public class SAML2AuthnResponseValidator extends AbstractSAML2ResponseValidator

Runs every check required to validate a SAML 2.0 authentication response. validate(SAML2MessageContext) populates the given SAML2MessageContext with the correct SAML assertion and the corresponding nameID's Bearer subject only if every check succeeds; a response that fails any single check must not be used to build credentials.

Fields inherited from class AbstractSAML2ResponseValidator:
acceptedSkew, decrypter, logger, logoutHandler, replayCache, signatureTrustEngineProvider, uriComparator
Constructor and Description |
---|
SAML2AuthnResponseValidator(SAML2SignatureTrustEngineProvider engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter, LogoutHandler logoutHandler, int maximumAuthenticationLifetime, boolean wantsAssertionsSigned) Deprecated. This constructor does not accept a replay cache, so replay protection is disabled: validateAssertionReplay cannot detect a bearer assertion that has already been consumed being presented again within its validity window. |
SAML2AuthnResponseValidator(SAML2SignatureTrustEngineProvider engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter, LogoutHandler logoutHandler, int maximumAuthenticationLifetime, boolean wantsAssertionsSigned, ReplayCacheProvider replayCache) |
SAML2AuthnResponseValidator(SAML2SignatureTrustEngineProvider engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter, LogoutHandler logoutHandler, int maximumAuthenticationLifetime, boolean wantsAssertionsSigned, ReplayCacheProvider replayCache, net.shibboleth.utilities.java.support.net.URIComparator uriComparator) |
SAML2AuthnResponseValidator(SAML2SignatureTrustEngineProvider engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter, LogoutHandler logoutHandler, int maximumAuthenticationLifetime, boolean wantsAssertionsSigned, net.shibboleth.utilities.java.support.net.URIComparator uriComparator) Deprecated. This constructor does not accept a replay cache, so replay protection is disabled. |
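Wiring the validator so that replay protection is actually on, as an added example. This is not pac4j's own code: the package paths in the imports follow the pac4j 3.x layout and are assumed, the MAX_AUTHN_LIFETIME_SECONDS policy value is assumed, and the trust-engine provider, decrypter, logout handler and replay cache are passed in rather than built here.

```java
// Added example, not pac4j's code. Import paths assume the pac4j 3.x package layout.
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.pac4j.core.credentials.Credentials;
import org.pac4j.core.logout.handler.LogoutHandler;
import org.pac4j.saml.context.SAML2MessageContext;
import org.pac4j.saml.crypto.SAML2SignatureTrustEngineProvider;
import org.pac4j.saml.replay.ReplayCacheProvider;
import org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator;

public final class AuthnResponseValidation {

    /** Assumed policy: an AuthnInstant older than one hour forces re-authentication. */
    private static final int MAX_AUTHN_LIFETIME_SECONDS = 3600;

    private AuthnResponseValidation() {
    }

    /**
     * Builds a validator that requires signed assertions and keeps replay
     * protection enabled. The two deprecated constructors omit the
     * ReplayCacheProvider and thereby switch validateAssertionReplay off, so this
     * method refuses to proceed without a cache instead of falling back to them.
     */
    public static SAML2AuthnResponseValidator buildValidator(
            final SAML2SignatureTrustEngineProvider trustEngineProvider,
            final Decrypter decrypter,
            final LogoutHandler logoutHandler,
            final ReplayCacheProvider replayCache) {
        if (replayCache == null) {
            // Fail closed: a missing cache would silently allow assertion replay.
            throw new IllegalArgumentException("a ReplayCacheProvider is required for replay protection");
        }
        return new SAML2AuthnResponseValidator(
                trustEngineProvider,
                decrypter,
                logoutHandler,
                MAX_AUTHN_LIFETIME_SECONDS,
                true,          // wantsAssertionsSigned: unsigned assertions are rejected
                replayCache);
    }

    /**
     * Runs the full check sequence (protocol response, then SSO response) and
     * returns the resulting credentials. validate() does not return on a failed
     * check; callers must treat any exception it throws as an authentication
     * failure and must not read an assertion or NameID out of the context.
     */
    public static Credentials validateResponse(final SAML2AuthnResponseValidator validator,
                                               final SAML2MessageContext context) {
        return validator.validate(context);
    }
}
```

The null check on the replay cache is the point of the example: the deprecated constructors compile and run without complaint, so the only thing standing between a deployment and replayable bearer assertions is which constructor gets called.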
Modifier and Type | Method and Description |
---|---|
protected SAML2Credentials | buildSAML2Credentials(SAML2MessageContext context) |
protected void | decryptEncryptedAssertions(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.saml2.encryption.Decrypter decrypter) Decrypts encrypted assertions and adds them to the assertions list of the response. |
protected String | getSessionIndex(org.opensaml.saml.saml2.core.Assertion subjectAssertion) Searches for the sessionIndex in the assertion. |
protected boolean | isValidBearerSubjectConfirmationData(org.opensaml.saml.saml2.core.SubjectConfirmationData data, SAML2MessageContext context) Validates Bearer subject confirmation data: NotBefore, NotOnOrAfter, Recipient. |
void | setMaximumAuthenticationLifetime(int maximumAuthenticationLifetime) |
Credentials | validate(SAML2MessageContext context) Validates the SAML protocol response and the SAML SSO response. |
protected void | validateAssertion(org.opensaml.saml.saml2.core.Assertion assertion, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter) Validates the given assertion: issueInstant, issuer, subject, conditions, authnStatements, signature. |
protected void | validateAssertionConditions(org.opensaml.saml.saml2.core.Conditions conditions, SAML2MessageContext context) Validates the assertion conditions: notBefore, notOnOrAfter. |
protected void | validateAssertionReplay(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.saml2.core.SubjectConfirmationData data) Checks that the bearer assertion is not being replayed. |
protected void | validateAssertionSignature(org.opensaml.xmlsec.signature.Signature signature, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine) Validates the assertion signature. |
protected void | validateAudienceRestrictions(List<org.opensaml.saml.saml2.core.AudienceRestriction> audienceRestrictions, String spEntityId) Validates the audience by matching the SP entityId. |
protected void | validateAuthenticationStatements(List<org.opensaml.saml.saml2.core.AuthnStatement> authnStatements, SAML2MessageContext context) Validates the given authnStatements: authnInstant, sessionNotOnOrAfter. |
protected void | validateSamlProtocolResponse(org.opensaml.saml.saml2.core.Response response, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine) Validates the SAML protocol response: IssueInstant, Issuer, StatusCode, Signature. |
protected void | validateSamlSSOResponse(org.opensaml.saml.saml2.core.Response response, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter) Validates the SAML SSO response by finding a valid assertion with authn statements. |
protected void | validateSubject(org.opensaml.saml.saml2.core.Subject subject, SAML2MessageContext context, org.opensaml.saml.saml2.encryption.Decrypter decrypter) Validates the given subject by finding a valid Bearer confirmation. |
protected void | verifyRequest(org.opensaml.saml.saml2.core.AuthnRequest request, SAML2MessageContext context) |
Methods inherited from class AbstractSAML2ResponseValidator:
computeSloKey, decryptEncryptedId, isDateValid, isIssueInstantValid, setAcceptedSkew, validateIssueInstant, validateIssuer, validateIssuerIfItExists, validateSignature, validateSignatureIfItExists, validateSuccess, verifyEndpoint, verifyMessageReplay
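The time-window rules listed in the method summary (NotBefore / NotOnOrAfter on assertion conditions and on Bearer SubjectConfirmationData, and AuthnInstant against maximumAuthenticationLifetime, all softened by the inherited acceptedSkew) written out in plain java.time as an added illustration. This is not pac4j's code: the library's own arithmetic lives in the inherited isDateValid and may differ in detail, the 120-second skew and one-hour lifetime are assumed policy values, and every timestamp below is constructed.

```java
// Added illustration, not pac4j's implementation. Skew and lifetime values are assumed.
import java.time.Duration;
import java.time.Instant;

public final class SamlTimeWindow {

    private final Duration acceptedSkew;      // tolerated SP/IdP clock difference
    private final Duration maxAuthnLifetime;  // how old an AuthnInstant may be

    public SamlTimeWindow(final int acceptedSkewSeconds, final int maxAuthnLifetimeSeconds) {
        this.acceptedSkew = Duration.ofSeconds(acceptedSkewSeconds);
        this.maxAuthnLifetime = Duration.ofSeconds(maxAuthnLifetimeSeconds);
    }

    /**
     * Validity window shared by Conditions and Bearer SubjectConfirmationData.
     * NotBefore is inclusive, NotOnOrAfter is exclusive, and either may be absent.
     * The skew is applied in the direction that favours acceptance, so a clock
     * difference of up to acceptedSkew between SP and IdP does not reject a good assertion.
     */
    public boolean withinWindow(final Instant notBefore, final Instant notOnOrAfter, final Instant now) {
        if (notBefore != null && now.plus(acceptedSkew).isBefore(notBefore)) {
            return false; // still before NotBefore even if our clock is slow by the full skew
        }
        if (notOnOrAfter != null && !now.minus(acceptedSkew).isBefore(notOnOrAfter)) {
            return false; // now - skew >= NotOnOrAfter: expired even if our clock is fast
        }
        return true;
    }

    /**
     * AuthnInstant check: the IdP's authentication must be recent enough for
     * maxAuthnLifetime and must not lie in the future beyond the skew. A stale
     * AuthnInstant means the user should be sent back to the IdP to re-authenticate.
     */
    public boolean authnInstantFresh(final Instant authnInstant, final Instant now) {
        if (authnInstant.isAfter(now.plus(acceptedSkew))) {
            return false; // authenticated "in the future": clock problem or a forged statement
        }
        final Instant oldestAccepted = now.minus(maxAuthnLifetime).minus(acceptedSkew);
        return !authnInstant.isBefore(oldestAccepted);
    }

    public static void main(final String[] args) {
        // Assumed policy: 120 s skew, one-hour maximum authentication lifetime.
        final SamlTimeWindow window = new SamlTimeWindow(120, 3600);
        // Constructed sample clock and timestamps.
        final Instant now = Instant.parse("2019-06-01T12:00:00Z");

        report("window 11:59 to 12:04", window.withinWindow(
                Instant.parse("2019-06-01T11:59:00Z"), Instant.parse("2019-06-01T12:04:00Z"), now));
        report("NotOnOrAfter equal to now (boundary case without skew)", window.withinWindow(
                null, Instant.parse("2019-06-01T12:00:00Z"), now));
        report("NotOnOrAfter 3 min ago, beyond the skew", window.withinWindow(
                null, Instant.parse("2019-06-01T11:57:00Z"), now));
        report("NotBefore 5 min ahead, beyond the skew", window.withinWindow(
                Instant.parse("2019-06-01T12:05:00Z"), null, now));
        report("AuthnInstant 10 min old", window.authnInstantFresh(
                Instant.parse("2019-06-01T11:50:00Z"), now));
        report("AuthnInstant 2 h old, past the lifetime", window.authnInstantFresh(
                Instant.parse("2019-06-01T10:00:00Z"), now));
    }

    private static void report(final String label, final boolean accepted) {
        System.out.println((accepted ? "ACCEPT " : "REJECT ") + label);
    }
}
```

The two checks fail in different directions on purpose: an assertion outside its window is an attack or a clock fault and is dropped, whereas a stale AuthnInstant only means the login is too old for this SP's policy and re-authentication should be requested.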
@Deprecated
public SAML2AuthnResponseValidator(SAML2SignatureTrustEngineProvider engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter, LogoutHandler logoutHandler, int maximumAuthenticationLifetime, boolean wantsAssertionsSigned)
Deprecated. This constructor does not accept a replay cache; replay protection is disabled.

@Deprecated
public SAML2AuthnResponseValidator(SAML2SignatureTrustEngineProvider engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter, LogoutHandler logoutHandler, int maximumAuthenticationLifetime, boolean wantsAssertionsSigned, net.shibboleth.utilities.java.support.net.URIComparator uriComparator)
Deprecated. This constructor does not accept a replay cache; replay protection is disabled.

public SAML2AuthnResponseValidator(SAML2SignatureTrustEngineProvider engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter, LogoutHandler logoutHandler, int maximumAuthenticationLifetime, boolean wantsAssertionsSigned, ReplayCacheProvider replayCache)

public SAML2AuthnResponseValidator(SAML2SignatureTrustEngineProvider engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter, LogoutHandler logoutHandler, int maximumAuthenticationLifetime, boolean wantsAssertionsSigned, ReplayCacheProvider replayCache, net.shibboleth.utilities.java.support.net.URIComparator uriComparator)

public Credentials validate(SAML2MessageContext context)
Validates the SAML protocol response and the SAML SSO response.
Specified by: validate in interface SAML2ResponseValidator
Parameters:
context - the context

protected SAML2Credentials buildSAML2Credentials(SAML2MessageContext context)

protected String getSessionIndex(org.opensaml.saml.saml2.core.Assertion subjectAssertion)
Searches for the sessionIndex in the assertion.
Parameters:
subjectAssertion - assertion from the response

protected void validateSamlProtocolResponse(org.opensaml.saml.saml2.core.Response response, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine)
Validates the SAML protocol response: IssueInstant, Issuer, StatusCode, Signature.
Parameters:
response - the response
context - the context
engine - the engine

protected void verifyRequest(org.opensaml.saml.saml2.core.AuthnRequest request, SAML2MessageContext context)

protected void validateSamlSSOResponse(org.opensaml.saml.saml2.core.Response response, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
Validates the SAML SSO response by finding a valid assertion with authn statements, and populates the SAML2MessageContext with a subjectAssertion and a subjectNameIdentifier.
Parameters:
response - the response
context - the context
engine - the engine
decrypter - the decrypter

protected void decryptEncryptedAssertions(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
Decrypts encrypted assertions and adds them to the assertions list of the response.
Parameters:
response - the response
decrypter - the decrypter

protected void validateAssertion(org.opensaml.saml.saml2.core.Assertion assertion, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
Validates the given assertion: issueInstant, issuer, subject, conditions, authnStatements, signature.
Parameters:
assertion - the assertion
context - the context
engine - the engine
decrypter - the decrypter

protected void validateSubject(org.opensaml.saml.saml2.core.Subject subject, SAML2MessageContext context, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
Validates the given subject by finding a valid Bearer confirmation. NameID / BaseID / EncryptedID is first looked up directly in the Subject. If not present there, all relevant SubjectConfirmations are parsed and the IDs are taken from them.
Parameters:
subject - the Subject from an assertion
context - the SAML message context
decrypter - the decrypter used to decrypt encrypted IDs, if any are present; may be null, in which case no decryption is possible

protected boolean isValidBearerSubjectConfirmationData(org.opensaml.saml.saml2.core.SubjectConfirmationData data, SAML2MessageContext context)
Validates Bearer subject confirmation data: NotBefore, NotOnOrAfter, Recipient.
Parameters:
data - the data
context - the context

protected void validateAssertionReplay(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.saml2.core.SubjectConfirmationData data)
Checks that the bearer assertion is not being replayed.
Parameters:
assertion - the Assertion to check
data - the SubjectConfirmationData to check the assertion against

protected void validateAssertionConditions(org.opensaml.saml.saml2.core.Conditions conditions, SAML2MessageContext context)
Validates the assertion conditions: notBefore, notOnOrAfter.
Parameters:
conditions - the conditions
context - the context

protected void validateAudienceRestrictions(List<org.opensaml.saml.saml2.core.AudienceRestriction> audienceRestrictions, String spEntityId)
Validates the audience by matching the SP entityId.
Parameters:
audienceRestrictions - the audience restrictions
spEntityId - the SP entity id

protected void validateAuthenticationStatements(List<org.opensaml.saml.saml2.core.AuthnStatement> authnStatements, SAML2MessageContext context)
Validates the given authnStatements: authnInstant, sessionNotOnOrAfter.
Parameters:
authnStatements - the authn statements
context - the context

protected void validateAssertionSignature(org.opensaml.xmlsec.signature.Signature signature, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine)
Validates the assertion signature.
Parameters:
signature - the signature
context - the context
engine - the engine

public final void setMaximumAuthenticationLifetime(int maximumAuthenticationLifetime)
Copyright © 2019. All rights reserved.