Spring Security SAML

org.springframework.security.saml.websso
Class WebSSOProfileImpl

java.lang.Object
  extended by org.springframework.security.saml.websso.AbstractProfileBase
      extended by org.springframework.security.saml.websso.WebSSOProfileImpl
All Implemented Interfaces:
org.springframework.beans.factory.InitializingBean, WebSSOProfile
Direct Known Subclasses:
WebSSOProfileECPImpl, WebSSOProfileHoKImpl

public class WebSSOProfileImpl
extends AbstractProfileBase
implements WebSSOProfile

This class implements the WebSSO profile: it offers SP-initiated SSO and processes the Response coming from the IDP, whether for SP-initiated or IDP-initiated SSO. The HTTP-POST and HTTP-Redirect bindings are supported.

Author:
Vladimir Schafer

Field Summary
 
Fields inherited from class org.springframework.security.saml.websso.AbstractProfileBase
artifactMap, builderFactory, log, metadata, processor
 
Constructor Summary
WebSSOProfileImpl()
           
WebSSOProfileImpl(SAMLProcessor processor, MetadataManager manager)
           
 
Method Summary
protected  void buildAuthnContext(org.opensaml.saml2.core.AuthnRequest request, WebSSOProfileOptions options)
          Fills the request with required AuthNContext according to selected options.
protected  org.opensaml.saml2.core.IDPList buildIDPList(Set<String> idpEntityNames, org.opensaml.saml2.metadata.SingleSignOnService serviceURI)
          Builds an IdP List out of the idpEntityNames
protected  void buildReturnAddress(org.opensaml.saml2.core.AuthnRequest request, org.opensaml.saml2.metadata.AssertionConsumerService service)
          Fills the request with assertion consumer service url and protocol binding based on assertionConsumer to be used to deliver response from the IDP.
protected  void buildScoping(org.opensaml.saml2.core.AuthnRequest request, org.opensaml.saml2.metadata.SingleSignOnService serviceURI, WebSSOProfileOptions options)
          Fills the request with information about scoping, including IDP in the scope IDP List.
protected  void builNameIDPolicy(org.opensaml.saml2.core.AuthnRequest request, WebSSOProfileOptions options)
          Fills the request with the NameIDPolicy element according to the selected options.
protected  org.opensaml.saml2.metadata.AssertionConsumerService getAssertionConsumerService(WebSSOProfileOptions options, org.opensaml.saml2.metadata.IDPSSODescriptor idpSSODescriptor, org.opensaml.saml2.metadata.SPSSODescriptor spDescriptor)
          Determines the endpoint to which the identity provider should return the SAML message.
protected  org.opensaml.saml2.core.AuthnRequest getAuthnRequest(SAMLMessageContext context, WebSSOProfileOptions options, org.opensaml.saml2.metadata.AssertionConsumerService assertionConsumer, org.opensaml.saml2.metadata.SingleSignOnService bindingService)
          Returns AuthnRequest SAML message to be used to demand authentication from an IDP described using idpEntityDescriptor, with an expected response to the assertionConsumer address.
 String getProfileIdentifier()
          Implementations are expected to provide a unique identifier for the profile this class implements.
protected  org.opensaml.saml2.metadata.SingleSignOnService getSingleSignOnService(WebSSOProfileOptions options, org.opensaml.saml2.metadata.IDPSSODescriptor idpssoDescriptor, org.opensaml.saml2.metadata.SPSSODescriptor spDescriptor)
          Method determines SingleSignOn service (and thus binding) to be used to deliver AuthnRequest to the IDP.
protected  String getSPNameQualifier()
          SAML-Core line 2218: specifies that the returned subject identifier should be in the namespace of the given SP.
protected  boolean isEndpointSupported(org.opensaml.saml2.metadata.AssertionConsumerService endpoint)
          Determines whether given AssertionConsumerService can be used to deliver messages consumable by this profile.
protected  boolean isEndpointSupported(org.opensaml.saml2.metadata.SingleSignOnService endpoint)
          Determines whether given SingleSignOn service can be used together with this profile.
 void sendAuthenticationRequest(SAMLMessageContext context, WebSSOProfileOptions options)
          Initializes SSO by creating AuthnRequest assertion and sending it to the IDP using the default binding.
 
Methods inherited from class org.springframework.security.saml.websso.AbstractProfileBase
afterPropertiesSet, buildCommonAttributes, generateID, getEndpointBinding, getIssuer, getMaxAssertionTime, getResponseSkew, getStatus, isEndpointMatching, sendMessage, sendMessage, setArtifactMap, setMaxAssertionTime, setMetadata, setProcessor, setResponseSkew, verifyEndpoint, verifyIssuer, verifySignature
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

WebSSOProfileImpl

public WebSSOProfileImpl()

WebSSOProfileImpl

public WebSSOProfileImpl(SAMLProcessor processor,
                         MetadataManager manager)
Method Detail

getProfileIdentifier

public String getProfileIdentifier()
Description copied from class: AbstractProfileBase
Implementations are expected to provide a unique identifier for the profile this class implements.

Specified by:
getProfileIdentifier in class AbstractProfileBase
Returns:
profile name

sendAuthenticationRequest

public void sendAuthenticationRequest(SAMLMessageContext context,
                                      WebSSOProfileOptions options)
                               throws org.opensaml.common.SAMLException,
                                      org.opensaml.saml2.metadata.provider.MetadataProviderException,
                                      org.opensaml.ws.message.encoder.MessageEncodingException
Initializes SSO by creating an AuthnRequest message and sending it to the IDP using the default binding. The default IDP is used to send the request.

Specified by:
sendAuthenticationRequest in interface WebSSOProfile
Parameters:
options - values specified by caller to customize format of sent request
Throws:
org.opensaml.common.SAMLException - error initializing SSO
org.opensaml.common.SAMLRuntimeException - in case context doesn't contain required entities or contains invalid data
org.opensaml.saml2.metadata.provider.MetadataProviderException - error retrieving needed metadata
org.opensaml.ws.message.encoder.MessageEncodingException - error forming SAML message

getSingleSignOnService

protected org.opensaml.saml2.metadata.SingleSignOnService getSingleSignOnService(WebSSOProfileOptions options,
                                                                                 org.opensaml.saml2.metadata.IDPSSODescriptor idpssoDescriptor,
                                                                                 org.opensaml.saml2.metadata.SPSSODescriptor spDescriptor)
                                                                          throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Determines the SingleSignOn service (and thus the binding) to be used to deliver the AuthnRequest to the IDP. When a binding is specified in the WebSSOProfileOptions it is honored; otherwise the first suitable binding is used.

Parameters:
options - user supplied preferences, binding attribute is used
idpssoDescriptor - idp
spDescriptor - sp
Returns:
service to send message to
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case binding from the options is invalid or not found or when no default service can be found

getAssertionConsumerService

protected org.opensaml.saml2.metadata.AssertionConsumerService getAssertionConsumerService(WebSSOProfileOptions options,
                                                                                           org.opensaml.saml2.metadata.IDPSSODescriptor idpSSODescriptor,
                                                                                           org.opensaml.saml2.metadata.SPSSODescriptor spDescriptor)
                                                                                    throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Determines the endpoint to which the identity provider should return the SAML message. The endpoint also implies the binding used. When assertionConsumerIndex is specified in the WebSSOProfileOptions, the endpoint with that index is used. Otherwise the assertionConsumerService marked as default is used when present; failing that, the first supported assertionConsumerService found is used.

If the endpoint selected by the WebSSOProfileOptions index is not supported by this profile, an exception is raised.

Parameters:
options - user supplied preferences
idpSSODescriptor - idp, can be null when no IDP is known in advance
spDescriptor - sp
Returns:
consumer service or null
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case index supplied in options is invalid or unsupported or no supported consumer service can be found

isEndpointSupported

protected boolean isEndpointSupported(org.opensaml.saml2.metadata.SingleSignOnService endpoint)
                               throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Determines whether the given SingleSignOn service can be used together with this profile. The POST, Artifact and Redirect bindings are supported for WebSSO.

Parameters:
endpoint - endpoint
Returns:
true if endpoint is supported
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case system can't verify whether endpoint is supported or not

isEndpointSupported

protected boolean isEndpointSupported(org.opensaml.saml2.metadata.AssertionConsumerService endpoint)
                               throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Determines whether the given AssertionConsumerService can be used to deliver messages consumable by this profile. The POST and Artifact bindings are supported for WebSSO.

Parameters:
endpoint - endpoint
Returns:
true if endpoint is supported
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case system can't verify whether endpoint is supported or not
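The following is an added example, not code from Spring Security SAML or OpenSAML. It models the selection rules documented for getSingleSignOnService, getAssertionConsumerService and the two isEndpointSupported overloads with plain Java objects standing in for the OpenSAML metadata types (AcsEndpoint, SsoEndpoint and MetadataException are stand-ins I introduce here; the binding URIs are the standard SAML 2.0 ones). One assumption beyond the page: the SP's default AssertionConsumerService is used only when its binding is supported, otherwise the search falls through to the first supported endpoint. The point worth noticing from a defender's view is that every candidate endpoint comes from the SP's own metadata, so the AssertionConsumerServiceURL placed in the AuthnRequest is always one the SP has published, and an index naming a non-WebSSO endpoint (such as a PAOS one) is rejected rather than silently used. Requires Java 16+ for records.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Optional;

/**
 * Added example (not Spring Security SAML's own code): models the endpoint and
 * binding selection rules documented for WebSSOProfileImpl using plain Java
 * objects in place of the OpenSAML metadata types.
 */
public class WebSsoEndpointSelection {

    // Standard SAML 2.0 binding URIs.
    static final String POST     = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
    static final String REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";
    static final String ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact";
    static final String SOAP     = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP";
    static final String PAOS     = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS";

    /** Stand-in (assumed, not OpenSAML) for org.opensaml.saml2.metadata.AssertionConsumerService. */
    record AcsEndpoint(int index, boolean isDefault, String binding, String location) {}

    /** Stand-in (assumed, not OpenSAML) for org.opensaml.saml2.metadata.SingleSignOnService. */
    record SsoEndpoint(String binding, String location) {}

    /** Stand-in for the MetadataProviderException the profile throws. */
    static class MetadataException extends Exception {
        MetadataException(String msg) { super(msg); }
    }

    /** isEndpointSupported(AssertionConsumerService): POST and Artifact only. */
    static boolean isAcsSupported(AcsEndpoint e) {
        return POST.equals(e.binding()) || ARTIFACT.equals(e.binding());
    }

    /** isEndpointSupported(SingleSignOnService): POST, Artifact and Redirect. */
    static boolean isSsoSupported(SsoEndpoint e) {
        return POST.equals(e.binding()) || ARTIFACT.equals(e.binding()) || REDIRECT.equals(e.binding());
    }

    /**
     * getSingleSignOnService rule: a binding named in the options is honoured (it must
     * exist in the IDP metadata and be supported); otherwise the first suitable endpoint wins.
     */
    static SsoEndpoint selectSingleSignOnService(String requestedBinding, List<SsoEndpoint> idpEndpoints)
            throws MetadataException {
        if (requestedBinding != null) {
            for (SsoEndpoint e : idpEndpoints) {
                if (requestedBinding.equals(e.binding())) {
                    if (!isSsoSupported(e)) {
                        throw new MetadataException("Requested binding not supported by WebSSO: " + requestedBinding);
                    }
                    return e;
                }
            }
            throw new MetadataException("IDP metadata has no SingleSignOnService for binding " + requestedBinding);
        }
        return idpEndpoints.stream().filter(WebSsoEndpointSelection::isSsoSupported).findFirst()
                .orElseThrow(() -> new MetadataException("No supported SingleSignOnService in IDP metadata"));
    }

    /**
     * getAssertionConsumerService rule: an assertionConsumerIndex from the options wins and must
     * name a supported endpoint; otherwise the endpoint marked isDefault (assumed here to be taken
     * only when supported); otherwise the first supported endpoint. Candidates come from SP metadata.
     */
    static AcsEndpoint selectAssertionConsumerService(Integer requestedIndex, List<AcsEndpoint> spEndpoints)
            throws MetadataException {
        if (requestedIndex != null) {
            for (AcsEndpoint e : spEndpoints) {
                if (e.index() == requestedIndex) {
                    if (!isAcsSupported(e)) {
                        throw new MetadataException("AssertionConsumerService index " + requestedIndex
                                + " uses unsupported binding " + e.binding());
                    }
                    return e;
                }
            }
            throw new MetadataException("No AssertionConsumerService with index " + requestedIndex);
        }
        Optional<AcsEndpoint> dflt = spEndpoints.stream().filter(e -> e.isDefault() && isAcsSupported(e)).findFirst();
        if (dflt.isPresent()) {
            return dflt.get();
        }
        return spEndpoints.stream().filter(WebSsoEndpointSelection::isAcsSupported).findFirst()
                .orElseThrow(() -> new MetadataException("No supported AssertionConsumerService in SP metadata"));
    }

    public static void main(String[] args) throws MetadataException {
        // Constructed sample metadata; the hosts are placeholders, not real entities.
        List<SsoEndpoint> idp = Arrays.asList(
                new SsoEndpoint(SOAP, "https://idp.example/sso/soap"),
                new SsoEndpoint(REDIRECT, "https://idp.example/sso/redirect"),
                new SsoEndpoint(POST, "https://idp.example/sso/post"));
        List<AcsEndpoint> sp = Arrays.asList(
                new AcsEndpoint(0, false, PAOS, "https://sp.example/acs/paos"),
                new AcsEndpoint(1, true, POST, "https://sp.example/acs/post"),
                new AcsEndpoint(2, false, ARTIFACT, "https://sp.example/acs/artifact"));

        // SOAP is skipped as unsupported, so the Redirect endpoint is the first suitable one.
        System.out.println("SSO, no preference : " + selectSingleSignOnService(null, idp).location());
        System.out.println("SSO, POST requested: " + selectSingleSignOnService(POST, idp).location());
        // No index: the endpoint marked as default (index 1) is chosen.
        System.out.println("ACS, no index      : " + selectAssertionConsumerService(null, sp).location());
        System.out.println("ACS, index 2       : " + selectAssertionConsumerService(2, sp).location());
        try {
            selectAssertionConsumerService(0, sp); // PAOS endpoint is not usable by the WebSSO profile
        } catch (MetadataException ex) {
            System.out.println("Rejected           : " + ex.getMessage());
        }
    }
}
```

Compile and run with `javac WebSsoEndpointSelection.java && java WebSsoEndpointSelection`. The subclasses listed at the top of this page (WebSSOProfileECPImpl, WebSSOProfileHoKImpl) are exactly the places where the two isEndpointSupported predicates would differ, which is why the real class keeps them as separate protected methods rather than inlining the binding checks into the selection logic.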

getAuthnRequest

protected org.opensaml.saml2.core.AuthnRequest getAuthnRequest(SAMLMessageContext context,
                                                               WebSSOProfileOptions options,
                                                               org.opensaml.saml2.metadata.AssertionConsumerService assertionConsumer,
                                                               org.opensaml.saml2.metadata.SingleSignOnService bindingService)
                                                        throws org.opensaml.common.SAMLException,
                                                               org.opensaml.saml2.metadata.provider.MetadataProviderException
Returns the AuthnRequest SAML message used to demand authentication from the IDP described by its entity descriptor, with the response expected at the assertionConsumer address.

Parameters:
context - message context
options - preferences of message creation
assertionConsumer - assertion consumer where the IDP should respond
bindingService - service used to deliver the request
Returns:
authnRequest ready to be sent to IDP
Throws:
org.opensaml.common.SAMLException - error creating the message
org.opensaml.saml2.metadata.provider.MetadataProviderException - error retrieving metadata

builNameIDPolicy

protected void builNameIDPolicy(org.opensaml.saml2.core.AuthnRequest request,
                                WebSSOProfileOptions options)
Fills the request with the NameIDPolicy element according to the selected options.

Parameters:
request - request to fill
options - options driving generation of the element

getSPNameQualifier

protected String getSPNameQualifier()
SAML-Core line 2218: specifies that the returned subject identifier should be in the namespace of the given SP.

Returns:
by default returns null

buildAuthnContext

protected void buildAuthnContext(org.opensaml.saml2.core.AuthnRequest request,
                                 WebSSOProfileOptions options)
Fills the request with the required AuthnContext according to the selected options.

Parameters:
request - request to fill
options - options driving generation of the element

buildReturnAddress

protected void buildReturnAddress(org.opensaml.saml2.core.AuthnRequest request,
                                  org.opensaml.saml2.metadata.AssertionConsumerService service)
                           throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Fills the request with the assertion consumer service URL and protocol binding, taken from the given service, to be used to deliver the response from the IDP.

Parameters:
request - request
service - service to deliver response to, building is skipped when null
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - error retrieving metadata information

buildScoping

protected void buildScoping(org.opensaml.saml2.core.AuthnRequest request,
                            org.opensaml.saml2.metadata.SingleSignOnService serviceURI,
                            WebSSOProfileOptions options)
Fills the request with scoping information, including the IDPList that names the IDPs in scope.

Parameters:
request - request to fill
serviceURI - destination to send the request to
options - options driving generation of the element, contains list of allowed IDPs

buildIDPList

protected org.opensaml.saml2.core.IDPList buildIDPList(Set<String> idpEntityNames,
                                                       org.opensaml.saml2.metadata.SingleSignOnService serviceURI)
Builds an IdP List out of the idpEntityNames.

Parameters:
idpEntityNames - The IdPs Entity IDs to include in the IdP List, no list is created when null
serviceURI - The binding service for an IdP for a specific binding. Should be null if there is more than one IdP in the list or if the destination IdP is not known in advance.
Returns:
an IdP List or null when idpEntityNames is null
