/* * Copyright 2014 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal * Chancellery Austria - ICT staff unit, and Graz University of Technology. * * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by * the European Commission - subsequent versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: * http://www.osor.eu/eupl/ * * Unless required by applicable law or agreed to in writing, software * distributed under the Licence is distributed on an "AS IS" basis, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and * limitations under the Licence. * * This product combines work with different licenses. See the "NOTICE" text * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. 
*/ package at.gv.egovernment.moa.id.auth.builder; import iaik.x509.X509Certificate; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStream; import java.security.PrivateKey; import java.util.ArrayList; import java.util.Arrays; import java.util.Date; import java.util.List; import java.util.regex.Matcher; import java.util.regex.Pattern; import javax.naming.ldap.LdapName; import javax.naming.ldap.Rdn; import javax.xml.bind.JAXBContext; import javax.xml.bind.JAXBException; import javax.xml.bind.Marshaller; import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AttributeQuery; import org.opensaml.saml2.core.Response; import org.opensaml.ws.soap.common.SOAPException; import org.opensaml.xml.XMLObject; import org.opensaml.xml.security.SecurityException; import org.w3c.dom.Element; import org.w3c.dom.Node; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandator; import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType.Value; import at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType; import at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType.FamilyName; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.DynamicOABuildException; 
import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils; import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; import at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl; import 
at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
import at.gv.egovernment.moa.id.util.IdentityLinkReSigner;
import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moa.util.XPathUtils;
import at.gv.util.client.szr.SZRClient;
import at.gv.util.config.EgovUtilPropertiesConfiguration;
import at.gv.util.ex.EgovUtilException;
import at.gv.util.wsdl.szr.SZRException;
import at.gv.util.xsd.szr.PersonInfoType;

/**
 * Builds the protocol-independent {@link IAuthData} that the protocol modules
 * hand out to an online application. The data is taken either from the local
 * MOA session (identity link, mandate) or from the assertion of an
 * interfederated IDP, optionally completed by a back-channel SAML
 * AttributeQuery.
 * <p>
 * {@link MOAIDAuthConstants} is implemented only to inherit its constants
 * (e.g. {@code PARAM_OA}).
 *
 * @author tlenz
 */
public class AuthenticationDataBuilder implements MOAIDAuthConstants {

    /**
     * Builds the authentication data for {@code protocolRequest}.
     *
     * @param protocolRequest the protocol-specific request; its OA URL selects the online application
     * @param session the MOA session of the authenticated user
     * @param reqAttributes attributes of an incoming AttributeQuery, or {@code null} to take the
     *        online-application parameters from the MOA-ID-Auth configuration
     * @return the populated authentication data; a {@link SAML1AuthenticationData} for SAML1 requests
     * @throws WrongParametersException if the OA URL is missing or rejected by {@link ParamValidatorUtils#isValidOA}
     * @throws ConfigurationException if the online-application or IDP configuration can not be loaded
     * @throws BuildException if the authentication data can not be built
     * @throws DynamicOABuildException if no dynamic online application can be built from {@code reqAttributes}
     */
    public static IAuthData buildAuthenticationData(IRequest protocolRequest, AuthenticationSession session, List reqAttributes) throws ConfigurationException, BuildException, WrongParametersException, DynamicOABuildException {
        String oaID = protocolRequest.getOAURL();
        if (oaID == null) {
            throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12");
        }
        // check parameter: the OA URL comes from the request and must pass the same
        // validation as at authentication start before it is used as a configuration key
        if (!ParamValidatorUtils.isValidOA(oaID))
            throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12");

        AuthenticationData authdata = null;
        if (protocolRequest instanceof SAML1RequestImpl) {
            //request is SAML1: carry over the OA-specific extended SAML attributes of the session
            SAML1AuthenticationData saml1authdata = new SAML1AuthenticationData();
            if (session.getExtendedSAMLAttributesOA() == null)
                saml1authdata.setExtendedSAMLAttributesOA(new ArrayList());
            else
                saml1authdata.setExtendedSAMLAttributesOA(session.getExtendedSAMLAttributesOA());
            authdata = saml1authdata;
        } else {
            authdata = new AuthenticationData();
        }

        //reuse some parameters if it is a reauthentication (active SSO session for this OA)
        OASessionStore activeOA = AuthenticationSessionStoreage.searchActiveOASSOSession(session, oaID, protocolRequest.requestedModule());
        if (activeOA != null) {
            authdata.setSessionIndex(activeOA.getAssertionSessionID());
            authdata.setNameID(activeOA.getUserNameID());
            authdata.setNameIDFormat(activeOA.getUserNameIDFormat());

            //mark AttributeQuery as used
            if ( protocolRequest instanceof PVPTargetConfiguration && ((PVPTargetConfiguration) protocolRequest).getRequest() instanceof MOARequest && ((PVPTargetConfiguration) protocolRequest).getRequest().getInboundMessage() instanceof AttributeQuery) {
                try {
                    activeOA.setAttributeQueryUsed(true);
                    MOASessionDBUtils.saveOrUpdate(activeOA);
                } catch (MOADatabaseException e) {
                    // best effort: the flag is only bookkeeping, the response is still built
                    Logger.error("MOASession interfederation information can not stored to database.", e);
                }
            }
        }

        InterfederationSessionStore interfIDP = AuthenticationSessionStoreage.searchInterfederatedIDPFORAttributeQueryWithSessionID(session);

        IOAAuthParameters oaParam = null;
        if (reqAttributes == null) {
            //get OnlineApplication from MOA-ID-Auth configuration
            oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oaID);
        } else {
            //build OnlineApplication dynamic from requested attributes
            oaParam = DynamicOAAuthParameterBuilder.buildFromAttributeQuery(reqAttributes, interfIDP);
        }

        if (interfIDP != null ) {
            //IDP is a chained interfederated IDP and Authentication is requested
            if (oaParam.isInderfederationIDP() && protocolRequest instanceof PVPTargetConfiguration && !(((PVPTargetConfiguration)protocolRequest).getRequest() instanceof AttributeQuery)) {
                //only set minimal response attributes
                authdata.setQAALevel(interfIDP.getQAALevel());
                authdata.setBPK(interfIDP.getUserNameID());
            } else {
                //get attributes from interfederated IDP
                // NOTE(review): getOnlineApplicationParameter() may yield null for an unknown
                // IDP prefix; getAuthDataFromInterfederation() dereferences idp without a check -- confirm
                OAAuthParameter idp = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(interfIDP.getIdpurlprefix());
                getAuthDataFromInterfederation(authdata, session, oaParam, protocolRequest, interfIDP, idp, reqAttributes);

                //mark attribute request as used
                try {
                    interfIDP.setAttributesRequested(true);
                    MOASessionDBUtils.saveOrUpdate(interfIDP);
                } catch (MOADatabaseException e) {
                    // best effort: same bookkeeping flag as above
                    Logger.error("MOASession interfederation information can not stored to database.", e);
                }
            }
        } else {
            //build AuthenticationData from MOASession
            buildAuthDataFormMOASession(authdata, session, oaParam);
        }
        return authdata;
    }

    /**
     * Convenience overload of {@link #buildAuthenticationData(IRequest, AuthenticationSession, List)}
     * without requested AttributeQuery attributes; the online-application parameters are taken
     * from the MOA-ID-Auth configuration.
     *
     * @param req the protocol-specific request
     * @param session the MOA session of the authenticated user
     * @return the populated authentication data
     * @throws WrongParametersException if the OA URL is missing or invalid
     * @throws ConfigurationException if the configuration can not be loaded
     * @throws BuildException if the authentication data can not be built
     * @throws DynamicOABuildException propagated from the three-argument variant
     */
    public static IAuthData buildAuthenticationData(IRequest req, AuthenticationSession session) throws WrongParametersException, ConfigurationException, BuildException, DynamicOABuildException {
        return buildAuthenticationData(req, session, null);
    }

    /**
     * Fills {@code authdata} from the response of an interfederated IDP. If that response already
     * contains all required attributes it is used as is; otherwise the attributes are fetched with
     * a SAML AttributeQuery over the IDP's back-channel endpoint, and the AttributeQuery response is
     * signature-verified and validated before any attribute is read from it.
     *
     * @param authdata target object, filled in place
     * @param session the MOA session
     * @param oaParam online-application parameters of the requesting service provider
     * @param req the protocol request carrying the interfederation response
     * @param interfIDP persisted interfederation session; supplies the user's NameID for the query
     * @param idp configuration of the interfederated IDP; supplies the AttributeQuery endpoint
     * @param reqQueryAttr attributes of an incoming AttributeQuery, or {@code null}
     * @throws ConfigurationException if the IDP has no AttributeQuery endpoint configured
     * @throws BuildException ("builder.06") for any transport, validation or extraction failure
     */
    private static void getAuthDataFromInterfederation( AuthenticationData authdata, AuthenticationSession session, IOAAuthParameters oaParam, IRequest req, InterfederationSessionStore interfIDP, OAAuthParameter idp, List reqQueryAttr) throws BuildException, ConfigurationException{
        try {
            List attributs = null;

            //IDP is a chained interfederated IDP and request is of type AttributQuery
            if (oaParam.isInderfederationIDP() && req instanceof PVPTargetConfiguration && (((PVPTargetConfiguration)req).getRequest() instanceof AttributeQuery) && reqQueryAttr != null) {
                attributs = reqQueryAttr;

            //IDP is a service provider IDP and request interfederated IDP to collect attributes
            } else {
                //get PVP 2.1 attributes from protocol specific requested attributes
                attributs = req.getRequestedAttributes();
            }

            // NOTE(review): this response is assumed to have been verified by the protocol layer
            // before it was stored on the request -- confirm, only the AttributeQuery response is verified here
            Response intfResp = (Response) req.getInterfederationResponse().getResponse();
            AssertionAttributeExtractor extractor = new AssertionAttributeExtractor(intfResp);

            if (!extractor.containsAllRequiredAttributes()) {
                //collect attributes by using BackChannel communication
                String endpoint = idp.getIDPAttributQueryServiceURL();
                if (MiscUtil.isEmpty(endpoint)) {
                    Logger.error("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix());
                    throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix(), null);
                }

                //build attributQuery request
                AttributeQuery query = AttributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs);

                //build SOAP request
                List xmlObjects = MOASAMLSOAPClient.send(endpoint, query);
                if (xmlObjects.size() == 0) {
                    Logger.error("Receive emptry AttributeQuery response-body.");
                    throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null);
                }

                if (xmlObjects.get(0) instanceof Response) {
                    intfResp = (Response) xmlObjects.get(0);

                    //validate PVP 2.1 response: signature against the known-keys trust engine,
                    //then assertion validation. Any failure (broad catch) fails closed.
                    try {
                        SAMLVerificationEngine engine = new SAMLVerificationEngine();
                        engine.verifyResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine());
                        SAMLVerificationEngine.validateAssertion(intfResp, false);
                    } catch (Exception e) {
                        Logger.warn("PVP 2.1 assertion validation FAILED.", e);
                        throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e);
                    }
                } else {
                    Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response");
                    throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null);
                }

                //create assertion attribute extractor from AttributeQuery response
                extractor = new AssertionAttributeExtractor(intfResp);
            } else {
                Logger.info("Interfedation response include all attributes with are required. Skip AttributQuery request step. ");
            }

            //parse response information to authData
            buildAuthDataFormInterfederationResponse(authdata, session, extractor, oaParam);

        // every failure is reported to the caller as "builder.06"; the original exception is kept as cause
        } catch (SOAPException e) {
            throw new BuildException("builder.06", null, e);
        } catch (SecurityException e) {
            throw new BuildException("builder.06", null, e);
        } catch (AttributQueryException e) {
            throw new BuildException("builder.06", null, e);
        } catch (BuildException e) {
            // re-wrapped on purpose so the caller sees a uniform message id
            throw new BuildException("builder.06", null, e);
        } catch (AssertionValidationExeption e) {
            throw new BuildException("builder.06", null, e);
        } catch (AssertionAttributeExtractorExeption e) {
            throw new BuildException("builder.06", null, e);
        }
    }

    /**
     * Copies the attributes of a (verified) interfederation assertion into {@code authData}
     * and derives the OA-specific bPK, identity link and mandate from them.
     *
     * @param authData target object, filled in place
     * @param session the MOA session
     * @param extractor attribute extractor over the interfederation (or AttributeQuery) response
     * @param oaParam online-application parameters; supply target, decryption key and business-service flag
     * @throws BuildException if the bPK or identity link can not be built
     * @throws AssertionAttributeExtractorExeption if a required attribute is missing or unusable
     */
    private static void buildAuthDataFormInterfederationResponse( AuthenticationData authData, AuthenticationSession session, AssertionAttributeExtractor extractor, IOAAuthParameters oaParam) throws BuildException, AssertionAttributeExtractorExeption {
        Logger.debug("Build AuthData from assertion starts ....");

        authData.setFamilyName(extractor.getAttribute(PVPConstants.PRINCIPAL_NAME_NAME));
        authData.setGivenName(extractor.getAttribute(PVPConstants.GIVEN_NAME_NAME));
        authData.setDateOfBirth(extractor.getAttribute(PVPConstants.BIRTHDATE_NAME));
        authData.setBPKType(extractor.getAttribute(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME));
        authData.setCcc(extractor.getAttribute(PVPConstants.EID_ISSUING_NATION_NAME));
        authData.setBkuURL(extractor.getAttribute(PVPConstants.EID_CCS_URL_NAME));
        authData.setIdentificationValue(extractor.getAttribute(PVPConstants.EID_SOURCE_PIN_NAME));
        authData.setIdentificationType(extractor.getAttribute(PVPConstants.EID_SOURCE_PIN_TYPE_NAME));

        if (extractor.containsAttribute(PVPConstants.BPK_NAME)) {
            String pvpbPK = extractor.getAttribute(PVPConstants.BPK_NAME);
            // expects "<prefix>:<bPK>"; a value without ':' throws ArrayIndexOutOfBoundsException here
            authData.setBPK(pvpbPK.split(":")[1]);
        }

        if (extractor.containsAttribute(PVPConstants.ENC_BPK_LIST_NAME)) {
            // ';'-separated list of encrypted bPKs; entries are parsed in the loop below
            List encbPKList = Arrays.asList( extractor.getAttribute(PVPConstants.ENC_BPK_LIST_NAME).split(";"));
            authData.setEncbPKList(encbPKList);
            for (String
fullEncbPK : encbPKList) {
                // entry layout as parsed here: "<text>+<target>|<encrypted bPK>"; the text before '+' is not interpreted
                int index = fullEncbPK.indexOf("|");
                if (index >= 0) {
                    String encbPK = fullEncbPK.substring(index+1);
                    String second = fullEncbPK.substring(0, index);
                    int secIndex = second.indexOf("+");
                    if (secIndex >= 0) {
                        // only decrypt an entry that is addressed to this online application's target
                        if (oaParam.getTarget().equals(second.substring(secIndex+1))) {
                            Logger.debug("Found encrypted bPK for online-application " + oaParam.getPublicURLPrefix() + " Start decryption process ...");
                            PrivateKey privKey = oaParam.getBPKDecBpkDecryptionKey();
                            if (privKey != null) {
                                try {
                                    String bPK = BPKBuilder.decryptBPK(encbPK, oaParam.getTarget(), privKey);
                                    if (MiscUtil.isNotEmpty(bPK)) {
                                        // a decrypted bPK never overrides a bPK already taken from the assertion
                                        if (MiscUtil.isEmpty(authData.getBPK())) {
                                            authData.setBPK(bPK);
                                            authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
                                            Logger.info("bPK decryption process finished successfully.");
                                        }
                                    } else {
                                        Logger.error("bPK decryption FAILED.");
                                    }
                                } catch (BuildException e) {
                                    // decryption failure is not fatal: the SZR / baseID fallback below may still apply
                                    Logger.error("bPK decryption FAILED.", e);
                                }
                            } else {
                                Logger.info("bPK decryption FAILED, because no valid decryption key is found.");
                            }
                        } else {
                            Logger.info("Found encrypted bPK but " + "encrypted bPK target does not match to online-application target");
                        }
                    }
                }
            }
        }

        // no usable identifier at all: ask the SZR for the baseID (Stammzahl) by name and date of birth
        // NOTE(review): getEncbPKList() is only set above when the attribute exists -- confirm it is non-null otherwise
        if (MiscUtil.isEmpty(authData.getBPK()) && authData.getEncbPKList().size() == 0 && MiscUtil.isEmpty(authData.getIdentificationValue())) {
            Logger.info("Federated assertion include no bPK, encrypted bPK or baseID");
            try {
                EgovUtilPropertiesConfiguration eGovClientsConfig = AuthConfigurationProvider.getInstance().geteGovUtilsConfig();
                if (eGovClientsConfig != null) {
                    SZRClient szrclient = new SZRClient(eGovClientsConfig);
                    Logger.debug("Create SZR request to get baseID ... ");
                    PersonInfoType personInfo = new PersonInfoType();
                    at.gv.util.xsd.szr.persondata.PhysicalPersonType person = new at.gv.util.xsd.szr.persondata.PhysicalPersonType();
                    personInfo.setPerson(person);
                    at.gv.util.xsd.szr.persondata.PersonNameType name = new at.gv.util.xsd.szr.persondata.PersonNameType();
                    person.setName(name);
                    name.setGivenName(authData.getGivenName());
                    name.setFamilyName(authData.getFamilyName());
                    if (authData.getDateOfBirth() != null)
                        person.setDateOfBirth(authData.getFormatedDateOfBirth());
                    authData.setIdentificationValue(szrclient.getStammzahl(personInfo));
                    authData.setIdentificationType(Constants.URN_PREFIX_BASEID);
                } else {
                    Logger.warn("No SZR clieht configuration found. Interfederation SSO login not possible.");
                    throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME + " or " + PVPConstants.EID_SOURCE_PIN_NAME);
                }
            // any SZR failure ends the login; the cause is logged, the caller only sees the missing-attribute error
            } catch (ConfigurationException e) {
                Logger.warn("SZR connection FAILED. Interfederation SSO login not possible.", e);
                throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME + " or " + PVPConstants.EID_SOURCE_PIN_NAME);
            } catch (EgovUtilException e) {
                Logger.warn("SZR connection FAILED. Interfederation SSO login not possible.", e);
                throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME + " or " + PVPConstants.EID_SOURCE_PIN_NAME);
            } catch (SZRException e) {
                Logger.warn("SZR connection FAILED. Interfederation SSO login not possible.", e);
                throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME + " or " + PVPConstants.EID_SOURCE_PIN_NAME);
            }
        }

        // derive the OA-specific bPK/wbPK from the source identifier if the assertion delivered none
        if (MiscUtil.isEmpty(authData.getBPK())) {
            Logger.debug("Calcutlate bPK from baseID");
            buildOAspecificbPK(oaParam, authData, authData.getIdentificationValue(), authData.getIdentificationType());
        }

        if (extractor.containsAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME))
            authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + extractor.getAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME));

        // AuthBlock, signer certificate and identity link are optional; a malformed value is logged and skipped
        if (extractor.containsAttribute(PVPConstants.EID_AUTH_BLOCK_NAME)) {
            try {
                byte[] authBlock = Base64Utils.decode(extractor.getAttribute(PVPConstants.EID_AUTH_BLOCK_NAME), false);
                authData.setAuthBlock(new String(authBlock, "UTF-8"));
            } catch (IOException e) {
                Logger.error("Received AuthBlock is not valid", e);
            }
        }

        if (extractor.containsAttribute(PVPConstants.EID_SIGNER_CERTIFICATE_NAME)) {
            try {
                authData.setSignerCertificate(Base64Utils.decode( extractor.getAttribute(PVPConstants.EID_SIGNER_CERTIFICATE_NAME), false));
            } catch (IOException e) {
                Logger.error("Received SignerCertificate is not valid", e);
            }
        }

        if (extractor.containsAttribute(PVPConstants.EID_IDENTITY_LINK_NAME)) {
            try {
                InputStream idlStream = Base64Utils.decodeToStream(extractor.getAttribute(PVPConstants.EID_IDENTITY_LINK_NAME), false);
                IdentityLink idl = new IdentityLinkAssertionParser(idlStream).parseIdentityLink();
                // for business services this rewrites the identification to the wbPK and re-signs the link
                buildOAspecificIdentityLink(oaParam, authData, idl);
            } catch (ParseException e) {
                Logger.error("Received IdentityLink is not valid", e);
            } catch (Exception e) {
                Logger.error("Received IdentityLink is not valid", e);
            }
        }

        // set mandate attributes
        authData.setMandateReferenceValue(extractor.getAttribute(PVPConstants.MANDATE_REFERENCE_VALUE_NAME));

        // a full mandate, if present, must decode; otherwise the login is rejected
        if (extractor.containsAttribute(PVPConstants.MANDATE_FULL_MANDATE_NAME)) {
            try {
                byte[] mandate = Base64Utils.decode( (extractor.getAttribute(PVPConstants.MANDATE_FULL_MANDATE_NAME)), false);
                if (authData.getMISMandate() == null)
                    authData.setMISMandate(new MISMandate());
                authData.getMISMandate().setMandate(mandate);
                authData.getMISMandate().setFullMandateIncluded(true);
                authData.setUseMandate(true);
            } catch (Exception e) {
                Logger.error("Received Mandate is not valid", e);
                throw new AssertionAttributeExtractorExeption(PVPConstants.MANDATE_FULL_MANDATE_NAME);
            }
        }

        //TODO: build short mandate if full mandate is no included.
        if (authData.getMISMandate() == null && (extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME) || extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME) || extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME)) ) {
            Logger.info("Federated assertion contains no full mandate. Start short mandate generation process ... ");
            MISMandate misMandate = new MISMandate();
            misMandate.setFullMandateIncluded(false);
            Mandate mandateObject = new Mandate();
            Mandator mandator = new Mandator();
            mandateObject.setMandator(mandator);

            //build legal person short mandate
            if (extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME) && extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME) && extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)) {
                Logger.debug("Build short mandate for legal person ...");
                CorporateBodyType legalperson = new CorporateBodyType();
                IdentificationType legalID = new IdentificationType();
                Value idvalue = new Value();
                legalID.setValue(idvalue );
                legalperson.getIdentification().add(legalID );
                mandator.setCorporateBody(legalperson );
                legalperson.setFullName(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME));
                legalID.setType(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME));
                idvalue.setValue(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME));

            //build natural person short mandate
            } else if ( (extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME)
|| extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME)) && extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME) && extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME) && extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME)) { Logger.debug("Build short mandate for natural person ..."); PhysicalPersonType physPerson = new PhysicalPersonType(); PersonNameType persName = new PersonNameType(); mandator.setPhysicalPerson(physPerson ); physPerson.setName(persName ); FamilyName familyName = new FamilyName(); persName.getFamilyName().add(familyName ); IdentificationType persID = new IdentificationType(); physPerson.getIdentification().add(persID ); Value idValue = new Value(); persID.setValue(idValue ); String[] pvp2GivenName = extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME).split(" "); for(int i=0; i Use country from STORK request."); } } } else { authData.setCcc("AT"); } try { authData.setSsoSession(AuthenticationSessionStoreage.isSSOSession(session.getSessionID())); //set max. SSO session time if (authData.isSsoSession()) { long maxSSOSessionTime = AuthConfigurationProvider.getInstance().getTimeOuts().getMOASessionCreated().longValue() * 1000; Date ssoSessionValidTo = new Date(session.getSessionCreated().getTime() + maxSSOSessionTime); authData.setSsoSessionValidTo(ssoSessionValidTo); } else { //set valid to 5 min Date ssoSessionValidTo = new Date(new Date().getTime() + 5 * 60 * 1000); authData.setSsoSessionValidTo(ssoSessionValidTo); } /* TODO: Support SSO Mandate MODE! 
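* Insert functionality to translate mandates in case of SSO */
            MISMandate mandate = session.getMISMandate();
            authData.setMISMandate(mandate);
            authData.setUseMandate(session.getUseMandate());
            authData.setMandateReferenceValue(session.getMandateReferenceValue());
            if (session.getUseMandate() && session.isOW() && mandate != null && MiscUtil.isNotEmpty(mandate.getOWbPK())) {
                authData.setBPK(mandate.getOWbPK());
                authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + "OW");
                //TODO: check in case of mandates for business services
                authData.setIdentityLink(identityLink);
                Logger.trace("Authenticated User is OW: " + mandate.getOWbPK());
            } else {
                buildOAspecificbPK(oaParam, authData, identityLink.getIdentificationValue(), identityLink.getIdentificationType());
                buildOAspecificIdentityLink(oaParam, authData, identityLink);
            }
        } catch (Throwable ex) {
            throw new BuildException("builder.00", new Object[]{ "AuthenticationData", ex.toString()}, ex);
        }
    }

    /**
     * Stores the identity link for the online application in {@code authData}.
     * <p>
     * For a public service the identity link is stored unchanged. For a business
     * service the identification value and type inside the link's SAML assertion
     * are replaced by the bPK/wbPK and type already present in {@code authData},
     * the modified assertion is parsed again and re-signed, and the re-signed
     * link is stored. Note that the assertion DOM of {@code idl} is modified in
     * place in that case.
     *
     * @param oaParam online-application parameters; only {@code getBusinessService()} is read
     * @param authData source of bPK/bPK type and target of the resulting identity link
     * @param idl the identity link of the authenticated user
     * @throws MOAIDException if the assertion lacks the identification nodes that must be
     *         rewritten, or if parsing / re-signing fails
     */
    private static void buildOAspecificIdentityLink(IOAAuthParameters oaParam, AuthenticationData authData, IdentityLink idl) throws MOAIDException {
        if (!oaParam.getBusinessService()) {
            // public service: the identity link is handed out as received
            authData.setIdentityLink(idl);
            return;
        }

        Element idlassertion = idl.getSamlAssertion();
        if (idlassertion == null) {
            throw new BuildException("builder.00", new Object[]{ "AuthenticationData", "IdentityLink contains no SAML assertion" }, null);
        }

        //set bpk/wpbk and bkp/wpbk type: both nodes are looked up first so a
        //malformed link fails with a clear error instead of a NullPointerException
        Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
        Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH);
        if (prIdentification == null || prIdentification.getFirstChild() == null
                || prIdentificationType == null || prIdentificationType.getFirstChild() == null) {
            throw new BuildException("builder.00", new Object[]{ "AuthenticationData", "IdentityLink assertion contains no identification value or type" }, null);
        }
        prIdentification.getFirstChild().setNodeValue(authData.getBPK());
        prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType());

        IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion);
        IdentityLink businessServiceIdl = idlparser.parseIdentityLink();

        //resign IDL: the original signature no longer covers the rewritten identification
        IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance();
        Element resignedilAssertion = identitylinkresigner.resignIdentityLink(businessServiceIdl.getSamlAssertion());

        IdentityLinkAssertionParser resignedIDLParser = new IdentityLinkAssertionParser(resignedilAssertion);
        IdentityLink resignedIDL = resignedIDLParser.parseIdentityLink();
        authData.setIdentityLink(resignedIDL);
    }

    /**
     * Sets the bPK (public service) or wbPK (business service) and its type in
     * {@code authData}, derived from the user's source identifier.
     * <ul>
     * <li>baseID type and business service: wbPK from baseID and the OA's register
     *     and order number (prefix {@code REGISTERANDORDNR_PREFIX_} stripped).</li>
     * <li>baseID type and public service: bPK from baseID and the OA target.</li>
     * <li>any other type and business service: {@code baseID}/{@code baseIDType} are
     *     taken over unchanged (the wbPK was computed elsewhere).</li>
     * <li>any other type and public service: {@code authData} is left untouched.</li>
     * </ul>
     *
     * @param oaParam online-application parameters (business-service flag, domain identifier, target)
     * @param authData target object, updated in place
     * @param baseID the source identifier (baseID / Stammzahl or pre-computed wbPK)
     * @param baseIDType URN identifying the type of {@code baseID}
     * @throws BuildException if {@code baseIDType} is empty, if a business service has no
     *         identity-link domain identifier configured, or if the bPK/wbPK computation fails
     */
    private static void buildOAspecificbPK(IOAAuthParameters oaParam, AuthenticationData authData, String baseID, String baseIDType) throws BuildException {
        // the type may come from an assertion attribute and can be absent; fail with a
        // clear error rather than a NullPointerException on baseIDType.equals(...)
        if (MiscUtil.isEmpty(baseIDType)) {
            throw new BuildException("builder.00", new Object[]{ "AuthenticationData", "no identification type available to build the bPK" }, null);
        }
        boolean isBaseID = Constants.URN_PREFIX_BASEID.equals(baseIDType);

        if (oaParam.getBusinessService()) {
            //since we have foreigner, wbPK is not calculated in BKU
            if (isBaseID) {
                String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier();
                if (MiscUtil.isEmpty(registerAndOrdNr)) {
                    throw new BuildException("builder.00", new Object[]{ "AuthenticationData", "no IdentityLinkDomainIdentifier configured for business service " + oaParam.getPublicURLPrefix() }, null);
                }
                if (registerAndOrdNr.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) {
                    // If domainIdentifier starts with prefix
                    // "urn:publicid:gv.at:wbpk+"; remove this prefix
                    registerAndOrdNr = registerAndOrdNr.substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length());
                    Logger.debug("Register and ordernumber prefix stripped off; resulting register string: " + registerAndOrdNr);
                }
                String wbpkBase64 = new BPKBuilder().buildWBPK(baseID, registerAndOrdNr);
                authData.setBPK(wbpkBase64);
                authData.setBPKType(Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr);
            } else {
                authData.setBPK(baseID);
                authData.setBPKType(baseIDType);
            }
            Logger.trace("Authenticate user with wbPK " + authData.getBPK());
        } else {
            if (isBaseID) {
                // only compute bPK if online application is a public service and we have the Stammzahl
                String bpkBase64 = new BPKBuilder().buildBPK(baseID, oaParam.getTarget());
                authData.setBPK(bpkBase64);
                authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
            }
            Logger.trace("Authenticate user with bPK " + authData.getBPK());
        }
    }
}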