Class SAML2Utils


  • public class SAML2Utils
    extends SAML2SDKUtils
    The SAML2Utils contains utility methods for SAML 2.0 implementation.
    • Constructor Detail

      • SAML2Utils

        public SAML2Utils()
    • Method Detail

      • verifyResponse

        public static Map verifyResponse​(jakarta.servlet.http.HttpServletRequest httpRequest,
                                         jakarta.servlet.http.HttpServletResponse httpResponse,
                                         Response response,
                                         String orgName,
                                         String hostEntityId,
                                         String profileBinding)
                                  throws SAML2Exception
        Verifies single sign on Response and returns information to SAML2 auth module for further processing. This method is used by SAML2 auth module only.
        Parameters:
        httpRequest - HttpServletRequest
        httpResponse - HttpServletResponse
        response - Single Sign On Response.
        orgName - name of the realm or organization the provider is in.
        hostEntityId - Entity ID of the hosted provider.
        profileBinding - Profile binding used.
        Returns:
        A Map of information extracted from the Response. The keys of map are: SAML2Constants.SUBJECT, SAML2Constants.POST_ASSERTION, SAML2Constants.ASSERTIONS, SAML2Constants.SESSION_INDEX, SAML2Constants.AUTH_LEVEL, SAML2Constants.MAX_SESSION_TIME.
        Throws:
        SAML2Exception - if the Response is not valid according to the processing rules.
      • validateRecipient

        public static void validateRecipient​(SPSSODescriptorElement spDesc,
                                             String assertionID,
                                             SubjectConfirmationData subjectConfData)
                                      throws SAML2Exception
        Validates the Recipient value stored within the SubjectConfirmationData element based on the following rules:
        • The value MUST not be null.
        • The value must correspond to one of the hosted SP's ACS endpoints.
        Parameters:
        spDesc - The standard SAML metadata of the hosted SP.
        assertionID - The ID of the assertion to be used when creating audit log entries.
        subjectConfData - The SubjectConfirmationData element to validate.
        Throws:
        SAML2Exception - If there was a validation error.
      • getAttributeValueFromSPSSOConfig

        public static String getAttributeValueFromSPSSOConfig​(SPSSOConfigElement config,
                                                              String attrName)
        Retrieves attribute value for a given attribute name from SPSSOConfig.
        Parameters:
        config - SPSSOConfigElement instance.
        attrName - name of the attribute whose value is to be retrieved.
        Returns:
        value of the attribute, or null if the attribute is not configured or an error occurred while reading it.
      • getStrAssertions

        public static List getStrAssertions​(List assertions)
        Gets a List of String assertions from a List of Assertion objects.
        Parameters:
        assertions - A list of Assertions
        Returns:
        a List containing the XML String form of each Assertion.
      • isPersistentNameID

        public static boolean isPersistentNameID​(NameID nameId)
        Checks whether the NameID is persistent.
        Parameters:
        nameId - Name ID object
        Returns:
        true if the NameID is persistent, false otherwise.
      • isFedInfoExists

        public static boolean isFedInfoExists​(String userName,
                                              String hostEntityID,
                                              String remoteEntityId,
                                              NameID nameID)
        Checks whether federation information for the user exists.
        Parameters:
        userName - user ID whose account federation is to be checked.
        hostEntityID - EntityID of the hosted entity.
        remoteEntityId - EntityID of the remote entity.
        nameID - NameID of the federated account.
        Returns:
        true if it exists, false otherwise.
      • getNameIDKeyMap

        public static Map getNameIDKeyMap​(NameID nameID,
                                          String hostEntityID,
                                          String remoteEntityID,
                                          String realm,
                                          String hostEntityRole)
                                   throws SAML2Exception
        Returns the NameIDInfoKey key/value pair that can be used for searching the user.
        Parameters:
        nameID - NameID object.
        hostEntityID - hosted EntityID.
        remoteEntityID - remote EntityID.
        realm - realm of the hosted entity.
        hostEntityRole - the role of hosted entity.
        Returns:
        a Map holding the NameIDInfoKey attribute name and the value to search for.
        Throws:
        SAML2Exception
      • isSourceSiteValid

        public static boolean isSourceSiteValid​(Issuer issuer,
                                                String orgName,
                                                String hostEntityId)
        Returns true if Issuer is valid.
        Parameters:
        issuer - to be checked Issuer instance.
        orgName - the name of the realm or organization.
        hostEntityId - Entity ID of the hosted provider.
        Returns:
        true if the Issuer is trusted; false otherwise.
      • getDataStoreProvider

        public static DataStoreProvider getDataStoreProvider()
                                                      throws SAML2Exception
        Returns DataStoreProvider object.
        Returns:
        DataStoreProvider configured for the SAML2 plugin.
        Throws:
        SAML2Exception - if any failure.
      • encodeForPOST

        public static String encodeForPOST​(String str)
        Returns the encoded request message. The SAML Request message must be encoded before being transmitted. The Request message is base-64 encoded according to the rules specified in RFC2045.
        Parameters:
        str - String to be encoded.
        Returns:
        String the encoded String value or null on error.
      • encodeForRedirect

        public static String encodeForRedirect​(String str)
        Returns the encoded request message. The SAML Request message must be encoded before being transmitted over the HTTP-Redirect binding. The message is encoded as follows: 1. Compressed with raw DEFLATE (RFC 1951). 2. Base-64 encoded according to the rules specified in RFC 2045. 3. URL-encoded so that it can be carried as a query parameter value.
        Parameters:
        str - String to be encoded.
        Returns:
        String the encoded String value or null on error.
      • decodeFromRedirect

        public static String decodeFromRedirect​(String str)
        Decodes a message produced by encodeForRedirect (base-64 decoding followed by DEFLATE inflation).
        Parameters:
        str - String to be decoded.
        Returns:
        String the decoded String.
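        The encodings described for encodeForPOST, encodeForRedirect and decodeFromRedirect, as an added stand-alone example that is not the project's own code: raw DEFLATE, base-64 and URL-encoding for the HTTP-Redirect binding, plain base-64 for HTTP-POST, and the inverse with a cap on the inflated size, because a few hundred bytes of query string can inflate into megabytes of XML. The class and constant names are made up for the example, the AuthnRequest is constructed, the decoder assumes the servlet container has already URL-decoded the parameter value, and the code assumes Java 10 or later for the Charset overloads of URLEncoder and URLDecoder.

```java
import java.io.ByteArrayOutputStream;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

/** Illustration of the HTTP-POST and HTTP-Redirect message encodings (example code, not SAML2Utils). */
public final class RedirectEncodingExample {

    /** Largest inflated message we are willing to produce; 1 MiB is an assumed bound for the example. */
    private static final int MAX_INFLATED_BYTES = 1 << 20;

    /** HTTP-POST binding: plain base-64 of the XML, no compression. */
    public static String encodeForPost(String xml) {
        return Base64.getEncoder().encodeToString(xml.getBytes(StandardCharsets.UTF_8));
    }

    /** HTTP-Redirect binding: raw DEFLATE, then base-64, then URL-encode for the query string. */
    public static String encodeForRedirect(String xml) {
        byte[] input = xml.getBytes(StandardCharsets.UTF_8);
        // nowrap=true produces raw DEFLATE (RFC 1951) without the zlib header.
        Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
        deflater.setInput(input);
        deflater.finish();
        ByteArrayOutputStream out = new ByteArrayOutputStream(input.length);
        byte[] buf = new byte[4096];
        while (!deflater.finished()) {
            out.write(buf, 0, deflater.deflate(buf));
        }
        deflater.end();
        String b64 = Base64.getEncoder().encodeToString(out.toByteArray());
        return URLEncoder.encode(b64, StandardCharsets.UTF_8);
    }

    /** Inverse of encodeForRedirect; takes the value as the container delivers it (already URL-decoded). */
    public static String decodeFromRedirect(String b64) throws DataFormatException {
        byte[] compressed = Base64.getDecoder().decode(b64);   // IllegalArgumentException on bad base-64
        Inflater inflater = new Inflater(true);
        inflater.setInput(compressed);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        try {
            while (!inflater.finished()) {
                int n = inflater.inflate(buf);
                if (n == 0 && (inflater.needsInput() || inflater.needsDictionary())) {
                    throw new DataFormatException("truncated or malformed DEFLATE stream");
                }
                // Bound the output before writing it: this is the decompression-bomb check.
                if (out.size() + n > MAX_INFLATED_BYTES) {
                    throw new DataFormatException("inflated message exceeds " + MAX_INFLATED_BYTES + " bytes");
                }
                out.write(buf, 0, n);
            }
        } finally {
            inflater.end();
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample AuthnRequest; the entity ID is a placeholder.
        String authnRequest = "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
                + " ID=\"_example1\" Version=\"2.0\" IssueInstant=\"2024-01-01T00:00:00Z\">"
                + "<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">"
                + "https://sp.example.com/sp</saml:Issuer></samlp:AuthnRequest>";

        String queryValue = encodeForRedirect(authnRequest);
        System.out.println("SAMLRequest=" + queryValue);

        // The servlet container URL-decodes query parameters before the application sees them.
        String asReceived = URLDecoder.decode(queryValue, StandardCharsets.UTF_8);
        if (!decodeFromRedirect(asReceived).equals(authnRequest)) {
            throw new IllegalStateException("round trip failed");
        }
        System.out.println("POST form starts with " + encodeForPost(authnRequest).substring(0, 16));
    }
}
```

        The inflate loop stops on a truncated stream instead of spinning, and the size check runs before the bytes are buffered, so an oversized message is refused without ever being materialised.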
      • removeNewLineChars

        public static String removeNewLineChars​(String string)
        Removes new line character from a String.
        Parameters:
        string - String to remove newline characters from.
        Returns:
        String with newline characters trimmed.
      • getSAML2MetaManager

        public static SAML2MetaManager getSAML2MetaManager()
        Returns an instance of SAML2MetaManager.
        Returns:
        Instance of SAML2MetaManager
      • getRealm

        public static String getRealm​(String realm)
        Returns the realm.
        Parameters:
        realm - name of the realm.
        Returns:
        realm if the input is not null or empty, otherwise return the root realm.
      • getParameter

        public static String getParameter​(Map<String,​String> paramsMap,
                                          String attributeName)
        Returns the query parameter value for the param specified from the given Map.
        Parameters:
        paramsMap - a map of parameters
        attributeName - name of the parameter
        Returns:
        the value of this parameter or null if the parameter was not found in the params map
      • getParamsMap

        public static Map<String,​List<String>> getParamsMap​(jakarta.servlet.http.HttpServletRequest request)
        Returns a Map of parameters retrieved from the Query parameters in the HttpServletRequest.
        Parameters:
        request - the HttpServletRequest.
        Returns:
        a Map where the key is the parameter Name and value is of the type List.
      • generateSourceID

        public static String generateSourceID​(String entityID)
        Generates the provider Source ID from the provider Entity ID. The returned value is the SHA-1 digest of the entity ID, which the SAML 2.0 artifact format uses to identify the issuing provider.
        Parameters:
        entityID - Entity ID for example http://host.sun.com:81
        Returns:
        sourceID string
      • extractServerId

        public static String extractServerId​(String id)
        Extracts serverID from the specified id.
        Parameters:
        id - an id.
        Returns:
        the extracted id, or null if the given string is too short or null.
      • getRemoteServiceURL

        public static String getRemoteServiceURL​(String id)
        Gets remote service URL according to server id embedded in the provided ID.
        Parameters:
        id - The server's ID or a user's sessionIndex.
        Returns:
        Remote service URL corresponding to the ID, or null if the ID is local, or an error occurred.
      • generateIDWithServerID

        public static String generateIDWithServerID()
        Generates ID with server id at the end.
        Returns:
        ID value.
      • generateMessageHandleWithServerID

        public static String generateMessageHandleWithServerID()
        Generates message handle with server id used in an Artifact.
        Returns:
        String format of 20-byte sequence identifying message.
      • getLocalServerID

        public static String getLocalServerID()
        Returns the server ID of the local server.
      • putHeaders

        public static void putHeaders​(jakarta.xml.soap.MimeHeaders headers,
                                      jakarta.servlet.http.HttpServletResponse response)
        Sets mime headers in HTTP servlet response.
        Parameters:
        headers - mime headers to be set.
        response - HTTP servlet response.
      • generateStatus

        public static Status generateStatus​(String code,
                                            String message)
        Generates SAMLv2 Status object
        Parameters:
        code - Status code value.
        message - Status message.
        Returns:
        Status object.
      • generateStatus

        public static Status generateStatus​(String code,
                                            String subCode,
                                            String message)
        Generates SAMLv2 Status object
        Parameters:
        code - Status code value.
        subCode - second-level status code
        message - Status message.
        Returns:
        Status object.
      • getErrorResponse

        public static Response getErrorResponse​(RequestAbstract request,
                                                String code,
                                                String subCode,
                                                String statusMsg,
                                                String issuerEntityID)
                                         throws SAML2Exception
        Returns a SAML Response object containing error status
        Parameters:
        request - the RequestAbstract object
        code - the error code
        subCode - the second-level error code
        statusMsg - the error message
        issuerEntityID - the entity id of the issuer
        Returns:
        the SAML Response object containing error status
        Throws:
        SAML2Exception - if the operation is not successful
      • getEncryptionCertAliases

        public static List<String> getEncryptionCertAliases​(String realm,
                                                            String hostEntityId,
                                                            String entityRole)
        Returns encryption certificate alias names.
        Parameters:
        realm - realm of hosted entity.
        hostEntityId - name of hosted entity.
        entityRole - role of hosted entity.
        Returns:
        The list of certificate aliases for encryption.
      • getSigningCertAlias

        public static String getSigningCertAlias​(String realm,
                                                 String hostEntityId,
                                                 String entityRole)
        Returns signing certificate alias name.
        Parameters:
        realm - realm of hosted entity.
        hostEntityId - name of hosted entity.
        entityRole - role of hosted entity.
        Returns:
        alias name of certificate alias for signing.
      • getSigningCertEncryptedKeyPass

        public static String getSigningCertEncryptedKeyPass​(String realm,
                                                            String hostEntityId,
                                                            String entityRole)
        Returns signing certificate key password (encrypted).
        Parameters:
        realm - realm of hosted entity.
        hostEntityId - name of hosted entity.
        entityRole - role of hosted entity.
        Returns:
        The encrypted keypass of the private key used for signing.
      • getWantAssertionEncrypted

        public static boolean getWantAssertionEncrypted​(String realm,
                                                        String hostEntityId,
                                                        String entityRole)
        Returns true if the wantAssertionEncrypted attribute in the hosted entity's SSOConfig (extended metadata) is set to "true".
        Parameters:
        realm - realm of hosted entity.
        hostEntityId - name of hosted entity.
        entityRole - role of hosted entity.
        Returns:
        true if wantAssertionEncrypted is set to "true", false otherwise.
      • getWantAttributeEncrypted

        public static boolean getWantAttributeEncrypted​(String realm,
                                                        String hostEntityId,
                                                        String entityRole)
        Returns true if the wantAttributeEncrypted attribute in the hosted entity's SSOConfig (extended metadata) is set to "true".
        Parameters:
        realm - realm of hosted entity.
        hostEntityId - name of hosted entity.
        entityRole - role of hosted entity.
        Returns:
        true if wantAttributeEncrypted is set to "true", false otherwise.
      • getWantNameIDEncrypted

        public static boolean getWantNameIDEncrypted​(String realm,
                                                     String hostEntityId,
                                                     String entityRole)
        Returns true if the wantNameIDEncrypted attribute in the hosted entity's SSOConfig (extended metadata) is set to "true".
        Parameters:
        realm - realm of hosted entity.
        hostEntityId - name of hosted entity.
        entityRole - role of hosted entity.
        Returns:
        true if wantNameIDEncrypted is set to "true", false otherwise.
      • getWantArtifactResolveSigned

        public static boolean getWantArtifactResolveSigned​(String realm,
                                                           String hostEntityId,
                                                           String entityRole)
        Returns true if the wantArtifactResolveSigned attribute in the hosted entity's SSOConfig (extended metadata) is set to "true".
        Parameters:
        realm - realm of hosted entity.
        hostEntityId - name of hosted entity.
        entityRole - role of hosted entity.
        Returns:
        true if wantArtifactResolveSigned is set to "true", false otherwise.
      • getWantArtifactResponseSigned

        public static boolean getWantArtifactResponseSigned​(String realm,
                                                            String hostEntityId,
                                                            String entityRole)
        Returns true if the wantArtifactResponseSigned attribute in the hosted entity's SSOConfig (extended metadata) is set to "true".
        Parameters:
        realm - realm of hosted entity.
        hostEntityId - name of hosted entity.
        entityRole - role of hosted entity.
        Returns:
        true if wantArtifactResponseSigned is set to "true", false otherwise.
      • getWantLogoutRequestSigned

        public static boolean getWantLogoutRequestSigned​(String realm,
                                                         String hostEntityId,
                                                         String entityRole)
        Returns true if the wantLogoutRequestSigned attribute in the hosted entity's SSOConfig (extended metadata) is set to "true".
        Parameters:
        realm - realm of hosted entity.
        hostEntityId - name of hosted entity.
        entityRole - role of hosted entity.
        Returns:
        true if wantLogoutRequestSigned is set to "true", false otherwise.
      • getWantLogoutResponseSigned

        public static boolean getWantLogoutResponseSigned​(String realm,
                                                          String hostEntityId,
                                                          String entityRole)
        Returns true if the wantLogoutResponseSigned attribute in the hosted entity's SSOConfig (extended metadata) is set to "true".
        Parameters:
        realm - realm of hosted entity.
        hostEntityId - name of hosted entity.
        entityRole - role of hosted entity.
        Returns:
        true if wantLogoutResponseSigned is set to "true", false otherwise.
      • getWantMNIRequestSigned

        public static boolean getWantMNIRequestSigned​(String realm,
                                                      String hostEntityId,
                                                      String entityRole)
        Returns true if the wantMNIRequestSigned attribute in the hosted entity's SSOConfig (extended metadata) is set to "true".
        Parameters:
        realm - realm of hosted entity.
        hostEntityId - name of hosted entity.
        entityRole - role of hosted entity.
        Returns:
        true if wantMNIRequestSigned is set to "true", false otherwise.
      • getWantMNIResponseSigned

        public static boolean getWantMNIResponseSigned​(String realm,
                                                       String hostEntityId,
                                                       String entityRole)
        Returns true if the wantMNIResponseSigned attribute in the hosted entity's SSOConfig (extended metadata) is set to "true".
        Parameters:
        realm - realm of hosted entity.
        hostEntityId - name of hosted entity.
        entityRole - role of hosted entity.
        Returns:
        true if wantMNIResponseSigned is set to "true", false otherwise.
      • getBooleanAttributeValueFromSSOConfig

        public static boolean getBooleanAttributeValueFromSSOConfig​(String realm,
                                                                    String hostEntityId,
                                                                    String entityRole,
                                                                    String attrName)
        Returns boolean value of specified attribute from SSOConfig. This method is used for boolean-valued attributes.
        Parameters:
        realm - realm of hosted entity.
        hostEntityId - name of hosted entity.
        entityRole - role of hosted entity.
        attrName - attribute name for the value.
        Returns:
        value of specified attribute from SSOConfig.
      • getAttributeValueFromSSOConfig

        public static String getAttributeValueFromSSOConfig​(String realm,
                                                            String hostEntityId,
                                                            String entityRole,
                                                            String attrName)
        Returns single value of specified attribute from SSOConfig. This method is used for single-valued attributes.
        Parameters:
        realm - realm of hosted entity.
        hostEntityId - name of hosted entity.
        entityRole - role of hosted entity.
        attrName - attribute name for the value.
        Returns:
        value of specified attribute from SSOConfig.
      • getAllAttributeValueFromSSOConfig

        public static List<String> getAllAttributeValueFromSSOConfig​(String realm,
                                                                     String hostEntityId,
                                                                     String entityRole,
                                                                     String attrName)
        Returns all values of specified attribute from SSOConfig.
        Parameters:
        realm - realm of hosted entity.
        hostEntityId - name of hosted entity.
        entityRole - role of hosted entity.
        attrName - attribute name for the value.
        Returns:
        all values of the specified attribute from SSOConfig.
      • getHostEntityRole

        public static String getHostEntityRole​(Map paramsMap)
                                        throws SAML2Exception
        Returns the role of host entity.
        Parameters:
        paramsMap - Map includes parameters.
        Returns:
        role name for hosted entity.
        Throws:
        SAML2Exception - if error in retrieving the parameters.
      • isDualRole

        public static boolean isDualRole​(String hostEntityId,
                                         String realm)
        Returns true if this entity is acting as both SP and IDP.
        Parameters:
        hostEntityId - entity ID of the hosted entity.
        realm - the realm the entity resides.
        Returns:
        true if this entity is acting as both SP and IDP, false otherwise.
      • redirectAuthentication

        public static void redirectAuthentication​(jakarta.servlet.http.HttpServletRequest request,
                                                  jakarta.servlet.http.HttpServletResponse response,
                                                  String realm,
                                                  String hostEntityID,
                                                  String entityRole)
                                           throws IOException
        Redirects the request to the authentication URL of the hosted entity so that the user can log in.
        Parameters:
        request - HttpServletRequest for redirecting.
        response - HttpServletResponse for redirecting.
        realm - realm of hosted entity.
        hostEntityID - name of hosted entity.
        entityRole - role of hosted entity.
        Throws:
        IOException - if error in redirecting request.
      • createIssuer

        public static Issuer createIssuer​(String entityID)
                                   throws SAML2Exception
        Creates an Issuer element carrying the specified entity ID.
        Parameters:
        entityID - entityID for Issuer.
        Returns:
        Issuer for the specified entityID.
        Throws:
        SAML2Exception - if error in creating Issuer element.
      • signQueryString

        public static String signQueryString​(String queryString,
                                             String realm,
                                             String hostEntity,
                                             String hostEntityRole)
                                      throws SAML2Exception
        Sign Query string.
        Parameters:
        queryString - URL query string that will be signed.
        realm - realm of host entity.
        hostEntity - entityID of host entity.
        hostEntityRole - entity role of host entity.
        Returns:
        returns signed query string.
        Throws:
        SAML2Exception - if error in signing the query string.
      • verifyQueryString

        public static boolean verifyQueryString​(String queryString,
                                                String realm,
                                                String hostEntityRole,
                                                String remoteEntity)
                                         throws SAML2Exception
        Verify Signed Query string.
        Parameters:
        queryString - URL query string that will be verified.
        realm - realm of host entity.
        hostEntityRole - entity role of host entity.
        remoteEntity - entityID of peer entity.
        Returns:
        returns true if sign is valid.
        Throws:
        SAML2Exception - if error in verifying the signature.
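        The signing and verification described for signQueryString and verifyQueryString, as an added stand-alone example that is not the project's own code. It shows the HTTP-Redirect binding's detached signature: the signature covers the URL-encoded SAMLRequest (or SAMLResponse), RelayState and SigAlg parameters in that fixed order, and verification must rebuild those bytes from the raw query string rather than from re-encoded values, and must accept SigAlg only from an allow-list, because the algorithm name arrives in the attacker-controlled query. The class name, the RSA key pair and the placeholder message value are constructed for the example; it assumes Java 10 or later.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/** HTTP-Redirect binding query-string signature (example code, not SAML2Utils). */
public final class RedirectSignatureExample {

    private static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    // Allow-list of SigAlg URIs accepted on verification; SigAlg is untrusted input.
    private static final Map<String, String> SIG_ALGS = Map.of(RSA_SHA256, "SHA256withRSA");

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    /** Builds "SAMLRequest=...&RelayState=...&SigAlg=...&Signature=..."; the signed bytes are the
     *  URL-encoded values in exactly this order, with RelayState omitted when absent. */
    public static String signQueryString(String messageParam, String encodedMessage,
                                         String relayState, PrivateKey key) throws GeneralSecurityException {
        StringBuilder q = new StringBuilder(messageParam).append('=').append(encodedMessage);
        if (relayState != null) {
            q.append("&RelayState=").append(enc(relayState));
        }
        q.append("&SigAlg=").append(enc(RSA_SHA256));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(q.toString().getBytes(StandardCharsets.UTF_8));
        String signature = Base64.getEncoder().encodeToString(sig.sign());
        return q.append("&Signature=").append(enc(signature)).toString();
    }

    /** Verifies a received raw query string (as sent on the wire, still URL-encoded) against the peer key. */
    public static boolean verifyQueryString(String rawQuery, PublicKey peerKey) throws GeneralSecurityException {
        Map<String, String> raw = new LinkedHashMap<>();
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            if (eq < 0 || raw.put(pair.substring(0, eq), pair.substring(eq + 1)) != null) {
                return false;   // malformed pair or duplicated parameter
            }
        }
        String messageParam = raw.containsKey("SAMLRequest") ? "SAMLRequest"
                            : raw.containsKey("SAMLResponse") ? "SAMLResponse" : null;
        String sigAlgEnc = raw.get("SigAlg");
        String signatureEnc = raw.get("Signature");
        if (messageParam == null || sigAlgEnc == null || signatureEnc == null) {
            return false;
        }
        String jcaName = SIG_ALGS.get(URLDecoder.decode(sigAlgEnc, StandardCharsets.UTF_8));
        if (jcaName == null) {
            return false;   // unknown or deprecated algorithm: reject, never fall back to a weaker one
        }
        // Rebuild the signed data from the raw encoded values, in the binding's fixed order.
        StringBuilder signed = new StringBuilder(messageParam).append('=').append(raw.get(messageParam));
        if (raw.containsKey("RelayState")) {
            signed.append("&RelayState=").append(raw.get("RelayState"));
        }
        signed.append("&SigAlg=").append(sigAlgEnc);

        byte[] signature;
        try {
            signature = Base64.getDecoder().decode(URLDecoder.decode(signatureEnc, StandardCharsets.UTF_8));
        } catch (IllegalArgumentException e) {
            return false;   // Signature parameter is not valid base-64
        }
        Signature sig = Signature.getInstance(jcaName);
        sig.initVerify(peerKey);
        sig.update(signed.toString().getBytes(StandardCharsets.UTF_8));
        try {
            return sig.verify(signature);
        } catch (SignatureException e) {
            return false;   // wrong length or otherwise malformed signature bytes
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();   // stands in for the hosted entity's signing key

        // Placeholder for what encodeForRedirect would produce (deflated, base-64, URL-encoded).
        String encodedMessage = enc(Base64.getEncoder().encodeToString(
                "<samlp:AuthnRequest ID=\"_example1\"/>".getBytes(StandardCharsets.UTF_8)));
        String query = signQueryString("SAMLRequest", encodedMessage, "https://sp.example.com/app", kp.getPrivate());

        if (!verifyQueryString(query, kp.getPublic())) throw new IllegalStateException("valid signature rejected");
        if (verifyQueryString(query.replace("RelayState=", "RelayState=x"), kp.getPublic()))
            throw new IllegalStateException("tampered RelayState accepted");
        String sha1 = enc("http://www.w3.org/2000/09/xmldsig#rsa-sha1");
        if (verifyQueryString(query.replace(enc(RSA_SHA256), sha1), kp.getPublic()))
            throw new IllegalStateException("algorithm downgrade accepted");
        System.out.println("signature checks behaved as expected");
    }
}
```

        Because SigAlg is itself covered by the signature, swapping it for a different URI invalidates the signature even when the algorithm would otherwise have been accepted; the allow-list check is still needed so that a message signed with a weak algorithm by a compromised or misconfigured peer is not honoured.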
      • checkSession

        public static Object checkSession​(jakarta.servlet.http.HttpServletRequest request,
                                          jakarta.servlet.http.HttpServletResponse response,
                                          String metaAlias,
                                          Map paramsMap)
                                   throws SAML2Exception
        Parses the request parameters and returns the session object, or redirects the user to the login URL when no valid session exists.
        Parameters:
        request - the HttpServletRequest.
        response - the HttpServletResponse.
        metaAlias - meta alias of the hosted entity.
        paramsMap - Map of all other parameters.
        Returns:
        the session object of the HttpServletRequest; when the user had to be redirected to log in, no session is returned.
        Throws:
        SAML2Exception - if error initiating request to remote entity.
      • createNameIdentifier

        public static String createNameIdentifier()
        Returns a Name Identifier
        Returns:
        a String the Name Identifier. Null value is returned if there is an error in generating the Name Identifier.
      • getSPAuthnContextMapper

        public static SPAuthnContextMapper getSPAuthnContextMapper​(String realm,
                                                                   String hostEntityID,
                                                                   String authnCtxClassName)
        Returns the Service Provider AuthnContext Mapper Object.
        Parameters:
        realm - realm of the hosted Service Provider.
        hostEntityID - entity ID of the hosted Service Provider.
        authnCtxClassName - Service Provider AuthnContext Mapper Class Name.
        Returns:
        SPAuthnContextMapper Object.
      • verifyRequestIssuer

        public static boolean verifyRequestIssuer​(String realm,
                                                  String hostEntity,
                                                  Issuer reqIssuer,
                                                  String requestId)
                                           throws SAML2Exception
        Verifies the Issuer of a request and returns true if the Issuer is a member of a circle of trust (COT) shared with the hosted entity.
        Parameters:
        realm - realm of hosted entity.
        hostEntity - name of hosted entity.
        reqIssuer - Issuer of Request.
        requestId - request ID
        Returns:
        true if issuer is valid.
        Throws:
        SAML2Exception
      • verifyResponseIssuer

        public static boolean verifyResponseIssuer​(String realm,
                                                   String hostEntity,
                                                   Issuer resIssuer,
                                                   String requestId)
                                            throws SAML2Exception
        Verifies the Issuer of a response and returns true if the Issuer is a member of a circle of trust (COT) shared with the hosted entity.
        Parameters:
        realm - realm of hosted entity.
        hostEntity - name of hosted entity.
        resIssuer - Issuer of Response.
        requestId - request ID for the response.
        Returns:
        true if issuer is valid.
        Throws:
        SAML2Exception
      • getReaderURL

        public static String getReaderURL​(String spMetaAlias)
      • getBaseURL

        public static String getBaseURL​(jakarta.servlet.http.HttpServletRequest request)
        Returns the request URL. HttpServletRequest.getRequestURL() does not always return the correct URL, so this method builds the URL from the protocol, host name, port and deployment descriptor.
        Parameters:
        request - the HttpServletRequest.
        Returns:
        the Request URL string.
      • getPreferredIDP

        public static String getPreferredIDP​(jakarta.servlet.http.HttpServletRequest request)
        Returns the Identity Provider entity identifier. This method retrieves the _saml_idp query parameter from the request and parses it to get the IDP entity ID. If more than one IDP is present, the last one is the preferred IDP.
        Parameters:
        request - the HttpServletRequest .
        Returns:
        the identity provider entity identifier String.
      • getRedirectURL

        public static String getRedirectURL​(String readerURL,
                                            String requestID,
                                            jakarta.servlet.http.HttpServletRequest request)
        Returns the redirect URL. This method returns the complete reader redirect URL. The RelayState and requestId parameters are appended to the URL so that the reader can redirect back to the spSSOInit JSP.
        Parameters:
        readerURL - the readerURL to redirect to.
        requestID - the unique identifier to identify the request.
        request - the HttpServletRequest.
        Returns:
        redirectURL the URL to redirect to.
      • getIDPAccountMapper

        public static IDPAccountMapper getIDPAccountMapper​(String realm,
                                                           String idpEntityID)
                                                    throws SAML2Exception
        Returns an IDPAccountMapper
        Parameters:
        realm - the realm name
        idpEntityID - the entity id of the identity provider
        Returns:
        the IDPAccountMapper
        Throws:
        SAML2Exception - if the operation is not successful
      • getIDPAdapterClass

        public static SAML2IdentityProviderAdapter getIDPAdapterClass​(String realm,
                                                                      String idpEntityID)
                                                               throws SAML2Exception
        Returns a SAML2IdentityProviderAdapter
        Parameters:
        realm - the realm name
        idpEntityID - the entity id of the identity provider
        Returns:
        the SAML2IdentityProviderAdapter
        Throws:
        SAML2Exception - if the operation is not successful
      • getSPAdapterClass

        public static SAML2ServiceProviderAdapter getSPAdapterClass​(String spEntityID,
                                                                    String realm)
                                                             throws SAML2Exception
        Returns an SP adapter class
        Parameters:
        spEntityID - the entity id of the service provider
        realm - the realm name
        Returns:
        the SP adapter class
        Throws:
        SAML2Exception - if the operation is not successful
      • getFedletAdapterClass

        public static FedletAdapter getFedletAdapterClass​(String spEntityID,
                                                          String realm)
                                                   throws SAML2Exception
        Returns a Fedlet adapter class.
        Parameters:
        spEntityID - the entity id of the service provider
        realm - the realm name
        Returns:
        the Fedlet adapter class
        Throws:
        SAML2Exception - if the operation is not successful
      • getSPAccountMapper

        public static SPAccountMapper getSPAccountMapper​(String realm,
                                                         String spEntityID)
                                                  throws SAML2Exception
        Returns an SPAccountMapper
        Parameters:
        realm - the realm name
        spEntityID - the entity id of the service provider
        Returns:
        the SPAccountMapper
        Throws:
        SAML2Exception - if the operation is not successful
      • getECPIDPFinder

        public static SAML2IDPFinder getECPIDPFinder​(String realm,
                                                     String spEntityID)
                                              throws SAML2Exception
        Returns a SAML2IDPFinder, which is used to find the list of IDPs for an ECP request.
        Parameters:
        realm - the realm name
        spEntityID - the entity id of the service provider
        Returns:
        the SAML2IDPFinder
        Throws:
        SAML2Exception - if the operation is not successful
      • getRelayState

        public static String getRelayState​(jakarta.servlet.http.HttpServletRequest request)
        Returns the URL to which the browser is redirected after Single Sign-On / Federation. The Relay State is determined from the following request parameters, in this order:

        1. The "RelayState" query parameter in the request.
        2. The "RelayStateAlias" query parameter, used in the absence of "RelayState": its value names the query parameter whose value is to be used as the Relay State.
        3. The "goto" query parameter, if present, is the default Relay State in the absence of the above.

        Note that this method only extracts the value; it does not validate it. Validate the returned URL (for example with isRelayStateURLValid or validateRelayStateURL) before redirecting to it, because an unchecked Relay State is an open redirect.
        Parameters:
        request - the HttpServletRequest object.
        Returns:
        the value of the URL to which to redirect on successful Single-SignOn / Federation.
      • verifyDestination

        public static boolean verifyDestination​(String destination,
                                                String location)
        Compares the Destination attribute of a received SAML message with the endpoint location taken from the provider's metadata.
        Parameters:
        destination - Destination
        location - the URL from the meta
        Returns:
        true if the input are the same, otherwise, return false
      • getSAEAttrs

        public static Map getSAEAttrs​(String realm,
                                      String entityId,
                                      String role,
                                      String appUrl)
        Retrieves SAE (Secure Attribute Exchange) related attributes from extended metadata.
        Parameters:
        realm - realm the FM provider is in
        entityId - the entity ID of the FM provider
        role - Role of the FM provider
        appUrl - application url
        Returns:
        Map containing SAE parameters or null in case of error.
      • getNameIDStringFromResponse

        public static String getNameIDStringFromResponse​(Response response)
        Obtains the value of NameID from Response.
        Parameters:
        response - Response object
        Returns:
        value of the NameID from the first Assertion in the response. null if the response is null, or no assertion in the response, or no NameID in the assertion.
      • logAccess

        public static void logAccess​(Level lvl,
                                     String msgid,
                                     String[] data,
                                     Object tok,
                                     String ipaddr,
                                     String userid,
                                     String org,
                                     String module,
                                     Map props)
        Writes a log record in SAML2 access log. (fmSAML2.access)
        Parameters:
        lvl - indicating log level
        msgid - Message id
        data - string array of dynamic data only known during run time
        tok - Session of authenticated user
        ipaddr - IP Address.
        userid - User Id.
        org - Organization.
        module - Module Name.
        props - log record columns - used if tok is not available to specify log record columns such as ip address, realm, etc
      • logError

        public static void logError​(Level lvl,
                                    String msgid,
                                    String[] data,
                                    Object tok,
                                    String ipaddr,
                                    String userid,
                                    String org,
                                    String module,
                                    Map props)
        Writes error occurred in SAML2 component into a log (fmSAML2.error)
        Parameters:
        lvl - indicating log level
        msgid - Message id
        data - string array of dynamic data only known during run time
        tok - Session of authenticated user
        ipaddr - IP Address
        userid - User Id
        org - Organization
        module - Module Name
        props - log record columns - used if tok is not available to specify log record columns such as ip address, realm, etc
      • getAttributeValueFromXACMLConfig

        public static String getAttributeValueFromXACMLConfig​(String realm,
                                                              String entityRole,
                                                              String entityID,
                                                              String attrName)
        Returns the value of attribute from entity configuration.
        Parameters:
        realm - the realm of the entity.
        entityRole - role of the entity (PEP or PDP).
        entityID - identity of the entity.
        attrName - name of the attribute whose value is to be retrieved.
        Returns:
        value of the attribute.
      • getWantXACMLAuthzDecisionQuerySigned

        public static boolean getWantXACMLAuthzDecisionQuerySigned​(String realm,
                                                                   String entityID,
                                                                   String entityRole)
        Returns true if the wantXACMLAuthzDecisionQuerySigned attribute of the hosted entity is set to true.
        Parameters:
        realm - realm of hosted entity.
        entityID - name of hosted entity.
        entityRole - role of hosted entity.
        Returns:
        true if wantXACMLAuthzDecisionQuerySigned has the String value true, otherwise false.
      • validateCertificate

        public static boolean validateCertificate​(X509Certificate cert)
        Checks certificate validity with configured CRL
        Parameters:
        cert - x509 certificate
        Returns:
        true if the certificate is not in CRL, otherwise, return false
      • getConfigAttributeMap

        public static Map getConfigAttributeMap​(String realm,
                                                String hostEntityID,
                                                String role)
                                         throws SAML2Exception
        Returns the attribute map by parsing the attribute mapping configured in the hosted provider configuration.
        Parameters:
        realm - realm name.
        hostEntityID - EntityID of the hosted provider.
        role - role of the hosted provider (IDP or SP).
        Returns:
        the local attribute configuration map. Each key is a SAML attribute name and the corresponding value is the local attribute name it maps to.
        Throws:
        SAML2Exception
      • getMappedAttributes

        public static Map<String,​String> getMappedAttributes​(List<String> mappedAttributes)
        For a list of Strings containing attribute mappings, returns a map of name/value pairs parsed from each mapping string.
        Parameters:
        mappedAttributes - a non-null list of strings in the form of name=value or name="static value"
        Returns:
        a Map of name value pairs keyed off of the mapping name from the mappedAttributes list
      • getSAMLAttribute

        public static Attribute getSAMLAttribute​(String name,
                                                 String[] values)
                                          throws SAML2Exception
        Returns the SAML Attribute object.
        Parameters:
        name - attribute name.
        values - attribute values.
        Throws:
        SAML2Exception - if any failure.
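        The following is an added example (not part of this Javadoc or of the SAML2Utils source) that ties getMappedAttributes and getSAMLAttribute together: a configured mapping list in the name=value form described above is parsed into a SAML-name to local-name map, each local name is resolved against a user profile, and the resolved values are turned into SAML Attribute objects. The mapping list and the profile map are constructed sample data; in a deployment the mapping would come from getConfigAttributeMap and the values from the user repository. The package names com.sun.identity.saml2.common and com.sun.identity.saml2.assertion, and the Attribute accessors getName() and getAttributeValueString(), are assumed from the OpenAM code base.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import com.sun.identity.saml2.assertion.Attribute;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.common.SAML2Utils;

public final class AttributeMappingExample {

    // Constructed sample of a configured mapping list: SAML attribute name = local attribute name.
    static final List<String> MAPPING = Arrays.asList(
            "mail=mail",
            "urn:oid:2.5.4.42=givenName",
            "memberOf=isMemberOf");

    // Constructed sample user profile, standing in for the user repository lookup.
    static Map<String, String[]> sampleProfile() {
        Map<String, String[]> profile = new HashMap<>();
        profile.put("mail", new String[] {"alice@example.com"});
        profile.put("givenName", new String[] {"Alice"});
        profile.put("isMemberOf", new String[] {
                "cn=staff,ou=groups,dc=example,dc=com",
                "cn=vpn,ou=groups,dc=example,dc=com"});
        return profile;
    }

    /**
     * Builds one SAML Attribute per mapping entry that the profile can satisfy.
     * Entries whose local attribute is absent from the profile are omitted rather
     * than emitted with an empty value list.
     */
    static List<Attribute> buildAttributes(List<String> mapping, Map<String, String[]> profile)
            throws SAML2Exception {
        // key: SAML attribute name, value: local attribute name
        Map<String, String> samlToLocal = SAML2Utils.getMappedAttributes(mapping);
        List<Attribute> out = new ArrayList<>();
        for (Map.Entry<String, String> entry : samlToLocal.entrySet()) {
            String[] values = profile.get(entry.getValue());
            if (values == null || values.length == 0) {
                continue;
            }
            out.add(SAML2Utils.getSAMLAttribute(entry.getKey(), values));
        }
        return out;
    }

    public static void main(String[] args) throws SAML2Exception {
        for (Attribute attribute : buildAttributes(MAPPING, sampleProfile())) {
            System.out.println(attribute.getName() + " -> " + attribute.getAttributeValueString());
        }
    }
}
```

        The example uses only the plain name=value form; if your mapping list also contains name="static value" entries, check how your version of getMappedAttributes returns the static value before resolving it against the profile.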
      • postToTarget

        public static void postToTarget​(jakarta.servlet.http.HttpServletRequest request,
                                        jakarta.servlet.http.HttpServletResponse response,
                                        String SAMLmessageName,
                                        String SAMLmessageValue,
                                        String relayStateName,
                                        String relayStateValue,
                                        String targetURL)
                                 throws SAML2Exception
        Throws:
        SAML2Exception
      • verifyNameIDFormat

        public static String verifyNameIDFormat​(String nameIDFormat,
                                                SPSSODescriptorElement spsso,
                                                IDPSSODescriptorElement idpsso)
                                         throws SAML2Exception
        Verifies the specified name ID format and returns it. If the specified name ID format is empty, returns a name ID format supported by both the IDP and the SP.
        Parameters:
        nameIDFormat - name ID format.
        spsso - SP metadata descriptor.
        idpsso - IDP metadata descriptor.
        Throws:
        SAML2Exception - if name ID format is not supported.
      • isAuthnContextMatching

        public static boolean isAuthnContextMatching​(List requestedACClassRefs,
                                                     String acClassRef,
                                                     String comparison,
                                                     Map acClassRefLevelMap)
        Returns true if the specified AuthnContextClassRef matches a list of requested AuthnContextClassRef.
        Parameters:
        requestedACClassRefs - a list of requested AuthnContextClassRef's
        acClassRef - AuthnContextClassRef
        comparison - the type of comparison
        acClassRefLevelMap - a AuthnContextClassRef to AuthLevel map. Key is AuthnContextClassRef in String and value is AuthLevel in Integer
        Returns:
        true if the specified AuthnContextClassRef matches a list of requested AuthnContextClassRef
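        An added example (not part of this Javadoc or of the SAML2Utils source) of using isAuthnContextMatching to decide whether the authentication an IDP actually performed satisfies what the SP asked for. The AuthnContextClassRef-to-level map is constructed sample data standing in for the hosted IDP's configured mapping; the comparison strings are the values defined by the SAML 2.0 AuthnContextComparisonType ("exact", "minimum", "maximum", "better"). The package name com.sun.identity.saml2.common is assumed from the OpenAM code base.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import com.sun.identity.saml2.common.SAML2Utils;

public final class AuthnContextCheck {

    static final String PASSWORD =
            "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport";
    static final String KERBEROS =
            "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos";
    static final String SMARTCARD_PKI =
            "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI";

    // Constructed sample: AuthnContextClassRef (String) -> auth level (Integer), as the
    // acClassRefLevelMap parameter expects. Higher level means stronger authentication.
    static Map<String, Integer> levels() {
        Map<String, Integer> map = new HashMap<>();
        map.put(PASSWORD, 0);
        map.put(KERBEROS, 5);
        map.put(SMARTCARD_PKI, 10);
        return map;
    }

    /**
     * @param requested  the AuthnContextClassRef values from the SP's RequestedAuthnContext
     * @param comparison the RequestedAuthnContext Comparison attribute
     * @param achieved   the AuthnContextClassRef the IDP put in the assertion
     */
    static boolean satisfies(List<String> requested, String comparison, String achieved) {
        return SAML2Utils.isAuthnContextMatching(requested, achieved, comparison, levels());
    }

    public static void main(String[] args) {
        List<String> wantsKerberos = Arrays.asList(KERBEROS);

        // "minimum": per the SAML 2.0 comparison semantics, any context at least as strong
        // as the requested one (by the configured level) is acceptable.
        System.out.println("minimum / SmartcardPKI: " + satisfies(wantsKerberos, "minimum", SMARTCARD_PKI));
        System.out.println("minimum / Password:     " + satisfies(wantsKerberos, "minimum", PASSWORD));

        // "exact": only a context listed in the request is acceptable.
        System.out.println("exact / SmartcardPKI:   " + satisfies(wantsKerberos, "exact", SMARTCARD_PKI));
        System.out.println("exact / Kerberos:       " + satisfies(wantsKerberos, "exact", KERBEROS));

        // "better": a context strictly stronger than every requested one is required.
        System.out.println("better / Kerberos:      " + satisfies(wantsKerberos, "better", KERBEROS));
    }
}
```

        The security-relevant use is on the SP side after verifyResponse: an SP that requested a strong context with Comparison="minimum" should reject an assertion whose AuthnContextClassRef maps to a lower level, rather than trusting the IDP to have honoured the request.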
      • postToAppLogout

        public static void postToAppLogout​(jakarta.servlet.http.HttpServletRequest request,
                                           String appLogoutURL,
                                           Object session)
        Processes logout for external application. This will do a back channel HTTP POST to the external application logout URL with all the cookies and selected session property as HTTP header.
        Parameters:
        request - HttpServletRequest
        appLogoutURL - external application logout URL
        session - session object of the user
      • getCookiesString

        public static String getCookiesString​(jakarta.servlet.http.HttpServletRequest request)
      • wantPOSTResponseSigned

        public static boolean wantPOSTResponseSigned​(String realm,
                                                     String hostEntityId,
                                                     String entityRole)
        Returns the value of the wantPOSTResponseSigned attribute as a boolean.
        Parameters:
        realm - realm of hosted entity.
        hostEntityId - name of hosted entity.
        entityRole - role of hosted entity.
        Returns:
        true if wantPOSTResponseSigned has String true, otherwise false.
      • isSPProfileBindingSupported

        public static boolean isSPProfileBindingSupported​(String realm,
                                                          String spEntityID,
                                                          String profile,
                                                          String binding)
        Checks if a profile binding is supported by an SP.
        Parameters:
        realm - Realm the SP is in.
        spEntityID - SP entity id.
        profile - name of the profile/service
        binding - binding to be checked on
        Returns:
        true if the binding is supported; false otherwise.
      • isIDPProfileBindingSupported

        public static boolean isIDPProfileBindingSupported​(String realm,
                                                           String idpEntityID,
                                                           String profile,
                                                           String binding)
        Checks if a profile binding is supported by an IDP.
        Parameters:
        realm - Realm the IDP is in.
        idpEntityID - IDP entity id.
        profile - name of the profile/service
        binding - binding to be checked on
        Returns:
        true if the binding is supported; false otherwise.
      • isRelayStateURLValid

        public static boolean isRelayStateURLValid​(jakarta.servlet.http.HttpServletRequest request,
                                                   String relayState,
                                                   String role)
        Convenience method to validate a SAML2 relay state (goto) URL, often called from a JSP.
        Parameters:
        request - Used to help establish the realm and hostEntityID.
        relayState - The URL to validate.
        role - The role of the caller.
        Returns:
        true if the relayState is valid.
      • isRelayStateURLValid

        public static boolean isRelayStateURLValid​(String metaAlias,
                                                   String relayState,
                                                   String role)
        Convenience method to validate a SAML2 relay state (goto) URL, often called from a JSP.
        Parameters:
        metaAlias - The metaAlias of the hosted entity.
        relayState - The URL to validate.
        role - The role of the caller.
        Returns:
        true if the relayState is valid.
      • validateRelayStateURL

        public static void validateRelayStateURL​(String orgName,
                                                 String hostEntityId,
                                                 String relayState,
                                                 String role)
                                          throws SAML2Exception
        Validates the Relay State URL against a list of valid Relay State URLs created on the hosted service provider.
        Parameters:
        orgName - realm or organization name the provider resides in.
        hostEntityId - Entity ID of the hosted provider.
        relayState - Relay State URL.
        role - IDP/SP Role.
        Throws:
        SAML2Exception - if the processing failed.
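        An added example (not part of this Javadoc or of the SAML2Utils source) that combines getRelayState with validateRelayStateURL the way an SP-side completion handler should: the Relay State is extracted from the request, checked against the hosted provider's configured list of valid Relay State URLs, and only then used as a redirect target; anything that fails validation falls back to a fixed landing page. The realm and SP entity ID are assumed to be known to the caller, DEFAULT_TARGET is a hypothetical application path, and SAML2Constants.SP_ROLE is assumed from the companion SAML2Constants class. The JSP-oriented boolean variant isRelayStateURLValid(request, relayState, role) can be used in the same place when an exception-free check is preferred.

```java
import java.io.IOException;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import com.sun.identity.saml2.common.SAML2Constants;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.common.SAML2Utils;

public final class RelayStateRedirect {

    // Hypothetical safe landing page used whenever the Relay State is absent or rejected.
    private static final String DEFAULT_TARGET = "/app/home";

    /**
     * Resolves and validates the post-SSO redirect target.
     *
     * @param request    the request carrying RelayState / RelayStateAlias / goto
     * @param realm      realm the hosted SP is in
     * @param spEntityId entity ID of the hosted SP
     * @return a URL that is either DEFAULT_TARGET or a Relay State accepted by validateRelayStateURL
     */
    static String chooseRedirectTarget(HttpServletRequest request, String realm, String spEntityId) {
        // Extraction only: RelayState, then RelayStateAlias, then goto. No validation yet.
        String relayState = SAML2Utils.getRelayState(request);
        if (relayState == null || relayState.isEmpty()) {
            return DEFAULT_TARGET;
        }
        try {
            // Validation against the SP's configured valid Relay State URL list.
            SAML2Utils.validateRelayStateURL(realm, spEntityId, relayState, SAML2Constants.SP_ROLE);
        } catch (SAML2Exception rejected) {
            // Attacker-supplied RelayState (open redirect attempt) or misconfiguration:
            // never redirect to it, fall back to the known-good page.
            return DEFAULT_TARGET;
        }
        return relayState;
    }

    /** Completes SSO by redirecting the browser to the validated target. */
    static void finishSingleSignOn(HttpServletRequest request, HttpServletResponse response,
                                   String realm, String spEntityId) throws IOException {
        response.sendRedirect(chooseRedirectTarget(request, realm, spEntityId));
    }
}
```

        The fallback on rejection is deliberate: logging the rejected value is useful, but echoing it back to the user in an error page reintroduces the injection point the check was meant to close.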
      • sendRequestToOrigServer

        public static HashMap sendRequestToOrigServer​(jakarta.servlet.http.HttpServletRequest request,
                                                      jakarta.servlet.http.HttpServletResponse response,
                                                      String sloServerUrl)
        Sends the request to the original Federation server and receives the result data.
        Parameters:
        request - HttpServletRequest to be sent
        response - HttpServletResponse to be received
        sloServerUrl - URL of the original federation server to be connected
        Returns:
        HashMap of the result data from the original server's response
      • createCookie

        public static jakarta.servlet.http.Cookie createCookie​(String cookieName,
                                                               String cookieValue,
                                                               String cookieDomain,
                                                               String path)
        Creates a Cookie with the given cookieName and cookieValue for the specified cookie domain and path.

        TODO: copied from AuthClientUtils; refactor.

        Parameters:
        cookieName - is the name of the cookie
        cookieValue - is the value of the cookie
        cookieDomain - Domain for which the cookie is to be set.
        path - The path into which the cookie shall be set
        Returns:
        the cookie object.
      • isIgnoreProfileSet

        public static boolean isIgnoreProfileSet​(Object session)
                                          throws SessionException
        Returns true if the User for this session has a profile set to Ignore
        Parameters:
        session - session object of the user
        Returns:
        true if the User for this session has a profile set to Ignore
        Throws:
        SessionException
      • getSingleValuedSessionProperty

        public static String getSingleValuedSessionProperty​(Object session,
                                                            String propertyName)
                                                     throws SessionException
        Returns the first value of the session property.
        Parameters:
        session - The session object.
        propertyName - The property's name that needs to be returned.
        Returns:
        The property value derived from the session object.
        Throws:
        SessionException - If there was a problem while retrieving the session property.