public class SAML2DefaultResponseValidator extends java.lang.Object implements SAML2ResponseValidator
SAML2MessageContext with the correct SAML assertion and the corresponding nameID's Bearer subject if every check succeeds.
Constructor and Description |
---|
SAML2DefaultResponseValidator(SAML2SignatureTrustEngineProvider engine,
org.opensaml.saml.saml2.encryption.Decrypter decrypter,
int maximumAuthenticationLifetime,
boolean wantsAssertionsSigned) |
SAML2DefaultResponseValidator(SAML2SignatureTrustEngineProvider engine,
org.opensaml.saml.saml2.encryption.Decrypter decrypter,
int maximumAuthenticationLifetime,
boolean wantsAssertionsSigned,
net.shibboleth.utilities.java.support.net.URIComparator uriComparator) |
Modifier and Type | Method and Description |
---|---|
protected SAML2Credentials |
buildSAML2Credentials(SAML2MessageContext context) |
protected void |
decryptEncryptedAssertions(org.opensaml.saml.saml2.core.Response response,
org.opensaml.saml.saml2.encryption.Decrypter decrypter)
Decrypt encrypted assertions and add them to the assertions list of the response.
|
protected org.opensaml.saml.saml2.core.NameID |
decryptEncryptedId(org.opensaml.saml.saml2.core.EncryptedID encryptedId,
org.opensaml.saml.saml2.encryption.Decrypter decrypter)
Decrypts an EncryptedID, using a decrypter.
|
protected boolean |
isValidBearerSubjectConfirmationData(org.opensaml.saml.saml2.core.SubjectConfirmationData data,
SAML2MessageContext context)
Validate Bearer subject confirmation data:
- notBefore
- NotOnOrAfter
- recipient
|
void |
setAcceptedSkew(int acceptedSkew) |
void |
setMaximumAuthenticationLifetime(int maximumAuthenticationLifetime) |
Credentials |
validate(SAML2MessageContext context)
Validates the SAML protocol response and the SAML SSO response.
|
protected void |
validateAssertion(org.opensaml.saml.saml2.core.Assertion assertion,
SAML2MessageContext context,
org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine,
org.opensaml.saml.saml2.encryption.Decrypter decrypter)
Validate the given assertion:
- issueInstant
- issuer
- subject
- conditions
- authnStatements
- signature
|
protected void |
validateAssertionConditions(org.opensaml.saml.saml2.core.Conditions conditions,
SAML2MessageContext context)
Validate assertion conditions:
- notBefore
- notOnOrAfter
|
protected void |
validateAssertionSignature(org.opensaml.xmlsec.signature.Signature signature,
SAML2MessageContext context,
org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine)
Validate assertion signature.
|
protected void |
validateAudienceRestrictions(java.util.List<org.opensaml.saml.saml2.core.AudienceRestriction> audienceRestrictions,
java.lang.String spEntityId)
Validate audience by matching the SP entityId.
|
protected void |
validateAuthenticationStatements(java.util.List<org.opensaml.saml.saml2.core.AuthnStatement> authnStatements,
SAML2MessageContext context)
Validate the given authnStatements:
- authnInstant
- sessionNotOnOrAfter
|
protected void |
validateIssuer(org.opensaml.saml.saml2.core.Issuer issuer,
SAML2MessageContext context)
Validate issuer format and value.
|
protected void |
validateSamlProtocolResponse(org.opensaml.saml.saml2.core.Response response,
SAML2MessageContext context,
org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine)
Validates the SAML protocol response:
- IssueInstant
- Issuer
- StatusCode
- Signature
|
protected void |
validateSamlSSOResponse(org.opensaml.saml.saml2.core.Response response,
SAML2MessageContext context,
org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine,
org.opensaml.saml.saml2.encryption.Decrypter decrypter)
Validates the SAML SSO response by finding a valid assertion with authn statements.
|
protected void |
validateSignature(org.opensaml.xmlsec.signature.Signature signature,
java.lang.String idpEntityId,
org.opensaml.xmlsec.signature.support.SignatureTrustEngine trustEngine)
Validate the given digital signature by checking its profile and value.
|
protected void |
validateSubject(org.opensaml.saml.saml2.core.Subject subject,
SAML2MessageContext context,
org.opensaml.saml.saml2.encryption.Decrypter decrypter)
Validate the given subject by finding a valid Bearer confirmation.
|
protected void |
verifyEndpoint(org.opensaml.saml.saml2.metadata.Endpoint endpoint,
java.lang.String destination) |
protected void |
verifyRequest(org.opensaml.saml.saml2.core.AuthnRequest request,
SAML2MessageContext context) |
public SAML2DefaultResponseValidator(SAML2SignatureTrustEngineProvider engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter, int maximumAuthenticationLifetime, boolean wantsAssertionsSigned)
public SAML2DefaultResponseValidator(SAML2SignatureTrustEngineProvider engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter, int maximumAuthenticationLifetime, boolean wantsAssertionsSigned, net.shibboleth.utilities.java.support.net.URIComparator uriComparator)
public Credentials validate(SAML2MessageContext context)
Specified by:
validate in interface SAML2ResponseValidator
Parameters:
context - the context
protected final SAML2Credentials buildSAML2Credentials(SAML2MessageContext context)
protected final void validateSamlProtocolResponse(org.opensaml.saml.saml2.core.Response response, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine)
Parameters:
response - the response
context - the context
engine - the engine
protected void verifyRequest(org.opensaml.saml.saml2.core.AuthnRequest request, SAML2MessageContext context)
protected final void verifyEndpoint(org.opensaml.saml.saml2.metadata.Endpoint endpoint, java.lang.String destination)
protected final void validateSamlSSOResponse(org.opensaml.saml.saml2.core.Response response, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
SAML2MessageContext with a subjectAssertion and a subjectNameIdentifier.
Parameters:
response - the response
context - the context
engine - the engine
decrypter - the decrypter
protected final void decryptEncryptedAssertions(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
Parameters:
response - the response
decrypter - the decrypter
protected final void validateIssuer(org.opensaml.saml.saml2.core.Issuer issuer, SAML2MessageContext context)
Parameters:
issuer - the issuer
context - the context
protected final void validateAssertion(org.opensaml.saml.saml2.core.Assertion assertion, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
Parameters:
assertion - the assertion
context - the context
engine - the engine
decrypter - the decrypter
protected final void validateSubject(org.opensaml.saml.saml2.core.Subject subject, SAML2MessageContext context, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
Parameters:
subject - The Subject from an assertion.
context - SAML message context.
decrypter - Decrypter used to decrypt some encrypted IDs, if they are present. May be null; no decryption will be possible then.
protected final org.opensaml.saml.saml2.core.NameID decryptEncryptedId(org.opensaml.saml.saml2.core.EncryptedID encryptedId, org.opensaml.saml.saml2.encryption.Decrypter decrypter) throws SAMLException
Parameters:
encryptedId - The EncryptedID to be decrypted.
decrypter - The decrypter to use.
Returns:
null if any input is null.
Throws:
SAMLException - If the input ID cannot be decrypted.
protected final boolean isValidBearerSubjectConfirmationData(org.opensaml.saml.saml2.core.SubjectConfirmationData data, SAML2MessageContext context)
Parameters:
data - the data
context - the context
protected final void validateAssertionConditions(org.opensaml.saml.saml2.core.Conditions conditions, SAML2MessageContext context)
Parameters:
conditions - the conditions
context - the context
protected final void validateAudienceRestrictions(java.util.List<org.opensaml.saml.saml2.core.AudienceRestriction> audienceRestrictions, java.lang.String spEntityId)
Parameters:
audienceRestrictions - the audience restrictions
spEntityId - the SP entity id
protected final void validateAuthenticationStatements(java.util.List<org.opensaml.saml.saml2.core.AuthnStatement> authnStatements, SAML2MessageContext context)
Parameters:
authnStatements - the authn statements
context - the context
protected final void validateAssertionSignature(org.opensaml.xmlsec.signature.Signature signature, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine)
Parameters:
signature - the signature
context - the context
engine - the engine
protected final void validateSignature(org.opensaml.xmlsec.signature.Signature signature, java.lang.String idpEntityId, org.opensaml.xmlsec.signature.support.SignatureTrustEngine trustEngine)
Parameters:
signature - the signature
idpEntityId - the IdP entity id
trustEngine - the trust engine
public final void setAcceptedSkew(int acceptedSkew)
Specified by:
setAcceptedSkew in interface SAML2ResponseValidator
public final void setMaximumAuthenticationLifetime(int maximumAuthenticationLifetime)
Specified by:
setMaximumAuthenticationLifetime in interface SAML2ResponseValidator