001/* 002 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. 003 * 004 * Copyright (c) 2008 Sun Microsystems Inc. All Rights Reserved 005 * 006 * The contents of this file are subject to the terms 007 * of the Common Development and Distribution License 008 * (the License). You may not use this file except in 009 * compliance with the License. 010 * 011 * You can obtain a copy of the License at 012 * https://opensso.dev.java.net/public/CDDLv1.0.html or 013 * opensso/legal/CDDLv1.0.txt 014 * See the License for the specific language governing 015 * permission and limitations under the License. 016 * 017 * When distributing Covered Code, include this CDDL 018 * Header Notice in each file and include the License file 019 * at opensso/legal/CDDLv1.0.txt. 020 * If applicable, add the following below the CDDL Header, 021 * with the fields enclosed by brackets [] replaced by 022 * your own identifying information: 023 * "Portions Copyrighted [year] [name of copyright owner]" 024 * 025 * $Id: NameIDMapping.java,v 1.6 2009/11/20 21:41:16 exu Exp $ 026 * 027 * Portions Copyrighted 2013-2016 ForgeRock AS. 028 */ 029package com.sun.identity.saml2.profile; 030 031import static org.forgerock.openam.utils.Time.*; 032 033import java.security.PrivateKey; 034import java.security.cert.X509Certificate; 035import java.util.Date; 036import java.util.Iterator; 037import java.util.List; 038import java.util.Map; 039import java.util.Set; 040import javax.xml.soap.SOAPException; 041import javax.xml.soap.SOAPMessage; 042 043import com.sun.identity.saml2.common.SOAPCommunicator; 044import com.sun.identity.saml2.jaxb.entityconfig.IDPSSOConfigElement; 045import org.w3c.dom.Element; 046 047import com.sun.identity.plugin.session.SessionException; 048import com.sun.identity.plugin.session.SessionManager; 049import com.sun.identity.plugin.session.SessionProvider; 050import com.sun.identity.saml.xmlsig.KeyProvider; 051import com.sun.identity.saml2.assertion.AssertionFactory; 052import com.sun.identity.saml2.assertion.EncryptedID; 053import com.sun.identity.saml2.assertion.Issuer; 054import com.sun.identity.saml2.assertion.NameID; 055import com.sun.identity.saml2.common.AccountUtils; 056import com.sun.identity.saml2.common.NameIDInfo; 057import com.sun.identity.saml2.common.SAML2Constants; 058import com.sun.identity.saml2.common.SAML2Exception; 059import com.sun.identity.saml2.common.SAML2SDKUtils; 060import com.sun.identity.saml2.common.SAML2Utils; 061import com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType; 062import com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement; 063import com.sun.identity.saml2.jaxb.metadata.NameIDMappingServiceElement; 064import com.sun.identity.saml2.jaxb.metadata.RoleDescriptorType; 065import com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement; 066import com.sun.identity.saml2.key.EncInfo; 067import com.sun.identity.saml2.key.KeyUtil; 068import com.sun.identity.saml2.meta.SAML2MetaException; 069import com.sun.identity.saml2.meta.SAML2MetaManager; 070import com.sun.identity.saml2.plugins.IDPAccountMapper; 071import com.sun.identity.saml2.protocol.NameIDMappingRequest; 072import com.sun.identity.saml2.protocol.NameIDMappingResponse; 073import com.sun.identity.saml2.protocol.NameIDPolicy; 074import com.sun.identity.saml2.protocol.ProtocolFactory; 075import com.sun.identity.saml2.protocol.Status; 076 077import com.sun.identity.shared.xml.XMLUtils; 078 079/** 080 * This class provides methods to send or process 081 * <code>NameIDMappingRequest</code>. 082 * 083 * @supported.api 084 */ 085 086public class NameIDMapping { 087 static ProtocolFactory pf = ProtocolFactory.getInstance(); 088 static AssertionFactory af = AssertionFactory.getInstance(); 089 static SAML2MetaManager metaManager = null; 090 static KeyProvider keyProvider = KeyUtil.getKeyProviderInstance(); 091 092 static SessionProvider sessionProvider = null; 093 094 static { 095 try { 096 metaManager= new SAML2MetaManager(); 097 sessionProvider = SessionManager.getProvider(); 098 } catch (SAML2MetaException se) { 099 SAML2Utils.debug.error(SAML2Utils.bundle.getString( 100 "errorMetaManager"), se); 101 } catch (SessionException sessE) { 102 SAML2Utils.debug.error("Error retrieving session provider.", sessE); 103 } 104 } 105 106 /** 107 * Parses the request parameters and builds the NameIDMappingRequest to 108 * sent to remote identity provider. 109 * 110 * @param session user session. 111 * @param realm the realm of hosted entity 112 * @param spEntityID entity ID of hosted service provider 113 * @param idpEntityID entity ID of remote idendity provider 114 * @param targetSPEntityID entity ID of target entity ID of service 115 * provider 116 * @param targetNameIDFormat format of target Name ID 117 * @param paramsMap Map of all other parameters 118 * 119 * @return the <code>NameIDMappingResponse</code> 120 * @throws SAML2Exception if error initiating request to remote entity. 121 * 122 * @supported.api 123 */ 124 public static NameIDMappingResponse initiateNameIDMappingRequest( 125 Object session, String realm, String spEntityID, String idpEntityID, 126 String targetSPEntityID, String targetNameIDFormat, 127 Map paramsMap) throws SAML2Exception { 128 129 if (spEntityID == null) { 130 throw new SAML2Exception( 131 SAML2Utils.bundle.getString("nullSPEntityID")); 132 } 133 134 if (idpEntityID == null) { 135 throw new SAML2Exception( 136 SAML2Utils.bundle.getString("nullIDPEntityID")); 137 } 138 139 String userID = null; 140 141 try { 142 userID = sessionProvider.getPrincipalName(session); 143 } catch (SessionException e) { 144 if (SAML2Utils.debug.messageEnabled()) { 145 SAML2Utils.debug.message( 146 "NameIDMapping.createNameIDMappingRequest: ", e); 147 } 148 } 149 150 if (userID == null) { 151 throw new SAML2Exception( 152 SAML2Utils.bundle.getString("invalidSSOToken")); 153 } 154 155 if (SAML2Utils.debug.messageEnabled()) { 156 SAML2Utils.debug.message( 157 "NameIDMapping.initiateNameMappingRequest:" + 158 " IDP EntityID is : " + idpEntityID); 159 SAML2Utils.debug.message( 160 "NameIDMapping.initiateNameMappingRequest:" + 161 " SP HOST EntityID is : " + spEntityID); 162 SAML2Utils.debug.message( 163 "NameIDMapping.initiateNameMappingRequest:" + 164 " target SP EntityID is : " + targetSPEntityID); 165 } 166 167 try { 168 // nameIDMappingService 169 String binding = 170 SAML2Utils.getParameter(paramsMap, SAML2Constants.BINDING); 171 if (binding == null) { 172 binding = SAML2Constants.SOAP; 173 } else if (!binding.equals(SAML2Constants.SOAP)) { 174 throw new SAML2Exception( 175 SAML2Utils.bundle.getString("nimServiceBindingUnsupport")); 176 } 177 178 String nimURL = SAML2Utils.getParameter(paramsMap, 179 "nimURL"); 180 if (nimURL == null) { 181 NameIDMappingServiceElement nameIDMappingService = 182 getNameIDMappingService(realm, idpEntityID, binding); 183 184 if (nameIDMappingService != null) { 185 nimURL = nameIDMappingService.getLocation(); 186 } 187 } 188 if (SAML2Utils.debug.messageEnabled()) { 189 SAML2Utils.debug.message( 190 "NameIDMapping.initiateNameMappingRequest:" + 191 " nimURL" + nimURL); 192 } 193 194 if (nimURL == null) { 195 throw new SAML2Exception( 196 SAML2Utils.bundle.getString("nimServiceNotFound")); 197 } 198 199 NameIDMappingRequest nimRequest = createNameIDMappingRequest( 200 userID, realm, spEntityID, idpEntityID, nimURL, 201 targetSPEntityID, targetNameIDFormat); 202 203 signNIMRequest(nimRequest, realm, spEntityID, false); 204 205 BaseConfigType config = metaManager.getIDPSSOConfig(realm, 206 idpEntityID); 207 208 nimURL = SAML2SDKUtils.fillInBasicAuthInfo(config, nimURL); 209 210 return doNIMBySOAP(nimRequest.toXMLString(true,true), nimURL, 211 realm, spEntityID); 212 213 } catch (SAML2MetaException sme) { 214 throw new SAML2Exception( 215 SAML2Utils.bundle.getString("metaDataError")); 216 } 217 } 218 219 public static NameIDMappingResponse processNameIDMappingRequest( 220 NameIDMappingRequest nimRequest, String realm, String idpEntityID) 221 throws SAML2Exception { 222 223 NameIDMappingResponse nimResponse = null; 224 String spEntityID = nimRequest.getIssuer().getValue(); 225 if (spEntityID == null) { 226 throw new SAML2Exception( 227 SAML2Utils.bundle.getString("nullSPEntityID")); 228 } 229 230 String responseID = SAML2Utils.generateID(); 231 if (responseID == null) { 232 SAML2Utils.debug.error( 233 SAML2Utils.bundle.getString("failedToGenResponseID")); 234 } 235 nimResponse = pf.createNameIDMappingResponse(); 236 nimResponse.setID(responseID); 237 nimResponse.setInResponseTo(nimRequest.getID()); 238 nimResponse.setVersion(SAML2Constants.VERSION_2_0); 239 nimResponse.setIssueInstant(newDate()); 240 nimResponse.setIssuer(SAML2Utils.createIssuer(idpEntityID)); 241 242 SAML2Utils.verifyRequestIssuer(realm, idpEntityID, 243 nimRequest.getIssuer(), nimRequest.getID()); 244 245 246 NameIDPolicy nameIDPolicy = nimRequest.getNameIDPolicy(); 247 String targetSPEntityID = nameIDPolicy.getSPNameQualifier(); 248 String format = nameIDPolicy.getFormat(); 249 250 Status status = null; 251 252 if ((format != null) && (format.length() != 0) && 253 (!format.equals(SAML2Constants.PERSISTENT)) && 254 (!format.equals(SAML2Constants.UNSPECIFIED))) { 255 256 nimResponse.setNameID(nimRequest.getNameID()); 257 nimResponse.setEncryptedID(nimRequest.getEncryptedID()); 258 status = SAML2Utils.generateStatus( 259 SAML2Constants.INVALID_NAME_ID_POLICY, 260 SAML2Utils.bundle.getString("targetNameIDFormatUnsupported")); 261 } else if ((targetSPEntityID == null) || 262 (targetSPEntityID.length() == 0) || 263 targetSPEntityID.equals(spEntityID)) { 264 265 nimResponse.setNameID(nimRequest.getNameID()); 266 nimResponse.setEncryptedID(nimRequest.getEncryptedID()); 267 status = SAML2Utils.generateStatus( 268 SAML2Constants.INVALID_NAME_ID_POLICY, 269 SAML2Utils.bundle.getString("targetNameIDNoChange")); 270 } else { 271 // check if source SP has account fed 272 // if yes then get nameid of targetSP 273 IDPAccountMapper idpAcctMapper = SAML2Utils.getIDPAccountMapper( 274 realm, idpEntityID); 275 276 NameID nameID = getNameID(nimRequest, realm, idpEntityID); 277 String userID = idpAcctMapper.getIdentity(nameID, idpEntityID, 278 spEntityID, realm); 279 NameIDInfo targetNameIDInfo = null; 280 if (userID != null) { 281 targetNameIDInfo = AccountUtils.getAccountFederation(userID, 282 idpEntityID, targetSPEntityID); 283 } 284 if (targetNameIDInfo == null) { 285 nimResponse.setNameID(nimRequest.getNameID()); 286 nimResponse.setEncryptedID(nimRequest.getEncryptedID()); 287 status = SAML2Utils.generateStatus( 288 SAML2Constants.INVALID_NAME_ID_POLICY, 289 SAML2Utils.bundle.getString("targetNameIDNotFound")); 290 } else { 291 NameID targetSPNameID = targetNameIDInfo.getNameID(); 292 if (SAML2Utils.debug.messageEnabled()) { 293 SAML2Utils.debug.message( 294 "NameIDMapping.processNameIDMappingRequest: " + 295 "User ID = " + userID + ", name ID = " + 296 targetSPNameID.toXMLString(true,true)); 297 } 298 299 nimResponse.setEncryptedID(getEncryptedID(targetSPNameID, 300 realm, spEntityID, SAML2Constants.SP_ROLE)); 301 status = SAML2Utils.generateStatus( 302 SAML2Constants.SUCCESS, null); 303 } 304 } 305 306 nimResponse.setStatus(status); 307 signNIMResponse(nimResponse, realm, idpEntityID, false); 308 309 return nimResponse; 310 } 311 312 static private NameIDMappingRequest createNameIDMappingRequest( 313 String userID, String realm, String spEntityID, String idpEntityID, 314 String destination, String targetSPEntityID, String targetNameIDFormat) 315 throws SAML2Exception { 316 317 if (SAML2Utils.debug.messageEnabled()) { 318 SAML2Utils.debug.message( 319 "NameIDMapping.createNameIDMappingRequest: User ID : " + 320 userID); 321 } 322 323 NameIDMappingRequest nimRequest = pf.createNameIDMappingRequest(); 324 325 nimRequest.setID(SAML2Utils.generateID()); 326 nimRequest.setVersion(SAML2Constants.VERSION_2_0); 327 nimRequest.setDestination(XMLUtils.escapeSpecialCharacters( 328 destination)); 329 nimRequest.setIssuer(SAML2Utils.createIssuer(spEntityID)); 330 nimRequest.setIssueInstant(newDate()); 331 332 setNameIDForNIMRequest(nimRequest, realm, spEntityID, idpEntityID, 333 targetSPEntityID, targetNameIDFormat, userID); 334 return nimRequest; 335 } 336 337 static private NameIDMappingResponse doNIMBySOAP( 338 String nimRequestXMLString, String nimURL, String realm, 339 String spEntityID) throws SAML2Exception { 340 341 if (SAML2Utils.debug.messageEnabled()) { 342 SAML2Utils.debug.message("NameIDMapping.doNIMBySOAP: " + 343 "NIMRequestXMLString : " + nimRequestXMLString); 344 SAML2Utils.debug.message("NameIDMapping.doNIMBySOAP: " + 345 "NIMRedirectURL : " + nimURL); 346 } 347 348 SOAPMessage resMsg = null; 349 try { 350 resMsg = SOAPCommunicator.getInstance().sendSOAPMessage(nimRequestXMLString, nimURL, 351 true); 352 } catch (SOAPException se) { 353 SAML2Utils.debug.error("NameIDMapping.doNIMBySOAP: ", se); 354 throw new SAML2Exception(SAML2Utils.bundle.getString( 355 "invalidSOAPMessge")); 356 } 357 358 Element nimRespElem = SOAPCommunicator.getInstance().getSamlpElement(resMsg, 359 SAML2Constants.NAME_ID_MAPPING_RESPONSE); 360 NameIDMappingResponse nimResponse = 361 pf.createNameIDMappingResponse(nimRespElem); 362 363 if (SAML2Utils.debug.messageEnabled()) { 364 SAML2Utils.debug.message("NameIDMapping.doNIMBySOAP: " + 365 "NameIDMappingResponse without SOAP envelope:\n" + 366 nimResponse.toXMLString(true,true)); 367 } 368 369 370 String idpEntityID = nimResponse.getIssuer().getValue(); 371 Issuer resIssuer = nimResponse.getIssuer(); 372 String requestId = nimResponse.getInResponseTo(); 373 SAML2Utils.verifyResponseIssuer(realm, spEntityID, resIssuer, 374 requestId); 375 376 if (!verifyNIMResponse(nimResponse, realm, idpEntityID)) { 377 throw new SAML2Exception( 378 SAML2Utils.bundle.getString("invalidSignInResponse")); 379 } 380 381 return nimResponse; 382 } 383 384 static private void setNameIDForNIMRequest(NameIDMappingRequest nimRequest, 385 String realm, String spEntityID, String idpEntityID, 386 String targetSPEntityID, String targetNameIDFormat, String userID) 387 throws SAML2Exception { 388 389 if (SAML2Utils.debug.messageEnabled()) { 390 SAML2Utils.debug.message("NameIDMapping.setNameIDForNIMRequest: " + 391 "user ID = " + userID); 392 } 393 394 NameID nameID = AssertionFactory.getInstance().createNameID(); 395 NameIDInfo info = AccountUtils.getAccountFederation(userID, spEntityID, 396 idpEntityID); 397 nameID.setValue(info.getNameIDValue()); 398 nameID.setFormat(info.getFormat()); 399 nameID.setNameQualifier(idpEntityID); 400 nameID.setSPNameQualifier(spEntityID); 401 402 NameIDPolicy nameIDPolicy = 403 ProtocolFactory.getInstance().createNameIDPolicy(); 404 nameIDPolicy.setSPNameQualifier(targetSPEntityID); 405 nameIDPolicy.setFormat(targetNameIDFormat); 406 nimRequest.setNameIDPolicy(nameIDPolicy); 407 408 boolean needEncryptIt = SAML2Utils.getWantNameIDEncrypted(realm, 409 idpEntityID, SAML2Constants.IDP_ROLE); 410 if (!needEncryptIt) { 411 if (SAML2Utils.debug.messageEnabled()) { 412 SAML2Utils.debug.message( 413 "NameIDMapping.setNameIDForNIMRequest: " + 414 "NamID doesn't need to be encrypted."); 415 } 416 nimRequest.setNameID(nameID); 417 return; 418 } 419 420 EncryptedID encryptedID = getEncryptedID(nameID, realm, idpEntityID, 421 SAML2Constants.IDP_ROLE); 422 423 nimRequest.setEncryptedID(encryptedID); 424 } 425 426 /** 427 * Returns first NameIDMappingService matching specified binding in an 428 * entity under the realm. 429 * 430 * @param realm The realm under which the entity resides. 431 * @param entityId ID of the entity to be retrieved. 432 * @param binding bind type need to has to be matched. 433 * @return <code>ManageNameIDServiceElement</code> for the entity or null 434 * @throws SAML2MetaException if unable to retrieve the first identity 435 * provider's SSO configuration. 436 * @throws SessionException invalid or expired single-sign-on session 437 */ 438 static public NameIDMappingServiceElement getNameIDMappingService( 439 String realm, String entityId, String binding) 440 throws SAML2MetaException { 441 442 443 IDPSSODescriptorElement idpSSODesc = metaManager.getIDPSSODescriptor( 444 realm, entityId); 445 if (idpSSODesc == null) { 446 SAML2Utils.debug.error(SAML2Utils.bundle.getString("noIDPEntry")); 447 return null; 448 } 449 450 List list = idpSSODesc.getNameIDMappingService(); 451 452 NameIDMappingServiceElement nimService = null; 453 if ((list != null) && !list.isEmpty()) { 454 if (binding == null) { 455 return (NameIDMappingServiceElement)list.get(0); 456 } 457 Iterator it = list.iterator(); 458 while (it.hasNext()) { 459 nimService = (NameIDMappingServiceElement)it.next(); 460 if (binding.equalsIgnoreCase(nimService.getBinding())) { 461 return nimService; 462 } 463 } 464 } 465 return null; 466 } 467 468 static EncryptedID getEncryptedID(NameID nameID, String realm, 469 String entityID, String role) throws SAML2Exception { 470 471 RoleDescriptorType roled = null; 472 473 if (role.equals(SAML2Constants.SP_ROLE)) { 474 roled = metaManager.getSPSSODescriptor(realm, entityID); 475 } else { 476 roled = metaManager.getIDPSSODescriptor(realm, entityID); 477 } 478 479 EncInfo encInfo = KeyUtil.getEncInfo(roled, entityID, role); 480 481 if (encInfo == null) { 482 throw new SAML2Exception( 483 SAML2Utils.bundle.getString("UnableToFindEncryptKeyInfo")); 484 } 485 486 EncryptedID encryptedID = nameID.encrypt(encInfo.getWrappingKey(), 487 encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), 488 entityID); 489 490 return encryptedID; 491 } 492 493 private static void signNIMRequest(NameIDMappingRequest nimRequest, 494 String realm, String spEntityID, boolean includeCert) 495 throws SAML2Exception { 496 497 String alias = SAML2Utils.getSigningCertAlias(realm, spEntityID, 498 SAML2Constants.SP_ROLE); 499 500 if (SAML2Utils.debug.messageEnabled()) { 501 SAML2Utils.debug.message("NameIDMapping.signNIMRequest: " + 502 "Cert Alias is : " + alias); 503 SAML2Utils.debug.message("NameIDMapping.signNIMRequest: " + 504 "NIMRequest before sign : " + 505 nimRequest.toXMLString(true, true)); 506 } 507 PrivateKey signingKey = keyProvider.getPrivateKey(alias); 508 X509Certificate signingCert = null; 509 if (includeCert) { 510 signingCert = keyProvider.getX509Certificate(alias); 511 } 512 513 if (signingKey != null) { 514 nimRequest.sign(signingKey, signingCert); 515 } else { 516 throw new SAML2Exception( 517 SAML2Utils.bundle.getString("missingSigningCertAlias")); 518 } 519 520 if (SAML2Utils.debug.messageEnabled()) { 521 SAML2Utils.debug.message("NameIDMapping.signNIMRequest: " + 522 "NIMRequest after sign : " + 523 nimRequest.toXMLString(true, true)); 524 } 525 } 526 527 static void signNIMResponse(NameIDMappingResponse nimResponse, 528 String realm, String idpEntityID, boolean includeCert) 529 throws SAML2Exception { 530 531 String alias = SAML2Utils.getSigningCertAlias(realm, idpEntityID, 532 SAML2Constants.IDP_ROLE); 533 if (SAML2Utils.debug.messageEnabled()) { 534 SAML2Utils.debug.message("NameIDMapping.signNIMResponse: " + 535 realm); 536 SAML2Utils.debug.message("NameIDMapping.signNIMResponse: " + 537 idpEntityID); 538 SAML2Utils.debug.message("NameIDMapping.signNIMResponse: " + 539 alias); 540 541 } 542 543 String encryptedKeyPass = 544 SAML2Utils.getSigningCertEncryptedKeyPass(realm, idpEntityID, SAML2Constants.IDP_ROLE); 545 PrivateKey signingKey; 546 if (encryptedKeyPass == null || encryptedKeyPass.isEmpty()) { 547 signingKey = keyProvider.getPrivateKey(alias); 548 } else { 549 signingKey = keyProvider.getPrivateKey(alias, encryptedKeyPass); 550 } 551 X509Certificate signingCert = null; 552 if (includeCert) { 553 signingCert = keyProvider.getX509Certificate(alias); 554 } 555 556 if (signingKey != null) { 557 nimResponse.sign(signingKey, signingCert); 558 } else { 559 SAML2Utils.debug.error("NameIDMapping.signNIMResponse: " + 560 "Incorrect configuration for Signing Certificate."); 561 throw new SAML2Exception( 562 SAML2Utils.bundle.getString("metaDataError")); 563 } 564 565 } 566 567 private static boolean verifyNIMResponse(NameIDMappingResponse nimResponse, 568 String realm, String idpEntityID) throws SAML2Exception { 569 570 IDPSSODescriptorElement idpSSODesc = metaManager.getIDPSSODescriptor( 571 realm, idpEntityID); 572 Set<X509Certificate> signingCerts = KeyUtil.getVerificationCerts(idpSSODesc, idpEntityID, 573 SAML2Constants.IDP_ROLE); 574 575 if (!signingCerts.isEmpty()) { 576 boolean valid = nimResponse.isSignatureValid(signingCerts); 577 if (SAML2Utils.debug.messageEnabled()) { 578 SAML2Utils.debug.message("NameIDMapping.verifyNIMResponse: " + 579 "Signature is : " + valid); 580 } 581 return valid; 582 } else { 583 throw new SAML2Exception(SAML2Utils.bundle.getString("missingSigningCertAlias")); 584 } 585 } 586 587 private static NameID getNameID(NameIDMappingRequest nimRequest, String realm, String idpEntityID) { 588 NameID nameID = nimRequest.getNameID(); 589 if (nameID == null) { 590 EncryptedID encryptedID = nimRequest.getEncryptedID(); 591 try { 592 final IDPSSOConfigElement idpSsoConfig = metaManager.getIDPSSOConfig(realm, idpEntityID); 593 nameID = encryptedID.decrypt(KeyUtil.getDecryptionKeys(idpSsoConfig)); 594 } catch (SAML2Exception ex) { 595 if (SAML2Utils.debug.messageEnabled()) { 596 SAML2Utils.debug.message("NameIDMapping.getNameID:", ex); 597 } 598 return null; 599 } 600 } 601 602 if (!SAML2Utils.isPersistentNameID(nameID)) { 603 return null; 604 } 605 606 return nameID; 607 } 608}