net.shibboleth.idp.saml.saml2.profile.delegation.impl

Class DecorateDelegatedAssertion

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

org.opensaml.profile.action.AbstractProfileAction<InboundMessageType,OutboundMessageType>

org.opensaml.profile.action.AbstractConditionalProfileAction<InboundMessageType,OutboundMessageType>

net.shibboleth.idp.profile.AbstractProfileAction

net.shibboleth.idp.saml.saml2.profile.delegation.impl.DecorateDelegatedAssertion

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, ProfileAction, org.springframework.beans.factory.Aware, org.springframework.context.MessageSource, org.springframework.context.MessageSourceAware, org.springframework.webflow.execution.Action

@Prototype
public class DecorateDelegatedAssertion
extends AbstractProfileAction

A profile action which decorates instances of Assertion appropriately for use as delegation tokens.

An instance of DelegationContext is resolved via the strategy set via setDelegationContextLookupStrategy(Function). If no delegation context is found or if DelegationContext.isIssuingDelegatedAssertion() is false, then no decoration occurs.

The decoration consists of 3 primary parts:

1. A holder-of-key SubjectConfirmation is added to the assertion's Subject. The credentials used are taken from DelegationContext.getSubjectConfirmationCredentials().
2. An additional Audience is added to the assertion condition AudienceRestriction, indicating the IdP's own entityID as an acceptable audience. The IdP entityID is resolved from the active RelyingPartyContext, which is resolved via the strategy set by setRelyingPartyContextLookupStrategy(Function).
3. An additional Attribute is added to the assertion's AttributeStatement containing an EndpointReference, indicating the location and other info necessary for the recipient to present the delegated assertion at the IdP for delegated SSO. The attribute name is a URI type with name LibertyConstants.SERVICE_TYPE_SSOS. The endpoint URL is either set directly on this action via setLibertySSOSEndpointURL(String), or is resolved via the strategy setLibertySSOSEndpointURLLookupStrategy(Function).

Event:

EventIds.INVALID_PROFILE_CTX

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
private class	DecorateDelegatedAssertion.AssertionStrategy Default strategy for obtaining assertion to modify.
static class	DecorateDelegatedAssertion.LibertySSOSEndpointURLStrategy Strategy that builds the SSOS endpoint URL based on the current HTTP request using default values for scheme, port and URI path suffix.

Field Summary

Fields

Modifier and Type	Field and Description
private com.google.common.base.Function<ProfileRequestContext,List<Assertion>>	assertionLookupStrategy Strategy used to locate the Assertions on which to operate.
private List<Assertion>	assertions The list of assertions on which to operate.
private DelegationContext	delegationContext The delegation context instance to be populated.
private com.google.common.base.Function<ProfileRequestContext,DelegationContext>	delegationContextLookupStrategy Strategy used to lookup the DelegationContext.
private NamedKeyInfoGeneratorManager	keyInfoGeneratorManager The manager used to generate KeyInfo instances from Credentials.
private String	libertySSOSEndpointURL The URL at which the IdP will accept Liberty ID-WSF SSOS requests.
private com.google.common.base.Function<Pair<ProfileRequestContext,javax.servlet.http.HttpServletRequest>,String>	libertySSOSEndpointURLLookupStrategy The strategy used to resolve the URL at which the IdP will accept Liberty ID-WSF SSOS requests.
private org.slf4j.Logger	log Class logger.
private RelyingPartyContext	relyingPartyContext The current RelyingPartyContext.
private com.google.common.base.Function<ProfileRequestContext,RelyingPartyContext>	relyingPartyContextLookupStrategy Strategy used to lookup the RelyingPartyContext.
private String	relyingPartyId The entityID of the SAML relying party.
private String	responderId The entityID of the local responder entity.

Constructor Summary

Constructors

Constructor and Description
DecorateDelegatedAssertion() Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
private void	addIdPAudienceRestriction(ProfileRequestContext requestContext, Assertion assertion) An an AudienceRestriction condition indicating the IdP as an acceptable Audience.
private void	addLibertySSOSEPRAttribute(ProfileRequestContext requestContext, Assertion assertion) Add Liberty SSOS service Endpoint Reference (EPR) attribute to Assertion's AttributeStatement.
private void	addSAMLPeerSubjectConfirmation(ProfileRequestContext requestContext, Assertion assertion) Add SubjectConfirmation to the Assertion Subject to allow confirmation when wielded by the SAML requester.
private XMLObject	buildLibertSSOSEPRAttributeValue(ProfileRequestContext requestContext, Assertion assertion) Build the Liberty SSOS EPR AttributeValue object.
private void	decorateDelegatedAssertion(ProfileRequestContext requestContext) Decorate the Assertion to allow use as a delegated security token by the SAML requester.
protected void	doExecute(ProfileRequestContext profileRequestContext)
protected void	doInitialize()
protected boolean	doPreExecute(ProfileRequestContext profileRequestContext)
protected boolean	doPreExecuteDelegationInfo(ProfileRequestContext profileRequestContext) Pre-execute actions on the delegation-specific info.
protected boolean	doPreExecuteRelyingParty(ProfileRequestContext profileRequestContext) Pre-execute actions on the relying party context info.
private void	resolveLibertySSOSEndpointURL(ProfileRequestContext profileRequestContext) Resolve and store the effective Liberty SSOS endpoint URL to use.
void	setAssertionLookupStrategy(com.google.common.base.Function<ProfileRequestContext,List<Assertion>> strategy) Set the strategy used to locate the Assertion to operate on.
void	setDelegationContextLookupStrategy(com.google.common.base.Function<ProfileRequestContext,DelegationContext> strategy) Set the strategy used to locate the current DelegationContext.
void	setKeyInfoGeneratorManager(NamedKeyInfoGeneratorManager manager) Set the KeyInfoGeneratorManager instance used to generate KeyInfo from Credential.
void	setLibertySSOSEndpointURL(String url) Set the statically-configured URL at which the IdP will accept Liberty ID-WSF SSOS requests.
void	setLibertySSOSEndpointURLLookupStrategy(com.google.common.base.Function<Pair<ProfileRequestContext,javax.servlet.http.HttpServletRequest>,String> strategy) Set strategy used to resolve the URL at which the IdP will accept Liberty ID-WSF SSOS requests.
void	setRelyingPartyContextLookupStrategy(com.google.common.base.Function<ProfileRequestContext,RelyingPartyContext> strategy) Set the strategy used to locate the current RelyingPartyContext.

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Detail

log

private final org.slf4j.Logger log

Class logger.

libertySSOSEndpointURL

private String libertySSOSEndpointURL

The URL at which the IdP will accept Liberty ID-WSF SSOS requests.

libertySSOSEndpointURLLookupStrategy

@Nullable
private com.google.common.base.Function<Pair<ProfileRequestContext,javax.servlet.http.HttpServletRequest>,String> libertySSOSEndpointURLLookupStrategy

The strategy used to resolve the URL at which the IdP will accept Liberty ID-WSF SSOS requests.

relyingPartyContextLookupStrategy

@Nonnull
private com.google.common.base.Function<ProfileRequestContext,RelyingPartyContext> relyingPartyContextLookupStrategy

Strategy used to lookup the RelyingPartyContext.

delegationContextLookupStrategy

@Nonnull
private com.google.common.base.Function<ProfileRequestContext,DelegationContext> delegationContextLookupStrategy

Strategy used to lookup the DelegationContext.

assertionLookupStrategy

@Nonnull
private com.google.common.base.Function<ProfileRequestContext,List<Assertion>> assertionLookupStrategy

Strategy used to locate the Assertions on which to operate.

keyInfoGeneratorManager

@Nonnull
private NamedKeyInfoGeneratorManager keyInfoGeneratorManager

The manager used to generate KeyInfo instances from Credentials.

delegationContext

private DelegationContext delegationContext

The delegation context instance to be populated.

assertions

private List<Assertion> assertions

The list of assertions on which to operate.

relyingPartyContext

private RelyingPartyContext relyingPartyContext

The current RelyingPartyContext.

responderId

private String responderId

The entityID of the local responder entity.

relyingPartyId

private String relyingPartyId

The entityID of the SAML relying party.

Constructor Detail

DecorateDelegatedAssertion

public DecorateDelegatedAssertion()

Constructor.

Method Detail

setLibertySSOSEndpointURL

public void setLibertySSOSEndpointURL(@Nullable
                             String url)

Set the statically-configured URL at which the IdP will accept Liberty ID-WSF SSOS requests.

Parameters:

url - the Liberty ID-WSF SSOS endpoint URL, or null

setLibertySSOSEndpointURLLookupStrategy

public void setLibertySSOSEndpointURLLookupStrategy(@Nullable
                                           com.google.common.base.Function<Pair<ProfileRequestContext,javax.servlet.http.HttpServletRequest>,String> strategy)

Set strategy used to resolve the URL at which the IdP will accept Liberty ID-WSF SSOS requests.

Parameters:

strategy - the Liberty ID-WSF SSOS endpoint URL lookup strategy, or null

setRelyingPartyContextLookupStrategy

public void setRelyingPartyContextLookupStrategy(@Nonnull
                                        com.google.common.base.Function<ProfileRequestContext,RelyingPartyContext> strategy)

Set the strategy used to locate the current RelyingPartyContext.

Parameters:

strategy - strategy used to locate the current RelyingPartyContext

setDelegationContextLookupStrategy

public void setDelegationContextLookupStrategy(@Nonnull
                                      com.google.common.base.Function<ProfileRequestContext,DelegationContext> strategy)

Set the strategy used to locate the current DelegationContext.

Parameters:

strategy - strategy used to locate the current DelegationContext

setAssertionLookupStrategy

public void setAssertionLookupStrategy(@Nonnull
                              com.google.common.base.Function<ProfileRequestContext,List<Assertion>> strategy)

Set the strategy used to locate the Assertion to operate on.

Parameters:

strategy - strategy used to locate the Assertion to operate on

setKeyInfoGeneratorManager

public void setKeyInfoGeneratorManager(@Nonnull
                              NamedKeyInfoGeneratorManager manager)

Set the KeyInfoGeneratorManager instance used to generate KeyInfo from Credential.

Parameters:

manager - the manager instance to use

doInitialize

protected void doInitialize()
                     throws ComponentInitializationException

Overrides:

doInitialize in class AbstractInitializableComponent

Throws:

ComponentInitializationException

doPreExecute

protected boolean doPreExecute(@Nonnull
                   ProfileRequestContext profileRequestContext)

Overrides:

doPreExecute in class AbstractConditionalProfileAction

doPreExecuteDelegationInfo

protected boolean doPreExecuteDelegationInfo(@Nonnull
                                 ProfileRequestContext profileRequestContext)

Pre-execute actions on the delegation-specific info.

Parameters:

profileRequestContext - the current profile request context

Returns:

true iff doExecute(ProfileRequestContext) should proceed

doPreExecuteRelyingParty

protected boolean doPreExecuteRelyingParty(@Nonnull
                               ProfileRequestContext profileRequestContext)

Pre-execute actions on the relying party context info.

Parameters:

profileRequestContext - the current profile request context

Returns:

true iff doExecute(ProfileRequestContext) should proceed

doExecute

protected void doExecute(@Nonnull
             ProfileRequestContext profileRequestContext)

Overrides:

doExecute in class AbstractProfileAction

resolveLibertySSOSEndpointURL

private void resolveLibertySSOSEndpointURL(ProfileRequestContext profileRequestContext)

Resolve and store the effective Liberty SSOS endpoint URL to use.

Parameters:

profileRequestContext - the current request context

decorateDelegatedAssertion

private void decorateDelegatedAssertion(@Nonnull
                              ProfileRequestContext requestContext)

Decorate the Assertion to allow use as a delegated security token by the SAML requester.

Parameters:

requestContext - the current request context

addLibertySSOSEPRAttribute

private void addLibertySSOSEPRAttribute(@Nonnull
                              ProfileRequestContext requestContext,
                              @Nonnull
                              Assertion assertion)

Add Liberty SSOS service Endpoint Reference (EPR) attribute to Assertion's AttributeStatement.

Parameters:

requestContext - the current request context

assertion - the delegated assertion being issued

buildLibertSSOSEPRAttributeValue

@Nonnull
private XMLObject buildLibertSSOSEPRAttributeValue(@Nonnull
                                                 ProfileRequestContext requestContext,
                                                 @Nonnull
                                                 Assertion assertion)

Build the Liberty SSOS EPR AttributeValue object.

Parameters:

requestContext - the current request context

assertion - the delegated assertion being issued

Returns:

the AttributeValue object containing the EPR

addIdPAudienceRestriction

private void addIdPAudienceRestriction(@Nonnull
                             ProfileRequestContext requestContext,
                             @Nonnull
                             Assertion assertion)

An an AudienceRestriction condition indicating the IdP as an acceptable Audience.

Parameters:

requestContext - the current request context

assertion - the assertion being isued

addSAMLPeerSubjectConfirmation

private void addSAMLPeerSubjectConfirmation(@Nonnull
                                  ProfileRequestContext requestContext,
                                  @Nonnull
                                  Assertion assertion)

Add SubjectConfirmation to the Assertion Subject to allow confirmation when wielded by the SAML requester.

Parameters:

requestContext - the current request context

assertion - the assertion being issued