def prepareAttributesMapping(self, remoteAttributesList, localAttributesList):
        """Build the remote -> local attribute name map for the Google+ script.

        Both arguments are comma-separated lists; entries are paired by position,
        lower-cased and stored in an IdentityHashMap. Returns None, after a log
        line, when either list is empty, when their lengths differ, or when no
        local attribute is 'uid' (the mandatory key this script needs).
        NOTE(review): IdentityHashMap compares keys by reference, so get() with a
        freshly built string will miss; presumably callers iterate the entries
        instead -- confirm before relying on look-ups.
        """
        remoteNames = StringHelper.split(remoteAttributesList, ",")
        if ArrayHelper.isEmpty(remoteNames):
            print("Google+ PrepareAttributesMapping. There is no attributes specified in remoteAttributesList property")
            return None

        localNames = StringHelper.split(localAttributesList, ",")
        if ArrayHelper.isEmpty(localNames):
            print("Google+ PrepareAttributesMapping. There is no attributes specified in localAttributesList property")
            return None

        if len(remoteNames) != len(localNames):
            print("Google+ PrepareAttributesMapping. The number of attributes in remoteAttributesList and localAttributesList isn't equal")
            return None

        attributeMapping = IdentityHashMap()
        containsUid = False
        for remoteName, localName in zip(remoteNames, localNames):
            remoteAttribute = StringHelper.toLowerCase(remoteName)
            localAttribute = StringHelper.toLowerCase(localName)
            attributeMapping.put(remoteAttribute, localAttribute)
            if StringHelper.equalsIgnoreCase(localAttribute, "uid"):
                containsUid = True

        if not containsUid:
            print("Google+ PrepareAttributesMapping. There is no mapping to mandatory 'uid' attribute")
            return None

        return attributeMapping
    def attribute_mapping_function(azure_ad_attributes_list, gluu_ldap_attributes_list):
        """Pair Azure AD attribute names with Gluu LDAP attribute names.

        Both arguments are comma-separated strings; entries are matched by
        position and lower-cased before being put in an IdentityHashMap. Returns
        None (with a log line) when either list is empty or the lengths differ.
        Unlike the Google+ variant there is no check that 'uid' is mapped --
        whether that is deliberate cannot be told from here. Any exception is
        logged and swallowed, which also yields None.
        NOTE(review): IdentityHashMap keys compare by reference, so get() with a
        new string will miss; presumably callers iterate the entries -- confirm.
        """
        try:
            remote_names = StringHelper.split(azure_ad_attributes_list, ",")
            if ArrayHelper.isEmpty(remote_names):
                print("AzureAD: There is no attributes specified in azure_ad_attributes_list property")
                return None

            local_names = StringHelper.split(gluu_ldap_attributes_list, ",")
            if ArrayHelper.isEmpty(local_names):
                print("AzureAD: There is no attributes specified in gluu_ldap_attributes_list property")
                return None

            if len(remote_names) != len(local_names):
                print("AzureAD: The number of attributes isn't equal")
                return None

            attributes_map = IdentityHashMap()
            for remote_name, local_name in zip(remote_names, local_names):
                attributes_map.put(StringHelper.toLowerCase(remote_name),
                                   StringHelper.toLowerCase(local_name))
            return attributes_map
        except Exception as err:
            print("AzureAD: Exception inside prepareAttributesMapping " + str(err))
    def init(self, configurationAttributes):
        """Read the login/local attribute lists for the multi-login Basic script.

        'login_attributes_list' (mandatory, comma-separated) names the attributes
        a user may log in with; 'local_login_attributes_list' (optional) names the
        matching local attributes and defaults to the login list when absent.
        Both arrays are stored on self for later steps. Returns False, after a
        log line, when the mandatory property is missing or empty or when the two
        lists differ in length; True otherwise.
        """
        print("Basic (multi login). Initialization")

        loginListProperty = configurationAttributes.get("login_attributes_list")
        if loginListProperty is None:
            print("Basic (multi login). Initialization. There is no property login_attributes_list")
            return False

        loginListValue = loginListProperty.getValue2()
        if StringHelper.isEmpty(loginListValue):
            print("Basic (multi login). Initialization. There is no attributes specified in login_attributes property")
            return False

        loginAttributes = StringHelper.split(loginListValue, ",")
        if ArrayHelper.isEmpty(loginAttributes):
            print("Basic (multi login). Initialization. There is no attributes specified in login_attributes property")
            return False

        if configurationAttributes.containsKey("local_login_attributes_list"):
            localListValue = configurationAttributes.get("local_login_attributes_list").getValue2()
            localAttributes = StringHelper.split(localListValue, ",")
        else:
            print("Basic (multi login). Initialization. There is no property local_login_attributes_list. Assuming that login attributes are equal to local login attributes.")
            localAttributes = loginAttributes

        if len(loginAttributes) != len(localAttributes):
            print("Basic (multi login). Initialization. The number of attributes in login_attributes_list and local_login_attributes_list isn't equal")
            return False

        self.login_attributes_list_array = loginAttributes
        self.local_login_attributes_list_array = localAttributes

        print("Basic (multi login). Initialized successfully")
        return True
    def prepareAttributesMapping(self, remoteAttributesList, localAttributesList):
        """Pair remote attribute names with local ones for the Registration script.

        Both arguments are comma-separated strings; entries are matched by
        position and lower-cased before being put in an IdentityHashMap. Returns
        None (with a log line) when either list is empty or the lengths differ;
        no 'uid' mapping is required here, unlike the Google+ variant. Any
        exception is logged and swallowed, which also yields None.
        NOTE(review): IdentityHashMap keys compare by reference, so get() with a
        new string will miss; presumably callers iterate the entries -- confirm.
        """
        try:
            remoteNames = StringHelper.split(remoteAttributesList, ",")
            if ArrayHelper.isEmpty(remoteNames):
                print("Registration: PrepareAttributesMapping. There is no attributes specified in remoteAttributesList property")
                return None

            localNames = StringHelper.split(localAttributesList, ",")
            if ArrayHelper.isEmpty(localNames):
                print("Registration: PrepareAttributesMapping. There is no attributes specified in localAttributesList property")
                return None

            if len(remoteNames) != len(localNames):
                print("Registration: PrepareAttributesMapping. The number of attributes in remoteAttributesList and localAttributesList isn't equal")
                return None

            attributeMapping = IdentityHashMap()
            for remoteName, localName in zip(remoteNames, localNames):
                attributeMapping.put(StringHelper.toLowerCase(remoteName),
                                     StringHelper.toLowerCase(localName))
            return attributeMapping
        except Exception as err:
            print("Registration: Exception inside prepareAttributesMapping " + str(err))
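    def authenticate(self, configurationAttributes, requestParameters, step):
        """Step-1 username/password authentication keyed on the 'mail' attribute.

        The submitted username may use a '+'-tagged form, "<local>+<tag>@<domain>",
        which is canonicalised to "<local>@<domain>" before the credential check
        (the tag is dropped, the domain after the '+' is kept). A username with
        no '+' is used as entered. Anything else -- more than one '+', or a tagged
        form whose second segment does not contain exactly one '@' -- is refused
        rather than guessed at: the previous revision indexed past the end of the
        '@' split in that case, and with several '+' it silently truncated the
        identity to the first segment and authenticated against that.

        Returns True only when step == 1 and AuthenticationService accepts the
        (canonical mail, password) pair; every other step returns False.
        """
        authenticationService = CdiUtil.bean(AuthenticationService)

        if step != 1:
            return False

        print("Basic. Authenticate for step 1")

        identity = CdiUtil.bean(Identity)
        credentials = identity.getCredentials()
        raw_user_name = credentials.getUsername()
        user_password = credentials.getPassword()

        # Refuse empty credentials before any splitting so a null username never
        # reaches StringHelper.split.
        if not (StringHelper.isNotEmptyString(raw_user_name) and StringHelper.isNotEmptyString(user_password)):
            return False

        user_name_array = StringHelper.split(raw_user_name, "+")
        if len(user_name_array) == 1:
            user_name = user_name_array[0]
        elif len(user_name_array) == 2:
            email_id_array = StringHelper.split(user_name_array[1], "@")
            if len(email_id_array) != 2:
                print("Basic. Authenticate for step 1. Tagged username does not contain a single '@' after '+', refusing")
                return False
            user_name = user_name_array[0] + "@" + email_id_array[1]
        else:
            print("Basic. Authenticate for step 1. Username contains more than one '+', refusing")
            return False

        print("Username for authentication is: %s  " % user_name)

        logged_in = authenticationService.authenticate(user_name, user_password, "mail", "mail")
        if not logged_in:
            return False

        return True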
    def prepareClientRedirectUris(self, configurationAttributes):
        """Return the 'client_redirect_uris' property as a HashSet of strings.

        The property is optional; when it is absent, empty, or splits to nothing
        an empty set is returned (with a log line in the latter two cases).
        Entries are added exactly as split -- no trimming or normalisation is done
        here, so callers presumably match them verbatim.
        """
        redirectUris = HashSet()
        if not configurationAttributes.containsKey("client_redirect_uris"):
            return redirectUris

        rawValue = configurationAttributes.get("client_redirect_uris").getValue2()
        if StringHelper.isEmpty(rawValue):
            print("Client registration. The property client_redirect_uris is empty")
            return redirectUris

        entries = StringHelper.split(rawValue, ",")
        if ArrayHelper.isEmpty(entries):
            print("Client registration. No clients specified in client_redirect_uris property")
            return redirectUris

        # A HashSet gives O(1) membership tests for the callers.
        for entry in entries:
            redirectUris.add(entry)

        return redirectUris
    def prepareClientsSet(self, configurationAttributes):
        """Return the 'allowed_clients' property as a HashSet of client ids.

        The property is optional; when it is absent, empty, or splits to nothing
        an empty set is returned (with a log line in the latter two cases).
        Entries are added exactly as split, without trimming.
        """
        allowedClients = HashSet()
        if not configurationAttributes.containsKey("allowed_clients"):
            return allowedClients

        rawValue = configurationAttributes.get("allowed_clients").getValue2()
        if StringHelper.isEmpty(rawValue):
            print("UmaRptPolicy. The property allowed_clients is empty")
            return allowedClients

        entries = StringHelper.split(rawValue, ",")
        if ArrayHelper.isEmpty(entries):
            print("UmaRptPolicy. No clients specified in allowed_clients property")
            return allowedClients

        # A HashSet gives O(1) membership tests for the policy check.
        for entry in entries:
            allowedClients.add(entry)

        return allowedClients
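    def prepareUserObjectClasses(self, configurationAttributes):
        """Return the 'user_object_classes' property split on ',' or None.

        Returns None when the property is missing, or when it splits to no
        entries. The missing-property case previously raised AttributeError on
        None.getValue2(); it is now reported and handled like the other optional
        property readers in this file.
        """
        propertyObject = configurationAttributes.get("user_object_classes")
        if propertyObject is None:
            print("prepareUserObjectClasses. There is no property user_object_classes")
            return None

        user_object_classes_list_array = StringHelper.split(propertyObject.getValue2(), ",")
        if ArrayHelper.isEmpty(user_object_classes_list_array):
            return None

        return user_object_classes_list_array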
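    def prepareUserEnforceUniquenessAttributes(self, configurationAttributes):
        """Return the 'enforce_uniqueness_attr_list' property split on ',' or None.

        Returns None when the property is missing, or when it splits to no
        entries. The missing-property case previously raised AttributeError on
        None.getValue2(); it is now reported and handled like the other optional
        property readers in this file.
        """
        propertyObject = configurationAttributes.get("enforce_uniqueness_attr_list")
        if propertyObject is None:
            print("prepareUserEnforceUniquenessAttributes. There is no property enforce_uniqueness_attr_list")
            return None

        enforce_uniqueness_attr_list_array = StringHelper.split(propertyObject.getValue2(), ",")
        if ArrayHelper.isEmpty(enforce_uniqueness_attr_list_array):
            return None

        return enforce_uniqueness_attr_list_array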
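    def init(self, configurationAttributes):
        """Load the Casa authentication modules and record their configuration.

        Fetches the PERSON_AUTHENTICATION custom scripts, lets computeMethods()
        derive the dynamic ACRs from them and, for each ACR, imports the module
        named modulePrefix + acr, instantiates its PersonAuthentication class and
        calls its init() with that script's configuration attributes. The U2F and
        Super Gluu modules additionally receive this script's 'u2f_app_id' /
        'supergluu_app_id' property; when that property is absent the module is
        now skipped with a specific log line instead of surfacing as the generic
        "Failed to load module" message caused by None.getValue2(). Modules whose
        init() returns True are stored in self.authenticators keyed by ACR.

        self.mobile_methods is now set unconditionally (previously only when at
        least one dynamic method existed, leaving the attribute undefined
        otherwise). Always returns True, even when no module could be loaded.
        """
        print("Casa. init called")
        self.authenticators = {}
        self.configFileLocation = "/etc/gluu/conf/casa.json"
        self.uid_attr = self.getLocalPrimaryKey()

        custScriptService = CdiUtil.bean(CustomScriptService)
        self.scriptsList = custScriptService.findCustomScripts(
            Collections.singletonList(CustomScriptType.PERSON_AUTHENTICATION),
            "oxConfigurationProperty", "displayName", "oxEnabled", "oxLevel")
        dynamicMethods = self.computeMethods(self.scriptsList)

        if len(dynamicMethods) > 0:
            print("Casa. init. Loading scripts for dynamic modules: %s" % dynamicMethods)

            for acr in dynamicMethods:
                moduleName = self.modulePrefix + acr
                try:
                    # level=-1 is the Python 2 / Jython import semantics this file relies on.
                    external = __import__(moduleName, globals(), locals(), ["PersonAuthentication"], -1)
                    module = external.PersonAuthentication(self.currentTimeMillis)

                    print("Casa. init. Got dynamic module for acr %s" % acr)
                    configAttrs = self.getConfigurationAttributes(acr, self.scriptsList)

                    # Property of this script that the module needs, and the name
                    # the module expects it under.
                    if acr == self.ACR_U2F:
                        propertyName, attributeName = "u2f_app_id", "u2f_application_id"
                    elif acr == self.ACR_SG:
                        propertyName, attributeName = "supergluu_app_id", "application_id"
                    else:
                        propertyName, attributeName = None, None

                    if propertyName is not None:
                        propertyObject = configurationAttributes.get(propertyName)
                        if propertyObject is None:
                            print("Casa. init. Property %s is missing, module %s will not be loaded" % (propertyName, moduleName))
                            continue
                        configAttrs.put(attributeName, SimpleCustomProperty(attributeName, propertyObject.getValue2()))

                    if module.init(configAttrs):
                        module.configAttrs = configAttrs
                        self.authenticators[acr] = module
                    else:
                        print("Casa. init. Call to init in module '%s' returned False" % moduleName)
                except:
                    # Bare except kept on purpose: on Jython, module loading can
                    # raise Java exceptions that 'except Exception' may not catch
                    # -- TODO confirm for the Jython version in use before narrowing.
                    print("Casa. init. Failed to load module %s" % moduleName)
                    print("Exception: %s" % sys.exc_info()[1])

        mobile_methods = configurationAttributes.get("mobile_methods")
        self.mobile_methods = [] if mobile_methods is None else StringHelper.split(mobile_methods.getValue2(), ",")

        print("Casa. init. Initialized successfully")
        return True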
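    def update(self, dynamicScopeContext, configurationAttributes):
        """Add a 'saml_nameid' claim for the requesting client when a mapping exists.

        The client's policyUri is used as the SAML SPNameQualifier. When it is
        set, the user's 'persistentId' values -- stored as
        "<SPNameQualifier>|<IDP NameQualifier>|<subject>" -- are scanned and, for
        every entry whose first segment equals the client's value, a JSON NameID
        object with "SPNameQualifier", "NameQualifier" and "value" is set as the
        'saml_nameid' claim (the last matching entry wins, as before).

        Changes versus the previous revision: the match is an exact comparison
        of the first '|' segment instead of a substring search, so a policyUri
        that merely appears inside another RP's qualifier -- or an empty one,
        which matched every entry -- no longer releases another RP's pairwise
        identifier; the JSON is built with JSONObject.put() so '"' or '\\' in a
        segment cannot break or alter the object; entries with fewer than three
        segments are skipped; and the emptiness check uses len() (the previous
        '.size > 0' compared a bound method with an int). policyUri is
        client-registered metadata and is treated as untrusted here.

        Always returns True.
        """
        print("Dynamic scope [saml_nameid_scope]. Update method")

        authorizationGrant = dynamicScopeContext.getAuthorizationGrant()
        oidcClient = authorizationGrant.getClient()
        samlSpNameQualifier = oidcClient.getPolicyUri()

        if samlSpNameQualifier is None:
            return True

        print("Dynamic scope [saml_nameid_scope]. Found SPNameQualifier parameter '%s'" % samlSpNameQualifier)
        user = dynamicScopeContext.getUser()
        userPersistentIds = user.getAttributeValues("persistentId")
        if userPersistentIds is None or len(userPersistentIds) == 0:
            return True

        for userPersistentId in userPersistentIds:
            # Format is: persistentIdSamlSpNQ|persistentIdIdp|persistentIdUid
            parts = StringHelper.split(userPersistentId, '|')
            if len(parts) < 3:
                print("Dynamic scope [saml_nameid_scope]. Skipping malformed persistentId '%s'" % userPersistentId)
                continue
            # Exact match on the SP segment; a substring test would let one RP's
            # qualifier match another RP's entry.
            if parts[0] != samlSpNameQualifier:
                continue

            print("Dynamic scope [saml_nameid_scope]. Found matching persistentId '%s'" % userPersistentId)
            # put() escapes the values; never splice them into a JSON format string.
            samlNameId = JSONObject()
            samlNameId.put("SPNameQualifier", parts[0])
            samlNameId.put("NameQualifier", parts[1])
            samlNameId.put("value", parts[2])
            claims = dynamicScopeContext.getJsonWebResponse().getClaims()
            claims.setClaim("saml_nameid", samlNameId)

        return True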
    def processMappingCollectionFilters(self, attrs):
        """Parse the IDP / RP filters that enable old-mapping collection.

        Reads the 'idp_to_collect_old_mappings_from' and
        'rps_to_collect_old_mappings_for' script properties. Collection is
        enabled only when both are present and non-empty; their comma-separated
        values are then stored on self as arrays. Otherwise both attributes are
        left as empty lists and a log line says that nothing will be collected.
        Always returns True.
        """
        self.idp_to_collect_old_mappings_from = []
        self.rps_to_collect_old_mappings_for  = []

        param_idp = attrs.get("idp_to_collect_old_mappings_from")
        param_rps = attrs.get("rps_to_collect_old_mappings_for")

        collecting = False
        if param_idp is not None and param_rps is not None:
            idpList = param_idp.getValue2()
            rpList = param_rps.getValue2()
            collecting = StringHelper.isNotEmpty(idpList) and StringHelper.isNotEmpty(rpList)

        if collecting:
            self.idp_to_collect_old_mappings_from = StringHelper.split(idpList, ',')
            self.rps_to_collect_old_mappings_for  = StringHelper.split(rpList, ',')
            print("Passport-saml. init. COLLECTING mappings for IDPs [ %s ]" % ', '.join(self.idp_to_collect_old_mappings_from))
            print("Passport-saml. init. COLLECTING mappings for RPs [ %s ]" % ', '.join(self.rps_to_collect_old_mappings_for))
        else:
            print("Passport-saml. init. NOT COLLECTING any mappings, parameters [idp_to_collect_old_mappings_from] and [rps_to_collect_old_mappings_for] missing/empty.")

        return True
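    def setClientScopes(self, client, requiredScopes):
        """Append every non-default scope named in the script parameter to the client.

        requiredScopes is the property holding a comma-separated list of scope
        ids; None means the parameter was not configured and nothing changes.
        Each id is resolved through ScopeService; scopes flagged as default are
        skipped (presumably because clients get those anyway -- confirm), the
        rest are appended by DN to the client's scope array. An id that resolves
        to no scope is now logged and skipped instead of raising AttributeError
        on None, which previously aborted the whole hook part-way through the
        list. No de-duplication is attempted: a DN the client already holds is
        appended again, as before -- TODO confirm client.setScopes tolerates that.
        """
        if requiredScopes is None:
            print("Casa client registration. No list of scopes was passed in script parameters")
            return

        scopeService = CdiUtil.bean(ScopeService)
        newScopes = client.getScopes()

        for scopeName in StringHelper.split(requiredScopes.getValue2(), ","):
            scope = scopeService.getScopeById(scopeName)
            if scope is None:
                print("Casa client registration. Scope '%s' not found, skipping" % scopeName)
                continue
            if scope.isDefaultScope():
                continue
            print("Casa client registration. Adding scope '%s'" % scopeName)
            newScopes = ArrayHelper.addItemToStringArray(newScopes, scope.getDn())

        print("Casa client registration. Result scopes are: %s" % newScopes)
        client.setScopes(newScopes)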
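    def setClientScopes(self, client, requiredScopes):
        """Append every non-default scope named in the script parameter to the client.

        requiredScopes is the property holding a comma-separated list of scope
        ids; None means the parameter was not configured and nothing changes.
        Each id is resolved through ScopeService; scopes flagged as default are
        skipped (presumably because clients get those anyway -- confirm), the
        rest are appended by DN to the client's scope array. An id that resolves
        to no scope is now logged and skipped instead of raising AttributeError
        on None, which previously aborted the whole hook part-way through the
        list. No de-duplication is attempted: a DN the client already holds is
        appended again, as before -- TODO confirm client.setScopes tolerates that.
        """
        if requiredScopes is None:
            print("Casa client registration. No list of scopes was passed in script parameters")
            return

        scopeService = CdiUtil.bean(ScopeService)
        newScopes = client.getScopes()

        for scopeName in StringHelper.split(requiredScopes.getValue2(), ","):
            scope = scopeService.getScopeById(scopeName)
            if scope is None:
                print("Casa client registration. Scope '%s' not found, skipping" % scopeName)
                continue
            if scope.isDefaultScope():
                continue
            print("Casa client registration. Adding scope '%s'" % scopeName)
            newScopes = ArrayHelper.addItemToStringArray(newScopes, scope.getDn())

        print("Casa client registration. Result scopes are: %s" % newScopes)
        client.setScopes(newScopes)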
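    def init(self, configurationAttributes):
        """Load the Casa authentication modules and record their configuration.

        Fetches the PERSON_AUTHENTICATION custom scripts, lets computeMethods()
        derive the dynamic ACRs from them and, for each ACR, imports the module
        named modulePrefix + acr, instantiates its PersonAuthentication class and
        calls its init() with that script's configuration attributes. The U2F and
        Super Gluu modules additionally receive this script's 'u2f_app_id' /
        'supergluu_app_id' property; when that property is absent the module is
        now skipped with a specific log line instead of surfacing as the generic
        "Failed to load module" message caused by None.getValue2(). Modules whose
        init() returns True are stored in self.authenticators keyed by ACR.

        self.mobile_methods is now set unconditionally (previously only when at
        least one dynamic method existed, leaving the attribute undefined
        otherwise). Always returns True, even when no module could be loaded.
        """
        print("Casa. init called")
        self.authenticators = {}
        self.configFileLocation = "/etc/gluu/conf/casa.json"
        self.uid_attr = self.getLocalPrimaryKey()

        custScriptService = CdiUtil.bean(CustomScriptService)
        self.scriptsList = custScriptService.findCustomScripts(Collections.singletonList(CustomScriptType.PERSON_AUTHENTICATION), "oxConfigurationProperty", "displayName", "gluuStatus", "oxLevel")
        dynamicMethods = self.computeMethods(self.scriptsList)

        if len(dynamicMethods) > 0:
            print("Casa. init. Loading scripts for dynamic modules: %s" % dynamicMethods)

            for acr in dynamicMethods:
                moduleName = self.modulePrefix + acr
                try:
                    # level=-1 is the Python 2 / Jython import semantics this file relies on.
                    external = __import__(moduleName, globals(), locals(), ["PersonAuthentication"], -1)
                    module = external.PersonAuthentication(self.currentTimeMillis)

                    print("Casa. init. Got dynamic module for acr %s" % acr)
                    configAttrs = self.getConfigurationAttributes(acr, self.scriptsList)

                    # Property of this script that the module needs, and the name
                    # the module expects it under.
                    if acr == self.ACR_U2F:
                        propertyName, attributeName = "u2f_app_id", "u2f_application_id"
                    elif acr == self.ACR_SG:
                        propertyName, attributeName = "supergluu_app_id", "client_redirect_uri"
                    else:
                        propertyName, attributeName = None, None

                    if propertyName is not None:
                        propertyObject = configurationAttributes.get(propertyName)
                        if propertyObject is None:
                            print("Casa. init. Property %s is missing, module %s will not be loaded" % (propertyName, moduleName))
                            continue
                        configAttrs.put(attributeName, SimpleCustomProperty(attributeName, propertyObject.getValue2()))

                    if module.init(configAttrs):
                        module.configAttrs = configAttrs
                        self.authenticators[acr] = module
                    else:
                        print("Casa. init. Call to init in module '%s' returned False" % moduleName)
                except:
                    # Bare except kept on purpose: on Jython, module loading can
                    # raise Java exceptions that 'except Exception' may not catch
                    # -- TODO confirm for the Jython version in use before narrowing.
                    print("Casa. init. Failed to load module %s" % moduleName)
                    print("Exception: %s" % sys.exc_info()[1])

        mobile_methods = configurationAttributes.get("mobile_methods")
        self.mobile_methods = [] if mobile_methods is None else StringHelper.split(mobile_methods.getValue2(), ",")

        print("Casa. init. Initialized successfully")
        return True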
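    def authenticate(self, configurationAttributes, requestParameters, step):
        """Country allow-list gate followed by step-1 username/password auth.

        When self.allowedCountries (a comma-separated list, presumably of country
        codes set in init -- confirm) is non-empty, the session's 'remote_ip' is
        resolved with determineGeolocationData() and the request is refused
        unless the returned 'countryCode' is in the list. The gate now fails
        closed whenever it cannot decide: a session without 'remote_ip', a failed
        lookup, or a result without 'countryCode' all return False. Previously a
        session lacking 'remote_ip' skipped the allow-list entirely, and the
        failed-lookup branch returned None implicitly.

        Step 1 then authenticates the submitted username/password through
        AuthenticationService and returns its verdict; any other step returns
        False.
        """
        identity = CdiUtil.bean(Identity)
        session_attributes = identity.getSessionId().getSessionAttributes()
        authenticationService = CdiUtil.bean(AuthenticationService)

        allowedCountriesListArray = StringHelper.split(self.allowedCountries, ",")
        if len(allowedCountriesListArray) > 0:
            if not session_attributes.containsKey("remote_ip"):
                print("Super-Gluu. Authenticate. Country allow-list is configured but the session has no remote_ip, refusing")
                return False
            remote_ip = session_attributes.get("remote_ip")
            remote_loc_dic = self.determineGeolocationData(remote_ip)
            if remote_loc_dic is None:
                print("Super-Gluu. Authenticate. Failed to determine remote location by remote IP '%s'" % remote_ip)
                return False
            country_code = remote_loc_dic.get('countryCode')
            if country_code is None:
                print("Super-Gluu. Authenticate. Geolocation result for '%s' has no countryCode, refusing" % remote_ip)
                return False
            remote_loc = "%s" % country_code
            print("Your remote location is " + remote_loc)
            if remote_loc not in allowedCountriesListArray:
                print("Super-Gluu. Authenticate. Country '%s' is not in the allow-list, refusing" % remote_loc)
                return False
            print("you are allowed to access")

        if step != 1:
            return False

        print("Basic. Authenticate for step 1")
        credentials = identity.getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()

        logged_in = False
        if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
            logged_in = authenticationService.authenticate(user_name, user_password)

        if not logged_in:
            return False

        return True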
    def prepareClientsSet(self, configurationAttributes):
        """Return the 'allowed_clients' property as a HashSet of client ids.

        The property is optional; when it is absent, empty, or splits to nothing
        an empty set is returned (with a log line in the latter two cases).
        Entries are added exactly as split, without trimming.
        """
        allowedClients = HashSet()
        if not configurationAttributes.containsKey("allowed_clients"):
            return allowedClients

        rawValue = configurationAttributes.get("allowed_clients").getValue2()
        if StringHelper.isEmpty(rawValue):
            print("UMA authorization policy. Initialization. The property allowed_clients is empty")
            return allowedClients

        entries = StringHelper.split(rawValue, ",")
        if ArrayHelper.isEmpty(entries):
            print("UMA authorization policy. Initialization. There aren't clients specified in allowed_clients property")
            return allowedClients

        # A HashSet gives O(1) membership tests for the policy check.
        for entry in entries:
            allowedClients.add(entry)

        return allowedClients
    def prepareClientRedirectUris(self, configurationAttributes):
        """Return the 'client_redirect_uris' property as a HashSet of strings.

        The property is optional; when it is absent, empty, or splits to nothing
        an empty set is returned (with a log line in the latter two cases).
        Entries are added exactly as split -- no trimming or normalisation is done
        here, so callers presumably match them verbatim.
        """
        redirectUris = HashSet()
        if not configurationAttributes.containsKey("client_redirect_uris"):
            return redirectUris

        rawValue = configurationAttributes.get("client_redirect_uris").getValue2()
        if StringHelper.isEmpty(rawValue):
            print("Casa client registration. The property client_redirect_uris is empty")
            return redirectUris

        entries = StringHelper.split(rawValue, ",")
        if ArrayHelper.isEmpty(entries):
            print("Casa client registration. No clients specified in client_redirect_uris property")
            return redirectUris

        # A HashSet gives O(1) membership tests for the callers.
        for entry in entries:
            redirectUris.add(entry)

        return redirectUris
    def attemptAuthentication(self, identity, user_profile, user_profile_json):

        uidKey = "uid"

        print "Passport-saml. attemptAuthentication. got session '%s'"  % identity.getSessionId().toString()
        sessionId = identity.getSessionId()
        sessionAttributes = sessionId.getSessionAttributes()
        collectSamlPass = sessionAttributes.get("collectSamlPass")
        switchFlowStatus = sessionAttributes.get("switchFlowStatus")

        if (collectSamlPass != 2):
            # COLLECT - Do not check user attributes if user has already been authenticated
            if not self.checkRequiredAttributes(user_profile, [uidKey, self.providerKey]):
                return False

        provider = user_profile[self.providerKey]
        if not provider in self.registeredProviders:
            print "Passport-saml. attemptAuthentication. Identity Provider %s not recognized" % provider
            return False

        # We assign the UID from the response as the SAML uid by default
        uid = user_profile[uidKey][0]

        # PERSISTENT_ID - save the original one generated by passport for collection purposes in second pass
        passportPersistentId = user_profile["persistentId"][0]
        # PERSISTENT_ID - generate the persistentId for the RP in case there is no further processing/collection happening (SAML only)
        newPersistentId = None
        newPersistentIdRp = sessionAttributes.get("spNameQualifier")
        if ( newPersistentIdRp != None and StringHelper.isNotEmptyString(newPersistentIdRp) ):
            newPersistentIdIdp = self.registeredProviders[provider]["issuer"]
            newPersistentIdUid = "sic" + uuid.uuid4().hex
            newPersistentId = '%s|%s|%s' % (newPersistentIdRp, newPersistentIdIdp, newPersistentIdUid )
        else:
            print "WARNING! The 'spNameQualifier' attribute from SHIBBOLETH is empty, no persistentId will be generated"

        # COLLECT - do NOT generate a new persistentId if collecting
        if  ( collectSamlPass != None and newPersistentId != None  ):
            user_profile["persistentId"][0] = newPersistentId
        # SWITCH - do NOT generate a new persistentId if the switch flow is being executed
        elif( switchFlowStatus == None and newPersistentId != None ):
            user_profile["persistentId"][0] = newPersistentId
        else:
            user_profile.pop("persistentId");

        # COLLECT - In this block we manipulate the "uid" and "persistentId" according to login or capturing pass
        if (collectSamlPass == 1):

            # The first time around we save the UID in the session parameter
            print "Passport-saml. attemptAuthentication. COLLECTING - First Pass. Saving original UID in session as '%s'"  % uid
            sessionAttributes.put("collect_originalUid", uid)

            # Removing persistentId from initial save because we need to run collection first
            print "Passport-saml. attemptAuthentication. COLLECTING - First Pass. Saving generated PersistentId for second pass to '%s'"  % user_profile["persistentId"][0]
            sessionAttributes.put("collect_generatedPersistentId", user_profile["persistentId"][0])
            user_profile.pop("persistentId")

        elif (collectSamlPass == 2):
            # The second time around we retrieve the saved UID
            print "Passport-saml. attemptAuthentication. COLLECTING - Second Pass. Authenticated for collection as '%s'"  % uid

            # Here we verify if there was no answer (GCKey) because allowCreate=false
            if (user_profile == None):
                print "Passport-saml. attemptAuthentication. Aw Crap, user_profile in response is None for original UID '%s'"  % uid
            elif (user_profile[uidKey] == None):
                print "Passport-saml. attemptAuthentication. Aw Crap, user_profile[uidKey] in response is None for original UID '%s'"  % uid
                #user_profile[persistentId] = []
                #user_profile[persistentId].append(generatedPersistentId)
            elif (user_profile[uidKey][0] == None):
                print "Passport-saml. attemptAuthentication. Aw Crap, user_profile[uidKey][0] in response is None for original UID '%s'"  % uid
            else:
                # COLLECT - Collect the persistent ID / PAI for the RP here
                # 1. take old persistentId and split by |
                # 2. replace the RP and keep provider and the PAI UID
                # 3. lastly put it back into the profile mapping and put the original UID back into the profile
                print "Passport-saml. attemptAuthentication. COLLECTING - Second Pass. Original persistentId from passport '%s'"  %  user_profile["persistentId"][0]
                rpPersistentId = passportPersistentId.split('|')
                newPersistentIdIdp = rpPersistentId[1]
                newPersistentIdUid = rpPersistentId[2]
                user_profile["persistentId"][0] = '%s|%s|%s' % (newPersistentIdRp, newPersistentIdIdp, newPersistentIdUid )
                print "Passport-saml. attemptAuthentication. COLLECTING - Second Pass. Collected persistentId '%s'"  % user_profile["persistentId"][0]

                uid = sessionAttributes.get("collect_originalUid")
                user_profile[uidKey][0] = uid
                print "Passport-saml. attemptAuthentication. COLLECTING - Second Pass. Setting profile to original UID '%s'"  % uid

            sessionAttributes.remove("collectSamlPass")
            sessionAttributes.remove("collect_originalUid")
            sessionAttributes.remove("collect_generatedPersistentId")

        externalUid = "passport-%s:%s:%s" % ("saml", provider, uid)

        print "Passport-saml. attemptAuthentication. Searching for user ExternalUID '%s'" % externalUid

        # MFA - save external UID to retrieve the user later
        sessionAttributes.put("auth_user_externalUid", externalUid)

        userService = CdiUtil.bean(UserService)
        userByUid = self.getUserByExternalUid(uid, provider, userService)


        # COLLECT - We will never use email in our data
        email = None
        if "mail" in user_profile:
            email = user_profile["mail"]
            if len(email) == 0:
                email = None
            else:
                email = email[0]
                user_profile["mail"] = [ email ]

        if email == None and self.registeredProviders[provider]["requestForEmail"]:
            print "Passport-saml. attemptAuthentication. Email was not received"

            if userByUid != None:
                # COLLECT - if collecting we check for existing persistentIds for RP to skip second call
                if (collectSamlPass == 1):
                    userPersistentIds = userByUid.getAttributeValues("persistentId")
                    if ( newPersistentIdRp != None and userPersistentIds != None ):
                        if ( userPersistentIds.size > 0 ):
                            # go through existing user persistentIds
                            for userPersistentId in userPersistentIds:
                                existingMappedRp = StringHelper.split(userPersistentId,'|')[0]
                                # if the current RP already has a mapping then skip the second phase
                                if ( userPersistentId.find(newPersistentIdRp) > -1 ):
                                    sessionAttributes.remove("selectedProvider")

                # This avoids asking for the email over every login attempt
                email = userByUid.getAttribute("mail")
                if email != None:
                    print "Passport-saml. attemptAuthentication. Filling missing email value with %s" % email
                    user_profile["mail"] = [ email ]

            if email == None:
                # Store user profile in session and abort this routine
                identity.setWorkingParameter("passport_user_profile", user_profile_json)
                return True

        # COLLECT - we will never store email addresses or match via EMAIL, skip to speed up processing
        # userByMail = None if email == None else userService.getUserByAttribute("mail", email)
        userByMail = None

        # Determine if we should add entry, update existing, or deny access
        doUpdate = False
        doAdd = False
        if userByUid != None:
            print "User with externalUid '%s' already exists" % externalUid
            if userByMail == None:
                doUpdate = True
            else:
                if userByMail.getUserId() == userByUid.getUserId():
                    doUpdate = True
                else:
                    print "Users with externalUid '%s' and mail '%s' are different. Access will be denied. Impersonation attempt?" % (externalUid, email)
                    self.setMessageError(FacesMessage.SEVERITY_ERROR, "Email value corresponds to an already existing provisioned account")
        else:
            if userByMail == None:
                doAdd = True
            elif self.registeredProviders[provider]["emailLinkingSafe"]:

                tmpList = userByMail.getAttributeValues("oxExternalUid")
                tmpList = ArrayList() if tmpList == None else ArrayList(tmpList)
                tmpList.add(externalUid)
                userByMail.setAttribute("oxExternalUid", tmpList)

                userByUid = userByMail
                print "External user supplying mail %s will be linked to existing account '%s'" % (email, userByMail.getUserId())
                doUpdate = True
            else:
                print "An attempt to supply an email of an existing user was made. Turn on 'emailLinkingSafe' if you want to enable linking"
                self.setMessageError(FacesMessage.SEVERITY_ERROR, "Email value corresponds to an already existing account. If you already have a username and password use those instead of an external authentication site to get access.")

        # MFA - precreate a new PAI for MFA
        if ( sessionAttributes.get("mfaFlowStatus") == "MFA_1_REQUIRED" ):
            # generate a new MFA PAI in case there is none in the user profile
            mfaUid = "mfa" + uuid.uuid4().hex
            user_profile[ "oxExternalUid_newMfa" ] = [ "passport-mfa:" + mfaUid ]

        username = None
        try:
            if doUpdate:
                username = userByUid.getUserId()
                user_profile[uidKey][0] = username
                print "Passport-saml. attemptAuthentication. Updating user %s" % username
                self.updateUser(userByUid, user_profile, userService)
            elif doAdd:
                print "Passport-saml. attemptAuthentication. Creating user %s" % externalUid
                user_profile[uidKey][0] = uuid.uuid4().hex
                newUser = self.addUser(externalUid, user_profile, userService)
                username = newUser.getUserId()
        except:
            print "Exception: ", sys.exc_info()[1]
            print "Passport-saml. attemptAuthentication. Authentication failed"
            return False

        if username == None:
            print "Passport-saml. attemptAuthentication. Authentication attempt was rejected"
            return False
        else:
            logged_in = CdiUtil.bean(AuthenticationService).authenticate(username)
            print "Passport-saml. attemptAuthentication. Authentication for %s returned %s" % (username, logged_in)
            if ( logged_in == True ):
                # Save the authenticated data
                sessionAttributes.put("authenticatedProvider", "passport_saml:" + provider)
                sessionAttributes.put("authenticatedUser", username)
                # SWITCH - Save contextual data for the switch flows
                if (switchFlowStatus == "1_GET_SOURCE"):
                    print "Passport-saml. attemptAuthentication. SWITCH FLOW: Setting SOURCE provider to %s" % sessionAttributes.get("authenticatedProvider")
                    sessionAttributes.put( "switchSourceAuthenticatedProvider", sessionAttributes.get("authenticatedProvider") )
                    sessionAttributes.put( "switchSourceAuthenticatedUser", username)
                elif (switchFlowStatus == "2_GET_TARGET"):
                    print "Passport-saml. attemptAuthentication. SWITCH FLOW: Setting TARGET provider to %s" % sessionAttributes.get("authenticatedProvider")
                    sessionAttributes.put("switchTargetAuthenticatedProvider", sessionAttributes.get("authenticatedProvider") )
                    sessionAttributes.put("switchTargetAuthenticatedUser", username)
                elif (sessionAttributes.get("mfaFlowStatus") == "MFA_1_REQUIRED"):
                    print "Passport-saml. attemptAuthentication. MFA FLOW: starting flow marking status = MFA_2_IN_PROGRESS"
                    sessionAttributes.put("mfaFlowStatus", "MFA_2_IN_PROGRESS")
                    sessionAttributes.put("selectedProvider", "mfa")

            ## SESSION_SAFE - update
            CdiUtil.bean(SessionIdService).updateSessionId(sessionId)

            return logged_in
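    def prepareForStep(self, configurationAttributes, requestParameters, step):
        """Prepare the IDP chooser page for *step*.

        Resolves the session "entityId" (derived from the OIDC client name when
        absent) and "spNameQualifier" (from the client's policy URI), picks the
        page content and credential buttons to render, advances the account
        SWITCH flow when a source/target user has authenticated, and marks the
        MFA flow for entityIds listed in ``self.entityids_with_mfa``.  All state
        is kept in the session attributes and persisted with ``updateSessionId``.

        Returns True for steps 1 and 2, False for any other step or when no page
        content can be resolved for the entityId.
        """
        print("IDP Chooser. prepareForStep called for step '%s'" % step)

        identity = CdiUtil.bean(Identity)
        sessionId = identity.getSessionId()
        sessionAttributes = sessionId.getSessionAttributes()
        entityId = sessionAttributes.get("entityId")
        entitySpNameQualifier = sessionAttributes.get("spNameQualifier")

        # entityId is used for UI branding. For OIDC clients derive it from the client name.
        if entityId is None:
            currentClientId = sessionAttributes.get("client_id")
            clientService = CdiUtil.bean(ClientService)
            oidcClient = clientService.getClient(currentClientId)
            # FIX: the original read the policy URI from oidcClient even when the
            # client lookup returned None; both derivations now require a client.
            if oidcClient is not None:
                entityId = "oidc:%s" % oidcClient.getClientName()
                sessionAttributes.put("entityId", entityId)

                # spNameQualifier is used for persistentId generation; for OIDC clients
                # it is taken from the client's PolicyURL field when absent.
                if entitySpNameQualifier is None:
                    clientPolicyUri = oidcClient.getPolicyUri()
                    if StringHelper.isNotEmpty(clientPolicyUri):
                        entitySpNameQualifier = clientPolicyUri
                        sessionAttributes.put("spNameQualifier", clientPolicyUri)
        # FIXME - For now as an error scenario if it's not found put a default
        if entityId is None:
            entityId = "_default"

        # CUSTOMIZATION - Select which page body elements will be rendered
        if sessionAttributes.get("pageContent") is None:
            pageContent = self._resolvePageContent(entityId)
            if pageContent is None:
                # FIX: the original format string had one placeholder for two
                # arguments and raised TypeError instead of logging the error.
                print("IDP Chooser. prepareForStep ERROR: '_default' and '%s' page content missing in file %s" % (
                    entityId,
                    configurationAttributes.get("selector_page_content_file").getValue2()))
                return False
            # save the page content in session for reference in xhtml pages
            sessionAttributes.put("pageContent", pageContent)

            # CUSTOMIZATION - Select which credential buttons will show up
            showCredentials = pageContent["credentials"]
            allCredentials = self.selectorPageContent["_default"]["credentials"]
            for cred in StringHelper.split(allCredentials, ','):
                if showCredentials.find(cred) == -1:
                    # NOTE(review): False is stored for credentials that are NOT shown;
                    # presumably the xhtml tests for the key's presence -- confirm.
                    sessionAttributes.put("hide_cred_" + cred, False)

        switchFlowStatus = sessionAttributes.get("switchFlowStatus")
        authUser = sessionAttributes.get("auth_user")

        # SWITCH - update switch flow step if coming back with a user
        if switchFlowStatus == "1_GET_SOURCE" and authUser is not None:
            # the source user has authenticated: remember the persistentId it holds
            # for the current RP so the switch step can move it to the target
            userService = CdiUtil.bean(UserService)
            sourceUser = userService.getUser(sessionAttributes.get("switchSourceAuthenticatedUser"))
            sourcePersistentId = None
            if sourceUser is not None:
                sourcePersistentId = self._findPersistentIdForRp(
                    sourceUser.getAttributeValues("persistentId"), entitySpNameQualifier)
            if sourcePersistentId is not None:
                sessionAttributes.put("switchPersistentId", sourcePersistentId)

            print("IDP Chooser. prepareForStep SWITCH FLOW: setting 2_GET_TARGET")
            sessionAttributes.put("switchFlowStatus", "2_GET_TARGET")

        # SWITCH - move to switch screen if the target has been authenticated
        elif switchFlowStatus == "2_GET_TARGET" and authUser is not None:
            # the switch is only possible when the target has no persistentId for this RP yet
            userService = CdiUtil.bean(UserService)
            targetUser = userService.getUser(sessionAttributes.get("switchTargetAuthenticatedUser"))
            targetPersistentId = None
            if targetUser is not None:
                targetPersistentId = self._findPersistentIdForRp(
                    targetUser.getAttributeValues("persistentId"), entitySpNameQualifier)

            if targetPersistentId is None:
                switchCurrentState = "AVAILABLE"
                print("IDP Chooser. prepareForStep SWITCH FLOW: setting 3_DO_SWITCH")
                sessionAttributes.put("switchFlowStatus", "3_DO_SWITCH")
            else:
                switchCurrentState = "NOT AVAILABLE - Persistent ID already exists for this RP in the target"
                print("IDP Chooser. prepareForStep SWITCH FLOW: FAILED - target contains mapping for %s" % entitySpNameQualifier)
                sessionAttributes.put("switchFlowStatus", "4_FINISHED")

            sessionAttributes.put("switchCurrentState", switchCurrentState)

        # MFA - update mfa flow status - check if the entityId is on the list of MFA applications
        mfaFlowStatus = sessionAttributes.get("mfaFlowStatus")
        print("IDP Chooser. prepareForStep Fetched mfaFlowStatus = '%s'" % mfaFlowStatus)
        mfaEnabledForEntity = False
        for mfaEntityId in StringHelper.split(self.entityids_with_mfa, ','):
            if mfaEntityId == entityId:
                mfaEnabledForEntity = True
                break

        if mfaEnabledForEntity:
            if mfaFlowStatus is None:
                # blank status means first pass: require MFA but do not forward yet
                mfaFlowStatus = "MFA_1_REQUIRED"
                print("IDP Chooser. prepareForStep Setting  mfaFlowStatus = '%s'" % mfaFlowStatus)
                sessionAttributes.put("mfaFlowStatus", mfaFlowStatus)

            elif authUser is not None:
                # an authenticated user is the signal to trigger MFA
                print("IDP Chooser. prepareForStep For mfaFlowStatus found authenticated user = '%s'" % authUser)
                # SWITCH - only trigger MFA when no switch flow is running or it has finished.
                # FIX: the original read "switchSourceAuthenticatedUser" here, so the
                # "4_FINISHED" comparison never matched and MFA was skipped for any
                # session that had completed a switch flow.  Re-read the status since the
                # switch branches above may have changed it.
                currentSwitchStatus = sessionAttributes.get("switchFlowStatus")
                if currentSwitchStatus is None or currentSwitchStatus == "4_FINISHED":
                    mfaFlowStatus = "MFA_2_IN_PROGRESS"
                    print("IDP Chooser. prepareForStep Setting  mfaFlowStatus = '%s' and [new_acr_value to 'passport_social'] and [selectedProvider to 'mfa']" % mfaFlowStatus)
                    sessionAttributes.put("mfaFlowStatus", mfaFlowStatus)
                    print("IDP Chooser. prepareForStep Setting  [new_acr_value = 'passport_social'] and [selectedProvider = 'mfa']")
                    identity.setWorkingParameter("new_acr_value", "passport_social")
                    sessionAttributes.put("selectedProvider", "mfa")

        ## SESSION_SAFE - update
        CdiUtil.bean(SessionIdService).updateSessionId(sessionId)

        print("IDP Chooser. prepareForStep. got session '%s'" % identity.getSessionId().toString())

        return step in (1, 2)

    def _resolvePageContent(self, entityId):
        """Return the selector page content for *entityId*, or None.

        Lookup order: exact key, then the last configured key that is a prefix
        of *entityId*, then the "_default" entry.
        """
        pageContent = self.selectorPageContent.get(entityId)
        if pageContent is None:
            for contentKey in self.selectorPageContent.keys():
                if entityId.find(contentKey) == 0:
                    pageContent = self.selectorPageContent.get(contentKey)
        if pageContent is None:
            pageContent = self.selectorPageContent.get("_default")
        return pageContent

    def _findPersistentIdForRp(self, persistentIds, rpName):
        """Return the last value in *persistentIds* that mentions *rpName*, else None.

        The match is a substring search, as elsewhere in this script, not a
        comparison of the "rp|idp|uid" prefix.  None for either argument yields
        None (the original raised when the qualifier was missing).
        """
        if persistentIds is None or rpName is None:
            return None
        match = None
        for persistentId in persistentIds:
            if persistentId.find(rpName) > -1:
                match = persistentId
        return match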
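    def authenticate(self, configurationAttributes, requestParameters, step):
        """Handle the IDP chooser form submission for *step*.

        When the session switch flow is in "3_DO_SWITCH", the persistentId saved
        in "switchPersistentId" is added to the target user and removed from the
        source user, the flow is marked "4_FINISHED" and the target user is
        authenticated.  Otherwise the submitted "acr:provider" value is parsed,
        checked against the credentials allowed by the client's page content and
        stored as the new ACR / selected provider; the switch checkbox may start
        the switch flow.

        Returns the authentication result in the switch case; otherwise True for
        step 1 and False for any other step or for rejected input.
        """
        print("IDP Chooser. authenticate called for step '%s'" % step)

        identity = CdiUtil.bean(Identity)
        sessionId = identity.getSessionId()
        sessionAttributes = sessionId.getSessionAttributes()
        sessionIdService = CdiUtil.bean(SessionIdService)

        # SWITCH - if the switch credential is in 3_DO_SWITCH state, then do the switch
        if sessionAttributes.get("switchFlowStatus") == "3_DO_SWITCH":
            return self._doSwitch(sessionAttributes, sessionId, sessionIdService)

        # process the ACR selection
        new_acr_provider_value = self.getAcrValueFromAuth(requestParameters)
        print("IDP Chooser. authenticate: saving new acr provider = '%s'" % new_acr_provider_value)
        new_acr_provider_elements = StringHelper.split(new_acr_provider_value, ":")
        # The value comes from the request: reject anything that is not "acr:provider"
        # (the original indexed element 1 unconditionally and raised on bad input).
        if new_acr_provider_elements is None or len(new_acr_provider_elements) < 2:
            print("IDP Chooser. authenticate: malformed acr provider value '%s'" % new_acr_provider_value)
            return False
        new_acr_value = new_acr_provider_elements[0]
        new_acr_provider = new_acr_provider_elements[1]
        print("IDP Chooser. authenticate: setting new_acr_value = '%s'" % new_acr_value)
        print("IDP Chooser. authenticate: setting new_acr_provider = '%s'" % new_acr_provider)

        # Validate the ACR is allowed for the current entityId/client.
        # FIX: the original granted access when the submitted value did NOT contain
        # an allowed credential, so the check passed for any unlisted provider; it
        # now passes only when one of the allowed credentials is present.
        pageContent = sessionAttributes.get("pageContent")
        allowSetNewAcr = False
        if pageContent is not None:
            for cred in StringHelper.split(pageContent["credentials"], ','):
                if new_acr_provider_value.find(cred) > -1:
                    allowSetNewAcr = True
                    break
        if not allowSetNewAcr:
            print("IDP Chooser. authenticate: provider '%s' not allowed for this client" % new_acr_provider)
            return False
        identity.setWorkingParameter("new_acr_value", new_acr_value)
        sessionAttributes.put("selectedProvider", new_acr_provider)

        # SWITCH - Reading switch credential checkbox
        if sessionAttributes.get("switchFlowStatus") is None:
            switchSelected = self.getSwitchValueFromAuth(requestParameters)
            if switchSelected == True:
                print("IDP Chooser. authenticate SWITCH FLOW: setting 1_GET_SOURCE")
                sessionAttributes.put("switchFlowStatus", "1_GET_SOURCE")

        ## SESSION_SAFE - update
        sessionIdService.updateSessionId(sessionId)

        return step == 1

    def _doSwitch(self, sessionAttributes, sessionId, sessionIdService):
        """Move the session's "switchPersistentId" from the source user to the target user.

        Returns the result of authenticating the target user, or False when either
        user cannot be fetched or the source user cannot be updated (the target is
        then reverted).  The session is persisted on every exit path.
        """
        userService = CdiUtil.bean(UserService)
        sourceUserId = sessionAttributes.get("switchSourceAuthenticatedUser")
        targetUserId = sessionAttributes.get("switchTargetAuthenticatedUser")
        sourceUser = userService.getUser(sourceUserId)
        targetUser = userService.getUser(targetUserId)

        if targetUser is None:
            print("IDP Chooser. authenticate: Failed to fetch target user '%s'" % targetUserId)
            sessionAttributes.remove("switchFlowStatus")
            ## SESSION_SAFE - update
            sessionIdService.updateSessionId(sessionId)
            return False
        if sourceUser is None:
            print("IDP Chooser. authenticate: Failed to fetch source user '%s'" % sourceUserId)
            sessionAttributes.remove("switchFlowStatus")
            ## SESSION_SAFE - update
            sessionIdService.updateSessionId(sessionId)
            return False

        switchPersistentId = sessionAttributes.get("switchPersistentId")

        # FIRST add the persistentId to the target user
        targetUser.setAttribute("persistentId", self._persistentIdsWith(targetUser, switchPersistentId))
        userService.updateUser(targetUser)

        # SECOND remove the persistentId from the source user.
        # FIX: the original appended the switched ID for every retained entry, so the
        # source ended up with copies of the moved value instead of its other IDs.
        sourceUser.setAttribute("persistentId", self._persistentIdsWithout(sourceUser, switchPersistentId))
        try:
            userService.updateUser(sourceUser)
        except:
            # bare except on purpose: updateUser may raise Java exceptions.
            # THIRD if the source update failed, take the persistentId back out of the
            # target.  FIX: the original "revert" added the switched ID a second time.
            print("IDP Chooser. authenticate: Failed to update source user, '%s', reverting target user " % sourceUserId)
            print("Exception: %s" % sys.exc_info()[1])
            targetUser.setAttribute("persistentId", self._persistentIdsWithout(targetUser, switchPersistentId))
            userService.updateUser(targetUser)
            return False

        # finish the switch flow
        sessionAttributes.put("switchFlowStatus", "4_FINISHED")
        ## SESSION_SAFE - update (the original returned without persisting this state)
        sessionIdService.updateSessionId(sessionId)
        return CdiUtil.bean(AuthenticationService).authenticate(targetUser.getUserId())

    def _persistentIdsWith(self, user, persistentId):
        """Return an ArrayList of *user*'s persistentId values plus *persistentId*."""
        existing = user.getAttributeValues("persistentId")
        result = ArrayList() if existing is None else ArrayList(existing)
        result.add(persistentId)
        return result

    def _persistentIdsWithout(self, user, persistentId):
        """Return an ArrayList of *user*'s persistentId values minus *persistentId*."""
        result = ArrayList()
        existing = user.getAttributeValues("persistentId")
        if existing is not None:
            for value in existing:
                if value != persistentId:
                    result.add(value)
        return result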
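    def prepareForStep(self, configurationAttributes, requestParameters, step):
        """Prepare step *step* of the passport-social flow.

        Delegates to ``extensionPrepareForStep`` first and returns its result when
        it is not None.  For step 1 it publishes the configured providers as the
        "externalProviders" working parameter, resolves the provider to use (a
        session "selectedProvider" moved into the working parameters, a provider
        left over from a retried step, or the custom authorization parameter) and
        redirects to passport when one is found; in the MFA flow the user's MFA
        PAI and the entityId are AES-encrypted into the login hint.

        Returns True except when "selectedProvider" is "mfa" outside the MFA flow.
        """
        extensionResult = self.extensionPrepareForStep(configurationAttributes, requestParameters, step)
        if extensionResult is not None:
            return extensionResult

        print("Passport-social. prepareForStep called for step %s" % str(step))
        identity = CdiUtil.bean(Identity)
        sessionId = identity.getSessionId()
        sessionAttributes = sessionId.getSessionAttributes()

        if step != 1:
            return True

        identity.setWorkingParameter("externalProviders", json.dumps(self.registeredProviders))
        print("Passport-social. prepareForStep. got session '%s'" % sessionId.toString())

        self.skipProfileUpdate = StringHelper.equalsIgnoreCase(sessionAttributes.get("skipPassportProfileUpdate"), "true")

        # MFA
        # 1. Check if there has been an authenticated user
        # 2. Check that mfa flow status is MFA_2_IN_PROGRESS
        # 3. Set the selected provider to "mfa"
        # 4. Get the MFA PAI from the user profile
        mfaPai = None
        if sessionAttributes.get("auth_user") is not None and sessionAttributes.get("mfaFlowStatus") == "MFA_2_IN_PROGRESS":
            sessionAttributes.put("selectedProvider", "mfa")
            mfaPai = self._findMfaPai(sessionAttributes.get("authenticatedUser"))
            print("Passport-social. prepareForStep. Using mfaPai = '%s'" % mfaPai)
        elif sessionAttributes.get("selectedProvider") == "mfa":
            print("Passport-social. prepareForStep. ERROR: 'selectedProvider' is 'mfa' but not in the MFA flow, Exiting")
            return False

        # This is added to the script by a previous module if the provider is preselected
        providerFromSession = sessionAttributes.get("selectedProvider")
        if providerFromSession is not None:
            # Reset the provider in session in case the choice has to be made again
            print("Passport-social. prepareForStep. Setting selectedProvider from session  = '%s'" % providerFromSession)
            identity.setWorkingParameter("selectedProvider", providerFromSession)
            sessionAttributes.remove("selectedProvider")
            ## SESSION_SAFE - update
            CdiUtil.bean(SessionIdService).updateSessionId(sessionId)

        loginHint = None
        if mfaPai is not None:
            entityId = sessionAttributes.get("entityId")
            # NOTE(review): a missing entityId makes the concatenation raise --
            # confirm the chooser always stores it before the MFA pass.
            plaintext = mfaPai + '|' + entityId
            loginHint = self.encryptAES(self.aesKey, plaintext)

        url = None
        # This param could have been set previously in authenticate step if current step is being retried
        provider = identity.getWorkingParameter("selectedProvider")
        if provider is not None:
            url = self.getPassportRedirectUrl(provider, loginHint)
            identity.setWorkingParameter("selectedProvider", None)

        elif self.customAuthzParameter is not None:
            paramValue = sessionAttributes.get(self.customAuthzParameter)

            if paramValue is not None:
                print("Passport-social. prepareForStep. Found value in custom param of authorization request: %s" % paramValue)
                provider = self.getProviderFromJson(paramValue)

                if provider is None:
                    print("Passport-social. prepareForStep. A provider value could not be extracted from custom authorization request parameter")
                elif provider not in self.registeredProviders:
                    print("Passport-social. prepareForStep. Provider '%s' not part of known configured IDPs/OPs" % provider)
                else:
                    url = self.getPassportRedirectUrl(provider, loginHint)

        if url is None:
            print("Passport-social. prepareForStep. A page to manually select an identity provider will be shown")
        else:
            CdiUtil.bean(FacesService).redirectToExternalURL(url)

        return True

    def _findMfaPai(self, userId):
        """Return the PAI from the user's last "passport-mfa:<pai>" oxExternalUid, or None.

        Looks the user up by "uid".  Returns None (after logging) when the user
        does not exist or has no MFA external UID; the original dereferenced a
        missing user and raised.
        """
        userService = CdiUtil.bean(UserService)
        mfaUser = userService.getUserByAttribute("uid", userId)
        if mfaUser is None:
            print("Passport-social. prepareForStep. MFA user '%s' not found" % userId)
            return None
        mfaPai = None
        externalUids = mfaUser.getAttributeValues("oxExternalUid")
        if externalUids is not None:
            for externalUid in externalUids:
                if externalUid.find("passport-mfa:") > -1:
                    mfaPai = StringHelper.split(externalUid, ':')[1]
        return mfaPai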
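    def fillUser(self, foundUser, profile):
        """Copy the mapped *profile* attributes onto *foundUser*.

        Special cases: "persistentId" is only appended when the user has no
        value for that RP yet; "oxExternalUid_newMfa" is only appended to
        "oxExternalUid" when the user has no "passport-mfa:" entry yet; "mail"
        is stored as "oxTrustEmail" JSON entries.  The attribute named by
        ``self.providerKey`` is skipped.  Mutates *foundUser* in place and pops
        consumed entries from the *profile* lists it skips.
        """
        import json

        for attr in profile:
            # "provider" is disregarded if part of mapping
            if attr == self.providerKey:
                continue
            values = profile[attr]
            print("Passport-saml. fillUser. %s = %s" % (attr, values))
            if attr == "persistentId":
                # COLLECT - add the new RP mapping unless one already exists
                self._fillPersistentId(foundUser, values)
            elif attr == "oxExternalUid_newMfa":
                # The attribute is here so MFA flow is REQUIRED.
                self._fillMfaExternalUid(foundUser, values)
            elif attr == "mail":
                # json.dumps quotes and escapes the address so a quote or backslash
                # in it cannot break the stored JSON (the original interpolated it raw)
                oxtrustMails = ['{"value":%s,"primary":false}' % json.dumps(mail) for mail in values]
                foundUser.setAttribute("oxTrustEmail", oxtrustMails)
            else:
                foundUser.setAttribute(attr, values)

    def _fillPersistentId(self, foundUser, values):
        """Append values[0] to the user's persistentId list unless its RP is already mapped.

        The value format is "rp|idp|uid"; the RP check is a substring search, as
        elsewhere in this script.  Does nothing for None or empty *values*.  When
        the RP is already mapped the first entry is popped from *values*.
        """
        if not values:
            return
        # The format is rp|idp|uid, so we split by '|' and take the first element
        currentRp = StringHelper.split(values[0], '|')[0]
        userPersistentIds = foundUser.getAttributeValues("persistentId")
        if userPersistentIds is not None:
            for userPersistentId in userPersistentIds:
                if userPersistentId.find(currentRp) > -1:
                    # FIX: pop once; the original popped per matching entry and
                    # raised IndexError when several existing IDs matched.
                    values.pop(0)
                    break

        # if there still is a persistentId, then add it to the current user profile
        if len(values) > 0:
            print("Passport-saml. fillUser. Updating persistent IDs, original = '%s'" % userPersistentIds)
            # if there are no current Persistent IDs create a new list
            tmpList = ArrayList(userPersistentIds) if userPersistentIds is not None else ArrayList()
            tmpList.add(values[0])
            print("Passport-saml. fillUser. Updating persistent IDs, updated  = '%s'" % tmpList)
            foundUser.setAttribute("persistentId", tmpList)
        else:
            print("Passport-saml. fillUser. PersistentId for RP '%s' already exists, ignoring new RP mapping" % currentRp)

    def _fillMfaExternalUid(self, foundUser, values):
        """Append the new "passport-mfa:<pai>" oxExternalUid unless the user already has one.

        Does nothing for None or empty *values*.  When an MFA PAI already exists
        the first entry is popped from *values* and the existing PAI is kept.
        """
        if not values:
            return
        mfaOxExternalUid = values[0]
        userOxExternalUids = foundUser.getAttributeValues("oxExternalUid")
        if userOxExternalUids is not None:
            for userOxExternalUid in userOxExternalUids:
                if userOxExternalUid.find("passport-mfa:") > -1:
                    # an MFA PAI already exists: keep it and drop the new value.
                    # FIX: pop once; the original popped per matching entry.
                    mfaOxExternalUid = userOxExternalUid
                    values.pop(0)
                    break

        # if there still is a value for MFA PAI, then add it because it did not exist
        if len(values) > 0:
            print("Passport-saml. fillUser. Updating MFA PAI oxExternalUid, original list = '%s'" % userOxExternalUids)
            # if there are no current external UIDs create a new list
            tmpList = ArrayList(userOxExternalUids) if userOxExternalUids is not None else ArrayList()
            tmpList.add(mfaOxExternalUid)
            print("Passport-saml. fillUser. Updating persistent IDs, updated with MFA = '%s'" % tmpList)
            foundUser.setAttribute("oxExternalUid", tmpList)
        else:
            print("Passport-saml. fillUser. oxExternalUid for MFA '%s' already exists, ignoring new MFA mapping" % mfaOxExternalUid)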
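    def update(self, dynamicScopeContext, configurationAttributes):
        """Attach OIDC distributed-claims pointers for the requesting RP.

        Scans the user's ``transientId`` values for a record that belongs to
        the current OIDC client and is recent enough; when one is found the
        ``_claim_names`` / ``_claim_sources`` claims are set on the JSON web
        response so the RP can fetch the mapped claims from the recorded
        userinfo endpoint with the recorded access token.

        Args:
            dynamicScopeContext: Gluu dynamic-scope context; supplies the
                authorization grant, the user entry and the JSON web response.
            configurationAttributes: script configuration (not used here).

        Returns:
            True, always (the dynamic-scope contract expects a boolean).
        """
        # Local import keeps the module-level import block untouched.
        import json

        print "Dynamic scope [claims_scope]. Update method"

        # Identify the requesting RP; transientId records are keyed by it.
        authorizationGrant = dynamicScopeContext.getAuthorizationGrant()
        oidcClient = authorizationGrant.getClient()
        currentEntityId = "oidc:%s" % oidcClient.getClientName()

        # Filled in only when a usable record for this RP is found.
        claimNamesJsonString = None
        claimsSrcJsonString = None

        user = dynamicScopeContext.getUser()
        userTransientIds = user.getAttributeValues("transientId")
        # NOTE: the previous version compared the bound method `.size` (always
        # truthy) instead of the list length; len() works for Java and Python lists.
        if userTransientIds is not None and len(userTransientIds) > 0:
            # Newest accepted record wins (0 means none accepted yet).
            latestExpiryTimeSec = 0
            currenttimeSec = int(round(time.time()))
            for userTransientId in userTransientIds:
                # Record format: rpEntityId|expiryTimeSec|userInfoUrl|accessToken
                parts = StringHelper.split(userTransientId, '|')
                if len(parts) < 4:
                    # A truncated record would otherwise raise IndexError below.
                    print "Dynamic scope [claims_scope]. Ignoring malformed transientId record (%d fields, expected 4)" % len(parts)
                    continue

                transientIdRp = parts[0]
                if transientIdRp != currentEntityId:
                    continue

                # Log only the RP part: the full record carries a bearer access token
                # and must not end up in the server log.
                print "Dynamic scope [claims_scope]. Found matching transientId for RP '%s'" % transientIdRp
                expiryTimeSec = StringHelper.toInteger(parts[1])
                userInfoUrl = parts[2]
                accessToken = parts[3]

                # Keep the newest record that is not older than 15 minutes (900 s).
                if expiryTimeSec > latestExpiryTimeSec and expiryTimeSec > (currenttimeSec - 900):
                    latestExpiryTimeSec = expiryTimeSec
                    # Serialize with json.dumps so quotes/backslashes in the URL or
                    # token are escaped instead of breaking (or injecting into) the JSON.
                    claimsSrcJsonString = json.dumps({"src1": {"endpoint": userInfoUrl, "access_token": accessToken}})
                    # _claim_names is static as per PCTF: all four claims come from src1.
                    claimNamesJsonString = '{"given_name":"src1","family_name":"src1","birthdate":"src1","address":"src1"}'

        # Only set the distributed-claims pair when both halves were produced.
        if claimNamesJsonString is not None and claimsSrcJsonString is not None:
            jsonWebResponse = dynamicScopeContext.getJsonWebResponse()
            claims = jsonWebResponse.getClaims()
            claims.setClaim("_claim_names", JSONObject(claimNamesJsonString))
            claims.setClaim("_claim_sources", JSONObject(claimsSrcJsonString))

        return True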