aboutsummaryrefslogtreecommitdiff
path: root/id
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2016-02-24 06:22:18 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2016-02-24 06:22:18 +0100
commit101f582d457f3e0bbd42083521360d18168fbd84 (patch)
tree48aa8e439f3e0f02197bacc8095f3aba530ad6c9 /id
parentcbdb6946d5af7de63afebf5ad256743303f00935 (diff)
downloadmoa-id-spss-101f582d457f3e0bbd42083521360d18168fbd84.tar.gz
moa-id-spss-101f582d457f3e0bbd42083521360d18168fbd84.tar.bz2
moa-id-spss-101f582d457f3e0bbd42083521360d18168fbd84.zip
add federated IDP authentication modul
Diffstat (limited to 'id')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SP/tasks/AbstractAuthnRequestTask.java293
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java172
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java114
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnRequestBuildException.java (renamed from id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SP/tasks/AbstractAuthnResponseTask.java)34
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnResponseValidationException.java48
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java68
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java4
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties9
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java3
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java12
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java161
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java14
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java220
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java225
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/federatedauth/federated.Authentication.process.xml30
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/resources/moaid_federated_auth.beans.xml15
16 files changed, 1040 insertions, 382 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SP/tasks/AbstractAuthnRequestTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SP/tasks/AbstractAuthnRequestTask.java
deleted file mode 100644
index c8c115f82..000000000
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SP/tasks/AbstractAuthnRequestTask.java
+++ /dev/null
@@ -1,293 +0,0 @@
-/*
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- */
-package at.gv.egovernment.moa.id.protocols.pvp2x.SP.tasks;
-import java.lang.reflect.InvocationTargetException;
-import java.security.NoSuchAlgorithmException;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.joda.time.DateTime;
-import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
-import org.opensaml.common.xml.SAMLConstants;
-import org.opensaml.saml2.core.AuthnContextClassRef;
-import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
-import org.opensaml.saml2.core.AuthnRequest;
-import org.opensaml.saml2.core.Issuer;
-import org.opensaml.saml2.core.NameID;
-import org.opensaml.saml2.core.NameIDPolicy;
-import org.opensaml.saml2.core.NameIDType;
-import org.opensaml.saml2.core.RequestedAuthnContext;
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.SingleSignOnService;
-import org.opensaml.saml2.metadata.provider.MetadataProviderException;
-import org.opensaml.ws.message.encoder.MessageEncodingException;
-import org.opensaml.xml.security.SecurityException;
-
-import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
-import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
-import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
-import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
-import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
-import at.gv.egovernment.moa.id.config.ConfigurationException;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
-import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
-import at.gv.egovernment.moa.id.moduls.RequestImpl;
-import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
-import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder;
-import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
-import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
-import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
-import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
-import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper;
-import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.MiscUtil;
-
-/**
- * @author tlenz
- *
- */
-public abstract class AbstractAuthnRequestTask extends AbstractAuthServletTask {
-
- /* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.process.springweb.MoaIdTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
- */
- @Override
- public void execute(ExecutionContext executionContext,
- HttpServletRequest request, HttpServletResponse response)
- throws TaskExecutionException {
- boolean requiredLocalAuthentication = true;
-
- String idpEntityID =
- (String) executionContext.get(MOAIDAuthConstants.PROCESSCONTEXT_INTERFEDERATION_ENTITYID);
-
- if (MiscUtil.isEmpty(idpEntityID)) {
- Logger.info("Interfederation not possible -> not inderfederation IDP EntityID found!");
- throw new TaskExecutionException(pendingReq, "Interfederation not possible", new MOAIDException("No inderfederation-IDP EntityID found.", null));
-
- }
-
- //TODO: create MOASession
- //TODO: set relayState to MOASession
- //TODO: add support for requested attributes (from context and from metadata)
-
-
- try {
- OAAuthParameter idp = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(idpEntityID);
- IOAAuthParameters sp = pendingReq.getOnlineApplicationConfiguration();
-
- String requestedIDP = pendingReq.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class);
-
- if (!idp.isInderfederationIDP() || !idp.isInboundSSOInterfederationAllowed()) {
- Logger.info("Requested interfederation IDP " + requestedIDP + " is not valid for interfederation.");
- Logger.debug("isInderfederationIDP:" + String.valueOf(idp.isInderfederationIDP())
- + " isInboundSSOAllowed:" + String.valueOf(idp.isInboundSSOInterfederationAllowed()));
- Logger.info("Switch to local authentication on this IDP ... ");
-
- executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION, true);
- return;
-
- }
-
-
-
-
- EntityDescriptor idpEntity = MOAMetadataProvider.getInstance().
- getEntityDescriptor(idpEntityID);
-
- if (idpEntity != null ) {
-
- //fetch endpoint from IDP metadata
- SingleSignOnService redirectEndpoint = null;
- for (SingleSignOnService sss :
- idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleSignOnServices()) {
-
- // use POST binding as default if it exists
- //TODO: maybe use RedirectBinding as default
- if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) {
- redirectEndpoint = sss;
-
- } else if ( sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI) &&
- redirectEndpoint == null )
- redirectEndpoint = sss;
- }
-
- if (redirectEndpoint != null) {
-
- AuthnRequest authReq = SAML2Utils
- .createSAMLObject(AuthnRequest.class);
- SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator();
- authReq.setID(gen.generateIdentifier());
-
- //send passive AuthnRequest
- authReq.setIsPassive(idp.isPassivRequestUsedForInterfederation());
-
- authReq.setAssertionConsumerServiceIndex(0);
- authReq.setIssueInstant(new DateTime());
- Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
- issuer.setValue(pendingReq.getAuthURLWithOutSlash());
-
- issuer.setFormat(NameIDType.ENTITY);
- authReq.setIssuer(issuer);
- NameIDPolicy policy = SAML2Utils
- .createSAMLObject(NameIDPolicy.class);
- policy.setAllowCreate(true);
- policy.setFormat(NameID.TRANSIENT);
- authReq.setNameIDPolicy(policy);
-
- authReq.setDestination(redirectEndpoint.getLocation());
-
- RequestedAuthnContext reqAuthContext =
- SAML2Utils.createSAMLObject(RequestedAuthnContext.class);
-
- AuthnContextClassRef authnClassRef =
- SAML2Utils.createSAMLObject(AuthnContextClassRef.class);
-
- //check if STORK protocol module is in ClassPath
- Object storkRequst = null;
- Integer storkSecClass = null;
- try {
- storkRequst = Class.forName("at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest").newInstance();
- if (storkRequst != null &&
- pendingReq.getClass().isInstance(storkRequst)) {
- Object storkAuthnRequest = pendingReq.getClass().getMethod("getStorkAuthnRequest", null).invoke(pendingReq, null);
- storkSecClass = (Integer) storkAuthnRequest.getClass().getMethod("getQaa", null).invoke(storkAuthnRequest, null);
-
- }
-
- } catch (ClassNotFoundException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException | NoSuchMethodException | java.lang.SecurityException ex) {
-
-
- }
-
-
- if (sp != null && sp.isSTORKPVPGateway()){
- //use PVP SecClass instead of STORK QAA level
- String secClass = null;
- if (storkRequst != null &&
- pendingReq.getClass().isInstance(storkRequst)) {
-
- try {
- secClass = PVPtoSTORKMapper.getInstance().mapToSecClass(
- PVPConstants.STORK_QAA_PREFIX + String.valueOf(storkSecClass));
-
- } catch (Exception e) {
- Logger.warn("STORK-QAA level can not read from STORK request. Use default QAA 4", e);
-
- }
- }
-
- if (MiscUtil.isNotEmpty(secClass))
- authnClassRef.setAuthnContextClassRef(secClass);
- else
- authnClassRef.setAuthnContextClassRef("http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3");
-
- } else {
- if (storkRequst != null &&
- pendingReq.getClass().isInstance(storkRequst)) {
- //use requested QAA level from STORK request
- try {
- authnClassRef.setAuthnContextClassRef(
- PVPConstants.STORK_QAA_PREFIX + String.valueOf(storkSecClass));
- Logger.debug("Use STORK-QAA level " + authnClassRef.getAuthnContextClassRef()
- + " from STORK request");
-
- } catch (Exception e) {
- Logger.warn("STORK-QAA level can not read from STORK request. Use default QAA 4", e);
-
- }
-
- }
-
- if (MiscUtil.isEmpty(authnClassRef.getAuthnContextClassRef()))
- authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4");
-
- }
-
- reqAuthContext.setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM);
- reqAuthContext.getAuthnContextClassRefs().add(authnClassRef);
- authReq.setRequestedAuthnContext(reqAuthContext);
-
- IEncoder binding = null;
- if (redirectEndpoint.getBinding().equals(
- SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
- binding = new RedirectBinding();
-
- } else if (redirectEndpoint.getBinding().equals(
- SAMLConstants.SAML2_POST_BINDING_URI)) {
- binding = new PostBinding();
-
- }
-
- binding.encodeRequest(request, response, authReq,
- redirectEndpoint.getLocation(), pendingReq.getRequestID());
-
- //build and send request without an error
- requiredLocalAuthentication = false;
-
- revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(),
- pendingReq, MOAIDEventConstants.AUTHPROCESS_INTERFEDERATION_IDP, idpEntity.getEntityID());
-
-
- } else {
- Logger.warn("Requested IDP " + requestedIDP
- + " does not support POST or Redirect Binding.");
-
- }
-
- } else {
- Logger.warn("Requested IDP " + requestedIDP
- + " is not found in InterFederation configuration");
-
- }
-
- } catch (MetadataProviderException e) {
- Logger.error("IDP metadata error." , e);
-
- } catch (NoSuchAlgorithmException e) {
- Logger.error("Build IDP authentication request FAILED.", e);
-
- } catch (MessageEncodingException e) {
- Logger.error("Build IDP authentication request FAILED.", e);
-
- } catch (SecurityException e) {
- Logger.error("Build IDP authentication request FAILED.", e);
-
- } catch (PVP2Exception e) {
- Logger.error("Build IDP authentication request FAILED.", e);
-
- } catch (ConfigurationException e1) {
- Logger.error("Build IDP authentication request FAILED.", e1);
-
- }
-
- //set flag for next step
- executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION,
- requiredLocalAuthentication);
-
- }
-
-}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java
new file mode 100644
index 000000000..312bb823d
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java
@@ -0,0 +1,172 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.builder;
+
+import java.security.NoSuchAlgorithmException;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.joda.time.DateTime;
+import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
+import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.core.AuthnContextClassRef;
+import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
+import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.core.Issuer;
+import org.opensaml.saml2.core.NameIDPolicy;
+import org.opensaml.saml2.core.NameIDType;
+import org.opensaml.saml2.core.RequestedAuthnContext;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.SingleSignOnService;
+import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.xml.security.SecurityException;
+import org.springframework.stereotype.Service;
+
+import at.gv.egovernment.moa.id.moduls.IRequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;
+import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestBuildException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+@Service("PVPAuthnRequestBuilder")
+public class PVPAuthnRequestBuilder {
+
+
+ /**
+ * Build a PVP2.x specific authentication request
+ *
+ * @param pendingReq Currently processed pendingRequest
+ * @param config AuthnRequest builder configuration, never null
+ * @param idpEntity SAML2 EntityDescriptor of the IDP, which receive this AuthnRequest, never null
+ * @param httpResp
+ * @throws NoSuchAlgorithmException
+ * @throws SecurityException
+ * @throws PVP2Exception
+ * @throws MessageEncodingException
+ */
+ public void buildAuthnRequest(IRequest pendingReq, IPVPAuthnRequestBuilderConfiguruation config,
+ HttpServletResponse httpResp) throws NoSuchAlgorithmException, MessageEncodingException, PVP2Exception, SecurityException {
+ //get IDP Entity element from config
+ EntityDescriptor idpEntity = config.getIDPEntityDescriptor();
+
+ AuthnRequest authReq = SAML2Utils
+ .createSAMLObject(AuthnRequest.class);
+
+ //select SingleSignOn Service endpoint from IDP metadata
+ SingleSignOnService endpoint = null;
+ for (SingleSignOnService sss :
+ idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleSignOnServices()) {
+
+ // use POST binding as default if it exists
+ if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) {
+ endpoint = sss;
+
+ } else if ( sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)
+ && endpoint == null )
+ endpoint = sss;
+
+ }
+
+ if (endpoint == null) {
+ Logger.warn("Building AuthnRequest FAILED: > Requested IDP " + idpEntity.getEntityID()
+ + " does not support POST or Redirect Binding.");
+ throw new AuthnRequestBuildException("sp.pvp2.00", new Object[]{idpEntity.getEntityID()});
+
+ } else
+ authReq.setDestination(endpoint.getLocation());
+
+
+ //set basic AuthnRequest information
+ SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator();
+ authReq.setID(gen.generateIdentifier());
+ authReq.setIssueInstant(new DateTime());
+
+ //set isPassive flag
+ if (config.isPassivRequest() == null)
+ authReq.setIsPassive(false);
+ else
+ authReq.setIsPassive(config.isPassivRequest());
+
+ //set EntityID of the service provider
+ Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
+ issuer.setFormat(NameIDType.ENTITY);
+ issuer.setValue(config.getSPEntityID());
+ authReq.setIssuer(issuer);
+
+ //set AssertionConsumerService ID
+ if (config.getAssertionConsumerServiceId() != null)
+ authReq.setAssertionConsumerServiceIndex(config.getAssertionConsumerServiceId());
+
+ //set NameIDPolicy
+ if (config.getNameIDPolicyFormat() != null) {
+ NameIDPolicy policy = SAML2Utils.createSAMLObject(NameIDPolicy.class);
+ policy.setAllowCreate(config.getNameIDPolicyAllowCreation());
+ policy.setFormat(config.getNameIDPolicyFormat());
+ authReq.setNameIDPolicy(policy);
+ }
+
+ //set requested QAA level
+ if (config.getAuthnContextClassRef() != null) {
+ RequestedAuthnContext reqAuthContext = SAML2Utils.createSAMLObject(RequestedAuthnContext.class);
+ AuthnContextClassRef authnClassRef = SAML2Utils.createSAMLObject(AuthnContextClassRef.class);
+
+ authnClassRef.setAuthnContextClassRef(config.getAuthnContextClassRef());
+
+ if (config.getAuthnContextComparison() == null)
+ reqAuthContext.setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM);
+ else
+ reqAuthContext.setComparison(config.getAuthnContextComparison());
+
+ reqAuthContext.getAuthnContextClassRefs().add(authnClassRef);
+ authReq.setRequestedAuthnContext(reqAuthContext);
+ }
+
+ //TODO: implement requested attributes
+ //maybe: config.getRequestedAttributes();
+
+ //select message encoder
+ IEncoder binding = null;
+ if (endpoint.getBinding().equals(
+ SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
+ binding = new RedirectBinding();
+
+ } else if (endpoint.getBinding().equals(
+ SAMLConstants.SAML2_POST_BINDING_URI)) {
+ binding = new PostBinding();
+
+ }
+
+ //encode message
+ binding.encodeRequest(null, httpResp, authReq,
+ endpoint.getLocation(), pendingReq.getRequestID(), config.getAuthnRequestSigningCredential());
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java
new file mode 100644
index 000000000..d51231044
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java
@@ -0,0 +1,114 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.config;
+
+import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.xml.security.credential.Credential;
+
+/**
+ * @author tlenz
+ *
+ */
+public interface IPVPAuthnRequestBuilderConfiguruation {
+
+ /**
+ * If true, the SAML2 isPassive flag is set in the AuthnRequest
+ *
+ * @return
+ */
+ public Boolean isPassivRequest();
+
+ /**
+ * Define the ID of the AssertionConsumerService,
+ * which defines the required attributes in service-provider metadata.
+ *
+ * @return
+ */
+ public Integer getAssertionConsumerServiceId();
+
+ /**
+ * Define the SAML2 EntityID of the service provider.
+ *
+ * @return
+ */
+ public String getSPEntityID();
+
+ /**
+ * Define the SAML2 NameIDPolicy
+ *
+ * @return Service-Provider EntityID, but never null
+ */
+ public String getNameIDPolicyFormat();
+
+ /**
+ * Define the AuthnContextClassRefernece of this request
+ *
+ * Example:
+ * http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3
+ * http://www.stork.gov.eu/1.0/citizenQAALevel/4
+ *
+ *
+ * @return
+ */
+ public String getAuthnContextClassRef();
+
+ /**
+ * Define the AuthnContextComparison model, which should be used
+ *
+ * @return
+ */
+ public AuthnContextComparisonTypeEnumeration getAuthnContextComparison();
+
+
+ /**
+ * Define the credential, which should be used to sign the AuthnRequest
+ *
+ * @return
+ */
+ public Credential getAuthnRequestSigningCredential();
+
+
+ /**
+ * Define the SAML2 EntityDescriptor of the IDP, which should receive the AuthnRequest
+ *
+ * @return Credential, but never null.
+ */
+ public EntityDescriptor getIDPEntityDescriptor();
+
+ /**
+ * Set the SAML2 NameIDPolicy allow-creation flag
+ *
+ * @return EntityDescriptor, but never null.
+ */
+ public boolean getNameIDPolicyAllowCreation();
+
+
+ /**
+ * Set the requested SubjectNameID
+ *
+ * @return SubjectNameID, or null if no SubjectNameID should be used
+ */
+ public String getSubjectNameID();
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SP/tasks/AbstractAuthnResponseTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnRequestBuildException.java
index 6ce8fab59..eebaf6c9e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SP/tasks/AbstractAuthnResponseTask.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnRequestBuildException.java
@@ -20,34 +20,28 @@
* The "NOTICE" text file is part of the distribution. Any derivative works
* that you distribute must include a readable copy of the "NOTICE" text file.
*/
-package at.gv.egovernment.moa.id.protocols.pvp2x.SP.tasks;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
-import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
-import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions;
/**
* @author tlenz
*
*/
-public abstract class AbstractAuthnResponseTask extends AbstractAuthServletTask {
+public class AuthnRequestBuildException extends PVP2Exception {
- /* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.process.springweb.MoaIdTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+ /**
+ *
*/
- @Override
- public void execute(ExecutionContext executionContext,
- HttpServletRequest request, HttpServletResponse response)
- throws TaskExecutionException {
-
- //TODO: validate SAML2 assertion
- //TODO: move attributeQuery from AuthenticationDataBuilder to her
- //TODO: add SAML2 interfederation Response to MOASession
- //TODO: update AuthenticationDataBuilder to use Response from MOASession if exists
+ private static final long serialVersionUID = -1375451065455859354L;
+ /**
+ * @param messageId
+ * @param parameters
+ */
+ public AuthnRequestBuildException(String messageId, Object[] parameters) {
+ super(messageId, parameters);
}
+ public AuthnRequestBuildException(String messageId, Object[] parameters, Throwable e) {
+ super(messageId, parameters, e);
+ }
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnResponseValidationException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnResponseValidationException.java
new file mode 100644
index 000000000..957f9af1d
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnResponseValidationException.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions;
+
+/**
+ * @author tlenz
+ *
+ */
+public class AuthnResponseValidationException extends PVP2Exception {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 8023812861029406575L;
+
+ /**
+ * @param messageId
+ * @param parameters
+ */
+ public AuthnResponseValidationException(String messageId, Object[] parameters) {
+ super(messageId, parameters);
+ }
+
+ public AuthnResponseValidationException(String messageId, Object[] parameters, Throwable e) {
+ super(messageId, parameters, e);
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java
index 743caec55..cfdb4426b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java
@@ -32,6 +32,7 @@ import org.hibernate.HibernateException;
import org.hibernate.Query;
import org.hibernate.Session;
import org.hibernate.Transaction;
+import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import com.fasterxml.jackson.core.JsonProcessingException;
@@ -47,8 +48,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore;
import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.commons.utils.JsonMapper;
-import at.gv.egovernment.moa.id.config.ConfigurationException;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.EncryptedData;
import at.gv.egovernment.moa.id.data.SLOInformationInterface;
@@ -65,6 +65,8 @@ import at.gv.egovernment.moa.util.MiscUtil;
@Service("AuthenticationSessionStoreage")
public class DBAuthenticationSessionStoreage implements IAuthenticationSessionStoreage{
+ @Autowired AuthConfiguration authConfig;
+
private static JsonMapper mapper = new JsonMapper();
@Override
@@ -749,44 +751,30 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt
}
}
- public String createInterfederatedSession(IRequest req, boolean isAuthenticated, String ssoID) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException {
+ public void createInterfederatedSession(IRequest req, boolean isAuthenticated) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException {
AuthenticatedSessionStore dbsession = null;
+ Date now = new Date();
- //search for active SSO session
- if (MiscUtil.isNotEmpty(ssoID)) {
- String moaSession = getMOASessionSSOID(ssoID);
- if (MiscUtil.isNotEmpty(moaSession)) {
- try {
- dbsession = searchInDatabase(moaSession, true);
-
- }catch (MOADatabaseException e) {
+ //search for active session
+ String moaSession = getMOASessionSSOID(req.getMOASessionIdentifier());
+ if (MiscUtil.isNotEmpty(moaSession)) {
+ try {
+ dbsession = searchInDatabase(moaSession, true);
- }
- }
- }
-
- String id = null;
- Date now = new Date();
- //create new MOASession if any exists
- AuthenticationSession session = null;
- if (dbsession == null) {
- id = Random.nextRandom();
- dbsession = new AuthenticatedSessionStore();
- dbsession.setSessionid(id);
- dbsession.setCreated(now);
- dbsession.setPendingRequestID(req.getRequestID());
- session = new AuthenticationSession(id, now);
+ }catch (MOADatabaseException e) {
+ Logger.error("NO MOASession found but MOASession MUST already exist!");
+ throw e;
+ }
+ }
- } else {
- id = dbsession.getSessionid();
- session = decryptSession(dbsession);
+ AuthenticationSession session = decryptSession(dbsession);
- }
-
- dbsession.setInterfederatedSSOSession(true);
+ //set Session parameters
+ session.setAuthenticated(isAuthenticated);
dbsession.setAuthenticated(isAuthenticated);
+ dbsession.setInterfederatedSSOSession(true);
dbsession.setUpdated(now);
- session.setAuthenticated(true);
+
encryptSession(session, dbsession);
//add interfederation information
@@ -816,16 +804,8 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt
idp.setIdpurlprefix(interFedEntityID);
idp.setAuthURL(req.getAuthURL());
- try {
- OAAuthParameter oa = AuthConfigurationProviderFactory.getInstance().
- getOnlineApplicationParameter(idp.getIdpurlprefix());
- idp.setStoreSSOInformation(oa.isInterfederationSSOStorageAllowed());
-
- } catch (ConfigurationException e) {
- Logger.warn("MOASession could not be created.");
- throw new MOADatabaseException(e);
-
- }
+ OAAuthParameter oa = authConfig.getOnlineApplicationParameter(idp.getIdpurlprefix());
+ idp.setStoreSSOInformation(oa.isInterfederationSSOStorageAllowed());
idp.setMoasession(dbsession);
idpList.add(idp);
@@ -839,14 +819,12 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt
//store AssertionStore element to Database
try {
MOASessionDBUtils.saveOrUpdate(dbsession);
- Logger.debug("MOASession with sessionID=" + id + " is stored in Database");
} catch (MOADatabaseException e) {
Logger.warn("MOASession could not be created.");
throw new MOADatabaseException(e);
}
- return id;
}
@Override
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java
index e89713b2e..2fd540a67 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java
@@ -242,14 +242,12 @@ public interface IAuthenticationSessionStoreage {
*
* @param req Pending request
* @param isAuthenticated true if the session should be marked as authenticated, otherwise false
- * @param ssoID Single Sign-On session identifer
- * @return MOASessionID of new created MOASession
* @throws MOADatabaseException
* @throws AssertionAttributeExtractorExeption
* @throws BuildException
*/
@Deprecated
- public String createInterfederatedSession(IRequest req, boolean isAuthenticated, String ssoID) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException;
+ public void createInterfederatedSession(IRequest req, boolean isAuthenticated) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException;
/**
* Search an active federation IDP which could be used for federated Single Sign-On by using an AttributeQuery
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 92f4c1fa2..50d01ce2f 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -270,6 +270,15 @@ pvp2.21=Die Signature des Requests konnte nicht g\u00FCltig validiert werden.
pvp2.22=Der Request konnte nicht g\u00FCltig validiert werden (Fehler\={0}).
pvp2.23={0} ist keine gueltige AssertionConsumerServiceURL oder entspricht nicht den Metadaten.
+
+##add status codes!!!!
+sp.pvp2.00=Can not build PVP AuthnRequest for IDP {0}. No valid SingleSignOnService endpoint found.
+sp.pvp2.01=Can not build PVP AuthnRequest for IDP {0}. IDP is not allowed for federated authentication.
+sp.pvp2.02=Can not build PVP AuthnRequest for IDP {0}. IDP has no (valid) metadata.
+sp.pvp2.03=Receive PVP Response from IDP with unsupported Binding.
+sp.pvp2.04=Receive invalid PVP Response from IDP. No PVP metadata found.
+sp.pvp2.04=Receive invalid PVP Response from IDP {0}. StatusCode {1}.
+
oauth20.01=Fehlerhafte redirect url
oauth20.02=Fehlender oder ung\u00FCltiger Parameter "{0}"
oauth20.03=Angeforderter response_type ist nicht erlaubt
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java
index 97e4c0a20..e2f851132 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java
@@ -44,4 +44,7 @@ public class FederatedAuthConstants {
public static final String CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.password";
public static final String CONFIG_PROPS_ENCRYPTION_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.alias";
+ public static final String CONFIG_DEFAULT_QAA_STORK_LEVEL = "http://www.stork.gov.eu/1.0/citizenQAALevel/4";
+ public static final String CONFIG_DEFAULT_QAA_SECCLASS_LEVEL = "http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3";
+
}
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java
index 4a610549d..6abc60c46 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java
@@ -22,6 +22,7 @@
*/
package at.gv.egovernment.moa.id.auth.modules.federatedauth;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.modules.AuthModule;
import at.gv.egovernment.moa.id.process.api.ExecutionContext;
@@ -45,8 +46,15 @@ public class FederatedAuthenticationModuleImpl implements AuthModule {
*/
@Override
public String selectProcess(ExecutionContext context) {
- // TODO Auto-generated method stub
- return null;
+ //select interfederation authentication if PERFORM_INTERFEDERATION_AUTH flag is set
+ Object performfedAuthObj = context.get(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH);
+ if (performfedAuthObj != null && performfedAuthObj instanceof Boolean) {
+ if ((boolean) performfedAuthObj)
+ return "SSOfederationAuthentication";
+
+ }
+
+ return null;
}
/* (non-Javadoc)
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
new file mode 100644
index 000000000..eca5c7649
--- /dev/null
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
@@ -0,0 +1,161 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.federatedauth.config;
+
+import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
+import org.opensaml.saml2.core.NameID;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.xml.security.credential.Credential;
+
+import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation;
+
+/**
+ * @author tlenz
+ *
+ */
+public class FederatedAuthnRequestBuilderConfiguration implements IPVPAuthnRequestBuilderConfiguruation {
+
+ private boolean isPassive;
+ private String SPEntityID;
+ private String QAA_Level;
+ private EntityDescriptor idpEntity;
+ private Credential signCred;
+
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#isPassivRequest()
+ */
+ @Override
+ public Boolean isPassivRequest() {
+ return this.isPassive;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAssertionConsumerServiceId()
+ */
+ @Override
+ public Integer getAssertionConsumerServiceId() {
+ return 0;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getEntityID()
+ */
+ @Override
+ public String getSPEntityID() {
+ return this.SPEntityID;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getNameIDPolicy()
+ */
+ @Override
+ public String getNameIDPolicyFormat() {
+ return NameID.TRANSIENT;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getNameIDPolicy()
+ */
+ @Override
+ public boolean getNameIDPolicyAllowCreation() {
+ return true;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnContextClassRef()
+ */
+ @Override
+ public String getAuthnContextClassRef() {
+ return this.QAA_Level;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnContextComparison()
+ */
+ @Override
+ public AuthnContextComparisonTypeEnumeration getAuthnContextComparison() {
+ return AuthnContextComparisonTypeEnumeration.MINIMUM;
+ }
+
+ /**
+ * @param isPassive the isPassive to set
+ */
+ public void setPassive(boolean isPassive) {
+ this.isPassive = isPassive;
+ }
+
+ /**
+ * @param sPEntityID the sPEntityID to set
+ */
+ public void setSPEntityID(String sPEntityID) {
+ SPEntityID = sPEntityID;
+ }
+
+ /**
+ * @param qAA_Level the qAA_Level to set
+ */
+ public void setQAA_Level(String qAA_Level) {
+ QAA_Level = qAA_Level;
+ }
+
+ /**
+ * @param idpEntity the idpEntity to set
+ */
+ public void setIdpEntity(EntityDescriptor idpEntity) {
+ this.idpEntity = idpEntity;
+ }
+
+ /**
+ * @param signCred the signCred to set
+ */
+ public void setSignCred(Credential signCred) {
+ this.signCred = signCred;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnRequestSigningCredential()
+ */
+ @Override
+ public Credential getAuthnRequestSigningCredential() {
+ return this.signCred;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getIDPEntityDescriptor()
+ */
+ @Override
+ public EntityDescriptor getIDPEntityDescriptor() {
+ return this.idpEntity;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameID()
+ */
+ @Override
+ public String getSubjectNameID() {
+ return null;
+ }
+
+
+}
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java
index d41a25a10..c06800079 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java
@@ -33,9 +33,12 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants;
-import at.gv.egovernment.moa.id.auth.modules.federatedauth.builder.FederatedAuthMetadataBuilder;
+import at.gv.egovernment.moa.id.auth.modules.federatedauth.config.FederatedAuthMetadataConfiguration;
+import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider;
import at.gv.egovernment.moa.id.auth.servlet.AbstractController;
import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPMetadataBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration;
import at.gv.egovernment.moa.id.util.HTTPUtils;
import at.gv.egovernment.moa.logging.Logger;
@@ -46,8 +49,9 @@ import at.gv.egovernment.moa.logging.Logger;
@Controller
public class FederatedAuthMetadataController extends AbstractController {
- @Autowired FederatedAuthMetadataBuilder metadatabuilder;
+ @Autowired PVPMetadataBuilder metadatabuilder;
@Autowired AuthConfiguration authConfig;
+ @Autowired FederatedAuthCredentialProvider credentialProvider;
public FederatedAuthMetadataController() {
super();
@@ -68,8 +72,12 @@ public class FederatedAuthMetadataController extends AbstractController {
return;
} else {
+ //initialize metadata builder configuration
+ IPVPMetadataBuilderConfiguration metadataConfig =
+ new FederatedAuthMetadataConfiguration(authURL, credentialProvider);
+
//build metadata
- String xmlMetadata = metadatabuilder.buildPVPMetadata(authURL);
+ String xmlMetadata = metadatabuilder.buildPVPMetadata(metadataConfig);
//write response
resp.setContentType("text/xml");
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java
new file mode 100644
index 000000000..2e134713b
--- /dev/null
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java
@@ -0,0 +1,220 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks;
+
+import java.lang.reflect.InvocationTargetException;
+import java.security.NoSuchAlgorithmException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.xml.security.SecurityException;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
+import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.federatedauth.config.FederatedAuthnRequestBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider;
+import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.moduls.RequestImpl;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAuthnRequestBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestBuildException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
+import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+@Component("CreateFederatedAuthnRequestTask")
+public class CreateAuthnRequestTask extends AbstractAuthServletTask {
+
+ @Autowired PVPAuthnRequestBuilder authnReqBuilder;
+ @Autowired FederatedAuthCredentialProvider credential;
+
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+ */
+ @Override
+ public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+ throws TaskExecutionException {
+ try{
+ // get IDP entityID
+ String idpEntityID = pendingReq.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class);
+
+ if (MiscUtil.isEmpty(idpEntityID)) {
+ Logger.info("Interfederation not possible -> not inderfederation IDP EntityID found!");
+ throw new TaskExecutionException(pendingReq, "Interfederation not possible", new MOAIDException("No inderfederation-IDP EntityID found.", null));
+
+ }
+
+ //load IDP configuration from MOA-ID Configuration
+ OAAuthParameter idpConfig = authConfig.getOnlineApplicationParameter(idpEntityID);
+ //validate IDP
+ if (!idpConfig.isInderfederationIDP() || !idpConfig.isInboundSSOInterfederationAllowed()) {
+ Logger.info("Requested interfederation IDP " + idpEntityID + " is not valid for interfederation.");
+ Logger.debug("isInderfederationIDP:" + String.valueOf(idpConfig.isInderfederationIDP())
+ + " isInboundSSOAllowed:" + String.valueOf(idpConfig.isInboundSSOInterfederationAllowed()));
+
+ handleAuthnRequestBuildProblem(executionContext, idpConfig, "sp.pvp2.01", new Object[]{idpEntityID});
+
+ return;
+
+ }
+
+ //load IDP SAML2 entitydescriptor
+ EntityDescriptor idpEntity = MOAMetadataProvider.getInstance().
+ getEntityDescriptor(idpEntityID);
+ if (idpEntity == null) {
+ Logger.warn("Requested IDP " + idpEntityID
+ + " has no valid metadata or metadata is not found");
+
+ handleAuthnRequestBuildProblem(executionContext, idpConfig, "sp.pvp2.02", new Object[]{idpEntityID});
+ return;
+
+ }
+
+ //setup AuthnRequestBuilder configuration
+ FederatedAuthnRequestBuilderConfiguration authnReqConfig = new FederatedAuthnRequestBuilderConfiguration();
+ authnReqConfig.setIdpEntity(idpEntity);
+ authnReqConfig.setPassive(idpConfig.isPassivRequestUsedForInterfederation());
+ authnReqConfig.setSignCred(credential.getIDPAssertionSigningCredential());
+ authnReqConfig.setSPEntityID(pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_METADATA);
+ authnReqConfig.setQAA_Level(evaluateRequiredQAALevel());
+
+ //build and transmit AuthnRequest
+ authnReqBuilder.buildAuthnRequest(pendingReq, authnReqConfig , response);
+
+ } catch (MOAIDException | MetadataProviderException e) {
+ throw new TaskExecutionException(pendingReq, "Build PVP2.1 AuthnRequest for SSO inderfederation FAILED.", e);
+
+ } catch (MessageEncodingException | NoSuchAlgorithmException | SecurityException e) {
+ Logger.error("Build PVP2.1 AuthnRequest for SSO inderfederation FAILED", e);
+ throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+
+ } catch (Exception e) {
+ Logger.error("Build PVP2.1 AuthnRequest for SSO inderfederation FAILED", e);
+ throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+
+ }
+ }
+
+ /**
+ * @param executionContext
+ * @param idpConfig
+ * @param message
+ * @param objects
+ * @throws AuthnRequestBuildException
+ */
+ private void handleAuthnRequestBuildProblem(ExecutionContext executionContext, OAAuthParameter idpConfig, String msgCode, Object[] objects) throws AuthnRequestBuildException {
+
+ if (idpConfig.isPerformLocalAuthenticationOnInterfederationError()) {
+ Logger.info("Switch to local authentication on this IDP ... ");
+
+ executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION, true);
+ executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION, true);
+
+ executionContext.remove(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH);
+
+ } else {
+ throw new AuthnRequestBuildException(msgCode, objects);
+
+ }
+
+ }
+
+ private String evaluateRequiredQAALevel() {
+ IOAAuthParameters sp = pendingReq.getOnlineApplicationConfiguration();
+
+ //check if STORK protocol module is in ClassPath
+ Object storkRequst = null;
+ Integer storkSecClass = null;
+ try {
+ storkRequst = Class.forName("at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest").newInstance();
+ if (storkRequst != null &&
+ pendingReq.getClass().isInstance(storkRequst)) {
+ Object storkAuthnRequest = pendingReq.getClass().getMethod("getStorkAuthnRequest", null).invoke(pendingReq, null);
+ storkSecClass = (Integer) storkAuthnRequest.getClass().getMethod("getQaa", null).invoke(storkAuthnRequest, null);
+
+ }
+
+ } catch (ClassNotFoundException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException | NoSuchMethodException | java.lang.SecurityException ex) {
+
+
+ }
+
+ if (sp != null && sp.isSTORKPVPGateway()){
+ //use PVP SecClass instead of STORK QAA level
+ String secClass = null;
+ if (storkRequst != null &&
+ pendingReq.getClass().isInstance(storkRequst)) {
+
+ try {
+ secClass = PVPtoSTORKMapper.getInstance().mapToSecClass(
+ PVPConstants.STORK_QAA_PREFIX + String.valueOf(storkSecClass));
+
+ } catch (Exception e) {
+ Logger.warn("STORK-QAA level can not read from STORK request. Use default QAA 4", e);
+
+ }
+ }
+
+ if (MiscUtil.isNotEmpty(secClass))
+ return secClass;
+ else
+ return FederatedAuthConstants.CONFIG_DEFAULT_QAA_SECCLASS_LEVEL;
+
+ } else {
+ if (storkRequst != null && pendingReq.getClass().isInstance(storkRequst)) {
+ //use requested QAA level from STORK request
+ try {
+ String qaaLevel = PVPConstants.STORK_QAA_PREFIX + String.valueOf(storkSecClass);
+ Logger.debug("Use STORK-QAA level " + qaaLevel + " from STORK request");
+ return qaaLevel;
+
+
+ } catch (Exception e) {
+ Logger.warn("Read STORK-QAA level FAILED with an exception.", e);
+
+ }
+ }
+ Logger.warn("STORK-QAA level can not read from STORK request. Use default QAA 4");
+ return FederatedAuthConstants.CONFIG_DEFAULT_QAA_STORK_LEVEL;
+
+ }
+ }
+
+}
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
new file mode 100644
index 000000000..49f9782ae
--- /dev/null
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
@@ -0,0 +1,225 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.transform.TransformerException;
+
+import org.opensaml.saml2.core.Response;
+import org.opensaml.saml2.core.StatusCode;
+import org.opensaml.ws.message.decoder.MessageDecodingException;
+import org.opensaml.xml.io.MarshallingException;
+import org.opensaml.xml.security.SecurityException;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
+import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
+import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.moduls.RequestImpl;
+import at.gv.egovernment.moa.id.moduls.SSOManager;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnResponseValidationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
+import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+@Component("ReceiveFederatedAuthnResponseTask")
+public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
+
+ @Autowired SAMLVerificationEngine samlVerificationEngine;
+ @Autowired FederatedAuthCredentialProvider credentialProvider;
+ @Autowired SSOManager ssoManager;
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+ */
+ @Override
+ public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+ throws TaskExecutionException {
+ InboundMessage msg = null;
+
+ try {
+
+ IDecoder decoder = null;
+ //select Response Binding
+ if (request.getMethod().equalsIgnoreCase("POST")) {
+ decoder = new PostBinding();
+ Logger.trace("Receive PVP Response from federated IDP, by using POST-Binding.");
+
+ } else if (request.getMethod().equalsIgnoreCase("GET")) {
+ decoder = new RedirectBinding();
+ Logger.trace("Receive PVP Response from federated IDP, by using Redirect-Binding.");
+
+ } else {
+ Logger.warn("Receive PVP Response, but Binding ("
+ + request.getMethod() + ") is not supported.");
+ throw new AuthnResponseValidationException("sp.pvp2.03", null);
+
+ }
+
+ //decode PVP response object
+ msg = (InboundMessage) decoder.decode(request, response, true);
+
+ if (MiscUtil.isEmpty(msg.getEntityID())) {
+ throw new InvalidProtocolRequestException("sp.pvp2.04", new Object[] {});
+
+ }
+
+ //validate response signature
+ if(!msg.isVerified()) {
+ samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine());
+ msg.setVerified(true);
+
+ }
+
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROTOCOL_PVP_REQUEST_AUTHRESPONSE);
+
+ //validate assertion
+ MOAResponse processedMsg = preProcessAuthResponse((MOAResponse) msg);
+
+ //store valid assertion into pending-request
+ pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, processedMsg);
+
+ //update MOASession with federation information
+ authenticatedSessionStorage.createInterfederatedSession(pendingReq, true);
+
+ //store pending-request
+ requestStoreage.storePendingRequest(pendingReq);
+
+ //write log entries
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_INTERFEDERATION_REVEIVED);
+ Logger.info("Receive a valid assertion from IDP " + msg.getEntityID());
+
+ } catch (MessageDecodingException | SecurityException e) {
+ String samlRequest = request.getParameter("SAMLRequest");
+ Logger.warn("Receive INVALID PVP Response from federated IDP: " + samlRequest, e);
+ throw new TaskExecutionException(pendingReq, "Receive INVALID PVP Response from federated IDP", e);
+
+ } catch (IOException | MarshallingException | TransformerException e) {
+ Logger.warn("Processing PVP response from federated IDP FAILED.", e);
+ throw new TaskExecutionException(pendingReq, "Processing PVP response from federated IDP FAILED.", e);
+
+ } catch (CredentialsNotAvailableException e) {
+ Logger.error("PVP response decrytion FAILED. No credential found.", e);
+ throw new TaskExecutionException(pendingReq, "PVP response decrytion FAILED. No credential found.", e);
+
+ } catch (AssertionValidationExeption | AuthnResponseValidationException e) {
+ Logger.info("PVP response validation FAILED. Msg:" + e.getMessage());
+ if (msg != null) {
+ OAAuthParameter idpConfig = authConfig.getOnlineApplicationParameter(msg.getEntityID());
+
+ //remove federated IDP from SSO session if exists
+ ssoManager.removeInterfederatedSSOIDP(msg.getEntityID(), request);
+
+ //select next step
+ handleAuthnResponseValidationProblem(executionContext, idpConfig, e);
+
+ } else
+ throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", e);
+
+ } catch (Exception e) {
+
+
+ }
+
+ }
+
+ /**
+ * @param executionContext
+ * @param idpConfig
+ * @param message
+ * @param objects
+ * @throws TaskExecutionException
+ * @throws Throwable
+ */
+ private void handleAuthnResponseValidationProblem(ExecutionContext executionContext, OAAuthParameter idpConfig, Throwable e) throws TaskExecutionException {
+
+ if (idpConfig != null && idpConfig.isPerformLocalAuthenticationOnInterfederationError()) {
+ Logger.info("Switch to local authentication on this IDP ... ");
+
+ executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION, true);
+ executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION, true);
+
+ executionContext.remove(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH);
+
+ } else {
+ throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", e);
+
+ }
+
+ }
+
+ /**
+ * PreProcess AuthResponse and Assertion
+ * @param msg
+ * @throws TransformerException
+ * @throws MarshallingException
+ * @throws IOException
+ * @throws CredentialsNotAvailableException
+ * @throws AssertionValidationExeption
+ * @throws AuthnResponseValidationException
+ */
+ private MOAResponse preProcessAuthResponse(MOAResponse msg) throws IOException, MarshallingException, TransformerException, AssertionValidationExeption, CredentialsNotAvailableException, AuthnResponseValidationException {
+ Logger.debug("Start PVP21 assertion processing... ");
+ Response samlResp = (Response) msg.getResponse();
+
+ // check SAML2 response status-code
+ if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+ //validate PVP 2.1 assertion
+ samlVerificationEngine.validateAssertion(samlResp, true, credentialProvider.getIDPAssertionEncryptionCredential());
+
+ msg.setSAMLMessage(SAML2Utils.asDOMDocument(samlResp).getDocumentElement());
+ return msg;
+
+ } else {
+ Logger.info("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue()
+ + " from federated IDP.");
+ throw new AuthnResponseValidationException("sp.pvp2.04",
+ new Object[]{samlResp.getIssuer().getValue(), samlResp.getStatus().getStatusCode().getValue()});
+
+ }
+
+ }
+
+}
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/federatedauth/federated.Authentication.process.xml b/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/federatedauth/federated.Authentication.process.xml
index 4ff64e76d..c5c491ff8 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/federatedauth/federated.Authentication.process.xml
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/federatedauth/federated.Authentication.process.xml
@@ -1,18 +1,26 @@
<?xml version="1.0" encoding="UTF-8"?>
-<pd:ProcessDefinition id="eIDASAuthentication" xmlns:pd="http://reference.e-government.gv.at/namespace/moa/process/definition/v1">
+<pd:ProcessDefinition id="SSOfederationAuthentication" xmlns:pd="http://reference.e-government.gv.at/namespace/moa/process/definition/v1">
- <pd:Task id="createAuthnRequest" class="GenerateAuthnRequestTask" />
- <pd:Task id="receiveAuthnResponse" class="ReceiveAuthnResponseTask" async="true" />
- <pd:Task id="finalizeAuthentication" class="FinalizeAuthenticationTask" />
- <pd:Task id="generateIdentityLink" class="CreateIdentityLinkTask" />
+ <pd:Task id="createInterfederationAuthnRequest" class="CreateFederatedAuthnRequestTask" />
+ <pd:Task id="receiveInterfederationAuthnResponse" class="ReceiveFederatedAuthnResponseTask" async="true" />
+ <pd:Task id="finalizeAuthentication" class="FinalizeAuthenticationTask" />
+ <pd:Task id="restartAuthProzessManagement" class="RestartAuthProzessManagement"/>
<pd:StartEvent id="start" />
- <pd:Transition from="start" to="createAuthnRequest" />
- <pd:Transition from="createAuthnRequest" to="receiveAuthnResponse" />
- <pd:Transition from="receiveAuthnResponse" to="generateIdentityLink" />
- <pd:Transition from="generateIdentityLink" to="finalizeAuthentication" />
- <pd:Transition from="finalizeAuthentication" to="end" />
+
+ <pd:Transition from="start" to="createInterfederationAuthnRequest" />
+
+ <!-- Switch to local authentication -->
+ <pd:Transition from="createInterfederationAuthnRequest" to="restartAuthProzessManagement" conditionExpression="ctx['requireLocalAuthentication']"/>
+ <pd:Transition from="receiveInterfederationAuthnResponse" to="restartAuthProzessManagement" conditionExpression="ctx['requireLocalAuthentication']"/>
+ <pd:Transition from="restartAuthProzessManagement" to="end" />
+
+ <!-- Perform federated authentication -->
+ <pd:Transition from="createInterfederationAuthnRequest" to="receiveInterfederationAuthnResponse"/>
+ <pd:Transition from="receiveInterfederationAuthnResponse" to="finalizeAuthentication"/>
+ <pd:Transition from="finalizeAuthentication" to="end" />
+
<pd:EndEvent id="end" />
-</pd:ProcessDefinition>
+</pd:ProcessDefinition> \ No newline at end of file
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/moaid_federated_auth.beans.xml b/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/moaid_federated_auth.beans.xml
index 3c3dd5b23..4933504f0 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/moaid_federated_auth.beans.xml
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/moaid_federated_auth.beans.xml
@@ -10,9 +10,7 @@
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">
-
-<!-- Authentication Process Tasks -->
-
+<!-- Federated authentication services -->
<bean id="FederatedAuthCredentialProvider"
class="at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider"/>
@@ -24,8 +22,15 @@
<bean id="FederatedAuthSignalController"
class="at.gv.egovernment.moa.id.auth.modules.federatedauth.controller.FederatedAuthSignalController"/>
+
+
+<!-- Federated Authentication Process Tasks -->
+ <bean id="CreateFederatedAuthnRequestTask"
+ class="at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks.CreateAuthnRequestTask"
+ scope="prototype"/>
- <bean id="FederatedAuthMetadataBuilder"
- class="at.gv.egovernment.moa.id.auth.modules.federatedauth.builder.FederatedAuthMetadataBuilder"/>
+ <bean id="ReceiveFederatedAuthnResponseTask"
+ class="at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks.ReceiveAuthnResponseTask"
+ scope="prototype"/>
</beans> \ No newline at end of file