From 19a93bea2c8c74b1d4257dc2d058301b68d55f0e Mon Sep 17 00:00:00 2001 From: JeethJJ Date: Wed, 22 Nov 2023 14:29:48 +0530 Subject: [PATCH 1/7] Add isPassive validation for IPD initiated SSO flow --- .../wso2/carbon/identity/sso/saml/SAMLSSOConstants.java | 3 ++- .../wso2/carbon/identity/sso/saml/SAMLSSOService.java | 8 +++++--- .../sso/saml/servlet/SAMLSSOProviderServlet.java | 9 ++++++--- .../carbon/identity/sso/saml/SAMLSSOServiceTest.java | 4 ++-- 4 files changed, 15 insertions(+), 9 deletions(-) diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java index 3ce5c9e0e..f657ef669 100644 --- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java +++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java @@ -126,7 +126,8 @@ public enum QueryParameter { SLO("slo"), RETURN_TO("returnTo"), SP_ENTITY_ID("spEntityID"), - SP_QUALIFIER("spQualifier"); + SP_QUALIFIER("spQualifier"), + IS_PASSIVE("IsPassive"); private final String parameterName; diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java index a7644fce9..3df654f64 100644 --- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java +++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java 
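Review bot: The new enum value `IS_PASSIVE("IsPassive")` breaks the lowerCamel convention of its neighbours (`spEntityID`, `spQualifier`, `returnTo`) and nothing records why. If the capitalised spelling is deliberate because it mirrors the SAML `IsPassive` attribute name, a comment on the constant should say so, e.g. `// Spelled as the SAML AuthnRequest attribute; in the IdP-initiated flow it is read straight from the request query parameters.`, so a later cleanup does not "fix" the casing and silently stop honouring `IsPassive=true`. The enclosing `QueryParameter` enum continues outside the hunk.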
@@ -178,11 +178,11 @@ public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relaySta QueryParamDTO[] queryParamDTOs, String serverURL, String sessionId, String rpSessionId, String authnMode, - boolean isLogout) throws IdentityException { + boolean isLogout, String isPassive) throws IdentityException { // For backward compatibility, SUPER_TENANT_DOMAIN was used as the cache maintaining tenant. return validateIdPInitSSORequest(relayState, queryString, queryParamDTOs, serverURL, sessionId, rpSessionId, - authnMode, isLogout, MultitenantConstants.SUPER_TENANT_DOMAIN_NAME); + authnMode, isLogout, MultitenantConstants.SUPER_TENANT_DOMAIN_NAME, isPassive); } /** @@ -206,7 +206,8 @@ public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relaySta QueryParamDTO[] queryParamDTOs, String serverURL, String sessionId, String rpSessionId, String authnMode, - boolean isLogout, String loginTenantDomain) + boolean isLogout, String loginTenantDomain, + String isPassive) throws IdentityException { SAMLSSOReqValidationResponseDTO validationResponseDTO = null; @@ -224,6 +225,7 @@ public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relaySta } validationResponseDTO.setQueryString(queryString); validationResponseDTO.setRpSessionId(rpSessionId); + validationResponseDTO.setPassive(Boolean.valueOf(isPassive)); return validationResponseDTO; } diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java index 57f3c8e01..d9a7c8e29 100644 --- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java +++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java 
@@ -224,6 +224,8 @@ private void handleRequest(HttpServletRequest req, HttpServletResponse resp, boo String relayState = req.getParameter(SAMLSSOConstants.RELAY_STATE); String spEntityID = req.getParameter(SAMLSSOConstants.QueryParameter .SP_ENTITY_ID.toString()); + String isPassive = req.getParameter(SAMLSSOConstants.QueryParameter + .IS_PASSIVE.toString()); String samlRequest = req.getParameter(SAMLSSOConstants.SAML_REQUEST); String samlResponse = req.getParameter(SAMLSSOConstants.SAML_RESP); String sessionDataKey = getSessionDataKey(req); @@ -308,7 +310,8 @@ private void handleRequest(HttpServletRequest req, HttpServletResponse resp, boo return; } } else if (spEntityID != null || slo != null) { // idp initiated SSO/SLO - handleIdPInitSSO(req, resp, relayState, queryString, authMode, sessionId, isPost, (slo != null)); + handleIdPInitSSO(req, resp, relayState, queryString, authMode, sessionId, isPost, + (slo != null), isPassive); } else if (samlRequest != null) {// SAMLRequest received. SP initiated SSO handleSPInitSSO(req, resp, queryString, relayState, authMode, samlRequest, sessionId, isPost); } else if (samlResponse != null) {// SAMLResponse received. @@ -649,7 +652,7 @@ private void sendNotification(String errorResp, String status, String message, private void handleIdPInitSSO(HttpServletRequest req, HttpServletResponse resp, String relayState, String queryString, String authMode, String sessionId, - boolean isPost, boolean isLogout) throws UserStoreException, IdentityException, + boolean isPost, boolean isLogout, String isPassive) throws UserStoreException, IdentityException, IOException, ServletException { DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = null; 
@@ -671,7 +674,7 @@ private void handleIdPInitSSO(HttpServletRequest req, HttpServletResponse resp, String defaultLogoutLocation = FrameworkUtils.getRedirectURL(SAMLSSOUtil.getDefaultLogoutEndpoint(), req); SAMLSSOReqValidationResponseDTO signInRespDTO = samlSSOService.validateIdPInitSSORequest( relayState, queryString, getQueryParams(req), defaultLogoutLocation, sessionId, rpSessionId, - authMode, isLogout, getLoggedInTenantDomain(req)); + authMode, isLogout, getLoggedInTenantDomain(req), isPassive); setSPAttributeToRequest(req, signInRespDTO.getIssuer(), SAMLSSOUtil.getTenantDomainFromThreadLocal()); if (!signInRespDTO.isLogOutReq()) { diff --git a/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/SAMLSSOServiceTest.java b/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/SAMLSSOServiceTest.java index 29a385df4..964718d12 100644 --- a/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/SAMLSSOServiceTest.java +++ b/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/SAMLSSOServiceTest.java @@ -213,7 +213,7 @@ public void testValidateIdPInitSSORequestAuthentication() throws Exception { SAMLSSOService samlssoService = new SAMLSSOService(); SAMLSSOReqValidationResponseDTO samlssoReqValidationResponseDTO = samlssoService.validateIdPInitSSORequest( relayState, queryString, queryParamDTOs, serverURL, sessionId, rpSessionId, authnMode, isLogout, - MultitenantConstants.SUPER_TENANT_DOMAIN_NAME); + MultitenantConstants.SUPER_TENANT_DOMAIN_NAME,"false"); assertTrue(samlssoReqValidationResponseDTO.isValid(), "Should be a valid SAML authentication request."); assertTrue(samlssoReqValidationResponseDTO.isIdPInitSSO(), "Should be an IDP initiated SAML SSO request."); assertEquals(samlssoReqValidationResponseDTO.getQueryString(), queryString, "Query String should be same as " + 
@@ -249,7 +249,7 @@ public void testValidateIdPInitSSORequestLogout() throws Exception { SAMLSSOService samlssoService = new SAMLSSOService(); SAMLSSOReqValidationResponseDTO samlssoReqValidationResponseDTO = samlssoService.validateIdPInitSSORequest( relayState, queryString, queryParamDTOs, serverURL, sessionId, rpSessionId, authnMode, isLogout, - MultitenantConstants.SUPER_TENANT_DOMAIN_NAME); + MultitenantConstants.SUPER_TENANT_DOMAIN_NAME, "false"); assertTrue(samlssoReqValidationResponseDTO.isValid(), "Should be a valid SAML SLO request."); assertTrue(samlssoReqValidationResponseDTO.isIdPInitSLO(), "Should be an IDP initiated SLO request"); assertEquals(samlssoReqValidationResponseDTO.getQueryString(), queryString, "Query String should be same as " + From 29e9f3ed868a02b70fa688b6595307b4c82e2c5b Mon Sep 17 00:00:00 2001 From: JeethJJ Date: Wed, 22 Nov 2023 17:05:01 +0530 Subject: [PATCH 2/7] Update testcases and update license. --- .../identity/sso/saml/SAMLSSOConstants.java | 4 +-- .../identity/sso/saml/SAMLSSOService.java | 10 +++---- .../saml/servlet/SAMLSSOProviderServlet.java | 6 ++--- .../identity/sso/saml/SAMLSSOServiceTest.java | 26 +++++++++++++------ 4 files changed, 28 insertions(+), 18 deletions(-) diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java index f657ef669..f766bac5e 100644 --- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java +++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java 
@@ -1,7 +1,7 @@ /* - * Copyright (c) 2010, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * Copyright (c) 2010, WSO2 LLC. (http://www.wso2.org). * - * WSO2 Inc. licenses this file to you under the Apache License, + * WSO2 LLC. licenses this file to you under the Apache License, * Version 2.0 (the "License"); you may not use this file except * in compliance with the License. * You may obtain a copy of the License at diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java index 3df654f64..a27a5754d 100644 --- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java +++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java @@ -1,7 +1,7 @@ /* - * Copyright (c) 2010, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * Copyright (c) 2010, WSO2 LLC. (http://www.wso2.org). * - * WSO2 Inc. licenses this file to you under the Apache License, + * WSO2 LLC. licenses this file to you under the Apache License, * Version 2.0 (the "License"); you may not use this file except * in compliance with the License. * You may obtain a copy of the License at @@ -178,7 +178,7 @@ public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relaySta QueryParamDTO[] queryParamDTOs, String serverURL, String sessionId, String rpSessionId, String authnMode, - boolean isLogout, String isPassive) throws IdentityException { + boolean isLogout, boolean isPassive) throws IdentityException { // For backward compatibility, SUPER_TENANT_DOMAIN was used as the cache maintaining tenant. return validateIdPInitSSORequest(relayState, queryString, queryParamDTOs, serverURL, sessionId, rpSessionId, 
@@ -207,7 +207,7 @@ public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relaySta String serverURL, String sessionId, String rpSessionId, String authnMode, boolean isLogout, String loginTenantDomain, - String isPassive) + boolean isPassive) throws IdentityException { SAMLSSOReqValidationResponseDTO validationResponseDTO = null; @@ -225,7 +225,7 @@ public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relaySta } validationResponseDTO.setQueryString(queryString); validationResponseDTO.setRpSessionId(rpSessionId); - validationResponseDTO.setPassive(Boolean.valueOf(isPassive)); + validationResponseDTO.setPassive(isPassive); return validationResponseDTO; } diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java index d9a7c8e29..8ae54f695 100644 --- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java +++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java @@ -224,8 +224,8 @@ private void handleRequest(HttpServletRequest req, HttpServletResponse resp, boo String relayState = req.getParameter(SAMLSSOConstants.RELAY_STATE); String spEntityID = req.getParameter(SAMLSSOConstants.QueryParameter .SP_ENTITY_ID.toString()); - String isPassive = req.getParameter(SAMLSSOConstants.QueryParameter - .IS_PASSIVE.toString()); + boolean isPassive = Boolean.valueOf(req.getParameter(SAMLSSOConstants.QueryParameter + .IS_PASSIVE.toString())); String samlRequest = req.getParameter(SAMLSSOConstants.SAML_REQUEST); String samlResponse = req.getParameter(SAMLSSOConstants.SAML_RESP); String sessionDataKey = getSessionDataKey(req); 
@@ -652,7 +652,7 @@ private void sendNotification(String errorResp, String status, String message, private void handleIdPInitSSO(HttpServletRequest req, HttpServletResponse resp, String relayState, String queryString, String authMode, String sessionId, - boolean isPost, boolean isLogout, String isPassive) throws UserStoreException, IdentityException, + boolean isPost, boolean isLogout, boolean isPassive) throws UserStoreException, IdentityException, IOException, ServletException { DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = null; diff --git a/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/SAMLSSOServiceTest.java b/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/SAMLSSOServiceTest.java index 964718d12..c347c43fd 100644 --- a/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/SAMLSSOServiceTest.java +++ b/components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/SAMLSSOServiceTest.java @@ -1,7 +1,7 @@ /* - * Copyright (c) 2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * Copyright (c) 2017, WSO2 LLC. (http://www.wso2.org). * - * WSO2 Inc. licenses this file to you under the Apache License, + * WSO2 LLC. licenses this file to you under the Apache License, * Version 2.0 (the "License"); you may not use this file except * in compliance with the License. * You may obtain a copy of the License at @@ -90,6 +90,16 @@ public static Object[][] authnRequests() { }; } + @DataProvider(name = "testValidateIdPInitSSORequestAuthentication") + public static Object[][] idpInitAuthRequests() { + return new Object[][]{{true}, {false}}; + } + + @DataProvider(name = "testValidateIdPInitSSORequestLogout") + public static Object[][] idpInitLogoutRequests() { + return new Object[][]{{true}, {false}}; + } + @ObjectFactory public IObjectFactory getObjectFactory() { return new PowerMockObjectFactory(); 
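Review bot: The two `@DataProvider` methods added in the test hunk are identical (`{{true}, {false}}`) and are named after the test methods they feed, which reads as if each carried test-specific fixtures. One provider named for what it supplies, e.g. `@DataProvider(name = "isPassiveValues")`, referenced from both `@Test(dataProvider = ...)` annotations, would remove the duplication and make the intent obvious. For the logout test in particular a one-line comment on why an `IsPassive` value is exercised for an SLO request would help, since the flag presumably has no effect there and the rows only prove it is ignored.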
@@ -185,8 +195,8 @@ private SAMLSSOReqValidationResponseDTO mockValidSPInitLogoutRequestProcessing(S return samlssoReqValidationResponseDTO; } - @Test - public void testValidateIdPInitSSORequestAuthentication() throws Exception { + @Test(dataProvider = "testValidateIdPInitSSORequestAuthentication") + public void testValidateIdPInitSSORequestAuthentication(boolean isPassive) throws Exception { // Inputs for SAMLSSOService's validateIdPInitSSORequest method. String relayState = null; @@ -213,7 +223,7 @@ public void testValidateIdPInitSSORequestAuthentication() throws Exception { SAMLSSOService samlssoService = new SAMLSSOService(); SAMLSSOReqValidationResponseDTO samlssoReqValidationResponseDTO = samlssoService.validateIdPInitSSORequest( relayState, queryString, queryParamDTOs, serverURL, sessionId, rpSessionId, authnMode, isLogout, - MultitenantConstants.SUPER_TENANT_DOMAIN_NAME,"false"); + MultitenantConstants.SUPER_TENANT_DOMAIN_NAME,isPassive); assertTrue(samlssoReqValidationResponseDTO.isValid(), "Should be a valid SAML authentication request."); assertTrue(samlssoReqValidationResponseDTO.isIdPInitSSO(), "Should be an IDP initiated SAML SSO request."); assertEquals(samlssoReqValidationResponseDTO.getQueryString(), queryString, "Query String should be same as " + @@ -222,8 +232,8 @@ public void testValidateIdPInitSSORequestAuthentication() throws Exception { "the given input RpSessionId."); } - @Test - public void testValidateIdPInitSSORequestLogout() throws Exception { + @Test(dataProvider = "testValidateIdPInitSSORequestLogout") + public void testValidateIdPInitSSORequestLogout(boolean isPassive) throws Exception { // Inputs for SAMLSSOService's validateIdPInitSSORequest method. String relayState = null; 
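Review bot: The parameterised `testValidateIdPInitSSORequestAuthentication(boolean isPassive)` passes the flag into `validateIdPInitSSORequest` but never asserts that it came back on the DTO, so both data-provider rows run identical assertions and a regression in the `setPassive` call would go unnoticed. Add an assertion on the DTO's passive accessor after the existing ones, e.g. `assertEquals(samlssoReqValidationResponseDTO.isPassive(), isPassive, "IsPassive flag should be propagated to the DTO.");` (the getter name is assumed to match `setPassive`; confirm against the DTO class). The same gap exists in the logout test hunk that follows. Also, `SUPER_TENANT_DOMAIN_NAME,isPassive` is missing the space after the comma that the sibling call in the logout test has.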
@@ -249,7 +259,7 @@ public void testValidateIdPInitSSORequestLogout() throws Exception { SAMLSSOService samlssoService = new SAMLSSOService(); SAMLSSOReqValidationResponseDTO samlssoReqValidationResponseDTO = samlssoService.validateIdPInitSSORequest( relayState, queryString, queryParamDTOs, serverURL, sessionId, rpSessionId, authnMode, isLogout, - MultitenantConstants.SUPER_TENANT_DOMAIN_NAME, "false"); + MultitenantConstants.SUPER_TENANT_DOMAIN_NAME, isPassive); assertTrue(samlssoReqValidationResponseDTO.isValid(), "Should be a valid SAML SLO request."); assertTrue(samlssoReqValidationResponseDTO.isIdPInitSLO(), "Should be an IDP initiated SLO request"); assertEquals(samlssoReqValidationResponseDTO.getQueryString(), queryString, "Query String should be same as " + From dcc7cf95d3798284aa4331e4ee00d44076f5d324 Mon Sep 17 00:00:00 2001 From: JeethJJ Date: Fri, 24 Nov 2023 09:27:16 +0530 Subject: [PATCH 3/7] Preserve backward compatibility with method overloading when introducing a new parameter. --- .../identity/sso/saml/SAMLSSOService.java | 37 ++++++++++++++++++- .../saml/servlet/SAMLSSOProviderServlet.java | 10 ++--- 2 files changed, 39 insertions(+), 8 deletions(-) diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java index a27a5754d..e9b40da27 100644 --- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java +++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java 
@@ -178,11 +178,43 @@ public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relaySta QueryParamDTO[] queryParamDTOs, String serverURL, String sessionId, String rpSessionId, String authnMode, - boolean isLogout, boolean isPassive) throws IdentityException { + boolean isLogout) throws IdentityException { // For backward compatibility, SUPER_TENANT_DOMAIN was used as the cache maintaining tenant. return validateIdPInitSSORequest(relayState, queryString, queryParamDTOs, serverURL, sessionId, rpSessionId, - authnMode, isLogout, MultitenantConstants.SUPER_TENANT_DOMAIN_NAME, isPassive); + authnMode, isLogout, MultitenantConstants.SUPER_TENANT_DOMAIN_NAME); + } + + /** + * validates the IdP Initiated SSO/SLO request. + * If the user already have a SSO session then the Response + * will be returned if not only the validation results will be returned. + * + * @param relayState + * @param queryString + * @param queryParamDTOs + * @param serverURL + * @param sessionId + * @param rpSessionId + * @param authnMode + * @param isLogout + * @return + * @throws IdentityException + * + * @deprecated This method was deprecated to support IsPassive. + * Use {@link #validateIdPInitSSORequest(String,String,QueryParamDTO[], + * String,String,String,String,boolean,String,boolean)} instead. + */ + public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relayState, String queryString, + QueryParamDTO[] queryParamDTOs, + String serverURL, String sessionId, + String rpSessionId, String authnMode, + boolean isLogout, String loginTenantDomain) + throws IdentityException { + + // For backward compatibility, the IsPassive param is set to false by default. + return validateIdPInitSSORequest(relayState, queryString, queryParamDTOs, serverURL, sessionId, rpSessionId, + authnMode, isLogout, loginTenantDomain, false); } /** 
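Review bot: The new nine-argument overload of `validateIdPInitSSORequest` carries a Javadoc `@deprecated` tag but no `@Deprecated` annotation, so the compiler will not warn callers and tooling that keys off the annotation will not see it as deprecated. Add `@Deprecated` directly above the `public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relayState, String queryString,` signature of the new method. The `{@link ...}` target in the tag matches the ten-argument signature, so only the annotation is missing.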
@@ -199,6 +231,7 @@ public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relaySta * @param authnMode Authn Mode * @param isLogout Is Logout * @param loginTenantDomain Login tenant Domain + * @param isPassive Is Passive * @return validationResponseDTO * @throws IdentityException */ diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java index 8ae54f695..7b2dd4746 100644 --- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java +++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java @@ -224,8 +224,6 @@ private void handleRequest(HttpServletRequest req, HttpServletResponse resp, boo String relayState = req.getParameter(SAMLSSOConstants.RELAY_STATE); String spEntityID = req.getParameter(SAMLSSOConstants.QueryParameter .SP_ENTITY_ID.toString()); - boolean isPassive = Boolean.valueOf(req.getParameter(SAMLSSOConstants.QueryParameter - .IS_PASSIVE.toString())); String samlRequest = req.getParameter(SAMLSSOConstants.SAML_REQUEST); String samlResponse = req.getParameter(SAMLSSOConstants.SAML_RESP); String sessionDataKey = getSessionDataKey(req); 
@@ -310,8 +308,7 @@ private void handleRequest(HttpServletRequest req, HttpServletResponse resp, boo return; } } else if (spEntityID != null || slo != null) { // idp initiated SSO/SLO - handleIdPInitSSO(req, resp, relayState, queryString, authMode, sessionId, isPost, - (slo != null), isPassive); + handleIdPInitSSO(req, resp, relayState, queryString, authMode, sessionId, isPost, (slo != null)); } else if (samlRequest != null) {// SAMLRequest received. SP initiated SSO handleSPInitSSO(req, resp, queryString, relayState, authMode, samlRequest, sessionId, isPost); } else if (samlResponse != null) {// SAMLResponse received. @@ -652,7 +649,7 @@ private void sendNotification(String errorResp, String status, String message, private void handleIdPInitSSO(HttpServletRequest req, HttpServletResponse resp, String relayState, String queryString, String authMode, String sessionId, - boolean isPost, boolean isLogout, boolean isPassive) throws UserStoreException, IdentityException, + boolean isPost, boolean isLogout) throws UserStoreException, IdentityException, IOException, ServletException { DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = null; @@ -674,7 +671,8 @@ private void handleIdPInitSSO(HttpServletRequest req, HttpServletResponse resp, String defaultLogoutLocation = FrameworkUtils.getRedirectURL(SAMLSSOUtil.getDefaultLogoutEndpoint(), req); SAMLSSOReqValidationResponseDTO signInRespDTO = samlSSOService.validateIdPInitSSORequest( relayState, queryString, getQueryParams(req), defaultLogoutLocation, sessionId, rpSessionId, - authMode, isLogout, getLoggedInTenantDomain(req), isPassive); + authMode, isLogout, getLoggedInTenantDomain(req), Boolean.valueOf(req.getParameter + (SAMLSSOConstants.QueryParameter.IS_PASSIVE.toString()))); setSPAttributeToRequest(req, signInRespDTO.getIssuer(), SAMLSSOUtil.getTenantDomainFromThreadLocal()); if (!signInRespDTO.isLogOutReq()) { From 990008bca865cb8cc7abba87960d8a48461a7a80 Mon Sep 17 00:00:00 2001 
From: JeethJJ Date: Fri, 24 Nov 2023 09:39:39 +0530 Subject: [PATCH 4/7] Separate isPassive parameter to a variable. --- .../identity/sso/saml/servlet/SAMLSSOProviderServlet.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java index 7b2dd4746..907bb8421 100644 --- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java +++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java @@ -669,10 +669,10 @@ private void handleIdPInitSSO(HttpServletRequest req, HttpServletResponse resp, SAMLSSOService samlSSOService = new SAMLSSOService(); String defaultLogoutLocation = FrameworkUtils.getRedirectURL(SAMLSSOUtil.getDefaultLogoutEndpoint(), req); + boolean isPassive = Boolean.valueOf(req.getParameter(SAMLSSOConstants.QueryParameter.IS_PASSIVE.toString())); SAMLSSOReqValidationResponseDTO signInRespDTO = samlSSOService.validateIdPInitSSORequest( relayState, queryString, getQueryParams(req), defaultLogoutLocation, sessionId, rpSessionId, - authMode, isLogout, getLoggedInTenantDomain(req), Boolean.valueOf(req.getParameter - (SAMLSSOConstants.QueryParameter.IS_PASSIVE.toString()))); + authMode, isLogout, getLoggedInTenantDomain(req), isPassive); setSPAttributeToRequest(req, signInRespDTO.getIssuer(), SAMLSSOUtil.getTenantDomainFromThreadLocal()); if (!signInRespDTO.isLogOutReq()) { From 93b4a097cbda1d16d390b66beffae42d49035ba8 Mon Sep 17 00:00:00 2001 
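Review bot: `boolean isPassive = Boolean.valueOf(req.getParameter(...))` boxes and immediately unboxes; `Boolean.parseBoolean(...)` yields the same result (`true` only for a case-insensitive `"true"`, `false` for null or anything else) without the intermediate object. That parsing rule deserves a comment, because `IsPassive=1` or `IsPassive=yes` will silently be treated as not passive, e.g. `// Only a case-insensitive "true" enables passive mode; an absent or any other value means false.` Since the value is taken from the request's query parameters in the IdP-initiated flow rather than from a signed AuthnRequest, it should be treated as a caller hint only, and if the `diagnosticLogBuilder` this method sets up records request details, including the parsed flag would make passive-mode outcomes easier to trace. `handleIdPInitSSO` starts and ends outside the hunk.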
From: JeethJJ Date: Fri, 24 Nov 2023 09:59:37 +0530 Subject: [PATCH 5/7] Adding param descriptions. --- .../identity/sso/saml/SAMLSSOService.java | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java index e9b40da27..899305dfe 100644 --- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java +++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java @@ -190,14 +190,15 @@ public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relaySta * If the user already have a SSO session then the Response * will be returned if not only the validation results will be returned. * - * @param relayState - * @param queryString - * @param queryParamDTOs - * @param serverURL - * @param sessionId - * @param rpSessionId - * @param authnMode - * @param isLogout + * @param relayState Relay State + * @param queryString Query String + * @param queryParamDTOs Query Param DTOs + * @param serverURL Server url + * @param sessionId Session id + * @param rpSessionId Rp Session id + * @param authnMode Authentication Mode + * @param isLogout Is Logout + * @param loginTenantDomain Login tenant Domain * @return * @throws IdentityException * From e1e873049ec7b7c59ad78afe9471c9f4f9d6b35d Mon Sep 17 00:00:00 2001 From: JeethJJ Date: Fri, 24 Nov 2023 10:35:33 +0530 Subject: [PATCH 6/7] Fix javadoc comments. --- .../carbon/identity/sso/saml/SAMLSSOService.java | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java index 899305dfe..fcbf02ce4 100644 --- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java +++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java @@ -190,15 +190,15 @@ public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relaySta * If the user already have a SSO session then the Response * will be returned if not only the validation results will be returned. * - * @param relayState Relay State - * @param queryString Query String - * @param queryParamDTOs Query Param DTOs + * @param relayState Relay state + * @param queryString Query string + * @param queryParamDTOs Query param DTOs * @param serverURL Server url * @param sessionId Session id - * @param rpSessionId Rp Session id - * @param authnMode Authentication Mode - * @param isLogout Is Logout - * @param loginTenantDomain Login tenant Domain + * @param rpSessionId Rp session id + * @param authnMode Authentication mode + * @param isLogout Is logout + * @param loginTenantDomain Login tenant domain * @return * @throws IdentityException * @@ -232,7 +232,7 @@ public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relaySta * @param authnMode Authn Mode * @param isLogout Is Logout * @param loginTenantDomain Login tenant Domain - * @param isPassive Is Passive + * @param isPassive Is passive * @return validationResponseDTO * @throws IdentityException */ From a16d8035057c178349f2e87cf137fd5557752353 Mon Sep 17 00:00:00 2001 
From: JeethJJ Date: Fri, 24 Nov 2023 18:01:45 +0530 Subject: [PATCH 7/7] Fix comments. --- .../identity/sso/saml/SAMLSSOService.java | 44 +++++++++---------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java index fcbf02ce4..5d964a65f 100644 --- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java +++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOService.java 
@@ -190,17 +190,17 @@ public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relaySta * If the user already have a SSO session then the Response * will be returned if not only the validation results will be returned. * - * @param relayState Relay state - * @param queryString Query string - * @param queryParamDTOs Query param DTOs - * @param serverURL Server url - * @param sessionId Session id - * @param rpSessionId Rp session id - * @param authnMode Authentication mode - * @param isLogout Is logout - * @param loginTenantDomain Login tenant domain + * @param relayState The relay state value used in SSO/SLO process, typically a unique identifier. + * @param queryString The complete query string from the SSO/SLO request. + * @param queryParamDTOs An array of QueryParamDTO objects representing the query parameters. + * @param serverURL The URL of the server where SSO/SLO request is processed. + * @param sessionId The session identifier for the user's current session. + * @param rpSessionId The session identifier for the relying party's session. + * @param authnMode The authentication mode used in the SSO/SLO process. + * @param isLogout Boolean flag indicating whether the request is for logout. + * @param loginTenantDomain The domain of the tenant in which the user is attempting to log in. * @return - * @throws IdentityException + * @throws IdentityException If any error occurs during the validation of the IdP Initiated SSO/SLO request. * * @deprecated This method was deprecated to support IsPassive. * Use {@link #validateIdPInitSSORequest(String,String,QueryParamDTO[], 
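Review bot: The `@return` tag on the deprecated nine-argument overload is still empty after this pass filled in every `@param` and the `@throws`, so the generated Javadoc shows a blank return description. Since the method only delegates with `isPassive` forced to `false`, `@return the validation result DTO, with the IsPassive flag defaulted to false` documents the one thing a caller of the deprecated form needs to know. The Javadoc block continues past the end of the hunk.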
@@ -223,18 +223,18 @@ public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relaySta * If the user already having a SSO session then the Response * will be returned if not only the validation results will be returned. * - * @param relayState Relay State - * @param queryString Query String - * @param queryParamDTOs Query Param DTOs - * @param serverURL Server url - * @param sessionId Session id - * @param rpSessionId Rp Session id - * @param authnMode Authn Mode - * @param isLogout Is Logout - * @param loginTenantDomain Login tenant Domain - * @param isPassive Is passive - * @return validationResponseDTO - * @throws IdentityException + * @param relayState The relay state value used in SSO/SLO process, typically a unique identifier. + * @param queryString The complete query string from the SSO/SLO request. + * @param queryParamDTOs An array of QueryParamDTO objects representing the query parameters. + * @param serverURL The URL of the server where SSO/SLO request is processed. + * @param sessionId The session identifier for the user's current session. + * @param rpSessionId The session identifier for the relying party's session. + * @param authnMode The authentication mode used in the SSO/SLO process. + * @param isLogout Boolean flag indicating whether the request is for logout. + * @param loginTenantDomain The domain of the tenant in which the user is attempting to log in. + * @param isPassive A boolean indicating whether the request is passive. + * @return validationResponseDTO + * @throws IdentityException If any error occurs during the validation of the IdP Initiated SSO/SLO request. */ public SAMLSSOReqValidationResponseDTO validateIdPInitSSORequest(String relayState, String queryString, QueryParamDTO[] queryParamDTOs,