Package net.shibboleth.idp.saml.saml2.profile.impl

Class ValidateSAMLAuthentication

java.lang.Object
net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
org.opensaml.profile.action.AbstractProfileAction
org.opensaml.profile.action.AbstractConditionalProfileAction
net.shibboleth.idp.profile.AbstractProfileAction
net.shibboleth.idp.authn.AbstractAuthenticationAction
net.shibboleth.idp.authn.AbstractValidationAction
net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication
All Implemented Interfaces:
PrincipalSupportingComponent, Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action
public class ValidateSAMLAuthentication extends AbstractValidationAction
An action that produces an AuthenticationResult based on an inbound SAML 2.0 SSO response.

A SAMLAuthnContext is used as the basis of the result and the lack of a context is a signal to record a failure. Actual validation is all upstream of this action, but the use of the ValidationAction subclass is a convenience for auditing and handling the result.

Event:
EventIds.PROCEED_EVENT_ID, EventIds.INVALID_PROFILE_CTX, IdPEventIds.INVALID_RELYING_PARTY_CTX, IdPEventIds.INVALID_PROFILE_CONFIG
Precondition:
ProfileRequestContext.getSubcontext(AuthenticationContext.class).getAttemptedFlow() != null
Postcondition:
If AuthenticationContext.getSubcontext(SAMLAuthnContext.class) != null, then an AuthenticationResult is saved to the AuthenticationContext.

  • Field Details

  • Constructor Details

    • ValidateSAMLAuthentication

      public ValidateSAMLAuthentication()
      Constructor.

  • Method Details

    • setTranscoderRegistry

      public void setTranscoderRegistry(@Nullable ReloadableService<AttributeTranscoderRegistry> registry)
      Sets the registry of transcoding rules to apply to encode attributes.
      Parameters:
      registry - registry service interface

    • setAttributeFilter

      public void setAttributeFilter(@Nullable ReloadableService<AttributeFilter> filterService)
      Sets the filter service to use for inbound attributes.
      Parameters:
      filterService - optional filter service for inbound attributes

    • setMetadataResolver

      public void setMetadataResolver(@Nullable MetadataResolver resolver)
      Set a metadata source to use during filtering.
      Parameters:
      resolver - metadata resolver

    • setRelyingPartyContextLookupStrategy

      public void setRelyingPartyContextLookupStrategy(@Nonnull Function<ProfileRequestContext,RelyingPartyContext> strategy)
      Set the strategy used to return the RelyingPartyContext for configuration options.
      Parameters:
      strategy - lookup strategy

    • setAttributeExtractionStrategy

      public void setAttributeExtractionStrategy(@Nullable Function<ProfileRequestContext,Collection<IdPAttribute>> strategy)
      Sets the strategy function to invoke for generalized extraction of data into IdPAttribute objects for inclusion in the AuthenticationResult.
      Parameters:
      strategy - extraction strategy

    • setLoggedAttributeId

      public void setLoggedAttributeId(@Nullable @NotEmpty String id)
      An attribute ID to pull a "name" from for logging purposes.
      Parameters:
      id - attribute ID
      Since:
      4.2.0

    • doPreExecute

      protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
      Performs this authentication action's pre-execute step. Default implementation just returns true.
      Overrides:
      doPreExecute in class AbstractValidationAction
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context
      Returns:
      true iff execution should continue

    • doExecute

      protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
      Performs this authentication action. Default implementation throws an exception.
      Overrides:
      doExecute in class AbstractAuthenticationAction
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context

    • logSuccess

      protected void logSuccess()
      Log a successful authentication based on a designated attribute ID or the NameID value.

    • populateSubject

      @Nonnull protected Subject populateSubject(@Nonnull Subject subject)
      Subclasses must override this method to complete the population of the Subject with Principal and credential information based on the validation they perform.

      Typically this will include attaching a UsernamePrincipal, but this is not a requirement if other components are suitably overridden.

      Specified by:
      populateSubject in class AbstractValidationAction
      Parameters:
      subject - subject to populate
      Returns:
      the input subject

    • buildProxyPrincipal

      @Nonnull private ProxyAuthenticationPrincipal buildProxyPrincipal(@Nonnull AuthnContext authnContext)
      Construct a populated ProxyAuthenticationPrincipal based on the inbound assertion.
      Parameters:
      authnContext - the SAML AuthnContext issued by the proxied IdP
      Returns:
      a constructed ProxyAuthenticationPrincipal to include in the Subject

    • processAttributes

      private void processAttributes(@Nonnull ProfileRequestContext profileRequestContext)
      Process the inbound SAML Attributes.
      Parameters:
      profileRequestContext - current profile request context

    • decodeAttribute

      private void decodeAttribute(@Nonnull AttributeTranscoderRegistry registry, @Nonnull ProfileRequestContext profileRequestContext, @Nonnull Attribute input, @Nonnull @NonnullElements @Live Multimap<String,IdPAttribute> results) throws AttributeDecodingException
      Access the registry of transcoding rules to decode the input Attribute.
      Parameters:
      registry - registry of transcoding rules
      profileRequestContext - current profile request context
      input - input object
      results - collection to add results to
      Throws:
      AttributeDecodingException - if an error occurs or no results were obtained

    • filterAttributes

      private void filterAttributes(@Nonnull ProfileRequestContext profileRequestContext)
      Check for inbound attributes and apply filtering.
      Parameters:
      profileRequestContext - current profile request context

    • populateFilterContext

      private void populateFilterContext(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AttributeFilterContext filterContext)
      Fill in the filter context data.
      Parameters:
      profileRequestContext - current profile request context
      filterContext - context to populate