Merge pull request #411 from JeethJJ/isPassiveIDPinitSSOsaml

Add `IsPassive` support in SAML IDP initiated flow

components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java

@@ -1,7 +1,7 @@
 /*
- * Copyright (c) 2010, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ * Copyright (c) 2010, WSO2 LLC. (http://www.wso2.org).
  *
- * WSO2 Inc. licenses this file to you under the Apache License,
+ * WSO2 LLC. licenses this file to you under the Apache License,
  * Version 2.0 (the "License"); you may not use this file except
  * in compliance with the License.
  * You may obtain a copy of the License at
@@ -126,7 +126,8 @@ public enum QueryParameter {
  SLO("slo"),
  RETURN_TO("returnTo"),
  SP_ENTITY_ID("spEntityID"),
- SP_QUALIFIER("spQualifier");
+ SP_QUALIFIER("spQualifier"),
+ IS_PASSIVE("IsPassive");
 
  private final String parameterName;
 

components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java

@@ -1,7 +1,7 @@
 /*
- * Copyright (c) 2010, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ * Copyright (c) 2010, WSO2 LLC. (http://www.wso2.org).
  *
- * WSO2 Inc. licenses this file to you under the Apache License,
+ * WSO2 LLC. licenses this file to you under the Apache License,
  * Version 2.0 (the "License"); you may not use this file except
  * in compliance with the License.
  * You may obtain a copy of the License at
@@ -187,20 +187,24 @@ public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relaySta
 
  /**
  * validates the IdP Initiated SSO/SLO request.
- * If the user already having a SSO session then the Response
+ * If the user already have a SSO session then the Response
  * will be returned if not only the validation results will be returned.
  *
- * @param relayState Relay State
- * @param queryString Query String
- * @param queryParamDTOs Query Param DTOs
- * @param serverURL Server url
- * @param sessionId Session id
- * @param rpSessionId Rp Session id
- * @param authnMode Authn Mode
- * @param isLogout Is Logout
- * @param loginTenantDomain Login tenant Domain
- * @return validationResponseDTO
- * @throws IdentityException
+ * @param relayState The relay state value used in SSO/SLO process, typically a unique identifier.
+ * @param queryString The complete query string from the SSO/SLO request.
+ * @param queryParamDTOs An array of QueryParamDTO objects representing the query parameters.
+ * @param serverURL The URL of the server where SSO/SLO request is processed.
+ * @param sessionId The session identifier for the user's current session.
+ * @param rpSessionId The session identifier for the relying party's session.
+ * @param authnMode The authentication mode used in the SSO/SLO process.
+ * @param isLogout Boolean flag indicating whether the request is for logout.
+ * @param loginTenantDomain The domain of the tenant in which the user is attempting to log in.
+ * @return
+ * @throws IdentityException If any error occurs during the validation of the IdP Initiated SSO/SLO request.
+ *
+ * @deprecated This method was deprecated to support IsPassive.
+ * Use {@link #validateIdPInitSSORequest(String,String,QueryParamDTO[],
+ * String,String,String,String,boolean,String,boolean)} instead.
  */
  public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relayState, String queryString,
  QueryParamDTO[] queryParamDTOs,
@@ -209,6 +213,37 @@ public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relaySta
  boolean isLogout, String loginTenantDomain)
  throws IdentityException {
 
+ // For backward compatibility, the IsPassive param is set to false by default.
+ return validateIdPInitSSORequest(relayState, queryString, queryParamDTOs, serverURL, sessionId, rpSessionId,
+ authnMode, isLogout, loginTenantDomain, false);
+ }
+
+ /**
+ * validates the IdP Initiated SSO/SLO request.
+ * If the user already having a SSO session then the Response
+ * will be returned if not only the validation results will be returned.
+ *
+ * @param relayState The relay state value used in SSO/SLO process, typically a unique identifier.
+ * @param queryString The complete query string from the SSO/SLO request.
+ * @param queryParamDTOs An array of QueryParamDTO objects representing the query parameters.
+ * @param serverURL The URL of the server where SSO/SLO request is processed.
+ * @param sessionId The session identifier for the user's current session.
+ * @param rpSessionId The session identifier for the relying party's session.
+ * @param authnMode The authentication mode used in the SSO/SLO process.
+ * @param isLogout Boolean flag indicating whether the request is for logout.
+ * @param loginTenantDomain The domain of the tenant in which the user is attempting to log in.
+ * @param isPassive A boolean indicating whether the request is passive.
+ * @return validationResponseDTO
+ * @throws IdentityException If any error occurs during the validation of the IdP Initiated SSO/SLO request.
+ */
+ public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relayState, String queryString,
+ QueryParamDTO[] queryParamDTOs,
+ String serverURL, String sessionId,
+ String rpSessionId, String authnMode,
+ boolean isLogout, String loginTenantDomain,
+ boolean isPassive)
+ throws IdentityException {
+
  SAMLSSOReqValidationResponseDTO validationResponseDTO = null;
  if (isLogout) {
  IdPInitLogoutRequestProcessor idPInitLogoutRequestProcessor =
@@ -224,6 +259,7 @@ public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relaySta
  }
  validationResponseDTO.setQueryString(queryString);
  validationResponseDTO.setRpSessionId(rpSessionId);
+ validationResponseDTO.setPassive(isPassive);
  return validationResponseDTO;
  }
 

components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java

@@ -669,9 +669,10 @@ private void handleIdPInitSSO(HttpServletRequest req, HttpServletResponse resp,
  SAMLSSOService samlSSOService = new SAMLSSOService();
 
  String defaultLogoutLocation = FrameworkUtils.getRedirectURL(SAMLSSOUtil.getDefaultLogoutEndpoint(), req);
+ boolean isPassive = Boolean.valueOf(req.getParameter(SAMLSSOConstants.QueryParameter.IS_PASSIVE.toString()));
  SAMLSSOReqValidationResponseDTO signInRespDTO = samlSSOService.validateIdPInitSSORequest(
  relayState, queryString, getQueryParams(req), defaultLogoutLocation, sessionId, rpSessionId,
- authMode, isLogout, getLoggedInTenantDomain(req));
+ authMode, isLogout, getLoggedInTenantDomain(req), isPassive);
  setSPAttributeToRequest(req, signInRespDTO.getIssuer(), SAMLSSOUtil.getTenantDomainFromThreadLocal());
 
  if (!signInRespDTO.isLogOutReq()) {

components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/SAMLSSOServiceTest.java

@@ -1,7 +1,7 @@
 /*
- * Copyright (c) 2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ * Copyright (c) 2017, WSO2 LLC. (http://www.wso2.org).
  *
- * WSO2 Inc. licenses this file to you under the Apache License,
+ * WSO2 LLC. licenses this file to you under the Apache License,
  * Version 2.0 (the "License"); you may not use this file except
  * in compliance with the License.
  * You may obtain a copy of the License at
@@ -90,6 +90,16 @@ public static Object[][] authnRequests() {
  };
  }
 
+ @DataProvider(name = "testValidateIdPInitSSORequestAuthentication")
+ public static Object[][] idpInitAuthRequests() {
+ return new Object[][]{{true}, {false}};
+ }
+
+ @DataProvider(name = "testValidateIdPInitSSORequestLogout")
+ public static Object[][] idpInitLogoutRequests() {
+ return new Object[][]{{true}, {false}};
+ }
+
  @ObjectFactory
  public IObjectFactory getObjectFactory() {
  return new PowerMockObjectFactory();
@@ -185,8 +195,8 @@ private SAMLSSOReqValidationResponseDTO mockValidSPInitLogoutRequestProcessing(S
  return samlssoReqValidationResponseDTO;
  }
 
- @Test
- public void testValidateIdPInitSSORequestAuthentication() throws Exception {
+ @Test(dataProvider = "testValidateIdPInitSSORequestAuthentication")
+ public void testValidateIdPInitSSORequestAuthentication(boolean isPassive) throws Exception {
 
  // Inputs for SAMLSSOService's validateIdPInitSSORequest method.
  String relayState = null;
@@ -213,7 +223,7 @@ public void testValidateIdPInitSSORequestAuthentication() throws Exception {
  SAMLSSOService samlssoService = new SAMLSSOService();
  SAMLSSOReqValidationResponseDTO samlssoReqValidationResponseDTO = samlssoService.validateIdPInitSSORequest(
  relayState, queryString, queryParamDTOs, serverURL, sessionId, rpSessionId, authnMode, isLogout,
- MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);
+ MultitenantConstants.SUPER_TENANT_DOMAIN_NAME,isPassive);
  assertTrue(samlssoReqValidationResponseDTO.isValid(), "Should be a valid SAML authentication request.");
  assertTrue(samlssoReqValidationResponseDTO.isIdPInitSSO(), "Should be an IDP initiated SAML SSO request.");
  assertEquals(samlssoReqValidationResponseDTO.getQueryString(), queryString, "Query String should be same as " +
@@ -222,8 +232,8 @@ public void testValidateIdPInitSSORequestAuthentication() throws Exception {
  "the given input RpSessionId.");
  }
 
- @Test
- public void testValidateIdPInitSSORequestLogout() throws Exception {
+ @Test(dataProvider = "testValidateIdPInitSSORequestLogout")
+ public void testValidateIdPInitSSORequestLogout(boolean isPassive) throws Exception {
 
  // Inputs for SAMLSSOService's validateIdPInitSSORequest method.
  String relayState = null;
@@ -249,7 +259,7 @@ public void testValidateIdPInitSSORequestLogout() throws Exception {
  SAMLSSOService samlssoService = new SAMLSSOService();
  SAMLSSOReqValidationResponseDTO samlssoReqValidationResponseDTO = samlssoService.validateIdPInitSSORequest(
  relayState, queryString, queryParamDTOs, serverURL, sessionId, rpSessionId, authnMode, isLogout,
- MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);
+ MultitenantConstants.SUPER_TENANT_DOMAIN_NAME, isPassive);
  assertTrue(samlssoReqValidationResponseDTO.isValid(), "Should be a valid SAML SLO request.");
  assertTrue(samlssoReqValidationResponseDTO.isIdPInitSLO(), "Should be an IDP initiated SLO request");
  assertEquals(samlssoReqValidationResponseDTO.getQueryString(), queryString, "Query String should be same as " +