edu.internet2.middleware.shibboleth.idp.profile.saml2

Class SSOProfileHandler

java.lang.Object

edu.internet2.middleware.shibboleth.common.profile.provider.AbstractRequestURIMappedProfileHandler<HTTPInTransport,HTTPOutTransport>

edu.internet2.middleware.shibboleth.common.profile.provider.AbstractShibbolethProfileHandler<SAMLMDRelyingPartyConfigurationManager,Session>

edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler

edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler

edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler

All Implemented Interfaces:

ProfileHandler<HTTPInTransport,HTTPOutTransport>

Direct Known Subclasses:

SAML2ECPProfileHandler

public class SSOProfileHandler
extends AbstractSAML2ProfileHandler

SAML 2.0 SSO request profile handler.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
protected class	SSOProfileHandler.SSORequestContext Represents the internal state of a SAML 2.0 SSO Request while it's being processed by the IdP.

Nested classes/interfaces inherited from class edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler

AbstractSAML2ProfileHandler.SAML2AuditLogEntry

Field Summary

Fields

Modifier and Type	Field and Description
private String	authenticationManagerPath URL of the authentication manager Servlet.
private SAMLObjectBuilder<AuthnContext>	authnContextBuilder Builder of AuthnContext objects.
private SAMLObjectBuilder<AuthnContextClassRef>	authnContextClassRefBuilder Builder of AuthnContextClassRef objects.
private SAMLObjectBuilder<AuthnContextDeclRef>	authnContextDeclRefBuilder Builder of AuthnContextDeclRef objects.
private SAMLObjectBuilder<AuthnStatement>	authnStatementBuilder Builder of AuthnStatement objects.
private SAMLObjectBuilder<Endpoint>	endpointBuilder Builder of Endpoint objects.
private org.slf4j.Logger	log Class logger.
private SAMLObjectBuilder<SubjectLocality>	subjectLocalityBuilder Builder of SubjectLocality objects.

Fields inherited from class edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler

SAML_VERSION

Constructor Summary

Constructors

Constructor and Description
SSOProfileHandler(String authnManagerPath) Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
protected AuthnContext	buildAuthnContext(SSOProfileHandler.SSORequestContext requestContext) Creates an AuthnContext for a successful authentication request.
protected AuthnStatement	buildAuthnStatement(SSOProfileHandler.SSORequestContext requestContext) Creates an authentication statement for the current request.
protected NameID	buildNameId(BaseSAML2ProfileRequestContext<?,?,?> requestContext) Builds a NameID appropriate for this request.
protected SSOProfileHandler.SSORequestContext	buildRequestContext(Saml2LoginContext loginContext, HTTPInTransport in, HTTPOutTransport out) Creates an authentication request context from the current environmental information.
protected SubjectLocality	buildSubjectLocality(SSOProfileHandler.SSORequestContext requestContext) Constructs the subject locality for the authentication statement.
protected void	checkNameIDPolicy(SSOProfileHandler.SSORequestContext requestContext) Checks to see, if present, if the affiliation associated with the SPNameQualifier given in the AuthnRequest NameIDPolicy lists the inbound message issuer as a member.
protected void	completeAuthenticationRequest(Saml2LoginContext loginContext, HTTPInTransport inTransport, HTTPOutTransport outTransport) Creates a response to the AuthnRequest and sends the user, with response in tow, back to the relying party after they've been authenticated.
protected void	decodeRequest(SSOProfileHandler.SSORequestContext requestContext, HTTPInTransport inTransport, HTTPOutTransport outTransport) Decodes an incoming request and stores the information in a created request context.
protected AuthnRequest	deserializeRequest(String request) Deserializes an authentication request from a string.
String	getProfileId()
protected String	getRequiredNameIDFormat(BaseSAMLProfileRequestContext requestContext) Gets the name identifier format required to be sent back to the relying party.
protected void	performAuthentication(HTTPInTransport inTransport, HTTPOutTransport outTransport) Creates a Saml2LoginContext an sends the request off to the AuthenticationManager to begin the process of authenticating the user.
protected void	populateAssertingPartyInformation(BaseSAMLProfileRequestContext requestContext) Populates the request context with information about the asserting party.
protected void	populateRelyingPartyInformation(BaseSAMLProfileRequestContext requestContext) Populates the request context with information about the relying party.
protected void	populateSAMLMessageInformation(BaseSAMLProfileRequestContext requestContext) Populates the request context with information from the inbound SAML message.
protected void	postProcessAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext, Assertion assertion) Extension point for for subclasses to post-process the Assertion before it is signed and encrypted.
protected void	postProcessResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext, Response samlResponse) Extension point for for subclasses to post-process the Response before it is signed and encoded.
void	processRequest(HTTPInTransport inTransport, HTTPOutTransport outTransport)
protected Endpoint	selectEndpoint(BaseSAMLProfileRequestContext requestContext) Selects the appropriate endpoint for the relying party and stores it in the request context.

Methods inherited from class edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler

buildAssertion, buildAttributeStatement, buildConditions, buildEntityIssuer, buildErrorResponse, buildResponse, buildStatus, buildSubject, buildSubjectConfirmation, checkSamlVersion, getEncrypter, getKeyEncryptionCredential, getSessionIndexFromNameID, isEncryptAssertion, isEncryptNameID, isRequestRequiresEncryptNameID, isSignAssertion, populateRequestContext, populateStatusResponse, populateUserInformation, resolveAttributes, resolvePrincipal, signAssertion, writeAuditLogEntry

Methods inherited from class edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler

encodeResponse, filterNameIDAttributesByFormats, filterNameIDAttributesByProtocol, getAduitLog, getAuditLog, getEntitySupportedFormats, getIdGenerator, getInboundBinding, getInboundMessageDecoder, getMessageDecoders, getMessageEncoders, getMetadataCredentialResolver, getMetadataProvider, getOutboundMessageEncoder, getRelyingPartyConfiguration, getSecurityPolicyResolver, getSupportedNameFormats, getSupportedOutboundBindings, getUserSession, getUserSession, isSignResponse, populateProfileInformation, selectNameIDAttributeAndEncoder, selectNameIDAttributeAndEncoder, setIdGenerator, setInboundBinding, setMessageDecoders, setMessageEncoders, setSecurityPolicyResolver, setSupportedOutboundBindings

Methods inherited from class edu.internet2.middleware.shibboleth.common.profile.provider.AbstractShibbolethProfileHandler

getBuilderFactory, getParserPool, getProfileConfiguration, getRelyingPartyConfigurationManager, getSessionManager, getStorageService, setParserPool, setRelyingPartyConfigurationManager, setSessionManager, setStorageService

Methods inherited from class edu.internet2.middleware.shibboleth.common.profile.provider.AbstractRequestURIMappedProfileHandler

getRequestPaths, setRequestPaths

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

log

private final org.slf4j.Logger log

Class logger.

authnStatementBuilder

private SAMLObjectBuilder<AuthnStatement> authnStatementBuilder

Builder of AuthnStatement objects.

authnContextBuilder

private SAMLObjectBuilder<AuthnContext> authnContextBuilder

Builder of AuthnContext objects.

authnContextClassRefBuilder

private SAMLObjectBuilder<AuthnContextClassRef> authnContextClassRefBuilder

Builder of AuthnContextClassRef objects.

authnContextDeclRefBuilder

private SAMLObjectBuilder<AuthnContextDeclRef> authnContextDeclRefBuilder

Builder of AuthnContextDeclRef objects.

subjectLocalityBuilder

private SAMLObjectBuilder<SubjectLocality> subjectLocalityBuilder

Builder of SubjectLocality objects.

endpointBuilder

private SAMLObjectBuilder<Endpoint> endpointBuilder

Builder of Endpoint objects.

authenticationManagerPath

private String authenticationManagerPath

URL of the authentication manager Servlet.

Constructor Detail

SSOProfileHandler

public SSOProfileHandler(String authnManagerPath)

Constructor.

Parameters:

authnManagerPath - path to the authentication manager Servlet

Method Detail

getProfileId

public String getProfileId()

Specified by:

getProfileId in class AbstractShibbolethProfileHandler<SAMLMDRelyingPartyConfigurationManager,Session>

processRequest

public void processRequest(HTTPInTransport inTransport,
                  HTTPOutTransport outTransport)
                    throws ProfileException

Throws:

ProfileException

performAuthentication

protected void performAuthentication(HTTPInTransport inTransport,
                         HTTPOutTransport outTransport)
                              throws ProfileException

Creates a Saml2LoginContext an sends the request off to the AuthenticationManager to begin the process of authenticating the user.

Parameters:

inTransport - inbound request transport

outTransport - outbound response transport

Throws:

ProfileException - thrown if there is a problem creating the login context and transferring control to the authentication manager

completeAuthenticationRequest

protected void completeAuthenticationRequest(Saml2LoginContext loginContext,
                                 HTTPInTransport inTransport,
                                 HTTPOutTransport outTransport)
                                      throws ProfileException

Creates a response to the AuthnRequest and sends the user, with response in tow, back to the relying party after they've been authenticated.

Parameters:

loginContext - login context for this request

inTransport - inbound message transport

outTransport - outbound message transport

Throws:

ProfileException - thrown if the response can not be created and sent back to the relying party

decodeRequest

protected void decodeRequest(SSOProfileHandler.SSORequestContext requestContext,
                 HTTPInTransport inTransport,
                 HTTPOutTransport outTransport)
                      throws ProfileException

Decodes an incoming request and stores the information in a created request context.

Parameters:

inTransport - inbound transport

outTransport - outbound transport

requestContext - request context to which decoded information should be added

Throws:

ProfileException - thrown if the incoming message failed decoding

checkNameIDPolicy

protected void checkNameIDPolicy(SSOProfileHandler.SSORequestContext requestContext)
                          throws ProfileException

Checks to see, if present, if the affiliation associated with the SPNameQualifier given in the AuthnRequest NameIDPolicy lists the inbound message issuer as a member.

Parameters:

requestContext - current request context

Throws:

ProfileException - thrown if there the request is not a member of the affiliation or if there was a problem determining membership

buildRequestContext

protected SSOProfileHandler.SSORequestContext buildRequestContext(Saml2LoginContext loginContext,
                                                      HTTPInTransport in,
                                                      HTTPOutTransport out)
                                                           throws ProfileException

Creates an authentication request context from the current environmental information.

Parameters:

loginContext - current login context

in - inbound transport

out - outbount transport

Returns:

created authentication request context

Throws:

ProfileException - thrown if there is a problem creating the context

populateRelyingPartyInformation

protected void populateRelyingPartyInformation(BaseSAMLProfileRequestContext requestContext)
                                        throws ProfileException

Populates the request context with information about the relying party. This method requires the the following request context properties to be populated: inbound message issuer This methods populates the following request context properties: peer entityID, peer entity metadata, relying party configuration

Overrides:

populateRelyingPartyInformation in class AbstractSAMLProfileHandler

Parameters:

requestContext - current request context

Throws:

ProfileException - thrown if there is a problem looking up the relying party's metadata

populateAssertingPartyInformation

protected void populateAssertingPartyInformation(BaseSAMLProfileRequestContext requestContext)
                                          throws ProfileException

Populates the request context with information about the asserting party. Unless overridden, AbstractSAMLProfileHandler.populateRequestContext(BaseSAMLProfileRequestContext) has already invoked AbstractSAMLProfileHandler.populateRelyingPartyInformation(BaseSAMLProfileRequestContext) has already been invoked and the properties it provides are available in the request context. This method requires the the following request context properties to be populated: metadata provider, relying party configuration This methods populates the following request context properties: local entity ID, outbound message issuer, local entity metadata

Overrides:

populateAssertingPartyInformation in class AbstractSAMLProfileHandler

Parameters:

requestContext - current request context

Throws:

ProfileException - thrown if there is a problem looking up the asserting party's metadata

populateSAMLMessageInformation

protected void populateSAMLMessageInformation(BaseSAMLProfileRequestContext requestContext)
                                       throws ProfileException

Populates the request context with information from the inbound SAML message. This method requires the the following request context properties to be populated: login context This methods populates the following request context properties: inbound saml message, relay state, inbound saml message ID, subject name identifier

Specified by:

populateSAMLMessageInformation in class AbstractSAMLProfileHandler

Parameters:

requestContext - current request context

Throws:

ProfileException - thrown if the inbound SAML message or subject identifier is null

buildAuthnStatement

protected AuthnStatement buildAuthnStatement(SSOProfileHandler.SSORequestContext requestContext)

Creates an authentication statement for the current request.

Parameters:

requestContext - current request context

Returns:

constructed authentication statement

buildAuthnContext

protected AuthnContext buildAuthnContext(SSOProfileHandler.SSORequestContext requestContext)

Creates an AuthnContext for a successful authentication request.

Parameters:

requestContext - current request

Returns:

the built authn context

buildSubjectLocality

protected SubjectLocality buildSubjectLocality(SSOProfileHandler.SSORequestContext requestContext)

Constructs the subject locality for the authentication statement.

Parameters:

requestContext - curent request context

Returns:

subject locality for the authentication statement

getRequiredNameIDFormat

protected String getRequiredNameIDFormat(BaseSAMLProfileRequestContext requestContext)

Gets the name identifier format required to be sent back to the relying party. This implementation of this method returns null. Profile handler implementations should override this method if an incoming request is capable of requiring a specific format.

Overrides:

getRequiredNameIDFormat in class AbstractSAMLProfileHandler

Parameters:

requestContext - current request context

Returns:

the required name ID format or null if no specific format is required

buildNameId

protected NameID buildNameId(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                      throws ProfileException

Builds a NameID appropriate for this request. NameIDs are built by inspecting the SAML request and metadata, picking a name format that was requested by the relying party or is mutually supported by both the relying party and asserting party as described in their metadata entries. Once a set of supported name formats is determined the principals attributes are inspected for an attribute supported an attribute encoder whose category is one of the supported name formats.

Overrides:

buildNameId in class AbstractSAML2ProfileHandler

Parameters:

requestContext - current request context

Returns:

the NameID appropriate for this request

Throws:

ProfileException - thrown if a NameID can not be created either because there was a problem encoding the name ID attribute or because there are no supported name formats

selectEndpoint

protected Endpoint selectEndpoint(BaseSAMLProfileRequestContext requestContext)

Selects the appropriate endpoint for the relying party and stores it in the request context.

Specified by:

selectEndpoint in class AbstractSAMLProfileHandler

Parameters:

requestContext - current request context

Returns:

Endpoint selected from the information provided in the request context

deserializeRequest

protected AuthnRequest deserializeRequest(String request)
                                   throws UnmarshallingException

Deserializes an authentication request from a string.

Parameters:

request - request to deserialize

Returns:

the request XMLObject

Throws:

UnmarshallingException - thrown if the request can no be deserialized and unmarshalled

postProcessAssertion

protected void postProcessAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                        Assertion assertion)
                             throws ProfileException

Extension point for for subclasses to post-process the Assertion before it is signed and encrypted.

Overrides:

postProcessAssertion in class AbstractSAML2ProfileHandler

Parameters:

requestContext - the current request context

assertion - the SAML Assertion being built

Throws:

ProfileException - if there is an error processing the assertion

postProcessResponse

protected void postProcessResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                       Response samlResponse)
                            throws ProfileException

Extension point for for subclasses to post-process the Response before it is signed and encoded.

Overrides:

postProcessResponse in class AbstractSAML2ProfileHandler

Parameters:

requestContext - the current request context

samlResponse - the SAML Response being built

Throws:

ProfileException - if there was an error processing the response