Package org.pac4j.saml.sso.impl
Class SAML2AuthnResponseValidator
- java.lang.Object
  - org.pac4j.saml.profile.impl.AbstractSAML2ResponseValidator
    - org.pac4j.saml.sso.impl.SAML2AuthnResponseValidator

All Implemented Interfaces: SAML2ResponseValidator
public class SAML2AuthnResponseValidator extends AbstractSAML2ResponseValidator
Class responsible for executing every check required to validate a SAML response. The validate method populates the given SAML2MessageContext with the correct SAML assertion and the NameID of the corresponding Bearer subject if every check succeeds.

- Since: 1.5.0
- Author: Michael Remond, Jerome Leleu
Field Summary

Fields inherited from class org.pac4j.saml.profile.impl.AbstractSAML2ResponseValidator:
acceptedSkew, decrypter, logger, logoutHandler, replayCache, signatureTrustEngineProvider, uriComparator

Constructor Summary

SAML2AuthnResponseValidator(SAML2SignatureTrustEngineProvider engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter, ReplayCacheProvider replayCache, SAML2Configuration saml2Configuration)
Method Summary

All methods are concrete instance methods.

- protected SAML2Credentials buildSAML2Credentials(SAML2MessageContext context, org.opensaml.saml.saml2.core.Response response)
- protected java.util.List<org.opensaml.saml.saml2.core.Attribute> collectAssertionAttributes(org.opensaml.saml.saml2.core.Assertion subjectAssertion)
- protected void decryptEncryptedAssertions(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
  Decrypts encrypted assertions and adds them to the assertions list of the response.
- protected SAML2Credentials.SAMLNameID determineNameID(SAML2MessageContext context, java.util.List<SAML2Credentials.SAMLAttribute> attributes)
- protected java.lang.String getSessionIndex(org.opensaml.saml.saml2.core.Assertion subjectAssertion)
  Searches for the sessionIndex in the assertion.
- protected boolean isValidBearerSubjectConfirmationData(org.opensaml.saml.saml2.core.SubjectConfirmationData data, SAML2MessageContext context)
  Validates Bearer subject confirmation data: NotBefore, NotOnOrAfter, Recipient.
- org.pac4j.core.credentials.Credentials validate(SAML2MessageContext context)
  Validates the SAML protocol response and the SAML SSO response.
- protected void validateAssertion(org.opensaml.saml.saml2.core.Assertion assertion, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
  Validates the given assertion: IssueInstant, Issuer, Subject, Conditions, AuthnStatements, Signature.
- protected void validateAssertionConditions(org.opensaml.saml.saml2.core.Conditions conditions, SAML2MessageContext context)
  Validates the assertion Conditions: NotBefore, NotOnOrAfter.
- protected void validateAssertionReplay(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.saml2.core.SubjectConfirmationData data)
  Checks that the bearer assertion is not being replayed.
- protected void validateAssertionSignature(org.opensaml.xmlsec.signature.Signature signature, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine)
  Validates the assertion signature.
- protected void validateAudienceRestrictions(java.util.List<org.opensaml.saml.saml2.core.AudienceRestriction> audienceRestrictions, java.lang.String spEntityId)
  Validates the audience by matching the SP entityId.
- protected void validateAuthenticationStatements(java.util.List<org.opensaml.saml.saml2.core.AuthnStatement> authnStatements, SAML2MessageContext context)
  Validates the given AuthnStatements: AuthnInstant, SessionNotOnOrAfter.
- protected void validateAuthnContextClassRefs(SAML2MessageContext context, java.util.List<java.lang.String> providedAuthnContextClassRefs)
- protected void validateSamlProtocolResponse(org.opensaml.saml.saml2.core.Response response, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine)
  Validates the SAML protocol response: IssueInstant, Issuer, StatusCode, Signature.
- protected void validateSamlSSOResponse(org.opensaml.saml.saml2.core.Response response, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
  Validates the SAML SSO response by finding a valid assertion with authn statements.
- protected void validateSubject(org.opensaml.saml.saml2.core.Subject subject, SAML2MessageContext context, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
  Validates the given subject by finding a valid Bearer confirmation.
- protected void verifyRequest(org.opensaml.saml.saml2.core.AuthnRequest request, SAML2MessageContext context)

Methods inherited from class org.pac4j.saml.profile.impl.AbstractSAML2ResponseValidator:
compareEndpoints, computeSloKey, decryptEncryptedId, isDateValid, isIssueInstantValid, setAcceptedSkew, validateIssueInstant, validateIssuer, validateIssuerIfItExists, validateSignature, validateSignatureIfItExists, validateSuccess, verifyEndpoint, verifyMessageReplay
Constructor Detail

SAML2AuthnResponseValidator
public SAML2AuthnResponseValidator(SAML2SignatureTrustEngineProvider engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter, ReplayCacheProvider replayCache, SAML2Configuration saml2Configuration)

Method Detail
validate
public org.pac4j.core.credentials.Credentials validate(SAML2MessageContext context)
Description copied from interface: SAML2ResponseValidator
Validates the SAML protocol response and the SAML SSO response. The method decrypts encrypted assertions, if any.
Parameters:
context - the context
Returns:
the SAML credentials
buildSAML2Credentials
protected SAML2Credentials buildSAML2Credentials(SAML2MessageContext context, org.opensaml.saml.saml2.core.Response response)

collectAssertionAttributes
protected java.util.List<org.opensaml.saml.saml2.core.Attribute> collectAssertionAttributes(org.opensaml.saml.saml2.core.Assertion subjectAssertion)

determineNameID
protected SAML2Credentials.SAMLNameID determineNameID(SAML2MessageContext context, java.util.List<SAML2Credentials.SAMLAttribute> attributes)
getSessionIndex
protected java.lang.String getSessionIndex(org.opensaml.saml.saml2.core.Assertion subjectAssertion)
Searches for the sessionIndex in the assertion.
Parameters:
subjectAssertion - the assertion from the response
Returns:
the sessionIndex if found in the assertion
validateSamlProtocolResponse
protected void validateSamlProtocolResponse(org.opensaml.saml.saml2.core.Response response, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine)
Validates the SAML protocol response: IssueInstant, Issuer, StatusCode, Signature.
Parameters:
response - the response
context - the context
engine - the engine

verifyRequest
protected void verifyRequest(org.opensaml.saml.saml2.core.AuthnRequest request, SAML2MessageContext context)

validateSamlSSOResponse
protected void validateSamlSSOResponse(org.opensaml.saml.saml2.core.Response response, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
Validates the SAML SSO response by finding a valid assertion with authn statements. Populates the SAML2MessageContext with a subjectAssertion and a subjectNameIdentifier.
Parameters:
response - the response
context - the context
engine - the engine
decrypter - the decrypter
decryptEncryptedAssertions
protected void decryptEncryptedAssertions(org.opensaml.saml.saml2.core.Response response, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
Decrypts encrypted assertions and adds them to the assertions list of the response.
Parameters:
response - the response
decrypter - the decrypter

validateAssertion
protected void validateAssertion(org.opensaml.saml.saml2.core.Assertion assertion, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
Validates the given assertion: IssueInstant, Issuer, Subject, Conditions, AuthnStatements, Signature.
Parameters:
assertion - the assertion
context - the context
engine - the engine
decrypter - the decrypter
validateSubject
protected void validateSubject(org.opensaml.saml.saml2.core.Subject subject, SAML2MessageContext context, org.opensaml.saml.saml2.encryption.Decrypter decrypter)
Validates the given subject by finding a valid Bearer confirmation. If the subject is valid, its NameID is put in the context. The NameID / BaseID / EncryptedID is first looked up directly in the Subject. If it is not present there, all relevant SubjectConfirmations are parsed and the IDs are taken from them.
Parameters:
subject - the Subject from an assertion
context - the SAML message context
decrypter - the Decrypter used to decrypt encrypted IDs, if any are present. May be null, in which case no decryption is possible.
isValidBearerSubjectConfirmationData
protected boolean isValidBearerSubjectConfirmationData(org.opensaml.saml.saml2.core.SubjectConfirmationData data, SAML2MessageContext context)
Validates Bearer subject confirmation data: NotBefore, NotOnOrAfter, Recipient.
Parameters:
data - the data
context - the context
Returns:
true if all Bearer subject checks pass
validateAssertionReplay
protected void validateAssertionReplay(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.saml2.core.SubjectConfirmationData data)
Checks that the bearer assertion is not being replayed.
Parameters:
assertion - the Assertion to check
data - the SubjectConfirmationData to check the assertion against

validateAssertionConditions
protected void validateAssertionConditions(org.opensaml.saml.saml2.core.Conditions conditions, SAML2MessageContext context)
Validates the assertion Conditions: NotBefore, NotOnOrAfter.
Parameters:
conditions - the conditions
context - the context

validateAudienceRestrictions
protected void validateAudienceRestrictions(java.util.List<org.opensaml.saml.saml2.core.AudienceRestriction> audienceRestrictions, java.lang.String spEntityId)
Validates the audience by matching the SP entityId.
Parameters:
audienceRestrictions - the audience restrictions
spEntityId - the SP entity id

validateAuthenticationStatements
protected void validateAuthenticationStatements(java.util.List<org.opensaml.saml.saml2.core.AuthnStatement> authnStatements, SAML2MessageContext context)
Validates the given AuthnStatements: AuthnInstant, SessionNotOnOrAfter.
Parameters:
authnStatements - the authn statements
context - the context

validateAuthnContextClassRefs
protected void validateAuthnContextClassRefs(SAML2MessageContext context, java.util.List<java.lang.String> providedAuthnContextClassRefs)
validateAssertionSignature
protected void validateAssertionSignature(org.opensaml.xmlsec.signature.Signature signature, SAML2MessageContext context, org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine)
Validates the assertion signature. If the assertion carries no signature, the SAML response was not signed either, and the SP requires assertions to be signed, validation fails.
Parameters:
signature - the signature
context - the context
engine - the engine
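The assertion-level checks documented above (validateAssertionConditions, isValidBearerSubjectConfirmationData, validateAssertionReplay, validateAudienceRestrictions and the signature policy of validateAssertionSignature) are easy to get subtly wrong, so here is a stand-alone Python model of them run over constructed assertions. This is an added example, not pac4j or OpenSAML code: the data classes, the exact-string Recipient comparison (pac4j goes through its uriComparator), the 120-second skew, the check ordering and the example URLs are assumptions, and signature verification itself is modelled only as a "verified signature present" flag.

```python
"""Stand-alone model of the assertion checks described on this page. Added example, not pac4j
code: the data classes, exact-match Recipient comparison, skew value and check order are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SKEW = timedelta(seconds=120)  # constructed value; pac4j's acceptedSkew is configurable


@dataclass
class SubjectConfirmationData:  # data of the bearer SubjectConfirmation
    recipient: Optional[str]
    not_before: Optional[datetime]
    not_on_or_after: Optional[datetime]


@dataclass
class Assertion:
    id: str
    not_before: Optional[datetime]       # Conditions/@NotBefore
    not_on_or_after: Optional[datetime]  # Conditions/@NotOnOrAfter
    audience_restrictions: list          # one list of Audience URIs per AudienceRestriction
    bearer: SubjectConfirmationData
    signed: bool                         # assertion carries a verified Signature


def in_window(now, not_before, not_on_or_after, skew=SKEW):
    """NotBefore is inclusive, NotOnOrAfter exclusive; the accepted skew widens both edges."""
    if not_before is not None and now + skew < not_before:
        return False
    return not_on_or_after is None or now - skew < not_on_or_after


def is_valid_bearer_subject_confirmation_data(d, now, acs_url, skew=SKEW):
    """NotBefore, NotOnOrAfter, Recipient; the last two are mandatory for bearer confirmations."""
    if d.not_on_or_after is None or d.recipient is None:
        return False
    return in_window(now, d.not_before, d.not_on_or_after, skew) and d.recipient == acs_url


def validate_audience_restrictions(restrictions, sp_id):
    """Audiences are ORed within one AudienceRestriction, ANDed across them (SAML Core 2.5.1.4)."""
    return all(sp_id in audiences for audiences in restrictions)


def assertion_signature_acceptable(assertion_signed, response_signed, wants_signed):
    """An unsigned assertion passes only if the Response was signed or the SP does not require it."""
    return assertion_signed or response_signed or not wants_signed


class ReplayCache:
    """Keyed by assertion ID; entries expire at bearer NotOnOrAfter + skew."""
    def __init__(self):
        self._seen = {}

    def first_use(self, assertion_id, expires_at, now):
        self._seen = {k: v for k, v in self._seen.items() if v > now}  # evict expired entries
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires_at
        return True


def accept_bearer_assertion(a, now, acs_url, sp_id, response_signed, wants_signed, cache, skew=SKEW):
    """Returns (accepted, reason); replay is recorded last so rejected assertions never fill the cache."""
    if not assertion_signature_acceptable(a.signed, response_signed, wants_signed):
        return False, "assertion not signed and response not signed"
    if not is_valid_bearer_subject_confirmation_data(a.bearer, now, acs_url, skew):
        return False, "no valid bearer SubjectConfirmationData"
    if not in_window(now, a.not_before, a.not_on_or_after, skew):
        return False, "Conditions time window"
    if not validate_audience_restrictions(a.audience_restrictions, sp_id):
        return False, "audience does not include SP entityID"
    if not cache.first_use(a.id, a.bearer.not_on_or_after + skew, now):
        return False, "replayed assertion"
    return True, "ok"


def demo():
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    acs, sp = "https://sp.example.org/saml/acs", "https://sp.example.org/saml/metadata"
    cache = ReplayCache()

    def mk(aid, exp=now + timedelta(minutes=5), recipient=acs, audiences=None, signed=True):
        bearer = SubjectConfirmationData(recipient, None, exp)
        return Assertion(aid, now - timedelta(minutes=1), exp, audiences or [[sp]], bearer, signed)

    def run(a, response_signed=False):  # the SP requires signed assertions throughout
        return accept_bearer_assertion(a, now, acs, sp, response_signed, True, cache)

    return {  # constructed inputs, one per check: {label: (accepted, reason)}
        "fresh": run(mk("_a1")),
        "replayed": run(mk("_a1")),  # same assertion ID presented a second time
        "wrong_acs": run(mk("_a2", recipient="https://evil.example.net/acs")),
        "within_skew": run(mk("_a3", exp=now - timedelta(seconds=30))),
        "expired": run(mk("_a4", exp=now - timedelta(minutes=10))),
        "bad_audience": run(mk("_a5", audiences=[["https://other-sp.example.com"]])),
        "unsigned": run(mk("_a6", signed=False)),  # neither assertion nor Response signed
        "response_signed": run(mk("_a7", signed=False), response_signed=True),
    }
```

Running demo() accepts the fresh assertion, the one that expired 30 seconds ago (inside the skew) and the unsigned assertion inside a signed Response, and rejects the replayed ID, the wrong Recipient, the assertion expired by ten minutes, the foreign audience and the assertion that is unsigned in an unsigned Response. What the model leaves out, and what the real validator does through its trust engine and uriComparator, is the XML signature verification itself and the URI-aware comparison of Recipient against the assertion consumer service endpoint.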