Class SAML2AuthnResponseValidator

  • All Implemented Interfaces:
    SAML2ResponseValidator

    public class SAML2AuthnResponseValidator
    extends AbstractSAML2ResponseValidator
    Class responsible for executing every required check for validating a SAML response. The method validate populates the given SAML2MessageContext with the correct SAML assertion and the corresponding nameID's Bearer subject if every check succeeds.
    Since:
    1.5.0
    Author:
    Michael Remond, Jerome Leleu
    • Constructor Detail

      • SAML2AuthnResponseValidator

        @Deprecated
        public SAML2AuthnResponseValidator​(SAML2SignatureTrustEngineProvider engine,
                                           org.opensaml.saml.saml2.encryption.Decrypter decrypter,
                                           LogoutHandler logoutHandler,
                                           int maximumAuthenticationLifetime,
                                           boolean wantsAssertionsSigned)
        Deprecated.
        This constructor does not accept a replay cache, so replay protection is disabled.
      • SAML2AuthnResponseValidator

        @Deprecated
        public SAML2AuthnResponseValidator​(SAML2SignatureTrustEngineProvider engine,
                                           org.opensaml.saml.saml2.encryption.Decrypter decrypter,
                                           LogoutHandler logoutHandler,
                                           int maximumAuthenticationLifetime,
                                           boolean wantsAssertionsSigned,
                                           net.shibboleth.utilities.java.support.net.URIComparator uriComparator)
        Deprecated.
        This constructor does not accept a replay cache, so replay protection is disabled.
      • SAML2AuthnResponseValidator

        public SAML2AuthnResponseValidator​(SAML2SignatureTrustEngineProvider engine,
                                           org.opensaml.saml.saml2.encryption.Decrypter decrypter,
                                           LogoutHandler logoutHandler,
                                           int maximumAuthenticationLifetime,
                                           boolean wantsAssertionsSigned,
                                           ReplayCacheProvider replayCache,
                                           net.shibboleth.utilities.java.support.net.URIComparator uriComparator)
    • Method Detail

      • validate

        public Credentials validate​(SAML2MessageContext context)
        Description copied from interface: SAML2ResponseValidator
        Validates the SAML protocol response and the SAML SSO response. The method decrypts encrypted assertions, if any.
        Parameters:
        context - the context
        Returns:
        the SAML credentials
      • getSessionIndex

        protected String getSessionIndex​(org.opensaml.saml.saml2.core.Assertion subjectAssertion)
        Searches for the sessionIndex in the assertion.
        Parameters:
        subjectAssertion - assertion from the response
        Returns:
        the sessionIndex if found in the assertion
      • validateSamlProtocolResponse

        protected void validateSamlProtocolResponse​(org.opensaml.saml.saml2.core.Response response,
                                                    SAML2MessageContext context,
                                                    org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine)
        Validates the SAML protocol response: IssueInstant, Issuer, StatusCode and Signature.
        Parameters:
        response - the response
        context - the context
        engine - the engine
      • verifyRequest

        protected void verifyRequest​(org.opensaml.saml.saml2.core.AuthnRequest request,
                                     SAML2MessageContext context)
      • validateSamlSSOResponse

        protected void validateSamlSSOResponse​(org.opensaml.saml.saml2.core.Response response,
                                               SAML2MessageContext context,
                                               org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine,
                                               org.opensaml.saml.saml2.encryption.Decrypter decrypter)
        Validates the SAML SSO response by finding a valid assertion with authn statements. Populates the SAML2MessageContext with a subjectAssertion and a subjectNameIdentifier.
        Parameters:
        response - the response
        context - the context
        engine - the engine
        decrypter - the decrypter
      • decryptEncryptedAssertions

        protected void decryptEncryptedAssertions​(org.opensaml.saml.saml2.core.Response response,
                                                  org.opensaml.saml.saml2.encryption.Decrypter decrypter)
        Decrypts encrypted assertions and adds them to the assertion list of the response.
        Parameters:
        response - the response
        decrypter - the decrypter
      • validateAssertion

        protected void validateAssertion​(org.opensaml.saml.saml2.core.Assertion assertion,
                                         SAML2MessageContext context,
                                         org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine,
                                         org.opensaml.saml.saml2.encryption.Decrypter decrypter)
        Validates the given assertion: issueInstant, issuer, subject, conditions, authnStatements and signature.
        Parameters:
        assertion - the assertion
        context - the context
        engine - the engine
        decrypter - the decrypter
      • validateSubject

        protected void validateSubject​(org.opensaml.saml.saml2.core.Subject subject,
                                       SAML2MessageContext context,
                                       org.opensaml.saml.saml2.encryption.Decrypter decrypter)
        Validates the given subject by finding a valid Bearer confirmation. If the subject is valid, its nameID is put in the context.

        NameID / BaseID / EncryptedID is first looked up directly in the Subject. If not present there, then all relevant SubjectConfirmations are parsed and the IDs are taken from them.

        Parameters:
        subject - The Subject from an assertion.
        context - SAML message context.
        decrypter - Decrypter used to decrypt encrypted IDs, if any are present. May be null, in which case no decryption is possible.
      • isValidBearerSubjectConfirmationData

        protected boolean isValidBearerSubjectConfirmationData​(org.opensaml.saml.saml2.core.SubjectConfirmationData data,
                                                               SAML2MessageContext context)
        Validates the Bearer subject confirmation data: NotBefore, NotOnOrAfter and Recipient.
        Parameters:
        data - the data
        context - the context
        Returns:
        true if all Bearer subject checks pass
      • validateAssertionReplay

        protected void validateAssertionReplay​(org.opensaml.saml.saml2.core.Assertion assertion,
                                               org.opensaml.saml.saml2.core.SubjectConfirmationData data)
        Checks that the bearer assertion is not being replayed.
        Parameters:
        assertion - The Assertion to check
        data - The SubjectConfirmationData to check the assertion against
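The two methods above are the point where a stolen or re-posted assertion is rejected: the confirmation data must fit the current time and be addressed to this SP's Assertion Consumer Service, and the assertion ID must not have been accepted before. The following Python sketch is an added illustration of those checks, not pac4j's or OpenSAML's code; the data class, the in-memory replay cache (standing in for ReplayCacheProvider), the clock-skew parameter and the choice to key the cache by assertion ID until the assertion's own NotOnOrAfter are assumptions of the example. Treating NotOnOrAfter and Recipient as mandatory follows the SAML 2.0 Web Browser SSO profile for bearer confirmations.

```python
"""Bearer SubjectConfirmationData checks plus assertion replay protection.

Added illustration (not pac4j's or OpenSAML's code) of the checks the page
lists for isValidBearerSubjectConfirmationData and validateAssertionReplay.
The data class, the in-memory replay cache and the clock-skew parameter are
assumptions of this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass
class SubjectConfirmationData:
    # Subset of the SAML 2.0 SubjectConfirmationData attributes used by the checks.
    not_before: Optional[datetime]
    not_on_or_after: Optional[datetime]
    recipient: Optional[str]


@dataclass
class ReplayCache:
    """Stand-in for ReplayCacheProvider: assertion ID -> time the entry may be dropped."""
    seen: Dict[str, datetime] = field(default_factory=dict)

    def check_and_record(self, assertion_id: str, expires: datetime, now: datetime) -> bool:
        """Return True the first time an ID is seen, False on replay.

        Entries are kept until the assertion's own NotOnOrAfter; after that the
        time-window check rejects the assertion anyway, so the cache stays bounded.
        """
        self.seen = {k: v for k, v in self.seen.items() if v > now}
        if assertion_id in self.seen:
            return False
        self.seen[assertion_id] = expires
        return True


def is_valid_bearer_subject_confirmation_data(
    data: SubjectConfirmationData,
    expected_recipient: str,
    now: datetime,
    skew: timedelta = timedelta(0),
) -> bool:
    """The three checks the page names: NotBefore, NotOnOrAfter, Recipient.

    NotOnOrAfter and Recipient are treated as mandatory, as the SAML 2.0 Web
    Browser SSO profile requires for bearer confirmations.
    """
    if data.not_before is not None and now + skew < data.not_before:
        return False                                   # not yet valid
    if data.not_on_or_after is None or now - skew >= data.not_on_or_after:
        return False                                   # expired (bound is exclusive)
    if data.recipient is None or data.recipient != expected_recipient:
        return False                                   # addressed to another ACS URL
    return True


def accept_bearer_assertion(
    assertion_id: str,
    data: SubjectConfirmationData,
    expected_recipient: str,
    cache: Optional[ReplayCache],
    now: datetime,
) -> bool:
    """Confirmation-data checks first, then replay protection.

    A None cache mirrors the deprecated constructors on this page: without a
    replay cache the same assertion is accepted every time it is presented.
    """
    if not is_valid_bearer_subject_confirmation_data(data, expected_recipient, now):
        return False
    if cache is None:
        return True
    return cache.check_and_record(assertion_id, data.not_on_or_after, now)


if __name__ == "__main__":
    # Constructed sample: one assertion presented twice at the same ACS URL.
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    scd = SubjectConfirmationData(None, t0 + timedelta(minutes=5), "https://sp.example/acs")
    cache = ReplayCache()
    print(accept_bearer_assertion("_a1", scd, "https://sp.example/acs", cache, t0))  # True
    print(accept_bearer_assertion("_a1", scd, "https://sp.example/acs", cache, t0))  # False (replay)
```

The order matters: the time-window check runs before the cache is consulted, so an expired assertion never occupies a cache slot, and the cache only needs to remember IDs for as long as the IdP itself said they are acceptable. In a multi-node deployment the cache has to be shared (which is what a ReplayCacheProvider abstracts), otherwise the same assertion can be replayed once per node.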
      • validateAssertionConditions

        protected void validateAssertionConditions​(org.opensaml.saml.saml2.core.Conditions conditions,
                                                   SAML2MessageContext context)
        Validates the assertion Conditions: NotBefore and NotOnOrAfter.
        Parameters:
        conditions - the conditions
        context - the context
      • validateAudienceRestrictions

        protected void validateAudienceRestrictions​(List<org.opensaml.saml.saml2.core.AudienceRestriction> audienceRestrictions,
                                                    String spEntityId)
        Validates the audience by matching the SP entityId.
        Parameters:
        audienceRestrictions - the audience restrictions
        spEntityId - the sp entity id
      • validateAuthenticationStatements

        protected void validateAuthenticationStatements​(List<org.opensaml.saml.saml2.core.AuthnStatement> authnStatements,
                                                        SAML2MessageContext context)
        Validates the given authnStatements: authnInstant and sessionNotOnOrAfter.
        Parameters:
        authnStatements - the authn statements
        context - the context
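The three methods above (validateAssertionConditions, validateAudienceRestrictions and validateAuthenticationStatements) together decide whether an assertion that is correctly signed is also one this SP should act on right now. The following Python sketch is an added illustration of those checks, not pac4j's or OpenSAML's code; the data classes, the failure-list return style, rejecting an assertion that carries no AudienceRestriction at all, and treating maximumAuthenticationLifetime as a number of seconds are assumptions of the example.

```python
"""Conditions, AudienceRestriction and AuthnStatement checks.

Added illustration (not pac4j's or OpenSAML's code) of the checks this page
lists for validateAssertionConditions, validateAudienceRestrictions and
validateAuthenticationStatements. The data classes, the failure-list return
style and treating maximumAuthenticationLifetime as seconds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class Conditions:
    not_before: Optional[datetime]
    not_on_or_after: Optional[datetime]
    # One inner list per <AudienceRestriction>, holding its <Audience> URIs.
    audience_restrictions: List[List[str]]


@dataclass
class AuthnStatement:
    authn_instant: datetime
    session_not_on_or_after: Optional[datetime]


def validate_assertion_conditions(conditions: Conditions, now: datetime) -> List[str]:
    """NotBefore is inclusive, NotOnOrAfter exclusive (SAML core 2.5.1.2)."""
    failures = []
    if conditions.not_before is not None and now < conditions.not_before:
        failures.append("conditions: NotBefore is in the future")
    if conditions.not_on_or_after is not None and now >= conditions.not_on_or_after:
        failures.append("conditions: NotOnOrAfter has passed")
    return failures


def validate_audience_restrictions(audience_restrictions: List[List[str]], sp_entity_id: str) -> List[str]:
    """Every AudienceRestriction must be satisfied; one is satisfied when any of
    its Audience values equals the SP entityID (SAML core 2.5.1.4). An assertion
    with no restriction at all is rejected here (example's choice), so a token
    minted for some other relying party cannot be presented to this SP."""
    if not audience_restrictions:
        return ["audience: no AudienceRestriction present"]
    return [
        f"audience: {restriction} does not contain {sp_entity_id}"
        for restriction in audience_restrictions
        if sp_entity_id not in restriction
    ]


def validate_authentication_statements(
    statements: List[AuthnStatement], now: datetime, maximum_authentication_lifetime: int
) -> List[str]:
    """AuthnInstant must not be older than the configured lifetime (assumed to
    be seconds) and SessionNotOnOrAfter, if present, must not have passed."""
    if not statements:
        return ["authn: no AuthnStatement in assertion"]
    failures = []
    lifetime = timedelta(seconds=maximum_authentication_lifetime)
    for s in statements:
        if now - s.authn_instant > lifetime:
            failures.append("authn: AuthnInstant older than maximumAuthenticationLifetime")
        if s.session_not_on_or_after is not None and now >= s.session_not_on_or_after:
            failures.append("authn: SessionNotOnOrAfter has passed")
    return failures


def validate_assertion_body(
    conditions: Conditions,
    statements: List[AuthnStatement],
    sp_entity_id: str,
    now: datetime,
    maximum_authentication_lifetime: int,
) -> List[str]:
    """Run the three checks together; an empty list means the assertion passes."""
    return (
        validate_assertion_conditions(conditions, now)
        + validate_audience_restrictions(conditions.audience_restrictions, sp_entity_id)
        + validate_authentication_statements(statements, now, maximum_authentication_lifetime)
    )


if __name__ == "__main__":
    # Constructed sample: a fresh assertion issued to this SP, checked at t0.
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    sp = "https://sp.example/metadata"
    cond = Conditions(t0 - timedelta(minutes=1), t0 + timedelta(minutes=5), [[sp]])
    stmts = [AuthnStatement(t0 - timedelta(minutes=10), t0 + timedelta(hours=8))]
    print(validate_assertion_body(cond, stmts, sp, t0, 3600))  # []
```

Collecting every failure rather than stopping at the first one is useful when diagnosing IdP misconfiguration (a wrong Audience and a clock skew often show up together); a production validator like the one on this page throws on the first failure instead. The maximumAuthenticationLifetime check is what stops an IdP session that was established long ago from being turned into a fresh SP login on demand.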
      • validateAssertionSignature

        protected void validateAssertionSignature​(org.opensaml.xmlsec.signature.Signature signature,
                                                  SAML2MessageContext context,
                                                  org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine)
        Validates the assertion signature. If the assertion has no signature, the SAML response was not signed either, and the SP requires assertions to be signed, the validation fails.
        Parameters:
        signature - the signature
        context - the context
        engine - the engine
      • setMaximumAuthenticationLifetime

        public final void setMaximumAuthenticationLifetime​(int maximumAuthenticationLifetime)