Saml2ResponseValidator (pac4j for SAML protocol 1.7.0 API)

java.lang.Object
- org.pac4j.saml.sso.Saml2ResponseValidator

```
public class Saml2ResponseValidator
extends Object
```
Class responsible for executing every required checks for validating a SAML response. The method validateSamlResponse populates the given ExtendedSAMLMessageContext with the correct SAML assertion and the corresponding nameID's Bearer subject if every checks succeeds.

Since:

1.5.0

Author:

Michael Remond

Constructor Summary

Constructors
Constructor and Description

Saml2ResponseValidator()

Constructors
Constructor and Description
`Saml2ResponseValidator()`

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`protected void`	`decryptEncryptedAssertions(org.opensaml.saml2.core.Response response, org.opensaml.saml2.encryption.Decrypter decrypter)` Decrypt encrypted assertions and add them to the assertions list of the response.
`protected boolean`	`isValidBearerSubjectConfirmationData(org.opensaml.saml2.core.SubjectConfirmationData data, ExtendedSAMLMessageContext context)` Validate Bearer subject confirmation data - notBefore - NotOnOrAfter - recipient
`void`	`setAcceptedSkew(int acceptedSkew)`
`void`	`setMaximumAuthenticationLifetime(int maximumAuthenticationLifetime)`
`protected void`	`validateAssertion(org.opensaml.saml2.core.Assertion assertion, ExtendedSAMLMessageContext context, org.opensaml.xml.signature.SignatureTrustEngine engine, org.opensaml.saml2.encryption.Decrypter decrypter)` Validate the given assertion: - issueInstant - issuer - subject - conditions - authnStatements - signature
`protected void`	`validateAssertionConditions(org.opensaml.saml2.core.Conditions conditions, ExtendedSAMLMessageContext context)` Validate assertionConditions - notBefore - notOnOrAfter
`protected void`	`validateAssertionSignature(org.opensaml.xml.signature.Signature signature, ExtendedSAMLMessageContext context, org.opensaml.xml.signature.SignatureTrustEngine engine)` Validate assertion signature.
`protected void`	`validateAudienceRestrictions(List<org.opensaml.saml2.core.AudienceRestriction> audienceRestrictions, String spEntityId)` Validate audience by matching the SP entityId.
`protected void`	`validateAuthenticationStatements(List<org.opensaml.saml2.core.AuthnStatement> authnStatements, ExtendedSAMLMessageContext context)` Validate the given authnStatements: - authnInstant - sessionNotOnOrAfter
`protected void`	`validateIssuer(org.opensaml.saml2.core.Issuer issuer, ExtendedSAMLMessageContext context)` Validate issuer format and value.
`void`	`validateSamlProtocolResponse(org.opensaml.saml2.core.Response response, ExtendedSAMLMessageContext context, org.opensaml.xml.signature.SignatureTrustEngine engine)` Validates the SAML protocol response: - IssueInstant - Issuer - StatusCode - Signature
`void`	`validateSamlResponse(ExtendedSAMLMessageContext context, org.opensaml.xml.signature.SignatureTrustEngine engine, org.opensaml.saml2.encryption.Decrypter decrypter)` Validates the SAML protocol response and the SAML SSO response.
`void`	`validateSamlSSOResponse(org.opensaml.saml2.core.Response response, ExtendedSAMLMessageContext context, org.opensaml.xml.signature.SignatureTrustEngine engine, org.opensaml.saml2.encryption.Decrypter decrypter)` Validates the SAML SSO response by finding a valid assertion with authn statements.
`protected void`	`validateSignature(org.opensaml.xml.signature.Signature signature, String idpEntityId, org.opensaml.xml.signature.SignatureTrustEngine trustEngine)` Validate the given digital signature by checking its profile and value.
`protected void`	`validateSubject(org.opensaml.saml2.core.Subject subject, ExtendedSAMLMessageContext context, org.opensaml.saml2.encryption.Decrypter decrypter)` Validate the given subject by finding a valid Bearer confirmation.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail
- Saml2ResponseValidator
```
public Saml2ResponseValidator()
```

Method Detail

validateSamlResponse

public void validateSamlResponse(ExtendedSAMLMessageContext context,
                                 org.opensaml.xml.signature.SignatureTrustEngine engine,
                                 org.opensaml.saml2.encryption.Decrypter decrypter)

Validates the SAML protocol response and the SAML SSO response. The method decrypt encrypted assertions if any.

Parameters:: context -; engine -; decrypter -

validateSamlProtocolResponse

public void validateSamlProtocolResponse(org.opensaml.saml2.core.Response response,
                                         ExtendedSAMLMessageContext context,
                                         org.opensaml.xml.signature.SignatureTrustEngine engine)

Validates the SAML protocol response: - IssueInstant - Issuer - StatusCode - Signature

Parameters:: response -; context -; engine -

validateSamlSSOResponse

public void validateSamlSSOResponse(org.opensaml.saml2.core.Response response,
                                    ExtendedSAMLMessageContext context,
                                    org.opensaml.xml.signature.SignatureTrustEngine engine,
                                    org.opensaml.saml2.encryption.Decrypter decrypter)

Validates the SAML SSO response by finding a valid assertion with authn statements. Populates the ExtendedSAMLMessageContext with a subjectAssertion and a subjectNameIdentifier.

Parameters:: response -; context -; engine -; decrypter -

decryptEncryptedAssertions

protected void decryptEncryptedAssertions(org.opensaml.saml2.core.Response response,
                                          org.opensaml.saml2.encryption.Decrypter decrypter)

Decrypt encrypted assertions and add them to the assertions list of the response.

Parameters:: response -; decrypter -

validateIssuer

protected void validateIssuer(org.opensaml.saml2.core.Issuer issuer,
                              ExtendedSAMLMessageContext context)

Validate issuer format and value.

Parameters:: issuer -; context -

validateAssertion

protected void validateAssertion(org.opensaml.saml2.core.Assertion assertion,
                                 ExtendedSAMLMessageContext context,
                                 org.opensaml.xml.signature.SignatureTrustEngine engine,
                                 org.opensaml.saml2.encryption.Decrypter decrypter)

Validate the given assertion: - issueInstant - issuer - subject - conditions - authnStatements - signature

Parameters:: assertion -; context -; engine -; decrypter -

validateSubject
```
protected void validateSubject(org.opensaml.saml2.core.Subject subject,
                               ExtendedSAMLMessageContext context,
                               org.opensaml.saml2.encryption.Decrypter decrypter)
```
Validate the given subject by finding a valid Bearer confirmation. If the subject is valid, put its nameID in the context. NameID / BaseID / EncryptedID is first looked up directly in the Subject. If not present there, then all relevant SubjectConfirmations are parsed and the IDs are taken from them.

Parameters:

subject - The Subject from an assertion.

context - SAML message context.

decrypter - Decrypter used to decrypt some encrypted IDs, if they are present. May be null, no decryption will be possible then.

isValidBearerSubjectConfirmationData

protected boolean isValidBearerSubjectConfirmationData(org.opensaml.saml2.core.SubjectConfirmationData data,
                                                       ExtendedSAMLMessageContext context)

Validate Bearer subject confirmation data - notBefore - NotOnOrAfter - recipient

Parameters:: data -; context -
Returns:: true if all Bearer subject checks are passing

validateAssertionConditions

protected void validateAssertionConditions(org.opensaml.saml2.core.Conditions conditions,
                                           ExtendedSAMLMessageContext context)

Validate assertionConditions - notBefore - notOnOrAfter

Parameters:: conditions -; context -

validateAudienceRestrictions

protected void validateAudienceRestrictions(List<org.opensaml.saml2.core.AudienceRestriction> audienceRestrictions,
                                            String spEntityId)

Validate audience by matching the SP entityId.

Parameters:: audienceRestrictions -; spEntityId -

validateAuthenticationStatements

protected void validateAuthenticationStatements(List<org.opensaml.saml2.core.AuthnStatement> authnStatements,
                                                ExtendedSAMLMessageContext context)

Validate the given authnStatements: - authnInstant - sessionNotOnOrAfter

Parameters:: authnStatements -; context -

validateAssertionSignature

protected void validateAssertionSignature(org.opensaml.xml.signature.Signature signature,
                                          ExtendedSAMLMessageContext context,
                                          org.opensaml.xml.signature.SignatureTrustEngine engine)

Validate assertion signature. If none is found and the SAML response did not have one and the SP requires the assertions to be signed, the validation fails.

Parameters:: signature -; context -; engine -

validateSignature

protected void validateSignature(org.opensaml.xml.signature.Signature signature,
                                 String idpEntityId,
                                 org.opensaml.xml.signature.SignatureTrustEngine trustEngine)

Validate the given digital signature by checking its profile and value.

Parameters:: signature -; idpEntityId -; trustEngine -

setAcceptedSkew

public void setAcceptedSkew(int acceptedSkew)

setMaximumAuthenticationLifetime

public void setMaximumAuthenticationLifetime(int maximumAuthenticationLifetime)

Class Saml2ResponseValidator

Constructor Summary