Package net.shibboleth.idp.saml.saml2.profile.delegation.impl

Class EvaluateDelegationPolicy

java.lang.Object
net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
org.opensaml.profile.action.AbstractProfileAction
org.opensaml.profile.action.AbstractConditionalProfileAction
net.shibboleth.idp.profile.AbstractProfileAction
net.shibboleth.idp.saml.saml2.profile.delegation.impl.EvaluateDelegationPolicy
All Implemented Interfaces:
Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action
public class EvaluateDelegationPolicy extends AbstractProfileAction
Action which implements policy controls to decide whether an SSO request based on a delegated Assertion token is allowed to proceed.

Two policy checks are performed:

  1. The active SSOSProfileConfiguration is resolved and its predicate is applied. If the predicate evaluates to false, the request is not allowed. An example predicate commonly used here is AllowedSAMLPresentersPredicate.
  2. The length of the delegation chain as indicated in the inbound assertion token's DelegationRestrictionType condition is evaluated against a policy maximum resolved via the strategy set by setPolicyMaxChainLengthStrategy(Function), or from BrowserSSOProfileConfiguration.DEFAULT_DELEGATION_CHAIN_LENGTH if no value can otherwise be resolved. If the chain of Delegate child elements is greater than or equal to the resolved policy max chain length, the request is not allowed. The default policy resolution strategy is to look at the first DelegationPolicy contained within the inbound assertion token's Advice.
Event:
AuthnEventIds.NO_CREDENTIALS, EventIds.INVALID_PROFILE_CTX, EventIds.INVALID_SEC_CFG

  • Field Details

    • log

      @Nonnull private org.slf4j.Logger log
      Logger.

    • relyingPartyContextLookupStrategy

      @Nonnull private Function<ProfileRequestContext,RelyingPartyContext> relyingPartyContextLookupStrategy
      Strategy used to lookup the RelyingPartyContext.

    • assertionTokenStrategy

      @Nonnull private Function<ProfileRequestContext,Assertion> assertionTokenStrategy
      Function used to resolve the assertion token to process.

    • policyMaxChainLengthStrategy

      @Nonnull private Function<ProfileRequestContext,Long> policyMaxChainLengthStrategy
      Function used to resolve the policy maximum delegation chain length.

    • assertionToken

      private Assertion assertionToken
      The inbound delegated assertion token being evaluated.

    • policyMaxChainLength

      private Long policyMaxChainLength
      The policy maximum token delegation chain length.

    • tokenChainLength

      private Long tokenChainLength
      The actual token delegation chain length.

    • delegationAllowed

      private boolean delegationAllowed
      Whether the request is allowed to proceed.

  • Constructor Details

    • EvaluateDelegationPolicy

      public EvaluateDelegationPolicy()
      Constructor.

  • Method Details

    • setPolicyMaxChainLengthStrategy

      public void setPolicyMaxChainLengthStrategy(@Nonnull Function<ProfileRequestContext,Long> strategy)
      Set the strategy used to resolve the policy maximum delegation chain length.
      Parameters:
      strategy - the strategy

    • setAssertionTokenStrategy

      public void setAssertionTokenStrategy(@Nonnull Function<ProfileRequestContext,Assertion> strategy)
      Set the strategy used to locate the inbound assertion token to process.
      Parameters:
      strategy - lookup strategy

    • setRelyingPartyContextLookupStrategy

      public void setRelyingPartyContextLookupStrategy(@Nonnull Function<ProfileRequestContext,RelyingPartyContext> strategy)
      Set the strategy used to locate the current RelyingPartyContext.
      Parameters:
      strategy - strategy used to locate the current RelyingPartyContext

    • doPreExecute

      protected boolean doPreExecute(ProfileRequestContext profileRequestContext)
      Overrides:
      doPreExecute in class AbstractConditionalProfileAction

    • doPreExecuteInbound

      protected boolean doPreExecuteInbound(@Nonnull ProfileRequestContext profileRequestContext)
      Pre-execute actions on the inbound message.
      Parameters:
      profileRequestContext - the current profile request context
      Returns:
      true iff doExecute(ProfileRequestContext) should proceed

    • doPreExecuteRelyingParty

      protected boolean doPreExecuteRelyingParty(@Nonnull ProfileRequestContext profileRequestContext)
      Pre-execute actions on the relying party context info.
      Parameters:
      profileRequestContext - the current profile request context
      Returns:
      true iff doExecute(ProfileRequestContext) should proceed

    • doExecute

      protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext)
      Overrides:
      doExecute in class AbstractProfileAction

    • checkAllowedDelegate

      protected boolean checkAllowedDelegate(@Nonnull ProfileRequestContext profileRequestContext)
      Apply policy control.
      Parameters:
      profileRequestContext - the current request context
      Returns:
      true if check passes, false if not

    • checkTokenDelegationChainLength

      protected boolean checkTokenDelegationChainLength(@Nonnull ProfileRequestContext profileRequestContext)
      Apply policy control which checks the actual token chain length against the policy maximum chain length.
      Parameters:
      profileRequestContext - the current request context
      Returns:
      true if check passes, false if not

    • getTokenDelegationChainLength

      protected Long getTokenDelegationChainLength(@Nonnull Assertion token)
      Get the length of the delegation chain in the presented token.
      Parameters:
      token - the token to evaluate
      Returns:
      the token delegation chain length

    • getDelegationRestrictionCondition

      protected DelegationRestrictionType getDelegationRestrictionCondition(@Nullable Conditions conditions)
      Get the DelegationRestrictionType Condition from the supplied Conditions, if present.
      Parameters:
      conditions - the Assertion Conditions to process
      Returns:
      the DelegationRestrictionType Condition object, or null if not present

    • getPolicyMaxDelegationChainLength

      @Nonnull protected Long getPolicyMaxDelegationChainLength(@Nonnull ProfileRequestContext profileRequestContext)
      Get the effective maximum delegation chain length allowed by policy.
      Parameters:
      profileRequestContext - the current request context
      Returns:
      the policy max delegation chain policy length