add inbound/outbound interfederation SSO checks

5 files changed, 81 insertions, 1 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java
index 39c8ecfdc..a59cc10e0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java
@@ -130,4 +130,19 @@ public interface IOAAuthParameters {
 
 	public String getIDPAttributQueryServiceURL();
 
+	/**
+	 * @return
+	 */
+	boolean isInboundSSOInterfederationAllowed();
+
+	/**
+	 * @return
+	 */
+	boolean isInterfederationSSOStorageAllowed();
+
+	/**
+	 * @return
+	 */
+	boolean isOutboundSSOInterfederationAllowed();
+
 }
\ No newline at end of file
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
index fe2117b9c..7fc5746ee 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
@@ -491,6 +491,30 @@ public String getIDPAttributQueryServiceURL() {
 	
 }
 
+@Override
+public boolean isInboundSSOInterfederationAllowed() {
+	if (inderfederatedIDP != null)
+		return inderfederatedIDP.isInboundSSO();	
+	else
+		return false;	
+}
+
+@Override
+public boolean isOutboundSSOInterfederationAllowed() {
+	if (inderfederatedIDP != null)
+		return inderfederatedIDP.isOutboundSSO();	
+	else
+		return false;	
+}
+
+@Override
+public boolean isInterfederationSSOStorageAllowed() {
+	if (inderfederatedIDP != null)
+		return inderfederatedIDP.isStoreSSOSession();	
+	else
+		return false;	
+}
+
 public boolean isIDPPublicService() {
 	return !getBusinessService();
 	
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
index f35027f21..02ac09d70 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
@@ -354,6 +354,33 @@ public class DynamicOAAuthParameters implements IOAAuthParameters {
 		this.applicationID = applicationID;
 	}
 
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isInboundSSOInterfederationAllowed()
+	 */
+	@Override
+	public boolean isInboundSSOInterfederationAllowed() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isInterfederationSSOStorageAllowed()
+	 */
+	@Override
+	public boolean isInterfederationSSOStorageAllowed() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isOutboundSSOInterfederationAllowed()
+	 */
+	@Override
+	public boolean isOutboundSSOInterfederationAllowed() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
 	
 
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index 8a7a876a7..ee7d452c5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -212,9 +212,17 @@ public class AuthenticationManager extends AuthServlet {
 		boolean requiredLocalAuthentication = true;
 		
 		Logger.debug("Build PVP 2.1 authentication request");
-		
+ 		
 		//get IDP metadata
 		try {
+			OAAuthParameter idp = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(target.getRequestedIDP());
+			if (!idp.isInderfederationIDP() || !idp.isInboundSSOInterfederationAllowed()) {
+				Logger.info("Requested interfederation IDP " + target.getRequestedIDP() + " is not valid for interfederation.");
+				Logger.info("Switch to local authentication on this IDP ... ");
+				perfomLocalAuthentication(request, response, target);
+				
+			}
+			
 			EntityDescriptor idpEntity = MOAMetadataProvider.getInstance().
 					getEntityDescriptor(target.getRequestedIDP());
 			
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index d04480ff5..a786420cf 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -414,6 +414,12 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 			throw new AttributQueryException("AttributeQuery requests are only allowed for interfederation IDPs.", null);
 			
 		}
+		
+		if (!oa.isOutboundSSOInterfederationAllowed()) {
+			Logger.warn("Interfederation IDP " + oa.getPublicURLPrefix() + " does not allow outgoing SSO interfederation.");
+			throw new AttributQueryException("Interfederation IDP does not allow outgoing SSO interfederation.", null);
+			
+		}
 			
 		PVPTargetConfiguration config = new PVPTargetConfiguration();
 		config.setRequest(moaRequest);