Spring Security SAML

org.springframework.security.saml.metadata
Class ExtendedMetadata

java.lang.Object
  extended by org.springframework.security.saml.metadata.ExtendedMetadata
All Implemented Interfaces:
Serializable, Cloneable

public class ExtendedMetadata
extends Object
implements Serializable, Cloneable

Class contains additional information describing a SAML entity. Metadata can be used both for local entities (the ones deployed as part of the application using the SAML Extension) and remote entities (the ones the user interacts with, such as IDPs).

Author:
Vladimir Schaefer
See Also:
Serialized Form

Constructor Summary
ExtendedMetadata()
           
 
Method Summary
 ExtendedMetadata clone()
          Clones the existing metadata object.
 String getAlias()
          Returns alias.
 String getEncryptionKey()
          Encryption key used for encrypting messages sent to the remote entity or decrypting data sent to the local one.
 String getIdpDiscoveryResponseURL()
           
 String getIdpDiscoveryURL()
           
 String getKeyInfoGeneratorName()
          Name of the KeyInfoGenerator registered at default KeyInfoGeneratorManager.
 String getSecurityProfile()
          Security profile to use for this local entity - MetaIOP (default) or PKIX.
 String getSigningAlgorithm()
          Gets the signing algorithm to use when signing the SAML messages.
 String getSigningKey()
          Signing key used for signing messages or verifying signatures of this entity.
 String getSslHostnameVerification()
          Hostname verifier for SSL connections.
 String getSslSecurityProfile()
          Security profile used for SSL/TLS connections of the local entity.
 String getTlsKey()
          Key used to authenticate instance against remote peers when specified on local entity.
 Set<String> getTrustedKeys()
          Trusted keys usable for signature and server SSL/TLS verification for entities with PKIX verification enabled.
 boolean isEcpEnabled()
           
 boolean isIdpDiscoveryEnabled()
          When true IDP discovery will be invoked before initializing WebSSO, unless IDP is already specified inside SAMLContext.
 boolean isLocal()
           
 boolean isRequireArtifactResolveSigned()
          Flag indicating whether entity in question requires artifact resolve messages to be signed.
 boolean isRequireLogoutRequestSigned()
          Flag indicating whether entity in question requires logout request to be signed.
 boolean isRequireLogoutResponseSigned()
          Flag indicating whether entity in question requires logout response to be signed.
 boolean isSignMetadata()
          Flag indicating whether local metadata will be digitally signed.
 boolean isSupportUnsolicitedResponse()
           
 void setAlias(String alias)
          Alias is used to identify a destination entity as part of the URL.
 void setEcpEnabled(boolean ecpEnabled)
           
 void setEncryptionKey(String encryptionKey)
          Sets encryption key to be used for interaction with the current entity.
 void setIdpDiscoveryEnabled(boolean idpDiscoveryEnabled)
           
 void setIdpDiscoveryResponseURL(String idpDiscoveryResponseURL)
          When set our local IDP Discovery implementation will send response back to Service Provider on this address.
 void setIdpDiscoveryURL(String idpDiscoveryURL)
          URL to invoke while initializing IDP Discovery protocol for the local SP.
 void setKeyInfoGeneratorName(String keyInfoGeneratorName)
          Sets KeyInfoGenerator used to create KeyInfo elements in metadata and digital signatures.
 void setLocal(boolean local)
          When set to true entity is treated as locally deployed and will be able to accept messages on endpoints determined by the selected alias.
 void setRequireArtifactResolveSigned(boolean requireArtifactResolveSigned)
          If true received artifactResolve messages will require a signature, sent artifactResolve will be signed.
 void setRequireLogoutRequestSigned(boolean requireLogoutRequestSigned)
          If true logoutRequests received will require a signature, sent logoutRequests will be signed.
 void setRequireLogoutResponseSigned(boolean requireLogoutResponseSigned)
          If true logoutResponses received will require a signature, sent logoutResponses will be signed.
 void setSecurityProfile(String securityProfile)
          Sets profile used for verification of signatures and encryption.
 void setSigningAlgorithm(String signingAlgorithm)
          Sets the signing algorithm to use when signing the SAML messages.
 void setSigningKey(String signingKey)
          Sets signing key to be used for interaction with the current entity.
 void setSignMetadata(boolean signMetadata)
          When set to true metadata generated for this entity will be digitally signed by the signing certificate.
 void setSslHostnameVerification(String sslHostnameVerification)
          Sets hostname verifier to use for verification of SSL connections.
 void setSslSecurityProfile(String sslSecurityProfile)
          Sets profile used for verification of SSL/TLS connections.
 void setSupportUnsolicitedResponse(boolean supportUnsolicitedResponse)
          When set to true system will support reception of Unsolicited SAML Response messages (IDP-initialized single sign-on) from this remote entity.
 void setTlsKey(String tlsKey)
          For local entities denotes alias of the key used to authenticate this instance against peer servers using SSL/TLS connections.
 void setTrustedKeys(Set<String> trustedKeys)
          Set of keys used as anchors for PKIX verification of messages coming from this entity.
 
Methods inherited from class java.lang.Object
equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

ExtendedMetadata

public ExtendedMetadata()
Method Detail

getSecurityProfile

public String getSecurityProfile()
Security profile to use for this local entity - MetaIOP (default) or PKIX.

Returns:
profile

setSecurityProfile

public void setSecurityProfile(String securityProfile)
Sets the profile used for verification of signatures and encryption. The following profiles are available:

MetaIOP profile (default):
Uses the cryptographic data from the metadata document of the entity in question. No checks for validity or revocation of certificates are done in this mode. All keys must be known in advance.

PKIX profile:
Signatures are trusted when the credential can be verified using PKIX, with the trusted keys of the peer configured as trust anchors.

This setting is only relevant for local entities.

Parameters:
securityProfile - profile to use - PKIX when set to "pkix", MetaIOP otherwise

getSslSecurityProfile

public String getSslSecurityProfile()
Security profile used for SSL/TLS connections of the local entity.

Returns:
profile

setSslSecurityProfile

public void setSslSecurityProfile(String sslSecurityProfile)
Sets the profile used for verification of SSL/TLS connections. The following profiles are available:

PKIX profile (default), value "pkix":
Server certificates are trusted when the credential can be verified using PKIX, with the trusted keys of the peer configured as trust anchors.

MetaIOP profile, any other value:
Uses the cryptographic data from the metadata document of the entity in question. No checks for validity or revocation of certificates are done in this mode. All keys must be known in advance.

Logic is enforced in SAMLContextProviderImpl#populateSSLTrustEngine. Values are case insensitive.

This setting is only relevant for local entities.

Parameters:
sslSecurityProfile - profile to use - PKIX when set to "pkix", MetaIOP otherwise

getSslHostnameVerification

public String getSslHostnameVerification()
Hostname verifier for SSL connections.

Returns:
hostname verifier

setSslHostnameVerification

public void setSslHostnameVerification(String sslHostnameVerification)
Sets hostname verifier to use for verification of SSL connections. The following values are available:

default: org.apache.commons.ssl.HostnameVerifier.DEFAULT
defaultAndLocalhost: org.apache.commons.ssl.HostnameVerifier.DEFAULT_AND_LOCALHOST
strict: org.apache.commons.ssl.HostnameVerifier.STRICT
allowAll: org.apache.commons.ssl.HostnameVerifier.ALLOW_ALL, doesn't perform any validation. With this setting any certificate accepted by the SSL security profile is accepted regardless of the host it was issued for, so a peer holding any trusted certificate can impersonate the remote entity; use it only for testing.

Logic is enforced in SAMLContextProviderImpl#populateSSLHostnameVerifier. Values are case insensitive. Unrecognized values revert to the default setting.

This setting is only relevant for local entities.

Parameters:
sslHostnameVerification - hostname verification type flag

getAlias

public String getAlias()
Returns alias. Value should be null for remote entities.

Returns:
alias

setAlias

public void setAlias(String alias)
Alias is used to identify a destination entity as part of the URL. It only applies to local entities. Only ASCII characters can be used in an alias.

A local entity whose alias is null must be set as the default local entity to be reachable.

Alias must be unique for each local entityId.

Parameters:
alias - alias value

getSigningKey

public String getSigningKey()
Signing key used for signing messages or verifying signatures of this entity.

Returns:
signing key, default if null

setSigningKey

public void setSigningKey(String signingKey)
Sets the signing key to be used for interaction with the current entity. If the entity is local, the keyStore must contain both the private and the public key under the given alias. For remote entities only the public key is required.

Value can be used to override credential contained in the remote metadata.

Parameters:
signingKey - key for creation/verification of signatures

getEncryptionKey

public String getEncryptionKey()
Encryption key used for encrypting messages sent to the remote entity or decrypting data sent to the local one.

Returns:
encryption key, default if null

setEncryptionKey

public void setEncryptionKey(String encryptionKey)
Sets the encryption key to be used for interaction with the current entity. If the entity is local, the keyStore must contain a private key under the given alias, which will be used for decrypting incoming messages. For remote entities only the public key is required, and it will be used for encrypting the data sent.

Value can be used to override credential contained in the remote metadata.

Parameters:
encryptionKey - key for encryption of sent data (remote entity) or decryption of received data (local entity)

isRequireLogoutRequestSigned

public boolean isRequireLogoutRequestSigned()
Flag indicating whether entity in question requires logout request to be signed.

Returns:
signature flag

setRequireLogoutRequestSigned

public void setRequireLogoutRequestSigned(boolean requireLogoutRequestSigned)
If true logoutRequests received will require a signature, sent logoutRequests will be signed.

Parameters:
requireLogoutRequestSigned - logout request signature flag

isRequireLogoutResponseSigned

public boolean isRequireLogoutResponseSigned()
Flag indicating whether entity in question requires logout response to be signed.

Returns:
signature flag

setRequireLogoutResponseSigned

public void setRequireLogoutResponseSigned(boolean requireLogoutResponseSigned)
If true logoutResponses received will require a signature, sent logoutResponses will be signed.

Parameters:
requireLogoutResponseSigned - logout response signature flag

isRequireArtifactResolveSigned

public boolean isRequireArtifactResolveSigned()
Flag indicating whether entity in question requires artifact resolve messages to be signed.

Returns:
signature flag

setRequireArtifactResolveSigned

public void setRequireArtifactResolveSigned(boolean requireArtifactResolveSigned)
If true received artifactResolve messages will require a signature, sent artifactResolve will be signed.

Parameters:
requireArtifactResolveSigned - artifact resolve signature flag

getTlsKey

public String getTlsKey()
Key used to authenticate this instance against remote peers when specified on a local entity. When specified on a remote entity the key is added as a trust anchor for SSL/TLS communication with that entity.

Returns:
tls key

setTlsKey

public void setTlsKey(String tlsKey)
For local entities denotes the alias of the key used to authenticate this instance against peer servers over SSL/TLS connections. When not set, no key is available for client authentication. The alias must refer to an X.509 entry that includes the private key. For remote entities denotes the key to be used as a trust anchor for SSL/TLS connections.

Parameters:
tlsKey - tls key

getTrustedKeys

public Set<String> getTrustedKeys()
Trusted keys usable for signature and server SSL/TLS verification for entities with PKIX verification enabled. The value is ignored when PKIX security is not enabled. When the value is null, all keys in the keyStore are treated as trusted.

Returns:
trusted keys

setTrustedKeys

public void setTrustedKeys(Set<String> trustedKeys)
Set of keys used as anchors for PKIX verification of messages coming from this entity. Used when the local entity has the PKIX profile enabled.

When no trusted keys are specified, all keys in the keyManager are treated as trusted, so a narrow set should be configured whenever the keystore also holds keys of other parties.

This setting is only relevant for remote entities.

Parameters:
trustedKeys - keys

isLocal

public boolean isLocal()

setLocal

public void setLocal(boolean local)
When set to true entity is treated as locally deployed and will be able to accept messages on endpoints determined by the selected alias.

Parameters:
local - true when entity is deployed locally

getIdpDiscoveryURL

public String getIdpDiscoveryURL()

setIdpDiscoveryURL

public void setIdpDiscoveryURL(String idpDiscoveryURL)
URL to invoke while initializing IDP Discovery protocol for the local SP.

Parameters:
idpDiscoveryURL - IDP discovery URL

getIdpDiscoveryResponseURL

public String getIdpDiscoveryResponseURL()

setIdpDiscoveryResponseURL

public void setIdpDiscoveryResponseURL(String idpDiscoveryResponseURL)
When set, the local IDP Discovery implementation will send its response back to the Service Provider at this address. Set this when the public address of the SP differs from the one seen by the application server.

Parameters:
idpDiscoveryResponseURL - discovery response URL

isIdpDiscoveryEnabled

public boolean isIdpDiscoveryEnabled()
When true IDP discovery will be invoked before initializing WebSSO, unless IDP is already specified inside SAMLContext.

Returns:
true when idp discovery is enabled

setIdpDiscoveryEnabled

public void setIdpDiscoveryEnabled(boolean idpDiscoveryEnabled)

setEcpEnabled

public void setEcpEnabled(boolean ecpEnabled)

isEcpEnabled

public boolean isEcpEnabled()

getSigningAlgorithm

public String getSigningAlgorithm()
Gets the signing algorithm to use when signing the SAML messages. This can be used, for example, when a stronger algorithm is required (e.g. RSA with SHA-256 instead of SHA-1). The value only applies to local entities. At the moment the value is only used for signatures on metadata.

Returns:
A signing algorithm URI, if set. Otherwise returns null.
See Also:
SignatureConstants

setSigningAlgorithm

public void setSigningAlgorithm(String signingAlgorithm)
Sets the signing algorithm to use when signing the SAML messages. This can be used, for example, when a stronger algorithm is required (e.g. RSA with SHA-256 instead of SHA-1). If this property is null, the Credential's default algorithm is used instead. The value only applies to local entities. At the moment the value is only used for signatures on metadata. Typical values are:

http://www.w3.org/2000/09/xmldsig#rsa-sha1
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
http://www.w3.org/2001/04/xmldsig-more#rsa-sha512

Parameters:
signingAlgorithm - The new signing algorithm to use
See Also:
SignatureConstants

setKeyInfoGeneratorName

public void setKeyInfoGeneratorName(String keyInfoGeneratorName)
Sets KeyInfoGenerator used to create KeyInfo elements in metadata and digital signatures. Only valid for local entities.

Parameters:
keyInfoGeneratorName - generator name

getKeyInfoGeneratorName

public String getKeyInfoGeneratorName()
Name of the KeyInfoGenerator registered at default KeyInfoGeneratorManager. Used to generate KeyInfo elements in metadata and signatures.

Returns:
key info generator name
See Also:
Configuration.getGlobalSecurityConfiguration(), SecurityConfiguration.getKeyInfoGeneratorManager()

isSignMetadata

public boolean isSignMetadata()
Flag indicating whether local metadata will be digitally signed.

Returns:
metadata signing flag

setSignMetadata

public void setSignMetadata(boolean signMetadata)
When set to true metadata generated for this entity will be digitally signed by the signing certificate. Only applies to local entities.

Parameters:
signMetadata - metadata signing flag

isSupportUnsolicitedResponse

public boolean isSupportUnsolicitedResponse()
Returns:
true when system should accept unsolicited response messages from this remote entity

setSupportUnsolicitedResponse

public void setSupportUnsolicitedResponse(boolean supportUnsolicitedResponse)
When set to true the system will accept Unsolicited SAML Response messages (IDP-initiated single sign-on) from this remote entity. When disabled such messages are rejected. Unsolicited Responses are enabled by default. An unsolicited Response carries no InResponseTo value tying it to an AuthnRequest issued by this SP, so it cannot be correlated with a pending request; disable the flag for remote entities that do not need IDP-initiated SSO.

Parameters:
supportUnsolicitedResponse - unsolicited response flag
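The following is an added example, not code from the Spring Security SAML project, that ties together the settings documented above: the MetaIOP/PKIX security profiles, the SSL hostname verifier, the signing, encryption, TLS and trusted-key aliases, the logout and artifact signature flags, the metadata signing algorithm, and the unsolicited-response flag. It builds a hardened local SP and a remote IDP using only the setters on this page, then audits the pair with a review function. The class name ExtendedMetadataAudit, the keystore aliases (sp-signing, sp-encryption, sp-tls-client, idp-ca) and the audit rules are the example's own choices; the aliases are placeholders that must exist in the configured key manager, and the rules reflect a reviewer's judgement rather than any check the library performs.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import org.springframework.security.saml.metadata.ExtendedMetadata;

/** Builds a hardened local SP / remote IDP pair and audits the settings (example code). */
public final class ExtendedMetadataAudit {

    // Placeholder keystore aliases (assumption): they must exist in the configured KeyManager.
    static final String SP_SIGNING_ALIAS = "sp-signing";
    static final String SP_ENCRYPTION_ALIAS = "sp-encryption";
    static final String SP_TLS_ALIAS = "sp-tls-client";
    static final String IDP_TRUST_ANCHOR_ALIAS = "idp-ca";

    static final String RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** Local SP: PKIX for message and TLS trust, strict hostname checks, signed logout/artifact exchanges. */
    public static ExtendedMetadata localSp() {
        ExtendedMetadata sp = new ExtendedMetadata();
        sp.setLocal(true);
        sp.setAlias("sp");                        // ASCII only; selects this entity's endpoints
        sp.setSecurityProfile("pkix");            // any value other than "pkix" (case-insensitive) means MetaIOP
        sp.setSslSecurityProfile("pkix");
        sp.setSslHostnameVerification("strict");  // "allowAll" would disable hostname checks entirely
        sp.setSigningKey(SP_SIGNING_ALIAS);       // local entity: private and public key required
        sp.setEncryptionKey(SP_ENCRYPTION_ALIAS); // private key used to decrypt inbound data
        sp.setTlsKey(SP_TLS_ALIAS);               // client certificate for outbound TLS
        sp.setSignMetadata(true);
        sp.setSigningAlgorithm(RSA_SHA256);       // currently only applied to the metadata signature
        sp.setRequireLogoutRequestSigned(true);
        sp.setRequireLogoutResponseSigned(true);
        sp.setRequireArtifactResolveSigned(true);
        sp.setIdpDiscoveryEnabled(false);
        return sp;
    }

    /** Remote IDP: explicit PKIX trust anchors, no IDP-initiated SSO. */
    public static ExtendedMetadata remoteIdp() {
        ExtendedMetadata idp = new ExtendedMetadata();
        idp.setLocal(false);                      // alias stays null for remote entities
        Set<String> anchors = new LinkedHashSet<>();
        anchors.add(IDP_TRUST_ANCHOR_ALIAS);
        idp.setTrustedKeys(anchors);              // null would make every keystore key a trust anchor
        idp.setSupportUnsolicitedResponse(false); // reject Responses that answer no AuthnRequest of ours
        idp.setRequireLogoutRequestSigned(true);
        idp.setRequireLogoutResponseSigned(true);
        return idp;
    }

    /** Returns findings for a local/remote pair; an empty list means the pair passes these checks. */
    public static List<String> audit(ExtendedMetadata local, ExtendedMetadata remote) {
        List<String> findings = new ArrayList<>();
        if (!local.isLocal()) findings.add("local entity is not flagged as local");
        if (local.getAlias() == null) findings.add("local entity has no alias and must be the default to be reachable");
        boolean pkixMessages = "pkix".equalsIgnoreCase(local.getSecurityProfile());
        if (!pkixMessages) findings.add("securityProfile resolves to MetaIOP: no validity or revocation checks");
        if (!"pkix".equalsIgnoreCase(local.getSslSecurityProfile()))
            findings.add("sslSecurityProfile resolves to MetaIOP: TLS peers verified from metadata only");
        if ("allowAll".equalsIgnoreCase(local.getSslHostnameVerification()))
            findings.add("sslHostnameVerification=allowAll: any trusted certificate passes for any host");
        if (RSA_SHA1.equals(local.getSigningAlgorithm())) findings.add("metadata signed with rsa-sha1");
        if (!local.isRequireLogoutRequestSigned() || !local.isRequireLogoutResponseSigned())
            findings.add("unsigned logout messages are accepted");
        if (!local.isRequireArtifactResolveSigned()) findings.add("unsigned artifact resolve messages are accepted");
        if (pkixMessages && (remote.getTrustedKeys() == null || remote.getTrustedKeys().isEmpty()))
            findings.add("PKIX enabled but remote trustedKeys is empty: every keystore key is a trust anchor");
        if (remote.isLocal()) findings.add("remote entity is flagged as local");
        if (remote.getAlias() != null) findings.add("remote entity carries an alias");
        if (remote.isSupportUnsolicitedResponse()) findings.add("unsolicited (IDP-initiated) Responses are accepted");
        return findings;
    }

    public static void main(String[] args) {
        System.out.println("hardened: " + audit(localSp(), remoteIdp()));

        // A pair left at the class defaults plus the permissive hostname verifier, for comparison.
        ExtendedMetadata lax = new ExtendedMetadata();
        lax.setLocal(true);
        lax.setSslHostnameVerification("allowAll");
        System.out.println("lax: " + audit(lax, new ExtendedMetadata()));
    }
}
```

The remote-entity object is normally attached to the IDP's metadata provider through ExtendedMetadataDelegate, a library class not covered on this page; the audit itself only depends on the getters documented here, so it can run over whatever objects the application configures before they are handed to the provider.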

clone

public ExtendedMetadata clone()
Clones the existing metadata object.

Overrides:
clone in class Object
Returns:
clone of the metadata
