|
|
@ -1,5 +1,5 @@
|
|
|
|
/*
|
|
|
|
/*
|
|
|
|
* Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
|
|
|
* Copyright (c) 2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
|
|
|
*
|
|
|
|
*
|
|
|
|
* WSO2 Inc. licenses this file to you under the Apache License,
|
|
|
|
* WSO2 Inc. licenses this file to you under the Apache License,
|
|
|
|
* Version 2.0 (the "License"); you may not use this file except
|
|
|
|
* Version 2.0 (the "License"); you may not use this file except
|
|
|
@ -16,7 +16,6 @@
|
|
|
|
* under the License.
|
|
|
|
* under the License.
|
|
|
|
*
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
/**
|
|
|
|
* Following module act as a client to create a saml request and also to
|
|
|
|
* Following module act as a client to create a saml request and also to
|
|
|
|
* unwrap and return attributes of a returning saml response
|
|
|
|
* unwrap and return attributes of a returning saml response
|
|
|
@ -27,9 +26,10 @@ var client = {};
|
|
|
|
|
|
|
|
|
|
|
|
(function (client) {
|
|
|
|
(function (client) {
|
|
|
|
|
|
|
|
|
|
|
|
var Util = Packages.org.wso2.store.sso.common.util.Util,
|
|
|
|
var Util = Packages.org.jaggeryjs.modules.sso.common.util.Util,
|
|
|
|
carbon = require('carbon'),
|
|
|
|
carbon = require('carbon'),
|
|
|
|
log = new Log();
|
|
|
|
log = new Log();
|
|
|
|
|
|
|
|
var SSOSessionManager = Packages.org.jaggeryjs.modules.sso.common.managers.SSOSessionManager;
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
/**
|
|
|
|
* obtains an encoded saml response and return a decoded/unmarshalled saml obj
|
|
|
|
* obtains an encoded saml response and return a decoded/unmarshalled saml obj
|
|
|
@ -42,27 +42,28 @@ var client = {};
|
|
|
|
var decodedResp = Util.decode(samlResp);
|
|
|
|
var decodedResp = Util.decode(samlResp);
|
|
|
|
marshalledResponse = Util.unmarshall(decodedResp);
|
|
|
|
marshalledResponse = Util.unmarshall(decodedResp);
|
|
|
|
} catch (e) {
|
|
|
|
} catch (e) {
|
|
|
|
log.error('Unable to unmarshall SAML response');
|
|
|
|
log.error('Unable to unmarshall SAML response',e);
|
|
|
|
log.error(e);
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return marshalledResponse;
|
|
|
|
return marshalledResponse;
|
|
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
/**
|
|
|
|
* validating the signature of the response saml object
|
|
|
|
* validating the signature of the response saml object
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
client.validateSignature = function (samlObj, config) {
|
|
|
|
client.validateSignature = function (samlObj, config) {
|
|
|
|
var tDomain = Util.getDomainName(samlObj);
|
|
|
|
var tDomain, tId;
|
|
|
|
var tId = carbon.server.tenantId({domain: tDomain});
|
|
|
|
if(config.USE_ST_KEY){
|
|
|
|
if (tId != carbon.server.superTenant.tenantId) {
|
|
|
|
tDomain = carbon.server.superTenant.domain;
|
|
|
|
|
|
|
|
tId = carbon.server.superTenant.tenantId;
|
|
|
|
|
|
|
|
}else{
|
|
|
|
|
|
|
|
tDomain = Util.getDomainName(samlObj);
|
|
|
|
|
|
|
|
tId = carbon.server.tenantId({domain: tDomain});
|
|
|
|
var identityTenantUtil = Packages.org.wso2.carbon.identity.core.util.IdentityTenantUtil;
|
|
|
|
var identityTenantUtil = Packages.org.wso2.carbon.identity.core.util.IdentityTenantUtil;
|
|
|
|
identityTenantUtil.initializeRegistry(tId,tDomain);
|
|
|
|
identityTenantUtil.initializeRegistry(tId,tDomain);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return Util.validateSignature(samlObj,
|
|
|
|
return Util.validateSignature(samlObj,
|
|
|
|
config.KEY_STORE_NAME, config.KEY_STORE_PASSWORD, config.IDP_ALIAS, tId, tDomain);
|
|
|
|
config.KEY_STORE_NAME, config.KEY_STORE_PASSWORD, config.IDP_ALIAS, tId, tDomain);
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
/**
|
|
|
|
* Checking if the request is a logout call
|
|
|
|
* Checking if the request is a logout call
|
|
|
|
*/
|
|
|
|
*/
|
|
|
@ -84,7 +85,18 @@ var client = {};
|
|
|
|
client.getEncodedSAMLAuthRequest = function (issuerId) {
|
|
|
|
client.getEncodedSAMLAuthRequest = function (issuerId) {
|
|
|
|
return Util.encode(
|
|
|
|
return Util.encode(
|
|
|
|
Util.marshall(
|
|
|
|
Util.marshall(
|
|
|
|
new Packages.org.wso2.store.sso.common.builders.AuthReqBuilder().buildAuthenticationRequest(issuerId)
|
|
|
|
new Packages.org.jaggeryjs.modules.sso.common.builders.AuthReqBuilder().buildAuthenticationRequest(issuerId)
|
|
|
|
|
|
|
|
));
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
|
|
* getting url encoded signed saml authentication request
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
client.getEncodedSignedSAMLAuthRequest = function (issuerId, destination, acsUrl, isPassive, tenantId, tenantDomain, nameIdPolicy) {
|
|
|
|
|
|
|
|
return Util.encode(
|
|
|
|
|
|
|
|
Util.marshall(
|
|
|
|
|
|
|
|
new Packages.org.jaggeryjs.modules.sso.common.builders.AuthReqBuilder().buildAuthenticationRequest(issuerId, destination, acsUrl,
|
|
|
|
|
|
|
|
isPassive, tenantId, tenantDomain, nameIdPolicy)
|
|
|
|
));
|
|
|
|
));
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
@ -94,11 +106,23 @@ var client = {};
|
|
|
|
client.getEncodedSAMLLogoutRequest = function (user, sessionIndex, issuerId) {
|
|
|
|
client.getEncodedSAMLLogoutRequest = function (user, sessionIndex, issuerId) {
|
|
|
|
return Util.encode(
|
|
|
|
return Util.encode(
|
|
|
|
Util.marshall(
|
|
|
|
Util.marshall(
|
|
|
|
new Packages.org.wso2.store.sso.common.builders.LogoutRequestBuilder().buildLogoutRequest(user, sessionIndex,
|
|
|
|
new Packages.org.jaggeryjs.modules.sso.common.builders.LogoutRequestBuilder().buildLogoutRequest(user, sessionIndex,
|
|
|
|
Packages.org.wso2.store.sso.common.constants.SSOConstants.LOGOUT_USER,
|
|
|
|
Packages.org.jaggeryjs.modules.sso.common.constants.SSOConstants.LOGOUT_USER,
|
|
|
|
issuerId)));
|
|
|
|
issuerId)));
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
|
|
* get url encoded signed saml logout request
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
client.getEncodedSignedSAMLLogoutRequest = function (user, sessionIndex, issuerId, tenantId, tenantDomain, destination, nameIdFormat) {
|
|
|
|
|
|
|
|
return Util.encode(
|
|
|
|
|
|
|
|
Util.marshall(
|
|
|
|
|
|
|
|
new Packages.org.jaggeryjs.modules.sso.common.builders.LogoutRequestBuilder().buildLogoutRequest(user, sessionIndex,
|
|
|
|
|
|
|
|
Packages.org.jaggeryjs.modules.sso.common.constants.SSOConstants.LOGOUT_USER,
|
|
|
|
|
|
|
|
issuerId, tenantId, tenantDomain, destination, nameIdFormat)));
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
/**
|
|
|
|
* Reads the returning SAML login response and populates a session info object
|
|
|
|
* Reads the returning SAML login response and populates a session info object
|
|
|
|
*/
|
|
|
|
*/
|
|
|
@ -157,13 +181,46 @@ var client = {};
|
|
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
|
|
* Registers the provided Session HostObject against the IDP session index.This
|
|
|
|
|
|
|
|
* mapping is used to Single Logout all sessions when the logout method is called
|
|
|
|
|
|
|
|
* @param {String} idpSessionIndex The IDP session index provided in the SAML login response
|
|
|
|
|
|
|
|
* @param {String} serviceProvider
|
|
|
|
|
|
|
|
* @param {Object} session
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
client.login = function(idpSessionIndex,serviceProvider,session){
|
|
|
|
|
|
|
|
SSOSessionManager.getInstance().login(idpSessionIndex,serviceProvider,session);
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
|
|
* Handles the Single Logout operation by invalidating the sessions mapped
|
|
|
|
|
|
|
|
* to the provided IDP session index.
|
|
|
|
|
|
|
|
* @param {Object} indicator Either a String representing the IDP session index or a session object
|
|
|
|
|
|
|
|
* @param {String} serviceProvider
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
client.logout = function(indicator,serviceProvider) {
|
|
|
|
|
|
|
|
SSOSessionManager.getInstance().logout(indicator,serviceProvider);
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
|
|
* Removes issuer, session and IDP index details.This method should be called from a session destroy
|
|
|
|
|
|
|
|
* listener.Please note that this method will not attempt to invalidate the session and will assume that
|
|
|
|
|
|
|
|
* the session invalidate method has been already called
|
|
|
|
|
|
|
|
* @param {Object} indicator Either a String representing the IDP session index or a session object
|
|
|
|
|
|
|
|
* @param {String} serviceProvider
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
client.cleanUp = function(indicator,serviceProvider){
|
|
|
|
|
|
|
|
SSOSessionManager.getInstance().cleanUp(indicator,serviceProvider);
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
/**
|
|
|
|
* The method is used to encapsulate all of the validations that
|
|
|
|
* The method is used to encapsulate all of the validations that
|
|
|
|
* should be performed on a SAML Response
|
|
|
|
* should be performed on a SAML Response
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
client.validateSamlResponse = function(samlObj, props, keyStoreProps) {
|
|
|
|
client.validateSamlResponse = function(samlObj, props, keyStoreProps) {
|
|
|
|
props = props || {};
|
|
|
|
props = props || {};
|
|
|
|
var Util = Packages.org.wso2.store.sso.common.util.Util;
|
|
|
|
var Util = Packages.org.jaggeryjs.modules.sso.common.util.Util;
|
|
|
|
var propList = createProperties(props);
|
|
|
|
var propList = createProperties(props);
|
|
|
|
var DEFAULT_TO_TRUE = true;
|
|
|
|
var DEFAULT_TO_TRUE = true;
|
|
|
|
var DEFAULT_TO_FALSE = false;
|
|
|
|
var DEFAULT_TO_FALSE = false;
|
|
|
@ -206,31 +263,7 @@ var client = {};
|
|
|
|
isValid = callValidateAssertionSignature(samlObj, keyStoreProps);
|
|
|
|
isValid = callValidateAssertionSignature(samlObj, keyStoreProps);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return isValid;
|
|
|
|
return isValid;
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
|
|
* getting url encoded signed saml authentication request
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
client.getEncodedSignedSAMLAuthRequest = function (issuerId, destination, acsUrl, isPassive, tenantId, tenantDomain, nameIdPolicy) {
|
|
|
|
|
|
|
|
return Util.encode(
|
|
|
|
|
|
|
|
Util.marshall(
|
|
|
|
|
|
|
|
new Packages.org.jaggeryjs.modules.sso.common.builders.AuthReqBuilder().buildAuthenticationRequest(issuerId, destination, acsUrl,
|
|
|
|
|
|
|
|
isPassive, tenantId, tenantDomain, nameIdPolicy)
|
|
|
|
|
|
|
|
));
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
|
|
* get url encoded signed saml logout request
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
client.getEncodedSignedSAMLLogoutRequest = function (user, sessionIndex, issuerId, tenantId, tenantDomain, destination, nameIdFormat) {
|
|
|
|
|
|
|
|
return Util.encode(
|
|
|
|
|
|
|
|
Util.marshall(
|
|
|
|
|
|
|
|
new Packages.org.jaggeryjs.modules.sso.common.builders.LogoutRequestBuilder().buildLogoutRequest(user, sessionIndex,
|
|
|
|
|
|
|
|
Packages.org.wso2.store.sso.common.constants.SSOConstants.LOGOUT_USER,
|
|
|
|
|
|
|
|
issuerId)));
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
/**
|
|
|
|
* A utility method used to convert a JSON object to
|
|
|
|
* A utility method used to convert a JSON object to
|
|
|
|
* a properties object
|
|
|
|
* a properties object
|
|
|
@ -249,7 +282,7 @@ var client = {};
|
|
|
|
* resolving tenant details
|
|
|
|
* resolving tenant details
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
function callValidateAssertionSignature(samlObj, config) {
|
|
|
|
function callValidateAssertionSignature(samlObj, config) {
|
|
|
|
var Util = Packages.org.wso2.store.sso.common.util.Util;
|
|
|
|
var Util = Packages.org.jaggeryjs.modules.sso.common.util.Util;
|
|
|
|
var tDomain, tId;
|
|
|
|
var tDomain, tId;
|
|
|
|
var carbon = require('carbon');
|
|
|
|
var carbon = require('carbon');
|
|
|
|
if (config.USE_ST_KEY) {
|
|
|
|
if (config.USE_ST_KEY) {
|
|
|
@ -264,4 +297,4 @@ var client = {};
|
|
|
|
return Util.validateAssertionSignature(samlObj, config.KEY_STORE_NAME, config.KEY_STORE_PASSWORD, config.IDP_ALIAS, tId, tDomain);
|
|
|
|
return Util.validateAssertionSignature(samlObj, config.KEY_STORE_NAME, config.KEY_STORE_PASSWORD, config.IDP_ALIAS, tId, tDomain);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
}(client));
|
|
|
|
}(client));
|
|
|
|