org.springframework.security.saml.websso
Class WebSSOProfileConsumerHoKImpl
java.lang.Object
org.springframework.security.saml.websso.AbstractProfileBase
org.springframework.security.saml.websso.WebSSOProfileConsumerImpl
org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl
- All Implemented Interfaces:
- org.springframework.beans.factory.InitializingBean, WebSSOProfileConsumer
public class WebSSOProfileConsumerHoKImpl
- extends WebSSOProfileConsumerImpl
- implements WebSSOProfileConsumer
Class implements processing of the SAML Holder-of-Key Browser SSO profile as per
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso-cs-02.pdf.
- Author:
- Vladimir Schäfer
Method Summary
- String getProfileIdentifier()
Implementations are expected to provide a unique identifier for the profile this class implements.
- protected String getUserAgentBase64Certificate(SAMLMessageContext context)
Locates the user agent certificate used in SSL/TLS and encodes it using base64 for comparison in HoK subject confirmation.
- protected void verifySubject(org.opensaml.saml2.core.Subject subject, org.opensaml.saml2.core.AuthnRequest request, SAMLMessageContext context)
Verifies validity of the Subject element as per http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml2-holder-of-key-cs-02.pdf and
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso-cs-02.pdf.
Methods inherited from class org.springframework.security.saml.websso.AbstractProfileBase
afterPropertiesSet, buildCommonAttributes, generateID, getEndpointBinding, getIssuer, getMaxAssertionTime, getResponseSkew, getStatus, isEndpointMatching, sendMessage, sendMessage, setArtifactMap, setMaxAssertionTime, setMetadata, setProcessor, setResponseSkew, verifyEndpoint, verifyIssuer, verifySignature
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
WebSSOProfileConsumerHoKImpl
public WebSSOProfileConsumerHoKImpl()
getProfileIdentifier
public String getProfileIdentifier()
- Description copied from class:
AbstractProfileBase
- Implementations are expected to provide a unique identifier for the profile this class implements.
- Overrides:
getProfileIdentifier
in class WebSSOProfileConsumerImpl
- Returns:
- profile name
verifySubject
protected void verifySubject(org.opensaml.saml2.core.Subject subject,
org.opensaml.saml2.core.AuthnRequest request,
SAMLMessageContext context)
throws org.opensaml.common.SAMLException,
org.opensaml.xml.encryption.DecryptionException
- Verifies validity of the Subject element as per http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml2-holder-of-key-cs-02.pdf and
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso-cs-02.pdf.
Only verification based on the X509Certificate content of the X509Data in KeyInfo is supported. The subject is deemed
confirmed when at least one of the certificates present in the SubjectConfirmation matches the one used in TLS/SSL
client authentication. No verification of the trust or validity of the certificate itself is performed.
- Overrides:
verifySubject
in class WebSSOProfileConsumerImpl
- Parameters:
subject
- subject to validate
request
- request
context
- context
- Throws:
org.opensaml.common.SAMLException
- error validating the object
org.opensaml.xml.encryption.DecryptionException
- in case the NameID can't be decrypted
getUserAgentBase64Certificate
protected String getUserAgentBase64Certificate(SAMLMessageContext context)
throws org.opensaml.common.SAMLException
- Locates the user agent certificate used in SSL/TLS and encodes it using base64 for comparison in HoK
subject confirmation. The method fails when the certificate can't be obtained or encoded.
- Parameters:
context
- context expected to contain certificate in peerSSLCredential field
- Returns:
- base64 encoded peer certificate
- Throws:
org.opensaml.common.SAMLException
- in case certificate is missing or can't be encoded
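The check that verifySubject and getUserAgentBase64Certificate describe, shown as an added Python example rather than the project's Java code: holder-of-key SubjectConfirmation entries are walked, each X509Certificate text is compared with the base64 of the TLS client certificate, and a subject is confirmed on the first match, with no trust or validity check of the certificate. The assertion fragment and the "DER" bytes are constructed placeholders, and stripping whitespace from the line-wrapped base64 before comparing is this example's assumption.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
METHOD_HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed stand-in for the DER bytes of the TLS client certificate; the HoK
# check compares base64 text only, so no real certificate is needed to run this.
PEER_B64 = base64.b64encode(b"constructed-der-bytes-not-a-real-certificate").decode()

# Constructed assertion fragment: a bearer confirmation (must be ignored) and a
# holder-of-key confirmation whose X509Certificate text is line-wrapped.
ASSERTION_XML = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData/>
    </saml:SubjectConfirmation>
    <saml:SubjectConfirmation Method="{METHOD_HOK}">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          {PEER_B64[:24]}
          {PEER_B64[24:]}
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def hok_certificates(assertion_xml):
    """Base64 values (whitespace stripped) of every X509Certificate under a
    holder-of-key SubjectConfirmation; confirmations with other methods are skipped."""
    root = ET.fromstring(assertion_xml)
    certs = []
    for conf in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if conf.get("Method") == METHOD_HOK:
            for cert in conf.findall(".//ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((cert.text or "").split()))
    return certs


def verify_hok_subject(assertion_xml, peer_cert_b64):
    """Confirmed when at least one HoK certificate equals the TLS client certificate.
    As the page states, only the encoded bytes are compared: trust and validity of
    the certificate are not checked here."""
    if not peer_cert_b64:
        raise ValueError("no TLS client certificate available in the message context")
    if "".join(peer_cert_b64.split()) not in hok_certificates(assertion_xml):
        raise ValueError("no holder-of-key certificate matches the TLS client certificate")
    return True
```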