Class SAML2AuthnResponseValidator

java.lang.Object
org.pac4j.saml.profile.impl.AbstractSAML2ResponseValidator
org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator
All Implemented Interfaces:
SAML2ResponseValidator

public class SAML2AuthnResponseValidator extends AbstractSAML2ResponseValidator
Class responsible for executing every check required to validate a SAML response. The method validate populates the given SAML2MessageContext with the correct SAML assertion and the corresponding Bearer subject nameID if every check succeeds.
Since:
1.5.0
Author:
Michael Remond, Jerome Leleu
  • Method Details

    • validate

      public org.pac4j.core.credentials.Credentials validate(SAML2MessageContext context)
      Validates the SAML protocol response and the SAML SSO response. The method decrypts encrypted assertions, if any.
      Parameters:
      context - the context
      Returns:
      the SAML credentials
    • buildSAML2Credentials

      protected SAML2AuthenticationCredentials buildSAML2Credentials(SAML2MessageContext context, org.opensaml.saml.saml2.core.StatusResponseType response)

      Builds the SAML2AuthenticationCredentials from the given response and context.

      Parameters:
      context - a SAML2MessageContext object
      response - a Response object
      Returns:
      a SAML2AuthenticationCredentials object
    • collectAssertionAttributes

      protected List<org.opensaml.saml.saml2.core.Attribute> collectAssertionAttributes(org.opensaml.saml.saml2.core.Assertion subjectAssertion)

      Collects the attributes carried by the given assertion.

      Parameters:
      subjectAssertion - an Assertion object
      Returns:
      a List object
    • determineNameID

      Determines the NameID from the context and the given attributes.

      Parameters:
      context - a SAML2MessageContext object
      attributes - a List object
      Returns:
      a SAML2AuthenticationCredentials.SAMLNameID object
    • getSessionIndex

      protected String getSessionIndex(org.opensaml.saml.saml2.core.Assertion subjectAssertion)
      Searches for the sessionIndex in the assertion.
      Parameters:
      subjectAssertion - assertion from the response
      Returns:
      the sessionIndex, if found in the assertion
    • validateSamlProtocolResponse

      protected void validateSamlProtocolResponse(org.opensaml.saml.saml2.core.StatusResponseType response, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine)
      Validates the SAML protocol response: IssueInstant, Issuer, StatusCode and Signature.
      Parameters:
      response - the response
      context - the context
      engine - the engine
    • verifyRequest

      protected void verifyRequest(org.opensaml.saml.saml2.core.AuthnRequest request, SAML2MessageContext context)

      Verifies the given AuthnRequest against the context.

      Parameters:
      request - an AuthnRequest object
      context - a SAML2MessageContext object
    • validateSamlSSOResponse

      protected void validateSamlSSOResponse(org.opensaml.saml.saml2.core.Response response, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
      Validates the SAML SSO response by finding a valid assertion with authn statements, and populates the SAML2MessageContext with a subjectAssertion and a subjectNameIdentifier.
      Parameters:
      response - the response
      context - the context
      engine - the engine
      decrypter - the decrypter
    • decryptEncryptedAssertions

      protected void decryptEncryptedAssertions(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
      Decrypts encrypted assertions and adds them to the assertion list of the response.
      Parameters:
      response - the response
      decrypter - the decrypter
    • validateAssertion

      protected void validateAssertion(org.opensaml.saml.saml2.core.Assertion assertion, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
      Validates the given assertion: issueInstant, issuer, subject, conditions, authnStatements and signature.
      Parameters:
      assertion - the assertion
      context - the context
      engine - the engine
      decrypter - the decrypter
    • validateSubject

      protected void validateSubject(org.opensaml.saml.saml2.core.Subject subject, SAML2MessageContext context, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
      Validates the given subject by finding a valid Bearer confirmation. If the subject is valid, its nameID is put into the context.

      NameID / BaseID / EncryptedID is first looked up directly in the Subject. If not present there, then all relevant SubjectConfirmations are parsed and the IDs are taken from them.

      Parameters:
      subject - The Subject from an assertion.
      context - SAML message context.
      decrypter - Decrypter used to decrypt encrypted IDs, if any are present. May be null, in which case no decryption is possible.
    • isValidBearerSubjectConfirmationData

      protected boolean isValidBearerSubjectConfirmationData(org.opensaml.saml.saml2.core.SubjectConfirmationData data, SAML2MessageContext context)
      Validates the Bearer subject confirmation data: NotBefore, NotOnOrAfter and Recipient.
      Parameters:
      data - the data
      context - the context
      Returns:
      true if all Bearer subject checks pass
    • validateAssertionReplay

      protected void validateAssertionReplay(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.saml2.core.SubjectConfirmationData data)
      Checks that the bearer assertion is not being replayed.
      Parameters:
      assertion - The Assertion to check
      data - The SubjectConfirmationData to check the assertion against
    • validateAssertionConditions

      protected void validateAssertionConditions(org.opensaml.saml.saml2.core.Conditions conditions, SAML2MessageContext context)
      Validates the assertion Conditions: NotBefore and NotOnOrAfter.
      Parameters:
      conditions - the conditions
      context - the context
    • validateAudienceRestrictions

      protected void validateAudienceRestrictions(Collection<org.opensaml.saml.saml2.core.AudienceRestriction> audienceRestrictions, String spEntityId)
      Validates the audience by matching the SP entityId.
      Parameters:
      audienceRestrictions - the audience restrictions
      spEntityId - the sp entity id
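The time-window, Recipient, audience and replay checks listed above for isValidBearerSubjectConfirmationData, validateAssertionReplay, validateAssertionConditions and validateAudienceRestrictions, as an added stand-alone Java illustration that is not pac4j's own code: assertion fields are passed as plain values instead of OpenSAML objects, and the accepted clock skew, the SP entityID, the ACS URL and the in-memory replay cache are assumptions.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Collection;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration, not pac4j code: the bearer-assertion checks listed above, over plain values.
public final class BearerAssertionChecks {
    private final Duration acceptedSkew;   // assumed tolerance for IdP/SP clock drift
    private final String spEntityId;       // assumed SP entityID expected as Audience
    private final String acsUrl;           // assumed ACS URL expected as Recipient
    private final Map<String, Instant> seenIds = new ConcurrentHashMap<>(); // assumed in-memory replay cache

    public BearerAssertionChecks(Duration acceptedSkew, String spEntityId, String acsUrl) {
        this.acceptedSkew = acceptedSkew;
        this.spEntityId = spEntityId;
        this.acsUrl = acsUrl;
    }

    // Bearer SubjectConfirmationData: NotBefore (optional), NotOnOrAfter (required) and Recipient.
    public boolean isValidBearerSubjectConfirmationData(Instant notBefore, Instant notOnOrAfter,
                                                        String recipient, Instant now) {
        if (notBefore != null && now.plus(acceptedSkew).isBefore(notBefore)) return false;
        if (notOnOrAfter == null || !now.minus(acceptedSkew).isBefore(notOnOrAfter)) return false;
        return acsUrl.equals(recipient);
    }

    // Conditions: the assertion's NotBefore / NotOnOrAfter window, both optional.
    public void validateAssertionConditions(Instant notBefore, Instant notOnOrAfter, Instant now) {
        if (notBefore != null && now.plus(acceptedSkew).isBefore(notBefore))
            throw new IllegalStateException("assertion is not yet valid");
        if (notOnOrAfter != null && !now.minus(acceptedSkew).isBefore(notOnOrAfter))
            throw new IllegalStateException("assertion has expired");
    }

    // AudienceRestriction: every restriction element must list our entityID (elements are ANDed, Audience values inside one element are ORed).
    public void validateAudienceRestrictions(Collection<Set<String>> audienceRestrictions) {
        for (Set<String> audiences : audienceRestrictions) {
            if (!audiences.contains(spEntityId))
                throw new IllegalStateException("assertion is not addressed to " + spEntityId);
        }
    }

    // Replay: an assertion ID is accepted once; cache entries live until the confirmation's NotOnOrAfter, after which the time check rejects it anyway.
    public void validateAssertionReplay(String assertionId, Instant notOnOrAfter, Instant now) {
        seenIds.entrySet().removeIf(e -> !now.minus(acceptedSkew).isBefore(e.getValue()));
        if (seenIds.putIfAbsent(assertionId, notOnOrAfter) != null)
            throw new IllegalStateException("assertion " + assertionId + " has already been consumed");
    }
}
```

Run the replay check last, so an assertion ID is only recorded once the time, Recipient and audience checks have passed.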
    • validateAuthenticationStatements

      protected void validateAuthenticationStatements(Iterable<org.opensaml.saml.saml2.core.AuthnStatement> authnStatements, SAML2MessageContext context)
      Validates the given authnStatements: authnInstant and sessionNotOnOrAfter.
      Parameters:
      authnStatements - the authn statements
      context - the context
    • validateAuthnContextClassRefs

      protected void validateAuthnContextClassRefs(SAML2MessageContext context, List<String> providedAuthnContextClassRefs)

      Validates the provided AuthnContextClassRefs against the context.

      Parameters:
      context - a SAML2MessageContext object
      providedAuthnContextClassRefs - a List object
    • validateAssertionSignature

      protected void validateAssertionSignature(org.opensaml.xmlsec.signature.Signature signature, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine)
      Validates the assertion signature. If none is found, the SAML response did not have one either, and the SP requires the assertions to be signed, the validation fails.
      Parameters:
      signature - the signature
      context - the context
      engine - the engine