WebSSOProfileConsumerHoKImpl (Spring Security SAML 1.0.10.RELEASE API)

java.lang.Object
- org.springframework.security.saml.websso.AbstractProfileBase
- - org.springframework.security.saml.websso.WebSSOProfileConsumerImpl
  - - org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl

All Implemented Interfaces:

org.springframework.beans.factory.InitializingBean, WebSSOProfileConsumer
```
public class WebSSOProfileConsumerHoKImpl
extends WebSSOProfileConsumerImpl
implements WebSSOProfileConsumer
```
Class implements processing of the SAML Holder-of-Key Browser SSO profile as per https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso-cs-02.pdf.

Author:

Vladimir Schäfer

Field Summary
- Fields inherited from class org.springframework.security.saml.websso.AbstractProfileBase
  artifactMap, builderFactory, log, metadata, processor, uriComparator

Constructor Summary

Constructors
Constructor and Description

WebSSOProfileConsumerHoKImpl()

Constructors
Constructor and Description
`WebSSOProfileConsumerHoKImpl()`

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`String`	`getProfileIdentifier()` Implementation are expected to provide an unique identifier for the profile this class implements.
`protected String`	`getUserAgentBase64Certificate(SAMLMessageContext context)` Method locates user agent certificate used in SSL/TLS and encodes it using base64 for comparison in HoK subject confirmation.
`protected void`	`verifySubject(org.opensaml.saml2.core.Subject subject, org.opensaml.saml2.core.AuthnRequest request, SAMLMessageContext context)` Verifies validity of Subject element as per https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml2-holder-of-key-cs-02.pdf and https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso-cs-02.pdf.

Methods inherited from class org.springframework.security.saml.websso.WebSSOProfileConsumerImpl
getMaxAuthenticationAge, isIncludeAllAttributes, isReleaseDOM, processAdditionalData, processAuthenticationResponse, setIncludeAllAttributes, setMaxAuthenticationAge, setReleaseDOM, verifyAssertion, verifyAssertionConditions, verifyAssertionSignature, verifyAudience, verifyAuthenticationStatement, verifyAuthnContext, verifyConditions

Methods inherited from class org.springframework.security.saml.websso.AbstractProfileBase
afterPropertiesSet, buildCommonAttributes, generateID, getEndpointBinding, getIssuer, getMaxAssertionTime, getResponseSkew, getStatus, isEndpointMatching, sendMessage, sendMessage, setArtifactMap, setMaxAssertionTime, setMetadata, setProcessor, setResponseSkew, verifyEndpoint, verifyIssuer, verifySignature

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.springframework.security.saml.websso.WebSSOProfileConsumer
processAuthenticationResponse

- Constructor Detail
  - WebSSOProfileConsumerHoKImpl
```
public WebSSOProfileConsumerHoKImpl()
```
- Method Detail
  - getProfileIdentifier
```
public String getProfileIdentifier()
```
    Description copied from class: AbstractProfileBase
    
    Implementation are expected to provide an unique identifier for the profile this class implements.
    
    Overrides:
    
    getProfileIdentifier in class WebSSOProfileConsumerImpl
    
    Returns:
    
    profile name
  - verifySubject
```
protected void verifySubject(org.opensaml.saml2.core.Subject subject,
                             org.opensaml.saml2.core.AuthnRequest request,
                             SAMLMessageContext context)
                      throws org.opensaml.common.SAMLException,
                             org.opensaml.xml.encryption.DecryptionException
```
    Verifies validity of Subject element as per https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml2-holder-of-key-cs-02.pdf and https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso-cs-02.pdf.
    Only verification based on X509Certificate content of the X509Data in KeyInfo is supported. Subject is deemed as confirmed when at least one of the certificates present in the SubjectConfirmation matches the one used in TLS/SSL client authentication. No verification on trust or validity of the certificate itself is performed.
    
    Overrides:
    
    verifySubject in class WebSSOProfileConsumerImpl
    
    Parameters:
    
    subject - subject to validate
    
    request - request
    
    context - context
    
    Throws:
    
    org.opensaml.common.SAMLException - error validating the object
    
    org.opensaml.xml.encryption.DecryptionException - in case the NameID can't be decrypted
  - getUserAgentBase64Certificate
```
protected String getUserAgentBase64Certificate(SAMLMessageContext context)
                                        throws org.opensaml.common.SAMLException
```
    Method locates user agent certificate used in SSL/TLS and encodes it using base64 for comparison in HoK subject confirmation. Method fails when certificate can't be obtained or encoded.
    
    Parameters:
    
    context - context expected to contain certificate in peerSSLCredential field
    
    Returns:
    
    base64 encoded peer certificate
    
    Throws:
    
    org.opensaml.common.SAMLException - in case certificate is missing or can't be encoded

Class WebSSOProfileConsumerHoKImpl

Field Summary

Fields inherited from class org.springframework.security.saml.websso.AbstractProfileBase

Constructor Summary

Method Summary

Methods inherited from class org.springframework.security.saml.websso.WebSSOProfileConsumerImpl

Methods inherited from class org.springframework.security.saml.websso.AbstractProfileBase

Methods inherited from class java.lang.Object

Methods inherited from interface org.springframework.security.saml.websso.WebSSOProfileConsumer

Constructor Detail

WebSSOProfileConsumerHoKImpl

Method Detail

getProfileIdentifier

verifySubject

getUserAgentBase64Certificate