edu.internet2.middleware.shibboleth.idp.profile
Class AbstractSAMLProfileHandler

java.lang.Object
  extended by edu.internet2.middleware.shibboleth.common.profile.provider.AbstractRequestURIMappedProfileHandler<org.opensaml.ws.transport.http.HTTPInTransport,org.opensaml.ws.transport.http.HTTPOutTransport>
      extended by edu.internet2.middleware.shibboleth.common.profile.provider.AbstractShibbolethProfileHandler<edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager,Session>
          extended by edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler
All Implemented Interfaces:
edu.internet2.middleware.shibboleth.common.profile.ProfileHandler<org.opensaml.ws.transport.http.HTTPInTransport,org.opensaml.ws.transport.http.HTTPOutTransport>
Direct Known Subclasses:
AbstractSAML1ProfileHandler, AbstractSAML2ProfileHandler

public abstract class AbstractSAMLProfileHandler
extends edu.internet2.middleware.shibboleth.common.profile.provider.AbstractShibbolethProfileHandler<edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager,Session>

Base class for SAML profile handlers.


Constructor Summary
protected AbstractSAMLProfileHandler()
          Constructor.
 
Method Summary
protected  void encodeResponse(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
          Encodes the request's SAML response and writes it to the servlet response.
protected  org.slf4j.Logger getAduitLog()
          Gets the audit log for this handler.
protected  List<String> getEntitySupportedFormats(org.opensaml.saml2.metadata.RoleDescriptor role)
          Gets the list of name identifier formats supported for a given role.
 org.opensaml.common.IdentifierGenerator getIdGenerator()
          Gets an ID generator which may be used for SAML assertions, requests, etc.
 String getInboundBinding()
          Gets the SAML message binding used by inbound messages.
protected  org.opensaml.common.binding.decoding.SAMLMessageDecoder getInboundMessageDecoder(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
          Get the inbound message decoder to use.
 Map<String,org.opensaml.common.binding.decoding.SAMLMessageDecoder> getMessageDecoders()
          Gets all the SAML message decoders configured for the IdP indexed by SAML binding URI.
 Map<String,org.opensaml.common.binding.encoding.SAMLMessageEncoder> getMessageEncoders()
          Gets all the SAML message encoders configured for the IdP indexed by SAML binding URI.
 org.opensaml.saml2.metadata.provider.MetadataProvider getMetadataProvider()
          A convenience method for retrieving the SAML metadata provider from the relying party manager.
protected  List<String> getNameFormats(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
          Gets the name identifier formats to use when creating identifiers for the relying party.
protected  org.opensaml.common.binding.encoding.SAMLMessageEncoder getOutboundMessageEncoder(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
          Get the outbound message encoder to use.
 edu.internet2.middleware.shibboleth.common.relyingparty.RelyingPartyConfiguration getRelyingPartyConfiguration(String relyingPartyId)
          
 org.opensaml.ws.security.SecurityPolicyResolver getSecurityPolicyResolver()
          Gets the resolver used to determine active security policy for an incoming request.
 List<String> getSupportedOutboundBindings()
          Gets the SAML message bindings that may be used by outbound messages.
protected  Session getUserSession(org.opensaml.ws.transport.InTransport inTransport)
          Gets the user's session, if there is one.
protected  Session getUserSession(String principalName)
          Gets the user's session based on their principal name.
protected  boolean isSignResponse(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
          Determine whether responses should be signed.
protected  void populateAssertingPartyInformation(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
          Populates the request context with information about the asserting party.
protected  void populateProfileInformation(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
          Populates the request context with the information about the profile.
protected  void populateRelyingPartyInformation(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
          Populates the request context with information about the relying party.
protected  void populateRequestContext(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
          Populates the request context with information.
protected abstract  void populateSAMLMessageInformation(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
          Populates the request context with information from the inbound SAML message.
protected abstract  void populateUserInformation(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
          Populates the request context with the information about the user if they have an existing session.
protected abstract  org.opensaml.saml2.metadata.Endpoint selectEndpoint(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
          Selects the appropriate endpoint for the relying party and stores it in the request context.
 void setIdGenerator(org.opensaml.common.IdentifierGenerator generator)
          Sets the ID generator which may be used for SAML assertions, requests, etc.
 void setInboundBinding(String binding)
          Sets the SAML message binding used by inbound messages.
 void setMessageDecoders(Map<String,org.opensaml.common.binding.decoding.SAMLMessageDecoder> decoders)
          Sets all the SAML message decoders configured for the IdP indexed by SAML binding URI.
 void setMessageEncoders(Map<String,org.opensaml.common.binding.encoding.SAMLMessageEncoder> encoders)
          Sets all the SAML message encoders configured for the IdP indexed by SAML binding URI.
 void setSecurityPolicyResolver(org.opensaml.ws.security.SecurityPolicyResolver resolver)
          Sets the resolver used to determine active security policy for an incoming request.
 void setSupportedOutboundBindings(List<String> bindings)
          Sets the SAML message bindings that may be used by outbound messages.
protected  void writeAuditLogEntry(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext context)
          Writes an audit log entry indicating the successful response to the attribute request.
 
Methods inherited from class edu.internet2.middleware.shibboleth.common.profile.provider.AbstractShibbolethProfileHandler
getBuilderFactory, getParserPool, getProfileConfiguration, getProfileId, getRelyingPartyConfigurationManager, getSessionManager, setParserPool, setRelyingPartyConfigurationManager, setSessionManager
 
Methods inherited from class edu.internet2.middleware.shibboleth.common.profile.provider.AbstractRequestURIMappedProfileHandler
getRequestPaths, setRequestPaths
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 
Methods inherited from interface edu.internet2.middleware.shibboleth.common.profile.ProfileHandler
processRequest
 

Constructor Detail

AbstractSAMLProfileHandler

protected AbstractSAMLProfileHandler()
Constructor.

Method Detail

getSecurityPolicyResolver

public org.opensaml.ws.security.SecurityPolicyResolver getSecurityPolicyResolver()
Gets the resolver used to determine active security policy for an incoming request.

Returns:
resolver used to determine active security policy for an incoming request

setSecurityPolicyResolver

public void setSecurityPolicyResolver(org.opensaml.ws.security.SecurityPolicyResolver resolver)
Sets the resolver used to determine active security policy for an incoming request.

Parameters:
resolver - resolver used to determine active security policy for an incoming request

getAduitLog

protected org.slf4j.Logger getAduitLog()
Gets the audit log for this handler.

Returns:
audit log for this handler

getIdGenerator

public org.opensaml.common.IdentifierGenerator getIdGenerator()
Gets an ID generator which may be used for SAML assertions, requests, etc.

Returns:
ID generator

getInboundBinding

public String getInboundBinding()
Gets the SAML message binding used by inbound messages.

Returns:
SAML message binding used by inbound messages

getMessageDecoders

public Map<String,org.opensaml.common.binding.decoding.SAMLMessageDecoder> getMessageDecoders()
Gets all the SAML message decoders configured for the IdP indexed by SAML binding URI.

Returns:
SAML message decoders configured for the IdP indexed by SAML binding URI

getMessageEncoders

public Map<String,org.opensaml.common.binding.encoding.SAMLMessageEncoder> getMessageEncoders()
Gets all the SAML message encoders configured for the IdP indexed by SAML binding URI.

Returns:
SAML message encoders configured for the IdP indexed by SAML binding URI

getMetadataProvider

public org.opensaml.saml2.metadata.provider.MetadataProvider getMetadataProvider()
A convenience method for retrieving the SAML metadata provider from the relying party manager.

Returns:
the metadata provider or null

getSupportedOutboundBindings

public List<String> getSupportedOutboundBindings()
Gets the SAML message bindings that may be used by outbound messages.

Returns:
SAML message bindings that may be used by outbound messages

getUserSession

protected Session getUserSession(org.opensaml.ws.transport.InTransport inTransport)
Gets the user's session, if there is one.

Parameters:
inTransport - current inbound transport
Returns:
user's session

getUserSession

protected Session getUserSession(String principalName)
Gets the user's session based on their principal name.

Parameters:
principalName - user's principal name
Returns:
the user's session

setIdGenerator

public void setIdGenerator(org.opensaml.common.IdentifierGenerator generator)
Sets the ID generator which may be used for SAML assertions, requests, etc.

Parameters:
generator - an ID generator which may be used for SAML assertions, requests, etc

setInboundBinding

public void setInboundBinding(String binding)
Sets the SAML message binding used by inbound messages.

Parameters:
binding - SAML message binding used by inbound messages

setMessageDecoders

public void setMessageDecoders(Map<String,org.opensaml.common.binding.decoding.SAMLMessageDecoder> decoders)
Sets all the SAML message decoders configured for the IdP indexed by SAML binding URI.

Parameters:
decoders - SAML message decoders configured for the IdP indexed by SAML binding URI

setMessageEncoders

public void setMessageEncoders(Map<String,org.opensaml.common.binding.encoding.SAMLMessageEncoder> encoders)
Sets all the SAML message encoders configured for the IdP indexed by SAML binding URI.

Parameters:
encoders - SAML message encoders configured for the IdP indexed by SAML binding URI

setSupportedOutboundBindings

public void setSupportedOutboundBindings(List<String> bindings)
Sets the SAML message bindings that may be used by outbound messages.

Parameters:
bindings - SAML message bindings that may be used by outbound messages

getRelyingPartyConfiguration

public edu.internet2.middleware.shibboleth.common.relyingparty.RelyingPartyConfiguration getRelyingPartyConfiguration(String relyingPartyId)

Overrides:
getRelyingPartyConfiguration in class edu.internet2.middleware.shibboleth.common.profile.provider.AbstractShibbolethProfileHandler<edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager,Session>

populateRequestContext

protected void populateRequestContext(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
                               throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Populates the request context with information. This method requires the following request context properties to be populated: inbound message transport, peer entity ID, metadata provider. This method populates the following request context properties: user's session, user's principal name, service authentication method, peer entity metadata, relying party configuration, local entity ID, outbound message issuer, local entity metadata.

Parameters:
requestContext - current request context
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if there is a problem looking up the relying party's metadata

populateRelyingPartyInformation

protected void populateRelyingPartyInformation(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
                                        throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Populates the request context with information about the relying party. This method requires the following request context properties to be populated: peer entity ID. This method populates the following request context properties: peer entity metadata, relying party configuration.

Parameters:
requestContext - current request context
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if there is a problem looking up the relying party's metadata

populateAssertingPartyInformation

protected void populateAssertingPartyInformation(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
                                          throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Populates the request context with information about the asserting party. Unless overridden, populateRequestContext(BaseSAMLProfileRequestContext) has already invoked populateRelyingPartyInformation(BaseSAMLProfileRequestContext), and the properties it provides are available in the request context. This method requires the following request context properties to be populated: metadata provider, relying party configuration. This method populates the following request context properties: local entity ID, outbound message issuer, local entity metadata.

Parameters:
requestContext - current request context
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if there is a problem looking up the asserting party's metadata

populateSAMLMessageInformation

protected abstract void populateSAMLMessageInformation(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
                                                throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Populates the request context with information from the inbound SAML message. Unless overridden, populateRequestContext(BaseSAMLProfileRequestContext) has already invoked populateRelyingPartyInformation(BaseSAMLProfileRequestContext) and populateAssertingPartyInformation(BaseSAMLProfileRequestContext), and the properties they provide are available in the request context.

Parameters:
requestContext - current request context
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if there is a problem populating the request context with information

populateProfileInformation

protected void populateProfileInformation(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
                                   throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Populates the request context with the information about the profile. Unless overridden, populateRequestContext(BaseSAMLProfileRequestContext) has already invoked populateRelyingPartyInformation(BaseSAMLProfileRequestContext), populateAssertingPartyInformation(BaseSAMLProfileRequestContext), and populateSAMLMessageInformation(BaseSAMLProfileRequestContext), and the properties they provide are available in the request context. This method requires the following request context properties to be populated: relying party configuration. This method populates the following request context properties: communication profile ID, profile configuration, outbound message artifact type, peer entity endpoint.

Parameters:
requestContext - current request context
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if there is a problem populating the profile information

getNameFormats

protected List<String> getNameFormats(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
                               throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Gets the name identifier formats to use when creating identifiers for the relying party.

Parameters:
requestContext - current request context
Returns:
list of formats that may be used with the relying party, or an empty list for no preference
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if there is a problem determining the name identifier format to use

getEntitySupportedFormats

protected List<String> getEntitySupportedFormats(org.opensaml.saml2.metadata.RoleDescriptor role)
Gets the list of name identifier formats supported for a given role.

Parameters:
role - the role to get the list of supported name identifier formats
Returns:
list of supported name identifier formats

populateUserInformation

protected abstract void populateUserInformation(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
                                         throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Populates the request context with the information about the user if they have an existing session. Unless overridden, populateRequestContext(BaseSAMLProfileRequestContext) has already invoked populateRelyingPartyInformation(BaseSAMLProfileRequestContext), populateAssertingPartyInformation(BaseSAMLProfileRequestContext), populateProfileInformation(BaseSAMLProfileRequestContext), and populateSAMLMessageInformation(BaseSAMLProfileRequestContext), and the properties they provide are available in the request context. This method should populate: user's session, user's principal name, and service authentication method.

Parameters:
requestContext - current request context
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if there is a problem populating the user's information

selectEndpoint

protected abstract org.opensaml.saml2.metadata.Endpoint selectEndpoint(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
                                                                throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Selects the appropriate endpoint for the relying party and stores it in the request context.

Parameters:
requestContext - current request context
Returns:
Endpoint selected from the information provided in the request context
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if there is a problem selecting a response endpoint

encodeResponse

protected void encodeResponse(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
                       throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Encodes the request's SAML response and writes it to the servlet response.

Parameters:
requestContext - current request context
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if no message encoder is registered for this profile's binding

isSignResponse

protected boolean isSignResponse(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
                          throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Determine whether responses should be signed.

Parameters:
requestContext - the current request context
Returns:
true if responses should be signed, false otherwise
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - if there is a problem determining whether responses should be signed

getOutboundMessageEncoder

protected org.opensaml.common.binding.encoding.SAMLMessageEncoder getOutboundMessageEncoder(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
                                                                                     throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Get the outbound message encoder to use.

The default implementation uses the binding URI from the SAMLMessageContext.getPeerEntityEndpoint() to look up the encoder among the supported message encoders defined in getMessageEncoders().

Subclasses may override this to implement a different mechanism for determining the encoder to use, for example where an active intermediary actor sits between this provider and the peer entity endpoint (e.g. the SAML 2 ECP case).

Parameters:
requestContext - current request context
Returns:
the message encoder to use
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - if the encoder to use can not be resolved based on the request context
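The following is an added example, not code from the Shibboleth IdP or from this class. It shows a hypothetical subclass, BindingCheckedProfileHandler, that performs the same binding-URI lookup the default getOutboundMessageEncoder() is documented to do, but first checks that the binding declared by the peer endpoint (which comes from relying-party metadata) is one this handler has been configured to emit via getSupportedOutboundBindings(). That extra check is the example's own addition; it assumes the OpenSAML 2 Endpoint.getBinding() accessor and a ProfileException(String) constructor, and leaves the remaining abstract methods of this class to a concrete subclass.

```java
import java.util.List;
import java.util.Map;

import org.opensaml.common.binding.encoding.SAMLMessageEncoder;
import org.opensaml.saml2.metadata.Endpoint;

import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
import edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext;
import edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler;

/**
 * Hypothetical subclass (added example, not part of Shibboleth) that resolves the
 * outbound encoder from the peer endpoint's binding URI, as the base class does, and
 * additionally refuses bindings that are not in getSupportedOutboundBindings().
 * Abstract methods such as selectEndpoint() are left to a concrete subclass.
 */
public abstract class BindingCheckedProfileHandler extends AbstractSAMLProfileHandler {

    @Override
    protected SAMLMessageEncoder getOutboundMessageEncoder(BaseSAMLProfileRequestContext requestContext)
            throws ProfileException {
        // selectEndpoint()/populateProfileInformation() are expected to have stored the
        // peer entity endpoint in the request context before this method runs.
        Endpoint endpoint = requestContext.getPeerEntityEndpoint();
        if (endpoint == null) {
            throw new ProfileException("No peer entity endpoint selected; cannot choose an outbound encoder");
        }

        String binding = endpoint.getBinding();
        if (binding == null) {
            throw new ProfileException("Selected endpoint declares no binding URI");
        }

        // The endpoint is taken from relying-party metadata. Only bindings this handler is
        // configured to send are acceptable, whatever the metadata advertises.
        List<String> supported = getSupportedOutboundBindings();
        if (supported == null || !supported.contains(binding)) {
            throw new ProfileException("Endpoint binding " + binding
                    + " is not among this handler's supported outbound bindings");
        }

        // Same lookup as the documented default: encoders are indexed by binding URI.
        Map<String, SAMLMessageEncoder> encoders = getMessageEncoders();
        SAMLMessageEncoder encoder = (encoders == null) ? null : encoders.get(binding);
        if (encoder == null) {
            throw new ProfileException("No message encoder registered for binding " + binding);
        }
        return encoder;
    }
}
```

Failing closed with a ProfileException at each step mirrors the base class's documented contract (an exception when the encoder cannot be resolved from the request context) and keeps a metadata-supplied binding from selecting an encoder the deployer never enabled.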

getInboundMessageDecoder

protected org.opensaml.common.binding.decoding.SAMLMessageDecoder getInboundMessageDecoder(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
                                                                                    throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Get the inbound message decoder to use.

The default implementation uses the binding URI from getInboundBinding() to look up the decoder among the supported message decoders defined in getMessageDecoders().

Subclasses may override to implement a different mechanism to determine the decoder to use.

Parameters:
requestContext - current request context
Returns:
the message decoder to use
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - if the decoder to use can not be resolved based on the request context

writeAuditLogEntry

protected void writeAuditLogEntry(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext context)
Writes an audit log entry indicating the successful response to the attribute request.

Parameters:
context - current request context


Copyright © 2006-2009 Internet2. All Rights Reserved.