIssuer

public static Issuer createIssuer(String entityID)
                           throws SAML2Exception

Returns url for redirection.

Parameters:

entityID - entityID for Issuer.

Returns:

Issuer for the specified entityID.

Throws:

SAML2Exception - if error in creating Issuer element.

signQueryString

public static String signQueryString(String queryString,
                                     String realm,
                                     String hostEntity,
                                     String hostEntityRole)
                              throws SAML2Exception

Sign Query string.

Parameters:

queryString - URL query string that will be signed.

realm - realm of host entity.

hostEntity - entityID of host entity.

hostEntityRole - entity role of host entity.

Returns:

returns signed query string.

Throws:

SAML2Exception - if error in signing the query string.

verifyQueryString

public static boolean verifyQueryString(String queryString,
                                        String realm,
                                        String hostEntityRole,
                                        String remoteEntity)
                                 throws SAML2Exception

Verify Signed Query string.

Parameters:

queryString - URL query string that will be verified.

realm - realm of host entity.

hostEntityRole - entity role of host entity.

remoteEntity - entityID of peer entity.

Returns:

returns true if sign is valid.

Throws:

SAML2Exception - if error in verifying the signature.

checkSession

public static Object checkSession(javax.servlet.http.HttpServletRequest request,
                                  javax.servlet.http.HttpServletResponse response,
                                  String metaAlias,
                                  Map paramsMap)
                           throws SAML2Exception

Parses the request parameters and return session object or redirect to login url.

Parameters:

request - the HttpServletRequest.

response - the HttpServletResponse.

metaAlias - entityID of hosted entity.

paramsMap - Map of all other parameters.

Returns:

session object of HttpServletRequest.

Throws:

SAML2Exception - if error initiating request to remote entity.

createNameIdentifier

public static String createNameIdentifier()

Returns a Name Identifier

Returns:

a String the Name Identifier. Null value is returned if there is an error in generating the Name Identifier.

getSPAuthnContextMapper

public static SPAuthnContextMapper getSPAuthnContextMapper(String realm,
                                                           String hostEntityID,
                                                           String authnCtxClassName)

Returns the Service Provider AuthnContext Mapper Object.

Parameters:

authnCtxClassName - Service Provider AuthnContext Mapper Class Name.

Returns:

SPAuthnContextMapper Object.

verifyRequestIssuer

public static boolean verifyRequestIssuer(String realm,
                                          String hostEntity,
                                          Issuer reqIssuer,
                                          String requestId)
                                   throws SAML2Exception

Verifies Issuer in Request and returns true if the Issuer is part of COT SAML2 auth module only.

Parameters:

realm - realm of hosted entity.

hostEntity - name of hosted entity.

reqIssuer - Issuer of Request.

requestId - request ID

Returns:

true if issuer is valid.

Throws:

SAML2Exception

verifyResponseIssuer

public static boolean verifyResponseIssuer(String realm,
                                           String hostEntity,
                                           Issuer resIssuer,
                                           String requestId)
                                    throws SAML2Exception

Verifies Issuer in Response and returns true if the Issuer is part of COT

Parameters:

realm - realm of hosted entity.

hostEntity - name of hosted entity.

resIssuer - Issuer of Response.

requestId - request ID for the response.

Returns:

true if issuer is valid.

Throws:

SAML2Exception

getReaderURL

public static String getReaderURL(String spMetaAlias)

getBaseURL

public static String getBaseURL(javax.servlet.http.HttpServletRequest request)

Returns the Request URL. The getRequestURL does not alway returns the correct url so this method builds the URL by retrieving the protocol,port host name and deploy descriptor.

Parameters:

request - the HttpServletRequest.

Returns:

the Request URL string.

getPreferredIDP

public static String getPreferredIDP(javax.servlet.http.HttpServletRequest request)

Returns the Identity Provider Entity Identifier. This method retrieves the _saml_idp query parameter from the request and parses it to get the idp entity id. If there are more then one idps then the last one is the preferred idp.

Parameters:

request - the HttpServletRequest .

Returns:

the identity provider entity identifier String.

getRedirectURL

public static String getRedirectURL(String readerURL,
                                    String requestID,
                                    javax.servlet.http.HttpServletRequest request)

Returns the redirect URL. This methods returns the complete reader redirect url. The RelayState and requestId parameter are appended to the URL to redirection back to the spSSOInit jsp.

Parameters:

readerURL - the readerURL to redirect to.

requestID - the unique identifier to identify the request.

request - the HttpServletRequest.

Returns:

redirectURL the URL to redirect to.

getIDPAccountMapper

public static IDPAccountMapper getIDPAccountMapper(String realm,
                                                   String idpEntityID)
                                            throws SAML2Exception

Returns an IDPAccountMapper

Parameters:

realm - the realm name

idpEntityID - the entity id of the identity provider

Returns:

the IDPAccountMapper

Throws:

SAML2Exception - if the operation is not successful

getIDPAdapterClass

public static SAML2IdentityProviderAdapter getIDPAdapterClass(String realm,
                                                              String idpEntityID)
                                                       throws SAML2Exception

Returns a SAML2IdentityProviderAdapter

Parameters:

realm - the realm name

idpEntityID - the entity id of the identity provider

Returns:

the SAML2IdentityProviderAdapter

Throws:

SAML2Exception - if the operation is not successful

getSPAdapterClass

public static SAML2ServiceProviderAdapter getSPAdapterClass(String spEntityID,
                                                            String realm)
                                                     throws SAML2Exception

Returns an SP adapter class

Parameters:

spEntityID - the entity id of the service provider

realm - the realm name

Returns:

the SP adapter class

Throws:

SAML2Exception - if the operation is not successful

getFedletAdapterClass

public static FedletAdapter getFedletAdapterClass(String spEntityID,
                                                  String realm)
                                           throws SAML2Exception

Returns a Fedlet adapter class.

Parameters:

spEntityID - the entity id of the service provider

realm - the realm name

Returns:

the Fedlet adapter class

Throws:

SAML2Exception - if the operation is not successful

getSPAccountMapper

public static SPAccountMapper getSPAccountMapper(String realm,
                                                 String spEntityID)
                                          throws SAML2Exception

Returns an SPAccountMapper

Parameters:

realm - the realm name

spEntityID - the entity id of the service provider

Returns:

the SPAccountMapper

Throws:

SAML2Exception - if the operation is not successful

getECPIDPFinder

public static SAML2IDPFinder getECPIDPFinder(String realm,
                                             String spEntityID)
                                      throws SAML2Exception

Returns an SAML2IDPFinder which is used to find a list of IDP's for ECP Request.

Parameters:

realm - the realm name

spEntityID - the entity id of the service provider

Returns:

the SAML2IDPFinder

Throws:

SAML2Exception - if the operation is not successful

getRelayState

public static String getRelayState(javax.servlet.http.HttpServletRequest request)

Returns the URL to which redirection will happen after Single-Signon / Federation. This methods checks the following parameters to determine the Relay State. 1. The "RelayState" query parameter in the request. 2. The "RelayStateAlias" query parameter in the request which is used in the absence of the RelayState parameter to determine which query parameter to use if no "RelayState" query paramerter is present. 3. The "goto" query parameter if present is the default RelayState in the absence of the above.

Parameters:

request - the HttpServletRequest object.

Returns:

the value of the URL to which to redirect on successful Single-SignOn / Federation.

verifyDestination

public static boolean verifyDestination(String destination,
                                        String location)

Compares the destination and location

Parameters:

destination - Destination

location - the URL from the meta

Returns:

true if the input are the same, otherwise, return false

getSAEAttrs

public static Map getSAEAttrs(String realm,
                              String entityId,
                              String role,
                              String appUrl)

Retrieves SAE related attributes from exended metadata.

Parameters:

realm - realm the FM provider is in

entityId - the entity ID of the FM provider

role - Role of the FM provider

appUrl - application url

Returns:

Map containing SAE parameters or null in case of error.

getNameIDStringFromResponse

public static String getNameIDStringFromResponse(Response response)

Obtains the value of NameID from Response.

Parameters:

response - Response object

Returns:

value of the NameID from the first Assertion in the response. null if the response is null, or no assertion in the response, or no NameID in the assertion.

logAccess

public static void logAccess(Level lvl,
                             String msgid,
                             String[] data,
                             Object tok,
                             String ipaddr,
                             String userid,
                             String org,
                             String module,
                             Map props)

Writes a log record in SAML2 access log. (fmSAML2.access)

Parameters:

lvl - indicating log level

msgid - Message id

data - string array of dynamic data only known during run time

tok - Session of authenticated user

ipaddr - IP Address.

userid - User Id.

org - Organization.

module - Module Name.

props - log record columns - used if tok is not available to specify log record columns such as ip address, realm, etc

logError

public static void logError(Level lvl,
                            String msgid,
                            String[] data,
                            Object tok,
                            String ipaddr,
                            String userid,
                            String org,
                            String module,
                            Map props)

Writes error occurred in SAML2 component into a log (fmSAML2.error)

Parameters:

lvl - indicating log level

msgid - Message id

data - string array of dynamic data only known during run time

tok - Session of authenticated user

ipaddr - IP Address

userid - User Id

org - Organization

module - Module Name

props - log record columns - used if tok is not available to specify log record columns such as ip address, realm, etc

getAttributeValueFromXACMLConfig

public static String getAttributeValueFromXACMLConfig(String realm,
                                                      String entityRole,
                                                      String entityID,
                                                      String attrName)

Returns the value of attribute from entity configuration.

Parameters:

realm - the realm of the entity.

entityRole - role of the entity (PEP or PDP).

entityID - identity of the entity.

attrName - name of attribute whose value is to be retreived.

Returns:

value of the attribute.

getWantXACMLAuthzDecisionQuerySigned

public static boolean getWantXACMLAuthzDecisionQuerySigned(String realm,
                                                           String entityID,
                                                           String entityRole)

Returns true if wantXACMLAuthzDecisionQuerySigned has true true.

Parameters:

realm - realm of hosted entity.

entityID - name of hosted entity.

entityRole - role of hosted entity.

Returns:

true if wantXACMLAuthzDecisionQuerySigned has String true.

validateCertificate

public static boolean validateCertificate(X509Certificate cert)

Checks certificate validity with configured CRL

Parameters:

cert - x509 certificate

Returns:

true if the certificate is not in CRL, otherwise, return false

getSPAttributeMapper

public static SPAttributeMapper getSPAttributeMapper(String realm,
                                                     String spEntityID)
                                              throws SAML2Exception

Gets the SPAttributeMapper.

Parameters:

realm - The realm the SP belongs to.

spEntityID - The entity ID of the SP.

Returns:

The SPAttributeMapper defined in the configuration.

Throws:

SAML2Exception - if the processing failed.

getConfigAttributeMap

public static Map getConfigAttributeMap(String realm,
                                        String hostEntityID,
                                        String role)
                                 throws SAML2Exception

Returns the attribute map by parsing the configured map in hosted provider configuration

Parameters:

realm - realm name.

hostEntityID - EntityID of the hosted provider.

Returns:

a map of local attributes configuration map. This map will have a key as the SAML attribute name and the value is the local attribute.

Throws:

SAML2Exception - if any failured.

SAML2Exception

getMappedAttributes

public static Map<String,String> getMappedAttributes(List<String> mappedAttributes)

For the list of Strings containing mappings, return a map of name value pairs that match the mapping string

Parameters:

mappedAttributes - a non-null list of strings in the form of name=value or name="static value"

Returns:

a Map of name value pairs keyed off of the mapping name from the mappedAttributes list

getSAMLAttribute

public static Attribute getSAMLAttribute(String name,
                                         String[] values)
                                  throws SAML2Exception

Returns the SAML Attribute object.

Parameters:

name - attribute name.

values - attribute values.

Throws:

SAML2Exception - if any failure.

postToTarget

public static void postToTarget(javax.servlet.http.HttpServletRequest request,
                                javax.servlet.http.HttpServletResponse response,
                                String SAMLmessageName,
                                String SAMLmessageValue,
                                String relayStateName,
                                String relayStateValue,
                                String targetURL)
                         throws SAML2Exception

Throws:

SAML2Exception

verifyNameIDFormat

public static String verifyNameIDFormat(String nameIDFormat,
                                        SPSSODescriptorElement spsso,
                                        IDPSSODescriptorElement idpsso)
                                 throws SAML2Exception

Verifies specified name ID format and returns it. If specified name ID format is empty, returns name ID foramt supported by both IDP and SP.

Parameters:

nameIDFormat - name ID format.

spsso - SP meta data desciptor.

idpsso - IDP meta data desciptor.

Throws:

SAML2Exception - if name ID format is not supported.

isAuthnContextMatching

public static boolean isAuthnContextMatching(List requestedACClassRefs,
                                             String acClassRef,
                                             String comparison,
                                             Map acClassRefLevelMap)

Returns true if the specified AuthnContextClassRef matches a list of requested AuthnContextClassRef.

Parameters:

requestedACClassRefs - a list of requested AuthnContextClassRef's

acClassRef - AuthnContextClassRef

comparison - the type of comparison

acClassRefLevelMap - a AuthnContextClassRef to AuthLevel map. Key is AuthnContextClassRef in String and value is AuthLevel in Integer

Returns:

true if the specified AuthnContextClassRef matches a list of requested AuthnContextClassRef

postToAppLogout

public static void postToAppLogout(javax.servlet.http.HttpServletRequest request,
                                   String appLogoutURL,
                                   Object session)

Processes logout for external application. This will do a back channel HTTP POST to the external application logout URL with all the cookies and selected session property as HTTP header.

Parameters:

request - HttpServletRequest

appLogoutURL - external application logout URL

session - session object of the user

getCookiesString

public static String getCookiesString(javax.servlet.http.HttpServletRequest request)

wantPOSTResponseSigned

public static boolean wantPOSTResponseSigned(String realm,
                                             String hostEntityId,
                                             String entityRole)

Returns value of attribute wantPOSTResponseSigned as a boolean value true to false.

Parameters:

realm - realm of hosted entity.

hostEntityId - name of hosted entity.

entityRole - role of hosted entity.

Returns:

true if wantPOSTResponseSigned has String true, otherwise false.

isSPProfileBindingSupported

public static boolean isSPProfileBindingSupported(String realm,
                                                  String spEntityID,
                                                  String profile,
                                                  String binding)

Checks if a profile binding is suppported by a SP.

Parameters:

realm - Realm the SP is in.

spEntityID - SP entity id.

profile - name of the profile/service

binding - binding to be checked on

Returns:

true if the binding is supported; false otherwise.

isIDPProfileBindingSupported

public static boolean isIDPProfileBindingSupported(String realm,
                                                   String idpEntityID,
                                                   String profile,
                                                   String binding)

Checks if a profile binding is suppported by an IDP.

Parameters:

realm - Realm the IDP is in.

idpEntityID - IDP entity id.

profile - name of the profile/service

binding - binding to be checked on

Returns:

true if the binding is supported; false otherwise.

isRelayStateURLValid

public static boolean isRelayStateURLValid(javax.servlet.http.HttpServletRequest request,
                                           String relayState,
                                           String role)

Convenience method to validate a SAML2 relay state (goto) URL, often called from a JSP.

Parameters:

request - Used to help establish the realm and hostEntityID.

relayState - The URL to validate.

role - The role of the caller.

Returns:

true if the relayState is valid.

isRelayStateURLValid

public static boolean isRelayStateURLValid(String metaAlias,
                                           String relayState,
                                           String role)

Convenience method to validate a SAML2 relay state (goto) URL, often called from a JSP.

Parameters:

metaAlias - The metaAlias of the hosted entity.

relayState - The URL to validate.

role - The role of the caller.

Returns:

true if the relayState is valid.

validateRelayStateURL

public static void validateRelayStateURL(String orgName,
                                         String hostEntityId,
                                         String relayState,
                                         String role)
                                  throws SAML2Exception

Validates the Relay State URL against a list of valid Relay State URLs created on the hosted service provider.

Parameters:

orgName - realm or organization name the provider resides in.

hostEntityId - Entity ID of the hosted provider.

relayState - Relay State URL.

role - IDP/SP Role.

Throws:

SAML2Exception - if the processing failed.

sendRequestToOrigServer

public static HashMap sendRequestToOrigServer(javax.servlet.http.HttpServletRequest request,
                                              javax.servlet.http.HttpServletResponse response,
                                              String sloServerUrl)

Sends the request to the original Federation server and receives the result data.

Parameters:

request - HttpServletRequest to be sent

response - HttpServletResponse to be received

sloServerUrl - URL of the original federation server to be connected

Returns:

HashMap of the result data from the original server's response

createCookie

public static javax.servlet.http.Cookie createCookie(String cookieName,
                                                     String cookieValue,
                                                     String cookieDomain,
                                                     String path)

Creates a Cookie with the cookieName, cookieValue for the cookie domains specified.

TODO: Copied from AuthClientUtils Refactor

Parameters:

cookieName - is the name of the cookie

cookieValue - is the value fo the cookie

cookieDomain - Domain for which the cookie is to be set.

path - The path into which the cookie shall be set

Returns:

the cookie object.

isIgnoreProfileSet

public static boolean isIgnoreProfileSet(Object session)
                                  throws SessionException

Return true if the User for this session has a profile set to Ignore

Parameters:

session - session object of the user

Returns:

true if the User for this session has a profile set to Ignore

Throws:

SessionException

getSingleValuedSessionProperty

public static String getSingleValuedSessionProperty(Object session,
                                                    String propertyName)
                                             throws SessionException

Returns the first value of the session property.

Parameters:

session - The session object.

propertyName - The property's name that needs to be returned.

Returns:

The property value derived from the session object.

Throws:

SessionException - If there was a problem while retrieving the session property.