/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * https://opensso.dev.java.net/public/CDDLv1.0.html or
 * opensso/legal/CDDLv1.0.txt
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at opensso/legal/CDDLv1.0.txt.
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 *
 * $Id: FederationSPAdapter.java,v 1.4 2008/06/25 05:46:50 qcheng Exp $
 * Portions Copyrighted 2014 ForgeRock AS
 */

package com.sun.identity.federation.plugins;

import com.sun.identity.federation.common.FederationException;
import com.sun.identity.federation.message.FSAuthnRequest;
import com.sun.identity.federation.message.FSAuthnResponse;
import com.sun.identity.federation.message.FSFederationTerminationNotification;
import com.sun.identity.federation.message.FSLogoutNotification;
import com.sun.identity.federation.message.FSLogoutResponse;
import com.sun.identity.federation.message.FSNameRegistrationRequest;
import com.sun.identity.federation.message.FSNameRegistrationResponse;
import com.sun.identity.federation.message.FSResponse;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Extension point for deployment-specific processing on the Liberty
 * Service Provider (SP) side of the federation flow. Implementations are
 * called back at the hook points declared below (before/after single
 * sign-on and federation, name-identifier registration, federation
 * termination and single logout).
 *
 * <p>A single instance of the implementation is created and reused for
 * the whole runtime, so every method except {@link #initialize} must be
 * safe to invoke concurrently from multiple request threads. Implementations
 * should therefore avoid mutable instance state that is written after
 * initialization.
 *
 * @supported.all.api
 * @deprecated since 12.0.0
 */
@Deprecated
public interface FederationSPAdapter {

    /** Federation or single sign-on completed successfully on the SP side. */
    int SUCCESS = 0;

    /**
     * The IDP response received via the Browser POST or LECP profile
     * carries a non-Success status code.
     */
    int INVALID_AUTHN_RESPONSE = 1;

    /**
     * The IDP response received via the Browser Artifact profile carries a
     * non-Success status code.
     */
    int INVALID_RESPONSE = 2;

    /** Account federation failed (unspecified reason). */
    int FEDERATION_FAILED = 3;

    /** Account federation failed: the user token could not be generated. */
    int FEDERATION_FAILED_SSO_TOKEN_GENERATION = 4;

    /** Account federation failed: the anonymous token could not be generated. */
    int FEDERATION_FAILED_ANON_TOKEN_GENERATION = 5;

    /** Account federation failed: the anonymous user account is inactive. */
    int FEDERATION_FAILED_ANON_AUTH_USER_INACTIVE = 6;

    /** Account federation failed: the anonymous user account is locked. */
    int FEDERATION_FAILED_ANON_AUTH_USER_LOCKED = 7;

    /** Account federation failed: the anonymous user account has expired. */
    int FEDERATION_FAILED_ANON_AUTH_ACCOUNT_EXPIRED = 8;

    /** Account federation failed: the federation info could not be written. */
    int FEDERATION_FAILED_WRITING_ACCOUNT_INFO = 9;

    /** Single sign-on failed (unspecified reason). */
    int SSO_FAILED = 10;

    /** Single sign-on failed: no federation info exists on the SP side. */
    int SSO_FAILED_FEDERATION_DOESNOT_EXIST = 11;

    /** Single sign-on failed: the auto-federation user could not be found. */
    int SSO_FAILED_AUTO_FED = 12;

    /** Single sign-on failed: the user account is inactive. */
    int SSO_FAILED_AUTH_USER_INACTIVE = 13;

    /** Single sign-on failed: the user account is locked. */
    int SSO_FAILED_AUTH_USER_LOCKED = 14;

    /** Single sign-on failed: the user account has expired. */
    int SSO_FAILED_AUTH_ACCOUNT_EXPIRED = 15;

    /** Single sign-on failed: the user token could not be generated. */
    int SSO_FAILED_TOKEN_GENERATION = 16;

    /** Initialization-parameter prefix under which the realm is passed. */
    String ENV_REALM = "REALM=";

    /**
     * Initializes the adapter. Called exactly once, right after the adapter
     * instance is created, and before any of the other hooks.
     *
     * @param hostedEntityID entity ID of the hosted SP
     * @param initParams initial parameters configured for this adapter in
     *        the service provider (for example the realm, see
     *        {@link #ENV_REALM}). NOTE(review): declared as a raw
     *        {@code Set}; element type is not fixed by this interface —
     *        confirm against the caller before casting elements.
     */
    void initialize(String hostedEntityID, Set initParams);

    /**
     * Invoked before the federation manager sends the Single-Sign-On and
     * Federation request to the IDP.
     *
     * @param hostedEntityID entity ID of the hosted SP
     * @param idpEntityID entity ID of the IDP the request will be sent to
     * @param request servlet request
     * @param response servlet response
     * @param authnRequest the authentication request about to be sent
     */
    void preSSOFederationRequest(String hostedEntityID, String idpEntityID,
            HttpServletRequest request, HttpServletResponse response,
            FSAuthnRequest authnRequest);

    /**
     * Invoked when the federation manager has received the Single-Sign-On
     * and Federation response from the IDP, before any SP-side processing
     * of that response has started. Because the SP has not yet processed
     * the response at this point, its contents should be treated as
     * unverified input here; this hook is a place to veto the flow, not to
     * establish trust in the message.
     *
     * @param hostedEntityID entity ID of the hosted SP
     * @param request servlet request
     * @param response servlet response
     * @param authnRequest the original authentication request sent by the SP
     * @param authnResponse IDP response when the Browser POST or LECP
     *        profile is used; {@code null} for the Browser Artifact profile
     * @param samlResponse IDP response when the Browser Artifact profile is
     *        used; {@code null} for the Browser POST or LECP profile
     * @throws FederationException to abort the process
     */
    void preSSOFederationProcess(String hostedEntityID,
            HttpServletRequest request, HttpServletResponse response,
            FSAuthnRequest authnRequest, FSAuthnResponse authnResponse,
            FSResponse samlResponse) throws FederationException;

    /**
     * Invoked after Single-Sign-On and Federation processing has succeeded.
     *
     * @param hostedEntityID entity ID of the hosted SP
     * @param request servlet request
     * @param response servlet response
     * @param ssoToken the user's SSO token; treat it as a credential (do
     *        not log or persist its value)
     * @param authnRequest the original authentication request sent by the SP
     * @param authnResponse IDP response when the Browser POST or LECP
     *        profile is used; {@code null} for the Browser Artifact profile
     * @param samlResponse IDP response when the Browser Artifact profile is
     *        used; {@code null} for the Browser POST or LECP profile
     * @return {@code true} if the implementation redirected the browser
     *         itself, {@code false} otherwise. An implementation that
     *         redirects is responsible for validating the target it sends
     *         the browser to; a target taken unchecked from request
     *         parameters would be an open redirect.
     * @throws FederationException to fail the process
     */
    boolean postSSOFederationSuccess(String hostedEntityID,
            HttpServletRequest request, HttpServletResponse response,
            Object ssoToken, FSAuthnRequest authnRequest,
            FSAuthnResponse authnResponse, FSResponse samlResponse)
            throws FederationException;

    /**
     * Invoked after Single-Sign-On or Federation processing has failed.
     *
     * @param hostedEntityID entity ID of the hosted SP
     * @param request servlet request
     * @param response servlet response
     * @param authnRequest the original authentication request sent by the SP
     * @param authnResponse IDP response when the Browser POST or LECP
     *        profile is used; {@code null} for the Browser Artifact profile
     * @param samlResponse IDP response when the Browser Artifact profile is
     *        used; {@code null} for the Browser POST or LECP profile
     * @param failureCode one of the failure codes defined in this interface
     * @return {@code true} if the implementation redirected the browser
     *         itself, {@code false} otherwise (the same redirect-target
     *         validation caveat as for {@link #postSSOFederationSuccess}
     *         applies)
     */
    boolean postSSOFederationFailure(String hostedEntityID,
            HttpServletRequest request, HttpServletResponse response,
            FSAuthnRequest authnRequest, FSAuthnResponse authnResponse,
            FSResponse samlResponse, int failureCode);

    /**
     * Invoked after Register Name Identifier processing has succeeded.
     *
     * @param hostedEntityID entity ID of the hosted SP
     * @param request servlet request
     * @param response servlet response
     * @param userDN DN of the user for whom name-identifier registration
     *        was performed
     * @param regRequest register-name-identifier request; {@code null} if
     *        the request object is not available
     * @param regResponse register-name-identifier response; {@code null} if
     *        the response object is not available
     * @param regProfile the registration profile used, one of
     *        {@code IFSConstants.NAME_REGISTRATION_SP_HTTP_PROFILE},
     *        {@code IFSConstants.NAME_REGISTRATION_SP_SOAP_PROFILE},
     *        {@code IFSConstants.NAME_REGISTRATION_IDP_HTTP_PROFILE},
     *        {@code IFSConstants.NAME_REGISTRATION_IDP_SOAP_PROFILE}
     */
    void postRegisterNameIdentifierSuccess(String hostedEntityID,
            HttpServletRequest request, HttpServletResponse response,
            String userDN, FSNameRegistrationRequest regRequest,
            FSNameRegistrationResponse regResponse, String regProfile);

    /**
     * Invoked after the service provider has successfully terminated
     * federation with the IDP.
     *
     * @param hostedEntityID entity ID of the hosted SP
     * @param request servlet request
     * @param response servlet response
     * @param userDN DN of the user whose federation was terminated
     * @param notification the federation termination notification message
     * @param termProfile the termination profile used, one of
     *        {@code IFSConstants.TERMINATION_SP_HTTP_PROFILE},
     *        {@code IFSConstants.TERMINATION_SP_SOAP_PROFILE},
     *        {@code IFSConstants.TERMINATION_IDP_HTTP_PROFILE},
     *        {@code IFSConstants.TERMINATION_IDP_SOAP_PROFILE}
     */
    void postTerminationNotificationSuccess(String hostedEntityID,
            HttpServletRequest request, HttpServletResponse response,
            String userDN, FSFederationTerminationNotification notification,
            String termProfile);

    /**
     * Invoked before single logout processing starts on the federation
     * manager side, i.e. while the user's token on the service provider is
     * still valid (it is invalidated only after this hook returns).
     *
     * @param hostedEntityID entity ID of the hosted SP
     * @param request servlet request
     * @param response servlet response
     * @param userDN DN of the user being logged out
     * @param logoutRequest the single logout request
     * @param logoutResponse the single logout response; {@code null} if the
     *        response object is not available
     * @param sloProfile the single logout profile used, one of
     *        {@code IFSConstants.LOGOUT_SP_REDIRECT_PROFILE},
     *        {@code IFSConstants.LOGOUT_SP_SOAP_PROFILE},
     *        {@code IFSConstants.LOGOUT_IDP_REDIRECT_PROFILE},
     *        {@code IFSConstants.LOGOUT_IDP_SOAP_PROFILE}
     */
    void preSingleLogoutProcess(String hostedEntityID,
            HttpServletRequest request, HttpServletResponse response,
            String userDN, FSLogoutNotification logoutRequest,
            FSLogoutResponse logoutResponse, String sloProfile);

    /**
     * Invoked after single logout has completed successfully, i.e. once the
     * user's token has been invalidated.
     *
     * @param hostedEntityID entity ID of the hosted SP
     * @param request servlet request
     * @param response servlet response
     * @param userDN DN of the user who was logged out
     * @param logoutRequest the single logout request; {@code null} if the
     *        request object is not available
     * @param logoutResponse the single logout response; {@code null} if the
     *        response object is not available
     * @param sloProfile the single logout profile used, one of
     *        {@code IFSConstants.LOGOUT_SP_HTTP_PROFILE},
     *        {@code IFSConstants.LOGOUT_SP_SOAP_PROFILE},
     *        {@code IFSConstants.LOGOUT_IDP_HTTP_PROFILE},
     *        {@code IFSConstants.LOGOUT_IDP_SOAP_PROFILE}
     *        (NOTE(review): the pre-logout hook lists REDIRECT profile
     *        names instead; which set applies here is not settled by this
     *        file)
     */
    void postSingleLogoutSuccess(String hostedEntityID,
            HttpServletRequest request, HttpServletResponse response,
            String userDN, FSLogoutNotification logoutRequest,
            FSLogoutResponse logoutResponse, String sloProfile);
}