Spring Security SAML

org.springframework.security.saml.websso
Class WebSSOProfileConsumerHoKImpl

java.lang.Object
  extended by org.springframework.security.saml.websso.AbstractProfileBase
      extended by org.springframework.security.saml.websso.WebSSOProfileConsumerImpl
          extended by org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl
All Implemented Interfaces:
org.springframework.beans.factory.InitializingBean, WebSSOProfileConsumer

public class WebSSOProfileConsumerHoKImpl
extends WebSSOProfileConsumerImpl
implements WebSSOProfileConsumer

Class implements processing of the SAML Holder-of-Key Browser SSO profile as per http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso-cs-02.pdf.

Author:
Vladimir Schäfer

Field Summary
 
Fields inherited from class org.springframework.security.saml.websso.AbstractProfileBase
artifactMap, builderFactory, metadata, processor
 
Constructor Summary
WebSSOProfileConsumerHoKImpl()
           
 
Method Summary
 String getProfileIdentifier()
          Implementations are expected to provide a unique identifier for the profile this class implements.
protected  String getUserAgentBase64Certificate(SAMLMessageContext context)
          Locates the user agent certificate used for SSL/TLS client authentication and base64-encodes it for comparison during HoK subject confirmation.
protected  void verifySubject(org.opensaml.saml2.core.Subject subject, org.opensaml.saml2.core.AuthnRequest request, SAMLMessageContext context)
          Verifies validity of Subject element as per http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml2-holder-of-key-cs-02.pdf and http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso-cs-02.pdf.
 
Methods inherited from class org.springframework.security.saml.websso.WebSSOProfileConsumerImpl
getMaxAuthenticationAge, processAdditionalData, processAuthenticationResponse, setMaxAuthenticationAge, verifyAssertion, verifyAssertionConditions, verifyAssertionSignature, verifyAuthenticationStatement, verifyAuthnContext, verifyConditions
 
Methods inherited from class org.springframework.security.saml.websso.AbstractProfileBase
afterPropertiesSet, buildCommonAttributes, generateID, getEndpointBinding, getIssuer, getMaxAssertionTime, getResponseSkew, getStatus, isEndpointMatching, sendMessage, sendMessage, setArtifactMap, setMaxAssertionTime, setMetadata, setProcessor, setResponseSkew, verifyEndpoint, verifyIssuer, verifySignature
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 
Methods inherited from interface org.springframework.security.saml.websso.WebSSOProfileConsumer
processAuthenticationResponse
 

Constructor Detail

WebSSOProfileConsumerHoKImpl

public WebSSOProfileConsumerHoKImpl()

Method Detail

getProfileIdentifier

public String getProfileIdentifier()
Description copied from class: AbstractProfileBase
Implementations are expected to provide a unique identifier for the profile this class implements.

Overrides:
getProfileIdentifier in class WebSSOProfileConsumerImpl
Returns:
profile name

verifySubject

protected void verifySubject(org.opensaml.saml2.core.Subject subject,
                             org.opensaml.saml2.core.AuthnRequest request,
                             SAMLMessageContext context)
                      throws org.opensaml.common.SAMLException,
                             org.opensaml.xml.encryption.DecryptionException
Verifies validity of Subject element as per http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml2-holder-of-key-cs-02.pdf and http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso-cs-02.pdf.

Only verification based on the X509Certificate content of the X509Data in KeyInfo is supported. The subject is deemed confirmed when at least one of the certificates present in the SubjectConfirmation matches the one used in TLS/SSL client authentication. No verification of the trust or validity of the certificate itself is performed.

Overrides:
verifySubject in class WebSSOProfileConsumerImpl
Parameters:
subject - subject to validate
request - the authentication request the response answers
context - the SAML message context
Throws:
org.opensaml.common.SAMLException - error validating the object
org.opensaml.xml.encryption.DecryptionException - in case the NameID can't be decrypted

getUserAgentBase64Certificate

protected String getUserAgentBase64Certificate(SAMLMessageContext context)
                                        throws org.opensaml.common.SAMLException
Locates the user agent certificate used for SSL/TLS client authentication and base64-encodes it for comparison during HoK subject confirmation. The method fails when the certificate can't be obtained or encoded.

Parameters:
context - context expected to contain the certificate in its peerSSLCredential field
Returns:
base64 encoded peer certificate
Throws:
org.opensaml.common.SAMLException - in case certificate is missing or can't be encoded
