Package net.shibboleth.idp.saml.saml2.profile.config

Class BrowserSSOProfileConfiguration

java.lang.Object
net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent
net.shibboleth.utilities.java.support.component.AbstractIdentifiableInitializableComponent
net.shibboleth.idp.profile.config.AbstractProfileConfiguration
net.shibboleth.idp.profile.config.AbstractConditionalProfileConfiguration
net.shibboleth.idp.saml.profile.config.AbstractSAMLProfileConfiguration
net.shibboleth.idp.saml.saml2.profile.config.AbstractSAML2ProfileConfiguration
net.shibboleth.idp.saml.saml2.profile.config.AbstractSAML2ArtifactAwareProfileConfiguration
net.shibboleth.idp.saml.saml2.profile.config.BrowserSSOProfileConfiguration
All Implemented Interfaces:
AuthenticationProfileConfiguration, ConditionalProfileConfiguration, ProfileConfiguration, SAMLArtifactAwareProfileConfiguration, SAMLArtifactConsumerProfileConfiguration, SAMLProfileConfiguration, SAML2ProfileConfiguration, Component, DestructableComponent, IdentifiableComponent, IdentifiedComponent, InitializableComponent
Direct Known Subclasses:
ECPProfileConfiguration, SSOSProfileConfiguration
public class BrowserSSOProfileConfiguration
extends AbstractSAML2ArtifactAwareProfileConfiguration
implements AuthenticationProfileConfiguration
Configuration support for SAML 2 Browser SSO.

  • Field Details

    • PROFILE_ID

      @Nonnull @NotEmpty public static final String PROFILE_ID
      ID for this profile configuration.
      See Also:
      Constant Field Values

    • DEFAULT_DELEGATION_CHAIN_LENGTH

      @Nonnull public static final Long DEFAULT_DELEGATION_CHAIN_LENGTH
      Default maximum delegation chain length.

    • FEATURE_AUTHNCONTEXT

      public static final int FEATURE_AUTHNCONTEXT
      Bit constant for RequestedAuthnContext feature.
      See Also:
      Constant Field Values

    • FEATURE_SCOPING

      public static final int FEATURE_SCOPING
      Bit constant for Scoping feature.
      See Also:
      Constant Field Values

    • resolveAttributesPredicate

      @Nonnull private Predicate<ProfileRequestContext> resolveAttributesPredicate
      Whether attributes should be resolved in the course of the profile.

    • includeAttributeStatementPredicate

      @Nonnull private Predicate<ProfileRequestContext> includeAttributeStatementPredicate
      Whether responses to the authentication request should include an attribute statement.

    • ignoreScoping

      @Nonnull private Predicate<ProfileRequestContext> ignoreScoping
      Whether to ignore Scoping elements within AuthnRequest.

    • forceAuthnPredicate

      @Nonnull private Predicate<ProfileRequestContext> forceAuthnPredicate
      Whether to mandate forced authentication for the request.

    • checkAddressPredicate

      @Nonnull private Predicate<ProfileRequestContext> checkAddressPredicate
      Whether to compare client and assertion addresses on inbound SSO.

    • skipEndpointValidationWhenSignedPredicate

      @Nonnull private Predicate<ProfileRequestContext> skipEndpointValidationWhenSignedPredicate
      Whether the response endpoint should be validated if the request is signed.

    • proxiedAuthnInstantPredicate

      @Nonnull private Predicate<ProfileRequestContext> proxiedAuthnInstantPredicate
      Whether authentication results should carry the proxied AuthnInstant.

    • maximumSPSessionLifetimeLookupStrategy

      @Nonnull private Function<ProfileRequestContext,​Duration> maximumSPSessionLifetimeLookupStrategy
      Lookup function to supply maximum session lifetime.

    • maximumTimeSinceAuthnLookupStrategy

      @Nonnull private Function<ProfileRequestContext,​Duration> maximumTimeSinceAuthnLookupStrategy
      Lookup function to supply maximum time since inbound AuthnInstant.

    • allowDelegationPredicate

      @Nonnull private Predicate<ProfileRequestContext> allowDelegationPredicate
      The predicate used to determine if produced assertions may be delegated.

    • maximumTokenDelegationChainLengthLookupStrategy

      @Nonnull private Function<ProfileRequestContext,​Long> maximumTokenDelegationChainLengthLookupStrategy
      Lookup function to supply maximum delegation chain length.

    • authnContextTranslationStrategyLookupStrategy

      @Nonnull private Function<ProfileRequestContext,​Function<AuthnContext,​Collection<Principal>>> authnContextTranslationStrategyLookupStrategy
      Lookup function to supply the strategy function for translating SAML 2.0 AuthnContext data.

    • authnContextTranslationStrategyExLookupStrategy

      @Nonnull private Function<ProfileRequestContext,​Function<ProfileRequestContext,​Collection<Principal>>> authnContextTranslationStrategyExLookupStrategy
      Lookup function to supply the strategy function for translating fully-generic data.

    • authnContextComparisonLookupStrategy

      @Nonnull private Function<ProfileRequestContext,​String> authnContextComparisonLookupStrategy
      Lookup function for requested AC operator.

    • defaultAuthenticationContextsLookupStrategy

      @Nonnull private Function<ProfileRequestContext,​Collection<AuthnContextClassRefPrincipal>> defaultAuthenticationContextsLookupStrategy
      Lookup function to supply default authentication methods.

    • authenticationFlowsLookupStrategy

      @Nonnull private Function<ProfileRequestContext,​Set<String>> authenticationFlowsLookupStrategy
      Lookup function to supply authentication flows.

    • postAuthenticationFlowsLookupStrategy

      @Nonnull private Function<ProfileRequestContext,​Collection<String>> postAuthenticationFlowsLookupStrategy
      Lookup function to supply post authentication flows.

    • nameIDFormatPrecedenceLookupStrategy

      @Nonnull private Function<ProfileRequestContext,​Collection<String>> nameIDFormatPrecedenceLookupStrategy
      Lookup function to supply NameID formats.

  • Constructor Details

    • BrowserSSOProfileConfiguration

      public BrowserSSOProfileConfiguration()
      Constructor.

    • BrowserSSOProfileConfiguration

      protected BrowserSSOProfileConfiguration​(@Nonnull @NotEmpty String profileId)
      Constructor.
      Parameters:
      profileId - unique ID for this profile

  • Method Details

    • isResolveAttributes

      public boolean isResolveAttributes​(@Nullable ProfileRequestContext profileRequestContext)
      Get whether attributes should be resolved during the profile.

      Default is true

      Parameters:
      profileRequestContext - current profile request context
      Returns:
      true iff attributes should be resolved

    • setResolveAttributes

      public void setResolveAttributes​(boolean flag)
      Set whether attributes should be resolved during the profile.
      Parameters:
      flag - flag to set

    • setResolveAttributesPredicate

      public void setResolveAttributesPredicate​(@Nonnull Predicate<ProfileRequestContext> condition)
      Set a condition to determine whether attributes should be resolved during the profile.
      Parameters:
      condition - condition to set

    • isIncludeAttributeStatement

      public boolean isIncludeAttributeStatement​(@Nullable ProfileRequestContext profileRequestContext)
      Get whether responses to the authentication request should include an attribute statement.

      Default is true

      Parameters:
      profileRequestContext - current profile request context
      Returns:
      whether responses to the authentication request should include an attribute statement

    • setIncludeAttributeStatement

      public void setIncludeAttributeStatement​(boolean flag)
      Set whether responses to the authentication request should include an attribute statement.
      Parameters:
      flag - flag to set

    • setIncludeAttributeStatementPredicate

      public void setIncludeAttributeStatementPredicate​(@Nonnull Predicate<ProfileRequestContext> condition)
      Set a condition to determine whether responses to the authentication request should include an attribute statement.
      Parameters:
      condition - condition to set

    • isIgnoreScoping

      public boolean isIgnoreScoping​(@Nullable ProfileRequestContext profileRequestContext)
      Gets whether Scoping elements in requests should be ignored/omitted.
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      whether Scoping elements in requests should be ignored/omitted
      Since:
      4.0.0

    • setIgnoreScoping

      public void setIgnoreScoping​(boolean flag)
      Sets whether Scoping elements in requests should be ignored/omitted.

      Defaults to false.

      Parameters:
      flag - flag to set
      Since:
      4.0.0

    • setIgnoreScopingPredicate

      public void setIgnoreScopingPredicate​(@Nonnull Predicate<ProfileRequestContext> condition)
      Sets a condition to determine whether Scoping elements in requests should be ignored/omitted.
      Parameters:
      condition - condition to set
      Since:
      4.0.0

    • isForceAuthn

      public boolean isForceAuthn​(@Nullable ProfileRequestContext profileRequestContext)
      Get whether the authentication process should include a proof of user presence.
      Specified by:
      isForceAuthn in interface AuthenticationProfileConfiguration
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      true iff authentication should require user presence

    • setForceAuthn

      public void setForceAuthn​(boolean flag)
      Set whether a fresh user presence proof should be required for this request.
      Parameters:
      flag - flag to set

    • setForceAuthnPredicate

      public void setForceAuthnPredicate​(@Nonnull Predicate<ProfileRequestContext> condition)
      Set a condition to determine whether a fresh user presence proof should be required for this request.
      Parameters:
      condition - condition to set

    • isCheckAddress

      public boolean isCheckAddress​(@Nullable ProfileRequestContext profileRequestContext)
      Get whether the client's address must match the address in an inbound SubjectLocality element during inbound SSO.
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      whether to compare addresses
      Since:
      4.0.0

    • setCheckAddress

      public void setCheckAddress​(boolean flag)
      Set whether the client's address must match the address in an inbound SubjectLocality element during inbound SSO.
      Parameters:
      flag - flag to set
      Since:
      4.0.0

    • setCheckAddressPredicate

      public void setCheckAddressPredicate​(@Nonnull Predicate<ProfileRequestContext> condition)
      Set a condition to determine whether the client's address must match the address in an inbound SubjectLocality element during inbound SSO.
      Parameters:
      condition - condition to set
      Since:
      4.0.0

    • isSkipEndpointValidationWhenSigned

      public boolean isSkipEndpointValidationWhenSigned​(@Nullable ProfileRequestContext profileRequestContext)
      Get condition to determine whether the response endpoint should be validated if the request is signed.
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      condition
      Since:
      4.0.0

    • setSkipEndpointValidationWhenSigned

      public void setSkipEndpointValidationWhenSigned​(boolean flag)
      Set whether the response endpoint should be validated if the request is signed.
      Parameters:
      flag - flag to set
      Since:
      3.4.0

    • setSkipEndpointValidationWhenSignedPredicate

      public void setSkipEndpointValidationWhenSignedPredicate​(@Nonnull Predicate<ProfileRequestContext> condition)
      Set condition to determine whether the response endpoint should be validated if the request is signed.
      Parameters:
      condition - condition to set
      Since:
      3.4.0

    • isProxiedAuthnInstant

      public boolean isProxiedAuthnInstant​(@Nullable ProfileRequestContext profileRequestContext)
      Gets whether authentication results produced by use of this profile should carry the proxied assertion's AuthnInstant, rather than the current time.

      Defaults to true.

      Parameters:
      profileRequestContext - current profile request context
      Returns:
      whether to proxy across the inbound AuthnInstant
      Since:
      4.0.0

    • setProxiedAuthnInstant

      public void setProxiedAuthnInstant​(boolean flag)
      Sets whether authentication results produced by use of this profile should carry the proxied assertion's AuthnInstant, rather than the current time.
      Parameters:
      flag - flag to set
      Since:
      4.0.0

    • setProxiedAuthnInstantPredicate

      public void setProxiedAuthnInstantPredicate​(@Nonnull Predicate<ProfileRequestContext> condition)
      Sets condition to determine whether authentication results produced by use of this profile should carry the proxied assertion's AuthnInstant, rather than the current time.
      Parameters:
      condition - condition to set
      Since:
      4.0.0

    • getMaximumSPSessionLifetime

      @Nullable public Duration getMaximumSPSessionLifetime​(@Nullable ProfileRequestContext profileRequestContext)
      Get the maximum amount of time the service provider should maintain a session for the user based on the authentication assertion. A null or 0 is interpreted as an unlimited lifetime.
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      max lifetime of service provider should maintain a session

    • setMaximumSPSessionLifetime

      public void setMaximumSPSessionLifetime​(@Nullable Duration lifetime)
      Set the maximum amount of time the service provider should maintain a session for the user based on the authentication assertion. A null or 0 is interpreted as an unlimited lifetime.
      Parameters:
      lifetime - max lifetime of service provider should maintain a session

    • setMaximumSPSessionLifetimeLookupStrategy

      public void setMaximumSPSessionLifetimeLookupStrategy​(@Nonnull Function<ProfileRequestContext,​Duration> strategy)
      Set a lookup strategy for the maximum amount of time the service provider should maintain a session for the user.
      Parameters:
      strategy - lookup strategy
      Since:
      3.4.0

    • getMaximumTimeSinceAuthn

      @Nullable public Duration getMaximumTimeSinceAuthn​(@Nullable ProfileRequestContext profileRequestContext)
      Get the maximum amount of time allowed to have elapsed since an incoming AuthnInstant.

      A null or 0 is interpreted as an unlimited amount.

      Parameters:
      profileRequestContext - current profile request context
      Returns:
      max time since inbound AuthnInstant
      Since:
      4.0.0

    • setMaximumTimeSinceAuthn

      public void setMaximumTimeSinceAuthn​(@Nullable Duration amount)
      Set the maximum amount of time allowed to have elapsed since an incoming AuthnInstant.

      A null or 0 is interpreted as an unlimited amount.

      Parameters:
      amount - max time to allow
      Since:
      4.0.0

    • setMaximumTimeSinceAuthnLookupStrategy

      public void setMaximumTimeSinceAuthnLookupStrategy​(@Nonnull Function<ProfileRequestContext,​Duration> strategy)
      Set a lookup strategy for the maximum amount of time allowed to have elapsed since an incoming AuthnInstant.
      Parameters:
      strategy - lookup strategy
      Since:
      4.0.0

    • isAllowDelegation

      @Nonnull public boolean isAllowDelegation​(@Nullable ProfileRequestContext profileRequestContext)
      Get the predicate used to determine if produced assertions may be delegated.
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      predicate used to determine if produced assertions may be delegated

    • setAllowDelegation

      public void setAllowDelegation​(boolean flag)
      Set whether produced assertions may be delegated.
      Parameters:
      flag - flag to set

    • setAllowDelegationPredicate

      public void setAllowDelegationPredicate​(@Nonnull Predicate<ProfileRequestContext> predicate)
      Set the predicate used to determine if produced assertions may be delegated.
      Parameters:
      predicate - used to determine if produced assertions may be delegated

    • getMaximumTokenDelegationChainLength

      @NonNegative public long getMaximumTokenDelegationChainLength​(@Nullable ProfileRequestContext profileRequestContext)
      Get the limits on the total number of delegates that may be derived from the initial SAML token.
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      the limit on the total number of delegates that may be derived from the initial SAML token

    • setMaximumTokenDelegationChainLength

      public void setMaximumTokenDelegationChainLength​(@NonNegative long length)
      Set the limits on the total number of delegates that may be derived from the initial SAML token.
      Parameters:
      length - the limit on the total number of delegates that may be derived from the initial SAML token

    • setMaximumTokenDelegationChainLengthLookupStrategy

      public void setMaximumTokenDelegationChainLengthLookupStrategy​(@Nonnull Function<ProfileRequestContext,​Long> strategy)
      Set a lookup strategy for the limits on the total number of delegates that may be derived from the initial SAML token.
      Parameters:
      strategy - lookup strategy
      Since:
      3.4.0

    • getAuthnContextTranslationStrategy

      @Nullable public Function<AuthnContext,​Collection<Principal>> getAuthnContextTranslationStrategy​(@Nullable ProfileRequestContext profileRequestContext)
      Get the function to use to translate an inbound proxied SAML 2.0 AuthnContext into the appropriate set of custom Principal objects to populate into the subject.
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      translation function
      Since:
      4.0.0

    • setAuthnContextTranslationStrategy

      public void setAuthnContextTranslationStrategy​(@Nullable Function<AuthnContext,​Collection<Principal>> strategy)
      Set the function to use to translate an inbound proxied SAML 2.0 AuthnContext into the appropriate set of custom Principal objects to populate into the subject.
      Parameters:
      strategy - translation function
      Since:
      4.0.0

    • setAuthnContextTranslationStrategyLookupStrategy

      public void setAuthnContextTranslationStrategyLookupStrategy​(@Nonnull Function<ProfileRequestContext,​Function<AuthnContext,​Collection<Principal>>> strategy)
      Set a lookup strategy for the function to use to translate an inbound proxied SAML 2.0 AuthnContext into the appropriate set of custom Principal objects to populate into the subject.
      Parameters:
      strategy - lookup strategy
      Since:
      4.0.0

    • getAuthnContextTranslationStrategyEx

      @Nullable public Function<ProfileRequestContext,​Collection<Principal>> getAuthnContextTranslationStrategyEx​(@Nullable ProfileRequestContext profileRequestContext)
      Get the function to use to translate an inbound proxied response into the appropriate set of custom Principal objects to populate into the subject.

      This differs from the original in that the input is the entire ProfileRequestContext of the proxied authentication state rather than the SAML AuthnContext directly.

      Parameters:
      profileRequestContext - current profile request context
      Returns:
      translation function
      Since:
      4.1.0

    • setAuthnContextTranslationStrategyEx

      public void setAuthnContextTranslationStrategyEx​(@Nullable Function<ProfileRequestContext,​Collection<Principal>> strategy)
      Set the function to use to translate an inbound proxied response into the appropriate set of custom Principal objects to populate into the subject.

      This differs from the original in that the input is the entire ProfileRequestContext of the proxied authentication state rather than the SAML AuthnContext directly.

      Parameters:
      strategy - translation function
      Since:
      4.1.0

    • setAuthnContextTranslationStrategyExLookupStrategy

      public void setAuthnContextTranslationStrategyExLookupStrategy​(@Nonnull Function<ProfileRequestContext,​Function<ProfileRequestContext,​Collection<Principal>>> strategy)
      Set a lookup strategy for the function to use to translate an inbound proxied response into the appropriate set of custom Principal objects to populate into the subject.

      This differs from the original in that the input is the entire ProfileRequestContext of the proxied authentication state rather than the SAML AuthnContext directly.

      Parameters:
      strategy - lookup strategy
      Since:
      4.1.0

    • getAuthnContextComparison

      @Nullable public AuthnContextComparisonTypeEnumeration getAuthnContextComparison​(@Nullable ProfileRequestContext profileRequestContext)
      Get the comparison operator to use when issuing SAML requests containing requested context classes.
      Parameters:
      profileRequestContext - profile request context
      Returns:
      comparison value or null
      Since:
      4.0.0

    • setAuthnContextComparison

      public void setAuthnContextComparison​(@Nullable AuthnContextComparisonTypeEnumeration comparison)
      Set the comparison operator to use when issuing SAML requests containing requested context classes.
      Parameters:
      comparison - comparison value or null
      Since:
      4.0.0

    • setAuthnContextComparisonLookupStrategy

      public void setAuthnContextComparisonLookupStrategy​(@Nonnull Function<ProfileRequestContext,​String> strategy)
      Set a lookup strategy for the comparison operator to use when issuing SAML requests containing requested context classes.
      Parameters:
      strategy - lookup strategy
      Since:
      4.0.0

    • getDefaultAuthenticationMethods

      @Nonnull @NonnullElements @NotLive @Unmodifiable public List<Principal> getDefaultAuthenticationMethods​(@Nullable ProfileRequestContext profileRequestContext)
      Get the default authentication methods to use, expressed as custom principals.
      Specified by:
      getDefaultAuthenticationMethods in interface AuthenticationProfileConfiguration
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      default authentication methods to use

    • setDefaultAuthenticationMethods

      public void setDefaultAuthenticationMethods​(@Nullable @NonnullElements Collection<AuthnContextClassRefPrincipal> contexts)
      Set the default authentication contexts to use, expressed as custom principals.
      Parameters:
      contexts - default authentication contexts to use

    • setDefaultAuthenticationMethodsLookupStrategy

      public void setDefaultAuthenticationMethodsLookupStrategy​(@Nonnull Function<ProfileRequestContext,​Collection<AuthnContextClassRefPrincipal>> strategy)
      Set a lookup strategy for the authentication contexts to use, expressed as custom principals.
      Parameters:
      strategy - lookup strategy
      Since:
      3.3.0

    • getAuthenticationFlows

      @Nonnull @NonnullElements @NotLive @Unmodifiable public Set<String> getAuthenticationFlows​(@Nullable ProfileRequestContext profileRequestContext)
      Get the allowable authentication flows for this profile.

      The flow IDs returned MUST NOT contain the AuthenticationFlowDescriptor.FLOW_ID_PREFIX prefix common to all interceptor flows.

      Specified by:
      getAuthenticationFlows in interface AuthenticationProfileConfiguration
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      a set of authentication flow IDs to allow

    • setAuthenticationFlows

      public void setAuthenticationFlows​(@Nullable @NonnullElements Collection<String> flows)
      Set the authentication flows to use.
      Parameters:
      flows - flow identifiers to use

    • setAuthenticationFlowsLookupStrategy

      public void setAuthenticationFlowsLookupStrategy​(@Nonnull Function<ProfileRequestContext,​Set<String>> strategy)
      Set a lookup strategy for the authentication flows to use.
      Parameters:
      strategy - lookup strategy
      Since:
      3.3.0

    • getPostAuthenticationFlows

      @Nonnull @NonnullElements @NotLive @Unmodifiable public List<String> getPostAuthenticationFlows​(@Nullable ProfileRequestContext profileRequestContext)
      Get an ordered list of post-authentication interceptor flows to run for this profile.

      The flow IDs returned MUST NOT contain the ProfileInterceptorFlowDescriptor.FLOW_ID_PREFIX prefix common to all interceptor flows.

      Specified by:
      getPostAuthenticationFlows in interface AuthenticationProfileConfiguration
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      a set of interceptor flow IDs to enable

    • setPostAuthenticationFlows

      public void setPostAuthenticationFlows​(@Nullable @NonnullElements Collection<String> flows)
      Set the ordered collection of post-authentication interceptor flows to enable.
      Parameters:
      flows - flow identifiers to enable

    • setPostAuthenticationFlowsLookupStrategy

      public void setPostAuthenticationFlowsLookupStrategy​(@Nonnull Function<ProfileRequestContext,​Collection<String>> strategy)
      Set a lookup strategy for the post-authentication interceptor flows to enable.
      Parameters:
      strategy - lookup strategy
      Since:
      3.3.0

    • getNameIDFormatPrecedence

      @Nonnull @NonnullElements @NotLive @Unmodifiable public List<String> getNameIDFormatPrecedence​(@Nullable ProfileRequestContext profileRequestContext)
      Get the name identifier formats to use.
      Parameters:
      profileRequestContext - profile request context
      Returns:
      formats to use

    • setNameIDFormatPrecedence

      public void setNameIDFormatPrecedence​(@Nonnull @NonnullElements Collection<String> formats)
      Set the name identifier formats to use.
      Parameters:
      formats - name identifier formats to use

    • setNameIDFormatPrecedenceLookupStrategy

      public void setNameIDFormatPrecedenceLookupStrategy​(@Nonnull Function<ProfileRequestContext,​Collection<String>> strategy)
      Set a lookup strategy for the name identifier formats to use.
      Parameters:
      strategy - lookup strategy
      Since:
      3.3.0