edu.internet2.middleware.shibboleth.idp.profile.saml2
Class AbstractSAML2ProfileHandler

java.lang.Object
  extended by edu.internet2.middleware.shibboleth.common.profile.provider.AbstractRequestURIMappedProfileHandler<HTTPInTransport,HTTPOutTransport>
      extended by edu.internet2.middleware.shibboleth.common.profile.provider.AbstractShibbolethProfileHandler<SAMLMDRelyingPartyConfigurationManager,Session>
          extended by edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler
              extended by edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler
All Implemented Interfaces:
ProfileHandler<HTTPInTransport,HTTPOutTransport>
Direct Known Subclasses:
ArtifactResolution, AttributeQueryProfileHandler, SSOProfileHandler

public abstract class AbstractSAML2ProfileHandler
extends AbstractSAMLProfileHandler

Common implementation details for profile handlers.


Nested Class Summary
protected  class AbstractSAML2ProfileHandler.SAML2AuditLogEntry
          SAML 1 specific audit log entry.
 
Field Summary
private  SAMLObjectBuilder<Assertion> assertionBuilder
          For building assertion.
private  SAMLObjectBuilder<Audience> audienceBuilder
          For building audience.
private  SAMLObjectBuilder<AudienceRestriction> audienceRestrictionBuilder
          For building audience restriction.
private  SAMLObjectBuilder<Conditions> conditionsBuilder
          For building conditions.
private  SAMLObjectBuilder<Issuer> issuerBuilder
          For building issuer.
private  org.slf4j.Logger log
          Class logger.
private  SAMLObjectBuilder<ProxyRestriction> proxyRestrictionBuilder
          For building proxy restrictions.
private  SAMLObjectBuilder<Response> responseBuilder
          For building response.
static SAMLVersion SAML_VERSION
          SAML Version for this profile handler.
private  XMLObjectBuilder<Signature> signatureBuilder
          For building signature.
private  SAMLObjectBuilder<Status> statusBuilder
          For building status.
private  SAMLObjectBuilder<StatusCode> statusCodeBuilder
          For building statuscode.
private  SAMLObjectBuilder<StatusMessage> statusMessageBuilder
          For building StatusMessages.
private  SAMLObjectBuilder<Subject> subjectBuilder
          For building subject.
private  SAMLObjectBuilder<SubjectConfirmation> subjectConfirmationBuilder
          For building subject confirmation.
private  SAMLObjectBuilder<SubjectConfirmationData> subjectConfirmationDataBuilder
          For building subject confirmation data.
 
Constructor Summary
protected AbstractSAML2ProfileHandler()
          Constructor.
 
Method Summary
protected  Assertion buildAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext, org.joda.time.DateTime issueInstant)
          Builds a basic assertion with its id, issue instant, SAML version, issuer, subject, and conditions populated.
protected  AttributeStatement buildAttributeStatement(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
          Executes a query for attributes and builds a SAML attribute statement from the results.
protected  Conditions buildConditions(BaseSAML2ProfileRequestContext<?,?,?> requestContext, org.joda.time.DateTime issueInstant)
          Builds a SAML assertion condition set.
protected  Issuer buildEntityIssuer(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
          Creates an Issuer populated with information about the relying party.
protected  Response buildErrorResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
          Constructs an SAML response message carrying a request error.
protected  NameID buildNameId(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
          Builds a NameID appropriate for this request.
protected  Response buildResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext, String subjectConfirmationMethod, List<Statement> statements)
          Builds a response to the attribute query within the request context.
protected  Status buildStatus(String topLevelCode, String secondLevelCode, String failureMessage)
          Build a status message, with an optional second-level failure message.
protected  Subject buildSubject(BaseSAML2ProfileRequestContext<?,?,?> requestContext, String confirmationMethod, org.joda.time.DateTime issueInstant)
          Builds the SAML subject for the user for the service provider.
protected  SubjectConfirmation buildSubjectConfirmation(BaseSAML2ProfileRequestContext<?,?,?> requestContext, String confirmationMethod, org.joda.time.DateTime issueInstant)
          Builds the SubjectConfirmation appropriate for this request.
protected  void checkSamlVersion(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
          Checks that the SAML major version for a request is 2.
protected  Encrypter getEncrypter(String peerEntityId)
          Gets an encrypter that may be used encrypt content to a given peer.
protected  Credential getKeyEncryptionCredential(String peerEntityId)
          Gets the credential that can be used to encrypt encryption keys for a peer.
protected  boolean isEncryptAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
          Determine whether issued assertions should be encrypted.
protected  boolean isEncryptNameID(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
          Determine whether NameID's should be encrypted.
protected  boolean isRequestRequiresEncryptNameID(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
          Determine whether information in the SAML request requires the issued NameID to be encrypted.
protected  boolean isSignAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
          Determine whether issued assertions should be signed.
protected  void populateRequestContext(BaseSAMLProfileRequestContext requestContext)
          Populates the request context with information.
protected  void populateStatusResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext, StatusResponseType response)
          Populates the response's id, in response to, issue instant, version, and issuer properties.
protected  void populateUserInformation(BaseSAMLProfileRequestContext requestContext)
          Populates the request context with the information about the user.
protected  void postProcessAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext, Assertion assertion)
          Extension point for for subclasses to post-process the Assertion before it is signed and encrypted.
protected  void postProcessResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext, Response samlResponse)
          Extension point for for subclasses to post-process the Response before it is signed and encoded.
protected  void resolveAttributes(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
          Resolves the attributes for the principal.
protected  void resolvePrincipal(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
          Resolves the principal name of the subject of the request.
protected  void signAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext, Assertion assertion)
          Signs the given assertion if either the current profile configuration or the relying party configuration contains signing credentials.
protected  void writeAuditLogEntry(BaseSAMLProfileRequestContext context)
          Writes an audit log entry indicating the successful response to the attribute request.
 
Methods inherited from class edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler
encodeResponse, filterNameIDAttributesByFormats, filterNameIDAttributesByProtocol, getAduitLog, getEntitySupportedFormats, getIdGenerator, getInboundBinding, getInboundMessageDecoder, getMessageDecoders, getMessageEncoders, getMetadataCredentialResolver, getMetadataProvider, getOutboundMessageEncoder, getRelyingPartyConfiguration, getRequiredNameIDFormat, getSecurityPolicyResolver, getSupportedNameFormats, getSupportedOutboundBindings, getUserSession, getUserSession, isSignResponse, populateAssertingPartyInformation, populateProfileInformation, populateRelyingPartyInformation, populateSAMLMessageInformation, selectEndpoint, selectNameIDAttributeAndEncoder, selectNameIDAttributeAndEncoder, setIdGenerator, setInboundBinding, setMessageDecoders, setMessageEncoders, setSecurityPolicyResolver, setSupportedOutboundBindings
 
Methods inherited from class edu.internet2.middleware.shibboleth.common.profile.provider.AbstractShibbolethProfileHandler
getBuilderFactory, getParserPool, getProfileConfiguration, getProfileId, getRelyingPartyConfigurationManager, getSessionManager, getStorageService, setParserPool, setRelyingPartyConfigurationManager, setSessionManager, setStorageService
 
Methods inherited from class edu.internet2.middleware.shibboleth.common.profile.provider.AbstractRequestURIMappedProfileHandler
getRequestPaths, setRequestPaths
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 
Methods inherited from interface edu.internet2.middleware.shibboleth.common.profile.ProfileHandler
processRequest
 

Field Detail

SAML_VERSION

public static final SAMLVersion SAML_VERSION
SAML Version for this profile handler.


log

private org.slf4j.Logger log
Class logger.


responseBuilder

private SAMLObjectBuilder<Response> responseBuilder
For building response.


statusBuilder

private SAMLObjectBuilder<Status> statusBuilder
For building status.


statusCodeBuilder

private SAMLObjectBuilder<StatusCode> statusCodeBuilder
For building statuscode.


statusMessageBuilder

private SAMLObjectBuilder<StatusMessage> statusMessageBuilder
For building StatusMessages.


assertionBuilder

private SAMLObjectBuilder<Assertion> assertionBuilder
For building assertion.


issuerBuilder

private SAMLObjectBuilder<Issuer> issuerBuilder
For building issuer.


subjectBuilder

private SAMLObjectBuilder<Subject> subjectBuilder
For building subject.


subjectConfirmationBuilder

private SAMLObjectBuilder<SubjectConfirmation> subjectConfirmationBuilder
For building subject confirmation.


subjectConfirmationDataBuilder

private SAMLObjectBuilder<SubjectConfirmationData> subjectConfirmationDataBuilder
For building subject confirmation data.


conditionsBuilder

private SAMLObjectBuilder<Conditions> conditionsBuilder
For building conditions.


audienceRestrictionBuilder

private SAMLObjectBuilder<AudienceRestriction> audienceRestrictionBuilder
For building audience restriction.


proxyRestrictionBuilder

private SAMLObjectBuilder<ProxyRestriction> proxyRestrictionBuilder
For building proxy restrictions.


audienceBuilder

private SAMLObjectBuilder<Audience> audienceBuilder
For building audience.


signatureBuilder

private XMLObjectBuilder<Signature> signatureBuilder
For building signature.

Constructor Detail

AbstractSAML2ProfileHandler

protected AbstractSAML2ProfileHandler()
Constructor.

Method Detail

populateRequestContext

protected void populateRequestContext(BaseSAMLProfileRequestContext requestContext)
                               throws ProfileException
Populates the request context with information. This method requires the the following request context properties to be populated: inbound message transport, peer entity ID, metadata provider This methods populates the following request context properties: user's session, user's principal name, service authentication method, peer entity metadata, relying party configuration, local entity ID, outbound message issuer, local entity metadata

Overrides:
populateRequestContext in class AbstractSAMLProfileHandler
Parameters:
requestContext - current request context
Throws:
ProfileException - thrown if there is a problem looking up the relying party's metadata

populateUserInformation

protected void populateUserInformation(BaseSAMLProfileRequestContext requestContext)
Populates the request context with the information about the user. This method requires the the following request context properties to be populated: inbound message transport, relying party ID This methods populates the following request context properties: user's session, user's principal name, and service authentication method

Specified by:
populateUserInformation in class AbstractSAMLProfileHandler
Parameters:
requestContext - current request context

checkSamlVersion

protected void checkSamlVersion(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                         throws ProfileException
Checks that the SAML major version for a request is 2.

Parameters:
requestContext - current request context containing the SAML message
Throws:
ProfileException - thrown if the major version of the SAML request is not 2

buildResponse

protected Response buildResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                                 String subjectConfirmationMethod,
                                 List<Statement> statements)
                          throws ProfileException
Builds a response to the attribute query within the request context.

Parameters:
requestContext - current request context
subjectConfirmationMethod - confirmation method used for the subject
statements - the statements to include in the response
Returns:
the built response
Throws:
ProfileException - thrown if there is a problem creating the SAML response

isEncryptAssertion

protected boolean isEncryptAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                              throws ProfileException
Determine whether issued assertions should be encrypted.

Parameters:
requestContext - the current request context
Returns:
true if assertions should be encrypted, false otherwise
Throws:
ProfileException - if there is a problem determining whether assertions should be encrypted

postProcessResponse

protected void postProcessResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                                   Response samlResponse)
                            throws ProfileException
Extension point for for subclasses to post-process the Response before it is signed and encoded.

Parameters:
requestContext - the current request context
samlResponse - the SAML Response being built
Throws:
ProfileException - if there was an error processing the response

postProcessAssertion

protected void postProcessAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                                    Assertion assertion)
                             throws ProfileException
Extension point for for subclasses to post-process the Assertion before it is signed and encrypted.

Parameters:
requestContext - the current request context
assertion - the SAML Assertion being built
Throws:
ProfileException - if there is an error processing the assertion

buildAssertion

protected Assertion buildAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                                   org.joda.time.DateTime issueInstant)
Builds a basic assertion with its id, issue instant, SAML version, issuer, subject, and conditions populated.

Parameters:
requestContext - current request context
issueInstant - time to use as assertion issue instant
Returns:
the built assertion

buildEntityIssuer

protected Issuer buildEntityIssuer(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
Creates an Issuer populated with information about the relying party.

Parameters:
requestContext - current request context
Returns:
the built issuer

buildConditions

protected Conditions buildConditions(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                                     org.joda.time.DateTime issueInstant)
Builds a SAML assertion condition set. The following fields are set; not before, not on or after, audience restrictions, and proxy restrictions.

Parameters:
requestContext - current request context
issueInstant - timestamp the assertion was created
Returns:
constructed conditions

populateStatusResponse

protected void populateStatusResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                                      StatusResponseType response)
Populates the response's id, in response to, issue instant, version, and issuer properties.

Parameters:
requestContext - current request context
response - the response to populate

resolveAttributes

protected void resolveAttributes(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                          throws ProfileException
Resolves the attributes for the principal.

Parameters:
requestContext - current request context
Throws:
ProfileException - thrown if there is a problem resolved attributes

buildAttributeStatement

protected AttributeStatement buildAttributeStatement(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                                              throws ProfileException
Executes a query for attributes and builds a SAML attribute statement from the results.

Parameters:
requestContext - current request context
Returns:
attribute statement resulting from the query
Throws:
ProfileException - thrown if there is a problem making the query

resolvePrincipal

protected void resolvePrincipal(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                         throws ProfileException
Resolves the principal name of the subject of the request.

Parameters:
requestContext - current request context
Throws:
ProfileException - thrown if the principal name can not be resolved

signAssertion

protected void signAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                             Assertion assertion)
                      throws ProfileException
Signs the given assertion if either the current profile configuration or the relying party configuration contains signing credentials.

Parameters:
requestContext - current request context
assertion - assertion to sign
Throws:
ProfileException - thrown if the metadata can not be located for the relying party or, if signing is required, if a signing credential is not configured

isSignAssertion

protected boolean isSignAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                           throws ProfileException
Determine whether issued assertions should be signed.

Parameters:
requestContext - the current request context
Returns:
true if assertions should be signed, false otherwise
Throws:
ProfileException - if there is a problem determining whether assertions should be signed

buildStatus

protected Status buildStatus(String topLevelCode,
                             String secondLevelCode,
                             String failureMessage)
Build a status message, with an optional second-level failure message.

Parameters:
topLevelCode - The top-level status code. Should be from saml-core-2.0-os, sec. 3.2.2.2
secondLevelCode - An optional second-level failure code. Should be from saml-core-2.0-is, sec 3.2.2.2. If null, no second-level Status element will be set.
failureMessage - An optional second-level failure message
Returns:
a Status object.

buildSubject

protected Subject buildSubject(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                               String confirmationMethod,
                               org.joda.time.DateTime issueInstant)
                        throws ProfileException
Builds the SAML subject for the user for the service provider.

Parameters:
requestContext - current request context
confirmationMethod - subject confirmation method used for the subject
issueInstant - instant the subject confirmation data should reflect for issuance
Returns:
SAML subject for the user for the service provider
Throws:
ProfileException - thrown if a NameID can not be created either because there was a problem encoding the name ID attribute or because there are no supported name formats

isEncryptNameID

protected boolean isEncryptNameID(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                           throws ProfileException
Determine whether NameID's should be encrypted.

Parameters:
requestContext - the current request context
Returns:
true if NameID's should be encrypted, false otherwise
Throws:
ProfileException - if there is a problem determining whether NameID's should be encrypted

isRequestRequiresEncryptNameID

protected boolean isRequestRequiresEncryptNameID(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
Determine whether information in the SAML request requires the issued NameID to be encrypted.

Parameters:
requestContext - the current request context
Returns:
true if the request indicates NameID encryption is required, false otherwise

buildSubjectConfirmation

protected SubjectConfirmation buildSubjectConfirmation(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                                                       String confirmationMethod,
                                                       org.joda.time.DateTime issueInstant)
Builds the SubjectConfirmation appropriate for this request.

Parameters:
requestContext - current request context
confirmationMethod - confirmation method to use for the request
issueInstant - issue instant of the response
Returns:
the constructed subject confirmation

buildNameId

protected NameID buildNameId(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                      throws ProfileException
Builds a NameID appropriate for this request. NameIDs are built by inspecting the SAML request and metadata, picking a name format that was requested by the relying party or is mutually supported by both the relying party and asserting party as described in their metadata entries. Once a set of supported name formats is determined the principals attributes are inspected for an attribute supported an attribute encoder whose category is one of the supported name formats.

Parameters:
requestContext - current request context
Returns:
the NameID appropriate for this request
Throws:
ProfileException - thrown if a NameID can not be created either because there was a problem encoding the name ID attribute or because there are no supported name formats

buildErrorResponse

protected Response buildErrorResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
Constructs an SAML response message carrying a request error.

Parameters:
requestContext - current request context
Returns:
the constructed error response

getEncrypter

protected Encrypter getEncrypter(String peerEntityId)
                          throws SecurityException
Gets an encrypter that may be used encrypt content to a given peer.

Parameters:
peerEntityId - entity ID of the peer
Returns:
encrypter that may be used encrypt content to a given peer
Throws:
SecurityException - thrown if there is a problem constructing the encrypter. This normally occurs if the key encryption credential for the peer can not be resolved or a required encryption algorithm is not supported by the VM's JCE.

getKeyEncryptionCredential

protected Credential getKeyEncryptionCredential(String peerEntityId)
                                         throws SecurityException
Gets the credential that can be used to encrypt encryption keys for a peer.

Parameters:
peerEntityId - entity ID of the peer
Returns:
credential that can be used to encrypt encryption keys for a peer
Throws:
SecurityException - thrown if there is a problem resolving the credential from the peer's metadata

writeAuditLogEntry

protected void writeAuditLogEntry(BaseSAMLProfileRequestContext context)
Writes an audit log entry indicating the successful response to the attribute request.

Overrides:
writeAuditLogEntry in class AbstractSAMLProfileHandler
Parameters:
context - current request context


Copyright © 1999-2012. All Rights Reserved.