org.springframework.security.saml.websso

Class WebSSOProfileImpl

java.lang.Object

org.springframework.security.saml.websso.AbstractProfileBase

org.springframework.security.saml.websso.WebSSOProfileImpl

All Implemented Interfaces:

org.springframework.beans.factory.InitializingBean, WebSSOProfile

Direct Known Subclasses:

WebSSOProfileECPImpl, WebSSOProfileHoKImpl

public class WebSSOProfileImpl
extends AbstractProfileBase
implements WebSSOProfile

Class implements WebSSO profile and offers capabilities for SP initialized SSO and process Response coming from IDP or IDP initialized SSO. HTTP-POST and HTTP-Redirect bindings are supported.

Author:

Vladimir Schafer

Field Summary

Fields inherited from class org.springframework.security.saml.websso.AbstractProfileBase

artifactMap, builderFactory, log, metadata, processor, uriComparator

Constructor Summary

Constructors

Constructor and Description
WebSSOProfileImpl()
WebSSOProfileImpl(SAMLProcessor processor, MetadataManager manager)

Method Summary

Modifier and Type	Method and Description
protected void	buildAuthnContext(org.opensaml.saml2.core.AuthnRequest request, WebSSOProfileOptions options) Fills the request with required AuthNContext according to selected options.
protected org.opensaml.saml2.core.IDPList	buildIDPList(Set<String> idpEntityNames, org.opensaml.saml2.metadata.SingleSignOnService serviceURI) Builds an IdP List out of the idpEntityNames
protected void	buildReturnAddress(org.opensaml.saml2.core.AuthnRequest request, org.opensaml.saml2.metadata.AssertionConsumerService service) Fills the request with assertion consumer service url and protocol binding based on assertionConsumer to be used to deliver response from the IDP.
protected void	buildScoping(org.opensaml.saml2.core.AuthnRequest request, org.opensaml.saml2.metadata.SingleSignOnService serviceURI, WebSSOProfileOptions options) Fills the request with information about scoping, including IDP in the scope IDP List.
protected void	builNameIDPolicy(org.opensaml.saml2.core.AuthnRequest request, WebSSOProfileOptions options) Fills the request with required AuthNContext according to selected options.
protected org.opensaml.saml2.metadata.AssertionConsumerService	getAssertionConsumerService(WebSSOProfileOptions options, org.opensaml.saml2.metadata.IDPSSODescriptor idpSSODescriptor, org.opensaml.saml2.metadata.SPSSODescriptor spDescriptor) Determines endpoint where should the identity provider return the SAML message.
protected org.opensaml.saml2.core.AuthnRequest	getAuthnRequest(SAMLMessageContext context, WebSSOProfileOptions options, org.opensaml.saml2.metadata.AssertionConsumerService assertionConsumer, org.opensaml.saml2.metadata.SingleSignOnService bindingService) Returns AuthnRequest SAML message to be used to demand authentication from an IDP described using idpEntityDescriptor, with an expected response to the assertionConsumer address.
String	getProfileIdentifier() Implementation are expected to provide an unique identifier for the profile this class implements.
protected org.opensaml.saml2.metadata.SingleSignOnService	getSingleSignOnService(WebSSOProfileOptions options, org.opensaml.saml2.metadata.IDPSSODescriptor idpssoDescriptor, org.opensaml.saml2.metadata.SPSSODescriptor spDescriptor) Method determines SingleSignOn service (and thus binding) to be used to deliver AuthnRequest to the IDP.
protected String	getSPNameQualifier() SAML-Core 2218, Specifies that returned subject identifier should be returned in the namespace of the given SP.
protected boolean	isEndpointSupported(org.opensaml.saml2.metadata.AssertionConsumerService endpoint) Determines whether given AssertionConsumerService can be used to deliver messages consumable by this profile.
protected boolean	isEndpointSupported(org.opensaml.saml2.metadata.SingleSignOnService endpoint) Determines whether given SingleSignOn service can be used together with this profile.
void	sendAuthenticationRequest(SAMLMessageContext context, WebSSOProfileOptions options) Initializes SSO by creating AuthnRequest assertion and sending it to the IDP using the default binding.

Methods inherited from class org.springframework.security.saml.websso.AbstractProfileBase

afterPropertiesSet, buildCommonAttributes, generateID, getEndpointBinding, getIssuer, getMaxAssertionTime, getResponseSkew, getStatus, isEndpointMatching, sendMessage, sendMessage, setArtifactMap, setMaxAssertionTime, setMetadata, setProcessor, setResponseSkew, verifyEndpoint, verifyIssuer, verifySignature

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

WebSSOProfileImpl

public WebSSOProfileImpl()

WebSSOProfileImpl

public WebSSOProfileImpl(SAMLProcessor processor,
                         MetadataManager manager)

Method Detail

getProfileIdentifier

public String getProfileIdentifier()

Description copied from class: AbstractProfileBase

Implementation are expected to provide an unique identifier for the profile this class implements.

Specified by:

getProfileIdentifier in class AbstractProfileBase

Returns:

profile name

sendAuthenticationRequest

public void sendAuthenticationRequest(SAMLMessageContext context,
                                      WebSSOProfileOptions options)
                               throws org.opensaml.common.SAMLException,
                                      org.opensaml.saml2.metadata.provider.MetadataProviderException,
                                      org.opensaml.ws.message.encoder.MessageEncodingException

Initializes SSO by creating AuthnRequest assertion and sending it to the IDP using the default binding. Default IDP is used to send the request.

Specified by:

sendAuthenticationRequest in interface WebSSOProfile

Parameters:

options - values specified by caller to customize format of sent request

Throws:

org.opensaml.common.SAMLException - error initializing SSO

org.opensaml.common.SAMLRuntimeException - in case context doesn't contain required entities or contains invalid data

org.opensaml.saml2.metadata.provider.MetadataProviderException - error retrieving needed metadata

org.opensaml.ws.message.encoder.MessageEncodingException - error forming SAML message

getSingleSignOnService

protected org.opensaml.saml2.metadata.SingleSignOnService getSingleSignOnService(WebSSOProfileOptions options,
                                                                                 org.opensaml.saml2.metadata.IDPSSODescriptor idpssoDescriptor,
                                                                                 org.opensaml.saml2.metadata.SPSSODescriptor spDescriptor)
                                                                          throws org.opensaml.saml2.metadata.provider.MetadataProviderException

Method determines SingleSignOn service (and thus binding) to be used to deliver AuthnRequest to the IDP. When binding is specified in the WebSSOProfileOptions it is honored. Otherwise first suitable binding is used.

Parameters:

options - user supplied preferences, binding attribute is used

idpssoDescriptor - idp

spDescriptor - sp

Returns:

service to send message to

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException - in case binding from the options is invalid or not found or when no default service can be found

getAssertionConsumerService

protected org.opensaml.saml2.metadata.AssertionConsumerService getAssertionConsumerService(WebSSOProfileOptions options,
                                                                                           org.opensaml.saml2.metadata.IDPSSODescriptor idpSSODescriptor,
                                                                                           org.opensaml.saml2.metadata.SPSSODescriptor spDescriptor)
                                                                                    throws org.opensaml.saml2.metadata.provider.MetadataProviderException

Determines endpoint where should the identity provider return the SAML message. Endpoint also implies the used binding. In case assertionConsumerIndex in the WebSSOProfileOptions is specified the endpoint with the given ID is used. Otherwise assertionConsumerService marked as default is used when present, otherwise first found supported assertionConsumerService is used.

In case endpoint determined by the webSSOProfileOptions index is not supported by the profile an exception is raised.

Parameters:

options - user supplied preferences

idpSSODescriptor - idp, can be null when no IDP is known in advance

spDescriptor - sp

Returns:

consumer service or null

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException - in case index supplied in options is invalid or unsupported or no supported consumer service can be found

isEndpointSupported

protected boolean isEndpointSupported(org.opensaml.saml2.metadata.SingleSignOnService endpoint)
                               throws org.opensaml.saml2.metadata.provider.MetadataProviderException

Determines whether given SingleSignOn service can be used together with this profile. Bindings POST, Artifact and Redirect are supported for WebSSO.

Parameters:

endpoint - endpoint

Returns:

true if endpoint is supported

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException - in case system can't verify whether endpoint is supported or not

isEndpointSupported

protected boolean isEndpointSupported(org.opensaml.saml2.metadata.AssertionConsumerService endpoint)
                               throws org.opensaml.saml2.metadata.provider.MetadataProviderException

Determines whether given AssertionConsumerService can be used to deliver messages consumable by this profile. Bindings POST and Artifact are supported for WebSSO.

Parameters:

endpoint - endpoint

Returns:

true if endpoint is supported

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException - in case system can't verify whether endpoint is supported or not

getAuthnRequest

protected org.opensaml.saml2.core.AuthnRequest getAuthnRequest(SAMLMessageContext context,
                                                               WebSSOProfileOptions options,
                                                               org.opensaml.saml2.metadata.AssertionConsumerService assertionConsumer,
                                                               org.opensaml.saml2.metadata.SingleSignOnService bindingService)
                                                        throws org.opensaml.common.SAMLException,
                                                               org.opensaml.saml2.metadata.provider.MetadataProviderException

Returns AuthnRequest SAML message to be used to demand authentication from an IDP described using idpEntityDescriptor, with an expected response to the assertionConsumer address.

Parameters:

context - message context

options - preferences of message creation

assertionConsumer - assertion consumer where the IDP should respond

bindingService - service used to deliver the request

Returns:

authnRequest ready to be sent to IDP

Throws:

org.opensaml.common.SAMLException - error creating the message

org.opensaml.saml2.metadata.provider.MetadataProviderException - error retreiving metadata

builNameIDPolicy

protected void builNameIDPolicy(org.opensaml.saml2.core.AuthnRequest request,
                                WebSSOProfileOptions options)

Fills the request with required AuthNContext according to selected options.

Parameters:

request - request to fill

options - options driving generation of the element

getSPNameQualifier

protected String getSPNameQualifier()

SAML-Core 2218, Specifies that returned subject identifier should be returned in the namespace of the given SP.

Returns:

by default returns null

buildAuthnContext

protected void buildAuthnContext(org.opensaml.saml2.core.AuthnRequest request,
                                 WebSSOProfileOptions options)

Fills the request with required AuthNContext according to selected options.

Parameters:

request - request to fill

options - options driving generation of the element

buildReturnAddress

protected void buildReturnAddress(org.opensaml.saml2.core.AuthnRequest request,
                                  org.opensaml.saml2.metadata.AssertionConsumerService service)
                           throws org.opensaml.saml2.metadata.provider.MetadataProviderException

Fills the request with assertion consumer service url and protocol binding based on assertionConsumer to be used to deliver response from the IDP.

Parameters:

request - request

service - service to deliver response to, building is skipped when null

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException - error retrieving metadata information

buildScoping

protected void buildScoping(org.opensaml.saml2.core.AuthnRequest request,
                            org.opensaml.saml2.metadata.SingleSignOnService serviceURI,
                            WebSSOProfileOptions options)

Fills the request with information about scoping, including IDP in the scope IDP List.

Parameters:

request - request to fill

serviceURI - destination to send the request to

options - options driving generation of the element, contains list of allowed IDPs

buildIDPList

protected org.opensaml.saml2.core.IDPList buildIDPList(Set<String> idpEntityNames,
                                                       org.opensaml.saml2.metadata.SingleSignOnService serviceURI)

Builds an IdP List out of the idpEntityNames

Parameters:

idpEntityNames - The IdPs Entity IDs to include in the IdP List, no list is created when null

serviceURI - The binding service for an IdP for a specific binding. Should be null if there is more than one IdP in the list or if the destination IdP is not known in advance.

Returns:

an IdP List or null when idpEntityNames is null