java.lang.Object
- org.opensaml.saml.saml2.assertion.SAML20AssertionValidator

```
public class SAML20AssertionValidator
extends Object
```
A component capable of performing core validation of SAML version 2.0 Assertion instances.
Supports the following ValidationContext static parameters:
- SAML2AssertionValidationParameters.VALID_ISSUERS: Optional.
- SAML2AssertionValidationParameters.SIGNATURE_REQUIRED: Optional. If not supplied, defaults to 'true'. If an Assertion is signed, the signature is always evaluated and the result factored into the overall validation result, regardless of the value of this setting.
- SAML2AssertionValidationParameters.SIGNATURE_VALIDATION_CRITERIA_SET: Optional. If not supplied, a minimal criteria set will be constructed which contains an EntityIdCriterion containing the Assertion Issuer entityID, and a UsageCriterion of UsageType.SIGNING. If it is supplied, but either of those criteria are absent from the criteria set, they will be added with the above values.
- SAML2AssertionValidationParameters.SIGNATURE_VALIDATION_TRUST_ENGINE: Optional. If not supplied, defaults to the locally-injected instance.
- SAML2AssertionValidationParameters.SIGNATURE_VALIDATION_PREVALIDATOR: Optional. If not supplied, defaults to the locally-injected instance.
- SAML2AssertionValidationParameters.CLOCK_SKEW: Optional. If not present the default clock skew of DEFAULT_CLOCK_SKEW will be used.
- SAML2AssertionValidationParameters.COND_REQUIRED_CONDITIONS: Optional.
Supports the following ValidationContext dynamic parameters:
- SAML2AssertionValidationParameters.CONFIRMED_SUBJECT_CONFIRMATION: Optional. Will be present after validation iff subject confirmation was successfully performed.

Field Summary

Fields
Modifier and Type	Field	Description
`private net.shibboleth.utilities.java.support.collection.LazyMap<QName,ConditionValidator>`	`conditionValidators`	Registered `Condition` validators.
`static Duration`	`DEFAULT_CLOCK_SKEW`	Default clock skew of 5 minutes.
`private org.slf4j.Logger`	`log`	Class logger.
`private org.opensaml.xmlsec.signature.support.SignaturePrevalidator`	`signaturePrevalidator`	SAML signature profile validator.
`private net.shibboleth.utilities.java.support.collection.LazyMap<QName,StatementValidator>`	`statementValidators`	Registered `Statement` validators.
`private net.shibboleth.utilities.java.support.collection.LazyMap<String,SubjectConfirmationValidator>`	`subjectConfirmationValidators`	Registered `SubjectConfirmation` validators.
`private org.opensaml.xmlsec.signature.support.SignatureTrustEngine`	`trustEngine`	Trust engine for signature evaluation.

Constructor Summary

Constructors
Constructor	Description
`SAML20AssertionValidator(Collection<ConditionValidator> newConditionValidators, Collection<SubjectConfirmationValidator> newConfirmationValidators, Collection<StatementValidator> newStatementValidators, org.opensaml.xmlsec.signature.support.SignatureTrustEngine newTrustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator newSignaturePrevalidator)`	Constructor.

Method Summary

All Methods Static Methods Instance Methods Concrete Methods
Modifier and Type	Method	Description
`static Duration`	`getClockSkew(ValidationContext context)`	Gets the clock skew from the `ValidationContext.getStaticParameters()` parameters.
`protected net.shibboleth.utilities.java.support.resolver.CriteriaSet`	`getSignatureValidationCriteriaSet(Assertion token, ValidationContext context)`	Get the criteria set that will be used in evaluating the Assertion signature via the supplied trust engine.
`protected org.opensaml.xmlsec.signature.support.SignaturePrevalidator`	`getSignatureValidationPrevalidator(Assertion token, ValidationContext context)`	Get the signature trust engine that will be used in evaluating the Assertion signature.
`protected org.opensaml.xmlsec.signature.support.SignatureTrustEngine`	`getSignatureValidationTrustEngine(Assertion token, ValidationContext context)`	Get the signature trust engine that will be used in evaluating the Assertion signature.
`protected void`	`log(Assertion assertion, ValidationContext context)`	Log the Assertion which is being validated, along with the supplied validation context parameters.
`protected ValidationResult`	`performSignatureValidation(Assertion token, ValidationContext context)`	Handle the actual signature validation.
`ValidationResult`	`validate(Assertion assertion, ValidationContext context)`	Validate the supplied SAML 2 `Assertion`, using the parameters from the supplied `ValidationContext`.
`protected ValidationResult`	`validateConditions(Assertion assertion, ValidationContext context)`	Validates the conditions on the assertion.
`protected ValidationResult`	`validateConditionsTimeBounds(Assertion assertion, ValidationContext context)`	Validates the NotBefore and NotOnOrAfter Conditions constraints on the assertion.
`protected ValidationResult`	`validateIssuer(Assertion assertion, ValidationContext context)`	Validates the Assertion `Issuer`.
`protected ValidationResult`	`validateRequiredConditions(Assertion assertion, ValidationContext context)`	Validate that all conditions indicated to be required are present in the assertion.
`protected ValidationResult`	`validateSignature(Assertion token, ValidationContext context)`	Validates the signature of the assertion, if it is signed.
`protected ValidationResult`	`validateStatements(Assertion assertion, ValidationContext context)`	Validates the statements within the assertion.
`protected ValidationResult`	`validateSubjectConfirmation(Assertion assertion, ValidationContext context)`	Validates the subject confirmations of the assertion.
`protected ValidationResult`	`validateVersion(Assertion assertion, ValidationContext context)`	Validates that the assertion is a `SAMLVersion.VERSION_20` assertion.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_CLOCK_SKEW

@Nonnull
public static final Duration DEFAULT_CLOCK_SKEW

Default clock skew of 5 minutes.

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

conditionValidators

private net.shibboleth.utilities.java.support.collection.LazyMap<QName,ConditionValidator> conditionValidators

Registered Condition validators.

subjectConfirmationValidators

private net.shibboleth.utilities.java.support.collection.LazyMap<String,SubjectConfirmationValidator> subjectConfirmationValidators

Registered SubjectConfirmation validators.

statementValidators

private net.shibboleth.utilities.java.support.collection.LazyMap<QName,StatementValidator> statementValidators

Registered Statement validators.

trustEngine

private org.opensaml.xmlsec.signature.support.SignatureTrustEngine trustEngine

Trust engine for signature evaluation.

signaturePrevalidator

private org.opensaml.xmlsec.signature.support.SignaturePrevalidator signaturePrevalidator

SAML signature profile validator.

Constructor Detail

SAML20AssertionValidator

public SAML20AssertionValidator(@Nullable
                                Collection<ConditionValidator> newConditionValidators,
                                @Nullable
                                Collection<SubjectConfirmationValidator> newConfirmationValidators,
                                @Nullable
                                Collection<StatementValidator> newStatementValidators,
                                @Nullable
                                org.opensaml.xmlsec.signature.support.SignatureTrustEngine newTrustEngine,
                                @Nullable
                                org.opensaml.xmlsec.signature.support.SignaturePrevalidator newSignaturePrevalidator)

Constructor.

Parameters:: newConditionValidators - validators used to validate the Conditions within the assertion; newConfirmationValidators - validators used to validate SubjectConfirmation methods within the assertion; newStatementValidators - validators used to validate Statements within the assertion; newTrustEngine - the trust used to validate the Assertion signature; newSignaturePrevalidator - the signature pre-validator used to pre-validate the Assertion signature

Method Detail

getClockSkew
```
public static Duration getClockSkew(@Nonnull
                                    ValidationContext context)
```
Gets the clock skew from the ValidationContext.getStaticParameters() parameters. If the parameter is not set or is not a non-zero Duration then the DEFAULT_CLOCK_SKEW is used.

Parameters:

context - current validation context

Returns:

the clock skew

validate

@Nonnull
public ValidationResult validate(@Nonnull
                                 Assertion assertion,
                                 @Nonnull
                                 ValidationContext context)
                          throws AssertionValidationException

Validate the supplied SAML 2 Assertion, using the parameters from the supplied ValidationContext.

Parameters:: assertion - the assertion being evaluated; context - the current validation context
Returns:: the validation result
Throws:: AssertionValidationException - if there is a fatal error evaluating the validity of the assertion

log
```
protected void log(@Nonnull
                   Assertion assertion,
                   @Nonnull
                   ValidationContext context)
```
Log the Assertion which is being validated, along with the supplied validation context parameters.

Parameters:

assertion - the SAML 2 Assertion being validated

context - current validation context

validateVersion

@Nonnull
protected ValidationResult validateVersion(@Nonnull
                                           Assertion assertion,
                                           @Nonnull
                                           ValidationContext context)
                                    throws AssertionValidationException

Validates that the assertion is a SAMLVersion.VERSION_20 assertion.

Parameters:: assertion - the assertion to validate; context - current validation context
Returns:: result of the validation evaluation
Throws:: AssertionValidationException - thrown if there is a problem validating the version

validateIssuer

protected ValidationResult validateIssuer(@Nonnull
                                          Assertion assertion,
                                          @Nonnull
                                          ValidationContext context)
                                   throws AssertionValidationException

Validates the Assertion Issuer.

Parameters:: assertion - the assertion to validate; context - current validation context
Returns:: the result of the validation evaluation
Throws:: AssertionValidationException - if there is a problem validating the Issuer

validateSignature

@Nonnull
protected ValidationResult validateSignature(@Nonnull
                                             Assertion token,
                                             @Nonnull
                                             ValidationContext context)
                                      throws AssertionValidationException

Validates the signature of the assertion, if it is signed.

Parameters:: token - assertion whose signature will be validated; context - current validation context
Returns:: the result of the signature validation
Throws:: AssertionValidationException - thrown if there is a problem determining the validity of the signature

performSignatureValidation

@Nonnull
protected ValidationResult performSignatureValidation(@Nonnull
                                                      Assertion token,
                                                      @Nonnull
                                                      ValidationContext context)
                                               throws AssertionValidationException

Handle the actual signature validation.

Parameters:: token - assertion whose signature will be validated; context - current validation context
Returns:: the validation result
Throws:: AssertionValidationException - thrown if there is a problem determining the validity of the signature

getSignatureValidationTrustEngine

@Nonnull
protected org.opensaml.xmlsec.signature.support.SignatureTrustEngine getSignatureValidationTrustEngine(@Nonnull
                                                                                                       Assertion token,
                                                                                                       @Nonnull
                                                                                                       ValidationContext context)

Get the signature trust engine that will be used in evaluating the Assertion signature.

Parameters:: token - assertion whose signature will be validated; context - current validation context
Returns:: the criteria set to use

getSignatureValidationPrevalidator

@Nonnull
protected org.opensaml.xmlsec.signature.support.SignaturePrevalidator getSignatureValidationPrevalidator(@Nonnull
                                                                                                         Assertion token,
                                                                                                         @Nonnull
                                                                                                         ValidationContext context)

Get the signature trust engine that will be used in evaluating the Assertion signature.

Parameters:: token - assertion whose signature will be validated; context - current validation context
Returns:: the criteria set to use

getSignatureValidationCriteriaSet

@Nonnull
protected net.shibboleth.utilities.java.support.resolver.CriteriaSet getSignatureValidationCriteriaSet(@Nonnull
                                                                                                       Assertion token,
                                                                                                       @Nonnull
                                                                                                       ValidationContext context)

Get the criteria set that will be used in evaluating the Assertion signature via the supplied trust engine.

Parameters:: token - assertion whose signature will be validated; context - current validation context
Returns:: the criteria set to use

validateConditions
```
@Nonnull
protected ValidationResult validateConditions(@Nonnull
                                              Assertion assertion,
                                              @Nonnull
                                              ValidationContext context)
                                       throws AssertionValidationException
```
Validates the conditions on the assertion. Condition validators are looked up by the element QName and, if present, the schema type of the condition. If no validator can be found for the Condition the validation process fails.

Parameters:

assertion - the assertion whose conditions will be validated

context - current validation context

Returns:

the result of the validation evaluation

Throws:

AssertionValidationException - thrown if there is a problem determining the validity of the conditions

validateRequiredConditions

protected ValidationResult validateRequiredConditions(@Nonnull
                                                      Assertion assertion,
                                                      @Nonnull
                                                      ValidationContext context)

Validate that all conditions indicated to be required are present in the assertion.

Parameters:: assertion - the assertion whose conditions will be evaluated; context - current validation context
Returns:: the result of the validation evaluation

validateConditionsTimeBounds

@Nonnull
protected ValidationResult validateConditionsTimeBounds(@Nonnull
                                                        Assertion assertion,
                                                        @Nonnull
                                                        ValidationContext context)
                                                 throws AssertionValidationException

Validates the NotBefore and NotOnOrAfter Conditions constraints on the assertion.

Parameters:: assertion - the assertion whose conditions will be validated; context - current validation context
Returns:: the result of the validation evaluation
Throws:: AssertionValidationException - thrown if there is a problem determining the validity of the conditions

validateSubjectConfirmation

@Nonnull
protected ValidationResult validateSubjectConfirmation(@Nonnull
                                                       Assertion assertion,
                                                       @Nonnull
                                                       ValidationContext context)
                                                throws AssertionValidationException

Validates the subject confirmations of the assertion. Validators are looked up by the subject confirmation method. If any one subject confirmation is met the subject is considered confirmed per the SAML specification.

Parameters:: assertion - assertion whose subject is being confirmed; context - current validation context
Returns:: the result of the validation
Throws:: AssertionValidationException - thrown if there is a problem determining the validity the subject

validateStatements
```
@Nonnull
protected ValidationResult validateStatements(@Nonnull
                                              Assertion assertion,
                                              @Nonnull
                                              ValidationContext context)
                                       throws AssertionValidationException
```
Validates the statements within the assertion. Validators are looked up by the Statement's element QName or, if present, its schema type. Any statement for which a validator can not be found is simply ignored.

Parameters:

assertion - assertion whose statements are being validated

context - current validation context

Returns:

result of the validation

Throws:

AssertionValidationException - thrown if there is a problem determining the validity the statements

Class SAML20AssertionValidator