Package net.shibboleth.idp.authn.impl

Class FinalizeAuthentication

java.lang.Object
net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
org.opensaml.profile.action.AbstractProfileAction
org.opensaml.profile.action.AbstractConditionalProfileAction
net.shibboleth.idp.profile.AbstractProfileAction
net.shibboleth.idp.authn.AbstractAuthenticationAction
net.shibboleth.idp.authn.impl.FinalizeAuthentication
All Implemented Interfaces:
Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action
public class FinalizeAuthentication extends AbstractAuthenticationAction
An authentication action that runs after a completed authentication flow (or the reuse of an active result) and transfers information from other contexts into a SubjectContext child of the ProfileRequestContext.

The action enforces any constraints on proxying that may be present in the result against the intended use based on the RelyingPartyContext.

The action also cross-checks RequestedPrincipalContext.getMatchingPrincipal(), if set, against the AuthenticationResult to ensure that the result produced actually satisfies the request. This is redundant when reusing active results, but is necessary to prevent a flow from running that can return different results and having it produce a result that doesn't actually satisfy the request. Such a flow would be buggy, but this guards against a mistake from leaving the subsystem.

If no matching Principal is established, or if the match is no longer valid, the request is evaluated in conjunction with the AuthenticationResult to establish a Principal that does satisfy the request and it is recorded via RequestedPrincipalContext.setMatchingPrincipal(Principal).

The context is populated based on the presence of a canonical principal name in either a SubjectCanonicalizationContext or SessionContext, and also includes the completed AuthenticationResult and any other active results found in the AuthenticationContext.

Any SubjectCanonicalizationContext found will be removed.

If AuthenticationContext.getRequiredName() is set, then this action will validate that the same principal name is represented by it, and signal a mismatch otherwise. This is used in protocols that indicate normatively what the authenticated identity is required to be.

Event:
EventIds.PROCEED_EVENT_ID, AuthnEventIds.INVALID_SUBJECT, AuthnEventIds.INVALID_AUTHN_CTX, AuthnEventIds.REQUEST_UNSUPPORTED
Precondition:
ProfileRequestContext.getSubcontext(AuthenticationContext.class) != null
Postcondition:
If SubjectCanonicalizationContext.getCanonicalPrincipalName() != null || SessionContext.getIdPSession() != null then ProfileRequestContext.getSubcontext(SubjectContext.class) != null, AuthenticationContext.setCompletionInstant() was called, 
ProfileRequestContext.getSubcontext(SubjectCanonicalizationContext.class) == null

  • Field Details

    • log

      @Nonnull private final org.slf4j.Logger log
      Class logger.

    • canonicalPrincipalName

      @Nullable private String canonicalPrincipalName
      The principal name extracted from the context tree.

  • Constructor Details

    • FinalizeAuthentication

      public FinalizeAuthentication()

  • Method Details

    • doPreExecute

      protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
      Performs this authentication action's pre-execute step. Default implementation just returns true.
      Overrides:
      doPreExecute in class AbstractAuthenticationAction
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context
      Returns:
      true iff execution should continue

    • doExecute

      protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
      Performs this authentication action. Default implementation throws an exception.
      Overrides:
      doExecute in class AbstractAuthenticationAction
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context

    • findMatchingPrincipal

      @Nullable protected Principal findMatchingPrincipal(@Nonnull AuthenticationContext authenticationContext, @Nonnull RequestedPrincipalContext requestedPrincipalCtx)
      Evaluate request criteria and the AuthenticationResult to locate a Principal in the result that satisfies the request criteria.

      If a weighting map is supplied, the Principal returned is the one that both satisfies the request and is highest weighted according to the underlying flow descriptor.

      Parameters:
      authenticationContext - authentication context
      requestedPrincipalCtx - request criteria
      Returns:
      matching Principal, or null

    • checkProxyRestrictions

      private boolean checkProxyRestrictions(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull Subject subject)
      Check for proxy restrictions and evaluate them against the request.
      Parameters:
      profileRequestContext - current profile request context
      subject - the authentication result's subject
      Returns:
      true iff processing should continue