Package org.pac4j.saml.sso.impl
Class SAML2AuthnResponseValidator
java.lang.Object
  org.pac4j.saml.profile.impl.AbstractSAML2ResponseValidator
    org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator
- All Implemented Interfaces:
SAML2ResponseValidator
Class responsible for executing every required check for validating a SAML response.
The method validate populates the given SAML2MessageContext with the correct SAML assertion and the corresponding nameID's Bearer subject if every check succeeds.
- Since: 1.5.0
- Author: Michael Remond, Jerome Leleu
Field Summary
Fields inherited from class org.pac4j.saml.profile.impl.AbstractSAML2ResponseValidator:
acceptedSkew, decrypter, logger, logoutHandler, replayCache, signatureTrustEngineProvider, uriComparator
Constructor Summary
SAML2AuthnResponseValidator(SAML2SignatureTrustEngineProvider engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter, ReplayCacheProvider replayCache, SAML2Configuration saml2Configuration)
Method Summary
protected SAML2Credentials buildSAML2Credentials(SAML2MessageContext context, org.opensaml.saml.saml2.core.Response response)
protected List<org.opensaml.saml.saml2.core.Attribute> collectAssertionAttributes(org.opensaml.saml.saml2.core.Assertion subjectAssertion)
protected void decryptEncryptedAssertions(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
  Decrypt encrypted assertions and add them to the assertions list of the response.
protected SAML2Credentials.SAMLNameID determineNameID(SAML2MessageContext context, List<SAML2Credentials.SAMLAttribute> attributes)
protected String getSessionIndex(org.opensaml.saml.saml2.core.Assertion subjectAssertion)
  Searches the sessionIndex in the assertion.
protected boolean isValidBearerSubjectConfirmationData(org.opensaml.saml.saml2.core.SubjectConfirmationData data, SAML2MessageContext context)
  Validate Bearer subject confirmation data: notBefore, NotOnOrAfter, recipient.
org.pac4j.core.credentials.Credentials validate(SAML2MessageContext context)
  Validates the SAML protocol response and the SAML SSO response.
protected void validateAssertion(org.opensaml.saml.saml2.core.Assertion assertion, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
  Validate the given assertion: issueInstant, issuer, subject, conditions, authnStatements, signature.
protected void validateAssertionConditions(org.opensaml.saml.saml2.core.Conditions conditions, SAML2MessageContext context)
  Validate assertion conditions: notBefore, notOnOrAfter.
protected void validateAssertionReplay(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.saml2.core.SubjectConfirmationData data)
  Checks that the bearer assertion is not being replayed.
protected void validateAssertionSignature(org.opensaml.xmlsec.signature.Signature signature, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine)
  Validate assertion signature.
protected void validateAudienceRestrictions(List<org.opensaml.saml.saml2.core.AudienceRestriction> audienceRestrictions, String spEntityId)
  Validate audience by matching the SP entityId.
protected void validateAuthenticationStatements(List<org.opensaml.saml.saml2.core.AuthnStatement> authnStatements, SAML2MessageContext context)
  Validate the given authnStatements: authnInstant, sessionNotOnOrAfter.
protected void validateAuthnContextClassRefs(SAML2MessageContext context, List<String> providedAuthnContextClassRefs)
protected void validateSamlProtocolResponse(org.opensaml.saml.saml2.core.Response response, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine)
  Validates the SAML protocol response: IssueInstant, Issuer, StatusCode, Signature.
protected void validateSamlSSOResponse(org.opensaml.saml.saml2.core.Response response, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
  Validates the SAML SSO response by finding a valid assertion with authn statements.
protected void validateSubject(org.opensaml.saml.saml2.core.Subject subject, SAML2MessageContext context, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
  Validate the given subject by finding a valid Bearer confirmation.
protected void verifyRequest(org.opensaml.saml.saml2.core.AuthnRequest request, SAML2MessageContext context)
Methods inherited from class org.pac4j.saml.profile.impl.AbstractSAML2ResponseValidator:
compareEndpoints, computeSloKey, decryptEncryptedId, isDateValid, isIssueInstantValid, setAcceptedSkew, validateIssueInstant, validateIssuer, validateIssuerIfItExists, validateSignature, validateSignatureIfItExists, validateSuccess, verifyEndpoint, verifyMessageReplay
Constructor Details
SAML2AuthnResponseValidator
public SAML2AuthnResponseValidator(SAML2SignatureTrustEngineProvider engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter, ReplayCacheProvider replayCache, SAML2Configuration saml2Configuration)
Method Details
validate
org.pac4j.core.credentials.Credentials validate(SAML2MessageContext context)
Description copied from interface: SAML2ResponseValidator
Validates the SAML protocol response and the SAML SSO response. The method decrypts encrypted assertions, if any.
- Parameters:
  context - the context
- Returns:
  the SAML credentials
buildSAML2Credentials
protected SAML2Credentials buildSAML2Credentials(SAML2MessageContext context, org.opensaml.saml.saml2.core.Response response)
collectAssertionAttributes
protected List<org.opensaml.saml.saml2.core.Attribute> collectAssertionAttributes(org.opensaml.saml.saml2.core.Assertion subjectAssertion)
determineNameID
protected SAML2Credentials.SAMLNameID determineNameID(SAML2MessageContext context, List<SAML2Credentials.SAMLAttribute> attributes)
getSessionIndex
protected String getSessionIndex(org.opensaml.saml.saml2.core.Assertion subjectAssertion)
Searches the sessionIndex in the assertion.
- Parameters:
  subjectAssertion - assertion from the response
- Returns:
  the sessionIndex if found in the assertion
validateSamlProtocolResponse
protected void validateSamlProtocolResponse(org.opensaml.saml.saml2.core.Response response, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine)
Validates the SAML protocol response:
- IssueInstant
- Issuer
- StatusCode
- Signature
- Parameters:
  response - the response
  context - the context
  engine - the engine
verifyRequest
protected void verifyRequest(org.opensaml.saml.saml2.core.AuthnRequest request, SAML2MessageContext context)
validateSamlSSOResponse
protected void validateSamlSSOResponse(org.opensaml.saml.saml2.core.Response response, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
Validates the SAML SSO response by finding a valid assertion with authn statements. Populates the SAML2MessageContext with a subjectAssertion and a subjectNameIdentifier.
- Parameters:
  response - the response
  context - the context
  engine - the engine
  decrypter - the decrypter
decryptEncryptedAssertions
protected void decryptEncryptedAssertions(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
Decrypt encrypted assertions and add them to the assertions list of the response.
- Parameters:
  response - the response
  decrypter - the decrypter
validateAssertion
protected void validateAssertion(org.opensaml.saml.saml2.core.Assertion assertion, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
Validate the given assertion:
- issueInstant
- issuer
- subject
- conditions
- authnStatements
- signature
- Parameters:
  assertion - the assertion
  context - the context
  engine - the engine
  decrypter - the decrypter
validateSubject
protected void validateSubject(org.opensaml.saml.saml2.core.Subject subject, SAML2MessageContext context, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
Validate the given subject by finding a valid Bearer confirmation. If the subject is valid, put its nameID in the context.
NameID / BaseID / EncryptedID is first looked up directly in the Subject. If not present there, all relevant SubjectConfirmations are parsed and the IDs are taken from them.
- Parameters:
  subject - The Subject from an assertion.
  context - SAML message context.
  decrypter - Decrypter used to decrypt some encrypted IDs, if they are present. May be null, in which case no decryption will be possible.
isValidBearerSubjectConfirmationData
protected boolean isValidBearerSubjectConfirmationData(org.opensaml.saml.saml2.core.SubjectConfirmationData data, SAML2MessageContext context)
Validate Bearer subject confirmation data:
- notBefore
- NotOnOrAfter
- recipient
- Parameters:
  data - the data
  context - the context
- Returns:
  true if all Bearer subject checks pass
validateAssertionReplay
protected void validateAssertionReplay(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.saml2.core.SubjectConfirmationData data)
Checks that the bearer assertion is not being replayed.
- Parameters:
  assertion - The Assertion to check
  data - The SubjectConfirmationData to check the assertion against
validateAssertionConditions
protected void validateAssertionConditions(org.opensaml.saml.saml2.core.Conditions conditions, SAML2MessageContext context)
Validate assertion conditions:
- notBefore
- notOnOrAfter
- Parameters:
  conditions - the conditions
  context - the context
validateAudienceRestrictions
protected void validateAudienceRestrictions(List<org.opensaml.saml.saml2.core.AudienceRestriction> audienceRestrictions, String spEntityId)
Validate audience by matching the SP entityId.
- Parameters:
  audienceRestrictions - the audience restrictions
  spEntityId - the SP entity id
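As an added illustration (not pac4j's own code) of the bearer subject confirmation data, assertion conditions and audience checks described above: the notBefore/NotOnOrAfter window widened by the validator's acceptedSkew, the Recipient match against the SP endpoint, and the audience match against the SP entityId, written against plain values rather than OpenSAML objects. The class name, the sample timestamps and URLs, and the exact-string recipient comparison are assumptions; pac4j's endpoint comparison goes through its uriComparator, which this page does not describe.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.List;
// Added illustration (not pac4j's code) of the time-window, Recipient and audience checks this Javadoc lists.
public final class AssertionChecks {
    // Shared by SubjectConfirmationData and Conditions. Both bounds are optional; the
    // validator's acceptedSkew widens each edge. NotOnOrAfter is exclusive.
    static boolean withinWindow(Instant now, Duration acceptedSkew,
                                Instant notBefore, Instant notOnOrAfter) {
        if (notBefore != null && now.plus(acceptedSkew).isBefore(notBefore)) {
            return false; // not yet valid, even allowing for skew
        }
        if (notOnOrAfter != null && !now.minus(acceptedSkew).isBefore(notOnOrAfter)) {
            return false; // expired, even allowing for skew
        }
        return true;
    }

    // Bearer SubjectConfirmationData: time window plus Recipient equal to the SP
    // endpoint that received the response. Assumption: exact string comparison
    // (pac4j uses its uriComparator, which this page does not describe).
    static boolean isValidBearerSubjectConfirmationData(Instant now, Duration acceptedSkew,
            Instant notBefore, Instant notOnOrAfter, String recipient, String acsUrl) {
        return withinWindow(now, acceptedSkew, notBefore, notOnOrAfter)
            && recipient != null && recipient.equals(acsUrl);
    }

    // AudienceRestriction: every restriction must list the SP entityId (restrictions
    // are ANDed, audiences within one are ORed). Assumption: no restrictions passes.
    static boolean audienceMatches(List<List<String>> audienceRestrictions, String spEntityId) {
        return audienceRestrictions.stream().allMatch(r -> r.contains(spEntityId));
    }

    public static void main(String[] args) {
        // Constructed sample values; the URLs are hypothetical.
        Instant now = Instant.parse("2024-01-01T12:00:00Z");
        Duration skew = Duration.ofSeconds(120);
        String acs = "https://sp.example.org/saml/callback";
        Instant expiry = Instant.parse("2024-01-01T12:05:00Z");
        System.out.println("valid bearer data: " + isValidBearerSubjectConfirmationData(
            now, skew, Instant.parse("2024-01-01T11:59:00Z"), expiry, acs, acs));
        System.out.println("wrong recipient:   " + isValidBearerSubjectConfirmationData(
            now, skew, null, expiry, "https://other.example.org/acs", acs));
        System.out.println("expired past skew: " + withinWindow(
            now, skew, null, Instant.parse("2024-01-01T11:57:00Z")));
        System.out.println("audience matches:  " + audienceMatches(
            List.of(List.of("https://sp.example.org/sp")), "https://sp.example.org/sp"));
    }
}
```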
validateAuthenticationStatements
protected void validateAuthenticationStatements(List<org.opensaml.saml.saml2.core.AuthnStatement> authnStatements, SAML2MessageContext context)
Validate the given authnStatements:
- authnInstant
- sessionNotOnOrAfter
- Parameters:
  authnStatements - the authn statements
  context - the context
validateAuthnContextClassRefs
protected void validateAuthnContextClassRefs(SAML2MessageContext context, List<String> providedAuthnContextClassRefs)
validateAssertionSignature
protected void validateAssertionSignature(org.opensaml.xmlsec.signature.Signature signature, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine)
Validate assertion signature. If none is found and the SAML response did not have one and the SP requires the assertions to be signed, the validation fails.
- Parameters:
  signature - the signature
  context - the context
  engine - the engine