ExtendedMetadataConfigurer (Spring Boot Security SAML 1.16 API)

java.lang.Object
- org.springframework.security.config.annotation.SecurityConfigurerAdapter<Void,ServiceProviderBuilder>
- - com.github.ulisesbocchio.spring.boot.security.saml.configurer.builder.ExtendedMetadataConfigurer

All Implemented Interfaces:: org.springframework.security.config.annotation.SecurityConfigurer<Void,ServiceProviderBuilder>

Direct Known Subclasses:: LocalExtendedMetadataConfigurer

public class ExtendedMetadataConfigurer
extends org.springframework.security.config.annotation.SecurityConfigurerAdapter<Void,ServiceProviderBuilder>

Builder configurer that takes care of configuring/customizing the ExtendedMetadata bean.

Common strategy across most internal configurers is to first give priority to a Spring Bean if present in the Context. So if not ExtendedMetadata bean is defined, priority goes to a custom ExtendedMetadata provided explicitly to this configurer through the constructor. And if not provided through the constructor, a default implementation is instantiated that is configurable through the DSL methods.

This configurer also reads the values from SAMLSSOProperties#getExtendedMetadata() if no custom Extended Metadata is provided, for some DSL methods if they that are not used. In other words, the user is able to configure the Extended Metadata through the following properties:

     saml.sso.extended-metadata.local
     saml.sso.extended-metadata.alias
     saml.sso.extended-metadata.idp-discovery-enabled
     saml.sso.extended-metadata.idp-discovery-url
     saml.sso.extended-metadata.idp-discovery-response-url
     saml.sso.extended-metadata.ecp-enabled
     saml.sso.extended-metadata.security-profile
     saml.sso.extended-metadata.ssl-security-profile
     saml.sso.extended-metadata.ssl-hostname-verification
     saml.sso.extended-metadata.signing-key
     saml.sso.extended-metadata.sign-metadata
     saml.sso.extended-metadata.key-info-generator-name
     saml.sso.extended-metadata.encryption-key
     saml.sso.extended-metadata.tls-key
     saml.sso.extended-metadata.trusted-keys
     saml.sso.extended-metadata.require-logout-request-signed
     saml.sso.extended-metadata.require-logout-response-signed
     saml.sso.extended-metadata.require-artifact-resolve-signed
     saml.sso.extended-metadata.support-unsolicited-response

Author:: Ulises Bocchio

Field Summary

Fields
Modifier and Type	Field and Description
`protected org.springframework.security.saml.metadata.ExtendedMetadata`	`extendedMetadata`
`protected org.springframework.security.saml.metadata.ExtendedMetadata`	`extendedMetadataBean`
`protected ExtendedMetadataProperties`	`extendedMetadataConfig`
`protected Boolean`	`local`

Constructor Summary

Constructors
Constructor and Description

ExtendedMetadataConfigurer()

ExtendedMetadataConfigurer(org.springframework.security.saml.metadata.ExtendedMetadata extendedMetadata)

Constructors
Constructor and Description
`ExtendedMetadataConfigurer()`
`ExtendedMetadataConfigurer(org.springframework.security.saml.metadata.ExtendedMetadata extendedMetadata)`

Method Summary

All Methods Instance Methods Concrete Methods Deprecated Methods
Modifier and Type	Method and Description
`ExtendedMetadataConfigurer`	`alias(String alias)` Local alias of the entity used for construction of well-known metadata address and determining target entity from incoming requests.
`void`	`configure(ServiceProviderBuilder builder)`
`protected org.springframework.security.saml.metadata.ExtendedMetadata`	`createExtendedMetadata()`
`ExtendedMetadataConfigurer`	`ecpEnabled(boolean ecpEnabled)` Indicates whether Enhanced Client/Proxy profile should be used for requests which support it.
`ExtendedMetadataConfigurer`	`encryptionKey(String encryptionKey)` Key (stored in the local keyManager) used for encryption/decryption of messages coming/sent from this entity.
`ExtendedMetadataConfigurer`	`idpDiscoveryEnabled(boolean idpDiscoveryEnabled)` When true IDP discovery will be invoked before initializing WebSSO, unless IDP is already specified inside SAMLContext.
`ExtendedMetadataConfigurer`	`idpDiscoveryResponseURL(String idpDiscoveryResponseURL)` URL where the discovery service should send back response to our discovery request.
`ExtendedMetadataConfigurer`	`idpDiscoveryURL(String idpDiscoveryURL)` URL of the IDP Discovery service user should be redirected to upon request to determine which IDP to use.
`void`	`init(ServiceProviderBuilder builder)`
`ExtendedMetadataConfigurer`	`keyInfoGeneratorName(String keyInfoGeneratorName)` Name of generator for KeyInfo elements in metadata and signatures.
`ExtendedMetadataConfigurer`	`local(Boolean local)` Deprecated. As of version 1.10. Use `ServiceProviderBuilder.extendedMetadata()` or `ServiceProviderBuilder.localExtendedMetadata()`
`ExtendedMetadataConfigurer`	`requireArtifactResolveSigned(boolean requireArtifactResolveSigned)` If true received artifactResolve messages will require a signature, sent artifactResolve will be signed.
`ExtendedMetadataConfigurer`	`requireLogoutRequestSigned(boolean requireLogoutRequestSigned)` SAML specification mandates that incoming LogoutRequests must be authenticated.
`ExtendedMetadataConfigurer`	`requireLogoutResponseSigned(boolean requireLogoutResponseSigned)` Flag indicating whether incoming LogoutResposne messages must be authenticated.
`ExtendedMetadataConfigurer`	`securityProfile(String securityProfile)` Profile used for trust verification, MetaIOP by default.
`protected void`	`shareExtendedMetadata(ServiceProviderBuilder builder)`
`ExtendedMetadataConfigurer`	`signingAlgorithm(String signingAlgorithm)` Algorithm used for creation of digital signatures of this entity.
`ExtendedMetadataConfigurer`	`signingKey(String signingKey)` Key (stored in the local keyManager) used for signing/verifying signature of messages sent/coming from this entity.
`ExtendedMetadataConfigurer`	`signMetadata(boolean signMetadata)` Flag indicating whether to sign metadata for this entity.
`ExtendedMetadataConfigurer`	`sslHostnameVerification(String sslHostnameVerification)` Hostname verifier to use for verification of SSL connections, e.g.
`ExtendedMetadataConfigurer`	`sslSecurityProfile(String sslSecurityProfile)` Profile used for SSL/TLS trust verification, PKIX by default.
`ExtendedMetadataConfigurer`	`supportUnsolicitedResponse(boolean supportUnsolicitedResponse)` Flag indicating whether to support unsolicited responses (IDP-initialized SSO).
`ExtendedMetadataConfigurer`	`tlsKey(String tlsKey)` Key used for verification of SSL/TLS connections.
`ExtendedMetadataConfigurer`	`trustedKeys(String... trustedKeys)` Keys used as anchors for trust verification when PKIX mode is enabled for the local entity.

Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter
addObjectPostProcessor, and, getBuilder, postProcess, setBuilder

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - extendedMetadataBean
```
protected org.springframework.security.saml.metadata.ExtendedMetadata extendedMetadataBean
```
  - extendedMetadata
```
protected org.springframework.security.saml.metadata.ExtendedMetadata extendedMetadata
```
  - extendedMetadataConfig
```
protected ExtendedMetadataProperties extendedMetadataConfig
```
  - local
```
protected Boolean local
```
- Constructor Detail
  - ExtendedMetadataConfigurer
```
public ExtendedMetadataConfigurer()
```
  - ExtendedMetadataConfigurer
```
public ExtendedMetadataConfigurer(org.springframework.security.saml.metadata.ExtendedMetadata extendedMetadata)
```
- Method Detail
  - init
```
public void init(ServiceProviderBuilder builder)
          throws Exception
```
    Specified by:
    
    init in interface org.springframework.security.config.annotation.SecurityConfigurer<Void,ServiceProviderBuilder>
    
    Overrides:
    
    init in class org.springframework.security.config.annotation.SecurityConfigurerAdapter<Void,ServiceProviderBuilder>
    
    Throws:
    
    Exception
  - configure
```
public void configure(ServiceProviderBuilder builder)
               throws Exception
```
    Specified by:
    
    configure in interface org.springframework.security.config.annotation.SecurityConfigurer<Void,ServiceProviderBuilder>
    
    Overrides:
    
    configure in class org.springframework.security.config.annotation.SecurityConfigurerAdapter<Void,ServiceProviderBuilder>
    
    Throws:
    
    Exception
  - createExtendedMetadata
```
protected org.springframework.security.saml.metadata.ExtendedMetadata createExtendedMetadata()
```
  - shareExtendedMetadata
```
protected void shareExtendedMetadata(ServiceProviderBuilder builder)
```
  - local
```
@Deprecated
public ExtendedMetadataConfigurer local(Boolean local)
```
    Deprecated. As of version 1.10. Use ServiceProviderBuilder.extendedMetadata() or ServiceProviderBuilder.localExtendedMetadata()
    When set to true entity is treated as locally deployed and will be able to accept messages on endpoints determined by the selected alias. Default is false.
    Alternatively use property:
```
      saml.sso.extended-metadata.local
 
```
    Parameters:
    
    local - true when entity is deployed locally
    
    Returns:
    
    this configurer for further customization
  - idpDiscoveryEnabled
```
public ExtendedMetadataConfigurer idpDiscoveryEnabled(boolean idpDiscoveryEnabled)
```
    When true IDP discovery will be invoked before initializing WebSSO, unless IDP is already specified inside SAMLContext. Default is false.
    Alternatively use property:
```
      saml.sso.extended-metadata.idp-discovery-enabled
 
```
    Parameters:
    
    idpDiscoveryEnabled - true when IDP Discovery is enabled
    
    Returns:
    
    this configurer for further customization
  - ecpEnabled
```
public ExtendedMetadataConfigurer ecpEnabled(boolean ecpEnabled)
```
    Indicates whether Enhanced Client/Proxy profile should be used for requests which support it. Only valid for local entities. Default is false.
    Alternatively use property:
```
      saml.sso.extended-metadata.ecp-enabled
 
```
    Parameters:
    
    ecpEnabled - true if ECP is enabled.
    
    Returns:
    
    this configurer for further customization
  - signMetadata
```
public ExtendedMetadataConfigurer signMetadata(boolean signMetadata)
```
    Flag indicating whether to sign metadata for this entity. Only valid for local entities. Default is false.
    Alternatively use property:
```
      saml.sso.extended-metadata.sign-metadata
 
```
    Parameters:
    
    signMetadata - true if sign metadata is enabled.
    
    Returns:
    
    this configurer for further customization
  - requireLogoutRequestSigned
```
public ExtendedMetadataConfigurer requireLogoutRequestSigned(boolean requireLogoutRequestSigned)
```
    SAML specification mandates that incoming LogoutRequests must be authenticated. Default is true.
    Alternatively use property:
```
      saml.sso.extended-metadata.require-logout-request-signed
 
```
    Parameters:
    
    requireLogoutRequestSigned - true is logout request signed is enabled.
    
    Returns:
    
    this configurer for further customization
  - requireLogoutResponseSigned
```
public ExtendedMetadataConfigurer requireLogoutResponseSigned(boolean requireLogoutResponseSigned)
```
    Flag indicating whether incoming LogoutResposne messages must be authenticated. Default is false.
    Alternatively use property:
```
      saml.sso.extended-metadata.require-logout-response-signed
 
```
    Parameters:
    
    requireLogoutResponseSigned - true is logout response signed is enabled.
    
    Returns:
    
    this configurer for further customization
  - requireArtifactResolveSigned
```
public ExtendedMetadataConfigurer requireArtifactResolveSigned(boolean requireArtifactResolveSigned)
```
    If true received artifactResolve messages will require a signature, sent artifactResolve will be signed. Default is true.
    Alternatively use property:
```
      saml.sso.extended-metadata.require-artifact-resolve-signed
 
```
    Parameters:
    
    requireArtifactResolveSigned - true is require artifactResolve signed is enabled.
    
    Returns:
    
    this configurer for further customization
  - supportUnsolicitedResponse
```
public ExtendedMetadataConfigurer supportUnsolicitedResponse(boolean supportUnsolicitedResponse)
```
    Flag indicating whether to support unsolicited responses (IDP-initialized SSO). Only valid for remote entities. Default is true.
    Alternatively use property:
```
      saml.sso.extended-metadata.support-unsolicited-response
 
```
    Parameters:
    
    supportUnsolicitedResponse - true is support unsolicited response is enabled.
    
    Returns:
    
    this configurer for further customization
  - alias
```
public ExtendedMetadataConfigurer alias(String alias)
```
    Local alias of the entity used for construction of well-known metadata address and determining target entity from incoming requests.
    Alternatively use property:
```
      saml.sso.extended-metadata.alias
 
```
    Parameters:
    
    alias - the actual alias.
    
    Returns:
    
    this configurer for further customization
  - idpDiscoveryURL
```
public ExtendedMetadataConfigurer idpDiscoveryURL(String idpDiscoveryURL)
```
    URL of the IDP Discovery service user should be redirected to upon request to determine which IDP to use. Value can override settings in the local SP metadata. Only valid for local entities.
    Alternatively use property:
```
      saml.sso.extended-metadata.idp-discovery-url
 
```
    Parameters:
    
    idpDiscoveryURL - the idp discovery page URL.
    
    Returns:
    
    this configurer for further customization
  - idpDiscoveryResponseURL
```
public ExtendedMetadataConfigurer idpDiscoveryResponseURL(String idpDiscoveryResponseURL)
```
    URL where the discovery service should send back response to our discovery request. Only valid for local entities.
    Alternatively use property:
```
      saml.sso.extended-metadata.idp-discovery-response-url
 
```
    Parameters:
    
    idpDiscoveryResponseURL - the idp discovery response page URL.
    
    Returns:
    
    this configurer for further customization
  - securityProfile
```
public ExtendedMetadataConfigurer securityProfile(String securityProfile)
```
    Profile used for trust verification, MetaIOP by default. Only relevant for local entities.
    Alternatively use property:
```
      saml.sso.extended-metadata.security-profile
 
```
    Parameters:
    
    securityProfile - the profile type.
    
    Returns:
    
    this configurer for further customization
  - sslSecurityProfile
```
public ExtendedMetadataConfigurer sslSecurityProfile(String sslSecurityProfile)
```
    Profile used for SSL/TLS trust verification, PKIX by default. Only relevant for local entities.
    Alternatively use property:
```
      saml.sso.extended-metadata.ssl-security-profile
 
```
    Parameters:
    
    sslSecurityProfile - the profile type.
    
    Returns:
    
    this configurer for further customization
  - sslHostnameVerification
```
public ExtendedMetadataConfigurer sslHostnameVerification(String sslHostnameVerification)
```
    Hostname verifier to use for verification of SSL connections, e.g. for ArtifactResolution. Default is "default".
    Alternatively use property:
```
      saml.sso.extended-metadata.ssl-hostname-verification
 
```
    Parameters:
    
    sslHostnameVerification - the ssl hostname verification type.
    
    Returns:
    
    this configurer for further customization
  - signingKey
```
public ExtendedMetadataConfigurer signingKey(String signingKey)
```
    Key (stored in the local keyManager) used for signing/verifying signature of messages sent/coming from this entity. For local entities private key must be available, for remote entities only public key is required.
    Alternatively use property:
```
      saml.sso.extended-metadata.signing-key
 
```
    Parameters:
    
    signingKey - the id of the signing/verifying key as it appears in the Keystore.
    
    Returns:
    
    this configurer for further customization
  - signingAlgorithm
```
public ExtendedMetadataConfigurer signingAlgorithm(String signingAlgorithm)
```
    Algorithm used for creation of digital signatures of this entity. At the moment only used for metadata signatures. Only valid for local entities.
    Alternatively use property:
```
      saml.sso.extended-metadata.signing-algorithm
 
```
    Parameters:
    
    signingAlgorithm - the signing algorithm ID.
    
    Returns:
    
    this configurer for further customization
  - keyInfoGeneratorName
```
public ExtendedMetadataConfigurer keyInfoGeneratorName(String keyInfoGeneratorName)
```
    Name of generator for KeyInfo elements in metadata and signatures. At the moment only used for metadata signatures. Only valid for local entities.
    Alternatively use property:
```
      saml.sso.extended-metadata.key-info-generator-name
 
```
    Parameters:
    
    keyInfoGeneratorName - name of generator.
    
    Returns:
    
    this configurer for further customization
  - encryptionKey
```
public ExtendedMetadataConfigurer encryptionKey(String encryptionKey)
```
    Key (stored in the local keyManager) used for encryption/decryption of messages coming/sent from this entity. For local entities private key must be available, for remote entities only public key is required.
    Alternatively use property:
```
      saml.sso.extended-metadata.encryption-key
 
```
    Parameters:
    
    encryptionKey - the key to use.
    
    Returns:
    
    this configurer for further customization
  - tlsKey
```
public ExtendedMetadataConfigurer tlsKey(String tlsKey)
```
    Key used for verification of SSL/TLS connections. For local entities key is included in the generated metadata when specified. For remote entities key is used to for server authentication of SSL/TLS when specified and when MetaIOP security profile is used.
    Alternatively use property:
```
      saml.sso.extended-metadata.tls-key
 
```
    Parameters:
    
    tlsKey - the key to use.
    
    Returns:
    
    this configurer for further customization
  - trustedKeys
```
public ExtendedMetadataConfigurer trustedKeys(String... trustedKeys)
```
    Keys used as anchors for trust verification when PKIX mode is enabled for the local entity. In case value is null all keys in the keyStore will be treated as trusted.
    Alternatively use property:
```
      saml.sso.extended-metadata.trusted-keys
 
```
    Parameters:
    
    trustedKeys - the trusted key names
    
    Returns:
    
    this configurer for further customization

Class ExtendedMetadataConfigurer

Field Summary

Constructor Summary

Method Summary

Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter

Methods inherited from class java.lang.Object

Field Detail

extendedMetadataBean

extendedMetadata

extendedMetadataConfig

local

Constructor Detail

ExtendedMetadataConfigurer

ExtendedMetadataConfigurer

Method Detail

init

configure

createExtendedMetadata

shareExtendedMetadata

local

idpDiscoveryEnabled

ecpEnabled

signMetadata

requireLogoutRequestSigned

requireLogoutResponseSigned

requireArtifactResolveSigned

supportUnsolicitedResponse

alias

idpDiscoveryURL

idpDiscoveryResponseURL

securityProfile

sslSecurityProfile

sslHostnameVerification

signingKey

signingAlgorithm

keyInfoGeneratorName

encryptionKey

tlsKey

trustedKeys