diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java
index 3ce5c9e0e..f766bac5e 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java
@@ -1,7 +1,7 @@
 /*
- * Copyright (c) 2010, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ * Copyright (c) 2010, WSO2 LLC. (http://www.wso2.org).
 *
- * WSO2 Inc. licenses this file to you under the Apache License,
+ * WSO2 LLC. licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file except
 * in compliance with the License.
 * You may obtain a copy of the License at
@@ -126,7 +126,8 @@ public enum QueryParameter {
 SLO("slo"),
 RETURN_TO("returnTo"),
 SP_ENTITY_ID("spEntityID"),
- SP_QUALIFIER("spQualifier");
+ SP_QUALIFIER("spQualifier"),
+ IS_PASSIVE("IsPassive");
 private final String parameterName;
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java
index a7644fce9..5d964a65f 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java
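Review bot: `IS_PASSIVE("IsPassive")` breaks the camelCase pattern of its neighbours (`spEntityID`, `returnTo`, `spQualifier`), and since servlet parameter lookup is case-sensitive, a client that sends `isPassive=true` following the existing convention will not be recognised. If the PascalCase is deliberate, to mirror the SAML 2.0 `IsPassive` attribute name, record that on the constant: `// Deliberately matches the SAML 2.0 AuthnRequest attribute name; parameter lookup is case-sensitive.` The enum's `toString()`/accessor for `parameterName` lies outside the hunk.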
@@ -1,7 +1,7 @@
 /*
- * Copyright (c) 2010, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ * Copyright (c) 2010, WSO2 LLC. (http://www.wso2.org).
 *
- * WSO2 Inc. licenses this file to you under the Apache License,
+ * WSO2 LLC. licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file except
 * in compliance with the License.
 * You may obtain a copy of the License at
@@ -187,20 +187,24 @@ public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relaySta
 /**
 * validates the IdP Initiated SSO/SLO request.
- * If the user already having a SSO session then the Response
+ * If the user already have a SSO session then the Response
 * will be returned if not only the validation results will be returned.
 *
- * @param relayState Relay State
- * @param queryString Query String
- * @param queryParamDTOs Query Param DTOs
- * @param serverURL Server url
- * @param sessionId Session id
- * @param rpSessionId Rp Session id
- * @param authnMode Authn Mode
- * @param isLogout Is Logout
- * @param loginTenantDomain Login tenant Domain
- * @return validationResponseDTO
- * @throws IdentityException
+ * @param relayState The relay state value used in SSO/SLO process, typically a unique identifier.
+ * @param queryString The complete query string from the SSO/SLO request.
+ * @param queryParamDTOs An array of QueryParamDTO objects representing the query parameters.
+ * @param serverURL The URL of the server where SSO/SLO request is processed.
+ * @param sessionId The session identifier for the user's current session.
+ * @param rpSessionId The session identifier for the relying party's session.
+ * @param authnMode The authentication mode used in the SSO/SLO process.
+ * @param isLogout Boolean flag indicating whether the request is for logout.
+ * @param loginTenantDomain The domain of the tenant in which the user is attempting to log in.
+ * @return
+ * @throws IdentityException If any error occurs during the validation of the IdP Initiated SSO/SLO request.
+
+ * @deprecated This method was deprecated to support IsPassive.
+ * Use {@link #validateIdPInitSSORequest(String,String,QueryParamDTO[],
+ * String,String,String,String,boolean,String,boolean)} instead.
 */
 public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relayState, String queryString,
 QueryParamDTO[] queryParamDTOs,
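Review bot: The deprecation is declared only in Javadoc; the signature stays a context line, so no `@Deprecated` annotation is added and callers get no compile-time warning (javac's dep-ann lint flags exactly this mismatch). Add `@Deprecated` on the line before `public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relayState, String queryString,`. The new `@return` tag is left empty; `@return The validation result, carrying the SSO response when the user already has a session.` states the contract the summary sentence describes. The method body continues in the next hunk.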
@@ -209,6 +213,37 @@ public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relaySta
 boolean isLogout, String loginTenantDomain)
 throws IdentityException {
+ // For backward compatibility, the IsPassive param is set to false by default.
+ return validateIdPInitSSORequest(relayState, queryString, queryParamDTOs, serverURL, sessionId, rpSessionId,
+ authnMode, isLogout, loginTenantDomain, false);
+ }
+
+ /**
+ * validates the IdP Initiated SSO/SLO request.
+ * If the user already having a SSO session then the Response
+ * will be returned if not only the validation results will be returned.
+ *
+ * @param relayState The relay state value used in SSO/SLO process, typically a unique identifier.
+ * @param queryString The complete query string from the SSO/SLO request.
+ * @param queryParamDTOs An array of QueryParamDTO objects representing the query parameters.
+ * @param serverURL The URL of the server where SSO/SLO request is processed.
+ * @param sessionId The session identifier for the user's current session.
+ * @param rpSessionId The session identifier for the relying party's session.
+ * @param authnMode The authentication mode used in the SSO/SLO process.
+ * @param isLogout Boolean flag indicating whether the request is for logout.
+ * @param loginTenantDomain The domain of the tenant in which the user is attempting to log in.
+ * @param isPassive A boolean indicating whether the request is passive.
+ * @return validationResponseDTO
+ * @throws IdentityException If any error occurs during the validation of the IdP Initiated SSO/SLO request.
+ */
+ public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relayState, String queryString,
+ QueryParamDTO[] queryParamDTOs,
+ String serverURL, String sessionId,
+ String rpSessionId, String authnMode,
+ boolean isLogout, String loginTenantDomain,
+ boolean isPassive)
+ throws IdentityException {
+
 SAMLSSOReqValidationResponseDTO validationResponseDTO = null;
 if (isLogout) {
 IdPInitLogoutRequestProcessor idPInitLogoutRequestProcessor =
@@ -224,6 +259,7 @@ public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relaySta
 }
 validationResponseDTO.setQueryString(queryString);
 validationResponseDTO.setRpSessionId(rpSessionId);
+ validationResponseDTO.setPassive(isPassive);
 return validationResponseDTO;
 }
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java
index 57f3c8e01..907bb8421 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java
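Review bot: The new overload's Javadoc keeps the grammar (`If the user already having a SSO session`) that the deprecated method's Javadoc corrects in the previous hunk, and `@param isPassive A boolean indicating whether the request is passive.` restates the type without the contract. Since the value is only recorded on the DTO here, the tag should tell consumers what it means: `@param isPassive Whether the requester asked for a passive (SAML IsPassive) flow, in which the IdP must not prompt the user; only propagated to the response DTO by this method.` `@return validationResponseDTO` names the local variable rather than describing the result. This hunk starts at the tail of the deprecated method's signature and ends inside the new method's body, which continues in the next hunk.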
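Review bot: `validationResponseDTO.setPassive(isPassive)` runs after the `if (isLogout)` branch has been left, so a logout validation result is flagged passive as well, although IsPassive is an AuthnRequest attribute and nothing in this change gives it logout semantics. Either guard it, `if (!isLogout) { validationResponseDTO.setPassive(isPassive); }`, or add `// Also set on SLO results; only the SSO path is expected to consume it.` so the next reader does not go looking for logout behaviour. The method start and the branch itself are outside this hunk.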
@@ -669,9 +669,10 @@ private void handleIdPInitSSO(HttpServletRequest req, HttpServletResponse resp,
 SAMLSSOService samlSSOService = new SAMLSSOService();
 String defaultLogoutLocation = FrameworkUtils.getRedirectURL(SAMLSSOUtil.getDefaultLogoutEndpoint(), req);
+ boolean isPassive = Boolean.valueOf(req.getParameter(SAMLSSOConstants.QueryParameter.IS_PASSIVE.toString()));
 SAMLSSOReqValidationResponseDTO signInRespDTO = samlSSOService.validateIdPInitSSORequest(
 relayState, queryString, getQueryParams(req), defaultLogoutLocation, sessionId, rpSessionId,
- authMode, isLogout, getLoggedInTenantDomain(req));
+ authMode, isLogout, getLoggedInTenantDomain(req), isPassive);
 setSPAttributeToRequest(req, signInRespDTO.getIssuer(), SAMLSSOUtil.getTenantDomainFromThreadLocal());
 if (!signInRespDTO.isLogOutReq()) {
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/SAMLSSOServiceTest.java b/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/SAMLSSOServiceTest.java
index 29a385df4..c347c43fd 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/SAMLSSOServiceTest.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/SAMLSSOServiceTest.java
@@ -1,7 +1,7 @@
 /*
- * Copyright (c) 2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ * Copyright (c) 2017, WSO2 LLC. (http://www.wso2.org).
 *
- * WSO2 Inc. licenses this file to you under the Apache License,
+ * WSO2 LLC. licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file except
 * in compliance with the License.
 * You may obtain a copy of the License at
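Review bot: `Boolean.valueOf(req.getParameter(...))` boxes a `Boolean` only to unbox it into `boolean isPassive`; `Boolean.parseBoolean(req.getParameter(SAMLSSOConstants.QueryParameter.IS_PASSIVE.toString()))` has identical semantics (null and anything but a case-insensitive "true" become false) without the allocation. The lookup key relies on `QueryParameter.toString()` returning `parameterName`; that override is not in this diff, so confirm it exists, otherwise the servlet reads a parameter literally named `IS_PASSIVE`. The flag comes straight from an unauthenticated request parameter and is forwarded into validation, so the code that later reads the DTO's passive flag must, when no session exists, answer with a SAML status response rather than an interactive login (SAML 2.0 core specifies this for IsPassive); that handling is not visible in this change. handleIdPInitSSO starts and ends outside the hunk.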
@@ -90,6 +90,16 @@ public static Object[][] authnRequests() {
 };
 }
+ @DataProvider(name = "testValidateIdPInitSSORequestAuthentication")
+ public static Object[][] idpInitAuthRequests() {
+ return new Object[][]{{true}, {false}};
+ }
+
+ @DataProvider(name = "testValidateIdPInitSSORequestLogout")
+ public static Object[][] idpInitLogoutRequests() {
+ return new Object[][]{{true}, {false}};
+ }
+
 @ObjectFactory
 public IObjectFactory getObjectFactory() {
 return new PowerMockObjectFactory();
@@ -185,8 +195,8 @@ private SAMLSSOReqValidationResponseDTO mockValidSPInitLogoutRequestProcessing(S
 return samlssoReqValidationResponseDTO;
 }
- @Test
- public void testValidateIdPInitSSORequestAuthentication() throws Exception {
+ @Test(dataProvider = "testValidateIdPInitSSORequestAuthentication")
+ public void testValidateIdPInitSSORequestAuthentication(boolean isPassive) throws Exception {
 // Inputs for SAMLSSOService's validateIdPInitSSORequest method.
 String relayState = null;
@@ -213,7 +223,7 @@ public void testValidateIdPInitSSORequestAuthentication() throws Exception {
 SAMLSSOService samlssoService = new SAMLSSOService();
 SAMLSSOReqValidationResponseDTO samlssoReqValidationResponseDTO = samlssoService.validateIdPInitSSORequest(
 relayState, queryString, queryParamDTOs, serverURL, sessionId, rpSessionId, authnMode, isLogout,
- MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);
+ MultitenantConstants.SUPER_TENANT_DOMAIN_NAME,isPassive);
 assertTrue(samlssoReqValidationResponseDTO.isValid(), "Should be a valid SAML authentication request.");
 assertTrue(samlssoReqValidationResponseDTO.isIdPInitSSO(), "Should be an IDP initiated SAML SSO request.");
 assertEquals(samlssoReqValidationResponseDTO.getQueryString(), queryString, "Query String should be same as " +
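Review bot: The new data providers run each test twice with `isPassive` true and false, but neither test asserts that the flag reached the result — after `MultitenantConstants.SUPER_TENANT_DOMAIN_NAME,isPassive);` nothing checks the DTO's passive accessor, so both iterations pass whatever `setPassive` received and the parameterisation adds no coverage. Add an assertion such as `assertEquals(samlssoReqValidationResponseDTO.isPassive(), isPassive, "Passive flag should match the input.");` (adjusted to the DTO's actual accessor name, which is not in this diff) here and in `testValidateIdPInitSSORequestLogout` in the next hunk, which has the same gap. The argument list also lacks a space after the comma before `isPassive`, unlike the logout variant. Both test methods continue outside the hunk.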
@@ -222,8 +232,8 @@ public void testValidateIdPInitSSORequestAuthentication() throws Exception {
 "the given input RpSessionId.");
 }
- @Test
- public void testValidateIdPInitSSORequestLogout() throws Exception {
+ @Test(dataProvider = "testValidateIdPInitSSORequestLogout")
+ public void testValidateIdPInitSSORequestLogout(boolean isPassive) throws Exception {
 // Inputs for SAMLSSOService's validateIdPInitSSORequest method.
 String relayState = null;
@@ -249,7 +259,7 @@ public void testValidateIdPInitSSORequestLogout() throws Exception {
 SAMLSSOService samlssoService = new SAMLSSOService();
 SAMLSSOReqValidationResponseDTO samlssoReqValidationResponseDTO = samlssoService.validateIdPInitSSORequest(
 relayState, queryString, queryParamDTOs, serverURL, sessionId, rpSessionId, authnMode, isLogout,
- MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);
+ MultitenantConstants.SUPER_TENANT_DOMAIN_NAME, isPassive);
 assertTrue(samlssoReqValidationResponseDTO.isValid(), "Should be a valid SAML SLO request.");
 assertTrue(samlssoReqValidationResponseDTO.isIdPInitSLO(), "Should be an IDP initiated SLO request");
 assertEquals(samlssoReqValidationResponseDTO.getQueryString(), queryString, "Query String should be same as " +