Class PopulateDelegationContext

All Implemented Interfaces:
Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action

public class PopulateDelegationContext extends AbstractProfileAction
A profile action which determines whether issuance of a delegated Assertion token is active, and populates a DelegationContext appropriately.

The output of 3 different evaluations is combined to produce the final result:

  1. Determination is made whether delegation is requested by the relying party, as a value of type DelegationRequest. Delegation may be requested via:
  2. Determination is made whether issuance of a delegated token is allowed for the relying party, based on the (predicate driven) BrowserSSOProfileConfiguration.isAllowDelegation(ProfileRequestContext) method.
  3. Holder-of-key subject confirmation Credential instances are resolved for the relying party from its resolved metadata RoleDescriptor.

If 1) delegation is allowed, 2) subject confirmation credentials were resolved, and 3) request status was either DelegationRequest.REQUESTED_OPTIONAL or DelegationRequest.REQUESTED_REQUIRED, a DelegationContext is populated indicating issuance of delegated token to be active, and containing the resolved subject confirmation credentials.

If request status was DelegationRequest.REQUESTED_REQUIRED but delegation was not allowed and/or no subject confirmation credentials could be resolved, a fatal event is produced.

Otherwise, issuance of a delegated token is not active and so no DelegationContext is populated.
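The decision table above (three evaluations, one of four outcomes) is easy to get subtly wrong, so here it is as a stand-alone Java model. This is an added illustration, not Shibboleth IdP code: the `DelegationRequest` enum, `Credential`, `DelegationContext` and `Outcome` types are assumed stand-ins for the real classes (the `NOT_REQUESTED` constant is assumed; only `REQUESTED_OPTIONAL` and `REQUESTED_REQUIRED` appear on this page), and which of the listed event IDs the real action emits in each failure case is not stated here, so the mapping in `decide` is an assumption.

```java
import java.util.List;

/**
 * Stand-alone model of the PopulateDelegationContext decision (added example, not project code).
 * It combines: (1) whether the relying party requested delegation, (2) whether delegation is
 * allowed for that relying party, and (3) whether holder-of-key subject confirmation
 * credentials could be resolved from the relying party's metadata.
 */
public class DelegationDecisionExample {

    /** Assumed stand-in for the IdP's DelegationRequest enum. */
    enum DelegationRequest { NOT_REQUESTED, REQUESTED_OPTIONAL, REQUESTED_REQUIRED }

    /** Assumed stand-in for an OpenSAML Credential (holder-of-key key material). */
    record Credential(String keyName) { }

    /** Assumed stand-in for DelegationContext: active flag plus the resolved HoK credentials. */
    record DelegationContext(boolean issuingDelegatedAssertion,
                             List<Credential> subjectConfirmationCredentials) { }

    /** Result of the action: a populated context, no context, or a fatal event id (assumed type). */
    record Outcome(DelegationContext context, String fatalEvent) {
        static Outcome active(List<Credential> creds) {
            return new Outcome(new DelegationContext(true, creds), null);
        }
        static Outcome inactive() { return new Outcome(null, null); }
        static Outcome fatal(String eventId) { return new Outcome(null, eventId); }
    }

    /**
     * Combine the three evaluations as the class documentation describes.
     * The event ids come from the page's Event list; which one applies to which failure
     * is an assumption made for this example.
     */
    static Outcome decide(DelegationRequest requested,
                          boolean delegationAllowed,
                          List<Credential> confirmationCredentials) {
        boolean credentialsResolved =
                confirmationCredentials != null && !confirmationCredentials.isEmpty();
        boolean requestedByRp = requested == DelegationRequest.REQUESTED_OPTIONAL
                || requested == DelegationRequest.REQUESTED_REQUIRED;

        // All three conditions hold: delegated token issuance is active.
        if (requestedByRp && delegationAllowed && credentialsResolved) {
            return Outcome.active(List.copyOf(confirmationCredentials));
        }
        // The relying party insisted on delegation but it cannot be honoured: fail closed.
        // Issuing an Assertion without holder-of-key confirmation keys would defeat the purpose
        // of the HoK binding, so a fatal event ends the request instead.
        if (requested == DelegationRequest.REQUESTED_REQUIRED) {
            return Outcome.fatal(delegationAllowed ? "INVALID_SEC_CFG" : "MESSAGE_PROC_ERROR");
        }
        // Not requested, or optional and not satisfiable: proceed without a DelegationContext.
        return Outcome.inactive();
    }

    public static void main(String[] args) {
        List<Credential> hokKeys = List.of(new Credential("sp-hok-signing-key")); // constructed sample
        List<Credential> noKeys = List.of();

        System.out.println("optional, allowed, keys   -> "
                + decide(DelegationRequest.REQUESTED_OPTIONAL, true, hokKeys));
        System.out.println("optional, allowed, no keys-> "
                + decide(DelegationRequest.REQUESTED_OPTIONAL, true, noKeys));
        System.out.println("required, denied, keys    -> "
                + decide(DelegationRequest.REQUESTED_REQUIRED, false, hokKeys));
        System.out.println("required, allowed, no keys-> "
                + decide(DelegationRequest.REQUESTED_REQUIRED, true, noKeys));
        System.out.println("not requested, allowed    -> "
                + decide(DelegationRequest.NOT_REQUESTED, true, hokKeys));
    }
}
```

The point worth noticing is the asymmetry between `REQUESTED_OPTIONAL` and `REQUESTED_REQUIRED`: an optional request that cannot be satisfied silently degrades to an ordinary (non-delegated) response, whereas a required request that cannot be satisfied terminates the flow with a fatal event, so a misconfigured `isAllowDelegation` predicate or missing holder-of-key key descriptors in the relying party's metadata surfaces as an error rather than as a weaker token.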

Event:
EventIds.INVALID_MSG_CTX, EventIds.INVALID_PROFILE_CTX, EventIds.MESSAGE_PROC_ERROR, EventIds.INVALID_SEC_CFG

  • Field Details

    • log

      @Nonnull private final org.slf4j.Logger log
      Class logger.
    • relyingPartyContextLookupStrategy

      @Nonnull private Function<ProfileRequestContext,RelyingPartyContext> relyingPartyContextLookupStrategy
      Strategy used to lookup the RelyingPartyContext.
    • samlMetadataContextLookupStrategy

      @Nonnull private Function<ProfileRequestContext,SAMLMetadataContext> samlMetadataContextLookupStrategy
      Strategy used to lookup the SAMLMetadataContext.
    • delegationContextLookupStrategy

      @Nonnull private Function<ProfileRequestContext,DelegationContext> delegationContextLookupStrategy
      Strategy used to lookup the DelegationContext.
    • defaultDelegationRequested

      private DelegationRequest defaultDelegationRequested
      Default delegation request value.
    • credentialResolver

      @Nonnull private CredentialResolver credentialResolver
      The credential resolver used to resolve HoK Credentials for the peer.
    • delegationRequested

      private DelegationRequest delegationRequested
      The delegation requested state for the current request.
    • relyingPartyContext

      private RelyingPartyContext relyingPartyContext
      The current RelyingPartyContext.
    • delegationAllowed

      private boolean delegationAllowed
      Whether delegation is allowed for the current relying party.
    • responderId

      private String responderId
      The entityID of the local responder entity.
    • relyingPartyId

      private String relyingPartyId
      The entityID of the SAML relying party.
    • roleDescriptor

      private RoleDescriptor roleDescriptor
      The RoleDescriptor for the SAML peer entity.
    • attributeConsumingService

      private AttributeConsumingService attributeConsumingService
      The AttributeConsumingService for the SAML peer entity.
    • confirmationCredentials

      private List<Credential> confirmationCredentials
      The subject confirmation credentials.
  • Constructor Details

    • PopulateDelegationContext

      public PopulateDelegationContext()
      Constructor.
  • Method Details

    • setRelyingPartyContextLookupStrategy

      public void setRelyingPartyContextLookupStrategy(@Nonnull Function<ProfileRequestContext,RelyingPartyContext> strategy)
      Set the strategy used to locate the current RelyingPartyContext.
      Parameters:
      strategy - strategy used to locate the current RelyingPartyContext
    • setSAMLMetadataContextLookupStrategy

      public void setSAMLMetadataContextLookupStrategy(@Nonnull Function<ProfileRequestContext,SAMLMetadataContext> strategy)
      Set the strategy used to locate the current SAMLMetadataContext.
      Parameters:
      strategy - strategy used to locate the current SAMLMetadataContext
    • setDelegationContextLookupStrategy

      public void setDelegationContextLookupStrategy(@Nonnull Function<ProfileRequestContext,DelegationContext> strategy)
      Set the strategy used to locate the current DelegationContext.
      Parameters:
      strategy - strategy used to locate the current DelegationContext
    • setCredentialResolver

      public void setCredentialResolver(@Nonnull CredentialResolver resolver)
      Set the CredentialResolver instance to use to resolve HoK Credential.

      Typically this should be a metadata-based resolver which accepts input as the peer's RoleDescriptor.

      Parameters:
      resolver - the resolver instance to use
    • getDefaultDelegationRequested

      @Nonnull public DelegationRequest getDefaultDelegationRequested()
      Get the effective default value for whether request processing should proceed with issuance of a delegation token.
      Returns:
      the default value
    • setDefaultDelegationRequested

      public void setDefaultDelegationRequested(@Nonnull DelegationRequest delegationRequest)
      Set the effective default value for whether request processing should proceed with issuance of a delegation token.
      Parameters:
      delegationRequest - the default delegation requested value
    • doInitialize

      protected void doInitialize() throws ComponentInitializationException
      Overrides:
      doInitialize in class AbstractInitializableComponent
      Throws:
      ComponentInitializationException
    • doPreExecute

      protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext)
      Overrides:
      doPreExecute in class AbstractConditionalProfileAction
    • doPreExecuteInbound

      protected boolean doPreExecuteInbound(@Nonnull ProfileRequestContext profileRequestContext)
      Pre-execute actions on the inbound message.
      Parameters:
      profileRequestContext - the current profile request context
      Returns:
      true iff doExecute(ProfileRequestContext) should proceed
    • doPreExecuteRelyingParty

      protected boolean doPreExecuteRelyingParty(@Nonnull ProfileRequestContext profileRequestContext)
      Pre-execute actions on the relying party context info.
      Parameters:
      profileRequestContext - the current profile request context
      Returns:
      true iff doExecute(ProfileRequestContext) should proceed
    • doPreExecuteMetadata

      protected boolean doPreExecuteMetadata(@Nonnull ProfileRequestContext profileRequestContext)
      Pre-execute actions on the relying party metadata.
      Parameters:
      profileRequestContext - the current profile request context
      Returns:
      true iff doExecute(ProfileRequestContext) should proceed, false otherwise
    • doExecute

      protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext)
      Overrides:
      doExecute in class AbstractProfileAction
    • createAndPopulateDelegationContext

      private void createAndPopulateDelegationContext(ProfileRequestContext profileRequestContext)
      Create and populate the DelegationContext using the available information.
      Parameters:
      profileRequestContext - the current request context
    • resolveConfirmationCredentials

      private List<Credential> resolveConfirmationCredentials(@Nonnull ProfileRequestContext requestContext)
      Resolve the subject confirmation credentials.
      Parameters:
      requestContext - the current request context
      Returns:
      the subject confirmation credentials, or null if not resolvable or there is an error
    • getDelegationRequested

      private DelegationRequest getDelegationRequested(@Nonnull ProfileRequestContext requestContext)
      Check whether issuance of a delegated token has been requested.
      Parameters:
      requestContext - the current request context
      Returns:
      true if delegation is requested, false otherwise
    • getDelegationRequestedByMetadata

      @Nonnull private DelegationRequest getDelegationRequestedByMetadata(@Nonnull ProfileRequestContext requestContext)
      Determine whether a delegation token was requested via the SP's SPSSODescriptor AttributeConsumingService.
      Parameters:
      requestContext - the current request context
      Returns:
      DelegationRequest enum value as appropriate
    • isDelegationRequestedByAudience

      private boolean isDelegationRequestedByAudience(@Nonnull ProfileRequestContext requestContext)
      Determine whether a delegation token was requested via the inbound AuthnRequest's Conditions' AudienceRestriction.
      Parameters:
      requestContext - the current request context
      Returns:
      true if the AudienceRestriction condition contained the local entityID, false otherwise