Class Pac4jSamlClientProperties

java.lang.Object
org.apereo.cas.configuration.model.support.pac4j.Pac4jBaseClientProperties
org.apereo.cas.configuration.model.support.pac4j.saml.Pac4jSamlClientProperties
All Implemented Interfaces:
Serializable, CasFeatureModule

@RequiresModule(name="cas-server-support-pac4j-webflow") public class Pac4jSamlClientProperties extends Pac4jBaseClientProperties implements CasFeatureModule
Since:
5.2.0
  • Constructor Details

    • Pac4jSamlClientProperties

      public Pac4jSamlClientProperties()
  • Method Details

    • getMetadata

      public Pac4jSamlClientMetadataProperties getMetadata()
      Metadata configuration properties.
    • getDestinationBinding

      public String getDestinationBinding()
      The destination binding to use when creating authentication requests.
    • getLogoutRequestBinding

      public String getLogoutRequestBinding()
      The destination binding to use when creating logout requests.
    • getKeystorePassword

      public String getKeystorePassword()
      The password to use when generating the SP/CAS keystore.
    • getPrivateKeyPassword

      public String getPrivateKeyPassword()
      The password to use when generating the private key for the SP/CAS keystore.
    • getKeystorePath

      public String getKeystorePath()
      Location of the keystore to use and generate the SP/CAS keystore.
    • getMaximumAuthenticationLifetime

      public String getMaximumAuthenticationLifetime()
      Once you have an authenticated session on the identity provider, it usually won't prompt you to enter your credentials again and will automatically generate a new assertion for you. By default, the SAML client will accept assertions based on a previous authentication for one hour. You can adjust this behavior by modifying this setting. The unit of time here is seconds.
    • getAcceptedSkew

      public String getAcceptedSkew()
      Maximum skew in seconds between SP and IDP clocks. This skew is added onto the NotOnOrAfter field in seconds for the SAML response validation.
    • getMappedAttributes

      public List<String> getMappedAttributes()
      Describes the map of attributes that are to be fetched from the credential (map keys) and then transformed/renamed using map values before they are put into a profile. An example might be to fetch givenName from credential and rename it to urn:oid:2.5.4.42 or vice versa. Note that this setting only applies to attribute names, and not friendly-names. List arbitrary mappings of claims. Uses a "directed list" where the allowed syntax would be givenName->urn:oid:2.5.4.42.
    • getServiceProviderEntityId

      public String getServiceProviderEntityId()
      The entity id of the SP/CAS that is used in the SP metadata generation process.
    • isForceAuth

      public boolean isForceAuth()
      Whether authentication requests should be tagged as forced auth.
    • isPassive

      public boolean isPassive()
      Whether authentication requests should be tagged as passive.
    • getAuthnContextClassRef

      public List<String> getAuthnContextClassRef()
      Requested authentication context class in authn requests.
    • getAuthnContextComparisonType

      public String getAuthnContextComparisonType()
      Specifies the comparison rule that should be used to evaluate the specified authentication methods. For example, if exact is specified, the authentication method used must match one of the authentication methods specified by the AuthnContextClassRef elements. The AuthnContextClassRef element requires a comparison rule to be used to evaluate the specified authentication methods. If not explicitly specified, the "exact" rule will be used by default. Other acceptable values are minimum, maximum, better.
    • isForceKeystoreGeneration

      public boolean isForceKeystoreGeneration()
      Force generation of the keystore.
    • getResponseBindingType

      public String getResponseBindingType()
      The SAML2 response binding type to use when generating metadata. This ultimately controls the binding type of the assertion consumer service in the metadata. Default value is typically urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.
    • getCertificateExpirationDays

      public int getCertificateExpirationDays()
      Define the validity period for the certificate in number of days. The end-date of the certificate is controlled by this setting, when defined as a value greater than zero.
    • getCertificateSignatureAlg

      public String getCertificateSignatureAlg()
      Certificate signature algorithm to use when generating the certificate.
    • getCertificateNameToAppend

      public String getCertificateNameToAppend()
      A name to append to signing certificates generated. The appended name can be useful to identify for which clientName the certificate was generated. If no name is provided, the default certificate name will be used.
    • getNameIdPolicyFormat

      public String getNameIdPolicyFormat()
      NameID policy to request in the authentication requests.
    • getNameIdPolicyAllowCreate

      public org.apereo.cas.util.model.TriStateBoolean getNameIdPolicyAllowCreate()
      Flag to indicate whether the allow-create flag for NameID policies should be set to true, false, or left undefined (ignored).
    • isWantsAssertionsSigned

      public boolean isWantsAssertionsSigned()
      Whether metadata should be marked to request signed assertions.
    • isWantsResponsesSigned

      public boolean isWantsResponsesSigned()
      Whether responses are required to be signed.
    • isAllSignatureValidationDisabled

      public boolean isAllSignatureValidationDisabled()
      Whether the signature validation should be disabled. Never set this property to true in production.
    • getAttributeConsumingServiceIndex

      public int getAttributeConsumingServiceIndex()
      AttributeConsumingServiceIndex attribute of the AuthnRequest element. The given index points to a specific AttributeConsumingService structure, declared in the Service Provider (SP) metadata, that specifies all the attributes the Service Provider is asking to be released within the authentication assertion returned by the Identity Provider (IdP). This attribute won't be sent with the request unless a non-negative value (0 or greater) is defined.
    • getAssertionConsumerServiceIndex

      public int getAssertionConsumerServiceIndex()
      Allows the SAML client to select a specific ACS URL from the metadata, if defined. A negative value deactivates the selection process and is the default.
    • isUseNameQualifier

      public boolean isUseNameQualifier()
      Whether name qualifiers should be produced in the final SAML response.
    • isSignServiceProviderMetadata

      public boolean isSignServiceProviderMetadata()
      Whether or not SAML SP metadata should be signed when generated.
    • isSignAuthnRequest

      public boolean isSignAuthnRequest()
      Whether or not the authnRequest should be signed.
    • isSignServiceProviderLogoutRequest

      public boolean isSignServiceProviderLogoutRequest()
      Whether or not the Logout Request sent from the SP should be signed.
    • getRequestedAttributes

      public List<Pac4jSamlServiceProviderRequestedAttribute> getRequestedAttributes()
      List of attributes requested by the service provider that would be put into the service provider metadata.
    • getBlockedSignatureSigningAlgorithms

      public List<String> getBlockedSignatureSigningAlgorithms()
      Collection of blocked signature signing algorithms, if any, to override the global defaults.
    • getSignatureAlgorithms

      public List<String> getSignatureAlgorithms()
      Collection of signature signing algorithms, if any, to override the global defaults.
    • getSignatureReferenceDigestMethods

      public List<String> getSignatureReferenceDigestMethods()
      Collection of signature reference digest methods, if any, to override the global defaults.
    • getSignatureCanonicalizationAlgorithm

      public String getSignatureCanonicalizationAlgorithm()
      The signature canonicalization algorithm, if any, to override the global defaults.
    • getNameIdAttribute

      public String getNameIdAttribute()
      The attribute name that should be used and extracted from the SAML2 response to identify and build a NameID value, when the response is processed and consumed.
    • getProviderName

      public String getProviderName()
      Provider name set for the SAML authentication request. Sets the human-readable name of the requester for use by the presenter's user agent or the identity provider.
    • getMessageStoreFactory

      public String getMessageStoreFactory()
      A factory implementing this interface provides storage and retrieval of SAML messages, e.g. for verification of retrieved responses. The default factory is an always-empty store. You may choose org.pac4j.saml.store.HttpSessionStore instead, which allows SAML messages to be stored in a distributed session store, as is typically required for high-availability deployments and validation operations.

      Available options are:

      • EMPTY: Uses the EmptyStoreFactory
      • SESSION: Uses the HttpSessionStore
      • Fully-qualified class name of the message store implementation.

      Also note that the message store implementation can be supplied and configured at runtime as a Spring @Bean with the type SAMLMessageStoreFactory which, if found in the available application context, will override all other options.

    • getSaml2AttributeConverter

      public String getSaml2AttributeConverter()
      Controls the way SAML2 attributes are converted from the authentication response into pac4j attributes. By default, values of complex types are serialized into a single attribute. To change this behaviour, specify a converter class implementing the AttributeConverter interface.
    • isPartialLogoutAsSuccess

      public boolean isPartialLogoutAsSuccess()
      Logouts are only successful if the IdP was able to inform all services, otherwise it will respond with PartialLogout. This setting allows clients such as CAS to ignore such server-side behavior. If the IdP reports back a partial logout, this setting instructs CAS whether it should accept or deny that response.
    • isResponseDestinationMandatory

      public boolean isResponseDestinationMandatory()
      When validating the response, ensure it has a value set for the Destination attribute.
    • getRequestInitiatorUrl

      public String getRequestInitiatorUrl()
      When generating SAML2 metadata, configure and set the request initiator location attribute.
    • getSingleLogoutServiceUrl

      public String getSingleLogoutServiceUrl()
      When generating SAML2 metadata, configure and set the single logout service URL attribute.
    • getLogoutResponseBindingType

      public String getLogoutResponseBindingType()
      Control the logout response binding type during logout operations as invoked by an external IdP and in response to logout requests.
    • getSupportedProtocols

      public List<String> getSupportedProtocols()
      When generating SAML2 metadata, configure and set the list of supported protocols in the metadata.
    • setMetadata

      Metadata configuration properties.
      Returns:
      this.
    • setDestinationBinding

      public Pac4jSamlClientProperties setDestinationBinding(String destinationBinding)
      The destination binding to use when creating authentication requests.
      Returns:
      this.
    • setLogoutRequestBinding

      public Pac4jSamlClientProperties setLogoutRequestBinding(String logoutRequestBinding)
      The destination binding to use when creating logout requests.
      Returns:
      this.
    • setKeystorePassword

      public Pac4jSamlClientProperties setKeystorePassword(String keystorePassword)
      The password to use when generating the SP/CAS keystore.
      Returns:
      this.
    • setPrivateKeyPassword

      public Pac4jSamlClientProperties setPrivateKeyPassword(String privateKeyPassword)
      The password to use when generating the private key for the SP/CAS keystore.
      Returns:
      this.
    • setKeystorePath

      public Pac4jSamlClientProperties setKeystorePath(String keystorePath)
      Location of the keystore to use and generate the SP/CAS keystore.
      Returns:
      this.
    • setMaximumAuthenticationLifetime

      public Pac4jSamlClientProperties setMaximumAuthenticationLifetime(String maximumAuthenticationLifetime)
      Once you have an authenticated session on the identity provider, it usually won't prompt you to enter your credentials again and will automatically generate a new assertion for you. By default, the SAML client will accept assertions based on a previous authentication for one hour. You can adjust this behavior by modifying this setting. The unit of time here is seconds.
      Returns:
      this.
    • setAcceptedSkew

      public Pac4jSamlClientProperties setAcceptedSkew(String acceptedSkew)
      Maximum skew in seconds between SP and IDP clocks. This skew is added onto the NotOnOrAfter field in seconds for the SAML response validation.
      Returns:
      this.
    • setMappedAttributes

      public Pac4jSamlClientProperties setMappedAttributes(List<String> mappedAttributes)
      Describes the map of attributes that are to be fetched from the credential (map keys) and then transformed/renamed using map values before they are put into a profile. An example might be to fetch givenName from credential and rename it to urn:oid:2.5.4.42 or vice versa. Note that this setting only applies to attribute names, and not friendly-names. List arbitrary mappings of claims. Uses a "directed list" where the allowed syntax would be givenName->urn:oid:2.5.4.42.
      Returns:
      this.
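      The "directed list" syntax above (givenName->urn:oid:2.5.4.42) is easy to get wrong in a properties file, so the following added example shows how such a list can be parsed and applied to attributes fetched from a credential. This is illustrative code written for this page, not CAS's or pac4j's own parser; its treatment of entries without an arrow (kept under their own name) and of unmapped attributes (passed through unchanged) is an assumption of the example, and the sample attribute values are constructed.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class MappedAttributesExample {

    // Parses directed-list entries of the form "source->target" into an ordered
    // source -> target map. Whitespace around either side is tolerated. An entry
    // without "->" is treated as an identity mapping (assumption of this example);
    // blank entries and entries with an empty side are skipped.
    public static Map<String, String> parseDirectedList(List<String> entries) {
        Map<String, String> mapping = new LinkedHashMap<>();
        for (String entry : entries) {
            if (entry == null || entry.isBlank()) {
                continue;
            }
            int arrow = entry.indexOf("->");
            if (arrow < 0) {
                String name = entry.trim();
                mapping.put(name, name);
                continue;
            }
            String source = entry.substring(0, arrow).trim();
            String target = entry.substring(arrow + 2).trim();
            if (!source.isEmpty() && !target.isEmpty()) {
                mapping.put(source, target);
            }
        }
        return mapping;
    }

    // Renames credential attributes according to the mapping. Attributes that are
    // not mentioned in the mapping pass through under their original name
    // (assumption of this example). Values are copied, never merged silently: if a
    // renamed attribute collides with an existing one, the values are appended so
    // nothing is lost.
    public static Map<String, List<String>> rename(Map<String, List<String>> credentialAttrs,
                                                   Map<String, String> mapping) {
        Map<String, List<String>> profile = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> attr : credentialAttrs.entrySet()) {
            String targetName = mapping.getOrDefault(attr.getKey(), attr.getKey());
            profile.computeIfAbsent(targetName, k -> new ArrayList<>()).addAll(attr.getValue());
        }
        return profile;
    }

    public static void main(String[] args) {
        // Constructed sample: the page's own example mapping plus two more entries.
        Map<String, String> mapping = parseDirectedList(List.of(
            "givenName->urn:oid:2.5.4.42",
            "sn -> urn:oid:2.5.4.4",
            "mail"));

        // Constructed sample attributes as they might arrive in a SAML2 assertion.
        Map<String, List<String>> fromCredential = new LinkedHashMap<>();
        fromCredential.put("givenName", List.of("Ada"));
        fromCredential.put("sn", List.of("Lovelace"));
        fromCredential.put("mail", List.of("ada@example.org"));
        fromCredential.put("eduPersonAffiliation", List.of("staff", "member"));

        // givenName and sn are renamed to their OIDs; mail and the unmapped
        // eduPersonAffiliation keep their names.
        System.out.println(rename(fromCredential, mapping));
    }
}
```

      Note that the mapping applies to attribute names only, as the description states; friendly names carried alongside the SAML2 attribute are not consulted here.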
    • setServiceProviderEntityId

      public Pac4jSamlClientProperties setServiceProviderEntityId(String serviceProviderEntityId)
      The entity id of the SP/CAS that is used in the SP metadata generation process.
      Returns:
      this.
    • setForceAuth

      public Pac4jSamlClientProperties setForceAuth(boolean forceAuth)
      Whether authentication requests should be tagged as forced auth.
      Returns:
      this.
    • setPassive

      public Pac4jSamlClientProperties setPassive(boolean passive)
      Whether authentication requests should be tagged as passive.
      Returns:
      this.
    • setAuthnContextClassRef

      public Pac4jSamlClientProperties setAuthnContextClassRef(List<String> authnContextClassRef)
      Requested authentication context class in authn requests.
      Returns:
      this.
    • setAuthnContextComparisonType

      public Pac4jSamlClientProperties setAuthnContextComparisonType(String authnContextComparisonType)
      Specifies the comparison rule that should be used to evaluate the specified authentication methods. For example, if exact is specified, the authentication method used must match one of the authentication methods specified by the AuthnContextClassRef elements. The AuthnContextClassRef element requires a comparison rule to be used to evaluate the specified authentication methods. If not explicitly specified, the "exact" rule will be used by default. Other acceptable values are minimum, maximum, better.
      Returns:
      this.
    • setForceKeystoreGeneration

      public Pac4jSamlClientProperties setForceKeystoreGeneration(boolean forceKeystoreGeneration)
      Force generation of the keystore.
      Returns:
      this.
    • setResponseBindingType

      public Pac4jSamlClientProperties setResponseBindingType(String responseBindingType)
      The SAML2 response binding type to use when generating metadata. This ultimately controls the binding type of the assertion consumer service in the metadata. Default value is typically urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.
      Returns:
      this.
    • setCertificateExpirationDays

      public Pac4jSamlClientProperties setCertificateExpirationDays(int certificateExpirationDays)
      Define the validity period for the certificate in number of days. The end-date of the certificate is controlled by this setting, when defined as a value greater than zero.
      Returns:
      this.
    • setCertificateSignatureAlg

      public Pac4jSamlClientProperties setCertificateSignatureAlg(String certificateSignatureAlg)
      Certificate signature algorithm to use when generating the certificate.
      Returns:
      this.
    • setCertificateNameToAppend

      public Pac4jSamlClientProperties setCertificateNameToAppend(String certificateNameToAppend)
      A name to append to signing certificates generated. The appended name can be useful to identify for which clientName the certificate was generated. If no name is provided, the default certificate name will be used.
      Returns:
      this.
    • setNameIdPolicyFormat

      public Pac4jSamlClientProperties setNameIdPolicyFormat(String nameIdPolicyFormat)
      NameID policy to request in the authentication requests.
      Returns:
      this.
    • setNameIdPolicyAllowCreate

      public Pac4jSamlClientProperties setNameIdPolicyAllowCreate(org.apereo.cas.util.model.TriStateBoolean nameIdPolicyAllowCreate)
      Flag to indicate whether the allow-create flag for NameID policies should be set to true, false, or left undefined (ignored).
      Returns:
      this.
    • setWantsAssertionsSigned

      public Pac4jSamlClientProperties setWantsAssertionsSigned(boolean wantsAssertionsSigned)
      Whether metadata should be marked to request signed assertions.
      Returns:
      this.
    • setWantsResponsesSigned

      public Pac4jSamlClientProperties setWantsResponsesSigned(boolean wantsResponsesSigned)
      Whether responses are required to be signed.
      Returns:
      this.
    • setAllSignatureValidationDisabled

      public Pac4jSamlClientProperties setAllSignatureValidationDisabled(boolean allSignatureValidationDisabled)
      Whether the signature validation should be disabled. Never set this property to true in production.
      Returns:
      this.
    • setAttributeConsumingServiceIndex

      public Pac4jSamlClientProperties setAttributeConsumingServiceIndex(int attributeConsumingServiceIndex)
      AttributeConsumingServiceIndex attribute of the AuthnRequest element. The given index points to a specific AttributeConsumingService structure, declared in the Service Provider (SP) metadata, that specifies all the attributes the Service Provider is asking to be released within the authentication assertion returned by the Identity Provider (IdP). This attribute won't be sent with the request unless a non-negative value (0 or greater) is defined.
      Returns:
      this.
    • setAssertionConsumerServiceIndex

      public Pac4jSamlClientProperties setAssertionConsumerServiceIndex(int assertionConsumerServiceIndex)
      Allows the SAML client to select a specific ACS URL from the metadata, if defined. A negative value deactivates the selection process and is the default.
      Returns:
      this.
    • setUseNameQualifier

      public Pac4jSamlClientProperties setUseNameQualifier(boolean useNameQualifier)
      Whether name qualifiers should be produced in the final SAML response.
      Returns:
      this.
    • setSignServiceProviderMetadata

      public Pac4jSamlClientProperties setSignServiceProviderMetadata(boolean signServiceProviderMetadata)
      Whether or not SAML SP metadata should be signed when generated.
      Returns:
      this.
    • setSignAuthnRequest

      public Pac4jSamlClientProperties setSignAuthnRequest(boolean signAuthnRequest)
      Whether or not the authnRequest should be signed.
      Returns:
      this.
    • setSignServiceProviderLogoutRequest

      public Pac4jSamlClientProperties setSignServiceProviderLogoutRequest(boolean signServiceProviderLogoutRequest)
      Whether or not the Logout Request sent from the SP should be signed.
      Returns:
      this.
    • setRequestedAttributes

      public Pac4jSamlClientProperties setRequestedAttributes(List<Pac4jSamlServiceProviderRequestedAttribute> requestedAttributes)
      List of attributes requested by the service provider that would be put into the service provider metadata.
      Returns:
      this.
    • setBlockedSignatureSigningAlgorithms

      public Pac4jSamlClientProperties setBlockedSignatureSigningAlgorithms(List<String> blockedSignatureSigningAlgorithms)
      Collection of blocked signature signing algorithms, if any, to override the global defaults.
      Returns:
      this.
    • setSignatureAlgorithms

      public Pac4jSamlClientProperties setSignatureAlgorithms(List<String> signatureAlgorithms)
      Collection of signature signing algorithms, if any, to override the global defaults.
      Returns:
      this.
    • setSignatureReferenceDigestMethods

      public Pac4jSamlClientProperties setSignatureReferenceDigestMethods(List<String> signatureReferenceDigestMethods)
      Collection of signature reference digest methods, if any, to override the global defaults.
      Returns:
      this.
    • setSignatureCanonicalizationAlgorithm

      public Pac4jSamlClientProperties setSignatureCanonicalizationAlgorithm(String signatureCanonicalizationAlgorithm)
      The signature canonicalization algorithm, if any, to override the global defaults.
      Returns:
      this.
    • setNameIdAttribute

      public Pac4jSamlClientProperties setNameIdAttribute(String nameIdAttribute)
      The attribute name that should be used and extracted from the SAML2 response to identify and build a NameID value, when the response is processed and consumed.
      Returns:
      this.
    • setProviderName

      public Pac4jSamlClientProperties setProviderName(String providerName)
      Provider name set for the SAML authentication request. Sets the human-readable name of the requester for use by the presenter's user agent or the identity provider.
      Returns:
      this.
    • setMessageStoreFactory

      public Pac4jSamlClientProperties setMessageStoreFactory(String messageStoreFactory)
      A factory implementing this interface provides storage and retrieval of SAML messages, e.g. for verification of retrieved responses. The default factory is an always-empty store. You may choose org.pac4j.saml.store.HttpSessionStore instead, which allows SAML messages to be stored in a distributed session store, as is typically required for high-availability deployments and validation operations.

      Available options are:

      • EMPTY: Uses the EmptyStoreFactory
      • SESSION: Uses the HttpSessionStore
      • Fully-qualified class name of the message store implementation.

      Also note that the message store implementation can be supplied and configured at runtime as a Spring @Bean with the type SAMLMessageStoreFactory which, if found in the available application context, will override all other options.

      Returns:
      this.
    • setSaml2AttributeConverter

      public Pac4jSamlClientProperties setSaml2AttributeConverter(String saml2AttributeConverter)
      Controls the way SAML2 attributes are converted from the authentication response into pac4j attributes. By default, values of complex types are serialized into a single attribute. To change this behaviour, specify a converter class implementing the AttributeConverter interface.
      Returns:
      this.
    • setPartialLogoutAsSuccess

      public Pac4jSamlClientProperties setPartialLogoutAsSuccess(boolean partialLogoutAsSuccess)
      Logouts are only successful if the IdP was able to inform all services, otherwise it will respond with PartialLogout. This setting allows clients such as CAS to ignore such server-side behavior. If the IdP reports back a partial logout, this setting instructs CAS whether it should accept or deny that response.
      Returns:
      this.
    • setResponseDestinationMandatory

      public Pac4jSamlClientProperties setResponseDestinationMandatory(boolean responseDestinationMandatory)
      When validating the response, ensure it has a value set for the Destination attribute.
      Returns:
      this.
    • setRequestInitiatorUrl

      public Pac4jSamlClientProperties setRequestInitiatorUrl(String requestInitiatorUrl)
      When generating SAML2 metadata, configure and set the request initiator location attribute.
      Returns:
      this.
    • setSingleLogoutServiceUrl

      public Pac4jSamlClientProperties setSingleLogoutServiceUrl(String singleLogoutServiceUrl)
      When generating SAML2 metadata, configure and set the single logout service URL attribute.
      Returns:
      this.
    • setLogoutResponseBindingType

      public Pac4jSamlClientProperties setLogoutResponseBindingType(String logoutResponseBindingType)
      Control the logout response binding type during logout operations as invoked by an external IdP and in response to logout requests.
      Returns:
      this.
    • setSupportedProtocols

      public Pac4jSamlClientProperties setSupportedProtocols(List<String> supportedProtocols)
      When generating SAML2 metadata, configure and set the list of supported protocols in the metadata.
      Returns:
      this.
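      Several of the settings documented above decide whether the SAML exchange is actually protected: signing of outbound requests, required signatures on inbound assertions and responses, the Destination check, the accepted clock skew and the authentication lifetime. The following added example, written for this page rather than taken from CAS, builds a client configuration with the chained setters listed here and then runs a small audit over the resulting object that flags weak combinations. Entity ID, keystore path and passwords are placeholders; the audit thresholds (skew over 300 seconds, lifetime over eight hours) are this example's own choice, not CAS defaults.

```java
import java.util.ArrayList;
import java.util.List;
import org.apereo.cas.configuration.model.support.pac4j.saml.Pac4jSamlClientProperties;

public class SamlClientHardeningExample {

    // A configuration that signs what the SP sends and requires signatures on what it
    // receives. Placeholder values are marked with angle brackets.
    public static Pac4jSamlClientProperties hardenedClient() {
        return new Pac4jSamlClientProperties()
            .setServiceProviderEntityId("https://cas.example.org/sp")        // placeholder
            .setKeystorePath("file:/etc/cas/saml/sp-keystore.jks")           // placeholder
            .setKeystorePassword("<keystore-password>")
            .setPrivateKeyPassword("<private-key-password>")
            // Sign outbound messages and the published SP metadata.
            .setSignAuthnRequest(true)
            .setSignServiceProviderLogoutRequest(true)
            .setSignServiceProviderMetadata(true)
            // Require signatures on inbound assertions and responses and keep validation on.
            .setWantsAssertionsSigned(true)
            .setWantsResponsesSigned(true)
            .setAllSignatureValidationDisabled(false)
            // Reject responses that do not carry a Destination attribute.
            .setResponseDestinationMandatory(true)
            // Skew is added to NotOnOrAfter (seconds); keep the window small.
            .setAcceptedSkew("60")
            // Re-accept a prior IdP authentication for at most one hour (seconds).
            .setMaximumAuthenticationLifetime("3600")
            // Retain outbound messages so inbound responses can be verified against them.
            .setMessageStoreFactory("SESSION");
    }

    // Same settings with validation switched off, as it might look in a test profile
    // that was never hardened before promotion.
    public static Pac4jSamlClientProperties weakClient() {
        return hardenedClient()
            .setAllSignatureValidationDisabled(true)
            .setSignAuthnRequest(false)
            .setResponseDestinationMandatory(false)
            .setAcceptedSkew("1800")
            .setMessageStoreFactory("EMPTY");
    }

    // Returns the findings a reviewer would raise; an empty list means the checks pass.
    public static List<String> audit(Pac4jSamlClientProperties p) {
        List<String> findings = new ArrayList<>();
        if (p.isAllSignatureValidationDisabled()) {
            findings.add("allSignatureValidationDisabled=true: all signature checks are skipped");
        }
        if (!p.isWantsAssertionsSigned() && !p.isWantsResponsesSigned()) {
            findings.add("neither assertions nor responses are required to be signed");
        }
        if (!p.isSignAuthnRequest()) {
            findings.add("signAuthnRequest=false: the IdP cannot verify the request origin");
        }
        if (!p.isResponseDestinationMandatory()) {
            findings.add("responseDestinationMandatory=false: Destination attribute is not enforced");
        }
        if (parseSeconds(p.getAcceptedSkew(), 0) > 300) {
            findings.add("acceptedSkew above 300s widens the NotOnOrAfter validity window");
        }
        if (parseSeconds(p.getMaximumAuthenticationLifetime(), 3600) > 8 * 3600) {
            findings.add("maximumAuthenticationLifetime above 8h re-accepts stale IdP authentications");
        }
        if ("EMPTY".equalsIgnoreCase(p.getMessageStoreFactory())) {
            findings.add("messageStoreFactory=EMPTY: outbound messages are not kept for response verification");
        }
        return findings;
    }

    // The lifetime and skew properties are strings holding a number of seconds (per this
    // page); anything unparsable falls back to the supplied default.
    static long parseSeconds(String value, long fallback) {
        if (value == null || value.isBlank()) {
            return fallback;
        }
        try {
            return Long.parseLong(value.trim());
        } catch (NumberFormatException e) {
            return fallback;
        }
    }

    public static void main(String[] args) {
        System.out.println("hardened: " + audit(hardenedClient()));  // expected: []
        System.out.println("weak:     " + audit(weakClient()));      // expected: five findings
    }
}
```

      The audit deliberately reads the properties back through the getters rather than inspecting a configuration file, so it can be run against the bean CAS actually binds, after any profile or environment overrides have been applied.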