Class SAML2AssertionDetails


  • @Immutable
    public class SAML2AssertionDetails
    extends AssertionDetails
    SAML 2.0 bearer assertion details for OAuth 2.0 client authentication and authorisation grants.

    Used for SAML 2.0 bearer assertion grants.

    Example SAML 2.0 assertion:

     <Assertion IssueInstant="2010-10-01T20:07:34.619Z"
                ID="ef1xsbZxPV2oqjd7HTLRLIBlBb7"
                Version="2.0"
                xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
         <Issuer>https://saml-idp.example.com</Issuer>
         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
             [...omitted for brevity...]
         </ds:Signature>
         <Subject>
             <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
                 brian@example.com
             </NameID>
             <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                 <SubjectConfirmationData NotOnOrAfter="2010-10-01T20:12:34.619Z"
                                          Recipient="https://authz.example.net/token.oauth2"/>
             </SubjectConfirmation>
         </Subject>
         <Conditions>
             <AudienceRestriction>
                 <Audience>https://saml-sp.example.net</Audience>
             </AudienceRestriction>
         </Conditions>
         <AuthnStatement AuthnInstant="2010-10-01T20:07:34.371Z">
             <AuthnContext>
                 <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</AuthnContextClassRef>
             </AuthnContext>
         </AuthnStatement>
     </Assertion>
     

    Related specifications:

    • Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7522), section 3.
    • Constructor Detail

      • SAML2AssertionDetails

        public SAML2AssertionDetails(Issuer issuer,
                                     Subject subject,
                                     Audience audience)
        Creates a new SAML 2.0 bearer assertion details instance. The issue time is set to the current system time, the expiration time to five minutes after it, and a default (random) identifier is generated for the assertion.
        Parameters:
        issuer - The issuer. Must not be null.
        subject - The subject. Must not be null.
        audience - The audience, typically the URI of the authorisation server's token endpoint. Must not be null.
      • SAML2AssertionDetails

        public SAML2AssertionDetails(Issuer issuer,
                                     Subject subject,
                                     String subjectFormat,
                                     Date subjectAuthTime,
                                     ACR subjectACR,
                                     List<Audience> audience,
                                     Date exp,
                                     Date nbf,
                                     Date iat,
                                     Identifier id,
                                     InetAddress clientAddress,
                                     Map<String,List<String>> attrStatement)
        Creates a new SAML 2.0 bearer assertion details instance.
        Parameters:
        issuer - The issuer. Must not be null.
        subject - The subject. Must not be null.
        subjectFormat - The subject format, null if not specified.
        subjectAuthTime - The subject authentication time, null if not specified.
        subjectACR - The subject Authentication Context Class Reference (ACR), null if not specified.
        audience - The audience, typically including the URI of the authorisation server's token endpoint. Must not be null.
        exp - The expiration time. Must not be null.
        nbf - The time before which the assertion must not be accepted for processing, null if not specified.
        iat - The time at which the assertion was issued. Must not be null.
        id - Unique identifier for the assertion. Must not be null.
        clientAddress - The client address, null if not specified.
        attrStatement - The attribute statement (in simplified form), null if not specified.
    • Method Detail

      • getSubjectFormat

        public String getSubjectFormat()
        Returns the optional subject format.
        Returns:
        The subject format, null if not specified.
      • getSubjectAuthenticationTime

        public Date getSubjectAuthenticationTime()
        Returns the optional subject authentication time.
        Returns:
        The subject authentication time, null if not specified.
      • getSubjectACR

        public ACR getSubjectACR()
        Returns the optional subject Authentication Context Class Reference (ACR).
        Returns:
        The subject ACR, null if not specified.
      • getNotBeforeTime

        public Date getNotBeforeTime()
        Returns the optional not-before time.
        Returns:
        The not-before time, null if not specified.
      • getClientInetAddress

        public InetAddress getClientInetAddress()
        Returns the optional client address to which this assertion is bound.
        Returns:
        The client address, null if not specified.
      • getAttributeStatement

        public Map<String,List<String>> getAttributeStatement()
        Returns the optional attribute statement.
        Returns:
        The attribute statement (in simplified form), null if not specified.
      • toSAML2Assertion

        public org.opensaml.saml.saml2.core.Assertion toSAML2Assertion()
                                                                throws SerializeException
        Returns an unsigned SAML 2.0 assertion representation of this assertion details instance. RFC 7522 requires the assertion to be signed by its issuer before it is presented to the authorisation server; signing the returned object is left to the caller.
        Returns:
        The SAML 2.0 assertion (with no signature element).
        Throws:
        SerializeException - If serialisation failed.
      • parse

        public static SAML2AssertionDetails parse(org.opensaml.saml.saml2.core.Assertion assertion)
                                           throws ParseException
        Parses a SAML 2.0 bearer assertion details instance from the specified assertion object. This extracts the details only; it does not verify the assertion's XML signature, audience or validity times, which the recipient must check separately before trusting the result.
        Parameters:
        assertion - The assertion. Must not be null.
        Returns:
        The SAML 2.0 bearer assertion details.
        Throws:
        ParseException - If the assertion couldn't be parsed to a SAML 2.0 bearer assertion details instance.
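The following is an added example, not code from the Nimbus SDK or this page, covering both the full constructor above and the toSAML2Assertion()/parse() round trip. It builds the details that correspond to the example assertion at the top of the page, converts them to an (unsigned) OpenSAML Assertion, parses them back as the authorisation server would, and then applies the recipient-side checks RFC 7522 section 3 asks for on the parsed details: the audience must include the token endpoint, the assertion must be within its validity window, and its ID must not have been accepted before. The class name SAML2BearerRoundTrip, the helper methods buildDetails() and verifyBearerDetails(), the constructed in-memory replay cache and the constructed token endpoint URI are assumptions made for the example; the example also assumes OpenSAML is on the classpath (Nimbus treats it as an optional dependency) and must be bootstrapped with InitializationService.initialize() before any XML object is built.

```java
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.assertions.saml2.SAML2AssertionDetails;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.Identifier;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.id.Subject;
import com.nimbusds.openid.connect.sdk.claims.ACR;
import org.opensaml.core.config.InitializationService;
import org.opensaml.saml.saml2.core.Assertion;

public class SAML2BearerRoundTrip {

    // Constructed for the example: the authorisation server's token endpoint,
    // which must be present in the assertion's audience.
    static final Audience TOKEN_ENDPOINT = new Audience("https://authz.example.net/token.oauth2");

    // Constructed for the example: replay cache of accepted assertion IDs -> their expiry.
    // A real deployment would use a shared store and prune expired entries.
    static final Map<String, Date> SEEN_IDS = new HashMap<>();

    // Issuer side: describe the bearer assertion using the full constructor.
    static SAML2AssertionDetails buildDetails() {
        Date now = new Date();
        return new SAML2AssertionDetails(
            new Issuer("https://saml-idp.example.com"),
            new Subject("brian@example.com"),
            "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", // subject format
            now,                                                    // subject authentication time
            new ACR("urn:oasis:names:tc:SAML:2.0:ac:classes:X509"), // authentication context class
            Collections.singletonList(TOKEN_ENDPOINT),              // audience
            new Date(now.getTime() + 5 * 60 * 1000L),               // exp: five minutes
            null,                                                   // nbf: not specified
            now,                                                    // iat
            new Identifier(),                                       // fresh random assertion ID
            null,                                                   // client address: not specified
            null);                                                  // attribute statement: not specified
    }

    // Recipient side: checks on the parsed details. The XML signature must already
    // have been verified on the Assertion before these details are trusted.
    static void verifyBearerDetails(SAML2AssertionDetails d, Date now) throws ParseException {
        if (!d.getAudience().contains(TOKEN_ENDPOINT)) {
            throw new ParseException("Audience does not include the token endpoint");
        }
        if (!d.getExpirationTime().after(now)) {
            throw new ParseException("Assertion has expired");
        }
        if (d.getNotBeforeTime() != null && d.getNotBeforeTime().after(now)) {
            throw new ParseException("Assertion is not yet valid");
        }
        String id = d.getID().getValue();
        Date priorExpiry = SEEN_IDS.get(id);
        if (priorExpiry != null && priorExpiry.after(now)) {
            throw new ParseException("Replayed assertion ID " + id);
        }
        SEEN_IDS.put(id, d.getExpirationTime()); // remember until the assertion would expire anyway
    }

    public static void main(String[] args) throws Exception {
        InitializationService.initialize(); // bootstrap OpenSAML (assumed present on the classpath)

        SAML2AssertionDetails details = buildDetails();
        Assertion assertion = details.toSAML2Assertion(); // unsigned: the issuer must sign this before sending

        // What the authorisation server does after signature verification of the received XML.
        SAML2AssertionDetails parsed = SAML2AssertionDetails.parse(assertion);
        verifyBearerDetails(parsed, new Date());
        System.out.println("accepted assertion " + parsed.getID() + " for " + parsed.getSubject());

        // Presenting the same assertion again is rejected by the replay check.
        try {
            verifyBearerDetails(parsed, new Date());
        } catch (ParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The verification method is deliberately written out so the individual checks are visible; the SDK's own SAML2AssertionDetailsVerifier in the same package covers the audience and time checks, but a replay cache keyed on the assertion ID, and the signature verification that has to precede all of this, remain the recipient's responsibility.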