Spring Security SAML

org.springframework.security.saml.metadata
Class MetadataGenerator

java.lang.Object
  extended by org.springframework.security.saml.metadata.MetadataGenerator

public class MetadataGenerator
extends Object

This class generates service provider metadata describing the application in the current deployment environment. All URLs in the metadata are derived from information in the ServletContext.

Author:
Vladimir Schäfer

Field Summary
protected  org.opensaml.xml.XMLObjectBuilderFactory builderFactory
           
static Collection<String> defaultNameID
          Default set of NameIDs included in metadata.
protected  KeyManager keyManager
          Source of certificates.
protected static org.slf4j.Logger log
          Class logger.
protected  SAMLDiscovery samlDiscovery
           
protected  SAMLEntryPoint samlEntryPoint
           
protected  SAMLLogoutProcessingFilter samlLogoutProcessingFilter
           
protected  SAMLProcessingFilter samlWebSSOFilter
          Filters for loading of paths.
protected  SAMLWebSSOHoKProcessingFilter samlWebSSOHoKFilter
           
 
Constructor Summary
MetadataGenerator()
          Default constructor.
 
Method Summary
protected  org.opensaml.saml2.common.Extensions buildExtensions(String entityBaseURL, String entityAlias)
           
protected  org.opensaml.saml2.metadata.SPSSODescriptor buildSPSSODescriptor(String entityBaseURL, String entityAlias, boolean requestSigned, boolean wantAssertionSigned, Collection<String> includedNameID)
           
 ExtendedMetadata generateExtendedMetadata()
          Generates extended metadata.
protected  org.opensaml.xml.signature.KeyInfo generateKeyInfoForCredential(org.opensaml.xml.security.credential.Credential credential)
           
 org.opensaml.saml2.metadata.EntityDescriptor generateMetadata()
           
 int getAssertionConsumerIndex()
           
protected  org.opensaml.saml2.metadata.AssertionConsumerService getAssertionConsumerService(String entityBaseURL, String entityAlias, boolean isDefault, int index, String filterURL, String binding)
           
 Collection<String> getBindingsHoKSSO()
           
 Collection<String> getBindingsSLO()
           
 Collection<String> getBindingsSSO()
           
protected  String getDiscoveryResponseURL(String entityBaseURL, String entityAlias)
          Provides the configured discovery response URL, or generates a default when none was provided.
protected  org.opensaml.samlext.idpdisco.DiscoveryResponse getDiscoveryService(String entityBaseURL, String entityAlias)
           
protected  String getDiscoveryURL(String entityBaseURL, String entityAlias)
          Provides the configured discovery request URL, or generates a default when none was provided.
protected  String getEncryptionKey()
          Provides key used for encryption from extended metadata.
protected  String getEntityAlias()
          Provides entity alias from extended metadata, or null when metadata isn't specified or contains null.
 String getEntityBaseURL()
           
 String getEntityId()
           
 ExtendedMetadata getExtendedMetadata()
          Extended metadata which contains details on configuration of the generated service provider metadata.
protected  org.opensaml.saml2.metadata.AssertionConsumerService getHoKAssertionConsumerService(String entityBaseURL, String entityAlias, boolean isDefault, int index, String filterURL, String binding)
           
 String getId()
           
protected  org.opensaml.saml2.metadata.KeyDescriptor getKeyDescriptor(org.opensaml.xml.security.credential.UsageType type, org.opensaml.xml.signature.KeyInfo key)
           
 Collection<String> getNameID()
           
protected  Collection<org.opensaml.saml2.metadata.NameIDFormat> getNameIDFormat(Collection<String> includedNameID)
           
protected  org.opensaml.xml.signature.KeyInfo getServerKeyInfo(String alias)
           
protected  String getSigningKey()
          Provides key used for signing from extended metadata.
protected  org.opensaml.saml2.metadata.SingleLogoutService getSingleLogoutService(String entityBaseURL, String entityAlias, String binding)
           
protected  String getTLSKey()
          Provides key used for SSL/TLS from extended metadata.
protected  boolean isIncludeDiscovery()
          True when IDP discovery is enabled either on local property includeDiscovery or property idpDiscoveryEnabled in the extended metadata.
 boolean isIncludeDiscoveryExtension()
           
 boolean isRequestSigned()
           
 boolean isWantAssertionSigned()
           
protected  Collection<String> mapAliases(Collection<String> values)
          Iterates over all input values and tries to resolve the correct alias for each.
 void setAssertionConsumerIndex(int assertionConsumerIndex)
          The generated assertion consumer service whose index equals the set value will be marked as default.
 void setBindingsHoKSSO(Collection<String> bindingsHoKSSO)
          List of bindings to be included in the generated metadata for Web Single Sign-On Holder of Key.
 void setBindingsSLO(Collection<String> bindingsSLO)
          List of bindings to be included in the generated metadata for Single Logout.
 void setBindingsSSO(Collection<String> bindingsSSO)
          List of bindings to be included in the generated metadata for Web Single Sign-On.
 void setEntityBaseURL(String entityBaseURL)
           
 void setEntityId(String entityId)
           
 void setExtendedMetadata(ExtendedMetadata extendedMetadata)
          Default value for generation of extended metadata.
 void setId(String id)
           
 void setIncludeDiscoveryExtension(boolean includeDiscoveryExtension)
          When true, discovery profile extension metadata pointing to the default SAMLEntryPoint will be generated and stored in the generated metadata document.
 void setKeyManager(KeyManager keyManager)
           
 void setNameID(Collection<String> nameID)
           
 void setRequestSigned(boolean requestSigned)
           
 void setSamlEntryPoint(SAMLEntryPoint samlEntryPoint)
           
 void setSamlLogoutProcessingFilter(SAMLLogoutProcessingFilter samlLogoutProcessingFilter)
           
 void setSamlWebSSOFilter(SAMLProcessingFilter samlWebSSOFilter)
           
 void setSamlWebSSOHoKFilter(SAMLWebSSOHoKProcessingFilter samlWebSSOHoKFilter)
           
 void setWantAssertionSigned(boolean wantAssertionSigned)
           
protected  void validateRequiredAttributes(String entityId, String entityBaseURL)
           
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

defaultNameID

public static final Collection<String> defaultNameID
Default set of NameIDs included in metadata.


builderFactory

protected org.opensaml.xml.XMLObjectBuilderFactory builderFactory

keyManager

protected KeyManager keyManager
Source of certificates.


samlWebSSOFilter

protected SAMLProcessingFilter samlWebSSOFilter
Filters for loading of paths.


samlWebSSOHoKFilter

protected SAMLWebSSOHoKProcessingFilter samlWebSSOHoKFilter

samlLogoutProcessingFilter

protected SAMLLogoutProcessingFilter samlLogoutProcessingFilter

samlEntryPoint

protected SAMLEntryPoint samlEntryPoint

samlDiscovery

protected SAMLDiscovery samlDiscovery

log

protected static final org.slf4j.Logger log
Class logger.

Constructor Detail

MetadataGenerator

public MetadataGenerator()
Default constructor.

Method Detail

generateMetadata

public org.opensaml.saml2.metadata.EntityDescriptor generateMetadata()

validateRequiredAttributes

protected void validateRequiredAttributes(String entityId,
                                          String entityBaseURL)

getServerKeyInfo

protected org.opensaml.xml.signature.KeyInfo getServerKeyInfo(String alias)

generateExtendedMetadata

public ExtendedMetadata generateExtendedMetadata()
Generates extended metadata. The default extendedMetadata object, if present, is cloned and used for defaults. The following properties are always overridden from the properties of this bean: discoveryUrl, discoveryResponseUrl, signingKey, encryptionKey, entityAlias and tlsKey. The local property of the generated metadata is always set to true.

Returns:
generated extended metadata

generateKeyInfoForCredential

protected org.opensaml.xml.signature.KeyInfo generateKeyInfoForCredential(org.opensaml.xml.security.credential.Credential credential)

buildSPSSODescriptor

protected org.opensaml.saml2.metadata.SPSSODescriptor buildSPSSODescriptor(String entityBaseURL,
                                                                           String entityAlias,
                                                                           boolean requestSigned,
                                                                           boolean wantAssertionSigned,
                                                                           Collection<String> includedNameID)

mapAliases

protected Collection<String> mapAliases(Collection<String> values)
Iterates over all input values and tries to resolve the correct alias for each. When an alias value is found it is added to the returned collection; otherwise a warning is logged. Values are returned in input order with duplicates removed.

Parameters:
values - input collection
Returns:
result with resolved aliases

buildExtensions

protected org.opensaml.saml2.common.Extensions buildExtensions(String entityBaseURL,
                                                               String entityAlias)

getKeyDescriptor

protected org.opensaml.saml2.metadata.KeyDescriptor getKeyDescriptor(org.opensaml.xml.security.credential.UsageType type,
                                                                     org.opensaml.xml.signature.KeyInfo key)

getNameIDFormat

protected Collection<org.opensaml.saml2.metadata.NameIDFormat> getNameIDFormat(Collection<String> includedNameID)

getAssertionConsumerService

protected org.opensaml.saml2.metadata.AssertionConsumerService getAssertionConsumerService(String entityBaseURL,
                                                                                           String entityAlias,
                                                                                           boolean isDefault,
                                                                                           int index,
                                                                                           String filterURL,
                                                                                           String binding)

getHoKAssertionConsumerService

protected org.opensaml.saml2.metadata.AssertionConsumerService getHoKAssertionConsumerService(String entityBaseURL,
                                                                                              String entityAlias,
                                                                                              boolean isDefault,
                                                                                              int index,
                                                                                              String filterURL,
                                                                                              String binding)

getDiscoveryService

protected org.opensaml.samlext.idpdisco.DiscoveryResponse getDiscoveryService(String entityBaseURL,
                                                                              String entityAlias)

getSingleLogoutService

protected org.opensaml.saml2.metadata.SingleLogoutService getSingleLogoutService(String entityBaseURL,
                                                                                 String entityAlias,
                                                                                 String binding)

setSamlWebSSOFilter

@Autowired(required=false)
@Qualifier(value="samlWebSSOProcessingFilter")
public void setSamlWebSSOFilter(SAMLProcessingFilter samlWebSSOFilter)

setSamlWebSSOHoKFilter

@Autowired(required=false)
@Qualifier(value="samlWebSSOHoKProcessingFilter")
public void setSamlWebSSOHoKFilter(SAMLWebSSOHoKProcessingFilter samlWebSSOHoKFilter)

setSamlLogoutProcessingFilter

@Autowired(required=false)
public void setSamlLogoutProcessingFilter(SAMLLogoutProcessingFilter samlLogoutProcessingFilter)

setSamlEntryPoint

@Autowired(required=false)
public void setSamlEntryPoint(SAMLEntryPoint samlEntryPoint)

isRequestSigned

public boolean isRequestSigned()

setRequestSigned

public void setRequestSigned(boolean requestSigned)

isWantAssertionSigned

public boolean isWantAssertionSigned()

setWantAssertionSigned

public void setWantAssertionSigned(boolean wantAssertionSigned)

getNameID

public Collection<String> getNameID()

setNameID

public void setNameID(Collection<String> nameID)

getEntityBaseURL

public String getEntityBaseURL()

setEntityBaseURL

public void setEntityBaseURL(String entityBaseURL)

setKeyManager

@Autowired
public void setKeyManager(KeyManager keyManager)

setId

public void setId(String id)

getId

public String getId()

setEntityId

public void setEntityId(String entityId)

getEntityId

public String getEntityId()

getBindingsSSO

public Collection<String> getBindingsSSO()

setBindingsSSO

public void setBindingsSSO(Collection<String> bindingsSSO)
List of bindings to be included in the generated metadata for Web Single Sign-On. Ordering of bindings affects inclusion in the generated metadata. Supported values are: "artifact" (or "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"), "post" (or "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST") and "paos" (or "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"). The following bindings are included by default: "artifact", "post".

Parameters:
bindingsSSO - bindings for web single sign-on

getBindingsSLO

public Collection<String> getBindingsSLO()

setBindingsSLO

public void setBindingsSLO(Collection<String> bindingsSLO)
List of bindings to be included in the generated metadata for Single Logout. Ordering of bindings affects inclusion in the generated metadata. Supported values are: "post" (or "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST") and "redirect" (or "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"). The following bindings are included by default: "post", "redirect".

Parameters:
bindingsSLO - bindings for single logout

getBindingsHoKSSO

public Collection<String> getBindingsHoKSSO()

setBindingsHoKSSO

public void setBindingsHoKSSO(Collection<String> bindingsHoKSSO)
List of bindings to be included in the generated metadata for Web Single Sign-On Holder of Key. Ordering of bindings affects inclusion in the generated metadata. Supported values are: "artifact" (or "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact") and "post" (or "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"). By default there are no included bindings for the profile.

Parameters:
bindingsHoKSSO - bindings for web single sign-on holder-of-key

isIncludeDiscoveryExtension

public boolean isIncludeDiscoveryExtension()

setIncludeDiscoveryExtension

public void setIncludeDiscoveryExtension(boolean includeDiscoveryExtension)
When true, discovery profile extension metadata pointing to the default SAMLEntryPoint will be generated and stored in the generated metadata document.

Parameters:
includeDiscoveryExtension - flag indicating whether IDP discovery should be enabled

getAssertionConsumerIndex

public int getAssertionConsumerIndex()

setAssertionConsumerIndex

public void setAssertionConsumerIndex(int assertionConsumerIndex)
The generated assertion consumer service whose index equals the set value will be marked as default. Use a negative value to skip the default attribute altogether.

Parameters:
assertionConsumerIndex - assertion consumer index of service to mark as default

isIncludeDiscovery

protected boolean isIncludeDiscovery()
True when IDP discovery is enabled either on local property includeDiscovery or property idpDiscoveryEnabled in the extended metadata.

Returns:
true when discovery is enabled

getDiscoveryURL

protected String getDiscoveryURL(String entityBaseURL,
                                 String entityAlias)
Provides the configured discovery request URL, or generates a default when none was provided. The value set on the extendedMetadata property idpDiscoveryURL is used first; when empty, the local property customDiscoveryURL is used; when that is also empty, the URL is generated automatically.

Parameters:
entityBaseURL - base URL for generation of endpoints
entityAlias - alias of entity, or null when there's no alias required
Returns:
URL to use for IDP discovery request

getDiscoveryResponseURL

protected String getDiscoveryResponseURL(String entityBaseURL,
                                         String entityAlias)
Provides the configured discovery response URL, or generates a default when none was provided. The value set on the extendedMetadata property idpDiscoveryResponseURL is used first; when empty, the local property customDiscoveryResponseURL is used; when that is also empty, the URL is generated automatically.

Parameters:
entityBaseURL - base URL for generation of endpoints
entityAlias - alias of entity, or null when there's no alias required
Returns:
URL to use for IDP discovery response

getSigningKey

protected String getSigningKey()
Provides the key used for signing from extended metadata. Uses the default key when no key is specified.

Returns:
signing key

getEncryptionKey

protected String getEncryptionKey()
Provides the key used for encryption from extended metadata. Uses the default key when no key is specified.

Returns:
encryption key

getTLSKey

protected String getTLSKey()
Provides the key used for SSL/TLS from extended metadata. Returns null when no key is specified.

Returns:
tls key

getEntityAlias

protected String getEntityAlias()
Provides entity alias from extended metadata, or null when metadata isn't specified or contains null.

Returns:
entity alias

getExtendedMetadata

public ExtendedMetadata getExtendedMetadata()
Extended metadata which contains details on configuration of the generated service provider metadata.

Returns:
extended metadata

setExtendedMetadata

public void setExtendedMetadata(ExtendedMetadata extendedMetadata)
Default value for generation of extended metadata. Value is cloned upon each request to generate new ExtendedMetadata object.

Parameters:
extendedMetadata - default extended metadata or null
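A Spring Java configuration that wires this class with explicit settings, as an added example (not part of this Javadoc or the project's own code). It assumes a KeyManager bean is already defined; the entity ID, base URL and keystore aliases are placeholders, and ExtendedMetadata's setSigningKey/setEncryptionKey/setSignMetadata/setIdpDiscoveryEnabled and the MetadataGeneratorFilter constructor are taken from the library rather than from this page.

```java
import java.util.Arrays;
import java.util.Collections;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.MetadataGenerator;
import org.springframework.security.saml.metadata.MetadataGeneratorFilter;

// Entity ID, base URL and keystore aliases below are placeholders for this example.
@Configuration
public class SpMetadataConfig {

    // Defaults for the generated ExtendedMetadata. MetadataGenerator clones this object
    // and then overrides signingKey, encryptionKey, tlsKey, entityAlias and the discovery
    // URLs from its own properties (see generateExtendedMetadata).
    @Bean
    public ExtendedMetadata spExtendedMetadata() {
        ExtendedMetadata em = new ExtendedMetadata();
        em.setSigningKey("sp-signing");        // alias of the key that signs requests and metadata
        em.setEncryptionKey("sp-encryption");  // alias of the key IdPs encrypt assertions to
        em.setSignMetadata(true);              // publish signed metadata
        em.setIdpDiscoveryEnabled(false);      // no IDP discovery endpoints
        return em;
    }

    @Bean
    public MetadataGenerator metadataGenerator(KeyManager keyManager) {
        MetadataGenerator generator = new MetadataGenerator();
        generator.setEntityId("https://sp.example.test/saml/metadata");
        // Pin the base URL rather than deriving it from the deployment context, so the
        // AssertionConsumerService and SingleLogoutService endpoints are fixed values.
        generator.setEntityBaseURL("https://sp.example.test");
        generator.setKeyManager(keyManager);
        generator.setExtendedMetadata(spExtendedMetadata());
        generator.setRequestSigned(true);        // AuthnRequestsSigned="true"
        generator.setWantAssertionSigned(true);  // WantAssertionsSigned="true"
        // Advertise only the bindings in use; the default SSO list also includes "artifact".
        generator.setBindingsSSO(Arrays.asList("post"));
        generator.setBindingsSLO(Arrays.asList("post", "redirect"));
        generator.setBindingsHoKSSO(Collections.<String>emptyList());
        // NameID formats are assumed here to be passed as full URNs.
        generator.setNameID(Arrays.asList("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"));
        generator.setAssertionConsumerIndex(0);        // first ACS carries isDefault="true"
        generator.setIncludeDiscoveryExtension(false);
        return generator;
    }

    // Generates the SP metadata on first request and registers it with the MetadataManager.
    @Bean
    public MetadataGeneratorFilter metadataGeneratorFilter(MetadataGenerator generator) {
        return new MetadataGeneratorFilter(generator);
    }
}
```

After deployment, compare the published EntityDescriptor against these settings (AuthnRequestsSigned, WantAssertionsSigned, the listed bindings and the KeyDescriptor certificates) before handing it to an identity provider.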
