Package net.shibboleth.idp.authn.duo.impl

Class ValidateDuoWebResponse

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

org.opensaml.profile.action.AbstractProfileAction

org.opensaml.profile.action.AbstractConditionalProfileAction

net.shibboleth.idp.profile.AbstractProfileAction

net.shibboleth.idp.authn.AbstractAuthenticationAction

net.shibboleth.idp.authn.AbstractValidationAction

net.shibboleth.idp.authn.impl.AbstractAuditingValidationAction

net.shibboleth.idp.authn.duo.impl.ValidateDuoWebResponse

All Implemented Interfaces:

PrincipalSupportingComponent, Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action

public class ValidateDuoWebResponse
extends AbstractAuditingValidationAction

An action that validates a DuoWeb response message and produces an AuthenticationResult or records error state.

The username to cross-check comes from a lookup strategy, by default a CanonicalUsernameLookupStrategy that returns a username produced by an earlier authentication flow, and on success the same name is populated into a SubjectCanonicalizationContext as a pre-established result for the login flow.

Since:

3.3.0

Event:

EventIds.PROCEED_EVENT_ID, EventIds.INVALID_PROFILE_CTX, AuthnEventIds.INVALID_CREDENTIALS, AuthnEventIds.NO_CREDENTIALS

Postcondition:

ProfileRequestContext.getSubcontext(SubjectCanonicalizationContext.class).getPrincipalName() != null

Field Summary

Fields

Modifier and Type	Field	Description
private static final String	DEFAULT_METRIC_NAME	Default prefix for metrics.
private DuoIntegration	duoIntegration	Duo integration to use.
private Function<ProfileRequestContext,DuoIntegration>	duoIntegrationLookupStrategy	Lookp strategy for Duo integration.
private final org.slf4j.Logger	log	Class logger.
static final String	RESPONSE_PARAM	Signed response parameter name.
private String	signedResponse	Signed response string.
private String	username	Attempted username.
private Function<ProfileRequestContext,String>	usernameLookupStrategy	Lookup strategy for username to match against Duo identity.

Constructor Summary

Constructors

Constructor	Description
ValidateDuoWebResponse()	Constructor.

Method Summary

Modifier and Type	Method	Description
protected void	buildAuthenticationResult(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)	Normally called upon successful completion of credential validation, calls the AbstractValidationAction.populateSubject(Subject) abstract method, stores an AuthenticationResult in the AuthenticationContext, and attaches a SubjectCanonicalizationContext to the ProfileRequestContext in preparation for c14n to occur.
protected void	doExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)	Performs this authentication action.
protected boolean	doPreExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)	Performs this authentication action's pre-execute step.
protected Map<String,String>	getAuditFields(ProfileRequestContext profileRequestContext)	Subclasses can override this method to supply additional audit fields to store.
protected Subject	populateSubject(Subject subject)	Subclasses must override this method to complete the population of the Subject with Principal and credential information based on the validation they perform.
void	setDuoIntegration(DuoIntegration duo)	Set DuoIntegration details to use directly.
void	setDuoIntegrationLookupStrategy(Function<ProfileRequestContext,DuoIntegration> strategy)	Set DuoIntegration lookup strategy to use.
void	setUsernameLookupStrategy(Function<ProfileRequestContext,String> strategy)	Set the lookup strategy to use for the username to match against Duo identity.

Methods inherited from class net.shibboleth.idp.authn.impl.AbstractAuditingValidationAction

doAudit, doExecute, getAuditContext, recordFailure, recordSuccess, setAuditContextCreationStrategy, setPopulateAuditContextAction, setWriteAuditLogAction

Methods inherited from class net.shibboleth.idp.authn.AbstractValidationAction

addDefaultPrincipals, getClassifiedErrors, getCleanupHook, getMetricName, getRequesterLookupStrategy, getResponderLookupStrategy, getResultCachingPredicate, getSubject, getSupportedPrincipals, handleError, handleError, handleWarning, recordFailure, recordSuccess, setAddDefaultPrincipals, setClassifiedMessages, setCleanupHook, setMetricName, setRequesterLookupStrategy, setResponderLookupStrategy, setResultCachingPredicate, setSupportedPrincipals

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction

doExecute, doPreExecute, setAuthenticationContextLookupStrategy

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

execute, getBean, getBean, getMessage, getMessage, getMessage, getParameter, getParameter, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletRequestSupplier, getHttpServletResponse, getHttpServletResponseSupplier, getLogPrefix, setHttpServletRequest, setHttpServletRequestSupplier, setHttpServletResponse, setHttpServletResponseSupplier

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Details

RESPONSE_PARAM

@Nonnull
@NotEmpty
public static final String RESPONSE_PARAM

Signed response parameter name.

See Also:

• Constant Field Values

DEFAULT_METRIC_NAME

@Nonnull
@NotEmpty
private static final String DEFAULT_METRIC_NAME

Default prefix for metrics.

See Also:

• Constant Field Values

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

duoIntegrationLookupStrategy

@Nonnull
private Function<ProfileRequestContext,DuoIntegration> duoIntegrationLookupStrategy

Lookp strategy for Duo integration.

usernameLookupStrategy

@Nonnull
private Function<ProfileRequestContext,String> usernameLookupStrategy

Lookup strategy for username to match against Duo identity.

duoIntegration

@Nullable
private DuoIntegration duoIntegration

Duo integration to use.

username

@Nullable
@NotEmpty
private String username

Attempted username.

signedResponse

@Nullable
@NotEmpty
private String signedResponse

Signed response string.

Constructor Details

ValidateDuoWebResponse

public ValidateDuoWebResponse()

Constructor.

Method Details

setDuoIntegrationLookupStrategy

public void setDuoIntegrationLookupStrategy(@Nonnull
 Function<ProfileRequestContext,DuoIntegration> strategy)

Set DuoIntegration lookup strategy to use.

Parameters:

strategy - lookup strategy

setDuoIntegration

public void setDuoIntegration(@Nonnull
 DuoIntegration duo)

Set DuoIntegration details to use directly.

Parameters:

duo - Duo integration details

setUsernameLookupStrategy

public void setUsernameLookupStrategy(@Nonnull
 Function<ProfileRequestContext,String> strategy)

Set the lookup strategy to use for the username to match against Duo identity.

Parameters:

strategy - lookup strategy

doPreExecute

protected boolean doPreExecute(@Nonnull
 ProfileRequestContext profileRequestContext,
 @Nonnull
 AuthenticationContext authenticationContext)

Performs this authentication action's pre-execute step. Default implementation just returns true.

Overrides:

doPreExecute in class AbstractValidationAction

Parameters:

profileRequestContext - the current IdP profile request context

authenticationContext - the current authentication context

Returns:

true iff execution should continue

doExecute

protected void doExecute(@Nonnull
 ProfileRequestContext profileRequestContext,
 @Nonnull
 AuthenticationContext authenticationContext)

Performs this authentication action. Default implementation throws an exception.

Overrides:

doExecute in class AbstractAuthenticationAction

Parameters:

profileRequestContext - the current IdP profile request context

authenticationContext - the current authentication context

populateSubject

protected Subject populateSubject(@Nonnull
 Subject subject)

Subclasses must override this method to complete the population of the Subject with Principal and credential information based on the validation they perform.

Typically this will include attaching a UsernamePrincipal, but this is not a requirement if other components are suitably overridden.

Specified by:

populateSubject in class AbstractValidationAction

Parameters:

subject - subject to populate

Returns:

the input subject

buildAuthenticationResult

protected void buildAuthenticationResult(@Nonnull
 ProfileRequestContext profileRequestContext,
 @Nonnull
 AuthenticationContext authenticationContext)

Normally called upon successful completion of credential validation, calls the AbstractValidationAction.populateSubject(Subject) abstract method, stores an AuthenticationResult in the AuthenticationContext, and attaches a SubjectCanonicalizationContext to the ProfileRequestContext in preparation for c14n to occur.

Overrides:

buildAuthenticationResult in class AbstractValidationAction

Parameters:

profileRequestContext - the current profile request context

authenticationContext - the current authentication context

getAuditFields

@Nullable
protected Map<String,String> getAuditFields(@Nonnull
 ProfileRequestContext profileRequestContext)

Subclasses can override this method to supply additional audit fields to store.

Overrides:

getAuditFields in class AbstractAuditingValidationAction

Parameters:

profileRequestContext - profile request context

Returns:

audit fields