Spring Security SAML

org.springframework.security.saml.metadata
Class MetadataGenerator

java.lang.Object
  extended by org.springframework.security.saml.metadata.MetadataGenerator

public class MetadataGenerator
extends Object

The class is responsible for generating service provider metadata describing the application in the current deployment environment. All URLs in the metadata are derived from information in the ServletContext.

Author:
Vladimir Schäfer

Field Summary
protected  org.opensaml.xml.XMLObjectBuilderFactory builderFactory
           
static Collection<String> defaultNameID
           
protected  KeyManager keyManager
           
protected static org.slf4j.Logger log
          Class logger.
protected  SAMLDiscovery samlDiscovery
           
protected  SAMLEntryPoint samlEntryPoint
           
protected  SAMLLogoutProcessingFilter samlLogoutProcessingFilter
           
protected  SAMLProcessingFilter samlWebSSOFilter
          Filters for loading of paths.
protected  SAMLWebSSOHoKProcessingFilter samlWebSSOHoKFilter
           
 
Constructor Summary
MetadataGenerator()
          Default constructor.
 
Method Summary
protected  org.opensaml.saml2.common.Extensions buildExtensions(String entityBaseURL, String entityAlias)
           
protected  org.opensaml.saml2.metadata.SPSSODescriptor buildSPSSODescriptor(String entityBaseURL, String entityAlias, boolean requestSigned, boolean wantAssertionSigned, Collection<String> includedNameID)
           
 ExtendedMetadata generateExtendedMetadata()
          Generates extended metadata.
protected  org.opensaml.xml.signature.KeyInfo generateKeyInfoForCredential(org.opensaml.xml.security.credential.Credential credential)
           
 org.opensaml.saml2.metadata.EntityDescriptor generateMetadata()
           
 int getAssertionConsumerIndex()
           
protected  org.opensaml.saml2.metadata.AssertionConsumerService getAssertionConsumerService(String entityBaseURL, String entityAlias, boolean isDefault, int index, String filterURL, String binding)
           
 Collection<String> getBindingsHoKSSO()
           
 Collection<String> getBindingsSLO()
           
 Collection<String> getBindingsSSO()
           
 String getCustomDiscoveryResponseURL()
           
 String getCustomDiscoveryURL()
           
protected  org.opensaml.samlext.idpdisco.DiscoveryResponse getDiscoveryService(String entityBaseURL, String entityAlias)
           
 String getEntityAlias()
           
 String getEntityBaseURL()
           
 String getEntityId()
           
 ExtendedMetadata getExtendedMetadata()
           
protected  org.opensaml.saml2.metadata.AssertionConsumerService getHoKAssertionConsumerService(String entityBaseURL, String entityAlias, boolean isDefault, int index, String filterURL, String binding)
           
protected  org.opensaml.saml2.metadata.KeyDescriptor getKeyDescriptor(org.opensaml.xml.security.credential.UsageType type, org.opensaml.xml.signature.KeyInfo key)
           
protected  String getKeyInfoGeneratorName()
          Name of the KeyInfoGenerator registered at default KeyInfoGeneratorManager.
 Collection<String> getNameID()
           
protected  Collection<org.opensaml.saml2.metadata.NameIDFormat> getNameIDFormat(Collection<String> includedNameID)
           
protected  org.opensaml.xml.signature.KeyInfo getServerKeyInfo(String alias)
           
protected  org.opensaml.saml2.metadata.SingleLogoutService getSingleLogoutService(String entityBaseURL, String entityAlias, String binding)
           
 String getTlsKey()
           
 boolean isIncludeDiscovery()
           
 boolean isIncludeDiscoveryExtension()
           
 boolean isRequestSigned()
           
 boolean isSignMetadata()
           
 boolean isWantAssertionSigned()
           
protected  Collection<String> mapAliases(Collection<String> values)
          Iterates over all input values and tries to resolve the correct alias for each.
 void setAssertionConsumerIndex(int assertionConsumerIndex)
          The generated assertion consumer service whose index equals the set value will be marked as default.
 void setBindingsHoKSSO(Collection<String> bindingsHoKSSO)
           
 void setBindingsSLO(Collection<String> bindingsSLO)
           
 void setBindingsSSO(Collection<String> bindingsSSO)
           
 void setCustomDiscoveryResponseURL(String customDiscoveryResponseURL)
          Custom value of IDP Discovery response URL to be included in the SP metadata as extension and in extended metadata.
 void setCustomDiscoveryURL(String customDiscoveryURL)
          Custom value of IDP Discovery request URL to be included in the extended metadata.
 void setEncryptionKey(String encryptionKey)
           
 void setEntityAlias(String entityAlias)
           
 void setEntityBaseURL(String entityBaseURL)
           
 void setEntityId(String entityId)
           
 void setExtendedMetadata(ExtendedMetadata extendedMetadata)
          Default value for generation of extended metadata.
 void setIncludeDiscovery(boolean includeDiscovery)
          When true, the system will also automatically generate discoveryRequest and discoveryResponse addresses (or use the values provided as customDiscoveryUrl and customDiscoveryResponseUrl) and store them in the extended metadata.
 void setIncludeDiscoveryExtension(boolean includeDiscoveryExtension)
          When true, discovery profile extension metadata pointing to the default SAMLEntryPoint will be generated and stored in the generated metadata document.
 void setKeyManager(KeyManager keyManager)
           
 void setNameID(Collection<String> nameID)
           
 void setRequestSigned(boolean requestSigned)
           
 void setSamlEntryPoint(SAMLEntryPoint samlEntryPoint)
           
 void setSamlLogoutProcessingFilter(SAMLLogoutProcessingFilter samlLogoutProcessingFilter)
           
 void setSamlWebSSOFilter(SAMLProcessingFilter samlWebSSOFilter)
           
 void setSamlWebSSOHoKFilter(SAMLWebSSOHoKProcessingFilter samlWebSSOHoKFilter)
           
 void setSigningKey(String signingKey)
           
 void setSignMetadata(boolean signMetadata)
           
 void setTlsKey(String tlsKey)
           
 void setWantAssertionSigned(boolean wantAssertionSigned)
           
protected  void signSAMLObject(org.opensaml.common.SAMLObject signableObject, org.opensaml.xml.security.credential.Credential signingCredential)
          Signs the given SAML message if it is a SignableSAMLObject and this encoder has signing credentials.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

defaultNameID

public static final Collection<String> defaultNameID

builderFactory

protected org.opensaml.xml.XMLObjectBuilderFactory builderFactory

keyManager

protected KeyManager keyManager

samlWebSSOFilter

protected SAMLProcessingFilter samlWebSSOFilter
Filters for loading of paths.


samlWebSSOHoKFilter

protected SAMLWebSSOHoKProcessingFilter samlWebSSOHoKFilter

samlLogoutProcessingFilter

protected SAMLLogoutProcessingFilter samlLogoutProcessingFilter

samlEntryPoint

protected SAMLEntryPoint samlEntryPoint

samlDiscovery

protected SAMLDiscovery samlDiscovery

log

protected static final org.slf4j.Logger log
Class logger.

Constructor Detail

MetadataGenerator

public MetadataGenerator()
Default constructor.

Method Detail

generateMetadata

public org.opensaml.saml2.metadata.EntityDescriptor generateMetadata()

getServerKeyInfo

protected org.opensaml.xml.signature.KeyInfo getServerKeyInfo(String alias)

generateExtendedMetadata

public ExtendedMetadata generateExtendedMetadata()
Generates extended metadata. The default extendedMetadata object, if present, is cloned and used for defaults. The following properties are always overridden from the properties of this bean: discoveryUrl, discoveryResponseUrl, signingKey, encryptionKey, entityAlias and tlsKey. The property local of the generated metadata is always set to true.

Returns:
generated extended metadata

generateKeyInfoForCredential

protected org.opensaml.xml.signature.KeyInfo generateKeyInfoForCredential(org.opensaml.xml.security.credential.Credential credential)

buildSPSSODescriptor

protected org.opensaml.saml2.metadata.SPSSODescriptor buildSPSSODescriptor(String entityBaseURL,
                                                                           String entityAlias,
                                                                           boolean requestSigned,
                                                                           boolean wantAssertionSigned,
                                                                           Collection<String> includedNameID)

mapAliases

protected Collection<String> mapAliases(Collection<String> values)
Iterates over all input values and tries to resolve the correct alias for each. When an alias value is found, it is added to the returned collection; otherwise a warning is logged. Values are returned in input order with all duplicates removed.

Parameters:
values - input collection
Returns:
result with resolved aliases

buildExtensions

protected org.opensaml.saml2.common.Extensions buildExtensions(String entityBaseURL,
                                                               String entityAlias)

getKeyDescriptor

protected org.opensaml.saml2.metadata.KeyDescriptor getKeyDescriptor(org.opensaml.xml.security.credential.UsageType type,
                                                                     org.opensaml.xml.signature.KeyInfo key)

getNameIDFormat

protected Collection<org.opensaml.saml2.metadata.NameIDFormat> getNameIDFormat(Collection<String> includedNameID)

getAssertionConsumerService

protected org.opensaml.saml2.metadata.AssertionConsumerService getAssertionConsumerService(String entityBaseURL,
                                                                                           String entityAlias,
                                                                                           boolean isDefault,
                                                                                           int index,
                                                                                           String filterURL,
                                                                                           String binding)

getHoKAssertionConsumerService

protected org.opensaml.saml2.metadata.AssertionConsumerService getHoKAssertionConsumerService(String entityBaseURL,
                                                                                              String entityAlias,
                                                                                              boolean isDefault,
                                                                                              int index,
                                                                                              String filterURL,
                                                                                              String binding)

getDiscoveryService

protected org.opensaml.samlext.idpdisco.DiscoveryResponse getDiscoveryService(String entityBaseURL,
                                                                              String entityAlias)

getSingleLogoutService

protected org.opensaml.saml2.metadata.SingleLogoutService getSingleLogoutService(String entityBaseURL,
                                                                                 String entityAlias,
                                                                                 String binding)

setSamlWebSSOFilter

@Autowired(required=false)
@Qualifier(value="samlWebSSOProcessingFilter")
public void setSamlWebSSOFilter(SAMLProcessingFilter samlWebSSOFilter)

setSamlWebSSOHoKFilter

@Autowired(required=false)
@Qualifier(value="samlWebSSOHoKProcessingFilter")
public void setSamlWebSSOHoKFilter(SAMLWebSSOHoKProcessingFilter samlWebSSOHoKFilter)

setSamlLogoutProcessingFilter

@Autowired(required=false)
public void setSamlLogoutProcessingFilter(SAMLLogoutProcessingFilter samlLogoutProcessingFilter)

setSamlEntryPoint

@Autowired(required=false)
public void setSamlEntryPoint(SAMLEntryPoint samlEntryPoint)

signSAMLObject

protected void signSAMLObject(org.opensaml.common.SAMLObject signableObject,
                              org.opensaml.xml.security.credential.Credential signingCredential)
                       throws org.opensaml.ws.message.encoder.MessageEncodingException
Signs the given SAML message if it is a SignableSAMLObject and this encoder has signing credentials.

Parameters:
signableObject - object to sign
signingCredential - credential to sign with
Throws:
org.opensaml.ws.message.encoder.MessageEncodingException - thrown if there is a problem marshalling or signing the outbound message

getKeyInfoGeneratorName

protected String getKeyInfoGeneratorName()
Name of the KeyInfoGenerator registered at default KeyInfoGeneratorManager.

Returns:
key info generator name
See Also:
Configuration.getGlobalSecurityConfiguration(), SecurityConfiguration.getKeyInfoGeneratorManager()

isRequestSigned

public boolean isRequestSigned()

setRequestSigned

public void setRequestSigned(boolean requestSigned)

isWantAssertionSigned

public boolean isWantAssertionSigned()

setWantAssertionSigned

public void setWantAssertionSigned(boolean wantAssertionSigned)

isSignMetadata

public boolean isSignMetadata()

setSignMetadata

public void setSignMetadata(boolean signMetadata)

getNameID

public Collection<String> getNameID()

setNameID

public void setNameID(Collection<String> nameID)

getEntityBaseURL

public String getEntityBaseURL()

getEntityAlias

public String getEntityAlias()

setEntityAlias

public void setEntityAlias(String entityAlias)

setEntityBaseURL

public void setEntityBaseURL(String entityBaseURL)

setKeyManager

@Autowired
public void setKeyManager(KeyManager keyManager)

setSigningKey

public void setSigningKey(String signingKey)

setEncryptionKey

public void setEncryptionKey(String encryptionKey)

setEntityId

public void setEntityId(String entityId)

getEntityId

public String getEntityId()

getTlsKey

public String getTlsKey()

setTlsKey

public void setTlsKey(String tlsKey)

getBindingsSSO

public Collection<String> getBindingsSSO()

setBindingsSSO

public void setBindingsSSO(Collection<String> bindingsSSO)

getBindingsSLO

public Collection<String> getBindingsSLO()

setBindingsSLO

public void setBindingsSLO(Collection<String> bindingsSLO)

getBindingsHoKSSO

public Collection<String> getBindingsHoKSSO()

setBindingsHoKSSO

public void setBindingsHoKSSO(Collection<String> bindingsHoKSSO)

isIncludeDiscoveryExtension

public boolean isIncludeDiscoveryExtension()

setIncludeDiscoveryExtension

public void setIncludeDiscoveryExtension(boolean includeDiscoveryExtension)
When true, discovery profile extension metadata pointing to the default SAMLEntryPoint will be generated and stored in the generated metadata document.

Parameters:
includeDiscoveryExtension - flag indicating whether IDP discovery should be enabled

setIncludeDiscovery

public void setIncludeDiscovery(boolean includeDiscovery)
When true, the system will also automatically generate discoveryRequest and discoveryResponse addresses (or use the values provided as customDiscoveryUrl and customDiscoveryResponseUrl) and store them in the extended metadata.

Parameters:
includeDiscovery - true when user should be redirected to discovery service during SSO initialization

isIncludeDiscovery

public boolean isIncludeDiscovery()

getAssertionConsumerIndex

public int getAssertionConsumerIndex()

setAssertionConsumerIndex

public void setAssertionConsumerIndex(int assertionConsumerIndex)
The generated assertion consumer service whose index equals the set value will be marked as default.

Parameters:
assertionConsumerIndex - assertion consumer index of service to mark as default

setCustomDiscoveryURL

public void setCustomDiscoveryURL(String customDiscoveryURL)
Custom value of IDP Discovery request URL to be included in the extended metadata. Only used when includeDiscovery is set to true.

Parameters:
customDiscoveryURL - custom discovery request URL

getCustomDiscoveryURL

public String getCustomDiscoveryURL()

setCustomDiscoveryResponseURL

public void setCustomDiscoveryResponseURL(String customDiscoveryResponseURL)
Custom value of IDP Discovery response URL to be included in the SP metadata as extension and in extended metadata. Only used when includeDiscovery is set to true.

Parameters:
customDiscoveryResponseURL - custom discovery response URL

getCustomDiscoveryResponseURL

public String getCustomDiscoveryResponseURL()

getExtendedMetadata

public ExtendedMetadata getExtendedMetadata()

setExtendedMetadata

public void setExtendedMetadata(ExtendedMetadata extendedMetadata)
Default value for generation of extended metadata. The value is cloned on each request to generate a new ExtendedMetadata object.

Parameters:
extendedMetadata - default extended metadata or null
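The following Spring configuration, added here as an illustration rather than taken from the library's own documentation, shows how the setters above combine with generateExtendedMetadata(): the bean's signingKey, encryptionKey and tlsKey are resolved against the KeyManager aliases and always override the cloned ExtendedMetadata defaults. It assumes a KeyManager bean exists in the context (MetadataGenerator autowires it), and that the entity ID, base URL and key alias names are constructed sample values; MetadataGeneratorFilter and the ExtendedMetadata setters used are library classes not listed on this page.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.MetadataGenerator;
import org.springframework.security.saml.metadata.MetadataGeneratorFilter;

@Configuration
public class SpMetadataConfig {

    @Bean
    public MetadataGenerator metadataGenerator() {
        MetadataGenerator generator = new MetadataGenerator();
        // Constructed sample identity; entityBaseURL replaces the ServletContext-derived URLs.
        generator.setEntityId("urn:example:sp");
        generator.setEntityBaseURL("https://sp.example.com/app");

        // Integrity settings: sign outgoing AuthnRequests, require the IdP to sign
        // assertions, and sign the published metadata so the IdP can verify its origin.
        generator.setRequestSigned(true);
        generator.setWantAssertionSigned(true);
        generator.setSignMetadata(true);

        // Assumed alias names in the KeyManager; mapAliases() logs a warning and drops
        // any alias that cannot be resolved, so a typo here silently weakens the metadata.
        generator.setSigningKey("sp-signing");
        generator.setEncryptionKey("sp-encryption");
        generator.setTlsKey("sp-tls");

        // Advertise only the bindings this SP actually handles.
        generator.setBindingsSSO(Arrays.asList("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"));
        generator.setBindingsSLO(Arrays.asList("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                                               "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"));
        generator.setNameID(Arrays.asList("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"));
        generator.setAssertionConsumerIndex(0); // first ACS is marked as the default

        // No IdP discovery: neither the extended-metadata addresses nor the metadata extension.
        generator.setIncludeDiscovery(false);
        generator.setIncludeDiscoveryExtension(false);

        // Defaults that are cloned on each generateExtendedMetadata() call; the key aliases
        // and entityAlias set above are always written over whatever is configured here.
        ExtendedMetadata defaults = new ExtendedMetadata();
        defaults.setRequireLogoutRequestSigned(true);
        defaults.setRequireLogoutResponseSigned(true);
        generator.setExtendedMetadata(defaults);
        return generator;
    }

    @Bean
    public MetadataGeneratorFilter metadataGeneratorFilter() {
        return new MetadataGeneratorFilter(metadataGenerator());
    }
}
```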
