org.pac4j.saml.sso.impl

Class SAML2AuthnResponseValidator

java.lang.Object

org.pac4j.saml.profile.impl.AbstractSAML2ResponseValidator

org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator

All Implemented Interfaces:

SAML2ResponseValidator

public class SAML2AuthnResponseValidator
extends AbstractSAML2ResponseValidator

Class responsible for executing every required checks for validating a SAML response. The method validate populates the given SAML2MessageContext with the correct SAML assertion and the corresponding nameID's Bearer subject if every checks succeeds.

Since:

1.5.0

Author:

Michael Remond, Jerome Leleu

Field Summary

Fields inherited from class org.pac4j.saml.profile.impl.AbstractSAML2ResponseValidator

acceptedSkew, decrypter, logger, logoutHandler, replayCache, signatureTrustEngineProvider, uriComparator

Constructor Summary

Constructors

Constructor and Description
SAML2AuthnResponseValidator(SAML2SignatureTrustEngineProvider engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter, LogoutHandler logoutHandler, int maximumAuthenticationLifetime, boolean wantsAssertionsSigned) Deprecated. this constructor does not accept a replay cache, replay protection will be disabled
SAML2AuthnResponseValidator(SAML2SignatureTrustEngineProvider engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter, LogoutHandler logoutHandler, int maximumAuthenticationLifetime, boolean wantsAssertionsSigned, ReplayCacheProvider replayCache)
SAML2AuthnResponseValidator(SAML2SignatureTrustEngineProvider engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter, LogoutHandler logoutHandler, int maximumAuthenticationLifetime, boolean wantsAssertionsSigned, ReplayCacheProvider replayCache, net.shibboleth.utilities.java.support.net.URIComparator uriComparator)
SAML2AuthnResponseValidator(SAML2SignatureTrustEngineProvider engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter, LogoutHandler logoutHandler, int maximumAuthenticationLifetime, boolean wantsAssertionsSigned, net.shibboleth.utilities.java.support.net.URIComparator uriComparator) Deprecated. this constructor does not accept a replay cache, replay protection will be disabled

Method Summary

Modifier and Type	Method and Description
protected SAML2Credentials	buildSAML2Credentials(SAML2MessageContext context)
protected void	decryptEncryptedAssertions(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.saml2.encryption.Decrypter decrypter) Decrypt encrypted assertions and add them to the assertions list of the response.
protected String	getSessionIndex(org.opensaml.saml.saml2.core.Assertion subjectAssertion) Searches the sessionIndex in the assertion
protected boolean	isValidBearerSubjectConfirmationData(org.opensaml.saml.saml2.core.SubjectConfirmationData data, SAML2MessageContext context) Validate Bearer subject confirmation data - notBefore - NotOnOrAfter - recipient
void	setMaximumAuthenticationLifetime(int maximumAuthenticationLifetime)
Credentials	validate(SAML2MessageContext context) Validates the SAML protocol response and the SAML SSO response.
protected void	validateAssertion(org.opensaml.saml.saml2.core.Assertion assertion, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter) Validate the given assertion: - issueInstant - issuer - subject - conditions - authnStatements - signature
protected void	validateAssertionConditions(org.opensaml.saml.saml2.core.Conditions conditions, SAML2MessageContext context) Validate assertionConditions - notBefore - notOnOrAfter
protected void	validateAssertionReplay(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.saml2.core.SubjectConfirmationData data) Checks that the bearer assertion is not being replayed.
protected void	validateAssertionSignature(org.opensaml.xmlsec.signature.Signature signature, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine) Validate assertion signature.
protected void	validateAudienceRestrictions(List<org.opensaml.saml.saml2.core.AudienceRestriction> audienceRestrictions, String spEntityId) Validate audience by matching the SP entityId.
protected void	validateAuthenticationStatements(List<org.opensaml.saml.saml2.core.AuthnStatement> authnStatements, SAML2MessageContext context) Validate the given authnStatements: - authnInstant - sessionNotOnOrAfter
protected void	validateSamlProtocolResponse(org.opensaml.saml.saml2.core.Response response, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine) Validates the SAML protocol response: - IssueInstant - Issuer - StatusCode - Signature
protected void	validateSamlSSOResponse(org.opensaml.saml.saml2.core.Response response, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter) Validates the SAML SSO response by finding a valid assertion with authn statements.
protected void	validateSubject(org.opensaml.saml.saml2.core.Subject subject, SAML2MessageContext context, org.opensaml.saml.saml2.encryption.Decrypter decrypter) Validate the given subject by finding a valid Bearer confirmation.
protected void	verifyRequest(org.opensaml.saml.saml2.core.AuthnRequest request, SAML2MessageContext context)

Methods inherited from class org.pac4j.saml.profile.impl.AbstractSAML2ResponseValidator

computeSloKey, decryptEncryptedId, isDateValid, isIssueInstantValid, setAcceptedSkew, validateIssueInstant, validateIssuer, validateIssuerIfItExists, validateSignature, validateSignatureIfItExists, validateSuccess, verifyEndpoint, verifyMessageReplay

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SAML2AuthnResponseValidator

@Deprecated
public SAML2AuthnResponseValidator(SAML2SignatureTrustEngineProvider engine,
                                               org.opensaml.saml.saml2.encryption.Decrypter decrypter,
                                               LogoutHandler logoutHandler,
                                               int maximumAuthenticationLifetime,
                                               boolean wantsAssertionsSigned)

Deprecated. this constructor does not accept a replay cache, replay protection will be disabled

SAML2AuthnResponseValidator

@Deprecated
public SAML2AuthnResponseValidator(SAML2SignatureTrustEngineProvider engine,
                                               org.opensaml.saml.saml2.encryption.Decrypter decrypter,
                                               LogoutHandler logoutHandler,
                                               int maximumAuthenticationLifetime,
                                               boolean wantsAssertionsSigned,
                                               net.shibboleth.utilities.java.support.net.URIComparator uriComparator)

Deprecated. this constructor does not accept a replay cache, replay protection will be disabled

SAML2AuthnResponseValidator

public SAML2AuthnResponseValidator(SAML2SignatureTrustEngineProvider engine,
                                   org.opensaml.saml.saml2.encryption.Decrypter decrypter,
                                   LogoutHandler logoutHandler,
                                   int maximumAuthenticationLifetime,
                                   boolean wantsAssertionsSigned,
                                   ReplayCacheProvider replayCache)

SAML2AuthnResponseValidator

public SAML2AuthnResponseValidator(SAML2SignatureTrustEngineProvider engine,
                                   org.opensaml.saml.saml2.encryption.Decrypter decrypter,
                                   LogoutHandler logoutHandler,
                                   int maximumAuthenticationLifetime,
                                   boolean wantsAssertionsSigned,
                                   ReplayCacheProvider replayCache,
                                   net.shibboleth.utilities.java.support.net.URIComparator uriComparator)

Method Detail

validate

public Credentials validate(SAML2MessageContext context)

Description copied from interface: SAML2ResponseValidator

Validates the SAML protocol response and the SAML SSO response. The method decrypt encrypted assertions if any.

Parameters:

context - the context

Returns:

the SAML credentials

buildSAML2Credentials

protected SAML2Credentials buildSAML2Credentials(SAML2MessageContext context)

getSessionIndex

protected String getSessionIndex(org.opensaml.saml.saml2.core.Assertion subjectAssertion)

Searches the sessionIndex in the assertion

Parameters:

subjectAssertion - assertion from the response

Returns:

the sessionIndex if found in the assertion

validateSamlProtocolResponse

protected void validateSamlProtocolResponse(org.opensaml.saml.saml2.core.Response response,
                                            SAML2MessageContext context,
                                            org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine)

Validates the SAML protocol response: - IssueInstant - Issuer - StatusCode - Signature

Parameters:

response - the response

context - the context

engine - the engine

verifyRequest

protected void verifyRequest(org.opensaml.saml.saml2.core.AuthnRequest request,
                             SAML2MessageContext context)

validateSamlSSOResponse

protected void validateSamlSSOResponse(org.opensaml.saml.saml2.core.Response response,
                                       SAML2MessageContext context,
                                       org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine,
                                       org.opensaml.saml.saml2.encryption.Decrypter decrypter)

Validates the SAML SSO response by finding a valid assertion with authn statements. Populates the SAML2MessageContext with a subjectAssertion and a subjectNameIdentifier.

Parameters:

response - the response

context - the context

engine - the engine

decrypter - the decrypter

decryptEncryptedAssertions

protected void decryptEncryptedAssertions(org.opensaml.saml.saml2.core.Response response,
                                          org.opensaml.saml.saml2.encryption.Decrypter decrypter)

Decrypt encrypted assertions and add them to the assertions list of the response.

Parameters:

response - the response

decrypter - the decrypter

validateAssertion

protected void validateAssertion(org.opensaml.saml.saml2.core.Assertion assertion,
                                 SAML2MessageContext context,
                                 org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine,
                                 org.opensaml.saml.saml2.encryption.Decrypter decrypter)

Validate the given assertion: - issueInstant - issuer - subject - conditions - authnStatements - signature

Parameters:

assertion - the assertion

context - the context

engine - the engine

decrypter - the decrypter

validateSubject

protected void validateSubject(org.opensaml.saml.saml2.core.Subject subject,
                               SAML2MessageContext context,
                               org.opensaml.saml.saml2.encryption.Decrypter decrypter)

Validate the given subject by finding a valid Bearer confirmation. If the subject is valid, put its nameID in the context.

NameID / BaseID / EncryptedID is first looked up directly in the Subject. If not present there, then all relevant SubjectConfirmations are parsed and the IDs are taken from them.

Parameters:

subject - The Subject from an assertion.

context - SAML message context.

decrypter - Decrypter used to decrypt some encrypted IDs, if they are present. May be null, no decryption will be possible then.

isValidBearerSubjectConfirmationData

protected boolean isValidBearerSubjectConfirmationData(org.opensaml.saml.saml2.core.SubjectConfirmationData data,
                                                       SAML2MessageContext context)

Validate Bearer subject confirmation data - notBefore - NotOnOrAfter - recipient

Parameters:

data - the data

context - the context

Returns:

true if all Bearer subject checks are passing

validateAssertionReplay

protected void validateAssertionReplay(org.opensaml.saml.saml2.core.Assertion assertion,
                                       org.opensaml.saml.saml2.core.SubjectConfirmationData data)

Checks that the bearer assertion is not being replayed.

Parameters:

assertion - The Assertion to check

data - The SubjectConfirmationData to check the assertion against

validateAssertionConditions

protected void validateAssertionConditions(org.opensaml.saml.saml2.core.Conditions conditions,
                                           SAML2MessageContext context)

Validate assertionConditions - notBefore - notOnOrAfter

Parameters:

conditions - the conditions

context - the context

validateAudienceRestrictions

protected void validateAudienceRestrictions(List<org.opensaml.saml.saml2.core.AudienceRestriction> audienceRestrictions,
                                            String spEntityId)

Validate audience by matching the SP entityId.

Parameters:

audienceRestrictions - the audience restrictions

spEntityId - the sp entity id

validateAuthenticationStatements

protected void validateAuthenticationStatements(List<org.opensaml.saml.saml2.core.AuthnStatement> authnStatements,
                                                SAML2MessageContext context)

Validate the given authnStatements: - authnInstant - sessionNotOnOrAfter

Parameters:

authnStatements - the authn statements

context - the context

validateAssertionSignature

protected void validateAssertionSignature(org.opensaml.xmlsec.signature.Signature signature,
                                          SAML2MessageContext context,
                                          org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine)

Validate assertion signature. If none is found and the SAML response did not have one and the SP requires the assertions to be signed, the validation fails.

Parameters:

signature - the signature

context - the context

engine - the engine

setMaximumAuthenticationLifetime

public final void setMaximumAuthenticationLifetime(int maximumAuthenticationLifetime)