edu.internet2.middleware.shibboleth.idp.profile.saml2

Class SAML2ECPProfileHandler

java.lang.Object

edu.internet2.middleware.shibboleth.common.profile.provider.AbstractRequestURIMappedProfileHandler<HTTPInTransport,HTTPOutTransport>

edu.internet2.middleware.shibboleth.common.profile.provider.AbstractShibbolethProfileHandler<SAMLMDRelyingPartyConfigurationManager,Session>

edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler

edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler

edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler

edu.internet2.middleware.shibboleth.idp.profile.saml2.SAML2ECPProfileHandler

All Implemented Interfaces:

ProfileHandler<HTTPInTransport,HTTPOutTransport>

public class SAML2ECPProfileHandler
extends SSOProfileHandler

SAML 2.0 ECP request profile handler.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
protected class	SAML2ECPProfileHandler.ECPRequestContext Extended context information specific to ECP requests.

Nested classes/interfaces inherited from class edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler

SSOProfileHandler.SSORequestContext

Nested classes/interfaces inherited from class edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler

AbstractSAML2ProfileHandler.SAML2AuditLogEntry

Field Summary

Fields

Modifier and Type	Field and Description
private SAMLObjectBuilder<Advice>	adviceBuilder Builder of Advice objects.
private SAMLObjectBuilder<AuthnContext>	authnContextBuilder Builder of AuthnContext objects.
private String	authnContextClassRef A context class reference to insert into the assertion.
private SAMLObjectBuilder<AuthnContextClassRef>	authnContextClassRefBuilder Builder of AuthnContextClassRef objects.
private SAMLObjectBuilder<ChannelBindings>	cbBuilder Builder of ChannelBindings objects.
private SAMLObjectBuilder<Response>	ecpResponseBuilder Builder of ECP Response object.
private StaticHandlerChainResolver	inboundPostSecurityHandlerChainResolver Static post-security inbound handler chain resolver.
private StaticHandlerChainResolver	inboundPreSecurityHandlerChainResolver Static pre-security inbound handler chain resolver.
private SAMLObjectBuilder<GeneratedKey>	keyBuilder Builder of GeneratedKey objects.
private org.slf4j.Logger	log Class logger.
private SAMLMessageDecoder	messageDecoder SOAP message decoder to use.
private SAMLMessageEncoder	messageEncoder SOAP message encoder to use.
private StaticHandlerChainResolver	outboundHandlerChainResolver Static outbound handler chain resolver.
private SecureRandom	prng A SecureRandom PRNG to generate session keys.
private SAMLObjectBuilder<RequestAuthenticated>	reqAuthnBuilder Builder of RequestAuthenticated objects.
private String	soapFaultResponseMessage SOAP fault message.

Fields inherited from class edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler

SAML_VERSION

Constructor Summary

Constructors

Constructor and Description
SAML2ECPProfileHandler() Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
protected AuthnContext	buildAuthnContext(SSOProfileHandler.SSORequestContext requestContext) Creates an AuthnContext for a successful authentication request.
protected AuthnStatement	buildAuthnStatement(SSOProfileHandler.SSORequestContext requestContext) Creates an authentication statement for the current request.
protected HandlerChain	buildOutboundHandlerChain() Build the outbound handler chain.
protected HandlerChain	buildPostSecurityInboundHandlerChain() Build the post-security inbound handler chain.
protected HandlerChain	buildPreSecurityInboundHandlerChain() Build the pre-security inbound handler chain.
protected SAML2ECPProfileHandler.ECPRequestContext	buildRequestContext(HTTPInTransport in, HTTPOutTransport out) Creates an authentication request context from the current environmental information.
protected void	checkChannelBindings(SAML2ECPProfileHandler.ECPRequestContext requestContext) Checks for channel bindings to verify and either fails the request or populates the message context with the matched information.
protected void	decodeRequest(SAML2ECPProfileHandler.ECPRequestContext requestContext, HTTPInTransport inTransport, HTTPOutTransport outTransport) Decodes an incoming request and stores the information in a created request context.
String	getAuthnContextClassRef() Gets the AuthnContext class reference.
protected SAMLMessageDecoder	getInboundMessageDecoder(BaseSAMLProfileRequestContext requestContext) Get the inbound message decoder to use.
protected HandlerChainResolver	getOutboundHandlerChainResolver() Get the resolver used to resolve the outbound handler chain.
protected SAMLMessageEncoder	getOutboundMessageEncoder(BaseSAMLProfileRequestContext requestContext) Get the outbound message encoder to use.
protected HandlerChainResolver	getPostSecurityInboundHandlerChainResolver() Get the resolver used to resolve the post-security inbound handler chain.
protected HandlerChainResolver	getPreSecurityInboundHandlerChainResolver() Get the resolver used to resolve the pre-security inbound handler chain.
String	getProfileId()
void	initialize() Initialize the profile handler.
protected void	populateSAMLMessageInformation(BaseSAMLProfileRequestContext requestContext) Populates the request context with information from the inbound SAML message.
protected void	postProcessAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext, Assertion assertion) Extension point for for subclasses to post-process the Assertion before it is signed and encrypted.
void	processRequest(HTTPInTransport inTransport, HTTPOutTransport outTransport)
void	setAuthnContextClassRef(String ref) Sets the AuthnContext class reference.

Methods inherited from class edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler

buildNameId, buildRequestContext, buildSubjectLocality, checkNameIDPolicy, completeAuthenticationRequest, decodeRequest, deserializeRequest, getRequiredNameIDFormat, performAuthentication, populateAssertingPartyInformation, populateRelyingPartyInformation, postProcessResponse, selectEndpoint

Methods inherited from class edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler

buildAssertion, buildAttributeStatement, buildConditions, buildEntityIssuer, buildErrorResponse, buildResponse, buildStatus, buildSubject, buildSubjectConfirmation, checkSamlVersion, getEncrypter, getKeyEncryptionCredential, getSessionIndexFromNameID, isEncryptAssertion, isEncryptNameID, isRequestRequiresEncryptNameID, isSignAssertion, populateRequestContext, populateStatusResponse, populateUserInformation, resolveAttributes, resolvePrincipal, signAssertion, writeAuditLogEntry

Methods inherited from class edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler

encodeResponse, filterNameIDAttributesByFormats, filterNameIDAttributesByProtocol, getAduitLog, getAuditLog, getEntitySupportedFormats, getIdGenerator, getInboundBinding, getMessageDecoders, getMessageEncoders, getMetadataCredentialResolver, getMetadataProvider, getRelyingPartyConfiguration, getSecurityPolicyResolver, getSupportedNameFormats, getSupportedOutboundBindings, getUserSession, getUserSession, isSignResponse, populateProfileInformation, selectNameIDAttributeAndEncoder, selectNameIDAttributeAndEncoder, setIdGenerator, setInboundBinding, setMessageDecoders, setMessageEncoders, setSecurityPolicyResolver, setSupportedOutboundBindings

Methods inherited from class edu.internet2.middleware.shibboleth.common.profile.provider.AbstractShibbolethProfileHandler

getBuilderFactory, getParserPool, getProfileConfiguration, getRelyingPartyConfigurationManager, getSessionManager, getStorageService, setParserPool, setRelyingPartyConfigurationManager, setSessionManager, setStorageService

Methods inherited from class edu.internet2.middleware.shibboleth.common.profile.provider.AbstractRequestURIMappedProfileHandler

getRequestPaths, setRequestPaths

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

log

private final org.slf4j.Logger log

Class logger.

prng

private final SecureRandom prng

A SecureRandom PRNG to generate session keys.

authnContextClassRef

private String authnContextClassRef

A context class reference to insert into the assertion.

ecpResponseBuilder

private SAMLObjectBuilder<Response> ecpResponseBuilder

Builder of ECP Response object.

reqAuthnBuilder

private SAMLObjectBuilder<RequestAuthenticated> reqAuthnBuilder

Builder of RequestAuthenticated objects.

cbBuilder

private SAMLObjectBuilder<ChannelBindings> cbBuilder

Builder of ChannelBindings objects.

keyBuilder

private SAMLObjectBuilder<GeneratedKey> keyBuilder

Builder of GeneratedKey objects.

adviceBuilder

private SAMLObjectBuilder<Advice> adviceBuilder

Builder of Advice objects.

authnContextBuilder

private SAMLObjectBuilder<AuthnContext> authnContextBuilder

Builder of AuthnContext objects.

authnContextClassRefBuilder

private SAMLObjectBuilder<AuthnContextClassRef> authnContextClassRefBuilder

Builder of AuthnContextClassRef objects.

inboundPreSecurityHandlerChainResolver

private StaticHandlerChainResolver inboundPreSecurityHandlerChainResolver

Static pre-security inbound handler chain resolver.

inboundPostSecurityHandlerChainResolver

private StaticHandlerChainResolver inboundPostSecurityHandlerChainResolver

Static post-security inbound handler chain resolver.

outboundHandlerChainResolver

private StaticHandlerChainResolver outboundHandlerChainResolver

Static outbound handler chain resolver.

messageEncoder

private SAMLMessageEncoder messageEncoder

SOAP message encoder to use.

messageDecoder

private SAMLMessageDecoder messageDecoder

SOAP message decoder to use.

soapFaultResponseMessage

private final String soapFaultResponseMessage

SOAP fault message.

See Also:

Constant Field Values

Constructor Detail

SAML2ECPProfileHandler

public SAML2ECPProfileHandler()

Constructor.

Method Detail

initialize

public void initialize()

Initialize the profile handler.

getProfileId

public String getProfileId()

Overrides:

getProfileId in class SSOProfileHandler

setAuthnContextClassRef

public void setAuthnContextClassRef(String ref)

Sets the AuthnContext class reference.

Parameters:

ref - AuthnContext class reference to set

getAuthnContextClassRef

public String getAuthnContextClassRef()

Gets the AuthnContext class reference.

Returns:

AuthnContext class reference

processRequest

public void processRequest(HTTPInTransport inTransport,
                  HTTPOutTransport outTransport)
                    throws ProfileException

Specified by:

processRequest in interface ProfileHandler<HTTPInTransport,HTTPOutTransport>

Overrides:

processRequest in class SSOProfileHandler

Throws:

ProfileException

decodeRequest

protected void decodeRequest(SAML2ECPProfileHandler.ECPRequestContext requestContext,
                 HTTPInTransport inTransport,
                 HTTPOutTransport outTransport)
                      throws ProfileException

Decodes an incoming request and stores the information in a created request context.

Parameters:

inTransport - inbound transport

outTransport - outbound transport

requestContext - request context to which decoded information should be added

Throws:

ProfileException - thrown if the incoming message failed decoding

buildRequestContext

protected SAML2ECPProfileHandler.ECPRequestContext buildRequestContext(HTTPInTransport in,
                                                           HTTPOutTransport out)
                                                                throws ProfileException

Creates an authentication request context from the current environmental information.

Parameters:

in - inbound transport

out - outbount transport

Returns:

created authentication request context

Throws:

ProfileException - thrown if there is a problem creating the context

checkChannelBindings

protected void checkChannelBindings(SAML2ECPProfileHandler.ECPRequestContext requestContext)
                             throws ProfileException

Checks for channel bindings to verify and either fails the request or populates the message context with the matched information.

Parameters:

requestContext - current request context

Throws:

ProfileException - if channel bindings are required and don't match or are missing

populateSAMLMessageInformation

protected void populateSAMLMessageInformation(BaseSAMLProfileRequestContext requestContext)
                                       throws ProfileException

Populates the request context with information from the inbound SAML message. This method requires the the following request context properties to be populated: login context This methods populates the following request context properties: inbound saml message, relay state, inbound saml message ID, subject name identifier

Overrides:

populateSAMLMessageInformation in class SSOProfileHandler

Parameters:

requestContext - current request context

Throws:

ProfileException - thrown if the inbound SAML message or subject identifier is null

buildAuthnStatement

protected AuthnStatement buildAuthnStatement(SSOProfileHandler.SSORequestContext requestContext)

Creates an authentication statement for the current request.

Overrides:

buildAuthnStatement in class SSOProfileHandler

Parameters:

requestContext - current request context

Returns:

constructed authentication statement

buildAuthnContext

protected AuthnContext buildAuthnContext(SSOProfileHandler.SSORequestContext requestContext)

Creates an AuthnContext for a successful authentication request.

Overrides:

buildAuthnContext in class SSOProfileHandler

Parameters:

requestContext - current request

Returns:

the built authn context

postProcessAssertion

protected void postProcessAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                        Assertion assertion)
                             throws ProfileException

Extension point for for subclasses to post-process the Assertion before it is signed and encrypted.

Overrides:

postProcessAssertion in class SSOProfileHandler

Parameters:

requestContext - the current request context

assertion - the SAML Assertion being built

Throws:

ProfileException - if there is an error processing the assertion

buildPreSecurityInboundHandlerChain

protected HandlerChain buildPreSecurityInboundHandlerChain()

Build the pre-security inbound handler chain.

Returns:

the handler chain

buildPostSecurityInboundHandlerChain

protected HandlerChain buildPostSecurityInboundHandlerChain()

Build the post-security inbound handler chain.

Returns:

the handler chain

getPreSecurityInboundHandlerChainResolver

protected HandlerChainResolver getPreSecurityInboundHandlerChainResolver()

Get the resolver used to resolve the pre-security inbound handler chain.

Returns:

the handler chain resolver

getPostSecurityInboundHandlerChainResolver

protected HandlerChainResolver getPostSecurityInboundHandlerChainResolver()

Get the resolver used to resolve the post-security inbound handler chain.

Returns:

the handler chain resolver

buildOutboundHandlerChain

protected HandlerChain buildOutboundHandlerChain()

Build the outbound handler chain.

Returns:

the handler chain

getOutboundHandlerChainResolver

protected HandlerChainResolver getOutboundHandlerChainResolver()

Get the resolver used to resolve the outbound handler chain.

Returns:

the handler chain resolver

getOutboundMessageEncoder

protected SAMLMessageEncoder getOutboundMessageEncoder(BaseSAMLProfileRequestContext requestContext)
                                                throws ProfileException

Get the outbound message encoder to use.

The default implementation uses the binding URI from the SAMLMessageContext.getPeerEntityEndpoint() to lookup the encoder from the supported message encoders defined in AbstractSAMLProfileHandler.getMessageEncoders().

Subclasses may override to implement a different mechanism to determine the encoder to use, such as for example cases where an active intermediary actor sits between this provider and the peer entity endpoint (e.g. the SAML 2 ECP case).

Overrides:

getOutboundMessageEncoder in class AbstractSAMLProfileHandler

Parameters:

requestContext - current request context

Returns:

the message encoder to use

Throws:

ProfileException - if the encoder to use can not be resolved based on the request context

getInboundMessageDecoder

protected SAMLMessageDecoder getInboundMessageDecoder(BaseSAMLProfileRequestContext requestContext)
                                               throws ProfileException

Get the inbound message decoder to use.

The default implementation uses the binding URI from AbstractSAMLProfileHandler.getInboundBinding() to lookup the decoder from the supported message decoders defined in AbstractSAMLProfileHandler.getMessageDecoders().

Subclasses may override to implement a different mechanism to determine the decoder to use.

Overrides:

getInboundMessageDecoder in class AbstractSAMLProfileHandler

Parameters:

requestContext - current request context

Returns:

the message decoder to use

Throws:

ProfileException - if the decoder to use can not be resolved based on the request context