Class DecorateDelegatedAssertion

All Implemented Interfaces:
Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action

public class DecorateDelegatedAssertion
extends AbstractProfileAction
A profile action which decorates instances of Assertion appropriately for use as delegation tokens.

An instance of DelegationContext is resolved via the strategy set via setDelegationContextLookupStrategy(Function). If no delegation context is found or if DelegationContext.isIssuingDelegatedAssertion() is false, then no decoration occurs.

The decoration consists of 3 primary parts:

  1. A holder-of-key SubjectConfirmation is added to the assertion's Subject. The credentials used are taken from DelegationContext.getSubjectConfirmationCredentials().
  2. An additional Audience is added to the assertion condition AudienceRestriction, indicating the IdP's own entityID as an acceptable audience. The IdP entityID is resolved from the active RelyingPartyContext, which is resolved via the strategy set by setRelyingPartyContextLookupStrategy(Function).
  3. An additional Attribute is added to the assertion's AttributeStatement containing an EndpointReference, indicating the location and other info necessary for the recipient to present the delegated assertion at the IdP for delegated SSO. The attribute name is a URI type with name LibertyConstants.SERVICE_TYPE_SSOS. The endpoint URL is either set directly on this action via setLibertySSOSEndpointURL(String), or is resolved via the strategy setLibertySSOSEndpointURLLookupStrategy(Function).
Event:
EventIds.INVALID_PROFILE_CTX
  • Field Details

    • log

      private final org.slf4j.Logger log
      Class logger.
    • libertySSOSEndpointURL

      private String libertySSOSEndpointURL
      The URL at which the IdP will accept Liberty ID-WSF SSOS requests.
    • libertySSOSEndpointURLLookupStrategy

      @Nullable private Function<Pair<ProfileRequestContext,​javax.servlet.http.HttpServletRequest>,​String> libertySSOSEndpointURLLookupStrategy
      The strategy used to resolve the URL at which the IdP will accept Liberty ID-WSF SSOS requests.
    • relyingPartyContextLookupStrategy

      @Nonnull private Function<ProfileRequestContext,​RelyingPartyContext> relyingPartyContextLookupStrategy
      Strategy used to lookup the RelyingPartyContext.
    • delegationContextLookupStrategy

      @Nonnull private Function<ProfileRequestContext,​DelegationContext> delegationContextLookupStrategy
      Strategy used to lookup the DelegationContext.
    • assertionLookupStrategy

      @Nonnull private Function<ProfileRequestContext,​List<Assertion>> assertionLookupStrategy
      Strategy used to locate the Assertions on which to operate.
    • keyInfoGeneratorManager

      @Nonnull private NamedKeyInfoGeneratorManager keyInfoGeneratorManager
      The manager used to generate KeyInfo instances from Credentials.
    • delegationContext

      private DelegationContext delegationContext
      The delegation context instance to be populated.
    • assertions

      private List<Assertion> assertions
      The list of assertions on which to operate.
    • relyingPartyContext

      private RelyingPartyContext relyingPartyContext
      The current RelyingPartyContext.
    • responderId

      private String responderId
      The entityID of the local responder entity.
    • relyingPartyId

      private String relyingPartyId
      The entityID of the SAML relying party.
  • Constructor Details

    • DecorateDelegatedAssertion

      public DecorateDelegatedAssertion()
      Constructor.
  • Method Details

    • setLibertySSOSEndpointURL

      public void setLibertySSOSEndpointURL​(@Nullable String url)
      Set the statically-configured URL at which the IdP will accept Liberty ID-WSF SSOS requests.
      Parameters:
      url - the Liberty ID-WSF SSOS endpoint URL, or null
    • setLibertySSOSEndpointURLLookupStrategy

      public void setLibertySSOSEndpointURLLookupStrategy​(@Nullable Function<Pair<ProfileRequestContext,​javax.servlet.http.HttpServletRequest>,​String> strategy)
      Set strategy used to resolve the URL at which the IdP will accept Liberty ID-WSF SSOS requests.
      Parameters:
      strategy - the Liberty ID-WSF SSOS endpoint URL lookup strategy, or null
    • setRelyingPartyContextLookupStrategy

      public void setRelyingPartyContextLookupStrategy​(@Nonnull Function<ProfileRequestContext,​RelyingPartyContext> strategy)
      Set the strategy used to locate the current RelyingPartyContext.
      Parameters:
      strategy - strategy used to locate the current RelyingPartyContext
    • setDelegationContextLookupStrategy

      public void setDelegationContextLookupStrategy​(@Nonnull Function<ProfileRequestContext,​DelegationContext> strategy)
      Set the strategy used to locate the current DelegationContext.
      Parameters:
      strategy - strategy used to locate the current DelegationContext
    • setAssertionLookupStrategy

      public void setAssertionLookupStrategy​(@Nonnull Function<ProfileRequestContext,​List<Assertion>> strategy)
      Set the strategy used to locate the Assertion to operate on.
      Parameters:
      strategy - strategy used to locate the Assertion to operate on
    • setKeyInfoGeneratorManager

      public void setKeyInfoGeneratorManager​(@Nonnull NamedKeyInfoGeneratorManager manager)
      Set the KeyInfoGeneratorManager instance used to generate KeyInfo from Credential.
      Parameters:
      manager - the manager instance to use
    • doInitialize

      protected void doInitialize() throws ComponentInitializationException
      Overrides:
      doInitialize in class AbstractInitializableComponent
      Throws:
      ComponentInitializationException
    • doPreExecute

      protected boolean doPreExecute​(@Nonnull ProfileRequestContext profileRequestContext)
      Overrides:
      doPreExecute in class AbstractConditionalProfileAction
    • doPreExecuteDelegationInfo

      protected boolean doPreExecuteDelegationInfo​(@Nonnull ProfileRequestContext profileRequestContext)
      Pre-execute actions on the delegation-specific info.
      Parameters:
      profileRequestContext - the current profile request context
      Returns:
      true iff doExecute(ProfileRequestContext) should proceed
    • doPreExecuteRelyingParty

      protected boolean doPreExecuteRelyingParty​(@Nonnull ProfileRequestContext profileRequestContext)
      Pre-execute actions on the relying party context info.
      Parameters:
      profileRequestContext - the current profile request context
      Returns:
      true iff doExecute(ProfileRequestContext) should proceed
    • doExecute

      protected void doExecute​(@Nonnull ProfileRequestContext profileRequestContext)
      Overrides:
      doExecute in class AbstractProfileAction
    • resolveLibertySSOSEndpointURL

      private void resolveLibertySSOSEndpointURL​(ProfileRequestContext profileRequestContext)
      Resolve and store the effective Liberty SSOS endpoint URL to use.
      Parameters:
      profileRequestContext - the current request context
    • decorateDelegatedAssertion

      private void decorateDelegatedAssertion​(@Nonnull ProfileRequestContext requestContext) throws EventException
      Decorate the Assertion to allow use as a delegated security token by the SAML requester.
      Parameters:
      requestContext - the current request context
      Throws:
      EventException - to propagate events
    • addLibertySSOSEPRAttribute

      private void addLibertySSOSEPRAttribute​(@Nonnull ProfileRequestContext requestContext, @Nonnull Assertion assertion)
      Add Liberty SSOS service Endpoint Reference (EPR) attribute to Assertion's AttributeStatement.
      Parameters:
      requestContext - the current request context
      assertion - the delegated assertion being issued
    • buildLibertSSOSEPRAttributeValue

      @Nonnull private XMLObject buildLibertSSOSEPRAttributeValue​(@Nonnull ProfileRequestContext requestContext, @Nonnull Assertion assertion)
      Build the Liberty SSOS EPR AttributeValue object.
      Parameters:
      requestContext - the current request context
      assertion - the delegated assertion being issued
      Returns:
      the AttributeValue object containing the EPR
    • addIdPAudienceRestriction

      private void addIdPAudienceRestriction​(@Nonnull ProfileRequestContext requestContext, @Nonnull Assertion assertion)
      An an AudienceRestriction condition indicating the IdP as an acceptable Audience.
      Parameters:
      requestContext - the current request context
      assertion - the assertion being isued
    • addSAMLPeerSubjectConfirmation

      private void addSAMLPeerSubjectConfirmation​(@Nonnull ProfileRequestContext requestContext, @Nonnull Assertion assertion) throws EventException
      Add SubjectConfirmation to the Assertion Subject to allow confirmation when wielded by the SAML requester.
      Parameters:
      requestContext - the current request context
      assertion - the assertion being issued
      Throws:
      EventException - to propagate event signals