public class WebSSOProfileConsumerHoKImpl extends WebSSOProfileConsumerImpl implements WebSSOProfileConsumer

Fields inherited from class AbstractProfileBase: artifactMap, builderFactory, log, metadata, processor, uriComparator
Constructor Summary

Constructor and Description |
---|
WebSSOProfileConsumerHoKImpl() |
Method Summary

Modifier and Type | Method and Description |
---|---|
String | getProfileIdentifier()<br>Implementations are expected to provide a unique identifier for the profile this class implements. |
protected String | getUserAgentBase64Certificate(SAMLMessageContext context)<br>Locates the user agent certificate used in SSL/TLS and encodes it using base64 for comparison in HoK subject confirmation. |
protected void | verifySubject(org.opensaml.saml2.core.Subject subject, org.opensaml.saml2.core.AuthnRequest request, SAMLMessageContext context)<br>Verifies validity of the Subject element as per https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml2-holder-of-key-cs-02.pdf and https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso-cs-02.pdf. |
Methods inherited from class WebSSOProfileConsumerImpl: getMaxAuthenticationAge, isIncludeAllAttributes, isReleaseDOM, processAdditionalData, processAuthenticationResponse, setIncludeAllAttributes, setMaxAuthenticationAge, setReleaseDOM, verifyAssertion, verifyAssertionConditions, verifyAssertionSignature, verifyAudience, verifyAuthenticationStatement, verifyAuthnContext, verifyConditions

Methods inherited from class AbstractProfileBase: afterPropertiesSet, buildCommonAttributes, generateID, getEndpointBinding, getIssuer, getMaxAssertionTime, getResponseSkew, getStatus, isEndpointMatching, sendMessage, sendMessage, setArtifactMap, setMaxAssertionTime, setMetadata, setProcessor, setResponseSkew, verifyEndpoint, verifyIssuer, verifySignature

Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface WebSSOProfileConsumer: processAuthenticationResponse
Method Detail

getProfileIdentifier

public String getProfileIdentifier()

Description copied from class: AbstractProfileBase. Implementations are expected to provide a unique identifier for the profile this class implements.

Overrides: getProfileIdentifier in class WebSSOProfileConsumerImpl
verifySubject

protected void verifySubject(org.opensaml.saml2.core.Subject subject, org.opensaml.saml2.core.AuthnRequest request, SAMLMessageContext context) throws org.opensaml.common.SAMLException, org.opensaml.xml.encryption.DecryptionException

Verifies validity of the Subject element as per https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml2-holder-of-key-cs-02.pdf and https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso-cs-02.pdf. Only verification based on the X509Certificate content of the X509Data in KeyInfo is supported. The Subject is deemed confirmed when at least one of the certificates present in the SubjectConfirmation matches the one used in TLS/SSL client authentication. No verification of the trust or validity of the certificate itself is performed.

Overrides: verifySubject in class WebSSOProfileConsumerImpl

Parameters:
- subject - subject to validate
- request - request
- context - context

Throws:
- org.opensaml.common.SAMLException - error validating the object
- org.opensaml.xml.encryption.DecryptionException - in case the NameID can't be decrypted

getUserAgentBase64Certificate

protected String getUserAgentBase64Certificate(SAMLMessageContext context) throws org.opensaml.common.SAMLException

Locates the user agent certificate used in SSL/TLS and encodes it using base64 for comparison in HoK subject confirmation.

Parameters:
- context - context expected to contain the certificate in the peerSSLCredential field

Throws:
- org.opensaml.common.SAMLException - in case the certificate is missing or can't be encoded
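The comparison that getUserAgentBase64Certificate and verifySubject describe, written out as an added example that is not part of Spring Security SAML and does not use the OpenSAML object model. The class name HokSubjectConfirmationExample, the SubjectConfirmation record and the helpers encodeUserAgentCertificate, decodeLenient and isSubjectConfirmed are hypothetical; the holder-of-key method URI is the one defined by SAML 2.0. As the documentation states, only the X509Certificate content is compared and no trust or validity check is made at this point, so the example relies on the TLS handshake having already authenticated the client certificate. It assumes Java 16 or newer for the record syntax.

```java
import java.security.MessageDigest;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.List;

/** Added example: HoK subject confirmation reduced to the certificate comparison (hypothetical class). */
public final class HokSubjectConfirmationExample {

    /** SAML 2.0 subject confirmation method URI for holder-of-key. */
    static final String HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key";

    /** One SubjectConfirmation element reduced to what this check needs (hypothetical value type). */
    record SubjectConfirmation(String method, List<String> x509CertificatesBase64) {}

    /** Counterpart of getUserAgentBase64Certificate: fail when the TLS layer supplied no client certificate. */
    static String encodeUserAgentCertificate(X509Certificate peerCertificate) throws CertificateEncodingException {
        if (peerCertificate == null) {
            throw new IllegalStateException("no TLS client certificate available for HoK confirmation");
        }
        return Base64.getEncoder().encodeToString(peerCertificate.getEncoded());
    }

    /** Decode base64 tolerating the line wrapping XML documents commonly carry; null when not base64. */
    static byte[] decodeLenient(String base64) {
        try {
            return Base64.getMimeDecoder().decode(base64.trim());
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    /**
     * The subject is confirmed when at least one holder-of-key SubjectConfirmation carries an
     * X509Certificate whose DER bytes equal the TLS client certificate. Certificate content only;
     * trust and validity are not examined here, matching the documented behaviour.
     */
    static boolean isSubjectConfirmed(List<SubjectConfirmation> confirmations, String userAgentCertificateBase64) {
        byte[] peerDer = decodeLenient(userAgentCertificateBase64);
        if (peerDer == null) {
            return false;
        }
        for (SubjectConfirmation sc : confirmations) {
            if (!HOLDER_OF_KEY.equals(sc.method())) {
                continue; // bearer or sender-vouches confirmations are not HoK and are skipped
            }
            for (String candidate : sc.x509CertificatesBase64()) {
                byte[] candidateDer = decodeLenient(candidate);
                // constant-time comparison so timing does not reveal how much of the certificate matched
                if (candidateDer != null && MessageDigest.isEqual(candidateDer, peerDer)) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed stand-in for DER certificate bytes; a deployment uses peerCertificate.getEncoded().
        byte[] tlsClientCertDer = new byte[] {0x30, 0x03, 0x02, 0x01, 0x07};
        String tlsClientCertBase64 = Base64.getEncoder().encodeToString(tlsClientCertDer);

        // The same certificate, line-wrapped as it would appear inside an XML KeyInfo element.
        String wrapped = tlsClientCertBase64.substring(0, 4) + "\n" + tlsClientCertBase64.substring(4);
        // A different (constructed) certificate carried by the same assertion.
        String other = Base64.getEncoder().encodeToString(new byte[] {0x30, 0x03, 0x02, 0x01, 0x08});

        List<SubjectConfirmation> matching = List.of(
            new SubjectConfirmation("urn:oasis:names:tc:SAML:2.0:cm:bearer", List.of(tlsClientCertBase64)),
            new SubjectConfirmation(HOLDER_OF_KEY, List.of(other, wrapped)));
        List<SubjectConfirmation> nonMatching = List.of(
            new SubjectConfirmation(HOLDER_OF_KEY, List.of(other)));

        System.out.println("HoK confirmation, certificate matches TLS client: "
            + isSubjectConfirmed(matching, tlsClientCertBase64));
        System.out.println("HoK confirmation, different certificate: "
            + isSubjectConfirmed(nonMatching, tlsClientCertBase64));
    }
}
```

The bearer confirmation in the sample lists the TLS certificate but is ignored because its method is not holder-of-key; only the HoK entry with the line-wrapped copy of the same certificate confirms the subject. Decoding to DER before comparing, rather than comparing base64 strings, keeps whitespace and line-wrapping differences in the XML from causing false mismatches.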