Class SPACSUtils


  • public class SPACSUtils
    extends Object
    This class is used by a service provider (SP) to process the response from an identity provider for the SP's Assertion Consumer Service.
    • Method Detail

      • getResponse

        public static ResponseInfo getResponse​(jakarta.servlet.http.HttpServletRequest request,
                                               jakarta.servlet.http.HttpServletResponse response,
                                               String orgName,
                                               String hostEntityId,
                                               SAML2MetaManager metaManager)
                                        throws SAML2Exception,
                                               IOException
        Retrieves the SAML Response from the HTTP request. It handles three cases:
         1. HTTP GET with the request parameter "resID".
            This is the case after local login is done.
         2. HTTP GET with the request parameter "SAMLart".
            This is the case for the artifact profile.
         3. HTTP POST. This is the case for the POST profile.
         
        Parameters:
        request - http servlet request
        response - http servlet response
        orgName - realm or organization name the service provider resides in
        hostEntityId - Entity ID of the hosted service provider
        metaManager - SAML2MetaManager instance.
        Returns:
        ResponseInfo instance.
        Throws:
        SAML2Exception
        IOException
      • processResponse

        public static Object processResponse​(jakarta.servlet.http.HttpServletRequest request,
                                             jakarta.servlet.http.HttpServletResponse response,
                                             PrintWriter out,
                                             String metaAlias,
                                             Object session,
                                             ResponseInfo respInfo,
                                             String realm,
                                             String hostEntityId,
                                             SAML2MetaManager metaManager,
                                             SAML2EventLogger auditor)
                                      throws SAML2Exception
        Authenticates the user with the SAML Response. If the input session is not null, an auth session upgrade is performed; otherwise, the SAML2 auth module is invoked. The name of the auth module is retrieved from SPSSOConfig; if none is configured, "SAML2" is used.
        Parameters:
        request - HTTP Servlet request
        response - HTTP Servlet response.
        out - the print writer for writing out presentation
        metaAlias - metaAlias for the service provider
        session - input session object. It could be null.
        respInfo - ResponseInfo to be verified.
        realm - realm or organization name of the service provider.
        hostEntityId - hosted service provider Entity ID.
        metaManager - SAML2MetaManager instance for meta operation.
        auditor - a SAML2EventLogger auditor object to hook into tracking information for the saml request
        Returns:
        Object which holds result of the session.
        Throws:
        SAML2Exception - if the processing failed.
      • getNeedAttributeEncrypted

        public static boolean getNeedAttributeEncrypted​(boolean needAssertionEncrypted,
                                                        SPSSOConfigElement spssoconfig)
      • setAttrMapInSession

        public static void setAttrMapInSession​(SessionProvider sessionProvider,
                                               Map attrMap,
                                               Object session)
                                        throws SessionException
        Sets the attribute map in the session
        Parameters:
        sessionProvider - Session provider
        attrMap - the Attribute Map
        session - the valid session object
        Throws:
        SessionException
      • getRelayState

        public static String getRelayState​(String relayStateID,
                                           String orgName,
                                           String hostEntityId,
                                           SAML2MetaManager sm)
        Obtains the relay state. The relay state is retrieved from the relay state cache; if the input relay state ID is null, the default relay state is retrieved from SPSSOConfig instead.
        Parameters:
        relayStateID - relay state value received from http request.
        orgName - realm or organization name the service provider resides in
        hostEntityId - Entity ID of the hosted service provider
        sm - SAML2MetaManager instance.
        Returns:
        final relay state. Or null if the input relayStateID is null and no default relay state is configured.
      • getIntermediateURL

        public static String getIntermediateURL​(String orgName,
                                                String hostEntityId,
                                                SAML2MetaManager sm)
        Retrieves the intermediate redirect URL from the SP SSO config. This URL is used when the user should be sent somewhere before the final relay state.
        Parameters:
        orgName - realm or organization name the service provider resides in
        hostEntityId - Entity ID of the hosted service provider
        sm - SAML2MetaManager instance.
        Returns:
        intermediate redirect URL, or null if the URL is not configured or an error occurred during retrieval.
      • prepareForLocalLogin

        public static String prepareForLocalLogin​(String realm,
                                                  String hostEntityId,
                                                  SAML2MetaManager sm,
                                                  ResponseInfo respInfo,
                                                  String requestURI)
        Saves the response for later retrieval and retrieves the local auth URL from SPSSOConfig. If that URL is not configured, one is generated from the request URI. If it still cannot be determined (which should not happen), it is taken from SystemConfigurationUtil.
        Parameters:
        realm - Realm or organization name the service provider resides in.
        hostEntityId - Entity ID of the hosted service provider.
        sm - SAML2MetaManager instance to perform metadata operations.
        respInfo - The ResponseInfo to be cached.
        requestURI - The HTTP request URI.
        Returns:
        The local login url.
      • getSAMLAttributes

        public static List<Attribute> getSAMLAttributes​(Assertion assertion,
                                                        boolean needAttributeEncrypted,
                                                        Set<PrivateKey> privateKeys)
        Gets the attributes from an assertion's AttributeStatements.
        Parameters:
        assertion - The assertion from which to pull the AttributeStatements.
        needAttributeEncrypted - Whether attributes must be encrypted (or else rejected).
        privateKeys - Private keys used to decrypt those encrypted attributes.
        Returns:
        a list of attributes pulled from the provided assertion.
      • processResponseForFedlet

        public static Map processResponseForFedlet​(jakarta.servlet.http.HttpServletRequest request,
                                                   jakarta.servlet.http.HttpServletResponse response,
                                                   PrintWriter out)
                                            throws SAML2Exception,
                                                   IOException,
                                                   SessionException,
                                                   jakarta.servlet.ServletException
        Processes the response from the Identity Provider to the Fedlet (SP). This performs all required protocol processing, including signature, issuer and audience validation. A map containing the processing result is returned.
        Here is a list of keys and values for the returned map:
        SAML2Constants.ATTRIBUTE_MAP -- Attribute map containing all attributes passed down from IDP inside the Assertion. The value is a java.util.Map whose keys are attribute names and values are java.util.Set of string values for the attributes.
        SAML2Constants.RELAY_STATE -- Relay state, value is a string
        SAML2Constants.IDPENTITYID -- IDP entity ID, value is a string
        SAML2Constants.RESPONSE -- Response object, value is an instance of com.sun.identity.saml2.protocol.Response
        SAML2Constants.ASSERTION -- Assertion object, value is an instance of com.sun.identity.saml2.assertion.Assertion
        SAML2Constants.SUBJECT -- Subject object, value is an instance of com.sun.identity.saml2.assertion.Subject
        SAML2Constants.NAMEID -- NameID object, value is an instance of com.sun.identity.saml2.assertion.NameID
        Parameters:
        request - HTTP Servlet request
        response - HTTP Servlet response.
        out - the print writer for writing out presentation
        Returns:
        Map which holds result of the processing.
        Throws:
        SAML2Exception - if the processing failed due to server error.
        IOException - if the processing failed due to IO error.
        SessionException - if the processing failed due to session error.
        jakarta.servlet.ServletException - if the processing failed due to request error.
      • getPrincipalWithoutLogin

        public static String getPrincipalWithoutLogin​(Subject assertionSubject,
                                                      Assertion authnAssertion,
                                                      String realm,
                                                      String spEntityId,
                                                      SAML2MetaManager metaManager,
                                                      String idpEntityId,
                                                      String storageKey)
                                               throws SAML2Exception
        Returns the username from the Assertion if it could be mapped to a local user account, or null otherwise. Should only be used on the SP side, and only in conjunction with the Auth Module. In addition, it performs whatever attribute federation it can. This method is a picked-apart version of the "processResponse" function.
        Throws:
        SAML2Exception
      • getAttrs

        public static List<Attribute> getAttrs​(Assertion authnAssertion,
                                               boolean needAttributeEncrypted,
                                               Set<PrivateKey> decryptionKeys)
        Gets the attributes for this assertion in a new List.
        Parameters:
        authnAssertion - Assertion from which to read the attributes.
        needAttributeEncrypted - Whether the attributes must be encrypted.
        decryptionKeys - The keys used to decrypt the attributes, if they're encrypted.
        Returns:
        a List of the attributes in this assertion.