Class IDPSSOUtil


  • public class IDPSSOUtil
    extends Object
    This utility class is used by the identity provider to process an authentication request (AuthnRequest) from a service provider and send back the proper response. The identity provider can also send an unsolicited response to a service provider to perform single sign-on and/or federation.
    • Method Detail

      • doSSOFederate

        public static void doSSOFederate​(jakarta.servlet.http.HttpServletRequest request,
                                         jakarta.servlet.http.HttpServletResponse response,
                                         PrintWriter out,
                                         AuthnRequest authnReq,
                                         String spEntityID,
                                         String idpMetaAlias,
                                         String nameIDFormat,
                                         String relayState,
                                         SAML2EventLogger auditor)
                                  throws SAML2Exception
        Performs single sign-on for the given AuthnRequest using an existing federation, or establishes a new federation if none exists.
        Parameters:
        request - the HttpServletRequest object
        response - the HttpServletResponse object
        out - the print writer for writing out presentation
        authnReq - the AuthnRequest object
        spEntityID - the entity id of the service provider
        idpMetaAlias - the meta alias of the identity provider
        nameIDFormat - the NameIDFormat
        relayState - the relay state
        auditor - the auditor for logging SAML2 Events - may be null
        Throws:
        SAML2Exception - if the operation is not successful
      • doSSOFederate

        public static void doSSOFederate​(jakarta.servlet.http.HttpServletRequest request,
                                         jakarta.servlet.http.HttpServletResponse response,
                                         PrintWriter out,
                                         AuthnRequest authnReq,
                                         String spEntityID,
                                         String idpMetaAlias,
                                         String nameIDFormat,
                                         String relayState,
                                         Object newSession,
                                         SAML2EventLogger auditor)
                                  throws SAML2Exception
        Performs single sign-on for the given AuthnRequest using an existing federation, or establishes a new federation if none exists. This overload accepts the session to use in the IdP proxy case.
        Parameters:
        request - the HttpServletRequest object
        response - the HttpServletResponse object
        out - the print writer for writing out presentation
        authnReq - the AuthnRequest object
        spEntityID - the entity id of the service provider
        idpMetaAlias - the meta alias of the identity provider
        nameIDFormat - the NameIDFormat
        relayState - the relay state
        newSession - Session used in IDP Proxy Case
        auditor - the auditor for logging SAML2 Events
        Throws:
        SAML2Exception - if the operation is not successful
      • sendResponseToACS

        public static void sendResponseToACS​(jakarta.servlet.http.HttpServletRequest request,
                                             jakarta.servlet.http.HttpServletResponse response,
                                             PrintWriter out,
                                             Object session,
                                             AuthnRequest authnReq,
                                             String spEntityID,
                                             String idpEntityID,
                                             String idpMetaAlias,
                                             String realm,
                                             String nameIDFormat,
                                             String relayState,
                                             AuthnContext matchingAuthnContext)
                                      throws SAML2Exception
        Sends Response containing an Assertion back to the requesting service provider
        Parameters:
        request - the HttpServletRequest object
        response - the HttpServletResponse object
        out - the print writer for writing out presentation
        session - user session
        authnReq - the AuthnRequest object
        spEntityID - the entity id of the service provider
        idpEntityID - the entity id of the identity provider
        idpMetaAlias - the meta alias of the identity provider
        realm - the realm
        nameIDFormat - the NameIDFormat
        relayState - the relay state
        matchingAuthnContext - the AuthnContext used to find authentication type and scheme.
        Throws:
        SAML2Exception
      • sendResponseWithStatus

        public static void sendResponseWithStatus​(jakarta.servlet.http.HttpServletRequest request,
                                                  jakarta.servlet.http.HttpServletResponse response,
                                                  PrintWriter out,
                                                  String idpMetaAlias,
                                                  String idpEntityID,
                                                  String realm,
                                                  AuthnRequest authnReq,
                                                  String relayState,
                                                  String spEntityID,
                                                  String firstlevelStatusCodeValue,
                                                  String secondlevelStatusCodeValue)
                                           throws SAML2Exception
        A convenience method to construct response with First-level and Second-level status code for SAML authentication requests.
        Parameters:
        request - The servlet request.
        response - The servlet response.
        out - The print writer for writing out presentation.
        idpMetaAlias - The IdP's metaAlias.
        idpEntityID - The IdP's entity ID.
        realm - The realm where the IdP belongs to.
        authnReq - The SAML AuthnRequest sent by the SP.
        relayState - The RelayState value.
        spEntityID - The SP's entity ID.
        firstlevelStatusCodeValue - First-level status code value passed.
        secondlevelStatusCodeValue - Second-level status code value passed.
        Throws:
        SAML2Exception - If there was an error while creating or sending the response back to the SP.
      • sendResponse

        public static void sendResponse​(jakarta.servlet.http.HttpServletRequest request,
                                        jakarta.servlet.http.HttpServletResponse response,
                                        PrintWriter out,
                                        String cachedResID)
                                 throws SAML2Exception
        Sends a response to service provider
        Parameters:
        request - The servlet request.
        response - The servlet response.
        out - The print writer for writing out presentation.
        cachedResID - the key used to retrieve response information from the response information cache
        Throws:
        SAML2Exception - if the operation is not successful
      • sendResponse

        public static void sendResponse​(jakarta.servlet.http.HttpServletRequest request,
                                        jakarta.servlet.http.HttpServletResponse response,
                                        PrintWriter out,
                                        String acsBinding,
                                        String spEntityID,
                                        String idpEntityID,
                                        String idpMetaAlias,
                                        String realm,
                                        String relayState,
                                        String acsURL,
                                        Response res,
                                        Object session)
                                 throws SAML2Exception
        Sends an already built SAML Response to the service provider's assertion consumer service using the given binding.
        Parameters:
        request - the HttpServletRequest object
        response - the HttpServletResponse object
        out - the print writer for writing out presentation
        acsBinding - the assertion consumer service binding
        spEntityID - the entity id of the service provider
        idpEntityID - the entity id of the identity provider
        idpMetaAlias - the meta alias of the identity provider
        realm - the realm name
        relayState - the relay state
        acsURL - the assertion consumer service url
        res - the SAML Response object
        session - the user session
        Throws:
        SAML2Exception - if the operation is not successful
      • getResponse

        public static Response getResponse​(jakarta.servlet.http.HttpServletRequest request,
                                           Object session,
                                           AuthnRequest authnReq,
                                           String recipientEntityID,
                                           String idpEntityID,
                                           String idpMetaAlias,
                                           String realm,
                                           String nameIDFormat,
                                           String acsURL,
                                           String affiliationID,
                                           AuthnContext matchingAuthnContext)
                                    throws SAML2Exception
        Builds and returns a SAML Response object (containing the Assertion) for the given request and session.
        Parameters:
        request - The HTTP request.
        session - The user's session object.
        authnReq - The AuthnRequest object.
        recipientEntityID - The entity ID of the response recipient.
        idpEntityID - The entity ID of the identity provider.
        idpMetaAlias - The meta alias of the identity provider.
        realm - The realm name.
        nameIDFormat - The NameIDFormat.
        acsURL - The ACS service url.
        affiliationID - AffiliationID for IDP initiated SSO.
        matchingAuthnContext - the AuthnContext used to find authentication type and scheme.
        Returns:
        the SAML Response object.
        Throws:
        SAML2Exception - if the operation is not successful.
      • getIDPAuthnContextMapper

        public static IDPAuthnContextMapper getIDPAuthnContextMapper​(String realm,
                                                                     String idpEntityID)
                                                              throws SAML2Exception
        Returns an IDPAuthnContextMapper
        Parameters:
        realm - the realm name
        idpEntityID - the entity id of the identity provider
        Returns:
        the IDPAuthnContextMapper
        Throws:
        SAML2Exception - if the operation is not successful
      • getIDPECPSessionMapper

        public static IDPECPSessionMapper getIDPECPSessionMapper​(String realm,
                                                                 String idpEntityID)
                                                          throws SAML2Exception
        Returns an IDPECPSessionMapper
        Parameters:
        realm - the realm name
        idpEntityID - the entity id of the identity provider
        Returns:
        the IDPECPSessionMapper
        Throws:
        SAML2Exception - if the operation is not successful
      • getConditions

        protected static Conditions getConditions​(String audienceEntityID,
                                                  int notBeforeSkewTime,
                                                  int effectiveTime)
                                           throws SAML2Exception
        Returns a SAML Conditions object whose validity window is derived from the NotBefore skew and the effective time.
        Parameters:
        audienceEntityID - the entity id of the audience
        notBeforeSkewTime - the skew, in seconds, applied to the NotBefore condition
        effectiveTime - the effective time of the assertion, in seconds
        Returns:
        the SAML Conditions object
        Throws:
        SAML2Exception - if the operation is not successful
      • getACSurl

        public static String getACSurl​(String spEntityID,
                                       String realm,
                                       AuthnRequest authnReq,
                                       jakarta.servlet.http.HttpServletRequest request,
                                       StringBuffer rBinding)
                                throws SAML2Exception
        Returns the assertion consumer service URL
        Parameters:
        spEntityID - the entity id of the service provider
        realm - the realm name of the identity provider
        authnReq - the AuthnRequest object
        request - the HttpServletRequest object
        rBinding - the binding used to send back Response
        Returns:
        the assertion consumer service URL
        Throws:
        SAML2Exception - if the operation is not successful
      • getACSurl

        public static String getACSurl​(String spEntityID,
                                       String realm,
                                       String acsURL,
                                       String binding,
                                       Integer index,
                                       jakarta.servlet.http.HttpServletRequest request,
                                       StringBuffer rBinding)
                                throws SAML2Exception
        Returns the assertion consumer service URL.
        Parameters:
        spEntityID - The entity id of the service provider.
        realm - The realm name of the identity provider.
        acsURL - AssertionConsumerServiceURL in AuthnRequest.
        binding - ProtocolBinding in AuthnRequest.
        index - AssertionConsumerServiceIndex in AuthnRequest.
        request - The HttpServletRequest object.
        rBinding - The binding used to send back Response.
        Returns:
        The assertion consumer service URL.
        Throws:
        SAML2Exception - if the operation is not successful.
      • getDefaultACSurl

        public static String getDefaultACSurl​(String spEntityID,
                                              String realm,
                                              StringBuffer returnedBinding)
                                       throws SAML2Exception
        Returns the default assertion consumer service url and binding from the metadata.
        Parameters:
        spEntityID - the entity id of the service provider
        realm - the realm name of the identity provider
        returnedBinding - the binding of the returned URL, appended to this buffer
        Returns:
        the assertion consumer service url with returned binding.
        Throws:
        SAML2Exception - if the operation is not successful
      • getBindingForAcsUrl

        public static String getBindingForAcsUrl​(String spEntityID,
                                                 String realm,
                                                 String acsURL)
                                          throws SAML2Exception
        Returns the binding of the given assertion consumer service url, as defined in the service provider's metadata.
        Parameters:
        spEntityID - the entity id of the service provider
        realm - the realm name of the identity provider
        acsURL - the assertion consumer service url to look up
        Returns:
        the assertion consumer service url binding
        Throws:
        SAML2Exception - if the operation is not successful
      • getACSurlFromMetaByBinding

        public static String getACSurlFromMetaByBinding​(String spEntityID,
                                                        String realm,
                                                        String desiredBinding,
                                                        StringBuffer returnedBinding)
                                                 throws SAML2Exception
        Returns the assertion consumer service URL from meta data by binding
        Parameters:
        spEntityID - the entity id of the service provider
        realm - the realm name of the identity provider
        desiredBinding - the desired binding
        returnedBinding - the binding used to send back Response
        Returns:
        the assertion consumer service URL
        Throws:
        SAML2Exception - if the operation is not successful
      • getACSurlFromMetaByIndex

        public static String getACSurlFromMetaByIndex​(String spEntityID,
                                                      String realm,
                                                      int acsIndex,
                                                      StringBuffer returnedBinding)
                                               throws SAML2Exception
        Returns the assertion consumer service URL from meta data by index
        Parameters:
        spEntityID - the entity id of the service provider
        realm - the realm name of the identity provider
        acsIndex - the ACS index
        returnedBinding - the binding used to send back Response
        Returns:
        the assertion consumer service URL
        Throws:
        SAML2Exception - if the operation is not successful
      • sendResponseArtifact

        public static void sendResponseArtifact​(jakarta.servlet.http.HttpServletRequest request,
                                                jakarta.servlet.http.HttpServletResponse response,
                                                String idpEntityID,
                                                String spEntityID,
                                                String realm,
                                                String acsURL,
                                                String relayState,
                                                Response res,
                                                Object session,
                                                Map props)
                                         throws SAML2Exception
        Sends an artifact response for the given SAML Response to the target assertion consumer service URL using the HttpServletResponse object.
        Parameters:
        request - the HttpServletRequest object
        response - the HttpServletResponse object
        idpEntityID - the entity id of the identity provider
        spEntityID - the entity id of the service provider
        realm - the realm name of the identity provider
        acsURL - the assertion consumer service URL
        relayState - the value of the RelayState
        res - the SAML Response object
        session - user session
        props - property map including nameIDString for logging
        Throws:
        SAML2Exception - if the operation is not successful
      • sendResponseECP

        public static void sendResponseECP​(jakarta.servlet.http.HttpServletRequest request,
                                           jakarta.servlet.http.HttpServletResponse response,
                                           PrintWriter out,
                                           String idpEntityID,
                                           String realm,
                                           String acsURL,
                                           Response res)
                                    throws SAML2Exception
        This method sends SAML Response back to ECP.
        Parameters:
        request - The servlet request.
        response - The servlet response.
        out - The print writer for writing out presentation.
        idpEntityID - the entity id of the identity provider
        realm - the realm name of the identity provider
        acsURL - the assertion consumer service URL
        res - the SAML Response object
        Throws:
        SAML2Exception - if the operation is not successful
      • getSessionIndex

        public static String getSessionIndex​(Object session)
        Returns the session index of an IDPSession
        Parameters:
        session - the session corresponding to the IDPSession
        Returns:
        the session index string
      • getAuthenticationServiceURL

        public static String getAuthenticationServiceURL​(String realm,
                                                         String hostEntityId,
                                                         jakarta.servlet.http.HttpServletRequest request)
        Returns the authentication service URL of the identity provider
        Parameters:
        realm - the realm name of the identity provider
        hostEntityId - the entity id of the identity provider
        request - the HttpServletRequest object
        Returns:
        the authentication service URL of the identity provider
      • getAttributeValueFromIDPSSOConfig

        public static String getAttributeValueFromIDPSSOConfig​(String realm,
                                                               String hostEntityId,
                                                               String attrName)
        Returns the value of the named attribute from the identity provider's extended (IDPSSOConfig) metadata.
        Parameters:
        realm - the realm name of the identity provider
        hostEntityId - the entity id of the identity provider
        attrName - the name of the attribute to look up
        Returns:
        the attribute value, or null if it is not defined
      • getEffectiveTime

        protected static int getEffectiveTime​(String realm,
                                              String idpEntityID)
        Returns the effective time from the IdP extended metadata. If the attribute is not defined in the metadata, it defaults to 600 seconds (10 minutes).
        Parameters:
        realm - the realm name
        idpEntityID - the entity id of the identity provider
        Returns:
        the effective time value in seconds.
      • getNotBeforeSkewTime

        protected static int getNotBeforeSkewTime​(String realm,
                                                  String idpEntityID)
        Returns the NotBefore skew time from the IdP extended metadata. If the attribute is not defined in the metadata, it defaults to 600 seconds (10 minutes).
        Parameters:
        realm - the realm name
        idpEntityID - the entity id of the identity provider
        Returns:
        the NotBefore skew value in seconds.
      • stringToByteArray

        public static byte[] stringToByteArray​(String input)
      • getIDPAdapterClass

        public static SAML2IdentityProviderAdapter getIDPAdapterClass​(String realm,
                                                                      String idpEntityID)
                                                               throws SAML2Exception
        Returns a SAML2IdentityProviderAdapter
        Parameters:
        realm - the realm name
        idpEntityID - the entity id of the identity provider
        Returns:
        the SAML2IdentityProviderAdapter
        Throws:
        SAML2Exception - if the operation is not successful
      • isValidSessionInRealm

        public static boolean isValidSessionInRealm​(String realm,
                                                    Object session)
        Checks that the authenticated session belongs to the same realm in which the IdP is defined.
        Parameters:
        realm - The realm where the IdP is defined.
        session - The Session object of the authenticated user.
        Returns:
        true if the session was initiated in the realm where the IdP is defined, false otherwise.
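
Worked example (added here; it is not part of the IDPSSOUtil class or of its project's code). A hypothetical IdP-side handler wires the ACS resolution methods (getACSurl), the session realm check (isValidSessionInRealm), and the response methods (getResponse, sendResponse, sendResponseWithStatus) together for one SP-initiated AuthnRequest. The security point it makes: the IdP never takes the AssertionConsumerServiceURL from the AuthnRequest at face value, it lets getACSurl reconcile it with the SP's metadata and treats a SAML2Exception from that step as a requester error, and it refuses to assert on a session that was not created in the IdP's realm. Assumptions not documented on this page: the package names (com.sun.identity.saml2.*), that the AuthnRequest has already been parsed and its signature verified upstream, that getACSurl throws SAML2Exception when the requested endpoint is not acceptable, and that the AuthnContext is obtained through IDPAuthnContextMapper.getIDPAuthnContextInfo(...).getAuthnContext(). The class name IdpAuthnRequestHandler and its parameters are illustrative.

```java
// Added example, not project code. Assumed packages and the
// IDPAuthnContextInfo accessor are noted in the lead-in.
import java.io.PrintWriter;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import com.sun.identity.saml2.assertion.AuthnContext;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.plugins.IDPAuthnContextInfo;
import com.sun.identity.saml2.plugins.IDPAuthnContextMapper;
import com.sun.identity.saml2.profile.IDPSSOUtil;
import com.sun.identity.saml2.protocol.AuthnRequest;
import com.sun.identity.saml2.protocol.Response;

public final class IdpAuthnRequestHandler {

    // Standard SAML 2.0 status code URIs (SAML 2.0 Core, section 3.2.2.2).
    private static final String STATUS_REQUESTER =
            "urn:oasis:names:tc:SAML:2.0:status:Requester";
    private static final String STATUS_RESPONDER =
            "urn:oasis:names:tc:SAML:2.0:status:Responder";
    private static final String STATUS_REQUEST_DENIED =
            "urn:oasis:names:tc:SAML:2.0:status:RequestDenied";
    private static final String STATUS_AUTHN_FAILED =
            "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed";

    private IdpAuthnRequestHandler() {
    }

    /**
     * Answers an already parsed and signature-checked AuthnRequest for a user
     * who holds an authenticated session. Everything is delegated to IDPSSOUtil;
     * this method only decides the order of the checks and which status to return.
     */
    public static void handle(HttpServletRequest request, HttpServletResponse response,
                              PrintWriter out, AuthnRequest authnReq, String spEntityID,
                              String idpEntityID, String idpMetaAlias, String realm,
                              String nameIDFormat, String relayState, Object session)
            throws SAML2Exception {

        // 1. Resolve the endpoint the Response may be sent to. getACSurl reconciles the
        //    AssertionConsumerServiceURL / Index / ProtocolBinding carried in the AuthnRequest
        //    with the SP's metadata and reports the binding through the StringBuffer
        //    out-parameter. Do not read authnReq.getAssertionConsumerServiceURL() directly:
        //    an unvalidated value lets a forged request steer the assertion elsewhere.
        StringBuffer rBinding = new StringBuffer();
        String acsURL;
        try {
            acsURL = IDPSSOUtil.getACSurl(spEntityID, realm, authnReq, request, rBinding);
        } catch (SAML2Exception e) {
            // Assumed: the requested endpoint was rejected. Report a requester error.
            // sendResponseWithStatus takes no acsURL, so it locates the SP's endpoint
            // itself from the request and metadata; if that also fails, the
            // SAML2Exception propagates to the caller, which is the safe outcome.
            IDPSSOUtil.sendResponseWithStatus(request, response, out, idpMetaAlias,
                    idpEntityID, realm, authnReq, relayState, spEntityID,
                    STATUS_REQUESTER, STATUS_REQUEST_DENIED);
            return;
        }
        String acsBinding = rBinding.toString();

        // 2. Only a session created in the realm that hosts this IdP may be asserted.
        //    A session from another realm is answered with a Responder/AuthnFailed status
        //    instead of an assertion.
        if (!IDPSSOUtil.isValidSessionInRealm(realm, session)) {
            IDPSSOUtil.sendResponseWithStatus(request, response, out, idpMetaAlias,
                    idpEntityID, realm, authnReq, relayState, spEntityID,
                    STATUS_RESPONDER, STATUS_AUTHN_FAILED);
            return;
        }

        // 3. Pick the AuthnContext the IdP will assert, via the configured mapper.
        //    (getIDPAuthnContextInfo / getAuthnContext are assumed mapper methods.)
        IDPAuthnContextMapper mapper = IDPSSOUtil.getIDPAuthnContextMapper(realm, idpEntityID);
        IDPAuthnContextInfo ctxInfo = mapper.getIDPAuthnContextInfo(authnReq, idpEntityID, realm);
        AuthnContext matchingAuthnContext = ctxInfo.getAuthnContext();

        // 4. Build the Response (with Assertion) for the resolved recipient and deliver it
        //    to the resolved ACS URL using the resolved binding. affiliationID is null
        //    because this is SP-initiated SSO.
        Response res = IDPSSOUtil.getResponse(request, session, authnReq, spEntityID,
                idpEntityID, idpMetaAlias, realm, nameIDFormat, acsURL, null,
                matchingAuthnContext);
        IDPSSOUtil.sendResponse(request, response, out, acsBinding, spEntityID, idpEntityID,
                idpMetaAlias, realm, relayState, acsURL, res, session);
    }
}
```

The higher-level doSSOFederate overloads perform the same sequence internally; the explicit version above is useful when writing an IdP adapter or a custom endpoint that needs to control which status code is returned at each failure point.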