package com.alfaariss.oa.authentication.remote.saml2.profile.sso;

import com.alfaariss.oa.OAException;
import com.alfaariss.oa.UserEvent;
import com.alfaariss.oa.api.attribute.IAttributes;
import com.alfaariss.oa.api.attribute.ISessionAttributes;
import com.alfaariss.oa.api.configuration.IConfigurationManager;
import com.alfaariss.oa.api.idmapper.IIDMapper;
import com.alfaariss.oa.api.requestor.IRequestor;
import com.alfaariss.oa.api.session.ISession;
import com.alfaariss.oa.authentication.remote.saml2.SAML2AuthNConstants;
import com.alfaariss.oa.authentication.remote.saml2.beans.SAMLRemoteUser;
import com.alfaariss.oa.authentication.remote.saml2.profile.AbstractAuthNMethodSAML2Profile;
import com.alfaariss.oa.authentication.remote.saml2.util.ResponseValidator;
import com.alfaariss.oa.engine.core.authentication.AuthenticationContext;
import com.alfaariss.oa.engine.core.authentication.AuthenticationContexts;
import com.alfaariss.oa.engine.core.idp.storage.IIDPStorage;
import com.alfaariss.oa.engine.user.provisioning.translator.standard.StandardProfile;
import com.alfaariss.oa.sso.SSOService;
import com.alfaariss.oa.util.saml2.SAML2ConditionsWindow;
import com.alfaariss.oa.util.saml2.SAML2Exchange;
import com.alfaariss.oa.util.saml2.SAML2SecurityException;
import com.alfaariss.oa.util.saml2.binding.AbstractEncodingFactory;
import com.alfaariss.oa.util.saml2.crypto.SAML2CryptoUtils;
import com.alfaariss.oa.util.saml2.idp.SAML2IDP;
import com.alfaariss.oa.util.saml2.proxy.ProxyAttributes;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Vector;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.asimba.util.saml2.assertion.SAML2TimestampWindow;
import org.joda.time.DateTime;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.common.binding.encoding.SAMLMessageEncoder;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
import org.opensaml.saml2.core.ArtifactResponse;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.AuthenticatingAuthority;
import org.opensaml.saml2.core.AuthnContext;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.NameIDPolicy;
import org.opensaml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.Scoping;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.w3c.dom.Element;

/* loaded from: input_file:com/alfaariss/oa/authentication/remote/saml2/profile/sso/WebBrowserSSOProfile.class */
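/**
 * SAML 2.0 Web Browser SSO profile of the remote SAML2 authentication method.
 * <p>
 * {@link #process} dispatches on the {@code SAML2AuthNConstants.RESPONSE_ENDPOINT_PARAM}
 * request attribute: when it is absent or {@code false} an {@code AuthnRequest} is built
 * and sent to the IdP ({@link #createAuthNRequest}); when it is {@code true} the request
 * carries an inbound SAML message that is validated and mapped onto the session user
 * ({@link #handleResponse}).
 * <p>
 * The optional {@code AuthnContext} configuration section (comparison type and a list of
 * {@code ClassRef} URIs) is read once in {@link #init} and only read afterwards.
 */
public class WebBrowserSSOProfile extends AbstractAuthNMethodSAML2Profile {
    /** SAML 2.0 protocol namespace, used to select our SP role descriptor from the entity metadata. */
    private static final String SAML20P_NS = "urn:oasis:names:tc:SAML:2.0:protocol";
    /** NameID format used when neither the session user nor proxied attributes supply one. */
    private static final String NAMEID_FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";

    /** Logger; assigned per instance from the runtime class so subclasses log under their own name. */
    protected static Log _logger;
    /** Our own SP role descriptor; {@code null} when the entity metadata has no SPSSODescriptor. */
    protected SPSSODescriptor _spSSODescriptor;
    /** Configured {@code AuthnContext/Comparison} value, or {@code null} when not configured. */
    protected String _sAuthnContextComparison;
    /** Configured {@code AuthnContext/ClassRefs/ClassRef@uri} values; empty when not configured. */
    protected List<String> _listAuthnContextClassRefs;
    /** Not assigned or read by this class. */
    protected SecureRandomIdentifierGenerator _idGenerator;

    /** Creates a profile without AuthnContext configuration; {@link #init} fills it in. */
    public WebBrowserSSOProfile() {
        _logger = LogFactory.getLog(getClass());
        this._sAuthnContextComparison = null;
        this._listAuthnContextClassRefs = new Vector<>();
    }

    /**
     * Initializes the profile from configuration.
     * <p>
     * After the superclass initialization this probes the {@code IAttributes} API for
     * name-format support, resolves our SP role descriptor from the entity metadata and
     * reads the optional {@code AuthnContext} section.
     *
     * @throws OAException from the superclass, or when the {@code AuthnContext} section is
     *         present but invalid (see {@link #readAuthnContextConfig})
     */
    @Override // com.alfaariss.oa.authentication.remote.saml2.profile.AbstractAuthNMethodSAML2Profile, com.alfaariss.oa.authentication.remote.saml2.profile.IAuthNMethodSAML2Profile
    public void init(IConfigurationManager iConfigurationManager, Element element, EntityDescriptor entityDescriptor, IIDMapper iIDMapper, IIDPStorage iIDPStorage, String str, String str2, SAML2ConditionsWindow sAML2ConditionsWindow, SAML2TimestampWindow sAML2TimestampWindow, StandardProfile standardProfile) throws OAException {
        super.init(iConfigurationManager, element, entityDescriptor, iIDMapper, iIDPStorage, str, str2, sAML2ConditionsWindow, sAML2TimestampWindow, standardProfile);
        this._bCompatible = isCompatible();
        _logger.info("Optional user attribute name format: " + (this._bCompatible ? "supported" : "not supported"));
        this._spSSODescriptor = this._entityDescriptor.getSPSSODescriptor(SAML20P_NS);
        Element section = iConfigurationManager.getSection(element, "AuthnContext");
        if (section != null) {
            readAuthnContextConfig(iConfigurationManager, section);
            return;
        }
        _logger.info("No optional 'AuthnContext' section found in configuration");
        this._sAuthnContextComparison = null;
        this._listAuthnContextClassRefs = new Vector<>();
    }

    /**
     * Entry point of the profile.
     *
     * @param hashtable attribute mapping passed through to {@code mapAttributes} when a
     *        response is handled
     * @return the event of the branch taken: {@link #handleResponse} when the
     *         {@code RESPONSE_ENDPOINT_PARAM} request attribute is {@code true}, otherwise
     *         {@link #createAuthNRequest}
     * @throws OAException from the branch taken
     */
    public UserEvent process(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ISession iSession, SAML2IDP saml2idp, Hashtable<String, String> hashtable) throws OAException {
        _logger.debug("Request recieved: " + httpServletRequest.getRequestURL().toString());
        Boolean isResponseEndpoint = (Boolean) httpServletRequest.getAttribute(SAML2AuthNConstants.RESPONSE_ENDPOINT_PARAM);
        // A missing or false attribute means this is the initial request towards the IdP.
        if (Boolean.TRUE.equals(isResponseEndpoint)) {
            return handleResponse(httpServletRequest, iSession, saml2idp, hashtable);
        }
        return createAuthNRequest(httpServletRequest, httpServletResponse, iSession, saml2idp);
    }

    /**
     * Builds and sends an {@code AuthnRequest} to the IdP's single sign-on endpoint, using
     * the first SSO binding the IdP advertises that we support.
     * <p>
     * The request is signed only when {@code _signingEnabled}; if either side's metadata asks
     * for signed requests and no key is available, a warning is logged and the request goes
     * out unsigned. The session is persisted before the message is encoded.
     *
     * @return {@link UserEvent#AUTHN_METHOD_IN_PROGRESS} once the request has been encoded
     * @throws OAException when no supported binding or encoding factory is available, or
     *         when encoding fails
     */
    protected UserEvent createAuthNRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ISession iSession, SAML2IDP saml2idp) throws OAException {
        try {
            IDPSSODescriptor idPDescriptor = getIdPDescriptor(saml2idp);
            String supportedBinding = getSupportedBinding(idPDescriptor);
            if (supportedBinding == null) {
                _logger.error("Authentication request could not be formed, since no suitable binding can be found");
                throw new OAException(1);
            }
            _logger.debug("Using binding: " + supportedBinding);
            // No break: when several SSO endpoints share the binding, the last one wins.
            String ssoLocation = null;
            for (SingleSignOnService singleSignOnService : idPDescriptor.getSingleSignOnServices()) {
                if (supportedBinding.equals(singleSignOnService.getBinding())) {
                    ssoLocation = singleSignOnService.getLocation();
                }
            }
            AuthnRequest authnRequest = buildAuthnRequest();
            ISessionAttributes attributes = iSession.getAttributes();
            authnRequest.setID(generateRequestID(iSession.getId(), attributes));
            // Tell the IdP where to deliver the response: by ACS index when the IdP
            // configuration asks for it, otherwise by explicit URL and binding.
            AssertionConsumerService defaultAcs = this._spSSODescriptor != null ? this._spSSODescriptor.getDefaultAssertionConsumerService() : null;
            if (defaultAcs != null) {
                Integer index = defaultAcs.getIndex();
                String location = defaultAcs.getLocation();
                String binding = defaultAcs.getBinding();
                if (index != null && Boolean.TRUE.equals(saml2idp.useACSIndex())) {
                    authnRequest.setAssertionConsumerServiceIndex(index);
                } else if (location != null && binding != null) {
                    authnRequest.setAssertionConsumerServiceURL(location);
                    authnRequest.setProtocolBinding(binding);
                }
            }
            authnRequest.setDestination(ssoLocation);
            authnRequest.setIssueInstant(new DateTime());
            authnRequest.setIssuer(buildIssuer());
            if (Boolean.TRUE.equals(saml2idp.useNameIDPolicy())) {
                NameIDPolicy nameIDPolicy = buildNameIDPolicy(iSession, idPDescriptor, saml2idp.useAllowCreate(), saml2idp.getNameIDFormat());
                if (nameIDPolicy != null) {
                    authnRequest.setNameIDPolicy(nameIDPolicy);
                }
            }
            // Subject: a user already in the session takes precedence over a forced user ID.
            SAMLRemoteUser user = iSession.getUser();
            String forcedUserID = iSession.getForcedUserID();
            if (user != null) {
                forcedUserID = user.getID();
            }
            if (forcedUserID != null) {
                String nameQualifier = this._entityDescriptor.getEntityID();
                String nameFormat = NAMEID_FORMAT_UNSPECIFIED;
                // With `user` declared as SAMLRemoteUser this instanceof is effectively a null check.
                if (user instanceof SAMLRemoteUser) {
                    SAMLRemoteUser sAMLRemoteUser = user;
                    nameFormat = sAMLRemoteUser.getFormat();
                    nameQualifier = sAMLRemoteUser.getOrganization();
                } else {
                    // Proxied NameID attributes are only honoured when they describe the forced user.
                    String proxiedNameID = (String) attributes.get(ProxyAttributes.class, "NameID");
                    if (proxiedNameID != null && proxiedNameID.equals(iSession.getForcedUserID())) {
                        String proxiedFormat = (String) attributes.get(ProxyAttributes.class, "NameFormat");
                        nameFormat = proxiedFormat != null ? proxiedFormat : NAMEID_FORMAT_UNSPECIFIED;
                        String proxiedQualifier = (String) attributes.get(ProxyAttributes.class, "NameQualifier");
                        if (proxiedQualifier != null) {
                            nameQualifier = proxiedQualifier;
                        }
                    }
                }
                // Null-safe unboxing: an unset avoidSubjectConfirmations() counts as false.
                Subject subject = buildSubject(forcedUserID, nameFormat, nameQualifier, Boolean.TRUE.equals(saml2idp.avoidSubjectConfirmations()));
                if (subject != null) {
                    authnRequest.setSubject(subject);
                }
            }
            if (Boolean.TRUE.equals(saml2idp.useScoping())) {
                Scoping scoping = buildScoping(attributes, iSession.getRequestorId());
                if (scoping != null) {
                    authnRequest.setScoping(scoping);
                }
            }
            authnRequest.setForceAuthn(Boolean.valueOf(iSession.isForcedAuthentication()));
            // ProviderName: a proxied value first, else the requestor's friendly name.
            String providerName = (String) attributes.get(ProxyAttributes.class, "ProviderName");
            if (providerName != null) {
                authnRequest.setProviderName(providerName);
            } else {
                IRequestor requestor = this._requestorPoolFactory.getRequestor(iSession.getRequestorId());
                String friendlyName = requestor != null ? requestor.getFriendlyName() : null;
                if (friendlyName != null && friendlyName.length() > 0) {
                    authnRequest.setProviderName(friendlyName);
                }
            }
            RequestedAuthnContext requestedAuthnContext = buildRequestedAuthnContext(attributes);
            if (requestedAuthnContext != null) {
                authnRequest.setRequestedAuthnContext(requestedAuthnContext);
            }
            AbstractEncodingFactory encodingFactory = AbstractEncodingFactory.createInstance(httpServletRequest, httpServletResponse, supportedBinding, SAML2Exchange.getSPSSOBindingProperties(this._sLinkedIDPProfile));
            if (encodingFactory == null) {
                _logger.error("No encoding factory available for request");
                throw new OAException(1);
            }
            SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> encodingContext = createEncodingContext(httpServletRequest, httpServletResponse);
            encodingContext.setInboundMessageIssuer(saml2idp.getID());
            encodingContext.setOutboundMessageIssuer(this._entityDescriptor.getEntityID());
            encodingContext.setLocalEntityId(this._entityDescriptor.getEntityID());
            encodingContext.setLocalEntityMetadata(this._entityDescriptor);
            encodingContext.setLocalEntityRoleMetadata(this._entityDescriptor.getSPSSODescriptor(SAML20P_NS));
            encodingContext.setMetadataProvider(saml2idp.getMetadataProvider());
            encodingContext.setOutboundSAMLMessage(authnRequest);
            // NOTE(review): the peer endpoint is built with the AssertionConsumerService element
            // name although it describes the IdP's SSO endpoint; kept as-is, confirm intent.
            encodingContext.setPeerEntityEndpoint(buildMetadataEndpoint(AssertionConsumerService.DEFAULT_ELEMENT_NAME, supportedBinding, ssoLocation, null));
            if (this._signingEnabled) {
                encodingContext.setOutboundSAMLMessageSigningCredential(SAML2CryptoUtils.retrieveMySigningCredentials(this._crypto, this._entityDescriptor.getEntityID()));
            } else if (authnRequestSigningExpected(idPDescriptor)) {
                // Metadata asks for a signed request but we have no key: the request is still
                // sent unsigned, which the IdP may reject.
                _logger.warn("Could not sign AuthnRequest: no private key available");
            }
            SAMLMessageEncoder encoder = encodingFactory.getEncoder();
            // Persisted before encode(), which writes the outbound message to the HTTP response;
            // presumably so state recorded for the request ID survives — confirm against generateRequestID.
            iSession.persist();
            encoder.encode(encodingContext);
            if (_logger.isDebugEnabled()) {
                SAMLObject outboundSAMLMessage = encodingContext.getOutboundSAMLMessage();
                if (outboundSAMLMessage != null) {
                    logXML(outboundSAMLMessage);
                }
            }
            return UserEvent.AUTHN_METHOD_IN_PROGRESS;
        } catch (MessageEncodingException e) {
            _logger.error("Encoding of authentication request failed", e);
            throw new OAException(1);
        }
    }

    /**
     * Whether our SP metadata ({@code AuthnRequestsSigned}) or the IdP metadata
     * ({@code WantAuthnRequestsSigned}) asks for signed authentication requests.
     * A missing descriptor or an unset flag counts as "not requested".
     */
    private boolean authnRequestSigningExpected(IDPSSODescriptor idPDescriptor) {
        boolean spRequests = this._spSSODescriptor != null && Boolean.TRUE.equals(this._spSSODescriptor.isAuthnRequestsSigned());
        boolean idpWants = idPDescriptor != null && Boolean.TRUE.equals(idPDescriptor.getWantAuthnRequestsSigned());
        return spRequests || idpWants;
    }

    /**
     * Whether our SP metadata ({@code WantAssertionsSigned}) requires signed assertions.
     * Without an SP role descriptor this fails closed and requires a signature, where the
     * previous code dereferenced {@code null}.
     */
    private boolean wantAssertionsSigned() {
        if (this._spSSODescriptor == null) {
            return true;
        }
        return Boolean.TRUE.equals(this._spSSODescriptor.getWantAssertionsSigned());
    }

    /**
     * Validates the inbound SAML message the binding endpoint stored on the request under
     * {@code SAML2AuthNConstants.SESSION_ATTRIBUTE_NAME} and, on success, installs the
     * authenticated user and its {@link AuthenticationContext} in the session.
     * <p>
     * Checks, in order: a message context is present; the message issuer equals the IdP the
     * request was sent to; {@link ResponseValidator#validateResponse}; a successful status;
     * at least one unencrypted assertion whose issuer is known and whose signature validates
     * ({@link ResponseValidator#validateMessage}); the chosen assertion's issuer matches the
     * IdP it was attributed to; its conditions ({@code doConditions}); a subject; the user ID
     * equals the session user's when one exists; at least one AuthnStatement passing
     * {@code checkAuthNStatement}. Encrypted assertions are not decrypted and are ignored.
     * When several assertions validate, the last one is used.
     *
     * @param hashtable attribute mapping handed to {@code mapAttributes}
     * @return {@link UserEvent#AUTHN_METHOD_SUCCESSFUL}, the event derived from a
     *         non-successful status, or {@link UserEvent#AUTHN_METHOD_FAILED}
     * @throws OAException when an object taken from the request/session has an unexpected type
     */
    protected UserEvent handleResponse(HttpServletRequest httpServletRequest, ISession iSession, SAML2IDP saml2idp, Hashtable<String, String> hashtable) throws OAException {
        AuthenticationContext authenticationContext = new AuthenticationContext();
        SAMLMessageContext<SignableSAMLObject, SignableSAMLObject, SAMLObject> sAMLMessageContext = (SAMLMessageContext) httpServletRequest.getAttribute(SAML2AuthNConstants.SESSION_ATTRIBUTE_NAME);
        try {
            if (sAMLMessageContext == null) {
                _logger.debug("No context available in request as attribute with name: saml_response_obj");
                return UserEvent.AUTHN_METHOD_FAILED;
            }
            // NOTE(review): this cast to Response comes from decompiled code. If it is real, an
            // ArtifactResponse throws ClassCastException here (turned into OAException below) and
            // the ArtifactResponse branch further down is unreachable — confirm against the source.
            SignableSAMLObject inboundMessage = (Response) sAMLMessageContext.getInboundSAMLMessage();
            if (_logger.isDebugEnabled()) {
                SAMLObject inboundSAMLMessage = sAMLMessageContext.getInboundSAMLMessage();
                if (inboundSAMLMessage != null) {
                    logXML(inboundSAMLMessage);
                }
            }
            // The response must come from the IdP the AuthnRequest was sent to.
            if (!saml2idp.getID().equals(sAMLMessageContext.getInboundMessageIssuer())) {
                _logger.debug("Response issuer was not the same as who the AuthnRequest was sent to.");
                return UserEvent.AUTHN_METHOD_FAILED;
            }
            // The IdP the selected assertion is attributed to; starts as the requested IdP and
            // may switch to a known foreign IdP below.
            SAML2IDP assertionIdp = saml2idp;
            ResponseValidator responseValidator = new ResponseValidator(this._entityDescriptor.getEntityID(), assertionIdp, false);
            responseValidator.validateResponse(sAMLMessageContext);
            if (inboundMessage == null) {
                _logger.debug("Could not fetch response from session");
                return UserEvent.AUTHN_METHOD_FAILED;
            }
            UserEvent status = getStatus(inboundMessage.getStatus(), saml2idp);
            if (status != UserEvent.AUTHN_METHOD_SUCCESSFUL) {
                _logger.debug("Message indicated that the authentication was not successful: " + status);
                return status;
            }
            Response response = null;
            if (inboundMessage instanceof Response) {
                response = (Response) inboundMessage;
            } else if (inboundMessage instanceof ArtifactResponse) {
                SignableSAMLObject message = ((ArtifactResponse) inboundMessage).getMessage();
                if (message instanceof Response) {
                    response = (Response) message;
                    // The wrapped Response carries its own signature and status.
                    if (!responseValidator.validateMessage(sAMLMessageContext, response)) {
                        _logger.debug("Response in ArtifactResponse signature validation failure");
                        return UserEvent.AUTHN_METHOD_FAILED;
                    }
                    UserEvent innerStatus = getStatus(response.getStatus(), saml2idp);
                    if (innerStatus != UserEvent.AUTHN_METHOD_SUCCESSFUL) {
                        _logger.debug("Message (in artifact response) indicated that the authentication was not successful: " + innerStatus);
                        return innerStatus;
                    }
                } else {
                    _logger.debug("Artifact response did not contain a Response message: received " + message.getElementQName());
                }
            }
            if (response == null) {
                _logger.debug("Response message did not contain 'Response' or 'ArtifactResponse' XML object");
                return UserEvent.AUTHN_METHOD_FAILED;
            }
            List<Assertion> assertions = response.getAssertions();
            if (assertions.isEmpty()) {
                _logger.debug("Response contains no (unencrypted) assertions");
                return UserEvent.AUTHN_METHOD_FAILED;
            }
            Assertion validAssertion = null;
            Collection<?> forcedOrganizations = (Collection<?>) iSession.getAttributes().get(SAML2AuthNConstants.class, SAML2AuthNConstants.FORCED_ORGANIZATIONS);
            for (Assertion assertion : assertions) {
                // Attribute the assertion to an IdP: the requested one, a known foreign one,
                // or (for a "forced" organization) again the requested one.
                SAML2IDP issuingIdp = null;
                Issuer issuer = assertion.getIssuer();
                String issuerValue = issuer != null ? issuer.getValue() : null;
                if (issuerValue == null || issuerValue.equals(saml2idp.getID())) {
                    issuingIdp = saml2idp;
                } else {
                    SAML2IDP knownIdp = (SAML2IDP) this._organizationStorage.getIDP(issuerValue);
                    if (knownIdp != null) {
                        issuingIdp = knownIdp;
                    } else if (forcedOrganizations == null || !forcedOrganizations.contains(issuerValue)) {
                        _logger.debug("Assertion found with unknown issuer: " + issuerValue);
                    } else {
                        // NOTE(review): attributing a forced foreign issuer to the requested IdP
                        // makes the issuer-equality check after this loop fail for such an
                        // assertion, so this branch only affects logging — confirm intent.
                        _logger.debug("Assertion found with unknown forced issuer: " + issuerValue);
                        issuingIdp = saml2idp;
                    }
                }
                if (issuingIdp != null) {
                    // Every attributed assertion must pass signature validation; one failure
                    // rejects the whole response.
                    // NOTE(review): the home branch validates with assertionIdp, which a
                    // previous foreign assertion may have changed — kept as in the original.
                    if (issuingIdp == saml2idp) {
                        if (!new ResponseValidator(this._entityDescriptor.getEntityID(), assertionIdp, wantAssertionsSigned()).validateMessage(sAMLMessageContext, assertion)) {
                            _logger.warn("Assertion signature validation failure");
                            return UserEvent.AUTHN_METHOD_FAILED;
                        }
                    } else if (!new ResponseValidator(this._entityDescriptor.getEntityID(), issuingIdp, wantAssertionsSigned()).validateMessage(sAMLMessageContext, assertion)) {
                        _logger.warn("Foreign Assertion signature validation failure");
                        return UserEvent.AUTHN_METHOD_FAILED;
                    }
                    validAssertion = assertion;
                    assertionIdp = issuingIdp;
                }
            }
            if (validAssertion == null) {
                _logger.debug("No (valid) assertions found");
                return UserEvent.AUTHN_METHOD_FAILED;
            }
            List<?> encryptedAssertions = response.getEncryptedAssertions();
            if (encryptedAssertions != null && !encryptedAssertions.isEmpty()) {
                _logger.debug("One or more encrypted assertions received and ignored. This feature is not implemented yet.");
            }
            String assertionIssuer = validAssertion.getIssuer() == null ? null : validAssertion.getIssuer().getValue();
            if (!assertionIdp.getID().equals(assertionIssuer)) {
                _logger.debug("Assertion issuer not found or correct");
                return UserEvent.AUTHN_METHOD_FAILED;
            }
            authenticationContext.set("issuer", assertionIssuer);
            Conditions conditions = validAssertion.getConditions();
            if (conditions != null) {
                if (!doConditions(conditions)) {
                    _logger.debug("Response conditions not met");
                    return UserEvent.AUTHN_METHOD_FAILED;
                }
                setAudienceInAuthnContext(conditions, authenticationContext);
            }
            if (validAssertion.getSubject() == null) {
                _logger.debug("Missing required subject");
                return UserEvent.AUTHN_METHOD_FAILED;
            }
            SAMLRemoteUser assertedUser = createUserFromAssertion(validAssertion, this._sMethodID, assertionIdp.getID());
            SAMLRemoteUser user = iSession.getUser();
            if (user == null && assertedUser == null) {
                _logger.error("Response user conditions not met (no user found)");
                return UserEvent.AUTHN_METHOD_FAILED;
            }
            // A user already in the session must be the same principal the IdP asserted.
            if (user == null) {
                user = assertedUser;
            } else if (assertedUser != null && !user.getID().equals(assertedUser.getID())) {
                _logger.error("Response user conditions not met (UID has changed from " + user.getID() + " to " + assertedUser.getID() + " during remote authN)");
                return UserEvent.AUTHN_METHOD_FAILED;
            }
            if (validAssertion.getAuthnStatements().isEmpty()) {
                _logger.debug("No AuthN statement found");
                return UserEvent.AUTHN_METHOD_FAILED;
            }
            // With `user` declared as SAMLRemoteUser this is a null check; user is non-null here.
            SAMLRemoteUser sAMLRemoteUser = user instanceof SAMLRemoteUser ? user : null;
            Vector<String> authenticatingAuthorities = new Vector<>();
            for (AuthnStatement authnStatement : validAssertion.getAuthnStatements()) {
                if (!checkAuthNStatement(authnStatement)) {
                    _logger.debug("Response conditions not met");
                    return UserEvent.AUTHN_METHOD_FAILED;
                }
                String sessionIndex = authnStatement.getSessionIndex();
                if (sAMLRemoteUser != null && sessionIndex != null) {
                    sAMLRemoteUser.addSessionIndex(sessionIndex);
                }
                AuthnContext authnContext = authnStatement.getAuthnContext();
                if (authnContext != null) {
                    AuthnContextClassRef authnContextClassRef = authnContext.getAuthnContextClassRef();
                    if (authnContextClassRef != null) {
                        iSession.getAttributes().put(ProxyAttributes.class, "AuthnContextClassRef", authnContextClassRef.getAuthnContextClassRef());
                        authenticationContext.set("authncontext_classref", authnContextClassRef.getAuthnContextClassRef());
                    }
                    List<AuthenticatingAuthority> authorities = authnContext.getAuthenticatingAuthorities();
                    if (authorities != null) {
                        for (AuthenticatingAuthority authority : authorities) {
                            String uri = authority.getURI();
                            if (uri != null) {
                                authenticatingAuthorities.add(uri);
                            }
                        }
                    }
                }
                // With several statements the last AuthnInstant wins.
                if (authnStatement.getAuthnInstant() != null) {
                    authenticationContext.set("authentication_time", authnStatement.getAuthnInstant().toString());
                }
            }
            // The IdP we talked to is always recorded as an authenticating authority.
            if (!authenticatingAuthorities.contains(saml2idp.getID())) {
                authenticatingAuthorities.add(saml2idp.getID());
            }
            iSession.getAttributes().put(ProxyAttributes.class, "AuthenticatingAuthorities", authenticatingAuthorities);
            IAttributes attributeMap = getAttributeMap(validAssertion.getAttributeStatements());
            user.setAttributes(attributeMap != null ? mapAttributes(attributeMap, user.getAttributes(), hashtable) : user.getAttributes());
            iSession.setUser(user);
            httpServletRequest.setAttribute(SAML2AuthNConstants.RESPONSE_ENDPOINT_PARAM, Boolean.FALSE);
            if (assertionIdp.disableSSO()) {
                iSession.getAttributes().put(SSOService.class, this._sMethodID, "disable_sso", "true");
            }
            AuthenticationContexts authenticationContexts = (AuthenticationContexts) iSession.getAttributes().get(AuthenticationContexts.class, "authcontexts");
            if (authenticationContexts == null) {
                authenticationContexts = new AuthenticationContexts();
                iSession.getAttributes().put(AuthenticationContexts.class, "authcontexts", authenticationContexts);
            }
            authenticationContexts.setAuthenticationContext(this._sMethodID, authenticationContext);
            iSession.persist();
            return UserEvent.AUTHN_METHOD_SUCCESSFUL;
        } catch (ClassCastException e) {
            _logger.debug("Illegally typed object retrieved from session", e);
            throw new OAException(1);
        } catch (SAML2SecurityException e2) {
            _logger.debug("Validation of incoming SAML message failed", e2);
            return UserEvent.AUTHN_METHOD_FAILED;
        }
    }

    /**
     * Picks the first SSO binding in the IdP's metadata that
     * {@link AbstractEncodingFactory#getSupportedBindings()} contains.
     *
     * @param iDPSSODescriptor the IdP role descriptor, may be {@code null}
     * @return the binding URI, or {@code null} when the descriptor is missing, advertises no
     *         SSO endpoint, or none of its bindings is supported
     */
    protected String getSupportedBinding(IDPSSODescriptor iDPSSODescriptor) {
        if (iDPSSODescriptor == null) {
            _logger.debug("Could not determine binding, no IDP role descriptor found");
            return null;
        }
        List<SingleSignOnService> singleSignOnServices = iDPSSODescriptor.getSingleSignOnServices();
        if (singleSignOnServices.isEmpty()) {
            return null;
        }
        Collection<?> supportedBindings = AbstractEncodingFactory.getSupportedBindings();
        for (SingleSignOnService singleSignOnService : singleSignOnServices) {
            if (supportedBindings.contains(singleSignOnService.getBinding())) {
                return singleSignOnService.getBinding();
            }
        }
        _logger.error("Could not find a binding that we support in IDP's metadata; supported: " + supportedBindings);
        return null;
    }

    /** Creates an empty {@code AuthnRequest} through the builder factory. */
    protected AuthnRequest buildAuthnRequest() {
        return this._builderFactory.getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME).buildObject();
    }

    /**
     * Builds the {@code RequestedAuthnContext} for an outbound request.
     * <p>
     * Class references come from the {@code AuthnContextClassRefs} proxy session attribute,
     * falling back to the configured list; the comparison type comes from the
     * {@code AuthnContextComparisonType} proxy attribute, falling back to the configured
     * value. An unknown comparison string is logged and ignored.
     *
     * @return the element, or {@code null} when no class references are available
     */
    protected RequestedAuthnContext buildRequestedAuthnContext(ISessionAttributes iSessionAttributes) {
        List<String> classRefs = (List<String>) iSessionAttributes.get(ProxyAttributes.class, "AuthnContextClassRefs");
        if (classRefs == null && !this._listAuthnContextClassRefs.isEmpty()) {
            _logger.debug("Using configured ClassRefs: " + this._listAuthnContextClassRefs);
            classRefs = new Vector<>(this._listAuthnContextClassRefs);
        }
        String comparison = (String) iSessionAttributes.get(ProxyAttributes.class, "AuthnContextComparisonType");
        if (comparison == null && this._sAuthnContextComparison != null) {
            _logger.debug("Using configured Comparison: " + this._sAuthnContextComparison);
            comparison = this._sAuthnContextComparison;
        }
        if (classRefs == null) {
            return null;
        }
        _logger.debug("Using session attribute: AuthnContextClassRefs");
        RequestedAuthnContext requestedAuthnContext = this._builderFactory.getBuilder(RequestedAuthnContext.DEFAULT_ELEMENT_NAME).buildObject();
        for (String classRef : classRefs) {
            AuthnContextClassRef classRefElement = this._builderFactory.getBuilder(AuthnContextClassRef.DEFAULT_ELEMENT_NAME).buildObject();
            classRefElement.setAuthnContextClassRef(classRef);
            requestedAuthnContext.getAuthnContextClassRefs().add(classRefElement);
        }
        if (comparison != null) {
            AuthnContextComparisonTypeEnumeration comparisonType = parseComparisonType(comparison);
            if (comparisonType != null) {
                _logger.debug("Using comparison type session attribute: AuthnContextComparisonType");
                requestedAuthnContext.setComparison(comparisonType);
            }
        }
        return requestedAuthnContext;
    }

    /**
     * Maps a comparison string (case-insensitive) onto the SAML comparison type.
     *
     * @return the matching constant, or {@code null} (after a debug log) for an unknown value
     */
    private AuthnContextComparisonTypeEnumeration parseComparisonType(String comparison) {
        if (comparison.equalsIgnoreCase(AuthnContextComparisonTypeEnumeration.MINIMUM.toString())) {
            return AuthnContextComparisonTypeEnumeration.MINIMUM;
        }
        if (comparison.equalsIgnoreCase(AuthnContextComparisonTypeEnumeration.BETTER.toString())) {
            return AuthnContextComparisonTypeEnumeration.BETTER;
        }
        if (comparison.equalsIgnoreCase(AuthnContextComparisonTypeEnumeration.EXACT.toString())) {
            return AuthnContextComparisonTypeEnumeration.EXACT;
        }
        if (comparison.equalsIgnoreCase(AuthnContextComparisonTypeEnumeration.MAXIMUM.toString())) {
            return AuthnContextComparisonTypeEnumeration.MAXIMUM;
        }
        _logger.debug("Unknown comparison type available as session attribute: " + comparison);
        return null;
    }

    /**
     * Reads the {@code AuthnContext} configuration section: the optional {@code Comparison}
     * parameter and the optional {@code ClassRefs} section with one or more {@code ClassRef}
     * elements carrying a unique {@code uri} parameter.
     * <p>
     * The class-reference list is rebuilt from scratch so a repeated {@code init} does not
     * trip over the uniqueness check with the previously loaded values.
     *
     * @throws OAException (17) when {@code ClassRefs} has no {@code ClassRef} or a
     *         {@code ClassRef} has no {@code uri}; (2) when a {@code uri} is duplicated
     */
    private void readAuthnContextConfig(IConfigurationManager iConfigurationManager, Element element) throws OAException {
        this._listAuthnContextClassRefs = new Vector<>();
        this._sAuthnContextComparison = iConfigurationManager.getParam(element, "Comparison");
        if (this._sAuthnContextComparison == null) {
            _logger.info("No optional 'Comparison' parameter in 'AuthnContext' section found in configuration");
        } else {
            _logger.info("Using configured AuthnContext Comparison value: " + this._sAuthnContextComparison);
        }
        Element classRefsSection = iConfigurationManager.getSection(element, "ClassRefs");
        if (classRefsSection == null) {
            _logger.info("No optional 'ClassRefs' section in 'AuthnContext' section found in configuration");
            return;
        }
        Element classRefSection = iConfigurationManager.getSection(classRefsSection, "ClassRef");
        if (classRefSection == null) {
            _logger.error("No 'ClassRef' section in 'ClassRefs' section found in configuration");
            throw new OAException(17);
        }
        while (classRefSection != null) {
            String uri = iConfigurationManager.getParam(classRefSection, "uri");
            if (uri == null) {
                _logger.error("No 'uri' parameter in 'ClassRef' section found in configuration");
                throw new OAException(17);
            }
            if (this._listAuthnContextClassRefs.contains(uri)) {
                _logger.error("Configured 'uri' parameter in 'ClassRef' section is not unique: " + uri);
                throw new OAException(2);
            }
            this._listAuthnContextClassRefs.add(uri);
            _logger.info("Using configured AuthnContext ClassRef uri: " + uri);
            classRefSection = iConfigurationManager.getNextSection(classRefSection);
        }
    }

    /**
     * Probes by reflection whether the {@code IAttributes} API on the classpath declares
     * {@code getFormat(String)}, i.e. supports attribute name formats.
     */
    private boolean isCompatible() {
        try {
            IAttributes.class.getDeclaredMethod("getFormat", String.class);
            return true;
        } catch (NoSuchMethodException | SecurityException e) {
            return false;
        }
    }

    /**
     * Collects all audience URIs from the assertion's audience restrictions and stores them,
     * space-separated, under {@code "audience"} in the authentication context. Does nothing
     * when there are no restrictions or no audiences.
     */
    private void setAudienceInAuthnContext(Conditions conditions, AuthenticationContext authenticationContext) {
        List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
        if (audienceRestrictions == null) {
            return;
        }
        List<String> audienceURIs = new ArrayList<>();
        for (AudienceRestriction restriction : audienceRestrictions) {
            List<Audience> audiences = restriction.getAudiences();
            if (audiences == null) {
                continue;
            }
            for (Audience audience : audiences) {
                String audienceURI = audience.getAudienceURI();
                if (audienceURI != null) {
                    audienceURIs.add(audienceURI);
                }
            }
        }
        if (!audienceURIs.isEmpty()) {
            String joined = StringUtils.join(audienceURIs.iterator(), " ");
            authenticationContext.set("audience", joined);
            _logger.debug("Audience set in local AuthenticationContext (" + joined + ")");
        }
    }
}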
