001/*
002 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
003 *
004 * Copyright (c) 2008 Sun Microsystems Inc. All Rights Reserved
005 *
006 * The contents of this file are subject to the terms
007 * of the Common Development and Distribution License
008 * (the License). You may not use this file except in
009 * compliance with the License.
010 *
011 * You can obtain a copy of the License at
012 * https://opensso.dev.java.net/public/CDDLv1.0.html or
013 * opensso/legal/CDDLv1.0.txt
014 * See the License for the specific language governing
015 * permission and limitations under the License.
016 *
017 * When distributing Covered Code, include this CDDL
018 * Header Notice in each file and include the License file
019 * at opensso/legal/CDDLv1.0.txt.
020 * If applicable, add the following below the CDDL Header,
021 * with the fields enclosed by brackets [] replaced by
022 * your own identifying information:
023 * "Portions Copyrighted [year] [name of copyright owner]"
024 *
025 * $Id: NameIDMapping.java,v 1.6 2009/11/20 21:41:16 exu Exp $
026 *
027 * Portions Copyrighted 2013-2016 ForgeRock AS.
028 */
029package com.sun.identity.saml2.profile;
030
031import static org.forgerock.openam.utils.Time.*;
032
033import java.security.PrivateKey;
034import java.security.cert.X509Certificate;
035import java.util.Date;
036import java.util.Iterator;
037import java.util.List;
038import java.util.Map;
039import java.util.Set;
040import javax.xml.soap.SOAPException;
041import javax.xml.soap.SOAPMessage;
042
043import com.sun.identity.saml2.common.SOAPCommunicator;
044import com.sun.identity.saml2.jaxb.entityconfig.IDPSSOConfigElement;
045import org.w3c.dom.Element;
046
047import com.sun.identity.plugin.session.SessionException;
048import com.sun.identity.plugin.session.SessionManager;
049import com.sun.identity.plugin.session.SessionProvider;
050import com.sun.identity.saml.xmlsig.KeyProvider;
051import com.sun.identity.saml2.assertion.AssertionFactory;
052import com.sun.identity.saml2.assertion.EncryptedID;
053import com.sun.identity.saml2.assertion.Issuer;
054import com.sun.identity.saml2.assertion.NameID;
055import com.sun.identity.saml2.common.AccountUtils;
056import com.sun.identity.saml2.common.NameIDInfo;
057import com.sun.identity.saml2.common.SAML2Constants;
058import com.sun.identity.saml2.common.SAML2Exception;
059import com.sun.identity.saml2.common.SAML2SDKUtils;
060import com.sun.identity.saml2.common.SAML2Utils;
061import com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType;
062import com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement;
063import com.sun.identity.saml2.jaxb.metadata.NameIDMappingServiceElement;
064import com.sun.identity.saml2.jaxb.metadata.RoleDescriptorType;
065import com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement;
066import com.sun.identity.saml2.key.EncInfo;
067import com.sun.identity.saml2.key.KeyUtil;
068import com.sun.identity.saml2.meta.SAML2MetaException;
069import com.sun.identity.saml2.meta.SAML2MetaManager;
070import com.sun.identity.saml2.plugins.IDPAccountMapper;
071import com.sun.identity.saml2.protocol.NameIDMappingRequest;
072import com.sun.identity.saml2.protocol.NameIDMappingResponse;
073import com.sun.identity.saml2.protocol.NameIDPolicy;
074import com.sun.identity.saml2.protocol.ProtocolFactory;
075import com.sun.identity.saml2.protocol.Status;
076
077import com.sun.identity.shared.xml.XMLUtils;
078
079/**
080 * This class provides methods to send or process
081 * <code>NameIDMappingRequest</code>.
082 *
083 * @supported.api
084 */
085
086public class NameIDMapping {
087    static ProtocolFactory pf = ProtocolFactory.getInstance();
088    static AssertionFactory af = AssertionFactory.getInstance();
089    static SAML2MetaManager metaManager = null;
090    static KeyProvider keyProvider = KeyUtil.getKeyProviderInstance(); 
091
092    static SessionProvider sessionProvider = null;
093    
094    static {
095        try {
096            metaManager= new SAML2MetaManager();
097            sessionProvider = SessionManager.getProvider();
098        } catch (SAML2MetaException se) {
099            SAML2Utils.debug.error(SAML2Utils.bundle.getString(
100                "errorMetaManager"), se);
101        } catch (SessionException sessE) {
102            SAML2Utils.debug.error("Error retrieving session provider.", sessE);
103        }
104    }
105    
106    /**
107     * Parses the request parameters and builds the NameIDMappingRequest to
108     * sent to remote identity provider.
109     *
110     * @param session user session.
111     * @param realm the realm of hosted entity
112     * @param spEntityID entity ID of hosted service provider
113     * @param idpEntityID entity ID of remote idendity provider
114     * @param targetSPEntityID entity ID of target entity ID of service
115     *     provider
116     * @param targetNameIDFormat format of target Name ID
117     * @param paramsMap Map of all other parameters
118     *
119     * @return the <code>NameIDMappingResponse</code>
120     * @throws SAML2Exception if error initiating request to remote entity.
121     *
122     * @supported.api
123     */
124    public static NameIDMappingResponse initiateNameIDMappingRequest(
125        Object session, String realm, String spEntityID, String idpEntityID,
126        String targetSPEntityID, String targetNameIDFormat,
127        Map paramsMap) throws SAML2Exception {
128            
129        if (spEntityID == null) {
130            throw new SAML2Exception(
131                SAML2Utils.bundle.getString("nullSPEntityID"));
132        }
133                
134        if (idpEntityID == null)  {
135            throw new SAML2Exception(
136                SAML2Utils.bundle.getString("nullIDPEntityID"));
137        }
138
139        String userID = null;
140
141        try {
142            userID = sessionProvider.getPrincipalName(session);
143        } catch (SessionException e) {
144            if (SAML2Utils.debug.messageEnabled()) {
145                SAML2Utils.debug.message(
146                    "NameIDMapping.createNameIDMappingRequest: ", e);
147            }
148        }
149
150        if (userID == null) {
151            throw new SAML2Exception(
152                SAML2Utils.bundle.getString("invalidSSOToken"));
153        }
154        
155        if (SAML2Utils.debug.messageEnabled()) {
156            SAML2Utils.debug.message(
157                "NameIDMapping.initiateNameMappingRequest:" +
158                " IDP EntityID is : " + idpEntityID);
159            SAML2Utils.debug.message(
160                "NameIDMapping.initiateNameMappingRequest:" +
161                " SP HOST EntityID is : " + spEntityID); 
162            SAML2Utils.debug.message(
163                "NameIDMapping.initiateNameMappingRequest:" +
164                " target SP EntityID is : " + targetSPEntityID); 
165        }
166        
167        try {
168            // nameIDMappingService
169            String binding = 
170                SAML2Utils.getParameter(paramsMap, SAML2Constants.BINDING); 
171            if (binding == null) {
172                binding = SAML2Constants.SOAP;
173            } else if (!binding.equals(SAML2Constants.SOAP)) {
174                throw new SAML2Exception(
175                    SAML2Utils.bundle.getString("nimServiceBindingUnsupport"));
176            }
177
178            String nimURL = SAML2Utils.getParameter(paramsMap,
179                "nimURL");
180            if (nimURL == null) {
181                NameIDMappingServiceElement nameIDMappingService =
182                    getNameIDMappingService(realm, idpEntityID, binding);
183
184                if (nameIDMappingService != null) {
185                    nimURL = nameIDMappingService.getLocation();
186                }
187            }
188            if (SAML2Utils.debug.messageEnabled()) {
189                SAML2Utils.debug.message(
190                    "NameIDMapping.initiateNameMappingRequest:" +
191                    " nimURL" + nimURL);
192            }
193
194            if (nimURL == null) {
195                throw new SAML2Exception(
196                    SAML2Utils.bundle.getString("nimServiceNotFound"));
197            }
198
199            NameIDMappingRequest nimRequest = createNameIDMappingRequest(
200                userID, realm, spEntityID, idpEntityID, nimURL,
201                targetSPEntityID, targetNameIDFormat);
202
203            signNIMRequest(nimRequest, realm, spEntityID, false);
204
205            BaseConfigType config = metaManager.getIDPSSOConfig(realm,
206                idpEntityID);
207
208            nimURL = SAML2SDKUtils.fillInBasicAuthInfo(config, nimURL);
209
210            return doNIMBySOAP(nimRequest.toXMLString(true,true), nimURL, 
211                realm, spEntityID);
212
213        } catch (SAML2MetaException sme) {
214            throw new SAML2Exception(
215                SAML2Utils.bundle.getString("metaDataError"));            
216        }
217    }
218    
219    public static NameIDMappingResponse processNameIDMappingRequest(
220        NameIDMappingRequest nimRequest, String realm, String idpEntityID)
221        throws SAML2Exception {
222
223        NameIDMappingResponse nimResponse = null;
224        String spEntityID = nimRequest.getIssuer().getValue();
225        if (spEntityID == null)  {
226            throw new SAML2Exception(
227                SAML2Utils.bundle.getString("nullSPEntityID"));
228        }
229
230        String responseID = SAML2Utils.generateID();
231        if (responseID == null) {
232            SAML2Utils.debug.error(
233                SAML2Utils.bundle.getString("failedToGenResponseID"));
234        }
235        nimResponse = pf.createNameIDMappingResponse();
236        nimResponse.setID(responseID);
237        nimResponse.setInResponseTo(nimRequest.getID());
238        nimResponse.setVersion(SAML2Constants.VERSION_2_0);
239        nimResponse.setIssueInstant(newDate());
240        nimResponse.setIssuer(SAML2Utils.createIssuer(idpEntityID)); 
241
242        SAML2Utils.verifyRequestIssuer(realm, idpEntityID,
243            nimRequest.getIssuer(), nimRequest.getID());
244
245
246        NameIDPolicy nameIDPolicy = nimRequest.getNameIDPolicy();
247        String targetSPEntityID = nameIDPolicy.getSPNameQualifier();
248        String format = nameIDPolicy.getFormat();
249
250        Status status = null;
251
252        if ((format != null) && (format.length() != 0) &&
253            (!format.equals(SAML2Constants.PERSISTENT)) &&
254            (!format.equals(SAML2Constants.UNSPECIFIED))) {
255
256            nimResponse.setNameID(nimRequest.getNameID());
257            nimResponse.setEncryptedID(nimRequest.getEncryptedID());
258            status = SAML2Utils.generateStatus(
259            SAML2Constants.INVALID_NAME_ID_POLICY,
260                 SAML2Utils.bundle.getString("targetNameIDFormatUnsupported"));
261        } else if ((targetSPEntityID == null) ||
262            (targetSPEntityID.length() == 0) ||
263            targetSPEntityID.equals(spEntityID)) {
264
265            nimResponse.setNameID(nimRequest.getNameID());
266            nimResponse.setEncryptedID(nimRequest.getEncryptedID());
267            status = SAML2Utils.generateStatus(
268                SAML2Constants.INVALID_NAME_ID_POLICY,
269                SAML2Utils.bundle.getString("targetNameIDNoChange"));
270        } else {
271            // check if source SP has account fed
272            // if yes then get nameid of targetSP
273            IDPAccountMapper idpAcctMapper = SAML2Utils.getIDPAccountMapper(
274                realm, idpEntityID);
275
276            NameID nameID = getNameID(nimRequest, realm, idpEntityID);
277            String userID = idpAcctMapper.getIdentity(nameID, idpEntityID,
278                spEntityID, realm);
279            NameIDInfo targetNameIDInfo = null;
280            if (userID != null) {
281                targetNameIDInfo = AccountUtils.getAccountFederation(userID,
282                    idpEntityID, targetSPEntityID);
283            }
284            if (targetNameIDInfo == null) {
285                nimResponse.setNameID(nimRequest.getNameID());
286                nimResponse.setEncryptedID(nimRequest.getEncryptedID());
287                status = SAML2Utils.generateStatus(
288                    SAML2Constants.INVALID_NAME_ID_POLICY,
289                    SAML2Utils.bundle.getString("targetNameIDNotFound"));
290            } else {
291                NameID targetSPNameID = targetNameIDInfo.getNameID();
292                if (SAML2Utils.debug.messageEnabled()) {
293                    SAML2Utils.debug.message(
294                        "NameIDMapping.processNameIDMappingRequest: " +
295                        "User ID = " + userID + ", name ID = " +
296                        targetSPNameID.toXMLString(true,true));
297                }
298
299                nimResponse.setEncryptedID(getEncryptedID(targetSPNameID,
300                    realm, spEntityID, SAML2Constants.SP_ROLE));
301                status = SAML2Utils.generateStatus(
302                    SAML2Constants.SUCCESS, null);
303            }
304        }
305
306        nimResponse.setStatus(status);
307        signNIMResponse(nimResponse, realm, idpEntityID, false);
308
309        return nimResponse;
310    }
311    
312    static private NameIDMappingRequest createNameIDMappingRequest(
313        String userID, String realm, String spEntityID, String idpEntityID,
314        String destination, String targetSPEntityID, String targetNameIDFormat)
315        throws SAML2Exception {
316
317        if (SAML2Utils.debug.messageEnabled()) {
318            SAML2Utils.debug.message(
319                "NameIDMapping.createNameIDMappingRequest: User ID : " +
320                userID);
321        }
322        
323        NameIDMappingRequest nimRequest = pf.createNameIDMappingRequest();
324        
325        nimRequest.setID(SAML2Utils.generateID());
326        nimRequest.setVersion(SAML2Constants.VERSION_2_0);
327        nimRequest.setDestination(XMLUtils.escapeSpecialCharacters(
328            destination));
329        nimRequest.setIssuer(SAML2Utils.createIssuer(spEntityID));
330        nimRequest.setIssueInstant(newDate());
331
332        setNameIDForNIMRequest(nimRequest, realm, spEntityID, idpEntityID,
333            targetSPEntityID, targetNameIDFormat, userID);
334        return nimRequest;
335    }
336
337    static private NameIDMappingResponse doNIMBySOAP(
338        String nimRequestXMLString, String nimURL, String realm,
339        String spEntityID) throws SAML2Exception {
340
341        if (SAML2Utils.debug.messageEnabled()) {
342            SAML2Utils.debug.message("NameIDMapping.doNIMBySOAP: " +
343                "NIMRequestXMLString : " + nimRequestXMLString);
344            SAML2Utils.debug.message("NameIDMapping.doNIMBySOAP: " +
345                "NIMRedirectURL : " + nimURL);
346        }
347        
348        SOAPMessage resMsg = null;
349        try {
350            resMsg = SOAPCommunicator.getInstance().sendSOAPMessage(nimRequestXMLString, nimURL,
351                    true);
352        } catch (SOAPException se) {
353            SAML2Utils.debug.error("NameIDMapping.doNIMBySOAP: ", se);
354            throw new SAML2Exception(SAML2Utils.bundle.getString(
355                "invalidSOAPMessge"));
356        }
357
358        Element nimRespElem = SOAPCommunicator.getInstance().getSamlpElement(resMsg,
359                SAML2Constants.NAME_ID_MAPPING_RESPONSE);
360        NameIDMappingResponse nimResponse = 
361             pf.createNameIDMappingResponse(nimRespElem);
362        
363        if (SAML2Utils.debug.messageEnabled()) {
364            SAML2Utils.debug.message("NameIDMapping.doNIMBySOAP: " +
365                "NameIDMappingResponse without SOAP envelope:\n" +
366                nimResponse.toXMLString(true,true));
367        }
368
369
370        String idpEntityID = nimResponse.getIssuer().getValue();
371        Issuer resIssuer = nimResponse.getIssuer();
372        String requestId = nimResponse.getInResponseTo();
373        SAML2Utils.verifyResponseIssuer(realm, spEntityID, resIssuer,
374            requestId);
375                    
376        if (!verifyNIMResponse(nimResponse, realm, idpEntityID)) {
377            throw new SAML2Exception(
378                SAML2Utils.bundle.getString("invalidSignInResponse"));
379        }
380
381        return nimResponse;
382    }
383
384    static private void setNameIDForNIMRequest(NameIDMappingRequest nimRequest,
385        String realm, String spEntityID, String idpEntityID,
386        String targetSPEntityID, String targetNameIDFormat, String userID)
387        throws SAML2Exception {
388
389        if (SAML2Utils.debug.messageEnabled()) {
390            SAML2Utils.debug.message("NameIDMapping.setNameIDForNIMRequest: " +
391                "user ID = " + userID);
392        }
393
394        NameID nameID = AssertionFactory.getInstance().createNameID();
395        NameIDInfo info = AccountUtils.getAccountFederation(userID, spEntityID,
396            idpEntityID);
397        nameID.setValue(info.getNameIDValue());
398        nameID.setFormat(info.getFormat());
399        nameID.setNameQualifier(idpEntityID);
400        nameID.setSPNameQualifier(spEntityID);
401
402        NameIDPolicy nameIDPolicy =
403            ProtocolFactory.getInstance().createNameIDPolicy();
404        nameIDPolicy.setSPNameQualifier(targetSPEntityID);
405        nameIDPolicy.setFormat(targetNameIDFormat);
406        nimRequest.setNameIDPolicy(nameIDPolicy);
407
408        boolean needEncryptIt = SAML2Utils.getWantNameIDEncrypted(realm,
409            idpEntityID, SAML2Constants.IDP_ROLE);
410        if (!needEncryptIt) {
411            if (SAML2Utils.debug.messageEnabled()) {
412                SAML2Utils.debug.message(
413                    "NameIDMapping.setNameIDForNIMRequest: "  +
414                    "NamID doesn't need to be encrypted.");
415            }
416            nimRequest.setNameID(nameID);
417            return;
418        }
419        
420        EncryptedID encryptedID = getEncryptedID(nameID, realm, idpEntityID,
421            SAML2Constants.IDP_ROLE);
422
423        nimRequest.setEncryptedID(encryptedID);
424    }    
425
426    /**
427     * Returns first NameIDMappingService matching specified binding in an
428     * entity under the realm.
429     *
430     * @param realm The realm under which the entity resides.
431     * @param entityId ID of the entity to be retrieved.
432     * @param binding bind type need to has to be matched.
433     * @return <code>ManageNameIDServiceElement</code> for the entity or null
434     * @throws SAML2MetaException if unable to retrieve the first identity
435     *     provider's SSO configuration.
436     * @throws SessionException invalid or expired single-sign-on session
437     */
438    static public NameIDMappingServiceElement getNameIDMappingService(
439        String realm, String entityId, String binding)
440        throws SAML2MetaException {
441
442
443        IDPSSODescriptorElement idpSSODesc = metaManager.getIDPSSODescriptor(
444            realm, entityId);
445        if (idpSSODesc == null) {
446            SAML2Utils.debug.error(SAML2Utils.bundle.getString("noIDPEntry"));
447            return null;
448        }
449
450        List list = idpSSODesc.getNameIDMappingService();
451
452        NameIDMappingServiceElement nimService = null;
453        if ((list != null) && !list.isEmpty()) {
454            if (binding == null) {
455                return (NameIDMappingServiceElement)list.get(0);
456            }
457            Iterator it = list.iterator();
458            while (it.hasNext()) {
459                nimService = (NameIDMappingServiceElement)it.next();  
460                if (binding.equalsIgnoreCase(nimService.getBinding())) {
461                    return nimService;
462                }
463            }
464        }
465        return null;
466    }
467        
468    static EncryptedID getEncryptedID(NameID nameID, String realm,
469        String entityID, String role) throws SAML2Exception {
470
471        RoleDescriptorType roled = null;
472
473        if (role.equals(SAML2Constants.SP_ROLE)) {
474            roled = metaManager.getSPSSODescriptor(realm, entityID);
475        } else {
476            roled = metaManager.getIDPSSODescriptor(realm, entityID);
477        }
478
479        EncInfo encInfo = KeyUtil.getEncInfo(roled, entityID, role);
480        
481        if (encInfo == null) {
482            throw new SAML2Exception(
483                SAML2Utils.bundle.getString("UnableToFindEncryptKeyInfo"));
484        }
485        
486        EncryptedID encryptedID = nameID.encrypt(encInfo.getWrappingKey(), 
487            encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(),
488            entityID);
489
490        return encryptedID;
491    }    
492
493    private static void signNIMRequest(NameIDMappingRequest nimRequest, 
494        String realm, String spEntityID, boolean includeCert)
495        throws SAML2Exception {
496
497        String alias = SAML2Utils.getSigningCertAlias(realm, spEntityID,
498            SAML2Constants.SP_ROLE);
499        
500        if (SAML2Utils.debug.messageEnabled()) {
501            SAML2Utils.debug.message("NameIDMapping.signNIMRequest: " +
502                "Cert Alias is : " + alias);
503            SAML2Utils.debug.message("NameIDMapping.signNIMRequest: " +
504                "NIMRequest before sign : " +
505                nimRequest.toXMLString(true, true));
506        }
507        PrivateKey signingKey = keyProvider.getPrivateKey(alias);
508        X509Certificate signingCert = null;
509        if (includeCert) {
510            signingCert = keyProvider.getX509Certificate(alias);
511        }
512        
513        if (signingKey != null) {
514            nimRequest.sign(signingKey, signingCert);
515        } else {
516            throw new SAML2Exception(
517                SAML2Utils.bundle.getString("missingSigningCertAlias"));
518        }
519        
520        if (SAML2Utils.debug.messageEnabled()) {
521            SAML2Utils.debug.message("NameIDMapping.signNIMRequest: " +
522                "NIMRequest after sign : " +
523                nimRequest.toXMLString(true, true));
524        }
525    }
526
527    static void signNIMResponse(NameIDMappingResponse nimResponse,
528        String realm, String idpEntityID, boolean includeCert)
529        throws SAML2Exception {
530
531        String alias = SAML2Utils.getSigningCertAlias(realm, idpEntityID,
532            SAML2Constants.IDP_ROLE);
533        if (SAML2Utils.debug.messageEnabled()) {
534            SAML2Utils.debug.message("NameIDMapping.signNIMResponse: " +
535                realm);
536            SAML2Utils.debug.message("NameIDMapping.signNIMResponse: " +
537                idpEntityID);
538            SAML2Utils.debug.message("NameIDMapping.signNIMResponse: " +
539                alias);
540
541        }
542
543        String encryptedKeyPass =
544                SAML2Utils.getSigningCertEncryptedKeyPass(realm, idpEntityID, SAML2Constants.IDP_ROLE);
545        PrivateKey signingKey;
546        if (encryptedKeyPass == null || encryptedKeyPass.isEmpty()) {
547            signingKey = keyProvider.getPrivateKey(alias);
548        } else {
549            signingKey = keyProvider.getPrivateKey(alias, encryptedKeyPass);
550        }
551        X509Certificate signingCert = null;
552        if (includeCert) {
553            signingCert = keyProvider.getX509Certificate(alias);
554        }
555
556        if (signingKey != null) {
557            nimResponse.sign(signingKey, signingCert); 
558        } else {
559            SAML2Utils.debug.error("NameIDMapping.signNIMResponse: " +
560                "Incorrect configuration for Signing Certificate.");
561            throw new SAML2Exception(
562                SAML2Utils.bundle.getString("metaDataError"));
563        }
564
565    }
566
567    private static boolean verifyNIMResponse(NameIDMappingResponse nimResponse,
568        String realm, String idpEntityID) throws SAML2Exception {
569
570        IDPSSODescriptorElement idpSSODesc = metaManager.getIDPSSODescriptor(
571            realm, idpEntityID);
572        Set<X509Certificate> signingCerts = KeyUtil.getVerificationCerts(idpSSODesc, idpEntityID,
573                SAML2Constants.IDP_ROLE);
574        
575        if (!signingCerts.isEmpty()) {
576            boolean valid = nimResponse.isSignatureValid(signingCerts);
577            if (SAML2Utils.debug.messageEnabled()) {
578                SAML2Utils.debug.message("NameIDMapping.verifyNIMResponse: " +
579                    "Signature is : " + valid);
580            }
581            return valid;
582        } else {
583            throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias"));
584        }
585    }
586
587    private static NameID getNameID(NameIDMappingRequest nimRequest, String realm, String idpEntityID) {
588        NameID nameID = nimRequest.getNameID();
589        if (nameID == null) {
590            EncryptedID encryptedID = nimRequest.getEncryptedID();
591            try {
592                final IDPSSOConfigElement idpSsoConfig = metaManager.getIDPSSOConfig(realm, idpEntityID);
593                nameID = encryptedID.decrypt(KeyUtil.getDecryptionKeys(idpSsoConfig));
594            } catch (SAML2Exception ex) {
595                if (SAML2Utils.debug.messageEnabled()) {
596                    SAML2Utils.debug.message("NameIDMapping.getNameID:", ex);
597                }
598                return null;
599            }
600        }
601
602        if (!SAML2Utils.isPersistentNameID(nameID)) {
603            return null;
604        }
605
606        return nameID;
607    }
608}