net.shibboleth.idp.authn.duo.impl.ValidateDuoAuthAPI

All Implemented Interfaces:: PrincipalSupportingComponent, Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action

public class ValidateDuoAuthAPI extends AbstractValidationAction

An action that checks for a DuoAuthenticationContext and directly produces an AuthenticationResult based on that identity by authenticating against the Duo AuthAPI.

Event:

EventIds.PROCEED_EVENT_ID, AuthnEventIds.AUTHN_EXCEPTION, AuthnEventIds.ACCOUNT_LOCKED, AuthnEventIds.ACCOUNT_WARNING, AuthnEventIds.ACCOUNT_ERROR, AuthnEventIds.NO_CREDENTIALS, AuthnEventIds.INVALID_CREDENTIALS

Precondition:

      ProfileRequestContext.getSubcontext(AuthenticationContext.class).getAttemptedFlow() != null

Postcondition:

If AuthenticationContext.getSubcontext(DuoAuthenticationContext.class) != null, then an AuthenticationResult is saved to the AuthenticationContext on a successful login. On a failed login, the AbstractValidationAction.handleError(ProfileRequestContext, AuthenticationContext, String, String) method is called.

Field Summary

Fields

Modifier and Type

Field

Description

private DuoAuthAuthenticator

authAuthenticator

Implementation of Duo AuthApi /auth endpoint.

private static final String

DEFAULT_METRIC_NAME

Default prefix for metrics.

private DuoAuthenticationContext

duoContext

DuoApi context for tokens.

private DuoIntegration

duoIntegration

Duo integration to use.

private Function<ProfileRequestContext,DuoIntegration>

duoIntegrationLookupStrategy

Lookp strategy for Duo integration.

private final org.slf4j.Logger

log

Class logger.

private DuoPreauthAuthenticator

preauthAuthenticator

Implementation of Duo AuthApi /preauth enpoint.

private String

username

Attempted username.

private Function<ProfileRequestContext,String>

usernameLookupStrategy

Lookup strategy for username to match against Duo identity.
Constructor Summary

Constructors

Constructor

Description

ValidateDuoAuthAPI()

Constructor.
Method Summary

Modifier and Type

Method

Description

protected void

buildAuthenticationResult(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)

Normally called upon successful completion of credential validation, calls the AbstractValidationAction.populateSubject(Subject) abstract method, stores an AuthenticationResult in the AuthenticationContext, and attaches a SubjectCanonicalizationContext to the ProfileRequestContext in preparation for c14n to occur.

protected void

doExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)

Performs this authentication action.

protected void

doInitialize()

protected boolean

doPreExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)

Performs this authentication action's pre-execute step.

protected Subject

populateSubject(Subject subject)

Subclasses must override this method to complete the population of the Subject with Principal and credential information based on the validation they perform.

void

setAuthAuthenticator(DuoAuthAuthenticator authenticator)

Set the DuoAuthAuthenticator.

void

setDuoIntegration(DuoIntegration duo)

Set DuoIntegration details to use directly.

void

setDuoIntegrationLookupStrategy(Function<ProfileRequestContext,DuoIntegration> strategy)

Set DuoIntegration lookup strategy to use.

void

setPreauthAuthenticator(DuoPreauthAuthenticator authenticator)

Set the DuoPreauthAuthenticator.

void

setUsernameLookupStrategy(Function<ProfileRequestContext,String> strategy)

Set the lookup strategy to use for the username to match against Duo identity.

Methods inherited from class net.shibboleth.idp.authn.AbstractValidationAction
addDefaultPrincipals, getClassifiedErrors, getCleanupHook, getMetricName, getRequesterLookupStrategy, getResponderLookupStrategy, getResultCachingPredicate, getSubject, getSupportedPrincipals, handleError, handleError, handleWarning, recordFailure, recordFailure, recordSuccess, recordSuccess, setAddDefaultPrincipals, setClassifiedMessages, setCleanupHook, setMetricName, setRequesterLookupStrategy, setResponderLookupStrategy, setResultCachingPredicate, setSupportedPrincipals

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction
doExecute, doPreExecute, setAuthenticationContextLookupStrategy

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction
doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction
getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction
doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
destroy, doDestroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent
initialize, isInitialized

Field Details
- DEFAULT_METRIC_NAME
  
  @Nonnull @NotEmpty private static final String DEFAULT_METRIC_NAME
  
  Default prefix for metrics.
  See Also:
  
  Constant Field Values
- log
  
  @Nonnull @NotEmpty private final org.slf4j.Logger log
  
  Class logger.
- duoIntegrationLookupStrategy
  
  @Nonnull private Function<ProfileRequestContext,DuoIntegration> duoIntegrationLookupStrategy
  
  Lookp strategy for Duo integration.
- usernameLookupStrategy
  
  @Nonnull private Function<ProfileRequestContext,String> usernameLookupStrategy
  
  Lookup strategy for username to match against Duo identity.
- authAuthenticator
  
  @Nonnull private DuoAuthAuthenticator authAuthenticator
  
  Implementation of Duo AuthApi /auth endpoint.
- preauthAuthenticator
  
  @Nonnull private DuoPreauthAuthenticator preauthAuthenticator
  
  Implementation of Duo AuthApi /preauth enpoint.
- duoContext
  
  @Nonnull @NotEmpty private DuoAuthenticationContext duoContext
  
  DuoApi context for tokens.
- duoIntegration
  
  @Nullable private DuoIntegration duoIntegration
  
  Duo integration to use.
- username
  
  @Nullable @NotEmpty private String username
  
  Attempted username.
Constructor Details
- ValidateDuoAuthAPI
  
  public ValidateDuoAuthAPI()
  
  Constructor.
Method Details
- setDuoIntegrationLookupStrategy
  
  public void setDuoIntegrationLookupStrategy(@Nonnull Function<ProfileRequestContext,DuoIntegration> strategy)
  
  Set DuoIntegration lookup strategy to use.
  
  Parameters:
  
  strategy - lookup strategy
- setDuoIntegration
  
  public void setDuoIntegration(@Nonnull DuoIntegration duo)
  
  Set DuoIntegration details to use directly.
  
  Parameters:
  
  duo - Duo integration details
- setUsernameLookupStrategy
  
  public void setUsernameLookupStrategy(@Nonnull Function<ProfileRequestContext,String> strategy)
  
  Set the lookup strategy to use for the username to match against Duo identity.
  
  Parameters:
  
  strategy - lookup strategy
- setAuthAuthenticator
  
  public void setAuthAuthenticator(@Nonnull DuoAuthAuthenticator authenticator)
  
  Set the DuoAuthAuthenticator.
  
  Parameters:
  
  authenticator - a Duo AuthAPI /auth endpoint implementation
- setPreauthAuthenticator
  
  public void setPreauthAuthenticator(@Nonnull DuoPreauthAuthenticator authenticator)
  
  Set the DuoPreauthAuthenticator.
  
  Parameters:
  
  authenticator - a Duo AuthAPI /preauth endpoint implementation
- doInitialize
  
  protected void doInitialize() throws ComponentInitializationException
  
  Overrides:
  
  doInitialize in class AbstractInitializableComponent
  
  Throws:
  
  ComponentInitializationException
- doPreExecute
  
  protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
  
  Performs this authentication action's pre-execute step. Default implementation just returns true.
  
  Overrides:
  
  doPreExecute in class AbstractValidationAction
  
  Parameters:
  
  profileRequestContext - the current IdP profile request context
  
  authenticationContext - the current authentication context
  
  Returns:
  
  true iff execution should continue
- doExecute
  
  protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
  
  Performs this authentication action. Default implementation throws an exception.
  
  Overrides:
  
  doExecute in class AbstractAuthenticationAction
  
  Parameters:
  
  profileRequestContext - the current IdP profile request context
  
  authenticationContext - the current authentication context
- populateSubject
  
  protected Subject populateSubject(@Nonnull Subject subject)
  
  Subclasses must override this method to complete the population of the Subject with Principal and credential information based on the validation they perform.
  Typically this will include attaching a UsernamePrincipal, but this is not a requirement if other components are suitably overridden.
  
  Specified by:
  
  populateSubject in class AbstractValidationAction
  
  Parameters:
  
  subject - subject to populate
  
  Returns:
  
  the input subject
- buildAuthenticationResult
  
  protected void buildAuthenticationResult(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
  
  Normally called upon successful completion of credential validation, calls the AbstractValidationAction.populateSubject(Subject) abstract method, stores an AuthenticationResult in the AuthenticationContext, and attaches a SubjectCanonicalizationContext to the ProfileRequestContext in preparation for c14n to occur.
  
  Overrides:
  
  buildAuthenticationResult in class AbstractValidationAction
  
  Parameters:
  
  profileRequestContext - the current profile request context
  
  authenticationContext - the current authentication context

Class ValidateDuoAuthAPI

Field Summary

Constructor Summary

Method Summary

Methods inherited from class net.shibboleth.idp.authn.AbstractValidationAction

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

Methods inherited from class java.lang.Object

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

Field Details

DEFAULT_METRIC_NAME

log

duoIntegrationLookupStrategy

usernameLookupStrategy

authAuthenticator

preauthAuthenticator

duoContext

duoIntegration

username

Constructor Details

ValidateDuoAuthAPI

Method Details

setDuoIntegrationLookupStrategy

setDuoIntegration

setUsernameLookupStrategy

setAuthAuthenticator

setPreauthAuthenticator

doInitialize

doPreExecute

doExecute

populateSubject

buildAuthenticationResult