Interface BrowserSSOProfileConfiguration

All Superinterfaces:
AttributeResolvingProfileConfiguration, AuthenticationProfileConfiguration, BrowserSSOProfileConfiguration, BrowserSSOProfileConfiguration, Component, IdentifiedComponent, ProfileConfiguration, SAML2ProfileConfiguration, SAMLArtifactConsumerProfileConfiguration, SAMLAssertionConsumingProfileConfiguration, SAMLAssertionProducingProfileConfiguration, SAMLProfileConfiguration
All Known Subinterfaces:
ECPProfileConfiguration
All Known Implementing Classes:
BrowserSSOProfileConfiguration, ECPProfileConfiguration, SSOSProfileConfiguration

Configuration support for IdP and proxied SAML 2.0 Browser SSO.

Adds settings specific to the issuer role for SAML 2.0, along with special features needed for proxying.

  • Field Details

    • DEFAULT_DELEGATION_CHAIN_LENGTH

      @Nonnull static final Long DEFAULT_DELEGATION_CHAIN_LENGTH
      Default maximum delegation chain length.
  • Method Details

    • isIgnoreScoping

      @ConfigurationSetting(name="ignoreScoping") boolean isIgnoreScoping(@Nullable ProfileRequestContext profileRequestContext)
      Gets whether Scoping elements in requests should be ignored/omitted.
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      whether Scoping elements in requests should be ignored/omitted
      Since:
      4.0.0
    • isSkipEndpointValidationWhenSigned

      @ConfigurationSetting(name="skipEndpointValidationWhenSigned") boolean isSkipEndpointValidationWhenSigned(@Nullable ProfileRequestContext profileRequestContext)
      Get condition to determine whether the response endpoint should be validated if the request is signed.
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      condition
      Since:
      4.0.0
    • isRandomizeFriendlyName

      @ConfigurationSetting(name="randomizeFriendlyName") boolean isRandomizeFriendlyName(@Nullable ProfileRequestContext profileRequestContext)
      Gets whether to randomize/perturb the FriendlyName attribute when encoding SAML 2.0 Attributes to enable probing of invalid behavior by relying parties.
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      true iff the FriendlyName should be randomized
      Since:
      5.1.0
    • getProxyAudiences

      @ConfigurationSetting(name="proxyAudiences") @Nonnull @NotLive @Unmodifiable Set<String> getProxyAudiences(@Nullable ProfileRequestContext profileRequestContext)
      Gets the unmodifiable collection of audiences for a proxied assertion.
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      audiences for a proxied assertion
    • isSuppressAuthenticatingAuthority

      @ConfigurationSetting(name="suppressAuthenticatingAuthority") boolean isSuppressAuthenticatingAuthority(@Nullable ProfileRequestContext profileRequestContext)
      Gets whether to suppress inclusion of AuthenticatingAuthority element.

      Defaults to false.

      Parameters:
      profileRequestContext - current profile request context
      Returns:
      true iff the element should be suppressed when possible
      Since:
      4.2.0
    • isProxiedAuthnInstant

      @ConfigurationSetting(name="proxiedAuthnInstant") boolean isProxiedAuthnInstant(@Nullable ProfileRequestContext profileRequestContext)
      Gets whether authentication results produced by use of this profile should carry the proxied assertion's AuthnInstant, rather than the current time.

      Defaults to true.

      Parameters:
      profileRequestContext - current profile request context
      Returns:
      whether to proxy across the inbound AuthnInstant
      Since:
      4.0.0
    • isRequireSignedRequests

      @ConfigurationSetting(name="requireSignedRequests") boolean isRequireSignedRequests(@Nullable ProfileRequestContext profileRequestContext)
      Get whether to require signed requests.
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      whether to require signed requests
      Since:
      4.3.0
    • getMaximumSPSessionLifetime

      @ConfigurationSetting(name="maximumSPSessionLifetime") @Nullable Duration getMaximumSPSessionLifetime(@Nullable ProfileRequestContext profileRequestContext)
      Get the maximum amount of time the service provider should maintain a session for the user based on the authentication assertion. A null or 0 is interpreted as an unlimited lifetime.
      Parameters:
      profileRequestContext - current profile request context
      Returns:
maximum lifetime for which the service provider should maintain a session
    • isAllowDelegation

      @Deprecated(since="5.0.0", forRemoval=true) boolean isAllowDelegation(@Nullable ProfileRequestContext profileRequestContext)
      Deprecated, for removal: This API element is subject to removal in a future version.
      Get the predicate used to determine if produced assertions may be delegated.
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      predicate used to determine if produced assertions may be delegated
    • getMaximumTokenDelegationChainLength

      @Deprecated(since="5.0.0", forRemoval=true) @NonNegative long getMaximumTokenDelegationChainLength(@Nullable ProfileRequestContext profileRequestContext)
      Deprecated, for removal: This API element is subject to removal in a future version.
Get the limit on the total number of delegates that may be derived from the initial SAML token.
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      the limit on the total number of delegates that may be derived from the initial SAML token
    • getAuthnContextTranslationStrategy

      @ConfigurationSetting(name="authnContextTranslationStrategy") @Nullable Function<AuthnContext,Collection<Principal>> getAuthnContextTranslationStrategy(@Nullable ProfileRequestContext profileRequestContext)
      Get the function to use to translate an inbound proxied SAML 2.0 AuthnContext into the appropriate set of custom Principal objects to populate into the subject.
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      translation function
      Since:
      4.0.0
    • getAuthnContextTranslationStrategyEx

      @ConfigurationSetting(name="authnContextTranslationStrategyEx") @Nullable Function<ProfileRequestContext,Collection<Principal>> getAuthnContextTranslationStrategyEx(@Nullable ProfileRequestContext profileRequestContext)
      Get the function to use to translate an inbound proxied response into the appropriate set of custom Principal objects to populate into the subject.

      This differs from the original in that the input is the entire ProfileRequestContext of the proxied authentication state rather than the SAML AuthnContext directly.

      Parameters:
      profileRequestContext - current profile request context
      Returns:
      translation function
      Since:
      4.1.0
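The settings above are normally applied through a Spring bean override in the IdP's relying-party.xml rather than by calling these getters directly. The following fragment is an added example, not part of the Javadoc or of the Shibboleth project's own configuration; it assumes the standard relying-party.xml conventions (the RelyingPartyByName parent bean, the SAML2.SSO profile bean, and p:-namespace properties whose names match the ConfigurationSetting names on this page), and the entity ID is a constructed placeholder. It pairs requireSignedRequests with skipEndpointValidationWhenSigned left at false, so that a signed request still has its response endpoint checked against metadata instead of being trusted on the strength of its signature alone.

```xml
<!-- Added example: per-relying-party override for SAML 2.0 Browser SSO.
     Bean names follow the IdP's default relying-party.xml; the entity ID is constructed. -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org/shibboleth">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                  p:requireSignedRequests="true"
                  p:skipEndpointValidationWhenSigned="false"
                  p:ignoreScoping="false"
                  p:suppressAuthenticatingAuthority="false"
                  p:proxiedAuthnInstant="true"
                  p:maximumSPSessionLifetime="PT8H" />
        </list>
    </property>
</bean>
```

Each p: attribute corresponds to one getter on this interface: requireSignedRequests to isRequireSignedRequests, skipEndpointValidationWhenSigned to isSkipEndpointValidationWhenSigned, and so on. maximumSPSessionLifetime is a Duration, written here in ISO 8601 form; a null or zero value would instead signal an unlimited lifetime, as the getter's documentation states.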