com.sun.identity.saml2.profile

Class SPACSUtils

java.lang.Object

com.sun.identity.saml2.profile.SPACSUtils

public class SPACSUtils
extends Object

This class is used by a service provider (SP) to process the response from an identity provider for the SP's Assertion Consumer Service.

Method Summary

Modifier and Type	Method and Description
static List<Attribute>	getAttrs(Assertion authnAssertion, boolean needAttributeEncrypted, Set<PrivateKey> decryptionKeys) Gets the attributes for this assertion in a new List.
static String	getIntermediateURL(String orgName, String hostEntityId, SAML2MetaManager sm) Retrieves intermediate redirect url from SP sso config.
static boolean	getNeedAttributeEncrypted(boolean needAssertionEncrypted, SPSSOConfigElement spssoconfig)
static String	getPrincipalWithoutLogin(Subject assertionSubject, Assertion authnAssertion, String realm, String spEntityId, SAML2MetaManager metaManager, String idpEntityId, String storageKey) Returns the username if there was one from the Assertion we were able to map into a local user account.
static String	getRelayState(String relayStateID, String orgName, String hostEntityId, SAML2MetaManager sm) Obtains relay state.
static ResponseInfo	getResponse(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String orgName, String hostEntityId, SAML2MetaManager metaManager) Retrieves SAML Response from http request.
static List<Attribute>	getSAMLAttributes(Assertion assertion, boolean needAttributeEncrypted, Set<PrivateKey> privateKeys) Gets the attributes from an assert's AttributeStates.
static String	prepareForLocalLogin(String realm, String hostEntityId, SAML2MetaManager sm, ResponseInfo respInfo, String requestURI) Saves response for later retrieval and retrieves local auth url from SPSSOConfig.
static Object	processResponse(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, PrintWriter out, String metaAlias, Object session, ResponseInfo respInfo, String realm, String hostEntityId, SAML2MetaManager metaManager, SAML2EventLogger auditor) Authenticates user with Response.
static Map	processResponseForFedlet(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, PrintWriter out) Processes response from Identity Provider to Fedlet (SP).
static void	saveInfoInMemory(SessionProvider sessionProvider, Object session, String sessionIndex, String metaAlias, NameIDInfo info, boolean isIDPProxy, boolean isTransient)
static void	setAttrMapInSession(SessionProvider sessionProvider, Map attrMap, Object session) Sets the attribute map in the session

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

getResponse

public static ResponseInfo getResponse(javax.servlet.http.HttpServletRequest request,
                                       javax.servlet.http.HttpServletResponse response,
                                       String orgName,
                                       String hostEntityId,
                                       SAML2MetaManager metaManager)
                                throws SAML2Exception,
                                       IOException

Retrieves SAML Response from http request. It handles three cases:

 1. using http method get using request parameter "resID".
    This is the case after local login is done.
 2. using http method get using request parameter "SAMLart".
    This is the case for artifact profile.
 3. using http method post. This is the case for post profile.
 

Parameters:

request - http servlet request

response - http servlet response

orgName - realm or organization name the service provider resides in

hostEntityId - Entity ID of the hosted service provider

metaManager - SAML2MetaManager instance.

Returns:

ResponseInfo instance.

Throws:

SAML2Exception,IOException - if it fails in the process.

SAML2Exception

IOException

processResponse

public static Object processResponse(javax.servlet.http.HttpServletRequest request,
                                     javax.servlet.http.HttpServletResponse response,
                                     PrintWriter out,
                                     String metaAlias,
                                     Object session,
                                     ResponseInfo respInfo,
                                     String realm,
                                     String hostEntityId,
                                     SAML2MetaManager metaManager,
                                     SAML2EventLogger auditor)
                              throws SAML2Exception

Authenticates user with Response. Auth session upgrade will be called if input session is not null. Otherwise, saml2 auth module is called. The name of the auth module is retrieved from SPSSOConfig. If not found, "SAML2" will be used.

Parameters:

request - HTTP Servlet request

response - HTTP Servlet response.

out - the print writer for writing out presentation

metaAlias - metaAlias for the service provider

session - input session object. It could be null.

respInfo - ResponseInfo to be verified.

realm - realm or organization name of the service provider.

hostEntityId - hosted service provider Entity ID.

metaManager - SAML2MetaManager instance for meta operation.

auditor - a SAML2EventLogger auditor object to hook into tracking information for the saml request

Returns:

Object which holds result of the session.

Throws:

SAML2Exception - if the processing failed.

getNeedAttributeEncrypted

public static boolean getNeedAttributeEncrypted(boolean needAssertionEncrypted,
                                                SPSSOConfigElement spssoconfig)

saveInfoInMemory

public static void saveInfoInMemory(SessionProvider sessionProvider,
                                    Object session,
                                    String sessionIndex,
                                    String metaAlias,
                                    NameIDInfo info,
                                    boolean isIDPProxy,
                                    boolean isTransient)
                             throws SAML2Exception

Throws:

SAML2Exception

setAttrMapInSession

public static void setAttrMapInSession(SessionProvider sessionProvider,
                                       Map attrMap,
                                       Object session)
                                throws SessionException

Sets the attribute map in the session

Parameters:

sessionProvider - Session provider

attrMap - the Attribute Map

session - the valid session object

Throws:

SessionException

getRelayState

public static String getRelayState(String relayStateID,
                                   String orgName,
                                   String hostEntityId,
                                   SAML2MetaManager sm)

Obtains relay state. Retrieves the relay state from relay state cache. If input relay state is null, retrieve it from SPSSOConfig.

Parameters:

relayStateID - relay state value received from http request.

orgName - realm or organization name the service provider resides in

hostEntityId - Entity ID of the hosted service provider

sm - SAML2MetaManager instance.

Returns:

final relay state. Or null if the input relayStateID is null and no default relay state is configured.

getIntermediateURL

public static String getIntermediateURL(String orgName,
                                        String hostEntityId,
                                        SAML2MetaManager sm)

Retrieves intermediate redirect url from SP sso config. This url is used if you want to goto some place before the final relay state.

Parameters:

orgName - realm or organization name the service provider resides in

hostEntityId - Entity ID of the hosted service provider

sm - SAML2MetaManager instance.

Returns:

intermediate redirect url; or null if the url is is not configured or an error occured during the retrieval process.

prepareForLocalLogin

public static String prepareForLocalLogin(String realm,
                                          String hostEntityId,
                                          SAML2MetaManager sm,
                                          ResponseInfo respInfo,
                                          String requestURI)

Saves response for later retrieval and retrieves local auth url from SPSSOConfig. If the url does not exist, generate one from request URI. If still cannot get it, (shouldn't happen), get it from SystemConfigurationUtil.

Parameters:

realm - Realm or organization name the service provider resides in.

hostEntityId - Entity ID of the hosted service provider.

sm - SAML2MetaManager instance to perform metadata operations.

respInfo - The to be cached ResponseInfo.

requestURI - The HTTP request URI.

Returns:

The local login url.

getSAMLAttributes

public static List<Attribute> getSAMLAttributes(Assertion assertion,
                                                boolean needAttributeEncrypted,
                                                Set<PrivateKey> privateKeys)

Gets the attributes from an assert's AttributeStates.

Parameters:

assertion - The assertion from which to pull the AttributeStates.

needAttributeEncrypted - Whether attributes must be encrypted (or else rejected).

privateKeys - Private keys used to decrypt those encrypted attributes.

Returns:

a list of attributes pulled from the provided assertion.

processResponseForFedlet

public static Map processResponseForFedlet(javax.servlet.http.HttpServletRequest request,
                                           javax.servlet.http.HttpServletResponse response,
                                           PrintWriter out)
                                    throws SAML2Exception,
                                           IOException,
                                           SessionException,
                                           javax.servlet.ServletException

Processes response from Identity Provider to Fedlet (SP). This will do all required protocol processing, include signature, issuer and audience validation etc. A map containing processing result will be returned.
Here is a list of keys and values for the returned map:
SAML2Constants.ATTRIBUTE_MAP -- Attribute map containing all attributes passed down from IDP inside the Assertion. The value is a java.util.Map whose keys are attribute names and values are java.util.Set of string values for the attributes.
SAML2Constants.RELAY_STATE -- Relay state, value is a string
SAML2Constants.IDPENTITYID -- IDP entity ID, value is a string
SAML2Constants.RESPONSE -- Response object, value is an instance of com.sun.identity.saml2.protocol.Response SAML2Constants.ASSERTION -- Assertion object, value is an instance of com.sun.identity.saml2.assertion.Assertion SAML2Constants.SUBJECT -- Subject object, value is an instance of com.sun.identity.saml2.assertion.Subject SAML2Constants.NAMEID -- NameID object, value is an instance of com.sun.identity.saml2.assertion.NameID

Parameters:

request - HTTP Servlet request

response - HTTP Servlet response.

out - the print writer for writing out presentation

Returns:

Map which holds result of the processing.

Throws:

SAML2Exception - if the processing failed due to server error.

IOException - if the processing failed due to IO error.

SessionException - if the processing failed due to session error.

javax.servlet.ServletException - if the processing failed due to request error.

getPrincipalWithoutLogin

public static String getPrincipalWithoutLogin(Subject assertionSubject,
                                              Assertion authnAssertion,
                                              String realm,
                                              String spEntityId,
                                              SAML2MetaManager metaManager,
                                              String idpEntityId,
                                              String storageKey)
                                       throws SAML2Exception

Returns the username if there was one from the Assertion we were able to map into a local user account. Returns null if not. Should only be used from the SP side. Should only be called in conjuncture with the Auth Module. In addition, it performs what attribute federation it can. This method is a picked apart version of the "processResponse" function.

Throws:

SAML2Exception

getAttrs

public static List<Attribute> getAttrs(Assertion authnAssertion,
                                       boolean needAttributeEncrypted,
                                       Set<PrivateKey> decryptionKeys)

Gets the attributes for this assertion in a new List.

Parameters:

authnAssertion - Assertion from which to reead the attributes.

needAttributeEncrypted - Whether the attributes must be encrypted.

decryptionKeys - The keys used to decrypt the attributes, if they're encrypted.

Returns:

a List of the attributes in this assertion.