Consolidating both protocols into a single subflow for "signin"
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/31c75529
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/31c75529
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/31c75529
Branch: refs/heads/master
Commit: 31c7552968565fea3fb0957ab84c03f21f11f279
Parents: 44633f3
Author: Colm O hEigeartaigh <[email protected]>
Authored: Wed Dec 14 11:01:05 2016 +0000
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Wed Dec 14 11:01:05 2016 +0000
----------------------------------------------------------------------
 .../webapp/WEB-INF/config/idp-core-servlet.xml | 3 +-
 .../WEB-INF/flows/federation-signin-request.xml | 173 -------------------
 .../WEB-INF/flows/saml-signin-request.xml | 172 ------------------
 .../WEB-INF/flows/saml-validate-request.xml | 5 +-
 .../webapp/WEB-INF/flows/signin-request.xml | 173 +++++++++++++++++++
 5 files changed, 177 insertions(+), 349 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/31c75529/services/idp/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/config/idp-core-servlet.xml b/services/idp/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
index 8a8760a..542360e 100644
--- a/services/idp/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
+++ b/services/idp/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
@@ -64,14 +64,13 @@
 <webflow:flow-location path="/WEB-INF/flows/federation-validate-request.xml" id="federation/up" />
 <webflow:flow-location path="/WEB-INF/flows/federation-validate-request.xml" id="federation/krb" />
 <webflow:flow-location path="/WEB-INF/flows/federation-validate-request.xml" id="federation/clientcert" />
- <webflow:flow-location path="/WEB-INF/flows/federation-signin-request.xml" id="signinRequest" />
 <webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml" />
 <webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml/up" />
 <webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml/krb" />
 <webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml/clientcert" />
- <webflow:flow-location path="/WEB-INF/flows/saml-signin-request.xml" id="signinSAMLRequest" />
+ <webflow:flow-location path="/WEB-INF/flows/signin-request.xml" id="signinRequest" />
 <webflow:flow-location path="/WEB-INF/flows/signin-response.xml" id="signinResponse" />
 </webflow:flow-registry>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/31c75529/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
deleted file mode 100644
index d9e8558..0000000
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
+++ /dev/null
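Review bot: The id `signinRequest` now resolves to a flow shared by both protocol families, but the registry gives no hint of that; the new flow-location sits among the saml entries and a reader would assume it is SAML-only. A short comment above the added line, e.g. `<!-- sign-in subflow shared by the wsfed and samlsso validate flows -->`, would document the consolidation at the one place every flow id is declared. The id `signinSAMLRequest` disappears here and saml-validate-request.xml is updated in the same commit; any reference to it in a file outside this diff would fail at flow-registry start-up, so that is worth a quick grep before merging.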
@@ -1,173 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<flow xmlns="http://www.springframework.org/schema/webflow"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="
- http://www.springframework.org/schema/webflow
- http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
-
- <input name="idpConfig" />
- <input name="wfresh" />
- <input name="realm" />
- <input name="home_realm" />
- <input name="protocol" />
- <input name="return_address" />
- <input name="request_context" />
-
- <!-- ===== Home Realm Discovery ===== -->
-
- <decision-state id="processHRDSExpression">
- <on-entry>
- <evaluate expression="processHRDSExpressionAction.submit(flowRequestContext, flowScope.home_realm)"
- result="flowScope.home_realm" />
- </on-entry>
- <if test="flowScope.home_realm == null or flowScope.home_realm.trim().isEmpty()"
- then="provideIDPListForUser" else="checkIsThisIDP" />
- </decision-state>
-
- <decision-state id="provideIDPListForUser">
- <if test="flowScope.idpConfig.trustedIdps == null or idpConfig.trustedIdps.isEmpty()"
- then="checkDefaultToThisIDP" />
- <if test="flowScope.idpConfig.isProvideIdpList() == false"
- then="checkDefaultToThisIDP" else="showIDPList" />
- </decision-state>
-
- <decision-state id="checkDefaultToThisIDP">
- <if test="flowScope.idpConfig.isUseCurrentIdp()" then="homeRealmSignInEntryPoint"
- else="viewBadRequest" />
- </decision-state>
-
- <view-state id="showIDPList" view="idplist" model="trustedIDPSelection">
- <var name="trustedIDPSelection"
- class="org.apache.cxf.fediz.service.idp.model.TrustedIDPSelection" />
- <binder>
- <binding property="home_realm" required="true" />
- </binder>
- <on-entry>
- <set name="requestScope.idPConfig" value="flowScope.idpConfig" />
- </on-entry>
- <transition on="submit" to="checkIsThisIDP" bind="true"
- validate="true">
- <set name="flowScope.home_realm" value="trustedIDPSelection.home_realm" />
- <evaluate
- expression="homeRealmReminder.addCookie(flowRequestContext, flowScope.home_realm)" />
- </transition>
- <transition on="cancel" to="checkDefaultToThisIDP"
- bind="false" validate="false" />
- </view-state>
-
- <!-- Home Realm is known then we can store it in cookie -->
- <decision-state id="checkIsThisIDP">
- <if test="flowScope.idpConfig.realm.equals(flowScope.home_realm)"
- then="homeRealmSignInEntryPoint" else="checkRemoteIdpToken" />
- </decision-state>
-
- <!-- ===== Realm independent ===== -->
-
- <action-state id="validateReturnAddress">
- <evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.return_address)
- and passiveRequestorValidator.isValid(flowRequestContext, flowScope.return_address, flowScope.realm)"/>
- <transition on="yes" to="requestRpToken" />
- <transition on="no" to="viewBadRequest" />
- </action-state>
-
- <!-- ===== Home Realm != this realm ===== -->
-
- <decision-state id="checkRemoteIdpToken">
- <if test="externalContext.sessionMap[flowScope.home_realm] != null"
- then="checkRemoteIdpTokenExpiry" else="redirectToTrustedIDP" />
- </decision-state>
-
- <action-state id="checkRemoteIdpTokenExpiry">
- <evaluate
- expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext) or
- protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm, flowRequestContext)
- or protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext)" />
- <transition on="yes" to="redirectToTrustedIDP" />
- <transition on="no" to="validateReturnAddress" >
- <set name="flowScope.idpToken" value="externalContext.sessionMap[home_realm]" />
- </transition>
- <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
- </action-state>
-
- <!-- ===== Home Realm == this realm ===== -->
-
- <decision-state id="homeRealmSignInEntryPoint">
- <on-entry>
- <!-- Here, home realm is guaranteed to be THIS realm -->
- <set name="flowScope.home_realm" value="flowScope.idpConfig.realm" />
- </on-entry>
- <if test="flowScope.idpConfig.getAuthenticationURIs() == null"
- then="viewBadRequest" />
-
- <!-- check presence of cached IDP token for THIS realm -->
- <if test="externalContext.sessionMap[flowScope.home_realm] == null"
- then="cacheSecurityToken" else="checkLocalIdPTokenExpiry" />
- </decision-state>
-
- <action-state id="checkLocalIdPTokenExpiry">
- <evaluate
- expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext) or
- protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm, flowRequestContext)
- or protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext)" />
- <transition on="yes" to="redirectToLocalIDP" />
- <transition on="no" to="validateReturnAddress">
- <set name="flowScope.idpToken" value="externalContext.sessionMap[home_realm]" />
- </transition>
- <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
- </action-state>
-
- <end-state id="redirectToLocalIDP">
- <on-entry>
- <evaluate expression="logoutAction.submit(flowRequestContext)" />
- </on-entry>
- <output name="wctx" value="flowScope.wctx" />
- <output name="home_realm" value="flowScope.home_realm" />
- </end-state>
-
- <action-state id="cacheSecurityToken">
- <secured attributes="IS_AUTHENTICATED_FULLY" />
- <evaluate expression="cacheSecurityToken.submit(flowRequestContext)" />
- <transition to="validateReturnAddress">
- <set name="flowScope.idpToken" value="externalContext.sessionMap[home_realm]" />
- </transition>
- </action-state>
-
- <!-- ============================================================================================================= -->
-
- <!-- normal exit point -->
- <end-state id="requestRpToken">
- <output name="home_realm" value="flowScope.home_realm" />
- <output name="idpToken" value="flowScope.idpToken" />
- </end-state>
-
- <!-- abnormal exit point : Http 400 Bad Request -->
- <end-state id="viewBadRequest" />
-
- <!-- redirects to requestor idp -->
- <end-state id="redirectToTrustedIDP">
- <on-entry>
- <evaluate expression="signinParametersCacheAction.store(flowRequestContext, protocol)" />
- </on-entry>
- <output name="home_realm" value="flowScope.home_realm" />
- <output name="trusted_idp_context" value="flowScope.trusted_idp_context" />
- </end-state>
-
-</flow>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/31c75529/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
deleted file mode 100644
index c3f6dbe..0000000
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
+++ /dev/null
@@ -1,172 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<flow xmlns="http://www.springframework.org/schema/webflow"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="
- http://www.springframework.org/schema/webflow
- http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
-
- <input name="idpConfig" />
- <input name="saml_authn_request" />
- <input name="realm" />
- <input name="home_realm" />
- <input name="protocol" />
- <input name="return_address" />
- <input name="request_context" />
-
- <!-- ===== Home Realm Discovery ===== -->
-
- <decision-state id="processHRDSExpression">
- <on-entry>
- <evaluate expression="processHRDSExpressionAction.submit(flowRequestContext, flowScope.home_realm)"
- result="flowScope.home_realm" />
- </on-entry>
- <if test="flowScope.home_realm == null or flowScope.home_realm.trim().isEmpty()"
- then="provideIDPListForUser" else="checkIsThisIDP" />
- </decision-state>
-
- <decision-state id="provideIDPListForUser">
- <if test="flowScope.idpConfig.trustedIdps == null or idpConfig.trustedIdps.isEmpty()"
- then="checkDefaultToThisIDP" />
- <if test="flowScope.idpConfig.isProvideIdpList() == false"
- then="checkDefaultToThisIDP" else="showIDPList" />
- </decision-state>
-
- <decision-state id="checkDefaultToThisIDP">
- <if test="flowScope.idpConfig.isUseCurrentIdp()" then="homeRealmSignInEntryPoint"
- else="viewBadRequest" />
- </decision-state>
-
- <view-state id="showIDPList" view="idplist" model="trustedIDPSelection">
- <var name="trustedIDPSelection"
- class="org.apache.cxf.fediz.service.idp.model.TrustedIDPSelection" />
- <binder>
- <binding property="home_realm" required="true" />
- </binder>
- <on-entry>
- <set name="requestScope.idPConfig" value="flowScope.idpConfig" />
- </on-entry>
- <transition on="submit" to="checkIsThisIDP" bind="true"
- validate="true">
- <set name="flowScope.home_realm" value="trustedIDPSelection.home_realm" />
- <evaluate
- expression="homeRealmReminder.addCookie(flowRequestContext, flowScope.home_realm)" />
- </transition>
- <transition on="cancel" to="checkDefaultToThisIDP"
- bind="false" validate="false" />
- </view-state>
-
- <!-- Home Realm is known then we can store it in cookie -->
- <decision-state id="checkIsThisIDP">
- <if test="flowScope.idpConfig.realm.equals(flowScope.home_realm)"
- then="homeRealmSignInEntryPoint" else="checkRemoteIdpToken" />
- </decision-state>
-
- <!-- ===== Realm independent ===== -->
-
- <action-state id="validateReturnAddress">
- <evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.return_address)
- and passiveRequestorValidator.isValid(flowRequestContext, flowScope.return_address, flowScope.realm)"/>
- <transition on="yes" to="requestRpToken" />
- <transition on="no" to="viewBadRequest" />
- </action-state>
-
- <!-- ===== Home Realm != this realm ===== -->
-
- <decision-state id="checkRemoteIdpToken">
- <if test="externalContext.sessionMap[flowScope.home_realm] != null"
- then="checkRemoteIdpTokenExpiry" else="redirectToTrustedIDP" />
- </decision-state>
-
- <action-state id="checkRemoteIdpTokenExpiry">
- <evaluate
- expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext) or
- protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm, flowRequestContext)
- or protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext)" />
- <transition on="yes" to="redirectToTrustedIDP" />
- <transition on="no" to="validateReturnAddress" >
- <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" />
- </transition>
- <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
- </action-state>
-
- <!-- ===== Home Realm == this realm ===== -->
-
- <decision-state id="homeRealmSignInEntryPoint">
- <on-entry>
- <!-- Here, home realm is guaranteed to be THIS realm -->
- <set name="flowScope.home_realm" value="flowScope.idpConfig.realm" />
- </on-entry>
- <if test="flowScope.idpConfig.getAuthenticationURIs() == null"
- then="viewBadRequest" />
-
- <!-- check presence of cached IDP token for THIS realm -->
- <if test="externalContext.sessionMap[flowScope.home_realm] == null"
- then="cacheSecurityToken" else="checkLocalIdPTokenExpiry" />
- </decision-state>
-
- <action-state id="checkLocalIdPTokenExpiry">
- <evaluate
- expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext) or
- protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm, flowRequestContext)
- or protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext)" />
- <transition on="yes" to="redirectToLocalIDP" />
- <transition on="no" to="validateReturnAddress">
- <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" />
- </transition>
- <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
- </action-state>
-
- <end-state id="redirectToLocalIDP">
- <on-entry>
- <evaluate expression="logoutAction.submit(flowRequestContext)" />
- </on-entry>
- <output name="home_realm" value="flowScope.home_realm" />
- </end-state>
-
- <action-state id="cacheSecurityToken">
- <secured attributes="IS_AUTHENTICATED_FULLY" />
- <evaluate expression="cacheSecurityToken.submit(flowRequestContext)" />
- <transition to="validateReturnAddress">
- <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" />
- </transition>
- </action-state>
-
- <!-- ============================================================================================================= -->
-
- <!-- normal exit point -->
- <end-state id="requestRpToken">
- <output name="home_realm" value="flowScope.home_realm" />
- <output name="idpToken" value="flowScope.idpToken" />
- </end-state>
-
- <!-- abnormal exit point -->
- <end-state id="viewBadRequest" />
-
- <!-- redirects to requestor idp -->
- <end-state id="redirectToTrustedIDP">
- <on-entry>
- <evaluate expression="signinParametersCacheAction.store(flowRequestContext, protocol)" />
- </on-entry>
- <output name="home_realm" value="flowScope.home_realm" />
- <output name="trusted_idp_context" value="flowScope.trusted_idp_context" />
- </end-state>
-
-</flow>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/31c75529/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
index 17d6067..e1993b9 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -92,11 +92,11 @@
 <action-state id="retrieveRealm">
 <evaluate expression="authnRequestParser.retrieveRealm(flowRequestContext)" result="flowScope.realm"/>
- <transition to="signinSAMLRequest"/>
+ <transition to="signinRequest"/>
 <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" />
 </action-state>
- <subflow-state id="signinSAMLRequest" subflow="signinSAMLRequest">
+ <subflow-state id="signinRequest" subflow="signinRequest">
 <input name="idpConfig" value="flowScope.idpConfig" />
 <input name="SAMLRequest" value="flowScope.SAMLRequest" />
 <input name="RelayState" value="flowScope.RelayState" />
@@ -105,6 +105,7 @@
 <input name="saml_authn_request" value="flowScope.saml_authn_request" />
 <input name="realm" value="flowScope.realm" />
 <input name="home_realm" value="null" />
+ <input name="wfresh" value="null" />
 <input name="return_address" value="flowScope.consumerURL" />
 <input name="request_context" value="flowScope.request_context" />
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/31c75529/services/idp/src/main/webapp/WEB-INF/flows/signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/signin-request.xml
new file mode 100644
index 0000000..78b149e
--- /dev/null
+++ b/services/idp/src/main/webapp/WEB-INF/flows/signin-request.xml
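Review bot: The new `<input name="wfresh" value="null" />` in the second hunk is passed as a literal null with no explanation, and because the shared subflow only consults `wfresh` behind a `protocol.equals('wsfed')` guard, the value is never read on the SAML path; a reader will otherwise go looking for a SAML equivalent that does not exist. A one-line comment would settle it, e.g. `<!-- wfresh is a WS-Federation parameter only; the shared signin subflow ignores it when protocol is samlsso -->`. The `home_realm` null on the line above deserves the same treatment, since the subflow immediately overwrites it from processHRDSExpressionAction. The subflow-state continues past the end of this hunk, so the `protocol` input that drives the subflow's branching is not visible here; it presumably remains set to samlsso, but that is the line that makes the null inputs safe.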
@@ -0,0 +1,173 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<flow xmlns="http://www.springframework.org/schema/webflow"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/webflow
+ http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
+
+ <input name="idpConfig" />
+ <input name="wfresh" />
+ <input name="saml_authn_request" />
+ <input name="realm" />
+ <input name="home_realm" />
+ <input name="protocol" />
+ <input name="return_address" />
+ <input name="request_context" />
+
+ <!-- ===== Home Realm Discovery ===== -->
+
+ <decision-state id="processHRDSExpression">
+ <on-entry>
+ <evaluate expression="processHRDSExpressionAction.submit(flowRequestContext, flowScope.home_realm)"
+ result="flowScope.home_realm" />
+ </on-entry>
+ <if test="flowScope.home_realm == null or flowScope.home_realm.trim().isEmpty()"
+ then="provideIDPListForUser" else="checkIsThisIDP" />
+ </decision-state>
+
+ <decision-state id="provideIDPListForUser">
+ <if test="flowScope.idpConfig.trustedIdps == null or idpConfig.trustedIdps.isEmpty()"
+ then="checkDefaultToThisIDP" />
+ <if test="flowScope.idpConfig.isProvideIdpList() == false"
+ then="checkDefaultToThisIDP" else="showIDPList" />
+ </decision-state>
+
+ <decision-state id="checkDefaultToThisIDP">
+ <if test="flowScope.idpConfig.isUseCurrentIdp()" then="homeRealmSignInEntryPoint"
+ else="viewBadRequest" />
+ </decision-state>
+
+ <view-state id="showIDPList" view="idplist" model="trustedIDPSelection">
+ <var name="trustedIDPSelection"
+ class="org.apache.cxf.fediz.service.idp.model.TrustedIDPSelection" />
+ <binder>
+ <binding property="home_realm" required="true" />
+ </binder>
+ <on-entry>
+ <set name="requestScope.idPConfig" value="flowScope.idpConfig" />
+ </on-entry>
+ <transition on="submit" to="checkIsThisIDP" bind="true"
+ validate="true">
+ <set name="flowScope.home_realm" value="trustedIDPSelection.home_realm" />
+ <evaluate
+ expression="homeRealmReminder.addCookie(flowRequestContext, flowScope.home_realm)" />
+ </transition>
+ <transition on="cancel" to="checkDefaultToThisIDP"
+ bind="false" validate="false" />
+ </view-state>
+
+ <!-- Home Realm is known then we can store it in cookie -->
+ <decision-state id="checkIsThisIDP">
+ <if test="flowScope.idpConfig.realm.equals(flowScope.home_realm)"
+ then="homeRealmSignInEntryPoint" else="checkRemoteIdpToken" />
+ </decision-state>
+
+ <!-- ===== Realm independent ===== -->
+
+ <action-state id="validateReturnAddress">
+ <evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.return_address)
+ and passiveRequestorValidator.isValid(flowRequestContext, flowScope.return_address, flowScope.realm)"/>
+ <transition on="yes" to="requestRpToken" />
+ <transition on="no" to="viewBadRequest" />
+ </action-state>
+
+ <!-- ===== Home Realm != this realm ===== -->
+
+ <decision-state id="checkRemoteIdpToken">
+ <if test="externalContext.sessionMap[flowScope.home_realm] != null"
+ then="checkRemoteIdpTokenExpiry" else="redirectToTrustedIDP" />
+ </decision-state>
+
+ <action-state id="checkRemoteIdpTokenExpiry">
+ <evaluate
+ expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext) or
+ protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm, flowRequestContext)
+ or protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext)" />
+ <transition on="yes" to="redirectToTrustedIDP" />
+ <transition on="no" to="validateReturnAddress" >
+ <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" />
+ </transition>
+ <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
+ </action-state>
+
+ <!-- ===== Home Realm == this realm ===== -->
+
+ <decision-state id="homeRealmSignInEntryPoint">
+ <on-entry>
+ <!-- Here, home realm is guaranteed to be THIS realm -->
+ <set name="flowScope.home_realm" value="flowScope.idpConfig.realm" />
+ </on-entry>
+ <if test="flowScope.idpConfig.getAuthenticationURIs() == null"
+ then="viewBadRequest" />
+
+ <!-- check presence of cached IDP token for THIS realm -->
+ <if test="externalContext.sessionMap[flowScope.home_realm] == null"
+ then="cacheSecurityToken" else="checkLocalIdPTokenExpiry" />
+ </decision-state>
+
+ <action-state id="checkLocalIdPTokenExpiry">
+ <evaluate
+ expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext) or
+ protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm, flowRequestContext)
+ or protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext)" />
+ <transition on="yes" to="redirectToLocalIDP" />
+ <transition on="no" to="validateReturnAddress">
+ <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" />
+ </transition>
+ <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
+ </action-state>
+
+ <end-state id="redirectToLocalIDP">
+ <on-entry>
+ <evaluate expression="logoutAction.submit(flowRequestContext)" />
+ </on-entry>
+ <output name="home_realm" value="flowScope.home_realm" />
+ </end-state>
+
+ <action-state id="cacheSecurityToken">
+ <secured attributes="IS_AUTHENTICATED_FULLY" />
+ <evaluate expression="cacheSecurityToken.submit(flowRequestContext)" />
+ <transition to="validateReturnAddress">
+ <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" />
+ </transition>
+ </action-state>
+
+ <!-- ============================================================================================================= -->
+
+ <!-- normal exit point -->
+ <end-state id="requestRpToken">
+ <output name="home_realm" value="flowScope.home_realm" />
+ <output name="idpToken" value="flowScope.idpToken" />
+ </end-state>
+
+ <!-- abnormal exit point -->
+ <end-state id="viewBadRequest" />
+
+ <!-- redirects to requestor idp -->
+ <end-state id="redirectToTrustedIDP">
+ <on-entry>
+ <evaluate expression="signinParametersCacheAction.store(flowRequestContext, protocol)" />
+ </on-entry>
+ <output name="home_realm" value="flowScope.home_realm" />
+ <output name="trusted_idp_context" value="flowScope.trusted_idp_context" />
+ </end-state>
+
+</flow>
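Review bot: The `redirectToLocalIDP` end-state drops the `<output name="wctx" value="flowScope.wctx" />` that the deleted federation-signin-request.xml declared, so a WS-Federation caller that maps that output from this subflow now gets nothing back. This flow never sets `flowScope.wctx` and does not take it as an input, so the output was presumably always null and the removal is harmless, but federation-validate-request.xml is not part of this diff and its subflow-state output mappings should be checked before relying on that. The file header also says nothing about what was merged; a comment after the license block such as `<!-- Sign-in subflow shared by the wsfed and samlsso protocols: the protocol input selects the freshness check (wfreshParser for wsfed, authnRequestParser.isForceAuthentication for samlsso), so the other protocol's input may be null -->` would make the two protocol-specific inputs self-explanatory. Minor style point: `provideIDPListForUser` mixes `flowScope.idpConfig.trustedIdps` with the unqualified `idpConfig.trustedIdps` in a single test; qualifying both keeps it consistent with every other expression in the flow. Note also that `checkRemoteIdpToken` reaches `redirectToTrustedIDP` without passing through `validateReturnAddress`, so `return_address` is cached by `signinParametersCacheAction` before it has been validated; this is inherited from both deleted flows, but it is worth confirming that the response flow validates it when the request resumes.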
