com.sun.identity.saml2.profile

Class IDPSSOUtil

java.lang.Object

com.sun.identity.saml2.profile.IDPSSOUtil

public class IDPSSOUtil
extends Object

The utility class is used by the identity provider to process the authentication request from a service provider and send back a proper response. The identity provider can also send unsolicited response to a service provider to do single sign on and/or federation.

Field Summary

Fields

Modifier and Type	Field and Description
static CircleOfTrustManager	cotManager
static SAML2MetaManager	metaManager
static String	NAMEID_FORMAT
static String	NULL

Method Summary

Modifier and Type	Method and Description
static void	doSSOFederate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, PrintWriter out, AuthnRequest authnReq, String spEntityID, String idpMetaAlias, String nameIDFormat, String relayState, Object newSession, SAML2EventLogger auditor) Does SSO with existing federation or new federation
static void	doSSOFederate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, PrintWriter out, AuthnRequest authnReq, String spEntityID, String idpMetaAlias, String nameIDFormat, String relayState, SAML2EventLogger auditor) Does SSO with existing federation or new federation
static String	getACSurl(String spEntityID, String realm, AuthnRequest authnReq, javax.servlet.http.HttpServletRequest request, StringBuffer rBinding) Returns the assertion consumer service URL
static String	getACSurl(String spEntityID, String realm, String acsURL, String binding, Integer index, javax.servlet.http.HttpServletRequest request, StringBuffer rBinding) Returns the assertion consumer service URL.
static String	getACSurlFromMetaByBinding(String spEntityID, String realm, String desiredBinding, StringBuffer returnedBinding) Returns the assertion consumer service URL from meta data by binding
static String	getACSurlFromMetaByIndex(String spEntityID, String realm, int acsIndex, StringBuffer returnedBinding) Returns the assertion consumer service URL from meta data by binding
static String	getAttributeValueFromIDPSSOConfig(String realm, String hostEntityId, String attrName)
static String	getAuthenticationServiceURL(String realm, String hostEntityId, javax.servlet.http.HttpServletRequest request) Returns the authentication service URL of the identity provider
static String	getBindingForAcsUrl(String spEntityID, String realm, String acsURL) Returns the assertion consumer service url binding from the metadata.
protected static Conditions	getConditions(String audienceEntityID, int notBeforeSkewTime, int effectiveTime) Returns a SAML Conditions object
static String	getDefaultACSurl(String spEntityID, String realm, StringBuffer returnedBinding) Returns the default assertion consumer service url and binding from the metadata.
protected static int	getEffectiveTime(String realm, String idpEntityID) Returns the effective time from the IDP extended metadata .
static SAML2IdentityProviderAdapter	getIDPAdapterClass(String realm, String idpEntityID) Returns a SAML2IdentityProviderAdapter
static IDPAuthnContextMapper	getIDPAuthnContextMapper(String realm, String idpEntityID) Returns an IDPAuthnContextMapper
static IDPECPSessionMapper	getIDPECPSessionMapper(String realm, String idpEntityID) Returns an IDPECPSessionMapper
protected static int	getNotBeforeSkewTime(String realm, String idpEntityID) Returns the NotBefore skew time from the IDP extended metadata .
static Response	getResponse(javax.servlet.http.HttpServletRequest request, Object session, AuthnRequest authnReq, String recipientEntityID, String idpEntityID, String idpMetaAlias, String realm, String nameIDFormat, String acsURL, String affiliationID, AuthnContext matchingAuthnContext) Returns a SAML Response object.
static String	getSessionIndex(Object session) Returns the session index of an IDPSession
static long	getValidTimeofResponse(String realm, String idpEntityID, Response response)
static boolean	isValidSessionInRealm(String realm, Object session) Check that the authenticated session belongs to the same realm where the IDP is defined.
static void	sendResponse(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, PrintWriter out, String cachedResID) Sends a response to service provider
static void	sendResponse(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, PrintWriter out, String acsBinding, String spEntityID, String idpEntityID, String idpMetaAlias, String realm, String relayState, String acsURL, Response res, Object session) Sends a response to service provider
static void	sendResponseArtifact(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String idpEntityID, String spEntityID, String realm, String acsURL, String relayState, Response res, Object session, Map props) This method opens a URL connection to the target specified and sends artifact response to it using the HttpServletResponse object.
static void	sendResponseECP(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, PrintWriter out, String idpEntityID, String realm, String acsURL, Response res) This method sends SAML Response back to ECP.
static void	sendResponseToACS(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, PrintWriter out, Object session, AuthnRequest authnReq, String spEntityID, String idpEntityID, String idpMetaAlias, String realm, String nameIDFormat, String relayState, AuthnContext matchingAuthnContext) Sends Response containing an Assertion back to the requesting service provider
static void	sendResponseWithStatus(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, PrintWriter out, String idpMetaAlias, String idpEntityID, String realm, AuthnRequest authnReq, String relayState, String spEntityID, String firstlevelStatusCodeValue, String secondlevelStatusCodeValue) A convenience method to construct response with First-level and Second-level status code for SAML authentication requests.
static byte[]	stringToByteArray(String input)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

NAMEID_FORMAT

public static final String NAMEID_FORMAT

See Also:

Constant Field Values

NULL

public static final String NULL

See Also:

Constant Field Values

metaManager

public static SAML2MetaManager metaManager

cotManager

public static CircleOfTrustManager cotManager

Method Detail

doSSOFederate

public static void doSSOFederate(javax.servlet.http.HttpServletRequest request,
                                 javax.servlet.http.HttpServletResponse response,
                                 PrintWriter out,
                                 AuthnRequest authnReq,
                                 String spEntityID,
                                 String idpMetaAlias,
                                 String nameIDFormat,
                                 String relayState,
                                 SAML2EventLogger auditor)
                          throws SAML2Exception

Does SSO with existing federation or new federation

Parameters:

request - the HttpServletRequest object

response - the HttpServletResponse object

out - the print writer for writing out presentation

authnReq - the AuthnRequest object

spEntityID - the entity id of the service provider

idpMetaAlias - the meta alias of the identity provider

nameIDFormat - the NameIDFormat

relayState - the relay state

auditor - the auditor for logging SAML2 Events - may be null

Throws:

SAML2Exception - if the operation is not successful

doSSOFederate

public static void doSSOFederate(javax.servlet.http.HttpServletRequest request,
                                 javax.servlet.http.HttpServletResponse response,
                                 PrintWriter out,
                                 AuthnRequest authnReq,
                                 String spEntityID,
                                 String idpMetaAlias,
                                 String nameIDFormat,
                                 String relayState,
                                 Object newSession,
                                 SAML2EventLogger auditor)
                          throws SAML2Exception

Does SSO with existing federation or new federation

Parameters:

request - the HttpServletRequest object

response - the HttpServletResponse object

out - the print writer for writing out presentation

authnReq - the AuthnRequest object

spEntityID - the entity id of the service provider

idpMetaAlias - the meta alias of the identity provider

nameIDFormat - the NameIDFormat

relayState - the relay state

newSession - Session used in IDP Proxy Case

auditor - the auditor for logging SAML2 Events

Throws:

SAML2Exception - if the operation is not successful

sendResponseToACS

public static void sendResponseToACS(javax.servlet.http.HttpServletRequest request,
                                     javax.servlet.http.HttpServletResponse response,
                                     PrintWriter out,
                                     Object session,
                                     AuthnRequest authnReq,
                                     String spEntityID,
                                     String idpEntityID,
                                     String idpMetaAlias,
                                     String realm,
                                     String nameIDFormat,
                                     String relayState,
                                     AuthnContext matchingAuthnContext)
                              throws SAML2Exception

Sends Response containing an Assertion back to the requesting service provider

Parameters:

request - the HttpServletRequest object

response - the HttpServletResponse object

out - the print writer for writing out presentation

session - user session

authnReq - the AuthnRequest object

spEntityID - the entity id of the service provider

idpEntityID - the entity id of the identity provider

idpMetaAlias - the meta alias of the identity provider

realm - the realm

nameIDFormat - the NameIDFormat

relayState - the relay state

matchingAuthnContext - the AuthnContext used to find authentication type and scheme.

Throws:

SAML2Exception

sendResponseWithStatus

public static void sendResponseWithStatus(javax.servlet.http.HttpServletRequest request,
                                          javax.servlet.http.HttpServletResponse response,
                                          PrintWriter out,
                                          String idpMetaAlias,
                                          String idpEntityID,
                                          String realm,
                                          AuthnRequest authnReq,
                                          String relayState,
                                          String spEntityID,
                                          String firstlevelStatusCodeValue,
                                          String secondlevelStatusCodeValue)
                                   throws SAML2Exception

A convenience method to construct response with First-level and Second-level status code for SAML authentication requests.

Parameters:

request - The servlet request.

response - The servlet response.

out - The print writer for writing out presentation.

idpMetaAlias - The IdP's metaAlias.

idpEntityID - The IdP's entity ID.

realm - The realm where the IdP belongs to.

authnReq - The SAML AuthnRequest sent by the SP.

relayState - The RelayState value.

spEntityID - The SP's entity ID.

firstlevelStatusCodeValue - First-level status code value passed.

secondlevelStatusCodeValue - Second-level status code value passed.

Throws:

SAML2Exception - If there was an error while creating or sending the response back to the SP.

sendResponse

public static void sendResponse(javax.servlet.http.HttpServletRequest request,
                                javax.servlet.http.HttpServletResponse response,
                                PrintWriter out,
                                String cachedResID)
                         throws SAML2Exception

Sends a response to service provider

Parameters:

request - The servlet request.

response - The servlet response.

out - The print writer for writing out presentation.

cachedResID - the key used to retrieve response information from the response information cache

Throws:

SAML2Exception - if the operation is not successful

sendResponse

public static void sendResponse(javax.servlet.http.HttpServletRequest request,
                                javax.servlet.http.HttpServletResponse response,
                                PrintWriter out,
                                String acsBinding,
                                String spEntityID,
                                String idpEntityID,
                                String idpMetaAlias,
                                String realm,
                                String relayState,
                                String acsURL,
                                Response res,
                                Object session)
                         throws SAML2Exception

Sends a response to service provider

Parameters:

response - the HttpServletResponse object

acsBinding - the assertion consumer service binding

spEntityID - the entity id of the service provider

idpEntityID - the entity id of the identity provider

idpMetaAlias - the meta alias of the identity provider

realm - the realm name

relayState - the relay state

acsURL - the assertion consumer service url

res - the SAML Response object

Throws:

SAML2Exception - if the operation is not successful

getResponse

public static Response getResponse(javax.servlet.http.HttpServletRequest request,
                                   Object session,
                                   AuthnRequest authnReq,
                                   String recipientEntityID,
                                   String idpEntityID,
                                   String idpMetaAlias,
                                   String realm,
                                   String nameIDFormat,
                                   String acsURL,
                                   String affiliationID,
                                   AuthnContext matchingAuthnContext)
                            throws SAML2Exception

Returns a SAML Response object.

Parameters:

request - The HTTP request.

session - The user's session object.

authnReq - The AuthnRequest object.

recipientEntityID - The entity ID of the response recipient.

idpEntityID - The entity ID of the identity provider.

realm - The realm name.

nameIDFormat - The NameIDFormat.

acsURL - The ACS service url.

affiliationID - AffiliationID for IDP initiated SSO.

matchingAuthnContext - the AuthnContext used to find authentication type and scheme.

Returns:

the SAML Response object.

Throws:

SAML2Exception - if the operation is not successful.

getIDPAuthnContextMapper

public static IDPAuthnContextMapper getIDPAuthnContextMapper(String realm,
                                                             String idpEntityID)
                                                      throws SAML2Exception

Returns an IDPAuthnContextMapper

Parameters:

realm - the realm name

idpEntityID - the entity id of the identity provider

Returns:

the IDPAuthnContextMapper

Throws:

SAML2Exception - if the operation is not successful

getIDPECPSessionMapper

public static IDPECPSessionMapper getIDPECPSessionMapper(String realm,
                                                         String idpEntityID)
                                                  throws SAML2Exception

Returns an IDPECPSessionMapper

Parameters:

realm - the realm name

idpEntityID - the entity id of the identity provider

Returns:

the IDPECPSessionMapper

Throws:

SAML2Exception - if the operation is not successful

getConditions

protected static Conditions getConditions(String audienceEntityID,
                                          int notBeforeSkewTime,
                                          int effectiveTime)
                                   throws SAML2Exception

Returns a SAML Conditions object

Parameters:

audienceEntityID - the entity id of the audience

effectiveTime - the effective time of the assertion

Returns:

the SAML Conditions object

Throws:

SAML2Exception - if the operation is not successful

getACSurl

public static String getACSurl(String spEntityID,
                               String realm,
                               AuthnRequest authnReq,
                               javax.servlet.http.HttpServletRequest request,
                               StringBuffer rBinding)
                        throws SAML2Exception

Returns the assertion consumer service URL

Parameters:

spEntityID - the entity id of the service provider

realm - the realm name of the identity provider

authnReq - the AuthnRequest object

request - the HttpServletRequest object

rBinding - the binding used to send back Response

Returns:

the assertion consumer service URL

Throws:

SAML2Exception - if the operation is not successful

getACSurl

public static String getACSurl(String spEntityID,
                               String realm,
                               String acsURL,
                               String binding,
                               Integer index,
                               javax.servlet.http.HttpServletRequest request,
                               StringBuffer rBinding)
                        throws SAML2Exception

Returns the assertion consumer service URL.

Parameters:

spEntityID - The entity id of the service provider.

realm - The realm name of the identity provider.

acsURL - AssertionConsumerServiceURL in AuthnRequest.

binding - ProtocolBinding in AuthnRequest.

index - AssertionConsumerServiceIndex in AuthnRequest.

request - The HttpServletRequest object.

rBinding - The binding used to send back Response.

Returns:

The assertion consumer service URL.

Throws:

SAML2Exception - if the operation is not successful.

getDefaultACSurl

public static String getDefaultACSurl(String spEntityID,
                                      String realm,
                                      StringBuffer returnedBinding)
                               throws SAML2Exception

Returns the default assertion consumer service url and binding from the metadata.

Parameters:

spEntityID - the entity id of the service provider

realm - the realm name of the identity provider

Returns:

the assertion consumer service url with returned binding.

Throws:

SAML2Exception - if the operation is not successful

getBindingForAcsUrl

public static String getBindingForAcsUrl(String spEntityID,
                                         String realm,
                                         String acsURL)
                                  throws SAML2Exception

Returns the assertion consumer service url binding from the metadata.

Parameters:

spEntityID - the entity id of the service provider

realm - the realm name of the identity provider

Returns:

the assertion consumer service url binding

Throws:

SAML2Exception - if the operation is not successful

getACSurlFromMetaByBinding

public static String getACSurlFromMetaByBinding(String spEntityID,
                                                String realm,
                                                String desiredBinding,
                                                StringBuffer returnedBinding)
                                         throws SAML2Exception

Returns the assertion consumer service URL from meta data by binding

Parameters:

spEntityID - the entity id of the service provider

realm - the realm name of the identity provider

desiredBinding - the desired binding

returnedBinding - the binding used to send back Response

Returns:

the assertion consumer service URL

Throws:

SAML2Exception - if the operation is not successful

getACSurlFromMetaByIndex

public static String getACSurlFromMetaByIndex(String spEntityID,
                                              String realm,
                                              int acsIndex,
                                              StringBuffer returnedBinding)
                                       throws SAML2Exception

Returns the assertion consumer service URL from meta data by binding

Parameters:

spEntityID - the entity id of the service provider

realm - the realm name of the identity provider

acsIndex - the ACS index

returnedBinding - the binding used to send back Response

Returns:

the assertion consumer service URL

Throws:

SAML2Exception - if the operation is not successful

sendResponseArtifact

public static void sendResponseArtifact(javax.servlet.http.HttpServletRequest request,
                                        javax.servlet.http.HttpServletResponse response,
                                        String idpEntityID,
                                        String spEntityID,
                                        String realm,
                                        String acsURL,
                                        String relayState,
                                        Response res,
                                        Object session,
                                        Map props)
                                 throws SAML2Exception

This method opens a URL connection to the target specified and sends artifact response to it using the HttpServletResponse object.

Parameters:

response - the HttpServletResponse object

idpEntityID - the entity id of the identity provider

realm - the realm name of the identity provider

acsURL - the assertion consumer service URL

relayState - the value of the RelayState

res - the SAML Response object

session - user session

props - property map including nameIDString for logging

Throws:

SAML2Exception - if the operation is not successful

sendResponseECP

public static void sendResponseECP(javax.servlet.http.HttpServletRequest request,
                                   javax.servlet.http.HttpServletResponse response,
                                   PrintWriter out,
                                   String idpEntityID,
                                   String realm,
                                   String acsURL,
                                   Response res)
                            throws SAML2Exception

This method sends SAML Response back to ECP.

Parameters:

request - The servlet request.

response - The servlet response.

out - The print writer for writing out presentation.

idpEntityID - the entity id of the identity provider

realm - the realm name of the identity provider

acsURL - the assertion consumer service URL

res - the SAML Response object

Throws:

SAML2Exception - if the operation is not successful

getSessionIndex

public static String getSessionIndex(Object session)

Returns the session index of an IDPSession

Parameters:

session - the session corresponding to the IDPSession

Returns:

the session index string

getAuthenticationServiceURL

public static String getAuthenticationServiceURL(String realm,
                                                 String hostEntityId,
                                                 javax.servlet.http.HttpServletRequest request)

Returns the authentication service URL of the identity provider

Parameters:

realm - the realm name of the identity provider

hostEntityId - the entity id of the identity provider

request - the HttpServletRequest object

Returns:

the authentication service URL of the identity provider

getAttributeValueFromIDPSSOConfig

public static String getAttributeValueFromIDPSSOConfig(String realm,
                                                       String hostEntityId,
                                                       String attrName)

getEffectiveTime

protected static int getEffectiveTime(String realm,
                                      String idpEntityID)

Returns the effective time from the IDP extended metadata . If the attreibute is not defined in the metadata then defaults to a value of 600 seconds (5 minutes).

Returns:

the effective time value in seconds.

getNotBeforeSkewTime

protected static int getNotBeforeSkewTime(String realm,
                                          String idpEntityID)

Returns the NotBefore skew time from the IDP extended metadata . If the attreibute is not defined in the metadata then defaults to a value of 600 seconds (5 minutes).

Returns:

the NotBefore skew value in seconds.

stringToByteArray

public static byte[] stringToByteArray(String input)

getValidTimeofResponse

public static long getValidTimeofResponse(String realm,
                                          String idpEntityID,
                                          Response response)
                                   throws SAML2Exception

Throws:

SAML2Exception

getIDPAdapterClass

public static SAML2IdentityProviderAdapter getIDPAdapterClass(String realm,
                                                              String idpEntityID)
                                                       throws SAML2Exception

Returns a SAML2IdentityProviderAdapter

Parameters:

realm - the realm name

idpEntityID - the entity id of the identity provider

Returns:

the SAML2IdenityProviderAdapter

Throws:

SAML2Exception - if the operation is not successful

isValidSessionInRealm

public static boolean isValidSessionInRealm(String realm,
                                            Object session)

Check that the authenticated session belongs to the same realm where the IDP is defined.

Parameters:

realm - The realm where the IdP is defined.

session - The Session object of the authenticated user.

Returns:

true If the session was initiated in the same realm as the session's realm.