From 52a29dc86a57a4a998de94cdf6402f40f4a9fd39 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Thu, 12 Jun 2014 07:54:41 +0200
Subject: use SAML2 relaystate as additional MOA session binding feature

---
 .../moa/id/auth/AuthenticationServer.java          |  1 +
 .../moa/id/auth/servlet/PEPSConnectorServlet.java  | 22 ++++++++++++++++------
 2 files changed, 17 insertions(+), 6 deletions(-)

(limited to 'id/server/idserverlib/src')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 4709f8c68..e7abf0f9a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -1877,6 +1877,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
             Template template = velocityEngine.getTemplate("/resources/templates/saml2-post-binding-moa.vm");
             VelocityContext context = new VelocityContext();
             context.put("SAMLRequest", PEPSUtil.encodeSAMLToken(authnRequest.getTokenSaml()));
+            context.put("RelayState", moasession.getSessionID());
             context.put("action", destination);
 
             StringWriter writer = new StringWriter();
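Review bot: The session ID is put into the RelayState context value without any length check, and the SAML 2.0 Bindings specification limits RelayState to 80 bytes, so a peer may truncate or reject it and the fallback lookup in PEPSConnectorServlet would then silently fail; if MOA session IDs can exceed that, guard it before the put, e.g. `// SAML2 Bindings 3.1.1: RelayState must not exceed 80 bytes` above L21 with an explicit check. RelayState is also carried outside the signed SAML token, so it should be documented as a session locator only, never as proof of session ownership; a one-line comment such as `// RelayState is unsigned: treat as a hint, the session is still validated on return` would make that intent clear to the next maintainer. The enclosing method starts and ends outside this hunk.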
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
index 024944c72..25749c8bc 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
@@ -114,18 +114,28 @@ public class PEPSConnectorServlet extends AuthServlet {
 			//check if https or only http
 			super.checkIfHTTPisAllowed(request.getRequestURL().toString());
 			
-			Logger.debug("Trying to find MOA Session-ID");			
+			Logger.debug("Trying to find MOA Session-ID ...");			
 		    String moaSessionID = request.getParameter(PARAM_SESSIONID);
 	           
 		    // escape parameter strings
 		    moaSessionID= StringEscapeUtils.escapeHtml(moaSessionID);
 			
 			if (StringUtils.isEmpty(moaSessionID)) {
-				//No authentication session has been started before
-				Logger.error("MOA-SessionID was not found, no previous AuthnRequest had been started");
-				Logger.debug("PEPSConnectorURL was: " + request.getRequestURL());
-				throw new AuthenticationException("auth.02", new Object[] { moaSessionID });
-			}
+				//check if SAML2 relaystate includes a MOA sessionID
+				moaSessionID = request.getParameter("RelayState");
+				moaSessionID= StringEscapeUtils.escapeHtml(moaSessionID);
+				
+				if (StringUtils.isEmpty(moaSessionID)) {				
+					//No authentication session has been started before
+					Logger.error("MOA-SessionID was not found, no previous AuthnRequest had been started");
+					Logger.debug("PEPSConnectorURL was: " + request.getRequestURL());
+					throw new AuthenticationException("auth.02", new Object[] { moaSessionID });
+					
+				} else 
+					Logger.trace("MOA SessionID " + moaSessionID + " is found in SAML2 relayState.");
+					
+			} else 
+				Logger.trace("MOA SessionID " + moaSessionID + " is found in http GET parameter.");
 
 	         if (!ParamValidatorUtils.isValidSessionID(moaSessionID))
 	             throw new WrongParametersException("VerifyAuthenticationBlock", PARAM_SESSIONID, "auth.12");
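Review bot: Both new Logger.trace calls write the raw session identifier to the log, and the RelayState branch does so before isValidSessionID has run, so an attacker-supplied value reaches the log file; escapeHtml does not neutralise line breaks, only HTML metacharacters. Log the presence of the value rather than the value itself and drop the brace-less else, e.g. `} else {` / `Logger.trace("MOA SessionID found in SAML2 relayState.");` / `}` (same for the GET-parameter branch at the outer else), or move the trace below the isValidSessionID check at L62. The existing `auth.02` exception on L54 also passes moaSessionID as its argument although it is known to be empty at that point, which looks like a leftover from the removed block. The surrounding method continues past the end of this hunk.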
-- 
cgit v1.2.3