package org.forgerock.openam.authentication.modules.saml2;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.AuthContext;
import com.sun.identity.authentication.client.AuthClientUtils;
import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.spi.AuthenticationException;
import com.sun.identity.authentication.spi.RedirectCallback;
import com.sun.identity.common.DNUtils;
import com.sun.identity.saml2.assertion.Assertion;
import com.sun.identity.saml2.assertion.EncryptedID;
import com.sun.identity.saml2.assertion.NameID;
import com.sun.identity.saml2.assertion.Subject;
import com.sun.identity.saml2.common.AccountUtils;
import com.sun.identity.saml2.common.NameIDInfo;
import com.sun.identity.saml2.common.NameIDInfoKey;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.common.SAML2FailoverUtils;
import com.sun.identity.saml2.common.SAML2Utils;
import com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement;
import com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement;
import com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement;
import com.sun.identity.saml2.jaxb.metadata.SingleSignOnServiceElement;
import com.sun.identity.saml2.key.KeyUtil;
import com.sun.identity.saml2.meta.SAML2MetaException;
import com.sun.identity.saml2.meta.SAML2MetaManager;
import com.sun.identity.saml2.plugins.DefaultLibrarySPAccountMapper;
import com.sun.identity.saml2.plugins.SAML2PluginsUtils;
import com.sun.identity.saml2.profile.AuthnRequestInfo;
import com.sun.identity.saml2.profile.AuthnRequestInfoCopy;
import com.sun.identity.saml2.profile.ResponseInfo;
import com.sun.identity.saml2.profile.SPACSUtils;
import com.sun.identity.saml2.profile.SPCache;
import com.sun.identity.saml2.profile.SPSSOFederate;
import com.sun.identity.saml2.protocol.AuthnRequest;
import com.sun.identity.shared.datastruct.CollectionHelper;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.shared.encode.CookieUtils;
import com.sun.identity.shared.encode.URLEncDec;
import com.sun.identity.shared.locale.L10NMessageImpl;
import com.sun.identity.sm.DNMapper;
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.ResourceBundle;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.security.auth.callback.Callback;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.forgerock.guice.core.InjectorHolder;
import org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException;
import org.forgerock.openam.saml2.SAML2Store;
import org.forgerock.openam.utils.JsonValueBuilder;
import org.forgerock.openam.utils.StringUtils;
import org.forgerock.openam.utils.Time;
import org.forgerock.openam.xui.XUIState;

/* loaded from: input_file:org/forgerock/openam/authentication/modules/saml2/SAML2.class */
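/**
 * Authentication module that logs a user in via a remote SAML2 Identity Provider.
 *
 * <p>The flow driven by {@link #process(Callback[], int)} is:
 * <ol>
 *   <li>state 1 - build and sign/encode an AuthnRequest and redirect the browser to the IdP's
 *       SingleSignOnService (POST or Redirect binding);</li>
 *   <li>state 2 - the browser comes back via the SAML2 proxy / assertion consumer with a storage key;
 *       the already-verified response data is looked up under that key and either mapped straight to
 *       a local user, or a local authentication chain is started to link the federated identity;</li>
 *   <li>state 3 - callbacks of the local chain are proxied to the user until it completes, then the
 *       local account is linked to the IdP NameID and the session is populated.</li>
 * </ol>
 * State 4 is the error page; {@code -1} signals success to the framework.
 *
 * <p>Note that no SAML signature/condition verification happens here: this module consumes
 * {@link SAML2ResponseData} already placed in the SAML2 store (or failover repository) by the
 * assertion consumer, keyed by an opaque storage key carried on the return request.
 */
public class SAML2 extends AMLoginModule {
    /** Separator used when several attribute values are flattened into one session property. */
    private static final String PROPERTY_VALUES_SEPARATOR = "|";
    /** Entity ID of the remote IdP (module option). */
    private String entityName;
    /** Meta alias of the local SP (module option). */
    private String metaAlias;
    /** Binding used to send the AuthnRequest; defaults to the IdP endpoint's binding when unset. */
    private String reqBinding;
    /** Binding the IdP is asked to use for the Response (module option). */
    private String binding;
    /** Local authentication chain used to link an unknown federated user, may be blank. */
    private String localChain;
    private String sloRelayState;
    private boolean singleLogoutEnabled;
    private String nameIDFormat;
    /** Assertion and subject recovered from the stored response data in state 2. */
    private Assertion authnAssertion;
    private Subject assertionSubject;
    private Principal principal;
    /** Non-null only while a local linking chain is in progress (forces state 3). */
    private AuthContext authenticationContext;
    private String realm;
    private String sessionIndex;
    private boolean isTransient;
    private ResponseInfo respInfo;
    /** Opaque key under which the assertion consumer stored the response data. */
    private String storageKey;
    private AuthnRequest authnRequest;
    private SAML2MetaManager metaManager;
    private static final String BUNDLE_NAME = "amAuthSAML2";
    private static final Debug DEBUG = Debug.getInstance(BUNDLE_NAME);
    /** Module options translated to AuthnRequest parameters (see {@code Constants.OPTIONS_MAP}). */
    private Map<String, List<String>> params = new HashMap();
    /** Number of callbacks injected into state 3 on the previous round, so stale ones can be blanked. */
    private int previousLength = 0;
    private ResourceBundle bundle = null;

    /**
     * Reads the module configuration.
     *
     * @param subject JAAS subject (unused here).
     * @param map shared state (unused here).
     * @param map2 module options keyed by the {@code forgerock-am-auth-saml2-*} attribute names.
     */
    public void init(javax.security.auth.Subject subject, Map map, Map map2) {
        for (Object obj : map2.keySet()) {
            String str = (String) obj;
            if (Constants.OPTIONS_MAP.containsKey(str) && CollectionHelper.getMapAttr(map2, str) != null) {
                if (((String) obj).equalsIgnoreCase("forgerock-am-auth-saml2-binding")) {
                    // Only the last URN segment of the binding (e.g. "HTTP-POST") is passed on as a request param.
                    String mapAttr = CollectionHelper.getMapAttr(map2, str);
                    this.params.put(Constants.OPTIONS_MAP.get(str), Collections.singletonList(mapAttr.substring(mapAttr.lastIndexOf(":") + 1)));
                } else {
                    this.params.put(Constants.OPTIONS_MAP.get(str), Collections.singletonList(CollectionHelper.getMapAttr(map2, str)));
                }
            }
        }
        this.nameIDFormat = CollectionHelper.getMapAttr(map2, "forgerock-am-auth-saml2-name-id-format");
        this.entityName = CollectionHelper.getMapAttr(map2, "forgerock-am-auth-saml2-entity-name");
        this.metaAlias = CollectionHelper.getMapAttr(map2, "forgerock-am-auth-saml2-meta-alias");
        this.reqBinding = CollectionHelper.getMapAttr(map2, "forgerock-am-auth-saml2-req-binding");
        this.binding = CollectionHelper.getMapAttr(map2, "forgerock-am-auth-saml2-binding");
        this.localChain = CollectionHelper.getMapAttr(map2, "forgerock-am-auth-saml2-login-chain");
        this.singleLogoutEnabled = CollectionHelper.getBooleanMapAttr(map2, "forgerock-am-auth-saml2-slo-enabled", false);
        this.sloRelayState = CollectionHelper.getMapAttr(map2, "forgerock-am-auth-saml2-slo-relay");
        this.metaManager = SAML2Utils.getSAML2MetaManager();
        this.realm = DNMapper.orgNameToRealmName(getRequestOrg());
        this.bundle = amCache.getResBundle(BUNDLE_NAME, getLoginLocale());
        String mapAttr2 = CollectionHelper.getMapAttr(map2, "forgerock-am-auth-saml2-auth-level");
        if (mapAttr2 != null) {
            try {
                setAuthLevel(Integer.parseInt(mapAttr2));
            } catch (Exception e) {
                // A bad auth level is logged but does not stop the module from loading.
                DEBUG.error("SAML2 :: init() : Unable to set auth level {}", new Object[]{mapAttr2, e});
            }
        }
    }

    /**
     * State machine entry point.
     *
     * @param callbackArr callbacks submitted by the user for the current state.
     * @param i current login state (1 = start, 2 = returned from IdP, 3 = local chain in progress).
     * @return the next state, or {@code -1} on success; state 4 for any handled error.
     * @throws LoginException on unrecoverable framework errors.
     */
    public int process(Callback[] callbackArr, int i) throws LoginException {
        HttpServletRequest httpServletRequest = getHttpServletRequest();
        HttpServletResponse httpServletResponse = getHttpServletResponse();
        if (null == httpServletRequest) {
            return processError(this.bundle.getString("samlNullRequest"), "SAML2 :: process() : Http Request is null - programmatic login is not supported.", new Object[0]);
        }
        try {
            String entityByMetaAlias = this.metaManager.getEntityByMetaAlias(this.metaAlias);
            // Once a local chain has been started every subsequent submission belongs to it.
            if (this.authenticationContext != null) {
                i = 3;
            }
            switch (i) {
                case 1:
                    return initiateSAMLLoginAtIDP(httpServletResponse, httpServletRequest);
                case 2:
                    return handleReturnFromRedirect(i, httpServletRequest, entityByMetaAlias, httpServletResponse);
                case 3:
                    return stepLogin(callbackArr, i);
                default:
                    return processError(this.bundle.getString("invalidLoginState"), "Unrecognised login state: {}", Integer.valueOf(i));
            }
        } catch (SAML2Exception e) {
            return processError(e, null, "SAML2 :: process() : Authentication Error", new Object[0]);
        }
    }

    /**
     * Builds the AuthnRequest, caches it (locally and, if enabled, in the failover store) and
     * replaces the state-2 redirect callback with one pointing at the IdP's SSO endpoint.
     *
     * @return state 2, the state in which the browser returns from the IdP.
     * @throws SAML2Exception if no usable SSO endpoint/binding is found or the request cannot be saved.
     */
    private int initiateSAMLLoginAtIDP(HttpServletResponse httpServletResponse, HttpServletRequest httpServletRequest) throws SAML2Exception, AuthLoginException {
        String sPEntityId = SPSSOFederate.getSPEntityId(this.metaAlias);
        IDPSSODescriptorElement iDPSSOForAuthnReq = SPSSOFederate.getIDPSSOForAuthnReq(this.realm, this.entityName);
        SPSSODescriptorElement sPSSOForAuthnReq = SPSSOFederate.getSPSSOForAuthnReq(this.realm, sPEntityId);
        if (iDPSSOForAuthnReq == null || sPSSOForAuthnReq == null) {
            return processError(this.bundle.getString("samlLocalConfigFailed"), "SAML2 :: initiateSAMLLoginAtIDP() : {}", this.bundle.getString("samlLocalConfigFailed"));
        }
        SingleSignOnServiceElement singleSignOnServiceEndpoint = SPSSOFederate.getSingleSignOnServiceEndpoint(iDPSSOForAuthnReq.getSingleSignOnService(), this.reqBinding);
        if (singleSignOnServiceEndpoint == null || StringUtils.isEmpty(singleSignOnServiceEndpoint.getLocation())) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("ssoServiceNotfound"));
        }
        if (this.reqBinding == null) {
            // No binding configured: adopt whatever the IdP metadata advertises for the chosen endpoint.
            SAML2Utils.debug.message("SAML2 :: initiateSAMLLoginAtIDP() reqBinding is null using endpoint  binding: {}", new Object[]{singleSignOnServiceEndpoint.getBinding()});
            this.reqBinding = singleSignOnServiceEndpoint.getBinding();
            if (this.reqBinding == null) {
                throw new SAML2Exception(SAML2Utils.bundle.getString("UnableTofindBinding"));
            }
        }
        String location = singleSignOnServiceEndpoint.getLocation();
        SAML2Utils.debug.message("SAML2 :: initiateSAMLLoginAtIDP()  ssoURL : {}", new Object[]{location});
        List extensionsList = SPSSOFederate.getExtensionsList(sPEntityId, this.realm);
        Map attrsMapForAuthnReq = SPSSOFederate.getAttrsMapForAuthnReq(this.realm, sPEntityId);
        this.authnRequest = SPSSOFederate.createAuthnRequest(httpServletRequest, httpServletResponse, this.realm, sPEntityId, this.entityName, this.params, attrsMapForAuthnReq, extensionsList, sPSSOForAuthnReq, iDPSSOForAuthnReq, location, false);
        AuthnRequestInfo authnRequestInfo = new AuthnRequestInfo(httpServletRequest, httpServletResponse, this.realm, sPEntityId, (String) null, this.authnRequest, (String) null, this.params);
        // Keyed by request ID so the consumer can match the Response's InResponseTo against it.
        synchronized (SPCache.requestHash) {
            SPCache.requestHash.put(this.authnRequest.getID(), authnRequestInfo);
        }
        saveAuthnRequest(this.authnRequest, authnRequestInfo);
        RedirectCallback redirectCallback = (RedirectCallback) getCallback(2)[0];
        setCookiesForRedirects(httpServletRequest, httpServletResponse);
        if ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".equals(this.reqBinding)) {
            configurePostRedirectCallback(SPSSOFederate.getPostBindingMsg(iDPSSOForAuthnReq, sPSSOForAuthnReq, attrsMapForAuthnReq, this.authnRequest), location, redirectCallback);
            return 2;
        }
        configureGetRedirectCallback(SPSSOFederate.getRedirect(this.authnRequest.toXMLString(true, true), (String) null, location, iDPSSOForAuthnReq, sPSSOForAuthnReq, attrsMapForAuthnReq), redirectCallback);
        return 2;
    }

    /**
     * Persists a copy of the AuthnRequest info under its request ID, either in the local SAML2 store
     * or - when failover is enabled - in the shared token repository with an expiry.
     *
     * @throws SAML2Exception if the failover repository rejects the write.
     */
    private void saveAuthnRequest(AuthnRequest authnRequest, AuthnRequestInfo authnRequestInfo) throws SAML2Exception {
        long seconds = TimeUnit.MILLISECONDS.toSeconds(Time.currentTimeMillis()) + SPCache.interval;
        String id = authnRequest.getID();
        if (!SAML2FailoverUtils.isSAML2FailoverEnabled()) {
            SAML2Store.saveTokenWithKey(id, new AuthnRequestInfoCopy(authnRequestInfo));
            DEBUG.message("SAML2.saveAuthnRequestIfFailoverDisabled : SAVE AuthnRequestInfoCopy for requestID {}", new Object[]{id});
            return;
        }
        try {
            SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(id, new AuthnRequestInfoCopy(authnRequestInfo), seconds);
            DEBUG.message("SAML2.saveAuthnRequestIfFailoverEnabled : SAVE AuthnRequestInfoCopy for requestID {}", new Object[]{id});
        } catch (SAML2TokenRepositoryException e) {
            DEBUG.error("SAML2.saveAuthnRequestIfFailoverEnabled : There was a problem saving the AuthnRequestInfoCopy in the SAML2 Token Repository for requestID {}", new Object[]{id, e});
            throw new SAML2Exception(BUNDLE_NAME, SAML2Proxy.SAML_FAILOVER_DISABLED_ERROR, (Object[]) null);
        }
    }

    /**
     * Handles the browser's return from the IdP (state 2).
     *
     * <p>The request carries either an error flag or a storage key (plain parameter or inside
     * {@code jsonContent}). The key is only used as a lookup into the SAML2 store/failover repository;
     * an unknown key simply yields "response data not found".
     *
     * @param str the local SP entity ID resolved from the meta alias.
     * @return {@code -1} if the assertion maps to an existing user, state 3 if a local linking chain was
     *         started, state 4 on error.
     */
    private int handleReturnFromRedirect(int i, HttpServletRequest httpServletRequest, String str, HttpServletResponse httpServletResponse) throws AuthLoginException {
        removeCookiesForRedirects(httpServletRequest, httpServletResponse);
        if (Boolean.parseBoolean(httpServletRequest.getParameter(SAML2Proxy.ERROR_PARAM_KEY))) {
            return handleRedirectError(httpServletRequest);
        }
        // NOTE(review): jsonContent is caller-supplied; a malformed document presumably makes
        // JsonValueBuilder throw an unchecked exception out of the module - confirm how the framework reports that.
        String asString = httpServletRequest.getParameter("jsonContent") != null ? JsonValueBuilder.toJsonValue(httpServletRequest.getParameter("jsonContent")).get(SAML2Proxy.RESPONSE_KEY).asString() : httpServletRequest.getParameter(SAML2Proxy.RESPONSE_KEY);
        SAML2ResponseData sAML2ResponseData = null;
        if (!StringUtils.isBlank(asString)) {
            sAML2ResponseData = (SAML2ResponseData) SAML2Store.getTokenFromStore(asString);
            if (sAML2ResponseData == null && SAML2FailoverUtils.isSAML2FailoverEnabled()) {
                try {
                    sAML2ResponseData = (SAML2ResponseData) SAML2FailoverUtils.retrieveSAML2Token(asString);
                } catch (SAML2TokenRepositoryException e) {
                    return processError(this.bundle.getString("samlFailoverError"), "SAML2.handleReturnFromRedirect : Error reading from failover map.", e);
                }
            }
        }
        if (sAML2ResponseData == null) {
            return processError(this.bundle.getString("localLinkError"), "SAML2 :: handleReturnFromRedirect() : Unable to perform local linking - response data not found", new Object[0]);
        }
        this.storageKey = asString;
        this.assertionSubject = sAML2ResponseData.getSubject();
        this.authnAssertion = sAML2ResponseData.getAssertion();
        this.sessionIndex = sAML2ResponseData.getSessionIndex();
        this.respInfo = sAML2ResponseData.getResponseInfo();
        try {
            String principalWithoutLogin = SPACSUtils.getPrincipalWithoutLogin(this.assertionSubject, this.authnAssertion, this.realm, str, this.metaManager, this.entityName, this.storageKey);
            if (SAML2PluginsUtils.isDynamicProfile(this.realm)) {
                String sPEntityId = SPSSOFederate.getSPEntityId(this.metaAlias);
                if (shouldPersistNameID(sPEntityId)) {
                    setUserAttributes(AccountUtils.convertToAttributes(new NameIDInfo(sPEntityId, this.entityName, getNameId(), "SPRole", false), (NameIDInfoKey) null));
                }
            }
            if (principalWithoutLogin != null) {
                this.principal = new SAML2Principal(principalWithoutLogin);
                return success(this.authnAssertion, getNameId(), principalWithoutLogin);
            }
            // Unknown federated user: only a configured local chain can link it to an account.
            if (StringUtils.isBlank(this.localChain)) {
                return processError(this.bundle.getString("localLinkError"), "SAML2 :: handleReturnFromRedirect() : Unable to perform local linking - local auth chain not found.", new Object[0]);
            }
            this.authenticationContext = new AuthContext(this.realm);
            this.authenticationContext.setLocale(getLoginLocale());
            this.authenticationContext.login(AuthContext.IndexType.SERVICE, this.localChain, (String[]) null, (Map) null, (HttpServletRequest) null, (HttpServletResponse) null);
            return injectCallbacks(null, i);
        } catch (SAML2Exception e2) {
            return processError(e2, null, "SAML2.handleReturnFromRedirect : Unable to perform user lookup.", new Object[0]);
        }
    }

    /**
     * Maps an error forwarded by the assertion consumer (as request parameters) to the error state.
     *
     * <p>Both the error code and the message are request parameters and therefore caller-controlled.
     * An unknown error code must not take the module down with a {@code MissingResourceException}, so
     * the bundle lookup is guarded and falls back to the generic verification error.
     */
    private int handleRedirectError(HttpServletRequest httpServletRequest) throws AuthLoginException {
        String parameter = httpServletRequest.getParameter(SAML2Proxy.ERROR_CODE_PARAM_KEY);
        String parameter2 = httpServletRequest.getParameter(SAML2Proxy.ERROR_MESSAGE_PARAM_KEY);
        String logMessage = "SAML2 :: handleReturnFromRedirect() : error forwarded from saml2AuthAssertionConsumer.jsp.  Error code - {}. Error message - {}";
        if (StringUtils.isNotEmpty(parameter2)) {
            // NOTE(review): the forwarded message is placed verbatim into the login page header. Anyone can
            // hit this URL with an arbitrary message, so the rendering layer must HTML-escape the header - confirm.
            return processError(parameter2, logMessage, String.valueOf(parameter), String.valueOf(parameter2));
        }
        if (StringUtils.isNotEmpty(parameter)) {
            String header = this.bundle.containsKey(parameter)
                    ? this.bundle.getString(parameter)
                    : this.bundle.getString(SAML2Proxy.SAML_VERIFY_RESPONSE_ERROR);
            return processError(header, logMessage, parameter, parameter2);
        }
        return processError(this.bundle.getString(SAML2Proxy.SAML_VERIFY_RESPONSE_ERROR), logMessage, parameter, parameter2);
    }

    /**
     * Installs a POST-binding redirect callback carrying the encoded {@code SAMLRequest} form field.
     *
     * @param str the base64 encoded AuthnRequest.
     * @param str2 the IdP SSO endpoint URL.
     * @param redirectCallback the template callback whose status parameter and cookie name are reused.
     */
    private void configurePostRedirectCallback(String str, String str2, RedirectCallback redirectCallback) throws AuthLoginException {
        HashMap hashMap = new HashMap();
        hashMap.put("SAMLRequest", str);
        RedirectCallback redirectCallback2 = new RedirectCallback(str2, hashMap, "POST", redirectCallback.getStatusParameter(), redirectCallback.getRedirectBackUrlCookieName());
        redirectCallback2.setTrackingCookie(true);
        replaceCallback(2, 0, redirectCallback2);
    }

    /**
     * Installs a GET (HTTP-Redirect binding) callback pointing at the fully built redirect URL.
     *
     * @param str the complete redirect URL including the deflated/encoded AuthnRequest.
     */
    private void configureGetRedirectCallback(String str, RedirectCallback redirectCallback) throws AuthLoginException {
        RedirectCallback redirectCallback2 = new RedirectCallback(str, (Map) null, "GET", redirectCallback.getStatusParameter(), redirectCallback.getRedirectBackUrlCookieName());
        // Reads and writes the same value; kept as found in the decompiled source.
        redirectCallback2.setRedirectData(redirectCallback2.getRedirectData());
        redirectCallback2.setTrackingCookie(true);
        replaceCallback(2, 0, redirectCallback2);
    }

    /**
     * Drops an {@code authenticationStep} cookie on every cookie domain for this request so the
     * browser can be sent back to this login step after the IdP round trip. The value is the
     * context path (XUI) or request URI plus the realm and original query string.
     * Cookie flags are whatever {@code CookieUtils.newCookie} applies; none are set here.
     */
    private void setCookiesForRedirects(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Set cookieDomainsForRequest = AuthClientUtils.getCookieDomainsForRequest(httpServletRequest);
        StringBuilder sb = new StringBuilder();
        String queryString = httpServletRequest.getQueryString();
        if (((XUIState) InjectorHolder.getInstance(XUIState.class)).isXUIEnabled()) {
            sb.append(httpServletRequest.getContextPath());
        } else {
            sb.append(httpServletRequest.getRequestURI());
        }
        if (StringUtils.isNotEmpty(this.realm)) {
            sb.append("?realm=").append(URLEncDec.encode(this.realm));
        }
        if (queryString != null) {
            sb.append(sb.indexOf("?") == -1 ? '?' : '&');
            sb.append(queryString);
        }
        Iterator it = cookieDomainsForRequest.iterator();
        while (it.hasNext()) {
            CookieUtils.addCookieToResponse(httpServletResponse, CookieUtils.newCookie("authenticationStep", sb.toString(), "/", (String) it.next()));
        }
    }

    /** Expires the {@code authenticationStep} cookie (max-age 0) on every cookie domain. */
    private void removeCookiesForRedirects(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Iterator it = AuthClientUtils.getCookieDomainsForRequest(httpServletRequest).iterator();
        while (it.hasNext()) {
            CookieUtils.addCookieToResponse(httpServletResponse, CookieUtils.newCookie("authenticationStep", "", 0, "/", (String) it.next()));
        }
    }

    /**
     * Advances the local linking chain (state 3). When the chain has succeeded, the authenticated
     * local user is linked to the IdP NameID and the session is finalised; the helper context is
     * logged out afterwards on every path that reached it.
     *
     * @param callbackArr callbacks submitted for the chain, or {@code null} when just polling.
     * @return state 3 while the chain has more requirements, {@code -1} on success, state 4 on error.
     */
    private int stepLogin(Callback[] callbackArr, int i) throws AuthLoginException {
        if (this.authenticationContext == null || this.authenticationContext.getStatus().equals(AuthContext.Status.FAILED)) {
            return processError(this.bundle.getString("samlLocalAuthFailed"), "SAML2 :: process() : failed to perform local authentication - {} ", this.bundle.getString("samlLocalAuthFailed"));
        }
        if (this.authenticationContext.getStatus().equals(AuthContext.Status.IN_PROGRESS)) {
            return injectCallbacks(callbackArr, i);
        }
        try {
            if (!this.authenticationContext.getStatus().equals(AuthContext.Status.SUCCESS)) {
                return processError(this.bundle.getString("invalidLoginState"), "SAML2 :: stepLogin() : unexpected login state", new Object[0]);
            }
            try {
                NameID nameId = getNameId();
                // The universal ID of the locally authenticated user becomes the SAML2 principal.
                String property = this.authenticationContext.getSSOToken().getProperty("sun.am.UniversalIdentifier");
                linkAccount(property, nameId);
                int success = success(this.authnAssertion, nameId, property);
                this.authenticationContext.logout();
                return success;
            } catch (L10NMessageImpl e) {
                int processError = processError(e, null, "SAML2 :: process() : failed to perform local authentication - {} ", e.getL10NMessage(getLoginLocale()));
                this.authenticationContext.logout();
                return processError;
            }
        } catch (Throwable th) {
            this.authenticationContext.logout();
            throw th;
        }
    }

    /**
     * Finalises a successful login: populates session properties and attributes and stores the
     * principal name for the framework.
     *
     * @return {@code -1}, the framework's success state.
     */
    private int success(Assertion assertion, NameID nameID, String str) throws AuthLoginException, SAML2Exception {
        setSessionProperties(assertion, nameID, str);
        setSessionAttributes(assertion, str);
        DEBUG.message("SAML2 :: User Authenticated via SAML2 - {}", new Object[]{getPrincipal().getName()});
        storeUsernamePasswd(DNUtils.DNtoName(getPrincipal().getName()), null);
        return -1;
    }

    /** Caches the AuthnRequest under the storage key and copies assertion attributes to the session. */
    private void setSessionAttributes(Assertion assertion, String str) throws AuthLoginException, SAML2Exception {
        synchronized (SPCache.authnRequestHash) {
            SPCache.authnRequestHash.put(this.storageKey, this.authnRequest);
        }
        linkAttributeValues(assertion, str);
    }

    /**
     * Submits the user's callbacks (if any) to the local chain and either proxies its next set of
     * requirements to the user or finishes the module.
     */
    private int injectCallbacks(Callback[] callbackArr, int i) throws AuthLoginException {
        if (!this.authenticationContext.hasMoreRequirements()) {
            return processError(this.bundle.getString("invalidLoginState"), "SAML2 :: injectCallbacks() : Authentication Module - invalid login state", new Object[0]);
        }
        if (callbackArr != null) {
            this.authenticationContext.submitRequirements(callbackArr);
        }
        return this.authenticationContext.hasMoreRequirements() ? injectAndReturn(i) : finishLoginModule(i);
    }

    /**
     * Copies the local chain's outstanding callbacks into state 3's callback slots.
     *
     * <p>Empty requirement sets are auto-submitted in a loop. At most 10 callbacks can be proxied
     * (the size of the state-3 template); more than that is treated as a local authentication failure.
     * Slots used on the previous round are blanked with {@code Constants.DEFAULT_CALLBACK} first.
     */
    private int injectAndReturn(int i) throws AuthLoginException {
        Callback[] requirements = this.authenticationContext.getRequirements();
        while (true) {
            Callback[] callbackArr = requirements;
            if (callbackArr.length != 0) {
                replaceHeader(3, this.authenticationContext.getAuthContextLocal().getLoginState().getReceivedInfo()[0].getHeader());
                if (callbackArr.length > 10) {
                    return processError(this.bundle.getString("samlLocalAuthFailed"), "SAML2 :: injectAndReturn() : Local authentication failed", new Object[0]);
                }
                if (this.previousLength > 0) {
                    for (int i2 = 0; i2 < this.previousLength; i2++) {
                        replaceCallback(3, i2, Constants.DEFAULT_CALLBACK);
                    }
                }
                for (int i3 = 0; i3 < callbackArr.length; i3++) {
                    replaceCallback(3, i3, callbackArr[i3]);
                }
                this.previousLength = callbackArr.length;
                return 3;
            }
            this.authenticationContext.submitRequirements(callbackArr);
            if (!this.authenticationContext.hasMoreRequirements()) {
                return finishLoginModule(i);
            }
            requirements = this.authenticationContext.getRequirements();
        }
    }

    /** Called when the chain reports no more requirements; a still-in-progress status is an error. */
    private int finishLoginModule(int i) throws AuthLoginException {
        return this.authenticationContext.getStatus().equals(AuthContext.Status.IN_PROGRESS) ? processError(this.bundle.getString("invalidLoginState"), "SAML2 :: injectCallbacks() : Authentication Module - invalid login state", new Object[0]) : stepLogin(null, i);
    }

    /**
     * Returns the subject's NameID, decrypting an EncryptedID with the SP's decryption keys when present.
     *
     * @throws SAML2Exception if the SP config cannot be read or decryption fails.
     */
    private NameID getNameId() throws SAML2Exception, AuthLoginException {
        EncryptedID encryptedID = this.assertionSubject.getEncryptedID();
        Set decryptionKeys = KeyUtil.getDecryptionKeys(this.metaManager.getSPSSOConfig(this.realm, this.metaManager.getEntityByMetaAlias(this.metaAlias)));
        NameID nameID = this.assertionSubject.getNameID();
        if (encryptedID != null) {
            nameID = encryptedID.decrypt(decryptionKeys);
        }
        return nameID;
    }

    /**
     * Records the federation context (IdP/SP entity IDs, bindings, NameID XML, session index, the
     * AuthnRequest ID the Response answered, the storage key) on the user's session, mainly for
     * single logout.
     */
    private void setSessionProperties(Assertion assertion, NameID nameID, String str) throws AuthLoginException, SAML2Exception {
        setUserSessionProperty("openam.saml.singlelogout.enabled", String.valueOf(this.singleLogoutEnabled));
        if (this.singleLogoutEnabled) {
            setUserSessionProperty("RelayState", this.sloRelayState);
        }
        setUserSessionProperty("SessionIndex", this.sessionIndex);
        setUserSessionProperty("idpEntityID", this.entityName);
        setUserSessionProperty("spEntityID", SPSSOFederate.getSPEntityId(this.metaAlias));
        setUserSessionProperty("metaAlias", this.metaAlias);
        setUserSessionProperty("reqBinding", this.reqBinding);
        setUserSessionProperty("NameID", nameID.toXMLString(true, true));
        setUserSessionProperty(Constants.IS_TRANSIENT, Boolean.toString(this.isTransient));
        setUserSessionProperty(Constants.REQUEST_ID, this.respInfo.getResponse().getInResponseTo());
        setUserSessionProperty("binding", this.binding);
        setUserSessionProperty(Constants.CACHE_KEY, this.storageKey);
    }

    /**
     * Runs the SP attribute mapper over the assertion's (possibly encrypted) attributes, stores the
     * result as user attributes and flattens every multi-valued attribute into one
     * {@code |}-separated session property.
     *
     * <p>Attribute mapping is best-effort: a mapping failure is logged and the login still succeeds
     * without the attributes. Attributes with no values are written as an empty property instead of
     * blowing up on the trailing-separator removal.
     */
    private void linkAttributeValues(Assertion assertion, String str) throws AuthLoginException, SAML2Exception {
        String entityByMetaAlias = this.metaManager.getEntityByMetaAlias(this.metaAlias);
        SPSSOConfigElement sPSSOConfig = this.metaManager.getSPSSOConfig(this.realm, entityByMetaAlias);
        List attrs = SPACSUtils.getAttrs(assertion, SPACSUtils.getNeedAttributeEncrypted(Boolean.parseBoolean(SAML2Utils.getAttributeValueFromSPSSOConfig(sPSSOConfig, "wantAssertionEncrypted")), sPSSOConfig), KeyUtil.getDecryptionKeys(sPSSOConfig));
        try {
            Map attributes = SAML2Utils.getSPAttributeMapper(this.realm, entityByMetaAlias).getAttributes(attrs, str, entityByMetaAlias, this.entityName, this.realm);
            setUserAttributes(attributes);
            if (assertion.getAdvice() != null) {
                attributes.put("DiscoveryBootstrapCrendentials", new HashSet(assertion.getAdvice().getAdditionalInfo()));
            }
            for (String str2 : attributes.keySet()) {
                Set set = (Set) attributes.get(str2);
                StringBuilder sb = new StringBuilder();
                if (set != null) {
                    Iterator it = set.iterator();
                    while (it.hasNext()) {
                        sb.append(com.sun.identity.shared.StringUtils.getEscapedValue((String) it.next())).append(PROPERTY_VALUES_SEPARATOR);
                    }
                }
                // Strip the trailing separator; an empty value set leaves an empty builder.
                if (sb.length() > 0) {
                    sb.deleteCharAt(sb.length() - 1);
                }
                setUserSessionProperty(str2, sb.toString());
            }
        } catch (SAML2Exception e) {
            // Best-effort: the user is still authenticated, but the operator should see why attributes are missing.
            DEBUG.error("SAML2 :: linkAttributeValues() : unable to map assertion attributes for {}", new Object[]{str, e});
        }
    }

    /**
     * Links the locally authenticated user to the IdP NameID (persisting the federation when the
     * NameID format allows it) and sets the principal.
     *
     * @param str universal ID of the local user.
     * @throws AuthenticationException wrapping any SAML2 failure as {@code localLinkError}.
     */
    private void linkAccount(String str, NameID nameID) throws SAML2MetaException, AuthenticationException {
        String entityByMetaAlias = this.metaManager.getEntityByMetaAlias(this.metaAlias);
        try {
            NameIDInfo nameIDInfo = new NameIDInfo(entityByMetaAlias, this.entityName, nameID, "SPRole", false);
            DEBUG.message("SAML2 :: Local User {} Linked to Federation Account - {}", new Object[]{str, nameID.getValue()});
            if (shouldPersistNameID(entityByMetaAlias)) {
                AccountUtils.setAccountFederation(nameIDInfo, str);
            }
            this.principal = new SAML2Principal(str);
        } catch (SAML2Exception e) {
            // The rethrown exception carries only a bundle key, so keep the original cause in the log.
            DEBUG.error("SAML2 :: linkAccount() : unable to link local user {} to federation account", new Object[]{str, e});
            throw new AuthenticationException(BUNDLE_NAME, "localLinkError", new Object[0]);
        }
    }

    /**
     * Decides whether the NameID should be persisted against the local account.
     *
     * <p>Side effects: resolves {@code nameIDFormat} against SP/IdP metadata and sets {@code isTransient}.
     * Transient NameIDs, ignored-profile realms and formats the default account mapper does not persist
     * all return {@code false}.
     *
     * @param str the local SP entity ID.
     */
    private boolean shouldPersistNameID(String str) throws SAML2Exception {
        DefaultLibrarySPAccountMapper defaultLibrarySPAccountMapper = new DefaultLibrarySPAccountMapper();
        this.nameIDFormat = SAML2Utils.verifyNameIDFormat(this.nameIDFormat, SPSSOFederate.getSPSSOForAuthnReq(this.realm, SPSSOFederate.getSPEntityId(this.metaAlias)), SPSSOFederate.getIDPSSOForAuthnReq(this.realm, this.entityName));
        this.isTransient = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient".equals(this.nameIDFormat);
        SSOToken sSOToken = null;
        try {
            sSOToken = getLoginState("shouldPersistNameID").getSSOToken();
        } catch (SSOException | AuthLoginException e) {
            // A missing token is tolerated; isIgnoredProfile is expected to cope with null.
            if (DEBUG.messageEnabled()) {
                DEBUG.message("SAML2 :: failed to get user's SSOToken.");
            }
        }
        return (this.isTransient || SAML2PluginsUtils.isIgnoredProfile(sSOToken, this.realm) || !defaultLibrarySPAccountMapper.shouldPersistNameIDFormat(this.realm, str, this.entityName, this.nameIDFormat)) ? false : true;
    }

    /**
     * Logs the error (when a log message is given) and moves to the error state with {@code str}
     * as the page header.
     *
     * @param str header text shown to the user.
     * @param str2 log message with {@code {}} placeholders, or {@code null} to skip logging.
     * @return state 4.
     */
    private int processError(String str, String str2, Object... objArr) throws AuthLoginException {
        if (null != str2) {
            DEBUG.error(str2, objArr);
        }
        substituteHeader(4, str);
        return 4;
    }

    /**
     * Variant taking a localisable exception. The header is the exception's localised message unless
     * a bundle key {@code str} is given. The log arguments are the caller's placeholders followed by
     * the exception itself, flattened into one array so the placeholders resolve to the values rather
     * than to the {@code Object[]}'s identity string.
     *
     * @return state 4.
     */
    private int processError(L10NMessageImpl l10NMessageImpl, String str, String str2, Object... objArr) throws AuthLoginException {
        if (null == l10NMessageImpl) {
            return processError(str, str2, objArr);
        }
        String l10NMessage = null == str ? l10NMessageImpl.getL10NMessage(getLoginLocale()) : this.bundle.getString(str);
        if (str2 != null) {
            Object[] callerArgs = objArr == null ? new Object[0] : objArr;
            Object[] logArgs = new Object[callerArgs.length + 1];
            System.arraycopy(callerArgs, 0, logArgs, 0, callerArgs.length);
            logArgs[callerArgs.length] = l10NMessageImpl;
            DEBUG.error(str2, logArgs);
        }
        substituteHeader(4, l10NMessage);
        return 4;
    }

    /** @return the authenticated principal, or {@code null} before a successful login. */
    public Principal getPrincipal() {
        return this.principal;
    }
}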
