edu.internet2.middleware.shibboleth.idp.profile.saml1
Class AbstractSAML1ProfileHandler

java.lang.Object
  extended by edu.internet2.middleware.shibboleth.common.profile.provider.AbstractRequestURIMappedProfileHandler<org.opensaml.ws.transport.http.HTTPInTransport,org.opensaml.ws.transport.http.HTTPOutTransport>
      extended by edu.internet2.middleware.shibboleth.common.profile.provider.AbstractShibbolethProfileHandler<edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager,Session>
          extended by edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler
              extended by edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler
All Implemented Interfaces:
edu.internet2.middleware.shibboleth.common.profile.ProfileHandler<org.opensaml.ws.transport.http.HTTPInTransport,org.opensaml.ws.transport.http.HTTPOutTransport>
Direct Known Subclasses:
ArtifactResolution, AttributeQueryProfileHandler, ShibbolethSSOProfileHandler

public abstract class AbstractSAML1ProfileHandler
extends AbstractSAMLProfileHandler

Common implementation details for profile handlers.


Nested Class Summary
protected  class AbstractSAML1ProfileHandler.SAML1AuditLogEntry
          SAML 1 specific audit log entry.
 
Field Summary
static org.opensaml.common.SAMLVersion SAML_VERSION
          SAML Version for this profile handler.
 
Constructor Summary
AbstractSAML1ProfileHandler()
          Default constructor.
 
Method Summary
protected  org.opensaml.saml1.core.Assertion buildAssertion(BaseSAML1ProfileRequestContext<?,?,?> requestContext, DateTime issueInstant)
          Builds a basic assertion with its id, issue instant, SAML version, issuer, subject, and conditions populated.
protected  org.opensaml.saml1.core.AttributeStatement buildAttributeStatement(BaseSAML1ProfileRequestContext<?,?,?> requestContext, String subjectConfMethod)
          Executes a query for attributes and builds a SAML attribute statement from the results.
protected  org.opensaml.saml1.core.Conditions buildConditions(BaseSAML1ProfileRequestContext<?,?,?> requestContext, DateTime issueInstant)
          Builds a SAML assertion condition set.
protected  org.opensaml.saml1.core.Response buildErrorResponse(BaseSAML1ProfileRequestContext<?,?,?> requestContext)
          Constructs a SAML response message carrying a request error.
protected  org.opensaml.saml1.core.NameIdentifier buildNameId(BaseSAML1ProfileRequestContext<?,?,?> requestContext)
          Builds a NameIdentifier appropriate for this request.
protected  org.opensaml.saml1.core.Response buildResponse(BaseSAML1ProfileRequestContext<?,?,?> requestContext, List<org.opensaml.saml1.core.Statement> statements)
          Builds a response to the attribute query within the request context.
protected  org.opensaml.saml1.core.Status buildStatus(QName topLevelCode, QName secondLevelCode, String failureMessage)
          Build a status message, with an optional second-level failure message.
protected  org.opensaml.saml1.core.Subject buildSubject(BaseSAML1ProfileRequestContext<?,?,?> requestContext, String confirmationMethod)
          Builds the SAML subject for the user for the service provider.
protected  void checkSamlVersion(BaseSAML1ProfileRequestContext<?,?,?> requestContext)
          Checks that the SAML major version for a request is 1.
protected  boolean isSignAssertion(BaseSAML1ProfileRequestContext<?,?,?> requestContext)
          Determine whether issued assertions should be signed.
protected  void populateRequestContext(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
          Populates the request context with information.
protected  void populateStatusResponse(BaseSAML1ProfileRequestContext<?,?,?> requestContext, org.opensaml.saml1.core.ResponseAbstractType response)
          Populates the response's id, in response to, issue instant, version, and issuer properties.
protected  void populateUserInformation(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
          Populates the request context with the information about the user.
protected  void resolveAttributes(BaseSAML1ProfileRequestContext<?,?,?> requestContext)
          Resolves the attributes for the principal.
protected  void resolvePrincipal(BaseSAML1ProfileRequestContext<?,?,?> requestContext)
          Resolves the principal name of the subject of the request.
protected  void signAssertion(BaseSAML1ProfileRequestContext<?,?,?> requestContext, org.opensaml.saml1.core.Assertion assertion)
          Signs the given assertion if either the current profile configuration or the relying party configuration contains signing credentials.
protected  void writeAuditLogEntry(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext context)
          Writes an audit log entry indicating the successful response to the attribute request.
 
Methods inherited from class edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler
encodeResponse, getAduitLog, getEntitySupportedFormats, getIdGenerator, getInboundBinding, getInboundMessageDecoder, getMessageDecoders, getMessageEncoders, getMetadataProvider, getNameFormats, getOutboundMessageEncoder, getRelyingPartyConfiguration, getSecurityPolicyResolver, getSupportedOutboundBindings, getUserSession, getUserSession, isSignResponse, populateAssertingPartyInformation, populateProfileInformation, populateRelyingPartyInformation, populateSAMLMessageInformation, selectEndpoint, setIdGenerator, setInboundBinding, setMessageDecoders, setMessageEncoders, setSecurityPolicyResolver, setSupportedOutboundBindings
 
Methods inherited from class edu.internet2.middleware.shibboleth.common.profile.provider.AbstractShibbolethProfileHandler
getBuilderFactory, getParserPool, getProfileConfiguration, getProfileId, getRelyingPartyConfigurationManager, getSessionManager, setParserPool, setRelyingPartyConfigurationManager, setSessionManager
 
Methods inherited from class edu.internet2.middleware.shibboleth.common.profile.provider.AbstractRequestURIMappedProfileHandler
getRequestPaths, setRequestPaths
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 
Methods inherited from interface edu.internet2.middleware.shibboleth.common.profile.ProfileHandler
processRequest
 

Field Detail

SAML_VERSION

public static final org.opensaml.common.SAMLVersion SAML_VERSION
SAML Version for this profile handler.

Constructor Detail

AbstractSAML1ProfileHandler

public AbstractSAML1ProfileHandler()
Default constructor.

Method Detail

populateRequestContext

protected void populateRequestContext(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
                               throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Populates the request context with information. This method requires the following request context properties to be populated: inbound message transport, peer entity ID, metadata provider. This method populates the following request context properties: user's session, user's principal name, service authentication method, peer entity metadata, relying party configuration, local entity ID, outbound message issuer, local entity metadata.

Overrides:
populateRequestContext in class AbstractSAMLProfileHandler
Parameters:
requestContext - current request context
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if there is a problem looking up the relying party's metadata

populateUserInformation

protected void populateUserInformation(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
Populates the request context with the information about the user. This method requires the following request context properties to be populated: inbound message transport, relying party ID. This method populates the following request context properties: user's session, user's principal name, and service authentication method.

Specified by:
populateUserInformation in class AbstractSAMLProfileHandler
Parameters:
requestContext - current request context

checkSamlVersion

protected void checkSamlVersion(BaseSAML1ProfileRequestContext<?,?,?> requestContext)
                         throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Checks that the SAML major version for a request is 1.

Parameters:
requestContext - current request context containing the SAML message
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if the major version of the SAML request is not 1

buildResponse

protected org.opensaml.saml1.core.Response buildResponse(BaseSAML1ProfileRequestContext<?,?,?> requestContext,
                                                         List<org.opensaml.saml1.core.Statement> statements)
                                                  throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Builds a response to the attribute query within the request context.

Parameters:
requestContext - current request context
statements - the statements to include in the response
Returns:
the built response
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if there is a problem creating the SAML response

buildAssertion

protected org.opensaml.saml1.core.Assertion buildAssertion(BaseSAML1ProfileRequestContext<?,?,?> requestContext,
                                                           DateTime issueInstant)
Builds a basic assertion with its id, issue instant, SAML version, issuer, subject, and conditions populated.

Parameters:
requestContext - current request context
issueInstant - time to use as assertion issue instant
Returns:
the built assertion

buildConditions

protected org.opensaml.saml1.core.Conditions buildConditions(BaseSAML1ProfileRequestContext<?,?,?> requestContext,
                                                             DateTime issueInstant)
Builds a SAML assertion condition set. The following fields are set: not before, not on or after, audience restrictions, and proxy restrictions.

Parameters:
requestContext - current request context
issueInstant - timestamp the assertion was created
Returns:
constructed conditions

buildSubject

protected org.opensaml.saml1.core.Subject buildSubject(BaseSAML1ProfileRequestContext<?,?,?> requestContext,
                                                       String confirmationMethod)
                                                throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Builds the SAML subject for the user for the service provider.

Parameters:
requestContext - current request context
confirmationMethod - subject confirmation method used for the subject
Returns:
SAML subject for the user for the service provider
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if a NameID cannot be created, either because there was a problem encoding the name ID attribute or because there are no supported name formats

buildNameId

protected org.opensaml.saml1.core.NameIdentifier buildNameId(BaseSAML1ProfileRequestContext<?,?,?> requestContext)
                                                      throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Builds a NameIdentifier appropriate for this request. NameIdentifiers are built by inspecting the SAML request and metadata, picking a name format that was requested by the relying party or is mutually supported by both the relying party and the asserting party as described in their metadata entries. Once the set of supported name formats is determined, the principal's attributes are inspected for an attribute that has an attribute encoder whose category is one of the supported name formats.

Parameters:
requestContext - current request context
Returns:
the NameIdentifier appropriate for this request
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if a NameIdentifier cannot be created, either because there was a problem encoding the name ID attribute or because there are no supported name formats
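The two selection steps described for buildNameId, written out as an added example. This is not the IdP's or OpenSAML's code: the nested Encoder, Attribute and NameId classes are a constructed stand-in for the IdP's attribute and encoder types, the sample attribute values are placeholders, and the rule that the relying party's metadata order decides preference among mutually supported formats is an assumption of this example, not something the page states. What it does show is the property a reviewer should care about: when the request names no format and the two metadata entries share none, no NameIdentifier is produced at all (the IdP raises a ProfileException here), rather than silently falling back to an arbitrary format.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * Added illustration of the NameIdentifier selection described for buildNameId.
 * The nested classes are a constructed stand-in for the IdP's attribute and
 * encoder types; they are not the project's own code.
 */
public final class NameIdentifierSelectionExample {

    /** Stand-in for an attribute encoder; its category is the name format it produces. */
    static final class Encoder {
        final String category;
        Encoder(String category) { this.category = category; }
    }

    /** Stand-in for one resolved attribute of the principal. */
    static final class Attribute {
        final String id;
        final List<Encoder> encoders;
        final List<String> values;
        Attribute(String id, List<Encoder> encoders, List<String> values) {
            this.id = id; this.encoders = encoders; this.values = values;
        }
    }

    /** The chosen name format and the value that would go into the NameIdentifier. */
    static final class NameId {
        final String format;
        final String value;
        NameId(String format, String value) { this.format = format; this.value = value; }
        @Override public String toString() { return format + " -> " + value; }
    }

    /**
     * Step 1: the acceptable formats. A format named in the request wins outright;
     * otherwise the formats listed in both parties' metadata, kept in the relying
     * party's order (this ordering rule is an assumption of the example).
     */
    static Set<String> supportedFormats(String requestedFormat,
                                        List<String> relyingPartyFormats,
                                        List<String> assertingPartyFormats) {
        Set<String> supported = new LinkedHashSet<>();
        if (requestedFormat != null) {
            supported.add(requestedFormat);
            return supported;
        }
        for (String format : relyingPartyFormats) {
            if (assertingPartyFormats.contains(format)) {
                supported.add(format);
            }
        }
        return supported;
    }

    /**
     * Step 2: find an attribute with an encoder whose category is one of the
     * supported formats. Returns null when nothing matches; the IdP signals that
     * case with a ProfileException instead of issuing an unsupported format.
     */
    static NameId selectNameId(Set<String> supported, Collection<Attribute> attributes) {
        for (String format : supported) {
            for (Attribute attribute : attributes) {
                for (Encoder encoder : attribute.encoders) {
                    if (format.equals(encoder.category) && !attribute.values.isEmpty()) {
                        return new NameId(format, attribute.values.get(0));
                    }
                }
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample data: real SAML 1.1 format URIs, placeholder attribute values.
        String email = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
        String x509 = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName";
        String unspecified = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";

        List<Attribute> attributes = Arrays.asList(
            new Attribute("mail", Arrays.asList(new Encoder(email)),
                          Arrays.asList("jdoe@example.org")),
            new Attribute("uid", Arrays.asList(new Encoder(unspecified)),
                          Arrays.asList("jdoe")));

        // Relying party advertises two formats; the asserting party shares one of them.
        Set<String> common = supportedFormats(null,
            Arrays.asList(x509, email), Arrays.asList(email, unspecified));
        System.out.println("mutually supported: " + common);
        System.out.println("selected: " + selectNameId(common, attributes));

        // Nothing requested and no overlap: no NameIdentifier can be built.
        Set<String> none = supportedFormats(null,
            Arrays.asList(x509), Arrays.asList(email, unspecified));
        System.out.println("selected with no common format: " + selectNameId(none, attributes));
    }
}
```

The second scenario in main is the one worth checking in an audit of a deployment: an SP whose metadata lists only formats the IdP does not encode will get an error response, which shows up as a ProfileException in the IdP log rather than as a successful assertion with an unexpected identifier.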

buildErrorResponse

protected org.opensaml.saml1.core.Response buildErrorResponse(BaseSAML1ProfileRequestContext<?,?,?> requestContext)
Constructs a SAML response message carrying a request error.

Parameters:
requestContext - current request context containing the failure status
Returns:
the constructed error response

populateStatusResponse

protected void populateStatusResponse(BaseSAML1ProfileRequestContext<?,?,?> requestContext,
                                      org.opensaml.saml1.core.ResponseAbstractType response)
Populates the response's id, in response to, issue instant, version, and issuer properties.

Parameters:
requestContext - current request context
response - the response to populate

buildStatus

protected org.opensaml.saml1.core.Status buildStatus(QName topLevelCode,
                                                     QName secondLevelCode,
                                                     String failureMessage)
Build a status message, with an optional second-level failure message.

Parameters:
topLevelCode - top-level status code
secondLevelCode - second-level status code
failureMessage - an optional second-level failure message
Returns:
a Status object.

resolveAttributes

protected void resolveAttributes(BaseSAML1ProfileRequestContext<?,?,?> requestContext)
                          throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Resolves the attributes for the principal.

Parameters:
requestContext - current request context
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException

buildAttributeStatement

protected org.opensaml.saml1.core.AttributeStatement buildAttributeStatement(BaseSAML1ProfileRequestContext<?,?,?> requestContext,
                                                                             String subjectConfMethod)
                                                                      throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Executes a query for attributes and builds a SAML attribute statement from the results.

Parameters:
requestContext - current request context
subjectConfMethod - subject confirmation method
Returns:
attribute statement resulting from the query
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if there is a problem making the query

resolvePrincipal

protected void resolvePrincipal(BaseSAML1ProfileRequestContext<?,?,?> requestContext)
                         throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Resolves the principal name of the subject of the request.

Parameters:
requestContext - current request context
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if the principal name cannot be resolved

signAssertion

protected void signAssertion(BaseSAML1ProfileRequestContext<?,?,?> requestContext,
                             org.opensaml.saml1.core.Assertion assertion)
                      throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Signs the given assertion if either the current profile configuration or the relying party configuration contains signing credentials.

Parameters:
requestContext - current request context
assertion - assertion to sign
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if the metadata cannot be located for the relying party or, if signing is required, if a signing credential is not configured

isSignAssertion

protected boolean isSignAssertion(BaseSAML1ProfileRequestContext<?,?,?> requestContext)
                           throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Determine whether issued assertions should be signed.

Parameters:
requestContext - the current request context
Returns:
true if assertions should be signed, false otherwise
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - if there is a problem determining whether assertions should be signed

writeAuditLogEntry

protected void writeAuditLogEntry(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext context)
Writes an audit log entry indicating the successful response to the attribute request.

Overrides:
writeAuditLogEntry in class AbstractSAMLProfileHandler
Parameters:
context - current request context


Copyright © 2006-2009 Internet2. All Rights Reserved.