edu.internet2.middleware.shibboleth.idp.profile.saml2
Class AbstractSAML2ProfileHandler

java.lang.Object
  extended by edu.internet2.middleware.shibboleth.common.profile.provider.AbstractRequestURIMappedProfileHandler<org.opensaml.ws.transport.http.HTTPInTransport,org.opensaml.ws.transport.http.HTTPOutTransport>
      extended by edu.internet2.middleware.shibboleth.common.profile.provider.AbstractShibbolethProfileHandler<edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager,Session>
          extended by edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler
              extended by edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler
All Implemented Interfaces:
edu.internet2.middleware.shibboleth.common.profile.ProfileHandler<org.opensaml.ws.transport.http.HTTPInTransport,org.opensaml.ws.transport.http.HTTPOutTransport>
Direct Known Subclasses:
ArtifactResolution, AttributeQueryProfileHandler, SSOProfileHandler

public abstract class AbstractSAML2ProfileHandler
extends AbstractSAMLProfileHandler

Common implementation details for SAML 2 profile handlers.


Nested Class Summary
protected  class AbstractSAML2ProfileHandler.SAML2AuditLogEntry
          SAML 2 specific audit log entry.
 
Field Summary
static org.opensaml.common.SAMLVersion SAML_VERSION
          SAML Version for this profile handler.
 
Constructor Summary
protected AbstractSAML2ProfileHandler()
          Constructor.
 
Method Summary
protected  org.opensaml.saml2.core.Assertion buildAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext, DateTime issueInstant)
          Builds a basic assertion with its id, issue instant, SAML version, issuer, subject, and conditions populated.
protected  org.opensaml.saml2.core.AttributeStatement buildAttributeStatement(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
          Executes a query for attributes and builds a SAML attribute statement from the results.
protected  org.opensaml.saml2.core.Conditions buildConditions(BaseSAML2ProfileRequestContext<?,?,?> requestContext, DateTime issueInstant)
          Builds a SAML assertion condition set.
protected  org.opensaml.saml2.core.Issuer buildEntityIssuer(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
          Creates an entity-format Issuer identifying the asserting party, taken from the request context's outbound message issuer.
protected  org.opensaml.saml2.core.Response buildErrorResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
          Constructs a SAML response message carrying a request error.
protected  org.opensaml.saml2.core.NameID buildNameId(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
          Builds a NameID appropriate for this request.
protected  org.opensaml.saml2.core.Response buildResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext, String subjectConfirmationMethod, List<org.opensaml.saml2.core.Statement> statements)
          Builds a response to the request (for example an attribute query) within the request context, carrying the given statements.
protected  org.opensaml.saml2.core.Status buildStatus(String topLevelCode, String secondLevelCode, String failureMessage)
          Build a status message, with an optional second-level failure message.
protected  org.opensaml.saml2.core.Subject buildSubject(BaseSAML2ProfileRequestContext<?,?,?> requestContext, String confirmationMethod, DateTime issueInstant)
          Builds the SAML subject for the user for the service provider.
protected  org.opensaml.saml2.core.SubjectConfirmation buildSubjectConfirmation(BaseSAML2ProfileRequestContext<?,?,?> requestContext, String confirmationMethod, DateTime issueInstant)
          Builds the SubjectConfirmation appropriate for this request.
protected  void checkSamlVersion(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
          Checks that the SAML major version for a request is 2.
protected  org.opensaml.saml2.encryption.Encrypter getEncrypter(String peerEntityId)
          Gets an encrypter that may be used to encrypt content to a given peer.
protected  org.opensaml.xml.security.credential.Credential getKeyEncryptionCredential(String peerEntityId)
          Gets the credential that can be used to encrypt encryption keys for a peer.
protected  boolean isEncryptAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
          Determine whether issued assertions should be encrypted.
protected  boolean isEncryptNameID(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
          Determine whether NameIDs should be encrypted.
protected  boolean isRequestRequiresEncryptNameID(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
          Determine whether information in the SAML request requires the issued NameID to be encrypted.
protected  boolean isSignAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
          Determine whether issued assertions should be signed.
protected  void populateRequestContext(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
          Populates the request context with information.
protected  void populateStatusResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext, org.opensaml.saml2.core.StatusResponseType response)
          Populates the response's id, in response to, issue instant, version, and issuer properties.
protected  void populateUserInformation(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
          Populates the request context with the information about the user.
protected  void postProcessAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext, org.opensaml.saml2.core.Assertion assertion)
          Extension point for subclasses to post-process the Assertion before it is signed and encrypted.
protected  void postProcessResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext, org.opensaml.saml2.core.Response samlResponse)
          Extension point for subclasses to post-process the Response before it is signed and encoded.
protected  void resolveAttributes(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
          Resolves the attributes for the principal.
protected  void resolvePrincipal(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
          Resolves the principal name of the subject of the request.
protected  void signAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext, org.opensaml.saml2.core.Assertion assertion)
          Signs the given assertion if either the current profile configuration or the relying party configuration contains signing credentials.
protected  void writeAuditLogEntry(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext context)
          Writes an audit log entry indicating the successful response to the request.
 
Methods inherited from class edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler
encodeResponse, getAduitLog, getEntitySupportedFormats, getIdGenerator, getInboundBinding, getInboundMessageDecoder, getMessageDecoders, getMessageEncoders, getMetadataProvider, getNameFormats, getOutboundMessageEncoder, getRelyingPartyConfiguration, getSecurityPolicyResolver, getSupportedOutboundBindings, getUserSession, getUserSession, isSignResponse, populateAssertingPartyInformation, populateProfileInformation, populateRelyingPartyInformation, populateSAMLMessageInformation, selectEndpoint, setIdGenerator, setInboundBinding, setMessageDecoders, setMessageEncoders, setSecurityPolicyResolver, setSupportedOutboundBindings
 
Methods inherited from class edu.internet2.middleware.shibboleth.common.profile.provider.AbstractShibbolethProfileHandler
getBuilderFactory, getParserPool, getProfileConfiguration, getProfileId, getRelyingPartyConfigurationManager, getSessionManager, setParserPool, setRelyingPartyConfigurationManager, setSessionManager
 
Methods inherited from class edu.internet2.middleware.shibboleth.common.profile.provider.AbstractRequestURIMappedProfileHandler
getRequestPaths, setRequestPaths
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 
Methods inherited from interface edu.internet2.middleware.shibboleth.common.profile.ProfileHandler
processRequest
 

Field Detail

SAML_VERSION

public static final org.opensaml.common.SAMLVersion SAML_VERSION
SAML Version for this profile handler.

Constructor Detail

AbstractSAML2ProfileHandler

protected AbstractSAML2ProfileHandler()
Constructor.

Method Detail

populateRequestContext

protected void populateRequestContext(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
                               throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Populates the request context with information. This method requires the following request context properties to be populated: inbound message transport, peer entity ID, metadata provider. This method populates the following request context properties: user's session, user's principal name, service authentication method, peer entity metadata, relying party configuration, local entity ID, outbound message issuer, local entity metadata.

Overrides:
populateRequestContext in class AbstractSAMLProfileHandler
Parameters:
requestContext - current request context
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if there is a problem looking up the relying party's metadata

populateUserInformation

protected void populateUserInformation(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext requestContext)
Populates the request context with the information about the user. This method requires the following request context properties to be populated: inbound message transport, relying party ID. This method populates the following request context properties: user's session, user's principal name, and service authentication method.

Specified by:
populateUserInformation in class AbstractSAMLProfileHandler
Parameters:
requestContext - current request context

checkSamlVersion

protected void checkSamlVersion(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                         throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Checks that the SAML major version for a request is 2.

Parameters:
requestContext - current request context containing the SAML message
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if the major version of the SAML request is not 2

buildResponse

protected org.opensaml.saml2.core.Response buildResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                                                         String subjectConfirmationMethod,
                                                         List<org.opensaml.saml2.core.Statement> statements)
                                                  throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Builds a response to the request (for example an attribute query) within the request context, carrying the given statements.

Parameters:
requestContext - current request context
subjectConfirmationMethod - confirmation method used for the subject
statements - the statements to include in the response
Returns:
the built response
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if there is a problem creating the SAML response

isEncryptAssertion

protected boolean isEncryptAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                              throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Determine whether issued assertions should be encrypted.

Parameters:
requestContext - the current request context
Returns:
true if assertions should be encrypted, false otherwise
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - if there is a problem determining whether assertions should be encrypted

postProcessResponse

protected void postProcessResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                                   org.opensaml.saml2.core.Response samlResponse)
                            throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Extension point for subclasses to post-process the Response before it is signed and encoded.

Parameters:
requestContext - the current request context
samlResponse - the SAML Response being built
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - if there was an error processing the response

postProcessAssertion

protected void postProcessAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                                    org.opensaml.saml2.core.Assertion assertion)
                             throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Extension point for subclasses to post-process the Assertion before it is signed and encrypted.

Parameters:
requestContext - the current request context
assertion - the SAML Assertion being built
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - if there is an error processing the assertion

buildAssertion

protected org.opensaml.saml2.core.Assertion buildAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                                                           DateTime issueInstant)
Builds a basic assertion with its id, issue instant, SAML version, issuer, subject, and conditions populated.

Parameters:
requestContext - current request context
issueInstant - time to use as assertion issue instant
Returns:
the built assertion

buildEntityIssuer

protected org.opensaml.saml2.core.Issuer buildEntityIssuer(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
Creates an entity-format Issuer identifying the asserting party (this IdP), taken from the request context's outbound message issuer.

Parameters:
requestContext - current request context
Returns:
the built issuer

buildConditions

protected org.opensaml.saml2.core.Conditions buildConditions(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                                                             DateTime issueInstant)
Builds a SAML assertion condition set. The following fields are set: not before, not on or after, audience restrictions, and proxy restrictions.

Parameters:
requestContext - current request context
issueInstant - timestamp the assertion was created
Returns:
constructed conditions

populateStatusResponse

protected void populateStatusResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                                      org.opensaml.saml2.core.StatusResponseType response)
Populates the response's id, in response to, issue instant, version, and issuer properties.

Parameters:
requestContext - current request context
response - the response to populate

resolveAttributes

protected void resolveAttributes(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                          throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Resolves the attributes for the principal.

Parameters:
requestContext - current request context
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if there is a problem resolving attributes

buildAttributeStatement

protected org.opensaml.saml2.core.AttributeStatement buildAttributeStatement(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                                                                      throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Executes a query for attributes and builds a SAML attribute statement from the results.

Parameters:
requestContext - current request context
Returns:
attribute statement resulting from the query
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if there is a problem making the query

resolvePrincipal

protected void resolvePrincipal(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                         throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Resolves the principal name of the subject of the request.

Parameters:
requestContext - current request context
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if the principal name can not be resolved

signAssertion

protected void signAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                             org.opensaml.saml2.core.Assertion assertion)
                      throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Signs the given assertion if either the current profile configuration or the relying party configuration contains signing credentials.

Parameters:
requestContext - current request context
assertion - assertion to sign
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if the metadata can not be located for the relying party or, if signing is required, if a signing credential is not configured

isSignAssertion

protected boolean isSignAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                           throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Determine whether issued assertions should be signed.

Parameters:
requestContext - the current request context
Returns:
true if assertions should be signed, false otherwise
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - if there is a problem determining whether assertions should be signed

buildStatus

protected org.opensaml.saml2.core.Status buildStatus(String topLevelCode,
                                                     String secondLevelCode,
                                                     String failureMessage)
Build a status message, with an optional second-level failure message.

Parameters:
topLevelCode - The top-level status code. Should be from saml-core-2.0-os, sec. 3.2.2.2
secondLevelCode - An optional second-level status code. Should also be from saml-core-2.0-os, sec. 3.2.2.2. If null, no nested second-level StatusCode element will be set.
failureMessage - An optional StatusMessage; keep it generic, since it is returned to the relying party
Returns:
a Status object.

buildSubject

protected org.opensaml.saml2.core.Subject buildSubject(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                                                       String confirmationMethod,
                                                       DateTime issueInstant)
                                                throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Builds the SAML subject for the user for the service provider.

Parameters:
requestContext - current request context
confirmationMethod - subject confirmation method used for the subject
issueInstant - instant the subject confirmation data should reflect for issuance
Returns:
SAML subject for the user for the service provider
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if a NameID can not be created either because there was a problem encoding the name ID attribute or because there are no supported name formats

isEncryptNameID

protected boolean isEncryptNameID(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                           throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Determine whether NameIDs should be encrypted.

Parameters:
requestContext - the current request context
Returns:
true if NameIDs should be encrypted, false otherwise
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - if there is a problem determining whether NameIDs should be encrypted

isRequestRequiresEncryptNameID

protected boolean isRequestRequiresEncryptNameID(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
Determine whether information in the SAML request requires the issued NameID to be encrypted.

Parameters:
requestContext - the current request context
Returns:
true if the request indicates NameID encryption is required, false otherwise

buildSubjectConfirmation

protected org.opensaml.saml2.core.SubjectConfirmation buildSubjectConfirmation(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                                                                               String confirmationMethod,
                                                                               DateTime issueInstant)
Builds the SubjectConfirmation appropriate for this request.

Parameters:
requestContext - current request context
confirmationMethod - confirmation method to use for the request
issueInstant - issue instant of the response
Returns:
the constructed subject confirmation
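The Conditions built by buildConditions (NotBefore, NotOnOrAfter, AudienceRestriction) and the bearer SubjectConfirmationData built by buildSubjectConfirmation (Recipient, NotOnOrAfter, InResponseTo) are only useful if the relying party actually enforces them. The following is an added example, not code from the Shibboleth IdP, showing the checks a consumer should run against such an assertion with OpenSAML 2, allowing a bounded clock skew. The assertion XML, entity IDs, ACS URL, request ID and timestamps are all constructed for the example; the 3-minute skew is an assumed local policy.

```java
import java.io.StringReader;
import java.util.List;

import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
import org.opensaml.xml.parse.BasicParserPool;
import org.w3c.dom.Element;

public final class BearerAssertionChecks {

    // Constructed sample assertion, shaped like what buildAssertion/buildConditions/buildSubjectConfirmation produce.
    static final String SAMPLE_ASSERTION =
        "<saml:Assertion xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' ID='_a1' Version='2.0'"
      + " IssueInstant='2009-06-01T12:00:00Z'>"
      + "<saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>"
      + "<saml:Subject><saml:NameID Format='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'>_t1</saml:NameID>"
      + "<saml:SubjectConfirmation Method='urn:oasis:names:tc:SAML:2.0:cm:bearer'>"
      + "<saml:SubjectConfirmationData Recipient='https://sp.example.org/Shibboleth.sso/SAML2/POST'"
      + " NotOnOrAfter='2009-06-01T12:05:00Z' InResponseTo='_req123'/>"
      + "</saml:SubjectConfirmation></saml:Subject>"
      + "<saml:Conditions NotBefore='2009-06-01T12:00:00Z' NotOnOrAfter='2009-06-01T12:05:00Z'>"
      + "<saml:AudienceRestriction><saml:Audience>https://sp.example.org/shibboleth</saml:Audience>"
      + "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>";

    /** Time window with clock skew, plus an AudienceRestriction that names us. */
    static void checkConditions(Conditions c, String ourEntityId, DateTime now, long skewMillis) {
        if (c == null) throw new IllegalStateException("assertion has no Conditions");
        if (c.getNotBefore() != null && now.plus(skewMillis).isBefore(c.getNotBefore()))
            throw new IllegalStateException("assertion not yet valid: NotBefore=" + c.getNotBefore());
        if (c.getNotOnOrAfter() != null && !now.minus(skewMillis).isBefore(c.getNotOnOrAfter()))
            throw new IllegalStateException("assertion expired: NotOnOrAfter=" + c.getNotOnOrAfter());
        List<AudienceRestriction> restrictions = c.getAudienceRestrictions();
        if (restrictions.isEmpty()) throw new IllegalStateException("refusing an assertion with no AudienceRestriction");
        // Every AudienceRestriction element must be satisfied independently (saml-core-2.0-os, sec. 2.5.1.4).
        for (AudienceRestriction r : restrictions) {
            boolean match = false;
            for (Audience a : r.getAudiences()) if (ourEntityId.equals(a.getAudienceURI())) match = true;
            if (!match) throw new IllegalStateException("AudienceRestriction does not name " + ourEntityId);
        }
    }

    /** At least one bearer SubjectConfirmation must match our ACS URL, be unexpired, and echo our request ID. */
    static void checkBearerConfirmation(Assertion a, String acsUrl, String expectedRequestId,
                                        DateTime now, long skewMillis) {
        for (SubjectConfirmation sc : a.getSubject().getSubjectConfirmations()) {
            if (!SubjectConfirmation.METHOD_BEARER.equals(sc.getMethod())) continue;
            SubjectConfirmationData d = sc.getSubjectConfirmationData();
            if (d == null || !acsUrl.equals(d.getRecipient())) continue;
            if (d.getNotOnOrAfter() == null || !now.minus(skewMillis).isBefore(d.getNotOnOrAfter())) continue;
            if (expectedRequestId != null && !expectedRequestId.equals(d.getInResponseTo())) continue;
            return;  // acceptable bearer confirmation found
        }
        throw new IllegalStateException("no acceptable bearer SubjectConfirmation");
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();
        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);
        Element el = pool.parse(new StringReader(SAMPLE_ASSERTION)).getDocumentElement();
        Assertion a = (Assertion) Configuration.getUnmarshallerFactory().getUnmarshaller(el).unmarshall(el);

        String sp = "https://sp.example.org/shibboleth";                      // constructed SP entity ID
        String acs = "https://sp.example.org/Shibboleth.sso/SAML2/POST";       // constructed ACS endpoint
        long skew = 3 * 60 * 1000L;                                            // assumed: 3 minutes tolerated skew

        DateTime inWindow = new DateTime("2009-06-01T12:04:30Z", DateTimeZone.UTC);
        checkConditions(a.getConditions(), sp, inWindow, skew);
        checkBearerConfirmation(a, acs, "_req123", inWindow, skew);
        System.out.println("accepted at " + inWindow);

        DateTime late = new DateTime("2009-06-01T12:10:00Z", DateTimeZone.UTC);
        try {
            checkConditions(a.getConditions(), sp, late, skew);
        } catch (IllegalStateException e) {
            System.out.println("rejected at " + late + ": " + e.getMessage());
        }
    }
}
```

The InResponseTo comparison is what ties the assertion to a request the relying party itself issued; for IdP-initiated flows (no request ID to expect) pass null, but then the Recipient and NotOnOrAfter checks are the only replay limits, so the relying party should additionally track assertion IDs it has already consumed within the validity window.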

buildNameId

protected org.opensaml.saml2.core.NameID buildNameId(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                                              throws edu.internet2.middleware.shibboleth.common.profile.ProfileException
Builds a NameID appropriate for this request. NameIDs are built by inspecting the SAML request and metadata, picking a name format that was requested by the relying party or is mutually supported by both the relying party and asserting party as described in their metadata entries. Once a set of supported name formats is determined, the principal's attributes are inspected for an attribute that has an attribute encoder whose category is one of the supported name formats.

Parameters:
requestContext - current request context
Returns:
the NameID appropriate for this request
Throws:
edu.internet2.middleware.shibboleth.common.profile.ProfileException - thrown if a NameID can not be created either because there was a problem encoding the name ID attribute or because there are no supported name formats

buildErrorResponse

protected org.opensaml.saml2.core.Response buildErrorResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
Constructs a SAML response message carrying a request error.

Parameters:
requestContext - current request context
Returns:
the constructed error response
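buildStatus, populateStatusResponse and buildErrorResponse together produce a status-only Response: a top-level StatusCode with an optional nested second-level StatusCode and StatusMessage, wrapped in a Response whose ID, InResponseTo, IssueInstant, Version and Issuer are filled in. The following is an added example written with the OpenSAML 2 builder API, not code from the Shibboleth IdP; the buildStatus and buildErrorResponse names are reused to mirror this class, the entity ID, request ID and message text are constructed, and the underscore-prefixed random ID is an assumed convention.

```java
import java.util.UUID;

import javax.xml.namespace.QName;

import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.Status;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.StatusMessage;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.Element;

public class ErrorResponseExample {

    @SuppressWarnings("unchecked")
    private static <T extends XMLObject> T build(QName name) {
        return (T) Configuration.getBuilderFactory().getBuilder(name).buildObject(name);
    }

    /** Top-level code, optional second-level code nested inside it, optional message. */
    static Status buildStatus(String topLevelCode, String secondLevelCode, String failureMessage) {
        StatusCode top = build(StatusCode.DEFAULT_ELEMENT_NAME);
        top.setValue(topLevelCode);
        if (secondLevelCode != null) {
            StatusCode second = build(StatusCode.DEFAULT_ELEMENT_NAME);
            second.setValue(secondLevelCode);
            top.setStatusCode(second);  // the second-level code is a child of the top-level StatusCode
        }
        Status status = build(Status.DEFAULT_ELEMENT_NAME);
        status.setStatusCode(top);
        if (failureMessage != null) {
            StatusMessage msg = build(StatusMessage.DEFAULT_ELEMENT_NAME);
            msg.setMessage(failureMessage);
            status.setStatusMessage(msg);
        }
        return status;
    }

    /** ID, InResponseTo, IssueInstant, Version and Issuer, then the Status; no Assertion is included. */
    static Response buildErrorResponse(String issuerEntityId, String inResponseTo, Status status) {
        Response response = build(Response.DEFAULT_ELEMENT_NAME);
        response.setID("_" + UUID.randomUUID());            // assumed convention: random, underscore-prefixed NCName
        response.setInResponseTo(inResponseTo);             // echoes the inbound request's ID
        response.setIssueInstant(new DateTime(DateTimeZone.UTC));
        response.setVersion(SAMLVersion.VERSION_20);
        Issuer issuer = build(Issuer.DEFAULT_ELEMENT_NAME);
        issuer.setFormat(Issuer.ENTITY);
        issuer.setValue(issuerEntityId);
        response.setIssuer(issuer);
        response.setStatus(status);
        return response;
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();

        // Constructed example: a Requester/RequestDenied error with a deliberately generic message.
        Status status = buildStatus(StatusCode.REQUESTER_URI, StatusCode.REQUEST_DENIED_URI,
                "Request denied by relying party policy");
        Response response = buildErrorResponse("https://idp.example.org/idp/shibboleth", "_req123", status);

        Element dom = Configuration.getMarshallerFactory().getMarshaller(response).marshall(response);
        System.out.println(XMLHelper.prettyPrintXML(dom));
    }
}
```

The StatusMessage goes back to the relying party and, on a front-channel binding, through the user's browser, so it should describe the class of failure (denied, unsupported binding, unknown principal) rather than internal details such as resolver or data-connector errors; those belong in the IdP's own log.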

getEncrypter

protected org.opensaml.saml2.encryption.Encrypter getEncrypter(String peerEntityId)
                                                        throws org.opensaml.xml.security.SecurityException
Gets an encrypter that may be used to encrypt content to a given peer.

Parameters:
peerEntityId - entity ID of the peer
Returns:
encrypter that may be used to encrypt content to a given peer
Throws:
org.opensaml.xml.security.SecurityException - thrown if there is a problem constructing the encrypter. This normally occurs if the key encryption credential for the peer can not be resolved or a required encryption algorithm is not supported by the VM's JCE.

getKeyEncryptionCredential

protected org.opensaml.xml.security.credential.Credential getKeyEncryptionCredential(String peerEntityId)
                                                                              throws org.opensaml.xml.security.SecurityException
Gets the credential that can be used to encrypt encryption keys for a peer.

Parameters:
peerEntityId - entity ID of the peer
Returns:
credential that can be used to encrypt encryption keys for a peer
Throws:
org.opensaml.xml.security.SecurityException - thrown if there is a problem resolving the credential from the peer's metadata
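postProcessAssertion is documented as running "before it is signed and encrypted", and signAssertion, isEncryptAssertion, getEncrypter and getKeyEncryptionCredential describe the two steps in that order. The following is an added example, not code from the Shibboleth IdP, showing that order with OpenSAML 2: the assertion is signed with the IdP credential, and the signed assertion is then encrypted to the peer's key-encryption credential. Throwaway RSA key pairs stand in for the IdP signing key and for the credential getKeyEncryptionCredential would resolve from the peer's metadata; the entity IDs and assertion content are constructed, and the choice of RSA-SHA256, AES-128 and RSA-OAEP is the example's own, not a statement of what the IdP configures by default.

```java
import java.security.KeyPair;

import javax.xml.namespace.QName;

import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.encryption.Encrypter;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.encryption.EncryptionConstants;
import org.opensaml.xml.encryption.EncryptionParameters;
import org.opensaml.xml.encryption.KeyEncryptionParameters;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.util.XMLHelper;

public class SignThenEncryptExample {

    @SuppressWarnings("unchecked")
    private static <T extends XMLObject> T build(QName name) {
        return (T) Configuration.getBuilderFactory().getBuilder(name).buildObject(name);
    }

    /** Sign the assertion with the IdP credential. Run only after the assertion content is final. */
    static void signAssertion(Assertion assertion, Credential signingCred) throws Exception {
        Signature sig = build(Signature.DEFAULT_ELEMENT_NAME);
        sig.setSigningCredential(signingCred);
        sig.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        sig.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        assertion.setSignature(sig);
        // Marshalling produces the DOM the signature is computed over; Signer then fills in SignatureValue.
        Configuration.getMarshallerFactory().getMarshaller(assertion).marshall(assertion);
        Signer.signObject(sig);
    }

    /** Encrypt the (already signed) assertion to the peer's key-encryption credential. */
    static EncryptedAssertion encryptAssertion(Assertion assertion, Credential peerKek, String peerEntityId)
            throws Exception {
        EncryptionParameters dataParams = new EncryptionParameters();
        dataParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCK_ENCRYPTION_AES128);  // fresh data key per assertion

        KeyEncryptionParameters kekParams = new KeyEncryptionParameters();
        kekParams.setEncryptionCredential(peerKek);
        kekParams.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);      // OAEP, not PKCS#1 v1.5
        kekParams.setRecipient(peerEntityId);

        Encrypter encrypter = new Encrypter(dataParams, kekParams);
        encrypter.setKeyPlacement(Encrypter.KeyPlacement.INLINE);  // EncryptedKey carried inside EncryptedData/KeyInfo
        return encrypter.encrypt(assertion);
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();

        // Throwaway keys: one pair for the IdP signing credential, one standing in for the SP's metadata key.
        KeyPair idpKeys = SecurityHelper.generateKeyPair("RSA", 2048, null);
        KeyPair spKeys = SecurityHelper.generateKeyPair("RSA", 2048, null);
        Credential signingCred = SecurityHelper.getSimpleCredential(idpKeys.getPublic(), idpKeys.getPrivate());
        Credential peerKek = SecurityHelper.getSimpleCredential(spKeys.getPublic(), null);  // public key only

        Assertion assertion = build(Assertion.DEFAULT_ELEMENT_NAME);   // constructed, minimal assertion
        assertion.setID("_constructed-assertion-1");
        assertion.setVersion(SAMLVersion.VERSION_20);
        assertion.setIssueInstant(new DateTime(DateTimeZone.UTC));
        Issuer issuer = build(Issuer.DEFAULT_ELEMENT_NAME);
        issuer.setValue("https://idp.example.org/idp/shibboleth");
        assertion.setIssuer(issuer);

        // Order matters: sign first so the signature covers the plaintext assertion, then encrypt so the
        // signature travels inside the ciphertext and only the intended peer can see or verify it.
        signAssertion(assertion, signingCred);
        EncryptedAssertion enc = encryptAssertion(assertion, peerKek, "https://sp.example.org/shibboleth");

        System.out.println(XMLHelper.prettyPrintXML(
                Configuration.getMarshallerFactory().getMarshaller(enc).marshall(enc)));
    }
}
```

Any change to the assertion after signAssertion (which is why postProcessAssertion sits before it) invalidates the signature, and the peer-side decision in isEncryptAssertion has to be made before the assertion is placed in the Response, since it is the EncryptedAssertion element, not the Assertion, that ends up in the message.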

writeAuditLogEntry

protected void writeAuditLogEntry(edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext context)
Writes an audit log entry indicating the successful response to the request.

Overrides:
writeAuditLogEntry in class AbstractSAMLProfileHandler
Parameters:
context - current request context


Copyright © 2006-2009 Internet2. All Rights Reserved.